From 9679a600c165a7f100b638ea29b813a8005ea918 Mon Sep 17 00:00:00 2001
From: Orazio
Date: Mon, 27 Jan 2020 14:44:03 +0100
Subject: [PATCH] Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories

- Added a basic sanity check to downloaded DH paramenters, which doubles as a check for missing .pem file.
- Fix 'pivpn -c' showing the month number instead of the day of the month when using WireGuard.
- Removing APT keys is risky, it would break APT update/upgrade if the user already was already using the unstable repo.
- Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for $i... already installed'.
- Check whether the OpenVPN repo and the Debian unstable repo are already used.
---
 auto_install/install.sh | 60 ++++++++++++++++++++++++++-------
 scripts/uninstall.sh | 12 ++-----
 scripts/wireguard/clientSTAT.sh | 2 +-
 3 files changed, 50 insertions(+), 24 deletions(-)

diff --git a/auto_install/install.sh b/auto_install/install.sh
index 91d6cf9..074685c 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -468,7 +468,7 @@ installDependentPackages(){
     for i in "${argArray1[@]}"; do
         echo -n "::: Checking for $i..."
         if dpkg-query -W -f='${Status}' "${i}" 2>/dev/null | grep -q "ok installed"; then
-            echo " installed!"
+            echo " already installed!"
         else
             echo " not installed!"
             # Add this package to the list of packages in the argument array that need to be installed
@@ -1069,19 +1069,29 @@ askWhichVPN(){
 installOpenVPN(){
     local PIVPN_DEPS
+    echo "::: Installing OpenVPN from Debian package... "
+
     if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
-        echo "::: Adding OpenVPN repository... "
         # gnupg is used to add the openvpn PGP key to the APT keyring
         PIVPN_DEPS=(gnupg)
         installDependentPackages PIVPN_DEPS[@]
+
+        # We will download the repository key regardless of whether the user
+        # has already enabled the openvpn repository or not, just to make sure
+        # we have the right key
+        echo "::: Adding repository key..."
         wget -qO- https://swupdate.openvpn.net/repos/repo-public.gpg | $SUDO apt-key add -
-        echo "deb https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null
+
+        if ! grep -qR "deb http.\?://build.openvpn.net/debian/openvpn/stable.\? $OSCN main" /etc/apt/sources.list*; then
+            echo "::: Adding OpenVPN repository... "
+            echo "deb https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null
+        fi
+
         echo "::: Updating package cache..."
         # shellcheck disable=SC2086
         $SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
     fi
-    echo "::: Installing OpenVPN from Debian package... "
     # grepcidr is used to redact IPs in the debug log whereas expect is used
     # to feed easy-rsa with passwords
     PIVPN_DEPS=(openvpn grepcidr expect)
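Review bot: The `wget -qO- ... | $SUDO apt-key add -` line makes the OpenVPN key trusted for every APT source on the machine, because `apt-key add` writes into the global keyring, and a failed download goes unnoticed since the pipeline's status is that of `apt-key add`, which accepts empty input, so the script carries on and adds the repository with no usable key. gnupg is already installed a few lines above, so the key can instead be dearmored into its own keyring file and bound to this one source with `[signed-by=...]`; that also makes the uninstall side safe, since only PiVPN's keyring file would ever need removing. The existing-repository grep is also not anchored to the start of the line, so a commented-out `#deb ...build.openvpn.net...` entry counts as "already used" and the sources file is never written; the pattern below adds the anchor and accepts the option field. `signed-by` needs apt 1.1 or later, which I believe every release PiVPN targets has, but worth confirming. installOpenVPN continues past the end of the hunk.
```sh
echo "::: Adding repository key..."
# Fetch into a temp file first so a failed download is caught instead of feeding gpg an empty stream
OPENVPN_KEY="$(mktemp)"
if ! wget -qO "$OPENVPN_KEY" https://swupdate.openvpn.net/repos/repo-public.gpg; then
    echo "::: Could not download the OpenVPN repository key, exiting..."
    rm -f "$OPENVPN_KEY"
    exit 1
fi
# Keep the key in its own keyring and bind it to this source only, rather than the global apt-key keyring
$SUDO gpg --dearmor --yes -o /usr/share/keyrings/pivpn-openvpn.gpg "$OPENVPN_KEY"
rm -f "$OPENVPN_KEY"

if ! grep -qR "^[[:space:]]*deb \(\[.*\] \)\?http.\?://build.openvpn.net/debian/openvpn/stable.\? $OSCN main" /etc/apt/sources.list*; then
    echo "::: Adding OpenVPN repository... "
    echo "deb [signed-by=/usr/share/keyrings/pivpn-openvpn.gpg] https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null
fi
# … unchanged: package cache update and OpenVPN package install …
```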
@@ -1101,20 +1111,28 @@ installWireGuard(){
     if [ "$(uname -m)" = "armv7l" ]; then
         echo "::: Installing WireGuard from Debian package... "
-        # dirmngr is used to download repository keys, whereas qrencode is used to generate qrcodes
-        # from config file, for use with mobile clients
-        PIVPN_DEPS=(dirmngr qrencode)
+        # dirmngr is used to download repository keys for the unstable repo
+        PIVPN_DEPS=(dirmngr)
         installDependentPackages PIVPN_DEPS[@]
+
+        echo "::: Adding repository keys..."
+        $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
+
+        # This regular expression should match combinations like http[s]://mirror.example.com/debian[/] unstable main
+        if ! grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then
+            echo "::: Adding Debian repository... "
+            echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
+        fi
+
         # Do not upgrade packages from the unstable repository except for wireguard
-        echo "::: Adding Debian repository... "
-        echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
         printf 'Package: *\nPin: release a=unstable\nPin-Priority: 1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release a=unstable\nPin-Priority: 500\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
-        $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
         echo "::: Updating package cache..."
         # shellcheck disable=SC2086
         $SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
-        PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms)
+
+        # qrencode is used to generate qrcodes from config file, for use with mobile clients
+        PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms qrencode)
         installDependentPackages PIVPN_DEPS[@]
     elif [ "$(uname -m)" = "armv6l" ]; then
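Review bot: The `$SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138` line fetches keys by 64-bit key ID, over plain HKP when no scheme is given, puts whatever comes back into the global trusted keyring, and its exit status is never checked, so a keyserver outage leaves the unstable repository configured without a key and the later `installDependentPackages` call fails with an unsigned-repository error instead of a clear message. Passing full 40-hex fingerprints makes gpg verify that the received key really has that fingerprint, which a long key ID alone does not guarantee; the uninstall.sh block deleted by this same commit already names two full fingerprints for what it calls the repository keys, so if those are the primary keys behind these two IDs (worth confirming) they are the values to use here: `$SUDO apt-key adv --keyserver hkps://keyserver.ubuntu.com --recv-keys E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE || { echo "::: Could not fetch Debian archive keys, exiting..."; exit 1; }`. If Raspbian ships the `debian-archive-keyring` package, adding it to `PIVPN_DEPS` would avoid the keyserver round-trip entirely. The armv7l branch, and installWireGuard itself, continue outside this hunk.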
@@ -1210,12 +1228,17 @@ installWireGuard(){
     elif [ "$PLAT" = "Debian" ]; then
         echo "::: Installing WireGuard from Debian package... "
-        echo "::: Adding Debian repository... "
-        echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
+        if ! grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then
+            echo "::: Adding Debian repository... "
+            echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
+        fi
+
         printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
+
         echo "::: Updating package cache..."
         # shellcheck disable=SC2086
         $SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
+
         PIVPN_DEPS=(linux-headers-amd64 qrencode wireguard wireguard-tools wireguard-dkms)
         installDependentPackages PIVPN_DEPS[@]
@@ -1223,9 +1246,11 @@ installWireGuard(){
         echo "::: Installing WireGuard from PPA... "
         $SUDO add-apt-repository ppa:wireguard/wireguard -y
+
         echo "::: Updating package cache..."
         # shellcheck disable=SC2086
         $SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
+
         PIVPN_DEPS=(qrencode wireguard wireguard-tools wireguard-dkms linux-headers-generic)
         installDependentPackages PIVPN_DEPS[@]
@@ -1759,6 +1784,15 @@ set_var EASYRSA_ALGO ${pivpnCERT}" | $SUDO tee vars >/dev/null
     if [ ${DOWNLOAD_DH_PARAM} -eq 1 ]; then
         # Downloading parameters
         ${SUDOE} curl -s "https://2ton.com.au/getprimes/random/dhparam/${pivpnENCRYPT}" -o "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem"
+        # Basic sanity check
+        if DH_MSG="$(${SUDOE} openssl dhparam -check -noout -in "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem" 2>&1 | tee /dev/tty)"; then
+            if [ "$DH_MSG" != "DH parameters appear to be ok." ]; then
+                echo "Invalid DH parameters, exiting..."
+                exit 1
+            fi
+        else
+            exit 1
+        fi
     else
         # Generate Diffie-Hellman key exchange
         ${SUDOE} ./easyrsa gen-dh
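Review bot: The new `grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*` check in the Debian branch is not anchored to the start of the line, so a commented-out leftover such as `#deb http://deb.debian.org/debian unstable main` matches, the repository is then never written, and the `installDependentPackages PIVPN_DEPS[@]` call at the bottom cannot find wireguard. Anchoring the pattern to optional leading whitespace fixes it: `if ! grep -qR '^[[:space:]]*deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then`. The identical pattern in the armv7l branch of the previous hunk needs the same anchor. The elif chain of installWireGuard continues outside this hunk.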
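Review bot: The sanity check on the downloaded DH file only verifies that the group is well-formed, not that it has the size that was requested, so a response from 2ton.com.au carrying a smaller group for `/dhparam/${pivpnENCRYPT}` passes; and because the value is taken from `| tee /dev/tty`, the `if` tests tee's exit status rather than openssl's, so on a session without a controlling terminal (cron, `ssh host script`) the else branch exits with no message at all while a real openssl failure is only caught by the string comparison. Dropping the tee, printing the message yourself, and matching the `(N bit)` line that `-text` prints closes both gaps; the exact wording of `DH parameters appear to be ok.` has varied between OpenSSL releases, so a grep is safer than string equality. Adding `-f --max-time` to the `curl -s` call would also stop an HTTP error page from being written into the .pem in the first place.
```sh
${SUDOE} curl -sf --max-time 60 "https://2ton.com.au/getprimes/random/dhparam/${pivpnENCRYPT}" -o "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem"
# Basic sanity check: the file must parse as a valid DH group of the requested size.
# No tee here, so the status tested below is openssl's own.
if ! DH_MSG="$(${SUDOE} openssl dhparam -check -text -noout -in "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem" 2>&1)"; then
    echo "::: Could not read the downloaded DH parameters, exiting..."
    echo "$DH_MSG"
    exit 1
fi
if ! grep -q "DH parameters appear to be ok" <<< "$DH_MSG" || ! grep -q "(${pivpnENCRYPT} bit)" <<< "$DH_MSG"; then
    echo "::: Invalid DH parameters, exiting..."
    echo "$DH_MSG"
    exit 1
fi
# … unchanged: else branch generating the group with easyrsa …
```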
diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh
index b570fd1..defba8f 100755
--- a/scripts/uninstall.sh
+++ b/scripts/uninstall.sh
@@ -114,13 +114,11 @@ removeAll(){
             if [ "$PLAT" = "Debian" ] || { [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv7l" ]; }; then
                 rm -f /etc/apt/sources.list.d/pivpn-unstable.list
                 rm -f /etc/apt/preferences.d/pivpn-limit-unstable
-                echo "::: Updating package cache..."
-                ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
             elif [ "$PLAT" = "Ubuntu" ]; then
                 add-apt-repository ppa:wireguard/wireguard -r -y
-                echo "::: Updating package cache..."
-                ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
             fi
+            echo "::: Updating package cache..."
+            ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
         elif [ "${i}" = "wireguard-dkms" ]; then
@@ -138,12 +136,6 @@ removeAll(){
                 rm -rf /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}"
             fi
-        elif [ "${i}" = "dirmngr" ]; then
-            # If dirmngr was installed, then we had previously installed wireguard on armv7l Raspbian
-            # so we remove the repository keys
-            apt-key remove E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE &> /dev/null
-
         elif [ "${i}" = "unattended-upgrades" ]; then
             ### REALLY???
diff --git a/scripts/wireguard/clientSTAT.sh b/scripts/wireguard/clientSTAT.sh
index a63d176..f75050f 100755
--- a/scripts/wireguard/clientSTAT.sh
+++ b/scripts/wireguard/clientSTAT.sh
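Review bot: After this commit nothing in uninstall.sh removes the keys that install.sh imports with `apt-key add` and `apt-key adv`, and the file no longer records that this is deliberate, so the next person to touch removeAll() is likely to put the removal back without knowing it breaks `apt update` for users who already had the unstable repository enabled. A comment above the `rm -f /etc/apt/sources.list.d/pivpn-unstable.list` line would preserve the reasoning from the commit message: `# The Debian archive keys fetched by install.sh are intentionally left in the APT keyring: removing them breaks apt update for users who had the unstable repository enabled before PiVPN. Note they stay trusted for every APT source, not just this one.` The same applies to the OpenVPN repository key; whether `pivpn-openvpn-repo.list` is removed elsewhere in removeAll() is not visible in this hunk. The moved cache update now also runs on platforms that matched neither branch, which is harmless but adds an unneeded `apt update`. removeAll() starts and ends outside the hunk.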
@@ -32,7 +32,7 @@ while IFS= read -r LINE; do
     CLIENT_NAME="$(grep "$PUBLIC_KEY" clients.txt | awk '{ print $1 }')"
     if [ "$LAST_SEEN" -ne 0 ]; then
-        printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "$(date -d @"$LAST_SEEN" '+%b %m %Y - %T')"
+        printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "$(date -d @"$LAST_SEEN" '+%b %d %Y - %T')"
     else
         printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "(not yet)"
     fi