Pi-hole/pivpn
Pi-hole/pivpn
1
0
Fork 0
mirror of https://github.com/pivpn/pivpn.git synced 2024-12-18 19:00:15 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'test' into master

Browse source
This commit is contained in:
4s3ti 2019-09-01 15:32:56 +02:00 committed by GitHub
commit 1bd8169aa6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 353 additions and 69 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

103
auto_install/install.sh
View file

@ -21,7 +21,8 @@ PKG_CACHE="/var/lib/apt/lists/"
UPDATE_PKG_CACHE="${PKG_MANAGER} update" UPDATE_PKG_CACHE="${PKG_MANAGER} update"
PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install" PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install"
PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true" PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true"
PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools) PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools grepcidr jq)
### ### ### ###
pivpnGitUrl="https://github.com/pivpn/pivpn.git" pivpnGitUrl="https://github.com/pivpn/pivpn.git"
@ -92,18 +93,19 @@ distro_check() {
source /etc/os-release source /etc/os-release
PLAT=$(awk '{print $1}' <<< "$NAME") PLAT=$(awk '{print $1}' <<< "$NAME")
VER="$VERSION_ID" VER="$VERSION_ID"
declare -A VER_MAP=(["9"]="stretch" ["8"]="jessie" ["18.04"]="bionic" ["16.04"]="xenial" ["14.04"]="trusty") declare -A VER_MAP=(["10"]="buster" ["9"]="stretch" ["8"]="jessie" ["18.04"]="bionic" ["16.04"]="xenial" ["14.04"]="trusty")
OSCN=${VER_MAP["${VER}"]} OSCN=${VER_MAP["${VER}"]}
fi fi
if [[ ${OSCN} != "bionic" ]]; then if [[ ${OSCN} != "bionic" ]]; then
PIVPN_DEPS+=(dhcpcd5) PIVPN_DEPS+=(dhcpcd5)
fi fi
case ${PLAT} in case ${PLAT} in
Ubuntu|Raspbian|Debian|Devuan) Ubuntu|Raspbian|Debian|Devuan)
case ${OSCN} in case ${OSCN} in
trusty|xenial|jessie|stretch) trusty|xenial|jessie|stretch|buster)
;; ;;
*) *)
maybeOS_Support maybeOS_Support
@ -474,11 +476,21 @@ notify_package_updates_available() {
fi fi
} }
install_bitwarden() {
# Install Bitwarden through NPM - this is the preferred installation method since NPM makes it easy to update the package
apt-get install -y nodejs npm
npm install -g @bitwarden/cli
}
install_dependent_packages() { install_dependent_packages() {
# Install packages passed in via argument array # Install packages passed in via argument array
# No spinner - conflicts with set -e # No spinner - conflicts with set -e
declare -a argArray1=("${!1}") declare -a argArray1=("${!1}")
if [[ ${OSCN} == "buster" ]]; then
$SUDO update-alternatives --set iptables /usr/sbin/iptables-legacy
$SUDO update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
fi
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections
@ -528,7 +540,7 @@ getGitFiles() {
echo ":::" echo ":::"
echo "::: Checking for existing base files..." echo "::: Checking for existing base files..."
if is_repo "${1}"; then if is_repo "${1}"; then
update_repo "${1}" update_repo "${1}" "${2}"
else else
make_repo "${1}" "${2}" make_repo "${1}" "${2}"
fi fi
@ -561,6 +573,9 @@ update_repo() {
# Pull the latest commits # Pull the latest commits
echo -n "::: Updating repo in $1..." echo -n "::: Updating repo in $1..."
$SUDO rm -rf "${1}" $SUDO rm -rf "${1}"
# Go back to /etc otherwhise git will complain when the current working directory has
# just been deleted (/etc/.pivpn).
cd /etc
$SUDO git clone -q --depth 1 --no-single-branch "${2}" "${1}" > /dev/null & spinner $! $SUDO git clone -q --depth 1 --no-single-branch "${2}" "${1}" > /dev/null & spinner $!
cd "${1}" || exit 1 cd "${1}" || exit 1
if [ -z "${TESTING+x}" ]; then if [ -z "${TESTING+x}" ]; then
@ -664,7 +679,7 @@ setClientDNS() {
do do
strInvalid="Invalid" strInvalid="Invalid"
if OVPNDNS=$(whiptail --backtitle "Specify Upstream DNS Provider(s)" --inputbox "Enter your desired upstream DNS provider(s), seperated by a comma.\n\nFor example '8.8.8.8, 8.8.4.4'" ${r} ${c} "" 3>&1 1>&2 2>&3) if OVPNDNS=$(whiptail --backtitle "Specify Upstream DNS Provider(s)" --inputbox "Enter your desired upstream DNS provider(s), separated by a comma.\n\nFor example '8.8.8.8, 8.8.4.4'" ${r} ${c} "" 3>&1 1>&2 2>&3)
then then
OVPNDNS1=$(echo "$OVPNDNS" | sed 's/[, \t]\+/,/g' | awk -F, '{print$1}') OVPNDNS1=$(echo "$OVPNDNS" | sed 's/[, \t]\+/,/g' | awk -F, '{print$1}')
OVPNDNS2=$(echo "$OVPNDNS" | sed 's/[, \t]\+/,/g' | awk -F, '{print$2}') OVPNDNS2=$(echo "$OVPNDNS" | sed 's/[, \t]\+/,/g' | awk -F, '{print$2}')
@ -745,15 +760,22 @@ setCustomDomain() {
} }
confOpenVPN() { confOpenVPN() {
# Generate a random, alphanumeric identifier of 16 characters for this server so that we can use verify-x509-name later that is unique for this server installation. Source: Earthgecko (https://gist.github.com/earthgecko/3089509) # Grab the existing Hostname
NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) HOST_NAME=$(hostname -s)
SERVER_NAME="server_${NEW_UUID}" # Generate a random UUID for this server so that we can use verify-x509-name later that is unique for this server installation.
NEW_UUID=$(</proc/sys/kernel/random/uuid)
# Create a unique server name using the host name and UUID
SERVER_NAME="${HOST_NAME}_${NEW_UUID}"
declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1")
if [[ ${useUpdateVars} == false ]]; then if [[ ${useUpdateVars} == false ]]; then
# Ask user for desired level of encryption # Ask user for desired level of encryption
if [[ ${useUpdateVars} == false ]]; then if [[ ${useUpdateVars} == false ]]; then
if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]]; then
if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]] && [[ ${OSCN} != "buster" ]] ; then
APPLY_TWO_POINT_FOUR=false APPLY_TWO_POINT_FOUR=false
else else
if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno "OpenVPN 2.4 brings support for stronger authentication and key exchange using Elliptic Curves, along with encrypted control channel.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno "OpenVPN 2.4 brings support for stronger authentication and key exchange using Elliptic Curves, along with encrypted control channel.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then
@ -779,9 +801,8 @@ confOpenVPN() {
else else
declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1")
ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA certificate size" --radiolist \ ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA certificate size" --radiolist \
"Choose the desired size of your certificate (press space to select):\n This is an certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \ "Choose the desired size of your certificate (press space to select):\n This is a certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \
"256" "Use a 256-bit certificate (recommended level)" ON \ "256" "Use a 256-bit certificate (recommended level)" ON \
"384" "Use a 384-bit certificate" OFF \ "384" "Use a 384-bit certificate" OFF \
"521" "Use a 521-bit certificate (paranoid level)" OFF 3>&1 1>&2 2>&3) "521" "Use a 521-bit certificate (paranoid level)" OFF 3>&1 1>&2 2>&3)
@ -847,7 +868,7 @@ EOF
fi fi
# Build the server # Build the server
${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass EASYRSA_CERT_EXPIRE=3650 ${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass
if [[ ${useUpdateVars} == false ]]; then if [[ ${useUpdateVars} == false ]]; then
if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then
@ -963,8 +984,21 @@ confNetwork() {
$SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
# Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic) # Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic)
$SUDO ufw insert 1 allow "$PORT"/"$PROTO" >/dev/null $SUDO ufw insert 1 allow "$PORT"/"$PROTO" >/dev/null
# https://askubuntu.com/a/712202
INSTALLED_UFW=$(dpkg-query --showformat='${Version}' --show ufw)
MINIMUM_UFW=0.34
if $SUDO dpkg --compare-versions "$INSTALLED_UFW" ge "$MINIMUM_UFW"; then
# Don't forward everything, just the traffic originated from the VPN subnet # Don't forward everything, just the traffic originated from the VPN subnet
$SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null $SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
echo 0 > /tmp/OLD_UFW
else
# This ufw version does not support route command, fallback to policy change
$SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw
echo 1 > /tmp/OLD_UFW
fi
$SUDO ufw reload >/dev/null $SUDO ufw reload >/dev/null
echo "::: UFW configuration completed." echo "::: UFW configuration completed."
fi fi
@ -974,7 +1008,43 @@ confNetwork() {
# else configure iptables # else configure iptables
if [[ $noUFW -eq 1 ]]; then if [[ $noUFW -eq 1 ]]; then
echo 1 > /tmp/noUFW echo 1 > /tmp/noUFW
# Now some checks to detect which rules we need to add. On a newly installed system all policies
# should be ACCEPT, so the only required rule would be the MASQUERADE one.
$SUDO iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE $SUDO iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE
# Count how many rules are in the INPUT and FORWARD chain. When parsing input from
# iptables -S, '^-P' skips the policies and 'ufw-' skips ufw chains (in case ufw was found
# installed but not enabled).
# Grep returns non 0 exit code where there are no matches, however that would make the script exit,
# for this reasons we use '|| true' to force exit code 0
INPUT_RULES_COUNT="$($SUDO iptables -S INPUT | grep -vcE '(^-P|ufw-)' || true)"
FORWARD_RULES_COUNT="$($SUDO iptables -S FORWARD | grep -vcE '(^-P|ufw-)' || true)"
INPUT_POLICY="$($SUDO iptables -S INPUT | grep '^-P' | awk '{print $3}')"
FORWARD_POLICY="$($SUDO iptables -S FORWARD | grep '^-P' | awk '{print $3}')"
# If rules count is not zero, we assume we need to explicitly allow traffic. Same conclusion if
# there are no rules and the policy is not ACCEPT. Note that rules are being added to the top of the
# chain (using -I).
if [ "$INPUT_RULES_COUNT" -ne 0 ] || [ "$INPUT_POLICY" != "ACCEPT" ]; then
$SUDO iptables -I INPUT 1 -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT
INPUT_CHAIN_EDITED=1
else
INPUT_CHAIN_EDITED=0
fi
if [ "$FORWARD_RULES_COUNT" -ne 0 ] || [ "$FORWARD_POLICY" != "ACCEPT" ]; then
$SUDO iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$SUDO iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
FORWARD_CHAIN_EDITED=1
else
FORWARD_CHAIN_EDITED=0
fi
case ${PLAT} in case ${PLAT} in
Ubuntu|Debian|Devuan) Ubuntu|Debian|Devuan)
$SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null $SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null
@ -987,7 +1057,13 @@ confNetwork() {
echo 0 > /tmp/noUFW echo 0 > /tmp/noUFW
fi fi
echo "$INPUT_CHAIN_EDITED" > /tmp/INPUT_CHAIN_EDITED
echo "$FORWARD_CHAIN_EDITED" > /tmp/FORWARD_CHAIN_EDITED
$SUDO cp /tmp/noUFW /etc/pivpn/NO_UFW $SUDO cp /tmp/noUFW /etc/pivpn/NO_UFW
$SUDO cp /tmp/OLD_UFW /etc/pivpn/OLD_UFW
$SUDO cp /tmp/INPUT_CHAIN_EDITED /etc/pivpn/INPUT_CHAIN_EDITED
$SUDO cp /tmp/FORWARD_CHAIN_EDITED /etc/pivpn/FORWARD_CHAIN_EDITED
} }
confOVPN() { confOVPN() {
@ -1295,6 +1371,9 @@ main() {
# Notify user of package availability # Notify user of package availability
notify_package_updates_available notify_package_updates_available
# Install packages for Bitwarden
install_bitwarden
# Install packages used by this installation script # Install packages used by this installation script
install_dependent_packages PIVPN_DEPS[@] install_dependent_packages PIVPN_DEPS[@]

2
pivpn
View file

@ -58,6 +58,7 @@ function helpFunc {
echo ":::" echo ":::"
echo "::: Commands:" echo "::: Commands:"
echo "::: -a, add [nopass] Create a client ovpn profile, optional nopass" echo "::: -a, add [nopass] Create a client ovpn profile, optional nopass"
echo "::: -b,--bitwarden Create and save a client through Bitwarden"
echo "::: -c, clients List any connected clients to the server" echo "::: -c, clients List any connected clients to the server"
echo "::: -d, debug Start a debugging session if having trouble" echo "::: -d, debug Start a debugging session if having trouble"
echo "::: -l, list List all valid and revoked certificates" echo "::: -l, list List all valid and revoked certificates"
@ -74,6 +75,7 @@ fi
# Handle redirecting to specific functions based on arguments # Handle redirecting to specific functions based on arguments
case "$1" in case "$1" in
"-a" | "add" ) makeOVPNFunc "$@";; "-a" | "add" ) makeOVPNFunc "$@";;
"-b" | "bitwarden" ) makeOVPNFunc "$@";;
"-c" | "clients" ) listClientsFunc;; "-c" | "clients" ) listClientsFunc;;
"-d" | "debug" ) debugFunc;; "-d" | "debug" ) debugFunc;;
"-l" | "list" ) listOVPNFunc;; "-l" | "list" ) listOVPNFunc;;

150
scripts/makeOVPN.sh
View file

@ -13,14 +13,16 @@ INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
helpFunc() { helpFunc() {
echo "::: Create a client ovpn profile, optional nopass" echo "::: Create a client ovpn profile, optional nopass"
echo ":::" echo ":::"
echo "::: Usage: pivpn <-a|add> [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-d|--days <number>] [-h|--help]" echo "::: Usage: pivpn <-a|add> [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-d|--days <number>] [-i|--iOS] [-h|--help]"
echo ":::" echo ":::"
echo "::: Commands:" echo "::: Commands:"
echo "::: [none] Interactive mode" echo "::: [none] Interactive mode"
echo "::: nopass Create a client without a password" echo "::: nopass Create a client without a password"
echo "::: -b,--bitwarden Create and save a client through Bitwarden"
echo "::: -d,--days Expire the certificate after specified number of days (default: 1080)" echo "::: -d,--days Expire the certificate after specified number of days (default: 1080)"
echo "::: -n,--name Name for the Client (default: '"$(hostname)"')" echo "::: -n,--name Name for the Client (default: '"$(hostname)"')"
echo "::: -p,--password Password for the Client (no default)" echo "::: -p,--password Password for the Client (no default)"
echo "::: -i,--iOS Generate a certificate that leverages iOS keychain"
echo "::: -h,--help Show this help dialog" echo "::: -h,--help Show this help dialog"
} }
@ -59,6 +61,9 @@ do
fi fi
DAYS="$_val" DAYS="$_val"
;; ;;
-i|--iOS)
iOS=1
;;
-h|--help) -h|--help)
helpFunc helpFunc
exit 0 exit 0
@ -66,6 +71,9 @@ do
nopass) nopass)
NO_PASS="1" NO_PASS="1"
;; ;;
-b|--bitwarden)
BITWARDEN="2"
;;
*) *)
echo "Error: Got an unexpected argument '$1'" echo "Error: Got an unexpected argument '$1'"
helpFunc helpFunc
@ -91,6 +99,52 @@ EOF
} }
function useBitwarden() {
# login and unlock vault
printf "****Bitwarden Login****"
printf "\n"
SESSION_KEY=`bw login --raw`
export BW_SESSION=$SESSION_KEY
printf "Successfully Logged in!"
printf "\n"
# ask user for username
printf "Enter the username: "
read -r NAME
# check name
until [[ "$NAME" =~ ^[a-zA-Z0-9.@_-]+$ && ${NAME::1} != "." && ${NAME::1} != "-" ]]
do
echo "Name can only contain alphanumeric characters and these characters (.-@_). The name also cannot start with a dot (.) or a dash (-). Please try again."
# ask user for username again
printf "Enter the username: "
read -r NAME
done
# ask user for length of password
printf "Please enter the length of characters you want your password to be (minimum 12): "
read -r LENGTH
# check length
until [[ "$LENGTH" -gt 11 && "$LENGTH" -lt 129 ]]
do
echo "Password must be between from 12 to 128 characters, please try again."
# ask user for length of password
printf "Enter the length of characters you want your password to be (minimum 12): "
read -r LENGTH
done
printf "Creating a PiVPN item for your vault..."
printf "\n"
# create a new item for your PiVPN Password
PASSWD=`bw generate -usln --length $LENGTH`
bw get template item | jq '.login.type = "1"'| jq '.name = "PiVPN"' | jq -r --arg NAME "$NAME" '.login.username = $NAME' | jq -r --arg PASSWD "$PASSWD" '.login.password = $PASSWD' | bw encode | bw create item
bw logout
}
function keyPASS() { function keyPASS() {
if [[ -z "${PASSWD}" ]]; then if [[ -z "${PASSWD}" ]]; then
@ -137,6 +191,11 @@ EOF
} }
# bitWarden first
if [[ "${BITWARDEN}" =~ "2" ]]; then
useBitwarden
fi
if [ -z "${NAME}" ]; then if [ -z "${NAME}" ]; then
printf "Enter a Name for the Client: " printf "Enter a Name for the Client: "
read -r NAME read -r NAME
@ -147,7 +206,7 @@ if [[ ${NAME::1} == "." ]] || [[ ${NAME::1} == "-" ]]; then
exit 1 exit 1
fi fi
if [[ "${NAME}" =~ [^a-zA-Z0-9\.\-\@\_] ]]; then if [[ "${NAME}" =~ [^a-zA-Z0-9.@_-] ]]; then
echo "Name can only contain alphanumeric characters and these characters (.-@_)." echo "Name can only contain alphanumeric characters and these characters (.-@_)."
exit 1 exit 1
fi fi
@ -228,15 +287,65 @@ if [ ! -f "${CA}" ]; then
fi fi
echo "CA public Key found: $CA" echo "CA public Key found: $CA"
#Confirm the tls-auth ta key file exists #Confirm the tls key file exists
if [ ! -f "${TA}" ]; then if [ ! -f "${TA}" ]; then
echo "[ERROR]: tls-auth Key not found: $TA" echo "[ERROR]: tls Private Key not found: $TA"
exit exit
fi fi
echo "tls-auth Private Key found: $TA" echo "tls Private Key found: $TA"
## Added new step to create an .ovpn12 file that can be stored on iOS keychain
## This step is more secure method and does not require the end-user to keep entering passwords, or storing the client private cert where it can be easily tampered
## https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/
if [ "$iOS" = "1" ]; then
#Generates the .ovpn file WITHOUT the client private key
{
# Start by populating with the default file
cat "${DEFAULT}"
#Now, append the CA Public Cert
echo "<ca>"
cat "${CA}"
echo "</ca>"
#Next append the client Public Cert
echo "<cert>"
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "issued/${NAME}${CRT}"
echo "</cert>"
#Finally, append the TA Private Key
if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then
echo "<tls-crypt>"
cat "${TA}"
echo "</tls-crypt>"
else
echo "<tls-auth>"
cat "${TA}"
echo "</tls-auth>"
fi
} > "${NAME}${FILEEXT}"
# Copy the .ovpn profile to the home directory for convenient remote access
printf "========================================================\n"
printf "Generating an .ovpn12 file for use with iOS devices\n"
printf "Please remember the export password\n"
printf "as you will need this import the certificate on your iOS device\n"
printf "========================================================\n"
openssl pkcs12 -passin env:$PASSWD -export -in issued/${NAME}${CRT} -inkey private/${NAME}${KEY} -certfile ${CA} -name ${NAME} -out /home/$INSTALL_USER/ovpns/$NAME.ovpn12
chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME.ovpn12"
chmod 600 "/home/$INSTALL_USER/ovpns/$NAME.ovpn12"
printf "========================================================\n"
printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME.ovpn12"
printf "You will need to transfer both the .ovpn and .ovpn12 files\n"
printf "to your iOS device.\n"
printf "========================================================\n\n"
else
#This is the standard non-iOS configuration
#Ready to make a new .ovpn file #Ready to make a new .ovpn file
{ {
# Start by populating with the default file # Start by populating with the default file
cat "${DEFAULT}" cat "${DEFAULT}"
@ -255,7 +364,7 @@ echo "tls-auth Private Key found: $TA"
cat "private/${NAME}${KEY}" cat "private/${NAME}${KEY}"
echo "</key>" echo "</key>"
#Finally, append the TA Private Key #Finally, append the tls Private Key
if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then
echo "<tls-crypt>" echo "<tls-crypt>"
cat "${TA}" cat "${TA}"
@ -266,7 +375,32 @@ echo "tls-auth Private Key found: $TA"
echo "</tls-auth>" echo "</tls-auth>"
fi fi
} > "${NAME}${FILEEXT}" } > "${NAME}${FILEEXT}"
fi
if [ ! -d "/home/$INSTALL_USER/ovpns" ]; then
mkdir "/home/$INSTALL_USER/ovpns"
chmod 0777 -R "/home/$INSTALL_USER/ovpns"
fi
# If user is using Bitwarden, have them login again to submit their .ovpn file to their vault
printf "Would you like to export your .ovpn file to your Bitwarden vault? (y or n)"
read -r RESPONSE
if [ $RESPONSE == "y" ] || [ $RESPONSE == "Y" ]; then
$OVPN_FILE="$(< "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT")"
# Login to Bitwarden
printf "****Bitwarden Login****"
printf "\n"
SESSION_KEY=`bw login --raw`
export BW_SESSION=$SESSION_KEY
printf "Successfully Logged in!"
printf "\n"
# Create a Bitwarden secure note to export the .ovpn file
bw get template item | jq '.name = "PiVPN OVPN File"' | jq '.type = 2' | jq -r --arg VAL "$OVPN_FILE" '.notes = $VAL' | jq ".secureNote = $(bw get template item.secureNote)" | bw encode | bw create item
bw logout
exit
fi
# Copy the .ovpn profile to the home directory for convenient remote access # Copy the .ovpn profile to the home directory for convenient remote access
INSTALL_HOME=$(cat /etc/passwd | grep "$INSTALL_USER" | cut -d: -f6) INSTALL_HOME=$(cat /etc/passwd | grep "$INSTALL_USER" | cut -d: -f6)

69
scripts/pivpnDebug.sh
View file

@ -5,6 +5,10 @@ PORT=$(cat /etc/pivpn/INSTALL_PORT)
PROTO=$(cat /etc/pivpn/INSTALL_PROTO) PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
REMOTE="$(grep 'remote ' /etc/openvpn/easy-rsa/pki/Default.txt | awk '{print $2}')" REMOTE="$(grep 'remote ' /etc/openvpn/easy-rsa/pki/Default.txt | awk '{print $2}')"
NO_UFW=$(cat /etc/pivpn/NO_UFW)
OLD_UFW=$(cat /etc/pivpn/NO_UFW)
INPUT_CHAIN_EDITED="$(cat /etc/pivpn/INPUT_CHAIN_EDITED)"
FORWARD_CHAIN_EDITED="$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)"
ERR=0 ERR=0
echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::" echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::"
@ -13,8 +17,9 @@ echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::"
git --git-dir /etc/.pivpn/.git log -n 1 git --git-dir /etc/.pivpn/.git log -n 1
printf "=============================================\n" printf "=============================================\n"
echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::" echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::"
# Use the wildcard so setupVars.conf.update.bak from the previous install is not shown
for filename in /etc/pivpn/*; do for filename in /etc/pivpn/*; do
if [ "$filename" != "/etc/pivpn/setupVars.conf" ]; then if [[ "$filename" != "/etc/pivpn/setupVars.conf"* ]]; then
echo "$filename -> $(cat "$filename")" echo "$filename -> $(cat "$filename")"
fi fi
done done
@ -45,7 +50,7 @@ else
fi fi
fi fi
if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then if [ "$NO_UFW" -eq 1 ]; then
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set" echo ":: [OK] Iptables MASQUERADE rule set"
@ -56,11 +61,42 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then
iptables -t nat -F iptables -t nat -F
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE
iptables-save > /etc/iptables/rules.v4 iptables-save > /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4
echo "Done" echo "Done"
fi fi
fi fi
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then
echo ":: [OK] Iptables INPUT rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
iptables -I INPUT 1 -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT
iptables-save > /etc/iptables/rules.v4
echo "Done"
fi
fi
fi
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then
echo ":: [OK] Iptables FORWARD rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
iptables-save > /etc/iptables/rules.v4
echo "Done"
fi
fi
fi
else else
if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
@ -97,6 +133,20 @@ else
fi fi
fi fi
if [ "$OLD_UFW" -eq 1 ]; then
FORWARD_POLICY="$(iptables -S FORWARD | grep '^-P' | awk '{print $3}')"
if [ "$FORWARD_POLICY" = "ACCEPT" ]; then
echo ":: [OK] Ufw forwarding policy is accept"
else
ERR=1
read -r -p ":: [ERR] Ufw forwarding policy is not 'ACCEPT', attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw
ufw reload > /dev/null
echo "Done"
fi
fi
else
if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw forwarding rule set" echo ":: [OK] Ufw forwarding rule set"
else else
@ -108,6 +158,7 @@ else
echo "Done" echo "Done"
fi fi
fi fi
fi
fi fi
@ -151,7 +202,17 @@ fi
printf "=============================================\n" printf "=============================================\n"
echo -e ":::: \e[4mSnippet of the server log\e[0m ::::" echo -e ":::: \e[4mSnippet of the server log\e[0m ::::"
tail -20 /var/log/openvpn.log tail -20 /var/log/openvpn.log > /tmp/snippet
# Regular expession taken from https://superuser.com/a/202835, it will match invalid IPs
# like 123.456.789.012 but it's fine because the log only contains valid ones.
declare -a IPS_TO_HIDE=($(grepcidr -v 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 /tmp/snippet | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | uniq))
for IP in "${IPS_TO_HIDE[@]}"; do
sed -i "s/$IP/REDACTED/g" /tmp/snippet
done
cat /tmp/snippet
rm /tmp/snippet
printf "=============================================\n" printf "=============================================\n"
echo -e "::::\t\t\e[4mDebug complete\e[0m\t\t ::::" echo -e "::::\t\t\e[4mDebug complete\e[0m\t\t ::::"

1
scripts/removeOVPN.sh
View file

@ -114,6 +114,7 @@ for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
rm -rf "pki/reqs/${CERTS_TO_REVOKE[ii]}.req" rm -rf "pki/reqs/${CERTS_TO_REVOKE[ii]}.req"
rm -rf "pki/private/${CERTS_TO_REVOKE[ii]}.key" rm -rf "pki/private/${CERTS_TO_REVOKE[ii]}.key"
rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt" rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt"
rm -rf "${INSTALL_HOME}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn" rm -rf "${INSTALL_HOME}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn"
rm -rf "/etc/openvpn/easy-rsa/pki/${CERTS_TO_REVOKE[ii]}.ovpn" rm -rf "/etc/openvpn/easy-rsa/pki/${CERTS_TO_REVOKE[ii]}.ovpn"
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem

71
scripts/uninstall.sh
View file

@ -1,28 +1,16 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# PiVPN: Uninstall Script # PiVPN: Uninstall Script
# Must be root to uninstall
if [[ $EUID -eq 0 ]];then
echo "::: You are root."
else
echo "::: Sudo will be used for the uninstall."
# Check if it is actually installed
# If it isn't, exit because the unnstall cannot complete
if [[ $(dpkg-query -s sudo) ]];then
export SUDO="sudo"
else
echo "::: Please install sudo or run this as root."
exit 1
fi
fi
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
INSTALL_HOME=$(cat /etc/passwd | grep "$INSTALL_USER" | cut -d: -f6) INSTALL_HOME=$(cat /etc/passwd | grep "$INSTALL_USER" | cut -d: -f6)
PLAT=$(cat /etc/pivpn/DET_PLATFORM) PLAT=$(cat /etc/pivpn/DET_PLATFORM)
NO_UFW=$(cat /etc/pivpn/NO_UFW) NO_UFW=$(cat /etc/pivpn/NO_UFW)
OLD_UFW=$(cat /etc/pivpn/NO_UFW)
PORT=$(cat /etc/pivpn/INSTALL_PORT) PORT=$(cat /etc/pivpn/INSTALL_PORT)
PROTO=$(cat /etc/pivpn/INSTALL_PROTO) PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
INPUT_CHAIN_EDITED="$(cat /etc/pivpn/INPUT_CHAIN_EDITED)"
FORWARD_CHAIN_EDITED="$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)"
# Find the rows and columns. Will default to 80x24 if it can not be detected. # Find the rows and columns. Will default to 80x24 if it can not be detected.
screen_size=$(stty size 2>/dev/null || echo 24 80) screen_size=$(stty size 2>/dev/null || echo 24 80)
@ -60,7 +48,7 @@ echo ":::"
while true; do while true; do
read -rp "::: Do you wish to remove $i from your system? [y/n]: " yn read -rp "::: Do you wish to remove $i from your system? [y/n]: " yn
case $yn in case $yn in
[Yy]* ) printf ":::\tRemoving %s..." "$i"; $SUDO apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n"; [Yy]* ) printf ":::\tRemoving %s..." "$i"; apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n";
if [ "$i" == "openvpn" ]; then UINST_OVPN=1 ; fi if [ "$i" == "openvpn" ]; then UINST_OVPN=1 ; fi
if [ "$i" == "unattended-upgrades" ]; then UINST_UNATTUPG=1 ; fi if [ "$i" == "unattended-upgrades" ]; then UINST_UNATTUPG=1 ; fi
break;; break;;
@ -75,44 +63,63 @@ echo ":::"
# Take care of any additional package cleaning # Take care of any additional package cleaning
printf "::: Auto removing remaining dependencies..." printf "::: Auto removing remaining dependencies..."
$SUDO apt-get -y autoremove &> /dev/null & spinner $!; printf "done!\n"; apt-get -y autoremove &> /dev/null & spinner $!; printf "done!\n";
printf "::: Auto cleaning remaining dependencies..." printf "::: Auto cleaning remaining dependencies..."
$SUDO apt-get -y autoclean &> /dev/null & spinner $!; printf "done!\n"; apt-get -y autoclean &> /dev/null & spinner $!; printf "done!\n";
echo ":::" echo ":::"
# Removing pivpn files # Removing pivpn files
echo "::: Removing pivpn system files..." echo "::: Removing pivpn system files..."
$SUDO rm -rf /opt/pivpn &> /dev/null $SUDO rm -rf /opt/pivpn &> /dev/null
$SUDO rm -rf /etc/.pivpn &> /dev/null $SUDO rm -rf /etc/.pivpn &> /dev/null
$SUDO rm -rf $INSTALL_HOME/ovpns &> /dev/null $SUDO rm -rf $INSTALL_HOME/ovpns &> /dev/null
$SUDO rm -rf /var/log/*pivpn* &> /dev/null rm -rf /var/log/*pivpn* &> /dev/null
$SUDO rm -rf /var/log/*openvpn* &> /dev/null rm -rf /var/log/*openvpn* &> /dev/null
if [[ $UINST_OVPN = 1 ]]; then if [[ $UINST_OVPN = 1 ]]; then
$SUDO rm -rf /etc/openvpn &> /dev/null rm -rf /etc/openvpn &> /dev/null
if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then
printf "::: Removing openvpn apt source..." printf "::: Removing openvpn apt source..."
$SUDO rm -rf /etc/apt/sources.list.d/swupdate.openvpn.net.list &> /dev/null rm -rf /etc/apt/sources.list.d/swupdate.openvpn.net.list &> /dev/null
$SUDO apt-get -qq update & spinner $!; printf "done!\n"; apt-get -qq update & spinner $!; printf "done!\n";
fi fi
fi fi
if [[ $UINST_UNATTUPG = 1 ]]; then if [[ $UINST_UNATTUPG = 1 ]]; then
$SUDO rm -rf /var/log/unattended-upgrades rm -rf /var/log/unattended-upgrades
$SUDO rm -rf /etc/apt/apt.conf.d/*periodic rm -rf /etc/apt/apt.conf.d/*periodic
fi fi
$SUDO rm -rf /etc/pivpn &> /dev/null rm -rf /etc/pivpn &> /dev/null
$SUDO rm /usr/local/bin/pivpn &> /dev/null rm /usr/local/bin/pivpn &> /dev/null
$SUDO rm /etc/bash_completion.d/pivpn rm /etc/bash_completion.d/pivpn
# Disable IPv4 forwarding # Disable IPv4 forwarding
sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf
sysctl -p sysctl -p
if [[ $NO_UFW -eq 0 ]]; then if [[ $NO_UFW -eq 0 ]]; then
$SUDO sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
$SUDO ufw delete allow "$PORT"/"$PROTO" >/dev/null sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
$SUDO ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null ufw delete allow "$PORT"/"$PROTO" >/dev/null
$SUDO ufw reload >/dev/null if [ "$OLD_UFW" -eq 1 ]; then
sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"DROP\"/" /etc/default/ufw
else
ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
fi
ufw reload >/dev/null
else
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
iptables -D INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT
fi
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
iptables -D FORWARD -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -D FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
fi
iptables-save > /etc/iptables/rules.v4
fi fi
echo ":::" echo ":::"