Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH parameters, which doubles as a check for a missing .pem file. - Fix 'pivpn -c' showing the month number instead of the day of the month when using WireGuard. - Removing APT keys is risky: it would break APT update/upgrade if the user was already using the unstable repo. - Replaced 'Checking for $i... installed' in favor of a clearer 'Checking for $i... already installed'. - Check whether the OpenVPN repo and the Debian unstable repo are already in use.
This commit is contained in:
parent
b6a47a02c3
commit
9679a600c1
3 changed files with 50 additions and 24 deletions
|
@ -468,7 +468,7 @@ installDependentPackages(){
|
||||||
for i in "${argArray1[@]}"; do
|
for i in "${argArray1[@]}"; do
|
||||||
echo -n "::: Checking for $i..."
|
echo -n "::: Checking for $i..."
|
||||||
if dpkg-query -W -f='${Status}' "${i}" 2>/dev/null | grep -q "ok installed"; then
|
if dpkg-query -W -f='${Status}' "${i}" 2>/dev/null | grep -q "ok installed"; then
|
||||||
echo " installed!"
|
echo " already installed!"
|
||||||
else
|
else
|
||||||
echo " not installed!"
|
echo " not installed!"
|
||||||
# Add this package to the list of packages in the argument array that need to be installed
|
# Add this package to the list of packages in the argument array that need to be installed
|
||||||
|
@ -1069,19 +1069,29 @@ askWhichVPN(){
|
||||||
installOpenVPN(){
|
installOpenVPN(){
|
||||||
local PIVPN_DEPS
|
local PIVPN_DEPS
|
||||||
|
|
||||||
|
echo "::: Installing OpenVPN from Debian package... "
|
||||||
|
|
||||||
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
|
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
|
||||||
echo "::: Adding OpenVPN repository... "
|
|
||||||
# gnupg is used to add the openvpn PGP key to the APT keyring
|
# gnupg is used to add the openvpn PGP key to the APT keyring
|
||||||
PIVPN_DEPS=(gnupg)
|
PIVPN_DEPS=(gnupg)
|
||||||
installDependentPackages PIVPN_DEPS[@]
|
installDependentPackages PIVPN_DEPS[@]
|
||||||
|
|
||||||
|
# We will download the repository key regardless of whether the user
|
||||||
|
# has already enabled the openvpn repository or not, just to make sure
|
||||||
|
# we have the right key
|
||||||
|
echo "::: Adding repository key..."
|
||||||
wget -qO- https://swupdate.openvpn.net/repos/repo-public.gpg | $SUDO apt-key add -
|
wget -qO- https://swupdate.openvpn.net/repos/repo-public.gpg | $SUDO apt-key add -
|
||||||
|
|
||||||
|
if ! grep -qR "deb http.\?://build.openvpn.net/debian/openvpn/stable.\? $OSCN main" /etc/apt/sources.list*; then
|
||||||
|
echo "::: Adding OpenVPN repository... "
|
||||||
echo "deb https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null
|
echo "deb https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null
|
||||||
|
fi
|
||||||
|
|
||||||
echo "::: Updating package cache..."
|
echo "::: Updating package cache..."
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "::: Installing OpenVPN from Debian package... "
|
|
||||||
# grepcidr is used to redact IPs in the debug log whereas expect is used
|
# grepcidr is used to redact IPs in the debug log whereas expect is used
|
||||||
# to feed easy-rsa with passwords
|
# to feed easy-rsa with passwords
|
||||||
PIVPN_DEPS=(openvpn grepcidr expect)
|
PIVPN_DEPS=(openvpn grepcidr expect)
|
||||||
|
@ -1101,20 +1111,28 @@ installWireGuard(){
|
||||||
if [ "$(uname -m)" = "armv7l" ]; then
|
if [ "$(uname -m)" = "armv7l" ]; then
|
||||||
|
|
||||||
echo "::: Installing WireGuard from Debian package... "
|
echo "::: Installing WireGuard from Debian package... "
|
||||||
# dirmngr is used to download repository keys, whereas qrencode is used to generate qrcodes
|
# dirmngr is used to download repository keys for the unstable repo
|
||||||
# from config file, for use with mobile clients
|
PIVPN_DEPS=(dirmngr)
|
||||||
PIVPN_DEPS=(dirmngr qrencode)
|
|
||||||
installDependentPackages PIVPN_DEPS[@]
|
installDependentPackages PIVPN_DEPS[@]
|
||||||
# Do not upgrade packages from the unstable repository except for wireguard
|
|
||||||
|
echo "::: Adding repository keys..."
|
||||||
|
$SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
|
||||||
|
|
||||||
|
# This regular expression should match combinations like http[s]://mirror.example.com/debian[/] unstable main
|
||||||
|
if ! grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then
|
||||||
echo "::: Adding Debian repository... "
|
echo "::: Adding Debian repository... "
|
||||||
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
|
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Do not upgrade packages from the unstable repository except for wireguard
|
||||||
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release a=unstable\nPin-Priority: 500\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
|
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release a=unstable\nPin-Priority: 500\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
|
||||||
|
|
||||||
$SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
|
|
||||||
echo "::: Updating package cache..."
|
echo "::: Updating package cache..."
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||||
PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms)
|
|
||||||
|
# qrencode is used to generate qrcodes from config file, for use with mobile clients
|
||||||
|
PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms qrencode)
|
||||||
installDependentPackages PIVPN_DEPS[@]
|
installDependentPackages PIVPN_DEPS[@]
|
||||||
|
|
||||||
elif [ "$(uname -m)" = "armv6l" ]; then
|
elif [ "$(uname -m)" = "armv6l" ]; then
|
||||||
|
@ -1210,12 +1228,17 @@ installWireGuard(){
|
||||||
elif [ "$PLAT" = "Debian" ]; then
|
elif [ "$PLAT" = "Debian" ]; then
|
||||||
|
|
||||||
echo "::: Installing WireGuard from Debian package... "
|
echo "::: Installing WireGuard from Debian package... "
|
||||||
|
if ! grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then
|
||||||
echo "::: Adding Debian repository... "
|
echo "::: Adding Debian repository... "
|
||||||
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
|
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
|
||||||
|
fi
|
||||||
|
|
||||||
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
|
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
|
||||||
|
|
||||||
echo "::: Updating package cache..."
|
echo "::: Updating package cache..."
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||||
|
|
||||||
PIVPN_DEPS=(linux-headers-amd64 qrencode wireguard wireguard-tools wireguard-dkms)
|
PIVPN_DEPS=(linux-headers-amd64 qrencode wireguard wireguard-tools wireguard-dkms)
|
||||||
installDependentPackages PIVPN_DEPS[@]
|
installDependentPackages PIVPN_DEPS[@]
|
||||||
|
|
||||||
|
@ -1223,9 +1246,11 @@ installWireGuard(){
|
||||||
|
|
||||||
echo "::: Installing WireGuard from PPA... "
|
echo "::: Installing WireGuard from PPA... "
|
||||||
$SUDO add-apt-repository ppa:wireguard/wireguard -y
|
$SUDO add-apt-repository ppa:wireguard/wireguard -y
|
||||||
|
|
||||||
echo "::: Updating package cache..."
|
echo "::: Updating package cache..."
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||||
|
|
||||||
PIVPN_DEPS=(qrencode wireguard wireguard-tools wireguard-dkms linux-headers-generic)
|
PIVPN_DEPS=(qrencode wireguard wireguard-tools wireguard-dkms linux-headers-generic)
|
||||||
installDependentPackages PIVPN_DEPS[@]
|
installDependentPackages PIVPN_DEPS[@]
|
||||||
|
|
||||||
|
@ -1759,6 +1784,15 @@ set_var EASYRSA_ALGO ${pivpnCERT}" | $SUDO tee vars >/dev/null
|
||||||
if [ ${DOWNLOAD_DH_PARAM} -eq 1 ]; then
|
if [ ${DOWNLOAD_DH_PARAM} -eq 1 ]; then
|
||||||
# Downloading parameters
|
# Downloading parameters
|
||||||
${SUDOE} curl -s "https://2ton.com.au/getprimes/random/dhparam/${pivpnENCRYPT}" -o "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem"
|
${SUDOE} curl -s "https://2ton.com.au/getprimes/random/dhparam/${pivpnENCRYPT}" -o "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem"
|
||||||
|
# Basic sanity check
|
||||||
|
if DH_MSG="$(${SUDOE} openssl dhparam -check -noout -in "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem" 2>&1 | tee /dev/tty)"; then
|
||||||
|
if [ "$DH_MSG" != "DH parameters appear to be ok." ]; then
|
||||||
|
echo "Invalid DH parameters, exiting..."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
# Generate Diffie-Hellman key exchange
|
# Generate Diffie-Hellman key exchange
|
||||||
${SUDOE} ./easyrsa gen-dh
|
${SUDOE} ./easyrsa gen-dh
|
||||||
|
|
|
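Review bot: In the new DH sanity check (hunk `@ -1759`), `if DH_MSG="$(... | tee /dev/tty)"` tests the exit status of `tee`, not of `openssl dhparam`, unless `pipefail` is enabled earlier in the file, so a missing or corrupt .pem only reaches the `else` branch when `tee` itself fails — which happens whenever there is no controlling terminal — and then the script exits with no message at all. Capturing openssl's output without the `tee`, checking its status, and echoing the captured text afterwards keeps the on-screen output while making the failure path say what went wrong; the exact-string comparison against `DH parameters appear to be ok.` can stay as the second gate, though that wording may differ between OpenSSL versions and deserves a comment. A secondary point in the `@ -1069`, `@ -1101` and `@ -1210` hunks: the `grep -qR 'deb http...'` patterns are not anchored to the line start, so a commented-out `#deb ... unstable main` entry also counts as "already enabled" and the repository is silently not added; prefixing the patterns with `^[[:space:]]*` avoids that. The function enclosing the DH hunk begins outside the hunk.
```shell
# Basic sanity check: fail loudly if openssl cannot parse the downloaded file
DH_FILE="/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem"
if ! DH_MSG="$(${SUDOE} openssl dhparam -check -noout -in "$DH_FILE" 2>&1)"; then
  echo "::: Could not verify DH parameters in $DH_FILE: $DH_MSG"
  exit 1
fi
echo "$DH_MSG"
# NOTE: exact wording of the openssl message may vary between versions
if [ "$DH_MSG" != "DH parameters appear to be ok." ]; then
  echo "Invalid DH parameters, exiting..."
  exit 1
fi
# … unchanged: else branch generating DH parameters with easyrsa …
```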
@ -114,13 +114,11 @@ removeAll(){
|
||||||
if [ "$PLAT" = "Debian" ] || { [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv7l" ]; }; then
|
if [ "$PLAT" = "Debian" ] || { [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv7l" ]; }; then
|
||||||
rm -f /etc/apt/sources.list.d/pivpn-unstable.list
|
rm -f /etc/apt/sources.list.d/pivpn-unstable.list
|
||||||
rm -f /etc/apt/preferences.d/pivpn-limit-unstable
|
rm -f /etc/apt/preferences.d/pivpn-limit-unstable
|
||||||
echo "::: Updating package cache..."
|
|
||||||
${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
|
||||||
elif [ "$PLAT" = "Ubuntu" ]; then
|
elif [ "$PLAT" = "Ubuntu" ]; then
|
||||||
add-apt-repository ppa:wireguard/wireguard -r -y
|
add-apt-repository ppa:wireguard/wireguard -r -y
|
||||||
|
fi
|
||||||
echo "::: Updating package cache..."
|
echo "::: Updating package cache..."
|
||||||
${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||||
fi
|
|
||||||
|
|
||||||
elif [ "${i}" = "wireguard-dkms" ]; then
|
elif [ "${i}" = "wireguard-dkms" ]; then
|
||||||
|
|
||||||
|
@ -138,12 +136,6 @@ removeAll(){
|
||||||
rm -rf /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}"
|
rm -rf /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
elif [ "${i}" = "dirmngr" ]; then
|
|
||||||
|
|
||||||
# If dirmngr was installed, then we had previously installed wireguard on armv7l Raspbian
|
|
||||||
# so we remove the repository keys
|
|
||||||
apt-key remove E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE &> /dev/null
|
|
||||||
|
|
||||||
elif [ "${i}" = "unattended-upgrades" ]; then
|
elif [ "${i}" = "unattended-upgrades" ]; then
|
||||||
|
|
||||||
### REALLY???
|
### REALLY???
|
||||||
|
|
|
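Review bot: The `dirmngr` arm that removed the Debian archive keys is dropped (hunk `@ -138`), but nothing in the code records that those keys are now intentionally left in the APT keyring, so a later maintainer is likely to reintroduce the removal. A comment next to the repository cleanup in hunk `@ -114`, such as `# Archive keys fetched with apt-key at install time are deliberately kept: removing them would break apt for users who already used the unstable repo`, would carry the commit's rationale into the file. Separately, with the cache refresh moved after the inner `fi`, it now appears to run even when neither the Debian/armv7l nor the Ubuntu branch changed any source list, which is harmless but slower; this is inferred from the visible lines, since the outer `if` that encloses these branches begins outside the hunk.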
@ -32,7 +32,7 @@ while IFS= read -r LINE; do
|
||||||
CLIENT_NAME="$(grep "$PUBLIC_KEY" clients.txt | awk '{ print $1 }')"
|
CLIENT_NAME="$(grep "$PUBLIC_KEY" clients.txt | awk '{ print $1 }')"
|
||||||
|
|
||||||
if [ "$LAST_SEEN" -ne 0 ]; then
|
if [ "$LAST_SEEN" -ne 0 ]; then
|
||||||
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "$(date -d @"$LAST_SEEN" '+%b %m %Y - %T')"
|
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "$(date -d @"$LAST_SEEN" '+%b %d %Y - %T')"
|
||||||
else
|
else
|
||||||
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "(not yet)"
|
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "(not yet)"
|
||||||
fi
|
fi
|
||||||
|
|