From f02f57d7211a6f86550c8bad89ee1668a301a482 Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 4 Sep 2018 12:06:52 +0200 Subject: [PATCH 01/28] Update install.sh --- auto_install/install.sh | 202 +++++++++++++++++++++++----------------- 1 file changed, 116 insertions(+), 86 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 9b27da7..eb459de 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -24,13 +24,16 @@ PKG_CACHE="/var/lib/apt/lists/" UPDATE_PKG_CACHE="${PKG_MANAGER} update" PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install" PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true" -PIVPN_DEPS=( openvpn git dhcpcd5 tar wget grep iptables-persistent dnsutils expect whiptail net-tools) +PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools) ### ### pivpnGitUrl="https://github.com/pivpn/pivpn.git" pivpnFilesDir="/etc/.pivpn" -easyrsaVer="3.0.1-pivpn1" -easyrsaRel="https://github.com/pivpn/easy-rsa/releases/download/${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz" +easyrsaVer="3.0.4" +easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz" + +# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config +UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/1.4.tar.gz" # Find the rows and columns. Will default to 80x24 if it can not be detected. screen_size=$(stty size 2>/dev/null || echo 24 80) 
@@ -80,37 +83,41 @@ Would you like to continue anyway?" ${r} ${c}) then # Compatibility distro_check() { - # if lsb_release command is on their system - if hash lsb_release 2>/dev/null; then + # if lsb_release command is on their system + if hash lsb_release 2>/dev/null; then - PLAT=$(lsb_release -si) - OSCN=$(lsb_release -sc) # We want this to be trusty xenial or jessie + PLAT=$(lsb_release -si) + OSCN=$(lsb_release -sc) # We want this to be trusty xenial or jessie - else # else get info from os-release + else # else get info from os-release - PLAT=$(grep "^NAME" /etc/os-release | awk -F "=" '{print $2}' | tr -d '"' | awk '{print $1}') - VER=$(grep "VERSION_ID" /etc/os-release | awk -F "=" '{print $2}' | tr -d '"') - declare -A VER_MAP=(["9"]="stretch" ["8"]="jessie" ["16.04"]="xenial" ["14.04"]="trusty") - OSCN=${VER_MAP["${VER}"]} + source /etc/os-release + PLAT=$(awk '{print $1}' <<< "$NAME") + VER="$VERSION_ID" + declare -A VER_MAP=(["9"]="stretch" ["8"]="jessie" ["18.04"]="bionic" ["16.04"]="xenial" ["14.04"]="trusty") + OSCN=${VER_MAP["${VER}"]} + fi - fi + if [[ ${OSCN} != "bionic" ]]; then + PIVPN_DEPS+=(dhcpcd5) + fi - case ${PLAT} in - Ubuntu|Raspbian|Debian|Devuan) - case ${OSCN} in - trusty|xenial|jessie|stretch) - ;; + case ${PLAT} in + Ubuntu|Raspbian|Debian|Devuan) + case ${OSCN} in + trusty|xenial|jessie|stretch) + ;; + *) + maybeOS_Support + ;; + esac + ;; *) - maybeOS_Support - ;; - esac - ;; - *) - noOS_Support - ;; - esac + noOS_Support + ;; + esac - echo "${PLAT}" > /tmp/DET_PLATFORM + echo "${PLAT}" > /tmp/DET_PLATFORM } ####### FUNCTIONS ########## 
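Review bot: The last line of distro_check still writes the detected platform to the fixed path `/tmp/DET_PLATFORM`, which any local user can pre-create or symlink before the installer runs. If the installer is invoked as root, that redirect follows whatever already sits at the path; keeping the value in a shell variable, or writing it under a directory from `mktemp -d`, removes the dependency on shared /tmp. The same pattern appears as context in the PATCH 06 confOVPN hunk, where `/tmp/pivpnUSR` is copied into `/etc/pivpn/INSTALL_USER` with `$SUDO`. Separately, `bionic` is added to `VER_MAP` but not to the `trusty|xenial|jessie|stretch)` arm, so 18.04 still takes the `maybeOS_Support` path; confirm that is intended.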
@@ -143,7 +150,7 @@ chooseUser() { # Explain the local user whiptail --msgbox --backtitle "Parsing User List" --title "Local Users" "Choose a local user that will hold your ovpn configurations." ${r} ${c} # First, let's check if there is a user available. - numUsers=$(awk -F':' 'BEGIN {count=0} $3>=500 && $3<=60000 { count++ } END{ print count }' /etc/passwd) + numUsers=$(awk -F':' 'BEGIN {count=0} $3>=1000 && $3<=60000 { count++ } END{ print count }' /etc/passwd) if [ "$numUsers" -eq 0 ] then # We don't have a user, let's ask to add one. @@ -163,7 +170,7 @@ chooseUser() { exit 1 fi fi - availableUsers=$(awk -F':' '$3>=500 && $3<=60000 {print $1}' /etc/passwd) + availableUsers=$(awk -F':' '$3>=1000 && $3<=60000 {print $1}' /etc/passwd) local userArray=() local firstloop=1 
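Review bot: Both awk filters in chooseUser hard-code the 1000-60000 UID window and read `/etc/passwd` directly, so the new lower bound matches Debian-family defaults but still ignores the host's `UID_MIN`/`UID_MAX` in `/etc/login.defs` and any accounts served through NSS. Consider building the list once from `getent passwd` and deriving both `numUsers` and `availableUsers` from it, so the count and the menu cannot disagree. The function body continues outside both hunks.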
@@ -696,11 +703,42 @@ confOpenVPN() { if [[ ${useUpdateVars} == false ]]; then # Ask user for desired level of encryption - ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "Encryption strength" --radiolist \ - "Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications, it is recommended to use 2048 bits. If you are testing, you can use 1024 bits to speed things up, but do not use this for normal use! If you are paranoid about ... things... then grab a cup of joe and pick 4096 bits." ${r} ${c} 3 \ - "1024" "Use 1024-bit encryption (testing only)" OFF \ - "2048" "Use 2048-bit encryption (recommended level)" ON \ - "4096" "Use 4096-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3) + + if [[ ${useUpdateVars} == false ]]; then + if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]]; then + APPLY_TWO_POINT_FOUR=false + else + if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno --defaultyes "OpenVPN 2.4 brings support for stronger authentication and key exchange using Elliptic Curves, along with encrypted control channel.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then + APPLY_TWO_POINT_FOUR=true + $SUDO touch /etc/pivpn/TWO_POINT_FOUR + else + APPLY_TWO_POINT_FOUR=false + fi + fi + fi + + if [[ ${runUnattended} == true ]] && [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then + $SUDO touch /etc/pivpn/TWO_POINT_FOUR + fi + + if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then + + ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "RSA encryption strength" --radiolist \ + "Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. 
The larger the key, the more time this will take. For most applications, it is recommended to use 2048 bits. If you are testing, you can use 1024 bits to speed things up, but do not use this for normal use! If you are paranoid about ... things... then grab a cup of joe and pick 4096 bits." ${r} ${c} 3 \ + "1024" "Use 1024-bit encryption (testing only)" OFF \ + "2048" "Use 2048-bit encryption (recommended level)" ON \ + "4096" "Use 4096-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3) + + else + + declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1") + ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA encryption strength" --radiolist \ + "Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \ + "256" "Use 256-bit encryption (recommended level)" ON \ + "384" "Use 384-bit encryption" OFF \ + "521" "Use 521-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3) + + fi exitstatus=$? if [ $exitstatus != 0 ]; then @@ -720,6 +758,8 @@ confOpenVPN() { $SUDO chown -R root:root /etc/openvpn/easy-rsa $SUDO mkdir /etc/openvpn/easy-rsa/pki + cd /etc/openvpn/easy-rsa || exit + # Write out new vars file set +e IFS= read -d '' String <<"EOF" 
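Review bot: The RSA radiolist re-added in this hunk still offers `"1024" "Use 1024-bit encryption (testing only)"`, and the selection is written to `EASYRSA_KEY_SIZE` in the later vars hunk, so a CA and server key of that size can end up on a production host. The project README quotes OpenVPN's guidance that 1024-bit keys are no longer sufficient; dropping the entry, or refusing it unless the user explicitly asked for a test install, would keep the menu consistent with that. The hunk also nests a second `if [[ ${useUpdateVars} == false ]]` directly inside the identical outer test, and the inner one can go. confOpenVPN starts and ends outside the hunk.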
@@ -729,17 +769,19 @@ if [ -z "$EASYRSA_CALLER" ]; then fi set_var EASYRSA "/etc/openvpn/easy-rsa" set_var EASYRSA_PKI "$EASYRSA/pki" -set_var EASYRSA_KEY_SIZE 2048 -set_var EASYRSA_ALGO rsa -set_var EASYRSA_CURVE secp384r1 +set_var EASYRSA_CRL_DAYS 3650 EOF - - echo "${String}" | $SUDO tee /etc/openvpn/easy-rsa/vars >/dev/null + echo "${String}" | $SUDO tee vars >/dev/null set -e - # Edit the KEY_SIZE variable in the vars file to set user chosen key size - cd /etc/openvpn/easy-rsa || exit - $SUDO sed -i "s/\(KEY_SIZE\).*/\1 ${ENCRYPT}/" vars + # Set certificate type + if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then + echo "set_var EASYRSA_ALGO rsa" >> vars + echo "set_var EASYRSA_KEY_SIZE ${ENCRYPT}" >> vars + else + echo "set_var EASYRSA_ALGO ec" >> vars + echo "set_var EASYRSA_CURVE ${ECDSA_MAP["${ENCRYPT}"]}" >> vars + fi # Remove any previous keys ${SUDOE} ./easyrsa --batch init-pki 
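Review bot: `${ECDSA_MAP["${ENCRYPT}"]}` is written into `vars` without checking that the lookup produced a curve name. `ECDSA_MAP` is declared only in the interactive ECDSA branch of the earlier confOpenVPN hunk, so on a run where `useUpdateVars` is true and `APPLY_TWO_POINT_FOUR` is true the map appears never to be declared and the line becomes `set_var EASYRSA_CURVE` with an empty value; the same happens for any `ENCRYPT` other than 256, 384 or 521. Declare the map before the `useUpdateVars` test and stop on a miss, for example `curve=${ECDSA_MAP[$ENCRYPT]:-}` followed by `[[ -n $curve ]] || { echo "::: Unsupported ECDSA size: ${ENCRYPT}"; exit 1; }`.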
@@ -750,30 +792,14 @@ EOF printf "\n::: CA Complete.\n" if [[ ${useUpdateVars} == false ]]; then - whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c} + if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then + whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c} + fi fi # Build the server ${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass - if [[ ${useUpdateVars} == false ]]; then - - if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]]; then - APPLY_TWO_POINT_FOUR=false - else - if (whiptail --backtitle "Setup OpenVPN" --title "Version 2.4 improvements" --yesno --defaultno "OpenVPN 2.4 brings support for stronger key exchange using Elliptic Curves and encrypted control channel, along with faster LZ4 compression.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then - APPLY_TWO_POINT_FOUR=true - $SUDO touch /etc/pivpn/TWO_POINT_FOUR - else - APPLY_TWO_POINT_FOUR=false - fi - fi - fi - - if [[ ${runUnattended} == true ]] && [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then - $SUDO touch /etc/pivpn/TWO_POINT_FOUR - fi - if [[ ${useUpdateVars} == false ]]; then if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. 
Downloaded DH parameters will be randomly selected from their database.\nMore information about this service can be found here: https://2ton.com.au/safeprimes/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then @@ -781,6 +807,8 @@ EOF else DOWNLOAD_DH_PARAM=false fi + else + DOWNLOAD_DH_PARAM=false fi fi @@ -803,18 +831,17 @@ EOF ${SUDOE} cp pki/crl.pem /etc/openvpn/crl.pem ${SUDOE} chown nobody:nogroup /etc/openvpn/crl.pem - # Write config file for server using the template .txt file + # Write config file for server using the template.txt file $SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then - #If they enabled 2.4 change compression algorithm and use tls-crypt instead of tls-auth to encrypt control channel - $SUDO sed -i "s/comp-lzo/compress lz4/" /etc/openvpn/server.conf + #If they enabled 2.4 use tls-crypt instead of tls-auth to encrypt control channel $SUDO sed -i "s/tls-auth \/etc\/openvpn\/easy-rsa\/pki\/ta.key 0/tls-crypt \/etc\/openvpn\/easy-rsa\/pki\/ta.key/" /etc/openvpn/server.conf fi if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then - #If they enabled 2.4 disable dh parameters, use a specific curve instead - $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/dh none\necdh-curve secp384r1/" /etc/openvpn/server.conf + #If they enabled 2.4 disable dh parameters since the key exchange will use the matching curve from the ECDSA certificate + $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/dh none/" /etc/openvpn/server.conf else # Otherwise set the user encryption key size $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/\1${ENCRYPT}.pem/" /etc/openvpn/server.conf 
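Review bot: The `sed -i` substitutions that switch the server to `tls-crypt` and `dh none` succeed even when the pattern is missing from `server_config.txt`, so a later template edit would silently leave a 2.4 install on `tls-auth` and, presumably, with a `dh` line pointing at parameters that were never generated. A check after the edits, such as `grep -q '^tls-crypt ' /etc/openvpn/server.conf || exit 1`, makes that visible at install time. The two consecutive `if [[ ${APPLY_TWO_POINT_FOUR} == true ]]` blocks could also be merged into one.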
@@ -836,20 +863,24 @@ EOF } confUnattendedUpgrades() { + cd /etc/apt/apt.conf.d + if [[ $UNATTUPG == "unattended-upgrades" ]]; then $SUDO apt-get --yes --quiet --no-install-recommends install "$UNATTUPG" > /dev/null & spinner $! if [[ $PLAT == "Ubuntu" ]]; then # Ubuntu 50unattended-upgrades should already just have security enabled # so we just need to configure the 10periodic file - cat << EOT | $SUDO tee /etc/apt/apt.conf.d/10periodic >/dev/null + cat << EOT | $SUDO tee 10periodic >/dev/null APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Download-Upgradeable-Packages "1"; APT::Periodic::AutocleanInterval "5"; APT::Periodic::Unattended-Upgrade "1"; EOT else - $SUDO sed -i '/\(o=Raspbian,n=jessie\)/c\"o=Raspbian,n=jessie,l=Raspbian-Security";\' /etc/apt/apt.conf.d/50unattended-upgrades - cat << EOT | $SUDO tee /etc/apt/apt.conf.d/02periodic >/dev/null + wget -q -O - "$UNATTUPG_CONFIG" | $SUDO tar xz + $SUDO cp unattended-upgrades-1.4/data/50unattended-upgrades.Raspbian 50unattended-upgrades + $SUDO rm -rf unattended-upgrades-1.4 + cat << EOT | $SUDO tee 02periodic >/dev/null APT::Periodic::Enable "1"; APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Download-Upgradeable-Packages "1"; @@ -907,12 +938,12 @@ confNetwork() { } confOVPN() { - if ! IPv4pub=$(dig +short myip.opendns.com @resolver1.opendns.com) - then - echo "dig failed, now trying to curl eth0.me" - if ! IPv4pub=$(curl eth0.me) + IPv4pub=$(dig +short myip.opendns.com @208.67.222.222) + if [ $? -ne 0 ] || [ -z "$IPv4pub" ]; then + echo "dig failed, now trying to curl whatismyip.akamai.com" + if ! IPv4pub=$(curl -s http://whatismyip.akamai.com) then - echo "eth0.me failed, please check your internet connection/DNS" + echo "whatismyip.akamai.com failed, please check your internet connection/DNS" exit $? fi fi 
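Review bot: `wget -q -O - "$UNATTUPG_CONFIG" | $SUDO tar xz` unpacks an unverified archive as root directly inside `/etc/apt/apt.conf.d`, the directory apt reads its configuration from. Nothing pins the content of that tarball, and the visible parts of the script set only `-e`, so the pipeline's status is tar's alone. Download to a private temporary directory, check a pinned digest, extract only the one file without privileges, and install it with explicit owner and mode; the PATCH 05 version of this hunk keeps the same pipeline inside the new Raspbian test, and `easyrsaRel` from the first hunk presumably deserves the same pinning where it is fetched. The added `cd /etc/apt/apt.conf.d` also changes the working directory for whatever runs after this function, which continues past the hunk.

```shell
    # … unchanged: Ubuntu 10periodic branch …
    else
        # UNATTUPG_SHA256 is a placeholder: define it next to UNATTUPG_CONFIG
        # with the digest of the archive that was reviewed.
        local unattupg_tmp
        unattupg_tmp=$(mktemp -d)
        wget -q -O "${unattupg_tmp}/src.tar.gz" "$UNATTUPG_CONFIG"
        echo "${UNATTUPG_SHA256}  ${unattupg_tmp}/src.tar.gz" | sha256sum -c --quiet -
        tar -xzf "${unattupg_tmp}/src.tar.gz" -C "${unattupg_tmp}" \
            unattended-upgrades-1.4/data/50unattended-upgrades.Raspbian
        $SUDO install -o root -g root -m 0644 \
            "${unattupg_tmp}/unattended-upgrades-1.4/data/50unattended-upgrades.Raspbian" \
            /etc/apt/apt.conf.d/50unattended-upgrades
        rm -rf -- "${unattupg_tmp}"
        # … unchanged: 02periodic heredoc …
```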
@@ -922,8 +953,7 @@ confOVPN() { $SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then - #If they enabled 2.4 change compression algorithm and remove key-direction options since it's not required - $SUDO sed -i "s/comp-lzo/compress lz4/" /etc/openvpn/easy-rsa/pki/Default.txt + #If they enabled 2.4 remove key-direction options since it's not required $SUDO sed -i "/key-direction 1/d" /etc/openvpn/easy-rsa/pki/Default.txt fi @@ -986,16 +1016,16 @@ if \$programname == 'ovpn-server' then ~" | $SUDO tee /etc/rsyslog.d/30-openvpn. echo "/var/log/openvpn.log { - rotate 4 - weekly - missingok - notifempty - compress - delaycompress - sharedscripts - postrotate - invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true - endscript + rotate 4 + weekly + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true + endscript }" | $SUDO tee /etc/logrotate.d/openvpn > /dev/null # Restart the logging service From 9d3e45619957cd0a0cdd6ef8520190b97b6dba76 Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 4 Sep 2018 12:07:15 +0200 Subject: [PATCH 02/28] Update server_config.txt --- server_config.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/server_config.txt b/server_config.txt index 0f34b3d..93143b1 100644 --- a/server_config.txt +++ b/server_config.txt @@ -23,7 +23,6 @@ tls-version-min 1.2 tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0 cipher AES-256-CBC auth SHA256 -comp-lzo user nobody group nogroup persist-key From 6c9650a642cc70ae945bd82a594083afa9eb8a9d Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 4 Sep 2018 12:43:08 +0200 Subject: [PATCH 03/28] Update Default.txt --- Default.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/Default.txt b/Default.txt index 1503e25..db28693 100644 --- a/Default.txt +++ b/Default.txt @@ -12,5 +12,4 @@ tls-version-min 1.2 verify-x509-name SRVRNAME name cipher AES-256-CBC auth SHA256 -comp-lzo verb 3 
From 46712e6609c32f70e9f616cdeb8d55ff198ae6e2 Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 4 Sep 2018 12:45:46 +0200 Subject: [PATCH 04/28] Update makeOVPN.sh --- scripts/makeOVPN.sh | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index e4d8962..d5db7e4 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -121,17 +121,6 @@ function keyPASS() { expect eof EOF - #Convert key to aes128 - KEY_FILE="pki/private/${NAME}${KEY}" - expect << EOF - set timeout -1 - spawn openssl rsa -in ${KEY_FILE} -aes128 -out ${KEY_FILE} - expect "Enter pass phrase" { send "${PASSWD}\r" } - expect "Enter PEM pass phrase" { send "${PASSWD}\r" } - expect "Verifying - Enter PEM pass phrase" { send "${PASSWD}\r" } - expect eof -EOF - cd pki || exit } From 66a937f04d7d424741b91e6740c524ab3e7d5d75 Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 4 Sep 2018 14:38:21 +0200 Subject: [PATCH 05/28] Update install.sh --- auto_install/install.sh | 57 ++++++++++++++++++++++++----------------- 1 file changed, 34 insertions(+), 23 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index eb459de..3cb6310 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -30,7 +30,7 @@ PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whipta pivpnGitUrl="https://github.com/pivpn/pivpn.git" pivpnFilesDir="/etc/.pivpn" easyrsaVer="3.0.4" -easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz" +easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz" # Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/1.4.tar.gz" 
@@ -466,22 +466,28 @@ notify_package_updates_available() { } install_dependent_packages() { - # Install packages passed in via argument array - # No spinner - conflicts with set -e - declare -a argArray1=("${!1}") + # Install packages passed in via argument array + # No spinner - conflicts with set -e + declare -a argArray1=("${!1}") - echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections - echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections + echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections + echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections - if command -v debconf-apt-progress &> /dev/null; then - $SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}" - else - for i in "${argArray1[@]}"; do - echo -n "::: Checking for $i..." - $SUDO package_check_install "${i}" &> /dev/null - echo " installed!" - done - fi + if command -v debconf-apt-progress &> /dev/null; then + + # Use appropriate argument if the package manager uses https otherwise the installation will silently fail + if grep -q https /etc/apt/sources.list; then + $SUDO debconf-apt-progress -- ${PKG_INSTALL} -y apt-transport-https "${argArray1[@]}" + else + $SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}" + fi + else + for i in "${argArray1[@]}"; do + echo -n "::: Checking for $i..." + $SUDO package_check_install "${i}" &> /dev/null + echo " installed!" + done + fi } unattendedUpgrades() { 
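Review bot: `grep -q https /etc/apt/sources.list` matches the string anywhere in the file, including commented-out entries, and never looks at `/etc/apt/sources.list.d/`, so the decision to add `apt-transport-https` can be wrong in both directions. Anchoring on active entries and covering both locations is more reliable: `grep -qsE '^[[:space:]]*deb(-src)?[[:space:]].*https://' /etc/apt/sources.list /etc/apt/sources.list.d/*.list`. In the fallback loop, `$SUDO package_check_install "${i}"` only works if `package_check_install` is an external command; if it is a shell function, as the name suggests, sudo cannot run it and `&> /dev/null` hides the error.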
@@ -708,7 +714,7 @@ confOpenVPN() { if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]]; then APPLY_TWO_POINT_FOUR=false else - if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno --defaultyes "OpenVPN 2.4 brings support for stronger authentication and key exchange using Elliptic Curves, along with encrypted control channel.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then + if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno "OpenVPN 2.4 brings support for stronger authentication and key exchange using Elliptic Curves, along with encrypted control channel.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then APPLY_TWO_POINT_FOUR=true $SUDO touch /etc/pivpn/TWO_POINT_FOUR else @@ -776,11 +782,11 @@ EOF # Set certificate type if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then - echo "set_var EASYRSA_ALGO rsa" >> vars - echo "set_var EASYRSA_KEY_SIZE ${ENCRYPT}" >> vars + echo "set_var EASYRSA_ALGO rsa" | $SUDO tee -a vars + echo "set_var EASYRSA_KEY_SIZE ${ENCRYPT}" | $SUDO tee -a vars else - echo "set_var EASYRSA_ALGO ec" >> vars - echo "set_var EASYRSA_CURVE ${ECDSA_MAP["${ENCRYPT}"]}" >> vars + echo "set_var EASYRSA_ALGO ec" | $SUDO tee -a vars + echo "set_var EASYRSA_CURVE ${ECDSA_MAP["${ENCRYPT}"]}" | $SUDO tee -a vars fi # Remove any previous keys 
@@ -877,9 +883,14 @@ confUnattendedUpgrades() { APT::Periodic::Unattended-Upgrade "1"; EOT else - wget -q -O - "$UNATTUPG_CONFIG" | $SUDO tar xz - $SUDO cp unattended-upgrades-1.4/data/50unattended-upgrades.Raspbian 50unattended-upgrades - $SUDO rm -rf unattended-upgrades-1.4 + # Fix Raspbian config + if [[ $PLAT == "Raspbian" ]]; then + wget -q -O - "$UNATTUPG_CONFIG" | $SUDO tar xz + $SUDO cp unattended-upgrades-1.4/data/50unattended-upgrades.Raspbian 50unattended-upgrades + $SUDO rm -rf unattended-upgrades-1.4 + fi + + # Add the remaining settings for all other distributions cat << EOT | $SUDO tee 02periodic >/dev/null APT::Periodic::Enable "1"; APT::Periodic::Update-Package-Lists "1"; From dd26662fdf646d0f6750de602d43ef514e8e21bd Mon Sep 17 00:00:00 2001 From: Orazio Date: Fri, 12 Oct 2018 21:06:11 +0200 Subject: [PATCH 06/28] Update install.sh --- auto_install/install.sh | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 3cb6310..f743d05 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -949,13 +949,11 @@ confNetwork() { } confOVPN() { - IPv4pub=$(dig +short myip.opendns.com @208.67.222.222) - if [ $? -ne 0 ] || [ -z "$IPv4pub" ]; then - echo "dig failed, now trying to curl whatismyip.akamai.com" - if ! IPv4pub=$(curl -s http://whatismyip.akamai.com) - then - echo "whatismyip.akamai.com failed, please check your internet connection/DNS" - exit $? + if ! IPv4pub=$(dig +short myip.opendns.com @208.67.222.222) || ! valid_ip "$IPv4pub"; then + echo "dig failed, now trying to curl checkip.amazonaws.com" + if ! IPv4pub=$(curl -s https://checkip.amazonaws.com) || ! valid_ip "$IPv4pub"; then + echo "checkip.amazonaws.com failed, please check your internet connection/DNS" + exit 1 fi fi $SUDO cp /tmp/pivpnUSR /etc/pivpn/INSTALL_USER From d0f85e34292bceb3a9d4ac4d496de6898386e116 Mon Sep 17 00:00:00 2001 
From: LMS235 Date: Mon, 24 Dec 2018 14:24:20 +0100 Subject: [PATCH 07/28] right adjustment -read for "other" withdrawn from .ovpn files - delete also /etc/openvpn/easy-rsa/pki/${CERTS_TO_REVOKE[ii]}.ovpn after remove certificate --- scripts/makeOVPN.sh | 2 ++ scripts/removeOVPN.sh | 1 + 2 files changed, 3 insertions(+) diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index a92bc7b..48a25ee 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -241,6 +241,8 @@ echo "tls-auth Private Key found: $TA" # Copy the .ovpn profile to the home directory for convenient remote access cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" +chmod o-r "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" +chmod o-r "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" printf "\n\n" printf "========================================================\n" printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME$FILEEXT" diff --git a/scripts/removeOVPN.sh b/scripts/removeOVPN.sh index 6bf0610..4438d98 100644 --- a/scripts/removeOVPN.sh +++ b/scripts/removeOVPN.sh @@ -114,6 +114,7 @@ for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do rm -rf "pki/private/${CERTS_TO_REVOKE[ii]}.key" rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt" rm -rf "/home/${INSTALL_USER}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn" + rm -rf "/etc/openvpn/easy-rsa/pki/${CERTS_TO_REVOKE[ii]}.ovpn" cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem done printf "::: Completed!\n" From 996c5469f3b7b309c6194f6eb06a21a6708e80e3 Mon Sep 17 00:00:00 2001 From: LMS235 Date: Mon, 24 Dec 2018 15:49:44 +0100 Subject: [PATCH 08/28] Telekom Hybrid Check Small check whether Telekom Hybrid will be used to give helpful tips. --- scripts/pivpnDebug.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/scripts/pivpnDebug.sh b/scripts/pivpnDebug.sh index a5d4f77..b850032 100644 --- a/scripts/pivpnDebug.sh +++ b/scripts/pivpnDebug.sh 
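Review bot: `chmod o-r` runs only after `cp` has already created the home-directory copy under the default umask, so the profile, which presumably embeds the client's private key, is briefly world-readable and stays group-readable afterwards. Creating the copy with its final mode closes that window: `install -m 0600 -o "$INSTALL_USER" "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"`, with `chmod 600` on the pki copy. Setting `umask 077` before the profile is first written, which happens outside this hunk, would cover the pki copy from creation as well.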
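Review bot: The added cleanup in removeOVPN.sh uses `rm -rf` on a path built from `${CERTS_TO_REVOKE[ii]}`, although the target is a single regular file. `rm -f "/etc/openvpn/easy-rsa/pki/${CERTS_TO_REVOKE[ii]}.ovpn"` does the same job without recursive deletion; how the array is populated is outside the hunk, so it is worth confirming that entries are restricted to plain certificate names with no path separators. The three existing `rm -rf` lines above it would benefit from the same change.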
@@ -20,4 +20,16 @@ if [[ ${noUFW} -eq 1 ]]; then printf ":::\t\t\t\t\t:::\n::\tOutput of iptables\t\t ::\n:::\t\t\t\t\t:::\n" iptables -t nat -L -n -v fi +# Telekom Hybrid Check +wget -O /tmp/hybcheck http://speedport.ip &>/dev/null +if grep -Fq "Speedport Pro" /tmp/hybcheck || grep -Fq "Speedport Hybrid" /tmp/hybcheck +then + printf ":::\t\t\t\t\t:::\n::\tTelekom Hybrid Check\t\t ::\n:::\t\t\t\t\t:::\n" + echo "Are you using Telekom Hybrid (found a hybrid compatible router)?" + echo "If yes and you have problems with the connections you can test the following:" + echo "Add 'tun-mtu 1316' in /etc/openvpn/easy-rsa/pki/Default.txt to set a hybrid compatible MTU size (new .ovpn files)." + echo "For already existing .ovpn files 'tun-mtu 1316' can also be inserted there manually." + echo "With Telekom hybrid connections, you may have to experiment a little with MTU (tun-mtu, link-mtu and mssfix)." +fi +rm /tmp/hybcheck printf ":::\t\t\t\t\t:::\n::\tDebug Output Complete\t\t ::\n:::\t\t\t\t\t:::\n" From e3f729f2607d6007e5cdd22941ceaeea59474f68 Mon Sep 17 00:00:00 2001 
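Review bot: The check downloads to the fixed path `/tmp/hybcheck`, which on a shared system another local user can pre-create or symlink before the debug script writes to it; if pivpnDebug runs as root, as the `iptables` call suggests, that write happens with root privileges. The fetch is also plain HTTP with no timeout, so the debug output can stall on networks where `speedport.ip` does not answer. Streaming the response avoids the file entirely: `if wget -q -T 5 -t 1 -O - http://speedport.ip 2>/dev/null | grep -Fq -e "Speedport Pro" -e "Speedport Hybrid"; then`, after which the `rm /tmp/hybcheck` line can be dropped.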
From: Orazio Date: Sun, 3 Mar 2019 10:18:45 +0100 Subject: [PATCH 09/28] General fixes and improvements --- ISSUE_TEMPLATE.md | 16 ---- README.md | 12 ++- auto_install/install.sh | 97 ++++++++++------------ ca_info.txt | 8 -- firewall-openvpn-rules.txt | 3 - pivpn | 18 ---- scripts/clientStat.sh | 0 scripts/fix_iptables.sh | 9 -- scripts/listOVPN.sh | 0 scripts/pivpnDebug.sh | 164 +++++++++++++++++++++++++++++++++---- scripts/removeOVPN.sh | 0 scripts/uninstall.sh | 10 +-- ufw_add.txt | 9 -- 13 files changed, 207 insertions(+), 139 deletions(-) delete mode 100644 ca_info.txt delete mode 100644 firewall-openvpn-rules.txt mode change 100644 => 100755 scripts/clientStat.sh delete mode 100644 scripts/fix_iptables.sh mode change 100644 => 100755 scripts/listOVPN.sh mode change 100644 => 100755 scripts/pivpnDebug.sh mode change 100644 => 100755 scripts/removeOVPN.sh mode change 100644 => 100755 scripts/uninstall.sh delete mode 100644 ufw_add.txt diff --git a/ISSUE_TEMPLATE.md b/ISSUE_TEMPLATE.md index 9058522..c649057 100644 --- a/ISSUE_TEMPLATE.md +++ b/ISSUE_TEMPLATE.md @@ -33,22 +33,6 @@ PiVPN is no longer maintained, see the README Output Here ``` -## Console Output of `sudo iptables -t nat -S` -``` - Output Here -``` - -## Console Output of `sudo iptables -S` -``` - Output Here -``` - -## output of `sudo netstat -uanp | grep openvpn` - -``` - Output Here -``` - ## Have you taken any steps towards solving your issue? which? diff --git a/README.md b/README.md index 2df09c7..2b30ab5 100644 --- a/README.md +++ b/README.md 
@@ -54,11 +54,13 @@ curl -L https://install.pivpn.io | bash The script will first update your APT repositories, upgrade packages, and install OpenVPN, which will take some time. -It will ask which encryption method you wish the guts of your server to use, 1024-bit, 2048-bit, or 4096-bit. +It will ask which authentication method you wish the guts of your server to use, 1024-bit, 2048-bit, or 4096-bit. If you're unsure or don't have a convincing reason one way or the other I'd use 2048 today. From the OpenVPN site: > For asymmetric keys, general wisdom is that 1024-bit keys are no longer sufficient to protect against well-equipped adversaries. Use of 2048-bit is a good minimum. It is wise to ensure all keys across your active PKI (including the CA root keypair) are using at least 2048-bit keys. -> Up to 4096-bit is accepted by nearly all RSA systems (including OpenVPN,) but use of keys this large will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations; the benefit beyond 2048-bit keys is small enough not to be of great use at the current time. It is often a larger benefit to consider lower validity times than more bits past 2048, but that is for you to decide. +> Up to 4096-bit is accepted by nearly all RSA systems (including OpenVPN), but use of keys this large will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations; the benefit beyond 2048-bit keys is small enough not to be of great use at the current time. It is often a larger benefit to consider lower validity times than more bits past 2048, but that is for you to decide. + +Luckily, OpenVPN 2.4 supports ECDSA certificates, which are based on Elliptic Curves, allowing much smaller keys while providing an equivalent security level (256 bit long, equivalent to 3072 bit RSA). For this reason, PiVPN now uses ECDSA certs if you choose to enable OpenVPN 2.4 features. 
If not, the usual RSA certificates are generated in case the user has clients running an older version of OpenVPN. After this, the script will go back to the command line as it builds the server's own certificate authority. The script will ask you if you'd like to change the certificate fields, @@ -70,7 +72,11 @@ and have a working configuration at the end. Finally, the script will take some time to build the server's Diffie-Hellman key exchange. If you chose 1024-bit encryption, this will just take a few minutes, but if you chose 2048-bit, it will take much longer (anywhere from 40 minutes to several hours on a -Model B+). The script will also make some changes to your system to allow it to forward +Model B+). + +NOTE: Diffie-Hellman parameters are NOT generated if you choose not to use OpenVPN 2.4. + +The script will also make some changes to your system to allow it to forward internet traffic and allow VPN connections through the Pi's firewall. When the script informs you that it has finished configuring OpenVPN, it will ask if you want to reboot. I have it where you do not need to reboot when done but it also can't hurt. diff --git a/auto_install/install.sh b/auto_install/install.sh index f743d05..c5ab41f 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -9,12 +9,9 @@ # # curl -L https://install.pivpn.io | bash # Make sure you have `curl` installed - set -e -######## VARIABLES ######### -tmpLog="/tmp/pivpn-install.log" -instalLogLoc="/etc/pivpn/install.log" +######## VARIABLES ######### setupVars=/etc/pivpn/setupVars.conf useUpdateVars=false 
@@ -29,11 +26,12 @@ PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whipta pivpnGitUrl="https://github.com/pivpn/pivpn.git" pivpnFilesDir="/etc/.pivpn" -easyrsaVer="3.0.4" -easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz" +easyrsaVer="3.0.6" +easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz" # Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config -UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/1.4.tar.gz" +UNATTUPG_RELEASE="1.9" +UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz" # Find the rows and columns. Will default to 80x24 if it can not be detected. screen_size=$(stty size 2>/dev/null || echo 24 80) @@ -340,7 +338,7 @@ It is also possible to use a DHCP reservation, but if you are going to do that, setDHCPCD() { # Append these lines to dhcpcd.conf to enable a static IP echo "interface ${pivpnInterface} - static ip_address=${IPv4addr} + static ip_address=${IPv4addr}/24 static routers=${IPv4gw} static domain_name_servers=${IPv4dns}" | $SUDO tee -a ${dhcpcdFile} >/dev/null } @@ -352,7 +350,7 @@ setStaticIPv4() { echo "::: Static IP already configured." else setDHCPCD - $SUDO ip addr replace dev "${pivpnInterface}" "${IPv4addr}" + $SUDO ip addr replace dev "${pivpnInterface}" "${IPv4addr}/24" echo ":::" echo "::: Setting IP to ${IPv4addr}. You may need to restart after the install is complete." echo ":::" 
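Review bot: Both `setDHCPCD` and the `ip addr replace` call in `setStaticIPv4` now append a literal `/24` to `${IPv4addr}`, which is only correct on a network with a 24-bit prefix. Where `IPv4addr` is set is outside these hunks; if it ever already carries a prefix the result is `a.b.c.d/NN/24`, and on any other subnet size the static configuration gets the wrong netmask. Taking the prefix from the interface, for example from `ip -o -f inet addr show dev "${pivpnInterface}"`, and validating it once would cover both places.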
@@ -473,14 +471,13 @@ install_dependent_packages() { echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections - if command -v debconf-apt-progress &> /dev/null; then + # Add support for https repositories if there are any that use it otherwise the installation will silently fail + if grep -q https /etc/apt/sources.list; then + PIVPN_DEPS+=("apt-transport-https") + fi - # Use appropriate argument if the package manager uses https otherwise the installation will silently fail - if grep -q https /etc/apt/sources.list; then - $SUDO debconf-apt-progress -- ${PKG_INSTALL} -y apt-transport-https "${argArray1[@]}" - else - $SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}" - fi + if command -v debconf-apt-progress &> /dev/null; then + $SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}" else for i in "${argArray1[@]}"; do echo -n "::: Checking for $i..." 
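Review bot: `PIVPN_DEPS+=("apt-transport-https")` is appended inside install_dependent_packages, but both install paths below it iterate `argArray1`, so the extra package is only installed if `argArray1` is built from `PIVPN_DEPS` after this point. The array's declaration is outside the hunk; if it is copied at the top of the function, append to it directly with `argArray1+=("apt-transport-https")`. The `grep -q https /etc/apt/sources.list` test also misses repositories defined under `/etc/apt/sources.list.d/` and matches commented-out lines, so https sources declared there would still hit the silent failure the comment describes.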
@@ -729,20 +726,20 @@ confOpenVPN() { if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then - ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "RSA encryption strength" --radiolist \ - "Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications, it is recommended to use 2048 bits. If you are testing, you can use 1024 bits to speed things up, but do not use this for normal use! If you are paranoid about ... things... then grab a cup of joe and pick 4096 bits." ${r} ${c} 3 \ - "1024" "Use 1024-bit encryption (testing only)" OFF \ - "2048" "Use 2048-bit encryption (recommended level)" ON \ - "4096" "Use 4096-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3) + ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "RSA certificate size" --radiolist \ + "Choose the desired size of your certificate (press space to select):\n This is a certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 2048 bits. If you are testing, you can use 1024 bits to speed things up, but do not use this for normal use! If you are paranoid about ... things... then grab a cup of joe and pick 4096 bits." ${r} ${c} 3 \ + "1024" "Use a 1024-bit certificate (testing only)" OFF \ + "2048" "Use a 2048-bit certificate (recommended level)" ON \ + "4096" "Use a 4096-bit certificate (paranoid level)" OFF 3>&1 1>&2 2>&3) else declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1") - ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA encryption strength" --radiolist \ - "Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications, it is recommended to use 256 bits. 
You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \ - "256" "Use 256-bit encryption (recommended level)" ON \ - "384" "Use 384-bit encryption" OFF \ - "521" "Use 521-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3) + ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA certificate size" --radiolist \ + "Choose the desired size of your certificate (press space to select):\n This is an certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \ + "256" "Use a 256-bit certificate (recommended level)" ON \ + "384" "Use a 384-bit certificate" OFF \ + "521" "Use a 521-bit certificate (paranoid level)" OFF 3>&1 1>&2 2>&3) fi @@ -758,8 +755,8 @@ confOpenVPN() { $SUDO rm -rf /etc/openvpn/easy-rsa/ fi - # Get the PiVPN easy-rsa - wget -q -O - "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn && $SUDO mv /etc/openvpn/EasyRSA-${easyrsaVer} /etc/openvpn/easy-rsa + # Get easy-rsa + wget -q -O - "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn && $SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa # fix ownership $SUDO chown -R root:root /etc/openvpn/easy-rsa $SUDO mkdir /etc/openvpn/easy-rsa/pki @@ -799,7 +796,7 @@ EOF if [[ ${useUpdateVars} == false ]]; then if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then - whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c} + whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman parameters, and HMAC key will now be generated." ${r} ${c} fi fi 
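Review bot: The easy-rsa tarball in the `@@ -758,8 +755,8 @@` hunk is streamed from `wget` straight into `$SUDO tar xz -C /etc/openvpn`, so the code that will generate the server's CA is unpacked as root without any integrity check. A failed or truncated download is only noticed if tar happens to reject it. The `UNATTUPG_CONFIG` download in the `@@ -886,8 +883,8 @@` hunk follows the same pattern. Now that the URL points at a pinned upstream release, the script can pin the archive's SHA-256 next to `easyrsaVer` and verify the file before extracting; the digest below is a placeholder to be filled in from the upstream release. confOpenVPN starts and ends outside the hunk.

```shell
# next to easyrsaVer / easyrsaRel:
easyrsaSha256="<SHA256_OF_RELEASE_TARBALL>"  # placeholder: take the value from the upstream release

# … unchanged: removal of an existing /etc/openvpn/easy-rsa …
# Get easy-rsa: download to a private temp file, verify, then extract
easyrsaTmp="$(mktemp)" || exit 1
wget -q -O "${easyrsaTmp}" "${easyrsaRel}" || { rm -f "${easyrsaTmp}"; exit 1; }
if ! echo "${easyrsaSha256}  ${easyrsaTmp}" | sha256sum -c - > /dev/null; then
    echo "::: easy-rsa archive failed checksum verification"
    rm -f "${easyrsaTmp}"
    exit 1
fi
$SUDO tar xzf "${easyrsaTmp}" -C /etc/openvpn
rm -f "${easyrsaTmp}"
$SUDO mv "/etc/openvpn/EasyRSA-v${easyrsaVer}" /etc/openvpn/easy-rsa
# … unchanged: chown and pki directory creation …
```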
@@ -886,8 +883,8 @@ EOT # Fix Raspbian config if [[ $PLAT == "Raspbian" ]]; then wget -q -O - "$UNATTUPG_CONFIG" | $SUDO tar xz - $SUDO cp unattended-upgrades-1.4/data/50unattended-upgrades.Raspbian 50unattended-upgrades - $SUDO rm -rf unattended-upgrades-1.4 + $SUDO cp "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" 50unattended-upgrades + $SUDO rm -rf "unattended-upgrades-$UNATTUPG_RELEASE" fi # Add the remaining settings for all other distributions @@ -909,21 +906,20 @@ confNetwork() { $SUDO sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf $SUDO sysctl -p - # if ufw enabled, configure that - if hash ufw 2>/dev/null; then + # if ufw enabled, configure that (running as root because sometimes the executable is not in the user's $PATH, on Debian for example) + if $SUDO bash -c 'hash ufw' 2>/dev/null; then if LANG=en_US.UTF-8 $SUDO ufw status | grep -q inactive then noUFW=1 else echo "::: Detected UFW is enabled." echo "::: Adding UFW rules..." - $SUDO cp /etc/.pivpn/ufw_add.txt /tmp/ufw_add.txt - $SUDO sed -i 's/IPv4dev/'"$IPv4dev"'/' /tmp/ufw_add.txt - $SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw - $SUDO sed -i -e '/delete these required/r /tmp/ufw_add.txt' -e//N /etc/ufw/before.rules - $SUDO ufw allow "${PORT}/${PROTO}" - $SUDO ufw allow from 10.8.0.0/24 - $SUDO ufw reload + $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules + # Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic) + $SUDO ufw insert 1 allow "$PORT"/"$PROTO" >/dev/null + # Don't forward everything, just the traffic originated from the VPN subnet + $SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null + $SUDO ufw reload >/dev/null echo "::: UFW configuration completed." fi else 
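Review bot: The `sed "/delete these required/i *nat ..."` line in the confNetwork hunk inserts the NAT block into `/etc/ufw/before.rules` every time it runs, so re-running the installer on a host that already has the block leaves duplicate `*nat` sections and MASQUERADE rules. The removed code behaved the same way, but the uninstall script in this patch removes the block with a single non-global substitution, so extra copies would survive an uninstall. Guard the insert with `if ! $SUDO grep -qF -- "-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE" /etc/ufw/before.rules; then` and a closing `fi`. confNetwork's body continues outside the hunk.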
@@ -932,7 +928,7 @@ confNetwork() { # else configure iptables if [[ $noUFW -eq 1 ]]; then echo 1 > /tmp/noUFW - $SUDO iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE + $SUDO iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE case ${PLAT} in Ubuntu|Debian|Devuan) $SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null @@ -1021,7 +1017,7 @@ confOVPN() { confLogging() { echo "if \$programname == 'ovpn-server' then /var/log/openvpn.log -if \$programname == 'ovpn-server' then ~" | $SUDO tee /etc/rsyslog.d/30-openvpn.conf > /dev/null +if \$programname == 'ovpn-server' then stop" | $SUDO tee /etc/rsyslog.d/30-openvpn.conf > /dev/null echo "/var/log/openvpn.log { @@ -1138,8 +1134,7 @@ updatePiVPN() { displayFinalMessage() { # Final completion message to user whiptail --msgbox --backtitle "Make it so." --title "Installation Complete!" "Now run 'pivpn add' to create the ovpn profiles. -Run 'pivpn help' to see what else you can do! -The install log is in /etc/pivpn." ${r} ${c} +Run 'pivpn help' to see what else you can do!" ${r} ${c} if (whiptail --title "Reboot" --yesno --defaultno "It is strongly recommended you reboot after installation. Would you like to reboot now?" ${r} ${c}); then whiptail --title "Rebooting" --msgbox "The system will now reboot." ${r} ${c} printf "\nRebooting system...\n" @@ -1278,9 +1273,11 @@ main() { clone_or_update_repos # Install and log everything to a file - installPiVPN | tee ${tmpLog} - - echo "::: Install Complete..." + if installPiVPN; then + echo "::: Install Complete..." + else + exit 1 + fi else # Source ${setupVars} for use in the rest of the functions. source ${setupVars} @@ -1314,12 +1311,9 @@ main() { clone_or_update_repos - updatePiVPN | tee ${tmpLog} + updatePiVPN fi - #Move the install log into /etc/pivpn for storage - $SUDO mv ${tmpLog} ${instalLogLoc} - echo "::: Restarting services..." # Start services case ${PLAT} in 
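Review bot: Calling `installPiVPN` as the condition of an `if` in main switches off `set -e` for the whole call tree, because bash ignores errexit in any command that is part of an `if` test. With this form a failed download or package step inside installPiVPN no longer stops the run; only the exit status of its last command decides between "Install Complete" and `exit 1`. Since the script already runs under `set -e`, a plain `installPiVPN` followed by `echo "::: Install Complete..."` keeps the abort-on-first-error behaviour and still drops the `tee` pipeline. main starts and ends outside the hunk.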
@@ -1349,7 +1343,6 @@ main() { fi echo ":::" - echo "::: The install log is located at: ${instalLogLoc}" } if [[ "${PIVPN_TEST}" != true ]] ; then diff --git a/ca_info.txt b/ca_info.txt deleted file mode 100644 index df01b22..0000000 --- a/ca_info.txt +++ /dev/null @@ -1,8 +0,0 @@ -CO -ST -CITY -ORG -ORG-UNIT -COMMON-NAME -NAME -EMAIL diff --git a/firewall-openvpn-rules.txt b/firewall-openvpn-rules.txt deleted file mode 100644 index 1fc98bf..0000000 --- a/firewall-openvpn-rules.txt +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o IPv4dev -j MASQUERADE diff --git a/pivpn b/pivpn index 4b191c0..8f82a93 100644 --- a/pivpn +++ b/pivpn @@ -27,30 +27,12 @@ function listOVPNFunc { } function debugFunc { - noUFW=$(cat /etc/pivpn/NO_UFW) echo "::: Generating Debug Output" $SUDO /opt/pivpn/pivpnDebug.sh | tee /tmp/debug.txt echo "::: " echo "::: Debug output completed above." echo "::: Copy saved to /tmp/debug.txt" echo "::: " - if [[ ${noUFW} -eq 1 ]]; then - IPTABLES_FIX=`$SUDO iptables -t nat -L -n -v | grep -c 'MASQUERADE.*10.8.0.0\/24'` - $SUDO iptables -t nat -L -n -v | grep -q 'MASQUERADE.*10.8.0.0\/24' - if [ $? -ne 0 ]; then - IPTABLES_FIX=2 - fi - if [[ ${IPTABLES_FIX} -gt 1 ]]; then - echo "::: We detected some potential issues with your iptables." - read -p "::: Would you like us to try to fix this? [y/n]: " -n 1 -r - echo - if [[ ${REPLY} =~ ^[Yy]$ ]]; then - $SUDO /opt/pivpn/fix_iptables.sh - fi - echo "::: Attempt at fix completed." - echo "::: Run 'pivpn debug' again to see if we detect issues." - fi - fi exit 1 } diff --git a/scripts/clientStat.sh b/scripts/clientStat.sh old mode 100644 new mode 100755 diff --git a/scripts/fix_iptables.sh b/scripts/fix_iptables.sh deleted file mode 100644 index 697191a..0000000 --- a/scripts/fix_iptables.sh +++ /dev/null 
@@ -1,9 +0,0 @@ -#!/usr/bin/env bash -# PiVPN: Fix iptables script -# called by pivpnDebug.sh - -IPv4dev=$(ip route get 8.8.8.8 | awk '{for(i=1;i<=NF;i++)if($i~/dev/)print $(i+1)}') -iptables -t nat -F -iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${IPv4dev} -j MASQUERADE -iptables-save > /etc/iptables/rules.v4 -iptables-restore < /etc/iptables/rules.v4 diff --git a/scripts/listOVPN.sh b/scripts/listOVPN.sh old mode 100644 new mode 100755 diff --git a/scripts/pivpnDebug.sh b/scripts/pivpnDebug.sh old mode 100644 new mode 100755 index a5d4f77..b13c8ae --- a/scripts/pivpnDebug.sh +++ b/scripts/pivpnDebug.sh 
@@ -1,23 +1,155 @@ #!/usr/bin/env bash # This scripts runs as root -printf ":::\t\t\t\t\t:::\n::\t\tPiVPN Debug\t\t ::\n" -printf ":::\t\t\t\t\t:::\n::\tLatest Commit\t\t\t ::\n:::\t\t\t\t\t:::\n" + +PORT=$(cat /etc/pivpn/INSTALL_PORT) +PROTO=$(cat /etc/pivpn/INSTALL_PROTO) +IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" +REMOTE="$(grep 'remote ' /etc/openvpn/easy-rsa/pki/Default.txt | awk '{print $2}')" +ERR=0 + +echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::" +printf "=============================================\n" +echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::" git --git-dir /etc/.pivpn/.git log -n 1 -printf ":::\t\t\t\t\t:::\n::\tRecursive list of files in\t ::\n" -printf "::\t/etc/openvpn/easy-rsa/pki\t ::\n:::\t\t\t\t\t:::\n" -ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial -printf ":::\t\t\t\t\t:::\n::\tOutput of /etc/pivpn/*\t\t ::\n:::\t\t\t\t\t:::\n" +printf "=============================================\n" +echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::" for filename in /etc/pivpn/*; do - if [[ "${filename}" != "/etc/pivpn/install.log" ]]; then - echo ":: START $filename ::" - cat "$filename" - echo ":: END $filename ::" + if [ "$filename" != "/etc/pivpn/setupVars.conf" ]; then + echo "$filename -> $(cat "$filename")" fi done -printf ":::\t\t\t\t\t:::\n:: /etc/openvpn/easy-rsa/pki/Default.txt ::\n:::\t\t\t\t\t:::\n" -cat /etc/openvpn/easy-rsa/pki/Default.txt -if [[ ${noUFW} -eq 1 ]]; then - printf ":::\t\t\t\t\t:::\n::\tOutput of iptables\t\t ::\n:::\t\t\t\t\t:::\n" - iptables -t nat -L -n -v +printf "=============================================\n" +echo -e "::::\t\e[4msetupVars file shown below\e[0m\t ::::" +sed "s/$REMOTE/REMOTE/" < /etc/pivpn/setupVars.conf +printf "=============================================\n" +echo -e ":::: \e[4mServer configuration shown below\e[0m ::::" +cat /etc/openvpn/server.conf +printf "=============================================\n" +echo -e ":::: \e[4mClient template file shown below\e[0m ::::" 
+sed "s/$REMOTE/REMOTE/" < /etc/openvpn/easy-rsa/pki/Default.txt +printf "=============================================\n" +echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::: \e[4m/etc/openvpn/easy-rsa/pki shows below\e[0m :::" +ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial +printf "=============================================\n" +echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::" + +if [ "$(cat /proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then + echo ":: [OK] IP forwarding is enabled" +else + ERR=1 + read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf + sysctl -p + echo "Done" + fi fi -printf ":::\t\t\t\t\t:::\n::\tDebug Output Complete\t\t ::\n:::\t\t\t\t\t:::\n" + +if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then + + if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then + echo ":: [OK] Iptables MASQUERADE rule set" + else + ERR=1 + read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + iptables -t nat -F + iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE + iptables-save > /etc/iptables/rules.v4 + iptables-restore < /etc/iptables/rules.v4 + echo "Done" + fi + fi + +else + + if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then + echo ":: [OK] Ufw is enabled" + else + ERR=1 + read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + ufw enable + fi + fi + + if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then + echo ":: [OK] Iptables MASQUERADE rule set" + else + ERR=1 + read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? 
[Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules + ufw reload + echo "Done" + fi + fi + + if iptables -C ufw-user-input -p "${PROTO}" --dport "${PORT}" -j ACCEPT &> /dev/null; then + echo ":: [OK] Ufw input rule set" + else + ERR=1 + read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + ufw insert 1 allow "$PORT"/"$PROTO" + ufw reload + echo "Done" + fi + fi + + if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then + echo ":: [OK] Ufw forwarding rule set" + else + ERR=1 + read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any + ufw reload + echo "Done" + fi + fi + +fi + +if systemctl is-active -q openvpn; then + echo ":: [OK] OpenVPN is running" +else + ERR=1 + read -r -p ":: [ERR] OpenVPN is not running, try to start now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + systemctl start openvpn + echo "Done" + fi +fi + +if systemctl is-enabled -q openvpn; then + echo ":: [OK] OpenVPN is enabled (it will automatically start on reboot)" +else + ERR=1 + read -r -p ":: [ERR] OpenVPN is not enabled, try to enable now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + systemctl enable openvpn + echo "Done" + fi +fi + +# grep -w (whole word) is used so port 111940 with now match when looking for 1194 +if netstat -uanpt | grep openvpn | grep -w "${PORT}" | grep -q "${PROTO}"; then + echo ":: [OK] OpenVPN is listening on port ${PORT}/${PROTO}" +else + ERR=1 + read -r -p ":: [ERR] OpenVPN is not listening, try to restart now? 
[Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + systemctl restart openvpn + echo "Done" + fi +fi + +if [ "$ERR" -eq 1 ]; then + echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues" +fi +printf "=============================================\n" +echo -e ":::: \e[4mSnippet of the server log\e[0m ::::" +tail -20 /var/log/openvpn.log +printf "=============================================\n" +echo -e "::::\t\t\e[4mDebug complete\e[0m\t\t ::::" diff --git a/scripts/removeOVPN.sh b/scripts/removeOVPN.sh old mode 100644 new mode 100755 diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh old mode 100644 new mode 100755 index 4c3f4e3..99192aa --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -21,6 +21,7 @@ PLAT=$(cat /etc/pivpn/DET_PLATFORM) NO_UFW=$(cat /etc/pivpn/NO_UFW) PORT=$(cat /etc/pivpn/INSTALL_PORT) PROTO=$(cat /etc/pivpn/INSTALL_PROTO) +IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" # Find the rows and columns. Will default to 80x24 if it can not be detected. screen_size=$(stty size 2>/dev/null || echo 24 80) @@ -107,11 +108,10 @@ echo ":::" sysctl -p if [[ $NO_UFW -eq 0 ]]; then - $SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"DROP\"/" /etc/default/ufw - $SUDO sed -i '/START OPENVPN RULES/,/END OPENVPN RULES/ d' /etc/ufw/before.rules - $SUDO ufw delete allow from 10.8.0.0/24 >/dev/null - $SUDO ufw delete allow ${PORT}/${PROTO} >/dev/null - $SUDO ufw reload + $SUDO sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules + $SUDO ufw delete allow "$PORT"/"$PROTO" >/dev/null + $SUDO ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null + $SUDO ufw reload >/dev/null fi echo ":::" diff --git a/ufw_add.txt b/ufw_add.txt deleted file mode 100644 index 0a17f59..0000000 --- a/ufw_add.txt +++ /dev/null 
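Review bot: The MASQUERADE fix in the `NO_UFW` branch of pivpnDebug.sh runs `iptables -t nat -F` before re-adding the rule, which drops every other NAT rule on the host (port forwards, container networking), and the following `iptables-save > /etc/iptables/rules.v4` makes that loss persistent. The `-C` check has just established that only this one rule is missing, so the flush line can go and the `-I POSTROUTING` insert is enough. The prompts also advertise `[Y/n]` while `^[Yy]$` treats a bare Enter as "no"; either print `[y/N]` or accept an empty reply. `server.conf` and the `tail -20 /var/log/openvpn.log` output are printed without the `REMOTE` substitution applied to the other files, so a pasted report may still carry addresses.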
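Review bot: The `@@ -107,11 +108,10 @@` hunk of uninstall.sh now removes only the rule layout written by the new installer, so a host installed with the previous version keeps its `# START OPENVPN RULES` block in `/etc/ufw/before.rules` and `DEFAULT_FORWARD_POLICY="ACCEPT"` in `/etc/default/ufw` after uninstalling. The forward policy is the more serious leftover, since ufw would no longer drop forwarded traffic by default. Keeping the old marker-based delete, `$SUDO sed -i '/START OPENVPN RULES/,/END OPENVPN RULES/ d' /etc/ufw/before.rules`, alongside the new substitution covers both layouts and does nothing when the markers are absent. Whether to reset the forward policy for such hosts deserves an explicit decision and a comment.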
@@ -1,9 +0,0 @@ -# START OPENVPN RULES -# NAT table rules -*nat -:POSTROUTING ACCEPT [0:0] -# Allow traffic from OpenVPN client to masquerade --A POSTROUTING -s 10.8.0.0/24 -o IPv4dev -j MASQUERADE -COMMIT -# END OPENVPN RULES - From 24db1bc2e20aa4a521638a4496748a3b4a9856b9 Mon Sep 17 00:00:00 2001 From: Alex Heidenreich Date: Tue, 5 Mar 2019 11:32:49 -0500 Subject: [PATCH 10/28] Initial commit with comment --- auto_install/install.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index f743d05..46b1ca8 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -10,6 +10,8 @@ # curl -L https://install.pivpn.io | bash # Make sure you have `curl` installed +#Adding custom search domain - atlasalex + set -e ######## VARIABLES ######### @@ -32,7 +34,7 @@ pivpnFilesDir="/etc/.pivpn" easyrsaVer="3.0.4" easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz" -# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config +# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/1.4.tar.gz" # Find the rows and columns. Will default to 80x24 if it can not be detected. From 3364f76790a7e2eff6b6e7cb41428db121474211 Mon Sep 17 00:00:00 2001 From: Alex Heidenreich Date: Sun, 10 Mar 2019 13:55:14 -0400 Subject: [PATCH 11/28] Added procedure to allow users to set custom search domain. --- auto_install/install.sh | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 46b1ca8..fb52306 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
@@ -10,8 +10,6 @@ # curl -L https://install.pivpn.io | bash # Make sure you have `curl` installed -#Adding custom search domain - atlasalex - set -e ######## VARIABLES ######### @@ -704,6 +702,36 @@ setClientDNS() { fi } +#This procedure allows a user to specify a custom search domain if they have one. +setCustomDomain() { + DomainSettingsCorrect=False + + if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno "Would you like to add a custom search domain? \n (This is only for advanced users who have their own domain)\n" 8 78); then + + until [[ $DomainSettingsCorrect = True ]] + do + if CUSTOMDomain=$(whiptail --inputbox "Enter Custom Domain\nFormat: mydomain.com" 8 78 --title "Test" 3>&1 1>&2 2>&3); then + + if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno "Are these settings correct?\n Custom Search Domain: $CUSTOMDomain" 8 78); then + DomainSettingsCorrect=True + + $SUDO sed -i '0,/\(.*dhcp-option.*\)/s//\push "dhcp-option DOMAIN '${CUSTOMDomain}'" /' server.conf + + else + # If the settings are wrong, the loop continues + DomainSettingsCorrect=False + fi + else + echo "::: Cancel selected. Exiting..." + exit 1 + fi + done + + else + echo sleep 0.1 + fi +} + confOpenVPN() { # Generate a random, alphanumeric identifier of 16 characters for this server so that we can use verify-x509-name later that is unique for this server installation. Source: Earthgecko (https://gist.github.com/earthgecko/3089509) NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) @@ -1106,6 +1134,7 @@ installPiVPN() { confNetwork confOVPN setClientDNS + setCustomDomain confLogging finalExports } From 3a0d6b1b471d4b5273452468894f2f8bad10b37c Mon Sep 17 00:00:00 2001 From: Alex Heidenreich Date: Sun, 10 Mar 2019 14:02:37 -0400 Subject: [PATCH 12/28] Fixed server.conf path --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/auto_install/install.sh b/auto_install/install.sh index fb52306..f5e0694 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -715,7 +715,7 @@ setCustomDomain() { if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno "Are these settings correct?\n Custom Search Domain: $CUSTOMDomain" 8 78); then DomainSettingsCorrect=True - $SUDO sed -i '0,/\(.*dhcp-option.*\)/s//\push "dhcp-option DOMAIN '${CUSTOMDomain}'" /' server.conf + $SUDO sed -i '0,/\(.*dhcp-option.*\)/s//\push "dhcp-option DOMAIN '${CUSTOMDomain}'" /' /etc/openvpn/server.conf else # If the settings are wrong, the loop continues From 0cd9e0deb6525994e6c8b08230d8b3ac325a2d1f Mon Sep 17 00:00:00 2001 From: Alex Heidenreich Date: Sun, 10 Mar 2019 20:06:49 -0400 Subject: [PATCH 13/28] Added function valid_domain to check user input of custom domain --- auto_install/install.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/auto_install/install.sh b/auto_install/install.sh index f5e0694..b57aa6d 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -380,6 +380,18 @@ function valid_ip() return $stat } +#Call this function to use a regex to check user input for a valid custom domain +function valid_domain() +{ + local domain=$1 + local stat=1 + + if [[ $domain =~ ^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}\.[a-zA-Z]{2,}$ ]]; then + stat=$? + fi + return $stat +} + installScripts() { # Install the scripts from /etc/.pivpn to their various locations $SUDO echo ":::" From 9808234792c0a3cef80bdafd6c5f00dc490d962b Mon Sep 17 00:00:00 2001 From: Alex Heidenreich Date: Sun, 10 Mar 2019 22:33:20 -0400 Subject: [PATCH 14/28] Called valid_domain function in SetCustomDomain() --- auto_install/install.sh | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index b57aa6d..f7d5d9a 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
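Review bot: The pattern in valid_domain accepts exactly two labels, so a search domain such as `home.example.com` is rejected, as is any first label shorter than two characters, while a label ending in `-` passes. Once setCustomDomain calls it (later in this series), this check is also the only thing keeping `/`, `&`, quotes and whitespace out of the sed replacement built there. That dependency deserves a comment above the function, e.g. `# Also guards the sed replacement in setCustomDomain: keep sed metacharacters out of the accepted set`. A pattern that allows several labels without widening the character set would be `^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$`.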
@@ -722,16 +722,20 @@ setCustomDomain() { until [[ $DomainSettingsCorrect = True ]] do - if CUSTOMDomain=$(whiptail --inputbox "Enter Custom Domain\nFormat: mydomain.com" 8 78 --title "Test" 3>&1 1>&2 2>&3); then + if CUSTOMDomain=$(whiptail --inputbox "Enter Custom Domain\nFormat: mydomain.com" 8 78 --title "Custom Domain" 3>&1 1>&2 2>&3); then + if valid_domain "$CUSTOMDomain"; then + if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno "Are these settings correct?\n Custom Search Domain: $CUSTOMDomain" 8 78); then + DomainSettingsCorrect=True - if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno "Are these settings correct?\n Custom Search Domain: $CUSTOMDomain" 8 78); then - DomainSettingsCorrect=True - - $SUDO sed -i '0,/\(.*dhcp-option.*\)/s//\push "dhcp-option DOMAIN '${CUSTOMDomain}'" /' /etc/openvpn/server.conf + $SUDO sed -i '0,/\(.*dhcp-option.*\)/s//\push "dhcp-option DOMAIN '${CUSTOMDomain}'" /' server.conf + else + # If the settings are wrong, the loop continues + DomainSettingsCorrect=False + fi else - # If the settings are wrong, the loop continues - DomainSettingsCorrect=False + whiptail --msgbox --backtitle "Invalid Domain" --title "Invalid Domain" "Domain is invalid. Please try again.\n\n DOMAIN: $CUSTOMDomain\n" 8 78 + DomainSettingsCorrect=False fi else echo "::: Cancel selected. Exiting..." From 9bb82ff372a3c1feb1d2e7c7b17c08b32c33e483 Mon Sep 17 00:00:00 2001 From: Alex Heidenreich Date: Sun, 10 Mar 2019 22:35:18 -0400 Subject: [PATCH 15/28] changed whiptail sizing to use PiVPN variables --- auto_install/install.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index f7d5d9a..1d7f147 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
@@ -718,13 +718,13 @@ setClientDNS() { setCustomDomain() { DomainSettingsCorrect=False - if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno "Would you like to add a custom search domain? \n (This is only for advanced users who have their own domain)\n" 8 78); then + if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno "Would you like to add a custom search domain? \n (This is only for advanced users who have their own domain)\n" ${r} ${c}); then until [[ $DomainSettingsCorrect = True ]] do - if CUSTOMDomain=$(whiptail --inputbox "Enter Custom Domain\nFormat: mydomain.com" 8 78 --title "Custom Domain" 3>&1 1>&2 2>&3); then + if CUSTOMDomain=$(whiptail --inputbox "Enter Custom Domain\nFormat: mydomain.com" ${r} ${c} --title "Custom Domain" 3>&1 1>&2 2>&3); then if valid_domain "$CUSTOMDomain"; then - if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno "Are these settings correct?\n Custom Search Domain: $CUSTOMDomain" 8 78); then + if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno "Are these settings correct?\n Custom Search Domain: $CUSTOMDomain" ${r} ${c}); then DomainSettingsCorrect=True $SUDO sed -i '0,/\(.*dhcp-option.*\)/s//\push "dhcp-option DOMAIN '${CUSTOMDomain}'" /' server.conf @@ -734,7 +734,7 @@ setCustomDomain() { DomainSettingsCorrect=False fi else - whiptail --msgbox --backtitle "Invalid Domain" --title "Invalid Domain" "Domain is invalid. Please try again.\n\n DOMAIN: $CUSTOMDomain\n" 8 78 + whiptail --msgbox --backtitle "Invalid Domain" --title "Invalid Domain" "Domain is invalid. Please try again.\n\n DOMAIN: $CUSTOMDomain\n" ${r} ${c} DomainSettingsCorrect=False fi else From 76ae525c1dbaca09f084514e9b647206a42f1527 Mon Sep 17 00:00:00 2001 
From: Heidenreich Date: Mon, 11 Mar 2019 10:54:54 -0400 Subject: [PATCH 16/28] updated server.conf path --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 1d7f147..b46bc5e 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -727,7 +727,7 @@ setCustomDomain() { if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno "Are these settings correct?\n Custom Search Domain: $CUSTOMDomain" ${r} ${c}); then DomainSettingsCorrect=True - $SUDO sed -i '0,/\(.*dhcp-option.*\)/s//\push "dhcp-option DOMAIN '${CUSTOMDomain}'" /' server.conf + $SUDO sed -i '0,/\(.*dhcp-option.*\)/s//\push "dhcp-option DOMAIN '${CUSTOMDomain}'" /' /etc/openvpn/server.conf else # If the settings are wrong, the loop continues From ae934253f9b2480c5291cad496d4d26572383130 Mon Sep 17 00:00:00 2001 From: Heidenreich Date: Mon, 11 Mar 2019 11:22:31 -0400 Subject: [PATCH 17/28] Updated sed insertion to fix line overwrite --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index b46bc5e..558e6aa 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -727,7 +727,7 @@ setCustomDomain() { if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno "Are these settings correct?\n Custom Search Domain: $CUSTOMDomain" ${r} ${c}); then DomainSettingsCorrect=True - $SUDO sed -i '0,/\(.*dhcp-option.*\)/s//\push "dhcp-option DOMAIN '${CUSTOMDomain}'" /' /etc/openvpn/server.conf + $SUDO sed -i '0,/\(.*dhcp-option.*\)/s//\push "dhcp-option DOMAIN '${CUSTOMDomain}'" \n&/' /etc/openvpn/server.conf else # If the settings are wrong, the loop continues From cc80ca16bb3a333a533c9f77c47616b6d5e48aa1 Mon Sep 17 00:00:00 2001 
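Review bot: In the final form of the sed line in setCustomDomain, `${CUSTOMDomain}` sits between two single-quoted segments and is itself unquoted, so the shell word-splits and globs it before sed sees the script. valid_domain currently rejects anything that could split, but the expression should not depend on that; close and reopen with double quotes, `'0,/\(.*dhcp-option.*\)/s//push "dhcp-option DOMAIN '"${CUSTOMDomain}"'" \n&/'`. The backslash in `\push` is not a documented escape in a sed replacement and appears to work only because GNU sed passes the `p` through, so plain `push` is clearer. setCustomDomain starts and ends outside the hunk.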
From: Giraffe1966 <35208168+Giraffe1966@users.noreply.github.com> Date: Sun, 23 Sep 2018 14:43:51 -0400 Subject: [PATCH 18/28] Use shallow clone for make_repo and update_repo. --- auto_install/install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index f743d05..af7c258 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -537,7 +537,7 @@ make_repo() { # Remove the non-repos interface and clone the interface echo -n "::: Cloning $2 into $1..." $SUDO rm -rf "${1}" - $SUDO git clone -q "${2}" "${1}" > /dev/null & spinner $! + $SUDO git clone -q --depth 1 --no-single-branch "${2}" "${1}" > /dev/null & spinner $! if [ -z "${TESTING+x}" ]; then : else @@ -552,9 +552,9 @@ update_repo() { else # Pull the latest commits echo -n "::: Updating repo in $1..." + $SUDO rm -rf "${1}" + $SUDO git clone -q --depth 1 --no-single-branch "${2}" "${1}" > /dev/null & spinner $! cd "${1}" || exit 1 - $SUDO git stash -q > /dev/null & spinner $! - $SUDO git pull -q > /dev/null & spinner $! if [ -z "${TESTING+x}" ]; then : else From e26cef18630515823825019be1dbda586a4b8f30 Mon Sep 17 00:00:00 2001 From: Orazio Date: Wed, 8 May 2019 13:01:56 +0200 Subject: [PATCH 19/28] Custom certificate duration and more flexible names --- auto_install/install.sh | 1 - scripts/makeOVPN.sh | 33 ++++++++++++++++++++++++++++++--- 2 files changed, 30 insertions(+), 4 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index ea915f3..b0c382e 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
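Review bot: update_repo now deletes the existing checkout with `$SUDO rm -rf "${1}"` before the replacement clone has succeeded, so a network failure during an update leaves the host without the repository, and the following `cd "${1}" || exit 1` ends the run. Because the clone is started in the background for `spinner`, its own exit status is never checked. Cloning into a temporary directory and swapping it into place only after git reports success would keep the previous files when the download fails. The same ordering is already present in make_repo, where there is nothing to lose; both function bodies continue outside the hunks.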
@@ -405,7 +405,6 @@ installScripts() { $SUDO cp /etc/.pivpn/scripts/removeOVPN.sh /opt/pivpn/removeOVPN.sh $SUDO cp /etc/.pivpn/scripts/uninstall.sh /opt/pivpn/uninstall.sh $SUDO cp /etc/.pivpn/scripts/pivpnDebug.sh /opt/pivpn/pivpnDebug.sh - $SUDO cp /etc/.pivpn/scripts/fix_iptables.sh /opt/pivpn/fix_iptables.sh $SUDO chmod 0755 /opt/pivpn/{makeOVPN,clientStat,listOVPN,removeOVPN,uninstall,pivpnDebug,fix_iptables}.sh $SUDO cp /etc/.pivpn/pivpn /usr/local/bin/pivpn $SUDO chmod 0755 /usr/local/bin/pivpn diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index 48a25ee..4f0f67c 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -13,11 +13,12 @@ INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) helpFunc() { echo "::: Create a client ovpn profile, optional nopass" echo ":::" - echo "::: Usage: pivpn <-a|add> [-n|--name ] [-p|--password ]|[nopass] [-h|--help]" + echo "::: Usage: pivpn <-a|add> [-n|--name ] [-p|--password ]|[nopass] [-d|--days ] [-h|--help]" echo ":::" echo "::: Commands:" echo "::: [none] Interactive mode" echo "::: nopass Create a client without a password" + echo "::: -d,--days Expire the certificate after specified number of days (default: 1080)" echo "::: -n,--name Name for the Client (default: '"$(hostname)"')" echo "::: -p,--password Password for the Client (no default)" echo "::: -h,--help Show this help dialog" @@ -48,6 +49,16 @@ do fi PASSWD="$_val" ;; + -d|--days|--days=*) + _val="${_key##--days=}" + if test "$_val" = "$_key" + then + test $# -lt 2 && echo "Missing value for the optional argument '$_key'." && exit 1 + _val="$2" + shift + fi + DAYS="$_val" + ;; -h|--help) helpFunc exit 0 @@ -71,6 +82,7 @@ function keynoPASS() { #Build the client key expect << EOF set timeout -1 + set env(EASYRSA_CERT_EXPIRE) "${DAYS}" spawn ./easyrsa build-client-full "${NAME}" nopass expect eof EOF 
@@ -115,6 +127,7 @@ function keyPASS() { expect << EOF set timeout -1 + set env(EASYRSA_CERT_EXPIRE) "${DAYS}" spawn ./easyrsa build-client-full "${NAME}" expect "Enter PEM pass phrase" { send -- "${PASSWD}\r" } expect "Verifying - Enter PEM pass phrase" { send -- "${PASSWD}\r" } @@ -129,8 +142,13 @@ if [ -z "${NAME}" ]; then read -r NAME fi -if [[ "${NAME}" =~ [^a-zA-Z0-9\-] ]]; then - echo "Name can only contain alphanumeric characters and dashes (-)." +if [[ ${NAME::1} == "." ]] || [[ ${NAME::1} == "-" ]]; then + echo "Names cannot start with a dot (.) or a dash (-)." + exit 1 +fi + +if [[ "${NAME}" =~ [^a-zA-Z0-9\.\-\@\_] ]]; then + echo "Name can only contain alphanumeric characters and these characters (.-@_)." exit 1 fi @@ -164,6 +182,15 @@ if [ "${NAME}" == "ta" ] || [ "${NAME}" == "server" ] || [ "${NAME}" == "ca" ]; exit 1 fi +#As of EasyRSA 3.0.6, by default certificates last 1080 days, see https://github.com/OpenVPN/easy-rsa/blob/6b7b6bf1f0d3c9362b5618ad18c66677351cacd1/easyrsa3/vars.example +if [ -z "${DAYS}" ]; then + read -r -e -p "How many days should the certificate last? " -i 1080 DAYS +elif [[ ! "$DAYS" =~ ^[0-9]+$ ]] || [ "$DAYS" -lt 1 ] || [ "$DAYS" -gt 3650 ]; then + #The CRL lasts 3650 days so it doesn't make much sense that certificates would last longer + echo "Please input a valid number of days, between 1 and 3650 inclusive." + exit 1 +fi + cd /etc/openvpn/easy-rsa || exit if [[ "${NO_PASS}" =~ "1" ]]; then From 05d7d8480922cab1c964487c3d636821f16f160d Mon Sep 17 00:00:00 2001 From: Orazio Date: Wed, 8 May 2019 15:29:43 +0200 Subject: [PATCH 20/28] Remove reference to a deleted file --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index b0c382e..f817e45 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
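Review bot: The new allow-list `[[ "${NAME}" =~ [^a-zA-Z0-9\.\-\@\_] ]]` relies on backslashes to keep `-` literal, but a backslash has no escaping role inside a POSIX bracket expression. If the shell strips the backslashes before compiling the pattern, `.-@` is read as a range, which also admits `/`, `:`, `;`, `<`, `=`, `>` and `?`. NAME is handed to `easyrsa build-client-full` in this file, so the check should not depend on that detail. Putting the dash last makes it literal under either reading: `[[ "${NAME}" =~ [^a-zA-Z0-9.@_-] ]]`; a test with a name such as `a/b` would confirm the behaviour on the target bash.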
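Review bot: The range check `[ "$DAYS" -lt 1 ] || [ "$DAYS" -gt 3650 ]` in the last makeOVPN.sh hunk can be slipped past by a digit string too long for the shell's integer type. `^[0-9]+$` accepts such a string, both `[` comparisons should then fail with an error status rather than evaluate true, and the `exit 1` branch is not taken. Bounding the length in the pattern closes this while keeping the two comparisons as they are: `[[ ! "$DAYS" =~ ^[0-9]{1,4}$ ]]`. The reworked condition in the later "Fixed logic" patch uses the same pattern and needs the same change.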
@@ -405,7 +405,7 @@ installScripts() { $SUDO cp /etc/.pivpn/scripts/removeOVPN.sh /opt/pivpn/removeOVPN.sh $SUDO cp /etc/.pivpn/scripts/uninstall.sh /opt/pivpn/uninstall.sh $SUDO cp /etc/.pivpn/scripts/pivpnDebug.sh /opt/pivpn/pivpnDebug.sh - $SUDO chmod 0755 /opt/pivpn/{makeOVPN,clientStat,listOVPN,removeOVPN,uninstall,pivpnDebug,fix_iptables}.sh + $SUDO chmod 0755 /opt/pivpn/{makeOVPN,clientStat,listOVPN,removeOVPN,uninstall,pivpnDebug}.sh $SUDO cp /etc/.pivpn/pivpn /usr/local/bin/pivpn $SUDO chmod 0755 /usr/local/bin/pivpn $SUDO cp /etc/.pivpn/scripts/bash-completion /etc/bash_completion.d/pivpn From e70cb32caa79adea9a7299fbbca86a0c65b82847 Mon Sep 17 00:00:00 2001 From: Orazio Date: Fri, 10 May 2019 12:53:52 +0200 Subject: [PATCH 21/28] Fixed logic --- scripts/makeOVPN.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index 4f0f67c..0a571b4 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -185,10 +185,13 @@ fi #As of EasyRSA 3.0.6, by default certificates last 1080 days, see https://github.com/OpenVPN/easy-rsa/blob/6b7b6bf1f0d3c9362b5618ad18c66677351cacd1/easyrsa3/vars.example if [ -z "${DAYS}" ]; then read -r -e -p "How many days should the certificate last? " -i 1080 DAYS -elif [[ ! "$DAYS" =~ ^[0-9]+$ ]] || [ "$DAYS" -lt 1 ] || [ "$DAYS" -gt 3650 ]; then +fi + +if [[ ! "$DAYS" =~ ^[0-9]+$ ]] || [ "$DAYS" -lt 1 ] || [ "$DAYS" -gt 3650 ]; then #The CRL lasts 3650 days so it doesn't make much sense that certificates would last longer echo "Please input a valid number of days, between 1 and 3650 inclusive." exit 1 + fi cd /etc/openvpn/easy-rsa || exit From 1af5c26034ee76c90444ad8ec796a4d28ed155e3 Mon Sep 17 00:00:00 2001 
From: Calvin Loncaric Date: Sat, 4 May 2019 21:39:30 -0700 Subject: [PATCH 22/28] Flush disk writes before reboot This commit introduces a `sync` call before the install script exits. The writes that this script does during setup do not reach persistent storage until the kernel decides to flush them. The reboot sequence might drop those pending writes on the floor. To mitigate that possibility (but not fully eliminate it), the script now calls `sync`, which waits until the kernel has flushed its write cache. --- auto_install/install.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/auto_install/install.sh b/auto_install/install.sh index f817e45..9632e5d 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -1371,6 +1371,10 @@ main() { $SUDO systemctl start openvpn.service ;; esac + + # Ensure that cached writes reach persistent storage + echo "::: Flushing writes to disk..." + sync echo "::: done." From 616c2e24c4ae9d75be2f965c59e68f4807c4fe6c Mon Sep 17 00:00:00 2001 From: 4s3ti Date: Mon, 13 May 2019 23:06:14 +0100 Subject: [PATCH 23/28] Removed /24, fixed issue template --- ISSUE_TEMPLATE.md | 17 +++++++++-------- auto_install/install.sh | 4 ++-- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/ISSUE_TEMPLATE.md b/ISSUE_TEMPLATE.md index 6853205..e7f0ab3 100644 --- a/ISSUE_TEMPLATE.md +++ b/ISSUE_TEMPLATE.md 
@@ -9,29 +9,30 @@ -## Issue +### Issue -## Have you searched for similar issues and solutions? +### Have you searched for similar issues and solutions? (yes/no / which issues?) -## Console output of `curl -L install.pivpn.io | bash` +### Console output of `curl -L install.pivpn.io | bash` ``` Output Here ``` -## Console output of `pivpn add` or `pivpn add nopass` +### Console output of `pivpn add` or `pivpn add nopass` ``` Output Here ``` -## Console output of `pivpn debug` +### Console output of `pivpn debug` ``` Output Here ``` -## Have you taken any steps towards solving your issue? - which? - +### Have you taken any steps towards solving your issue? +``` + which? +``` diff --git a/auto_install/install.sh b/auto_install/install.sh index 9632e5d..4da43e1 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -338,7 +338,7 @@ It is also possible to use a DHCP reservation, but if you are going to do that, setDHCPCD() { # Append these lines to dhcpcd.conf to enable a static IP echo "interface ${pivpnInterface} - static ip_address=${IPv4addr}/24 + static ip_address=${IPv4addr} static routers=${IPv4gw} static domain_name_servers=${IPv4dns}" | $SUDO tee -a ${dhcpcdFile} >/dev/null } @@ -350,7 +350,7 @@ setStaticIPv4() { echo "::: Static IP already configured." else setDHCPCD - $SUDO ip addr replace dev "${pivpnInterface}" "${IPv4addr}/24" + $SUDO ip addr replace dev "${pivpnInterface}" "${IPv4addr}" echo ":::" echo "::: Setting IP to ${IPv4addr}. You may need to restart after the install is complete." echo ":::" From 6a234233ffd4f5a9291155cbf1ca4db6bd13e830 Mon Sep 17 00:00:00 2001 From: 4s3ti Date: Mon, 13 May 2019 23:23:33 +0100 Subject: [PATCH 24/28] Some changes to README File --- README.md | 31 ++++++++++++------------------- 1 file changed, 12 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 2b30ab5..8bcddca 100644 --- a/README.md +++ b/README.md 
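Review bot: With the hard-coded `/24` removed, `static ip_address=${IPv4addr}` in setDHCPCD and `ip addr replace dev "${pivpnInterface}" "${IPv4addr}"` in setStaticIPv4 depend on IPv4addr already being in address/prefix form, and nothing in these hunks checks that. Where the variable is set is not visible here; if it can ever hold a bare address, ip(8) would configure it as a /32 host address. A guard ahead of both uses makes the assumption explicit, e.g. `[[ "${IPv4addr}" == */* ]] || { echo "::: IPv4addr must include a prefix length" >&2; exit 1; }`. Separately, `${dhcpcdFile}` after `tee -a` is unquoted and should be `"${dhcpcdFile}"`.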
@@ -1,18 +1,8 @@ -PiVPN is once again maintained -============ - -james-lasersoft: 0-kaladin has assigned me as new admin for this project. I will do my best to keep things rolling into the future. I would like to thanks 0-kaladin for creating the most excellent project and I would also like to thank all of the future contributions we will receive from our zealous followers as they keep me on track. - - ------ - -0-kaladin: Sad times. I love this project just have no time to properly give it the attention it deserves. I'm still around so if anyone is willing to pick this up and keep it running just create an issue to let me know. Thanks to all who've kept this going as current life changes don't allow time for hobbies. Hopefully in the future... I wanted to get this to at one point. - About ----- Visit the [PiVPN](http://pivpn.io) site for more information. -This is a set of shell scripts that serve to easily turn your Raspberry Pi (TM) +This is a set of shell scripts initially developed by @0-kaladin that serve to easily turn your Raspberry Pi (TM) into a VPN server using the free, open-source [OpenVPN](https://openvpn.net) software. Have you been looking for a good guide or tutorial for installing openvpn on a raspberry pi or ubuntu based server? Run this script and you don't need a guide or tutorial, this will do it all for you, in a fraction of the time and with hardened security settings in place by default. @@ -81,6 +71,7 @@ internet traffic and allow VPN connections through the Pi's firewall. When the s informs you that it has finished configuring OpenVPN, it will ask if you want to reboot. I have it where you do not need to reboot when done but it also can't hurt. + Managing the PiVPN ---------------------- 
@@ -141,14 +132,16 @@ you want to remove OpenVPN without installing a fresh Raspbian image, just run Feedback & Support -------- -I am interested in making this script work for as many people as possible, so I -welcome any feedback on your experience. If you have problems using it, feel -free to post an issue here on github. I'll classify the issues the best I can -to keep things sorted. +PiVPN is purely community driven, and we are interested in making this script work for as many people as possible, we welcome any feedback on your experience. + +for community support or general questions. +Feel free to post on our subreddit +You can also join #pivpn on freenode in IRC + +For code related issues, code contributions, feature requests, feel free to open an issue here at github. +We will classify the issues the best we can to keep things sorted. -[[DISCONTINUED APRIL 17]] You can also post on the [Google Space](https://goo.gl/spaces/kgp2Mcy5RDfZ5SSf8) I created for PiVPN, especially suited for general questions or discussions. -You can also join #pivpn on freenode in IRC for community support or general questions. Related Projects -------- @@ -164,7 +157,7 @@ The foundation for all open-source VPN projects. Contributions ------------- -I'm also interested in improving this script, please check the current issues to see where you can help. If you have any +Please check the current issues to see where you can help. If you have any feature ideas or requests, or are interested in adding your ideas to it, testing it on other platforms, please comment or leave a pull request. If you contribute often I can add you as a member of the PiVPN project. 
@@ -181,4 +174,4 @@ sources. 4. And as always the ever vigilant [EFF](https://www.eff.org/) -I don't take donations at this time but if you want to show your appreciation to me, then contribute or leave feedback on suggestions or improvements. +PiVPN is not taking donations at this time but if you want to show your appreciation, then contribute or leave feedback on suggestions or improvements. From 050e2c61716766250a802adaf35b6d21bad43703 Mon Sep 17 00:00:00 2001 From: 4s3ti Date: Mon, 13 May 2019 23:32:08 +0100 Subject: [PATCH 25/28] more changes to README --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8bcddca..b92810f 100644 --- a/README.md +++ b/README.md 
@@ -2,13 +2,14 @@ About ----- Visit the [PiVPN](http://pivpn.io) site for more information. -This is a set of shell scripts initially developed by @0-kaladin that serve to easily turn your Raspberry Pi (TM) +This is a set of shell scripts initially developed by **@0-kaladin** that serve to easily turn your Raspberry Pi (TM) into a VPN server using the free, open-source [OpenVPN](https://openvpn.net) software. Have you been looking for a good guide or tutorial for installing openvpn on a raspberry pi or ubuntu based server? Run this script and you don't need a guide or tutorial, this will do it all for you, in a fraction of the time and with hardened security settings in place by default. The master branch of this script installs and configures OpenVPN on Raspbian -Jessie, Stretch, Devuan and has been tested on Ubuntu 14.04 and 16.04 running from an Amazon AWS image. Personally, I'd recommend using the Stretch or Jessie Lite image on a raspberry pi in your home so you can VPN into your home from unsecure remote locations and safely use the internet. However, the scripts do try to detect different distributions and make adjustments accordingly. They should work on the majority of Ubuntu and Debian based distributions including those using UFW by default instead of raw iptables. +Jessie, Stretch, Devuan and has been tested on Ubuntu 14.04 and 16.04 running from an Amazon AWS image. +We recommend using the Stretch or Jessie Lite image on a raspberry pi in your home so you can VPN into your home from unsecure remote locations and safely use the internet. However, the scripts do try to detect different distributions and make adjustments accordingly. They should work on the majority of Ubuntu and Debian based distributions including those using UFW by default instead of raw iptables. This scripts primary mission in life is to allow a user to have a home VPN for as cost effective as possible and without being a technical wizard. 
Hence the design of pivpn to work on a Raspberry Pi ($35) and then one command installer. Followed by easy management of the VPN thereafter with the 'pivpn' command. That being said... From e99ae95a5a02521f388f7dd1bc6af7038d6e8bc7 Mon Sep 17 00:00:00 2001 From: 4s3ti Date: Mon, 13 May 2019 23:34:44 +0100 Subject: [PATCH 26/28] Changed setence to better refference 0-kaladin --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b92810f..388bcb0 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ About ----- Visit the [PiVPN](http://pivpn.io) site for more information. -This is a set of shell scripts initially developed by **@0-kaladin** that serve to easily turn your Raspberry Pi (TM) +This is a set of shell scripts developed by **@0-kaladin** that serve to easily turn your Raspberry Pi (TM) into a VPN server using the free, open-source [OpenVPN](https://openvpn.net) software. Have you been looking for a good guide or tutorial for installing openvpn on a raspberry pi or ubuntu based server? Run this script and you don't need a guide or tutorial, this will do it all for you, in a fraction of the time and with hardened security settings in place by default. From ad8a1ac35144ab5047f9fbea469086751159d95b Mon Sep 17 00:00:00 2001 From: 4s3ti Date: Mon, 13 May 2019 23:50:05 +0100 Subject: [PATCH 27/28] Fixed issue template diff with master --- ISSUE_TEMPLATE.md | 53 +++++++++++++++++++++++++++++++++++++---------- 1 file changed, 42 insertions(+), 11 deletions(-) diff --git a/ISSUE_TEMPLATE.md b/ISSUE_TEMPLATE.md index e7f0ab3..caa75e5 100644 --- a/ISSUE_TEMPLATE.md +++ b/ISSUE_TEMPLATE.md 
@@ -1,11 +1,26 @@ - - - - - - - + + +## In raising this issue, I confirm the following: + +`{please fill the checkboxes, e.g: [X]}` + +- [] I have read and understood the [contributors guide](https://github.com/pivpn/pivpn/blob/master/CONTRIBUTING.md). +- [] The issue I am reporting can be *replicated*. +- [] The issue I am reporting can be *is* directly related to the pivpn installer script. +- [] The issue I am reporting isn't a duplicate (see [FAQs](https://github.com/pivpn/pivpn/wiki/FAQ), [closed issues](https://github.com/pivpn/pivpn/issues?q=is%3Aissue+sort%3Aupdated-desc+is%3Aclosed), and [open issues](https://github.com/pivpn/pivpn/issues?q=is%3Aissue+sort%3Aupdated-desc+is%3Aopen)). + + + + @@ -16,17 +31,34 @@ (yes/no / which issues?) -### Console output of `curl -L install.pivpn.io | bash` +### Console output of `curl -L install.pivpn.io | bash` ``` Output Here ``` -### Console output of `pivpn add` or `pivpn add nopass` + +### Console output of `pivpn add` or `pivpn add nopass` ``` Output Here ``` -### Console output of `pivpn debug` +### Console output of `pivpn debug` +``` + Output Here +``` + +### Console Output of `sudo iptables -t nat -S` +``` + Output Here +``` + +### Console Output of `sudo iptables -S` +``` + Output Here +``` + +### Console Output of `sudo netstat -uanp | grep openvpn` + ``` Output Here ``` @@ -35,4 +67,3 @@ ``` which? ``` - From 227892de1522c3b7ceb561f6ae5f7978bd1dca55 Mon Sep 17 00:00:00 2001 From: 4s3ti Date: Tue, 14 May 2019 09:54:01 +0100 Subject: [PATCH 28/28] Removed IPTables output lines --- ISSUE_TEMPLATE.md | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) diff --git a/ISSUE_TEMPLATE.md b/ISSUE_TEMPLATE.md index 31cccca..dcc2b68 100644 --- a/ISSUE_TEMPLATE.md +++ b/ISSUE_TEMPLATE.md 
@@ -46,24 +46,7 @@ For any output requested below, you may alternatively post it on http://pastebin ``` Output Here ``` - -### Console Output of `sudo iptables -t nat -S` -``` - Output Here -``` - -### Console Output of `sudo iptables -S` -``` - Output Here -``` - -### Console Output of `sudo netstat -uanp | grep openvpn` - -``` - Output Here -``` - ### Have you taken any steps towards solving your issue? ``` which? -``` \ No newline at end of file +```