From 93044d6f6d9c4d2a0c086ab4605402937c801792 Mon Sep 17 00:00:00 2001
From: corbolais
Date: Sun, 8 Dec 2019 16:13:26 +0100
Subject: [PATCH 1/2] add local resolver as DNS option.

Signed-off-by: corbolais
---
 auto_install/install.sh | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/auto_install/install.sh b/auto_install/install.sh
index 2305458..9e96e95 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -975,7 +975,11 @@ askClientDNS(){
 fi
 fi
- DNSChoseCmd=(whiptail --separate-output --radiolist "Select the DNS Provider for your VPN Clients (press space to select). To use your own, select Custom." ${r} ${c} 6)
+ DNSChoseCmd=(whiptail --separate-output --radiolist "Select the DNS Provider
+ for your VPN Clients (press space to select). To use your own, select
+ Custom.\\n\\nIn case you have a local resolver running, i.e. unbound, select
+ \"PiVPN-is-local-DNS\" and make sure your resolver is listening on
+ 10.8.0.1, allowing requests from 10.8.0.1/8" ${r} ${c} 6)
 DNSChooseOptions=(Google "" on
 OpenDNS "" off
 Level3 "" off
@@ -983,6 +987,7 @@ askClientDNS(){
 Norton "" off
 FamilyShield "" off
 CloudFlare "" off
+ PiVPN-is-local-DNS "" off
 Custom "" off)
 if DNSchoices=$("${DNSChoseCmd[@]}" "${DNSChooseOptions[@]}" 2>&1 >/dev/tty)
@@ -997,7 +1002,8 @@ askClientDNS(){
 ["DNS.WATCH"]="84.200.69.80 84.200.70.40"
 ["Norton"]="199.85.126.10 199.85.127.10"
 ["FamilyShield"]="208.67.222.123 208.67.220.123"
- ["CloudFlare"]="1.1.1.1 1.0.0.1")
+ ["CloudFlare"]="1.1.1.1 1.0.0.1"
+ ["PiVPN-is-local-DNS"]="10.8.0.1")
 pivpnDNS1=$(awk '{print $1}' <<< "${DNS_MAP["${DNSchoices}"]}")
 pivpnDNS2=$(awk '{print $2}' <<< "${DNS_MAP["${DNSchoices}"]}")

From e76f3755aba453adde3c4d9153708d1dcc865369 Mon Sep 17 00:00:00 2001
From: corbolais
Date: Mon, 9 Dec 2019 12:41:40 +0100
Subject: [PATCH 2/2] consistent use of pivpnNET, subnetClass and vpnGw.
Signed-off-by: corbolais
---
 auto_install/install.sh | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/auto_install/install.sh b/auto_install/install.sh
index 9e96e95..9b0af3f 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -33,6 +33,8 @@ pivpnGitUrl="https://github.com/pivpn/pivpn.git"
 easyrsaVer="3.0.6"
 easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz"
+subnetClass="24"
 # Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config
 UNATTUPG_RELEASE="1.14"
 UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz"
@@ -692,6 +694,7 @@ askWhichVPN(){
 pivpnDEV="tun0"
 pivpnNET="10.8.0.0"
 fi
+ vpnGw="${pivpnNET/.0/.1}"
 echo "VPN=${VPN}" >> /tmp/setupVars.conf
 }
@@ -979,7 +982,7 @@ askClientDNS(){
 for your VPN Clients (press space to select). To use your own, select
 Custom.\\n\\nIn case you have a local resolver running, i.e. unbound, select
 \"PiVPN-is-local-DNS\" and make sure your resolver is listening on
- 10.8.0.1, allowing requests from 10.8.0.1/8" ${r} ${c} 6)
+ \"$vpnGw\", allowing requests from \"${pivpnNET}/${subnetClass}\"." ${r} ${c} 6)
 DNSChooseOptions=(Google "" on
 OpenDNS "" off
 Level3 "" off
@@ -1003,7 +1006,7 @@ askClientDNS(){
 ["Norton"]="199.85.126.10 199.85.127.10"
 ["FamilyShield"]="208.67.222.123 208.67.220.123"
 ["CloudFlare"]="1.1.1.1 1.0.0.1"
- ["PiVPN-is-local-DNS"]="10.8.0.1")
+ ["PiVPN-is-local-DNS"]="$vpnGw")
 pivpnDNS1=$(awk '{print $1}' <<< "${DNS_MAP["${DNSchoices}"]}")
 pivpnDNS2=$(awk '{print $2}' <<< "${DNS_MAP["${DNSchoices}"]}")
@@ -1388,7 +1391,7 @@ confWireGuard(){
 echo "[Interface]
 PrivateKey = $($SUDO cat /etc/wireguard/keys/server_priv)
-Address = 10.6.0.1/24
+Address = ${vpnGw}/${subnetClass}
 ListenPort = ${pivpnPORT}" | $SUDO tee /etc/wireguard/wg0.conf &> /dev/null
 echo "::: Server config generated."
 }
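Review bot: The new `subnetClass="24"` constant carries no comment, yet it is not freely changeable: the gateway address `vpnGw` is derived in askWhichVPN by text substitution on pivpnNET's last octet, which only yields a valid gateway for a /24 whose network address ends in .0. Anyone later bumping this to 16 or 25 would get consistent firewall masks but a wrong gateway and DNS address. I would document the coupling where the constant is declared: `# Prefix length of the VPN subnet. Only 24 is supported: vpnGw (askWhichVPN) is derived from pivpnNET by swapping its last octet, so change both together.` Marking it `readonly` would also match its role as a constant, though the neighbouring easyrsa/UNATTUPG constants are plain assignments too.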
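Review bot: `vpnGw="${pivpnNET/.0/.1}"` replaces the first match of `.0`, which in `10.8.0.0` is the third octet, so vpnGw becomes 10.8.1.0 (and 10.6.1.0 for the WireGuard subnet set above this hunk), an address outside the /24 that the MASQUERADE/FORWARD rules and wg0.conf use; clients would be handed an unreachable DNS server and the wg0 interface would be assigned the network address of the wrong subnet. Anchor the substitution to the end of the string instead, e.g. `vpnGw="${pivpnNET%.0}.1"  # first host of the /24: 10.8.0.0 -> 10.8.0.1`. askWhichVPN's body begins outside the hunk, so I cannot tell whether pivpnNET/vpnGw are also persisted to /tmp/setupVars.conf alongside VPN; if that file drives a non-interactive path, vpnGw needs to be written there too.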
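Review bot: The dialog text tells the user to have the resolver "listening on" the gateway and "allowing requests from" the VPN subnet, but does not say that it should listen only there; a resolver bound to 0.0.0.0 on a host that is reachable from the internet (it must be, for the VPN endpoint) is the classic open-resolver/amplification footgun. I would tighten the new line to `\"$vpnGw\" only (not 0.0.0.0) and accepting queries only from \"${pivpnNET}/${subnetClass}\"." ${r} ${c} 6)`. The unchanged context line above it says `i.e. unbound`, which should read `e.g. unbound` since unbound is an example, not the only option. Note also that this option sets only pivpnDNS1 (the map value is a single address), so clients get no fallback resolver if the local one is down; that is probably intended, but worth a word in the dialog.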
@@ -1407,10 +1410,10 @@ confNetwork(){
 USING_UFW=1
 echo "::: Detected UFW is enabled."
 echo "::: Adding UFW rules..."
- $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}\/24 -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
+ $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}\/${subnetClass} -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
 # Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic)
 $SUDO ufw insert 1 allow "${pivpnPORT}"/"${pivpnPROTO}" >/dev/null
- $SUDO ufw route insert 1 allow in on "${pivpnDEV}" from "${pivpnNET}/24" out on "${IPv4dev}" to any >/dev/null
+ $SUDO ufw route insert 1 allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any >/dev/null
 $SUDO ufw reload >/dev/null
 echo "::: UFW configuration completed."
@@ -1423,7 +1426,7 @@ confNetwork(){
 # Now some checks to detect which rules we need to add. On a newly installed system all policies
 # should be ACCEPT, so the only required rule would be the MASQUERADE one.
- $SUDO iptables -t nat -I POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE
+ $SUDO iptables -t nat -I POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE
 # Count how many rules are in the INPUT and FORWARD chain. When parsing input from
 # iptables -S, '^-P' skips the policies and 'ufw-' skips ufw chains (in case ufw was found
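Review bot: `${subnetClass}` is now interpolated unvalidated into a sed program that is written into /etc/ufw/before.rules and into ufw/iptables arguments; today it is a hard-coded constant so this is safe, but the moment it becomes configurable (setupVars.conf, an environment override) a stray value would corrupt before.rules or silently install a wider MASQUERADE source than intended. If it is ever read from outside the script, guard it before this function with `[[ "$subnetClass" =~ ^[0-9]{1,2}$ ]] && (( subnetClass >= 1 && subnetClass <= 32 )) || { echo "::: invalid subnetClass '${subnetClass}'" >&2; exit 1; }`. The pre-existing `\/` inside the double-quoted sed text reaches sed as a backslash-slash, which GNU sed's `i` text accepts, but a plain `/` would be clearer now that the line is being touched.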
@@ -1449,8 +1452,8 @@ confNetwork(){
 fi
 if [ "$FORWARD_RULES_COUNT" -ne 0 ] || [ "$FORWARD_POLICY" != "ACCEPT" ]; then
- $SUDO iptables -I FORWARD 1 -d "${pivpnNET}/24" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- $SUDO iptables -I FORWARD 2 -s "${pivpnNET}/24" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT
+ $SUDO iptables -I FORWARD 1 -d "${pivpnNET}/${subnetClass}" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ $SUDO iptables -I FORWARD 2 -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT
 FORWARD_CHAIN_EDITED=1
 else
 FORWARD_CHAIN_EDITED=0