Pi-hole/pivpn
Pi-hole/pivpn
1
0
Fork 0
mirror of https://github.com/pivpn/pivpn.git synced 2024-12-18 19:00:15 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #849 from orazioedoardo/test-wireguard

Browse source 
Code cleanup + WireGuard support
This commit is contained in:
4s3ti 2019-10-17 10:58:47 +02:00 committed by GitHub
commit 4fbb3b8b3c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
17 changed files with 1790 additions and 1477 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1684
auto_install/install.sh
View file

File diff suppressed because it is too large Load diff

11
scripts/backup.sh → scripts/openvpn/backup.sh
View file

@ -1,12 +1,17 @@
#!/bin/bash #!/bin/bash
install_user=$(</etc/pivpn/INSTALL_USER) setupVars="/etc/pivpn/setupVars.conf"
install_home=$(grep -m1 "^${install_user}:" /etc/passwd | cut -d: -f6)
install_home=${install_home%/} # remove possible trailing slash
backupdir=pivpnbackup backupdir=pivpnbackup
openvpndir=/etc/openvpn openvpndir=/etc/openvpn
ovpnsdir=${install_home}/ovpns ovpnsdir=${install_home}/ovpns
date=$(date +%Y-%m-%d-%H%M%S) date=$(date +%Y-%m-%d-%H%M%S)
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
source "${setupVars}"
backup_openvpn(){ backup_openvpn(){
if [[ ! -d $install_home/$backupdir ]]; then if [[ ! -d $install_home/$backupdir ]]; then
mkdir $install_home/$backupdir mkdir $install_home/$backupdir

0
scripts/bash-completion → scripts/openvpn/bash-completion
View file

0
scripts/clientStat.sh → scripts/openvpn/clientStat.sh
View file

0
scripts/listOVPN.sh → scripts/openvpn/listOVPN.sh
View file

41
scripts/makeOVPN.sh → scripts/openvpn/makeOVPN.sh
View file

@ -1,6 +1,7 @@
#!/bin/bash #!/bin/bash
# Create OVPN Client # Create OVPN Client
# Default Variable Declarations # Default Variable Declarations
setupVars="/etc/pivpn/setupVars.conf"
DEFAULT="Default.txt" DEFAULT="Default.txt"
FILEEXT=".ovpn" FILEEXT=".ovpn"
CRT=".crt" CRT=".crt"
@ -8,9 +9,13 @@ KEY=".key"
CA="ca.crt" CA="ca.crt"
TA="ta.key" TA="ta.key"
INDEX="/etc/openvpn/easy-rsa/pki/index.txt" INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
INSTALL_USER=$(</etc/pivpn/INSTALL_USER)
INSTALL_HOME=$(grep -m1 "^${INSTALL_USER}:" /etc/passwd | cut -d: -f6) if [ ! -f "${setupVars}" ]; then
INSTALL_HOME=${INSTALL_HOME%/} # remove possible trailing slash echo "::: Missing setup vars file!"
exit 1
fi
source "${setupVars}"
helpFunc() { helpFunc() {
echo "::: Create a client ovpn profile, optional nopass" echo "::: Create a client ovpn profile, optional nopass"
@ -28,10 +33,10 @@ helpFunc() {
echo "::: -h,--help Show this help dialog" echo "::: -h,--help Show this help dialog"
} }
if [ ! -f /etc/pivpn/HELP_SHOWN ]; then if [ -z "$HELP_SHOWN" ]; then
helpFunc helpFunc
echo echo
touch /etc/pivpn/HELP_SHOWN echo "HELP_SHOWN=1" >> "$setupVars"
fi fi
# Parse input arguments # Parse input arguments
@ -206,9 +211,9 @@ EOF
} }
#make sure ovpns dir exists #make sure ovpns dir exists
if [ ! -d "$INSTALL_HOME/ovpns" ]; then if [ ! -d "$install_home/ovpns" ]; then
mkdir "$INSTALL_HOME/ovpns" mkdir "$install_home/ovpns"
chmod 0750 "$INSTALL_HOME/ovpns" chmod 0750 "$install_home/ovpns"
fi fi
#bitWarden #bitWarden
@ -354,9 +359,9 @@ if [ "$iOS" = "1" ]; then
printf "Please remember the export password\n" printf "Please remember the export password\n"
printf "as you will need this import the certificate on your iOS device\n" printf "as you will need this import the certificate on your iOS device\n"
printf "========================================================\n" printf "========================================================\n"
openssl pkcs12 -passin pass:"$PASSWD" -export -in "issued/${NAME}${CRT}" -inkey "private/${NAME}${KEY}" -certfile ${CA} -name "${NAME}" -out "/home/$INSTALL_USER/ovpns/$NAME.ovpn12" openssl pkcs12 -passin pass:"$PASSWD" -export -in "issued/${NAME}${CRT}" -inkey "private/${NAME}${KEY}" -certfile ${CA} -name "${NAME}" -out "$install_home/ovpns/$NAME.ovpn12"
chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME.ovpn12" chown "$install_user" "$install_home/ovpns/$NAME.ovpn12"
chmod 600 "/home/$INSTALL_USER/ovpns/$NAME.ovpn12" chmod 600 "$install_home/ovpns/$NAME.ovpn12"
printf "========================================================\n" printf "========================================================\n"
printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME.ovpn12" printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME.ovpn12"
printf "You will need to transfer both the .ovpn and .ovpn12 files\n" printf "You will need to transfer both the .ovpn and .ovpn12 files\n"
@ -385,15 +390,9 @@ else
echo "</key>" echo "</key>"
#Finally, append the tls Private Key #Finally, append the tls Private Key
if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then
echo "<tls-crypt>"
cat "${TA}"
echo "</tls-crypt>"
else
echo "<tls-auth>" echo "<tls-auth>"
cat "${TA}" cat "${TA}"
echo "</tls-auth>" echo "</tls-auth>"
fi
} > "${NAME}${FILEEXT}" } > "${NAME}${FILEEXT}"
@ -401,15 +400,15 @@ fi
# Copy the .ovpn profile to the home directory for convenient remote access # Copy the .ovpn profile to the home directory for convenient remote access
cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "$INSTALL_HOME/ovpns/$NAME$FILEEXT" cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "$install_home/ovpns/$NAME$FILEEXT"
chown "$INSTALL_USER" "$INSTALL_HOME/ovpns/$NAME$FILEEXT" chown "$install_user" "$install_home/ovpns/$NAME$FILEEXT"
chmod 640 "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" chmod 640 "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT"
chmod 640 "$INSTALL_HOME/ovpns/$NAME$FILEEXT" chmod 640 "$install_home/ovpns/$NAME$FILEEXT"
printf "\n\n" printf "\n\n"
printf "========================================================\n" printf "========================================================\n"
printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME$FILEEXT" printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME$FILEEXT"
printf "%s was copied to:\n" "$NAME$FILEEXT" printf "%s was copied to:\n" "$NAME$FILEEXT"
printf " %s/ovpns\n" "$INSTALL_HOME" printf " %s/ovpns\n" "$install_home"
printf "for easy transfer. Please use this profile only on one\n" printf "for easy transfer. Please use this profile only on one\n"
printf "device and create additional profiles for other devices.\n" printf "device and create additional profiles for other devices.\n"
printf "========================================================\n\n" printf "========================================================\n\n"

0
pivpn → scripts/openvpn/pivpn Normal file → Executable file
View file

34
scripts/pivpnDebug.sh → scripts/openvpn/pivpnDebug.sh
View file

@ -1,16 +1,16 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# This scripts runs as root # This scripts runs as root
PORT=$(cat /etc/pivpn/INSTALL_PORT) setupVars="/etc/pivpn/setupVars.conf"
PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
REMOTE="$(grep 'remote ' /etc/openvpn/easy-rsa/pki/Default.txt | awk '{print $2}')"
NO_UFW=$(cat /etc/pivpn/NO_UFW)
OLD_UFW=$(cat /etc/pivpn/NO_UFW)
INPUT_CHAIN_EDITED="$(cat /etc/pivpn/INPUT_CHAIN_EDITED)"
FORWARD_CHAIN_EDITED="$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)"
ERR=0 ERR=0
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
source "${setupVars}"
echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::" echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::"
printf "=============================================\n" printf "=============================================\n"
echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::" echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::"
@ -25,13 +25,13 @@ for filename in /etc/pivpn/*; do
done done
printf "=============================================\n" printf "=============================================\n"
echo -e "::::\t\e[4msetupVars file shown below\e[0m\t ::::" echo -e "::::\t\e[4msetupVars file shown below\e[0m\t ::::"
sed "s/$REMOTE/REMOTE/" < /etc/pivpn/setupVars.conf sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf
printf "=============================================\n" printf "=============================================\n"
echo -e ":::: \e[4mServer configuration shown below\e[0m ::::" echo -e ":::: \e[4mServer configuration shown below\e[0m ::::"
cat /etc/openvpn/server.conf cat /etc/openvpn/server.conf
printf "=============================================\n" printf "=============================================\n"
echo -e ":::: \e[4mClient template file shown below\e[0m ::::" echo -e ":::: \e[4mClient template file shown below\e[0m ::::"
sed "s/$REMOTE/REMOTE/" < /etc/openvpn/easy-rsa/pki/Default.txt sed "s/$pivpnHOST/REDACTED/" < /etc/openvpn/easy-rsa/pki/Default.txt
printf "=============================================\n" printf "=============================================\n"
echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::: \e[4m/etc/openvpn/easy-rsa/pki shows below\e[0m :::" echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::: \e[4m/etc/openvpn/easy-rsa/pki shows below\e[0m :::"
ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial
@ -50,7 +50,7 @@ else
fi fi
fi fi
if [ "$NO_UFW" -eq 1 ]; then if [ "$USING_UFW" -eq 0 ]; then
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set" echo ":: [OK] Iptables MASQUERADE rule set"
@ -68,13 +68,13 @@ if [ "$NO_UFW" -eq 1 ]; then
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then if iptables -C INPUT -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT &> /dev/null; then
echo ":: [OK] Iptables INPUT rule set" echo ":: [OK] Iptables INPUT rule set"
else else
ERR=1 ERR=1
read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then if [[ ${REPLY} =~ ^[Yy]$ ]]; then
iptables -I INPUT 1 -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT iptables -I INPUT 1 -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT
iptables-save > /etc/iptables/rules.v4 iptables-save > /etc/iptables/rules.v4
echo "Done" echo "Done"
fi fi
@ -121,13 +121,13 @@ else
fi fi
fi fi
if iptables -C ufw-user-input -p "${PROTO}" --dport "${PORT}" -j ACCEPT &> /dev/null; then if iptables -C ufw-user-input -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw input rule set" echo ":: [OK] Ufw input rule set"
else else
ERR=1 ERR=1
read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then if [[ ${REPLY} =~ ^[Yy]$ ]]; then
ufw insert 1 allow "$PORT"/"$PROTO" ufw insert 1 allow "$pivpnPORT"/"$pivpnPROTO"
ufw reload ufw reload
echo "Done" echo "Done"
fi fi
@ -185,8 +185,8 @@ else
fi fi
# grep -w (whole word) is used so port 111940 with now match when looking for 1194 # grep -w (whole word) is used so port 111940 with now match when looking for 1194
if netstat -uanpt | grep openvpn | grep -w "${PORT}" | grep -q "${PROTO}"; then if netstat -uanpt | grep openvpn | grep -w "${pivpnPORT}" | grep -q "${pivpnPROTO}"; then
echo ":: [OK] OpenVPN is listening on port ${PORT}/${PROTO}" echo ":: [OK] OpenVPN is listening on port ${pivpnPORT}/${pivpnPROTO}"
else else
ERR=1 ERR=1
read -r -p ":: [ERR] OpenVPN is not listening, try to restart now? [Y/n] " REPLY read -r -p ":: [ERR] OpenVPN is not listening, try to restart now? [Y/n] " REPLY

16
scripts/removeOVPN.sh → scripts/openvpn/removeOVPN.sh
View file

@ -1,10 +1,16 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# PiVPN: revoke client script # PiVPN: revoke client script
INSTALL_USER=$(</etc/pivpn/INSTALL_USER) setupVars="/etc/pivpn/setupVars.conf"
PLAT=$(</etc/pivpn/DET_PLATFORM)
INDEX="/etc/openvpn/easy-rsa/pki/index.txt" INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
source "${setupVars}"
helpFunc() { helpFunc() {
echo "::: Revoke a client ovpn profile" echo "::: Revoke a client ovpn profile"
echo ":::" echo ":::"
@ -56,7 +62,7 @@ if [[ -z "${CERTS_TO_REVOKE}" ]]; then
done <${INDEX} done <${INDEX}
printf "\n" printf "\n"
echo "::: Please enter the Name of the client to be revoked from the list above:" echo -n "::: Please enter the Name of the client to be revoked from the list above: "
read -r NAME read -r NAME
if [[ -z "${NAME}" ]]; then if [[ -z "${NAME}" ]]; then
@ -104,8 +110,6 @@ fi
cd /etc/openvpn/easy-rsa || exit cd /etc/openvpn/easy-rsa || exit
INSTALL_HOME=$(grep -m1 "^${INSTALL_USER}:" /etc/passwd | cut -d: -f6)
INSTALL_HOME=${INSTALL_HOME%/} # remove possible trailing slash
for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}" printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}"
./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}" ./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}"
@ -116,7 +120,7 @@ for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
rm -rf "pki/private/${CERTS_TO_REVOKE[ii]}.key" rm -rf "pki/private/${CERTS_TO_REVOKE[ii]}.key"
rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt" rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt"
rm -rf "${INSTALL_HOME}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn" rm -rf "${install_home}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn"
rm -rf "/etc/openvpn/easy-rsa/pki/${CERTS_TO_REVOKE[ii]}.ovpn" rm -rf "/etc/openvpn/easy-rsa/pki/${CERTS_TO_REVOKE[ii]}.ovpn"
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
done done

0
scripts/update.sh → scripts/openvpn/update.sh
View file

153
scripts/uninstall.sh
View file

@ -1,153 +0,0 @@
#!/usr/bin/env bash
# PiVPN: Uninstall Script
PKG_MANAGER="apt-get"
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
INSTALL_HOME=$(grep -m1 "^${INSTALL_USER}:" /etc/passwd | cut -d: -f6)
INSTALL_HOME=${INSTALL_HOME%/} # remove possible trailing slash
PLAT=$(cat /etc/pivpn/DET_PLATFORM)
NO_UFW=$(cat /etc/pivpn/NO_UFW)
OLD_UFW=$(cat /etc/pivpn/NO_UFW)
PORT=$(cat /etc/pivpn/INSTALL_PORT)
PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
INPUT_CHAIN_EDITED="$(cat /etc/pivpn/INPUT_CHAIN_EDITED)"
FORWARD_CHAIN_EDITED="$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)"
# Find the rows and columns. Will default to 80x24 if it can not be detected.
screen_size=$(stty size 2>/dev/null || echo 24 80)
rows=$(echo $screen_size | awk '{print $1}')
columns=$(echo $screen_size | awk '{print $2}')
# Divide by two so the dialogs take up half of the screen, which looks nice.
r=$(( rows / 2 ))
c=$(( columns / 2 ))
# Unless the screen is tiny
r=$(( r < 20 ? 20 : r ))
c=$(( c < 70 ? 70 : c ))
spinner()
{
local pid=$1
local delay=0.50
local spinstr='/-\|'
while [ "$(ps a | awk '{print $1}' | grep "$pid")" ]; do
local temp=${spinstr#?}
printf " [%c] " "$spinstr"
local spinstr=$temp${spinstr%"$temp"}
sleep $delay
printf "\b\b\b\b\b\b"
done
printf " \b\b\b\b"
}
function removeAll {
# Purge dependencies
echo ":::"
dependencies=( openvpn easy-rsa git iptables-persistent dnsutils expect unattended-upgrades )
for i in "${dependencies[@]}"; do
if [ "$(dpkg-query -W --showformat='${Status}\n' "$i" 2> /dev/null | grep -c "ok installed")" -eq 1 ]; then
while true; do
read -rp "::: Do you wish to remove $i from your system? [y/n]: " yn
case $yn in
[Yy]* ) printf ":::\tRemoving %s..." "$i"; $PKG_MANAGER -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n";
if [ "$i" == "openvpn" ]; then UINST_OVPN=1 ; fi
if [ "$i" == "unattended-upgrades" ]; then UINST_UNATTUPG=1 ; fi
break;;
[Nn]* ) printf ":::\tSkipping %s\n" "$i"; break;;
* ) printf "::: You must answer yes or no!\n";;
esac
done
else
printf ":::\tPackage %s not installed... Not removing.\n" "$i"
fi
done
# Take care of any additional package cleaning
printf "::: Auto removing remaining dependencies..."
$PKG_MANAGER -y autoremove &> /dev/null & spinner $!; printf "done!\n";
printf "::: Auto cleaning remaining dependencies..."
$PKG_MANAGER -y autoclean &> /dev/null & spinner $!; printf "done!\n";
echo ":::"
# Removing pivpn files
echo "::: Removing pivpn system files..."
$SUDO rm -rf /opt/pivpn &> /dev/null
$SUDO rm -rf /etc/.pivpn &> /dev/null
$SUDO rm -rf $INSTALL_HOME/ovpns &> /dev/null
rm -rf /var/log/*pivpn* &> /dev/null
rm -rf /var/log/*openvpn* &> /dev/null
if [[ $UINST_OVPN = 1 ]]; then
rm -rf /etc/openvpn &> /dev/null
if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then
printf "::: Removing openvpn apt source..."
rm -rf /etc/apt/sources.list.d/swupdate.openvpn.net.list &> /dev/null
$PKG_MANAGER -qq update & spinner $!; printf "done!\n";
fi
fi
if [[ $UINST_UNATTUPG = 1 ]]; then
rm -rf /var/log/unattended-upgrades
rm -rf /etc/apt/apt.conf.d/*periodic
fi
rm -rf /etc/pivpn &> /dev/null
rm /usr/local/bin/pivpn &> /dev/null
rm /etc/bash_completion.d/pivpn
# Disable IPv4 forwarding
sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf
sysctl -p
if [[ $NO_UFW -eq 0 ]]; then
sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
ufw delete allow "$PORT"/"$PROTO" >/dev/null
if [ "$OLD_UFW" -eq 1 ]; then
sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"DROP\"/" /etc/default/ufw
else
ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
fi
ufw reload >/dev/null
else
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
iptables -D INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT
fi
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
iptables -D FORWARD -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -D FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
fi
iptables-save > /etc/iptables/rules.v4
fi
echo ":::"
printf "::: Finished removing PiVPN from your system.\n"
printf "::: Reinstall by simpling running\n:::\n:::\tcurl -L https://install.pivpn.io | bash\n:::\n::: at any time!\n:::\n"
}
function askreboot() {
printf "It is \e[1mstrongly\e[0m recommended to reboot after un-installation.\n"
read -p "Would you like to reboot now? [y/n]: " -n 1 -r
echo
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
printf "\nRebooting system...\n"
sleep 3
shutdown -r now
fi
}
######### SCRIPT ###########
echo "::: Preparing to remove packages, be sure that each may be safely removed depending on your operating system."
echo "::: (SAFE TO REMOVE ALL ON RASPBIAN)"
while true; do
read -rp "::: Do you wish to completely remove PiVPN configuration and installed packages from your system? (You will be prompted for each package) [y/n]: " yn
case $yn in
[Yy]* ) removeAll; askreboot; break;;
[Nn]* ) printf "::: Not removing anything, exiting...\n"; break;;
esac
done

23
scripts/wireguard/listCONF.sh Executable file
View file

@ -0,0 +1,23 @@
#!/bin/bash
cd /etc/wireguard/configs
if [ ! -s clients.txt ]; then
echo "::: There are no clients to list"
exit 1
fi
# Present the user with a summary of the clients, fetching info from dates.
FORMATTED+=": \e[4mClient\e[0m&\e[4mCreation date\e[0m :\n"
while read -r LINE; do
CLIENT_NAME="$(awk '{print $1}' <<< "$LINE")"
CREATION_DATE="$(awk '{print $2}' <<< "$LINE")"
# Dates are converted from UNIX time to human readable.
CD_FORMAT="$(date -d @"$CREATION_DATE" +'%d %b %Y, %H:%M, %Z')"
FORMATTED+="$CLIENT_NAME&$CD_FORMAT\n"
done < clients.txt
echo -e "$FORMATTED" | column -t -s '&'

132
scripts/wireguard/makeCONF.sh Executable file
View file

@ -0,0 +1,132 @@
#!/bin/bash
setupVars="/etc/pivpn/setupVars.conf"
helpFunc(){
echo "::: Create a client conf profile"
echo ":::"
echo "::: Usage: pivpn <-a|add> [-n|--name <arg>] [-h|--help]"
echo ":::"
echo "::: Commands:"
echo "::: [none] Interactive mode"
echo "::: -n,--name Name for the Client (default: '$HOSTNAME')"
echo "::: -h,--help Show this help dialog"
}
# Parse input arguments
while test $# -gt 0; do
_key="$1"
case "$_key" in
-n|--name|--name=*)
_val="${_key##--name=}"
if test "$_val" = "$_key"; then
test $# -lt 2 && echo "::: Missing value for the optional argument '$_key'." && exit 1
_val="$2"
shift
fi
CLIENT_NAME="$_val"
;;
-h|--help)
helpFunc
exit 0
;;
*)
echo "::: Error: Got an unexpected argument '$1'"
helpFunc
exit 1
;;
esac
shift
done
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
source "${setupVars}"
# The home folder variable was sourced from the settings file.
if [ ! -d "${install_home}/configs" ]; then
mkdir "${install_home}/configs"
chown "${install_user}":"${install_user}" "${install_home}/configs"
chmod 0750 "${install_home}/configs"
fi
cd /etc/wireguard
if [ -z "${CLIENT_NAME}" ]; then
read -r -p "Enter a Name for the Client: " CLIENT_NAME
fi
if [[ "${CLIENT_NAME}" =~ [^a-zA-Z0-9.@_-] ]]; then
echo "Name can only contain alphanumeric characters and these characters (.-@_)."
exit 1
fi
if [ -z "${CLIENT_NAME}" ]; then
echo "::: You cannot leave the name blank."
exit 1
fi
if [ -f "configs/${CLIENT_NAME}.conf" ]; then
echo "::: A client with this name already exists"
exit 1
fi
wg genkey | tee "keys/${CLIENT_NAME}_priv" | wg pubkey > "keys/${CLIENT_NAME}_pub"
echo "::: Client Keys generated"
# Find an unused number for the last octet of the client IP
for i in {2..254}; do
if ! grep -q " $i" configs/clients.txt; then
COUNT="$i"
echo "${CLIENT_NAME} $(date +%s) ${COUNT}" >> configs/clients.txt
break
fi
done
echo -n "[Interface]
PrivateKey = $(cat "keys/${CLIENT_NAME}_priv")
Address = 10.6.0.${COUNT}/24
DNS = ${pivpnDNS1}" > "configs/${CLIENT_NAME}.conf"
if [ -n "${pivpnDNS2}" ]; then
echo ", ${pivpnDNS2}" >> "configs/${CLIENT_NAME}.conf"
else
echo >> "configs/${CLIENT_NAME}.conf"
fi
echo >> "configs/${CLIENT_NAME}.conf"
echo "[Peer]
PublicKey = $(cat keys/server_pub)
PresharedKey = $(cat keys/psk)
Endpoint = ${pivpnHOST}:${pivpnPORT}
AllowedIPs = 0.0.0.0/0" >> "configs/${CLIENT_NAME}.conf"
echo "::: Client config generated"
echo "# begin ${CLIENT_NAME}
[Peer]
PublicKey = $(cat "keys/${CLIENT_NAME}_pub")
PresharedKey = $(cat keys/psk)
AllowedIPs = 10.6.0.${COUNT}/32
# end ${CLIENT_NAME}" >> wg0.conf
echo "::: Updated server config"
if systemctl restart wg-quick@wg0; then
echo "::: WireGuard restarted"
else
echo "::: Failed to restart WireGuard"
fi
cp "configs/${CLIENT_NAME}.conf" "${install_home}/configs/${CLIENT_NAME}.conf"
chown "${install_user}":"${install_user}" "${install_home}/configs/${CLIENT_NAME}.conf"
chmod 640 "${install_home}/configs/${CLIENT_NAME}.conf"
echo "======================================================================"
echo -e "::: Done! \e[1m${CLIENT_NAME}.conf successfully created!\e[0m"
echo "::: ${CLIENT_NAME}.conf was copied to ${install_home}/configs for easy transfer."
echo "::: Please use this profile only on one device and create additional"
echo -e "::: profiles for other devices. You can also use \e[1mpivpn -qr\e[0m"
echo "::: to generate a QR Code you can scan with the mobile app."
echo "======================================================================"

83
scripts/wireguard/pivpn Executable file
View file

@ -0,0 +1,83 @@
#!/bin/bash
# Must be root to use this tool
if [ $EUID -ne 0 ];then
if dpkg-query -s sudo &> /dev/null; then
export SUDO="sudo"
else
echo "::: Please install sudo or run this as root."
exit 1
fi
fi
makeConf(){
shift
$SUDO /opt/pivpn/makeCONF.sh "$@"
exit 1
}
listConnected(){
$SUDO wg show
exit 1
}
debug(){
$SUDO /opt/pivpn/pivpnDEBUG.sh
exit 1
}
listClients(){
$SUDO /opt/pivpn/listCONF.sh
exit 1
}
showQrcode(){
shift
$SUDO /opt/pivpn/qrcodeCONF.sh "$@"
exit 1
}
removeClient(){
shift
$SUDO /opt/pivpn/removeCONF.sh "$@"
exit 1
}
uninstallServer(){
$SUDO /opt/pivpn/uninstall.sh
exit 1
}
showHelp(){
echo "::: Control all PiVPN specific functions!"
echo ":::"
echo "::: Usage: pivpn <command> [option]"
echo ":::"
echo "::: Commands:"
echo "::: -a, add Create a client conf profile"
echo "::: -c, clients List any connected clients to the server"
echo "::: -d, debug Start a debugging session if having trouble"
echo "::: -l, list List all clients"
echo "::: -qr, qrcode Show the qrcode of a client for use with the mobile app"
echo "::: -r, remove Remove a client"
echo "::: -h, help Show this help dialog"
echo "::: -u, uninstall Uninstall pivpn from your system!"
exit 1
}
if [ $# = 0 ]; then
showHelp
fi
# Handle redirecting to specific functions based on arguments
case "$1" in
"-a" | "add" ) makeConf "$@";;
"-c" | "clients" ) listConnected;;
"-d" | "debug" ) debug;;
"-l" | "list" ) listClients;;
"-qr" | "qrcode" ) showQrcode "$@";;
"-r" | "remove" ) removeClient "$@";;
"-h" | "help" ) showHelp;;
"-u" | "uninstall" ) uninstallServer;;
* ) showHelp;;
esac

174
scripts/wireguard/pivpnDEBUG.sh Executable file
View file

@ -0,0 +1,174 @@
#!/usr/bin/env bash
# This scripts runs as root
setupVars="/etc/pivpn/setupVars.conf"
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
source "${setupVars}"
EXAMPLE="$(head -1 /etc/wireguard/configs/clients.txt | awk '{print $1}')"
ERR=0
echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::"
printf "=============================================\n"
echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::"
git --git-dir /etc/.pivpn/.git log -n 1
printf "=============================================\n"
echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::"
sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf
printf "=============================================\n"
echo -e ":::: \e[4mServer configuration shown below\e[0m ::::"
cd /etc/wireguard/keys
cp ../wg0.conf ../wg0.tmp
# Replace every key in the server configuration with just it's file name
for k in *; do
sed "s#$(cat "$k")#$k#" -i ../wg0.tmp
done
cat ../wg0.tmp
rm ../wg0.tmp
printf "=============================================\n"
echo -e ":::: \e[4mClient configuration shown below\e[0m ::::"
if [ -n "$EXAMPLE" ]; then
cp ../configs/"$EXAMPLE".conf ../configs/"$EXAMPLE".tmp
for k in *; do
sed "s#$(cat "$k")#$k#" -i ../configs/"$EXAMPLE".tmp
done
sed "s/$pivpnHOST/REDACTED/" < ../configs/"$EXAMPLE".tmp
rm ../configs/"$EXAMPLE".tmp
else
echo "::: There are no clients yet"
fi
printf "=============================================\n"
echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::::\e\t[4m/etc/wireguard shown below\e[0m\t ::::"
ls -LR /etc/wireguard
printf "=============================================\n"
echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::"
if [ "$(cat /proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then
echo ":: [OK] IP forwarding is enabled"
else
ERR=1
read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
sysctl -p
echo "Done"
fi
fi
if [ "$USING_UFW" -eq 0 ]; then
if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
iptables -t nat -F
iptables -t nat -I POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE
iptables-save > /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4
echo "Done"
fi
fi
else
if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
echo ":: [OK] Ufw is enabled"
else
ERR=1
read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
ufw enable
fi
fi
if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.6.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
ufw reload
echo "Done"
fi
fi
if iptables -C ufw-user-input -p udp --dport "${pivpnPORT}" -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw input rule set"
else
ERR=1
read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
ufw insert 1 allow "$pivpnPORT"/udp
ufw reload
echo "Done"
fi
fi
if iptables -C ufw-user-forward -i wg0 -o "${IPv4dev}" -s 10.6.0.0/24 -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw forwarding rule set"
else
ERR=1
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
ufw route insert 1 allow in on wg0 from 10.6.0.0/24 out on "$IPv4dev" to any
ufw reload
echo "Done"
fi
fi
fi
if systemctl is-active -q wg-quick@wg0; then
echo ":: [OK] WireGuard is running"
else
ERR=1
read -r -p ":: [ERR] WireGuard is not running, try to start now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
systemctl start wg-quick@wg0
echo "Done"
fi
fi
if systemctl is-enabled -q wg-quick@wg0; then
echo ":: [OK] WireGuard is enabled (it will automatically start on reboot)"
else
ERR=1
read -r -p ":: [ERR] WireGuard is not enabled, try to enable now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
systemctl enable wg-quick@wg0
echo "Done"
fi
fi
# grep -w (whole word) is used so port 11940 won't match when looking for 1194
if netstat -uanp | grep -w "${pivpnPORT}" | grep -q 'udp'; then
echo ":: [OK] WireGuard is listening on port ${pivpnPORT}/udp"
else
ERR=1
read -r -p ":: [ERR] WireGuard is not listening, try to restart now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
systemctl restart wg-quick@wg0
echo "Done"
fi
fi
if [ "$ERR" -eq 1 ]; then
echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues"
fi
printf "=============================================\n"
echo -e ":::: \e[1mWARNING\e[0m: This script should have automatically masked sensitive ::::"
echo -e ":::: information, however, still make sure that \e[4mPrivateKey\e[0m, \e[4mPublicKey\e[0m ::::"
echo -e ":::: and \e[4mPresharedKey\e[0m are masked before reporting an issue. An example key ::::"
echo ":::: that you should NOT see in this log looks like this: ::::"
echo ":::: WJhKKx+Uk1l1TxaH2KcEGeBdPBTp/k/Qy4EpBig5UnI= ::::"
printf "=============================================\n"
echo -e "::::\t\t\e[4mDebug complete\e[0m\t\t ::::"

63
scripts/wireguard/qrcodeCONF.sh Executable file
View file

@ -0,0 +1,63 @@
#!/bin/bash
helpFunc(){
echo "::: Show the qrcode of a client for use with the mobile app"
echo ":::"
echo "::: Usage: pivpn <-qr|qrcode> [-h|--help] [<client-1>] ... [<client-n>] ..."
echo ":::"
echo "::: Commands:"
echo "::: [none] Interactive mode"
echo "::: <client> Client(s) to show"
echo "::: -h,--help Show this help dialog"
}
# Parse input arguments
while test $# -gt 0
do
_key="$1"
case "$_key" in
-h|--help)
helpFunc
exit 0
;;
*)
CLIENTS_TO_SHOW+=("$1")
;;
esac
shift
done
cd /etc/wireguard/configs
if [ ! -s clients.txt ]; then
echo "::: There are no clients to remove"
exit 1
fi
if [ "${#CLIENTS_TO_SHOW[@]}" -eq 0 ]; then
echo -e "::\e[4m Client list \e[0m::"
LIST=($(awk '{print $1}' clients.txt))
COUNTER=1
while [ $COUNTER -le ${#LIST[@]} ]; do
echo "${LIST[(($COUNTER-1))]}"
((COUNTER++))
done
read -r -p "Please enter the Name of the Client to show: " CLIENTS_TO_SHOW
if [ -z "${CLIENTS_TO_SHOW}" ]; then
echo "::: You can not leave this blank!"
exit 1
fi
fi
for CLIENT_NAME in "${CLIENTS_TO_SHOW[@]}"; do
if grep -qw "${CLIENT_NAME}" clients.txt; then
echo -e "::: Showing client \e[1m${CLIENT_NAME}\e[0m below"
echo "====================================================================="
qrencode -t ansiutf8 < "${CLIENT_NAME}.conf"
echo "====================================================================="
else
echo -e "::: \e[1m${CLIENT_NAME}\e[0m does not exist"
fi
done

117
scripts/wireguard/removeCONF.sh Executable file
View file

@ -0,0 +1,117 @@
#!/bin/bash
setupVars="/etc/pivpn/setupVars.conf"
helpFunc(){
echo "::: Remove a client conf profile"
echo ":::"
echo "::: Usage: pivpn <-r|remove> [-h|--help] [<client-1>] ... [<client-n>] ..."
echo ":::"
echo "::: Commands:"
echo "::: [none] Interactive mode"
echo "::: <client> Client(s) to remove"
echo "::: -h,--help Show this help dialog"
}
# Parse input arguments
while test $# -gt 0
do
_key="$1"
case "$_key" in
-h|--help)
helpFunc
exit 0
;;
*)
CLIENTS_TO_REMOVE+=("$1")
;;
esac
shift
done
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
source "${setupVars}"
cd /etc/wireguard
if [ ! -s configs/clients.txt ]; then
echo "::: There are no clients to remove"
exit 1
fi
if [ "${#CLIENTS_TO_REMOVE[@]}" -eq 0 ]; then
echo -e "::\e[4m Client list \e[0m::"
LIST=($(awk '{print $1}' configs/clients.txt))
COUNTER=1
while [ $COUNTER -le ${#LIST[@]} ]; do
echo "${LIST[(($COUNTER-1))]}"
((COUNTER++))
done
read -r -p "Please enter the Name of the Client to be removed from the list above: " CLIENTS_TO_REMOVE
if [ -z "${CLIENTS_TO_REMOVE}" ]; then
echo "::: You can not leave this blank!"
exit 1
fi
fi
DELETED_COUNT=0
for CLIENT_NAME in "${CLIENTS_TO_REMOVE[@]}"; do
if ! grep -qw "${CLIENT_NAME}" configs/clients.txt; then
echo -e "::: \e[1m${CLIENT_NAME}\e[0m does not exist"
else
REQUESTED="$(sha256sum "configs/${CLIENT_NAME}.conf" | cut -c 1-64)"
read -r -p "Do you really want to delete $CLIENT_NAME? [Y/n] "
if [[ $REPLY =~ ^[Yy]$ ]]; then
# Grab the least significant octed of the client IP address
COUNT=$(grep "${CLIENT_NAME}" configs/clients.txt | awk '{print $3}')
# And the creation date of the client
CREATION_DATE="$(grep "${CLIENT_NAME}" configs/clients.txt | awk '{print $2}')"
# Then remove the client matching the variables above
sed "/${CLIENT_NAME} ${CREATION_DATE} ${COUNT}/d" -i configs/clients.txt
# Remove the peer section from the server config
sed "/# begin ${CLIENT_NAME}/,/# end ${CLIENT_NAME}/d" -i wg0.conf
echo "::: Updated server config"
rm "configs/${CLIENT_NAME}.conf"
echo "::: Client config for ${CLIENT_NAME} removed"
rm "keys/${CLIENT_NAME}_priv"
rm "keys/${CLIENT_NAME}_pub"
echo "::: Client Keys for ${CLIENT_NAME} removed"
# Find all .conf files in the home folder of the user matching the checksum of the
# config and delete them. '-maxdepth 3' is used to avoid traversing too many folders.
find "${install_home}" -maxdepth 3 -type f -name '*.conf' -print0 | while IFS= read -r -d '' CONFIG; do
if sha256sum -c <<< "${REQUESTED} ${CONFIG}" &> /dev/null; then
rm "${CONFIG}"
fi
done
echo "::: Successfully deleted ${CLIENT_NAME}"
((DELETED_COUNT++))
fi
fi
done
# Restart WireGuard only if some clients were actually deleted
if [ "${DELETED_COUNT}" -gt 0 ]; then
if systemctl restart wg-quick@wg0; then
echo "::: WireGuard restarted"
else
echo "::: Failed to restart WireGuard"
fi
fi