From ce9b8dfffcfea8d825f27b203140fe2f14622c75 Mon Sep 17 00:00:00 2001 From: IcedComputer <31418197+IcedComputer@users.noreply.github.com> Date: Wed, 19 Jun 2019 15:48:46 -0700 Subject: [PATCH 01/27] Leverage the Hostname of the Server Historic versions leveraged a format of "server_$UUID" to name of the VPN server certificate for X509 verification. This seems very impersonal. The new code pulls the existing hostname of the machines and appends the 16 character UUID. The new format is $hostname_$UUID. Example: A machine named "Martian" with a UUID of 1234567890123456 would change from server_1234567890123456 to Martian_1234567890123456 --- auto_install/install.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 59a3c3b..4cd6730 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -745,9 +745,12 @@ setCustomDomain() { } confOpenVPN() { - # Generate a random, alphanumeric identifier of 16 characters for this server so that we can use verify-x509-name later that is unique for this server installation. Source: Earthgecko (https://gist.github.com/earthgecko/3089509) + # Grab the existing Hostname + HOST_NAME=$(hostname) + # Generate a random, alphanumeric identifier of 16 characters for this server so that we can use verify-x509-name later that is unique for this server installation. Source: Earthgecko (https://gist.github.com/earthgecko/3089509) NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) - SERVER_NAME="server_${NEW_UUID}" + # Create a unique server name using the host name and UUID + SERVER_NAME="${HOST_NAME}_${NEW_UUID}" if [[ ${useUpdateVars} == false ]]; then # Ask user for desired level of encryption From bda0d58b8103780d9806e30d4dad6969acff99a4 Mon Sep 17 00:00:00 2001 From: IcedComputer <31418197+IcedComputer@users.noreply.github.com> Date: Thu, 20 Jun 2019 16:53:29 -0700 Subject: [PATCH 02/27] .ovpn12 files Added new step to create an .ovpn12 file that can be stored on iOS keychain This step is more secure method and does not require the end-user to keep entering passwords, or storing the client private cert where it can be easily tampered based on documentation located: https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/ Someone can improve upon this by adding a parameter (possibly -i|--iOS) and then generating the original .ovpn file to not contain the client private certificate. --- scripts/makeOVPN.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index 0a571b4..429c8de 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -268,6 +268,17 @@ echo "tls-auth Private Key found: $TA" } > "${NAME}${FILEEXT}" + +## Added new step to create an .ovpn12 file that can be stored on iOS keychain +## This step is more secure method and does not require the end-user to keep entering passwords, or storing the client private cert where it can be easily tampered +## https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/ +printf "========================================================\n" +printf "Generating an .ovpn12 file for use with iOS devices\n" +printf "You will be prompted to re-enter some information from the cert you just created\n" +printf "========================================================\n" + +sudo openssl pkcs12 -export -in issued/${NAME}${CRT} -inkey private/${NAME}${KEY} -certfile ${CA} -name ${NAME} -out /home/$INSTALL_USER/ovpns/$NAME.ovpn12 + # Copy the .ovpn profile to the home directory for convenient remote access cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" From 2e5a344c82ec6672f28ec314768eae0bd5afab4e Mon Sep 17 00:00:00 2001 From: IcedComputer <31418197+IcedComputer@users.noreply.github.com> Date: Thu, 20 Jun 2019 17:37:56 -0700 Subject: [PATCH 03/27] Fixed issue with grabbing hostname Per comments and recommendations, added the "-s" when grabbing the hostname. This will ensure uniform performance across various platforms. --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 4cd6730..dac2fea 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -746,7 +746,7 @@ setCustomDomain() { confOpenVPN() { # Grab the existing Hostname - HOST_NAME=$(hostname) + HOST_NAME=$(hostname -s) # Generate a random, alphanumeric identifier of 16 characters for this server so that we can use verify-x509-name later that is unique for this server installation. Source: Earthgecko (https://gist.github.com/earthgecko/3089509) NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) # Create a unique server name using the host name and UUID From 95480f3279f6be8bf2be884e3599d047f38eddb3 Mon Sep 17 00:00:00 2001 From: Orazio Date: Wed, 26 Jun 2019 10:35:56 +0200 Subject: [PATCH 04/27] Add support for Raspbian Buster --- auto_install/install.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 59a3c3b..60903a2 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -92,7 +92,7 @@ distro_check() { source /etc/os-release PLAT=$(awk '{print $1}' <<< "$NAME") VER="$VERSION_ID" - declare -A VER_MAP=(["9"]="stretch" ["8"]="jessie" ["18.04"]="bionic" ["16.04"]="xenial" ["14.04"]="trusty") + declare -A VER_MAP=(["10"]="buster" ["9"]="stretch" ["8"]="jessie" ["18.04"]="bionic" ["16.04"]="xenial" ["14.04"]="trusty") OSCN=${VER_MAP["${VER}"]} fi @@ -103,7 +103,7 @@ distro_check() { case ${PLAT} in Ubuntu|Raspbian|Debian|Devuan) case ${OSCN} in - trusty|xenial|jessie|stretch) + trusty|xenial|jessie|stretch|buster) ;; *) maybeOS_Support @@ -479,6 +479,8 @@ install_dependent_packages() { # No spinner - conflicts with set -e declare -a argArray1=("${!1}") + $SUDO update-alternatives --set iptables /usr/sbin/iptables-legacy + $SUDO update-alternatives --set iptables /usr/sbin/ip6tables-legacy echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections @@ -753,7 +755,7 @@ confOpenVPN() { # Ask user for desired level of encryption if [[ ${useUpdateVars} == false ]]; then - if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]]; then + if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]] && [[ ${OSCN} != "buster" ]] ; then APPLY_TWO_POINT_FOUR=false else if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno "OpenVPN 2.4 brings support for stronger authentication and key exchange using Elliptic Curves, along with encrypted control channel.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then From dae6276d3712b1901fbf844f5594b8133f5be4d2 Mon Sep 17 00:00:00 2001 From: IcedComputer <31418197+IcedComputer@users.noreply.github.com> Date: Thu, 27 Jun 2019 11:47:24 -0700 Subject: [PATCH 05/27] Made updates based on comments added changes related to chown and chmod of .ovpn12 file. Also removed sudo. --- scripts/makeOVPN.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index 429c8de..d7a6c8b 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -274,10 +274,12 @@ echo "tls-auth Private Key found: $TA" ## https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/ printf "========================================================\n" printf "Generating an .ovpn12 file for use with iOS devices\n" -printf "You will be prompted to re-enter some information from the cert you just created\n" printf "========================================================\n" -sudo openssl pkcs12 -export -in issued/${NAME}${CRT} -inkey private/${NAME}${KEY} -certfile ${CA} -name ${NAME} -out /home/$INSTALL_USER/ovpns/$NAME.ovpn12 +openssl pkcs12 -export -in issued/${NAME}${CRT} -inkey private/${NAME}${KEY} -certfile ${CA} -name ${NAME} -out /home/$INSTALL_USER/ovpns/$NAME.ovpn12 +chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME.ovpn12" +chmod o-r "/home/$INSTALL_USER/ovpns/$NAME.ovpn12" + # Copy the .ovpn profile to the home directory for convenient remote access cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" From 97bb3197959988e9cf3fb570b6733480c61fd891 Mon Sep 17 00:00:00 2001 From: IcedComputer <31418197+IcedComputer@users.noreply.github.com> Date: Thu, 27 Jun 2019 14:43:30 -0700 Subject: [PATCH 06/27] Updated .ovpn12 configuration Incorporated feedback on how to properly implement .ovpn12 files. --- scripts/makeOVPN.sh | 75 +++++++++++++++++++++++++++++++++++---------- 1 file changed, 59 insertions(+), 16 deletions(-) diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index d7a6c8b..66a25c0 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -13,7 +13,7 @@ INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) helpFunc() { echo "::: Create a client ovpn profile, optional nopass" echo ":::" - echo "::: Usage: pivpn <-a|add> [-n|--name ] [-p|--password ]|[nopass] [-d|--days ] [-h|--help]" + echo "::: Usage: pivpn <-a|add> [-n|--name ] [-p|--password ]|[nopass] [-d|--days ] [-i|--iOS] [-h|--help]" echo ":::" echo "::: Commands:" echo "::: [none] Interactive mode" @@ -21,6 +21,7 @@ helpFunc() { echo "::: -d,--days Expire the certificate after specified number of days (default: 1080)" echo "::: -n,--name Name for the Client (default: '"$(hostname)"')" echo "::: -p,--password Password for the Client (no default)" + echo "::: -i,--iOS Generate a certificate that leverages iOS keychain" echo "::: -h,--help Show this help dialog" } @@ -59,7 +60,10 @@ do fi DAYS="$_val" ;; - -h|--help) + -i|--iOS) + iOS=1 + ;; + -h|--help) helpFunc exit 0 ;; @@ -235,8 +239,58 @@ if [ ! -f "${TA}" ]; then fi echo "tls-auth Private Key found: $TA" + +## Added new step to create an .ovpn12 file that can be stored on iOS keychain +## This step is more secure method and does not require the end-user to keep entering passwords, or storing the client private cert where it can be easily tampered +## https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/ +if [ "$iOS" = "1" ]; then + #Generates the .ovpn file WITHOUT the client private key + { + # Start by populating with the default file + cat "${DEFAULT}" + + #Now, append the CA Public Cert + echo "" + cat "${CA}" + echo "" + + #Next append the client Public Cert + echo "" + sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "issued/${NAME}${CRT}" + echo "" + + #Finally, append the TA Private Key + if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then + echo "" + cat "${TA}" + echo "" + else + echo "" + cat "${TA}" + echo "" + fi + + } > "${NAME}${FILEEXT}" + + # Copy the .ovpn profile to the home directory for convenient remote access + + printf "========================================================\n" + printf "Generating an .ovpn12 file for use with iOS devices\n" + printf "Please remember the export password\n" + printf "as you will need this import the certificate on your iOS device\n" + printf "========================================================\n" + openssl pkcs12 -passin pass:$PASSWD -passin pass:$PASSWD -export -in issued/${NAME}${CRT} -inkey private/${NAME}${KEY} -certfile ${CA} -name ${NAME} -out /home/$INSTALL_USER/ovpns/$NAME.ovpn12 + chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME.ovpn12" + chmod o-r "/home/$INSTALL_USER/ovpns/$NAME.ovpn12" + printf "========================================================\n" + printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME.ovpn12" + printf "You will need to transfer both the .ovpn and .ovpn12 files\n" + printf "to your iOS device.\n" + printf "========================================================\n\n" +else + #This is the standard non-iOS configuration #Ready to make a new .ovpn file -{ + { # Start by populating with the default file cat "${DEFAULT}" @@ -266,20 +320,9 @@ echo "tls-auth Private Key found: $TA" echo "" fi -} > "${NAME}${FILEEXT}" - - -## Added new step to create an .ovpn12 file that can be stored on iOS keychain -## This step is more secure method and does not require the end-user to keep entering passwords, or storing the client private cert where it can be easily tampered -## https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/ -printf "========================================================\n" -printf "Generating an .ovpn12 file for use with iOS devices\n" -printf "========================================================\n" - -openssl pkcs12 -export -in issued/${NAME}${CRT} -inkey private/${NAME}${KEY} -certfile ${CA} -name ${NAME} -out /home/$INSTALL_USER/ovpns/$NAME.ovpn12 -chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME.ovpn12" -chmod o-r "/home/$INSTALL_USER/ovpns/$NAME.ovpn12" + } > "${NAME}${FILEEXT}" +fi # Copy the .ovpn profile to the home directory for convenient remote access cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" From 1d7ebd9d2f096020e680a843e0c6a5566198c044 Mon Sep 17 00:00:00 2001 From: IcedComputer <31418197+IcedComputer@users.noreply.github.com> Date: Thu, 27 Jun 2019 14:53:23 -0700 Subject: [PATCH 07/27] added support to remove .ovpn12 files the makeOVPN.sh now generates .ovpn12 files in the /home/${INSTALL_USER}/ovpns/ directory. The remove script was updated to remove both the .ovpn and .ovpn12 files --- scripts/removeOVPN.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/removeOVPN.sh b/scripts/removeOVPN.sh index 4438d98..4503358 100755 --- a/scripts/removeOVPN.sh +++ b/scripts/removeOVPN.sh @@ -113,7 +113,7 @@ for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do rm -rf "pki/reqs/${CERTS_TO_REVOKE[ii]}.req" rm -rf "pki/private/${CERTS_TO_REVOKE[ii]}.key" rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt" - rm -rf "/home/${INSTALL_USER}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn" + rm -rf "/home/${INSTALL_USER}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn*" rm -rf "/etc/openvpn/easy-rsa/pki/${CERTS_TO_REVOKE[ii]}.ovpn" cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem done From 7a34dd3704ce33eba7f5b43806a5dcde8ba35df5 Mon Sep 17 00:00:00 2001 From: Orazio Date: Mon, 1 Jul 2019 11:12:46 +0200 Subject: [PATCH 08/27] Improve iptables detection --- auto_install/install.sh | 39 +++++++++++++++++++++++ scripts/pivpnDebug.sh | 30 +++++++++++++++++- scripts/uninstall.sh | 68 ++++++++++++++++++++--------------------- 3 files changed, 101 insertions(+), 36 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 59a3c3b..4b81bd1 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -974,7 +974,41 @@ confNetwork() { # else configure iptables if [[ $noUFW -eq 1 ]]; then echo 1 > /tmp/noUFW + + # Now some checks to detect which rules we need to add. On a newly installed system all policies + # should be ACCEPT, so the only required rule would be the MASQUERADE one. + $SUDO iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE + + # Count how many rules are in the INPUT and FORWARD chain. When parsing input from + # iptables -S, '^-P' skips the policies and 'ufw-' skips ufw chains (in case ufw was found + # installed but not enabled). + + INPUT_RULES_COUNT="$($SUDO iptables -S INPUT | grep -vcE '(^-P|ufw-)')" + FORWARD_RULES_COUNT="$($SUDO iptables -S FORWARD | grep -vcE '(^-P|ufw-)')" + + INPUT_POLICY="$($SUDO iptables -S INPUT | grep '^-P' | awk '{print $3}')" + FORWARD_POLICY="$($SUDO iptables -S FORWARD | grep '^-P' | awk '{print $3}')" + + # If rules count is not zero, we assume we need to explicitly allow traffic. Same conclusion if + # there are no rules and the policy is not ACCEPT. Note that rules are being added to the top of the + # chain (using -I). + + if [ "$INPUT_RULES_COUNT" -ne 0 ] || [ "$INPUT_POLICY" != "ACCEPT" ]; then + $SUDO iptables -I INPUT 1 -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT + INPUT_CHAIN_EDITED=1 + else + INPUT_CHAIN_EDITED=0 + fi + + if [ "$FORWARD_RULES_COUNT" -ne 0 ] || [ "$FORWARD_POLICY" != "ACCEPT" ]; then + $SUDO iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + $SUDO iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT + FORWARD_CHAIN_EDITED=1 + else + FORWARD_CHAIN_EDITED=0 + fi + case ${PLAT} in Ubuntu|Debian|Devuan) $SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null @@ -987,7 +1021,12 @@ confNetwork() { echo 0 > /tmp/noUFW fi + echo "$INPUT_CHAIN_EDITED" > /tmp/INPUT_CHAIN_EDITED + echo "$FORWARD_CHAIN_EDITED" > /tmp/FORWARD_CHAIN_EDITED + $SUDO cp /tmp/noUFW /etc/pivpn/NO_UFW + $SUDO cp /tmp/INPUT_CHAIN_EDITED /etc/pivpn/INPUT_CHAIN_EDITED + $SUDO cp /tmp/FORWARD_CHAIN_EDITED /etc/pivpn/FORWARD_CHAIN_EDITED } confOVPN() { diff --git a/scripts/pivpnDebug.sh b/scripts/pivpnDebug.sh index 849c70d..ff912f3 100755 --- a/scripts/pivpnDebug.sh +++ b/scripts/pivpnDebug.sh @@ -56,11 +56,39 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then iptables -t nat -F iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE iptables-save > /etc/iptables/rules.v4 - iptables-restore < /etc/iptables/rules.v4 echo "Done" fi fi + if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then + if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then + echo ":: [OK] Iptables INPUT rule set" + else + ERR=1 + read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + iptables -I INPUT 1 -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT + iptables-save > /etc/iptables/rules.v4 + echo "Done" + fi + fi + fi + + if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then + if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then + echo ":: [OK] Iptables FORWARD rule set" + else + ERR=1 + read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT + iptables-save > /etc/iptables/rules.v4 + echo "Done" + fi + fi + fi + else if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index 99192aa..60d93e7 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -1,21 +1,6 @@ #!/usr/bin/env bash # PiVPN: Uninstall Script -# Must be root to uninstall -if [[ $EUID -eq 0 ]];then - echo "::: You are root." -else - echo "::: Sudo will be used for the uninstall." - # Check if it is actually installed - # If it isn't, exit because the unnstall cannot complete - if [[ $(dpkg-query -s sudo) ]];then - export SUDO="sudo" - else - echo "::: Please install sudo or run this as root." - exit 1 - fi -fi - INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) PLAT=$(cat /etc/pivpn/DET_PLATFORM) NO_UFW=$(cat /etc/pivpn/NO_UFW) @@ -59,7 +44,7 @@ echo ":::" while true; do read -rp "::: Do you wish to remove $i from your system? [y/n]: " yn case $yn in - [Yy]* ) printf ":::\tRemoving %s..." "$i"; $SUDO apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n"; + [Yy]* ) printf ":::\tRemoving %s..." "$i"; apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n"; if [ "$i" == "openvpn" ]; then UINST_OVPN=1 ; fi if [ "$i" == "unattended-upgrades" ]; then UINST_UNATTUPG=1 ; fi break;; @@ -74,44 +59,57 @@ echo ":::" # Take care of any additional package cleaning printf "::: Auto removing remaining dependencies..." - $SUDO apt-get -y autoremove &> /dev/null & spinner $!; printf "done!\n"; + apt-get -y autoremove &> /dev/null & spinner $!; printf "done!\n"; printf "::: Auto cleaning remaining dependencies..." - $SUDO apt-get -y autoclean &> /dev/null & spinner $!; printf "done!\n"; + apt-get -y autoclean &> /dev/null & spinner $!; printf "done!\n"; echo ":::" # Removing pivpn files echo "::: Removing pivpn system files..." - $SUDO rm -rf /opt/pivpn &> /dev/null - $SUDO rm -rf /etc/.pivpn &> /dev/null - $SUDO rm -rf /home/$INSTALL_USER/ovpns &> /dev/null + rm -rf /opt/pivpn &> /dev/null + rm -rf /etc/.pivpn &> /dev/null + rm -rf /home/$INSTALL_USER/ovpns &> /dev/null - $SUDO rm -rf /var/log/*pivpn* &> /dev/null - $SUDO rm -rf /var/log/*openvpn* &> /dev/null + rm -rf /var/log/*pivpn* &> /dev/null + rm -rf /var/log/*openvpn* &> /dev/null if [[ $UINST_OVPN = 1 ]]; then - $SUDO rm -rf /etc/openvpn &> /dev/null + rm -rf /etc/openvpn &> /dev/null if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then printf "::: Removing openvpn apt source..." - $SUDO rm -rf /etc/apt/sources.list.d/swupdate.openvpn.net.list &> /dev/null - $SUDO apt-get -qq update & spinner $!; printf "done!\n"; + rm -rf /etc/apt/sources.list.d/swupdate.openvpn.net.list &> /dev/null + apt-get -qq update & spinner $!; printf "done!\n"; fi fi if [[ $UINST_UNATTUPG = 1 ]]; then - $SUDO rm -rf /var/log/unattended-upgrades - $SUDO rm -rf /etc/apt/apt.conf.d/*periodic + rm -rf /var/log/unattended-upgrades + rm -rf /etc/apt/apt.conf.d/*periodic fi - $SUDO rm -rf /etc/pivpn &> /dev/null - $SUDO rm /usr/local/bin/pivpn &> /dev/null - $SUDO rm /etc/bash_completion.d/pivpn + rm -rf /etc/pivpn &> /dev/null + rm /usr/local/bin/pivpn &> /dev/null + rm /etc/bash_completion.d/pivpn # Disable IPv4 forwarding sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf sysctl -p if [[ $NO_UFW -eq 0 ]]; then - $SUDO sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules - $SUDO ufw delete allow "$PORT"/"$PROTO" >/dev/null - $SUDO ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null - $SUDO ufw reload >/dev/null + sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules + ufw delete allow "$PORT"/"$PROTO" >/dev/null + ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null + ufw reload >/dev/null + else + iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE + + if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then + iptables -D INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT + fi + + if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then + iptables -D FORWARD -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -D FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT + fi + + iptables-save > /etc/iptables/rules.v4 fi echo ":::" From 0ad342e007c46fb96f0c73e54ad0e110b6358914 Mon Sep 17 00:00:00 2001 From: Orazio Date: Mon, 1 Jul 2019 11:36:01 +0200 Subject: [PATCH 09/27] Fixed typo --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 60903a2..afa5f89 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -480,7 +480,7 @@ install_dependent_packages() { declare -a argArray1=("${!1}") $SUDO update-alternatives --set iptables /usr/sbin/iptables-legacy - $SUDO update-alternatives --set iptables /usr/sbin/ip6tables-legacy + $SUDO update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections From bcc780546c99ff64c6dad05c3ee7e7cbb2876b14 Mon Sep 17 00:00:00 2001 From: Orazio Date: Mon, 1 Jul 2019 11:39:42 +0200 Subject: [PATCH 10/27] Get variable value before the file is deleted --- scripts/uninstall.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index 60d93e7..f1edea4 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -7,6 +7,8 @@ NO_UFW=$(cat /etc/pivpn/NO_UFW) PORT=$(cat /etc/pivpn/INSTALL_PORT) PROTO=$(cat /etc/pivpn/INSTALL_PROTO) IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" +INPUT_CHAIN_EDITED="$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" +FORWARD_CHAIN_EDITED="$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" # Find the rows and columns. Will default to 80x24 if it can not be detected. screen_size=$(stty size 2>/dev/null || echo 24 80) @@ -100,11 +102,11 @@ echo ":::" else iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE - if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then + if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then iptables -D INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT fi - if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then + if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then iptables -D FORWARD -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -D FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT fi From b823737b5a20059305ed8c7a6ebe334c69167c2c Mon Sep 17 00:00:00 2001 From: Orazio Date: Mon, 1 Jul 2019 15:44:00 +0200 Subject: [PATCH 11/27] Hide client IPs in the debug log --- auto_install/install.sh | 2 +- scripts/pivpnDebug.sh | 15 +++++++++++++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 59a3c3b..3f693cd 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -21,7 +21,7 @@ PKG_CACHE="/var/lib/apt/lists/" UPDATE_PKG_CACHE="${PKG_MANAGER} update" PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install" PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true" -PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools) +PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools grepcidr) ### ### pivpnGitUrl="https://github.com/pivpn/pivpn.git" diff --git a/scripts/pivpnDebug.sh b/scripts/pivpnDebug.sh index 849c70d..c7b8438 100755 --- a/scripts/pivpnDebug.sh +++ b/scripts/pivpnDebug.sh @@ -13,8 +13,9 @@ echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::" git --git-dir /etc/.pivpn/.git log -n 1 printf "=============================================\n" echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::" +# Use the wildcard so setupVars.conf.update.bak from the previous install is not shown for filename in /etc/pivpn/*; do - if [ "$filename" != "/etc/pivpn/setupVars.conf" ]; then + if [[ "$filename" != "/etc/pivpn/setupVars.conf"* ]]; then echo "$filename -> $(cat "$filename")" fi done @@ -151,7 +152,17 @@ fi printf "=============================================\n" echo -e ":::: \e[4mSnippet of the server log\e[0m ::::" -tail -20 /var/log/openvpn.log +tail -20 /var/log/openvpn.log > /tmp/snippet + +# Regular expession taken from https://superuser.com/a/202835, it will match invalid IPs +# like 123.456.789.012 but it's fine because the log only contains valid ones. +declare -a IPS_TO_HIDE=($(grepcidr -v 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 /tmp/snippet | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | uniq)) +for IP in "${IPS_TO_HIDE[@]}"; do + sed -i "s/$IP/REDACTED/g" /tmp/snippet +done + +cat /tmp/snippet +rm /tmp/snippet printf "=============================================\n" echo -e "::::\t\t\e[4mDebug complete\e[0m\t\t ::::" From 66dcd69fd50d822d1a6dd98b359b7ff2afddac6b Mon Sep 17 00:00:00 2001 From: Orazio Date: Wed, 3 Jul 2019 10:13:22 +0200 Subject: [PATCH 12/27] Only use iptables-legacy if platform is Buster --- auto_install/install.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 06daddf..4cb1a3a 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -479,8 +479,10 @@ install_dependent_packages() { # No spinner - conflicts with set -e declare -a argArray1=("${!1}") - $SUDO update-alternatives --set iptables /usr/sbin/iptables-legacy - $SUDO update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy + if [[ ${OSCN} == "buster" ]]; then + $SUDO update-alternatives --set iptables /usr/sbin/iptables-legacy + $SUDO update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy + fi echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections From 0189c6983e98fc8efa8cbec6f3934a03a818b2b4 Mon Sep 17 00:00:00 2001 From: Bradley Grainger Date: Thu, 4 Jul 2019 19:47:51 -0700 Subject: [PATCH 13/27] Fix typo in "separated". --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 59a3c3b..cf06800 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -664,7 +664,7 @@ setClientDNS() { do strInvalid="Invalid" - if OVPNDNS=$(whiptail --backtitle "Specify Upstream DNS Provider(s)" --inputbox "Enter your desired upstream DNS provider(s), seperated by a comma.\n\nFor example '8.8.8.8, 8.8.4.4'" ${r} ${c} "" 3>&1 1>&2 2>&3) + if OVPNDNS=$(whiptail --backtitle "Specify Upstream DNS Provider(s)" --inputbox "Enter your desired upstream DNS provider(s), separated by a comma.\n\nFor example '8.8.8.8, 8.8.4.4'" ${r} ${c} "" 3>&1 1>&2 2>&3) then OVPNDNS1=$(echo "$OVPNDNS" | sed 's/[, \t]\+/,/g' | awk -F, '{print$1}') OVPNDNS2=$(echo "$OVPNDNS" | sed 's/[, \t]\+/,/g' | awk -F, '{print$2}') From 241e06f970dc19f645e3b2baa174b7a10a9dd2da Mon Sep 17 00:00:00 2001 From: Orazio Date: Sat, 13 Jul 2019 10:45:44 +0200 Subject: [PATCH 14/27] Miscellaeous fixes --- auto_install/install.sh | 5 +++-- scripts/makeOVPN.sh | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 4f9d0b5..299f53f 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -532,7 +532,7 @@ getGitFiles() { echo ":::" echo "::: Checking for existing base files..." if is_repo "${1}"; then - update_repo "${1}" + update_repo "${1}" "${2}" else make_repo "${1}" "${2}" fi @@ -565,6 +565,7 @@ update_repo() { # Pull the latest commits echo -n "::: Updating repo in $1..." $SUDO rm -rf "${1}" + cd /etc $SUDO git clone -q --depth 1 --no-single-branch "${2}" "${1}" > /dev/null & spinner $! cd "${1}" || exit 1 if [ -z "${TESTING+x}" ]; then @@ -851,7 +852,7 @@ EOF fi # Build the server - ${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass + EASYRSA_CERT_EXPIRE=3650 ${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass if [[ ${useUpdateVars} == false ]]; then if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index 0a571b4..6e6bee6 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -147,7 +147,7 @@ if [[ ${NAME::1} == "." ]] || [[ ${NAME::1} == "-" ]]; then exit 1 fi -if [[ "${NAME}" =~ [^a-zA-Z0-9\.\-\@\_] ]]; then +if [[ "${NAME}" =~ [^a-zA-Z0-9\.\\-\@\_] ]]; then echo "Name can only contain alphanumeric characters and these characters (.-@_)." exit 1 fi From 1b54558769b2a646c708c09be9230c65eed8e76e Mon Sep 17 00:00:00 2001 From: Orazio Date: Sat, 13 Jul 2019 12:48:53 +0200 Subject: [PATCH 15/27] Fix update option --- auto_install/install.sh | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 299f53f..ab68e84 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -565,6 +565,8 @@ update_repo() { # Pull the latest commits echo -n "::: Updating repo in $1..." $SUDO rm -rf "${1}" + # Go back to /etc otherwhise git will complain when the current working directory has + # just been deleted (/etc/.pivpn). cd /etc $SUDO git clone -q --depth 1 --no-single-branch "${2}" "${1}" > /dev/null & spinner $! cd "${1}" || exit 1 @@ -754,6 +756,8 @@ confOpenVPN() { NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) SERVER_NAME="server_${NEW_UUID}" + declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1") + if [[ ${useUpdateVars} == false ]]; then # Ask user for desired level of encryption @@ -784,7 +788,6 @@ confOpenVPN() { else - declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1") ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA certificate size" --radiolist \ "Choose the desired size of your certificate (press space to select):\n This is an certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \ "256" "Use a 256-bit certificate (recommended level)" ON \ @@ -989,8 +992,10 @@ confNetwork() { # iptables -S, '^-P' skips the policies and 'ufw-' skips ufw chains (in case ufw was found # installed but not enabled). - INPUT_RULES_COUNT="$($SUDO iptables -S INPUT | grep -vcE '(^-P|ufw-)')" - FORWARD_RULES_COUNT="$($SUDO iptables -S FORWARD | grep -vcE '(^-P|ufw-)')" + # Grep returns non 0 exit code where there are no matches, however that would make the script exit, + # for this reasons we use '|| true' to force exit code 0 + INPUT_RULES_COUNT="$($SUDO iptables -S INPUT | grep -vcE '(^-P|ufw-)' || true)" + FORWARD_RULES_COUNT="$($SUDO iptables -S FORWARD | grep -vcE '(^-P|ufw-)' || true)" INPUT_POLICY="$($SUDO iptables -S INPUT | grep '^-P' | awk '{print $3}')" FORWARD_POLICY="$($SUDO iptables -S FORWARD | grep '^-P' | awk '{print $3}')" From 8a6d32ced53299909032050a9bb7d3947869acaa Mon Sep 17 00:00:00 2001 From: Orazio Date: Sat, 13 Jul 2019 19:59:28 +0200 Subject: [PATCH 16/27] Fixed regular expression --- scripts/makeOVPN.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index 6e6bee6..7e88ad7 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -147,7 +147,7 @@ if [[ ${NAME::1} == "." ]] || [[ ${NAME::1} == "-" ]]; then exit 1 fi -if [[ "${NAME}" =~ [^a-zA-Z0-9\.\\-\@\_] ]]; then +if [[ "${NAME}" =~ [^a-zA-Z0-9.@_-] ]]; then echo "Name can only contain alphanumeric characters and these characters (.-@_)." exit 1 fi From 2ba8b0c262b9de2ada561d9a3f719405441015eb Mon Sep 17 00:00:00 2001 From: Iulian Onofrei <6d0847b9@opayq.com> Date: Sun, 14 Jul 2019 01:01:44 +0300 Subject: [PATCH 17/27] Fix typo in a setup message --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 59a3c3b..5580131 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -781,7 +781,7 @@ confOpenVPN() { declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1") ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA certificate size" --radiolist \ - "Choose the desired size of your certificate (press space to select):\n This is an certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \ + "Choose the desired size of your certificate (press space to select):\n This is a certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \ "256" "Use a 256-bit certificate (recommended level)" ON \ "384" "Use a 384-bit certificate" OFF \ "521" "Use a 521-bit certificate (paranoid level)" OFF 3>&1 1>&2 2>&3) From b60a06791d755ef21bc586cbf702ed653615a068 Mon Sep 17 00:00:00 2001 From: Akvile Date: Tue, 23 Jul 2019 22:12:35 +0200 Subject: [PATCH 18/27] integrated bitwarden password manager into pivpn --- auto_install/install.sh | 80 +++++++++++++++++++++++++++++++++++------ pivpn | 2 ++ scripts/makeOVPN.sh | 59 ++++++++++++++++++++++++++++-- scripts/pivpnDebug.sh | 45 +++++++++++++++++++++-- scripts/uninstall.sh | 70 ++++++++++++++++++------------------ 5 files changed, 206 insertions(+), 50 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 59a3c3b..9e31d1f 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -21,7 +21,7 @@ PKG_CACHE="/var/lib/apt/lists/" UPDATE_PKG_CACHE="${PKG_MANAGER} update" PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install" PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true" -PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools) +PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools grepcidr jq) ### ### pivpnGitUrl="https://github.com/pivpn/pivpn.git" @@ -29,7 +29,7 @@ pivpnFilesDir="/etc/.pivpn" easyrsaVer="3.0.6" easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz" -# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config +# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config UNATTUPG_RELEASE="1.9" UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz" @@ -92,18 +92,19 @@ distro_check() { source /etc/os-release PLAT=$(awk '{print $1}' <<< "$NAME") VER="$VERSION_ID" - declare -A VER_MAP=(["9"]="stretch" ["8"]="jessie" ["18.04"]="bionic" ["16.04"]="xenial" ["14.04"]="trusty") + declare -A VER_MAP=(["10"]="buster" ["9"]="stretch" ["8"]="jessie" ["18.04"]="bionic" ["16.04"]="xenial" ["14.04"]="trusty") OSCN=${VER_MAP["${VER}"]} fi if [[ ${OSCN} != "bionic" ]]; then PIVPN_DEPS+=(dhcpcd5) + fi case ${PLAT} in Ubuntu|Raspbian|Debian|Devuan) case ${OSCN} in - trusty|xenial|jessie|stretch) + trusty|xenial|jessie|stretch|buster) ;; *) maybeOS_Support @@ -474,11 +475,21 @@ notify_package_updates_available() { fi } +install_bitwarden() { + # Install Bitwarden through NPM - this is the preferred installation method since NPM makes it easy to update the package + apt-get install -y nodejs npm + npm install -g @bitwarden/cli +} + install_dependent_packages() { # Install packages passed in via argument array # No spinner - conflicts with set -e declare -a argArray1=("${!1}") + if [[ ${OSCN} == "buster" ]]; then + $SUDO update-alternatives --set iptables /usr/sbin/iptables-legacy + $SUDO update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy + fi echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections @@ -528,7 +539,7 @@ getGitFiles() { echo ":::" echo "::: Checking for existing base files..." if is_repo "${1}"; then - update_repo "${1}" + update_repo "${1}" "${2}" else make_repo "${1}" "${2}" fi @@ -561,6 +572,9 @@ update_repo() { # Pull the latest commits echo -n "::: Updating repo in $1..." $SUDO rm -rf "${1}" + # Go back to /etc otherwhise git will complain when the current working directory has + # just been deleted (/etc/.pivpn). + cd /etc $SUDO git clone -q --depth 1 --no-single-branch "${2}" "${1}" > /dev/null & spinner $! cd "${1}" || exit 1 if [ -z "${TESTING+x}" ]; then @@ -664,7 +678,7 @@ setClientDNS() { do strInvalid="Invalid" - if OVPNDNS=$(whiptail --backtitle "Specify Upstream DNS Provider(s)" --inputbox "Enter your desired upstream DNS provider(s), seperated by a comma.\n\nFor example '8.8.8.8, 8.8.4.4'" ${r} ${c} "" 3>&1 1>&2 2>&3) + if OVPNDNS=$(whiptail --backtitle "Specify Upstream DNS Provider(s)" --inputbox "Enter your desired upstream DNS provider(s), separated by a comma.\n\nFor example '8.8.8.8, 8.8.4.4'" ${r} ${c} "" 3>&1 1>&2 2>&3) then OVPNDNS1=$(echo "$OVPNDNS" | sed 's/[, \t]\+/,/g' | awk -F, '{print$1}') OVPNDNS2=$(echo "$OVPNDNS" | sed 's/[, \t]\+/,/g' | awk -F, '{print$2}') @@ -749,11 +763,13 @@ confOpenVPN() { NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) SERVER_NAME="server_${NEW_UUID}" + declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1") + if [[ ${useUpdateVars} == false ]]; then # Ask user for desired level of encryption if [[ ${useUpdateVars} == false ]]; then - if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]]; then + if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]] && [[ ${OSCN} != "buster" ]]; then APPLY_TWO_POINT_FOUR=false else if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno "OpenVPN 2.4 brings support for stronger authentication and key exchange using Elliptic Curves, along with encrypted control channel.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then @@ -781,7 +797,7 @@ confOpenVPN() { declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1") ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA certificate size" --radiolist \ - "Choose the desired size of your certificate (press space to select):\n This is an certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \ + "Choose the desired size of your certificate (press space to select):\n This is a certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \ "256" "Use a 256-bit certificate (recommended level)" ON \ "384" "Use a 384-bit certificate" OFF \ "521" "Use a 521-bit certificate (paranoid level)" OFF 3>&1 1>&2 2>&3) @@ -847,7 +863,7 @@ EOF fi # Build the server - ${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass + EASYRSA_CERT_EXPIRE=3650 ${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass if [[ ${useUpdateVars} == false ]]; then if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then @@ -974,7 +990,43 @@ confNetwork() { # else configure iptables if [[ $noUFW -eq 1 ]]; then echo 1 > /tmp/noUFW + + # Now some checks to detect which rules we need to add. On a newly installed system all policies + # should be ACCEPT, so the only required rule would be the MASQUERADE one. + $SUDO iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE + + # Count how many rules are in the INPUT and FORWARD chain. When parsing input from + # iptables -S, '^-P' skips the policies and 'ufw-' skips ufw chains (in case ufw was found + # installed but not enabled). + + # Grep returns non 0 exit code where there are no matches, however that would make the script exit, + # for this reasons we use '|| true' to force exit code 0 + INPUT_RULES_COUNT="$($SUDO iptables -S INPUT | grep -vcE '(^-P|ufw-)' || true)" + FORWARD_RULES_COUNT="$($SUDO iptables -S FORWARD | grep -vcE '(^-P|ufw-)' || true)" + + INPUT_POLICY="$($SUDO iptables -S INPUT | grep '^-P' | awk '{print $3}')" + FORWARD_POLICY="$($SUDO iptables -S FORWARD | grep '^-P' | awk '{print $3}')" + + # If rules count is not zero, we assume we need to explicitly allow traffic. Same conclusion if + # there are no rules and the policy is not ACCEPT. Note that rules are being added to the top of the + # chain (using -I). + + if [ "$INPUT_RULES_COUNT" -ne 0 ] || [ "$INPUT_POLICY" != "ACCEPT" ]; then + $SUDO iptables -I INPUT 1 -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT + INPUT_CHAIN_EDITED=1 + else + INPUT_CHAIN_EDITED=0 + fi + + if [ "$FORWARD_RULES_COUNT" -ne 0 ] || [ "$FORWARD_POLICY" != "ACCEPT" ]; then + $SUDO iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + $SUDO iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT + FORWARD_CHAIN_EDITED=1 + else + FORWARD_CHAIN_EDITED=0 + fi + case ${PLAT} in Ubuntu|Debian|Devuan) $SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null @@ -987,7 +1039,12 @@ confNetwork() { echo 0 > /tmp/noUFW fi + echo "$INPUT_CHAIN_EDITED" > /tmp/INPUT_CHAIN_EDITED + echo "$FORWARD_CHAIN_EDITED" > /tmp/FORWARD_CHAIN_EDITED + $SUDO cp /tmp/noUFW /etc/pivpn/NO_UFW + $SUDO cp /tmp/INPUT_CHAIN_EDITED /etc/pivpn/INPUT_CHAIN_EDITED + $SUDO cp /tmp/FORWARD_CHAIN_EDITED /etc/pivpn/FORWARD_CHAIN_EDITED } confOVPN() { @@ -1294,6 +1351,9 @@ main() { # Notify user of package availability notify_package_updates_available + # Install packages for Bitwarden + install_bitwarden + # Install packages used by this installation script install_dependent_packages PIVPN_DEPS[@] @@ -1374,7 +1434,7 @@ main() { $SUDO systemctl start openvpn.service ;; esac - + # Ensure that cached writes reach persistent storage echo "::: Flushing writes to disk..." sync diff --git a/pivpn b/pivpn index 8f82a93..495ffcf 100644 --- a/pivpn +++ b/pivpn @@ -58,6 +58,7 @@ function helpFunc { echo ":::" echo "::: Commands:" echo "::: -a, add [nopass] Create a client ovpn profile, optional nopass" + echo "::: -b,--bitwarden Create and save a client through Bitwarden" echo "::: -c, clients List any connected clients to the server" echo "::: -d, debug Start a debugging session if having trouble" echo "::: -l, list List all valid and revoked certificates" @@ -74,6 +75,7 @@ fi # Handle redirecting to specific functions based on arguments case "$1" in "-a" | "add" ) makeOVPNFunc "$@";; +"-b" | "bitwarden" ) makeOVPNFunc "$@";; "-c" | "clients" ) listClientsFunc;; "-d" | "debug" ) debugFunc;; "-l" | "list" ) listOVPNFunc;; diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index 0a571b4..e39df1b 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -13,11 +13,12 @@ INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) helpFunc() { echo "::: Create a client ovpn profile, optional nopass" echo ":::" - echo "::: Usage: pivpn <-a|add> [-n|--name ] [-p|--password ]|[nopass] [-d|--days ] [-h|--help]" + echo "::: Usage: pivpn <-a|add> [-b|--bitwarden] [-n|--name ] [-p|--password ]|[nopass] [-d|--days ] [-h|--help]" echo ":::" echo "::: Commands:" echo "::: [none] Interactive mode" echo "::: nopass Create a client without a password" + echo "::: -b,--bitwarden Create and save a client through Bitwarden" echo "::: -d,--days Expire the certificate after specified number of days (default: 1080)" echo "::: -n,--name Name for the Client (default: '"$(hostname)"')" echo "::: -p,--password Password for the Client (no default)" @@ -66,6 +67,9 @@ do nopass) NO_PASS="1" ;; + -b|--bitwarden) + BITWARDEN="2" + ;; *) echo "Error: Got an unexpected argument '$1'" helpFunc @@ -91,6 +95,52 @@ EOF } +function useBitwarden() { + + # login and unlock vault + printf "****Bitwarden Login****" + printf "\n" + SESSION_KEY=`bw login --raw` + export BW_SESSION=$SESSION_KEY + printf "Successfully Logged in!" + printf "\n" + + # ask user for username + printf "Enter the username: " + read -r NAME + + # check name + until [[ "$NAME" =~ ^[a-zA-Z0-9.@_-]+$ && ${NAME::1} != "." && ${NAME::1} != "-" ]] + do + echo "Name can only contain alphanumeric characters and these characters (.-@_). The name also cannot start with a dot (.) or a dash (-). Please try again." + # ask user for username again + printf "Enter the username: " + read -r NAME + done + + + # ask user for length of password + printf "Please enter the length of characters you want your password to be (minimum 12): " + read -r LENGTH + + # check length + until [[ "$LENGTH" -gt 11 && "$LENGTH" -lt 129 ]] + do + echo "Password must be between from 12 to 128 characters, please try again." + # ask user for length of password + printf "Enter the length of characters you want your password to be (minimum 12): " + read -r LENGTH + done + + printf "Creating a PiVPN item for your vault..." + printf "\n" + # create a new item for your PiVPN Password + PASSWD=`bw generate -usln --length $LENGTH` + bw get template item | jq '.login.type = "1"'| jq '.name = "PiVPN"' | jq -r --arg NAME "$NAME" '.login.username = $NAME' | jq -r --arg PASSWD "$PASSWD" '.login.password = $PASSWD' | bw encode | bw create item + bw logout + +} + function keyPASS() { if [[ -z "${PASSWD}" ]]; then @@ -137,6 +187,11 @@ EOF } +# bitWarden first +if [[ "${BITWARDEN}" =~ "2" ]]; then + useBitwarden +fi + if [ -z "${NAME}" ]; then printf "Enter a Name for the Client: " read -r NAME @@ -147,7 +202,7 @@ if [[ ${NAME::1} == "." ]] || [[ ${NAME::1} == "-" ]]; then exit 1 fi -if [[ "${NAME}" =~ [^a-zA-Z0-9\.\-\@\_] ]]; then +if [[ "${NAME}" =~ [^a-zA-Z0-9.@_-] ]]; then echo "Name can only contain alphanumeric characters and these characters (.-@_)." exit 1 fi diff --git a/scripts/pivpnDebug.sh b/scripts/pivpnDebug.sh index 849c70d..b63079a 100755 --- a/scripts/pivpnDebug.sh +++ b/scripts/pivpnDebug.sh @@ -13,8 +13,9 @@ echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::" git --git-dir /etc/.pivpn/.git log -n 1 printf "=============================================\n" echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::" +# Use the wildcard so setupVars.conf.update.bak from the previous install is not shown for filename in /etc/pivpn/*; do - if [ "$filename" != "/etc/pivpn/setupVars.conf" ]; then + if [[ "$filename" != "/etc/pivpn/setupVars.conf"* ]]; then echo "$filename -> $(cat "$filename")" fi done @@ -56,11 +57,39 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then iptables -t nat -F iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE iptables-save > /etc/iptables/rules.v4 - iptables-restore < /etc/iptables/rules.v4 echo "Done" fi fi + if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then + if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then + echo ":: [OK] Iptables INPUT rule set" + else + ERR=1 + read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + iptables -I INPUT 1 -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT + iptables-save > /etc/iptables/rules.v4 + echo "Done" + fi + fi + fi + + if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then + if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then + echo ":: [OK] Iptables FORWARD rule set" + else + ERR=1 + read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT + iptables-save > /etc/iptables/rules.v4 + echo "Done" + fi + fi + fi + else if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then @@ -151,7 +180,17 @@ fi printf "=============================================\n" echo -e ":::: \e[4mSnippet of the server log\e[0m ::::" -tail -20 /var/log/openvpn.log +tail -20 /var/log/openvpn.log > /tmp/snippet + +# Regular expession taken from https://superuser.com/a/202835, it will match invalid IPs +# like 123.456.789.012 but it's fine because the log only contains valid ones. +declare -a IPS_TO_HIDE=($(grepcidr -v 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 /tmp/snippet | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | uniq)) +for IP in "${IPS_TO_HIDE[@]}"; do + sed -i "s/$IP/REDACTED/g" /tmp/snippet +done + +cat /tmp/snippet +rm /tmp/snippet printf "=============================================\n" echo -e "::::\t\t\e[4mDebug complete\e[0m\t\t ::::" diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index 99192aa..bcb304e 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -1,27 +1,14 @@ #!/usr/bin/env bash # PiVPN: Uninstall Script -# Must be root to uninstall -if [[ $EUID -eq 0 ]];then - echo "::: You are root." -else - echo "::: Sudo will be used for the uninstall." - # Check if it is actually installed - # If it isn't, exit because the unnstall cannot complete - if [[ $(dpkg-query -s sudo) ]];then - export SUDO="sudo" - else - echo "::: Please install sudo or run this as root." - exit 1 - fi -fi - INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) PLAT=$(cat /etc/pivpn/DET_PLATFORM) NO_UFW=$(cat /etc/pivpn/NO_UFW) PORT=$(cat /etc/pivpn/INSTALL_PORT) PROTO=$(cat /etc/pivpn/INSTALL_PROTO) IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" +INPUT_CHAIN_EDITED="$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" +FORWARD_CHAIN_EDITED="$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" # Find the rows and columns. Will default to 80x24 if it can not be detected. screen_size=$(stty size 2>/dev/null || echo 24 80) @@ -59,7 +46,7 @@ echo ":::" while true; do read -rp "::: Do you wish to remove $i from your system? [y/n]: " yn case $yn in - [Yy]* ) printf ":::\tRemoving %s..." "$i"; $SUDO apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n"; + [Yy]* ) printf ":::\tRemoving %s..." "$i"; apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n"; if [ "$i" == "openvpn" ]; then UINST_OVPN=1 ; fi if [ "$i" == "unattended-upgrades" ]; then UINST_UNATTUPG=1 ; fi break;; @@ -74,44 +61,57 @@ echo ":::" # Take care of any additional package cleaning printf "::: Auto removing remaining dependencies..." - $SUDO apt-get -y autoremove &> /dev/null & spinner $!; printf "done!\n"; + apt-get -y autoremove &> /dev/null & spinner $!; printf "done!\n"; printf "::: Auto cleaning remaining dependencies..." - $SUDO apt-get -y autoclean &> /dev/null & spinner $!; printf "done!\n"; + apt-get -y autoclean &> /dev/null & spinner $!; printf "done!\n"; echo ":::" # Removing pivpn files echo "::: Removing pivpn system files..." - $SUDO rm -rf /opt/pivpn &> /dev/null - $SUDO rm -rf /etc/.pivpn &> /dev/null - $SUDO rm -rf /home/$INSTALL_USER/ovpns &> /dev/null + rm -rf /opt/pivpn &> /dev/null + rm -rf /etc/.pivpn &> /dev/null + rm -rf /home/$INSTALL_USER/ovpns &> /dev/null - $SUDO rm -rf /var/log/*pivpn* &> /dev/null - $SUDO rm -rf /var/log/*openvpn* &> /dev/null + rm -rf /var/log/*pivpn* &> /dev/null + rm -rf /var/log/*openvpn* &> /dev/null if [[ $UINST_OVPN = 1 ]]; then - $SUDO rm -rf /etc/openvpn &> /dev/null + rm -rf /etc/openvpn &> /dev/null if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then printf "::: Removing openvpn apt source..." - $SUDO rm -rf /etc/apt/sources.list.d/swupdate.openvpn.net.list &> /dev/null - $SUDO apt-get -qq update & spinner $!; printf "done!\n"; + rm -rf /etc/apt/sources.list.d/swupdate.openvpn.net.list &> /dev/null + apt-get -qq update & spinner $!; printf "done!\n"; fi fi if [[ $UINST_UNATTUPG = 1 ]]; then - $SUDO rm -rf /var/log/unattended-upgrades - $SUDO rm -rf /etc/apt/apt.conf.d/*periodic + rm -rf /var/log/unattended-upgrades + rm -rf /etc/apt/apt.conf.d/*periodic fi - $SUDO rm -rf /etc/pivpn &> /dev/null - $SUDO rm /usr/local/bin/pivpn &> /dev/null - $SUDO rm /etc/bash_completion.d/pivpn + rm -rf /etc/pivpn &> /dev/null + rm /usr/local/bin/pivpn &> /dev/null + rm /etc/bash_completion.d/pivpn # Disable IPv4 forwarding sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf sysctl -p if [[ $NO_UFW -eq 0 ]]; then - $SUDO sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules - $SUDO ufw delete allow "$PORT"/"$PROTO" >/dev/null - $SUDO ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null - $SUDO ufw reload >/dev/null + sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules + ufw delete allow "$PORT"/"$PROTO" >/dev/null + ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null + ufw reload >/dev/null + else + iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE + + if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then + iptables -D INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT + fi + + if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then + iptables -D FORWARD -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -D FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT + fi + + iptables-save > /etc/iptables/rules.v4 fi echo ":::" From e6a13cc65e3568cc98c6cb18ed69c84a5597b590 Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 6 Aug 2019 09:53:14 +0200 Subject: [PATCH 19/27] Handle older UFW version from Jessie --- auto_install/install.sh | 18 ++++++++++++++++-- scripts/pivpnDebug.sh | 41 ++++++++++++++++++++++++++++++----------- scripts/uninstall.sh | 7 ++++++- 3 files changed, 52 insertions(+), 14 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index cd9a60c..eec66af 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -971,8 +971,21 @@ confNetwork() { $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules # Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic) $SUDO ufw insert 1 allow "$PORT"/"$PROTO" >/dev/null - # Don't forward everything, just the traffic originated from the VPN subnet - $SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null + + # https://askubuntu.com/a/712202 + INSTALLED_UFW=$(dpkg-query --showformat='${Version}' --show ufw) + MINIMUM_UFW=0.34 + + if $SUDO dpkg --compare-versions "$INSTALLED_UFW" ge "$MINIMUM_UFW"; then + # Don't forward everything, just the traffic originated from the VPN subnet + $SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null + echo 0 > /tmp/OLD_UFW + else + # This ufw version does not support route command, fallback to policy change + $SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw + echo 1 > /tmp/OLD_UFW + fi + $SUDO ufw reload >/dev/null echo "::: UFW configuration completed." fi @@ -1035,6 +1048,7 @@ confNetwork() { echo "$FORWARD_CHAIN_EDITED" > /tmp/FORWARD_CHAIN_EDITED $SUDO cp /tmp/noUFW /etc/pivpn/NO_UFW + $SUDO cp /tmp/OLD_UFW /etc/pivpn/OLD_UFW $SUDO cp /tmp/INPUT_CHAIN_EDITED /etc/pivpn/INPUT_CHAIN_EDITED $SUDO cp /tmp/FORWARD_CHAIN_EDITED /etc/pivpn/FORWARD_CHAIN_EDITED } diff --git a/scripts/pivpnDebug.sh b/scripts/pivpnDebug.sh index b63079a..818c760 100755 --- a/scripts/pivpnDebug.sh +++ b/scripts/pivpnDebug.sh @@ -5,6 +5,10 @@ PORT=$(cat /etc/pivpn/INSTALL_PORT) PROTO=$(cat /etc/pivpn/INSTALL_PROTO) IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" REMOTE="$(grep 'remote ' /etc/openvpn/easy-rsa/pki/Default.txt | awk '{print $2}')" +NO_UFW=$(cat /etc/pivpn/NO_UFW) +OLD_UFW=$(cat /etc/pivpn/NO_UFW) +INPUT_CHAIN_EDITED="$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" +FORWARD_CHAIN_EDITED="$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" ERR=0 echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::" @@ -46,7 +50,7 @@ else fi fi -if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then +if [ "$NO_UFW" -eq 1 ]; then if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then echo ":: [OK] Iptables MASQUERADE rule set" @@ -61,7 +65,7 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then fi fi - if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then + if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then echo ":: [OK] Iptables INPUT rule set" else @@ -75,7 +79,7 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then fi fi - if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then + if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then echo ":: [OK] Iptables FORWARD rule set" else @@ -126,15 +130,30 @@ else fi fi - if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then - echo ":: [OK] Ufw forwarding rule set" + if [ "$OLD_UFW" -eq 1 ]; then + FORWARD_POLICY="$(iptables -S FORWARD | grep '^-P' | awk '{print $3}')" + if [ "$FORWARD_POLICY" = "ACCEPT" ]; then + echo ":: [OK] Ufw forwarding policy is accept" + else + ERR=1 + read -r -p ":: [ERR] Ufw forwarding policy is not 'ACCEPT', attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw + ufw reload > /dev/null + echo "Done" + fi + fi else - ERR=1 - read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]]; then - ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any - ufw reload - echo "Done" + if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then + echo ":: [OK] Ufw forwarding rule set" + else + ERR=1 + read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any + ufw reload + echo "Done" + fi fi fi diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index f1edea4..94e9eec 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -4,6 +4,7 @@ INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) PLAT=$(cat /etc/pivpn/DET_PLATFORM) NO_UFW=$(cat /etc/pivpn/NO_UFW) +OLD_UFW=$(cat /etc/pivpn/NO_UFW) PORT=$(cat /etc/pivpn/INSTALL_PORT) PROTO=$(cat /etc/pivpn/INSTALL_PROTO) IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" @@ -97,7 +98,11 @@ echo ":::" if [[ $NO_UFW -eq 0 ]]; then sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules ufw delete allow "$PORT"/"$PROTO" >/dev/null - ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null + if [ "$OLD_UFW" -eq 1 ]; then + sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"DROP\"/" /etc/default/ufw + else + ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null + fi ufw reload >/dev/null else iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE From b71c67c78a0dbb0bf5e426c93e3dc41acf2a8f3e Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 6 Aug 2019 10:02:28 +0200 Subject: [PATCH 20/27] Recreate ovpn folder if deleted --- scripts/makeOVPN.sh | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index 7e88ad7..c945703 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -228,12 +228,12 @@ if [ ! -f "${CA}" ]; then fi echo "CA public Key found: $CA" -#Confirm the tls-auth ta key file exists +#Confirm the tls key file exists if [ ! -f "${TA}" ]; then - echo "[ERROR]: tls-auth Key not found: $TA" + echo "[ERROR]: tls Private Key not found: $TA" exit fi -echo "tls-auth Private Key found: $TA" +echo "tls Private Key found: $TA" #Ready to make a new .ovpn file { @@ -255,7 +255,7 @@ echo "tls-auth Private Key found: $TA" cat "private/${NAME}${KEY}" echo "" - #Finally, append the TA Private Key + #Finally, append the tls Private Key if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then echo "" cat "${TA}" @@ -268,6 +268,11 @@ echo "tls-auth Private Key found: $TA" } > "${NAME}${FILEEXT}" +if [ ! -d "/home/$INSTALL_USER/ovpns" ]; then + mkdir "/home/$INSTALL_USER/ovpns" + chmod 0777 -R "/home/$INSTALL_USER/ovpns" +fi + # Copy the .ovpn profile to the home directory for convenient remote access cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" From 9d6668834140c5270e8b38fe603e3ab76308ad72 Mon Sep 17 00:00:00 2001 From: Akvile Date: Tue, 20 Aug 2019 11:36:05 -0500 Subject: [PATCH 21/27] added the functionality to send your OVPN file to your Bitwarden vault --- scripts/makeOVPN.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index 8c8af49..54d4f95 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -328,6 +328,24 @@ if [ ! -d "/home/$INSTALL_USER/ovpns" ]; then chmod 0777 -R "/home/$INSTALL_USER/ovpns" fi +# If user is using Bitwarden, have them login again to submit their .ovpn file to their vault +printf "Would you like to export your .ovpn file to your Bitwarden vault? (y or n)" +read -r RESPONSE +if [ $RESPONSE == "y" ] || [ $RESPONSE == "Y" ]; then + $OVPN_FILE="$(< "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT")" + # Login to Bitwarden + printf "****Bitwarden Login****" + printf "\n" + SESSION_KEY=`bw login --raw` + export BW_SESSION=$SESSION_KEY + printf "Successfully Logged in!" + printf "\n" + # Create a Bitwarden secure note to export the .ovpn file + bw get template item | jq '.name = "PiVPN OVPN File"' | jq '.type = 2' | jq -r --arg VAL "$OVPN_FILE" '.notes = $VAL' | jq ".secureNote = $(bw get template item.secureNote)" | bw encode | bw create item + bw logout + exit + fi + # Copy the .ovpn profile to the home directory for convenient remote access cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" From 5862d15d60da4ca287997dce148dc8beb0322002 Mon Sep 17 00:00:00 2001 From: IcedComputer <31418197+IcedComputer@users.noreply.github.com> Date: Tue, 27 Aug 2019 12:42:53 -0700 Subject: [PATCH 22/27] Update scripts/makeOVPN.sh Co-Authored-By: Giraffe1966 <35208168+Giraffe1966@users.noreply.github.com> --- scripts/makeOVPN.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index 66a25c0..788873e 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -281,7 +281,7 @@ if [ "$iOS" = "1" ]; then printf "========================================================\n" openssl pkcs12 -passin pass:$PASSWD -passin pass:$PASSWD -export -in issued/${NAME}${CRT} -inkey private/${NAME}${KEY} -certfile ${CA} -name ${NAME} -out /home/$INSTALL_USER/ovpns/$NAME.ovpn12 chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME.ovpn12" - chmod o-r "/home/$INSTALL_USER/ovpns/$NAME.ovpn12" + chmod 600 "/home/$INSTALL_USER/ovpns/$NAME.ovpn12" printf "========================================================\n" printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME.ovpn12" printf "You will need to transfer both the .ovpn and .ovpn12 files\n" From f6beac87d7a51c936f3d7117e67ab0f34b610ed0 Mon Sep 17 00:00:00 2001 From: IcedComputer <31418197+IcedComputer@users.noreply.github.com> Date: Tue, 27 Aug 2019 12:44:37 -0700 Subject: [PATCH 23/27] changed password parameter Removed typo and changed -passin pass:$PASSWD to -passin env:$PASSWD --- scripts/makeOVPN.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index 788873e..11a59ab 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -279,7 +279,7 @@ if [ "$iOS" = "1" ]; then printf "Please remember the export password\n" printf "as you will need this import the certificate on your iOS device\n" printf "========================================================\n" - openssl pkcs12 -passin pass:$PASSWD -passin pass:$PASSWD -export -in issued/${NAME}${CRT} -inkey private/${NAME}${KEY} -certfile ${CA} -name ${NAME} -out /home/$INSTALL_USER/ovpns/$NAME.ovpn12 + openssl pkcs12 -passin env:$PASSWD -export -in issued/${NAME}${CRT} -inkey private/${NAME}${KEY} -certfile ${CA} -name ${NAME} -out /home/$INSTALL_USER/ovpns/$NAME.ovpn12 chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME.ovpn12" chmod 600 "/home/$INSTALL_USER/ovpns/$NAME.ovpn12" printf "========================================================\n" From 09c518408e9e702ae9e6b8b7f25a13a1526820a0 Mon Sep 17 00:00:00 2001 From: IcedComputer <31418197+IcedComputer@users.noreply.github.com> Date: Tue, 27 Aug 2019 12:50:34 -0700 Subject: [PATCH 24/27] Update install.sh --- auto_install/install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index dac2fea..3a6c978 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -747,8 +747,8 @@ setCustomDomain() { confOpenVPN() { # Grab the existing Hostname HOST_NAME=$(hostname -s) - # Generate a random, alphanumeric identifier of 16 characters for this server so that we can use verify-x509-name later that is unique for this server installation. Source: Earthgecko (https://gist.github.com/earthgecko/3089509) - NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) + # Generate a random UUID for this server so that we can use verify-x509-name later that is unique for this server installation. + NEW_UUID=$uuidgen -r # Create a unique server name using the host name and UUID SERVER_NAME="${HOST_NAME}_${NEW_UUID}" From efb845365159c72970c6adc7b74ce19be88e1533 Mon Sep 17 00:00:00 2001 From: IcedComputer <31418197+IcedComputer@users.noreply.github.com> Date: Tue, 27 Aug 2019 12:54:59 -0700 Subject: [PATCH 25/27] Update install.sh added uuidgen dependency and changed method of server name generation. --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 3a6c978..c3b64c0 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -21,7 +21,7 @@ PKG_CACHE="/var/lib/apt/lists/" UPDATE_PKG_CACHE="${PKG_MANAGER} update" PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install" PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true" -PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools) +PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools uuidgen) ### ### pivpnGitUrl="https://github.com/pivpn/pivpn.git" From 64353e337b8ed4419e57b714f7feffe5fa472181 Mon Sep 17 00:00:00 2001 From: IcedComputer <31418197+IcedComputer@users.noreply.github.com> Date: Tue, 27 Aug 2019 15:20:00 -0700 Subject: [PATCH 26/27] Update install.sh --- auto_install/install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 71bd0f3..5e4354b 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -21,7 +21,7 @@ PKG_CACHE="/var/lib/apt/lists/" UPDATE_PKG_CACHE="${PKG_MANAGER} update" PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install" PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true" -PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools grepcidr jq uuidgen) +PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools grepcidr jq) ### ### @@ -763,7 +763,7 @@ confOpenVPN() { # Grab the existing Hostname HOST_NAME=$(hostname -s) # Generate a random UUID for this server so that we can use verify-x509-name later that is unique for this server installation. - NEW_UUID=$uuidgen -r + $NEW_UUID=$( Date: Tue, 27 Aug 2019 15:46:56 -0700 Subject: [PATCH 27/27] Update install.sh --- auto_install/install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 5e4354b..fd96ff0 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -763,8 +763,8 @@ confOpenVPN() { # Grab the existing Hostname HOST_NAME=$(hostname -s) # Generate a random UUID for this server so that we can use verify-x509-name later that is unique for this server installation. - $NEW_UUID=$(