mirror of
https://github.com/pivpn/pivpn.git
synced 2025-04-26 01:00:11 +00:00
Merge branch 'test' into ufw-care
This commit is contained in:
Orazio
GitHub
commit
95b5934814
4 changed files with 70 additions and 41 deletions
|
|
@ -14,6 +14,8 @@
|
|||
setupVars=/etc/pivpn/setupVars.conf
|
||||
pivpnFilesDir="/etc/.pivpn"
|
||||
|
||||
debianOvpnUserGroup="openvpn:openvpn"
|
||||
|
||||
### PKG Vars ###
|
||||
PKG_MANAGER="apt-get"
|
||||
PKG_CACHE="/var/lib/apt/lists/"
|
||||
|
|
@ -22,7 +24,7 @@ PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install"
|
|||
PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true"
|
||||
|
||||
# Dependencies that are required by the script, regardless of the VPN protocol chosen
|
||||
BASE_DEPS=(git tar wget grep iptables-persistent dnsutils whiptail net-tools)
|
||||
BASE_DEPS=(git tar wget grep iptables-persistent dnsutils whiptail net-tools bsdmainutils)
|
||||
|
||||
# Dependencies that where actually installed by the script. For example if the script requires
|
||||
# grep and dnsutils but dnsutils is already installed, we save grep here. This way when uninstalling
|
||||
|
|
@ -33,6 +35,8 @@ pivpnGitUrl="https://github.com/pivpn/pivpn.git"
|
|||
easyrsaVer="3.0.6"
|
||||
easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz"
|
||||
|
||||
subnetClass="24"
|
||||
|
||||
# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config
|
||||
UNATTUPG_RELEASE="1.14"
|
||||
UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz"
|
||||
|
|
@ -692,15 +696,16 @@ askWhichVPN(){
|
|||
pivpnDEV="tun0"
|
||||
pivpnNET="10.8.0.0"
|
||||
fi
|
||||
vpnGw="${pivpnNET/.0/.1}"
|
||||
|
||||
echo "VPN=${VPN}" >> /tmp/setupVars.conf
|
||||
}
|
||||
|
||||
installOpenVPN(){
|
||||
echo "::: Installing OpenVPN from Debian package... "
|
||||
# grepcidr is used to redact IPs in the debug log, expect is used to feed easy-rsa
|
||||
# with passwords, bsdmainutils provides column to format the terminal output
|
||||
PIVPN_DEPS=(openvpn grepcidr expect bsdmainutils)
|
||||
# grepcidr is used to redact IPs in the debug log whereas expect is used
|
||||
# to feed easy-rsa with passwords
|
||||
PIVPN_DEPS=(openvpn grepcidr expect)
|
||||
installDependentPackages PIVPN_DEPS[@]
|
||||
}
|
||||
|
||||
|
|
@ -975,7 +980,11 @@ askClientDNS(){
|
|||
fi
|
||||
fi
|
||||
|
||||
DNSChoseCmd=(whiptail --separate-output --radiolist "Select the DNS Provider for your VPN Clients (press space to select). To use your own, select Custom." ${r} ${c} 6)
|
||||
DNSChoseCmd=(whiptail --separate-output --radiolist "Select the DNS Provider
|
||||
for your VPN Clients (press space to select). To use your own, select
|
||||
Custom.\\n\\nIn case you have a local resolver running, i.e. unbound, select
|
||||
\"PiVPN-is-local-DNS\" and make sure your resolver is listening on
|
||||
\"$vpnGw\", allowing requests from \"${pivpnNET}/${subnetClass}\"." ${r} ${c} 6)
|
||||
DNSChooseOptions=(Google "" on
|
||||
OpenDNS "" off
|
||||
Level3 "" off
|
||||
|
|
@ -983,6 +992,7 @@ askClientDNS(){
|
|||
Norton "" off
|
||||
FamilyShield "" off
|
||||
CloudFlare "" off
|
||||
PiVPN-is-local-DNS "" off
|
||||
Custom "" off)
|
||||
|
||||
if DNSchoices=$("${DNSChoseCmd[@]}" "${DNSChooseOptions[@]}" 2>&1 >/dev/tty)
|
||||
|
|
@ -997,7 +1007,8 @@ askClientDNS(){
|
|||
["DNS.WATCH"]="84.200.69.80 84.200.70.40"
|
||||
["Norton"]="199.85.126.10 199.85.127.10"
|
||||
["FamilyShield"]="208.67.222.123 208.67.220.123"
|
||||
["CloudFlare"]="1.1.1.1 1.0.0.1")
|
||||
["CloudFlare"]="1.1.1.1 1.0.0.1"
|
||||
["PiVPN-is-local-DNS"]="$vpnGw")
|
||||
|
||||
pivpnDNS1=$(awk '{print $1}' <<< "${DNS_MAP["${DNSchoices}"]}")
|
||||
pivpnDNS2=$(awk '{print $2}' <<< "${DNS_MAP["${DNSchoices}"]}")
|
||||
|
|
@ -1290,7 +1301,10 @@ set_var EASYRSA_KEY_SIZE ${pivpnENCRYPT}" | $SUDO tee vars >/dev/null
|
|||
# Generate an empty Certificate Revocation List
|
||||
${SUDOE} ./easyrsa gen-crl
|
||||
${SUDOE} cp pki/crl.pem /etc/openvpn/crl.pem
|
||||
${SUDOE} chown nobody:nogroup /etc/openvpn/crl.pem
|
||||
if ! getent passwd openvpn; then
|
||||
${SUDOE} adduser --system --home /var/lib/openvpn/ --no-create-home --group --disabled-login ${debianOvpnUserGroup%:*}
|
||||
fi
|
||||
${SUDOE} chown "$debianOvpnUserGroup" /etc/openvpn/crl.pem
|
||||
|
||||
# Write config file for server using the template.txt file
|
||||
$SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
|
||||
|
|
@ -1382,7 +1396,7 @@ confWireGuard(){
|
|||
|
||||
echo "[Interface]
|
||||
PrivateKey = $($SUDO cat /etc/wireguard/keys/server_priv)
|
||||
Address = 10.6.0.1/24
|
||||
Address = ${vpnGw}/${subnetClass}
|
||||
ListenPort = ${pivpnPORT}" | $SUDO tee /etc/wireguard/wg0.conf &> /dev/null
|
||||
echo "::: Server config generated."
|
||||
}
|
||||
|
|
@ -1413,11 +1427,11 @@ confNetwork(){
|
|||
if grep -q "*nat" /etc/ufw/before.rules; then
|
||||
$SUDO sed "/^*nat/{n;s/\(:POSTROUTING ACCEPT .*\)/\1\n-I POSTROUTING -s ${pivpnNET}\/24 -o ${IPv4dev} -j MASQUERADE/}" -i /etc/ufw/before.rules
|
||||
else
|
||||
$SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}\/24 -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
|
||||
fi
|
||||
$SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}\/${subnetClass} -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
|
||||
fi
|
||||
# Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic)
|
||||
$SUDO ufw insert 1 allow "${pivpnPORT}"/"${pivpnPROTO}" >/dev/null
|
||||
$SUDO ufw route insert 1 allow in on "${pivpnDEV}" from "${pivpnNET}/24" out on "${IPv4dev}" to any >/dev/null
|
||||
$SUDO ufw route insert 1 allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any >/dev/null
|
||||
|
||||
$SUDO ufw reload >/dev/null
|
||||
echo "::: UFW configuration completed."
|
||||
|
|
@ -1430,7 +1444,7 @@ confNetwork(){
|
|||
# Now some checks to detect which rules we need to add. On a newly installed system all policies
|
||||
# should be ACCEPT, so the only required rule would be the MASQUERADE one.
|
||||
|
||||
$SUDO iptables -t nat -I POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE
|
||||
$SUDO iptables -t nat -I POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE
|
||||
|
||||
# Count how many rules are in the INPUT and FORWARD chain. When parsing input from
|
||||
# iptables -S, '^-P' skips the policies and 'ufw-' skips ufw chains (in case ufw was found
|
||||
|
|
@ -1456,8 +1470,8 @@ confNetwork(){
|
|||
fi
|
||||
|
||||
if [ "$FORWARD_RULES_COUNT" -ne 0 ] || [ "$FORWARD_POLICY" != "ACCEPT" ]; then
|
||||
$SUDO iptables -I FORWARD 1 -d "${pivpnNET}/24" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
$SUDO iptables -I FORWARD 2 -s "${pivpnNET}/24" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT
|
||||
$SUDO iptables -I FORWARD 1 -d "${pivpnNET}/${subnetClass}" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
$SUDO iptables -I FORWARD 2 -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT
|
||||
FORWARD_CHAIN_EDITED=1
|
||||
else
|
||||
FORWARD_CHAIN_EDITED=0
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue