Pi-hole/pivpn
Pi-hole/pivpn
1
0
Fork 0
mirror of https://github.com/pivpn/pivpn.git synced 2024-12-20 03:40:17 +00:00
Code Issues Projects Releases Packages Wiki Activity

Added all parameters, initial testing done

Browse source
This commit is contained in:
EWouters 2017-03-13 19:44:29 +13:00
parent 5db23185fd
commit 71021d6ffa
1 changed files with 104 additions and 61 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

85
auto_install/install.sh
View file

@ -480,7 +480,6 @@ unattendedUpgrades() {
if (whiptail --backtitle "Security Updates" --title "Unattended Upgrades" --yesno "Do you want to enable unattended upgrades of security patches to this server?" ${r} ${c}) then if (whiptail --backtitle "Security Updates" --title "Unattended Upgrades" --yesno "Do you want to enable unattended upgrades of security patches to this server?" ${r} ${c}) then
UNATTUPG="unattended-upgrades" UNATTUPG="unattended-upgrades"
$SUDO apt-get --yes --quiet --no-install-recommends install "$UNATTUPG" > /dev/null & spinner $!
else else
UNATTUPG="" UNATTUPG=""
fi fi
@ -772,9 +771,7 @@ setClientDNS() {
} }
confOpenVPN() { confOpenVPN() {
# Ask user if want to modify default port if [[ ${useUpdateVars} == false ]]; then
SERVER_NAME="server"
# Ask user for desired level of encryption # Ask user for desired level of encryption
ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "Encryption Strength" --radiolist \ ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "Encryption Strength" --radiolist \
"Choose your desired level of encryption:\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications it is recommended to use 2048 bit. If you are testing or just want to get through it quicker you can use 1024. If you are paranoid about ... things... then grab a cup of joe and pick 4096." ${r} ${c} 3 \ "Choose your desired level of encryption:\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications it is recommended to use 2048 bit. If you are testing or just want to get through it quicker you can use 1024. If you are paranoid about ... things... then grab a cup of joe and pick 4096." ${r} ${c} 3 \
@ -787,6 +784,7 @@ confOpenVPN() {
echo "::: Cancel selected. Exiting..." echo "::: Cancel selected. Exiting..."
exit 1 exit 1
fi fi
fi
# If easy-rsa exists, remove it # If easy-rsa exists, remove it
if [[ -d /etc/openvpn/easy-rsa/ ]]; then if [[ -d /etc/openvpn/easy-rsa/ ]]; then
@ -826,12 +824,23 @@ EOF
${SUDOE} ./easyrsa --batch build-ca nopass ${SUDOE} ./easyrsa --batch build-ca nopass
printf "\n::: CA Complete.\n" printf "\n::: CA Complete.\n"
if [[ ${useUpdateVars} == false ]]; then
whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c} whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c}
fi
# Build the server # Build the server
${SUDOE} ./easyrsa build-server-full server nopass ${SUDOE} ./easyrsa build-server-full server nopass
if [[ ${useUpdateVars} == false ]]; then
if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}) if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c})
then
DOWNLOAD_DH_PARAM=true
else
DOWNLOAD_DH_PARAM=false
fi
fi
if [ "$ENCRYPT" -ge "4096" ] && [[ ${DOWNLOAD_DH_PARAM} == true ]]
then then
# Downloading parameters # Downloading parameters
RANDOM_INDEX=$(( RANDOM % 128 )) RANDOM_INDEX=$(( RANDOM % 128 ))
@ -871,6 +880,7 @@ EOF
confUnattendedUpgrades() { confUnattendedUpgrades() {
if [[ $UNATTUPG == "unattended-upgrades" ]]; then if [[ $UNATTUPG == "unattended-upgrades" ]]; then
$SUDO apt-get --yes --quiet --no-install-recommends install "$UNATTUPG" > /dev/null & spinner $!
if [[ $PLAT == "Ubuntu" ]]; then if [[ $PLAT == "Ubuntu" ]]; then
# Ubuntu 50unattended-upgrades should already just have security enabled # Ubuntu 50unattended-upgrades should already just have security enabled
# so we just need to configure the 10periodic file # so we just need to configure the 10periodic file
@ -953,6 +963,9 @@ confOVPN() {
echo 0 > /tmp/REVOKE_STATUS echo 0 > /tmp/REVOKE_STATUS
$SUDO cp /tmp/REVOKE_STATUS /etc/pivpn/REVOKE_STATUS $SUDO cp /tmp/REVOKE_STATUS /etc/pivpn/REVOKE_STATUS
$SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
if [[ ${useUpdateVars} == false ]]; then
METH=$(whiptail --title "Public IP or DNS" --radiolist "Will clients use a Public IP or DNS Name to connect to your server?" ${r} ${c} 2 \ METH=$(whiptail --title "Public IP or DNS" --radiolist "Will clients use a Public IP or DNS Name to connect to your server?" ${r} ${c} 2 \
"$IPv4pub" "Use this public IP" "ON" \ "$IPv4pub" "Use this public IP" "ON" \
"DNS Entry" "Use a public DNS" "OFF" 3>&1 1>&2 2>&3) "DNS Entry" "Use a public DNS" "OFF" 3>&1 1>&2 2>&3)
@ -963,8 +976,6 @@ confOVPN() {
exit 1 exit 1
fi fi
$SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
if [ "$METH" == "$IPv4pub" ]; then if [ "$METH" == "$IPv4pub" ]; then
$SUDO sed -i 's/IPv4pub/'"$IPv4pub"'/' /etc/openvpn/easy-rsa/pki/Default.txt $SUDO sed -i 's/IPv4pub/'"$IPv4pub"'/' /etc/openvpn/easy-rsa/pki/Default.txt
else else
@ -981,10 +992,12 @@ confOVPN() {
$SUDO sed -i 's/IPv4pub/'"$PUBLICDNS"'/' /etc/openvpn/easy-rsa/pki/Default.txt $SUDO sed -i 's/IPv4pub/'"$PUBLICDNS"'/' /etc/openvpn/easy-rsa/pki/Default.txt
else else
publicDNSCorrect=False publicDNSCorrect=False
fi fi
done done
fi fi
else
$SUDO sed -i 's/IPv4pub/'"$PUBLICDNS"'/' /etc/openvpn/easy-rsa/pki/Default.txt
fi
# if they modified port put value in Default.txt for clients to use # if they modified port put value in Default.txt for clients to use
if [ $PORT != 1194 ]; then if [ $PORT != 1194 ]; then
@ -1006,32 +1019,47 @@ confOVPN() {
finalExports() { finalExports() {
# Update variables in setupVars.conf file # Update variables in setupVars.conf file
if [ -e "${setupVars}" ]; then if [ -e "${setupVars}" ]; then
sed -i.update.bak '/pivpnInterface/d;/IPv4dns/d;/IPv4addr/d;/IPv4gw/d;/pivpnUser/d;/UNATTUPG/d;' "${setupVars}" sed -i.update.bak '/pivpnUser/d;/UNATTUPG/d;/pivpnInterface/d;/IPv4dns/d;/IPv4addr/d;/IPv4gw/d;/pivpnProto/d;/PORT/d;/ENCRYPT/d;/DOWNLOAD_DH_PARAM/d;/PUBLICDNS/d;OVPNDNS1/d;OVPNDNS2/d;SERVER_NAME/d;' "${setupVars}"
fi fi
{ {
echo "pivpnUser=${pivpnUser}"
echo "UNATTUPG=${UNATTUPG}"
echo "pivpnInterface=${pivpnInterface}" echo "pivpnInterface=${pivpnInterface}"
echo "IPv4dns=${IPv4dns}" echo "IPv4dns=${IPv4dns}"
echo "IPv4addr=${IPv4addr}" echo "IPv4addr=${IPv4addr}"
echo "IPv4gw=${IPv4gw}" echo "IPv4gw=${IPv4gw}"
echo "pivpnUser=${pivpnUser}" echo "pivpnProto=${pivpnProto}"
echo "UNATTUPG=${UNATTUPG}" echo "PORT=${PORT}"
echo "ENCRYPT=${ENCRYPT}"
echo "DOWNLOAD_DH_PARAM=${DOWNLOAD_DH_PARAM}"
echo "PUBLICDNS=${PUBLICDNS}"
echo "OVPNDNS1=${OVPNDNS1}"
echo "OVPNDNS2=${OVPNDNS2}"
echo "SERVER_NAME=${SERVER_NAME}"
}>> "${setupVars}" }>> "${setupVars}"
} }
# I suggest replacing these names. # I suggest replacing some of these names.
#accountForRefactor() { #accountForRefactor() {
# # At some point in the future this list can be pruned, for now we'll need it to ensure updates don't break. # # At some point in the future this list can be pruned, for now we'll need it to ensure updates don't break.
# #
# # Refactoring of install script has changed the name of a couple of variables. Sort them out here. # # Refactoring of install script has changed the name of a couple of variables. Sort them out here.
# sed -i 's/pivpnUser/PIVPN_USER/g' ${setupVars}
# #sed -i 's/UNATTUPG/UNATTUPG/g' ${setupVars}
# sed -i 's/pivpnInterface/PIVPN_INTERFACE/g' ${setupVars} # sed -i 's/pivpnInterface/PIVPN_INTERFACE/g' ${setupVars}
# sed -i 's/IPv4dns/IPV4_DNS/g' ${setupVars} # sed -i 's/IPv4dns/IPV4_DNS/g' ${setupVars}
# sed -i 's/IPv4addr/IPV4_ADDRESS/g' ${setupVars} # sed -i 's/IPv4addr/IPV4_ADDRESS/g' ${setupVars}
# sed -i 's/IPv4gw/IPV4_GATEWAY/g' ${setupVars} # sed -i 's/IPv4gw/IPV4_GATEWAY/g' ${setupVars}
# sed -i 's/pivpnUser/PIVPN_USER/g' ${setupVars} # sed -i 's/pivpnProto/TRANSPORT_LAYER/g' ${setupVars}
# sed -i 's/IPv4dns/IPV4_DNS/g' ${setupVars} # #sed -i 's/PORT/PORT/g' ${setupVars}
# #sed -i 's/UNATTUPG/UNATTUPG/g' ${setupVars} # #sed -i 's/ENCRYPT/ENCRYPT/g' ${setupVars}
# #sed -i 's/DOWNLOAD_DH_PARAM/DOWNLOAD_DH_PARAM/g' ${setupVars}
# #sed -i 's/PUBLICDNS/PUBLICDNS/g' ${setupVars}
# #sed -i 's/OVPNDNS1/OVPNDNS1/g' ${setupVars}
# #sed -i 's/OVPNDNS2/OVPNDNS2/g' ${setupVars}
# #sed -i 's/SERVER_NAME/SERVER_NAME/g' ${setupVars}
#} #}
installPiVPN() { installPiVPN() {
@ -1043,22 +1071,37 @@ installPiVPN() {
setCustomPort setCustomPort
confOpenVPN confOpenVPN
confNetwork confNetwork
SERVER_NAME="server"
confOVPN confOVPN
setClientDNS setClientDNS
finalExports finalExports
} }
updatePiVPN() { # Could be replaced by installPiVPN, but keep structure close to pi-hole updatePiVPN() {
#accountForRefactor #accountForRefactor
stopServices stopServices
confUnattendedUpgrades confUnattendedUpgrades
installScripts installScripts
setCustomProto
setCustomPort # setCustomProto
echo "${pivpnProto}" > /tmp/pivpnPROTO
# write out the PROTO
PROTO=$pivpnProto
$SUDO cp /tmp/pivpnPROTO /etc/pivpn/INSTALL_PROTO
#setCustomPort
# write out the port
echo ${PORT} > /tmp/INSTALL_PORT
$SUDO cp /tmp/INSTALL_PORT /etc/pivpn/INSTALL_PORT
confOpenVPN confOpenVPN
confNetwork confNetwork
confOVPN confOVPN
setClientDNS
# ?? Is this always OK? Also if you only select one DNS server ??
$SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf
$SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf
finalExports #re-export setupVars.conf to account for any new vars added in new versions finalExports #re-export setupVars.conf to account for any new vars added in new versions
} }
@ -1212,6 +1255,9 @@ main() {
echo "::: Install Complete..." echo "::: Install Complete..."
else else
# Source ${setupVars} for use in the rest of the functions.
source ${setupVars}
# Only try to set static on Raspbian # Only try to set static on Raspbian
if [[ $PLAT != "Raspbian" ]]; then if [[ $PLAT != "Raspbian" ]]; then
echo "::: IP Information" echo "::: IP Information"
@ -1225,9 +1271,6 @@ main() {
# Clone/Update the repos # Clone/Update the repos
clone_or_update_repos clone_or_update_repos
# Source ${setupVars} for use in the rest of the functions.
source ${setupVars}
updatePiVPN | tee ${tmpLog} updatePiVPN | tee ${tmpLog}
fi fi