Merge branch 'test' into test

This commit is contained in:
mquirin 2020-12-26 23:39:48 +00:00 committed by GitHub
commit 6448cc268a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
28 changed files with 1520 additions and 699 deletions


@ -1,12 +1,57 @@
#!/bin/bash
# PiVPN: Backup Script
# Find the rows and columns. Will default to 80x24 if it can not be detected.
screen_size=$(stty size 2>/dev/null || echo 24 80)
rows=$(echo "$screen_size" | awk '{print $1}')
columns=$(echo "$screen_size" | awk '{print $2}')
# Divide by two so the dialogs take up half of the screen, which looks nice.
r=$(( rows / 2 ))
c=$(( columns / 2 ))
# Unless the screen is tiny
r=$(( r < 20 ? 20 : r ))
c=$(( c < 70 ? 70 : c ))
backupdir=pivpnbackup
date=$(date +%Y%m%d-%H%M%S)
setupVars="/etc/pivpn/setupVars.conf"
setupVarsFile="setupVars.conf"
setupConfigDir="/etc/pivpn"
if [ -r "${setupConfigDir}/wireguard/${setupVarsFile}" ] && [ -r "${setupConfigDir}/openvpn/${setupVarsFile}" ]; then
# Two protocols have been installed, check if the script has passed
# an argument, otherwise ask the user which one he wants to remove
if [ $# -ge 1 ]; then
VPN="$1"
echo "::: Backing up VPN: $VPN"
else
chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Backup" --separate-output --radiolist "Both OpenVPN and WireGuard are installed, choose a VPN to backup (press space to select):" "${r}" "${c}" 2)
VPNChooseOptions=(WireGuard "" on
OpenVPN "" off)
if VPN=$("${chooseVPNCmd[@]}" "${VPNChooseOptions[@]}" 2>&1 >/dev/tty) ; then
echo "::: Backing up VPN: $VPN"
VPN="${VPN,,}"
else
echo "::: Cancel selected, exiting...."
exit 1
fi
fi
setupVars="${setupConfigDir}/${VPN}/${setupVarsFile}"
else
if [ -r "${setupConfigDir}/wireguard/${setupVarsFile}" ]; then
setupVars="${setupConfigDir}/wireguard/${setupVarsFile}"
elif [ -r "${setupConfigDir}/openvpn/${setupVarsFile}" ]; then
setupVars="${setupConfigDir}/openvpn/${setupVarsFile}"
fi
fi
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
echo "::: Missing setup vars file!"
exit 1
fi
# shellcheck disable=SC1090
@ -28,7 +73,7 @@ backup_openvpn(){
backupzip=$date-pivpnovpnbackup.tgz
# shellcheck disable=SC2210
tar czpf "$install_home"/"$backupdir"/"$backupzip" "$openvpndir" "$ovpnsdir" > /dev/null 2>&1
echo -e "Backup crated to $install_home/$backupdir/$backupzip \nTo restore the backup, follow instructions at:\nhttps://github.com/pivpn/pivpn/wiki/FAQ#how-can-i-migrate-my-configs-to-another-pivpn-instance"
echo -e "Backup created in $install_home/$backupdir/$backupzip \nTo restore the backup, follow instructions at:\nhttps://github.com/pivpn/pivpn/wiki/OpenVPN#how-can-i-migrate-my-configs-to-another-pivpn-instance"
}
@ -39,7 +84,7 @@ backup_wireguard(){
checkbackupdir
backupzip=$date-pivpnwgbackup.tgz
tar czpf "$install_home"/"$backupdir"/"$backupzip" "$wireguarddir" "$configsdir" > /dev/null 2>&1
echo -e "Backup crated to $install_home/$backupdir/$backupzip \nTo restore the backup, follow instructions at:\nhttps://github.com/pivpn/pivpn/wiki/FAQ#how-can-i-migrate-my-configs-to-another-pivpn-instance"
echo -e "Backup created in $install_home/$backupdir/$backupzip \nTo restore the backup, follow instructions at:\nhttps://github.com/pivpn/pivpn/wiki/WireGuard#how-can-i-migrate-my-configs-to-another-pivpn-instance"
}
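Review bot: The VPN name taken from `$1` at the top of the first hunk is used unvalidated to build `setupVars="${setupConfigDir}/${VPN}/${setupVarsFile}"`, the file that is then existence-checked and (judging by the SC1090 disable that follows) sourced as root, and unlike the whiptail branch it is never lowercased, so `pivpn backup OpenVPN` falls through to the "Missing setup vars file" exit while a `../x`-shaped value resolves outside `/etc/pivpn`. Replace the bare assignment with an allow-list: `case "${1,,}" in wireguard|openvpn) VPN="${1,,}";; *) echo "::: Unknown VPN '$1'" >&2; exit 1;; esac`. Separately, both `tar czpf … > /dev/null 2>&1` lines discard tar's exit status and the following echo unconditionally reports "Backup created", so a failed archive of the private keys goes unnoticed; guard them with `if ! tar czpf … ; then echo "::: Backup failed" >&2; exit 1; fi`. The backup functions start before their hunks.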


@ -8,7 +8,15 @@ if [ ! -f "${INDEX}" ]; then
exit 1
fi
printf ": NOTE : The first entry should always be your valid server!\n"
EASYRSA="/etc/openvpn/easy-rsa/easyrsa"
if [ ! -f "${EASYRSA}" ]; then
echo "The file: $EASYRSA was not found!"
exit 1
fi
$EASYRSA update-db >> /dev/null 2>&1
printf ": NOTE : The first entry is your server, which should always be valid!\n"
printf "\\n"
printf "\\e[1m::: Certificate Status List :::\\e[0m\\n"
{
@ -16,15 +24,17 @@ printf "\\e[4mStatus\\e[0m \t \\e[4mName\\e[0m\\e[0m \t \\e[4mExpiration\\e[
while read -r line || [ -n "$line" ]; do
STATUS=$(echo "$line" | awk '{print $1}')
NAME=$(echo "$line" | awk '{print $5}' | awk -FCN= '{print $2}')
NAME=$(echo "$line" | awk -FCN= '{print $2}')
EXPD=$(echo "$line" | awk '{if (length($2) == 15) print $2; else print "20"$2}' | cut -b 1-8 | date +"%b %d %Y" -f -)
if [ "${STATUS}" == "V" ]; then
printf "Valid \t %s \t %s\\n" "$NAME" "$EXPD"
printf "Valid \t %s \t %s\\n" "$(echo -e "$NAME")" "$EXPD"
elif [ "${STATUS}" == "R" ]; then
printf "Revoked \t %s \t %s\\n" "$NAME" "$EXPD"
printf "Revoked \t %s \t %s\\n" "$(echo -e "$NAME")" "$EXPD"
elif [ "${STATUS}" == "E" ]; then
printf "Expired \t %s \t %s\\n" "$(echo -e "$NAME")" "$EXPD"
else
printf "Unknown \t %s \t %s\\n" "$NAME" "$EXPD"
printf "Unknown \t %s \t %s\\n" "$(echo -e "$NAME")" "$EXPD"
fi
done <${INDEX}
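Review bot: The new `$EASYRSA update-db >> /dev/null 2>&1` line silently mutates the CA's `index.txt` from what is otherwise a read-only listing, and a failure (permissions, missing vars) is discarded, so the status column may be stale without any indication. Check it: `if ! "$EASYRSA" update-db >/dev/null 2>&1; then echo "::: Warning: easyrsa update-db failed, expiry status may be out of date" >&2; fi`, and test the path with `-x` rather than `-f` since it is executed. The switch to `$(echo -e "$NAME")` interprets backslash escapes in CNs read from `index.txt`; that is presumably meant to decode OpenSSL's `\xHH` escaping of non-ASCII bytes, and a comment saying so would help, e.g. `# index.txt backslash-escapes non-ASCII CN bytes; echo -e decodes them for display`. The loop's enclosing block starts before the hunk.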


@ -1,7 +1,7 @@
#!/bin/bash
# Create OVPN Client
# Default Variable Declarations
setupVars="/etc/pivpn/setupVars.conf"
setupVars="/etc/pivpn/openvpn/setupVars.conf"
DEFAULT="Default.txt"
FILEEXT=".ovpn"
CRT=".crt"
@ -20,7 +20,7 @@ source "${setupVars}"
helpFunc() {
echo "::: Create a client ovpn profile, optional nopass"
echo ":::"
echo "::: Usage: pivpn <-a|add> [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-d|--days <number>] [-b|--bitwarden] [-i|--iOS] [-h|--help]"
echo "::: Usage: pivpn <-a|add> [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-d|--days <number>] [-b|--bitwarden] [-i|--iOS] [-o|--ovpn] [-h|--help]"
echo ":::"
echo "::: Commands:"
echo "::: [none] Interactive mode"
@ -30,6 +30,7 @@ helpFunc() {
echo "::: -d,--days Expire the certificate after specified number of days (default: 1080)"
echo "::: -b,--bitwarden Create and save a client through Bitwarden"
echo "::: -i,--iOS Generate a certificate that leverages iOS keychain"
echo "::: -o,--ovpn Regenerate a .ovpn config file for an existing client"
echo "::: -h,--help Show this help dialog"
}
@ -97,6 +98,10 @@ do
echo "Bitwarden not found, please install bitwarden"
exit 1
fi
;;
-o|--ovpn)
GENOVPNONLY=1
;;
*)
echo "Error: Got an unexpected argument '$1'"
@ -208,8 +213,8 @@ function keyPASS() {
set timeout -1
set env(EASYRSA_CERT_EXPIRE) "${DAYS}"
spawn ./easyrsa build-client-full "${NAME}"
expect "Enter PEM pass phrase" { send -- "${PASSWD}\r" }
expect "Verifying - Enter PEM pass phrase" { send -- "${PASSWD}\r" }
expect "Enter PEM pass phrase" { sleep 0.1; send -- "${PASSWD}\r" }
expect "Verifying - Enter PEM pass phrase" { sleep 0.1; send -- "${PASSWD}\r" }
expect eof
EOF
cd pki || exit
@ -243,59 +248,68 @@ if [[ "${NAME}" =~ [^a-zA-Z0-9.@_-] ]]; then
exit 1
fi
if [[ "${NAME}" =~ ^[0-9]+$ ]]; then
echo "Names cannot be integers."
exit 1
fi
if [[ -z "${NAME}" ]]; then
echo "You cannot leave the name blank."
exit 1
fi
# Check if name is already in use
while read -r line || [ -n "${line}" ]; do
STATUS=$(echo "$line" | awk '{print $1}')
if [ "${STATUS}" == "V" ]; then
CERT=$(echo "$line" | sed -e 's:.*/CN=::')
if [ "${CERT}" == "${NAME}" ]; then
INUSE="1"
break
fi
fi
done <${INDEX}
if [ "${INUSE}" == "1" ]; then
printf "\n!! This name is already in use by a Valid Certificate."
printf "\nPlease choose another name or revoke this certificate first.\n"
exit 1
fi
# Check if name is reserved
if [ "${NAME}" == "ta" ] || [ "${NAME}" == "server" ] || [ "${NAME}" == "ca" ]; then
echo "Sorry, this is in use by the server and cannot be used by clients."
exit 1
fi
#As of EasyRSA 3.0.6, by default certificates last 1080 days, see https://github.com/OpenVPN/easy-rsa/blob/6b7b6bf1f0d3c9362b5618ad18c66677351cacd1/easyrsa3/vars.example
if [ -z "${DAYS}" ]; then
read -r -e -p "How many days should the certificate last? " -i 1080 DAYS
fi
if [[ ! "$DAYS" =~ ^[0-9]+$ ]] || [ "$DAYS" -lt 1 ] || [ "$DAYS" -gt 3650 ]; then
#The CRL lasts 3650 days so it doesn't make much sense that certificates would last longer
echo "Please input a valid number of days, between 1 and 3650 inclusive."
exit 1
fi
cd /etc/openvpn/easy-rsa || exit
if [[ "${NO_PASS}" =~ "1" ]]; then
if [[ -n "${PASSWD}" ]]; then
echo "Both nopass and password arguments passed to the script. Please use either one."
exit 1
else
keynoPASS
fi
if [ "${GENOVPNONLY}" == "1" ]; then
# Generate .ovpn configuration file
cd /etc/openvpn/easy-rsa/pki || exit
else
keyPASS
# Check if name is already in use
while read -r line || [ -n "${line}" ]; do
STATUS=$(echo "$line" | awk '{print $1}')
if [ "${STATUS}" == "V" ]; then
CERT=$(echo "$line" | sed -e 's:.*/CN=::')
if [ "${CERT}" == "${NAME}" ]; then
INUSE="1"
break
fi
fi
done <${INDEX}
if [ "${INUSE}" == "1" ]; then
printf "\n!! This name is already in use by a Valid Certificate."
printf "\nPlease choose another name or revoke this certificate first.\n"
exit 1
fi
# Check if name is reserved
if [ "${NAME}" == "ta" ] || [ "${NAME}" == "server" ] || [ "${NAME}" == "ca" ]; then
echo "Sorry, this is in use by the server and cannot be used by clients."
exit 1
fi
#As of EasyRSA 3.0.6, by default certificates last 1080 days, see https://github.com/OpenVPN/easy-rsa/blob/6b7b6bf1f0d3c9362b5618ad18c66677351cacd1/easyrsa3/vars.example
if [ -z "${DAYS}" ]; then
read -r -e -p "How many days should the certificate last? " -i 1080 DAYS
fi
if [[ ! "$DAYS" =~ ^[0-9]+$ ]] || [ "$DAYS" -lt 1 ] || [ "$DAYS" -gt 3650 ]; then
#The CRL lasts 3650 days so it doesn't make much sense that certificates would last longer
echo "Please input a valid number of days, between 1 and 3650 inclusive."
exit 1
fi
cd /etc/openvpn/easy-rsa || exit
if [[ "${NO_PASS}" =~ "1" ]]; then
if [[ -n "${PASSWD}" ]]; then
echo "Both nopass and password arguments passed to the script. Please use either one."
exit 1
else
keynoPASS
fi
else
keyPASS
fi
fi
#1st Verify that clients Public Key Exists
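Review bot: The new `GENOVPNONLY` branch skips the reserved-name guard, so `pivpn add -o -n server` (or `ca`) reaches the later profile generation with a name whose key pair exists in `pki/` as the server's own; whether that bundles the server private key into a client `.ovpn` depends on code after the hunk, but the check is cheap and should sit before the branch. Move the three lines `if [ "${NAME}" == "ta" ] || [ "${NAME}" == "server" ] || [ "${NAME}" == "ca" ]; then echo "Sorry, this is in use by the server and cannot be used by clients."; exit 1; fi` up to just after the blank-name check, ahead of `if [ "${GENOVPNONLY}" == "1" ]`. The `sleep 0.1` added to the expect script is a timing workaround for the PEM passphrase prompt and deserves a comment on why it is needed, e.g. `# short pause so openssl has switched the tty to no-echo before the passphrase is sent` — hedged, since the trigger is not visible here. `keyPASS` starts before its hunk.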


@ -10,62 +10,56 @@ if [[ ! $EUID -eq 0 ]];then
fi
fi
scriptDir="/opt/pivpn"
vpn="openvpn"
function makeOVPNFunc {
shift
$SUDO /opt/pivpn/makeOVPN.sh "$@"
$SUDO ${scriptDir}/${vpn}/makeOVPN.sh "$@"
exit 0
}
function listClientsFunc {
shift
$SUDO /opt/pivpn/clientStat.sh "$@"
$SUDO ${scriptDir}/${vpn}/clientStat.sh "$@"
exit 0
}
function listOVPNFunc {
$SUDO /opt/pivpn/listOVPN.sh
$SUDO ${scriptDir}/${vpn}/listOVPN.sh
exit 0
}
function debugFunc {
echo "::: Generating Debug Output"
$SUDO /opt/pivpn/pivpnDebug.sh | tee /tmp/debug.txt
$SUDO ${scriptDir}/${vpn}/pivpnDebug.sh | tee /tmp/debug.log
echo "::: "
echo "::: Debug output completed above."
echo "::: Copy saved to /tmp/debug.txt"
echo "::: Copy saved to /tmp/debug.log"
echo "::: "
exit 0
}
function removeOVPNFunc {
shift
$SUDO /opt/pivpn/removeOVPN.sh "$@"
$SUDO ${scriptDir}/${vpn}/removeOVPN.sh "$@"
exit 0
}
function uninstallFunc {
$SUDO /opt/pivpn/uninstall.sh
$SUDO ${scriptDir}/uninstall.sh "${vpn}"
exit 0
}
function versionFunc {
printf "\e[1mVersion 1.9\e[0m\n"
}
function update {
shift
$SUDO /opt/pivpn/update.sh "$@"
$SUDO ${scriptDir}/update.sh "$@"
exit 0
}
function backup {
$SUDO /opt/pivpn/backup.sh
$SUDO ${scriptDir}/backup.sh "${vpn}"
exit 0
}
@ -100,7 +94,6 @@ case "$1" in
"-r" | "revoke" ) removeOVPNFunc "$@";;
"-h" | "help" ) helpFunc;;
"-u" | "uninstall" ) uninstallFunc;;
"-v" ) versionFunc;;
"-up"| "update" ) update "$@" ;;
"-bk"| "backup" ) backup;;
* ) helpFunc;;
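Review bot: `debugFunc` still writes the debug dump to a fixed, predictable path (`tee /tmp/debug.log`) as the invoking user with the default umask, so the server configuration and PKI listing it contains land world-readable in a shared directory and the name is open to pre-creation/symlink games by another local user. Use a private temp file: `debugfile=$(mktemp /tmp/pivpn-debug.XXXXXX) || exit 1`, `$SUDO "${scriptDir}/${vpn}/pivpnDebug.sh" | tee "$debugfile"`, and report `"::: Copy saved to $debugfile"`. The `-v` case arm is removed but `versionFunc` is left defined, so it is now dead code; either drop the function or keep the arm. The `$SUDO ${scriptDir}/${vpn}/…` invocations expand unquoted paths; they are constants today, but `"${scriptDir}/${vpn}/makeOVPN.sh"` is the safer habit.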


@ -1,7 +1,7 @@
#!/usr/bin/env bash
# This scripts runs as root
setupVars="/etc/pivpn/setupVars.conf"
setupVars="/etc/pivpn/openvpn/setupVars.conf"
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
@ -13,10 +13,10 @@ source "${setupVars}"
echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::"
printf "=============================================\n"
echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::"
git --git-dir /etc/.pivpn/.git log -n 1
git --git-dir /usr/local/src/pivpn/.git log -n 1
printf "=============================================\n"
echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::"
sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf
sed "s/$pivpnHOST/REDACTED/" < ${setupVars}
printf "=============================================\n"
echo -e ":::: \e[4mServer configuration shown below\e[0m ::::"
cat /etc/openvpn/server.conf
@ -28,35 +28,21 @@ echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::: \e[4m/etc/openv
ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial
printf "=============================================\n"
echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::"
/opt/pivpn/self_check.sh
/opt/pivpn/self_check.sh ${VPN}
printf "=============================================\n"
echo -e ":::: Having trouble connecting? Take a look at the FAQ:"
echo -e ":::: \e[1mhttps://github.com/pivpn/pivpn/wiki/FAQ\e[0m"
printf "=============================================\n"
echo -e ":::: \e[4mSnippet of the server log\e[0m ::::"
tail -20 /var/log/openvpn.log > /tmp/snippet
OVPNLOG="$(tail -n 20 /var/log/openvpn.log)"
# Regular expession taken from https://superuser.com/a/202835, it will match invalid IPs
# like 123.456.789.012 but it's fine since the log only contains valid ones.
declare -a IPS_TO_HIDE=($(grepcidr -v 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 /tmp/snippet | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | uniq))
declare -a IPS_TO_HIDE=($(grepcidr -v 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 <<< "$OVPNLOG" | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | uniq))
for IP in "${IPS_TO_HIDE[@]}"; do
sed -i "s/$IP/REDACTED/g" /tmp/snippet
OVPNLOG="${OVPNLOG//"$IP"/REDACTED}"
done
cat /tmp/snippet
rm /tmp/snippet
echo "$OVPNLOG"
printf "=============================================\n"
echo -e "::::\t\t\e[4mDebug complete\e[0m\t\t ::::"
# Telekom Hybrid Check
wget -O /tmp/hybcheck http://speedport.ip &>/dev/null
if grep -Fq "Speedport Pro" /tmp/hybcheck || grep -Fq "Speedport Hybrid" /tmp/hybcheck
then
printf ":::\t\t\t\t\t:::\n::\tTelekom Hybrid Check\t\t ::\n:::\t\t\t\t\t:::\n"
echo "Are you using Telekom Hybrid (found a hybrid compatible router)?"
echo "If yes and you have problems with the connections you can test the following:"
echo "Add 'tun-mtu 1316' in /etc/openvpn/easy-rsa/pki/Default.txt to set a hybrid compatible MTU size (new .ovpn files)."
echo "For already existing .ovpn files 'tun-mtu 1316' can also be inserted there manually."
echo "With Telekom hybrid connections, you may have to experiment a little with MTU (tun-mtu, link-mtu and mssfix)."
fi
rm /tmp/hybcheck
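Review bot: `/opt/pivpn/self_check.sh ${VPN}` relies on a `VPN` variable that nothing in this script sets; unless it comes from the sourced `setupVars`, `self_check.sh` receives no argument and its `/etc/pivpn/${VPN}/setupVars.conf` lookup fails with "Missing setup vars file". Since this is the OpenVPN debug script, pass it explicitly: `/opt/pivpn/self_check.sh "${VPN:-openvpn}"`. Moving the log snippet out of `/tmp/snippet` into `OVPNLOG` is the right direction, but the Telekom check below still writes and removes the predictable `/tmp/hybcheck` as root; `hybcheck=$(mktemp)` with `trap 'rm -f "$hybcheck"' EXIT` would close that gap too. The `sed "s/$pivpnHOST/REDACTED/"` line redacts only the first occurrence per line and treats the host as a regex; `sed "s/${pivpnHOST//./\\.}/REDACTED/g"` is closer to the intent.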


@ -1,7 +1,7 @@
#!/usr/bin/env bash
# PiVPN: revoke client script
setupVars="/etc/pivpn/setupVars.conf"
setupVars="/etc/pivpn/openvpn/setupVars.conf"
INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
if [ ! -f "${setupVars}" ]; then
@ -14,11 +14,12 @@ source "${setupVars}"
helpFunc() {
echo "::: Revoke a client ovpn profile"
echo ":::"
echo "::: Usage: pivpn <-r|revoke> [-h|--help] [<client-1>] ... [<client-n>] ..."
echo "::: Usage: pivpn <-r|revoke> [-y|--yes] [-h|--help] [<client-1>] ... [<client-n>] ..."
echo ":::"
echo "::: Commands:"
echo "::: [none] Interactive mode"
echo "::: <client> Client(s) to to revoke"
echo "::: -y,--yes Remove Client(s) without confirmation"
echo "::: -h,--help Show this help dialog"
}
@ -31,6 +32,9 @@ do
helpFunc
exit 0
;;
-y|--yes)
CONFIRM=true
;;
*)
CERTS_TO_REVOKE+=("$1")
;;
@ -52,17 +56,23 @@ if [[ -z "${CERTS_TO_REVOKE}" ]]; then
STATUS=$(echo "$line" | awk '{print $1}')
if [[ "${STATUS}" = "V" ]]; then
NAME=$(echo "$line" | sed -e 's:.*/CN=::')
CERTS[$i]=${NAME}
if [ "$i" != 0 ]; then
# Prevent printing "server" certificate
printf " %s\n" "$NAME"
CERTS[$i]=$(echo -e "${NAME}")
fi
let i=i+1
fi
done <${INDEX}
i=1
len=${#CERTS[@]}
while [ $i -le ${len} ]; do
printf "%0${#len}s) %s\r\n" ${i} ${CERTS[(($i))]}
((i++))
done
printf "\n"
echo -n "::: Please enter the Name of the client to be revoked from the list above: "
echo -n "::: Please enter the Index/Name of the client to be revoked from the list above: "
read -r NAME
if [[ -z "${NAME}" ]]; then
@ -70,6 +80,11 @@ if [[ -z "${CERTS_TO_REVOKE}" ]]; then
exit 1
fi
re='^[0-9]+$'
if [[ ${NAME} =~ $re ]] ; then
NAME=${CERTS[$(($NAME))]}
fi
for((x=1;x<=i;++x)); do
if [ "${CERTS[$x]}" = "${NAME}" ]; then
VALID=1
@ -87,7 +102,7 @@ else
while read -r line || [ -n "$line" ]; do
STATUS=$(echo "$line" | awk '{print $1}')
if [[ "${STATUS}" = "V" ]]; then
NAME=$(echo "$line" | sed -e 's:.*/CN=::')
NAME=$(echo -e "$line" | sed -e 's:.*/CN=::')
CERTS[$i]=${NAME}
let i=i+1
fi
@ -111,31 +126,38 @@ fi
cd /etc/openvpn/easy-rsa || exit
for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}"
./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}"
./easyrsa gen-crl
printf "\n::: Certificate revoked, and CRL file updated.\n"
printf "::: Removing certs and client configuration for this profile.\n"
rm -rf "pki/reqs/${CERTS_TO_REVOKE[ii]}.req"
rm -rf "pki/private/${CERTS_TO_REVOKE[ii]}.key"
rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt"
if [ -n "$CONFIRM" ]; then
REPLY="y"
else
read -r -p "Do you really want to revoke ${CERTS_TO_REVOKE[ii]}? [Y/n] "
fi
if [[ $REPLY =~ ^[Yy]$ ]]; then
printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}"
./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}"
./easyrsa gen-crl
printf "\n::: Certificate revoked, and CRL file updated.\n"
printf "::: Removing certs and client configuration for this profile.\n"
rm -rf "pki/reqs/${CERTS_TO_REVOKE[ii]}.req"
rm -rf "pki/private/${CERTS_TO_REVOKE[ii]}.key"
rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt"
# Grab the client IP address
NET_REDUCED="${pivpnNET::-2}"
STATIC_IP=$(grep -v "^#" /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}" | grep -w ifconfig-push | grep -oE "${NET_REDUCED}\.[0-9]{1,3}")
rm -rf /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}"
# Grab the client IP address
NET_REDUCED="${pivpnNET::-2}"
STATIC_IP=$(grep -v "^#" /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}" | grep -w ifconfig-push | grep -oE "${NET_REDUCED}\.[0-9]{1,3}")
rm -rf /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}"
rm -rf "${install_home}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn"
rm -rf "/etc/openvpn/easy-rsa/pki/${CERTS_TO_REVOKE[ii]}.ovpn"
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
rm -rf "${install_home}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn"
rm -rf "/etc/openvpn/easy-rsa/pki/${CERTS_TO_REVOKE[ii]}.ovpn"
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
# If using Pi-hole, remove the client from the hosts file
if [ -f /etc/pivpn/hosts.openvpn ]; then
sed "\#${STATIC_IP} ${CERTS_TO_REVOKE[ii]}.pivpn#d" -i /etc/pivpn/hosts.openvpn
if killall -SIGHUP pihole-FTL; then
echo "::: Updated hosts file for Pi-hole"
else
echo "::: Failed to reload pihole-FTL configuration"
# If using Pi-hole, remove the client from the hosts file
if [ -f /etc/pivpn/hosts.openvpn ]; then
sed "\#${STATIC_IP} ${CERTS_TO_REVOKE[ii]}.pivpn#d" -i /etc/pivpn/hosts.openvpn
if killall -SIGHUP pihole-FTL; then
echo "::: Updated hosts file for Pi-hole"
else
echo "::: Failed to reload pihole-FTL configuration"
fi
fi
fi
done
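Review bot: In the confirmation branch `./easyrsa --batch revoke` and `./easyrsa gen-crl` run without their exit status being checked, yet the script then deletes the client's `.req`/`.key`/`.crt`, copies `crl.pem` and prints "Certificate revoked"; if revocation fails (CA passphrase, easyrsa error) the certificate stays valid on the server while the local evidence of it is gone. Abort per client on failure: `if ! ./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}" || ! ./easyrsa gen-crl; then echo "::: Failed to revoke ${CERTS_TO_REVOKE[ii]}, leaving its files in place" >&2; continue; fi`, and check the `cp … /etc/openvpn/crl.pem` likewise since that copy is what OpenVPN actually enforces. The prompt reads `[Y/n]` but an empty reply is treated as "no" by `^[Yy]$`; either change the text to `[y/N]` or also accept `-z "$REPLY"`. The index-to-name mapping `NAME=${CERTS[$(($NAME))]}` yields an empty name for 0 or out-of-range input, which the later VALID check appears to catch, but an explicit "invalid index" message would be clearer.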

scripts/pivpn Executable file

@ -0,0 +1,49 @@
#!/bin/bash
# Must be root to use this tool
if [ $EUID -ne 0 ];then
if dpkg-query -s sudo &> /dev/null; then
export SUDO="sudo"
else
echo "::: Please install sudo or run this as root."
exit 1
fi
fi
scriptDir="/opt/pivpn"
uninstallServer(){
$SUDO ${scriptDir}/uninstall.sh
exit 0
}
backup(){
$SUDO ${scriptDir}/backup.sh
exit 0
}
showHelp(){
echo "::: To pass off to the pivpn command for each protocol"
echo ":::"
echo "::: Usage: pivpn wg <command> [option]"
echo "::: Usage: pivpn ovpn <command> [option]"
echo ":::"
echo "::: -h, help Show this help dialog"
echo "::: -u, uninstall Uninstall pivpn from your system!"
echo "::: -bk, backup Backup VPN configs and user profiles"
exit 0
}
if [ $# = 0 ]; then
showHelp
fi
# Handle redirecting to specific functions based on arguments
case "$1" in
wg ) "${scriptDir}/wireguard/pivpn.sh" "${@:2}";;
ovpn ) "${scriptDir}/openvpn/pivpn.sh" "${@:2}";;
"-h" | "help" ) showHelp;;
"-u" | "uninstall" ) uninstallServer;;
"-bk" | "backup" ) backup ;;
* ) showHelp;;
esac
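Review bot: The `*)` arm falls to `showHelp`, which prints usage to stdout and exits 0, so a mistyped invocation such as `pivpn remove foo` (missing the `wg`/`ovpn` selector) reports success to callers and scripts. Print unknown commands to stderr with a non-zero status, e.g. `* ) echo "::: Unknown command '$1'" >&2; showHelp >&2; exit 1;;`, with `showHelp` changed to end in `return` rather than `exit 0` so the `exit 1` is reached. The `wg`/`ovpn` arms invoke the per-protocol scripts without `$SUDO`, which works only because those scripts repeat the EUID check themselves (visible for the OpenVPN one in this commit); a one-line comment noting that dependency, `# protocol scripts do their own root/sudo check`, would stop someone "simplifying" it later.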


@ -1,6 +1,8 @@
#!/bin/bash
setupVars="/etc/pivpn/setupVars.conf"
# dual protocol, VPN type supplied as $1
VPN=$1
setupVars="/etc/pivpn/${VPN}/setupVars.conf"
ERR=0
if [ ! -f "${setupVars}" ]; then
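Review bot: `VPN=$1` is accepted verbatim and interpolated into `setupVars="/etc/pivpn/${VPN}/setupVars.conf"`, which the existing code then tests and (presumably, as before this change) sources, so an empty argument resolves to `/etc/pivpn//setupVars.conf` and a traversal-shaped value resolves outside `/etc/pivpn`; since this runs as root from `pivpnDebug.sh`, only the two known protocol names should be accepted. Add `case "$VPN" in wireguard|openvpn) ;; *) echo "::: Usage: $0 <wireguard|openvpn>" >&2; exit 1;; esac` directly after the assignment. The rest of the script is outside the hunk.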


@ -4,19 +4,6 @@
### FIXME: global: config storage, refactor all scripts to adhere to the storage
### FIXME: use variables where appropriate, reduce magic numbers by 99.9%, at least.
PKG_MANAGER="apt-get"
UPDATE_PKG_CACHE="${PKG_MANAGER} update"
dnsmasqConfig="/etc/dnsmasq.d/02-pivpn.conf"
setupVars="/etc/pivpn/setupVars.conf"
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
# shellcheck disable=SC1090
source "${setupVars}"
# Find the rows and columns. Will default to 80x24 if it can not be detected.
screen_size=$(stty size 2>/dev/null || echo 24 80)
rows=$(echo "$screen_size" | awk '{print $1}')
@ -29,6 +16,55 @@ c=$(( columns / 2 ))
r=$(( r < 20 ? 20 : r ))
c=$(( c < 70 ? 70 : c ))
PKG_MANAGER="apt-get"
UPDATE_PKG_CACHE="${PKG_MANAGER} update"
dnsmasqConfig="/etc/dnsmasq.d/02-pivpn.conf"
setupVarsFile="setupVars.conf"
setupConfigDir="/etc/pivpn"
pivpnFilesDir="/usr/local/src/pivpn"
pivpnScriptDir="/opt/pivpn"
if [ -r "${setupConfigDir}/wireguard/${setupVarsFile}" ] && [ -r "${setupConfigDir}/openvpn/${setupVarsFile}" ]; then
vpnStillExists=1
# Two protocols have been installed, check if the script has passed
# an argument, otherwise ask the user which one he wants to remove
if [ $# -ge 1 ]; then
VPN="$1"
echo "::: Uninstalling VPN: $VPN"
else
chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Uninstall" --separate-output --radiolist "Both OpenVPN and WireGuard are installed, choose a VPN to uninstall (press space to select):" "${r}" "${c}" 2)
VPNChooseOptions=(WireGuard "" on
OpenVPN "" off)
if VPN=$("${chooseVPNCmd[@]}" "${VPNChooseOptions[@]}" 2>&1 >/dev/tty) ; then
echo "::: Uninstalling VPN: $VPN"
VPN="${VPN,,}"
else
echo "::: Cancel selected, exiting...."
exit 1
fi
fi
setupVars="${setupConfigDir}/${VPN}/${setupVarsFile}"
else
vpnStillExists=0
if [ -r "${setupConfigDir}/wireguard/${setupVarsFile}" ]; then
setupVars="${setupConfigDir}/wireguard/${setupVarsFile}"
elif [ -r "${setupConfigDir}/openvpn/${setupVarsFile}" ]; then
setupVars="${setupConfigDir}/openvpn/${setupVarsFile}"
fi
fi
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
# shellcheck disable=SC1090
source "${setupVars}"
### FIXME: introduce global lib
spinner(){
local pid=$1
@ -65,7 +101,7 @@ removeAll(){
ufw delete allow "${pivpnPORT}"/"${pivpnPROTO}" > /dev/null
### FIXME: SC2154
ufw route delete allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any > /dev/null
sed -z "s/*nat\\n:POSTROUTING ACCEPT \\[0:0\\]\\n-I POSTROUTING -s ${pivpnNET}\\/${subnetClass} -o ${IPv4dev} -j MASQUERADE -m comment --comment ${VPN}-nat-rule\\nCOMMIT\\n\\n//" -i /etc/ufw/before.rules
sed "/-I POSTROUTING -s ${pivpnNET}\\/${subnetClass} -o ${IPv4dev} -j MASQUERADE -m comment --comment ${VPN}-nat-rule/d" -i /etc/ufw/before.rules
iptables -t nat -D POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
ufw reload &> /dev/null
@ -86,8 +122,10 @@ removeAll(){
fi
# Disable IPv4 forwarding
sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf
sysctl -p
if [ "${vpnStillExists}" -eq 0 ]; then
sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf
sysctl -p
fi
# Purge dependencies
echo "::: Purge dependencies..."
@ -96,17 +134,21 @@ removeAll(){
while true; do
read -rp "::: Do you wish to remove $i from your system? [Y/n]: " yn
case $yn in
[Yy]* ) if [ "${i}" = "wireguard" ]; then
[Yy]* ) if [ "${i}" = "wireguard-tools" ]; then
# On Debian and Raspbian, remove the bullseye repo. On Ubuntu, remove the PPA.
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Raspbian" ]; then
rm -f /etc/apt/sources.list.d/pivpn-bullseye.list
# The bullseye repo may not exist if wireguard was available at the
# time of installation.
if [ -f /etc/apt/sources.list.d/pivpn-bullseye-repo.list ]; then
echo "::: Removing Debian Bullseye repo..."
rm -f /etc/apt/sources.list.d/pivpn-bullseye-repo.list
rm -f /etc/apt/preferences.d/pivpn-limit-bullseye
elif [ "$PLAT" = "Ubuntu" ]; then
add-apt-repository ppa:wireguard/wireguard -r -y
echo "::: Updating package cache..."
${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
fi
if [ -f /etc/systemd/system/wg-quick@.service.d/override.conf ]; then
rm -f /etc/systemd/system/wg-quick@.service.d/override.conf
fi
echo "::: Updating package cache..."
${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
elif [ "${i}" = "unattended-upgrades" ]; then
@ -116,7 +158,8 @@ removeAll(){
elif [ "${i}" = "openvpn" ]; then
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
if [ -f /etc/apt/sources.list.d/pivpn-openvpn-repo.list ]; then
echo "::: Removing OpenVPN software repo..."
rm -f /etc/apt/sources.list.d/pivpn-openvpn-repo.list
echo "::: Updating package cache..."
${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
@ -143,22 +186,12 @@ removeAll(){
printf "::: Auto cleaning remaining dependencies..."
$PKG_MANAGER -y autoclean &> /dev/null & spinner $!; printf "done!\\n";
echo ":::"
# Removing pivpn files
echo "::: Removing pivpn system files..."
if [ -f "$dnsmasqConfig" ]; then
rm -f "$dnsmasqConfig"
pihole restartdns
fi
rm -rf /opt/pivpn
rm -rf /etc/.pivpn
rm -rf /etc/pivpn
rm -f /var/log/*pivpn*
rm -f /usr/local/bin/pivpn
rm -f /etc/bash_completion.d/pivpn
echo ":::"
echo "::: Removing VPN configuration files..."
@ -177,6 +210,35 @@ removeAll(){
rm -rf "$install_home/ovpns"
fi
if [ "${vpnStillExists}" -eq 0 ]; then
echo ":::"
echo "::: Removing pivpn system files..."
rm -rf "${setupConfigDir}"
rm -rf "${pivpnFilesDir}"
rm -f /var/log/*pivpn*
rm -f /etc/bash_completion.d/pivpn
unlink "${pivpnScriptDir}"
unlink /usr/local/bin/pivpn
else
if [[ ${VPN} == 'wireguard' ]]; then
othervpn='openvpn'
else
othervpn='wireguard'
fi
echo ":::"
echo "::: Other VPN ${othervpn} still present, so not"
echo "::: removing pivpn system files"
rm -f "${setupConfigDir}/${VPN}/${setupVarsFile}"
# Restore single pivpn script and bash completion for the remaining VPN
$SUDO unlink /usr/local/bin/pivpn
$SUDO ln -s -T "${pivpnFilesDir}/scripts/${othervpn}/pivpn.sh" /usr/local/bin/pivpn
$SUDO ln -s -T "${pivpnFilesDir}/scripts/${othervpn}/bash-completion" /etc/bash_completion.d/pivpn
# shellcheck disable=SC1091
. /etc/bash_completion.d/pivpn
fi
echo ":::"
printf "::: Finished removing PiVPN from your system.\\n"
printf "::: Reinstall by simpling running\\n:::\\n:::\\tcurl -L https://install.pivpn.io | bash\\n:::\\n::: at any time!\\n:::\\n"
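Review bot: As in `backup.sh`, the VPN name taken from `$1` is used unvalidated to pick the file that is sourced as root, and here it also flows into the `sed … ${VPN}-nat-rule` pattern applied to `/etc/ufw/before.rules` and into `rm -f "${setupConfigDir}/${VPN}/${setupVarsFile}"`; validate it with `case "${1,,}" in wireguard|openvpn) VPN="${1,,}";; *) echo "::: Unknown VPN '$1'" >&2; exit 1;; esac`. In the "other VPN still present" branch only `/usr/local/bin/pivpn` is unlinked before the two `ln -s -T` calls, so the completion link fails with "File exists" whenever `/etc/bash_completion.d/pivpn` already exists (its `rm -f` lives in the other branch); use `ln -sfT` for both. Those lines are also the only ones in the file prefixed with `$SUDO`, which is unset here because the script already runs as root, so drop the prefix for consistency. `unlink "${pivpnScriptDir}"` assumes `/opt/pivpn` is a symlink; on an installation that still has the old directory layout it fails and leaves the scripts behind, so branching on `[ -L ]` versus `[ -d ]` may be safer — hedged, since the installer is not shown.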


@ -6,7 +6,36 @@ pivpnrepo="https://github.com/pivpn/pivpn.git"
pivpnlocalpath="/etc/.pivpn"
pivpnscripts="/opt/pivpn/"
bashcompletiondir="/etc/bash_completion.d/"
setupVars="/etc/pivpn/setupVars.conf"
# Find the rows and columns. Will default to 80x24 if it can not be detected.
screen_size=$(stty size 2>/dev/null || echo 24 80)
rows=$(echo "$screen_size" | awk '{print $1}')
columns=$(echo "$screen_size" | awk '{print $2}')
# Divide by two so the dialogs take up half of the screen, which looks nice.
r=$(( rows / 2 ))
c=$(( columns / 2 ))
# Unless the screen is tiny
r=$(( r < 20 ? 20 : r ))
c=$(( c < 70 ? 70 : c ))
echo "::: The updating functionality for PiVPN scripts is temporarily disabled"
echo "::: To keep the VPN (and the system) up to date, use 'apt update' and 'apt upgrade'"
exit 0
chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "Choose a VPN to update (press space to select):" "${r}" "${c}" 2)
VPNChooseOptions=(WireGuard "" on
OpenVPN "" off)
if VPN=$("${chooseVPNCmd[@]}" "${VPNChooseOptions[@]}" 2>&1 >/dev/tty) ; then
echo "::: Using VPN: $VPN"
VPN="${VPN,,}"
else
echo "::: Cancel selected, exiting...."
exit 1
fi
setupVars="/etc/pivpn/${VPN}/setupVars.conf"
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
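Review bot: The unconditional `exit 0` placed before the whiptail prompt turns everything after it into dead code, which is acceptable as a temporary measure but should be marked as such, e.g. `# TODO: re-enable once update.sh handles the per-protocol /etc/pivpn/<vpn>/ layout; everything below is unreachable until then`. Note also that `pivpnlocalpath="/etc/.pivpn"` in the context above still points at the old checkout, whereas the new debug script reads `/usr/local/src/pivpn/.git` and uninstall removes `/usr/local/src/pivpn`; when updating is re-enabled it would clone into a path the rest of the tooling no longer uses, so `pivpnlocalpath="/usr/local/src/pivpn"` should change alongside. The top of the script is outside the hunk.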


@ -4,8 +4,8 @@ _pivpn()
COMPREPLY=()
cur="${COMP_WORDS[COMP_CWORD]}"
prev="${COMP_WORDS[COMP_CWORD-1]}"
dashopts="-a -c -d -l -qr -r -h -u -up -wg -bk"
opts="add clients debug list qrcode remove help uninstall update wgupdate backup"
dashopts="-a -c -d -l -qr -r -h -u -up -bk -off -on"
opts="add clients debug list qrcode remove help uninstall update backup (temp) off (temp) on"
if [ "${#COMP_WORDS[@]}" -eq 2 ]
then
if [[ ${cur} == -* ]] ; then
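Review bot: `opts` is word-split when handed to completion, so the `(temp)` annotations become candidates in their own right and `pivpn (` will complete to a literal `(temp)`; the string must contain only real commands. Use `opts="add clients debug list qrcode remove help uninstall update backup off on"` and keep the "temporary" remark in a comment above it, e.g. `# off/on are provisional until the disable feature is finalised`. `_pivpn` starts before the hunk.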


@ -2,6 +2,7 @@
# PiVPN: client status script
CLIENTS_FILE="/etc/wireguard/configs/clients.txt"
CONF_FILE="/etc/wireguard/wg0.conf"
if [ ! -s "$CLIENTS_FILE" ]; then
echo "::: There are no clients to list"
@ -36,33 +37,37 @@ listClients(){
printf "\e[4mName\e[0m \t \e[4mRemote IP\e[0m \t \e[4mVirtual IP\e[0m \t \e[4mBytes Received\e[0m \t \e[4mBytes Sent\e[0m \t \e[4mLast Seen\e[0m\n"
while IFS= read -r LINE; do
PUBLIC_KEY="$(awk '{ print $1 }' <<< "$LINE")"
REMOTE_IP="$(awk '{ print $3 }' <<< "$LINE")"
VIRTUAL_IP="$(awk '{ print $4 }' <<< "$LINE")"
BYTES_RECEIVED="$(awk '{ print $6 }' <<< "$LINE")"
BYTES_SENT="$(awk '{ print $7 }' <<< "$LINE")"
LAST_SEEN="$(awk '{ print $5 }' <<< "$LINE")"
CLIENT_NAME="$(grep "$PUBLIC_KEY" "$CLIENTS_FILE" | awk '{ print $1 }')"
if [ "$HR" = 1 ]; then
if [ "$LAST_SEEN" -ne 0 ]; then
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "$(date -d @"$LAST_SEEN" '+%b %d %Y - %T')"
if [ -n "${LINE}" ]; then
PUBLIC_KEY="$(awk '{ print $1 }' <<< "$LINE")"
REMOTE_IP="$(awk '{ print $3 }' <<< "$LINE")"
VIRTUAL_IP="$(awk '{ print $4 }' <<< "$LINE")"
BYTES_RECEIVED="$(awk '{ print $6 }' <<< "$LINE")"
BYTES_SENT="$(awk '{ print $7 }' <<< "$LINE")"
LAST_SEEN="$(awk '{ print $5 }' <<< "$LINE")"
CLIENT_NAME="$(grep "$PUBLIC_KEY" "$CLIENTS_FILE" | awk '{ print $1 }')"
if [ "$HR" = 1 ]; then
if [ "$LAST_SEEN" -ne 0 ]; then
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "$(date -d @"$LAST_SEEN" '+%b %d %Y - %T')"
else
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "(not yet)"
fi
else
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "(not yet)"
fi
else
if [ "$LAST_SEEN" -ne 0 ]; then
printf "%s \t %s \t %s \t %'d \t %'d \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$BYTES_RECEIVED" "$BYTES_SENT" "$(date -d @"$LAST_SEEN" '+%b %d %Y - %T')"
else
printf "%s \t %s \t %s \t %'d \t %'d \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$BYTES_RECEIVED" "$BYTES_SENT" "(not yet)"
if [ "$LAST_SEEN" -ne 0 ]; then
printf "%s \t %s \t %s \t %'d \t %'d \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$BYTES_RECEIVED" "$BYTES_SENT" "$(date -d @"$LAST_SEEN" '+%b %d %Y - %T')"
else
printf "%s \t %s \t %s \t %'d \t %'d \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$BYTES_RECEIVED" "$BYTES_SENT" "(not yet)"
fi
fi
fi
done <<< "$DUMP"
printf "\n"
} | column -t -s $'\t'
cd /etc/wireguard || return
echo "::: Disabled clients :::"
grep '\[disabled\] ### begin' wg0.conf | sed 's/#//g; s/begin//'
}
if [[ $# -eq 0 ]]; then
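Review bot: The new disabled-clients listing does `cd /etc/wireguard || return` and then greps a relative `wg0.conf`, even though the commit adds `CONF_FILE="/etc/wireguard/wg0.conf"` at the top for exactly this purpose; a failed `cd` also returns silently from `listClients`, so the user gets no hint that the file was unreachable. Replace the two lines with `grep '\[disabled\] ### begin' "$CONF_FILE" | sed 's/#//g; s/begin//'` and drop the `cd`. `grep "$PUBLIC_KEY" "$CLIENTS_FILE"` treats a base64 key as a regex; `grep -F -- "$PUBLIC_KEY"` is the exact-match form and removes any doubt about `+`/`/` in the key. `listClients` starts before the hunk.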

scripts/wireguard/disableCONF.sh Executable file

@ -0,0 +1,120 @@
#!/bin/bash
setupVars="/etc/pivpn/wireguard/setupVars.conf"
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
source "${setupVars}"
helpFunc(){
echo "::: Disable client conf profiles"
echo ":::"
echo "::: Usage: pivpn <-off|off> [-h|--help] [-v] [<client-1> ... [<client-2>] ...] "
echo ":::"
echo "::: Commands:"
echo "::: [none] Interactive mode"
echo "::: <client> Client"
echo "::: -y,--yes Disable client(s) without confirmation"
echo "::: -v Show disabled clients only"
echo "::: -h,--help Show this help dialog"
}
# Parse input arguments
while test $# -gt 0
do
_key="$1"
case "$_key" in
-h|--help)
helpFunc
exit 0
;;
-y|--yes)
CONFIRM=true
;;
-v)
DISPLAY_DISABLED=true
;;
*)
CLIENTS_TO_CHANGE+=("$1")
;;
esac
shift
done
cd /etc/wireguard
if [ ! -s configs/clients.txt ]; then
echo "::: There are no clients to change"
exit 1
fi
if [ "$DISPLAY_DISABLED" ]; then
grep '\[disabled\] ### begin' wg0.conf | sed 's/#//g; s/begin//'
exit 1
fi
LIST=($(awk '{print $1}' configs/clients.txt))
if [ "${#CLIENTS_TO_CHANGE[@]}" -eq 0 ]; then
echo -e "::\e[4m Client list \e[0m::"
len=${#LIST[@]}
COUNTER=1
while [ $COUNTER -le ${len} ]; do
printf "%0${#len}s) %s\r\n" ${COUNTER} ${LIST[(($COUNTER-1))]}
((COUNTER++))
done
read -r -p "Please enter the Index/Name of the Client to be removed from the list above: " CLIENTS_TO_CHANGE
if [ -z "${CLIENTS_TO_CHANGE}" ]; then
echo "::: You can not leave this blank!"
exit 1
fi
fi
CHANGED_COUNT=0
for CLIENT_NAME in "${CLIENTS_TO_CHANGE[@]}"; do
re='^[0-9]+$'
if [[ ${CLIENT_NAME} =~ $re ]] ; then
CLIENT_NAME=${LIST[$(($CLIENT_NAME -1))]}
fi
if ! grep -q "^${CLIENT_NAME} " configs/clients.txt; then
echo -e "::: \e[1m${CLIENT_NAME}\e[0m does not exist"
elif grep -q "#\[disabled\] ### begin ${CLIENT_NAME}" wg0.conf; then
echo -e "::: \e[1m${CLIENT_NAME}\e[0m is already disabled"
else
if [ -n "$CONFIRM" ]; then
REPLY="y"
else
read -r -p "Confirm you want to disable $CLIENT_NAME? [Y/n] "
fi
if [[ $REPLY =~ ^[Yy]$ ]]; then
# Disable the peer section from the server config
echo "${CLIENT_NAME}"
sed -e "/### begin ${CLIENT_NAME}/,/end ${CLIENT_NAME}/ s/^/#\[disabled\] /" -i wg0.conf
echo "::: Updated server config"
((CHANGED_COUNT++))
echo "::: Successfully disabled ${CLIENT_NAME}"
fi
fi
done
# Restart WireGuard only if some clients were actually deleted
if [ "${CHANGED_COUNT}" -gt 0 ]; then
if systemctl reload wg-quick@wg0; then
echo "::: WireGuard reloaded"
else
echo "::: Failed to reload WireGuard"
fi
fi
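Review bot: The range in `sed -e "/### begin ${CLIENT_NAME}/,/end ${CLIENT_NAME}/ s/^/#\[disabled\] /"` and the already-disabled `grep` just above it match by prefix, so disabling `foo` also comments out the peer section of a client named `foobar`; makeCONF.sh writes markers ending in ` ###` and removeCONF.sh already anchors both ends, so use `sed -e "/### begin ${CLIENT_NAME} ###/,/### end ${CLIENT_NAME} ###/ s/^/#\[disabled\] /" -i wg0.conf` and the same full marker in the grep (enableCONF.sh has the same unanchored range in its `sed ... s/#\[disabled\] //`). The index lookup `CLIENT_NAME=${LIST[$(($CLIENT_NAME -1))]}` turns an input of `0` into `LIST[-1]`, which bash 4.3+ resolves to the last client, so `pivpn off 0 -y` silently disables the last entry; reject indices outside `1..${#LIST[@]}` before the lookup (enableCONF.sh, qrcodeCONF.sh and removeCONF.sh carry the same lookup). `cd /etc/wireguard` is unchecked, so if it fails the later `sed -i wg0.conf` edits a file in the caller's directory; `cd /etc/wireguard || exit 1` closes that (same line in enableCONF.sh). The interactive prompt still says `Client to be removed`; for this script it should read `Client to be disabled`.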

116
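--- /dev/null
+++ b/scripts/wireguard/enableCONF.sh
@@ -0,0 +1,116 @@
+#!/bin/bash
+setupVars="/etc/pivpn/wireguard/setupVars.conf"
+if [ ! -f "${setupVars}" ]; then
+echo "::: Missing setup vars file!"
+exit 1
+fi
+source "${setupVars}"
+helpFunc(){
+echo "::: Enables client conf profiles"
+echo ":::"
+echo "::: Usage: pivpn <-on|on> [-h|--help] [-v] [<client-1> ... [<client-2>] ...] "
+echo ":::"
+echo "::: Commands:"
+echo "::: [none] Interactive mode"
+echo "::: <client> Client"
+echo "::: -y,--yes Enable client(s) without confirmation"
+echo "::: -v Show disabled clients only"
+echo "::: -h,--help Show this help dialog"
+}
+# Parse input arguments
+while test $# -gt 0
+do
+_key="$1"
+case "$_key" in
+-h|--help)
+helpFunc
+exit 0
+;;
+-y|--yes)
+CONFIRM=true
+;;
+-v)
+DISPLAY_DISABLED=true
+;;
+*)
+CLIENTS_TO_CHANGE+=("$1")
+;;
+esac
+shift
+done
+cd /etc/wireguard
+if [ ! -s configs/clients.txt ]; then
+echo "::: There are no clients to change"
+exit 1
+fi
+if [ "$DISPLAY_DISABLED" ]; then
+grep '\[disabled\] ### begin' wg0.conf | sed 's/#//g; s/begin//'
+exit 1
+fi
+LIST=($(awk '{print $1}' configs/clients.txt))
+if [ "${#CLIENTS_TO_CHANGE[@]}" -eq 0 ]; then
+echo -e "::\e[4m Client list \e[0m::"
+len=${#LIST[@]}
+COUNTER=1
+while [ $COUNTER -le ${len} ]; do
+printf "%0${#len}s) %s\r\n" ${COUNTER} ${LIST[(($COUNTER-1))]}
+((COUNTER++))
+done
+read -r -p "Please enter the Index/Name of the Client to be enabled from the list above: " CLIENTS_TO_CHANGE
+if [ -z "${CLIENTS_TO_CHANGE}" ]; then
+echo "::: You can not leave this blank!"
+exit 1
+fi
+fi
+CHANGED_COUNT=0
+for CLIENT_NAME in "${CLIENTS_TO_CHANGE[@]}"; do
+re='^[0-9]+$'
+if [[ ${CLIENT_NAME} =~ $re ]] ; then
+CLIENT_NAME=${LIST[$(($CLIENT_NAME -1))]}
+fi
+if ! grep -q "^${CLIENT_NAME} " configs/clients.txt; then
+echo -e "::: \e[1m${CLIENT_NAME}\e[0m does not exist"
+else
+if [ -n "$CONFIRM" ]; then
+REPLY="y"
+else
+read -r -p "Confirm you want to enable $CLIENT_NAME? [Y/n] "
+fi
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+# Enable the peer section from the server config
+echo "${CLIENT_NAME}"
+sed -e "/begin ${CLIENT_NAME}/,/end ${CLIENT_NAME}/ s/#\[disabled\] //" -i wg0.conf
+echo "::: Updated server config"
+((CHANGED_COUNT++))
+echo "::: Successfully enabled ${CLIENT_NAME}"
+fi
+fi
+done
+# Restart WireGuard only if some clients were actually deleted
+if [ "${CHANGED_COUNT}" -gt 0 ]; then
+if systemctl reload wg-quick@wg0; then
+echo "::: WireGuard reloaded"
+else
+echo "::: Failed to reload WireGuard"
+fi
+fi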
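Review bot: Unlike disableCONF.sh, there is no check that the client is actually disabled, so enabling an active client runs a no-op `sed`, still prints `::: Updated server config`, bumps `CHANGED_COUNT` and reloads WireGuard; an `elif ! grep -q "#\[disabled\] ### begin ${CLIENT_NAME} ###" wg0.conf; then echo "... is not disabled"` arm before the `else` would skip that. The prompt `[Y/n]` advertises yes as the default, but `[[ $REPLY =~ ^[Yy]$ ]]` treats an empty reply as no; either accept it with `[[ -z $REPLY || $REPLY =~ ^[Yy]$ ]]` or print `[y/N]` as removeCONF.sh does (disableCONF.sh has the same mismatch). The closing comment `# Restart WireGuard only if some clients were actually deleted` was copied from removeCONF.sh and no longer describes this script; change it to `# Reload WireGuard only if some clients were actually enabled` (and `disabled` in disableCONF.sh).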


@ -25,4 +25,9 @@ while read -r LINE; do
echo -e "$CLIENT_NAME \t $PUBLIC_KEY \t $CD_FORMAT"
done < clients.txt
} | column -t -s $'\t'
} | column -t -s $'\t'
cd /etc/wireguard || return
echo "::: Disabled clients :::"
grep '\[disabled\] ### begin' wg0.conf | sed 's/#//g; s/begin//'
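Review bot: `cd /etc/wireguard || return` is followed by a `grep` on `wg0.conf`, but the enclosing scope starts outside this hunk; if the line is at script top level rather than inside a function, `return` is an error in bash and execution continues in the original directory, so the grep fails with a "No such file" message instead of the script stopping. `cd /etc/wireguard || exit 1` behaves the same in both cases. Also, `grep` exits 1 when no client is disabled, so if this is the last command of the script its exit status is 1 in the normal case; append `|| true` if callers check the status.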


@ -1,6 +1,6 @@
#!/bin/bash
setupVars="/etc/pivpn/setupVars.conf"
setupVars="/etc/pivpn/wireguard/setupVars.conf"
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
@ -64,6 +64,11 @@ if [[ "${CLIENT_NAME}" =~ [^a-zA-Z0-9.@_-] ]]; then
exit 1
fi
if [[ "${CLIENT_NAME}" =~ ^[0-9]+$ ]]; then
echo "Names cannot be integers."
exit 1
fi
if [ -z "${CLIENT_NAME}" ]; then
echo "::: You cannot leave the name blank."
exit 1
@ -75,6 +80,7 @@ if [ -f "configs/${CLIENT_NAME}.conf" ]; then
fi
wg genkey | tee "keys/${CLIENT_NAME}_priv" | wg pubkey > "keys/${CLIENT_NAME}_pub"
wg genpsk | tee "keys/${CLIENT_NAME}_psk" &> /dev/null
echo "::: Client Keys generated"
# Find an unused number for the last octet of the client IP
@ -102,17 +108,17 @@ echo >> "configs/${CLIENT_NAME}.conf"
echo "[Peer]
PublicKey = $(cat keys/server_pub)
PresharedKey = $(cat keys/psk)
PresharedKey = $(cat "keys/${CLIENT_NAME}_psk")
Endpoint = ${pivpnHOST}:${pivpnPORT}
AllowedIPs = 0.0.0.0/0, ::0/0" >> "configs/${CLIENT_NAME}.conf"
AllowedIPs = ${ALLOWED_IPS}" >> "configs/${CLIENT_NAME}.conf"
echo "::: Client config generated"
echo "# begin ${CLIENT_NAME}
echo "### begin ${CLIENT_NAME} ###
[Peer]
PublicKey = $(cat "keys/${CLIENT_NAME}_pub")
PresharedKey = $(cat keys/psk)
PresharedKey = $(cat "keys/${CLIENT_NAME}_psk")
AllowedIPs = ${NET_REDUCED}.${COUNT}/32
# end ${CLIENT_NAME}" >> wg0.conf
### end ${CLIENT_NAME} ###" >> wg0.conf
echo "::: Updated server config"
if [ -f /etc/pivpn/hosts.wireguard ]; then
@ -124,10 +130,10 @@ if [ -f /etc/pivpn/hosts.wireguard ]; then
fi
fi
if systemctl restart wg-quick@wg0; then
echo "::: WireGuard restarted"
if systemctl reload wg-quick@wg0; then
echo "::: WireGuard reloaded"
else
echo "::: Failed to restart WireGuard"
echo "::: Failed to reload WireGuard"
fi
cp "configs/${CLIENT_NAME}.conf" "${install_home}/configs/${CLIENT_NAME}.conf"
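Review bot: `wg genpsk | tee "keys/${CLIENT_NAME}_psk" &> /dev/null` discards tee's exit status, so a failed write of the pre-shared key (permissions, full disk) goes unnoticed and the two `PresharedKey = $(cat "keys/${CLIENT_NAME}_psk")` lines below then emit an empty key into both the client config and wg0.conf. The `tee` serves no purpose once its stdout is thrown away; `wg genpsk > "keys/${CLIENT_NAME}_psk" || exit 1` is shorter and fails loudly. Like the private key on the line above, the file is created under the process umask; unless the `keys` directory is already restricted (not visible here), an explicit `umask 077` before key generation keeps the per-client secrets from being world-readable.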


@ -1,99 +0,0 @@
#!/bin/bash
# Must be root to use this tool
if [ $EUID -ne 0 ];then
if dpkg-query -s sudo &> /dev/null; then
export SUDO="sudo"
else
echo "::: Please install sudo or run this as root."
exit 1
fi
fi
makeConf(){
shift
$SUDO /opt/pivpn/makeCONF.sh "$@"
exit 0
}
listConnected(){
shift
$SUDO /opt/pivpn/clientSTAT.sh "$@"
exit 0
}
debug(){
$SUDO /opt/pivpn/pivpnDEBUG.sh
exit 0
}
listClients(){
$SUDO /opt/pivpn/listCONF.sh
exit 0
}
showQrcode(){
shift
$SUDO /opt/pivpn/qrcodeCONF.sh "$@"
exit 0
}
removeClient(){
shift
$SUDO /opt/pivpn/removeCONF.sh "$@"
exit 0
}
uninstallServer(){
$SUDO /opt/pivpn/uninstall.sh
exit 0
}
updateScripts(){
shift
$SUDO /opt/pivpn/update.sh "$@"
exit 0
}
backup(){
$SUDO /opt/pivpn/backup.sh
}
showHelp(){
echo "::: Control all PiVPN specific functions!"
echo ":::"
echo "::: Usage: pivpn <command> [option]"
echo ":::"
echo "::: Commands:"
echo "::: -a, add Create a client conf profile"
echo "::: -c, clients List any connected clients to the server"
echo "::: -d, debug Start a debugging session if having trouble"
echo "::: -l, list List all clients"
echo "::: -qr, qrcode Show the qrcode of a client for use with the mobile app"
echo "::: -r, remove Remove a client"
echo "::: -h, help Show this help dialog"
echo "::: -u, uninstall Uninstall pivpn from your system!"
echo "::: -up, update Updates PiVPN Scripts"
echo "::: -bk, backup Backup VPN configs and user profiles"
exit 0
}
if [ $# = 0 ]; then
showHelp
fi
# Handle redirecting to specific functions based on arguments
case "$1" in
"-a" | "add" ) makeConf "$@";;
"-c" | "clients" ) listConnected "$@";;
"-d" | "debug" ) debug;;
"-l" | "list" ) listClients;;
"-qr" | "qrcode" ) showQrcode "$@";;
"-r" | "remove" ) removeClient "$@";;
"-h" | "help" ) showHelp;;
"-u" | "uninstall" ) uninstallServer;;
"-up" | "update" ) updateScripts "$@" ;;
"-wg" | "wgupdate" ) updateWireGuard ;;
"-bk" | "backup" ) backup ;;
* ) showHelp;;
esac

123
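--- /dev/null
+++ b/scripts/wireguard/pivpn.sh
@@ -0,0 +1,123 @@
+#!/bin/bash
+# Must be root to use this tool
+if [ $EUID -ne 0 ];then
+if dpkg-query -s sudo &> /dev/null; then
+export SUDO="sudo"
+else
+echo "::: Please install sudo or run this as root."
+exit 1
+fi
+fi
+scriptdir="/opt/pivpn"
+vpn="wireguard"
+makeConf(){
+shift
+$SUDO ${scriptdir}/${vpn}/makeCONF.sh "$@"
+exit 0
+}
+listConnected(){
+shift
+$SUDO ${scriptdir}/${vpn}/clientSTAT.sh "$@"
+exit 0
+}
+debug(){
+echo "::: Generating Debug Output"
+$SUDO ${scriptdir}/${vpn}/pivpnDEBUG.sh | tee /tmp/debug.log
+echo "::: "
+echo "::: Debug output completed above."
+echo "::: Copy saved to /tmp/debug.log"
+echo "::: "
+exit 0
+}
+listClients(){
+$SUDO ${scriptdir}/${vpn}/listCONF.sh
+exit 0
+}
+showQrcode(){
+shift
+$SUDO ${scriptdir}/${vpn}/qrcodeCONF.sh "$@"
+exit 0
+}
+removeClient(){
+shift
+$SUDO ${scriptdir}/${vpn}/removeCONF.sh "$@"
+exit 0
+}
+disableClient(){
+shift
+$SUDO ${scriptdir}/${vpn}/disableCONF.sh "$@"
+exit 0
+}
+enableClient(){
+shift
+$SUDO ${scriptdir}/${vpn}/enableCONF.sh "$@"
+exit 0
+}
+uninstallServer(){
+$SUDO ${scriptdir}/uninstall.sh "${vpn}"
+exit 0
+}
+updateScripts(){
+shift
+$SUDO ${scriptdir}/update.sh "$@"
+exit 0
+}
+backup(){
+$SUDO ${scriptdir}/backup.sh "${vpn}"
+exit 0
+}
+showHelp(){
+echo "::: Control all PiVPN specific functions!"
+echo ":::"
+echo "::: Usage: pivpn <command> [option]"
+echo ":::"
+echo "::: Commands:"
+echo "::: -a, add Create a client conf profile"
+echo "::: -c, clients List any connected clients to the server"
+echo "::: -d, debug Start a debugging session if having trouble"
+echo "::: -l, list List all clients"
+echo "::: -qr, qrcode Show the qrcode of a client for use with the mobile app"
+echo "::: -r, remove Remove a client"
+echo "::: -off, off Disable a user"
+echo "::: -on, on Enable a user"
+echo "::: -h, help Show this help dialog"
+echo "::: -u, uninstall Uninstall pivpn from your system!"
+echo "::: -up, update Updates PiVPN Scripts"
+echo "::: -bk, backup Backup VPN configs and user profiles"
+exit 0
+}
+if [ $# = 0 ]; then
+showHelp
+fi
+# Handle redirecting to specific functions based on arguments
+case "$1" in
+"-a" | "add" ) makeConf "$@";;
+"-c" | "clients" ) listConnected "$@";;
+"-d" | "debug" ) debug;;
+"-l" | "list" ) listClients;;
+"-qr" | "qrcode" ) showQrcode "$@";;
+"-r" | "remove" ) removeClient "$@";;
+"-off" | "off" ) disableClient "$@";;
+"-on" | "on" ) enableClient "$@";;
+"-h" | "help" ) showHelp;;
+"-u" | "uninstall" ) uninstallServer;;
+"-up" | "update" ) updateScripts "$@" ;;
+"-bk" | "backup" ) backup ;;
+* ) showHelp;;
+esac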
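Review bot: `debug()` pipes the debug output, which per the headings in pivpnDEBUG.sh includes the server configuration, into the fixed path `/tmp/debug.log`. `tee` runs as the invoking user, not under `$SUDO`, and creates the file with that user's default umask, so on a shared host the dump is typically world-readable; because the name is predictable, a file or symlink another local user left at that path is followed and overwritten. `mktemp` gives a private, unpredictable file and the user still gets the path printed, as below.
```shell
debug(){
  local debug_log
  debug_log="$(mktemp /tmp/pivpn-debug.XXXXXX)" || exit 1
  echo "::: Generating Debug Output"
  $SUDO ${scriptdir}/${vpn}/pivpnDEBUG.sh | tee "${debug_log}"
  echo "::: "
  echo "::: Debug output completed above."
  echo "::: Copy saved to ${debug_log}"
  echo "::: "
  exit 0
}
```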


@ -1,7 +1,7 @@
#!/usr/bin/env bash
# This scripts runs as root
setupVars="/etc/pivpn/setupVars.conf"
setupVars="/etc/pivpn/wireguard/setupVars.conf"
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
@ -13,10 +13,10 @@ source "${setupVars}"
echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::"
printf "=============================================\n"
echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::"
git --git-dir /etc/.pivpn/.git log -n 1
git --git-dir /usr/local/src/pivpn/.git log -n 1
printf "=============================================\n"
echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::"
sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf
sed "s/$pivpnHOST/REDACTED/" < ${setupVars}
printf "=============================================\n"
echo -e ":::: \e[4mServer configuration shown below\e[0m ::::"
cd /etc/wireguard/keys
@ -46,7 +46,7 @@ echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::::\e\t[4m/etc/wir
ls -LR /etc/wireguard
printf "=============================================\n"
echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::"
/opt/pivpn/self_check.sh
/opt/pivpn/self_check.sh ${VPN}
printf "=============================================\n"
echo -e ":::: Having trouble connecting? Take a look at the FAQ:"
echo -e ":::: \e[1mhttps://github.com/pivpn/pivpn/wiki/FAQ\e[0m"
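Review bot: `/opt/pivpn/self_check.sh ${VPN}` relies on `VPN` being defined by the sourced setupVars.conf, which this hunk does not show; if it is unset, self_check.sh is invoked with no protocol argument even though the rest of this file is hard-wired to WireGuard. Quoting with a fallback makes the intent explicit: `/opt/pivpn/self_check.sh "${VPN:-wireguard}"`. Separately, `sed "s/$pivpnHOST/REDACTED/" < ${setupVars}` interpolates the host into the regex, so an empty `pivpnHOST` yields `s//REDACTED/` and sed aborts with "no previous regular expression", leaving the installation settings out of the report entirely; guard it with `[[ -n "$pivpnHOST" ]]` or use `sed "s/${pivpnHOST:-__unset__}/REDACTED/"`.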


@ -33,17 +33,18 @@ if [ ! -s clients.txt ]; then
exit 1
fi
LIST=($(awk '{print $1}' clients.txt))
if [ "${#CLIENTS_TO_SHOW[@]}" -eq 0 ]; then
echo -e "::\e[4m Client list \e[0m::"
LIST=($(awk '{print $1}' clients.txt))
len=${#LIST[@]}
COUNTER=1
while [ $COUNTER -le ${#LIST[@]} ]; do
echo "${LIST[(($COUNTER-1))]}"
while [ $COUNTER -le ${len} ]; do
printf "%0${#len}s) %s\r\n" ${COUNTER} ${LIST[(($COUNTER-1))]}
((COUNTER++))
done
read -r -p "Please enter the Name of the Client to show: " CLIENTS_TO_SHOW
read -r -p "Please enter the Index/Name of the Client to show: " CLIENTS_TO_SHOW
if [ -z "${CLIENTS_TO_SHOW}" ]; then
echo "::: You can not leave this blank!"
@ -52,6 +53,10 @@ if [ "${#CLIENTS_TO_SHOW[@]}" -eq 0 ]; then
fi
for CLIENT_NAME in "${CLIENTS_TO_SHOW[@]}"; do
re='^[0-9]+$'
if [[ ${CLIENT_NAME} =~ $re ]] ; then
CLIENT_NAME=${LIST[$(($CLIENT_NAME -1))]}
fi
if grep -qw "${CLIENT_NAME}" clients.txt; then
echo -e "::: Showing client \e[1m${CLIENT_NAME}\e[0m below"
echo "====================================================================="
@ -60,4 +65,4 @@ for CLIENT_NAME in "${CLIENTS_TO_SHOW[@]}"; do
else
echo -e "::: \e[1m${CLIENT_NAME}\e[0m does not exist"
fi
done
done
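Review bot: `grep -qw "${CLIENT_NAME}" clients.txt` accepts the name if it occurs as a whole word anywhere on a line, including inside the key column where `+`, `/` and `=` act as word boundaries, so a name that happens to match a key fragment is reported as an existing client. removeCONF.sh in this same commit moved to the anchored first-field form, which is both stricter and consistent: `if grep -q "^${CLIENT_NAME} " clients.txt; then`. The numeric-index lookup `CLIENT_NAME=${LIST[$(($CLIENT_NAME -1))]}` also shares the `0` → last-element behaviour raised on disableCONF.sh.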


@ -1,6 +1,6 @@
#!/bin/bash
setupVars="/etc/pivpn/setupVars.conf"
setupVars="/etc/pivpn/wireguard/setupVars.conf"
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
@ -12,11 +12,12 @@ source "${setupVars}"
helpFunc(){
echo "::: Remove a client conf profile"
echo ":::"
echo "::: Usage: pivpn <-r|remove> [-h|--help] [<client-1>] ... [<client-n>] ..."
echo "::: Usage: pivpn <-r|remove> [-y|--yes] [-h|--help] [<client-1>] ... [<client-n>] ..."
echo ":::"
echo "::: Commands:"
echo "::: [none] Interactive mode"
echo "::: <client> Client(s) to remove"
echo "::: -y,--yes Remove Client(s) without confirmation"
echo "::: -h,--help Show this help dialog"
}
@ -29,6 +30,9 @@ do
helpFunc
exit 0
;;
-y|--yes)
CONFIRM=true
;;
*)
CLIENTS_TO_REMOVE+=("$1")
;;
@ -42,17 +46,17 @@ if [ ! -s configs/clients.txt ]; then
exit 1
fi
LIST=($(awk '{print $1}' configs/clients.txt))
if [ "${#CLIENTS_TO_REMOVE[@]}" -eq 0 ]; then
echo -e "::\e[4m Client list \e[0m::"
LIST=($(awk '{print $1}' configs/clients.txt))
len=${#LIST[@]}
COUNTER=1
while [ $COUNTER -le ${#LIST[@]} ]; do
echo "${LIST[(($COUNTER-1))]}"
while [ $COUNTER -le ${len} ]; do
printf "%0${#len}s) %s\r\n" ${COUNTER} ${LIST[(($COUNTER-1))]}
((COUNTER++))
done
read -r -p "Please enter the Name of the Client to be removed from the list above: " CLIENTS_TO_REMOVE
read -r -p "Please enter the Index/Name of the Client to be removed from the list above: " CLIENTS_TO_REMOVE
if [ -z "${CLIENTS_TO_REMOVE}" ]; then
echo "::: You can not leave this blank!"
@ -64,26 +68,35 @@ DELETED_COUNT=0
for CLIENT_NAME in "${CLIENTS_TO_REMOVE[@]}"; do
if ! grep -qw "${CLIENT_NAME}" configs/clients.txt; then
re='^[0-9]+$'
if [[ ${CLIENT_NAME} =~ $re ]] ; then
CLIENT_NAME=${LIST[$(($CLIENT_NAME -1))]}
fi
if ! grep -q "^${CLIENT_NAME} " configs/clients.txt; then
echo -e "::: \e[1m${CLIENT_NAME}\e[0m does not exist"
else
REQUESTED="$(sha256sum "configs/${CLIENT_NAME}.conf" | cut -c 1-64)"
read -r -p "Do you really want to delete $CLIENT_NAME? [y/N] "
if [ -n "$CONFIRM" ]; then
REPLY="y"
else
read -r -p "Do you really want to delete $CLIENT_NAME? [y/N] "
fi
if [[ $REPLY =~ ^[Yy]$ ]]; then
# Grab the least significant octed of the client IP address
COUNT=$(grep "${CLIENT_NAME}" configs/clients.txt | awk '{print $4}')
COUNT=$(grep "^${CLIENT_NAME} " configs/clients.txt | awk '{print $4}')
# The creation date of the client
CREATION_DATE="$(grep "${CLIENT_NAME}" configs/clients.txt | awk '{print $3}')"
CREATION_DATE="$(grep "^${CLIENT_NAME} " configs/clients.txt | awk '{print $3}')"
# And its public key
PUBLIC_KEY="$(grep "${CLIENT_NAME}" configs/clients.txt | awk '{print $2}')"
PUBLIC_KEY="$(grep "^${CLIENT_NAME} " configs/clients.txt | awk '{print $2}')"
# Then remove the client matching the variables above
sed "\#${CLIENT_NAME} ${PUBLIC_KEY} ${CREATION_DATE} ${COUNT}#d" -i configs/clients.txt
# Remove the peer section from the server config
sed "/# begin ${CLIENT_NAME}/,/# end ${CLIENT_NAME}/d" -i wg0.conf
sed "/### begin ${CLIENT_NAME} ###/,/### end ${CLIENT_NAME} ###/d" -i wg0.conf
echo "::: Updated server config"
rm "configs/${CLIENT_NAME}.conf"
@ -91,6 +104,7 @@ for CLIENT_NAME in "${CLIENTS_TO_REMOVE[@]}"; do
rm "keys/${CLIENT_NAME}_priv"
rm "keys/${CLIENT_NAME}_pub"
rm "keys/${CLIENT_NAME}_psk"
echo "::: Client Keys for ${CLIENT_NAME} removed"
# Find all .conf files in the home folder of the user matching the checksum of the
@ -125,9 +139,9 @@ done
# Restart WireGuard only if some clients were actually deleted
if [ "${DELETED_COUNT}" -gt 0 ]; then
if systemctl restart wg-quick@wg0; then
echo "::: WireGuard restarted"
if systemctl reload wg-quick@wg0; then
echo "::: WireGuard reloaded"
else
echo "::: Failed to restart WireGuard"
echo "::: Failed to reload WireGuard"
fi
fi
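Review bot: The three lookups `COUNT=$(grep "^${CLIENT_NAME} " configs/clients.txt | awk '{print $4}')` (and the CREATION_DATE and PUBLIC_KEY lines after it) treat the name as a regex, and `.` is a character makeCONF.sh's whitelist allows in names, so with clients `a.c` and `abc` both present the grep returns two lines and the following `sed "\#${CLIENT_NAME} ${PUBLIC_KEY} ${CREATION_DATE} ${COUNT}#d"` pattern is assembled from two values joined by newlines. An exact field comparison avoids the regex entirely: `COUNT=$(awk -v n="$CLIENT_NAME" '$1 == n {print $4}' configs/clients.txt)`, and likewise `$3` and `$2` for the other two. The existence check `grep -q "^${CLIENT_NAME} "` above them has the same weakness and would accept `a.c` on the strength of the `abc` entry.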