Pi-hole/pivpn
Pi-hole/pivpn
1
0
Fork 0
mirror of https://github.com/pivpn/pivpn.git synced 2024-12-18 19:00:15 +00:00
Code Issues Projects Releases Packages Wiki Activity

Revert some variable names and fix iptables rules

Browse source
This commit is contained in:
Orazio 2019-10-16 12:01:50 +02:00
parent 3c973e2a48
commit 5c97221d3f
3 changed files with 39 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
auto_install/install.sh
View file

@ -270,8 +270,8 @@ chooseInterface(){
local firstloop=1 local firstloop=1
if [[ $(echo "${availableInterfaces}" | wc -l) -eq 1 ]]; then if [[ $(echo "${availableInterfaces}" | wc -l) -eq 1 ]]; then
PHYS_INT="${availableInterfaces}" IPv4dev="${availableInterfaces}"
echo "PHYS_INT=${PHYS_INT}" >> /tmp/setupVars.conf echo "IPv4dev=${IPv4dev}" >> /tmp/setupVars.conf
return return
fi fi
@ -290,9 +290,9 @@ chooseInterface(){
chooseInterfaceOptions=$("${chooseInterfaceCmd[@]}" "${interfacesArray[@]}" 2>&1 >/dev/tty) chooseInterfaceOptions=$("${chooseInterfaceCmd[@]}" "${interfacesArray[@]}" 2>&1 >/dev/tty)
if [[ $? = 0 ]]; then if [[ $? = 0 ]]; then
for desiredInterface in ${chooseInterfaceOptions}; do for desiredInterface in ${chooseInterfaceOptions}; do
PHYS_INT=${desiredInterface} IPv4dev=${desiredInterface}
echo "::: Using interface: $PHYS_INT" echo "::: Using interface: $IPv4dev"
echo "PHYS_INT=${PHYS_INT}" >> /tmp/setupVars.conf echo "IPv4dev=${IPv4dev}" >> /tmp/setupVars.conf
done done
else else
echo "::: Cancel selected, exiting...." echo "::: Cancel selected, exiting...."
@ -314,6 +314,9 @@ getStaticIPv4Settings() {
if (whiptail --backtitle "Calibrating network interface" --title "Static IP Address" --yesno "Do you want to use your current network settings as a static address? if (whiptail --backtitle "Calibrating network interface" --title "Static IP Address" --yesno "Do you want to use your current network settings as a static address?
IP address: ${IPv4addr} IP address: ${IPv4addr}
Gateway: ${IPv4gw}" ${r} ${c}); then Gateway: ${IPv4gw}" ${r} ${c}); then
echo "IPv4addr=${IPv4addr%/*}" >> /tmp/setupVars.conf
echo "IPv4gw=${IPv4gw}" >> /tmp/setupVars.conf
# If they choose yes, let the user know that the IP address will not be available via DHCP and may cause a conflict. # If they choose yes, let the user know that the IP address will not be available via DHCP and may cause a conflict.
whiptail --msgbox --backtitle "IP information" --title "FYI: IP Conflict" "It is possible your router could still try to assign this IP to a device, which would cause a conflict. But in most cases the router is smart enough to not do that. whiptail --msgbox --backtitle "IP information" --title "FYI: IP Conflict" "It is possible your router could still try to assign this IP to a device, which would cause a conflict. But in most cases the router is smart enough to not do that.
If you are worried, either manually set the address, or modify the DHCP reservation pool so it does not include the IP you want. If you are worried, either manually set the address, or modify the DHCP reservation pool so it does not include the IP you want.
@ -337,7 +340,8 @@ It is also possible to use a DHCP reservation, but if you are going to do that,
IP address: ${IPv4addr} IP address: ${IPv4addr}
Gateway: ${IPv4gw}" ${r} ${c}); then Gateway: ${IPv4gw}" ${r} ${c}); then
# If the settings are correct, then we need to set the pivpnIP # If the settings are correct, then we need to set the pivpnIP
echo "pivpnIP=${IPv4addr%/*}" >> /tmp/setupVars.conf echo "IPv4addr=${IPv4addr%/*}" >> /tmp/setupVars.conf
echo "IPv4gw=${IPv4gw}" >> /tmp/setupVars.conf
# After that's done, the loop ends and we move on # After that's done, the loop ends and we move on
ipSettingsCorrect=True ipSettingsCorrect=True
else else
@ -363,7 +367,7 @@ It is also possible to use a DHCP reservation, but if you are going to do that,
setDHCPCD(){ setDHCPCD(){
# Append these lines to dhcpcd.conf to enable a static IP # Append these lines to dhcpcd.conf to enable a static IP
echo "interface ${PHYS_INT} echo "interface ${IPv4dev}
static ip_address=${IPv4addr} static ip_address=${IPv4addr}
static routers=${IPv4gw} static routers=${IPv4gw}
static domain_name_servers=${IPv4dns}" | $SUDO tee -a ${dhcpcdFile} >/dev/null static domain_name_servers=${IPv4dns}" | $SUDO tee -a ${dhcpcdFile} >/dev/null
@ -376,7 +380,7 @@ setStaticIPv4(){
echo "::: Static IP already configured." echo "::: Static IP already configured."
else else
setDHCPCD setDHCPCD
$SUDO ip addr replace dev "${PHYS_INT}" "${IPv4addr}" $SUDO ip addr replace dev "${IPv4dev}" "${IPv4addr}"
echo ":::" echo ":::"
echo "::: Setting IP to ${IPv4addr}. You may need to restart after the install is complete." echo "::: Setting IP to ${IPv4addr}. You may need to restart after the install is complete."
echo ":::" echo ":::"
@ -511,14 +515,15 @@ askWhichVPN(){
if (whiptail --backtitle "Setup PiVPN" --title "Installation mode" --yesno "WireGuard is a new kind of VPN that provides near-istantaneous connection speed, high performance, modern cryptography.\n\nIt's the recommended choise expecially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\n\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol. Or if you need features like TCP and custom search domain.\n\nChoose 'Yes' to use WireGuard of 'No' to use OpenVPN." ${r} ${c}); if (whiptail --backtitle "Setup PiVPN" --title "Installation mode" --yesno "WireGuard is a new kind of VPN that provides near-istantaneous connection speed, high performance, modern cryptography.\n\nIt's the recommended choise expecially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\n\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol. Or if you need features like TCP and custom search domain.\n\nChoose 'Yes' to use WireGuard of 'No' to use OpenVPN." ${r} ${c});
then then
VPN="WireGuard" VPN="WireGuard"
pivpnINT="wg0" pivpnDEV="wg0"
pivpnNET="10.6.0.0/24"
else else
VPN="OpenVPN" VPN="OpenVPN"
pivpnINT="tun0" pivpnDEV="tun0"
pivpnNET="10.8.0.0/24"
fi fi
echo "VPN=${VPN}" >> /tmp/setupVars.conf echo "VPN=${VPN}" >> /tmp/setupVars.conf
echo "pivpnINT=${pivpnINT}" >> /tmp/setupVars.conf
} }
installOpenVPN(){ installOpenVPN(){
@ -1053,10 +1058,10 @@ confNetwork(){
USING_UFW=1 USING_UFW=1
echo "::: Detected UFW is enabled." echo "::: Detected UFW is enabled."
echo "::: Adding UFW rules..." echo "::: Adding UFW rules..."
$SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $PHYS_INT -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s $pivpnNET -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
# Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic) # Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic)
$SUDO ufw insert 1 allow "$PORT"/"$PROTO" >/dev/null $SUDO ufw insert 1 allow "$PORT"/"$PROTO" >/dev/null
$SUDO ufw route insert 1 allow in on "$pivpnINT" from 10.8.0.0/24 out on "$PHYS_INT" to any >/dev/null $SUDO ufw route insert 1 allow in on "$pivpnDEV" from "$pivpnNET" out on "$IPv4dev" to any >/dev/null
$SUDO ufw reload >/dev/null $SUDO ufw reload >/dev/null
echo "::: UFW configuration completed." echo "::: UFW configuration completed."
@ -1069,7 +1074,7 @@ confNetwork(){
# Now some checks to detect which rules we need to add. On a newly installed system all policies # Now some checks to detect which rules we need to add. On a newly installed system all policies
# should be ACCEPT, so the only required rule would be the MASQUERADE one. # should be ACCEPT, so the only required rule would be the MASQUERADE one.
$SUDO iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "$PHYS_INT" -j MASQUERADE $SUDO iptables -t nat -I POSTROUTING -s "$pivpnNET" -o "$IPv4dev" -j MASQUERADE
# Count how many rules are in the INPUT and FORWARD chain. When parsing input from # Count how many rules are in the INPUT and FORWARD chain. When parsing input from
# iptables -S, '^-P' skips the policies and 'ufw-' skips ufw chains (in case ufw was found # iptables -S, '^-P' skips the policies and 'ufw-' skips ufw chains (in case ufw was found
@ -1088,15 +1093,15 @@ confNetwork(){
# chain (using -I). # chain (using -I).
if [ "$INPUT_RULES_COUNT" -ne 0 ] || [ "$INPUT_POLICY" != "ACCEPT" ]; then if [ "$INPUT_RULES_COUNT" -ne 0 ] || [ "$INPUT_POLICY" != "ACCEPT" ]; then
$SUDO iptables -I INPUT 1 -i "$PHYS_INT" -p "$PROTO" --dport "$PORT" -j ACCEPT $SUDO iptables -I INPUT 1 -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT
INPUT_CHAIN_EDITED=1 INPUT_CHAIN_EDITED=1
else else
INPUT_CHAIN_EDITED=0 INPUT_CHAIN_EDITED=0
fi fi
if [ "$FORWARD_RULES_COUNT" -ne 0 ] || [ "$FORWARD_POLICY" != "ACCEPT" ]; then if [ "$FORWARD_RULES_COUNT" -ne 0 ] || [ "$FORWARD_POLICY" != "ACCEPT" ]; then
$SUDO iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$PHYS_INT" -o "$pivpnINT" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT $SUDO iptables -I FORWARD 1 -d "$pivpnNET" -i "$IPv4dev" -o "$pivpnDEV" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$SUDO iptables -I FORWARD 2 -s 10.8.0.0/24 -i "$pivpnINT" -o "$PHYS_INT" -j ACCEPT $SUDO iptables -I FORWARD 2 -s "$pivpnNET" -i "$pivpnDEV" -o "$IPv4dev" -j ACCEPT
FORWARD_CHAIN_EDITED=1 FORWARD_CHAIN_EDITED=1
else else
FORWARD_CHAIN_EDITED=0 FORWARD_CHAIN_EDITED=0

22
scripts/openvpn/pivpnDebug.sh
View file

@ -52,14 +52,14 @@ fi
if [ "$USING_UFW" -eq 0 ]; then if [ "$USING_UFW" -eq 0 ]; then
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${PHYS_INT}" -j MASQUERADE &> /dev/null; then if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set" echo ":: [OK] Iptables MASQUERADE rule set"
else else
ERR=1 ERR=1
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then if [[ ${REPLY} =~ ^[Yy]$ ]]; then
iptables -t nat -F iptables -t nat -F
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${PHYS_INT}" -j MASQUERADE iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE
iptables-save > /etc/iptables/rules.v4 iptables-save > /etc/iptables/rules.v4
echo "Done" echo "Done"
fi fi
@ -68,13 +68,13 @@ if [ "$USING_UFW" -eq 0 ]; then
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
if iptables -C INPUT -i "$PHYS_INT" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT &> /dev/null; then if iptables -C INPUT -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT &> /dev/null; then
echo ":: [OK] Iptables INPUT rule set" echo ":: [OK] Iptables INPUT rule set"
else else
ERR=1 ERR=1
read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then if [[ ${REPLY} =~ ^[Yy]$ ]]; then
iptables -I INPUT 1 -i "$PHYS_INT" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT iptables -I INPUT 1 -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT
iptables-save > /etc/iptables/rules.v4 iptables-save > /etc/iptables/rules.v4
echo "Done" echo "Done"
fi fi
@ -83,14 +83,14 @@ if [ "$USING_UFW" -eq 0 ]; then
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$PHYS_INT" -j ACCEPT &> /dev/null; then if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then
echo ":: [OK] Iptables FORWARD rule set" echo ":: [OK] Iptables FORWARD rule set"
else else
ERR=1 ERR=1
read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then if [[ ${REPLY} =~ ^[Yy]$ ]]; then
iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$PHYS_INT" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$PHYS_INT" -j ACCEPT iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
iptables-save > /etc/iptables/rules.v4 iptables-save > /etc/iptables/rules.v4
echo "Done" echo "Done"
fi fi
@ -109,13 +109,13 @@ else
fi fi
fi fi
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${PHYS_INT}" -j MASQUERADE &> /dev/null; then if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set" echo ":: [OK] Iptables MASQUERADE rule set"
else else
ERR=1 ERR=1
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then if [[ ${REPLY} =~ ^[Yy]$ ]]; then
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $PHYS_INT -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
ufw reload ufw reload
echo "Done" echo "Done"
fi fi
@ -147,13 +147,13 @@ else
fi fi
fi fi
else else
if iptables -C ufw-user-forward -i tun0 -o "${PHYS_INT}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw forwarding rule set" echo ":: [OK] Ufw forwarding rule set"
else else
ERR=1 ERR=1
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then if [[ ${REPLY} =~ ^[Yy]$ ]]; then
ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$PHYS_INT" to any ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any
ufw reload ufw reload
echo "Done" echo "Done"
fi fi

12
scripts/wireguard/pivpnDEBUG.sh
View file

@ -63,14 +63,14 @@ fi
if [ "$USING_UFW" -eq 0 ]; then if [ "$USING_UFW" -eq 0 ]; then
if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${PHYS_INT}" -j MASQUERADE &> /dev/null; then if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set" echo ":: [OK] Iptables MASQUERADE rule set"
else else
ERR=1 ERR=1
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then if [[ ${REPLY} =~ ^[Yy]$ ]]; then
iptables -t nat -F iptables -t nat -F
iptables -t nat -I POSTROUTING -s 10.6.0.0/24 -o "${PHYS_INT}" -j MASQUERADE iptables -t nat -I POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE
iptables-save > /etc/iptables/rules.v4 iptables-save > /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4 iptables-restore < /etc/iptables/rules.v4
echo "Done" echo "Done"
@ -89,13 +89,13 @@ else
fi fi
fi fi
if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${PHYS_INT}" -j MASQUERADE &> /dev/null; then if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set" echo ":: [OK] Iptables MASQUERADE rule set"
else else
ERR=1 ERR=1
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then if [[ ${REPLY} =~ ^[Yy]$ ]]; then
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.6.0.0/24 -o $PHYS_INT -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.6.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
ufw reload ufw reload
echo "Done" echo "Done"
fi fi
@ -113,13 +113,13 @@ else
fi fi
fi fi
if iptables -C ufw-user-forward -i wg0 -o "${PHYS_INT}" -s 10.6.0.0/24 -j ACCEPT &> /dev/null; then if iptables -C ufw-user-forward -i wg0 -o "${IPv4dev}" -s 10.6.0.0/24 -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw forwarding rule set" echo ":: [OK] Ufw forwarding rule set"
else else
ERR=1 ERR=1
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then if [[ ${REPLY} =~ ^[Yy]$ ]]; then
ufw route insert 1 allow in on wg0 from 10.6.0.0/24 out on "$PHYS_INT" to any ufw route insert 1 allow in on wg0 from 10.6.0.0/24 out on "$IPv4dev" to any
ufw reload ufw reload
echo "Done" echo "Done"
fi fi