diff --git a/auto_install/install.sh b/auto_install/install.sh index 8c78d1d..78a838f 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -82,47 +82,33 @@ Would you like to continue anyway?" ${r} ${c}) then distro_check() { # if lsb_release command is on their system if hash lsb_release 2>/dev/null; then - PLAT=$(lsb_release -si) - OSCN=$(lsb_release -sc) # We want this to be trusty xenial or jessie - case ${PLAT} in - Ubuntu|Raspbian|Debian|Devuan) - case ${OSCN} in - trusty|xenial|jessie|stretch) - ;; - *) - maybeOS_Support - ;; - esac + PLAT=$(lsb_release -si) + OSCN=$(lsb_release -sc) # We want this to be trusty xenial or jessie + + else # else get info from os-release + + PLAT=$(grep "^NAME" /etc/os-release | awk -F "=" '{print $2}' | tr -d '"' | awk '{print $1}') + VER=$(grep "VERSION_ID" /etc/os-release | awk -F "=" '{print $2}' | tr -d '"') + declare -A VER_MAP=(["9"]="stretch" ["8"]="jessie" ["16.04"]="xenial" ["14.04"]="trusty") + OSCN=${VER_MAP["${VER}"]} + + fi + + case ${PLAT} in + Ubuntu|Raspbian|Debian|Devuan) + case ${OSCN} in + trusty|xenial|jessie|stretch) ;; - *) - noOS_Support + *) + maybeOS_Support ;; esac - # else get info from os-release - elif grep -q devuan /etc/os-release; then - if grep -q jessie /etc/os-release; then - PLAT="Raspvuan" - OSCN="jessie" - else - noOS_Support - fi - elif grep -q debian /etc/os-release; then - if grep -q jessie /etc/os-release; then - PLAT="Raspbian" - OSCN="jessie" - elif grep -q stretch /etc/os-release; then - PLAT="Raspbian" - OSCN="stretch" - else - PLAT="Ubuntu" - OSCN="unknown" - maybeOS_Support - fi - # else we prob don't want to install - else + ;; + *) noOS_Support - fi + ;; + esac echo "${PLAT}" > /tmp/DET_PLATFORM } @@ -418,6 +404,23 @@ package_check_install() { dpkg-query -W -f='${Status}' "${1}" 2>/dev/null | grep -c "ok installed" || ${PKG_INSTALL} "${1}" } +addSoftwareRepo() { + # Add the official OpenVPN repo for distros that don't have the latest version in their default repos + case ${PLAT} in + Ubuntu|Debian|Devuan) + case ${OSCN} in + trusty|xenial|wheezy|jessie) + wget -qO- https://swupdate.openvpn.net/repos/repo-public.gpg | $SUDO apt-key add - + echo "deb http://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/swupdate.openvpn.net.list > /dev/null + echo -n "::: Adding OpenVPN repo for $PLAT $OSCN ..." + $SUDO apt-get -qq update & spinner $! + echo " done!" + ;; + esac + ;; + esac +} + update_package_cache() { #Running apt-get update/upgrade with minimal output can cause some issues with #requiring user input @@ -695,60 +698,31 @@ setClientDNS() { Level3 "" off DNS.WATCH "" off Norton "" off - FamilyShield "" off + FamilyShield "" off Custom "" off) if DNSchoices=$("${DNSChoseCmd[@]}" "${DNSChooseOptions[@]}" 2>&1 >/dev/tty) then - case ${DNSchoices} in - Google) - echo "::: Using Google DNS servers." - OVPNDNS1="8.8.8.8" - OVPNDNS2="8.8.4.4" - # These are already in the file - ;; - OpenDNS) - echo "::: Using OpenDNS servers." - OVPNDNS1="208.67.222.222" - OVPNDNS2="208.67.220.220" - $SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf - $SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf - ;; - Level3) - echo "::: Using Level3 servers." - OVPNDNS1="209.244.0.3" - OVPNDNS2="209.244.0.4" - $SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf - $SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf - ;; - DNS.WATCH) - echo "::: Using DNS.WATCH servers." - OVPNDNS1="84.200.69.80" - OVPNDNS2="84.200.70.40" - $SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf - $SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf - ;; - Norton) - echo "::: Using Norton ConnectSafe servers." - OVPNDNS1="199.85.126.10" - OVPNDNS2="199.85.127.10" - $SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf - $SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf - ;; - FamilyShield) - echo "::: Using FamilyShield servers." - OVPNDNS1="208.67.222.123" - OVPNDNS2="208.67.220.123" - $SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf - $SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf - ;; - Custom) - until [[ $DNSSettingsCorrect = True ]] - do - strInvalid="Invalid" - if OVPNDNS=$(whiptail --backtitle "Specify Upstream DNS Provider(s)" --inputbox "Enter your desired upstream DNS provider(s), seperated by a comma.\n\nFor example '8.8.8.8, 8.8.4.4'" ${r} ${c} "" 3>&1 1>&2 2>&3) - then + if [[ ${DNSchoices} != "Custom" ]]; then + + echo "::: Using ${DNSchoices} servers." + declare -A DNS_MAP=(["Google"]="8.8.8.8 8.8.4.4" ["OpenDNS"]="208.67.222.222 208.67.220.220" ["Level3"]="209.244.0.3 209.244.0.4" ["DNS.WATCH"]="84.200.69.80 84.200.70.40" ["Norton"]="199.85.126.10 199.85.127.10" ["FamilyShield"]="208.67.222.123 208.67.220.123") + + OVPNDNS1=$(awk '{print $1}' <<< "${DNS_MAP["${DNSchoices}"]}") + OVPNDNS2=$(awk '{print $2}' <<< "${DNS_MAP["${DNSchoices}"]}") + + $SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf + $SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf + + else + + until [[ $DNSSettingsCorrect = True ]] + do + strInvalid="Invalid" + + if OVPNDNS=$(whiptail --backtitle "Specify Upstream DNS Provider(s)" --inputbox "Enter your desired upstream DNS provider(s), seperated by a comma.\n\nFor example '8.8.8.8, 8.8.4.4'" ${r} ${c} "" 3>&1 1>&2 2>&3) + then OVPNDNS1=$(echo "$OVPNDNS" | sed 's/[, \t]\+/,/g' | awk -F, '{print$1}') OVPNDNS2=$(echo "$OVPNDNS" | sed 's/[, \t]\+/,/g' | awk -F, '{print$2}') if ! valid_ip "$OVPNDNS1" || [ ! "$OVPNDNS1" ]; then @@ -757,11 +731,11 @@ setClientDNS() { if ! valid_ip "$OVPNDNS2" && [ "$OVPNDNS2" ]; then OVPNDNS2=$strInvalid fi - else + else echo "::: Cancel selected, exiting...." exit 1 fi - if [[ $OVPNDNS1 == "$strInvalid" ]] || [[ $OVPNDNS2 == "$strInvalid" ]]; then + if [[ $OVPNDNS1 == "$strInvalid" ]] || [[ $OVPNDNS2 == "$strInvalid" ]]; then whiptail --msgbox --backtitle "Invalid IP" --title "Invalid IP" "One or both entered IP addresses were invalid. Please try again.\n\n DNS Server 1: $OVPNDNS1\n DNS Server 2: $OVPNDNS2" ${r} ${c} if [[ $OVPNDNS1 == "$strInvalid" ]]; then OVPNDNS1="" @@ -770,7 +744,7 @@ setClientDNS() { OVPNDNS2="" fi DNSSettingsCorrect=False - else + else if (whiptail --backtitle "Specify Upstream DNS Provider(s)" --title "Upstream DNS Provider(s)" --yesno "Are these settings correct?\n DNS Server 1: $OVPNDNS1\n DNS Server 2: $OVPNDNS2" ${r} ${c}) then DNSSettingsCorrect=True $SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf @@ -784,12 +758,12 @@ setClientDNS() { DNSSettingsCorrect=False fi fi - done - ;; - esac + done + fi + else - echo "::: Cancel selected. Exiting..." - exit 1 + echo "::: Cancel selected. Exiting..." + exit 1 fi } @@ -860,36 +834,41 @@ EOF # Build the server ${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass - if [[ ${useUpdateVars} == false ]]; then - if (whiptail --backtitle "Setup OpenVPN" --title "Version 2.4 improvements" --yesno --defaultno "OpenVPN 2.4 brings support for stronger key exchange using Elliptic Curves and encrypted control channel, along with faster LZ4 compression.\n\nIf you your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then - APPLY_TWO_POINT_FOUR=true - $SUDO touch /etc/pivpn/TWO_POINT_FOUR + if [[ ${useUpdateVars} == false ]]; then + + if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]]; then + APPLY_TWO_POINT_FOUR=false + else + if (whiptail --backtitle "Setup OpenVPN" --title "Version 2.4 improvements" --yesno --defaultno "OpenVPN 2.4 brings support for stronger key exchange using Elliptic Curves and encrypted control channel, along with faster LZ4 compression.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then + APPLY_TWO_POINT_FOUR=true + $SUDO touch /etc/pivpn/TWO_POINT_FOUR else - APPLY_TWO_POINT_FOUR=false + APPLY_TWO_POINT_FOUR=false fi + fi fi if [[ ${useUpdateVars} == false ]]; then - if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then - if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then - DOWNLOAD_DH_PARAM=true - else - DOWNLOAD_DH_PARAM=false - fi - fi + if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then + if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then + DOWNLOAD_DH_PARAM=true + else + DOWNLOAD_DH_PARAM=false + fi + fi fi - if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then - if [ "$ENCRYPT" -ge "4096" ] && [[ ${DOWNLOAD_DH_PARAM} == true ]]; then - # Downloading parameters - RANDOM_INDEX=$(( RANDOM % 128 )) - ${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem" - else - # Generate Diffie-Hellman key exchange - ${SUDOE} ./easyrsa gen-dh - ${SUDOE} mv pki/dh.pem pki/dh${ENCRYPT}.pem - fi - fi + if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then + if [ "$ENCRYPT" -ge "4096" ] && [[ ${DOWNLOAD_DH_PARAM} == true ]]; then + # Downloading parameters + RANDOM_INDEX=$(( RANDOM % 128 )) + ${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem" + else + # Generate Diffie-Hellman key exchange + ${SUDOE} ./easyrsa gen-dh + ${SUDOE} mv pki/dh.pem pki/dh${ENCRYPT}.pem + fi + fi # Generate static HMAC key to defend against DDoS ${SUDOE} openvpn --genkey --secret pki/ta.key @@ -902,19 +881,19 @@ EOF # Write config file for server using the template .txt file $SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf - if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then - #If they enabled 2.4 change compression algorithm and use tls-crypt instead of tls-auth to encrypt control channel - $SUDO sed -i "s/comp-lzo/compress lz4/" /etc/openvpn/server.conf - $SUDO sed -i "s/tls-auth \/etc\/openvpn\/easy-rsa\/pki\/ta.key 0/tls-crypt \/etc\/openvpn\/easy-rsa\/pki\/ta.key/" /etc/openvpn/server.conf - fi + if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then + #If they enabled 2.4 change compression algorithm and use tls-crypt instead of tls-auth to encrypt control channel + $SUDO sed -i "s/comp-lzo/compress lz4/" /etc/openvpn/server.conf + $SUDO sed -i "s/tls-auth \/etc\/openvpn\/easy-rsa\/pki\/ta.key 0/tls-crypt \/etc\/openvpn\/easy-rsa\/pki\/ta.key/" /etc/openvpn/server.conf + fi - if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then - #If they enabled 2.4 disable dh parameters - $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/dh none/" /etc/openvpn/server.conf - else - # Otherwise set the user encryption key size - $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/\1${ENCRYPT}.pem/" /etc/openvpn/server.conf - fi + if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then + #If they enabled 2.4 disable dh parameters, use a specific curve instead + $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/dh none\necdh-curve secp384r1/" /etc/openvpn/server.conf + else + # Otherwise set the user encryption key size + $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/\1${ENCRYPT}.pem/" /etc/openvpn/server.conf + fi # if they modified port put value in server.conf if [ $PORT != 1194 ]; then @@ -965,7 +944,7 @@ confNetwork() { # if ufw enabled, configure that if hash ufw 2>/dev/null; then - if $SUDO ufw status | grep -q inactive + if LANG=en_US.UTF-8 $SUDO ufw status | grep -q inactive then noUFW=1 else @@ -1017,11 +996,11 @@ confOVPN() { $SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt - if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then - #If they enabled 2.4 change compression algorithm and remove key-direction options since it's not required - $SUDO sed -i "s/comp-lzo/compress lz4/" /etc/openvpn/easy-rsa/pki/Default.txt - $SUDO sed -i "/key-direction 1/d" /etc/openvpn/easy-rsa/pki/Default.txt - fi + if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then + #If they enabled 2.4 change compression algorithm and remove key-direction options since it's not required + $SUDO sed -i "s/comp-lzo/compress lz4/" /etc/openvpn/easy-rsa/pki/Default.txt + $SUDO sed -i "/key-direction 1/d" /etc/openvpn/easy-rsa/pki/Default.txt + fi if [[ ${useUpdateVars} == false ]]; then METH=$(whiptail --title "Public IP or DNS" --radiolist "Will clients use a Public IP or DNS Name to connect to your server (press space to select)?" ${r} ${c} 2 \ @@ -1076,16 +1055,11 @@ confOVPN() { $SUDO chmod 0777 -R "/home/$pivpnUser/ovpns" } -confLogging(){ - # Tell rsyslog to log openvpn messages to a specific file - cat << 'EOT' | $SUDO tee /etc/rsyslog.d/30-openvpn.conf >/dev/null -if $programname == 'ovpn-server' then /var/log/openvpn.log -if $programname == 'ovpn-server' then ~ -EOT +confLogging() { + echo "if \$programname == 'ovpn-server' then /var/log/openvpn.log +if \$programname == 'ovpn-server' then ~" | $SUDO tee /etc/rsyslog.d/30-openvpn.conf > /dev/null - # Enable log rotation, it rotates weekly and keeps the current log and the previous uncompressed, with the older 4 compressed - cat << 'EOT' | $SUDO tee /etc/logrotate.d/openvpn >/dev/null -/var/log/openvpn.log + echo "/var/log/openvpn.log { rotate 4 weekly @@ -1097,25 +1071,23 @@ EOT postrotate invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true endscript -} -EOT +}" | $SUDO tee /etc/logrotate.d/openvpn > /dev/null # Restart the logging service case ${PLAT} in - Ubuntu|Debian|*vuan) - $SUDO service rsyslog restart || true - ;; - *) - $SUDO systemctl restart rsyslog.service || true - ;; + Ubuntu|Debian|*vuan) + $SUDO service rsyslog restart || true + ;; + *) + $SUDO systemctl restart rsyslog.service || true + ;; esac - } finalExports() { # Update variables in setupVars.conf file if [ -e "${setupVars}" ]; then - sed -i.update.bak '/pivpnUser/d;/UNATTUPG/d;/pivpnInterface/d;/IPv4dns/d;/IPv4addr/d;/IPv4gw/d;/pivpnProto/d;/PORT/d;/ENCRYPT/d;/DOWNLOAD_DH_PARAM/d;/PUBLICDNS/d;/OVPNDNS1/d;/OVPNDNS2/d;' "${setupVars}" + $SUDO sed -i.update.bak '/pivpnUser/d;/UNATTUPG/d;/pivpnInterface/d;/IPv4dns/d;/IPv4addr/d;/IPv4gw/d;/pivpnProto/d;/PORT/d;/ENCRYPT/d;/DOWNLOAD_DH_PARAM/d;/PUBLICDNS/d;/OVPNDNS1/d;/OVPNDNS2/d;' "${setupVars}" fi { echo "pivpnUser=${pivpnUser}" @@ -1127,12 +1099,12 @@ finalExports() { echo "pivpnProto=${pivpnProto}" echo "PORT=${PORT}" echo "ENCRYPT=${ENCRYPT}" - echo "APPLY_TWO_POINT_FOUR"="${APPLY_TWO_POINT_FOUR}" + echo "APPLY_TWO_POINT_FOUR=${APPLY_TWO_POINT_FOUR}" echo "DOWNLOAD_DH_PARAM=${DOWNLOAD_DH_PARAM}" echo "PUBLICDNS=${PUBLICDNS}" echo "OVPNDNS1=${OVPNDNS1}" echo "OVPNDNS2=${OVPNDNS2}" - }>> "${setupVars}" + } | $SUDO tee "${setupVars}" > /dev/null } @@ -1307,6 +1279,8 @@ main() { fi # Install the packages (we do this first because we need whiptail) + addSoftwareRepo + #checkForDependencies update_package_cache diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index 09ef655..535ca41 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -237,16 +237,16 @@ echo "tls-auth Private Key found: $TA" cat "private/${NAME}${KEY}" echo "" - #Finally, append the TA Private Key - if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then - echo "" - cat "${TA}" - echo "" - else - echo "" - cat "${TA}" - echo "" - fi + #Finally, append the TA Private Key + if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then + echo "" + cat "${TA}" + echo "" + else + echo "" + cat "${TA}" + echo "" + fi } > "${NAME}${FILEEXT}"