Merge branch 'test' into shellcheck4test

Orazio 2019-12-10 14:53:11 +01:00 committed by GitHub
commit 85907f6b80
2 changed files with 58 additions and 33 deletions


@ -14,6 +14,8 @@
setupVars=/etc/pivpn/setupVars.conf setupVars=/etc/pivpn/setupVars.conf
pivpnFilesDir="/etc/.pivpn" pivpnFilesDir="/etc/.pivpn"
debianOvpnUserGroup="openvpn:openvpn"
### PKG Vars ### ### PKG Vars ###
PKG_MANAGER="apt-get" PKG_MANAGER="apt-get"
PKG_CACHE="/var/lib/apt/lists/" PKG_CACHE="/var/lib/apt/lists/"
@ -33,6 +35,8 @@ pivpnGitUrl="https://github.com/pivpn/pivpn.git"
easyrsaVer="3.0.6" easyrsaVer="3.0.6"
easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz" easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz"
subnetClass="24"
# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config # Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config
UNATTUPG_RELEASE="1.14" UNATTUPG_RELEASE="1.14"
UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz" UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz"
@ -706,6 +710,7 @@ askWhichVPN(){
pivpnDEV="tun0" pivpnDEV="tun0"
pivpnNET="10.8.0.0" pivpnNET="10.8.0.0"
fi fi
vpnGw="${pivpnNET/.0/.1}"
echo "VPN=${VPN}" >> /tmp/setupVars.conf echo "VPN=${VPN}" >> /tmp/setupVars.conf
} }
@ -991,8 +996,10 @@ askClientDNS(){
fi fi
DNSChoseCmd=(whiptail --separate-output --radiolist "Select the DNS Provider DNSChoseCmd=(whiptail --separate-output --radiolist "Select the DNS Provider
for your VPN Clients (press space to select). To use your own, select Custom." for your VPN Clients (press space to select). To use your own, select
"${r}" "${c}" 6) Custom.\\n\\nIn case you have a local resolver running, i.e. unbound, select
\"PiVPN-is-local-DNS\" and make sure your resolver is listening on
\"$vpnGw\", allowing requests from \"${pivpnNET}/${subnetClass}\"." ${r} ${c} 6)
DNSChooseOptions=(Google "" on DNSChooseOptions=(Google "" on
OpenDNS "" off OpenDNS "" off
Level3 "" off Level3 "" off
@ -1000,6 +1007,7 @@ askClientDNS(){
Norton "" off Norton "" off
FamilyShield "" off FamilyShield "" off
CloudFlare "" off CloudFlare "" off
PiVPN-is-local-DNS "" off
Custom "" off) Custom "" off)
if DNSchoices=$("${DNSChoseCmd[@]}" "${DNSChooseOptions[@]}" 2>&1 >/dev/tty) if DNSchoices=$("${DNSChoseCmd[@]}" "${DNSChooseOptions[@]}" 2>&1 >/dev/tty)
@ -1014,7 +1022,8 @@ askClientDNS(){
["DNS.WATCH"]="84.200.69.80 84.200.70.40" ["DNS.WATCH"]="84.200.69.80 84.200.70.40"
["Norton"]="199.85.126.10 199.85.127.10" ["Norton"]="199.85.126.10 199.85.127.10"
["FamilyShield"]="208.67.222.123 208.67.220.123" ["FamilyShield"]="208.67.222.123 208.67.220.123"
["CloudFlare"]="1.1.1.1 1.0.0.1") ["CloudFlare"]="1.1.1.1 1.0.0.1"
["PiVPN-is-local-DNS"]="$vpnGw")
pivpnDNS1=$(awk '{print $1}' <<< "${DNS_MAP["${DNSchoices}"]}") pivpnDNS1=$(awk '{print $1}' <<< "${DNS_MAP["${DNSchoices}"]}")
pivpnDNS2=$(awk '{print $2}' <<< "${DNS_MAP["${DNSchoices}"]}") pivpnDNS2=$(awk '{print $2}' <<< "${DNS_MAP["${DNSchoices}"]}")
@ -1307,7 +1316,10 @@ set_var EASYRSA_KEY_SIZE ${pivpnENCRYPT}" | $SUDO tee vars >/dev/null
# Generate an empty Certificate Revocation List # Generate an empty Certificate Revocation List
${SUDOE} ./easyrsa gen-crl ${SUDOE} ./easyrsa gen-crl
${SUDOE} cp pki/crl.pem /etc/openvpn/crl.pem ${SUDOE} cp pki/crl.pem /etc/openvpn/crl.pem
${SUDOE} chown nobody:nogroup /etc/openvpn/crl.pem if ! getent passwd openvpn; then
${SUDOE} adduser --system --home /var/lib/openvpn/ --no-create-home --group --disabled-login ${debianOvpnUserGroup%:*}
fi
${SUDOE} chown "$debianOvpnUserGroup" /etc/openvpn/crl.pem
# Write config file for server using the template.txt file # Write config file for server using the template.txt file
$SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf $SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
@ -1399,7 +1411,7 @@ confWireGuard(){
echo "[Interface] echo "[Interface]
PrivateKey = $($SUDO cat /etc/wireguard/keys/server_priv) PrivateKey = $($SUDO cat /etc/wireguard/keys/server_priv)
Address = 10.6.0.1/24 Address = ${vpnGw}/${subnetClass}
ListenPort = ${pivpnPORT}" | $SUDO tee /etc/wireguard/wg0.conf &> /dev/null ListenPort = ${pivpnPORT}" | $SUDO tee /etc/wireguard/wg0.conf &> /dev/null
echo "::: Server config generated." echo "::: Server config generated."
} }
@ -1418,10 +1430,10 @@ confNetwork(){
USING_UFW=1 USING_UFW=1
echo "::: Detected UFW is enabled." echo "::: Detected UFW is enabled."
echo "::: Adding UFW rules..." echo "::: Adding UFW rules..."
$SUDO sed "/delete these required/i *nat\\n:POSTROUTING ACCEPT [0:0]\\n-I POSTROUTING -s ${pivpnNET}\\/24 -o ${IPv4dev} -j MASQUERADE\\nCOMMIT\\n" -i /etc/ufw/before.rules $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}\/${subnetClass} -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
# Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic) # Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic)
$SUDO ufw insert 1 allow "${pivpnPORT}"/"${pivpnPROTO}" >/dev/null $SUDO ufw insert 1 allow "${pivpnPORT}"/"${pivpnPROTO}" >/dev/null
$SUDO ufw route insert 1 allow in on "${pivpnDEV}" from "${pivpnNET}/24" out on "${IPv4dev}" to any >/dev/null $SUDO ufw route insert 1 allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any >/dev/null
$SUDO ufw reload >/dev/null $SUDO ufw reload >/dev/null
echo "::: UFW configuration completed." echo "::: UFW configuration completed."
@ -1434,7 +1446,7 @@ confNetwork(){
# Now some checks to detect which rules we need to add. On a newly installed system all policies # Now some checks to detect which rules we need to add. On a newly installed system all policies
# should be ACCEPT, so the only required rule would be the MASQUERADE one. # should be ACCEPT, so the only required rule would be the MASQUERADE one.
$SUDO iptables -t nat -I POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE $SUDO iptables -t nat -I POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE
# Count how many rules are in the INPUT and FORWARD chain. When parsing input from # Count how many rules are in the INPUT and FORWARD chain. When parsing input from
# iptables -S, '^-P' skips the policies and 'ufw-' skips ufw chains (in case ufw was found # iptables -S, '^-P' skips the policies and 'ufw-' skips ufw chains (in case ufw was found
@ -1460,8 +1472,8 @@ confNetwork(){
fi fi
if [ "$FORWARD_RULES_COUNT" -ne 0 ] || [ "$FORWARD_POLICY" != "ACCEPT" ]; then if [ "$FORWARD_RULES_COUNT" -ne 0 ] || [ "$FORWARD_POLICY" != "ACCEPT" ]; then
$SUDO iptables -I FORWARD 1 -d "${pivpnNET}/24" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT $SUDO iptables -I FORWARD 1 -d "${pivpnNET}/${subnetClass}" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$SUDO iptables -I FORWARD 2 -s "${pivpnNET}/24" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT $SUDO iptables -I FORWARD 2 -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT
FORWARD_CHAIN_EDITED=1 FORWARD_CHAIN_EDITED=1
else else
FORWARD_CHAIN_EDITED=0 FORWARD_CHAIN_EDITED=0
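Review bot: `vpnGw="${pivpnNET/.0/.1}"` in the askWhichVPN hunk rewrites the first `.0` in the address rather than the last, so with the `pivpnNET="10.8.0.0"` assigned just above it the gateway becomes `10.8.1.0`, which lies outside the `${pivpnNET}/${subnetClass}` range that the MASQUERADE, FORWARD and ufw rules are written for; anchoring the pattern to the end fixes it, `vpnGw="${pivpnNET/%.0/.1}"`. The same value is later written as the WireGuard `Address` and advertised to clients as the PiVPN-is-local-DNS resolver, so the tunnel interface, the DNS hint and the firewall would disagree about the subnet. askWhichVPN starts before this hunk, so any other assignment to pivpnNET in that function is not visible here.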


@ -1,6 +1,9 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# PiVPN: Uninstall Script # PiVPN: Uninstall Script
### FIXME: global: config storage, refactor all scripts to adhere to the storage
### FIXME: use variables where appropriate, reduce magic numbers by 99.9%, at least.
PKG_MANAGER="apt-get" PKG_MANAGER="apt-get"
setupVars="/etc/pivpn/setupVars.conf" setupVars="/etc/pivpn/setupVars.conf"
@ -9,12 +12,13 @@ if [ ! -f "${setupVars}" ]; then
exit 1 exit 1
fi fi
# shellcheck disable=SC1090
source "${setupVars}" source "${setupVars}"
# Find the rows and columns. Will default to 80x24 if it can not be detected. # Find the rows and columns. Will default to 80x24 if it can not be detected.
screen_size=$(stty size 2>/dev/null || echo 24 80) screen_size=$(stty size 2>/dev/null || echo 24 80)
rows=$(echo $screen_size | awk '{print $1}') rows=$(echo "$screen_size" | awk '{print $1}')
columns=$(echo $screen_size | awk '{print $2}') columns=$(echo "$screen_size" | awk '{print $2}')
# Divide by two so the dialogs take up half of the screen, which looks nice. # Divide by two so the dialogs take up half of the screen, which looks nice.
r=$(( rows / 2 )) r=$(( rows / 2 ))
@ -23,18 +27,19 @@ c=$(( columns / 2 ))
r=$(( r < 20 ? 20 : r )) r=$(( r < 20 ? 20 : r ))
c=$(( c < 70 ? 70 : c )) c=$(( c < 70 ? 70 : c ))
### FIXME: introduce global lib
spinner(){ spinner(){
local pid=$1 local pid=$1
local delay=0.50 local delay=0.50
local spinstr='/-\|' local spinstr='/-\|'
while [ "$(ps a | awk '{print $1}' | grep "$pid")" ]; do while ps a | awk '{print $1}' | grep "$pid"; do
local temp=${spinstr#?} local temp=${spinstr#?}
printf " [%c] " "$spinstr" printf " [%c] " "$spinstr"
local spinstr=$temp${spinstr%"$temp"} local spinstr=$temp${spinstr%"$temp"}
sleep $delay sleep $delay
printf "\b\b\b\b\b\b" printf "\\b\\b\\b\\b\\b\\b"
done done
printf " \b\b\b\b" printf " \\b\\b\\b\\b"
} }
removeAll(){ removeAll(){
@ -52,6 +57,7 @@ removeAll(){
# Removing firewall rules. # Removing firewall rules.
echo "::: Removing firewall rules..." echo "::: Removing firewall rules..."
### FIXME: introduce global config space!
if [ "$VPN" = "wireguard" ]; then if [ "$VPN" = "wireguard" ]; then
pivpnPROTO="udp" pivpnPROTO="udp"
pivpnDEV="wg0" pivpnDEV="wg0"
@ -63,9 +69,11 @@ removeAll(){
if [ "$USING_UFW" -eq 1 ]; then if [ "$USING_UFW" -eq 1 ]; then
### FIXME: SC2154
ufw delete allow "${pivpnPORT}"/"${pivpnPROTO}" > /dev/null ufw delete allow "${pivpnPORT}"/"${pivpnPROTO}" > /dev/null
### FIXME: SC2154
ufw route delete allow in on "${pivpnDEV}" from "${pivpnNET}/24" out on "${IPv4dev}" to any > /dev/null ufw route delete allow in on "${pivpnDEV}" from "${pivpnNET}/24" out on "${IPv4dev}" to any > /dev/null
sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s ${pivpnNET}\/24 -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules sed -z "s/*nat\\n:POSTROUTING ACCEPT \\[0:0\\]\\n-I POSTROUTING -s ${pivpnNET}\\/24 -o ${IPv4dev} -j MASQUERADE\\nCOMMIT\\n\\n//" -i /etc/ufw/before.rules
iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE
ufw reload &> /dev/null ufw reload &> /dev/null
@ -100,6 +108,7 @@ removeAll(){
# On Debian and armv7l Raspbian, remove the unstable repo (on armv6l Raspbian # On Debian and armv7l Raspbian, remove the unstable repo (on armv6l Raspbian
# there is no wireguard package). On Ubuntu, remove the PPA. # there is no wireguard package). On Ubuntu, remove the PPA.
### FIXME: unconditionally rm'ing unstable.list isn't a good idea, it appears. What if someone else put it there manually?
if [ "$PLAT" = "Debian" ] || { [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv7l" ]; }; then if [ "$PLAT" = "Debian" ] || { [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv7l" ]; }; then
rm /etc/apt/sources.list.d/unstable.list rm /etc/apt/sources.list.d/unstable.list
rm /etc/apt/preferences.d/limit-unstable rm /etc/apt/preferences.d/limit-unstable
@ -126,27 +135,30 @@ removeAll(){
elif [ "${i}" = "unattended-upgrades" ]; then elif [ "${i}" = "unattended-upgrades" ]; then
### REALLY???
rm -rf /var/log/unattended-upgrades rm -rf /var/log/unattended-upgrades
rm -rf /etc/apt/apt.conf.d/*periodic rm -rf /etc/apt/apt.conf.d/*periodic
rm -rf /etc/apt/apt.conf.d/*unattended-upgrades rm -rf /etc/apt/apt.conf.d/*unattended-upgrades
elif [ "${i}" = "openvpn" ]; then
deluser openvpn
fi fi
printf ":::\tRemoving %s..." "$i"; $PKG_MANAGER -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n"; printf ":::\\tRemoving %s..." "$i"; $PKG_MANAGER -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\\n";
break break
;; ;;
[Nn]* ) printf ":::\tSkipping %s\n" "$i"; [Nn]* ) printf ":::\\tSkipping %s\\n" "$i";
break break
;; ;;
* ) printf "::: You must answer yes or no!\n";; * ) printf "::: You must answer yes or no!\\n";;
esac esac
done done
done done
# Take care of any additional package cleaning # Take care of any additional package cleaning
printf "::: Auto removing remaining dependencies..." printf "::: Auto removing remaining dependencies..."
$PKG_MANAGER -y autoremove &> /dev/null & spinner $!; printf "done!\n"; $PKG_MANAGER -y autoremove &> /dev/null & spinner $!; printf "done!\\n";
printf "::: Auto cleaning remaining dependencies..." printf "::: Auto cleaning remaining dependencies..."
$PKG_MANAGER -y autoclean &> /dev/null & spinner $!; printf "done!\n"; $PKG_MANAGER -y autoclean &> /dev/null & spinner $!; printf "done!\\n";
echo ":::" echo ":::"
# Removing pivpn files # Removing pivpn files
@ -160,7 +172,7 @@ removeAll(){
rm -rf /opt/pivpn rm -rf /opt/pivpn
rm -rf /etc/.pivpn rm -rf /etc/.pivpn
rm -rf /etc/pivpn rm -rf /etc/pivpn
rm -rf /var/log/*pivpn* rm -f /var/log/*pivpn*
rm -f /usr/local/bin/pivpn rm -f /usr/local/bin/pivpn
rm -f /etc/bash_completion.d/pivpn rm -f /etc/bash_completion.d/pivpn
@ -169,28 +181,29 @@ removeAll(){
if [ "$VPN" = "wireguard" ]; then if [ "$VPN" = "wireguard" ]; then
rm -f /etc/wireguard/wg0.conf rm -f /etc/wireguard/wg0.conf
rm -rf /etc/wireguard/configs rm -f /etc/wireguard/configs
rm -rf /etc/wireguard/keys rm -f /etc/wireguard/keys
rm -rf $install_home/configs ### FIXME SC2154
rm -f "$install_home/configs"
elif [ "$VPN" = "openvpn" ]; then elif [ "$VPN" = "openvpn" ]; then
rm -rf /var/log/*openvpn* rm -f /var/log/*openvpn*
rm -f /etc/openvpn/server.conf rm -f /etc/openvpn/server.conf
rm -f /etc/openvpn/crl.pem rm -f /etc/openvpn/crl.pem
rm -rf /etc/openvpn/easy-rsa rm -f /etc/openvpn/easy-rsa
rm -rf $install_home/ovpns rm -f "$install_home/ovpns"
fi fi
echo ":::" echo ":::"
printf "::: Finished removing PiVPN from your system.\n" printf "::: Finished removing PiVPN from your system.\\n"
printf "::: Reinstall by simpling running\n:::\n:::\tcurl -L https://install.pivpn.io | bash\n:::\n::: at any time!\n:::\n" printf "::: Reinstall by simpling running\\n:::\\n:::\\tcurl -L https://install.pivpn.io | bash\\n:::\\n::: at any time!\\n:::\\n"
} }
askreboot(){ askreboot(){
printf "It is \e[1mstrongly\e[0m recommended to reboot after un-installation.\n" printf "It is \\e[1mstrongly\\e[0m recommended to reboot after un-installation.\\n"
read -p "Would you like to reboot now? [y/n]: " -n 1 -r read -p "Would you like to reboot now? [y/n]: " -n 1 -r
echo echo
if [[ ${REPLY} =~ ^[Yy]$ ]]; then if [[ ${REPLY} =~ ^[Yy]$ ]]; then
printf "\nRebooting system...\n" printf "\\nRebooting system...\\n"
sleep 3 sleep 3
shutdown -r now shutdown -r now
fi fi
@ -204,6 +217,6 @@ while true; do
case $yn in case $yn in
[Yy]* ) removeAll; askreboot; break;; [Yy]* ) removeAll; askreboot; break;;
[Nn]* ) printf "::: Not removing anything, exiting...\n"; break;; [Nn]* ) printf "::: Not removing anything, exiting...\\n"; break;;
esac esac
done done
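Review bot: Changing `rm -rf` to `rm -f` on `/etc/wireguard/configs`, `/etc/wireguard/keys`, `/etc/openvpn/easy-rsa`, `$install_home/configs` and `$install_home/ovpns` in the last removeAll hunk turns those lines into no-ops, since `rm -f` refuses directories; the uninstall would then leave the WireGuard server private key (written to `/etc/wireguard/keys/server_priv` by the install script), the easy-rsa PKI with its CA key, and every generated client config on disk while reporting "Finished removing PiVPN". The recursive flag was the right one for directories; the real concern the shellcheck pass is pointing at (SC2154, `install_home` may be unset) is better addressed by guarding the expansion so an empty value cannot turn the path into `/configs`, e.g. `rm -rf -- "${install_home:?}/configs"`. removeAll begins before this hunk, and I cannot see where `install_home` is set.
```shell
if [ "$VPN" = "wireguard" ]; then
    rm -f /etc/wireguard/wg0.conf
    rm -rf -- /etc/wireguard/configs
    rm -rf -- /etc/wireguard/keys
    rm -rf -- "${install_home:?}/configs"
elif [ "$VPN" = "openvpn" ]; then
    # … unchanged: openvpn log, server.conf and crl.pem removal …
    rm -rf -- /etc/openvpn/easy-rsa
    rm -rf -- "${install_home:?}/ovpns"
fi
```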