From 9846d3787a504de97ddb11cf2e51ae38a148a459 Mon Sep 17 00:00:00 2001
From: Orazio
Date: Sun, 16 Feb 2020 09:09:09 +0100
Subject: [PATCH] Use variables to define VPN ranges instead of hard coding IPs
---
auto_install/install.sh | 24 ++++++++++++++++++++++++
scripts/openvpn/makeOVPN.sh | 17 +++++++++++++----
scripts/openvpn/removeOVPN.sh | 3 ++-
scripts/self_check.sh | 6 ------
scripts/uninstall.sh | 11 -----------
scripts/wireguard/makeCONF.sh | 8 +++++---
scripts/wireguard/removeCONF.sh | 3 ++-
7 files changed, 46 insertions(+), 26 deletions(-)
diff --git a/auto_install/install.sh b/auto_install/install.sh
index 82b3c6f..b109c60 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -1038,7 +1038,11 @@ askWhichVPN(){ fi if [ "$VPN" = "wireguard" ]; then + # Since WireGuard only uses UDP, askCustomProto() is never called so we + # set the protocol here (it's not actually required to save the value, but + # it might be useful for the user when port forwarding). pivpnPROTO="udp" + echo "pivpnPROTO=${pivpnPROTO}" >> /tmp/setupVars.conf pivpnDEV="wg0" pivpnNET="10.6.0.0" elif [ "$VPN" = "openvpn" ]; then
@@ -1048,6 +1052,9 @@ askWhichVPN(){ vpnGw="${pivpnNET/.0.0/.0.1}" echo "VPN=${VPN}" >> /tmp/setupVars.conf + echo "pivpnDEV=${pivpnDEV}" >> /tmp/setupVars.conf + echo "pivpnNET=${pivpnNET}" >> /tmp/setupVars.conf + echo "subnetClass=${subnetClass}" >> /tmp/setupVars.conf } installOpenVPN(){
@@ -1762,6 +1769,13 @@ askEncryption(){ echo "USE_PREDEFINED_DH_PARAM=${USE_PREDEFINED_DH_PARAM}" >> /tmp/setupVars.conf } +cidrToMask(){ + # Source: https://stackoverflow.com/a/20767392 + set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0 + [ $1 -gt 1 ] && shift $1 || shift + echo ${1-0}.${2-0}.${3-0}.${4-0} +} + confOpenVPN(){ # Grab the existing Hostname host_name=$(hostname -s)
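Review bot: The `pivpnDEV`, `pivpnNET` and `subnetClass` values are now persisted only by the new lines in this askWhichVPN() hunk, while the same patch deletes the fallback assignments that scripts/self_check.sh and scripts/uninstall.sh carried, so a `/etc/pivpn/setupVars.conf` written by an earlier release leaves those variables unset in every script that sources it (including the new `${pivpnNET::-2}` expansions in the client scripts) unless an upgrade path not shown here rewrites the file. A per-`$VPN` default in the consumers, as the removed code provided, or a one-time migration that appends the missing keys would close that gap. `subnetClass` is not assigned anywhere in this hunk; presumably it is a script-level constant, but it is worth confirming it is set before askWhichVPN() runs so that an empty `subnetClass=` line is not written. askWhichVPN()'s body starts before the hunk.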
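Review bot: cidrToMask() feeds `$1` straight into arithmetic expansion with no check that it is a prefix length, so an empty or non-numeric `subnetClass` produces a shell arithmetic error and a value above 32 silently yields `255.255.255.255`; a guard at the top such as `case "$1" in ''|*[!0-9]*) return 1 ;; esac` followed by `[ "$1" -le 32 ] || return 1` keeps a bad value out of server.conf and the ccd files. The function is also copied verbatim into scripts/openvpn/makeOVPN.sh in this patch; a single definition sourced by both, or at least a comment on each copy naming the other, would keep them from drifting apart. The header comment should state the contract rather than only the source URL, e.g. `# cidrToMask PREFIXLEN: print the dotted-quad netmask for /PREFIXLEN (0-32)`.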
@@ -1905,6 +1919,16 @@ set_var EASYRSA_ALGO ${pivpnCERT}" | $SUDO tee vars >/dev/null $SUDO sed -i "s#\\(dh /etc/openvpn/easy-rsa/pki/dh\\).*#\\1${pivpnENCRYPT}.pem#" /etc/openvpn/server.conf fi + # if they modified VPN network put value in server.conf + if [ "$pivpnNET" != "10.8.0.0" ]; then + $SUDO sed -i "s/10.8.0.0/${pivpnNET}/g" /etc/openvpn/server.conf + fi + + # if they modified VPN subnet class put value in server.conf + if [ "$(cidrToMask "$subnetClass")" != "255.255.255.0" ]; then + $SUDO sed -i "s/255.255.255.0/$(cidrToMask "$subnetClass")/g" /etc/openvpn/server.conf + fi + # if they modified port put value in server.conf if [ "$pivpnPORT" != 1194 ]; then $SUDO sed -i "s/1194/${pivpnPORT}/g" /etc/openvpn/server.conf
diff --git a/scripts/openvpn/makeOVPN.sh b/scripts/openvpn/makeOVPN.sh
index 2071744..c645c55 100755
--- a/scripts/openvpn/makeOVPN.sh
+++ b/scripts/openvpn/makeOVPN.sh
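Review bot: The two new `sed` patterns `10.8.0.0` and `255.255.255.0` are unescaped regular expressions, so each dot matches any character; escaping them (`s/10\.8\.0\.0/${pivpnNET}/g` and `s/255\.255\.255\.0/…/g`) restricts the substitution to the literal template values. cidrToMask is also evaluated twice in the second block; computing it once before the `if`, e.g. `pivpnMASK=$(cidrToMask "$subnetClass")`, and using `$pivpnMASK` in both the test and the replacement avoids the nested quoting. Both replacements are global over server.conf, which presumably is intended because the template uses the values in more than one directive, but a comment saying so would help the next reader. confOpenVPN() starts before this hunk and continues after it.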
@@ -405,20 +405,29 @@ else fi +cidrToMask(){ + # Source: https://stackoverflow.com/a/20767392 + set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0 + [ $1 -gt 1 ] && shift $1 || shift + echo ${1-0}.${2-0}.${3-0}.${4-0} +} + +NET_REDUCED="${pivpnNET::-2}" + # Find an unused number for the last octet of the client IP for i in {2..254}; do # find returns 0 if the folder is empty, so we create the 'ls -A [...]' # exception to stop at the first static IP (10.8.0.2). Otherwise it would # cycle to the end without finding and available octet. - if [ -z "$(ls -A /etc/openvpn/ccd)" ] || ! find /etc/openvpn/ccd -type f -exec grep -q "10.8.0.$i" {} +; then - COUNT="$i" - echo "ifconfig-push 10.8.0.$i 255.255.255.0" >> /etc/openvpn/ccd/"${NAME}" + if [ -z "$(ls -A /etc/openvpn/ccd)" ] || ! find /etc/openvpn/ccd -type f -exec grep -q "${NET_REDUCED}.${i}" {} +; then + COUNT="${i}" + echo "ifconfig-push ${NET_REDUCED}.${i} $(cidrToMask "$subnetClass")" >> /etc/openvpn/ccd/"${NAME}" break fi done if [ -f /etc/pivpn/hosts.openvpn ]; then - echo "10.8.0.${COUNT} ${NAME}.pivpn" >> /etc/pivpn/hosts.openvpn + echo "${NET_REDUCED}.${COUNT} ${NAME}.pivpn" >> /etc/pivpn/hosts.openvpn if killall -SIGHUP pihole-FTL; then echo "::: Updated hosts file for Pi-hole" else
diff --git a/scripts/openvpn/removeOVPN.sh b/scripts/openvpn/removeOVPN.sh
index 4b5124c..50666f0 100755
--- a/scripts/openvpn/removeOVPN.sh
+++ b/scripts/openvpn/removeOVPN.sh
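Review bot: `NET_REDUCED="${pivpnNET::-2}"` drops exactly two characters, which only yields the network prefix when the last octet is the single digit `0`; a network such as a /25 starting at `.128` becomes `10.8.0.1` and every generated client address is wrong, and the negative-length substring appears to raise a shell error on an empty `pivpnNET` (a setupVars.conf from an earlier release) instead of expanding to nothing. `NET_REDUCED="${pivpnNET%.*}"` strips the last octet whatever its width and expands to empty rather than failing; the same expression is introduced in scripts/openvpn/removeOVPN.sh, scripts/wireguard/makeCONF.sh and scripts/wireguard/removeCONF.sh. The free-octet search `grep -q "${NET_REDUCED}.${i}"` is a substring match, so for `i=2` an existing `10.8.0.20`, `.25` or `.200` in ccd makes `.2` look taken, and the same prefix overlap affects every other one- and two-digit octet; `grep -qwF -- "${NET_REDUCED}.${i}"` matches the address as a whole word and treats the dots literally. The comment above the loop still names the hard-coded `10.8.0.2`.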
@@ -121,7 +121,8 @@ for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt" # Grab the client IP address - STATIC_IP=$(grep -v "^#" /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}" | grep -w ifconfig-push | grep -oE '10.8.0\.[0-9]{1,3}') + NET_REDUCED="${pivpnNET::-2}" + STATIC_IP=$(grep -v "^#" /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}" | grep -w ifconfig-push | grep -oE "${NET_REDUCED}\.[0-9]{1,3}") rm -rf /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}" rm -rf "${install_home}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn"
diff --git a/scripts/self_check.sh b/scripts/self_check.sh
index b6a2194..1ef555d 100755
--- a/scripts/self_check.sh
+++ b/scripts/self_check.sh
@@ -1,6 +1,5 @@ #!/bin/bash -subnetClass="24" setupVars="/etc/pivpn/setupVars.conf" ERR=0
@@ -12,14 +11,9 @@ fi source "${setupVars}" if [ "$VPN" = "wireguard" ]; then - pivpnPROTO="udp" - pivpnDEV="wg0" - pivpnNET="10.6.0.0" VPN_SERVICE="wg-quick@wg0" VPN_PRETTY_NAME="WireGuard" elif [ "$VPN" = "openvpn" ]; then - pivpnDEV="tun0" - pivpnNET="10.8.0.0" VPN_SERVICE="openvpn" VPN_PRETTY_NAME="OpenVPN" fi
diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh
index 2a7409c..35df520 100755
--- a/scripts/uninstall.sh
+++ b/scripts/uninstall.sh
@@ -6,7 +6,6 @@ PKG_MANAGER="apt-get" UPDATE_PKG_CACHE="${PKG_MANAGER} update" -subnetClass="24" dnsmasqConfig="/etc/dnsmasq.d/02-pivpn.conf" setupVars="/etc/pivpn/setupVars.conf"
@@ -60,16 +59,6 @@ removeAll(){ # Removing firewall rules. echo "::: Removing firewall rules..." - ### FIXME: introduce global config space! - if [ "$VPN" = "wireguard" ]; then - pivpnPROTO="udp" - pivpnDEV="wg0" - pivpnNET="10.6.0.0" - elif [ "$VPN" = "openvpn" ]; then - pivpnDEV="tun0" - pivpnNET="10.8.0.0" - fi - if [ "$USING_UFW" -eq 1 ]; then ### FIXME: SC2154
diff --git a/scripts/wireguard/makeCONF.sh b/scripts/wireguard/makeCONF.sh
index f978fcb..d99310d 100755
--- a/scripts/wireguard/makeCONF.sh
+++ b/scripts/wireguard/makeCONF.sh
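Review bot: `NET_REDUCED="${pivpnNET::-2}"` is recomputed on every iteration of the revocation loop although it does not depend on the loop variable; assigning it once above the `for` keeps the loop body to the per-client work (scripts/wireguard/removeCONF.sh in this patch has the same per-iteration assignment inside its `if`). The `-E` pattern also escapes only the dot it appends while the dots inside `${NET_REDUCED}` stay unescaped, so the extraction is half literal and half regex; the prefix's own dots should be escaped as well, or the address pulled out with a fixed-string word match so `.` cannot stand for an arbitrary character. The `for` loop starts before this hunk and continues after it.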
@@ -86,9 +86,11 @@ for i in {2..254}; do fi done +NET_REDUCED="${pivpnNET::-2}" + echo -n "[Interface] PrivateKey = $(cat "keys/${CLIENT_NAME}_priv") -Address = 10.6.0.${COUNT}/24 +Address = ${NET_REDUCED}.${COUNT}/${subnetClass} DNS = ${pivpnDNS1}" > "configs/${CLIENT_NAME}.conf" if [ -n "${pivpnDNS2}" ]; then
@@ -109,12 +111,12 @@ echo "# begin ${CLIENT_NAME} [Peer] PublicKey = $(cat "keys/${CLIENT_NAME}_pub") PresharedKey = $(cat keys/psk) -AllowedIPs = 10.6.0.${COUNT}/32 +AllowedIPs = ${NET_REDUCED}.${COUNT}/32 # end ${CLIENT_NAME}" >> wg0.conf echo "::: Updated server config" if [ -f /etc/pivpn/hosts.wireguard ]; then - echo "10.6.0.${COUNT} ${CLIENT_NAME}.pivpn" >> /etc/pivpn/hosts.wireguard + echo "${NET_REDUCED}.${COUNT} ${CLIENT_NAME}.pivpn" >> /etc/pivpn/hosts.wireguard if killall -SIGHUP pihole-FTL; then echo "::: Updated hosts file for Pi-hole" else
diff --git a/scripts/wireguard/removeCONF.sh b/scripts/wireguard/removeCONF.sh
index 0085809..414b492 100755
--- a/scripts/wireguard/removeCONF.sh
+++ b/scripts/wireguard/removeCONF.sh
@@ -106,7 +106,8 @@ for CLIENT_NAME in "${CLIENTS_TO_REMOVE[@]}"; do # If using Pi-hole, remove the client from the hosts file if [ -f /etc/pivpn/hosts.wireguard ]; then - sed "\#10.6.0.${COUNT} ${CLIENT_NAME}.pivpn#d" -i /etc/pivpn/hosts.wireguard + NET_REDUCED="${pivpnNET::-2}" + sed "\#${NET_REDUCED}.${COUNT} ${CLIENT_NAME}.pivpn#d" -i /etc/pivpn/hosts.wireguard if killall -SIGHUP pihole-FTL; then echo "::: Updated hosts file for Pi-hole" else
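Review bot: The `for i in {2..254}` loop that chooses `COUNT` begins before this hunk and is not touched by the patch, yet the removed `Address = 10.6.0.${COUNT}/24` line shows this file relied on the literal prefix; if that search still looks for `10.6.0.${i}` in wg0.conf, then with a custom `pivpnNET` it never sees an existing client and hands the same octet to every new one, so it needs `${NET_REDUCED}` (defined above the loop rather than after it) the way scripts/openvpn/makeOVPN.sh is updated in this patch. Independently of that, `${pivpnNET%.*}` is a safer way to derive the prefix than `${pivpnNET::-2}`, since it removes the last octet regardless of its width and does not error when the variable is empty.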