Pi-hole/pivpn
Pi-hole/pivpn
1
0
Fork 0
mirror of https://github.com/pivpn/pivpn.git synced 2024-12-18 19:00:15 +00:00
Code Issues Projects Releases Packages Wiki Activity

Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories

Browse source 
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
    check for missing .pem file.
  - Fix 'pivpn -c' showing the month number instead of the day of the month when
    using WireGuard.
  - Removing APT keys is risky, it would break APT update/upgrade if the user
    already was already using the unstable repo.
  - Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
    $i... already installed'.
  - Check whether the OpenVPN repo and the Debian unstable repo are already used.
This commit is contained in:
Orazio 2020-01-27 14:44:03 +01:00
parent b6a47a02c3
commit 9679a600c1
3 changed files with 50 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

60
auto_install/install.sh
View file

@ -468,7 +468,7 @@ installDependentPackages(){
for i in "${argArray1[@]}"; do for i in "${argArray1[@]}"; do
echo -n "::: Checking for $i..." echo -n "::: Checking for $i..."
if dpkg-query -W -f='${Status}' "${i}" 2>/dev/null | grep -q "ok installed"; then if dpkg-query -W -f='${Status}' "${i}" 2>/dev/null | grep -q "ok installed"; then
echo " installed!" echo " already installed!"
else else
echo " not installed!" echo " not installed!"
# Add this package to the list of packages in the argument array that need to be installed # Add this package to the list of packages in the argument array that need to be installed
@ -1069,19 +1069,29 @@ askWhichVPN(){
installOpenVPN(){ installOpenVPN(){
local PIVPN_DEPS local PIVPN_DEPS
echo "::: Installing OpenVPN from Debian package... "
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
echo "::: Adding OpenVPN repository... "
# gnupg is used to add the openvpn PGP key to the APT keyring # gnupg is used to add the openvpn PGP key to the APT keyring
PIVPN_DEPS=(gnupg) PIVPN_DEPS=(gnupg)
installDependentPackages PIVPN_DEPS[@] installDependentPackages PIVPN_DEPS[@]
# We will download the repository key regardless of whether the user
# has already enabled the openvpn repository or not, just to make sure
# we have the right key
echo "::: Adding repository key..."
wget -qO- https://swupdate.openvpn.net/repos/repo-public.gpg | $SUDO apt-key add - wget -qO- https://swupdate.openvpn.net/repos/repo-public.gpg | $SUDO apt-key add -
echo "deb https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null
if ! grep -qR "deb http.\?://build.openvpn.net/debian/openvpn/stable.\? $OSCN main" /etc/apt/sources.list*; then
echo "::: Adding OpenVPN repository... "
echo "deb https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null
fi
echo "::: Updating package cache..." echo "::: Updating package cache..."
# shellcheck disable=SC2086 # shellcheck disable=SC2086
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $! $SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
fi fi
echo "::: Installing OpenVPN from Debian package... "
# grepcidr is used to redact IPs in the debug log whereas expect is used # grepcidr is used to redact IPs in the debug log whereas expect is used
# to feed easy-rsa with passwords # to feed easy-rsa with passwords
PIVPN_DEPS=(openvpn grepcidr expect) PIVPN_DEPS=(openvpn grepcidr expect)
@ -1101,20 +1111,28 @@ installWireGuard(){
if [ "$(uname -m)" = "armv7l" ]; then if [ "$(uname -m)" = "armv7l" ]; then
echo "::: Installing WireGuard from Debian package... " echo "::: Installing WireGuard from Debian package... "
# dirmngr is used to download repository keys, whereas qrencode is used to generate qrcodes # dirmngr is used to download repository keys for the unstable repo
# from config file, for use with mobile clients PIVPN_DEPS=(dirmngr)
PIVPN_DEPS=(dirmngr qrencode)
installDependentPackages PIVPN_DEPS[@] installDependentPackages PIVPN_DEPS[@]
echo "::: Adding repository keys..."
$SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
# This regular expression should match combinations like http[s]://mirror.example.com/debian[/] unstable main
if ! grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then
echo "::: Adding Debian repository... "
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
fi
# Do not upgrade packages from the unstable repository except for wireguard # Do not upgrade packages from the unstable repository except for wireguard
echo "::: Adding Debian repository... "
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release a=unstable\nPin-Priority: 500\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null printf 'Package: *\nPin: release a=unstable\nPin-Priority: 1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release a=unstable\nPin-Priority: 500\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
$SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
echo "::: Updating package cache..." echo "::: Updating package cache..."
# shellcheck disable=SC2086 # shellcheck disable=SC2086
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $! $SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms)
# qrencode is used to generate qrcodes from config file, for use with mobile clients
PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms qrencode)
installDependentPackages PIVPN_DEPS[@] installDependentPackages PIVPN_DEPS[@]
elif [ "$(uname -m)" = "armv6l" ]; then elif [ "$(uname -m)" = "armv6l" ]; then
@ -1210,12 +1228,17 @@ installWireGuard(){
elif [ "$PLAT" = "Debian" ]; then elif [ "$PLAT" = "Debian" ]; then
echo "::: Installing WireGuard from Debian package... " echo "::: Installing WireGuard from Debian package... "
echo "::: Adding Debian repository... " if ! grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null echo "::: Adding Debian repository... "
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
fi
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
echo "::: Updating package cache..." echo "::: Updating package cache..."
# shellcheck disable=SC2086 # shellcheck disable=SC2086
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $! $SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
PIVPN_DEPS=(linux-headers-amd64 qrencode wireguard wireguard-tools wireguard-dkms) PIVPN_DEPS=(linux-headers-amd64 qrencode wireguard wireguard-tools wireguard-dkms)
installDependentPackages PIVPN_DEPS[@] installDependentPackages PIVPN_DEPS[@]
@ -1223,9 +1246,11 @@ installWireGuard(){
echo "::: Installing WireGuard from PPA... " echo "::: Installing WireGuard from PPA... "
$SUDO add-apt-repository ppa:wireguard/wireguard -y $SUDO add-apt-repository ppa:wireguard/wireguard -y
echo "::: Updating package cache..." echo "::: Updating package cache..."
# shellcheck disable=SC2086 # shellcheck disable=SC2086
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $! $SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
PIVPN_DEPS=(qrencode wireguard wireguard-tools wireguard-dkms linux-headers-generic) PIVPN_DEPS=(qrencode wireguard wireguard-tools wireguard-dkms linux-headers-generic)
installDependentPackages PIVPN_DEPS[@] installDependentPackages PIVPN_DEPS[@]
@ -1759,6 +1784,15 @@ set_var EASYRSA_ALGO ${pivpnCERT}" | $SUDO tee vars >/dev/null
if [ ${DOWNLOAD_DH_PARAM} -eq 1 ]; then if [ ${DOWNLOAD_DH_PARAM} -eq 1 ]; then
# Downloading parameters # Downloading parameters
${SUDOE} curl -s "https://2ton.com.au/getprimes/random/dhparam/${pivpnENCRYPT}" -o "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem" ${SUDOE} curl -s "https://2ton.com.au/getprimes/random/dhparam/${pivpnENCRYPT}" -o "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem"
# Basic sanity check
if DH_MSG="$(${SUDOE} openssl dhparam -check -noout -in "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem" 2>&1 | tee /dev/tty)"; then
if [ "$DH_MSG" != "DH parameters appear to be ok." ]; then
echo "Invalid DH parameters, exiting..."
exit 1
fi
else
exit 1
fi
else else
# Generate Diffie-Hellman key exchange # Generate Diffie-Hellman key exchange
${SUDOE} ./easyrsa gen-dh ${SUDOE} ./easyrsa gen-dh

12
scripts/uninstall.sh
View file

@ -114,13 +114,11 @@ removeAll(){
if [ "$PLAT" = "Debian" ] || { [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv7l" ]; }; then if [ "$PLAT" = "Debian" ] || { [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv7l" ]; }; then
rm -f /etc/apt/sources.list.d/pivpn-unstable.list rm -f /etc/apt/sources.list.d/pivpn-unstable.list
rm -f /etc/apt/preferences.d/pivpn-limit-unstable rm -f /etc/apt/preferences.d/pivpn-limit-unstable
echo "::: Updating package cache..."
${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
elif [ "$PLAT" = "Ubuntu" ]; then elif [ "$PLAT" = "Ubuntu" ]; then
add-apt-repository ppa:wireguard/wireguard -r -y add-apt-repository ppa:wireguard/wireguard -r -y
echo "::: Updating package cache..."
${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
fi fi
echo "::: Updating package cache..."
${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
elif [ "${i}" = "wireguard-dkms" ]; then elif [ "${i}" = "wireguard-dkms" ]; then
@ -138,12 +136,6 @@ removeAll(){
rm -rf /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}" rm -rf /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}"
fi fi
elif [ "${i}" = "dirmngr" ]; then
# If dirmngr was installed, then we had previously installed wireguard on armv7l Raspbian
# so we remove the repository keys
apt-key remove E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE &> /dev/null
elif [ "${i}" = "unattended-upgrades" ]; then elif [ "${i}" = "unattended-upgrades" ]; then
### REALLY??? ### REALLY???

2
scripts/wireguard/clientSTAT.sh
View file

@ -32,7 +32,7 @@ while IFS= read -r LINE; do
CLIENT_NAME="$(grep "$PUBLIC_KEY" clients.txt | awk '{ print $1 }')" CLIENT_NAME="$(grep "$PUBLIC_KEY" clients.txt | awk '{ print $1 }')"
if [ "$LAST_SEEN" -ne 0 ]; then if [ "$LAST_SEEN" -ne 0 ]; then
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "$(date -d @"$LAST_SEEN" '+%b %m %Y - %T')" printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "$(date -d @"$LAST_SEEN" '+%b %d %Y - %T')"
else else
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "(not yet)" printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "(not yet)"
fi fi