From 9b772ac4fb6db3fc4b594228cb695056b8cd38d8 Mon Sep 17 00:00:00 2001 From: James <32380918+houlahaj@users.noreply.github.com> Date: Mon, 20 Apr 2020 17:33:27 +0200 Subject: [PATCH 001/114] fix: typos and grammar --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index a937659..8630a9e 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -1076,7 +1076,7 @@ askWhichVPN(){ fi else if [ "$PLAT" = "Raspbian" ] || [ "$X86_SYSTEM" -eq 1 ]; then - chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "WireGuard is a new kind of VPN that provides near-istantaneous connection speed, high performance, modern cryptography.\\n\\nIt's the recommended choice especially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\\n\\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol. Or if you need features like TCP and custom search domain.\\n\\nChoose a VPN (press space to select):" "${r}" "${c}" 2) + chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "WireGuard is a new kind of VPN that provides near-instantaneous connection speed, high performance, and modern cryptography.\\n\\nIt's the recommended choice especially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\\n\\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol or if you need features like TCP and custom search domain.\\n\\nChoose a VPN (press space to select):" "${r}" "${c}" 2) VPNChooseOptions=(WireGuard "" on OpenVPN "" off) From e643acce175ac60383f963405532f4e9da5f9902 Mon Sep 17 00:00:00 2001 
From: jellemdekker Date: Tue, 21 Apr 2020 10:52:35 +0200 Subject: [PATCH 002/114] Generate a unique pre-shared key for each client as per WireGuard protocol to improve post-quantum resistance. --- auto_install/install.sh | 7 +++---- scripts/wireguard/makeCONF.sh | 5 +++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index a937659..21657fc 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -1977,9 +1977,9 @@ confWireGuard(){ $SUDO chmod 700 /etc/wireguard if [ "${runUnattended}" = 'true' ]; then - echo "::: The Server Keys and Pre-Shared key will now be generated." + echo "::: The Server Keys will now be generated." else - whiptail --title "Server Information" --msgbox "The Server Keys and Pre-Shared key will now be generated." "${r}" "${c}" + whiptail --title "Server Information" --msgbox "The Server Keys will now be generated." "${r}" "${c}" fi # Remove configs and keys folders to make space for a new server when using 'Repair' or 'Reconfigure' @@ -1993,10 +1993,9 @@ confWireGuard(){ # Generate private key and derive public key from it wg genkey | $SUDO tee /etc/wireguard/keys/server_priv &> /dev/null - wg genpsk | $SUDO tee /etc/wireguard/keys/psk &> /dev/null $SUDO cat /etc/wireguard/keys/server_priv | wg pubkey | $SUDO tee /etc/wireguard/keys/server_pub &> /dev/null - echo "::: Server Keys and Pre-Shared Key have been generated." + echo "::: Server Keys have been generated." echo "[Interface] PrivateKey = $($SUDO cat /etc/wireguard/keys/server_priv) diff --git a/scripts/wireguard/makeCONF.sh b/scripts/wireguard/makeCONF.sh index 745db08..b3d77f2 100755 --- a/scripts/wireguard/makeCONF.sh +++ b/scripts/wireguard/makeCONF.sh 
@@ -75,6 +75,7 @@ if [ -f "configs/${CLIENT_NAME}.conf" ]; then fi wg genkey | tee "keys/${CLIENT_NAME}_priv" | wg pubkey > "keys/${CLIENT_NAME}_pub" +CLIENT_PRE_SHARED_KEY=$(wg genpsk) echo "::: Client Keys generated" # Find an unused number for the last octet of the client IP @@ -102,7 +103,7 @@ echo >> "configs/${CLIENT_NAME}.conf" echo "[Peer] PublicKey = $(cat keys/server_pub) -PresharedKey = $(cat keys/psk) +PresharedKey = ${CLIENT_PRE_SHARED_KEY} Endpoint = ${pivpnHOST}:${pivpnPORT} AllowedIPs = 0.0.0.0/0, ::0/0" >> "configs/${CLIENT_NAME}.conf" echo "::: Client config generated" @@ -110,7 +111,7 @@ echo "::: Client config generated" echo "# begin ${CLIENT_NAME} [Peer] PublicKey = $(cat "keys/${CLIENT_NAME}_pub") -PresharedKey = $(cat keys/psk) +PresharedKey = ${CLIENT_PRE_SHARED_KEY} AllowedIPs = ${NET_REDUCED}.${COUNT}/32 # end ${CLIENT_NAME}" >> wg0.conf echo "::: Updated server config" From bac5c226534174679c2f4cf8017f38aa241e0b5a Mon Sep 17 00:00:00 2001 From: Casey Liss Date: Tue, 21 Apr 2020 08:08:20 -0400 Subject: [PATCH 003/114] fix spelling & grammar in backup script. --- scripts/backup.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/backup.sh b/scripts/backup.sh index 56b46e5..8711c96 100755 --- a/scripts/backup.sh +++ b/scripts/backup.sh @@ -28,7 +28,7 @@ backup_openvpn(){ backupzip=$date-pivpnovpnbackup.tgz # shellcheck disable=SC2210 tar czpf "$install_home"/"$backupdir"/"$backupzip" "$openvpndir" "$ovpnsdir" > /dev/null 2>&1 - echo -e "Backup crated to $install_home/$backupdir/$backupzip \nTo restore the backup, follow instructions at:\nhttps://github.com/pivpn/pivpn/wiki/FAQ#how-can-i-migrate-my-configs-to-another-pivpn-instance" + echo -e "Backup created in $install_home/$backupdir/$backupzip \nTo restore the backup, follow instructions at:\nhttps://github.com/pivpn/pivpn/wiki/FAQ#how-can-i-migrate-my-configs-to-another-pivpn-instance" } 
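Review bot: `CLIENT_PRE_SHARED_KEY=$(wg genpsk)` is never checked, so if `wg genpsk` fails the variable is empty and both the client config and wg0.conf (the two later hunks of this file) receive a bare `PresharedKey = ` line that the WireGuard tools reject when the config is loaded; `CLIENT_PRE_SHARED_KEY=$(wg genpsk) || { echo "::: Failed to generate pre-shared key"; exit 1; }` fails early instead. Holding the key only in a shell variable also means it exists on the server solely inside wg0.conf, so the client config cannot be regenerated with the same key later; if that is intended, a comment on this line saying so would help. The now-unreferenced `/etc/wireguard/keys/psk` from earlier installs stays on disk after this change and could be removed on the Repair/Update path.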
@@ -39,7 +39,7 @@ backup_wireguard(){ checkbackupdir backupzip=$date-pivpnwgbackup.tgz tar czpf "$install_home"/"$backupdir"/"$backupzip" "$wireguarddir" "$configsdir" > /dev/null 2>&1 - echo -e "Backup crated to $install_home/$backupdir/$backupzip \nTo restore the backup, follow instructions at:\nhttps://github.com/pivpn/pivpn/wiki/FAQ#how-can-i-migrate-my-configs-to-another-pivpn-instance" + echo -e "Backup created in $install_home/$backupdir/$backupzip \nTo restore the backup, follow instructions at:\nhttps://github.com/pivpn/pivpn/wiki/FAQ#how-can-i-migrate-my-configs-to-another-pivpn-instance" } From bdfb8f4a645300499b75dc839854c2b73fe90ad1 Mon Sep 17 00:00:00 2001 From: jellemdekker Date: Wed, 22 Apr 2020 14:12:09 +0200 Subject: [PATCH 004/114] Save pre-shared key to file instead of variable. --- scripts/wireguard/makeCONF.sh | 6 +++--- scripts/wireguard/removeCONF.sh | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/scripts/wireguard/makeCONF.sh b/scripts/wireguard/makeCONF.sh index b3d77f2..aafd608 100755 --- a/scripts/wireguard/makeCONF.sh +++ b/scripts/wireguard/makeCONF.sh @@ -75,7 +75,7 @@ if [ -f "configs/${CLIENT_NAME}.conf" ]; then fi wg genkey | tee "keys/${CLIENT_NAME}_priv" | wg pubkey > "keys/${CLIENT_NAME}_pub" -CLIENT_PRE_SHARED_KEY=$(wg genpsk) +wg genpsk | tee "keys/${CLIENT_NAME}_psk" &> /dev/null echo "::: Client Keys generated" # Find an unused number for the last octet of the client IP @@ -103,7 +103,7 @@ echo >> "configs/${CLIENT_NAME}.conf" echo "[Peer] PublicKey = $(cat keys/server_pub) -PresharedKey = ${CLIENT_PRE_SHARED_KEY} +PresharedKey = $(cat "keys/${CLIENT_NAME}_psk") Endpoint = ${pivpnHOST}:${pivpnPORT} AllowedIPs = 0.0.0.0/0, ::0/0" >> "configs/${CLIENT_NAME}.conf" echo "::: Client config generated" 
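Review bot: `wg genpsk | tee "keys/${CLIENT_NAME}_psk" &> /dev/null` hides both a failed `wg genpsk` and a failed write, and without `pipefail` the line's status is tee's, so an unwritable `keys/` directory goes unnoticed until `$(cat "keys/${CLIENT_NAME}_psk")` in the next hunks writes an empty `PresharedKey =`. Since tee's stdout is discarded anyway, a plain redirect with an explicit check and a restrictive umask is simpler: `(umask 077; wg genpsk > "keys/${CLIENT_NAME}_psk") || { echo "::: Failed to generate pre-shared key"; exit 1; }`. The key file otherwise inherits the caller's umask; the `_priv` file on the line above is created the same way, so the umask guard (or a `chmod 600` on both) belongs to the pair. Whether the script sets a umask elsewhere or what mode `keys/` has is not visible in this hunk.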
@@ -111,7 +111,7 @@ echo "::: Client config generated" echo "# begin ${CLIENT_NAME} [Peer] PublicKey = $(cat "keys/${CLIENT_NAME}_pub") -PresharedKey = ${CLIENT_PRE_SHARED_KEY} +PresharedKey = $(cat "keys/${CLIENT_NAME}_psk") AllowedIPs = ${NET_REDUCED}.${COUNT}/32 # end ${CLIENT_NAME}" >> wg0.conf echo "::: Updated server config" diff --git a/scripts/wireguard/removeCONF.sh b/scripts/wireguard/removeCONF.sh index 414b492..6c81bd8 100755 --- a/scripts/wireguard/removeCONF.sh +++ b/scripts/wireguard/removeCONF.sh @@ -91,6 +91,7 @@ for CLIENT_NAME in "${CLIENTS_TO_REMOVE[@]}"; do rm "keys/${CLIENT_NAME}_priv" rm "keys/${CLIENT_NAME}_pub" + rm "keys/${CLIENT_NAME}_psk" echo "::: Client Keys for ${CLIENT_NAME} removed" # Find all .conf files in the home folder of the user matching the checksum of the From f379ca2e10d4b49e641f1a1cdddfbcf9d96c0644 Mon Sep 17 00:00:00 2001 From: root <63857845+shelleycat485@users.noreply.github.com> Date: Tue, 28 Apr 2020 23:44:56 +0100 Subject: [PATCH 005/114] initial dual install try --- auto_install/install.sh | 122 +++++++++++++++++--------------- scripts/openvpn/makeOVPN.sh | 2 +- scripts/openvpn/pivpn | 19 ++--- scripts/openvpn/pivpnDebug.sh | 2 +- scripts/openvpn/removeOVPN.sh | 2 +- scripts/wireguard/makeCONF.sh | 2 +- scripts/wireguard/pivpn | 21 +++--- scripts/wireguard/pivpnDEBUG.sh | 2 +- scripts/wireguard/removeCONF.sh | 2 +- 9 files changed, 95 insertions(+), 79 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 8630a9e..d0e8cdb 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -12,7 +12,9 @@ ######## VARIABLES ######### pivpnGitUrl="https://github.com/pivpn/pivpn.git" -setupVars="/etc/pivpn/setupVars.conf" +setupVarsFile="setupVars.conf" +setupConfigDir="/etc/pivpn" # will be /etc/pivpn/${VPN}/setupVars.conf +tempsetupVarsFile="/tmp/setupVars.conf" pivpnFilesDir="/etc/.pivpn" piholeSetupVars="/etc/pihole/setupVars.conf" 
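Review bot: `rm "keys/${CLIENT_NAME}_psk"` assumes every client has a per-client PSK file, but clients created before this change only have `_priv`/`_pub` (their PSK lived in the shared `keys/psk`), so removing such a client prints an `rm` error on this line; `rm -f "keys/${CLIENT_NAME}_psk"` handles both generations. The status is not checked, so the loop presumably continues unless the script runs under `set -e`, which is not visible here; a one-line comment noting that older clients lack the file would explain the `-f`. The enclosing `for CLIENT_NAME` loop starts and ends outside the hunk.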
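Review bot: `tempsetupVarsFile="/tmp/setupVars.conf"` keeps a fixed, predictable filename in a world-writable directory; the script later truncates it with `>`, appends with `>>`, and finally copies it with `$SUDO cp` into `/etc/pivpn/...` where every other script `source`s it. On a multi-user host another local account could pre-create or symlink that path before the installer runs and so influence what is later sourced as root; a per-run name closes that, e.g. `tempsetupVarsFile=$(mktemp /tmp/setupVars.XXXXXX) || exit 1` with `trap 'rm -f "$tempsetupVarsFile"' EXIT` for cleanup, and the `>` in distroCheck still works on the mktemp-created file. The redirects that use the new variable in the remaining hunks of this commit (`>> ${tempsetupVarsFile}`) should also be quoted, `>> "${tempsetupVarsFile}"`, since an unquoted redirect target is word-split by bash.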
@@ -118,7 +120,14 @@ main(){ fi fi - if [ -r "$setupVars" ]; then + # see which setup already exists + if [ -r "${setupVarsDir}/wireguard/${setupVarsFile}" ]; then + setupVars="${setupVarsDir}/wireguard/${setupVarsFile}" + elif [ -f "${setupVarsDir}/openvpn/${setupVarsFile}" ]; then + setupVars="${setupVarsDir}/openvpn/${setupVarsFile}" + fi + + if [ -r "$setupVars" ]; then #qqq if [[ "${reconfigure}" == true ]]; then echo "::: --reconfigure passed to install script, will reinstall PiVPN overwriting existing settings" UpdateCmd="Reconfigure" @@ -137,7 +146,7 @@ main(){ exit 0 elif [ "$UpdateCmd" = "Repair" ]; then # shellcheck disable=SC1090 - source "$setupVars" + source "$setupVars" #qqq runUnattended=true fi @@ -203,8 +212,9 @@ main(){ fi # Save installation setting to the final location - echo "INSTALLED_PACKAGES=(${INSTALLED_PACKAGES[*]})" >> /tmp/setupVars.conf - $SUDO cp /tmp/setupVars.conf "$setupVars" + echo "INSTALLED_PACKAGES=(${INSTALLED_PACKAGES[*]})" >> ${tempsetupVarsFile} + echo "::: Setupfiles copied to ${setupConfigDir}/{$VPN}/${setupVarsFile}" + $SUDO cp ${tempsetupVarsFile} "${setupConfigDir}/${VPN}/${setupVarsFile}" installScripts @@ -287,8 +297,8 @@ distroCheck(){ BASE_DEPS+=(dhcpcd5) fi - echo "PLAT=${PLAT}" > /tmp/setupVars.conf - echo "OSCN=${OSCN}" >> /tmp/setupVars.conf + echo "PLAT=${PLAT}" > ${tempsetupVarsFile} + echo "OSCN=${OSCN}" >> ${tempsetupVarsFile} } noOSSupport(){ @@ -470,7 +480,7 @@ preconfigurePackages(){ echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections fi - echo "USING_UFW=${USING_UFW}" >> /tmp/setupVars.conf + echo "USING_UFW=${USING_UFW}" >> ${tempsetupVarsFile} } installDependentPackages(){ 
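Review bot: the detection block tests `${setupVarsDir}/wireguard/${setupVarsFile}`, but the variable this commit introduces is `setupConfigDir` — `setupVarsDir` is never assigned, so the paths expand to `/wireguard/setupVars.conf` and `/openvpn/setupVars.conf`, and because the old `setupVars=` definition was removed, `$setupVars` is empty at `if [ -r "$setupVars" ]` and the Update/Repair/Reconfigure path is unreachable. Replace both references: `if [ -r "${setupConfigDir}/wireguard/${setupVarsFile}" ]; then` and `elif [ -r "${setupConfigDir}/openvpn/${setupVarsFile}" ]; then`, using `-r` in both branches since the consumer checks readability. With both protocols installed the block always picks wireguard regardless of which one the user is about to repair, which suggests the VPN selection has to happen before this point. The `#qqq` markers look like leftover debugging and should be removed before merge. main() starts and ends outside the hunk.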
@@ -581,12 +591,12 @@ if [ "${runUnattended}" = 'true' ]; then exit 1 fi fi - echo "IPv4dev=${IPv4dev}" >> /tmp/setupVars.conf + echo "IPv4dev=${IPv4dev}" >> ${tempsetupVarsFile} return else if [ "$interfaceCount" -eq 1 ]; then IPv4dev="${availableInterfaces}" - echo "IPv4dev=${IPv4dev}" >> /tmp/setupVars.conf + echo "IPv4dev=${IPv4dev}" >> ${tempsetupVarsFile} return fi fi @@ -596,7 +606,7 @@ if chooseInterfaceOptions=$("${chooseInterfaceCmd[@]}" "${interfacesArray[@]}" 2 for desiredInterface in ${chooseInterfaceOptions}; do IPv4dev=${desiredInterface} echo "::: Using interface: $IPv4dev" - echo "IPv4dev=${IPv4dev}" >> /tmp/setupVars.conf + echo "IPv4dev=${IPv4dev}" >> ${tempsetupVarsFile} done else echo "::: Cancel selected, exiting...." @@ -711,9 +721,9 @@ getStaticIPv4Settings() { echo "::: Skipping setting static IP address" fi - echo "dhcpReserv=${dhcpReserv}" >> /tmp/setupVars.conf - echo "IPv4addr=${IPv4addr}" >> /tmp/setupVars.conf - echo "IPv4gw=${IPv4gw}" >> /tmp/setupVars.conf + echo "dhcpReserv=${dhcpReserv}" >> ${tempsetupVarsFile} + echo "IPv4addr=${IPv4addr}" >> ${tempsetupVarsFile} + echo "IPv4gw=${IPv4gw}" >> ${tempsetupVarsFile} return fi 
@@ -735,10 +745,10 @@ No: Setup static IP address Don't know what DHCP Reservation is? Answer No." ${r} ${c}); then dhcpReserv=1 # shellcheck disable=SC2129 - echo "dhcpReserv=${dhcpReserv}" >> /tmp/setupVars.conf + echo "dhcpReserv=${dhcpReserv}" >> ${tempsetupVarsFile} # We don't really need to save them as we won't set a static IP but they might be useful for debugging - echo "IPv4addr=${CurrentIPv4addr}" >> /tmp/setupVars.conf - echo "IPv4gw=${CurrentIPv4gw}" >> /tmp/setupVars.conf + echo "IPv4addr=${CurrentIPv4addr}" >> ${tempsetupVarsFile} + echo "IPv4gw=${CurrentIPv4gw}" >> ${tempsetupVarsFile} else # Ask if the user wants to use DHCP settings as their static IP if (whiptail --backtitle "Calibrating network interface" --title "Static IP Address" --yesno "Do you want to use your current network settings as a static address? @@ -747,8 +757,8 @@ Don't know what DHCP Reservation is? Answer No." ${r} ${c}); then Gateway: ${CurrentIPv4gw}" ${r} ${c}); then IPv4addr=${CurrentIPv4addr} IPv4gw=${CurrentIPv4gw} - echo "IPv4addr=${IPv4addr}" >> /tmp/setupVars.conf - echo "IPv4gw=${IPv4gw}" >> /tmp/setupVars.conf + echo "IPv4addr=${IPv4addr}" >> ${tempsetupVarsFile} + echo "IPv4gw=${IPv4gw}" >> ${tempsetupVarsFile} # If they choose yes, let the user know that the IP address will not be available via DHCP and may cause a conflict. whiptail --msgbox --backtitle "IP information" --title "FYI: IP Conflict" "It is possible your router could still try to assign this IP to a device, which would cause a conflict. But in most cases the router is smart enough to not do that. 
@@ -803,8 +813,8 @@ It is also possible to use a DHCP reservation, but if you are going to do that, IP address: ${IPv4addr} Gateway: ${IPv4gw}" ${r} ${c}); then # If the settings are correct, then we need to set the pivpnIP - echo "IPv4addr=${IPv4addr}" >> /tmp/setupVars.conf - echo "IPv4gw=${IPv4gw}" >> /tmp/setupVars.conf + echo "IPv4addr=${IPv4addr}" >> ${tempsetupVarsFile} + echo "IPv4gw=${IPv4gw}" >> ${tempsetupVarsFile} # After that's done, the loop ends and we move on ipSettingsCorrect=True else @@ -867,8 +877,8 @@ chooseUser(){ fi install_home=$(grep -m1 "^${install_user}:" /etc/passwd | cut -d: -f6) install_home=${install_home%/} - echo "install_user=${install_user}" >> /tmp/setupVars.conf - echo "install_home=${install_home}" >> /tmp/setupVars.conf + echo "install_user=${install_user}" >> ${tempsetupVarsFile} + echo "install_home=${install_home}" >> ${tempsetupVarsFile} return fi @@ -915,8 +925,8 @@ chooseUser(){ echo "::: Using User: $install_user" install_home=$(grep -m1 "^${install_user}:" /etc/passwd | cut -d: -f6) install_home=${install_home%/} # remove possible trailing slash - echo "install_user=${install_user}" >> /tmp/setupVars.conf - echo "install_home=${install_home}" >> /tmp/setupVars.conf + echo "install_user=${install_user}" >> ${tempsetupVarsFile} + echo "install_home=${install_home}" >> ${tempsetupVarsFile} done else echo "::: Cancel selected, exiting...." @@ -1034,13 +1044,13 @@ installPiVPN(){ confWireGuard confNetwork - echo "pivpnPROTO=${pivpnPROTO}" >> /tmp/setupVars.conf + echo "pivpnPROTO=${pivpnPROTO}" >> ${tempsetupVarsFile} fi - echo "pivpnDEV=${pivpnDEV}" >> /tmp/setupVars.conf - echo "pivpnNET=${pivpnNET}" >> /tmp/setupVars.conf - echo "subnetClass=${subnetClass}" >> /tmp/setupVars.conf + echo "pivpnDEV=${pivpnDEV}" >> ${tempsetupVarsFile} + echo "pivpnNET=${pivpnNET}" >> ${tempsetupVarsFile} + echo "subnetClass=${subnetClass}" >> ${tempsetupVarsFile} } askWhichVPN(){ 
@@ -1093,7 +1103,7 @@ askWhichVPN(){ fi fi - echo "VPN=${VPN}" >> /tmp/setupVars.conf + echo "VPN=${VPN}" >> ${tempsetupVarsFile} } downloadVerifyKey(){ @@ -1295,7 +1305,7 @@ askCustomProto(){ exit 1 fi fi - echo "pivpnPROTO=${pivpnPROTO}" >> /tmp/setupVars.conf + echo "pivpnPROTO=${pivpnPROTO}" >> ${tempsetupVarsFile} return fi @@ -1308,7 +1318,7 @@ askCustomProto(){ # Convert option into lowercase (UDP->udp) pivpnPROTO="${pivpnPROTO,,}" echo "::: Using protocol: $pivpnPROTO" - echo "pivpnPROTO=${pivpnPROTO}" >> /tmp/setupVars.conf + echo "pivpnPROTO=${pivpnPROTO}" >> ${tempsetupVarsFile} else echo "::: Cancel selected, exiting...." exit 1 @@ -1338,7 +1348,7 @@ askCustomPort(){ exit 1 fi fi - echo "pivpnPORT=${pivpnPORT}" >> /tmp/setupVars.conf + echo "pivpnPORT=${pivpnPORT}" >> ${tempsetupVarsFile} return fi @@ -1381,7 +1391,7 @@ askCustomPort(){ fi done # write out the port - echo "pivpnPORT=${pivpnPORT}" >> /tmp/setupVars.conf + echo "pivpnPORT=${pivpnPORT}" >> ${tempsetupVarsFile} } askClientDNS(){ @@ -1414,8 +1424,8 @@ askClientDNS(){ exit 1 fi - echo "pivpnDNS1=${pivpnDNS1}" >> /tmp/setupVars.conf - echo "pivpnDNS2=${pivpnDNS2}" >> /tmp/setupVars.conf + echo "pivpnDNS1=${pivpnDNS1}" >> ${tempsetupVarsFile} + echo "pivpnDNS2=${pivpnDNS2}" >> ${tempsetupVarsFile} return fi @@ -1450,8 +1460,8 @@ askClientDNS(){ # Use the Raspberry Pi VPN IP as DNS server. pivpnDNS1="$vpnGw" - echo "pivpnDNS1=${pivpnDNS1}" >> /tmp/setupVars.conf - echo "pivpnDNS2=${pivpnDNS2}" >> /tmp/setupVars.conf + echo "pivpnDNS1=${pivpnDNS1}" >> ${tempsetupVarsFile} + echo "pivpnDNS2=${pivpnDNS2}" >> ${tempsetupVarsFile} return fi fi @@ -1536,8 +1546,8 @@ askClientDNS(){ exit 1 fi - echo "pivpnDNS1=${pivpnDNS1}" >> /tmp/setupVars.conf - echo "pivpnDNS2=${pivpnDNS2}" >> /tmp/setupVars.conf + echo "pivpnDNS1=${pivpnDNS1}" >> ${tempsetupVarsFile} + echo "pivpnDNS2=${pivpnDNS2}" >> ${tempsetupVarsFile} } #Call this function to use a regex to check user input for a valid custom domain 
@@ -1564,7 +1574,7 @@ askCustomDomain(){ else echo "::: Skipping custom domain" fi - echo "pivpnSEARCHDOMAIN=${pivpnSEARCHDOMAIN}" >> /tmp/setupVars.conf + echo "pivpnSEARCHDOMAIN=${pivpnSEARCHDOMAIN}" >> ${tempsetupVarsFile} return fi @@ -1593,7 +1603,7 @@ askCustomDomain(){ done fi - echo "pivpnSEARCHDOMAIN=${pivpnSEARCHDOMAIN}" >> /tmp/setupVars.conf + echo "pivpnSEARCHDOMAIN=${pivpnSEARCHDOMAIN}" >> ${tempsetupVarsFile} } askPublicIPOrDNS(){ @@ -1619,7 +1629,7 @@ askPublicIPOrDNS(){ exit 1 fi fi - echo "pivpnHOST=${pivpnHOST}" >> /tmp/setupVars.conf + echo "pivpnHOST=${pivpnHOST}" >> ${tempsetupVarsFile} return fi @@ -1663,7 +1673,7 @@ askPublicIPOrDNS(){ exit 1 fi - echo "pivpnHOST=${pivpnHOST}" >> /tmp/setupVars.conf + echo "pivpnHOST=${pivpnHOST}" >> ${tempsetupVarsFile} } askEncryption(){ @@ -1712,9 +1722,9 @@ askEncryption(){ fi fi - echo "TWO_POINT_FOUR=${TWO_POINT_FOUR}" >> /tmp/setupVars.conf - echo "pivpnENCRYPT=${pivpnENCRYPT}" >> /tmp/setupVars.conf - echo "USE_PREDEFINED_DH_PARAM=${USE_PREDEFINED_DH_PARAM}" >> /tmp/setupVars.conf + echo "TWO_POINT_FOUR=${TWO_POINT_FOUR}" >> ${tempsetupVarsFile} + echo "pivpnENCRYPT=${pivpnENCRYPT}" >> ${tempsetupVarsFile} + echo "USE_PREDEFINED_DH_PARAM=${USE_PREDEFINED_DH_PARAM}" >> ${tempsetupVarsFile} return fi @@ -1746,9 +1756,9 @@ askEncryption(){ USE_PREDEFINED_DH_PARAM=0 fi - echo "TWO_POINT_FOUR=${TWO_POINT_FOUR}" >> /tmp/setupVars.conf - echo "pivpnENCRYPT=${pivpnENCRYPT}" >> /tmp/setupVars.conf - echo "USE_PREDEFINED_DH_PARAM=${USE_PREDEFINED_DH_PARAM}" >> /tmp/setupVars.conf + echo "TWO_POINT_FOUR=${TWO_POINT_FOUR}" >> ${tempsetupVarsFile} + echo "pivpnENCRYPT=${pivpnENCRYPT}" >> ${tempsetupVarsFile} + echo "USE_PREDEFINED_DH_PARAM=${USE_PREDEFINED_DH_PARAM}" >> ${tempsetupVarsFile} } cidrToMask(){ 
@@ -2092,8 +2102,8 @@ confNetwork(){ ;; esac - echo "INPUT_CHAIN_EDITED=${INPUT_CHAIN_EDITED}" >> /tmp/setupVars.conf - echo "FORWARD_CHAIN_EDITED=${FORWARD_CHAIN_EDITED}" >> /tmp/setupVars.conf + echo "INPUT_CHAIN_EDITED=${INPUT_CHAIN_EDITED}" >> ${tempsetupVarsFile} + echo "FORWARD_CHAIN_EDITED=${FORWARD_CHAIN_EDITED}" >> ${tempsetupVarsFile} fi } @@ -2156,7 +2166,7 @@ askUnattendedUpgrades(){ echo "::: Skipping unattended upgrades" fi fi - echo "UNATTUPG=${UNATTUPG}" >> /tmp/setupVars.conf + echo "UNATTUPG=${UNATTUPG}" >> ${tempsetupVarsFile} return fi @@ -2168,7 +2178,7 @@ askUnattendedUpgrades(){ UNATTUPG=0 fi - echo "UNATTUPG=${UNATTUPG}" >> /tmp/setupVars.conf + echo "UNATTUPG=${UNATTUPG}" >> ${tempsetupVarsFile} } confUnattendedUpgrades(){ @@ -2230,8 +2240,8 @@ installScripts(){ fi $SUDO install -m 755 "$pivpnFilesDir"/scripts/*.sh -t /opt/pivpn - $SUDO install -m 755 "$pivpnFilesDir"/scripts/"$VPN"/*.sh -t /opt/pivpn - $SUDO install -m 755 "$pivpnFilesDir"/scripts/"$VPN"/pivpn /usr/local/bin/pivpn + $SUDO install -m 755 "$pivpnFilesDir"/scripts/"$VPN"/*.sh -t /opt/pivpn/${VPN} + $SUDO install -m 755 "$pivpnFilesDir"/scripts/"$VPN"/pivpn /usr/local/bin/pivpn/${VPN} $SUDO install -m 644 "$pivpnFilesDir"/scripts/"$VPN"/bash-completion /etc/bash_completion.d/pivpn # shellcheck disable=SC1091 . /etc/bash_completion.d/pivpn diff --git a/scripts/openvpn/makeOVPN.sh b/scripts/openvpn/makeOVPN.sh index c645c55..719e670 100755 --- a/scripts/openvpn/makeOVPN.sh +++ b/scripts/openvpn/makeOVPN.sh @@ -1,7 +1,7 @@ #!/bin/bash # Create OVPN Client # Default Variable Declarations -setupVars="/etc/pivpn/setupVars.conf" +setupVars="/etc/pivpn/openvpn/setupVars.conf" DEFAULT="Default.txt" FILEEXT=".ovpn" CRT=".crt" diff --git a/scripts/openvpn/pivpn b/scripts/openvpn/pivpn index 27d2d98..f461d7a 100755 --- a/scripts/openvpn/pivpn +++ b/scripts/openvpn/pivpn 
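Review bot: `install -t /opt/pivpn/${VPN}` and `install ... /usr/local/bin/pivpn/${VPN}` target directories that nothing in the hunk creates — the guard above only creates `/opt/pivpn` itself — and on a host set up by the previous version `/usr/local/bin/pivpn` is a regular file (the old destination of this very line), so `install` cannot use it as a directory until that file is removed. `$SUDO mkdir -p /opt/pivpn/${VPN}` plus an explicit migration step, `[ -f /usr/local/bin/pivpn ] && $SUDO rm -f /usr/local/bin/pivpn` before creating `/usr/local/bin/pivpn/${VPN}`, would cover both. With the launcher moved under `/usr/local/bin/pivpn/${VPN}` nothing on PATH is named `pivpn` until a dispatcher is installed, which later commits in this series begin to add. The `bash-completion` line still writes the same completion file for both protocols, so the second install overwrites the first one's completions. installScripts continues outside the hunk.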
@@ -10,26 +10,29 @@ if [[ ! $EUID -eq 0 ]];then fi fi +scriptdir="/opt/pivpn" +vpn="openvpn" + function makeOVPNFunc { shift - $SUDO /opt/pivpn/makeOVPN.sh "$@" + $SUDO ${scripdir}/${vpn}/makeOVPN.sh "$@" exit 0 } function listClientsFunc { shift - $SUDO /opt/pivpn/clientStat.sh "$@" + $SUDO ${scripdir}/${vpn}/clientStat.sh "$@" exit 0 } function listOVPNFunc { - $SUDO /opt/pivpn/listOVPN.sh + $SUDO ${scripdir}/${vpn}/listOVPN.sh exit 0 } function debugFunc { echo "::: Generating Debug Output" - $SUDO /opt/pivpn/pivpnDebug.sh | tee /tmp/debug.txt + $SUDO ${scripdir}/${vpn}/pivpnDebug.sh | tee /tmp/debug.txt echo "::: " echo "::: Debug output completed above." echo "::: Copy saved to /tmp/debug.txt" @@ -39,12 +42,12 @@ function debugFunc { function removeOVPNFunc { shift - $SUDO /opt/pivpn/removeOVPN.sh "$@" + $SUDO ${scripdir}/${vpn}/removeOVPN.sh "$@" exit 0 } function uninstallFunc { - $SUDO /opt/pivpn/uninstall.sh + $SUDO ${scripdir}/uninstall.sh exit 0 } @@ -55,7 +58,7 @@ function versionFunc { function update { shift - $SUDO /opt/pivpn/update.sh "$@" + $SUDO ${scripdir}/update.sh "$@" exit 0 @@ -63,7 +66,7 @@ function update { function backup { - $SUDO /opt/pivpn/backup.sh + $SUDO ${scripdir}/backup.sh exit 0 } diff --git a/scripts/openvpn/pivpnDebug.sh b/scripts/openvpn/pivpnDebug.sh index 8299fa3..644933e 100755 --- a/scripts/openvpn/pivpnDebug.sh +++ b/scripts/openvpn/pivpnDebug.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash # This scripts runs as root -setupVars="/etc/pivpn/setupVars.conf" +setupVars="/etc/pivpn/openvpn/setupVars.conf" if [ ! -f "${setupVars}" ]; then echo "::: Missing setup vars file!" diff --git a/scripts/openvpn/removeOVPN.sh b/scripts/openvpn/removeOVPN.sh index 50666f0..4f79385 100755 --- a/scripts/openvpn/removeOVPN.sh +++ b/scripts/openvpn/removeOVPN.sh 
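Review bot: every call in this hunk and in the next one (`@@ -39`) expands `${scripdir}`, but the variable defined at the top of the hunk is `scriptdir`, so the commands resolve to `/openvpn/makeOVPN.sh`, `/openvpn/clientStat.sh` and so on and the openvpn launcher is broken; rename the references to `${scriptdir}`. The wireguard counterpart in the same commit spells it correctly. Quoting the expansions, `$SUDO "${scriptdir}/${vpn}/makeOVPN.sh" "$@"`, and running ShellCheck (or `set -u`) would catch this class of typo before it ships.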
@@ -1,7 +1,7 @@ #!/usr/bin/env bash # PiVPN: revoke client script -setupVars="/etc/pivpn/setupVars.conf" +setupVars="/etc/pivpn/openvpn/setupVars.conf" INDEX="/etc/openvpn/easy-rsa/pki/index.txt" if [ ! -f "${setupVars}" ]; then diff --git a/scripts/wireguard/makeCONF.sh b/scripts/wireguard/makeCONF.sh index 745db08..db68c97 100755 --- a/scripts/wireguard/makeCONF.sh +++ b/scripts/wireguard/makeCONF.sh @@ -1,6 +1,6 @@ #!/bin/bash -setupVars="/etc/pivpn/setupVars.conf" +setupVars="/etc/pivpn/wireguard/setupVars.conf" if [ ! -f "${setupVars}" ]; then echo "::: Missing setup vars file!" diff --git a/scripts/wireguard/pivpn b/scripts/wireguard/pivpn index fd1ed17..73bcf88 100755 --- a/scripts/wireguard/pivpn +++ b/scripts/wireguard/pivpn @@ -10,53 +10,56 @@ if [ $EUID -ne 0 ];then fi fi +scriptdir="/opt/pivpn" +vpn="wireguard" + makeConf(){ shift - $SUDO /opt/pivpn/makeCONF.sh "$@" + $SUDO ${scriptdir}/${vpn}/makeCONF.sh "$@" exit 0 } listConnected(){ shift - $SUDO /opt/pivpn/clientSTAT.sh "$@" + $SUDO ${scriptdir}/${vpn}/clientSTAT.sh "$@" exit 0 } debug(){ - $SUDO /opt/pivpn/pivpnDEBUG.sh + $SUDO ${scriptdir}/${vpn}/pivpnDEBUG.sh exit 0 } listClients(){ - $SUDO /opt/pivpn/listCONF.sh + $SUDO ${scriptdir}/${vpn}/listCONF.sh exit 0 } showQrcode(){ shift - $SUDO /opt/pivpn/qrcodeCONF.sh "$@" + $SUDO ${scriptdir}/${vpn}/qrcodeCONF.sh "$@" exit 0 } removeClient(){ shift - $SUDO /opt/pivpn/removeCONF.sh "$@" + $SUDO ${scriptdir}/${vpn}/removeCONF.sh "$@" exit 0 } uninstallServer(){ - $SUDO /opt/pivpn/uninstall.sh + $SUDO ${scriptdir}/uninstall.sh exit 0 } updateScripts(){ shift - $SUDO /opt/pivpn/update.sh "$@" + $SUDO ${scriptdir}/update.sh "$@" exit 0 } backup(){ - $SUDO /opt/pivpn/backup.sh + $SUDO ${scriptdir}/backup.sh } showHelp(){ diff --git a/scripts/wireguard/pivpnDEBUG.sh b/scripts/wireguard/pivpnDEBUG.sh index 8c0d9ef..a78e9a3 100755 --- a/scripts/wireguard/pivpnDEBUG.sh +++ b/scripts/wireguard/pivpnDEBUG.sh 
@@ -1,7 +1,7 @@ #!/usr/bin/env bash # This scripts runs as root -setupVars="/etc/pivpn/setupVars.conf" +setupVars="/etc/pivpn/wireguard/setupVars.conf" if [ ! -f "${setupVars}" ]; then echo "::: Missing setup vars file!" diff --git a/scripts/wireguard/removeCONF.sh b/scripts/wireguard/removeCONF.sh index 414b492..8eff9cc 100755 --- a/scripts/wireguard/removeCONF.sh +++ b/scripts/wireguard/removeCONF.sh @@ -1,6 +1,6 @@ #!/bin/bash -setupVars="/etc/pivpn/setupVars.conf" +setupVars="/etc/pivpn/wireguard/setupVars.conf" if [ ! -f "${setupVars}" ]; then echo "::: Missing setup vars file!" From 3ed9ec5724911cd67771c80ca12799f89a33267c Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Sat, 2 May 2020 00:06:09 +0100 Subject: [PATCH 006/114] install and uninstall --- auto_install/install.sh | 44 ++++++++++++++++++++++++----------- scripts/uninstall.sh | 51 +++++++++++++++++++++++++++-------------- 2 files changed, 65 insertions(+), 30 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index d0e8cdb..45c2744 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -11,11 +11,13 @@ # Make sure you have `curl` installed ######## VARIABLES ######### -pivpnGitUrl="https://github.com/pivpn/pivpn.git" +#pivpnGitUrl="https://github.com/pivpn/pivpn.git" +pivpnGitUrl="/root/repos/pivpn" setupVarsFile="setupVars.conf" setupConfigDir="/etc/pivpn" # will be /etc/pivpn/${VPN}/setupVars.conf tempsetupVarsFile="/tmp/setupVars.conf" -pivpnFilesDir="/etc/.pivpn" +pivpnFilesDir="/etc/.pivpn" # will be updated when $VPN known +pivpnScriptDir="/opt/pivpn" piholeSetupVars="/etc/pihole/setupVars.conf" dnsmasqConfig="/etc/dnsmasq.d/02-pivpn.conf" 
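Review bot: `pivpnGitUrl="/root/repos/pivpn"` replaces the upstream repository with a local development checkout, leaving the real URL commented out above it; as committed, every installer run clones its scripts from a path that only exists on the author's machine, and on any host that does have something at `/root/repos/pivpn` whatever sits there gets installed root-owned and run via sudo. Revert to the GitHub URL before merge, or make the local path an explicit override (for example an environment variable with the upstream URL as the default — name to be chosen) so the shipped default stays the upstream source. The `pivpnFilesDir` comment `# will be updated when $VPN known` documents a later in-function mutation of a global, which is worth a second look in cloneOrUpdateRepos.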
@@ -142,7 +144,7 @@ main(){ if [ -z "$UpdateCmd" ] || [ "$UpdateCmd" = "Reconfigure" ]; then : elif [ "$UpdateCmd" = "Update" ]; then - $SUDO /opt/pivpn/update.sh "$@" + $SUDO ${pivpnScriptDir}/update.sh "$@" exit 0 elif [ "$UpdateCmd" = "Repair" ]; then # shellcheck disable=SC1090 @@ -213,7 +215,8 @@ main(){ # Save installation setting to the final location echo "INSTALLED_PACKAGES=(${INSTALLED_PACKAGES[*]})" >> ${tempsetupVarsFile} - echo "::: Setupfiles copied to ${setupConfigDir}/{$VPN}/${setupVarsFile}" + echo "::: Setupfiles copied to ${setupConfigDir}/${VPN}/${setupVarsFile}" + $SUDO mkdir "${setupConfigDir}/${VPN}/" $SUDO cp ${tempsetupVarsFile} "${setupConfigDir}/${VPN}/${setupVarsFile}" installScripts @@ -999,6 +1002,7 @@ getGitFiles(){ } cloneOrUpdateRepos(){ + pivpnFilesDir="${pivpnFilesDir}/${VPN}" # Get Git files getGitFiles ${pivpnFilesDir} ${pivpnGitUrl} || \ { echo "!!! Unable to clone ${pivpnGitUrl} into ${pivpnFilesDir}, unable to continue."; \ 
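Review bot: `$SUDO mkdir "${setupConfigDir}/${VPN}/"` without `-p` fails when `/etc/pivpn` does not exist yet and also errors on Repair/Reconfigure, where the protocol directory already exists; `$SUDO mkdir -p "${setupConfigDir}/${VPN}"` covers both. The `cp` of `${tempsetupVarsFile}` on the next line is unquoted and unchecked, and every other script sources the copied file, so `|| exit 1` on that copy is cheap insurance. main() starts and ends outside the hunk.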
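Review bot: `pivpnFilesDir="${pivpnFilesDir}/${VPN}"` rewrites a script-wide variable from inside cloneOrUpdateRepos, so a second call yields a nested `/etc/.pivpn/wireguard/wireguard`, and any reader who expects the base directory after this point gets the protocol subdirectory instead. If installScripts is meant to consume the mutated value (its later hunks read `${pivpnFilesDir}/scripts/...`), a comment on this line stating that the function intentionally re-points the global, and a guard such as `[[ "$pivpnFilesDir" == */"$VPN" ]] || pivpnFilesDir="${pivpnFilesDir}/${VPN}"`, would make that explicit and idempotent. The `getGitFiles ${pivpnFilesDir} ${pivpnGitUrl}` arguments should be quoted either way. cloneOrUpdateRepos continues outside the hunk.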
@@ -2232,19 +2236,33 @@ confUnattendedUpgrades(){ installScripts(){ # Install the scripts from /etc/.pivpn to their various locations echo ":::" - echo -n -e "::: Installing scripts to /opt/pivpn...\n" - if [ ! -d /opt/pivpn ]; then - $SUDO mkdir -p /opt/pivpn - $SUDO chown root:root /opt/pivpn - $SUDO chmod 0755 /opt/pivpn + echo "::: line ${LINENO}" + echo -n -e "::: Installing scripts to ${pivpnScriptDir}...\n" + echo "::: line ${LINENO}" + if [ ! -d "${pivpnScriptDir}/${VPN}" ]; then + $SUDO mkdir -p ${pivpnScriptDir}/${VPN} + $SUDO chown -R root:root ${pivpnScriptDir} + $SUDO chmod -R 0755 ${pivpnScriptDir} fi - $SUDO install -m 755 "$pivpnFilesDir"/scripts/*.sh -t /opt/pivpn - $SUDO install -m 755 "$pivpnFilesDir"/scripts/"$VPN"/*.sh -t /opt/pivpn/${VPN} - $SUDO install -m 755 "$pivpnFilesDir"/scripts/"$VPN"/pivpn /usr/local/bin/pivpn/${VPN} - $SUDO install -m 644 "$pivpnFilesDir"/scripts/"$VPN"/bash-completion /etc/bash_completion.d/pivpn + $SUDO install -m 755 "${pivpnFilesDir}"/scripts/*.sh -t ${pivpnScriptDir} + $SUDO install -m 755 "${pivpnFilesDir}/scripts/${VPN}"/*.sh -t ${pivpnScriptDir}/${VPN} + echo "::: line ${LINENO}" + $SUDO mkdir -p /usr/local/bin/pivpn/${VPN} + echo "::: line ${LINENO}" + $SUDO install -v -m 755 "${pivpnFilesDir}/scripts/${VPN}"/pivpn -t /usr/local/bin/pivpn/${VPN} + echo "::: line ${LINENO}" + ls -l ${pivpnFilesDir}/scripts/${VPN}/bash-completion + echo "::: line ${LINENO}" + $SUDO -E 'bash cat "${pivpnFilesDir}/scripts/${VPN}/bash-completion" >> /etc/bash_completion.d/pivpn' + echo "::: line ${LINENO}" + $SUDO chown root:root /etc/bash_completion.d/pivpn + echo "::: line ${LINENO}" + $SUDO chmod 755 /etc/bash_completion.d/pivpn # shellcheck disable=SC1091 + echo "::: line ${LINENO}" . /etc/bash_completion.d/pivpn + echo "::: line ${LINENO}" echo " done." } diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index d40afbe..3bf8dca 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh 
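Review bot: `$SUDO -E 'bash cat "${pivpnFilesDir}/scripts/${VPN}/bash-completion" >> /etc/bash_completion.d/pivpn'` cannot work: the single quotes make the whole string one argument, so sudo looks for a command literally named `bash cat "…"` and the variables are never expanded, and even unquoted the `>>` would be performed by the calling shell rather than by root. The previous `$SUDO install -m 644 ... /etc/bash_completion.d/pivpn` was correct; if the intent is to append both protocols' completions, `cat "${pivpnFilesDir}/scripts/${VPN}/bash-completion" | $SUDO tee -a /etc/bash_completion.d/pivpn > /dev/null` does that, after which the separate `chown`/`chmod 755` lines are unnecessary (0644 is enough for a sourced file). The `echo "::: line ${LINENO}"` lines and the `ls -l` are debugging output and should be dropped; removing the echo between `# shellcheck disable=SC1091` and `. /etc/bash_completion.d/pivpn` also puts the directive back on the line it targets.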
@@ -4,19 +4,6 @@ ### FIXME: global: config storage, refactor all scripts to adhere to the storage ### FIXME: use variables where appropriate, reduce magic numbers by 99.9%, at least. -PKG_MANAGER="apt-get" -UPDATE_PKG_CACHE="${PKG_MANAGER} update" -dnsmasqConfig="/etc/dnsmasq.d/02-pivpn.conf" -setupVars="/etc/pivpn/setupVars.conf" - -if [ ! -f "${setupVars}" ]; then - echo "::: Missing setup vars file!" - exit 1 -fi - -# shellcheck disable=SC1090 -source "${setupVars}" - # Find the rows and columns. Will default to 80x24 if it can not be detected. screen_size=$(stty size 2>/dev/null || echo 24 80) rows=$(echo "$screen_size" | awk '{print $1}') @@ -29,6 +16,31 @@ c=$(( columns / 2 )) r=$(( r < 20 ? 20 : r )) c=$(( c < 70 ? 70 : c )) + chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "WireGuard is a new kind of VPN that provides near-instantaneous connection speed, high performance, and modern cryptography.\\n\\nIt's the recommended choice especially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\\n\\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol or if you need features like TCP and custom search domain.\\n\\nChoose a VPN to uninstall (press space to select):" "${r}" "${c}" 2) + VPNChooseOptions=(WireGuard "" on + OpenVPN "" off) + + if VPN=$("${chooseVPNCmd[@]}" "${VPNChooseOptions[@]}" 2>&1 >/dev/tty) ; then + echo "::: Using VPN: $VPN" + VPN="${VPN,,}" + else + echo "::: Cancel selected, exiting...." + exit 1 + fi + +PKG_MANAGER="apt-get" +UPDATE_PKG_CACHE="${PKG_MANAGER} update" +dnsmasqConfig="/etc/dnsmasq.d/02-pivpn.conf" +setupVars="/etc/pivpn/${VPN}/setupVars.conf" + +if [ ! -f "${setupVars}" ]; then + echo "::: Missing setup vars file!" + exit 1 +fi + +# shellcheck disable=SC1090 +source "${setupVars}" + ### FIXME: introduce global lib spinner(){ local pid=$1 
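Review bot: the radiolist always offers both protocols and defaults to WireGuard, so on a single-protocol host choosing the absent one (or accepting the default when only OpenVPN is installed) ends at `::: Missing setup vars file!` after the prompt; checking which `/etc/pivpn/<vpn>/setupVars.conf` files exist first, and listing only those (or skipping the prompt when there is exactly one), would make the uninstaller match what is installed. The dialog is copied from the installer — `--title "Installation mode"` and the long protocol comparison — which reads oddly here; a short `--title "Uninstall PiVPN"` prompt naming the installed protocols is enough. The new block is indented one level although it sits at top level, unlike the surrounding code.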
@@ -152,11 +164,16 @@ removeAll(){ pihole restartdns fi - rm -rf /opt/pivpn - rm -rf /etc/.pivpn - rm -rf /etc/pivpn + rm -rf /opt/pivpn/${VPN} + # if dual installation, other installation will cause next line to fail + rmdir /opt/pivpn + rm -rf /etc/.pivpn/${VPN} + rmdir /etc/.pivpn + rm -rf /etc/pivpn/${VPN} + rmdir /etc/pivpn rm -f /var/log/*pivpn* - rm -f /usr/local/bin/pivpn + rm -f /usr/local/bin/pivpn/${VPN} + # TODO fix bash_completion removal rm -f /etc/bash_completion.d/pivpn echo ":::" From 5330454f2b48a7a75f0d670f95afe609a19c67d0 Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Sun, 3 May 2020 17:55:48 +0100 Subject: [PATCH 007/114] added generic pivpn for 2 protocols --- scripts/pivpn | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100755 scripts/pivpn diff --git a/scripts/pivpn b/scripts/pivpn new file mode 100755 index 0000000..216b2cb --- /dev/null +++ b/scripts/pivpn @@ -0,0 +1,36 @@ +#!/bin/bash + +# Must be root to use this tool +if [ $EUID -ne 0 ];then + if dpkg-query -s sudo &> /dev/null; then + export SUDO="sudo" + else + echo "::: Please install sudo or run this as root." + exit 1 + fi +fi + +scriptdir="/opt/pivpn" +vpn="wireguard" + +showHelp(){ + echo "::: To pass off to the pivpn command for each protocol" + echo ":::" + echo "::: Usage: pivpn wg [option]" + echo "::: Usage: pivpn opv [option]" + echo ":::" + echo "::: -h, help Show this help dialog" + exit 0 +} + +if [ $# = 0 ]; then + showHelp +fi + +# Handle redirecting to specific functions based on arguments +case "$1" in + wg ) "${scriptDir}/wireguard/pivpn" "${@:2}";; + opv ) "${scriptDir}/openvpn/pivpn" "${@:2}";; +"-h" | "help" ) showHelp;; +* ) showHelp;; +esac From 6a8e508951cecc8cd27718e18930cd13eb64ad2b Mon Sep 17 00:00:00 2001 
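Review bot: `rm -rf /opt/pivpn/${VPN}`, `rm -rf /etc/.pivpn/${VPN}` and `rm -rf /etc/pivpn/${VPN}` have no guard against `VPN` being empty, in which case each collapses to the parent directory and removes both protocols' data; `rm -rf "/opt/pivpn/${VPN:?}"` (likewise for the other two) aborts the script instead. The comment says the `rmdir` calls are expected to fail on a dual installation, so that expectation should be explicit in code rather than left as an error on the console, e.g. `rmdir /opt/pivpn 2>/dev/null || true`, keeping the comment. `rm -f /usr/local/bin/pivpn/${VPN}` assumes the `/usr/local/bin/pivpn/<protocol>` layout from the installer hunk in this series, which makes the `pivpn` command a directory; the two scripts should be revisited together once that layout is settled. removeAll starts before this hunk.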
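Review bot: In the new scripts/pivpn the default `* )` arm calls `showHelp`, which ends with `exit 0`, so an unknown subcommand exits successfully; moving the `exit 0` out of `showHelp` and writing `* ) showHelp >&2; exit 1;;` lets callers and scripts detect the mistake while `-h`/`help` keep exiting 0. `vpn="wireguard"` is assigned but never read in this file, and `SUDO` is exported but neither dispatch line uses it, so the root check at the top only establishes that sudo is installed; either drop the variable or run the per-protocol script through it. `[ $EUID -ne 0 ]` should be `[ "$EUID" -ne 0 ]` for consistency with the quoted expansions in the case arms.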
From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Mon, 4 May 2020 09:54:07 +0100 Subject: [PATCH 008/114] Update README.md --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 157822a..503abf6 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,9 @@ About ----- +Branch test is a modification that allows installing both openvpn and wireguard on the same machine. To do this, run the installer twice locally, makeing sure you are going to pull branch test. + + Visit the [PiVPN](https://pivpn.io) site for more information. This is a set of shell scripts initially developed by **@0-kaladin** that serve to easily turn your Raspberry Pi (TM) into a VPN server using two free, open-source protocols: From 4e3a58702f58108586987241b9007676b070a33b Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Tue, 5 May 2020 00:05:10 +0100 Subject: [PATCH 009/114] more dual --- auto_install/install.sh | 34 +++++++++------------------ scripts/openvpn/{pivpn => pivpn.sh} | 0 scripts/pivpn | 4 ++-- scripts/wireguard/{pivpn => pivpn.sh} | 0 4 files changed, 13 insertions(+), 25 deletions(-) rename scripts/openvpn/{pivpn => pivpn.sh} (100%) rename scripts/wireguard/{pivpn => pivpn.sh} (100%) diff --git a/auto_install/install.sh b/auto_install/install.sh index 45c2744..c423c18 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -16,7 +16,7 @@ pivpnGitUrl="/root/repos/pivpn" setupVarsFile="setupVars.conf" setupConfigDir="/etc/pivpn" # will be /etc/pivpn/${VPN}/setupVars.conf tempsetupVarsFile="/tmp/setupVars.conf" -pivpnFilesDir="/etc/.pivpn" # will be updated when $VPN known +pivpnFilesDir="/etc/.pivpn" pivpnScriptDir="/opt/pivpn" piholeSetupVars="/etc/pihole/setupVars.conf" 
@@ -1002,7 +1002,6 @@ getGitFiles(){
 }
 
 cloneOrUpdateRepos(){
- pivpnFilesDir="${pivpnFilesDir}/${VPN}"
 # Get Git files
 getGitFiles ${pivpnFilesDir} ${pivpnGitUrl} || \
 { echo "!!! Unable to clone ${pivpnGitUrl} into ${pivpnFilesDir}, unable to continue."; \
@@ -2235,32 +2234,21 @@ confUnattendedUpgrades(){ installScripts(){ # Install the scripts from /etc/.pivpn to their various locations - echo ":::" - echo "::: line ${LINENO}" echo -n -e "::: Installing scripts to ${pivpnScriptDir}...\n" echo "::: line ${LINENO}" if [ ! -d "${pivpnScriptDir}/${VPN}" ]; then - $SUDO mkdir -p ${pivpnScriptDir}/${VPN} - $SUDO chown -R root:root ${pivpnScriptDir} - $SUDO chmod -R 0755 ${pivpnScriptDir} + $SUDO install -m 0755 -o root -d ${pivpnScriptDir}/${VPN} +# $SUDO mkdir -p ${pivpnScriptDir}/${VPN} +# $SUDO chown -R root:root ${pivpnScriptDir} +# $SUDO chmod -R 0755 ${pivpnScriptDir} fi - - $SUDO install -m 755 "${pivpnFilesDir}"/scripts/*.sh -t ${pivpnScriptDir} - $SUDO install -m 755 "${pivpnFilesDir}/scripts/${VPN}"/*.sh -t ${pivpnScriptDir}/${VPN} - echo "::: line ${LINENO}" - $SUDO mkdir -p /usr/local/bin/pivpn/${VPN} - echo "::: line ${LINENO}" - $SUDO install -v -m 755 "${pivpnFilesDir}/scripts/${VPN}"/pivpn -t /usr/local/bin/pivpn/${VPN} - echo "::: line ${LINENO}" - ls -l ${pivpnFilesDir}/scripts/${VPN}/bash-completion - echo "::: line ${LINENO}" - $SUDO -E 'bash cat "${pivpnFilesDir}/scripts/${VPN}/bash-completion" >> /etc/bash_completion.d/pivpn' - echo "::: line ${LINENO}" + $SUDO install -v -m 755 -t ${pivpnScriptDir} ${pivpnFilesDir}/scripts/*.sh + $SUDO install -v -m 755 -t ${pivpnScriptDir}/${VPN} ${pivpnFilesDir}/scripts/${VPN}/*.sh + $SUDO install -v -m 755 -t /usr/local/bin /${pivpnFilesDir}/scripts/pivpn + $SUDO cp "${pivpnFilesDir}/scripts/${VPN}/bash-completion" /etc/bash_completion.d/pivpn $SUDO chown root:root /etc/bash_completion.d/pivpn - echo "::: line ${LINENO}" $SUDO chmod 755 /etc/bash_completion.d/pivpn # shellcheck disable=SC1091 - echo "::: line ${LINENO}" . /etc/bash_completion.d/pivpn echo "::: line ${LINENO}" echo " done." 
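Review bot: `$SUDO install -v -m 755 -t /usr/local/bin /${pivpnFilesDir}/scripts/pivpn` has a stray `/` in front of the expansion, yielding `//etc/.pivpn/scripts/pivpn`; it resolves on Linux but is clearly a typo and should read `"${pivpnFilesDir}/scripts/pivpn"`. The function keeps three commented-out `mkdir`/`chown`/`chmod` lines under the `install -d` that replaces them and two `echo "::: line ${LINENO}"` trace lines; both belong in the commit history rather than the file. The `${pivpnScriptDir}` and `${pivpnFilesDir}/scripts/*.sh` arguments are unquoted on every install line, which only works while the paths contain no whitespace or glob characters; quote the directory parts and leave just the `*.sh` outside the quotes, e.g. `"${pivpnFilesDir}"/scripts/*.sh`. The closing `}` of installScripts is not visible in this hunk.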
@@ -2269,7 +2257,7 @@ installScripts(){ displayFinalMessage(){ if [ "${runUnattended}" = 'true' ]; then echo "::: Installation Complete!" - echo "::: Now run 'pivpn add' to create the ovpn profiles." + echo "::: Now run 'pivpn add' to create the client profiles." echo "::: Run 'pivpn help' to see what else you can do!" echo echo "::: If you run into any issue, please read all our documentation carefully." @@ -2281,7 +2269,7 @@ displayFinalMessage(){ fi # Final completion message to user - whiptail --msgbox --backtitle "Make it so." --title "Installation Complete!" "Now run 'pivpn add' to create the ovpn profiles. + whiptail --msgbox --backtitle "Make it so." --title "Installation Complete!" "Now run 'pivpn add' to create the client profiles. Run 'pivpn help' to see what else you can do!\\n\\nIf you run into any issue, please read all our documentation carefully. All incomplete posts or bug reports will be ignored or deleted.\\n\\nThank you for using PiVPN." ${r} ${c} if (whiptail --title "Reboot" --yesno --defaultno "It is strongly recommended you reboot after installation. Would you like to reboot now?" ${r} ${c}); then diff --git a/scripts/openvpn/pivpn b/scripts/openvpn/pivpn.sh similarity index 100% rename from scripts/openvpn/pivpn rename to scripts/openvpn/pivpn.sh diff --git a/scripts/pivpn b/scripts/pivpn index 216b2cb..e330552 100755 --- a/scripts/pivpn +++ b/scripts/pivpn @@ -29,8 +29,8 @@ fi # Handle redirecting to specific functions based on arguments case "$1" in - wg ) "${scriptDir}/wireguard/pivpn" "${@:2}";; - opv ) "${scriptDir}/openvpn/pivpn" "${@:2}";; + wg ) "${scriptDir}/wireguard/pivpn.sh" "${@:2}";; + opv ) "${scriptDir}/openvpn/pivpn.sh" "${@:2}";; "-h" | "help" ) showHelp;; * ) showHelp;; esac diff --git a/scripts/wireguard/pivpn b/scripts/wireguard/pivpn.sh similarity index 100% rename from scripts/wireguard/pivpn rename to scripts/wireguard/pivpn.sh From 9351016db568f33a6d5a237d7d9ba0a9c38de771 Mon Sep 17 00:00:00 2001 
From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Tue, 5 May 2020 09:24:20 +0100 Subject: [PATCH 010/114] extra D in scriptdir --- scripts/pivpn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pivpn b/scripts/pivpn index e330552..029f211 100755 --- a/scripts/pivpn +++ b/scripts/pivpn @@ -10,7 +10,7 @@ if [ $EUID -ne 0 ];then fi fi -scriptdir="/opt/pivpn" +scriptDir="/opt/pivpn" vpn="wireguard" showHelp(){ From 21d954167c97c6257b837012882f3c78551185d9 Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Tue, 5 May 2020 21:43:20 +0100 Subject: [PATCH 011/114] typo in openvpn --- scripts/openvpn/pivpn.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/scripts/openvpn/pivpn.sh b/scripts/openvpn/pivpn.sh index f461d7a..66ab5cc 100755 --- a/scripts/openvpn/pivpn.sh +++ b/scripts/openvpn/pivpn.sh @@ -10,29 +10,29 @@ if [[ ! $EUID -eq 0 ]];then fi fi -scriptdir="/opt/pivpn" +scriptDir="/opt/pivpn" vpn="openvpn" function makeOVPNFunc { shift - $SUDO ${scripdir}/${vpn}/makeOVPN.sh "$@" + $SUDO ${scriptDir}/${vpn}/makeOVPN.sh "$@" exit 0 } function listClientsFunc { shift - $SUDO ${scripdir}/${vpn}/clientStat.sh "$@" + $SUDO ${scriptDir}/${vpn}/clientStat.sh "$@" exit 0 } function listOVPNFunc { - $SUDO ${scripdir}/${vpn}/listOVPN.sh + $SUDO ${scriptDir}/${vpn}/listOVPN.sh exit 0 } function debugFunc { echo "::: Generating Debug Output" - $SUDO ${scripdir}/${vpn}/pivpnDebug.sh | tee /tmp/debug.txt + $SUDO ${scriptDir}/${vpn}/pivpnDebug.sh | tee /tmp/debug.txt echo "::: " echo "::: Debug output completed above." echo "::: Copy saved to /tmp/debug.txt" @@ -42,12 +42,12 @@ function debugFunc { function removeOVPNFunc { shift - $SUDO ${scripdir}/${vpn}/removeOVPN.sh "$@" + $SUDO ${scriptDir}/${vpn}/removeOVPN.sh "$@" exit 0 } function uninstallFunc { - $SUDO ${scripdir}/uninstall.sh + $SUDO ${scriptDir}/uninstall.sh exit 0 } 
@@ -58,7 +58,7 @@ function versionFunc { function update { shift - $SUDO ${scripdir}/update.sh "$@" + $SUDO ${scriptDir}/update.sh "$@" exit 0 @@ -66,7 +66,7 @@ function update { function backup { - $SUDO ${scripdir}/backup.sh + $SUDO ${scriptDir}/backup.sh exit 0 } From 081bf912c2910de1476c9a485f0e6f3ed4d72d95 Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Tue, 5 May 2020 23:12:32 +0100 Subject: [PATCH 012/114] still debugging dual --- auto_install/install.sh | 17 ++++++++++++++--- scripts/backup.sh | 27 ++++++++++++++++++++++++++- scripts/update.sh | 27 ++++++++++++++++++++++++++- 3 files changed, 66 insertions(+), 5 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index c423c18..f34230c 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
@@ -2243,9 +2243,20 @@ installScripts(){ # $SUDO chmod -R 0755 ${pivpnScriptDir} fi $SUDO install -v -m 755 -t ${pivpnScriptDir} ${pivpnFilesDir}/scripts/*.sh - $SUDO install -v -m 755 -t ${pivpnScriptDir}/${VPN} ${pivpnFilesDir}/scripts/${VPN}/*.sh - $SUDO install -v -m 755 -t /usr/local/bin /${pivpnFilesDir}/scripts/pivpn - $SUDO cp "${pivpnFilesDir}/scripts/${VPN}/bash-completion" /etc/bash_completion.d/pivpn + $SUDO install -v -m 755 -t ${pivpnScriptDir}/${VPN} ${pivpnFilesDir}/scripts/${VPN}/*.sh + # line for the single command being installed + $SUDO ln -s -T ${pivpnFilesDir}/scripts/${VPN}/pivpn pivpn + # if the other protocol file exists + if [ ${VPN} -eq 'wireguard' ]; then + othervpn='openvpn' + else + othervpn='wireguard' + fi + if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile} ] then; + # dont need a link, copy the common script to the location instead + $SUDO install -v -m 755 -t /usr/local/bin /${pivpnFilesDir}/scripts/pivpn + fi + $SUDO cp "${pivpnFilesDir}/scripts/${VPN}/bash-completion" /etc/bash_completion.d/pivpn $SUDO chown root:root /etc/bash_completion.d/pivpn $SUDO chmod 755 /etc/bash_completion.d/pivpn # shellcheck disable=SC1091 diff --git a/scripts/backup.sh b/scripts/backup.sh index 8711c96..adf5b43 100755 --- a/scripts/backup.sh +++ b/scripts/backup.sh 
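Review bot: The new dual-protocol block in installScripts does not parse as written: `if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile} ] then;` is missing the closing quote and puts `then` on the wrong side of the `;`, and `[ ${VPN} -eq 'wireguard' ]` is an integer comparison applied to strings, which errors on every run. `$SUDO ln -s -T ${pivpnFilesDir}/scripts/${VPN}/pivpn pivpn` also creates the symlink as `pivpn` in the installer's current working directory rather than in `/usr/local/bin`, and without `-f` it fails if that name already exists. PATCH 014 further down this series rewrites these lines; this commit should not be merged on its own. installScripts starts before this hunk.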
@@ -2,7 +2,32 @@ backupdir=pivpnbackup date=$(date +%Y%m%d-%H%M%S) -setupVars="/etc/pivpn/setupVars.conf" + +# Find the rows and columns. Will default to 80x24 if it can not be detected. +screen_size=$(stty size 2>/dev/null || echo 24 80) +rows=$(echo "$screen_size" | awk '{print $1}') +columns=$(echo "$screen_size" | awk '{print $2}') + +# Divide by two so the dialogs take up half of the screen, which looks nice. +r=$(( rows / 2 )) +c=$(( columns / 2 )) +# Unless the screen is tiny +r=$(( r < 20 ? 20 : r )) +c=$(( c < 70 ? 70 : c )) + + chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "Choose a VPN to update (press space to select):" "${r}" "${c}" 2) + VPNChooseOptions=(WireGuard "" on + OpenVPN "" off) + + if VPN=$("${chooseVPNCmd[@]}" "${VPNChooseOptions[@]}" 2>&1 >/dev/tty) ; then + echo "::: Using VPN: $VPN" + VPN="${VPN,,}" + else + echo "::: Cancel selected, exiting...." + exit 1 + fi + +setupVars="/etc/pivpn/${VPN}/setupVars.conf" if [ ! -f "${setupVars}" ]; then echo "::: Missing setup vars file!" diff --git a/scripts/update.sh b/scripts/update.sh index 609c273..eed1ce8 100755 --- a/scripts/update.sh +++ b/scripts/update.sh 
@@ -6,7 +6,32 @@ pivpnrepo="https://github.com/pivpn/pivpn.git" pivpnlocalpath="/etc/.pivpn" pivpnscripts="/opt/pivpn/" bashcompletiondir="/etc/bash_completion.d/" -setupVars="/etc/pivpn/setupVars.conf" + +# Find the rows and columns. Will default to 80x24 if it can not be detected. +screen_size=$(stty size 2>/dev/null || echo 24 80) +rows=$(echo "$screen_size" | awk '{print $1}') +columns=$(echo "$screen_size" | awk '{print $2}') + +# Divide by two so the dialogs take up half of the screen, which looks nice. +r=$(( rows / 2 )) +c=$(( columns / 2 )) +# Unless the screen is tiny +r=$(( r < 20 ? 20 : r )) +c=$(( c < 70 ? 70 : c )) + + chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "Choose a VPN to update (press space to select):" "${r}" "${c}" 2) + VPNChooseOptions=(WireGuard "" on + OpenVPN "" off) + + if VPN=$("${chooseVPNCmd[@]}" "${VPNChooseOptions[@]}" 2>&1 >/dev/tty) ; then + echo "::: Using VPN: $VPN" + VPN="${VPN,,}" + else + echo "::: Cancel selected, exiting...." + exit 1 + fi + +setupVars="/etc/pivpn/${VPN}/setupVars.conf" if [ ! -f "${setupVars}" ]; then echo "::: Missing setup vars file!" From e09bbda1e9aba16319e31979be74460ae338ba3c Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Tue, 5 May 2020 23:13:59 +0100 Subject: [PATCH 013/114] update to backup --- scripts/backup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/backup.sh b/scripts/backup.sh index adf5b43..a632a81 100755 --- a/scripts/backup.sh +++ b/scripts/backup.sh 
@@ -15,7 +15,7 @@ c=$(( columns / 2 ))
 r=$(( r < 20 ? 20 : r ))
 c=$(( c < 70 ? 70 : c ))
 
- chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "Choose a VPN to update (press space to select):" "${r}" "${c}" 2)
+ chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "Choose a VPN configuration to backup (press space to select):" "${r}" "${c}" 2)
 VPNChooseOptions=(WireGuard "" on
 OpenVPN "" off)
 
From 052376a133ce27052206c9e31c86d6512923f1b3 Mon Sep 17 00:00:00 2001
From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com>
Date: Wed, 6 May 2020 22:03:38 +0100
Subject: [PATCH 014/114] install.sh path correct

---
 auto_install/install.sh | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/auto_install/install.sh b/auto_install/install.sh
index f34230c..d133e6c 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -2244,16 +2244,17 @@ installScripts(){ fi $SUDO install -v -m 755 -t ${pivpnScriptDir} ${pivpnFilesDir}/scripts/*.sh $SUDO install -v -m 755 -t ${pivpnScriptDir}/${VPN} ${pivpnFilesDir}/scripts/${VPN}/*.sh - # line for the single command being installed - $SUDO ln -s -T ${pivpnFilesDir}/scripts/${VPN}/pivpn pivpn - # if the other protocol file exists - if [ ${VPN} -eq 'wireguard' ]; then + # make a link for a single command being installed + $SUDO ln -s -T ${pivpnScriptDir}/${VPN}/pivpn.sh /usr/local/bin/pivpn + # if the other protocol file exists it has been installed + if [[ ${VPN} == 'wireguard' ]]; then othervpn='openvpn' else othervpn='wireguard' fi - if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile} ] then; + if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]; then # dont need a link, copy the common script to the location instead + $SUDO rm -f /usr/local/bin/pivpn $SUDO install -v -m 755 -t /usr/local/bin /${pivpnFilesDir}/scripts/pivpn fi $SUDO cp "${pivpnFilesDir}/scripts/${VPN}/bash-completion" /etc/bash_completion.d/pivpn From f6463b88491664833666fb0acfd5aee161da7f24 Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Wed, 6 May 2020 23:00:13 +0100 Subject: [PATCH 015/114] uninstall to detect one prot remaining, wg_update removed --- scripts/wireguard/bash-completion | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/wireguard/bash-completion b/scripts/wireguard/bash-completion index 412072a..a971696 100644 --- a/scripts/wireguard/bash-completion +++ b/scripts/wireguard/bash-completion 
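Review bot: `$SUDO ln -s -T ${pivpnScriptDir}/${VPN}/pivpn.sh /usr/local/bin/pivpn` fails with "File exists" on a Repair/Reconfigure run or when the second protocol is installed, because `ln -s` without `-f` refuses to replace an existing link; `$SUDO ln -sfT "${pivpnScriptDir}/${VPN}/pivpn.sh" /usr/local/bin/pivpn` (or the explicit `rm -f` that the dual branch below already does) makes the step idempotent. The `/${pivpnFilesDir}/scripts/pivpn` argument keeps its stray leading slash from the previous commit, and the same line is carried unchanged into the later installScripts hunks of PATCH 017 and PATCH 024. installScripts starts before this hunk.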
@@ -4,8 +4,8 @@ _pivpn() COMPREPLY=() cur="${COMP_WORDS[COMP_CWORD]}" prev="${COMP_WORDS[COMP_CWORD-1]}" - dashopts="-a -c -d -l -qr -r -h -u -up -wg -bk" - opts="add clients debug list qrcode remove help uninstall update wgupdate backup" + dashopts="-a -c -d -l -qr -r -h -u -up -bk" + opts="add clients debug list qrcode remove help uninstall update backup" if [ "${#COMP_WORDS[@]}" -eq 2 ] then if [[ ${cur} == -* ]] ; then From 9b04391629badfe97afdadde7b2a0c4e5d645414 Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Wed, 6 May 2020 23:29:04 +0100 Subject: [PATCH 016/114] uninstall change --- scripts/uninstall.sh | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index 3bf8dca..7d53659 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -37,10 +37,26 @@ if [ ! -f "${setupVars}" ]; then echo "::: Missing setup vars file!" exit 1 fi - + # shellcheck disable=SC1090 source "${setupVars}" +# if the other protocol file exists it has been installed +if [[ ${VPN} == 'wireguard' ]]; then + othervpn='openvpn' +else + othervpn='wireguard' +fi +vpnStillExists=no +if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]; then + $SUDO rm -f /usr/local/bin/pivpn + $SUDO ln -s -T ${pivpnScriptDir}/${othervpn}/pivpn.sh /usr/local/bin/pivpn + vpnStillExists=yes + echo ":::" + echo "::: Two VPN protocols exist, you should remove the other one too" + echo ":::" +fi + ### FIXME: introduce global lib spinner(){ local pid=$1 @@ -98,8 +114,10 @@ removeAll(){ fi # Disable IPv4 forwarding - sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf - sysctl -p + if [ ${vpnStillExists} != 'yes' ]; then + sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf + sysctl -p + fi # Purge dependencies echo "::: Purge dependencies..." 
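Review bot: The dual-protocol check added to uninstall.sh reads `setupConfigDir`, `setupVarsFile` and `pivpnScriptDir`, none of which is assigned in this script as far as the hunks in this series show (uninstall.sh defines `setupVars` directly as `/etc/pivpn/${VPN}/setupVars.conf`); unless the sourced setupVars.conf happens to set them, the `-r` test degrades to `-r "//openvpn/"`, never matches, and the IPv4-forwarding disable guarded by `vpnStillExists` in this hunk (and the bash-completion removal in the next hunk) runs even when the other protocol is still installed. Defining them next to `setupVars` — `setupConfigDir="/etc/pivpn"`, `setupVarsFile="setupVars.conf"`, `pivpnScriptDir="/opt/pivpn"` — fixes this; PATCH 019 later adds the first two and PATCH 021 hard-codes the third, while PATCH 019 and PATCH 020 still carry the undefined `${pivpnScriptDir}` in their moved copies of this block. `$SUDO` is likewise unset here, which is harmless only because the rest of the script already runs as root without it. removeAll continues outside this hunk.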
@@ -172,9 +190,10 @@ removeAll(){ rm -rf /etc/pivpn/${VPN} rmdir /etc/pivpn rm -f /var/log/*pivpn* - rm -f /usr/local/bin/pivpn/${VPN} - # TODO fix bash_completion removal - rm -f /etc/bash_completion.d/pivpn + rm -rf /usr/local/bin/pivpn/${VPN} + if [ ${vpnStillExists} != 'yes' ]; then + rm -f /etc/bash_completion.d/pivpn + fi echo ":::" echo "::: Removing VPN configuration files..." From 501b9919a820aed718a20f2ad6b8fabdb719c65b Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Sun, 10 May 2020 16:37:30 +0000 Subject: [PATCH 017/114] after ubuntu testing --- auto_install/install.sh | 31 +++++++++++++------------------ 1 file changed, 13 insertions(+), 18 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index d133e6c..09d4a29 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -12,9 +12,9 @@ ######## VARIABLES ######### #pivpnGitUrl="https://github.com/pivpn/pivpn.git" -pivpnGitUrl="/root/repos/pivpn" +pivpnGitUrl="/home/ubuntu/repos/pivpn" setupVarsFile="setupVars.conf" -setupConfigDir="/etc/pivpn" # will be /etc/pivpn/${VPN}/setupVars.conf +setupConfigDir="/etc/pivpn" tempsetupVarsFile="/tmp/setupVars.conf" pivpnFilesDir="/etc/.pivpn" pivpnScriptDir="/opt/pivpn" 
@@ -123,13 +123,13 @@ main(){ fi # see which setup already exists - if [ -r "${setupVarsDir}/wireguard/${setupVarsFile}" ]; then - setupVars="${setupVarsDir}/wireguard/${setupVarsFile}" - elif [ -f "${setupVarsDir}/openvpn/${setupVarsFile}" ]; then - setupVars="${setupVarsDir}/openvpn/${setupVarsFile}" + if [ -r "${setupConfigDir}/wireguard/${setupVarsFile}" ]; then + setupVars="${setupConfigDir}/wireguard/${setupVarsFile}" + elif [ -r "${setupConfigDir}/openvpn/${setupVarsFile}" ]; then + setupVars="${setupConfigDir}/openvpn/${setupVarsFile}" fi - if [ -r "$setupVars" ]; then #qqq + if [ -r "$setupVars" ]; then if [[ "${reconfigure}" == true ]]; then echo "::: --reconfigure passed to install script, will reinstall PiVPN overwriting existing settings" UpdateCmd="Reconfigure" @@ -137,7 +137,7 @@ main(){ ### What should the script do when passing --unattended to an existing installation? UpdateCmd="Reconfigure" else - askAboutExistingInstall + askAboutExistingInstall ${setupVars} fi fi @@ -148,7 +148,7 @@ main(){ exit 0 elif [ "$UpdateCmd" = "Repair" ]; then # shellcheck disable=SC1090 - source "$setupVars" #qqq + source "$setupVars" runUnattended=true fi @@ -242,7 +242,7 @@ askAboutExistingInstall(){ opt3a="Reconfigure" opt3b="Reinstall PiVPN with new settings" - UpdateCmd=$(whiptail --title "Existing Install Detected!" --menu "\nWe have detected an existing install.\n\nPlease choose from the following options:" ${r} ${c} 3 \ + UpdateCmd=$(whiptail --title "Existing Install Detected!" --menu "\nWe have detected an existing install.\n$1\n\nPlease choose from the following options:" ${r} ${c} 3 \ "${opt1a}" "${opt1b}" \ "${opt2a}" "${opt2b}" \ "${opt3a}" "${opt3b}" 3>&2 2>&1 1>&3) || \ 
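Review bot: `askAboutExistingInstall ${setupVars}` passes the path unquoted, and inside the function it is interpolated into the whiptail `--menu` text as `$1`; write `askAboutExistingInstall "${setupVars}"` so the path always arrives as a single argument. The detection block above only ever selects one protocol (wireguard first, then openvpn), so on a host with both installed the dialog names the wireguard file regardless of which protocol the user is about to reconfigure; a comment stating that precedence, or listing both paths in the message, would make the behaviour clearer. The rename from `setupVarsDir` to `setupConfigDir` looks like a genuine fix, since only the latter is defined in the VARIABLES block of this file. main continues outside this hunk.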
@@ -2235,15 +2235,11 @@ confUnattendedUpgrades(){ installScripts(){ # Install the scripts from /etc/.pivpn to their various locations echo -n -e "::: Installing scripts to ${pivpnScriptDir}...\n" - echo "::: line ${LINENO}" if [ ! -d "${pivpnScriptDir}/${VPN}" ]; then $SUDO install -m 0755 -o root -d ${pivpnScriptDir}/${VPN} -# $SUDO mkdir -p ${pivpnScriptDir}/${VPN} -# $SUDO chown -R root:root ${pivpnScriptDir} -# $SUDO chmod -R 0755 ${pivpnScriptDir} fi - $SUDO install -v -m 755 -t ${pivpnScriptDir} ${pivpnFilesDir}/scripts/*.sh - $SUDO install -v -m 755 -t ${pivpnScriptDir}/${VPN} ${pivpnFilesDir}/scripts/${VPN}/*.sh + $SUDO install -m 755 -t ${pivpnScriptDir} ${pivpnFilesDir}/scripts/*.sh + $SUDO install -m 755 -t ${pivpnScriptDir}/${VPN} ${pivpnFilesDir}/scripts/${VPN}/*.sh # make a link for a single command being installed $SUDO ln -s -T ${pivpnScriptDir}/${VPN}/pivpn.sh /usr/local/bin/pivpn # if the other protocol file exists it has been installed @@ -2255,14 +2251,13 @@ installScripts(){ if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]; then # dont need a link, copy the common script to the location instead $SUDO rm -f /usr/local/bin/pivpn - $SUDO install -v -m 755 -t /usr/local/bin /${pivpnFilesDir}/scripts/pivpn + $SUDO install -m 755 -t /usr/local/bin /${pivpnFilesDir}/scripts/pivpn fi $SUDO cp "${pivpnFilesDir}/scripts/${VPN}/bash-completion" /etc/bash_completion.d/pivpn $SUDO chown root:root /etc/bash_completion.d/pivpn $SUDO chmod 755 /etc/bash_completion.d/pivpn # shellcheck disable=SC1091 . /etc/bash_completion.d/pivpn - echo "::: line ${LINENO}" echo " done." } From 969cff784831d7eb40f49d14379f7ed4d22d588c Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Sun, 10 May 2020 16:42:23 +0000 Subject: [PATCH 018/114] Readme to say dual install --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 503abf6..64d2ae6 100644 --- a/README.md +++ b/README.md 
@@ -5,7 +5,7 @@ About ----- -Branch test is a modification that allows installing both openvpn and wireguard on the same machine. To do this, run the installer twice locally, makeing sure you are going to pull branch test. +Modification that allows installing both openvpn and wireguard on the same machine. To do this, run the installer twice locally, makeing sure you are going to pull branch test. Visit the [PiVPN](https://pivpn.io) site for more information. From b230bade61db2ddee7fabc4388f142d3e014aaf6 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Sun, 10 May 2020 21:13:03 +0000 Subject: [PATCH 019/114] uninstall fixes --- scripts/uninstall.sh | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index 7d53659..12a2675 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -31,7 +31,9 @@ c=$(( c < 70 ? 70 : c )) PKG_MANAGER="apt-get" UPDATE_PKG_CACHE="${PKG_MANAGER} update" dnsmasqConfig="/etc/dnsmasq.d/02-pivpn.conf" -setupVars="/etc/pivpn/${VPN}/setupVars.conf" +setupConfigDir="/etc/pivpn" +setupVarsFile="setupVars.conf" +setupVars="${setupConfigDir}/${VPN}/${setupVarsFile}" if [ ! -f "${setupVars}" ]; then echo "::: Missing setup vars file!" @@ -41,21 +43,11 @@ fi # shellcheck disable=SC1090 source "${setupVars}" -# if the other protocol file exists it has been installed if [[ ${VPN} == 'wireguard' ]]; then othervpn='openvpn' else othervpn='wireguard' fi -vpnStillExists=no -if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]; then - $SUDO rm -f /usr/local/bin/pivpn - $SUDO ln -s -T ${pivpnScriptDir}/${othervpn}/pivpn.sh /usr/local/bin/pivpn - vpnStillExists=yes - echo ":::" - echo "::: Two VPN protocols exist, you should remove the other one too" - echo ":::" -fi ### FIXME: introduce global lib spinner(){ 
@@ -190,8 +182,18 @@ removeAll(){ rm -rf /etc/pivpn/${VPN} rmdir /etc/pivpn rm -f /var/log/*pivpn* - rm -rf /usr/local/bin/pivpn/${VPN} - if [ ${vpnStillExists} != 'yes' ]; then + + vpnStillExists='no' + + if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]; then + $SUDO rm -f /usr/local/bin/pivpn + $SUDO ln -s -T ${pivpnScriptDir}/${othervpn}/pivpn.sh /usr/local/bin/pivpn + vpnStillExists='yes' + echo ":::" + echo "::: Two VPN protocols exist, you should remove the other one too" + echo ":::" + + else rm -f /etc/bash_completion.d/pivpn fi From ff77077d56ca572f270b702ae1fd95bbd70d382e Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Sun, 10 May 2020 21:46:54 +0000 Subject: [PATCH 020/114] more uninstall --- scripts/uninstall.sh | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index 12a2675..86df98d 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -105,8 +105,22 @@ removeAll(){ fi + vpnStillExists='no' + + if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]; then + vpnStillExists='yes' + $SUDO rm -f /usr/local/bin/pivpn + $SUDO ln -s -T ${pivpnScriptDir}/${othervpn}/pivpn.sh /usr/local/bin/pivpn + echo ":::" + echo "::: Two VPN protocols exist, you should remove the other one too" + echo ":::" + + else + rm -f /etc/bash_completion.d/pivpn + fi + # Disable IPv4 forwarding - if [ ${vpnStillExists} != 'yes' ]; then + if [ ${vpnStillExists} == 'no' ]; then sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf sysctl -p fi 
@@ -183,20 +197,6 @@ removeAll(){ rmdir /etc/pivpn rm -f /var/log/*pivpn* - vpnStillExists='no' - - if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]; then - $SUDO rm -f /usr/local/bin/pivpn - $SUDO ln -s -T ${pivpnScriptDir}/${othervpn}/pivpn.sh /usr/local/bin/pivpn - vpnStillExists='yes' - echo ":::" - echo "::: Two VPN protocols exist, you should remove the other one too" - echo ":::" - - else - rm -f /etc/bash_completion.d/pivpn - fi - echo ":::" echo "::: Removing VPN configuration files..." From 56adbca52eeec5bd416e6b388ac661280106f605 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Sun, 10 May 2020 21:48:38 +0000 Subject: [PATCH 021/114] more uninstall --- scripts/uninstall.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index 86df98d..8d04cea 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -110,7 +110,7 @@ removeAll(){ if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]; then vpnStillExists='yes' $SUDO rm -f /usr/local/bin/pivpn - $SUDO ln -s -T ${pivpnScriptDir}/${othervpn}/pivpn.sh /usr/local/bin/pivpn + $SUDO ln -s -T /opt/pivpn/${othervpn}/pivpn.sh /usr/local/bin/pivpn echo ":::" echo "::: Two VPN protocols exist, you should remove the other one too" echo ":::" From be3ee135861140d3d24c8239a073c11f0b5e5cfd Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Mon, 11 May 2020 16:49:10 +0100 Subject: [PATCH 022/114] Update install.sh --- auto_install/install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/auto_install/install.sh b/auto_install/install.sh index 09d4a29..0bd80ba 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -9,6 +9,7 @@ # # curl -L https://install.pivpn.io | bash # Make sure you have `curl` installed +# timestamp 2020/5/11 16:48BST ######## VARIABLES ######### #pivpnGitUrl="https://github.com/pivpn/pivpn.git" 
From 4e3a57b9aa5e6d6b1dc86f6c5b117efe8d0778cf Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Wed, 13 May 2020 00:51:45 +0100 Subject: [PATCH 023/114] better uninstall.sh --- auto_install/install.sh | 4 ++-- scripts/uninstall.sh | 39 +++++++++++++++++++++------------------ 2 files changed, 23 insertions(+), 20 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 0bd80ba..f92e6a6 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -9,11 +9,11 @@ # # curl -L https://install.pivpn.io | bash # Make sure you have `curl` installed -# timestamp 2020/5/11 16:48BST +# timestamp 2020/5/13 00:51BST ######## VARIABLES ######### #pivpnGitUrl="https://github.com/pivpn/pivpn.git" -pivpnGitUrl="/home/ubuntu/repos/pivpn" +pivpnGitUrl="/home/pi/repos/pivpn" setupVarsFile="setupVars.conf" setupConfigDir="/etc/pivpn" tempsetupVarsFile="/tmp/setupVars.conf" diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index 8d04cea..ccdcb56 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -108,12 +108,12 @@ removeAll(){ vpnStillExists='no' if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]; then - vpnStillExists='yes' - $SUDO rm -f /usr/local/bin/pivpn - $SUDO ln -s -T /opt/pivpn/${othervpn}/pivpn.sh /usr/local/bin/pivpn - echo ":::" - echo "::: Two VPN protocols exist, you should remove the other one too" - echo ":::" + vpnStillExists='yes' + $SUDO rm -f /usr/local/bin/pivpn + $SUDO ln -s -T /opt/pivpn/${othervpn}/pivpn.sh /usr/local/bin/pivpn + echo ":::" + echo "::: Two VPN protocols exist, you should remove ${othervpn} too" + echo ":::" else rm -f /etc/bash_completion.d/pivpn 
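Review bot: `pivpnGitUrl` is switched to a developer's local checkout, `/home/pi/repos/pivpn`, with the upstream URL commented out, and the `# timestamp` comment is bumped alongside it; this is local-testing state, and anyone running this install.sh gets a clone failure or, worse, whatever happens to sit at that path on their machine. An environment override such as `pivpnGitUrl="${PIVPN_GIT_URL:-https://github.com/pivpn/pivpn.git}"` lets you test against a local repository without committing the path. PATCH 025 in this series restores the GitHub URL, but the intermediate commits should not be merged as they are.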
@@ -179,24 +179,12 @@ removeAll(){ printf "::: Auto cleaning remaining dependencies..." $PKG_MANAGER -y autoclean &> /dev/null & spinner $!; printf "done!\\n"; - echo ":::" - # Removing pivpn files - echo "::: Removing pivpn system files..." if [ -f "$dnsmasqConfig" ]; then rm -f "$dnsmasqConfig" pihole restartdns fi - rm -rf /opt/pivpn/${VPN} - # if dual installation, other installation will cause next line to fail - rmdir /opt/pivpn - rm -rf /etc/.pivpn/${VPN} - rmdir /etc/.pivpn - rm -rf /etc/pivpn/${VPN} - rmdir /etc/pivpn - rm -f /var/log/*pivpn* - echo ":::" echo "::: Removing VPN configuration files..." @@ -215,6 +203,21 @@ removeAll(){ rm -rf "$install_home/ovpns" fi + if [ ${vpnStillExists} == 'no' ]; then + echo ":::" + echo "::: Removing pivpn system files..." + rm -rf /etc/.pivpn + rm -rf /etc/pivpn + rm -f /var/log/*pivpn* + rm -rf /opt/pivpn + rm -f /usr/local/bin/pivpn + else + echo ":::" + echo "::: Other protocol still present, so not" + echo "::: removing pivpn system files" + rm -f "${setupConfigDir}/${VPN}/${setupVarsFile}" + fi + echo ":::" printf "::: Finished removing PiVPN from your system.\\n" printf "::: Reinstall by simpling running\\n:::\\n:::\\tcurl -L https://install.pivpn.io | bash\\n:::\\n::: at any time!\\n:::\\n" From e700cf1c8f0a1e2b779fdb3b025324f3a7ce1d62 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Wed, 13 May 2020 19:49:48 +0000 Subject: [PATCH 024/114] bash_completion not used in dual --- auto_install/install.sh | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index f92e6a6..e0482fe 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -13,7 +13,7 @@ ######## VARIABLES ######### #pivpnGitUrl="https://github.com/pivpn/pivpn.git" -pivpnGitUrl="/home/pi/repos/pivpn" +pivpnGitUrl="/home/ubuntu/repos/pivpn" setupVarsFile="setupVars.conf" setupConfigDir="/etc/pivpn" tempsetupVarsFile="/tmp/setupVars.conf" 
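Review bot: In the dual-installation branch (the `else` at the bottom of the hunk) only `${setupConfigDir}/${VPN}/${setupVarsFile}` is deleted, while the per-protocol `rm -rf /opt/pivpn/${VPN}`, `/etc/.pivpn/${VPN}` and `/etc/pivpn/${VPN}` lines are removed from the earlier part of the hunk, so the uninstalled protocol's scripts and config directory remain on disk and the `pivpn` dispatcher can still reach them. Adding `rm -rf "/opt/pivpn/${VPN:?}" "/etc/pivpn/${VPN:?}"` in that branch keeps the two branches consistent, with `:?` guarding against an empty `VPN`. The single-protocol branch removes `/etc/.pivpn`, `/etc/pivpn` and `/opt/pivpn` wholesale, which is correct there. removeAll continues outside this hunk.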
@@ -2249,16 +2249,25 @@ installScripts(){ else othervpn='wireguard' fi + if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]; then + # both are installed # dont need a link, copy the common script to the location instead $SUDO rm -f /usr/local/bin/pivpn $SUDO install -m 755 -t /usr/local/bin /${pivpnFilesDir}/scripts/pivpn fi - $SUDO cp "${pivpnFilesDir}/scripts/${VPN}/bash-completion" /etc/bash_completion.d/pivpn - $SUDO chown root:root /etc/bash_completion.d/pivpn - $SUDO chmod 755 /etc/bash_completion.d/pivpn - # shellcheck disable=SC1091 - . /etc/bash_completion.d/pivpn + + if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]; then + # both are installed, no bash completion, delete if already there + $SUDO rm -f /etc/bash_completion.d/pivpn + else + # only one protocol is installed, put bash completion in place + $SUDO cp "${pivpnFilesDir}/scripts/${VPN}/bash-completion" /etc/bash_completion.d/pivpn + $SUDO chown root:root /etc/bash_completion.d/pivpn + $SUDO chmod 755 /etc/bash_completion.d/pivpn + # shellcheck disable=SC1091 + . /etc/bash_completion.d/pivpn + fi echo " done." } From d4b3c9ee897a8c8d3608e73ff1b616f0488a8110 Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Thu, 14 May 2020 15:32:19 +0100 Subject: [PATCH 025/114] both wg and openvpn can be installed --- auto_install/install.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index e0482fe..200fa76 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
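Review bot: The two `if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]` tests in this hunk evaluate the same condition back to back; folding the bash-completion removal into the first branch (keeping the `else` for the single-protocol case) removes the duplication and the chance of the two drifting apart. In the first branch `install -m 755 -t /usr/local/bin /${pivpnFilesDir}/scripts/pivpn` has a stray leading `/` before the variable; it works only because `//` collapses on Linux, so use `$SUDO install -m 755 -t /usr/local/bin "${pivpnFilesDir}/scripts/pivpn"`. installScripts begins outside the hunk.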
@@ -9,11 +9,12 @@ # # curl -L https://install.pivpn.io | bash # Make sure you have `curl` installed -# timestamp 2020/5/13 00:51BST + +# timestamp 2020/5/14 15:29BST ######## VARIABLES ######### -#pivpnGitUrl="https://github.com/pivpn/pivpn.git" -pivpnGitUrl="/home/ubuntu/repos/pivpn" +pivpnGitUrl="https://github.com/pivpn/pivpn.git" +#pivpnGitUrl="/home/ubuntu/repos/pivpn" setupVarsFile="setupVars.conf" setupConfigDir="/etc/pivpn" tempsetupVarsFile="/tmp/setupVars.conf" From e3363a7d98cc7c963aeb7a7c5f1af5e8868cdd83 Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Wed, 20 May 2020 14:32:01 +0100 Subject: [PATCH 026/114] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 64d2ae6..ed8da7b 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,8 @@ About ----- +TS: 20/5/2020 starting change + Modification that allows installing both openvpn and wireguard on the same machine. To do this, run the installer twice locally, makeing sure you are going to pull branch test. From b90077bd78fdded34bb669e48aa1f8d5de155740 Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Fri, 22 May 2020 12:41:02 +0100 Subject: [PATCH 027/114] remove refs to /etc/pivpn/setupVars in selfcheck and debug scripts tidy indenting on install, check if symlink already exists before making one to avoid error uninstall indicates which vpns are available for uninstall selfcheck checks both protocols if both present install - additional text in reconfigure saying 2nd protocol can be added change to use pivpn ovpn instaed of pivpn opv when dual protocols exist --- scripts/openvpn/pivpnDebug.sh | 2 +- scripts/pivpn | 12 +++---- scripts/self_check.sh | 47 +++++++++++++++++++++----- scripts/uninstall.sh | 60 +++++++++++++++++++++------------ scripts/wireguard/pivpnDEBUG.sh | 2 +- 5 files changed, 86 insertions(+), 37 deletions(-) 
diff --git a/scripts/openvpn/pivpnDebug.sh b/scripts/openvpn/pivpnDebug.sh index 644933e..f3b0e5e 100755 --- a/scripts/openvpn/pivpnDebug.sh +++ b/scripts/openvpn/pivpnDebug.sh @@ -16,7 +16,7 @@ echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::" git --git-dir /etc/.pivpn/.git log -n 1 printf "=============================================\n" echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::" -sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf +sed "s/$pivpnHOST/REDACTED/" < ${setupVars} printf "=============================================\n" echo -e ":::: \e[4mServer configuration shown below\e[0m ::::" cat /etc/openvpn/server.conf diff --git a/scripts/pivpn b/scripts/pivpn index 029f211..c48aaa0 100755 --- a/scripts/pivpn +++ b/scripts/pivpn @@ -3,11 +3,11 @@ # Must be root to use this tool if [ $EUID -ne 0 ];then if dpkg-query -s sudo &> /dev/null; then - export SUDO="sudo" + export SUDO="sudo" else - echo "::: Please install sudo or run this as root." - exit 1 - fi + echo "::: Please install sudo or run this as root." + exit 1 + fi fi scriptDir="/opt/pivpn" @@ -17,7 +17,7 @@ showHelp(){ echo "::: To pass off to the pivpn command for each protocol" echo ":::" echo "::: Usage: pivpn wg [option]" - echo "::: Usage: pivpn opv [option]" + echo "::: Usage: pivpn ovpn [option]" echo ":::" echo "::: -h, help Show this help dialog" exit 0 @@ -30,7 +30,7 @@ fi # Handle redirecting to specific functions based on arguments case "$1" in wg ) "${scriptDir}/wireguard/pivpn.sh" "${@:2}";; - opv ) "${scriptDir}/openvpn/pivpn.sh" "${@:2}";; + ovpn ) "${scriptDir}/openvpn/pivpn.sh" "${@:2}";; "-h" | "help" ) showHelp;; * ) showHelp;; esac diff --git a/scripts/self_check.sh b/scripts/self_check.sh index 1ef555d..64b93e4 100755 --- a/scripts/self_check.sh +++ b/scripts/self_check.sh 
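Review bot: `sed "s/$pivpnHOST/REDACTED/" < ${setupVars}` leaves the new `${setupVars}` redirection unquoted and relies on the variable being set earlier in the script (not visible in this hunk); if it is empty the redirection fails and the debug dump silently loses its settings section. Quote it, `< "${setupVars}"`, and guard the line with `[ -r "${setupVars}" ] &&` so a missing file is reported rather than skipped; the identical line is changed the same way in scripts/wireguard/pivpnDEBUG.sh in this patch. Note also that `$pivpnHOST` is interpolated as a sed regex, not a literal, so an empty or regex-special host value would not be redacted as intended in output users paste publicly; pre-existing, but worth a comment on the line.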
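Review bot: Renaming the dispatcher arm from `opv` to `ovpn` drops the old spelling entirely, so any existing alias or documentation using `pivpn opv` now falls through to `showHelp` with no hint that the name changed. Keeping the old name as a deprecated alias costs one arm: `opv | ovpn ) "${scriptDir}/openvpn/pivpn.sh" "${@:2}";;`, with a `# opv: deprecated spelling` comment above it.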
@@ -1,13 +1,7 @@ #!/bin/bash -setupVars="/etc/pivpn/setupVars.conf" -ERR=0 - -if [ ! -f "${setupVars}" ]; then - echo "::: Missing setup vars file!" - exit 1 -fi - +runselfcheck() +{ source "${setupVars}" if [ "$VPN" = "wireguard" ]; then @@ -162,3 +156,40 @@ fi if [ "$ERR" -eq 1 ]; then echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues" fi + +} # end function + +# now there are two places setupVars.conf can be, so check each one + +dualprot='no' +setupVars="/etc/pivpn/wireguard/setupVars.conf" +ERR=0 + +if [ ! -f "${setupVars}" ]; then + echo "::: Missing ${setupVars}i, wireguard not installed" +else + echo "::: Selfcheck for wireguard, config from ${setupVars}" + runselfcheck + dualprot='yes' +fi + +setupVars="/etc/pivpn/openvpn/setupVars.conf" +ERR=0 + +if [ ! -f "${setupVars}" ]; then + echo "::: Missing ${setupVars}, openvpn not installed" +else + echo "::: Selfcheck for openvpn, config from ${setupVars}" + runselfcheck + dualprot='yes' +fi + +# add check for a mixed up installation +setupVars="/etc/pivpn/setupVars.conf" + +if [ ${dualprot} == 'yes' && -f "${setupVars}" ]; then + echo "::: Older ${setupVars} exists, should not be there, + echo "::: two versions have been installed which are not compatible" +fi + + diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index ccdcb56..7afd8af 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh 
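Review bot: `dualprot='yes'` is set whenever either protocol's setupVars.conf is found, so the final "mixed up installation" check fires on any single-protocol install that still has the old `/etc/pivpn/setupVars.conf`, and the name `dualprot` misstates what it records. Either rename it (e.g. `newlayout='yes'`) or count the protocols found and test for two if the message is really about dual installs. As written, `if [ ${dualprot} == 'yes' && -f "${setupVars}" ]` cannot run (`&&` terminates the `[` command) and the first `echo` string is unterminated, so this revision stops at that point; both are corrected in PATCH 029 further down, but the stray `i` in `Missing ${setupVars}i, wireguard not installed` survives it. The repeated `setupVars=...; ERR=0; if [ ! -f ...` stanza could be a small function taking the protocol name, which would also remove the duplicated messages.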
@@ -4,6 +4,24 @@ ### FIXME: global: config storage, refactor all scripts to adhere to the storage ### FIXME: use variables where appropriate, reduce magic numbers by 99.9%, at least. +# what is already installed? +setupVars="/etc/pivpn/openvpn/setupVars.conf" +foundins='' +if [ -f "${setupVars}" ]; then + foundins="openvpn" +fi + +setupVars="/etc/pivpn/wireguard/setupVars.conf" +if [ -f "${setupVars}" ]; then + foundins="${foundins} wireguard" +fi + +if [ -z ${foundins} ]; then + foundins="nothing found" +fi + + + # Find the rows and columns. Will default to 80x24 if it can not be detected. screen_size=$(stty size 2>/dev/null || echo 24 80) rows=$(echo "$screen_size" | awk '{print $1}') 
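Review bot: `if [ -z ${foundins} ]; then` is unquoted: when both protocols are present `foundins` holds two words and `[` reports "too many arguments", and when it is empty the test degenerates to `[ -z ]`, which is true only by accident. Quote it: `if [ -z "${foundins}" ]; then`. The script then continues to the uninstall dialog even with `foundins="nothing found"`; since removeAll further down runs `rm -rf` on fixed system paths regardless, it would be safer to stop right there with `echo "::: No PiVPN installation found"; exit 1`.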
@@ -16,7 +34,7 @@ c=$(( columns / 2 )) r=$(( r < 20 ? 20 : r )) c=$(( c < 70 ? 70 : c )) - chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "WireGuard is a new kind of VPN that provides near-instantaneous connection speed, high performance, and modern cryptography.\\n\\nIt's the recommended choice especially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\\n\\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol or if you need features like TCP and custom search domain.\\n\\nChoose a VPN to uninstall (press space to select):" "${r}" "${c}" 2) + chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "WireGuard is a new kind of VPN that provides near-instantaneous connection speed, high performance, and modern cryptography.\\n\\nIt's the recommended choice especially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\\n\\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol or if you need features like TCP and custom search domain.\\n\\nChoose a VPN (${foundins}) to uninstall (press space to select):" "${r}" "${c}" 2) VPNChooseOptions=(WireGuard "" on OpenVPN "" off) 
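Review bot: The dialog text now lists what is installed via `${foundins}`, but `VPNChooseOptions=(WireGuard "" on OpenVPN "" off)` on the context line still offers both entries unconditionally, so a user can select a protocol that is not installed and the uninstaller proceeds against it. Building the options array from `foundins`, or validating the selection against it before calling removeAll, would make the new text and the actual choices agree. The enclosing block continues outside the hunk.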
@@ -108,21 +126,21 @@ removeAll(){ vpnStillExists='no' if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]; then - vpnStillExists='yes' - $SUDO rm -f /usr/local/bin/pivpn - $SUDO ln -s -T /opt/pivpn/${othervpn}/pivpn.sh /usr/local/bin/pivpn - echo ":::" - echo "::: Two VPN protocols exist, you should remove ${othervpn} too" - echo ":::" + vpnStillExists='yes' + $SUDO rm -f /usr/local/bin/pivpn + $SUDO ln -s -T /opt/pivpn/${othervpn}/pivpn.sh /usr/local/bin/pivpn + echo ":::" + echo "::: Two VPN protocols exist, you should remove ${othervpn} too" + echo ":::" else - rm -f /etc/bash_completion.d/pivpn + rm -f /etc/bash_completion.d/pivpn fi # Disable IPv4 forwarding if [ ${vpnStillExists} == 'no' ]; then - sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf - sysctl -p + sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf + sysctl -p fi # Purge dependencies @@ -204,18 +222,18 @@ removeAll(){ fi if [ ${vpnStillExists} == 'no' ]; then - echo ":::" - echo "::: Removing pivpn system files..." - rm -rf /etc/.pivpn - rm -rf /etc/pivpn - rm -f /var/log/*pivpn* - rm -rf /opt/pivpn - rm -f /usr/local/bin/pivpn + echo ":::" + echo "::: Removing pivpn system files..." + rm -rf /etc/.pivpn + rm -rf /etc/pivpn + rm -f /var/log/*pivpn* + rm -rf /opt/pivpn + rm -f /usr/local/bin/pivpn else - echo ":::" - echo "::: Other protocol still present, so not" - echo "::: removing pivpn system files" - rm -f "${setupConfigDir}/${VPN}/${setupVarsFile}" + echo ":::" + echo "::: Other protocol still present, so not" + echo "::: removing pivpn system files" + rm -f "${setupConfigDir}/${VPN}/${setupVarsFile}" fi echo ":::" diff --git a/scripts/wireguard/pivpnDEBUG.sh b/scripts/wireguard/pivpnDEBUG.sh index a78e9a3..80b80df 100755 --- a/scripts/wireguard/pivpnDEBUG.sh +++ b/scripts/wireguard/pivpnDEBUG.sh 
@@ -16,7 +16,7 @@ echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::" git --git-dir /etc/.pivpn/.git log -n 1 printf "=============================================\n" echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::" -sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf +sed "s/$pivpnHOST/REDACTED/" < ${setupVars} printf "=============================================\n" echo -e ":::: \e[4mServer configuration shown below\e[0m ::::" cd /etc/wireguard/keys From e110286a13ce6d52672f90e9e3cc474d5c99bf3c Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Fri, 22 May 2020 12:46:37 +0100 Subject: [PATCH 028/114] added install.sh to change --- auto_install/install.sh | 45 ++++++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 21 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 200fa76..229ea04 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -10,11 +10,11 @@ # curl -L https://install.pivpn.io | bash # Make sure you have `curl` installed -# timestamp 2020/5/14 15:29BST +# timestamp 2020/5/22 12:30BST ######## VARIABLES ######### -pivpnGitUrl="https://github.com/pivpn/pivpn.git" -#pivpnGitUrl="/home/ubuntu/repos/pivpn" +#pivpnGitUrl="https://github.com/pivpn/pivpn.git" +pivpnGitUrl="/home/pi/repos/pivpn" setupVarsFile="setupVars.conf" setupConfigDir="/etc/pivpn" tempsetupVarsFile="/tmp/setupVars.conf" @@ -126,9 +126,9 @@ main(){ # see which setup already exists if [ -r "${setupConfigDir}/wireguard/${setupVarsFile}" ]; then - setupVars="${setupConfigDir}/wireguard/${setupVarsFile}" + setupVars="${setupConfigDir}/wireguard/${setupVarsFile}" elif [ -r "${setupConfigDir}/openvpn/${setupVarsFile}" ]; then - setupVars="${setupConfigDir}/openvpn/${setupVarsFile}" + setupVars="${setupConfigDir}/openvpn/${setupVarsFile}" fi if [ -r "$setupVars" ]; then 
@@ -244,7 +244,7 @@ askAboutExistingInstall(){ opt3a="Reconfigure" opt3b="Reinstall PiVPN with new settings" - UpdateCmd=$(whiptail --title "Existing Install Detected!" --menu "\nWe have detected an existing install.\n$1\n\nPlease choose from the following options:" ${r} ${c} 3 \ + UpdateCmd=$(whiptail --title "Existing Install Detected!" --menu "\nWe have detected an existing install.\n$1\n\nPlease choose from the following options (Reconfigure can be used to add a second VPN type):" ${r} ${c} 3 \ "${opt1a}" "${opt1b}" \ "${opt2a}" "${opt2b}" \ "${opt3a}" "${opt3b}" 3>&2 2>&1 1>&3) || \ 
@@ -2243,31 +2243,34 @@ installScripts(){ $SUDO install -m 755 -t ${pivpnScriptDir} ${pivpnFilesDir}/scripts/*.sh $SUDO install -m 755 -t ${pivpnScriptDir}/${VPN} ${pivpnFilesDir}/scripts/${VPN}/*.sh # make a link for a single command being installed - $SUDO ln -s -T ${pivpnScriptDir}/${VPN}/pivpn.sh /usr/local/bin/pivpn + # may already exist if installing the second protocol + if [ ! -e "/usr/local/bin/pivpn" ]; then + $SUDO ln -s -T ${pivpnScriptDir}/${VPN}/pivpn.sh /usr/local/bin/pivpn + fi # if the other protocol file exists it has been installed if [[ ${VPN} == 'wireguard' ]]; then - othervpn='openvpn' + othervpn='openvpn' else - othervpn='wireguard' + othervpn='wireguard' fi if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]; then - # both are installed - # dont need a link, copy the common script to the location instead - $SUDO rm -f /usr/local/bin/pivpn - $SUDO install -m 755 -t /usr/local/bin /${pivpnFilesDir}/scripts/pivpn + # both are installed + # dont need a link, copy the common script to the location instead + $SUDO rm -f /usr/local/bin/pivpn + $SUDO install -m 755 -t /usr/local/bin /${pivpnFilesDir}/scripts/pivpn fi if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]; then - # both are installed, no bash completion, delete if already there - $SUDO rm -f /etc/bash_completion.d/pivpn + # both are installed, no bash completion, delete if already there + $SUDO rm -f /etc/bash_completion.d/pivpn else - # only one protocol is installed, put bash completion in place - $SUDO cp "${pivpnFilesDir}/scripts/${VPN}/bash-completion" /etc/bash_completion.d/pivpn - $SUDO chown root:root /etc/bash_completion.d/pivpn - $SUDO chmod 755 /etc/bash_completion.d/pivpn - # shellcheck disable=SC1091 - . 
/etc/bash_completion.d/pivpn + # only one protocol is installed, put bash completion in place + $SUDO cp "${pivpnFilesDir}/scripts/${VPN}/bash-completion" /etc/bash_completion.d/pivpn + $SUDO chown root:root /etc/bash_completion.d/pivpn + $SUDO chmod 755 /etc/bash_completion.d/pivpn + # shellcheck disable=SC1091 + . /etc/bash_completion.d/pivpn fi echo " done." } From b0c473c9ccb8e92ad674db682d7685b82efc26ab Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Fri, 22 May 2020 15:26:05 +0000 Subject: [PATCH 029/114] self check better check of incompatible versions --- scripts/self_check.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/scripts/self_check.sh b/scripts/self_check.sh index 64b93e4..10ad25c 100755 --- a/scripts/self_check.sh +++ b/scripts/self_check.sh @@ -166,9 +166,9 @@ setupVars="/etc/pivpn/wireguard/setupVars.conf" ERR=0 if [ ! -f "${setupVars}" ]; then - echo "::: Missing ${setupVars}i, wireguard not installed" + echo "::: Missing ${setupVars}i, wireguard not installed" else - echo "::: Selfcheck for wireguard, config from ${setupVars}" + echo ":: [OK] Selfcheck for wireguard, config from ${setupVars}" runselfcheck dualprot='yes' fi @@ -177,9 +177,9 @@ setupVars="/etc/pivpn/openvpn/setupVars.conf" ERR=0 if [ ! -f "${setupVars}" ]; then - echo "::: Missing ${setupVars}, openvpn not installed" + echo ":: Missing ${setupVars}, openvpn not installed" else - echo "::: Selfcheck for openvpn, config from ${setupVars}" + echo ":: [OK] Selfcheck for openvpn, config from ${setupVars}" runselfcheck dualprot='yes' fi 
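Review bot: `if [ ! -e "/usr/local/bin/pivpn" ]` guards the new `ln -s -T`, but `-e` follows symlinks and is false for a dangling one, so a stale link left behind by an earlier uninstall still makes `ln` fail with "File exists". Test for the link itself too: `if [ ! -e /usr/local/bin/pivpn ] && [ ! -L /usr/local/bin/pivpn ]; then`. The dual-install branch still carries the stray leading slash in `install -m 755 -t /usr/local/bin /${pivpnFilesDir}/scripts/pivpn`, and the two consecutive `-r` tests on the same file could be one if/else. installScripts starts outside the hunk.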
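Review bot: The reworded `echo "::: Missing ${setupVars}i, wireguard not installed"` still carries the stray `i` from the previous revision, so the printed path is wrong; it should read `echo ":: Missing ${setupVars}, wireguard not installed"`. That also fixes the prefix, which this hunk leaves as `:::` on one line while switching the others in this and the `@@ -177` hunk to `:: [OK]` / `:: Missing`; a single convention makes the self-check output greppable.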
@@ -187,9 +187,9 @@ fi # add check for a mixed up installation setupVars="/etc/pivpn/setupVars.conf" -if [ ${dualprot} == 'yes' && -f "${setupVars}" ]; then - echo "::: Older ${setupVars} exists, should not be there, - echo "::: two versions have been installed which are not compatible" +if [[ ${dualprot} == 'yes' && -f "${setupVars}" ]]; then + echo ":: [ERR] Older ${setupVars} exists, should not be there," + echo ":: [ERR] two incompatible versions have been installed" fi From 4ac28559909cc6d64f0628863001733390c7c4c6 Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Fri, 22 May 2020 17:47:01 +0100 Subject: [PATCH 030/114] Update install.sh remove refs to /etc/pivpn/setupVars in selfcheck and debug scripts tidy indenting on install, check if symlink already exists before making one to avoid error uninstall indicates which vpns are available for uninstall selfcheck checks both protocols if both present install - additional text in reconfigure saying 2nd protocol can be added change to use pivpn ovpn instaed of pivpn opv when dual protocols exist --- auto_install/install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 229ea04..92a36df 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -10,11 +10,11 @@ # curl -L https://install.pivpn.io | bash # Make sure you have `curl` installed -# timestamp 2020/5/22 12:30BST +# timestamp 2020/5/22 17:44BST ######## VARIABLES ######### -#pivpnGitUrl="https://github.com/pivpn/pivpn.git" -pivpnGitUrl="/home/pi/repos/pivpn" +pivpnGitUrl="https://github.com/pivpn/pivpn.git" +#pivpnGitUrl="/home/pi/repos/pivpn" setupVarsFile="setupVars.conf" setupConfigDir="/etc/pivpn" tempsetupVarsFile="/tmp/setupVars.conf" From aa959ac9e3f542ab1a847c756ac6366c1120e1f0 Mon Sep 17 00:00:00 2001 
From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Fri, 22 May 2020 17:51:17 +0100 Subject: [PATCH 031/114] Update README.md Mention dual protocols less prominently, its not a major use case --- README.md | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/README.md b/README.md index ed8da7b..d506f9f 100644 --- a/README.md +++ b/README.md @@ -5,11 +5,6 @@ About ----- -TS: 20/5/2020 starting change - -Modification that allows installing both openvpn and wireguard on the same machine. To do this, run the installer twice locally, makeing sure you are going to pull branch test. - - Visit the [PiVPN](https://pivpn.io) site for more information. This is a set of shell scripts initially developed by **@0-kaladin** that serve to easily turn your Raspberry Pi (TM) into a VPN server using two free, open-source protocols: 
@@ -19,7 +14,7 @@ into a VPN server using two free, open-source protocols: Have you been looking for a good guide or tutorial for setting up a VPN server on a Raspberry Pi or Ubuntu based server? Run this script and you don't need a guide or tutorial, this will do it all for you, in a fraction of the time and with hardened security settings in place by default. -The master branch of this script installs and configures either WireGuard or OpenVPN on Raspbian, Debian or Ubuntu and it as been tested to run not only on Raspberry Pi but also in any Cloud Provider VPS. +The master branch of this script installs and configures either WireGuard or OpenVPN (or both) on Raspbian, Debian or Ubuntu and it as been tested to run not only on Raspberry Pi but also in any Cloud Provider VPS. We recommend using the latest Raspbian Lite image on a Raspberry Pi in your home so you can VPN into your home from a unsecure remote locations and safely use the internet. However, the scripts do try to detect different distributions and make adjustments accordingly. They should work on the majority of Ubuntu and Debian based distributions including those using UFW by default instead of raw iptables. From 2913f2701fa7c617dfe0358b6051cf87c34240ab Mon Sep 17 00:00:00 2001 From: Orazio Date: Sat, 23 May 2020 11:08:51 +0200 Subject: [PATCH 032/114] Fix issue #1037 --- scripts/openvpn/makeOVPN.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/openvpn/makeOVPN.sh b/scripts/openvpn/makeOVPN.sh index 719e670..e9ac7fb 100755 --- a/scripts/openvpn/makeOVPN.sh +++ b/scripts/openvpn/makeOVPN.sh 
@@ -208,8 +208,8 @@ function keyPASS() { set timeout -1 set env(EASYRSA_CERT_EXPIRE) "${DAYS}" spawn ./easyrsa build-client-full "${NAME}" - expect "Enter PEM pass phrase" { send -- "${PASSWD}\r" } - expect "Verifying - Enter PEM pass phrase" { send -- "${PASSWD}\r" } + expect "Enter PEM pass phrase" { sleep 0.1; send -- "${PASSWD}\r" } + expect "Verifying - Enter PEM pass phrase" { sleep 0.1; send -- "${PASSWD}\r" } expect eof EOF cd pki || exit From 3ec566c7623180f318450153294dc98e5fb90ecc Mon Sep 17 00:00:00 2001 From: Orazio Date: Sat, 23 May 2020 15:12:14 +0200 Subject: [PATCH 033/114] Fix issue #1015 --- auto_install/install.sh | 5 ----- 1 file changed, 5 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 84c06bb..a943bdc 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -462,11 +462,6 @@ preconfigurePackages(){ fi fi - if [[ ${OSCN} == "buster" ]]; then - $SUDO update-alternatives --set iptables /usr/sbin/iptables-legacy - $SUDO update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy - fi - # if ufw is enabled, configure that. # running as root because sometimes the executable is not in the user's $PATH if $SUDO bash -c 'command -v ufw' > /dev/null; then From 5dc7ac2a3815775d2acb64b9faaa673e9350ca16 Mon Sep 17 00:00:00 2001 From: Orazio Date: Sat, 23 May 2020 15:26:03 +0200 Subject: [PATCH 034/114] Fix issue #1047 --- auto_install/install.sh | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index a943bdc..7d58cfa 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
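Review bot: Adding `sleep 0.1` before each `send` works around a timing problem with a fixed delay that may still be too short on a slow Pi, and it leaves the more fragile part of these two lines untouched: `${PASSWD}` is expanded by the shell into the expect script, so a passphrase containing `"`, `[`, `$` or `\` produces a malformed Tcl string and the client build fails (the `${DAYS}` expansion suggests an unquoted here-doc; its start is outside the hunk). Passing the passphrase through the environment, `export PASSWD` in the shell and `send -- "$env(PASSWD)\r"` in the script, mirrors what the file already does with `env(EASYRSA_CERT_EXPIRE)` and keeps the secret out of the generated script text. If the delay is still required after that, a comment stating which easyrsa behaviour it compensates for would help the next person tempted to remove it.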
@@ -1552,13 +1552,8 @@ askClientDNS(){ #Call this function to use a regex to check user input for a valid custom domain validDomain(){ - local domain=$1 - local stat=1 - - if [[ $domain =~ ^(([a-zA-Z0-9]{1,63}|([a-zA-Z0-9]{1,60}[-a-zA-Z0-9()]{0,2}[a-zA-Z0-9]{1,60}))\.){1,6}([a-zA-Z]{2,})$ ]]; then - stat=$? - fi - return $stat + local domain="$1" + grep -qP '(?=^.{4,253}$)(^(?:[a-zA-Z0-9](?:(?:[a-zA-Z0-9\-]){0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$)' <<< "$domain" } #This procedure allows a user to specify a custom search domain if they have one. From f06f6d79203c29ebd785f860a81a15e9caac4fc9 Mon Sep 17 00:00:00 2001 From: Orazio Date: Mon, 25 May 2020 10:14:15 +0200 Subject: [PATCH 035/114] Temporarily disable 'pivpn -up' until a proper update strategy is defined - 'pivpn -up' pulls the latest scripts from github, however, as of now, its usefulness is limited since usually a change in those scripts is a result of a change in the installation process, and those changes can't be applied to an older installation. --- scripts/openvpn/pivpn.sh | 4 +++- scripts/wireguard/pivpn.sh | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/scripts/openvpn/pivpn.sh b/scripts/openvpn/pivpn.sh index 66ab5cc..de98539 100755 --- a/scripts/openvpn/pivpn.sh +++ b/scripts/openvpn/pivpn.sh @@ -58,7 +58,9 @@ function versionFunc { function update { shift - $SUDO ${scriptDir}/update.sh "$@" + # $SUDO ${scriptDir}/update.sh "$@" + echo "::: The updating functionality for PiVPN scripts is temporarily disabled" + echo "::: To keep the VPN (and the system) up to date, use 'apt update' and 'apt upgrade'" exit 0 diff --git a/scripts/wireguard/pivpn.sh b/scripts/wireguard/pivpn.sh index 73bcf88..04f3eea 100755 --- a/scripts/wireguard/pivpn.sh +++ b/scripts/wireguard/pivpn.sh 
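Review bot: The replacement body relies on `grep -qP`, which needs a grep built with PCRE support; on a system without it grep exits 2 with "support for the -P option is not compiled" and validDomain then rejects every domain without any message, whereas the old `[[ =~ ]]` path had no such dependency. Either keep the check in bash, `[[ "$domain" =~ ^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$ ]]` plus `(( ${#domain} >= 4 && ${#domain} <= 253 ))` for the bounds the lookahead enforces, or probe `grep -P` once at startup. A short comment documenting the 4–253 total-length rule and the 63-character label limit would save the next reader from decoding the lookahead.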
@@ -54,7 +54,9 @@ uninstallServer(){ updateScripts(){ shift - $SUDO ${scriptdir}/update.sh "$@" + # $SUDO ${scriptdir}/update.sh "$@" + echo "::: The updating functionality for PiVPN scripts is temporarily disabled" + echo "::: To keep the VPN (and the system) up to date, use 'apt update' and 'apt upgrade'" exit 0 } From 15804dff39a67997122693aa15343ad80b63f7be Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Mon, 25 May 2020 15:24:50 +0100 Subject: [PATCH 036/114] selfcheck checks one VPN type again --- auto_install/install.sh | 4 +-- scripts/openvpn/pivpnDebug.sh | 2 +- scripts/self_check.sh | 49 +++++++-------------------------- scripts/wireguard/pivpnDEBUG.sh | 2 +- 4 files changed, 14 insertions(+), 43 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 92a36df..fd2e2c0 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -13,8 +13,8 @@ # timestamp 2020/5/22 17:44BST ######## VARIABLES ######### -pivpnGitUrl="https://github.com/pivpn/pivpn.git" -#pivpnGitUrl="/home/pi/repos/pivpn" +#pivpnGitUrl="https://github.com/pivpn/pivpn.git" +pivpnGitUrl="/home/pi/repos/pivpn" setupVarsFile="setupVars.conf" setupConfigDir="/etc/pivpn" tempsetupVarsFile="/tmp/setupVars.conf" diff --git a/scripts/openvpn/pivpnDebug.sh b/scripts/openvpn/pivpnDebug.sh index f3b0e5e..c73ba46 100755 --- a/scripts/openvpn/pivpnDebug.sh +++ b/scripts/openvpn/pivpnDebug.sh @@ -28,7 +28,7 @@ echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::: \e[4m/etc/openv ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial printf "=============================================\n" echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::" -/opt/pivpn/self_check.sh +/opt/pivpn/self_check.sh ${VPN} printf "=============================================\n" echo -e ":::: Having trouble connecting? Take a look at the FAQ:" echo -e ":::: \e[1mhttps://github.com/pivpn/pivpn/wiki/FAQ\e[0m" 
diff --git a/scripts/self_check.sh b/scripts/self_check.sh index 10ad25c..d317120 100755 --- a/scripts/self_check.sh +++ b/scripts/self_check.sh @@ -1,7 +1,15 @@ #!/bin/bash -runselfcheck() -{ +# dual protocol, VPN type supplied as $1 + +setupVars="/etc/pivpn/${VPN}/setupVars.conf" +ERR=0 + +if [ ! -f "${setupVars}" ]; then + echo "::: Missing setup vars file!" + exit 1 +fi + source "${setupVars}" if [ "$VPN" = "wireguard" ]; then @@ -156,40 +164,3 @@ fi if [ "$ERR" -eq 1 ]; then echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues" fi - -} # end function - -# now there are two places setupVars.conf can be, so check each one - -dualprot='no' -setupVars="/etc/pivpn/wireguard/setupVars.conf" -ERR=0 - -if [ ! -f "${setupVars}" ]; then - echo "::: Missing ${setupVars}i, wireguard not installed" -else - echo ":: [OK] Selfcheck for wireguard, config from ${setupVars}" - runselfcheck - dualprot='yes' -fi - -setupVars="/etc/pivpn/openvpn/setupVars.conf" -ERR=0 - -if [ ! -f "${setupVars}" ]; then - echo ":: Missing ${setupVars}, openvpn not installed" -else - echo ":: [OK] Selfcheck for openvpn, config from ${setupVars}" - runselfcheck - dualprot='yes' -fi - -# add check for a mixed up installation -setupVars="/etc/pivpn/setupVars.conf" - -if [[ ${dualprot} == 'yes' && -f "${setupVars}" ]]; then - echo ":: [ERR] Older ${setupVars} exists, should not be there," - echo ":: [ERR] two incompatible versions have been installed" -fi - - diff --git a/scripts/wireguard/pivpnDEBUG.sh b/scripts/wireguard/pivpnDEBUG.sh index 80b80df..268ee86 100755 --- a/scripts/wireguard/pivpnDEBUG.sh +++ b/scripts/wireguard/pivpnDEBUG.sh 
@@ -46,7 +46,7 @@ echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::::\e\t[4m/etc/wir ls -LR /etc/wireguard printf "=============================================\n" echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::" -/opt/pivpn/self_check.sh +/opt/pivpn/self_check.sh ${VPN} printf "=============================================\n" echo -e ":::: Having trouble connecting? Take a look at the FAQ:" echo -e ":::: \e[1mhttps://github.com/pivpn/pivpn/wiki/FAQ\e[0m" From 6cfe936f55e11e72b2c2d973a1738b6a84eed38d Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Mon, 25 May 2020 15:43:31 +0100 Subject: [PATCH 037/114] self_check assign parameter --- auto_install/install.sh | 2 +- scripts/self_check.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index fd2e2c0..ea3e798 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -10,7 +10,7 @@ # curl -L https://install.pivpn.io | bash # Make sure you have `curl` installed -# timestamp 2020/5/22 17:44BST +# timestamp 2020/5/24 15:44BST ######## VARIABLES ######### #pivpnGitUrl="https://github.com/pivpn/pivpn.git" diff --git a/scripts/self_check.sh b/scripts/self_check.sh index d317120..57b2e3e 100755 --- a/scripts/self_check.sh +++ b/scripts/self_check.sh @@ -1,7 +1,7 @@ #!/bin/bash # dual protocol, VPN type supplied as $1 - +VPN=$1 setupVars="/etc/pivpn/${VPN}/setupVars.conf" ERR=0 From 3f1b2ba5763fda4bb078ded4882254d71cb0705e Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Mon, 25 May 2020 15:54:39 +0100 Subject: [PATCH 038/114] put repository back to pivpn/pivpn --- auto_install/install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index ea3e798..0ba87e4 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
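Review bot: `VPN=$1` is accepted unvalidated and immediately used to build `setupVars="/etc/pivpn/${VPN}/setupVars.conf"`, which the script then `source`s (that line sits below this hunk, see PATCH 036 above); the script is presumably run with root privileges from the debug scripts, so only the two known protocol names should ever reach that path. Add a check right after the assignment: `case "${VPN}" in wireguard|openvpn) ;; *) echo "::: Usage: $0 wireguard|openvpn" >&2; exit 1;; esac`. An empty argument currently becomes `/etc/pivpn//setupVars.conf` and is reported only as "Missing setup vars file!", which hides the real cause; the callers in pivpnDebug.sh and pivpnDEBUG.sh also pass `${VPN}` unquoted.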
@@ -10,11 +10,11 @@ # curl -L https://install.pivpn.io | bash # Make sure you have `curl` installed -# timestamp 2020/5/24 15:44BST +# timestamp 2020/5/24 15:53BST ######## VARIABLES ######### -#pivpnGitUrl="https://github.com/pivpn/pivpn.git" -pivpnGitUrl="/home/pi/repos/pivpn" +pivpnGitUrl="https://github.com/pivpn/pivpn.git" +#pivpnGitUrl="/home/pi/repos/pivpn" setupVarsFile="setupVars.conf" setupConfigDir="/etc/pivpn" tempsetupVarsFile="/tmp/setupVars.conf" From 823afa3fbb1199f66782111d9fc41a35c582d015 Mon Sep 17 00:00:00 2001 From: Orazio Date: Wed, 27 May 2020 16:36:26 +0200 Subject: [PATCH 039/114] Improved dual VPN uninstallation, remove duplicate code/script - Allow using 'pivpn vpn -u' to directly uninstall VPN 'vpn' - Also allow using 'pivpn -u' with two VPNs (will present a dialog). - During uninstall, ask which VPN to remove only if there are two VPNs - PiVPN git repo will be downloaded to '/usr/local/src/pivpn'. All scripts in /opt/pivpn, the main pivpn script and the bash completion file, are now just symbolic links. Resolves issue #695. - Remove unused call to updateWireGuard(). --- auto_install/install.sh | 81 +++++++++---------- scripts/openvpn/pivpn.sh | 16 +--- scripts/openvpn/pivpnDebug.sh | 2 +- scripts/pivpn | 8 +- scripts/uninstall.sh | 138 ++++++++++++++++---------------- scripts/update.sh | 4 + scripts/wireguard/pivpn.sh | 7 +- scripts/wireguard/pivpnDEBUG.sh | 2 +- 8 files changed, 121 insertions(+), 137 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index c2d7525..697126f 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -18,7 +18,7 @@ pivpnGitUrl="https://github.com/pivpn/pivpn.git" setupVarsFile="setupVars.conf" setupConfigDir="/etc/pivpn" tempsetupVarsFile="/tmp/setupVars.conf" -pivpnFilesDir="/etc/.pivpn" +pivpnFilesDir="/usr/local/src/pivpn" pivpnScriptDir="/opt/pivpn" piholeSetupVars="/etc/pihole/setupVars.conf" 
@@ -950,11 +950,11 @@ updateRepo(){ ### FIXME: Never call rm -rf with a plain variable. Never again as SU! #$SUDO rm -rf "${1}" if test -n "$1"; then - $SUDO rm -rf "$(dirname "$1")/.pivpn" + $SUDO rm -rf "$(dirname "$1")/pivpn" fi - # Go back to /etc otherwise git will complain when the current working - # directory has just been deleted (/etc/.pivpn). - cd /etc && \ + # Go back to /usr/local/src otherwise git will complain when the current working + # directory has just been deleted (/usr/local/src/pivpn). + cd /usr/local/src && \ $SUDO git clone -q --depth 1 --no-single-branch "${2}" "${1}" > /dev/null & spinner $! cd "${1}" || exit 1 if [ -z "${TESTING+x}" ]; then @@ -972,11 +972,11 @@ makeRepo(){ ### FIXME: Never call rm -rf with a plain variable. Never again as SU! #$SUDO rm -rf "${1}" if test -n "$1"; then - $SUDO rm -rf "$(dirname "$1")/.pivpn" + $SUDO rm -rf "$(dirname "$1")/pivpn" fi - # Go back to /etc otherwhise git will complain when the current working - # directory has just been deleted (/etc/.pivpn). - cd /etc && \ + # Go back to /usr/local/src otherwhise git will complain when the current working + # directory has just been deleted (/usr/local/src/pivpn). + cd /usr/local/src && \ $SUDO git clone -q --depth 1 --no-single-branch "${2}" "${1}" > /dev/null & spinner $! cd "${1}" || exit 1 if [ -z "${TESTING+x}" ]; then 
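Review bot: `cd /usr/local/src && $SUDO git clone ... &` now depends on `/usr/local/src` existing, whereas the previous `/etc` always does; because the `cd` is part of the backgrounded list it runs in a subshell, and a failure there only surfaces later as `cd "${1}" || exit 1` with no diagnostic. Create the directory first, `$SUDO install -d /usr/local/src`, or test for it and exit with a message. The same pattern is in the second hunk (`makeRepo`, `@@ -972`), which duplicates `updateRepo` almost line for line, including the FIXME about `rm -rf` on a derived path; a shared helper would keep the two from drifting again.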
@@ -2224,43 +2224,34 @@ confUnattendedUpgrades(){ } installScripts(){ - # Install the scripts from /etc/.pivpn to their various locations - echo -n -e "::: Installing scripts to ${pivpnScriptDir}...\n" - if [ ! -d "${pivpnScriptDir}/${VPN}" ]; then - $SUDO install -m 0755 -o root -d ${pivpnScriptDir}/${VPN} - fi - $SUDO install -m 755 -t ${pivpnScriptDir} ${pivpnFilesDir}/scripts/*.sh - $SUDO install -m 755 -t ${pivpnScriptDir}/${VPN} ${pivpnFilesDir}/scripts/${VPN}/*.sh - # make a link for a single command being installed - # may already exist if installing the second protocol - if [ ! -e "/usr/local/bin/pivpn" ]; then - $SUDO ln -s -T ${pivpnScriptDir}/${VPN}/pivpn.sh /usr/local/bin/pivpn - fi - # if the other protocol file exists it has been installed - if [[ ${VPN} == 'wireguard' ]]; then - othervpn='openvpn' - else - othervpn='wireguard' - fi - - if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]; then - # both are installed - # dont need a link, copy the common script to the location instead - $SUDO rm -f /usr/local/bin/pivpn - $SUDO install -m 755 -t /usr/local/bin /${pivpnFilesDir}/scripts/pivpn - fi - - if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]; then - # both are installed, no bash completion, delete if already there - $SUDO rm -f /etc/bash_completion.d/pivpn + if [[ ${VPN} == 'wireguard' ]]; then + othervpn='openvpn' else - # only one protocol is installed, put bash completion in place - $SUDO cp "${pivpnFilesDir}/scripts/${VPN}/bash-completion" /etc/bash_completion.d/pivpn - $SUDO chown root:root /etc/bash_completion.d/pivpn - $SUDO chmod 755 /etc/bash_completion.d/pivpn - # shellcheck disable=SC1091 - . 
/etc/bash_completion.d/pivpn - fi + othervpn='wireguard' + fi + + # Symlink scripts from /usr/local/src/pivpn to their various locations + echo -n -e "::: Installing scripts to ${pivpnScriptDir}...\n" + + # if the other protocol file exists it has been installed + if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]; then + # Both are installed, no bash completion, unlink if already there + $SUDO unlink /etc/bash_completion.d/pivpn + + # Unlink the protocol specific pivpn script and symlink the common + # script to the location instead + $SUDO unlink /usr/local/bin/pivpn + $SUDO ln -s -T "${pivpnFilesDir}/scripts/pivpn" /usr/local/bin/pivpn + else + # Only one protocol is installed, symlink bash completion, the pivpn script + # and the script directory + $SUDO ln -s -T "${pivpnFilesDir}/scripts/${VPN}/bash-completion" /etc/bash_completion.d/pivpn + $SUDO ln -s -T "${pivpnFilesDir}/scripts/${VPN}/pivpn.sh" /usr/local/bin/pivpn + $SUDO ln -s "${pivpnFilesDir}/scripts/" "${pivpnScriptDir}" + # shellcheck disable=SC1091 + . /etc/bash_completion.d/pivpn + fi + echo " done." } diff --git a/scripts/openvpn/pivpn.sh b/scripts/openvpn/pivpn.sh index de98539..58fdca1 100755 --- a/scripts/openvpn/pivpn.sh +++ b/scripts/openvpn/pivpn.sh @@ -47,30 +47,19 @@ function removeOVPNFunc { } function uninstallFunc { - $SUDO ${scriptDir}/uninstall.sh + $SUDO ${scriptDir}/uninstall.sh "${vpn}" exit 0 } -function versionFunc { - printf "\e[1mVersion 1.9\e[0m\n" -} - function update { - shift - # $SUDO ${scriptDir}/update.sh "$@" - echo "::: The updating functionality for PiVPN scripts is temporarily disabled" - echo "::: To keep the VPN (and the system) up to date, use 'apt update' and 'apt upgrade'" + $SUDO ${scriptDir}/update.sh "$@" exit 0 - - } function backup { - $SUDO ${scriptDir}/backup.sh exit 0 - } 
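Review bot: `$SUDO ln -s "${pivpnFilesDir}/scripts/" "${pivpnScriptDir}"` lacks the `-T` used by the other two links, so on a system where `/opt/pivpn` already exists as a real directory (the `install -m 0755 -o root -d` lines this hunk removes created one) the link lands at `/opt/pivpn/scripts` and the stale copies stay in place. Use `$SUDO ln -s -T "${pivpnFilesDir}/scripts" "${pivpnScriptDir}"` after removing a leftover directory, and prefer `rm -f` over `unlink` for `/usr/local/bin/pivpn` and `/etc/bash_completion.d/pivpn`, since `unlink` fails when the target is absent. Because every entry point under `/usr/local/bin/pivpn` now resolves into the git checkout and is run with `$SUDO`, the checkout must remain root-owned and not group/world-writable; the removed `install -m 755` copies were what previously decoupled the executed files from the repository's own permissions, so a comment stating that requirement next to the links is worth adding.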
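Review bot: `function update` drops the `shift` that the removed body had, so `update.sh` now receives `-up`/`update` as its first argument, whereas `updateScripts` in scripts/wireguard/pivpn.sh later in this commit keeps the `shift`; the two front-ends hand update.sh different argument vectors. This is moot while update.sh exits immediately, but restore it before the call: `shift` followed by `$SUDO ${scriptDir}/update.sh "$@"`. `${scriptDir}` is unquoted in all three calls in this hunk; `"${scriptDir}/uninstall.sh"` matches the quoting the commit already applies to the `${vpn}` argument.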
@@ -105,7 +94,6 @@ case "$1" in "-r" | "revoke" ) removeOVPNFunc "$@";; "-h" | "help" ) helpFunc;; "-u" | "uninstall" ) uninstallFunc;; -"-v" ) versionFunc;; "-up"| "update" ) update "$@" ;; "-bk"| "backup" ) backup;; * ) helpFunc;; diff --git a/scripts/openvpn/pivpnDebug.sh b/scripts/openvpn/pivpnDebug.sh index c73ba46..a3e86cf 100755 --- a/scripts/openvpn/pivpnDebug.sh +++ b/scripts/openvpn/pivpnDebug.sh @@ -13,7 +13,7 @@ source "${setupVars}" echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::" printf "=============================================\n" echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::" -git --git-dir /etc/.pivpn/.git log -n 1 +git --git-dir /usr/local/src/pivpn/.git log -n 1 printf "=============================================\n" echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::" sed "s/$pivpnHOST/REDACTED/" < ${setupVars} diff --git a/scripts/pivpn b/scripts/pivpn index c48aaa0..c43ece5 100755 --- a/scripts/pivpn +++ b/scripts/pivpn @@ -11,7 +11,11 @@ if [ $EUID -ne 0 ];then fi scriptDir="/opt/pivpn" -vpn="wireguard" + +uninstallServer(){ + $SUDO ${scriptDir}/uninstall.sh + exit 0 +} showHelp(){ echo "::: To pass off to the pivpn command for each protocol" @@ -20,6 +24,7 @@ showHelp(){ echo "::: Usage: pivpn ovpn [option]" echo ":::" echo "::: -h, help Show this help dialog" + echo "::: -u, uninstall Uninstall pivpn from your system!" exit 0 } @@ -32,5 +37,6 @@ case "$1" in wg ) "${scriptDir}/wireguard/pivpn.sh" "${@:2}";; ovpn ) "${scriptDir}/openvpn/pivpn.sh" "${@:2}";; "-h" | "help" ) showHelp;; +"-u" | "uninstall" ) uninstallServer;; * ) showHelp;; esac diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index 7afd8af..52bbded 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh 
@@ -4,24 +4,6 @@ ### FIXME: global: config storage, refactor all scripts to adhere to the storage ### FIXME: use variables where appropriate, reduce magic numbers by 99.9%, at least. -# what is already installed? -setupVars="/etc/pivpn/openvpn/setupVars.conf" -foundins='' -if [ -f "${setupVars}" ]; then - foundins="openvpn" -fi - -setupVars="/etc/pivpn/wireguard/setupVars.conf" -if [ -f "${setupVars}" ]; then - foundins="${foundins} wireguard" -fi - -if [ -z ${foundins} ]; then - foundins="nothing found" -fi - - - # Find the rows and columns. Will default to 80x24 if it can not be detected. screen_size=$(stty size 2>/dev/null || echo 24 80) rows=$(echo "$screen_size" | awk '{print $1}') 
@@ -34,24 +16,46 @@ c=$(( columns / 2 )) r=$(( r < 20 ? 20 : r )) c=$(( c < 70 ? 70 : c )) - chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "WireGuard is a new kind of VPN that provides near-instantaneous connection speed, high performance, and modern cryptography.\\n\\nIt's the recommended choice especially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\\n\\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol or if you need features like TCP and custom search domain.\\n\\nChoose a VPN (${foundins}) to uninstall (press space to select):" "${r}" "${c}" 2) - VPNChooseOptions=(WireGuard "" on - OpenVPN "" off) - - if VPN=$("${chooseVPNCmd[@]}" "${VPNChooseOptions[@]}" 2>&1 >/dev/tty) ; then - echo "::: Using VPN: $VPN" - VPN="${VPN,,}" - else - echo "::: Cancel selected, exiting...." - exit 1 - fi - PKG_MANAGER="apt-get" UPDATE_PKG_CACHE="${PKG_MANAGER} update" dnsmasqConfig="/etc/dnsmasq.d/02-pivpn.conf" -setupConfigDir="/etc/pivpn" setupVarsFile="setupVars.conf" -setupVars="${setupConfigDir}/${VPN}/${setupVarsFile}" +setupConfigDir="/etc/pivpn" +pivpnFilesDir="/usr/local/src/pivpn" +pivpnScriptDir="/opt/pivpn" + +if [ -r "${setupConfigDir}/wireguard/${setupVarsFile}" ] && [ -r "${setupConfigDir}/openvpn/${setupVarsFile}" ]; then + vpnStillExists=1 + + # Two protocols have been installed, check if the script has passed + # an argument, otherwise ask the user which one he wants to remove + if [ $# -ge 1 ]; then + VPN="$1" + echo "::: Uninstalling VPN: $VPN" + else + chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Uninstall" --separate-output --radiolist "Both OpenVPN and WireGuard are installed, choose a VPN to uninstall (press space to select):" "${r}" "${c}" 2) + VPNChooseOptions=(WireGuard "" on + OpenVPN "" off) + + if VPN=$("${chooseVPNCmd[@]}" "${VPNChooseOptions[@]}" 2>&1 >/dev/tty) ; then + echo "::: Uninstalling VPN: $VPN" + 
VPN="${VPN,,}" + else + echo "::: Cancel selected, exiting...." + exit 1 + fi + fi + + setupVars="${setupConfigDir}/${VPN}/${setupVarsFile}" +else + vpnStillExists=0 + + if [ -r "${setupConfigDir}/wireguard/${setupVarsFile}" ]; then + setupVars="${setupConfigDir}/wireguard/${setupVarsFile}" + elif [ -r "${setupConfigDir}/openvpn/${setupVarsFile}" ]; then + setupVars="${setupConfigDir}/openvpn/${setupVarsFile}" + fi +fi if [ ! -f "${setupVars}" ]; then echo "::: Missing setup vars file!" @@ -61,12 +65,6 @@ fi # shellcheck disable=SC1090 source "${setupVars}" -if [[ ${VPN} == 'wireguard' ]]; then - othervpn='openvpn' -else - othervpn='wireguard' -fi - ### FIXME: introduce global lib spinner(){ local pid=$1 @@ -123,25 +121,11 @@ removeAll(){ fi - vpnStillExists='no' - - if [ -r "${setupConfigDir}/${othervpn}/${setupVarsFile}" ]; then - vpnStillExists='yes' - $SUDO rm -f /usr/local/bin/pivpn - $SUDO ln -s -T /opt/pivpn/${othervpn}/pivpn.sh /usr/local/bin/pivpn - echo ":::" - echo "::: Two VPN protocols exist, you should remove ${othervpn} too" - echo ":::" - - else - rm -f /etc/bash_completion.d/pivpn - fi - # Disable IPv4 forwarding - if [ ${vpnStillExists} == 'no' ]; then - sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf - sysctl -p - fi + if [ "${vpnStillExists}" -eq 0 ]; then + sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf + sysctl -p + fi # Purge dependencies echo "::: Purge dependencies..." 
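Review bot: `VPN="$1"` accepts any string and is immediately used to build `setupVars`, which `source "${setupVars}"` then executes in a script the wrappers invoke via `$SUDO`; a value such as `../openvpn` or anything containing `/` resolves to a file chosen by the caller rather than one of the two protocol directories. Restrict it to the two known names, which also fixes the lowercasing that the dialog branch applies via `${VPN,,}` but the argument branch skips: `case "${1,,}" in wireguard|openvpn) VPN="${1,,}" ;; *) echo "::: Unknown VPN: $1"; exit 1 ;; esac`. The `scripts/backup.sh` hunk in patch 044 copies the same argument handling and needs the same check. The `if [ ! -f "${setupVars}" ]` test at the end runs past the hunk.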
@@ -221,20 +205,34 @@ removeAll(){ rm -rf "$install_home/ovpns" fi - if [ ${vpnStillExists} == 'no' ]; then - echo ":::" - echo "::: Removing pivpn system files..." - rm -rf /etc/.pivpn - rm -rf /etc/pivpn - rm -f /var/log/*pivpn* - rm -rf /opt/pivpn - rm -f /usr/local/bin/pivpn - else - echo ":::" - echo "::: Other protocol still present, so not" - echo "::: removing pivpn system files" - rm -f "${setupConfigDir}/${VPN}/${setupVarsFile}" - fi + if [ "${vpnStillExists}" -eq 0 ]; then + echo ":::" + echo "::: Removing pivpn system files..." + rm -rf "${setupConfigDir}" + rm -rf "${pivpnFilesDir}" + rm -f /var/log/*pivpn* + rm -f /etc/bash_completion.d/pivpn + unlink "${pivpnScriptDir}" + unlink /usr/local/bin/pivpn + else + if [[ ${VPN} == 'wireguard' ]]; then + othervpn='openvpn' + else + othervpn='wireguard' + fi + + echo ":::" + echo "::: Other VPN ${othervpn} still present, so not" + echo "::: removing pivpn system files" + rm -f "${setupConfigDir}/${VPN}/${setupVarsFile}" + + # Restore single pivpn script and bash completion for the remaining VPN + $SUDO unlink /usr/local/bin/pivpn + $SUDO ln -s -T "${pivpnFilesDir}/scripts/${othervpn}/pivpn.sh" /usr/local/bin/pivpn + $SUDO ln -s -T "${pivpnFilesDir}/scripts/${othervpn}/bash-completion" /etc/bash_completion.d/pivpn + # shellcheck disable=SC1091 + . /etc/bash_completion.d/pivpn + fi echo ":::" printf "::: Finished removing PiVPN from your system.\\n" diff --git a/scripts/update.sh b/scripts/update.sh index eed1ce8..603de1b 100755 --- a/scripts/update.sh +++ b/scripts/update.sh 
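Review bot: `unlink "${pivpnScriptDir}"` only succeeds when `/opt/pivpn` is the symlink this commit's installer creates; on a system installed before the change it is a real directory populated by `install`, `unlink` fails there, and the old scripts remain after `rm -rf "${pivpnFilesDir}"` has removed what they belonged to. Branch on the link type: `if [ -L "${pivpnScriptDir}" ]; then unlink "${pivpnScriptDir}"; else rm -rf -- "${pivpnScriptDir:?}"; fi`. In the other-VPN branch, `ln -s -T … /etc/bash_completion.d/pivpn` is not preceded by an `unlink`/`rm -f` the way `/usr/local/bin/pivpn` is, so it fails if a completion file from an older layout is still present, and the trailing `. /etc/bash_completion.d/pivpn` only affects this script's own shell. `$SUDO` is used on four lines of a function whose other commands run bare; pick one convention. removeAll continues outside the hunk.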
@@ -19,6 +19,10 @@ c=$(( columns / 2 )) r=$(( r < 20 ? 20 : r )) c=$(( c < 70 ? 70 : c )) +echo "::: The updating functionality for PiVPN scripts is temporarily disabled" +echo "::: To keep the VPN (and the system) up to date, use 'apt update' and 'apt upgrade'" +exit 0 + chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "Choose a VPN to update (press space to select):" "${r}" "${c}" 2) VPNChooseOptions=(WireGuard "" on OpenVPN "" off) diff --git a/scripts/wireguard/pivpn.sh b/scripts/wireguard/pivpn.sh index 04f3eea..e000f25 100755 --- a/scripts/wireguard/pivpn.sh +++ b/scripts/wireguard/pivpn.sh @@ -48,15 +48,13 @@ removeClient(){ } uninstallServer(){ - $SUDO ${scriptdir}/uninstall.sh + $SUDO ${scriptdir}/uninstall.sh "${vpn}" exit 0 } updateScripts(){ shift - # $SUDO ${scriptdir}/update.sh "$@" - echo "::: The updating functionality for PiVPN scripts is temporarily disabled" - echo "::: To keep the VPN (and the system) up to date, use 'apt update' and 'apt upgrade'" + $SUDO ${scriptdir}/update.sh "$@" exit 0 } @@ -98,7 +96,6 @@ case "$1" in "-h" | "help" ) showHelp;; "-u" | "uninstall" ) uninstallServer;; "-up" | "update" ) updateScripts "$@" ;; -"-wg" | "wgupdate" ) updateWireGuard ;; "-bk" | "backup" ) backup ;; * ) showHelp;; esac diff --git a/scripts/wireguard/pivpnDEBUG.sh b/scripts/wireguard/pivpnDEBUG.sh index 268ee86..5f59f3e 100755 --- a/scripts/wireguard/pivpnDEBUG.sh +++ b/scripts/wireguard/pivpnDEBUG.sh @@ -13,7 +13,7 @@ source "${setupVars}" echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::" printf "=============================================\n" echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::" -git --git-dir /etc/.pivpn/.git log -n 1 +git --git-dir /usr/local/src/pivpn/.git log -n 1 printf "=============================================\n" echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::" sed "s/$pivpnHOST/REDACTED/" < ${setupVars} 
From 61c7151e3b98e87472d135249bb160ad8a57365b Mon Sep 17 00:00:00 2001 From: Orazio Date: Thu, 28 May 2020 12:09:02 +0200 Subject: [PATCH 040/114] Create directory structure if missing - /usr/local/src, when cloning the git repository - /opt (this one was already taken into account but I had accidentally removed the mkdir command in the previous commit). --- auto_install/install.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/auto_install/install.sh b/auto_install/install.sh index 697126f..4ecf1a4 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -999,6 +999,9 @@ getGitFiles(){ } cloneOrUpdateRepos(){ + # /usr/local should always exist, not sure about the src subfolder though + $SUDO mkdir -p /usr/local/src + # Get Git files getGitFiles ${pivpnFilesDir} ${pivpnGitUrl} || \ { echo "!!! Unable to clone ${pivpnGitUrl} into ${pivpnFilesDir}, unable to continue."; \ @@ -2224,6 +2227,9 @@ confUnattendedUpgrades(){ } installScripts(){ + # Ensure /opt exists (issue #607) + $SUDO mkdir -p /opt + if [[ ${VPN} == 'wireguard' ]]; then othervpn='openvpn' else From ba4c2c91db0e75dd4c2728e63fdabd532da55d99 Mon Sep 17 00:00:00 2001 From: Orazio Date: Thu, 28 May 2020 13:59:18 +0200 Subject: [PATCH 041/114] Allow (potentially) unsupported network interfaces via the '--show-unsupported-nics' argument --- auto_install/install.sh | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 4ecf1a4..8658120 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -62,6 +62,7 @@ OPENVPN_KEY_URL="https://swupdate.openvpn.net/repos/repo-public.gpg" runUnattended=false skipSpaceCheck=false reconfigure=false +showUnsupportedNICs=false ######## SCRIPT ######## 
@@ -106,6 +107,7 @@ main(){ "--i_do_not_follow_recommendations" ) skipSpaceCheck=false;; "--unattended" ) runUnattended=true;; "--reconfigure" ) reconfigure=true;; + "--show-unsupported-nics" ) showUnsupportedNICs=true;; esac done @@ -556,8 +558,14 @@ local chooseInterfaceOptions # Loop sentinel variable local firstloop=1 -# Find network interfaces whose state is UP, so as to skip virtual interfaces and the loopback interface -availableInterfaces=$(ip -o link | awk '/state UP/ {print $2}' | cut -d':' -f1 | cut -d'@' -f1) +if [[ "${showUnsupportedNICs}" == true ]]; then + # Show every network interface, could be useful for those who install PiVPN inside virtual machines + # or on Raspberry Pis with USB adapters (the loopback interfaces is still skipped) + availableInterfaces=$(ip -o link | awk '{print $2}' | cut -d':' -f1 | cut -d'@' -f1 | grep -v -w 'lo') +else + # Find network interfaces whose state is UP, so as to skip virtual interfaces and the loopback interface + availableInterfaces=$(ip -o link | awk '/state UP/ {print $2}' | cut -d':' -f1 | cut -d'@' -f1) +fi if [ -z "$availableInterfaces" ]; then echo "::: Could not find any active network interface, exiting" From c8a9e2100ac8f16104d19e4afa82efbee9511ca5 Mon Sep 17 00:00:00 2001 
From: Orazio Date: Thu, 28 May 2020 15:16:45 +0200 Subject: [PATCH 042/114] Changed how undocumented flags are managed - Renamed '--i_do_not_follow_recommendations' to '--skip-space-check', since the argument actually skips the space check. - Obtain the unattended configuration dynamically, by looking at the argument next to '--unattended', instead of looking at the second argument, which was too fragile a way of parsing. - Because of the previous one, figuring out when no argument has been passed to '--unattended' doesn't seem trivial, because the next argument could be an undocumented flag as well, which would be interpreted as a filename. --- auto_install/install.sh | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 8658120..dae00c4 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
@@ -102,25 +102,27 @@ main(){ fi # Check arguments for the undocumented flags - for var in "$@"; do - case "$var" in - "--i_do_not_follow_recommendations" ) skipSpaceCheck=false;; - "--unattended" ) runUnattended=true;; - "--reconfigure" ) reconfigure=true;; + for ((i=1; i <= "$#"; i++)); do + j="$((i+1))" + case "${!i}" in + "--skip-space-check" ) skipSpaceCheck=true;; + "--unattended" ) runUnattended=true; unattendedConfig="${!j}";; + "--reconfigure" ) reconfigure=true;; "--show-unsupported-nics" ) showUnsupportedNICs=true;; esac done if [[ "${runUnattended}" == true ]]; then echo "::: --unattended passed to install script, no whiptail dialogs will be displayed" - if [ -z "$2" ]; then - echo "::: No configuration file passed, using default settings..." + if [ -z "$unattendedConfig" ]; then + echo "::: No configuration file passed" + exit 1 else - if [ -r "$2" ]; then - # shellcheck disable=SC1090 - source "$2" + if [ -r "$unattendedConfig" ]; then + # shellcheck disable=SC1090 + source "$unattendedConfig" else - echo "::: Can't open $2" + echo "::: Can't open $unattendedConfig" exit 1 fi fi @@ -165,7 +167,7 @@ main(){ # Start the installer # Verify there is enough disk space for the install if [[ "${skipSpaceCheck}" == true ]]; then - echo "::: --i_do_not_follow_recommendations passed to script, skipping free disk space verification!" + echo "::: --skip-space-check passed to script, skipping free disk space verification!" else verifyFreeDiskSpace fi From ba7c46aae8a563268717300b197deefe6d1b9985 Mon Sep 17 00:00:00 2001 From: Orazio Date: Fri, 29 May 2020 15:56:43 +0200 Subject: [PATCH 043/114] Avoid hardcoding distribution codenames - Actually check for apt >= 1.5 instead of checking for distributions known for having a newer package --- auto_install/install.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index dae00c4..1b4f62c 100755 --- a/auto_install/install.sh 
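Review bot: `unattendedConfig="${!j}"` reads one past the last positional parameter when `--unattended` is the final argument; if `set -u` is in effect (the `set` options are outside the hunk) that is an unbound-variable error instead of the "No configuration file passed" message below. The loop also never skips the consumed value, so the config path is matched against the flag names, and as the commit message notes a following flag is taken as the filename. Both are cheap to guard: `"--unattended" ) runUnattended=true; unattendedConfig="${!j:-}"; [[ "${unattendedConfig}" == --* ]] && unattendedConfig="";;`. Since `source "$unattendedConfig"` executes the file as shell code in the installer's privilege context, a comment above it saying the configuration file must be trusted as much as the installer itself would document that contract for whoever automates this.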
+++ b/auto_install/install.sh @@ -458,10 +458,11 @@ notifyPackageUpdatesAvailable(){ } preconfigurePackages(){ - # Add support for https repositories that will be used later on + # If apt is older than 1.5 we need to install an additional package to add + # support for https repositories that will be used later on if [[ -f /etc/apt/sources.list ]]; then - # buster and bionic have apt >= 1.5 which has https support built in - if [[ ${OSCN} != "buster" ]] && [[ ${OSCN} != "bionic" ]]; then + INSTALLED_APT="$(apt-cache policy apt | grep -m1 'Installed: ' | grep -v '(none)' | awk '{print $2}')" + if dpkg --compare-versions "$INSTALLED_APT" lt 1.5; then BASE_DEPS+=("apt-transport-https") fi fi From 427c484cacf32c938574e58486773b69b9e2b386 Mon Sep 17 00:00:00 2001 From: Orazio Date: Fri, 29 May 2020 17:46:04 +0200 Subject: [PATCH 044/114] Updated backup scripts for dual VPN --- scripts/backup.sh | 56 ++++++++++++++++++++++++++------------ scripts/openvpn/pivpn.sh | 2 +- scripts/pivpn | 7 +++++ scripts/wireguard/pivpn.sh | 3 +- 4 files changed, 48 insertions(+), 20 deletions(-) diff --git a/scripts/backup.sh b/scripts/backup.sh index a632a81..65f6f15 100755 --- a/scripts/backup.sh +++ b/scripts/backup.sh @@ -1,7 +1,5 @@ #!/bin/bash - -backupdir=pivpnbackup -date=$(date +%Y%m%d-%H%M%S) +# PiVPN: Backup Script # Find the rows and columns. Will default to 80x24 if it can not be detected. screen_size=$(stty size 2>/dev/null || echo 24 80) 
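Review bot: `INSTALLED_APT` is empty when `apt-cache policy` reports `Installed: (none)` or when its output format changes, and `dpkg --compare-versions "" lt 1.5` then decides on an empty string rather than failing loudly; the `grep -v '(none)'` stage also exits non-zero in that case, which aborts the assignment if `pipefail` is on (the `set` options are outside the hunk). `dpkg-query -W -f='${Version}' apt` yields the installed version directly, and an explicit `[ -n "$INSTALLED_APT" ]` before the comparison makes the fallback to `apt-transport-https` deliberate instead of accidental. preconfigurePackages continues past the hunk.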
@@ -15,23 +13,45 @@ c=$(( columns / 2 )) r=$(( r < 20 ? 20 : r )) c=$(( c < 70 ? 70 : c )) - chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "Choose a VPN configuration to backup (press space to select):" "${r}" "${c}" 2) - VPNChooseOptions=(WireGuard "" on - OpenVPN "" off) +backupdir=pivpnbackup +date=$(date +%Y%m%d-%H%M%S) +setupVarsFile="setupVars.conf" +setupConfigDir="/etc/pivpn" - if VPN=$("${chooseVPNCmd[@]}" "${VPNChooseOptions[@]}" 2>&1 >/dev/tty) ; then - echo "::: Using VPN: $VPN" - VPN="${VPN,,}" - else - echo "::: Cancel selected, exiting...." - exit 1 - fi +if [ -r "${setupConfigDir}/wireguard/${setupVarsFile}" ] && [ -r "${setupConfigDir}/openvpn/${setupVarsFile}" ]; then -setupVars="/etc/pivpn/${VPN}/setupVars.conf" + # Two protocols have been installed, check if the script has passed + # an argument, otherwise ask the user which one he wants to remove + if [ $# -ge 1 ]; then + VPN="$1" + echo "::: Backing up VPN: $VPN" + else + chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Backup" --separate-output --radiolist "Both OpenVPN and WireGuard are installed, choose a VPN to backup (press space to select):" "${r}" "${c}" 2) + VPNChooseOptions=(WireGuard "" on + OpenVPN "" off) + + if VPN=$("${chooseVPNCmd[@]}" "${VPNChooseOptions[@]}" 2>&1 >/dev/tty) ; then + echo "::: Backing up VPN: $VPN" + VPN="${VPN,,}" + else + echo "::: Cancel selected, exiting...." + exit 1 + fi + fi + + setupVars="${setupConfigDir}/${VPN}/${setupVarsFile}" +else + + if [ -r "${setupConfigDir}/wireguard/${setupVarsFile}" ]; then + setupVars="${setupConfigDir}/wireguard/${setupVarsFile}" + elif [ -r "${setupConfigDir}/openvpn/${setupVarsFile}" ]; then + setupVars="${setupConfigDir}/openvpn/${setupVarsFile}" + fi +fi if [ ! -f "${setupVars}" ]; then - echo "::: Missing setup vars file!" - exit 1 + echo "::: Missing setup vars file!" + exit 1 fi # shellcheck disable=SC1090 
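Review bot: The comment above the `$#` check was copied from uninstall.sh and still says "remove"; it should read `# an argument, otherwise ask the user which one he wants to back up`. As in uninstall.sh, the argument branch skips the `${VPN,,}` lowercasing the dialog branch applies, so `backup.sh WireGuard` fails the setupVars check, and the value is not restricted to the two protocol names before being used as a path component — the same whitelist raised on the uninstall.sh hunk in patch 039 applies here. The `if [ ! -f "${setupVars}" ]` indentation change is whitespace only.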
@@ -53,7 +73,7 @@ backup_openvpn(){ backupzip=$date-pivpnovpnbackup.tgz # shellcheck disable=SC2210 tar czpf "$install_home"/"$backupdir"/"$backupzip" "$openvpndir" "$ovpnsdir" > /dev/null 2>&1 - echo -e "Backup created in $install_home/$backupdir/$backupzip \nTo restore the backup, follow instructions at:\nhttps://github.com/pivpn/pivpn/wiki/FAQ#how-can-i-migrate-my-configs-to-another-pivpn-instance" + echo -e "Backup created in $install_home/$backupdir/$backupzip \nTo restore the backup, follow instructions at:\nhttps://github.com/pivpn/pivpn/wiki/OpenVPN#how-can-i-migrate-my-configs-to-another-pivpn-instance" } @@ -64,7 +84,7 @@ backup_wireguard(){ checkbackupdir backupzip=$date-pivpnwgbackup.tgz tar czpf "$install_home"/"$backupdir"/"$backupzip" "$wireguarddir" "$configsdir" > /dev/null 2>&1 - echo -e "Backup created in $install_home/$backupdir/$backupzip \nTo restore the backup, follow instructions at:\nhttps://github.com/pivpn/pivpn/wiki/FAQ#how-can-i-migrate-my-configs-to-another-pivpn-instance" + echo -e "Backup created in $install_home/$backupdir/$backupzip \nTo restore the backup, follow instructions at:\nhttps://github.com/pivpn/pivpn/wiki/WireGuard#how-can-i-migrate-my-configs-to-another-pivpn-instance" } diff --git a/scripts/openvpn/pivpn.sh b/scripts/openvpn/pivpn.sh index 58fdca1..0b7feb7 100755 --- a/scripts/openvpn/pivpn.sh +++ b/scripts/openvpn/pivpn.sh @@ -58,7 +58,7 @@ function update { } function backup { - $SUDO ${scriptDir}/backup.sh + $SUDO ${scriptDir}/backup.sh "${vpn}" exit 0 } diff --git a/scripts/pivpn b/scripts/pivpn index c43ece5..f63c285 100755 --- a/scripts/pivpn +++ b/scripts/pivpn @@ -17,6 +17,11 @@ uninstallServer(){ exit 0 } +backup(){ + $SUDO ${scriptDir}/backup.sh + exit 0 +} + showHelp(){ echo "::: To pass off to the pivpn command for each protocol" echo ":::" 
@@ -25,6 +30,7 @@ showHelp(){ echo ":::" echo "::: -h, help Show this help dialog" echo "::: -u, uninstall Uninstall pivpn from your system!" + echo "::: -bk, backup Backup VPN configs and user profiles" exit 0 } @@ -38,5 +44,6 @@ case "$1" in ovpn ) "${scriptDir}/openvpn/pivpn.sh" "${@:2}";; "-h" | "help" ) showHelp;; "-u" | "uninstall" ) uninstallServer;; +"-bk" | "backup" ) backup ;; * ) showHelp;; esac diff --git a/scripts/wireguard/pivpn.sh b/scripts/wireguard/pivpn.sh index e000f25..61db6d9 100755 --- a/scripts/wireguard/pivpn.sh +++ b/scripts/wireguard/pivpn.sh @@ -59,7 +59,8 @@ updateScripts(){ } backup(){ - $SUDO ${scriptdir}/backup.sh + $SUDO ${scriptdir}/backup.sh "${vpn}" + exit 0 } showHelp(){ From ad363b717b967b1edb3453007529c068a23653aa Mon Sep 17 00:00:00 2001 From: Orazio Date: Fri, 29 May 2020 17:49:25 +0200 Subject: [PATCH 045/114] Moved package check to relevant preconfigurePackages() function --- auto_install/install.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 1b4f62c..93b266f 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -302,10 +302,6 @@ distroCheck(){ ;; esac - if [ "$PLAT" = "Raspbian" ]; then - BASE_DEPS+=(dhcpcd5) - fi - echo "PLAT=${PLAT}" > ${tempsetupVarsFile} echo "OSCN=${OSCN}" >> ${tempsetupVarsFile} } @@ -467,6 +463,11 @@ preconfigurePackages(){ fi fi + # We set static IP only on Raspbian + if [ "$PLAT" = "Raspbian" ]; then + BASE_DEPS+=(dhcpcd5) + fi + # if ufw is enabled, configure that. # running as root because sometimes the executable is not in the user's $PATH if $SUDO bash -c 'command -v ufw' > /dev/null; then From 46c463d1d5a3bd206e04bfcf25a5cbb9b5453c71 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?H=C3=ACr0?= <32790661+Hir0-84@users.noreply.github.com> Date: Mon, 1 Jun 2020 00:39:18 +0200 Subject: [PATCH 046/114] Fix issue pivpn#281 --- scripts/openvpn/makeOVPN.sh | 105 +++++++++++++++++++----------------- scripts/openvpn/pivpn.sh | 2 + 2 files changed, 59 insertions(+), 48 deletions(-) diff --git a/scripts/openvpn/makeOVPN.sh b/scripts/openvpn/makeOVPN.sh index e9ac7fb..3c61a4e 100755 --- a/scripts/openvpn/makeOVPN.sh +++ b/scripts/openvpn/makeOVPN.sh @@ -20,7 +20,7 @@ source "${setupVars}" helpFunc() { echo "::: Create a client ovpn profile, optional nopass" echo ":::" - echo "::: Usage: pivpn <-a|add> [-n|--name ] [-p|--password ]|[nopass] [-d|--days ] [-b|--bitwarden] [-i|--iOS] [-h|--help]" + echo "::: Usage: pivpn <-a|add> [-n|--name ] [-p|--password ]|[nopass] [-d|--days ] [-b|--bitwarden] [-i|--iOS] [-c|--config-file] [-h|--help]" echo ":::" echo "::: Commands:" echo "::: [none] Interactive mode" @@ -30,6 +30,7 @@ helpFunc() { echo "::: -d,--days Expire the certificate after specified number of days (default: 1080)" echo "::: -b,--bitwarden Create and save a client through Bitwarden" echo "::: -i,--iOS Generate a certificate that leverages iOS keychain" + echo "::: -c,--config-file Generate .ovpn configuration file for an existing client" echo "::: -h,--help Show this help dialog" } @@ -97,6 +98,10 @@ do echo "Bitwarden not found, please install bitwarden" exit 1 fi + + ;; + -c|--config-file) + GENOVPNONLY=1 ;; *) echo "Error: Got an unexpected argument '$1'" 
@@ -248,54 +253,58 @@ if [[ -z "${NAME}" ]]; then exit 1 fi -# Check if name is already in use -while read -r line || [ -n "${line}" ]; do - STATUS=$(echo "$line" | awk '{print $1}') - - if [ "${STATUS}" == "V" ]; then - CERT=$(echo "$line" | sed -e 's:.*/CN=::') - if [ "${CERT}" == "${NAME}" ]; then - INUSE="1" - break - fi - fi -done <${INDEX} - -if [ "${INUSE}" == "1" ]; then - printf "\n!! This name is already in use by a Valid Certificate." - printf "\nPlease choose another name or revoke this certificate first.\n" - exit 1 -fi - -# Check if name is reserved -if [ "${NAME}" == "ta" ] || [ "${NAME}" == "server" ] || [ "${NAME}" == "ca" ]; then - echo "Sorry, this is in use by the server and cannot be used by clients." - exit 1 -fi - -#As of EasyRSA 3.0.6, by default certificates last 1080 days, see https://github.com/OpenVPN/easy-rsa/blob/6b7b6bf1f0d3c9362b5618ad18c66677351cacd1/easyrsa3/vars.example -if [ -z "${DAYS}" ]; then - read -r -e -p "How many days should the certificate last? " -i 1080 DAYS -fi - -if [[ ! "$DAYS" =~ ^[0-9]+$ ]] || [ "$DAYS" -lt 1 ] || [ "$DAYS" -gt 3650 ]; then - #The CRL lasts 3650 days so it doesn't make much sense that certificates would last longer - echo "Please input a valid number of days, between 1 and 3650 inclusive." - exit 1 - -fi - -cd /etc/openvpn/easy-rsa || exit - -if [[ "${NO_PASS}" =~ "1" ]]; then - if [[ -n "${PASSWD}" ]]; then - echo "Both nopass and password arguments passed to the script. Please use either one." - exit 1 - else - keynoPASS - fi +if [ "${GENOVPNONLY}" == "1" ]; then + # Generate .ovpn configuration file + cd /etc/openvpn/easy-rsa/pki || exit else - keyPASS + # Check if name is already in use + while read -r line || [ -n "${line}" ]; do + STATUS=$(echo "$line" | awk '{print $1}') + + if [ "${STATUS}" == "V" ]; then + CERT=$(echo "$line" | sed -e 's:.*/CN=::') + if [ "${CERT}" == "${NAME}" ]; then + INUSE="1" + break + fi + fi + done <${INDEX} + + if [ "${INUSE}" == "1" ]; then + printf "\n!! 
This name is already in use by a Valid Certificate." + printf "\nPlease choose another name or revoke this certificate first.\n" + exit 1 + fi + + # Check if name is reserved + if [ "${NAME}" == "ta" ] || [ "${NAME}" == "server" ] || [ "${NAME}" == "ca" ]; then + echo "Sorry, this is in use by the server and cannot be used by clients." + exit 1 + fi + + #As of EasyRSA 3.0.6, by default certificates last 1080 days, see https://github.com/OpenVPN/easy-rsa/blob/6b7b6bf1f0d3c9362b5618ad18c66677351cacd1/easyrsa3/vars.example + if [ -z "${DAYS}" ]; then + read -r -e -p "How many days should the certificate last? " -i 1080 DAYS + fi + + if [[ ! "$DAYS" =~ ^[0-9]+$ ]] || [ "$DAYS" -lt 1 ] || [ "$DAYS" -gt 3650 ]; then + #The CRL lasts 3650 days so it doesn't make much sense that certificates would last longer + echo "Please input a valid number of days, between 1 and 3650 inclusive." + exit 1 + fi + + cd /etc/openvpn/easy-rsa || exit + + if [[ "${NO_PASS}" =~ "1" ]]; then + if [[ -n "${PASSWD}" ]]; then + echo "Both nopass and password arguments passed to the script. Please use either one." + exit 1 + else + keynoPASS + fi + else + keyPASS + fi fi #1st Verify that clients Public Key Exists diff --git a/scripts/openvpn/pivpn.sh b/scripts/openvpn/pivpn.sh index 0b7feb7..81d75b9 100755 --- a/scripts/openvpn/pivpn.sh +++ b/scripts/openvpn/pivpn.sh @@ -73,6 +73,7 @@ function helpFunc { echo "::: -c, clients List any connected clients to the server" echo "::: -d, debug Start a debugging session if having trouble" echo "::: -l, list List all valid and revoked certificates" + echo "::: -o, ovpn Generate a .ovpn config file for an existing client" echo "::: -r, revoke Revoke a client ovpn profile" echo "::: -h, help Show this help dialog" echo "::: -u, uninstall Uninstall PiVPN from your system!" 
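Review bot: The `-c` branch skips every check the normal path applies to `NAME`: the index.txt scan, the reserved-name test for `ta`, `server` and `ca`, and the day validation are all inside the `else`. Config-only mode has the opposite need — the name must already belong to a valid certificate — so the `while read -r line` loop should run in both modes, with `-c` rejecting `INUSE != 1` rather than `INUSE == 1`, and the reserved-name `if [ "${NAME}" == "ta" ] || …` should sit above the `if [ "${GENOVPNONLY}" == "1" ]` split so that `-c -n server` cannot reach the key-bundling steps that follow the hunk (whether those would embed the server key depends on code outside it). The `-c` branch also changes directory to `easy-rsa/pki` while the other ends in `easy-rsa`; if the later relative paths assume one of the two, one mode is broken.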
@@ -91,6 +92,7 @@ case "$1" in "-c" | "clients" ) listClientsFunc "$@";; "-d" | "debug" ) debugFunc;; "-l" | "list" ) listOVPNFunc;; +"-o" | "ovpn" ) makeOVPNFunc "$@" -c;; "-r" | "revoke" ) removeOVPNFunc "$@";; "-h" | "help" ) helpFunc;; "-u" | "uninstall" ) uninstallFunc;; From 8e514a5f74ea4a8a936d3e605cfa21edb383d860 Mon Sep 17 00:00:00 2001 From: Orazio Date: Sat, 6 Jun 2020 15:39:37 +0200 Subject: [PATCH 047/114] Update EasyRSA and unattended upgrades config - EasyRSA 3.0.6 -> 3.0.7 - Unattended upgrades config 1.16 -> 2.4 --- auto_install/install.sh | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 93b266f..be43e70 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -48,11 +48,11 @@ BASE_DEPS=(git tar wget curl grep dnsutils whiptail net-tools bsdmainutils) INSTALLED_PACKAGES=() ######## URLs ######## -easyrsaVer="3.0.6" -easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz" +easyrsaVer="3.0.7" +easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz" # Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config -UNATTUPG_RELEASE="1.16" +UNATTUPG_RELEASE="2.4" UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz" # Fallback url for the OpenVPN key @@ -1811,8 +1811,12 @@ confOpenVPN(){ fi # Get easy-rsa - wget -qO- "${easyrsaRel}" | $SUDO tar xz --directory /etc/openvpn - $SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa + wget -qO- "${easyrsaRel}" | $SUDO tar xz --one-top-level=/etc/openvpn/easy-rsa --strip-components 1 + if ! test -s /etc/openvpn/easy-rsa/easyrsa; then + echo "$0: ERR: Failed to download EasyRSA." + exit 1 + fi + # fix ownership $SUDO chown -R root:root /etc/openvpn/easy-rsa $SUDO mkdir /etc/openvpn/easy-rsa/pki 
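Review bot: The EasyRSA tarball at `easyrsaRel` is streamed from `wget` straight into `tar` running as root with no integrity check; the added `test -s /etc/openvpn/easy-rsa/easyrsa` only confirms that a non-empty file landed, not that it is the expected release, so a tampered or substituted download would be installed silently. Since the version is already pinned, pin its digest too: define an `easyrsaSha256` next to `easyrsaVer` (value taken from the upstream release, left as a placeholder below), download to a temp file, verify, and only then extract. `--one-top-level` also requires a GNU tar that supports it, which is worth a comment for users on older releases. confOpenVPN continues outside the hunk.
```shell
# Get easy-rsa: the version is pinned, so pin and verify its digest before extracting as root
easyrsaTgz=$(mktemp) || exit 1
wget -qO "${easyrsaTgz}" "${easyrsaRel}"
if ! echo "${easyrsaSha256}  ${easyrsaTgz}" | sha256sum -c --status; then
  echo "$0: ERR: EasyRSA download failed the integrity check."
  rm -f -- "${easyrsaTgz}"
  exit 1
fi
$SUDO tar xzf "${easyrsaTgz}" --one-top-level=/etc/openvpn/easy-rsa --strip-components 1
rm -f -- "${easyrsaTgz}"
# … unchanged: existence check on /etc/openvpn/easy-rsa/easyrsa and ownership fix …
```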
From 71bae41cda730ebb279b73532f4fcc9959797744 Mon Sep 17 00:00:00 2001 From: Orazio Date: Sun, 7 Jun 2020 13:59:51 +0200 Subject: [PATCH 048/114] Simplified the OpenVPN installation flow by moving some settings behind a "customize" dialog. Additional features could fall in there without compromising the simplicity of PiVPN. --- auto_install/install.sh | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/auto_install/install.sh b/auto_install/install.sh index be43e70..145de92 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -1031,6 +1031,7 @@ installPiVPN(){ pivpnNET="10.8.0.0" vpnGw="${pivpnNET/.0.0/.0.1}" + askAboutCustomizing installOpenVPN askCustomProto askCustomPort @@ -1051,6 +1052,7 @@ installPiVPN(){ pivpnDEV="wg0" pivpnNET="10.6.0.0" vpnGw="${pivpnNET/.0.0/.0.1}" + CUSTOMIZE=0 installWireGuard askCustomPort @@ -1121,6 +1123,14 @@ askWhichVPN(){ echo "VPN=${VPN}" >> ${tempsetupVarsFile} } +askAboutCustomizing(){ + if (whiptail --backtitle "Setup PiVPN" --title "Installation mode" --yesno --defaultno "PiVPN uses some settings that we believe are good defaults for most users.\n\n- UDP or TCP protocol: UDP\n- Custom search domain for the DNS field: None\n- Modern features or best compatibility: Modern features (256 bit certificate + additional TLS encryption)\n\nHowever, we still want to keep flexibility, so if you need to customize them, choose Yes." ${r} ${c}); then + CUSTOMIZE=1 + else + CUSTOMIZE=0 + fi +} + downloadVerifyKey(){ local KEY_URL="$1" local EXPECTED_KEY_ID="$2" 
@@ -1324,6 +1334,14 @@ askCustomProto(){ return fi + if [ "$CUSTOMIZE" -eq 0 ]; then + if [ "$VPN" = "openvpn" ]; then + pivpnPROTO="udp" + echo "pivpnPROTO=${pivpnPROTO}" >> ${tempsetupVarsFile} + return + fi + fi + # Set the available protocols into an array so it can be used with a whiptail dialog if pivpnPROTO=$(whiptail --title "Protocol" --radiolist \ "Choose a protocol (press space to select). Please only choose TCP if you know why you need TCP." ${r} ${c} 2 \ @@ -1588,6 +1606,13 @@ askCustomDomain(){ return fi + if [ "$CUSTOMIZE" -eq 0 ]; then + if [ "$VPN" = "openvpn" ]; then + echo "pivpnSEARCHDOMAIN=${pivpnSEARCHDOMAIN}" >> ${tempsetupVarsFile} + return + fi + fi + DomainSettingsCorrect=False if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno --defaultno "Would you like to add a custom search domain? \\n (This is only for advanced users who have their own domain)\\n" ${r} ${c}); then @@ -1738,6 +1763,17 @@ askEncryption(){ return fi + if [ "$CUSTOMIZE" -eq 0 ]; then + if [ "$VPN" = "openvpn" ]; then + TWO_POINT_FOUR=1 + pivpnENCRYPT=256 + echo "TWO_POINT_FOUR=${TWO_POINT_FOUR}" >> ${tempsetupVarsFile} + echo "pivpnENCRYPT=${pivpnENCRYPT}" >> ${tempsetupVarsFile} + echo "USE_PREDEFINED_DH_PARAM=${USE_PREDEFINED_DH_PARAM}" >> ${tempsetupVarsFile} + return + fi + fi + if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno "OpenVPN 2.4 can take advantage of Elliptic Curves to provide higher connection speed and improved security over RSA, while keeping smaller certificates.\\n\\nMoreover, the 'tls-crypt' directive encrypts the certificates being used while authenticating, increasing privacy.\\n\\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility." "${r}" "${c}"); then TWO_POINT_FOUR=1 pivpnENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA certificate size" --radiolist \ 
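Review bot: The new `CUSTOMIZE`-is-0 branch in askEncryption writes `USE_PREDEFINED_DH_PARAM=${USE_PREDEFINED_DH_PARAM}` to `${tempsetupVarsFile}` without assigning that variable anywhere in the branch, so unless it was set earlier (not visible here) the file gets an empty `USE_PREDEFINED_DH_PARAM=` line that downstream readers may treat differently from what the interactive path produces. Either assign it explicitly before the echo, with the value the interactive ECDSA branch ends up with (confirm against that code, which is outside the hunk), or drop the line; the sibling blocks in askCustomProto and askCustomDomain above only write values they themselves set. The `[ "$CUSTOMIZE" -eq 0 ]` tests in all three functions also assume CUSTOMIZE holds a number: with an unset variable `[` reports an "integer expression expected" error and the code falls through to the dialog. The function bodies continue outside the hunks.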
From e74ad23e8eb0395ae7137dce83b98115dadc99c7 Mon Sep 17 00:00:00 2001 From: Orazio Date: Sun, 7 Jun 2020 14:08:48 +0200 Subject: [PATCH 049/114] Fixed DNS provider dialog formatting --- auto_install/install.sh | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 145de92..68a920d 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -1499,11 +1499,7 @@ askClientDNS(){ fi fi - DNSChoseCmd=(whiptail --separate-output --radiolist "Select the DNS Provider - for your VPN Clients (press space to select). To use your own, select - Custom.\\n\\nIn case you have a local resolver running, i.e. unbound, select - \"PiVPN-is-local-DNS\" and make sure your resolver is listening on - \"$vpnGw\", allowing requests from \"${pivpnNET}/${subnetClass}\"." "${r}" "${c}" 6) + DNSChoseCmd=(whiptail --backtitle "Setup PiVPN" --title "DNS Provider" --separate-output --radiolist "Select the DNS Provider for your VPN Clients (press space to select).\nTo use your own, select Custom.\n\nIn case you have a local resolver running, i.e. unbound, select \"PiVPN-is-local-DNS\" and make sure your resolver is listening on \"$vpnGw\", allowing requests from \"${pivpnNET}/${subnetClass}\"." "${r}" "${c}" 6) DNSChooseOptions=(Quad9 "" on OpenDNS "" off Level3 "" off From e7df6752cd50a7b810c7f9de27f837394b65846d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?H=C3=ACr0?= <32790661+Hir0-84@users.noreply.github.com> Date: Sun, 7 Jun 2020 16:09:55 +0200 Subject: [PATCH 050/114] #281 CHANGED Minor changes after cross-check --- scripts/openvpn/makeOVPN.sh | 6 +++--- scripts/openvpn/pivpn.sh | 2 -- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/scripts/openvpn/makeOVPN.sh b/scripts/openvpn/makeOVPN.sh index 3c61a4e..5300a2b 100755 --- a/scripts/openvpn/makeOVPN.sh +++ b/scripts/openvpn/makeOVPN.sh 
@@ -20,7 +20,7 @@ source "${setupVars}" helpFunc() { echo "::: Create a client ovpn profile, optional nopass" echo ":::" - echo "::: Usage: pivpn <-a|add> [-n|--name ] [-p|--password ]|[nopass] [-d|--days ] [-b|--bitwarden] [-i|--iOS] [-c|--config-file] [-h|--help]" + echo "::: Usage: pivpn <-a|add> [-n|--name ] [-p|--password ]|[nopass] [-d|--days ] [-b|--bitwarden] [-i|--iOS] [-o|--ovpn] [-h|--help]" echo ":::" echo "::: Commands:" echo "::: [none] Interactive mode" @@ -30,7 +30,7 @@ helpFunc() { echo "::: -d,--days Expire the certificate after specified number of days (default: 1080)" echo "::: -b,--bitwarden Create and save a client through Bitwarden" echo "::: -i,--iOS Generate a certificate that leverages iOS keychain" - echo "::: -c,--config-file Generate .ovpn configuration file for an existing client" + echo "::: -o,--ovpn Regenerate a .ovpn config file for an existing client" echo "::: -h,--help Show this help dialog" } @@ -100,7 +100,7 @@ do fi ;; - -c|--config-file) + -o|--ovpn) GENOVPNONLY=1 ;; *) diff --git a/scripts/openvpn/pivpn.sh b/scripts/openvpn/pivpn.sh index 81d75b9..0b7feb7 100755 --- a/scripts/openvpn/pivpn.sh +++ b/scripts/openvpn/pivpn.sh @@ -73,7 +73,6 @@ function helpFunc { echo "::: -c, clients List any connected clients to the server" echo "::: -d, debug Start a debugging session if having trouble" echo "::: -l, list List all valid and revoked certificates" - echo "::: -o, ovpn Generate a .ovpn config file for an existing client" echo "::: -r, revoke Revoke a client ovpn profile" echo "::: -h, help Show this help dialog" echo "::: -u, uninstall Uninstall PiVPN from your system!" @@ -92,7 +91,6 @@ case "$1" in "-c" | "clients" ) listClientsFunc "$@";; "-d" | "debug" ) debugFunc;; "-l" | "list" ) listOVPNFunc;; -"-o" | "ovpn" ) makeOVPNFunc "$@" -c;; "-r" | "revoke" ) removeOVPNFunc "$@";; "-h" | "help" ) helpFunc;; "-u" | "uninstall" ) uninstallFunc;; From 8e1f53f34e4edf2c3ef88f64447765c61674bf0c Mon Sep 17 00:00:00 2001 
From: Orazio Date: Mon, 8 Jun 2020 09:38:53 +0200 Subject: [PATCH 051/114] Updated askAboutCustomizing() function - Tweaked dialog text - Don't show dialog if runnning unattended --- auto_install/install.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 68a920d..b73f7ed 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -1124,10 +1124,12 @@ askWhichVPN(){ } askAboutCustomizing(){ - if (whiptail --backtitle "Setup PiVPN" --title "Installation mode" --yesno --defaultno "PiVPN uses some settings that we believe are good defaults for most users.\n\n- UDP or TCP protocol: UDP\n- Custom search domain for the DNS field: None\n- Modern features or best compatibility: Modern features (256 bit certificate + additional TLS encryption)\n\nHowever, we still want to keep flexibility, so if you need to customize them, choose Yes." ${r} ${c}); then - CUSTOMIZE=1 - else - CUSTOMIZE=0 + if [ "${runUnattended}" = 'false' ]; then + if (whiptail --backtitle "Setup PiVPN" --title "Installation mode" --yesno --defaultno "PiVPN uses the following settings that we believe are good defaults for most users. However, we still want to keep flexibility, so if you need to customize them, choose Yes.\n\n* UDP or TCP protocol: UDP\n* Custom search domain for the DNS field: None\n* Modern features or best compatibility: Modern features (256 bit certificate + additional TLS encryption)" ${r} ${c}); then + CUSTOMIZE=1 + else + CUSTOMIZE=0 + fi fi } From de127173dd26452053fb087244b3a2d50c49ead4 Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 9 Jun 2020 12:25:41 +0200 Subject: [PATCH 052/114] Less fragile way to add and remove clients (issue #1050) --- scripts/wireguard/makeCONF.sh | 4 ++-- scripts/wireguard/removeCONF.sh | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/scripts/wireguard/makeCONF.sh b/scripts/wireguard/makeCONF.sh index 09ee2db..e919e4a 100755 
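Review bot: When `runUnattended` is true the function now returns without assigning `CUSTOMIZE` at all, and installPiVPN only pre-sets `CUSTOMIZE=0` on the WireGuard path (patch 048), so on an unattended OpenVPN install the later `[ "$CUSTOMIZE" -eq 0 ]` tests in askCustomProto/askCustomDomain/askEncryption compare against an empty string; whether they are reached depends on those functions' own unattended early-returns, which are outside the visible hunks. Initialising keeps the variable's contract simple: add `else CUSTOMIZE=0` to the outer `if`, or put `CUSTOMIZE=0` as the first line of the function. `${r} ${c}` at the end of the whiptail call are also unquoted, unlike the `"${r}" "${c}"` used by the other dialogs in this file.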
--- a/scripts/wireguard/makeCONF.sh +++ b/scripts/wireguard/makeCONF.sh @@ -108,12 +108,12 @@ Endpoint = ${pivpnHOST}:${pivpnPORT} AllowedIPs = 0.0.0.0/0, ::0/0" >> "configs/${CLIENT_NAME}.conf" echo "::: Client config generated" -echo "# begin ${CLIENT_NAME} +echo "### begin ${CLIENT_NAME} ### [Peer] PublicKey = $(cat "keys/${CLIENT_NAME}_pub") PresharedKey = $(cat "keys/${CLIENT_NAME}_psk") AllowedIPs = ${NET_REDUCED}.${COUNT}/32 -# end ${CLIENT_NAME}" >> wg0.conf +### end ${CLIENT_NAME} ###" >> wg0.conf echo "::: Updated server config" if [ -f /etc/pivpn/hosts.wireguard ]; then diff --git a/scripts/wireguard/removeCONF.sh b/scripts/wireguard/removeCONF.sh index 7b44e35..345a670 100755 --- a/scripts/wireguard/removeCONF.sh +++ b/scripts/wireguard/removeCONF.sh @@ -64,7 +64,7 @@ DELETED_COUNT=0 for CLIENT_NAME in "${CLIENTS_TO_REMOVE[@]}"; do - if ! grep -qw "${CLIENT_NAME}" configs/clients.txt; then + if ! grep -q "^${CLIENT_NAME} " configs/clients.txt; then echo -e "::: \e[1m${CLIENT_NAME}\e[0m does not exist" else REQUESTED="$(sha256sum "configs/${CLIENT_NAME}.conf" | cut -c 1-64)" 
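Review bot: `grep -q "^${CLIENT_NAME} " configs/clients.txt` interpolates the client name into a regular expression, so a name containing `.`, `*`, `[` or `\` is still pattern-matched rather than compared literally; the same applies to the three `grep` calls and to the `sed "/### begin ${CLIENT_NAME} ###/,/### end ${CLIENT_NAME} ###/d"` address in the following hunk (`@@ -73,17 +73,17 @@`), where a `/` in the name would additionally break the address. If makeCONF.sh restricts names to a safe character set at creation time (not visible here) this is mostly theoretical, but an exact field comparison is cheap and removes the dependency: `awk -v name="${CLIENT_NAME}" '$1 == name' configs/clients.txt` for the lookups, and an escaped name for the sed address. The anchored `^… ` form is already an improvement over `-qw`, which also matched the name when it appeared inside another client's line.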
@@ -73,17 +73,17 @@ for CLIENT_NAME in "${CLIENTS_TO_REMOVE[@]}"; do if [[ $REPLY =~ ^[Yy]$ ]]; then # Grab the least significant octed of the client IP address - COUNT=$(grep "${CLIENT_NAME}" configs/clients.txt | awk '{print $4}') + COUNT=$(grep "^${CLIENT_NAME} " configs/clients.txt | awk '{print $4}') # The creation date of the client - CREATION_DATE="$(grep "${CLIENT_NAME}" configs/clients.txt | awk '{print $3}')" + CREATION_DATE="$(grep "^${CLIENT_NAME} " configs/clients.txt | awk '{print $3}')" # And its public key - PUBLIC_KEY="$(grep "${CLIENT_NAME}" configs/clients.txt | awk '{print $2}')" + PUBLIC_KEY="$(grep "^${CLIENT_NAME} " configs/clients.txt | awk '{print $2}')" # Then remove the client matching the variables above sed "\#${CLIENT_NAME} ${PUBLIC_KEY} ${CREATION_DATE} ${COUNT}#d" -i configs/clients.txt # Remove the peer section from the server config - sed "/# begin ${CLIENT_NAME}/,/# end ${CLIENT_NAME}/d" -i wg0.conf + sed "/### begin ${CLIENT_NAME} ###/,/### end ${CLIENT_NAME} ###/d" -i wg0.conf echo "::: Updated server config" rm "configs/${CLIENT_NAME}.conf" From 9d0ed1ec00b39d097862ff835bceb974953d106f Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 9 Jun 2020 13:17:02 +0200 Subject: [PATCH 053/114] Remove just the MASQUERADE line, not the whole NAT section of the UFW configuration. - The sed command would not work if there were other user-defined rules or if another VPN was installed. --- scripts/uninstall.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index 52bbded..631f355 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh 
@@ -101,7 +101,7 @@ removeAll(){ ufw delete allow "${pivpnPORT}"/"${pivpnPROTO}" > /dev/null ### FIXME: SC2154 ufw route delete allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any > /dev/null - sed -z "s/*nat\\n:POSTROUTING ACCEPT \\[0:0\\]\\n-I POSTROUTING -s ${pivpnNET}\\/${subnetClass} -o ${IPv4dev} -j MASQUERADE -m comment --comment ${VPN}-nat-rule\\nCOMMIT\\n\\n//" -i /etc/ufw/before.rules + sed "/-I POSTROUTING -s ${pivpnNET}\\/${subnetClass} -o ${IPv4dev} -j MASQUERADE -m comment --comment ${VPN}-nat-rule/d" -i /etc/ufw/before.rules iptables -t nat -D POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" ufw reload &> /dev/null From 2028f0be3f9d9f73be88e45d95f75aec179a3399 Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 9 Jun 2020 13:56:58 +0200 Subject: [PATCH 054/114] Update LatestUpdate.md --- LatestUpdate.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/LatestUpdate.md b/LatestUpdate.md index a5d6cef..26b01df 100644 --- a/LatestUpdate.md +++ b/LatestUpdate.md 
@@ -5,6 +5,16 @@ patch release notes. Everytime Test branch is merged into master, a new entry should be created with the date and changes being merged. +## Jun 9th 2020 + +- Dual VPN mode, use both WireGuard and OpenVPN by running the installer script over an existing installation. +- Generate a unique pre-shared key for each client as per the WireGuard protocol to improve post-quantum resistance. +- Added the ability to regenerate the .ovpn config when the client template changes (issue #281). Use 'pivpn -a -o'. +- Added the '--show-unsupported-nics' argument to the install script for those who need PiVPN on virtual servers where the available network interfaces may not be detected reliably (issue #994). +- Clone the git repo to '/usr/local/src/pivpn' and replace all other locations with symlinks (issue #695). +- Simplified the OpenVPN installation flow by moving some settings behind a "customize" dialog. +- Temporarily disable 'pivpn -up' until a proper update strategy is defined. See [this commit](https://github.com/pivpn/pivpn/commit/f06f6d79203c29ebd785f860a81a15e9caac4fc9) for more information. + ## Mar 17th 2020 - Switch to Bullseye repository on Debian/Raspbian. The bullseye repository is less likely to offer broken packages and it's also supported by Raspbian, meaning there is no need to manually compile WireGuard on older Raspberry Pis. From b2ab7fc862e31da92576d51609f250701eb6e02c Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 9 Jun 2020 15:45:38 +0200 Subject: [PATCH 055/114] Fix change from pull request #1000 that prevented 'pivpn -l' to show revoked client names --- scripts/openvpn/listOVPN.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/openvpn/listOVPN.sh b/scripts/openvpn/listOVPN.sh index 1a7da35..c87ecfd 100755 --- a/scripts/openvpn/listOVPN.sh +++ b/scripts/openvpn/listOVPN.sh 
@@ -16,7 +16,7 @@ printf "\\e[4mStatus\\e[0m \t \\e[4mName\\e[0m\\e[0m \t \\e[4mExpiration\\e[ while read -r line || [ -n "$line" ]; do STATUS=$(echo "$line" | awk '{print $1}') - NAME=$(echo "$line" | awk '{print $5}' | awk -FCN= '{print $2}') + NAME=$(echo "$line" | awk -FCN= '{print $2}') EXPD=$(echo "$line" | awk '{if (length($2) == 15) print $2; else print "20"$2}' | cut -b 1-8 | date +"%b %d %Y" -f -) if [ "${STATUS}" == "V" ]; then From 934aff8871cd3d1eb9077b6177007e98cbd2937e Mon Sep 17 00:00:00 2001 From: GizMoCuz Date: Wed, 8 Jul 2020 15:32:19 +0200 Subject: [PATCH 056/114] Add Index for Wireguard remove/qr commands --- scripts/wireguard/qrcodeCONF.sh | 15 ++++++++++----- scripts/wireguard/removeCONF.sh | 15 ++++++++++----- 2 files changed, 20 insertions(+), 10 deletions(-) diff --git a/scripts/wireguard/qrcodeCONF.sh b/scripts/wireguard/qrcodeCONF.sh index 0420eb5..2927da9 100755 --- a/scripts/wireguard/qrcodeCONF.sh +++ b/scripts/wireguard/qrcodeCONF.sh @@ -33,17 +33,18 @@ if [ ! -s clients.txt ]; then exit 1 fi +LIST=($(awk '{print $1}' clients.txt)) if [ "${#CLIENTS_TO_SHOW[@]}" -eq 0 ]; then echo -e "::\e[4m Client list \e[0m::" - LIST=($(awk '{print $1}' clients.txt)) + len=${#LIST[@]} COUNTER=1 - while [ $COUNTER -le ${#LIST[@]} ]; do - echo "• ${LIST[(($COUNTER-1))]}" + while [ $COUNTER -le ${len} ]; do + printf "• [%0${#len}s] %s\r\n" ${COUNTER} ${LIST[(($COUNTER-1))]} ((COUNTER++)) done - read -r -p "Please enter the Name of the Client to show: " CLIENTS_TO_SHOW + read -r -p "Please enter the Index/Name of the Client to show: " CLIENTS_TO_SHOW if [ -z "${CLIENTS_TO_SHOW}" ]; then echo "::: You can not leave this blank!" 
@@ -52,6 +53,10 @@ if [ "${#CLIENTS_TO_SHOW[@]}" -eq 0 ]; then fi for CLIENT_NAME in "${CLIENTS_TO_SHOW[@]}"; do + re='^[0-9]+$' + if [[ ${CLIENT_NAME} =~ $re ]] ; then + CLIENT_NAME=${LIST[$(($CLIENT_NAME -1))]} + fi if grep -qw "${CLIENT_NAME}" clients.txt; then echo -e "::: Showing client \e[1m${CLIENT_NAME}\e[0m below" echo "=====================================================================" @@ -60,4 +65,4 @@ for CLIENT_NAME in "${CLIENTS_TO_SHOW[@]}"; do else echo -e "::: \e[1m${CLIENT_NAME}\e[0m does not exist" fi -done \ No newline at end of file +done diff --git a/scripts/wireguard/removeCONF.sh b/scripts/wireguard/removeCONF.sh index 345a670..7a72328 100755 --- a/scripts/wireguard/removeCONF.sh +++ b/scripts/wireguard/removeCONF.sh @@ -42,17 +42,17 @@ if [ ! -s configs/clients.txt ]; then exit 1 fi +LIST=($(awk '{print $1}' configs/clients.txt)) if [ "${#CLIENTS_TO_REMOVE[@]}" -eq 0 ]; then - echo -e "::\e[4m Client list \e[0m::" - LIST=($(awk '{print $1}' configs/clients.txt)) + len=${#LIST[@]} COUNTER=1 - while [ $COUNTER -le ${#LIST[@]} ]; do - echo "• ${LIST[(($COUNTER-1))]}" + while [ $COUNTER -le ${len} ]; do + printf "• [%0${#len}s] %s\r\n" ${COUNTER} ${LIST[(($COUNTER-1))]} ((COUNTER++)) done - read -r -p "Please enter the Name of the Client to be removed from the list above: " CLIENTS_TO_REMOVE + read -r -p "Please enter the Index/Name of the Client to be removed from the list above: " CLIENTS_TO_REMOVE if [ -z "${CLIENTS_TO_REMOVE}" ]; then echo "::: You can not leave this blank!" @@ -64,6 +64,11 @@ DELETED_COUNT=0 for CLIENT_NAME in "${CLIENTS_TO_REMOVE[@]}"; do + re='^[0-9]+$' + if [[ ${CLIENT_NAME} =~ $re ]] ; then + CLIENT_NAME=${LIST[$(($CLIENT_NAME -1))]} + fi + if ! grep -q "^${CLIENT_NAME} " configs/clients.txt; then echo -e "::: \e[1m${CLIENT_NAME}\e[0m does not exist" else From c00e208286547e7c494b09e6868340b8d83e1039 Mon Sep 17 00:00:00 2001 
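Review bot: `CLIENT_NAME=${LIST[$(($CLIENT_NAME -1))]}` has no range check, so an input of `0` becomes `LIST[-1]`, which bash 4.3+ resolves to the last element, and any index above `${#LIST[@]}` yields an empty string; in this qrcodeCONF hunk an empty name then reaches `grep -qw "" clients.txt`, which matches every line, and in the removeCONF hunk on the same line (`@@ -64,6 +64,11 @@`) `0` silently selects the last client for deletion. Validate before indexing, since the `=~` guard already ensures the value is numeric: `if (( CLIENT_NAME < 1 || CLIENT_NAME > ${#LIST[@]} )); then echo "::: Invalid index"; continue; fi`. The `LIST=($(awk '{print $1}' clients.txt))` construction in the first hunk (`@@ -33,17 +33,18 @@`) also word-splits and glob-expands the output (SC2207); `mapfile -t LIST < <(awk '{print $1}' clients.txt)` is the safer form, and the `printf` arguments `${COUNTER}` and `${LIST[...]}` should be quoted.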
From: GizMoCuz Date: Wed, 8 Jul 2020 16:36:23 +0200 Subject: [PATCH 057/114] Add Index for OpenVPN remover command --- scripts/openvpn/removeOVPN.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/scripts/openvpn/removeOVPN.sh b/scripts/openvpn/removeOVPN.sh index 4f79385..79a5936 100755 --- a/scripts/openvpn/removeOVPN.sh +++ b/scripts/openvpn/removeOVPN.sh @@ -52,17 +52,23 @@ if [[ -z "${CERTS_TO_REVOKE}" ]]; then STATUS=$(echo "$line" | awk '{print $1}') if [[ "${STATUS}" = "V" ]]; then NAME=$(echo "$line" | sed -e 's:.*/CN=::') - CERTS[$i]=${NAME} if [ "$i" != 0 ]; then # Prevent printing "server" certificate - printf " %s\n" "$NAME" + CERTS[$i]=${NAME} fi let i=i+1 fi done <${INDEX} + + i=1 + len=${#CERTS[@]} + while [ $i -le ${len} ]; do + printf "[%0${#len}s] %s\r\n" ${i} ${CERTS[(($i))]} + ((i++)) + done printf "\n" - echo -n "::: Please enter the Name of the client to be revoked from the list above: " + echo -n "::: Please enter the Index/Name of the client to be revoked from the list above: " read -r NAME if [[ -z "${NAME}" ]]; then @@ -70,6 +76,10 @@ if [[ -z "${CERTS_TO_REVOKE}" ]]; then exit 1 fi + if [[ ${NAME} =~ $re ]] ; then + NAME=${CERTS[$(($NAME))]} + fi + for((x=1;x<=i;++x)); do if [ "${CERTS[$x]}" = "${NAME}" ]; then VALID=1 From 7aa91fc67af28d5d64b07c7b0ef101283530b45b Mon Sep 17 00:00:00 2001 From: GizMoCuz Date: Wed, 8 Jul 2020 16:36:50 +0200 Subject: [PATCH 058/114] Removed middle-dot in print function --- scripts/wireguard/qrcodeCONF.sh | 2 +- scripts/wireguard/removeCONF.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/wireguard/qrcodeCONF.sh b/scripts/wireguard/qrcodeCONF.sh index 2927da9..0000a69 100755 --- a/scripts/wireguard/qrcodeCONF.sh +++ b/scripts/wireguard/qrcodeCONF.sh 
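Review bot: `if [[ ${NAME} =~ $re ]]` uses `re` before anything in this file defines it (patch 059 adds `re='^[0-9]+$'` later), so with an empty pattern the test matches every input and `NAME=${CERTS[$(($NAME))]}` evaluates whatever the user typed as an arithmetic expression; arithmetic expansion of unvalidated text is something to avoid on principle, and here it also turns every plain name into index 0 (or an arithmetic error) and hence an empty NAME. Even once the regex is in place, add a bounds check so an out-of-range index gives a clear message instead of an empty name: `if (( NAME < 1 || NAME > ${#CERTS[@]} )); then echo "::: Invalid index"; exit 1; fi`. In the listing hunk above, `printf "[%0${#len}s] %s\r\n" ${i} ${CERTS[(($i))]}` leaves both arguments unquoted, and the `\r\n` line ending is unusual for terminal output. The interactive block continues outside these hunks.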
@@ -40,7 +40,7 @@ if [ "${#CLIENTS_TO_SHOW[@]}" -eq 0 ]; then len=${#LIST[@]} COUNTER=1 while [ $COUNTER -le ${len} ]; do - printf "• [%0${#len}s] %s\r\n" ${COUNTER} ${LIST[(($COUNTER-1))]} + printf "[%0${#len}s] %s\r\n" ${COUNTER} ${LIST[(($COUNTER-1))]} ((COUNTER++)) done diff --git a/scripts/wireguard/removeCONF.sh b/scripts/wireguard/removeCONF.sh index 7a72328..5cd325c 100755 --- a/scripts/wireguard/removeCONF.sh +++ b/scripts/wireguard/removeCONF.sh @@ -48,7 +48,7 @@ if [ "${#CLIENTS_TO_REMOVE[@]}" -eq 0 ]; then len=${#LIST[@]} COUNTER=1 while [ $COUNTER -le ${len} ]; do - printf "• [%0${#len}s] %s\r\n" ${COUNTER} ${LIST[(($COUNTER-1))]} + printf "[%0${#len}s] %s\r\n" ${COUNTER} ${LIST[(($COUNTER-1))]} ((COUNTER++)) done From e6b081e0f9ce6d6529ec568930ff71f46e4681c2 Mon Sep 17 00:00:00 2001 From: GizMoCuz Date: Wed, 8 Jul 2020 16:43:32 +0200 Subject: [PATCH 059/114] Added missing regex --- scripts/openvpn/removeOVPN.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/openvpn/removeOVPN.sh b/scripts/openvpn/removeOVPN.sh index 79a5936..d8e1061 100755 --- a/scripts/openvpn/removeOVPN.sh +++ b/scripts/openvpn/removeOVPN.sh @@ -76,6 +76,7 @@ if [[ -z "${CERTS_TO_REVOKE}" ]]; then exit 1 fi + re='^[0-9]+$' if [[ ${NAME} =~ $re ]] ; then NAME=${CERTS[$(($NAME))]} fi From c1dc825ace34d8a571908606c29e60fa055fdbab Mon Sep 17 00:00:00 2001 From: giotto Date: Sat, 11 Jul 2020 21:38:11 +0200 Subject: [PATCH 060/114] add parameter to force remove profile --- scripts/wireguard/removeCONF.sh | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/scripts/wireguard/removeCONF.sh b/scripts/wireguard/removeCONF.sh index 345a670..0b3aa06 100755 --- a/scripts/wireguard/removeCONF.sh +++ b/scripts/wireguard/removeCONF.sh 
@@ -12,11 +12,12 @@ source "${setupVars}" helpFunc(){ echo "::: Remove a client conf profile" echo ":::" - echo "::: Usage: pivpn <-r|remove> [-h|--help] [] ... [] ..." + echo "::: Usage: pivpn <-r|remove> [-f|--force] [-h|--help] [] ... [] ..." echo ":::" echo "::: Commands:" echo "::: [none] Interactive mode" echo "::: Client(s) to remove" + echo "::: -f,--force Remove Client(s) without confirmation" echo "::: -h,--help Show this help dialog" } @@ -29,6 +30,9 @@ do helpFunc exit 0 ;; + -f|--force) + FORCE=true + ;; *) CLIENTS_TO_REMOVE+=("$1") ;; @@ -68,7 +72,11 @@ for CLIENT_NAME in "${CLIENTS_TO_REMOVE[@]}"; do echo -e "::: \e[1m${CLIENT_NAME}\e[0m does not exist" else REQUESTED="$(sha256sum "configs/${CLIENT_NAME}.conf" | cut -c 1-64)" - read -r -p "Do you really want to delete $CLIENT_NAME? [Y/n] " + if [ -n "$FORCE" ]; then + REPLY="y" + else + read -r -p "Do you really want to delete $CLIENT_NAME? [Y/n] " + fi if [[ $REPLY =~ ^[Yy]$ ]]; then From 960a0848666fc90c67f88df686e23b76da1be0fb Mon Sep 17 00:00:00 2001 From: Rob Peters Date: Tue, 14 Jul 2020 13:27:40 +0200 Subject: [PATCH 061/114] Better list presentation --- scripts/openvpn/removeOVPN.sh | 2 +- scripts/wireguard/qrcodeCONF.sh | 2 +- scripts/wireguard/removeCONF.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/openvpn/removeOVPN.sh b/scripts/openvpn/removeOVPN.sh index d8e1061..475140a 100755 --- a/scripts/openvpn/removeOVPN.sh +++ b/scripts/openvpn/removeOVPN.sh @@ -63,7 +63,7 @@ if [[ -z "${CERTS_TO_REVOKE}" ]]; then i=1 len=${#CERTS[@]} while [ $i -le ${len} ]; do - printf "[%0${#len}s] %s\r\n" ${i} ${CERTS[(($i))]} + printf "%0${#len}s) %s\r\n" ${i} ${CERTS[(($i))]} ((i++)) done printf "\n" diff --git a/scripts/wireguard/qrcodeCONF.sh b/scripts/wireguard/qrcodeCONF.sh index 0000a69..6d980fe 100755 --- a/scripts/wireguard/qrcodeCONF.sh +++ b/scripts/wireguard/qrcodeCONF.sh 
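Review bot: `FORCE` is tested with `[ -n "$FORCE" ]` in the `@@ -68,7 +72,11 @@` hunk but never initialised, so, depending on how the wrapper invokes this script, a `FORCE` variable inherited from the caller's environment skips the confirmation prompt without the flag having been passed; initialise it (`FORCE=`) before the argument loop, or test the exact value the parser sets (`[ "$FORCE" = true ]`). The same pattern is introduced for `CONFIRM` by patch 062 and by removeOVPN.sh in patch 063 (`@@ -111,31 +115,38 @@`). The `[Y/n]` prompt also advertises "yes" as the default while `[[ $REPLY =~ ^[Yy]$ ]]` treats Enter as "no"; `[y/N]` would state the actual behaviour.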
@@ -40,7 +40,7 @@ if [ "${#CLIENTS_TO_SHOW[@]}" -eq 0 ]; then len=${#LIST[@]} COUNTER=1 while [ $COUNTER -le ${len} ]; do - printf "[%0${#len}s] %s\r\n" ${COUNTER} ${LIST[(($COUNTER-1))]} + printf "%0${#len}s) %s\r\n" ${COUNTER} ${LIST[(($COUNTER-1))]} ((COUNTER++)) done diff --git a/scripts/wireguard/removeCONF.sh b/scripts/wireguard/removeCONF.sh index 5cd325c..33967b9 100755 --- a/scripts/wireguard/removeCONF.sh +++ b/scripts/wireguard/removeCONF.sh @@ -48,7 +48,7 @@ if [ "${#CLIENTS_TO_REMOVE[@]}" -eq 0 ]; then len=${#LIST[@]} COUNTER=1 while [ $COUNTER -le ${len} ]; do - printf "[%0${#len}s] %s\r\n" ${COUNTER} ${LIST[(($COUNTER-1))]} + printf "%0${#len}s) %s\r\n" ${COUNTER} ${LIST[(($COUNTER-1))]} ((COUNTER++)) done From 92f900637e3b315d4fc5bf5dcd1ec0322f306380 Mon Sep 17 00:00:00 2001 From: gi8 Date: Thu, 16 Jul 2020 15:00:35 +0200 Subject: [PATCH 062/114] rename param -f|--force to -y|--yes --- scripts/wireguard/removeCONF.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/wireguard/removeCONF.sh b/scripts/wireguard/removeCONF.sh index 0b3aa06..61e7a35 100755 --- a/scripts/wireguard/removeCONF.sh +++ b/scripts/wireguard/removeCONF.sh @@ -12,12 +12,12 @@ source "${setupVars}" helpFunc(){ echo "::: Remove a client conf profile" echo ":::" - echo "::: Usage: pivpn <-r|remove> [-f|--force] [-h|--help] [] ... [] ..." + echo "::: Usage: pivpn <-r|remove> [-y|--yes] [-h|--help] [] ... [] ..." echo ":::" echo "::: Commands:" echo "::: [none] Interactive mode" echo "::: Client(s) to remove" - echo "::: -f,--force Remove Client(s) without confirmation" + echo "::: -y,--yes Remove Client(s) without confirmation" echo "::: -h,--help Show this help dialog" } @@ -30,8 +30,8 @@ do helpFunc exit 0 ;; - -f|--force) - FORCE=true + -yes|--yes) + CONFIRM=true ;; *) CLIENTS_TO_REMOVE+=("$1") 
@@ -72,7 +72,7 @@ for CLIENT_NAME in "${CLIENTS_TO_REMOVE[@]}"; do echo -e "::: \e[1m${CLIENT_NAME}\e[0m does not exist" else REQUESTED="$(sha256sum "configs/${CLIENT_NAME}.conf" | cut -c 1-64)" - if [ -n "$FORCE" ]; then + if [ -n "$CONFIRM" ]; then REPLY="y" else read -r -p "Do you really want to delete $CLIENT_NAME? [Y/n] " From aa297e5296caafd1a83d18a5827d45d59899d309 Mon Sep 17 00:00:00 2001 From: gi8 Date: Thu, 16 Jul 2020 15:01:27 +0200 Subject: [PATCH 063/114] add parameter to force remove profile --- scripts/openvpn/removeOVPN.sh | 57 +++++++++++++++++++++-------------- 1 file changed, 34 insertions(+), 23 deletions(-) diff --git a/scripts/openvpn/removeOVPN.sh b/scripts/openvpn/removeOVPN.sh index 4f79385..4d9296e 100755 --- a/scripts/openvpn/removeOVPN.sh +++ b/scripts/openvpn/removeOVPN.sh @@ -14,11 +14,12 @@ source "${setupVars}" helpFunc() { echo "::: Revoke a client ovpn profile" echo ":::" - echo "::: Usage: pivpn <-r|revoke> [-h|--help] [] ... [] ..." + echo "::: Usage: pivpn <-r|revoke> [-y|--yes] [-h|--help] [] ... [] ..." echo ":::" echo "::: Commands:" echo "::: [none] Interactive mode" echo "::: Client(s) to to revoke" + echo "::: -y,--yes Remove Client(s) without confirmation" echo "::: -h,--help Show this help dialog" } @@ -31,6 +32,9 @@ do helpFunc exit 0 ;; + -y|--yes) + CONFIRM=true + ;; *) CERTS_TO_REVOKE+=("$1") ;; 
@@ -111,31 +115,38 @@ fi cd /etc/openvpn/easy-rsa || exit for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do - printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}" - ./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}" - ./easyrsa gen-crl - printf "\n::: Certificate revoked, and CRL file updated.\n" - printf "::: Removing certs and client configuration for this profile.\n" - rm -rf "pki/reqs/${CERTS_TO_REVOKE[ii]}.req" - rm -rf "pki/private/${CERTS_TO_REVOKE[ii]}.key" - rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt" + if [ -n "$CONFIRM" ]; then + REPLY="y" + else + read -r -p "Do you really want to revoke ${CERTS_TO_REVOKE[ii]}? [Y/n] " + fi + if [[ $REPLY =~ ^[Yy]$ ]]; then + printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}" + ./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}" + ./easyrsa gen-crl + printf "\n::: Certificate revoked, and CRL file updated.\n" + printf "::: Removing certs and client configuration for this profile.\n" + rm -rf "pki/reqs/${CERTS_TO_REVOKE[ii]}.req" + rm -rf "pki/private/${CERTS_TO_REVOKE[ii]}.key" + rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt" - # Grab the client IP address - NET_REDUCED="${pivpnNET::-2}" - STATIC_IP=$(grep -v "^#" /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}" | grep -w ifconfig-push | grep -oE "${NET_REDUCED}\.[0-9]{1,3}") - rm -rf /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}" + # Grab the client IP address + NET_REDUCED="${pivpnNET::-2}" + STATIC_IP=$(grep -v "^#" /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}" | grep -w ifconfig-push | grep -oE "${NET_REDUCED}\.[0-9]{1,3}") + rm -rf /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}" - rm -rf "${install_home}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn" - rm -rf "/etc/openvpn/easy-rsa/pki/${CERTS_TO_REVOKE[ii]}.ovpn" - cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem + rm -rf "${install_home}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn" + rm -rf "/etc/openvpn/easy-rsa/pki/${CERTS_TO_REVOKE[ii]}.ovpn" + cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem 
- # If using Pi-hole, remove the client from the hosts file - if [ -f /etc/pivpn/hosts.openvpn ]; then - sed "\#${STATIC_IP} ${CERTS_TO_REVOKE[ii]}.pivpn#d" -i /etc/pivpn/hosts.openvpn - if killall -SIGHUP pihole-FTL; then - echo "::: Updated hosts file for Pi-hole" - else - echo "::: Failed to reload pihole-FTL configuration" + # If using Pi-hole, remove the client from the hosts file + if [ -f /etc/pivpn/hosts.openvpn ]; then + sed "\#${STATIC_IP} ${CERTS_TO_REVOKE[ii]}.pivpn#d" -i /etc/pivpn/hosts.openvpn + if killall -SIGHUP pihole-FTL; then + echo "::: Updated hosts file for Pi-hole" + else + echo "::: Failed to reload pihole-FTL configuration" + fi fi fi done From 689b77b73e3c5c5510630d99a13d5b7a0bcbabc2 Mon Sep 17 00:00:00 2001 From: giotto Date: Sun, 19 Jul 2020 21:46:18 +0200 Subject: [PATCH 064/114] lgtm Co-authored-by: Orazio --- scripts/wireguard/removeCONF.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/wireguard/removeCONF.sh b/scripts/wireguard/removeCONF.sh index 61e7a35..9f62a4d 100755 --- a/scripts/wireguard/removeCONF.sh +++ b/scripts/wireguard/removeCONF.sh @@ -30,7 +30,7 @@ do helpFunc exit 0 ;; - -yes|--yes) + -y|--yes) CONFIRM=true ;; *) From f72a531ce771e2e11d00d94553a02098bf924793 Mon Sep 17 00:00:00 2001 From: Orazio Date: Thu, 23 Jul 2020 11:07:19 +0200 Subject: [PATCH 065/114] Downloading the entire unattended upgrades git release was overkill, so now we simply copy the Raspbian config from the PiVPN repo and provide a link to the source in the install script. --- auto_install/install.sh | 17 +- .../apt.conf.d/50unattended-upgrades.Raspbian | 152 ++++++++++++++++++ 2 files changed, 156 insertions(+), 13 deletions(-) create mode 100644 files/etc/apt/apt.conf.d/50unattended-upgrades.Raspbian diff --git a/auto_install/install.sh b/auto_install/install.sh index b73f7ed..85f8f87 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
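Review bot: A reply other than `y`/`Y` makes the loop move on to the next certificate without any output, so a user who declines one of several names gets no confirmation that it was left untouched; add an `else` branch before the closing `fi`, `echo "::: Skipping ${CERTS_TO_REVOKE[ii]}"`. Since `./easyrsa gen-crl` and the `cp` of `crl.pem` now run once per confirmed certificate, a comment noting that earlier revocations in the same run stay committed when a later one is declined would make the behaviour explicit for the next maintainer.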
@@ -51,10 +51,6 @@ INSTALLED_PACKAGES=() easyrsaVer="3.0.7" easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz" -# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config -UNATTUPG_RELEASE="2.4" -UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz" - # Fallback url for the OpenVPN key OPENVPN_KEY_URL="https://swupdate.openvpn.net/repos/repo-public.gpg" @@ -2232,7 +2228,7 @@ confUnattendedUpgrades(){ local PIVPN_DEPS PIVPN_DEPS=(unattended-upgrades) installDependentPackages PIVPN_DEPS[@] - aptConfDir="/etc/apt/apt.conf.d" + aptConfDir="/etc/apt/apt.conf.d" if [ "$PLAT" = "Ubuntu" ]; then @@ -2245,15 +2241,10 @@ confUnattendedUpgrades(){ else - # Fix Raspbian config + # Raspbian's unattended-upgrades package downloads Debian's config, so we copy over the proper config + # Source: https://github.com/mvo5/unattended-upgrades/blob/master/data/50unattended-upgrades.Raspbian if [ "$PLAT" = "Raspbian" ]; then - wget -qO- "$UNATTUPG_CONFIG" | $SUDO tar xz --directory "${aptConfDir}" "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" --strip-components 2 - if test -s "${aptConfDir}/50unattended-upgrades.Raspbian"; then - $SUDO mv "${aptConfDir}/50unattended-upgrades.Raspbian" "${aptConfDir}/50unattended-upgrades" - else - echo "$0: ERR: Failed to download \"50unattended-upgrades.Raspbian\"." - exit 1 - fi + $SUDO install -m 644 "${pivpnFilesDir}/files${aptConfDir}/50unattended-upgrades.Raspbian" "${aptConfDir}/50unattended-upgrades" fi # Add the remaining settings for all other distributions diff --git a/files/etc/apt/apt.conf.d/50unattended-upgrades.Raspbian b/files/etc/apt/apt.conf.d/50unattended-upgrades.Raspbian new file mode 100644 index 0000000..b255343 --- /dev/null +++ b/files/etc/apt/apt.conf.d/50unattended-upgrades.Raspbian 
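Review bot: The replacement `$SUDO install -m 644 "${pivpnFilesDir}/files${aptConfDir}/50unattended-upgrades.Raspbian" "${aptConfDir}/50unattended-upgrades"` drops the failure handling the removed code had (`test -s ... || exit 1`): if the file is missing from the checkout, `install` prints an error and, unless the script runs under `set -e` (not visible here), the installer continues with whatever config the package shipped, which the comment says is Debian's and so would likely match nothing on Raspbian. Keep the hard failure, e.g. `... || { echo "$0: ERR: Failed to install \"50unattended-upgrades.Raspbian\"."; exit 1; }`. Copying the vendored file out of the repository is otherwise a good change, since the old path piped an unverified GitHub tarball straight into `tar` under sudo. confUnattendedUpgrades() begins before this hunk and continues after it.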
@@ -0,0 +1,152 @@ +// Unattended-Upgrade::Origins-Pattern controls which packages are +// upgraded. +// +// Lines below have the format "keyword=value,...". A +// package will be upgraded only if the values in its metadata match +// all the supplied keywords in a line. (In other words, omitted +// keywords are wild cards.) The keywords originate from the Release +// file, but several aliases are accepted. The accepted keywords are: +// a,archive,suite (eg, "stable") +// c,component (eg, "main", "contrib", "non-free") +// l,label (eg, "Rapsbian", "Raspbian") +// o,origin (eg, "Raspbian", "Unofficial Multimedia Packages") +// n,codename (eg, "jessie", "jessie-updates") +// site (eg, "http.debian.net") +// The available values on the system are printed by the command +// "apt-cache policy", and can be debugged by running +// "unattended-upgrades -d" and looking at the log file. +// +// Within lines unattended-upgrades allows 2 macros whose values are +// derived from /etc/debian_version: +// ${distro_id} Installed origin. +// ${distro_codename} Installed codename (eg, "jessie") +Unattended-Upgrade::Origins-Pattern { + // Codename based matching: + // This will follow the migration of a release through different + // archives (e.g. from testing to stable and later oldstable). +// "o=Raspbian,n=jessie"; +// "o=Raspbian,n=jessie-updates"; +// "o=Raspbian,n=jessie-proposed-updates"; +// "o=Raspbian,n=jessie,l=Raspbian"; + + // Archive or Suite based matching: + // Note that this will silently match a different release after + // migration to the specified archive (e.g. testing becomes the + // new stable). +// "o=Raspbian,a=stable"; +// "o=Raspbian,a=testing"; + "origin=Raspbian,codename=${distro_codename},label=Raspbian"; + + // Additionally, for those running Raspbian on a Raspberry Pi, + // match packages from the Raspberry Pi Foundation as well. 
+ "origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation"; +}; + +// Python regular expressions, matching packages to exclude from upgrading +Unattended-Upgrade::Package-Blacklist { + // The following matches all packages starting with linux- +// "linux-"; + + // Use $ to explicitely define the end of a package name. Without + // the $, "libc6" would match all of them. +// "libc6$"; +// "libc6-dev$"; +// "libc6-i686$"; + + // Special characters need escaping +// "libstdc\+\+6$"; + + // The following matches packages like xen-system-amd64, xen-utils-4.1, + // xenstore-utils and libxenstore3.0 +// "(lib)?xen(store)?"; + + // For more information about Python regular expressions, see + // https://docs.python.org/3/howto/regex.html +}; + +// This option allows you to control if on a unclean dpkg exit +// unattended-upgrades will automatically run +// dpkg --force-confold --configure -a +// The default is true, to ensure updates keep getting installed +//Unattended-Upgrade::AutoFixInterruptedDpkg "true"; + +// Split the upgrade into the smallest possible chunks so that +// they can be interrupted with SIGTERM. This makes the upgrade +// a bit slower but it has the benefit that shutdown while a upgrade +// is running is possible (with a small delay) +//Unattended-Upgrade::MinimalSteps "true"; + +// Install all updates when the machine is shutting down +// instead of doing it in the background while the machine is running. +// This will (obviously) make shutdown slower. +// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s. +// This allows more time for unattended-upgrades to shut down gracefully +// or even install a few packages in InstallOnShutdown mode, but is still a +// big step back from the 30 minutes allowed for InstallOnShutdown previously. +// Users enabling InstallOnShutdown mode are advised to increase +// InhibitDelayMaxSec even further, possibly to 30 minutes. 
+//Unattended-Upgrade::InstallOnShutdown "false"; + +// Send email to this address for problems or packages upgrades +// If empty or unset then no email is sent, make sure that you +// have a working mail setup on your system. A package that provides +// 'mailx' must be installed. E.g. "user@example.com" +//Unattended-Upgrade::Mail ""; + +// Set this value to one of: +// "always", "only-on-error" or "on-change" +// If this is not set, then any legacy MailOnlyOnError (boolean) value +// is used to chose between "only-on-error" and "on-change" +//Unattended-Upgrade::MailReport "on-change"; + +// Remove unused automatically installed kernel-related packages +// (kernel images, kernel headers and kernel version locked tools). +//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; + +// Do automatic removal of newly unused dependencies after the upgrade +//Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; + +// Do automatic removal of unused packages after the upgrade +// (equivalent to apt-get autoremove) +//Unattended-Upgrade::Remove-Unused-Dependencies "false"; + +// Automatically reboot *WITHOUT CONFIRMATION* if +// the file /var/run/reboot-required is found after the upgrade +//Unattended-Upgrade::Automatic-Reboot "false"; + +// Automatically reboot even if there are users currently logged in +// when Unattended-Upgrade::Automatic-Reboot is set to true +//Unattended-Upgrade::Automatic-Reboot-WithUsers "true"; + +// If automatic reboot is enabled and needed, reboot at the specific +// time instead of immediately +// Default: "now" +//Unattended-Upgrade::Automatic-Reboot-Time "02:00"; + +// Use apt bandwidth limit feature, this example limits the download +// speed to 70kb/sec +//Acquire::http::Dl-Limit "70"; + +// Enable logging to syslog. Default is False +// Unattended-Upgrade::SyslogEnable "false"; + +// Specify syslog facility. 
Default is daemon +// Unattended-Upgrade::SyslogFacility "daemon"; + +// Download and install upgrades only on AC power +// (i.e. skip or gracefully stop updates on battery) +// Unattended-Upgrade::OnlyOnACPower "true"; + +// Download and install upgrades only on non-metered connection +// (i.e. skip or gracefully stop updates on a metered connection) +// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true"; + +// Verbose logging +// Unattended-Upgrade::Verbose "false"; + +// Print debugging information both in unattended-upgrades and +// in unattended-upgrade-shutdown +// Unattended-Upgrade::Debug "false"; + +// Allow package downgrade if Pin-Priority exceeds 1000 +// Unattended-Upgrade::Allow-downgrade "false"; From 5b2bc9ba70a24250246da8c942a31e123a431096 Mon Sep 17 00:00:00 2001 From: Orazio Date: Thu, 23 Jul 2020 11:41:59 +0200 Subject: [PATCH 066/114] Set Pi-hole to "Listen on all interfaces, permit all origins" when using it as DNS for the VPN - Letting dnsmasq additionally listen on a specific VPN interface when Pi-hole is listening on the physical interface only may be more secure than letting dnsmasq listen on all interfaces, however, dnsmasq will stop listening on the physical interface (breaking LAN resolution) if the user changes the listening behavior at a later time. For the target audience of PiVPN, it is more likely that users will set the listening behavior to all when deciding to use Pi-hole via VPN (which is suggested in the Pi-hole guide and most guides on the web), instead of digging into configuration file. This option is safe if the Raspberry Pi is inside the local network and the user has not forwarded port 53 on their router, which is unlikely as they are installing PiVPN precisely to avoid doing that. --- auto_install/install.sh | 20 ++++---------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 85f8f87..2b7b157 100755 --- a/auto_install/install.sh 
+++ b/auto_install/install.sh @@ -1475,18 +1475,10 @@ askClientDNS(){ # Then create an empty hosts file or clear if it exists. $SUDO bash -c "> /etc/pivpn/hosts.$VPN" - # If the listening behavior is "Listen only on interface whatever", which is the - # default, tell dnsmasq to listen on the VPN interface as well. Other listening - # behaviors are permissive enough. - - # Source in a subshell to prevent overwriting script's variables - DNSMASQ_LISTENING="$(source "$piholeSetupVars" && echo "${DNSMASQ_LISTENING}")" - - # $DNSMASQ_LISTENING is not set if you never edit/save settings in the DNS page, - # so if the variable is empty, we still add the 'interface=' directive. - if [ -z "${DNSMASQ_LISTENING}" ] || [ "${DNSMASQ_LISTENING}" = "single" ]; then - echo "interface=$pivpnDEV" | $SUDO tee -a "$dnsmasqConfig" > /dev/null - fi + # Set Pi-hole to "Listen on all interfaces, permit all origins" to allow dnsmasq + # to listen on the VPN interface as well. This setting matches what's suggested + # in the official guide: https://docs.pi-hole.net/guides/vpn/dual-operation + $SUDO pihole -a -i all # Use the Raspberry Pi VPN IP as DNS server. pivpnDNS1="$vpnGw" @@ -2191,10 +2183,6 @@ restartServices(){ fi ;; esac - - if [ -f "$dnsmasqConfig" ]; then - $SUDO pihole restartdns - fi } askUnattendedUpgrades(){ From 0200ce545cf218ed76d8c2811aedadc466221813 Mon Sep 17 00:00:00 2001 From: Orazio Date: Thu, 23 Jul 2020 14:08:06 +0200 Subject: [PATCH 067/114] When asking the user to upgrade the system, show the kernel package version instead of the kernel version. --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 2b7b157..0a24d16 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
@@ -1229,7 +1229,7 @@ installWireGuard(){
 echo "::: curl -L https://install.pivpn.io | bash"
 exit 1
 else
- if (whiptail --title "Install WireGuard" --yesno "Your Raspberry Pi is running kernel $(uname -r), which is not the latest.\n\nInstalling WireGuard requires the latest kernel, so to continue, first you need to upgrade all packages, then reboot, and then run the script again.\n\nProceed to the upgrade?" ${r} ${c}); then
+ if (whiptail --title "Install WireGuard" --yesno "Your Raspberry Pi is running kernel package ${INSTALLED_KERNEL}, however the latest version is ${CANDIDATE_KERNEL}.\n\nInstalling WireGuard requires the latest kernel, so to continue, first you need to upgrade all packages, then reboot, and then run the script again.\n\nProceed to the upgrade?" ${r} ${c}); then
 if command -v debconf-apt-progress &> /dev/null; then
 # shellcheck disable=SC2086
 $SUDO debconf-apt-progress -- ${PKG_MANAGER} upgrade -y
From 85478aaea02ff5168c66c7a10001f486ba59251f Mon Sep 17 00:00:00 2001
From: Orazio
Date: Thu, 23 Jul 2020 14:50:59 +0200
Subject: [PATCH 068/114] Disallow integers as client names to avoid ambiguity when removing a client by index.

---
 scripts/openvpn/makeOVPN.sh | 5 +++++
 scripts/wireguard/makeCONF.sh | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/scripts/openvpn/makeOVPN.sh b/scripts/openvpn/makeOVPN.sh
index 5300a2b..b03af64 100755
--- a/scripts/openvpn/makeOVPN.sh
+++ b/scripts/openvpn/makeOVPN.sh
@@ -248,6 +248,11 @@ if [[ "${NAME}" =~ [^a-zA-Z0-9.@_-] ]]; then
 exit 1
 fi
 
+if [[ "${NAME}" =~ ^[0-9]+$ ]]; then
+ echo "Names cannot be integers."
+ exit 1
+fi
+
 if [[ -z "${NAME}" ]]; then
 echo "You cannot leave the name blank."
 exit 1
diff --git a/scripts/wireguard/makeCONF.sh b/scripts/wireguard/makeCONF.sh
index e919e4a..e0669b8 100755
--- a/scripts/wireguard/makeCONF.sh
+++ b/scripts/wireguard/makeCONF.sh
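Review bot: The new integer check closes one ambiguity, but the character whitelist on the preceding line (`[^a-zA-Z0-9.@_-]`) still accepts names such as `-foo`, `.` or `..`, which are handed to easyrsa and later used to build paths like `pki/private/${NAME}.key` and, in removeOVPN.sh elsewhere on this page, `rm -rf /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}"`; a leading `-` may be parsed as an option by the receiving tool and `..` would collapse that ccd path onto its parent, if such a name can ever be issued (I cannot confirm easyrsa's behaviour from here). A companion guard right after the new block is cheap: `if [[ "${NAME}" =~ ^[.-] ]]; then echo "Names cannot start with '.' or '-'."; exit 1; fi`. Ordering the integer test before the blank-name test is harmless since an empty string does not match `^[0-9]+$`, but a one-line comment saying the two checks are independent would help the next reader.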
@@ -64,6 +64,11 @@ if [[ "${CLIENT_NAME}" =~ [^a-zA-Z0-9.@_-] ]]; then exit 1 fi +if [[ "${CLIENT_NAME}" =~ ^[0-9]+$ ]]; then + echo "Names cannot be integers." + exit 1 +fi + if [ -z "${CLIENT_NAME}" ]; then echo "::: You cannot leave the name blank." exit 1 From 5602922c24e47be6e09c159a2b4e979e5738da05 Mon Sep 17 00:00:00 2001 From: Orazio Date: Thu, 23 Jul 2020 16:05:14 +0200 Subject: [PATCH 069/114] Update README.md --- README.md | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index d506f9f..f740e97 100644 --- a/README.md +++ b/README.md @@ -56,22 +56,17 @@ Installation curl -L https://install.pivpn.io | bash ``` -**Method 2** +**Method 2 (direct link)** ```Shell -curl -L https://install.pivpn.io > pivpn.sh -sudo bash pivpn.sh +curl -L https://raw.githubusercontent.com/pivpn/pivpn/master/auto_install/install.sh | bash ``` -**Method 3** +**Method 3 (clone repo)** ```Shell git clone https://github.com/pivpn/pivpn.git -sudo bash pivpn/auto_install/install.sh +bash pivpn/auto_install/install.sh ``` -**OBS:** -In alternative to install.pivpn.io you can use the raw github link: -https://raw.githubusercontent.com/pivpn/pivpn/master/auto_install/install.sh - **To install from Test/Development branch** Check our [Wiki Page](https://github.com/pivpn/pivpn/wiki#testing) 
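Review bot: The new message `echo "Names cannot be integers."` does not carry the `::: ` prefix used by the neighbouring diagnostics in this script (`::: You cannot leave the name blank.`), so it will stand out in the installer's output; `echo "::: Names cannot be integers."` keeps the style consistent. The same whitelist caveat applies here as in makeOVPN.sh: `[^a-zA-Z0-9.@_-]` still admits names beginning with `-` or consisting only of dots, so a guard such as `if [[ "${CLIENT_NAME}" =~ ^[.-] ]]; then echo "::: Names cannot start with '.' or '-'."; exit 1; fi` would be worth adding alongside this one.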
@@ -80,7 +75,9 @@ Check our [Wiki Page](https://github.com/pivpn/pivpn/wiki#testing) The script will first update your APT repositories, upgrade packages, and install WireGuard (default) or OpenVPN, which will take some time. -It will ask which authentication method you wish the guts of your server to use. If you go for WireGuard, you don't get to choose: you will use a Curve25519 public key, which provides 128-bit security. On the other end, if you prefer OpenVPN, you can choose between a 2048-bit, 3072-bit, or 4096-bit RSA certificate. If you're unsure or don't have a convincing reason one way or the other I'd use 2048 today (provides 112-bit security). +It will ask which authentication method you wish the guts of your server to use. If you go for WireGuard, you don't get to choose: you will use a Curve25519 public key, which provides 128-bit security. On the other end, if you prefer OpenVPN, default settings will generate ECDSA certificates, which are based on Elliptic Curves, allowing much smaller keys while providing an equivalent security level to traditional RSA (256 bit long, equivalent to 3072 bit RSA). You can also use 384-bit and 521-bit, even though they are quite overkill. + +If you decide to customize settings, you will still be able to use RSA certificates if you need backward compatibility with older gear. You can choose between a 2048-bit, 3072-bit, or 4096-bit certificate. If you're unsure or don't have a convincing reason one way or the other I'd use 2048 today (provides 112-bit security). From the OpenVPN site: 
@@ -88,11 +85,12 @@ From the OpenVPN site: > Up to 4096-bit is accepted by nearly all RSA systems (including OpenVPN), but use of keys this large will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations; the benefit beyond 2048-bit keys is small enough not to be of great use at the current time. It is often a larger benefit to consider lower validity times than more bits past 2048, but that is for you to decide. + After this, the script will go back to the command line as it builds the server's own certificate authority (OpenVPN only). The script will ask you if you'd like to change the default port, protocol, client's DNS server, etc. If you know you want to change these things, feel free, and the script will put all the information where it needs to go in the various config files. If you aren't sure, it has been designed that you can simply hit 'Enter' through all the questions and have a working configuration at the end. -Finally, the script will take some time to build the server's Diffie-Hellman key exchange (OpenVPN only). If you chose 2048-bit encryption, it will take about 40 minutes on a Model B+, and several hours if you choose a larger size. +Finally, if you are using RSA, the script will take some time to build the server's Diffie-Hellman key exchange (OpenVPN only). If you chose 2048-bit encryption, it will take about 40 minutes on a Model B+, and several hours if you choose a larger size. The script will also make some changes to your system to allow it to forward internet traffic and allow VPN connections through the Pi's firewall. When the script informs you that it has finished configuring PiVPN, it will ask if you want to reboot. I have it where you do not need to reboot when done but it also can't hurt. From 4fc2fbf0efda9bd6c7aff65a0ac3c2dd50fc7a5d Mon Sep 17 00:00:00 2001 
From: Orazio Date: Thu, 23 Jul 2020 16:38:58 +0200 Subject: [PATCH 070/114] Redirect is not required when using direct link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f740e97..5366518 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,7 @@ curl -L https://install.pivpn.io | bash **Method 2 (direct link)** ```Shell -curl -L https://raw.githubusercontent.com/pivpn/pivpn/master/auto_install/install.sh | bash +curl https://raw.githubusercontent.com/pivpn/pivpn/master/auto_install/install.sh | bash ``` **Method 3 (clone repo)** From 139f16594d41ab49991c1307ec7399ec60d09db7 Mon Sep 17 00:00:00 2001 From: Orazio Date: Fri, 24 Jul 2020 14:44:59 +0200 Subject: [PATCH 071/114] Allowing queries only from the local subnet is enough for the functionality of PiVPN. From the man page of dnsmasq: --local-service Accept DNS queries only from hosts whose address is on a local subnet, ie a subnet for which an interface exists on the server. This option only has effect if there are no --interface, --except-interface, --listen-address or --auth-server options. It is intended to be set as a default on installation, to allow unconfigured installations to be useful but also safe from being used for DNS amplification attacks. --- auto_install/install.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 0a24d16..3fc82fb 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
@@ -1475,10 +1475,10 @@ askClientDNS(){ # Then create an empty hosts file or clear if it exists. $SUDO bash -c "> /etc/pivpn/hosts.$VPN" - # Set Pi-hole to "Listen on all interfaces, permit all origins" to allow dnsmasq - # to listen on the VPN interface as well. This setting matches what's suggested - # in the official guide: https://docs.pi-hole.net/guides/vpn/dual-operation - $SUDO pihole -a -i all + # Setting Pi-hole to "Listen on all interfaces" allows dnsmasq to listen on the + # VPN interface while permitting queries only from hosts whose address is on + # the LAN and VPN subnets. + $SUDO pihole -a -i local # Use the Raspberry Pi VPN IP as DNS server. pivpnDNS1="$vpnGw" From 32bd1c628af9e1926f3f4471c0bf49c74deff7c7 Mon Sep 17 00:00:00 2001 From: Orazio Date: Fri, 24 Jul 2020 18:52:57 +0200 Subject: [PATCH 072/114] Update LatestUpdate.md --- LatestUpdate.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/LatestUpdate.md b/LatestUpdate.md index 26b01df..01fba5a 100644 --- a/LatestUpdate.md +++ b/LatestUpdate.md @@ -5,6 +5,12 @@ patch release notes. Everytime Test branch is merged into master, a new entry should be created with the date and changes being merged. +## Jul 24th 2020 + +- Added ability to remove client by index. For example, when the user is presented with '2) phone' he can remove the client by typing either '2' or 'phone'. +- Added ability to remove a client non-interactively with 'pivpn -r phone -y'. +- When choosing to use Pi-hole, do not whitelist the specific VPN interface. Instead, use Pi-hole's built-in command 'pihole -a -i local' to allow listening from on the VPN interface. DNS resolution on the LAN shouldn't break anymore in some circumstances if the user changes Pi-hole's listening behavior after installing PiVPN. + ## Jun 9th 2020 - Dual VPN mode, use both WireGuard and OpenVPN by running the installer script over an existing installation. From 6099ea34ca51e52cf57bbd931eea8040b760290a Mon Sep 17 00:00:00 2001 
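Review bot: The new comment promises that queries are accepted only from the LAN and VPN subnets, but that property comes from dnsmasq's `local-service`, which (as the commit message itself quotes) has no effect if any `interface=`, `except-interface`, `listen-address` or `auth-server` directive is present; the code this replaces used to write `interface=$pivpnDEV` into `$dnsmasqConfig`, so on a Reconfigure/Repair of an older install a stale directive may remain (whether that file is cleared elsewhere is not visible here) and the listening behaviour would then be dictated by the leftover line rather than by this setting. Consider removing the old directive before switching modes, e.g. `[ -f "$dnsmasqConfig" ] && $SUDO sed -i "/^interface=${pivpnDEV}$/d" "$dnsmasqConfig"`, and checking the exit status of `$SUDO pihole -a -i local`, which is currently ignored. The comment should also say that this maps to dnsmasq `--local-service` and relies on port 53 not being forwarded from the router, as the earlier commit message on this page already explains. askClientDNS() begins before this hunk and continues after it.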
From: stevoh6
Date: Mon, 31 Aug 2020 21:24:47 +0200
Subject: [PATCH 073/114] Add Ubuntu 20.04 (Focal Fossa) into supported OS

---
 auto_install/install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/auto_install/install.sh b/auto_install/install.sh
index 3fc82fb..a2e8b1d 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -269,7 +269,7 @@ distroCheck(){
 source /etc/os-release
 PLAT=$(awk '{print $1}' <<< "$NAME")
 VER="$VERSION_ID"
- declare -A VER_MAP=(["9"]="stretch" ["10"]="buster" ["16.04"]="xenial" ["18.04"]="bionic")
+ declare -A VER_MAP=(["9"]="stretch" ["10"]="buster" ["16.04"]="xenial" ["18.04"]="bionic" ["20.04"]="focal")
 OSCN=${VER_MAP["${VER}"]}
 fi
@@ -285,7 +285,7 @@ distroCheck(){
 case ${PLAT} in
 Debian|Raspbian|Ubuntu)
 case ${OSCN} in
- buster|xenial|bionic|stretch)
+ buster|xenial|bionic|stretch|focal)
 :
 ;;
 *)
From d3992b3ff9f55204955e3d38ad1608b98f3bbbf3 Mon Sep 17 00:00:00 2001
From: stevoh6
Date: Thu, 3 Sep 2020 12:39:26 +0200
Subject: [PATCH 074/114] WireGuard on arm with Ubuntu 20.04 Focal Fosa

Allow install WireGuard on arm devices with Ubuntu 20.04 Focal Fosa
---
 auto_install/install.sh | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/auto_install/install.sh b/auto_install/install.sh
index a2e8b1d..d739fed 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -16,7 +16,7 @@ pivpnGitUrl="https://github.com/pivpn/pivpn.git"
 #pivpnGitUrl="/home/pi/repos/pivpn"
 setupVarsFile="setupVars.conf"
-setupConfigDir="/etc/pivpn"
+setupConfigDir="/etc/pivpn"
 tempsetupVarsFile="/tmp/setupVars.conf"
 pivpnFilesDir="/usr/local/src/pivpn"
 pivpnScriptDir="/opt/pivpn"
@@ -129,9 +129,9 @@ main(){ setupVars="${setupConfigDir}/wireguard/${setupVarsFile}" elif [ -r "${setupConfigDir}/openvpn/${setupVarsFile}" ]; then setupVars="${setupConfigDir}/openvpn/${setupVarsFile}" - fi + fi - if [ -r "$setupVars" ]; then + if [ -r "$setupVars" ]; then if [[ "${reconfigure}" == true ]]; then echo "::: --reconfigure passed to install script, will reinstall PiVPN overwriting existing settings" UpdateCmd="Reconfigure" @@ -150,7 +150,7 @@ main(){ exit 0 elif [ "$UpdateCmd" = "Repair" ]; then # shellcheck disable=SC1090 - source "$setupVars" + source "$setupVars" runUnattended=true fi @@ -219,7 +219,7 @@ main(){ echo "INSTALLED_PACKAGES=(${INSTALLED_PACKAGES[*]})" >> ${tempsetupVarsFile} echo "::: Setupfiles copied to ${setupConfigDir}/${VPN}/${setupVarsFile}" $SUDO mkdir "${setupConfigDir}/${VPN}/" - $SUDO cp ${tempsetupVarsFile} "${setupConfigDir}/${VPN}/${setupVarsFile}" + $SUDO cp ${tempsetupVarsFile} "${setupConfigDir}/${VPN}/${setupVarsFile}" installScripts @@ -1068,7 +1068,8 @@ installPiVPN(){ askWhichVPN(){ if [ "${runUnattended}" = 'true' ]; then - if [ "$PLAT" = "Raspbian" ] || [ "$X86_SYSTEM" -eq 1 ]; then + # [ "$OSCN" = "focal" ] > WireGuard is supported in Ubuntu 20.04 on all architectures + if [ "$PLAT" = "Raspbian" ] || [ "$OSCN" = "focal" ] || [ "$X86_SYSTEM" -eq 1 ]; then if [ -z "$VPN" ]; then echo ":: No VPN protocol specified, using WireGuard" VPN="wireguard" 
@@ -1098,7 +1099,8 @@ askWhichVPN(){
 fi
 fi
 else
- if [ "$PLAT" = "Raspbian" ] || [ "$X86_SYSTEM" -eq 1 ]; then
+ # [ "$OSCN" = "focal" ] > WireGuard is supported in Ubuntu 20.04 on all architectures
+ if [ "$PLAT" = "Raspbian" ] || [ "$OSCN" = "focal" ] || [ "$X86_SYSTEM" -eq 1 ]; then
 chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "WireGuard is a new kind of VPN that provides near-instantaneous connection speed, high performance, and modern cryptography.\\n\\nIt's the recommended choice especially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\\n\\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol or if you need features like TCP and custom search domain.\\n\\nChoose a VPN (press space to select):" "${r}" "${c}" 2)
 
 VPNChooseOptions=(WireGuard "" on OpenVPN "" off)
From 5c26782925e981012c763208de31a9a58b0193cc Mon Sep 17 00:00:00 2001
From: Ludwig Lautenbacher
Date: Thu, 10 Sep 2020 14:55:35 +0200
Subject: [PATCH 075/114] Showing expired certificates as such.

---
 scripts/openvpn/listOVPN.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/scripts/openvpn/listOVPN.sh b/scripts/openvpn/listOVPN.sh
index c87ecfd..55826c6 100755
--- a/scripts/openvpn/listOVPN.sh
+++ b/scripts/openvpn/listOVPN.sh
@@ -8,6 +8,8 @@ if [ ! -f "${INDEX}" ]; then
 exit 1
 fi
 
+/etc/openvpn/easy-rsa/easyrsa update-db >> /var/log/easyrsa_update-db.log 2>1
+
 printf ": NOTE : The first entry should always be your valid server!\n"
 printf "\\n"
 printf "\\e[1m::: Certificate Status List :::\\e[0m\\n"
@@ -23,6 +25,8 @@ while read -r line || [ -n "$line" ]; do
 printf "Valid \t %s \t %s\\n" "$NAME" "$EXPD"
 elif [ "${STATUS}" == "R" ]; then
 printf "Revoked \t %s \t %s\\n" "$NAME" "$EXPD"
+ elif [ "${STATUS}" == "E" ]; then
+ printf " Expired :: %s\n" "$NAME"
 else
 printf "Unknown \t %s \t %s\\n" "$NAME" "$EXPD"
 fi
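Review bot: `2>1` on the new `easyrsa update-db` line redirects stderr to a file literally named `1` in the current directory instead of to stdout; it should be `2>&1`. This also turns a read-only listing into a command that rewrites the CA's index.txt and appends to a log under /var/log (typically root-writable) on every run, and whether `pivpn -l` always has the privileges for that is not visible here, so a failure would be silent; consider `if ! /etc/openvpn/easy-rsa/easyrsa update-db >> /var/log/easyrsa_update-db.log 2>&1; then echo "::: Failed to update certificate database"; fi`. The new `Expired` branch also breaks the column layout of the neighbouring lines and drops `$EXPD`; `printf "Expired \t %s \t %s\\n" "$NAME" "$EXPD"` keeps the table consistent. The while loop this lands in starts and ends outside the hunk.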
From 551af5f351e3d5c27faecee9cba7f80cad8d64e9 Mon Sep 17 00:00:00 2001
From: Orazio
Date: Mon, 14 Sep 2020 12:25:31 +0200
Subject: [PATCH 076/114] Improved OpenVPN and WireGuard availability detection

---
 auto_install/install.sh | 172 +++++++++++++++++++++++-----------------
 scripts/uninstall.sh | 19 ++---
 2 files changed, 111 insertions(+), 80 deletions(-)

diff --git a/auto_install/install.sh b/auto_install/install.sh
index d739fed..0b261c5 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -273,19 +273,10 @@ distroCheck(){
 OSCN=${VER_MAP["${VER}"]}
 fi
 
- if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
- DPKG_ARCH="$(dpkg --print-architecture)"
- if [ "$DPKG_ARCH" = "amd64" ] || [ "$DPKG_ARCH" = "i386" ]; then
- X86_SYSTEM=1
- else
- X86_SYSTEM=0
- fi
- fi
-
 case ${PLAT} in
 Debian|Raspbian|Ubuntu)
 case ${OSCN} in
- buster|xenial|bionic|stretch|focal)
+ stretch|buster|xenial|bionic|focal)
 :
 ;;
 *)
@@ -464,6 +455,61 @@ preconfigurePackages(){
 BASE_DEPS+=(dhcpcd5)
 fi
 
+ AVAILABLE_OPENVPN="$(apt-cache policy openvpn | grep -m1 'Candidate: ' | grep -v '(none)' | awk '{print $2}')"
+ DPKG_ARCH="$(dpkg --print-architecture)"
+ NEED_OPENVPN_REPO=0
+
+ # We require OpenVPN 2.4 or later for ECC support. If not available in the
+ # repositories but we are running x86 Debian or Ubuntu, add the official repo
+ # which provides the updated package.
+ if [ -n "$AVAILABLE_OPENVPN" ] && dpkg --compare-versions "$AVAILABLE_OPENVPN" ge 2.4; then
+ OPENVPN_SUPPORT=1
+ else
+ if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
+ if [ "$DPKG_ARCH" = "amd64" ] || [ "$DPKG_ARCH" = "i386" ]; then
+ NEED_OPENVPN_REPO=1
+ OPENVPN_SUPPORT=1
+ else
+ OPENVPN_SUPPORT=0
+ fi
+ else
+ OPENVPN_SUPPORT=0
+ fi
+ fi
+
+ AVAILABLE_WIREGUARD="$(apt-cache policy wireguard | grep -m1 'Candidate: ' | grep -v '(none)' | awk '{print $2}')"
+ WIREGUARD_BUILTIN=0
+ NEED_WIREGUARD_REPO=0
+
+ if [ -n "$AVAILABLE_WIREGUARD" ]; then
+ if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
+ # If a wireguard kernel object is found and is part of any installed package, then
+ # it has not been build via DKMS or manually (installing via wireguard-dkms does not
+ # make the module part of the package since the module itself is built at install time
+ # and not part of the .deb).
+ # Source: https://github.com/MichaIng/DietPi/blob/7bf5e1041f3b2972d7827c48215069d1c90eee07/dietpi/dietpi-software#L1807-L1815
+ for i in /lib/modules/*/kernel/net/wireguard/wireguard.ko; do
+ [[ -f $i ]] || continue
+ dpkg-query -S "$i" &> /dev/null || continue
+ WIREGUARD_BUILTIN=1
+ break
+ done
+ fi
+ WIREGUARD_SUPPORT=1
+ else
+ if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Raspbian" ]; then
+ NEED_WIREGUARD_REPO=1
+ WIREGUARD_SUPPORT=1
+ else
+ WIREGUARD_SUPPORT=0
+ fi
+ fi
+
+ if [ "$OPENVPN_SUPPORT" -eq 0 ] && [ "$WIREGUARD_SUPPORT" -eq 0 ]; then
+ echo "::: Neither OpenVPN nor WireGuard are available to install by PiVPN, exiting..."
+ exit 1
+ fi
+
 # if ufw is enabled, configure that.
 # running as root because sometimes the executable is not in the user's $PATH
 if $SUDO bash -c 'command -v ufw' > /dev/null; then
@@ -1068,8 +1114,7 @@ installPiVPN(){
 
 askWhichVPN(){
 if [ "${runUnattended}" = 'true' ]; then
- # [ "$OSCN" = "focal" ] > WireGuard is supported in Ubuntu 20.04 on all architectures
- if [ "$PLAT" = "Raspbian" ] || [ "$OSCN" = "focal" ] || [ "$X86_SYSTEM" -eq 1 ]; then
+ if [ "$WIREGUARD_SUPPORT" -eq 1 ]; then
 if [ -z "$VPN" ]; then
 echo ":: No VPN protocol specified, using WireGuard"
 VPN="wireguard"
@@ -1084,7 +1129,7 @@ askWhichVPN(){
 exit 1
 fi
 fi
- elif [ "$X86_SYSTEM" -eq 0 ]; then
+ else
 if [ -z "$VPN" ]; then
 echo ":: No VPN protocol specified, using OpenVPN"
 VPN="openvpn"
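Review bot: The module probe `for i in /lib/modules/*/kernel/net/wireguard/wireguard.ko` only matches uncompressed modules, so on kernels that ship `wireguard.ko.xz` (or `.zst`) `WIREGUARD_BUILTIN` stays 0 even though the module is packaged; `wireguard.ko*` in the glob covers both (how `WIREGUARD_BUILTIN` is consumed is outside this hunk, so the likely effect is an unnecessary DKMS build rather than a hard failure). The loop variable `i` leaks into the script's global scope; a `local` declaration or a descriptive name such as `wg_module` would be clearer. Worth a comment next to `NEED_OPENVPN_REPO=1`: setting it here means the installer will later add a third-party APT repository and signing key (visible in installOpenVPN() further down this page), which is a trust decision better surfaced to the user at this point, e.g. `# NOTE: selects the external build.openvpn.net repository; its key is imported in installOpenVPN()`. preconfigurePackages() begins before this hunk and continues after it.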
@@ -1099,8 +1144,7 @@ askWhichVPN(){
 fi
 fi
 else
- # [ "$OSCN" = "focal" ] > WireGuard is supported in Ubuntu 20.04 on all architectures
- if [ "$PLAT" = "Raspbian" ] || [ "$OSCN" = "focal" ] || [ "$X86_SYSTEM" -eq 1 ]; then
+ if [ "$WIREGUARD_SUPPORT" -eq 1 ] && [ "$OPENVPN_SUPPORT" -eq 1 ]; then
 chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "WireGuard is a new kind of VPN that provides near-instantaneous connection speed, high performance, and modern cryptography.\\n\\nIt's the recommended choice especially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\\n\\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol or if you need features like TCP and custom search domain.\\n\\nChoose a VPN (press space to select):" "${r}" "${c}" 2)
 
 VPNChooseOptions=(WireGuard "" on OpenVPN "" off)
@@ -1112,9 +1156,12 @@ askWhichVPN(){
 echo "::: Cancel selected, exiting...."
 exit 1
 fi
- elif [ "$X86_SYSTEM" -eq 0 ]; then
+ elif [ "$OPENVPN_SUPPORT" -eq 1 ] && [ "$WIREGUARD_SUPPORT" -eq 0 ]; then
 echo "::: Using VPN: OpenVPN"
 VPN="openvpn"
+ elif [ "$OPENVPN_SUPPORT" -eq 0 ] && [ "$WIREGUARD_SUPPORT" -eq 1 ]; then
+ echo "::: Using VPN: WireGuard"
+ VPN="wireguard"
 fi
 fi
 
@@ -1162,41 +1209,31 @@ installOpenVPN(){ echo "::: Installing OpenVPN from Debian package... " - # Use x86-only OpenVPN APT repo on x86 Debian/Ubuntu systems - if [ "$PLAT" != "Raspbian" ] && [ "$X86_SYSTEM" -eq 1 ]; then + if [ "$NEED_OPENVPN_REPO" -eq 1 ]; then + # gnupg is used by apt-key to import the openvpn GPG key into the + # APT keyring + PIVPN_DEPS=(gnupg) + installDependentPackages PIVPN_DEPS[@] - AVAILABLE_OPENVPN="$(apt-cache policy openvpn | grep -m1 'Candidate: ' | grep -v '(none)' | awk '{print $2}')" - - # If there is an available openvpn package and its version is at least 2.4 - # (required for ECC support), do not add the repository - if [ -n "$AVAILABLE_OPENVPN" ] && dpkg --compare-versions "$AVAILABLE_OPENVPN" ge 2.4; then - echo "::: OpenVPN is already available in the repositories" - else - # gnupg is used by apt-key to import the openvpn GPG key into the - # APT keyring - PIVPN_DEPS=(gnupg) - installDependentPackages PIVPN_DEPS[@] - - # We will download the repository key for the official repository from a - # keyserver. If we fail, we will attempt to download the key via HTTPS - echo "::: Adding repository key..." - if ! $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$OPENVPN_KEY_ID"; then - echo "::: Import via keyserver failed, now trying wget" - if ! downloadVerifyKey "$OPENVPN_KEY_URL" "$OPENVPN_KEY_ID" | $SUDO apt-key add -; then - echo "::: Can't import OpenVPN GPG key" - exit 1 - else - echo "::: Acquired key $OPENVPN_KEY_ID" - fi + # We will download the repository key for the official repository from a + # keyserver. If we fail, we will attempt to download the key via HTTPS + echo "::: Adding repository key..." + if ! $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$OPENVPN_KEY_ID"; then + echo "::: Import via keyserver failed, now trying wget" + if ! 
downloadVerifyKey "$OPENVPN_KEY_URL" "$OPENVPN_KEY_ID" | $SUDO apt-key add -; then + echo "::: Can't import OpenVPN GPG key" + exit 1 + else + echo "::: Acquired key $OPENVPN_KEY_ID" fi - - echo "::: Adding OpenVPN repository... " - echo "deb https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null - - echo "::: Updating package cache..." - # shellcheck disable=SC2086 - $SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $! fi + + echo "::: Adding OpenVPN repository... " + echo "deb https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null + + echo "::: Updating package cache..." + # shellcheck disable=SC2086 + $SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $! fi # grepcidr is used to redact IPs in the debug log whereas expect is used @@ -1255,11 +1292,9 @@ installWireGuard(){ echo "::: Installing WireGuard from Debian package... " - if apt-cache policy wireguard 2> /dev/null | grep -m1 'Candidate: ' | grep -vq '(none)'; then - echo "::: WireGuard is already available in the repositories" - else + if [ "$NEED_WIREGUARD_REPO" -eq 1 ]; then echo "::: Adding Raspbian repository... " - echo "deb http://raspbian.raspberrypi.org/raspbian/ bullseye main" | $SUDO tee /etc/apt/sources.list.d/pivpn-bullseye.list > /dev/null + echo "deb http://raspbian.raspberrypi.org/raspbian/ bullseye main" | $SUDO tee /etc/apt/sources.list.d/pivpn-bullseye-repo.list > /dev/null # Do not upgrade packages from the bullseye repository except for wireguard printf 'Package: *\nPin: release n=bullseye\nPin-Priority: -1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release n=bullseye\nPin-Priority: 100\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-bullseye > /dev/null 
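Review bot: The rebuilt block still imports the repository key with `apt-key adv --recv-keys` / `apt-key add -`, which puts the OpenVPN key into APT's global trusted keyring so it can sign packages for every configured repository, not only build.openvpn.net; apt-key is also deprecated. Binding the key to the one source contains that trust: `echo "deb [signed-by=/usr/share/keyrings/pivpn-openvpn.gpg] https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null`, with the `downloadVerifyKey` output written to that keyring path (through `gpg --dearmor` if it is ASCII-armoured) instead of being piped to apt-key. The first attempt over plain HKP to keyserver.ubuntu.com is only as strong as `$OPENVPN_KEY_ID` — adequate if that is a full fingerprint, weak if it is a short id, which the hunk does not show — and since `downloadVerifyKey` already fetches over HTTPS and verifies against the id, the keyserver path could be dropped rather than tried first. installOpenVPN continues outside the hunk.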
@@ -1270,18 +1305,16 @@ installWireGuard(){ fi # qrencode is used to generate qrcodes from config file, for use with mobile clients - PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms qrencode) + PIVPN_DEPS=(raspberrypi-kernel-headers wireguard-tools wireguard-dkms qrencode) installDependentPackages PIVPN_DEPS[@] elif [ "$PLAT" = "Debian" ]; then echo "::: Installing WireGuard from Debian package... " - if apt-cache policy wireguard 2> /dev/null | grep -m1 'Candidate: ' | grep -vq '(none)'; then - echo "::: WireGuard is already available in the repositories" - else + if [ "$NEED_WIREGUARD_REPO" -eq 1 ]; then echo "::: Adding Debian repository... " - echo "deb https://deb.debian.org/debian/ bullseye main" | $SUDO tee /etc/apt/sources.list.d/pivpn-bullseye.list > /dev/null + echo "deb https://deb.debian.org/debian/ bullseye main" | $SUDO tee /etc/apt/sources.list.d/pivpn-bullseye-repo.list > /dev/null printf 'Package: *\nPin: release n=bullseye\nPin-Priority: -1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release n=bullseye\nPin-Priority: 100\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-bullseye > /dev/null 
@@ -1290,27 +1323,24 @@ installWireGuard(){ $SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $! fi - PIVPN_DEPS=(linux-headers-amd64 wireguard wireguard-tools wireguard-dkms qrencode) + PIVPN_DEPS=(wireguard-tools qrencode) + + if [ "$WIREGUARD_BUILTIN" -eq 0 ]; then + # Explicitly install the module if not built-in + PIVPN_DEPS+=(linux-headers-amd64 wireguard-dkms) + fi + installDependentPackages PIVPN_DEPS[@] elif [ "$PLAT" = "Ubuntu" ]; then echo "::: Installing WireGuard... " - if apt-cache policy wireguard 2> /dev/null | grep -m1 'Candidate: ' | grep -vq '(none)'; then - echo "::: WireGuard is already available in the repositories" - else - echo "::: Adding WireGuard PPA... " - PIVPN_DEPS=(software-properties-common) - installDependentPackages PIVPN_DEPS[@] - $SUDO add-apt-repository ppa:wireguard/wireguard -y - - echo "::: Updating package cache..." - # shellcheck disable=SC2086 - $SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $! + if [ "$WIREGUARD_BUILTIN" -eq 0 ]; then + PIVPN_DEPS+=(linux-headers-generic wireguard-dkms) fi - PIVPN_DEPS=(linux-headers-generic wireguard wireguard-tools wireguard-dkms qrencode) + PIVPN_DEPS=(wireguard-tools qrencode) installDependentPackages PIVPN_DEPS[@] fi @@ -2249,7 +2279,7 @@ confUnattendedUpgrades(){ # Enable automatic updates via the bullseye repository when installing from debian package if [ "$VPN" = "wireguard" ]; then - if [ -f /etc/apt/sources.list.d/pivpn-bullseye.list ]; then + if [ -f /etc/apt/sources.list.d/pivpn-bullseye-repo.list ]; then if ! grep -q "\"o=$PLAT,n=bullseye\";" "${aptConfDir}/50unattended-upgrades"; then $SUDO sed -i "/Unattended-Upgrade::Origins-Pattern {/a\"o=$PLAT,n=bullseye\";" "${aptConfDir}/50unattended-upgrades" fi diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index 631f355..7b00b78 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh 
@@ -134,17 +134,17 @@ removeAll(){ while true; do read -rp "::: Do you wish to remove $i from your system? [Y/n]: " yn case $yn in - [Yy]* ) if [ "${i}" = "wireguard" ]; then + [Yy]* ) if [ "${i}" = "wireguard-tools" ]; then - # On Debian and Raspbian, remove the bullseye repo. On Ubuntu, remove the PPA. - if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Raspbian" ]; then - rm -f /etc/apt/sources.list.d/pivpn-bullseye.list + # The bullseye repo may not exist if wireguard was available at the + # time of installation. + if [ -f /etc/apt/sources.list.d/pivpn-bullseye-repo.list ]; then + echo "::: Removing Debian Bullseye repo..." + rm -f /etc/apt/sources.list.d/pivpn-bullseye-repo.list rm -f /etc/apt/preferences.d/pivpn-limit-bullseye - elif [ "$PLAT" = "Ubuntu" ]; then - add-apt-repository ppa:wireguard/wireguard -r -y + echo "::: Updating package cache..." + ${UPDATE_PKG_CACHE} &> /dev/null & spinner $! fi - echo "::: Updating package cache..." - ${UPDATE_PKG_CACHE} &> /dev/null & spinner $! elif [ "${i}" = "unattended-upgrades" ]; then @@ -154,7 +154,8 @@ removeAll(){ elif [ "${i}" = "openvpn" ]; then - if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then + if [ -f /etc/apt/sources.list.d/pivpn-openvpn-repo.list ]; then + echo "::: Removing OpenVPN software repo..." rm -f /etc/apt/sources.list.d/pivpn-openvpn-repo.list echo "::: Updating package cache..." ${UPDATE_PKG_CACHE} &> /dev/null & spinner $! From 03f5871c71da3fb189df91ede0fa39b684a8033d Mon Sep 17 00:00:00 2001 From: Orazio Date: Mon, 14 Sep 2020 16:19:40 +0200 Subject: [PATCH 077/114] Fixed WireGuard installation on Ubuntu when module is not built-in - PIVPN_DEPS array should be assigned before appending to it, not after, to avoid overwriting existing items. --- auto_install/install.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 0b261c5..e37ef3e 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
@@ -1336,11 +1336,12 @@ installWireGuard(){ echo "::: Installing WireGuard... " + PIVPN_DEPS=(wireguard-tools qrencode) + if [ "$WIREGUARD_BUILTIN" -eq 0 ]; then PIVPN_DEPS+=(linux-headers-generic wireguard-dkms) fi - PIVPN_DEPS=(wireguard-tools qrencode) installDependentPackages PIVPN_DEPS[@] fi From 0a65da118426361f3b475120e028df9977efb72f Mon Sep 17 00:00:00 2001 From: Orazio Date: Mon, 14 Sep 2020 17:00:35 +0200 Subject: [PATCH 078/114] Moved several paragraphs to the wiki --- README.md | 109 +----------------------------------------------------- 1 file changed, 2 insertions(+), 107 deletions(-) diff --git a/README.md b/README.md index 5366518..4328ec9 100644 --- a/README.md +++ b/README.md @@ -38,14 +38,13 @@ It is recommended that you use a fresh image of the latest Raspbian Lite from https://raspberrypi.org/downloads, but if you don't, be sure to make a backup image of your existing installation before proceeding. You should also setup your Pi with a static IP address -(see either source 1 or 2 at the bottom of this Readme) but it is not required as the script can do this for you. You will need to have your router forwarding UDP port 1194 or whatever custom port you may have chose in the installer (varies by model & manufacturer; consult your router manufacturer's documentation to do this). Enabling SSH on your Pi is also highly recommended, so that you can run a very compact headless server without a monitor or keyboard and be able to access it -even more conveniently (This is also covered by source 2). +even more conveniently. Installation 
@@ -94,111 +93,7 @@ Finally, if you are using RSA, the script will take some time to build the serve The script will also make some changes to your system to allow it to forward internet traffic and allow VPN connections through the Pi's firewall. When the script informs you that it has finished configuring PiVPN, it will ask if you want to reboot. I have it where you do not need to reboot when done but it also can't hurt. -After the installation is complete you can use the command `pivpn` to manage the server. The commands below are just to get started, run `pivpn -h` to see the full list of options. - -Managing the PiVPN (WireGuard) ----------------------- - -`pivpn add` -You will be prompted to enter a name for your client. Pick anything you like and hit 'enter'. -The script will assemble the client .conf file and place it in the directory 'configs' within your -home directory. - -`pivpn remove` -Asks you for the name of the client to remove. Once you remove a client, it will no longer allow you to use -the given client config (specifically its public key) to connect. This is useful for many reasons but some ex: -You have a profile on a mobile phone and it was lost or stolen. Remove its key and generate a new -one for your new phone. Or even if you suspect that a key may have been compromised in any way, -just remove it and generate a new one. - -`pivpn list` -If you add more than a few clients, this gives you a nice list of their names and associated keys. - -Managing the PiVPN (OpenVPN) ----------------------- - -`pivpn add` -You will be prompted to enter a name for your client. Pick anything you like and hit 'enter'. -You will be asked to enter a pass phrase for the client key; make sure it's one you'll remember. -The script will assemble the client .ovpn file and place it in the directory 'ovpns' within your -home directory. 
- -If you need to create a client certificate that is not password protected (IE for use on a router), -then you can use the 'pivpn add nopass' option to generate that. - -`pivpn revoke` -Asks you for the name of the client to revoke. Once you revoke a client, it will no longer allow you to use -the given client certificate (ovpn config) to connect. This is useful for many reasons but some ex: -You have a profile on a mobile phone and it was lost or stolen. Revoke its cert and generate a new -one for your new phone. Or even if you suspect that a cert may have been compromised in any way, -just revoke it and generate a new one. - -`pivpn list` -If you add more than a few clients, this gives you a nice list of their names and whether their certificate -is still valid or has been revoked. Great way to keep track of what you did with 'pivpn add' and 'pivpn revoke'. - -Importing Profiles on Client Machines --------------------------------------------- - -**Windows**: Use a program like WinSCP or Cyberduck. Note that you may need administrator permission to move files to some folders on your Windows machine, so if you have trouble transferring the profile to a particular folder with your chosen file transfer program, try moving it to your desktop. - -**Mac/Linux**: Open the Terminal app and copy the config from the Raspberry Pi using `scp pi-user@ip-of-your-raspberry:configs/whatever.conf .` (if using WireGuard) or `scp pi-user@ip-of-your-raspberry:ovpns/whatever.ovpn .` (if using OpenVPN). The file will be downloaded in the current working directory, which usually is the home folder of your PC. - -**Android/iOS** (WireGuard only): Just skip to _Connecting to the PiVPN server (WireGuard)_ - -**Android**: You can either retrieve it on PC and then move it to your device via USB, or you can use an app like Turbo FTP & SFTP client to retrieve it directly from your Android device. 
- -**iOS**: You can use an app that supports SFTP like Documents by Readdle to retrieve it directly from your iOS device. - -Connecting to the PiVPN server (WireGuard) --------------------------------------------- - -**Windows/Mac**: Download the [WireGuard GUI app](https://www.wireguard.com/install/), import the configuration and activate the tunnel. - -**Linux**: Install [WireGuard](https://www.wireguard.com/install/) following the instructions for your distribution. Now, as root user, create the /etc/wireguard folder and prevent anyone but root to enter it (you only need to do this the first time): -``` -mkdir -p /etc/wireguard -chown root:root /etc/wireguard -chmod 700 /etc/wireguard -``` -Move the config and activate the tunnel: -``` -mv whatever.conf /etc/wireguard/ -wg-quick up whatever -``` -Run `wg-quick down whatever` to deactivate the tunnel. - -**Android/iOS:** Run `pivpn -qr` on the PiVPN server to generate a QR code of your config, download the Wireguard app [Android link](https://play.google.com/store/apps/details?id=com.wireguard.android) / [iOS link](https://apps.apple.com/it/app/wireguard/id1441195209), click the '+' sign and scan the QR code with your phone's camera. Flip the switch to activate the tunnel. - -Connecting to the PiVPN server (OpenVPN) --------------------------------------------- - -**Windows**: Download the [OpenVPN GUI](https://openvpn.net/community-downloads/), install it, and place the profile in the 'config' folder of your OpenVPN directory, i.e., in 'C:\Program Files\OpenVPN\config'. After importing, connect to the VPN server on Windows by running the OpenVPN GUI with administrator permissions, right-clicking on the icon in the system tray, and clicking 'Connect'. - -**Linux**: Install OpenVPN using your package manager (APT in this example). 
Now, as root user, create the /etc/openvpn/client folder and prevent anyone but root to enter it (you only need to do this the first time): -``` -apt install openvpn -mkdir -p /etc/openvpn/client -chown root:root /etc/openvpn/client -chmod 700 /etc/openvpn/client -``` -Move the config and connect (input the pass phrase if you set one): -``` -mv whatever.ovpn /etc/openvpn/client/ -openvpn /etc/openvpn/client/whatever.ovpn -``` -Press CTRL-C to disconnect. - -**Mac**: You can use an OpenVPN client like [Tunnelblick](https://tunnelblick.net/downloads.html). Here's a [guide](https://tunnelblick.net/czUsing.html) to import the configuration. - -**Android**: Install the [OpenVPN Connect app](https://play.google.com/store/apps/details?id=net.openvpn.openvpn), select 'Import' from the drop-down menu in the upper right corner of the main screen, choose the directory on your device where you stored the .ovpn file, and select the file. Connect by selecting the profile under 'OpenVPN Profile' and pressing 'Connect'. - -**iOS**: Install the [OpenVPN Connect app](https://apps.apple.com/it/app/openvpn-connect/id590379981). Then go to the app where you copied the .ovpn file to, select the file, find an icon or button to 'Share' or 'Open with', and choose to open with the OpenVPN app. - -Removing PiVPN ----------------- - -If at any point you wish to remove PiVPN from your Pi and revert it to a pre-installation state, such as if you want to undo a failed installation to try again or you want to remove PiVPN without installing a fresh Raspbian image, just run `pivpn uninstall`. +After the installation is complete you can use the command `pivpn` to manage the server. Have a look at the [OpenVPN](https://github.com/pivpn/pivpn/wiki/OpenVPN) or [WireGuard](https://github.com/pivpn/pivpn/wiki/WireGuard) wiki for some example commands, connection instructions, FAQs, [troubleshooting steps](https://github.com/pivpn/pivpn/wiki/FAQ#how-do-i-troubleshoot-connection-issues). 
Feedback & Support -------- From 0fb22bd15f1ecf378ca7fae8cd173f422757ac57 Mon Sep 17 00:00:00 2001 From: Ludwig Lautenbacher Date: Thu, 1 Oct 2020 13:23:31 +0200 Subject: [PATCH 079/114] dump easyrsa output to /dev/null --- scripts/openvpn/listOVPN.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/scripts/openvpn/listOVPN.sh b/scripts/openvpn/listOVPN.sh index 55826c6..5b2f401 100755 --- a/scripts/openvpn/listOVPN.sh +++ b/scripts/openvpn/listOVPN.sh @@ -8,7 +8,13 @@ if [ ! -f "${INDEX}" ]; then exit 1 fi -/etc/openvpn/easy-rsa/easyrsa update-db >> /var/log/easyrsa_update-db.log 2>1 +EASYRSA="/etc/openvpn/easy-rsa/easyrsa" +if [ ! -f "${EASYRSA}" ]; then + echo "The file: $EASYRSA was not found!" + exit 1 +fi + +$EASYRSA update-db >> /dev/null 2>1 printf ": NOTE : The first entry should always be your valid server!\n" printf "\\n" From 66536272be89a2b296adf36697becfb1ed78be91 Mon Sep 17 00:00:00 2001 From: Ludwig Lautenbacher Date: Thu, 1 Oct 2020 13:24:02 +0200 Subject: [PATCH 080/114] clean up formattting of Expired certificates --- scripts/openvpn/listOVPN.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/openvpn/listOVPN.sh b/scripts/openvpn/listOVPN.sh index 5b2f401..75b6b09 100755 --- a/scripts/openvpn/listOVPN.sh +++ b/scripts/openvpn/listOVPN.sh @@ -32,7 +32,7 @@ while read -r line || [ -n "$line" ]; do elif [ "${STATUS}" == "R" ]; then printf "Revoked \t %s \t %s\\n" "$NAME" "$EXPD" elif [ "${STATUS}" == "E" ]; then - printf " Expired :: %s\n" "$NAME" + printf "Expired :: %s\n" "$NAME" else printf "Unknown \t %s \t %s\\n" "$NAME" "$EXPD" fi From 1cc66efba6684b87deb6e976b8f5f5e28452ba24 Mon Sep 17 00:00:00 2001 From: Ludwig Lautenbacher Date: Thu, 1 Oct 2020 13:40:49 +0200 Subject: [PATCH 081/114] fixed formatting --- scripts/openvpn/listOVPN.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/openvpn/listOVPN.sh b/scripts/openvpn/listOVPN.sh index 75b6b09..cd02790 100755 
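Review bot: `$EASYRSA update-db >> /dev/null 2>1` sends stderr to a file literally named `1` in the current directory, not to stdout; the intended form is `$EASYRSA update-db > /dev/null 2>&1`. The same `2>1` was on the removed line, but the commit rewrites the line without fixing it, and `>>` is meaningless for /dev/null. Discarding the output also removes the only record that `update-db` ran, which the old `/var/log/easyrsa_update-db.log` kept; if the log was dropped on purpose, a comment saying why would help the next reader. The added existence check is welcome, but its message `The file: $EASYRSA was not found!` goes to stdout with `echo`, where it mixes with the table output; `>&2` keeps diagnostics separate.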
--- a/scripts/openvpn/listOVPN.sh +++ b/scripts/openvpn/listOVPN.sh @@ -32,7 +32,7 @@ while read -r line || [ -n "$line" ]; do elif [ "${STATUS}" == "R" ]; then printf "Revoked \t %s \t %s\\n" "$NAME" "$EXPD" elif [ "${STATUS}" == "E" ]; then - printf "Expired :: %s\n" "$NAME" + printf "Expired \t %s \t %s\\n" "$NAME" "$EXPD" else printf "Unknown \t %s \t %s\\n" "$NAME" "$EXPD" fi From 63733b44a59fb448f21fae5b0866c0102dcc4e6d Mon Sep 17 00:00:00 2001 From: Orazio Date: Sat, 3 Oct 2020 10:20:40 +0200 Subject: [PATCH 082/114] Reload WireGuard instead of restarting so it doesn't kick existing clients --- scripts/wireguard/makeCONF.sh | 6 +++--- scripts/wireguard/removeCONF.sh | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/scripts/wireguard/makeCONF.sh b/scripts/wireguard/makeCONF.sh index e0669b8..0564fb5 100755 --- a/scripts/wireguard/makeCONF.sh +++ b/scripts/wireguard/makeCONF.sh @@ -130,10 +130,10 @@ if [ -f /etc/pivpn/hosts.wireguard ]; then fi fi -if systemctl restart wg-quick@wg0; then - echo "::: WireGuard restarted" +if systemctl reload wg-quick@wg0; then + echo "::: WireGuard reloaded" else - echo "::: Failed to restart WireGuard" + echo "::: Failed to reload WireGuard" fi cp "configs/${CLIENT_NAME}.conf" "${install_home}/configs/${CLIENT_NAME}.conf" diff --git a/scripts/wireguard/removeCONF.sh b/scripts/wireguard/removeCONF.sh index cbf4dbb..6a9c6ab 100755 --- a/scripts/wireguard/removeCONF.sh +++ b/scripts/wireguard/removeCONF.sh @@ -136,9 +136,9 @@ done # Restart WireGuard only if some clients were actually deleted if [ "${DELETED_COUNT}" -gt 0 ]; then - if systemctl restart wg-quick@wg0; then - echo "::: WireGuard restarted" + if systemctl reload wg-quick@wg0; then + echo "::: WireGuard reloaded" else - echo "::: Failed to restart WireGuard" + echo "::: Failed to reload WireGuard" fi fi From 5d2761b94be19f34cdbcf64c309944ea061e24eb Mon Sep 17 00:00:00 2001 
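Review bot: A failed reload remains non-fatal in makeCONF.sh: the `else` branch prints `::: Failed to reload WireGuard` and the script then goes on to copy `configs/${CLIENT_NAME}.conf` into the user's home, handing out a client config whose peer is not live on the interface. `systemctl reload wg-quick@wg0` also depends on the installed unit providing an ExecReload line, which older wireguard-tools packages may not ship, so this branch is more likely to be reached after the change than the old restart failure was. If that applies to the platforms PiVPN targets, falling back to a restart or exiting non-zero would be safer, e.g. `echo "::: Failed to reload WireGuard" >&2; exit 1`. removeCONF.sh has the same shape; there the failure is only printed. Both scripts continue outside the hunks.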
From: Douglas Orend <43975081+xptsp@users.noreply.github.com> Date: Tue, 20 Oct 2020 10:57:28 -0500 Subject: [PATCH 083/114] Update listOVPN.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit allows PiVPN scripts to display certificates with common names like "José" better. Prior to this commit, names like "José" would be shown as "Jos\xC3\xA9". --- scripts/openvpn/listOVPN.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/openvpn/listOVPN.sh b/scripts/openvpn/listOVPN.sh index cd02790..6fba929 100755 --- a/scripts/openvpn/listOVPN.sh +++ b/scripts/openvpn/listOVPN.sh @@ -28,13 +28,13 @@ while read -r line || [ -n "$line" ]; do EXPD=$(echo "$line" | awk '{if (length($2) == 15) print $2; else print "20"$2}' | cut -b 1-8 | date +"%b %d %Y" -f -) if [ "${STATUS}" == "V" ]; then - printf "Valid \t %s \t %s\\n" "$NAME" "$EXPD" + printf "Valid \t %s \t %s\\n" "$(echo -e "$NAME")" "$EXPD" elif [ "${STATUS}" == "R" ]; then - printf "Revoked \t %s \t %s\\n" "$NAME" "$EXPD" + printf "Revoked \t %s \t %s\\n" "$(echo -e "$NAME")" "$EXPD" elif [ "${STATUS}" == "E" ]; then - printf "Expired \t %s \t %s\\n" "$NAME" "$EXPD" + printf "Expired \t %s \t %s\\n" "$(echo -e "$NAME")" "$EXPD" else - printf "Unknown \t %s \t %s\\n" "$NAME" "$EXPD" + printf "Unknown \t %s \t %s\\n" "$(echo -e "$NAME")" "$EXPD" fi done <${INDEX} From 22cb5ee0ef704c2ca5f068a0a0dd096cd4848fcc Mon Sep 17 00:00:00 2001 From: Douglas Orend <43975081+xptsp@users.noreply.github.com> Date: Tue, 20 Oct 2020 11:00:35 -0500 Subject: [PATCH 084/114] Update removeOVPN.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit allows PiVPN scripts to revoke certificates with common names like "José" better. Prior to this commit, names like "José" could not be revoked using PiVPN tools. --- scripts/openvpn/removeOVPN.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
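Review bot: `$(echo -e "$NAME")` expands every backslash escape in the common name, not only the `\xHH` byte escapes that index.txt uses for non-ASCII characters, so a CN carrying other sequences (`\e`, `\n`, `\t`) is rendered into the terminal listing instead of being shown literally; CNs are entered by the administrator through `pivpn add`, so this is a robustness rather than a trust issue, but it deserves a comment. `echo -e` is also non-portable (its behaviour depends on the shell and on `xpg_echo`); `printf '%b'` is the idiomatic way to expand the escapes and folds into the existing format string, for instance `printf "Valid \t %b \t %s\\n" "$NAME" "$EXPD"` on each of the four lines. The `while read` loop enclosing these lines starts outside the hunk.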
diff --git a/scripts/openvpn/removeOVPN.sh b/scripts/openvpn/removeOVPN.sh index 30bfac7..a77333b 100755 --- a/scripts/openvpn/removeOVPN.sh +++ b/scripts/openvpn/removeOVPN.sh @@ -58,7 +58,7 @@ if [[ -z "${CERTS_TO_REVOKE}" ]]; then NAME=$(echo "$line" | sed -e 's:.*/CN=::') if [ "$i" != 0 ]; then # Prevent printing "server" certificate - CERTS[$i]=${NAME} + CERTS[$i]=$(echo -e "${NAME}") fi let i=i+1 fi @@ -102,7 +102,7 @@ else while read -r line || [ -n "$line" ]; do STATUS=$(echo "$line" | awk '{print $1}') if [[ "${STATUS}" = "V" ]]; then - NAME=$(echo "$line" | sed -e 's:.*/CN=::') + NAME=$(echo -e "$line" | sed -e 's:.*/CN=::') CERTS[$i]=${NAME} let i=i+1 fi From 9dd67114f8cc2540ebe9555916b9e6315bcf2aa7 Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Wed, 21 Oct 2020 22:35:29 +0100 Subject: [PATCH 085/114] disable and enable wireguard clients --- auto_install/install.sh | 4 +- scripts/wireguard/bash-completion | 4 +- scripts/wireguard/disableCONF.sh | 120 ++++++++++++++++++++++++++++++ scripts/wireguard/enableCONF.sh | 116 +++++++++++++++++++++++++++++ scripts/wireguard/listCONF.sh | 7 +- scripts/wireguard/pivpn.sh | 36 ++++++--- 6 files changed, 272 insertions(+), 15 deletions(-) create mode 100755 scripts/wireguard/disableCONF.sh create mode 100755 scripts/wireguard/enableCONF.sh diff --git a/auto_install/install.sh b/auto_install/install.sh index e37ef3e..4472cf0 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -13,8 +13,8 @@ # timestamp 2020/5/24 15:53BST ######## VARIABLES ######### -pivpnGitUrl="https://github.com/pivpn/pivpn.git" -#pivpnGitUrl="/home/pi/repos/pivpn" +#pivpnGitUrl="https://github.com/pivpn/pivpn.git" +pivpnGitUrl="/home/pi/repos/pivpn" setupVarsFile="setupVars.conf" setupConfigDir="/etc/pivpn" tempsetupVarsFile="/tmp/setupVars.conf" diff --git a/scripts/wireguard/bash-completion b/scripts/wireguard/bash-completion index a971696..3af6c28 100644 
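Review bot: The two hunks decode at different points: the first applies `echo -e` to `${NAME}` after `sed` has stripped the `.*/CN=` prefix, the second applies it to the whole `$line` before `sed`, so in the second branch the subject is parsed in its decoded form rather than as OpenSSL wrote it, and the two code paths can disagree on the same index entry. Decoding `NAME` after parsing in both places, as the first hunk does, keeps the `sed` on the raw index line, and `printf '%b' "${NAME}"` is the portable form of `echo -e`. If the decoded (UTF-8) name is later handed to `easyrsa revoke`, it is worth confirming that easyrsa looks the certificate up by the on-disk file name rather than by the escaped index entry; the revoke call is outside both hunks, so I cannot check that from here.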
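Review bot: `pivpnGitUrl` is switched to the local path `/home/pi/repos/pivpn` inside a commit whose subject is the disable/enable feature, so anyone installing from this revision clones from a directory that does not exist on their machine; it is a development toggle that should not travel with the feature (a later commit on this page swaps it back). An environment override avoids editing the file at all, e.g. `pivpnGitUrl="${pivpnGitUrl:-https://github.com/pivpn/pivpn.git}"` with the local path exported from the developer's shell, so the committed default never changes.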
--- a/scripts/wireguard/bash-completion +++ b/scripts/wireguard/bash-completion @@ -4,8 +4,8 @@ _pivpn() COMPREPLY=() cur="${COMP_WORDS[COMP_CWORD]}" prev="${COMP_WORDS[COMP_CWORD-1]}" - dashopts="-a -c -d -l -qr -r -h -u -up -bk" - opts="add clients debug list qrcode remove help uninstall update backup" + dashopts="-a -c -d -l -qr -r -h -u -up -bk -dis -ena" + opts="add clients debug list qrcode remove help uninstall update backup disable enable" if [ "${#COMP_WORDS[@]}" -eq 2 ] then if [[ ${cur} == -* ]] ; then diff --git a/scripts/wireguard/disableCONF.sh b/scripts/wireguard/disableCONF.sh new file mode 100755 index 0000000..e8a8b5b --- /dev/null +++ b/scripts/wireguard/disableCONF.sh 
@@ -0,0 +1,120 @@ +#!/bin/bash + +setupVars="/etc/pivpn/wireguard/setupVars.conf" + +if [ ! -f "${setupVars}" ]; then + echo "::: Missing setup vars file!" + exit 1 +fi + +source "${setupVars}" + +helpFunc(){ + echo "::: Disable client conf profiles" + echo ":::" + echo "::: Usage: pivpn <-dis|disable> [-h|--help] [-v] [ ... [] ...] " + echo ":::" + echo "::: Commands:" + echo "::: [none] Interactive mode" + echo "::: Client" + echo "::: -y,--yes Disable client(s) without confirmation" + echo "::: -v Show disabled clients only" + echo "::: -h,--help Show this help dialog" +} + +# Parse input arguments +while test $# -gt 0 +do + _key="$1" + case "$_key" in + -h|--help) + helpFunc + exit 0 + ;; + -y|--yes) + CONFIRM=true + ;; + -v) + DISPLAY_DISABLED=true + ;; + *) + CLIENTS_TO_CHANGE+=("$1") + ;; + esac + shift +done + +cd /etc/wireguard +if [ ! -s configs/clients.txt ]; then + echo "::: There are no clients to remove" + exit 1 +fi + + +if [ "$DISPLAY_DISABLED" ]; then + grep 'disabled### begin client' wg0.conf | sed 's/#//g; s/begin//' + exit 1 +fi + + +LIST=($(awk '{print $1}' configs/clients.txt)) +if [ "${#CLIENTS_TO_CHANGE[@]}" -eq 0 ]; then + echo -e "::\e[4m Client list \e[0m::" + len=${#LIST[@]} + COUNTER=1 + while [ $COUNTER -le ${len} ]; do + printf "%0${#len}s) %s\r\n" ${COUNTER} ${LIST[(($COUNTER-1))]} + ((COUNTER++)) + done + + read -r -p "Please enter the Index/Name of the Client to be removed from the list above: " CLIENTS_TO_CHANGE + + if [ -z "${CLIENTS_TO_CHANGE}" ]; then + echo "::: You can not leave this blank!" + exit 1 + fi +fi + +CHANGED_COUNT=0 + +for CLIENT_NAME in "${CLIENTS_TO_CHANGE[@]}"; do + + re='^[0-9]+$' + if [[ ${CLIENT_NAME} =~ $re ]] ; then + CLIENT_NAME=${LIST[$(($CLIENT_NAME -1))]} + fi + + if ! 
grep -q "^${CLIENT_NAME} " configs/clients.txt; then + echo -e "::: \e[1m${CLIENT_NAME}\e[0m does not exist" + elif grep -q "#disabled### begin ${CLIENT_NAME}" wg0.conf; then + echo -e "::: \e[1m${CLIENT_NAME}\e[0m is already disabled" + else + if [ -n "$CONFIRM" ]; then + REPLY="y" + else + read -r -p "Confirm you want to disable $CLIENT_NAME? [Y/n] " + fi + + if [[ $REPLY =~ ^[Yy]$ ]]; then + + # Disable the peer section from the server config + echo "${CLIENT_NAME}" + sed -e "/### begin ${CLIENT_NAME}/,/end ${CLIENT_NAME}/ s/^/#disabled/" -i wg0.conf + echo "::: Updated server config" + + ((CHANGED_COUNT++)) + echo "::: Successfully disabled ${CLIENT_NAME}" + + fi + fi + +done + +# Restart WireGuard only if some clients were actually deleted +if [ "${CHANGED_COUNT}" -gt 0 ]; then + if systemctl reload wg-quick@wg0; then + echo "::: WireGuard reloaded" + else + echo "::: Failed to reload WireGuard" + fi +fi diff --git a/scripts/wireguard/enableCONF.sh b/scripts/wireguard/enableCONF.sh new file mode 100755 index 0000000..0f20069 --- /dev/null +++ b/scripts/wireguard/enableCONF.sh 
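Review bot: `CLIENT_NAME` is spliced unescaped into regular expressions and none of them is anchored: `sed -e "/### begin ${CLIENT_NAME}/,/end ${CLIENT_NAME}/ s/^/#disabled/"` and `grep -q "^${CLIENT_NAME} "` treat the name as a pattern, and because the range only needs a prefix match, disabling a client named `bob` while `bobby` precedes it in wg0.conf comments out bobby's peer section as well (and a name containing `/`, `.` or `[` breaks or widens the range). Anchoring both ends — assuming the closing marker is `### end NAME`, as the opening one is `### begin NAME` — fixes the prefix case: `sed -e "/^### begin ${CLIENT_NAME}$/,/^### end ${CLIENT_NAME}$/ s/^/#disabled/" -i wg0.conf`; the name should additionally be validated, or matched with `grep -F`, before it reaches sed. `grep 'disabled### begin client' wg0.conf` in the `-v` path lists only clients whose names begin with the literal `client` and exits 1 on success; `grep '#disabled### begin ' wg0.conf` with `exit 0` is what the help text promises. `cd /etc/wireguard` needs `|| exit 1`, otherwise a failed cd leaves `sed -i wg0.conf` editing whatever directory the caller was in. enableCONF.sh in the next file carries the same four issues, and the messages `There are no clients to remove` and `to be removed from the list above` in this file are copy-paste leftovers from removeCONF.sh.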
@@ -0,0 +1,116 @@ +#!/bin/bash + +setupVars="/etc/pivpn/wireguard/setupVars.conf" + +if [ ! -f "${setupVars}" ]; then + echo "::: Missing setup vars file!" + exit 1 +fi + +source "${setupVars}" + +helpFunc(){ + echo "::: Enables client conf profiles" + echo ":::" + echo "::: Usage: pivpn <-ena|enable> [-h|--help] [-v] [ ... [] ...] " + echo ":::" + echo "::: Commands:" + echo "::: [none] Interactive mode" + echo "::: Client" + echo "::: -y,--yes Remove client(s) without confirmation" + echo "::: -v Show disabled clients only" + echo "::: -h,--help Show this help dialog" +} + +# Parse input arguments +while test $# -gt 0 +do + _key="$1" + case "$_key" in + -h|--help) + helpFunc + exit 0 + ;; + -y|--yes) + CONFIRM=true + ;; + -v) + DISPLAY_DISABLED=true + ;; + *) + CLIENTS_TO_CHANGE+=("$1") + ;; + esac + shift +done + +cd /etc/wireguard +if [ ! -s configs/clients.txt ]; then + echo "::: There are no clients to change" + exit 1 +fi + +if [ "$DISPLAY_DISABLED" ]; then + grep 'disabled### begin client' wg0.conf | sed 's/#//g; s/begin//' + exit 1 +fi + +LIST=($(awk '{print $1}' configs/clients.txt)) +if [ "${#CLIENTS_TO_CHANGE[@]}" -eq 0 ]; then + echo -e "::\e[4m Client list \e[0m::" + len=${#LIST[@]} + COUNTER=1 + while [ $COUNTER -le ${len} ]; do + printf "%0${#len}s) %s\r\n" ${COUNTER} ${LIST[(($COUNTER-1))]} + ((COUNTER++)) + done + + read -r -p "Please enter the Index/Name of the Client to be enabled from the list above: " CLIENTS_TO_CHANGE + + if [ -z "${CLIENTS_TO_CHANGE}" ]; then + echo "::: You can not leave this blank!" + exit 1 + fi +fi + +CHANGED_COUNT=0 + +for CLIENT_NAME in "${CLIENTS_TO_CHANGE[@]}"; do + + re='^[0-9]+$' + if [[ ${CLIENT_NAME} =~ $re ]] ; then + CLIENT_NAME=${LIST[$(($CLIENT_NAME -1))]} + fi + + if ! grep -q "^${CLIENT_NAME} " configs/clients.txt; then + echo -e "::: \e[1m${CLIENT_NAME}\e[0m does not exist" + else + if [ -n "$CONFIRM" ]; then + REPLY="y" + else + read -r -p "Confirm you want to enable $CLIENT_NAME? 
[Y/n] " + fi + + if [[ $REPLY =~ ^[Yy]$ ]]; then + + # Enable the peer section from the server config + echo "${CLIENT_NAME}" + sed -e "/begin ${CLIENT_NAME}/,/end ${CLIENT_NAME}/ s/#disabled//" -i wg0.conf + echo "::: Updated server config" + + ((CHANGED_COUNT++)) + echo "::: Successfully enabled ${CLIENT_NAME}" + + fi + fi + +done + +# Restart WireGuard only if some clients were actually deleted +if [ "${CHANGED_COUNT}" -gt 0 ]; then + if systemctl reload wg-quick@wg0; then + echo "::: WireGuard reloaded" + else + echo "::: Failed to reload WireGuard" + fi +fi diff --git a/scripts/wireguard/listCONF.sh b/scripts/wireguard/listCONF.sh index 6f8e198..d4ab8dd 100755 --- a/scripts/wireguard/listCONF.sh +++ b/scripts/wireguard/listCONF.sh @@ -25,4 +25,9 @@ while read -r LINE; do echo -e "$CLIENT_NAME \t $PUBLIC_KEY \t $CD_FORMAT" done < clients.txt -} | column -t -s $'\t' \ No newline at end of file +} | column -t -s $'\t' + + +cd /etc/wireguard || return +echo "::: Disabled clients :::" +grep 'disabled### begin client' wg0.conf | sed 's/#//g; s/begin//' diff --git a/scripts/wireguard/pivpn.sh b/scripts/wireguard/pivpn.sh index 61db6d9..963a8aa 100755 --- a/scripts/wireguard/pivpn.sh +++ b/scripts/wireguard/pivpn.sh @@ -47,6 +47,18 @@ removeClient(){ exit 0 } +disableClient(){ + shift + $SUDO ${scriptdir}/${vpn}/disableCONF.sh "$@" + exit 0 +} + +enableClient(){ + shift + $SUDO ${scriptdir}/${vpn}/enableCONF.sh "$@" + exit 0 +} + uninstallServer(){ $SUDO ${scriptdir}/uninstall.sh "${vpn}" exit 0 @@ -75,6 +87,8 @@ showHelp(){ echo "::: -l, list List all clients" echo "::: -qr, qrcode Show the qrcode of a client for use with the mobile app" echo "::: -r, remove Remove a client" + echo "::: -dis, disable Disable a user" + echo "::: -ena, enable Enable a user" echo "::: -h, help Show this help dialog" echo "::: -u, uninstall Uninstall pivpn from your system!" echo "::: -up, update Updates PiVPN Scripts" 
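Review bot: `cd /etc/wireguard || return` at the top level of listCONF.sh does not reliably stop the script — `return` outside a function only prints an error and execution continues — so a failed cd falls through to `grep ... wg0.conf` in the wrong directory; `cd /etc/wireguard || exit 1` is what was meant. The pattern `'disabled### begin client'` again matches only clients whose names start with the literal `client` (the marker is `### begin <name>`, per the grep in disableCONF.sh), so the "Disabled clients" section is empty for everyone else; `grep '#disabled### begin ' wg0.conf | sed 's/#//g; s/begin//'` lists them all. The `{ … } | column` block preceding the new lines runs outside the hunk, so it is not clear whether an earlier `cd` already happened.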
@@ -88,15 +102,17 @@ fi
 # Handle redirecting to specific functions based on arguments
 case "$1" in
-"-a" | "add" ) makeConf "$@";;
-"-c" | "clients" ) listConnected "$@";;
-"-d" | "debug" ) debug;;
-"-l" | "list" ) listClients;;
-"-qr" | "qrcode" ) showQrcode "$@";;
-"-r" | "remove" ) removeClient "$@";;
-"-h" | "help" ) showHelp;;
-"-u" | "uninstall" ) uninstallServer;;
-"-up" | "update" ) updateScripts "$@" ;;
-"-bk" | "backup" ) backup ;;
+"-a" | "add" ) makeConf "$@";;
+"-c" | "clients" ) listConnected "$@";;
+"-d" | "debug" ) debug;;
+"-l" | "list" ) listClients;;
+"-qr" | "qrcode" ) showQrcode "$@";;
+"-r" | "remove" ) removeClient "$@";;
+"-dis" | "disable" ) disableClient "$@";;
+"-ena" | "enable" ) enableClient "$@";;
+"-h" | "help" ) showHelp;;
+"-u" | "uninstall" ) uninstallServer;;
+"-up" | "update" ) updateScripts "$@" ;;
+"-bk" | "backup" ) backup ;;
 * ) showHelp;;
 esac
From a0660979d4cca0a1a5e8731a5fc38b9bac16f1bd Mon Sep 17 00:00:00 2001 From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Wed, 21 Oct 2020 23:23:58 +0100 Subject: [PATCH 086/114] corrent enable help --- scripts/wireguard/enableCONF.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/wireguard/enableCONF.sh b/scripts/wireguard/enableCONF.sh
index 0f20069..606adae 100755
--- a/scripts/wireguard/enableCONF.sh
+++ b/scripts/wireguard/enableCONF.sh
@@ -17,7 +17,7 @@ helpFunc(){
 echo "::: Commands:"
 echo "::: [none] Interactive mode"
 echo "::: Client"
- echo "::: -y,--yes Remove client(s) without confirmation"
+ echo "::: -y,--yes Enable client(s) without confirmation"
 echo "::: -v Show disabled clients only"
 echo "::: -h,--help Show this help dialog"
 }
From 468ea296c06bf529f86f9a1ebbb8795ff66dc722 Mon Sep 17 00:00:00 2001 
From: shelleycat485 <63857845+shelleycat485@users.noreply.github.com> Date: Thu, 22 Oct 2020 19:23:33 +0100 Subject: [PATCH 088/114] back to pivpn github repository --- auto_install/install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/auto_install/install.sh b/auto_install/install.sh
index 4472cf0..e37ef3e 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -13,8 +13,8 @@
 # timestamp 2020/5/24 15:53BST
 ######## VARIABLES #########
-#pivpnGitUrl="https://github.com/pivpn/pivpn.git"
-pivpnGitUrl="/home/pi/repos/pivpn"
+pivpnGitUrl="https://github.com/pivpn/pivpn.git"
+#pivpnGitUrl="/home/pi/repos/pivpn"
 setupVarsFile="setupVars.conf"
 setupConfigDir="/etc/pivpn"
 tempsetupVarsFile="/tmp/setupVars.conf"
From 9955f1fc024bcd5fb3ef76ee39af53ea16935cd7 Mon Sep 17 00:00:00 2001 From: Orazio Date: Sat, 24 Oct 2020 13:16:56 +0200 Subject: [PATCH 089/114] Updated WireGuard module detection to accommodate different paths --- auto_install/install.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/auto_install/install.sh b/auto_install/install.sh
index e37ef3e..1e2d083 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -77,6 +77,9 @@ c=$(( c < 70 ? 70 : c ))
 # Override localization settings so the output is in English language.
 export LC_ALL=C
+# Enable recursive globbing to find wireguard.ko in /lib/modules.
+shopt -s globstar
+
 main(){
 ######## FIRST CHECK ########
@@ -488,7 +491,7 @@ preconfigurePackages(){
 # make the module part of the package since the module itself is built at install time
 # and not part of the .deb).
 # Source: https://github.com/MichaIng/DietPi/blob/7bf5e1041f3b2972d7827c48215069d1c90eee07/dietpi/dietpi-software#L1807-L1815
- for i in /lib/modules/*/kernel/net/wireguard/wireguard.ko; do
+ for i in /lib/modules/**/wireguard.ko; do
 [[ -f $i ]] || continue
 dpkg-query -S "$i" &> /dev/null || continue
 WIREGUARD_BUILTIN=1
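Review bot: Which repository the installer clones — the root of trust for every script it goes on to install — is being flipped by hand between a GitHub URL and `/home/pi/repos/pivpn` in the committed file, and the same slip recurs on this page when a personal fork URL is committed and reverted two patches later. An environment override keeps the committed default stable while still allowing local development: `pivpnGitUrl="${PIVPN_GIT_URL:-https://github.com/pivpn/pivpn.git}"`, with the commented local path dropped. Whether the subsequent clone is pinned to a release tag or commit cannot be seen from this hunk; if it is not, that would be the next thing to fix.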
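Review bot: `/lib/modules/**/wireguard.ko` only matches an uncompressed module, so on a kernel built with module compression (`wireguard.ko.xz` or `wireguard.ko.zst`, which some distributions enable) the loop never sets `WIREGUARD_BUILTIN` and detection falls through to whatever the caller does next, outside this hunk. Matching `for i in /lib/modules/**/wireguard.ko*; do` covers both forms while `dpkg-query -S "$i"` still confirms the file is package-owned. Note that `shopt -s globstar` is enabled globally at the top of the script (first hunk), so every later `**` in the file now recurses as well; setting it inside `preconfigurePackages` next to this loop would contain that. The loop and its enclosing function continue past the hunk.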
From d860f1d40247a30556f819a06cbf87cda43c938e Mon Sep 17 00:00:00 2001 From: Orazio Date: Sat, 24 Oct 2020 13:41:07 +0200 Subject: [PATCH 090/114] Add systemd override for wg-quick units that don't yet implement reload - Discussed on pull request 1164 --- auto_install/install.sh | 7 +++++++ files/etc/systemd/system/wg-quick@.service.d/override.conf | 2 ++ scripts/uninstall.sh | 4 ++++ 3 files changed, 13 insertions(+) create mode 100644 files/etc/systemd/system/wg-quick@.service.d/override.conf
diff --git a/auto_install/install.sh b/auto_install/install.sh
index 1e2d083..7ed1c33 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -2037,6 +2037,13 @@ confOVPN(){
 }
 confWireGuard(){
+ # Reload job type is not yet available in wireguard-tools shipped with Ubuntu 20.04
+ if ! grep -q 'ExecReload' /usr/lib/systemd/system/wg-quick@.service; then
+ echo "::: Adding additional reload job type for wg-quick unit"
+ $SUDOE install -m 644 "${pivpnFilesDir}"/files/etc/systemd/system/wg-quick@.service.d/override.conf /etc/systemd/system/wg-quick@.service.d/override.conf
+ $SUDO systemctl daemon-reload
+ fi
+
 if [ -d /etc/wireguard ]; then
 # Backup the wireguard folder
 WIREGUARD_BACKUP="wireguard_$(date +%Y-%m-%d-%H%M%S).tar.gz"
diff --git a/files/etc/systemd/system/wg-quick@.service.d/override.conf b/files/etc/systemd/system/wg-quick@.service.d/override.conf
new file mode 100644
index 0000000..54e6bb8
--- /dev/null
+++ b/files/etc/systemd/system/wg-quick@.service.d/override.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh
index 7b00b78..4e04f05 100755
--- a/scripts/uninstall.sh
+++ b/scripts/uninstall.sh
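Review bot: The `grep -q 'ExecReload' /usr/lib/systemd/system/wg-quick@.service` probe assumes the packaged unit lives under `/usr/lib`; where it is installed under `/lib/systemd/system` instead (non-merged-/usr Debian and Raspbian releases — to be confirmed for the targets here) grep fails on a missing file, the negation is true, and the drop-in is installed even though the packaged unit may already define `ExecReload`, silently overriding it. Asking systemd for the effective unit avoids guessing the path: `if ! systemctl cat wg-quick@.service 2>/dev/null | grep -q '^ExecReload='; then`. The drop-in also applies to every `wg-quick@` instance, not only `wg0`, which is fine for this single-interface install but worth stating in the echo. `confWireGuard` continues past the hunk.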
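Review bot: The drop-in should say what `reload` covers: `wg syncconf` fed from `wg-quick strip` re-applies only the wg-level settings (peers, keys, ListenPort) and, as far as those tools document, leaves Address, DNS, MTU and PostUp/PostDown firewall rules untouched, so `systemctl reload wg-quick@wg0` is right for enabling or disabling peers but a changed interface address or iptables rule still needs a restart. A comment above `[Service]` such as `# Peer-only reload: re-syncs keys/peers via wg syncconf; Address/DNS/PostUp changes still need a restart` records that for the next maintainer. The paths are hard-coded to `/usr/bin/wg` and `/usr/bin/wg-quick`, which match the Debian wireguard-tools package but should be checked for the other supported targets.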
@@ -146,6 +146,10 @@ removeAll(){ ${UPDATE_PKG_CACHE} &> /dev/null & spinner $! fi + if [ -f /etc/systemd/system/wg-quick@.service.d/override.conf ]; then + rm -f /etc/systemd/system/wg-quick@.service.d/override.conf + fi + elif [ "${i}" = "unattended-upgrades" ]; then rm -rf /var/log/unattended-upgrades From 43057b3f3b66225358b23362803fcb2782ab5f7f Mon Sep 17 00:00:00 2001 From: Orazio Date: Sat, 24 Oct 2020 16:00:26 +0200 Subject: [PATCH 091/114] Fixed typos, clarified 'pivpn -l' text. --- auto_install/install.sh | 2 +- scripts/openvpn/listOVPN.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 7ed1c33..0cabb26 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -2040,7 +2040,7 @@ confWireGuard(){ # Reload job type is not yet available in wireguard-tools shipped with Ubuntu 20.04 if ! grep -q 'ExecReload' /usr/lib/systemd/system/wg-quick@.service; then echo "::: Adding additional reload job type for wg-quick unit" - $SUDOE install -m 644 "${pivpnFilesDir}"/files/etc/systemd/system/wg-quick@.service.d/override.conf /etc/systemd/system/wg-quick@.service.d/override.conf + $SUDO install -m 644 "${pivpnFilesDir}"/files/etc/systemd/system/wg-quick@.service.d/override.conf /etc/systemd/system/wg-quick@.service.d/override.conf $SUDO systemctl daemon-reload fi diff --git a/scripts/openvpn/listOVPN.sh b/scripts/openvpn/listOVPN.sh index 6fba929..4718f60 100755 --- a/scripts/openvpn/listOVPN.sh +++ b/scripts/openvpn/listOVPN.sh @@ -14,9 +14,9 @@ if [ ! -f "${EASYRSA}" ]; then exit 1 fi -$EASYRSA update-db >> /dev/null 2>1 +$EASYRSA update-db >> /dev/null 2>&1 -printf ": NOTE : The first entry should always be your valid server!\n" +printf ": NOTE : The first entry is your server, which should always be valid!\n" printf "\\n" printf "\\e[1m::: Certificate Status List :::\\e[0m\\n" { From 915563610d5af47ec751824d5d4ca1a341e2afc0 Mon Sep 17 00:00:00 2001 
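Review bot: The override is removed without a `systemctl daemon-reload`, so systemd keeps the overridden `ExecReload` in memory until something else reloads unit files, and the `wg-quick@.service.d` directory that `install -D` created on the install side is left behind. The branch should undo the install step fully: `rm -f /etc/systemd/system/wg-quick@.service.d/override.conf`, `rmdir --ignore-fail-on-non-empty /etc/systemd/system/wg-quick@.service.d`, `systemctl daemon-reload`. The `[ -f … ]` guard is redundant with `rm -f` but harmless. The enclosing `removeAll` loop starts and ends outside the hunk.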
From: Jeffry Suryadharma <41689493+jeffrysurya@users.noreply.github.com> Date: Sun, 25 Oct 2020 17:37:59 +0700 Subject: [PATCH 092/114] Update install.sh add -D option because wg-quick@.service.d folder is not yet created --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auto_install/install.sh b/auto_install/install.sh
index 0cabb26..0db151f 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -2040,7 +2040,7 @@ confWireGuard(){
 # Reload job type is not yet available in wireguard-tools shipped with Ubuntu 20.04
 if ! grep -q 'ExecReload' /usr/lib/systemd/system/wg-quick@.service; then
 echo "::: Adding additional reload job type for wg-quick unit"
- $SUDO install -m 644 "${pivpnFilesDir}"/files/etc/systemd/system/wg-quick@.service.d/override.conf /etc/systemd/system/wg-quick@.service.d/override.conf
+ $SUDO install -D -m 644 "${pivpnFilesDir}"/files/etc/systemd/system/wg-quick@.service.d/override.conf /etc/systemd/system/wg-quick@.service.d/override.conf
 $SUDO systemctl daemon-reload
 fi
From f1553985a65001f784be892c44d117863a9a26c3 Mon Sep 17 00:00:00 2001 From: Jeffry Suryadharma <41689493+jeffrysurya@users.noreply.github.com> Date: Sun, 25 Oct 2020 17:46:27 +0700 Subject: [PATCH 093/114] Update install.sh --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auto_install/install.sh b/auto_install/install.sh
index 0db151f..c2c331b 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -13,7 +13,7 @@
 # timestamp 2020/5/24 15:53BST
 ######## VARIABLES #########
-pivpnGitUrl="https://github.com/pivpn/pivpn.git"
+pivpnGitUrl="https://github.com/jeffrysurya/pivpn.git"
 #pivpnGitUrl="/home/pi/repos/pivpn"
 setupVarsFile="setupVars.conf"
 setupConfigDir="/etc/pivpn"
From 1ce55658aa31e511c727046d4256a64316a4de61 Mon Sep 17 00:00:00 2001 
From: Jeffry Suryadharma <41689493+jeffrysurya@users.noreply.github.com> Date: Sun, 25 Oct 2020 17:54:14 +0700 Subject: [PATCH 094/114] Update install.sh --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auto_install/install.sh b/auto_install/install.sh
index c2c331b..0db151f 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -13,7 +13,7 @@
 # timestamp 2020/5/24 15:53BST
 ######## VARIABLES #########
-pivpnGitUrl="https://github.com/jeffrysurya/pivpn.git"
+pivpnGitUrl="https://github.com/pivpn/pivpn.git"
 #pivpnGitUrl="/home/pi/repos/pivpn"
 setupVarsFile="setupVars.conf"
 setupConfigDir="/etc/pivpn"
From 4f9349b576166cca1c3906ecfce9331bed822133 Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 27 Oct 2020 08:52:51 +0100 Subject: [PATCH 095/114] Log debconf-apt-progress output to show errors in case of failed package install --- auto_install/install.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/auto_install/install.sh b/auto_install/install.sh
index 0db151f..c3a1e7d 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -552,9 +552,11 @@ installDependentPackages(){
 fi
 done
+ local APTLOGFILE="$(mktemp)"
+
 if command -v debconf-apt-progress > /dev/null; then
 # shellcheck disable=SC2086
- $SUDO debconf-apt-progress -- ${PKG_INSTALL} "${TO_INSTALL[@]}"
+ $SUDO debconf-apt-progress --logfile "${APTLOGFILE}" -- ${PKG_INSTALL} "${TO_INSTALL[@]}"
 else
 # shellcheck disable=SC2086
 $SUDO ${PKG_INSTALL} "${TO_INSTALL[@]}"
@@ -574,6 +576,7 @@ installDependentPackages(){
 done
 if [ "$FAILED" -gt 0 ]; then
+ cat "${APTLOGFILE}"
 exit 1
 fi
 }
From 8b69904b69994ed79914a881d3bfa4677cc73a92 Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 27 Oct 2020 09:03:34 +0100 Subject: [PATCH 096/114] Moved Telekom Hybrid help to the wiki: - https://github.com/pivpn/pivpn/wiki/OpenVPN#trouble-with-telekom-hybrid --- scripts/openvpn/pivpnDebug.sh | 13 ------------- 1 file changed, 13 deletions(-) 
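Review bot: `local APTLOGFILE="$(mktemp)"` masks a mktemp failure, because `local` returns success regardless of the substitution's status, and the temp file is never removed, so every install leaves a package log in /tmp; separating declaration from assignment — `local APTLOGFILE; APTLOGFILE="$(mktemp)" || exit 1` — and adding `rm -f "${APTLOGFILE}"` after the failure check (or in a trap) fixes both. The log is only written on the `debconf-apt-progress` branch; on the plain `${PKG_INSTALL}` branch the final `cat "${APTLOGFILE}"` prints an empty file, so either guard it with `[ -s "${APTLOGFILE}" ]` or redirect that branch's output into the same file. `installDependentPackages` starts before the first hunk.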
diff --git a/scripts/openvpn/pivpnDebug.sh b/scripts/openvpn/pivpnDebug.sh
index a3e86cf..38a8d7e 100755
--- a/scripts/openvpn/pivpnDebug.sh
+++ b/scripts/openvpn/pivpnDebug.sh
@@ -47,16 +47,3 @@ cat /tmp/snippet
 rm /tmp/snippet
 printf "=============================================\n"
 echo -e "::::\t\t\e[4mDebug complete\e[0m\t\t ::::"
-
-# Telekom Hybrid Check
-wget -O /tmp/hybcheck http://speedport.ip &>/dev/null
-if grep -Fq "Speedport Pro" /tmp/hybcheck || grep -Fq "Speedport Hybrid" /tmp/hybcheck
-then
- printf ":::\t\t\t\t\t:::\n::\tTelekom Hybrid Check\t\t ::\n:::\t\t\t\t\t:::\n"
- echo "Are you using Telekom Hybrid (found a hybrid compatible router)?"
- echo "If yes and you have problems with the connections you can test the following:"
- echo "Add 'tun-mtu 1316' in /etc/openvpn/easy-rsa/pki/Default.txt to set a hybrid compatible MTU size (new .ovpn files)."
- echo "For already existing .ovpn files 'tun-mtu 1316' can also be inserted there manually."
- echo "With Telekom hybrid connections, you may have to experiment a little with MTU (tun-mtu, link-mtu and mssfix)."
-fi
-rm /tmp/hybcheck
From 7f1c5ba33cc3c1eee18e381532365e63108d5a33 Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 27 Oct 2020 12:19:46 +0100 Subject: [PATCH 097/114] Save debug to /tmp/debug.log for WireGuard too, do not use temporary file to redact IPs in the OpenVPN log. --- scripts/openvpn/pivpn.sh | 4 ++-- scripts/openvpn/pivpnDebug.sh | 9 ++++----- scripts/wireguard/pivpn.sh | 7 ++++++- 3 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/scripts/openvpn/pivpn.sh b/scripts/openvpn/pivpn.sh
index 0b7feb7..59ca5c1 100755
--- a/scripts/openvpn/pivpn.sh
+++ b/scripts/openvpn/pivpn.sh
@@ -32,10 +32,10 @@ function listOVPNFunc {
 function debugFunc {
 echo "::: Generating Debug Output"
- $SUDO ${scriptDir}/${vpn}/pivpnDebug.sh | tee /tmp/debug.txt
+ $SUDO ${scriptDir}/${vpn}/pivpnDebug.sh | tee /tmp/debug.log
 echo "::: "
 echo "::: Debug output completed above."
- echo "::: Copy saved to /tmp/debug.txt"
+ echo "::: Copy saved to /tmp/debug.log"
 echo "::: "
 exit 0
 }
diff --git a/scripts/openvpn/pivpnDebug.sh b/scripts/openvpn/pivpnDebug.sh
index 38a8d7e..46d5edd 100755
--- a/scripts/openvpn/pivpnDebug.sh
+++ b/scripts/openvpn/pivpnDebug.sh
@@ -34,16 +34,15 @@ echo -e ":::: Having trouble connecting? Take a look at the FAQ:"
 echo -e ":::: \e[1mhttps://github.com/pivpn/pivpn/wiki/FAQ\e[0m"
 printf "=============================================\n"
 echo -e ":::: \e[4mSnippet of the server log\e[0m ::::"
-tail -20 /var/log/openvpn.log > /tmp/snippet
+OVPNLOG="$(tail -n 20 /var/log/openvpn.log)"
 # Regular expession taken from https://superuser.com/a/202835, it will match invalid IPs
 # like 123.456.789.012 but it's fine since the log only contains valid ones.
-declare -a IPS_TO_HIDE=($(grepcidr -v 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 /tmp/snippet | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | uniq))
+declare -a IPS_TO_HIDE=($(grepcidr -v 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 <<< "$OVPNLOG" | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | uniq))
 for IP in "${IPS_TO_HIDE[@]}"; do
- sed -i "s/$IP/REDACTED/g" /tmp/snippet
+ OVPNLOG="${OVPNLOG//"$IP"/REDACTED}"
 done
-cat /tmp/snippet
-rm /tmp/snippet
+echo "$OVPNLOG"
 printf "=============================================\n"
 echo -e "::::\t\t\e[4mDebug complete\e[0m\t\t ::::"
diff --git a/scripts/wireguard/pivpn.sh b/scripts/wireguard/pivpn.sh
index 61db6d9..ad4b0e7 100755
--- a/scripts/wireguard/pivpn.sh
+++ b/scripts/wireguard/pivpn.sh
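Review bot: `grepcidr -v 10.0.0.0/8,…` filters whole lines rather than addresses, so a log line that holds both a private and a public address is dropped from the candidate set and the public address on it is printed unredacted in a file users are told to share. Extract the addresses first and filter those instead: `declare -a IPS_TO_HIDE=($(grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' <<< "$OVPNLOG" | sort -u | grepcidr -v 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16))`, which also deduplicates the non-adjacent repeats that `uniq` misses. IPv6 addresses, if the log ever contains any, are not matched by the regex at all; a comment stating that the redaction is IPv4-only would at least make the limit explicit.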
@@ -26,7 +26,12 @@ listConnected(){
 }
 debug(){
- $SUDO ${scriptdir}/${vpn}/pivpnDEBUG.sh
+ echo "::: Generating Debug Output"
+ $SUDO ${scriptdir}/${vpn}/pivpnDEBUG.sh | tee /tmp/debug.log
+ echo "::: "
+ echo "::: Debug output completed above."
+ echo "::: Copy saved to /tmp/debug.log"
+ echo "::: "
 exit 0
 }
From 18007bb01e8c52653c07573364dc87f42fe6af5d Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 27 Oct 2020 18:40:16 +0100 Subject: [PATCH 098/114] OpenVPN GPG key is static, so we might as well include the key in the PiVPN repo. --- auto_install/install.sh | 46 +--------- files/etc/apt/repo-public.gpg | 162 ++++++++++++++++++++++++++++++++++ 2 files changed, 166 insertions(+), 42 deletions(-) create mode 100644 files/etc/apt/repo-public.gpg
diff --git a/auto_install/install.sh b/auto_install/install.sh
index c3a1e7d..ed54931 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -28,9 +28,6 @@ dhcpcdFile="/etc/dhcpcd.conf"
 subnetClass="24"
 debianOvpnUserGroup="openvpn:openvpn"
-# OpenVPN GPG fingerprint, you can look it up at https://keyserver.ubuntu.com (prepend '0x' before it)
-OPENVPN_KEY_ID="30EBF4E73CCE63EEE124DD278E6DA8B4E158C569"
-
 ######## PKG Vars ########
 PKG_MANAGER="apt-get"
 PKG_CACHE="/var/lib/apt/lists/"
@@ -51,9 +48,6 @@ INSTALLED_PACKAGES=()
 easyrsaVer="3.0.7"
 easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz"
-# Fallback url for the OpenVPN key
-OPENVPN_KEY_URL="https://swupdate.openvpn.net/repos/repo-public.gpg"
-
 ######## Undocumented Flags. Shhh ########
 runUnattended=false
 skipSpaceCheck=false
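Review bot: The debug dump goes to the fixed path `/tmp/debug.log` through `tee`, which runs as the invoking user with the default umask, so on a multi-user host every local account can read it and any stale file already at that path is overwritten in place; what the dump contains cannot be judged here since `pivpnDEBUG.sh` is not in the hunk, but a file meant for troubleshooting a VPN server deserves restrictive permissions by default. That is a one-line change: `( umask 077; rm -f /tmp/debug.log; $SUDO "${scriptdir}/${vpn}/pivpnDEBUG.sh" | tee /tmp/debug.log )`, or write to a `mktemp` file and print its name in the message below. The OpenVPN `debugFunc` in the earlier hunk introduces the same path and would take the same fix.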
@@ -1184,32 +1178,6 @@ askAboutCustomizing(){
 fi
 }
-downloadVerifyKey(){
- local KEY_URL="$1"
- local EXPECTED_KEY_ID="$2"
-
- local KEY_CONTENT
- local KEY_INFO
- local DOWNLOADED_KEY_ID
-
- if ! KEY_CONTENT="$(wget -qO- "$KEY_URL")"; then
- return 1
- fi
-
- if ! KEY_INFO="$(gpg --show-key --with-colons <<< "$KEY_CONTENT")"; then
- return 1
- fi
-
- DOWNLOADED_KEY_ID="$(sed -n '/^pub:/,/^fpr:/p' <<< "$KEY_INFO" | grep '^fpr' | cut -d ':' -f 10)"
-
- if [ "$DOWNLOADED_KEY_ID" != "$EXPECTED_KEY_ID" ]; then
- return 1
- fi
-
- echo "$KEY_CONTENT"
- return 0
-}
-
 installOpenVPN(){
 local PIVPN_DEPS
@@ -1221,17 +1189,11 @@ installOpenVPN(){
 PIVPN_DEPS=(gnupg)
 installDependentPackages PIVPN_DEPS[@]
- # We will download the repository key for the official repository from a
- # keyserver. If we fail, we will attempt to download the key via HTTPS
+ # OpenVPN repo's public GPG key (fingerprint 0x30EBF4E73CCE63EEE124DD278E6DA8B4E158C569)
 echo "::: Adding repository key..."
- if ! $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$OPENVPN_KEY_ID"; then
- echo "::: Import via keyserver failed, now trying wget"
- if ! downloadVerifyKey "$OPENVPN_KEY_URL" "$OPENVPN_KEY_ID" | $SUDO apt-key add -; then
- echo "::: Can't import OpenVPN GPG key"
- exit 1
- else
- echo "::: Acquired key $OPENVPN_KEY_ID"
- fi
+ if ! $SUDO apt-key add "${pivpnFilesDir}"/files/etc/apt/repo-public.gpg; then
+ echo "::: Can't import OpenVPN GPG key"
+ exit 1
 fi
 echo "::: Adding OpenVPN repository... "
diff --git a/files/etc/apt/repo-public.gpg b/files/etc/apt/repo-public.gpg
new file mode 100644
index 0000000..eaae384
--- /dev/null
+++ b/files/etc/apt/repo-public.gpg
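Review bot: `apt-key add` makes the bundled key a valid signer for every APT source on the system rather than just the OpenVPN repository, and with `downloadVerifyKey` removed nothing checks that `repo-public.gpg` actually carries the fingerprint the new comment names, so a swapped key file in the checkout would be trusted without question (the installer comes from the same checkout, so this is defence in depth, not a complete fix). Verify the fingerprint first, then install the key as a dedicated keyring and bind it to the repository entry with `signed-by=` instead of `apt-key`, which current Debian and Ubuntu releases deprecate; the `deb` line that would take `signed-by=/usr/share/keyrings/openvpn-repo-public.gpg` follows the hunk. Older apt versions accept only a binary keyring in that role, hence the `gpg --dearmor` step; `gnupg` is already pulled in by `PIVPN_DEPS` on the context line above. `installOpenVPN` continues past the hunk.
```shell
# OpenVPN repo's public GPG key (fingerprint 0x30EBF4E73CCE63EEE124DD278E6DA8B4E158C569)
echo "::: Adding repository key..."
OPENVPN_KEY_FILE="${pivpnFilesDir}/files/etc/apt/repo-public.gpg"
OPENVPN_KEY_ID="30EBF4E73CCE63EEE124DD278E6DA8B4E158C569"
if ! gpg --show-keys --with-colons "${OPENVPN_KEY_FILE}" 2> /dev/null | grep -q "^fpr:.*:${OPENVPN_KEY_ID}:"; then
  echo "::: Bundled OpenVPN GPG key does not match fingerprint ${OPENVPN_KEY_ID}"
  exit 1
fi
OPENVPN_KEYRING="$(mktemp)"
if ! gpg --dearmor --yes --output "${OPENVPN_KEYRING}" "${OPENVPN_KEY_FILE}"; then
  echo "::: Can't import OpenVPN GPG key"
  rm -f "${OPENVPN_KEYRING}"
  exit 1
fi
$SUDO install -D -m 644 "${OPENVPN_KEYRING}" /usr/share/keyrings/openvpn-repo-public.gpg
rm -f "${OPENVPN_KEYRING}"
# … unchanged: "Adding OpenVPN repository" — add [signed-by=/usr/share/keyrings/openvpn-repo-public.gpg] to its deb line …
```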
@@ -0,0 +1,162 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBE45PsIBCAC2K2LRZPQIUmJlCDKcncfR6vok2wowDpGpHZffvEEoUj/DoocR +LLpPHR5RB1zMWIs2IjF8vOtXMCBguDgtEvQTh6p6DM3D1fTnYp3pPlQyyzAuC81v +CQo44h09R4Nh2e38oMRVztmAnacC4g5aiSEamrZ4PbWdAdPc4uZdCPOGmUDJw8+q +aAYvL/8pM7YqEu05FqE+aNcG02K+mDhA2bqRLLKoLEFpeMSO6vV8BrE7Vw1Rs1PM +VLDJt9HdXmC6vP+WWqDuj7/qfRb2wwlSIp5+aFyRHOUNyFKnWZYIObeV3+Y6oG6h +gmBtU1673mHDqVy26TwfjpJeudMKHVCrKXVXABEBAAG0QVNhbXVsaSBTZXBww6Ru +ZW4gKE9wZW5WUE4gVGVjaG5vbG9naWVzLCBJbmMpIDxzYW11bGlAb3BlbnZwbi5u +ZXQ+iQE+BBMBAgAoAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCU+B6sAUJ +C0rWWQAKCRCObai04VjFaU2sB/9eB1ZhA7u0o1XsiJpKcoEmcFS9EmYt+RjeplJP +0ewYoGFOGbEupvBdhqg1tqBxFw046kAbbBxwxU6NCSSPsIRR7FMLzF7JbRmlJXJc +Frl2WZaAL9wwoGucpGhWITUaipCXOcAY74WYWIx01mx0RxK8uRIq8lhsC4LUzAmg +yA5H+nbF7A7FLtl9EUpnpqhnOC44ANlTSDo0whcrUoGaTvaepJrecypzQupMKYvd +cnraVXjTIr11CEXD8TS56sm9A3LPZTWD7jytUeRCh0kdixFI7ax1tkqDYtELfWg8 +0YRWmT30o/k5hMZKWF5uwddbebfPB3EVHUtxzrnsxHReEVZBiQFVBBMBCAA/AhsD +BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgBYhBDDr9Oc8zmPu4STdJ45tqLThWMVp +BQJfH7LvBQkaTHWtAAoJEI5tqLThWMVpwLkH/19yyUYxqoh2M53G7YZ/Uo3ihHYN +Nt4fAx6uRA0DHnrGD83EH1oNO6yQ15UazKXOlLKix+E3UN8rSP3eaZRoXusNpFZQ +o4CZ060fx5TJQk7d8N6mGpmLaf7rIZ9cjR9dtX3IY/c9PTryxPiJPkThg4GaZj0S +U3cpmWicK4EiRAhmPnNf1bI8qgdaEQTE8mnOFGTHmdwjKmg69P4r1AVO6GGTiPUl +2avInNDyQcDywRStmSYt1uXI0gTQGpO6tsqcu3GzO6I1qPGlssnKJEcRTYy3/SX+ +6kD4QS5qnpWGaUjmTfNp1QNCgMkyEtXxG/Aj+HO3AAUW1rLLEYLOSCQGB4SJARwE +EAEIAAYFAlVDl7cACgkQKwRyzuXQlJnMfQf9GhhvvpZzOSMqOSqlOwilr6Xoq+H+ +o4IyIc5UR7TlcxhuSu4PDmHXmINU3Qlm2SkmEMCjFvnqiQRPz2CEwgWPOOo5pGJ5 +Y5aTXLJ+7CpFI2/vB6J2xFyq54gNxRnix+n1+9OV90YowmzSMAgGdxo+akx5WIAM +2zPIcN7/CoUDmXWBovvTqCwb/i2YrdiCpQwY76umTk5g8GwY8Rx371hqd469Z/Jq +iIAAW4RF7oT+HjjGjpl9H5J/5Wr6SzPJ4I01UNdRJk/L+p+sGRAO6SUtuc3DWaMb +Yh9rQwuPO9NJJNIBF81j0WT2sA8/8GKm14ga4aL+mApyjLW/xzr5WNR/WIkBHAQQ +AQgABgUCVm262gAKCRBBCW2ponOmIW+PCAC4mTQ3lB1Q4TEBqMYmFAakNg4ZofBf ++dDDqoVdYz5SkgS7U62mXBRudzt2ww1esjnqN3snUtMl2S0yCNWDV1ut9xKedR8i 
+h1bs90vWOSTt13FXfgZuP6LksFq+nhVSXKPkFgunFXJykUELYv/1gWxgCnDrlSh4 +38bJZZzsYSfTuUGHPjQK9KGJPetoHKQVZNpM7EM0vLm+FJwLrAzQTyVJyRiCV2ob +K5+CV3vgVkjU97STrcunVOwNqXzRH1YwzBRchnPxni0winSqos6oItTIOPDo3fDb ++JKv01fKpDX0xdKvpf5s4q484zZEKn+/myHREagIwSaDZjLn1ZxfZZXWiQEcBBAB +CAAGBQJWeTLoAAoJEAwrK2U6ZdPRpxMH/1PxVwuyW4mKrpN34mI1QWnVBEWV8L4f +G0ejHrpZDWJw40Sqn/BThalqVJjt/SDzbBvyesjycd+BmOjPIk10JIK89CNthfFd +ya4xPSxz6E5MbX/w1FPc4axhVqNUpy02rbbvl072tsd1m+b0WMfq/+HbIU9Jm2ei +dEPdpp5OAJ3LZVam88IfvBRWgDp3NT37L1ZGoDsQXMlc4EP89vtxqH9Pc/wz66G2 +WAK0h47WxnFXpwe5D3zY1Ysn+FaUqJBSQgPE0HBAqh8lOGW67CcrqUZ9iJ/H8CpR +RhPOusKU4BDyUs1WmCA0u11VG4155g1Kbkm0TiPATFmKRmy9enFS09GJARwEEAEI +AAYFAlablJAACgkQULcymFDhYzLzrAf/ZYB9b+Q/khDFbebl5vQMJ1olD5Phaynk +uL5tz8Jv+9QUIC9i/Jgj0U79JlbYdZ798E53ZQcPwixiAOW8kzrjOv3jXHCjpzNO +Tr9zKLxObTAoM53OEoB3xFMXm/LsTWnOjZDa3iRk8/toK3mhzPzqFYtVEyVSkWUI +3Lt/f8L52AeDenMAzoZWm5G7L0iZb3kYOau1hHA0lho4WE2EvIfkCXz+aA47s4Mc +V3AZvmBaOk1iFVdUdAq5vNqpq9jvaGjojkhLEngTqtkAhoAcHbqu9yN1DzR6RovU +b6/cnlbES57nOd3C2EN6dKWWcVDDQbeBhP3vy+fuDQiIkDjXeyMY5YkBHAQQAQgA +BgUCVr4ugQAKCRCoyBY+CMzgYuXVB/9vao9PJD1tRPTtN0x+2Gr2VIXB5963Ghs4 +NB2YrRpfl8FSHs8k6E4SASWMHxxPSy1ZvEZhCN4D/IzTOQBHoj8qlvO7ulVE3CfJ +OgwNrVMkq9muOk8HiexUweQpHnWVhtVSZkRSd0lXUntqVcGKo6Z98tnOqjGk2ngo +Ha01hMHuG+3argEq3NZNDEOjfbOTYFD4x1SVTS0+nM1btuMmVOuthno+pURjcI5i +sIqA6sUdWKyil3UaV2ZvKDOBLyWJxjOKDB10cnCXd9y8O8wqnHX9uUf87JmGV1Xp +A84aWdOlh4+v8yMFxKYkPsDZBmUXeHuKkOodZ2H7ri67UQe6ia9wiQEcBBABCAAG +BQJYngo0AAoJECh/J03GgfleH4sH/1rt4VvZ+YkqhDDylxo/YKlThqZQEeTTxLNu +wokx0rUxIp/5UG2JybJyBgnW/znHKnJa8XHKetyscWY3bDbNFXURyl8VWCGEcxMt +vw2EuQciWg9HyYMkQBl+KRt+QM/77kCLXMJZ3SyX1t0/vUSIq0VbRnt6gouUDr03 +a6r7jhTOwR1qjYYn0ZmtaEkydBN3+qOfea49h1PfJagJUl8/jUk9C3KW1vV9KEtE +GbfcypCpDFibiMmwRoEzd6Anun/Et30CqgJ/zIXFZ9IIs2N/2RiAS4uVA8Wtc6pg +VdO0FcW9UxYVnQRgSk+je1pu8glQzYJDHLHbwnUyt03aKXHb1kGJAT4EEwECACgF +Ak45PsICGwMFCQWjmoAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEI5tqLTh +WMVpSMkH/27eO9gHJ/FTLEk46RS8OOUmO9ZBycfzovkLvx1WNWGp14gzT2f3uBED 
+80sxW2lGSbE30GRhgDGQMfE/vCZrJ5SMjfA2olc9+FNPHZfP7FBnPXnxYTM2bbGz +BhRA/7YHj0lk8sPE+ALS3kqgflEkJrLFkcxr3H8teudthxMQFaXG4burFjR6vTrx +knyYPlYMJc8XtQ6f6jHEysg693JyVmu0ShSe46XPIuTRv6CpAJxpDEyROiU2kKI5 +GfjPOUzQLQn9UbZZQxZm2jjN8tod07ogX8IQOtT8sJ8+sXVkTt9bOoYkAJpIXfAQ +U/k7uvvo7FlktdS4k9BqIZpJ4Vq0XvGJAhwEEAECAAYFAlOHUyAACgkQpIWg7VG4 +t8T1hg/8DDj9/KwjHTmbLstWaXypOXRzDMUMM9TMZAVD8darxsPqgFtWA6Bv431q +DAQnKPKI8RSi90VOOSv5LfDB8j20tHRH6hs1LVEfuQr7zfxuYh0MfqqiqtPv1BT7 +3Oxa2ETNoLi+LyzViM/E2bcTlygUrNM/h5T8T2YYWF7gbFtdhd991KCIsOUHKsOG +uVEo6lEvdgDZVs5SCnmsKgKAUKWD+nK8O7pW2K/wxPKJGwiLaJh9w1gHu0Sx4d8C +pm+7iwzhAvJzoSFvVGkGAjbNsQze32Bn9yw85D0qLEMAOis6jDIzTcU3UODkl41j ++TKn+W9Sv+Ldyz5WchmGtdZF+Gf20pFWRfPEso0NKFJ7PIcRPH38+wCNo2hg6lYq ++0xDnrGNjoHpmPCsiw82v/Zh05xhfb0bmIpRlB6wmA6OKvauRk8sMUHJ+4yk7Orq +upSWtzBc+Rut89Zhba5IFm92uY3utAh+EYnxoQEwTxgkfG6qZbhOlOPedHI/6gYx +Gwn1KsTl+S00lttsYPpsACNq9u+MCztKunbzoAMT6L3NBxItPAxR6u+clPFglOId +Ks+AO+E2eqinhAJ2s1SXNRhshXTz3eF1edBRorvXiy0XfZoXG26s7LSUKyghzWtD +Pa91aVhyzEmgst3wX0xPvJNPadXrQF49lIPYlhMAHkEs1MS4Z1iJAhwEEAECAAYF +AlYmU4wACgkQBOrlbTWPQ08eVQ//RSzf93kYYsmUIMEGKzQDnEVSMitRD6IFeIme +dKF2VluG7nkmo7B3Q6GPsOPYEDVFJ5+ZoY/0gN5O64IA0PE+1w772mz1khifGpQ8 +VeB9dcOpnclDJ6S/IYnuinUPvHoGo4JkaXAb0Yjrzp4iJjT4Fv2YmxZAFdCqMYp9 +zR0QAcZSl+mG6nAzhiC75BeIuLPlMDAPWRQkUL1tskB4Iu4ubX+XZkq45VUBDAz2 +14dTaA8y4/jhiNA61uCyLF5Xzx3h5qeO4Z64KMbVbwQ9GyDZjYETss1VWx2KseW6 +1wbJKekDG4OnzCDHDqV31z2vrsaAtCsSM8IXgP9dl/WKd9oZODOFQggBJX2UM7nH +jv645noDQ3bW07DPC4WIItDxPWj7ocQs1caFAh3HEMnJvqX5yaXRHqNCT/2iRfgF ++TZJvygJuA28hhPV2RnuOesaTzFy2Ghd6iOqpXM8zzjfaDhs9BgE7wiB3jccwE08 +UVVKkPYM1FpSJ4XupjHoShHi9POsMY2iD/QOAAOO+HxeFGzSSJ3LMp1A5xi05rYx +UUceNIMJPpESxAbx9Suzb6wGp7HRjoBecFkHrIx4SFv0A3ZCN39TZYtMl+eEBo61 +qRrJgyWGRNb+GIutWWpEMmzmq+kDE+6qmsuDL4zZ6bF4AP//WtJPYeadQPCdFdv8 +CWES182JAhwEEAEIAAYFAliZedsACgkQBZ5sZt7zN5ewYw//QJaLcPEyM5YuKccW +SNTDVAGjwB3TTy+SbG3Ref1b6Jie7B4bYOdRYU2gzMeitv85q2mTeHUV2YAHOisq +LQhsXMp2+CYM9Is2/Qd2cX24y8geKhGxGdkViG2mnVMYhwprUHsJfP8EHDZOikin 
+r9UGYJn1lmD9LGEaRWBM11o+6a+WKUk1MjmNBJydBlrGK4cr4PeoR7BEqQd7lTIq +iu3bVhY8VR5gObVwQjHW+tmMvgUHpB78Z+ZuOe24XDy7JPBJ5IJPKddYIp134sB3 +WHiD6WuVWJeNLajBwal/zgLZJ20nNoS7TVOwcTV+MIEXEQDfFwcyu1FT/gyjrmbW +7BuKspP7Gv0T3oTDGHjWfNAIB5FUa9NqzUq4s9B5Gj/i63AcdRcC3pm0lxlC7mmY +CsQIw7ZO5DV+tZlaBqJQ4lb77P/PpbIEzc+yRBjHjV9N6+0KOg81jnZWloSNqcCi +tenrpoRmz7zLldE4sLG04j7dRAl//ihonEEgczuiOstGNUKxuXTrDadJ7y8/WjtM +L8gq2MlbYIDhwBfB315WqsYNQdQ7vrRWQ88FakVsIIXR+jKF4qP96VJ3Hj+U2gMI +awxAVtDblMY6x+Vh+t6asXdnnJyhpzohWnSlRjCHlFpZ+OmzGGMT/TZwtSKnsg1L +rPg3YFWAl4kwWCp9uHf3iCDIzP6JAhwEEAEIAAYFAll3XHsACgkQ2zYzDZ7HxlVA +5g/+MKtdZNJBsZzt30Xrf27x7YcPnU9u99Cha2pOigv76hrADKAugwV64yq52p+v +WPcZLbeqGydxKzfNH4SKZ1QrjDFE9ynK1LbpjEZOnka61qxdBAeekBDImdtBbBVY +75faCr5Zge814Aw1/4m/y3Ua7s9I2PHGUHQaUTZiA2mU3Dex3YjaGH2ZdatmEo4q +iBBslHdiddukfzc30WCQtz1dDKs1UIuwsCNm527vwEajkn+QjdWggtVAHAr6EfLY +l0JnGL2sgngtduFhhUssuZ8nT+RVCTR9O19og2ahumRMYAzaIIKDQx+r/yjEGLRT +thlSRsY2jkkpY2qfJ4ygID1PRbx4Jg7FL915il4F9l5BtKEXQr3ESs9iXYJvDe7l +/2bmULQAzK41jMkVmw8dWrk/gmTSVLMoNFopdCKcUA8+PTOTh5Nk7KFWzLXe9yiP +BZ2KgTFjq8dQZeu2aeiF0VrAIe6GlmAIfM9ojOkWRiK8iP+xShY260+qXsGHr2Tl +T2ePaGeFI3sdV+roVie4OcwiDP61ZF7mgXjS+p+PV5BrYvEiKHNy/OZnJ+8icEqN +N+BhfCwkv5Zon/pck9i0FsX8H0DqpxQhEO9nyhQ/6t85SGiggYPKcOq34Siy0Chb +z2x6nmkTD9UL3//OPHQdGoTPW8CoEYnblBpaJBAc9d1x2+mJAjMEEAEKAB0WIQQZ +GDXtDq7GNipHOpJcG46CuAMPygUCWRyzUQAKCRBcG46CuAMPyu6wEACmGB3L7nkV +tWXzghepHxtRb95eATbUcDSKp5UkHFFVAABsvavUy1WsHQdIgcoByxNUcDiJ3E0p +uyRMOd1Tbp16RYZeBXLht6o1qYji2sMR+7ju9BpHBooBTyWXPDx97bUGeOSwLdo3 +pKsuk30jeLD/rYqS63k0d5dk2Tfxgek1FPKGwZWCGF2WJnfI4eDN3YnAt4gKlIeL +GjvdXcfQ2ZCNp4WW9Uzh6MrXvBvzUAmCNopEM2B4zHbnvXc7fEHCdH+mMCVblCiM +kbMbIEjO3YInahT2E0F7LeQjBarpQjTgz5dFSJqXawuMM2A051Cn3/1D3A88ecpa +cN2hqwsmoQ269xt+4wsNjFxf7p8j5aCD4lvBFv7A6f6RbbCkDpT1ilcVRqficT3H +1mWMVMCEfOhliZeBWGyXz3ZCzCNPxFWsPAF5QYAiTIEEKFdbWTUv/GF9/6uPv/c+ +DT2NuGJ3/6BL7dsSJq/u0FZ28RIYvGpWDGB8EDuoMG02jLbPAETLTTlT8F2p8YN0 +nv/65oUXY/vYNJGuR4+yU7zFunkASbac6VwQfmelc81AUh0k+v7j6/f1vF++YQR1 
++oeuXUMthYCpiTtGhWOvZZ/yTNwXw83HIYSoyjnJVWYxLZ4di56rR5UozRhHyQwD +Us3pMHa9RazC2yNU01biRBaQ4uoHMSthB4kCMwQQAQoAHRYhBNwe38uA0tosjq6u +IkljV0IYaftsBQJZLKjfAAoJEEljV0IYaftsScMP/0b32LbZJl27X37cfHkwr5v7 +XHkqkpYPmmiFpmMmnnfk2GqWmOT09Sjy5uAdMxCNz0Z+Lp15NMS33+73me+7u83R +Qg8ecycxOQETq+1tFzy3gBeqIByJKSCJRSjStBlkks3reLoOmWbKGyaE9eHG40z7 +4gMKnTv2Su6koVH0aMK0Q4kjdGUO7lec5EMfg2H2oI5m/PW/uSxxJHot5bk+e2UH +2zafxpcsFeI6DcBZPiPof5r5m/xGGDA6ZkehtBNnP4aAwEDdpzLJ5CBVDrTyszkn +i15BoAZPWtMnVPI6xnrZ/ae0B7T8/1THluHXb0hZTOhdmDEHEjYRIte3oXPkTkke +BGB2uqx327nwo2brETs3rtdbkvOGIFtbsoxVCnM0qKBOswkvkFX/6ijNFBpi1ekR +ejOxaJvuhpt4ttGrABO8Beh/CpjUbmzYtTgU4CztL/+aIMEG0DDfZipG/lpsktvP +It/RU4OVK6dDaLeEmAX4jYtPwAOLhGZ43xwclMnNgeSIT3CAYXMXWNFe3PPQ2A/H +jA9U40kO1SMbu7IQJJ2kZWS7/rQEQzBbYfpWcD9fy4+sKTFgLJDBRXhla553sz97 +KiyaTH0t+zb5dkUv619BRhLrmkbQiriy0n9a7p3upUAoGFNp3eAO/qG2JLMw/Ayv +RNK+zKVfI6cu3wj6gBVliQEzBBABCAAdFiEE+i7gS9aI2i6nUmgujfzQ7qCqWiAF +AlxWtEcACgkQjfzQ7qCqWiCIGQf/bjV3okhvC8RZr6o+qd+pOcwjEjEGQy+gP898 +gq50yVcq2ZKeqZWMqk7UFnUr/CPToUpJ7Or3jbgc4Fv8lP4UGifts+7AurCVfyP9 +ABXeAO5EPKcCWeKEmmulMBAntyCv+kUg+wC1bGX+CbLpIVfz4ipkGsHUrdsNDTPJ +a3dZwT8IokX+BPqW4x5ZNug2ay7dw1hGPBT96AeSLC/KYtyVynRCISfSOVD0MUgq +T3It0nKm0GgX6700ZxXgk6z/ApFniQjq1sF/Y3r3Acp6n+r3kvzBgw7j4+o/EtQK +yXq5jHeNlKIRZK7+TkmmHmCVDY1sRC6XIRINERXlq8WEFUxBRLkBDQROOT7CAQgA +6D4GOTxadvt9tvAEMNRqUuwgSAVSGytIsPlVVgHy06rt2OyFySn/cvB+RKyZTMS1 +cxfEhsNQ43W9sJBdmVAN7sTu5jkoU1bKLj5QnAsyuz6ip9525TMPFD6+ir/o0aX7 +aiWp3q9P9z+49v9E9mk52CgSSoUQ5MxFXPQNnADLPJgRYGvAMQI1sS2p58ws8hpQ +ZTNm9RzzQj4xgvoDNF7+60hZwGdnafJ1nRK9YpEnSU6zr17oqgVV4TlBfOZNeSPN +JtH143cAObaPQSMuem3/NHiEXyziXgct1F1Kfju0B29qGw1+BaY5+JAPxu2e7wOI +yIkx3wilWxlf/MIltJQKFwARAQABiQElBBgBAgAPAhsMBQJT4HruBQkLStanAAoJ +EI5tqLThWMVpYygIAKtajtTPqp556oANXzAJTjZlsDYlbKeWk5F13MUeQSB1ELZA +1Df0/hybke9lfl3kHTm9DQRSBpUq+u9FD0Cg5GKGsYwjFJzYfBi7npKBhZyhADQe +bSk0lkuF0wJewVRZ1t6h6xcTqTGj982Bw3h40zt5AUFEdRiBUcXHGNP9Nwx/u7vV +w3Ccu5z64/LrDSnrM1FhZ/KLoEsctM+KHWG+CNcq1WhOfjPnmF7pEp+RH2cZ7mzG 
+KPHNbvuAqsK8QgTJ3FuRaMw80oRCHsO4S/zdUXXRX1Qp5lxnpIBCoRsRJr/Ez1Wd +hEJRD9MKIO+7IvEQMmqDidI5FK+J4OqMUv+0EpmJATwEGAEIACYCGwwWIQQw6/Tn +PM5j7uEk3SeObai04VjFaQUCXx+zTwUJGkx2DQAKCRCObai04VjFaeXdB/0eH/mN +40u2RhftN0Ntj5cB3ILpK7tR8cPkQrlvyZAmwVkTUY7LDZ/Rqmc809B26qF3M2Lz +8cC66PrFY9f3y/uWc1QRqKg9GjZM85AS2BRzT+LMycuRiYq1S+V1p2xQglgKv3q+ +lrgzQDJ4QCszdCZVl0lufAqKlOuCcisBnTdLacjM/88pZh1ukzwvKm97yQjWpfFm +HLKKA/RgtbR/qINmdUsXoDS1ZYDMyzHbZ6x8YJOZsPzgPBS9uqN8AwMHz4AGgmEi +/eD5PDgVMzburMXNLNxFFLT6cVUCULTozKBfTp/bncEOHf4l+OG3Vgwe1RVdxU3c +VHxVxJNKrv1//EX/ +=qIrL +-----END PGP PUBLIC KEY BLOCK----- From 13d40399f3f2288444c198684a4ec2533801fe5d Mon Sep 17 00:00:00 2001 From: Roger Haxby <63857845+shelleycat485@users.noreply.github.com> Date: Tue, 27 Oct 2020 21:25:27 +0000 Subject: [PATCH 099/114] fix listing disabled clients --- scripts/wireguard/disableCONF.sh | 2 +- scripts/wireguard/enableCONF.sh | 2 +- scripts/wireguard/listCONF.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/wireguard/disableCONF.sh b/scripts/wireguard/disableCONF.sh index e8a8b5b..16dcfe7 100755 --- a/scripts/wireguard/disableCONF.sh +++ b/scripts/wireguard/disableCONF.sh @@ -52,7 +52,7 @@ fi if [ "$DISPLAY_DISABLED" ]; then - grep 'disabled### begin client' wg0.conf | sed 's/#//g; s/begin//' + grep 'disabled### begin' wg0.conf | sed 's/#//g; s/begin//' exit 1 fi diff --git a/scripts/wireguard/enableCONF.sh b/scripts/wireguard/enableCONF.sh index 606adae..dad65b6 100755 --- a/scripts/wireguard/enableCONF.sh +++ b/scripts/wireguard/enableCONF.sh @@ -51,7 +51,7 @@ if [ ! -s configs/clients.txt ]; then fi if [ "$DISPLAY_DISABLED" ]; then - grep 'disabled### begin client' wg0.conf | sed 's/#//g; s/begin//' + grep 'disabled### begin' wg0.conf | sed 's/#//g; s/begin//' exit 1 fi diff --git a/scripts/wireguard/listCONF.sh b/scripts/wireguard/listCONF.sh index d4ab8dd..a8f5e57 100755 --- a/scripts/wireguard/listCONF.sh +++ b/scripts/wireguard/listCONF.sh 
@@ -30,4 +30,4 @@ done < clients.txt cd /etc/wireguard || return echo "::: Disabled clients :::" -grep 'disabled### begin client' wg0.conf | sed 's/#//g; s/begin//' +grep 'disabled### begin' wg0.conf | sed 's/#//g; s/begin//' From 443ef51e293a1aaca57cf1f8505a5328ac148fda Mon Sep 17 00:00:00 2001 From: Orazio Date: Wed, 4 Nov 2020 11:45:36 +0100 Subject: [PATCH 100/114] Update LatestUpdate.md --- LatestUpdate.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/LatestUpdate.md b/LatestUpdate.md index 01fba5a..0ada3e7 100644 --- a/LatestUpdate.md +++ b/LatestUpdate.md @@ -1,10 +1,17 @@ # Information of Latest updates -This file has the objective of describing the major changes for each merge from test to master in a similar way as a -patch release notes. +This file has the objective of describing the major changes for each merge from test to master in a similar way as a patch release notes. Everytime Test branch is merged into master, a new entry should be created with the date and changes being merged. +## Nov 4th 2020 + +- Official support for Ubuntu Server 20.04 on Raspberry Pi (32-bit and 64-bit). +- Handle special characters better when managing OpenVPN clients. +- Show expired OpenVPN certificates as such when using 'pivpn -l'. +- Improved OpenVPN and WireGuard availability detection. +- Reload WireGuard instead of restarting so it doesn't kick existing clients. + ## Jul 24th 2020 - Added ability to remove client by index. For example, when the user is presented with '2) phone' he can remove the client by typing either '2' or 'phone'. From 3ed54bf71db9dcd989370821094ca0dfc9b48749 Mon Sep 17 00:00:00 2001 From: Orazio Date: Sat, 14 Nov 2020 09:35:51 +0100 Subject: [PATCH 101/114] Expose AllowedIPs settings inside setupVars.conf --- auto_install/install.sh | 4 ++++ scripts/wireguard/makeCONF.sh | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) 
diff --git a/auto_install/install.sh b/auto_install/install.sh index ed54931..2649b18 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -1094,6 +1094,9 @@ installPiVPN(){ pivpnDEV="wg0" pivpnNET="10.6.0.0" vpnGw="${pivpnNET/.0.0/.0.1}" + # Forward all traffic through PiVPN (i.e. full-tunnel), may be modified by + # the user after the installation. + ALLOWED_IPS="0.0.0.0/0, ::0/0" CUSTOMIZE=0 installWireGuard @@ -1110,6 +1113,7 @@ installPiVPN(){ echo "pivpnDEV=${pivpnDEV}" >> ${tempsetupVarsFile} echo "pivpnNET=${pivpnNET}" >> ${tempsetupVarsFile} echo "subnetClass=${subnetClass}" >> ${tempsetupVarsFile} + echo "ALLOWED_IPS=\"${ALLOWED_IPS}\"" >> ${tempsetupVarsFile} } askWhichVPN(){ diff --git a/scripts/wireguard/makeCONF.sh b/scripts/wireguard/makeCONF.sh index 0564fb5..73bfd9b 100755 --- a/scripts/wireguard/makeCONF.sh +++ b/scripts/wireguard/makeCONF.sh @@ -110,7 +110,7 @@ echo "[Peer] PublicKey = $(cat keys/server_pub) PresharedKey = $(cat "keys/${CLIENT_NAME}_psk") Endpoint = ${pivpnHOST}:${pivpnPORT} -AllowedIPs = 0.0.0.0/0, ::0/0" >> "configs/${CLIENT_NAME}.conf" +AllowedIPs = ${ALLOWED_IPS}" >> "configs/${CLIENT_NAME}.conf" echo "::: Client config generated" echo "### begin ${CLIENT_NAME} ### From 49a9314325e9da9e543b6025998e65d48031f4fd Mon Sep 17 00:00:00 2001 From: Roger Haxby <63857845+shelleycat485@users.noreply.github.com> Date: Thu, 26 Nov 2020 15:36:00 +0000 Subject: [PATCH 102/114] change to on/off for temp enable/disable --- auto_install/install.sh | 1 - scripts/wireguard/pivpn.sh | 10 +++++----- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index ed54931..421daeb 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -10,7 +10,6 @@ # curl -L https://install.pivpn.io | bash # Make sure you have `curl` installed -# timestamp 2020/5/24 15:53BST ######## VARIABLES ######### pivpnGitUrl="https://github.com/pivpn/pivpn.git" 
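Review bot: `AllowedIPs = ${ALLOWED_IPS}` in makeCONF.sh has no fallback, so on an installation whose setupVars.conf predates this commit the variable is unset and the generated client profile gets an empty AllowedIPs line, which routes nothing through the tunnel. `AllowedIPs = ${ALLOWED_IPS:-0.0.0.0/0, ::0/0}` keeps the previous full-tunnel default for such installs while honouring the new setting when it is present. The install.sh hunks of the same commit write the value as quoted shell syntax for the sourced setupVars file, which is fine; the defence against the missing key belongs on the makeCONF.sh side.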
diff --git a/scripts/wireguard/pivpn.sh b/scripts/wireguard/pivpn.sh index fba567e..b157431 100755 --- a/scripts/wireguard/pivpn.sh +++ b/scripts/wireguard/pivpn.sh @@ -92,8 +92,8 @@ showHelp(){ echo "::: -l, list List all clients" echo "::: -qr, qrcode Show the qrcode of a client for use with the mobile app" echo "::: -r, remove Remove a client" - echo "::: -dis, disable Disable a user" - echo "::: -ena, enable Enable a user" + echo "::: -off, off Disable a user" + echo "::: -on , on Enable a user" echo "::: -h, help Show this help dialog" echo "::: -u, uninstall Uninstall pivpn from your system!" echo "::: -up, update Updates PiVPN Scripts" @@ -113,11 +113,11 @@ case "$1" in "-l" | "list" ) listClients;; "-qr" | "qrcode" ) showQrcode "$@";; "-r" | "remove" ) removeClient "$@";; -"-dis" | "disable" ) disableClient "$@";; -"-ena" | "enable" ) enableClient "$@";; +"-off" | "off" ) disableClient "$@";; +"-on" | "on" ) enableClient "$@";; "-h" | "help" ) showHelp;; "-u" | "uninstall" ) uninstallServer;; "-up" | "update" ) updateScripts "$@" ;; "-bk" | "backup" ) backup ;; -* ) showHelp;; +* ) showHelp;; esac From df10cdded3a56f3ddc8b41c02826c9bd24c54885 Mon Sep 17 00:00:00 2001 From: 4s3ti <4s3ti@protonmail.com> Date: Wed, 2 Dec 2020 23:25:34 +0100 Subject: [PATCH 103/114] New pivpn status page Changed status page on README.md, new status page at https://status.pivpn.io --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4328ec9..1c22b0f 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ ![WireGuard + OpenVPN logo](logos.jpg) -**[Is pivpn.io down?](https://p.datadoghq.com/sb/od1t7p4rmqi6x1fm-cd513e61b0eb77a5d5f6a52fe0662205?theme=dark)** +**[Is pivpn.io down?](https://status.pivpn.io)** About ----- From 5aac8bca84744bbee9b65260836dd5ba3f386ae2 Mon Sep 17 00:00:00 2001 
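Review bot: The case arms in pivpn.sh drop `-dis`/`disable` and `-ena`/`enable` outright, so existing scripts or habits using the old spelling now fall through to `showHelp`. Keeping them as silent aliases costs nothing: `"-off" | "off" | "-dis" | "disable" ) disableClient "$@";;` and likewise `"-on" | "on" | "-ena" | "enable" ) enableClient "$@";;`. The bash-completion word lists are not touched by this commit, so tab completion keeps offering the removed spellings.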
From: Orazio Date: Sat, 5 Dec 2020 11:35:56 +0100 Subject: [PATCH 104/114] Changed WireGuard unit path to /lib/systemd/system/wg-quick@.service - On Raspbian, /lib is not a symbolic link to /usr/lib, so the WireGuard unit won't be found. Therefore changed to /lib/... (which is the default location for units of installed packages). --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 2649b18..8aee5c8 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -2007,7 +2007,7 @@ confOVPN(){ confWireGuard(){ # Reload job type is not yet available in wireguard-tools shipped with Ubuntu 20.04 - if ! grep -q 'ExecReload' /usr/lib/systemd/system/wg-quick@.service; then + if ! grep -q 'ExecReload' /lib/systemd/system/wg-quick@.service; then echo "::: Adding additional reload job type for wg-quick unit" $SUDO install -D -m 644 "${pivpnFilesDir}"/files/etc/systemd/system/wg-quick@.service.d/override.conf /etc/systemd/system/wg-quick@.service.d/override.conf $SUDO systemctl daemon-reload From 308affe4e9aa69c66260026a00029c5f78c7d4e9 Mon Sep 17 00:00:00 2001 From: Orazio Date: Sat, 5 Dec 2020 12:24:22 +0100 Subject: [PATCH 105/114] Workaround for the following error on Ubuntu 20.04: - /usr/bin/debconf-apt-progress: can't open /tmp/tmp.0CoNypDEPj: Permission denied at /usr/bin/debconf-apt-progress line 249, line 3. Reason: https://askubuntu.com/questions/1250974/user-root-cant-write-to-file-in-tmp-owned-by-someone-else-in-20-04-but-can-in --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 8aee5c8..8b97991 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -546,7 +546,7 @@ installDependentPackages(){ fi done - local APTLOGFILE="$(mktemp)" + local APTLOGFILE="$($SUDO mktemp)" if command -v debconf-apt-progress > /dev/null; then # shellcheck disable=SC2086 
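Review bot: Hard-coding `/lib/systemd/system/wg-quick@.service` fixes Raspbian but regresses any system where the unit is shipped only under `/usr/lib` and `/lib` is not merged; when the file is absent, `grep -q` prints a no-such-file error and the negated condition evaluates true, so the override is installed regardless. Checking both locations with `-s` to silence the missing-file error covers both layouts: `if ! grep -qs 'ExecReload' /lib/systemd/system/wg-quick@.service /usr/lib/systemd/system/wg-quick@.service; then`. The body of confWireGuard continues outside the hunk.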
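Review bot: `local APTLOGFILE="$($SUDO mktemp)"` masks mktemp's exit status behind `local`, so a failed mktemp leaves APTLOGFILE empty and the function carries on; declare and assign separately, `local APTLOGFILE` followed by `APTLOGFILE="$($SUDO mktemp)" || exit 1`. Creating the file as root also leaves it root-owned with mode 0600, so an unprivileged read of `"${APTLOGFILE}"` later in installDependentPackages will fail unless it is likewise done through `$SUDO`. installDependentPackages starts outside the hunk, so whether the log file is ever removed cannot be confirmed from here.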
From dc744a9810d22b845c7ddac634cec7acdb95ca33 Mon Sep 17 00:00:00 2001 From: Orazio Date: Sat, 5 Dec 2020 12:28:14 +0100 Subject: [PATCH 106/114] Fix directory and symbolic link creation when reconfiguring (writing over the same files) --- auto_install/install.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 8b97991..f2281f4 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -215,7 +215,7 @@ main(){ # Save installation setting to the final location echo "INSTALLED_PACKAGES=(${INSTALLED_PACKAGES[*]})" >> ${tempsetupVarsFile} echo "::: Setupfiles copied to ${setupConfigDir}/${VPN}/${setupVarsFile}" - $SUDO mkdir "${setupConfigDir}/${VPN}/" + $SUDO mkdir -p "${setupConfigDir}/${VPN}/" $SUDO cp ${tempsetupVarsFile} "${setupConfigDir}/${VPN}/${setupVarsFile}" installScripts @@ -2288,13 +2288,13 @@ installScripts(){ # Unlink the protocol specific pivpn script and symlink the common # script to the location instead $SUDO unlink /usr/local/bin/pivpn - $SUDO ln -s -T "${pivpnFilesDir}/scripts/pivpn" /usr/local/bin/pivpn + $SUDO ln -sf -T "${pivpnFilesDir}/scripts/pivpn" /usr/local/bin/pivpn else # Only one protocol is installed, symlink bash completion, the pivpn script # and the script directory - $SUDO ln -s -T "${pivpnFilesDir}/scripts/${VPN}/bash-completion" /etc/bash_completion.d/pivpn - $SUDO ln -s -T "${pivpnFilesDir}/scripts/${VPN}/pivpn.sh" /usr/local/bin/pivpn - $SUDO ln -s "${pivpnFilesDir}/scripts/" "${pivpnScriptDir}" + $SUDO ln -sf -T "${pivpnFilesDir}/scripts/${VPN}/bash-completion" /etc/bash_completion.d/pivpn + $SUDO ln -sf -T "${pivpnFilesDir}/scripts/${VPN}/pivpn.sh" /usr/local/bin/pivpn + $SUDO ln -sf "${pivpnFilesDir}/scripts/" "${pivpnScriptDir}" # shellcheck disable=SC1091 . /etc/bash_completion.d/pivpn fi From 6009e52e746df74c2474fb42e8d29f8eb1c45ec5 Mon Sep 17 00:00:00 2001 
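Review bot: `$SUDO ln -sf "${pivpnFilesDir}/scripts/" "${pivpnScriptDir}"` is the one link in this hunk without `-T`, and `-f` does not help it: when `${pivpnScriptDir}` already exists as a symlink to a directory (exactly the reconfigure case this commit targets), `ln` dereferences it and creates a new `scripts` link inside the old target instead of replacing the link. `$SUDO ln -sfn "${pivpnFilesDir}/scripts/" "${pivpnScriptDir}"` (or `-sf -T`, matching the two lines above it) replaces the link in place. With `-sf -T` on the common-script line, the preceding `unlink /usr/local/bin/pivpn` in the first branch becomes redundant, though harmless.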
From: Roger Haxby <63857845+shelleycat485@users.noreply.github.com> Date: Tue, 8 Dec 2020 23:44:51 +0000 Subject: [PATCH 107/114] disabled in square brackets --- scripts/wireguard/bash-completion | 4 ++-- scripts/wireguard/disableCONF.sh | 8 ++++---- scripts/wireguard/pivpn.sh | 24 ++++++++++++------------ 3 files changed, 18 insertions(+), 18 deletions(-) diff --git a/scripts/wireguard/bash-completion b/scripts/wireguard/bash-completion index 3af6c28..ae57b41 100644 --- a/scripts/wireguard/bash-completion +++ b/scripts/wireguard/bash-completion @@ -4,8 +4,8 @@ _pivpn() COMPREPLY=() cur="${COMP_WORDS[COMP_CWORD]}" prev="${COMP_WORDS[COMP_CWORD-1]}" - dashopts="-a -c -d -l -qr -r -h -u -up -bk -dis -ena" - opts="add clients debug list qrcode remove help uninstall update backup disable enable" + dashopts="-a -c -d -l -qr -r -h -u -up -bk -off -on" + opts="add clients debug list qrcode remove help uninstall update backup (temp) off (temp) on" if [ "${#COMP_WORDS[@]}" -eq 2 ] then if [[ ${cur} == -* ]] ; then diff --git a/scripts/wireguard/disableCONF.sh b/scripts/wireguard/disableCONF.sh index 16dcfe7..61ea52e 100755 --- a/scripts/wireguard/disableCONF.sh +++ b/scripts/wireguard/disableCONF.sh @@ -46,13 +46,13 @@ done cd /etc/wireguard if [ ! -s configs/clients.txt ]; then - echo "::: There are no clients to remove" + echo "::: There are no clients to change" exit 1 fi if [ "$DISPLAY_DISABLED" ]; then - grep 'disabled### begin' wg0.conf | sed 's/#//g; s/begin//' + grep '\[disabled\] ### begin' wg0.conf | sed 's/#//g; s/begin//' exit 1 fi @@ -86,7 +86,7 @@ for CLIENT_NAME in "${CLIENTS_TO_CHANGE[@]}"; do if ! grep -q "^${CLIENT_NAME} " configs/clients.txt; then echo -e "::: \e[1m${CLIENT_NAME}\e[0m does not exist" - elif grep -q "#disabled### begin ${CLIENT_NAME}" wg0.conf; then + elif grep -q "#\[disabled\] ### begin ${CLIENT_NAME}" wg0.conf; then echo -e "::: \e[1m${CLIENT_NAME}\e[0m is already disabled" else if [ -n "$CONFIRM" ]; then 
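Review bot: `opts="... (temp) off (temp) on"` in bash-completion puts the literal word `(temp)` into the completion list, so tab completion offers `(temp)` as if it were a subcommand. The annotation belongs in the help text, not in the word list; the line should read `opts="add clients debug list qrcode remove help uninstall update backup off on"`.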
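Review bot: The new `grep -q "#\[disabled\] ### begin ${CLIENT_NAME}"` test in disableCONF.sh matches on a name prefix, so checking client `phone` reports it as already disabled when only `phone2` is; the marker written by makeCONF.sh is `### begin ${CLIENT_NAME} ###`, so including the trailing ` ###` in the pattern makes the match exact. The sed range in the following hunk, `/### begin ${CLIENT_NAME}/,/end ${CLIENT_NAME}/`, has the same prefix problem and would comment out the wrong peer's section. `${CLIENT_NAME}` is also interpolated into a regex unescaped; how names are validated before reaching this point is not visible in the hunk.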
@@ -99,7 +99,7 @@ for CLIENT_NAME in "${CLIENTS_TO_CHANGE[@]}"; do # Disable the peer section from the server config echo "${CLIENT_NAME}" - sed -e "/### begin ${CLIENT_NAME}/,/end ${CLIENT_NAME}/ s/^/#disabled/" -i wg0.conf + sed -e "/### begin ${CLIENT_NAME}/,/end ${CLIENT_NAME}/ s/^/#\[disabled\] /" -i wg0.conf echo "::: Updated server config" ((CHANGED_COUNT++)) diff --git a/scripts/wireguard/pivpn.sh b/scripts/wireguard/pivpn.sh index b157431..4679e13 100755 --- a/scripts/wireguard/pivpn.sh +++ b/scripts/wireguard/pivpn.sh @@ -86,18 +86,18 @@ showHelp(){ echo "::: Usage: pivpn [option]" echo ":::" echo "::: Commands:" - echo "::: -a, add Create a client conf profile" - echo "::: -c, clients List any connected clients to the server" - echo "::: -d, debug Start a debugging session if having trouble" - echo "::: -l, list List all clients" - echo "::: -qr, qrcode Show the qrcode of a client for use with the mobile app" - echo "::: -r, remove Remove a client" - echo "::: -off, off Disable a user" - echo "::: -on , on Enable a user" - echo "::: -h, help Show this help dialog" - echo "::: -u, uninstall Uninstall pivpn from your system!" - echo "::: -up, update Updates PiVPN Scripts" - echo "::: -bk, backup Backup VPN configs and user profiles" + echo "::: -a, add Create a client conf profile" + echo "::: -c, clients List any connected clients to the server" + echo "::: -d, debug Start a debugging session if having trouble" + echo "::: -l, list List all clients" + echo "::: -qr, qrcode Show the qrcode of a client for use with the mobile app" + echo "::: -r, remove Remove a client" + echo "::: -off, off Disable a user" + echo "::: -on, on Enable a user" + echo "::: -h, help Show this help dialog" + echo "::: -u, uninstall Uninstall pivpn from your system!" + echo "::: -up, update Updates PiVPN Scripts" + echo "::: -bk, backup Backup VPN configs and user profiles" exit 0 } From ff0ac0304c5af9ecf363c287c21ca2ae27abdfd8 Mon Sep 17 00:00:00 2001 
From: 4s3ti <4s3ti@protonmail.com> Date: Wed, 9 Dec 2020 19:22:29 +0100 Subject: [PATCH 108/114] ProBot Stale Added probot integration to marke topics as inactives and automatically close them. read .github/stale.yml for more details. --- .github/stale.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 .github/stale.yml diff --git a/.github/stale.yml b/.github/stale.yml new file mode 100644 index 0000000..f0df4b7 --- /dev/null +++ b/.github/stale.yml @@ -0,0 +1,17 @@ +daysUntilStale: 15 +daysUntilClose: 7 +exemptLabels: + - On Hold + - Fix in Test Branch + - Broken Dependency + - bug + - Good First Issue + - help wanted + - "status: In Progress" + - Waiting For Merge +staleLabel: Inactive +markComment: > + This issue has been automatically marked as stale because it has not had + recent activity. It will be closed if no further activity occurs. Thank you + for your contributions. +closeComment: true From a3b7af869c7c06083bc875644010ce1e05546630 Mon Sep 17 00:00:00 2001 From: Roger Haxby <63857845+shelleycat485@users.noreply.github.com> Date: Wed, 9 Dec 2020 23:07:28 +0000 Subject: [PATCH 109/114] more disabled in brackets --- auto_install/install.sh | 4 ++-- scripts/wireguard/enableCONF.sh | 4 ++-- scripts/wireguard/listCONF.sh | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 421daeb..2691d48 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -12,8 +12,8 @@ ######## VARIABLES ######### -pivpnGitUrl="https://github.com/pivpn/pivpn.git" -#pivpnGitUrl="/home/pi/repos/pivpn" +#pivpnGitUrl="https://github.com/pivpn/pivpn.git" +pivpnGitUrl="/home/pi/repos/pivpn" setupVarsFile="setupVars.conf" setupConfigDir="/etc/pivpn" tempsetupVarsFile="/tmp/setupVars.conf" diff --git a/scripts/wireguard/enableCONF.sh b/scripts/wireguard/enableCONF.sh index dad65b6..b45395f 100755 --- a/scripts/wireguard/enableCONF.sh +++ b/scripts/wireguard/enableCONF.sh 
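Review bot: The install.sh hunk flips the live `pivpnGitUrl` to the previously commented-out local path `/home/pi/repos/pivpn`, which looks like a developer-machine setting committed by accident rather than part of the "disabled in brackets" change; anyone running this revision of the installer would try to clone from a path that does not exist on their system. The two lines should be reverted so that `pivpnGitUrl="https://github.com/pivpn/pivpn.git"` stays active. Keeping the local override outside the tracked file, e.g. `pivpnGitUrl="${PIVPN_GIT_URL:-https://github.com/pivpn/pivpn.git}"`, would avoid this class of slip.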
@@ -51,7 +51,7 @@ if [ ! -s configs/clients.txt ]; then fi if [ "$DISPLAY_DISABLED" ]; then - grep 'disabled### begin' wg0.conf | sed 's/#//g; s/begin//' + grep '\[disabled\] ### begin' wg0.conf | sed 's/#//g; s/begin//' exit 1 fi @@ -95,7 +95,7 @@ for CLIENT_NAME in "${CLIENTS_TO_CHANGE[@]}"; do # Enable the peer section from the server config echo "${CLIENT_NAME}" - sed -e "/begin ${CLIENT_NAME}/,/end ${CLIENT_NAME}/ s/#disabled//" -i wg0.conf + sed -e "/begin ${CLIENT_NAME}/,/end ${CLIENT_NAME}/ s/#\[disabled\] //" -i wg0.conf echo "::: Updated server config" ((CHANGED_COUNT++)) diff --git a/scripts/wireguard/listCONF.sh b/scripts/wireguard/listCONF.sh index a8f5e57..150eb5a 100755 --- a/scripts/wireguard/listCONF.sh +++ b/scripts/wireguard/listCONF.sh @@ -30,4 +30,4 @@ done < clients.txt cd /etc/wireguard || return echo "::: Disabled clients :::" -grep 'disabled### begin' wg0.conf | sed 's/#//g; s/begin//' +grep '\[disabled\] ### begin' wg0.conf | sed 's/#//g; s/begin//' From 8bff0b6cb669c3c510e5b98ad5eead05a47d5d0a Mon Sep 17 00:00:00 2001 From: Roger Haxby <63857845+shelleycat485@users.noreply.github.com> Date: Thu, 10 Dec 2020 12:34:49 +0000 Subject: [PATCH 110/114] clientSTAT shows disabled clients at end --- scripts/wireguard/clientSTAT.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/scripts/wireguard/clientSTAT.sh b/scripts/wireguard/clientSTAT.sh index 166085f..ae07a72 100755 --- a/scripts/wireguard/clientSTAT.sh +++ b/scripts/wireguard/clientSTAT.sh @@ -2,6 +2,7 @@ # PiVPN: client status script CLIENTS_FILE="/etc/wireguard/configs/clients.txt" +CONF_FILE="/etc/wireguard/wg0.conf" if [ ! -s "$CLIENTS_FILE" ]; then echo "::: There are no clients to list" 
@@ -44,7 +45,6 @@ listClients(){ BYTES_SENT="$(awk '{ print $7 }' <<< "$LINE")" LAST_SEEN="$(awk '{ print $5 }' <<< "$LINE")" CLIENT_NAME="$(grep "$PUBLIC_KEY" "$CLIENTS_FILE" | awk '{ print $1 }')" - if [ "$HR" = 1 ]; then if [ "$LAST_SEEN" -ne 0 ]; then printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "$(date -d @"$LAST_SEEN" '+%b %d %Y - %T')" @@ -63,6 +63,11 @@ listClients(){ printf "\n" } | column -t -s $'\t' + + cd /etc/wireguard || return + echo "::: Disabled clients :::" + grep '\[disabled\] ### begin' wg0.conf | sed 's/#//g; s/begin//' + } if [[ $# -eq 0 ]]; then From 86de3eaa8ce16f1171117cab5b82dfa1d755f637 Mon Sep 17 00:00:00 2001 From: Roger Haxby <63857845+shelleycat485@users.noreply.github.com> Date: Thu, 10 Dec 2020 23:59:54 +0000 Subject: [PATCH 111/114] corect help on disable and enable --- auto_install/install.sh | 4 ++-- scripts/wireguard/disableCONF.sh | 2 +- scripts/wireguard/enableCONF.sh | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 2691d48..421daeb 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -12,8 +12,8 @@ ######## VARIABLES ######### -#pivpnGitUrl="https://github.com/pivpn/pivpn.git" -pivpnGitUrl="/home/pi/repos/pivpn" +pivpnGitUrl="https://github.com/pivpn/pivpn.git" +#pivpnGitUrl="/home/pi/repos/pivpn" setupVarsFile="setupVars.conf" setupConfigDir="/etc/pivpn" tempsetupVarsFile="/tmp/setupVars.conf" diff --git a/scripts/wireguard/disableCONF.sh b/scripts/wireguard/disableCONF.sh index 61ea52e..7d3d682 100755 --- a/scripts/wireguard/disableCONF.sh +++ b/scripts/wireguard/disableCONF.sh 
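Review bot: The first hunk introduces `CONF_FILE="/etc/wireguard/wg0.conf"` but the new block at the end of listClients never uses it, doing `cd /etc/wireguard || return` and reading a bare `wg0.conf` instead. Using the variable, `grep '\[disabled\] ### begin' "$CONF_FILE" | sed 's/#//g; s/begin//'`, removes both the `cd`, which changes the working directory of whatever calls listClients, and the silent `return` that skips the listing without any message if the directory is missing.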
@@ -12,7 +12,7 @@ source "${setupVars}" helpFunc(){ echo "::: Disable client conf profiles" echo ":::" - echo "::: Usage: pivpn <-dis|disable> [-h|--help] [-v] [ ... [] ...] " + echo "::: Usage: pivpn <-off|off> [-h|--help] [-v] [ ... [] ...] " echo ":::" echo "::: Commands:" echo "::: [none] Interactive mode" diff --git a/scripts/wireguard/enableCONF.sh b/scripts/wireguard/enableCONF.sh index b45395f..4ce0cf7 100755 --- a/scripts/wireguard/enableCONF.sh +++ b/scripts/wireguard/enableCONF.sh @@ -12,7 +12,7 @@ source "${setupVars}" helpFunc(){ echo "::: Enables client conf profiles" echo ":::" - echo "::: Usage: pivpn <-ena|enable> [-h|--help] [-v] [ ... [] ...] " + echo "::: Usage: pivpn <-on|on> [-h|--help] [-v] [ ... [] ...] " echo ":::" echo "::: Commands:" echo "::: [none] Interactive mode" From 5077d70a2ffb91a494c531b71a3b5cad7446fb39 Mon Sep 17 00:00:00 2001 From: MichaIng Date: Sat, 12 Dec 2020 00:35:49 +0100 Subject: [PATCH 112/114] Fix WireGuard support detection Support was enabled automatically if a WireGuard package was found or could have been made available. But if the WireGuard kernel module is not available, it needs to be compiled. The required kernel headers are only reliably known for Raspberry Pi (Raspbian) and for amd64. This commit resolves the related issue where linux-image-amd64 was attempted to be installed on non-amd64 systems: https://github.com/pivpn/pivpn/issues/1180 Additionally this commit resolves the issue that kernel headers were required and a DKMS build done, even if the module was builtin, when no WireGuard package was found. The $NEED_WIREGUARD_REPO variable has been replaced with $AVAILABLE_WIREGUARD, which practically serves the same information and allows a simpler support check. Signed-off-by: MichaIng --- auto_install/install.sh | 52 +++++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 25 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index f2281f4..b1f493a 100755 
--- a/auto_install/install.sh +++ b/auto_install/install.sh 
@@ -475,31 +475,33 @@ preconfigurePackages(){ fi AVAILABLE_WIREGUARD="$(apt-cache policy wireguard | grep -m1 'Candidate: ' | grep -v '(none)' | awk '{print $2}')" - WIREGUARD_BUILTIN=0 - NEED_WIREGUARD_REPO=0 - if [ -n "$AVAILABLE_WIREGUARD" ]; then - if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then - # If a wireguard kernel object is found and is part of any installed package, then - # it has not been build via DKMS or manually (installing via wireguard-dkms does not - # make the module part of the package since the module itself is built at install time - # and not part of the .deb). - # Source: https://github.com/MichaIng/DietPi/blob/7bf5e1041f3b2972d7827c48215069d1c90eee07/dietpi/dietpi-software#L1807-L1815 - for i in /lib/modules/**/wireguard.ko; do - [[ -f $i ]] || continue - dpkg-query -S "$i" &> /dev/null || continue - WIREGUARD_BUILTIN=1 - break - done - fi + # If a wireguard kernel object is found and is part of any installed package, then + # it has not been build via DKMS or manually (installing via wireguard-dkms does not + # make the module part of the package since the module itself is built at install time + # and not part of the .deb). + # Source: https://github.com/MichaIng/DietPi/blob/7bf5e1041f3b2972d7827c48215069d1c90eee07/dietpi/dietpi-software#L1807-L1815 + WIREGUARD_BUILTIN=0 + for i in /lib/modules/**/wireguard.ko; do + [[ -f $i ]] || continue + dpkg-query -S "$i" &> /dev/null || continue + WIREGUARD_BUILTIN=1 + break + done + + if + # If the module is builtin and the package available, we only need to install wireguard-tools. + [[ $WIREGUARD_BUILTIN == 1 && -n $AVAILABLE_WIREGUARD ]] || + # If the package is not available, on Debian and Raspbian we can add it via Bullseye repository. 
+ [[ $WIREGUARD_BUILTIN == 1 && ( $PLAT == 'Debian' || $PLAT == 'Raspbian' ) ]] || + # If the module is not builtin, on Raspbian we know the headers package: raspberrypi-kernel-headers + [[ $PLAT == 'Raspbian' ]] || + # On Debian (and Ubuntu), we can only reliably assume the headers package for amd64: linux-image-amd64 + [[ $PLAT == 'Debian' && $DPKG_ARCH == 'amd64' ]] || + # On Ubuntu, additionally the WireGuard package needs to be available, since we didn't test mixing Ubuntu repositories. + [[ $PLAT == 'Ubuntu' && $DPKG_ARCH == 'amd64' && -n $AVAILABLE_WIREGUARD ]] + then WIREGUARD_SUPPORT=1 - else - if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Raspbian" ]; then - NEED_WIREGUARD_REPO=1 - WIREGUARD_SUPPORT=1 - else - WIREGUARD_SUPPORT=0 - fi fi if [ "$OPENVPN_SUPPORT" -eq 0 ] && [ "$WIREGUARD_SUPPORT" -eq 0 ]; then @@ -1264,7 +1266,7 @@ installWireGuard(){ echo "::: Installing WireGuard from Debian package... " - if [ "$NEED_WIREGUARD_REPO" -eq 1 ]; then + if [ -z "$AVAILABLE_WIREGUARD" ]; then echo "::: Adding Raspbian repository... " echo "deb http://raspbian.raspberrypi.org/raspbian/ bullseye main" | $SUDO tee /etc/apt/sources.list.d/pivpn-bullseye-repo.list > /dev/null @@ -1284,7 +1286,7 @@ installWireGuard(){ echo "::: Installing WireGuard from Debian package... " - if [ "$NEED_WIREGUARD_REPO" -eq 1 ]; then + if [ -z "$AVAILABLE_WIREGUARD" ]; then echo "::: Adding Debian repository... " echo "deb https://deb.debian.org/debian/ bullseye main" | $SUDO tee /etc/apt/sources.list.d/pivpn-bullseye-repo.list > /dev/null From a52e53d123769497ab00ffae165eba5fdf4c0344 Mon Sep 17 00:00:00 2001 From: Orazio Date: Mon, 14 Dec 2020 15:15:29 +0100 Subject: [PATCH 113/114] 'sudo mktemp' creates file with 0600 mode, which means we need root to read it. --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index f2281f4..cf5e4f2 100755 --- a/auto_install/install.sh 
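Review bot: The rewritten support check sets `WIREGUARD_SUPPORT=1` when the condition holds but no longer has the `else` that set it to 0, so unless the variable is initialised earlier in preconfigurePackages the following `[ "$WIREGUARD_SUPPORT" -eq 0 ]` runs against an empty string and fails with a unary-operator error instead of reporting no support; `WIREGUARD_SUPPORT=0` before the `if` (or an `else WIREGUARD_SUPPORT=0` arm) keeps it always defined. The `for i in /lib/modules/**/wireguard.ko` loop also descends only one directory level unless `globstar` is enabled earlier in the script, which is not visible here, while a packaged module typically sits several levels deeper. The enclosing function starts outside the hunk.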
+++ b/auto_install/install.sh @@ -570,7 +570,7 @@ installDependentPackages(){ done if [ "$FAILED" -gt 0 ]; then - cat "${APTLOGFILE}" + $SUDO cat "${APTLOGFILE}" exit 1 fi } From ec32851e0c7682bbcd6f5e78710e53f119db0958 Mon Sep 17 00:00:00 2001 From: Roger Haxby <63857845+shelleycat485@users.noreply.github.com> Date: Tue, 15 Dec 2020 14:17:05 +0000 Subject: [PATCH 114/114] fix clientSTAT.sh error if all clients are disabled --- scripts/wireguard/clientSTAT.sh | 38 ++++++++++++++++----------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/scripts/wireguard/clientSTAT.sh b/scripts/wireguard/clientSTAT.sh index ae07a72..0df3664 100755 --- a/scripts/wireguard/clientSTAT.sh +++ b/scripts/wireguard/clientSTAT.sh 
@@ -37,28 +37,28 @@ listClients(){ printf "\e[4mName\e[0m \t \e[4mRemote IP\e[0m \t \e[4mVirtual IP\e[0m \t \e[4mBytes Received\e[0m \t \e[4mBytes Sent\e[0m \t \e[4mLast Seen\e[0m\n" while IFS= read -r LINE; do - - PUBLIC_KEY="$(awk '{ print $1 }' <<< "$LINE")" - REMOTE_IP="$(awk '{ print $3 }' <<< "$LINE")" - VIRTUAL_IP="$(awk '{ print $4 }' <<< "$LINE")" - BYTES_RECEIVED="$(awk '{ print $6 }' <<< "$LINE")" - BYTES_SENT="$(awk '{ print $7 }' <<< "$LINE")" - LAST_SEEN="$(awk '{ print $5 }' <<< "$LINE")" - CLIENT_NAME="$(grep "$PUBLIC_KEY" "$CLIENTS_FILE" | awk '{ print $1 }')" - if [ "$HR" = 1 ]; then - if [ "$LAST_SEEN" -ne 0 ]; then - printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "$(date -d @"$LAST_SEEN" '+%b %d %Y - %T')" + if [ -n "${LINE}" ]; then + PUBLIC_KEY="$(awk '{ print $1 }' <<< "$LINE")" + REMOTE_IP="$(awk '{ print $3 }' <<< "$LINE")" + VIRTUAL_IP="$(awk '{ print $4 }' <<< "$LINE")" + BYTES_RECEIVED="$(awk '{ print $6 }' <<< "$LINE")" + BYTES_SENT="$(awk '{ print $7 }' <<< "$LINE")" + LAST_SEEN="$(awk '{ print $5 }' <<< "$LINE")" + CLIENT_NAME="$(grep "$PUBLIC_KEY" "$CLIENTS_FILE" | awk '{ print $1 }')" + if [ "$HR" = 1 ]; then + if [ "$LAST_SEEN" -ne 0 ]; then + printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "$(date -d @"$LAST_SEEN" '+%b %d %Y - %T')" + else + printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "(not yet)" + fi else - printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "(not yet)" - fi - else - if [ "$LAST_SEEN" -ne 0 ]; then - printf "%s \t %s \t %s \t %'d \t %'d \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$BYTES_RECEIVED" "$BYTES_SENT" "$(date -d 
@"$LAST_SEEN" '+%b %d %Y - %T')" - else - printf "%s \t %s \t %s \t %'d \t %'d \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$BYTES_RECEIVED" "$BYTES_SENT" "(not yet)" + if [ "$LAST_SEEN" -ne 0 ]; then + printf "%s \t %s \t %s \t %'d \t %'d \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$BYTES_RECEIVED" "$BYTES_SENT" "$(date -d @"$LAST_SEEN" '+%b %d %Y - %T')" + else + printf "%s \t %s \t %s \t %'d \t %'d \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$BYTES_RECEIVED" "$BYTES_SENT" "(not yet)" + fi fi fi - done <<< "$DUMP" printf "\n"