mirror of
https://github.com/pivpn/pivpn.git
synced 2024-12-23 05:10:21 +00:00
Use variables to define VPN ranges instead of hard coding IPs
This commit is contained in:
parent
edbd23a2a1
commit
9846d3787a
7 changed files with 46 additions and 26 deletions
auto_install
scripts
|
@ -1038,7 +1038,11 @@ askWhichVPN(){
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$VPN" = "wireguard" ]; then
|
if [ "$VPN" = "wireguard" ]; then
|
||||||
|
# Since WireGuard only uses UDP, askCustomProto() is never called so we
|
||||||
|
# set the protocol here (it's not actually required to save the value, but
|
||||||
|
# it might be useful for the user when port forwarding).
|
||||||
pivpnPROTO="udp"
|
pivpnPROTO="udp"
|
||||||
|
echo "pivpnPROTO=${pivpnPROTO}" >> /tmp/setupVars.conf
|
||||||
pivpnDEV="wg0"
|
pivpnDEV="wg0"
|
||||||
pivpnNET="10.6.0.0"
|
pivpnNET="10.6.0.0"
|
||||||
elif [ "$VPN" = "openvpn" ]; then
|
elif [ "$VPN" = "openvpn" ]; then
|
||||||
|
@ -1048,6 +1052,9 @@ askWhichVPN(){
|
||||||
vpnGw="${pivpnNET/.0.0/.0.1}"
|
vpnGw="${pivpnNET/.0.0/.0.1}"
|
||||||
|
|
||||||
echo "VPN=${VPN}" >> /tmp/setupVars.conf
|
echo "VPN=${VPN}" >> /tmp/setupVars.conf
|
||||||
|
echo "pivpnDEV=${pivpnDEV}" >> /tmp/setupVars.conf
|
||||||
|
echo "pivpnNET=${pivpnNET}" >> /tmp/setupVars.conf
|
||||||
|
echo "subnetClass=${subnetClass}" >> /tmp/setupVars.conf
|
||||||
}
|
}
|
||||||
|
|
||||||
installOpenVPN(){
|
installOpenVPN(){
|
||||||
|
@ -1762,6 +1769,13 @@ askEncryption(){
|
||||||
echo "USE_PREDEFINED_DH_PARAM=${USE_PREDEFINED_DH_PARAM}" >> /tmp/setupVars.conf
|
echo "USE_PREDEFINED_DH_PARAM=${USE_PREDEFINED_DH_PARAM}" >> /tmp/setupVars.conf
|
||||||
}
|
}
|
||||||
|
|
||||||
|
cidrToMask(){
|
||||||
|
# Source: https://stackoverflow.com/a/20767392
|
||||||
|
set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0
|
||||||
|
[ $1 -gt 1 ] && shift $1 || shift
|
||||||
|
echo ${1-0}.${2-0}.${3-0}.${4-0}
|
||||||
|
}
|
||||||
|
|
||||||
confOpenVPN(){
|
confOpenVPN(){
|
||||||
# Grab the existing Hostname
|
# Grab the existing Hostname
|
||||||
host_name=$(hostname -s)
|
host_name=$(hostname -s)
|
||||||
|
@ -1905,6 +1919,16 @@ set_var EASYRSA_ALGO ${pivpnCERT}" | $SUDO tee vars >/dev/null
|
||||||
$SUDO sed -i "s#\\(dh /etc/openvpn/easy-rsa/pki/dh\\).*#\\1${pivpnENCRYPT}.pem#" /etc/openvpn/server.conf
|
$SUDO sed -i "s#\\(dh /etc/openvpn/easy-rsa/pki/dh\\).*#\\1${pivpnENCRYPT}.pem#" /etc/openvpn/server.conf
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# if they modified VPN network put value in server.conf
|
||||||
|
if [ "$pivpnNET" != "10.8.0.0" ]; then
|
||||||
|
$SUDO sed -i "s/10.8.0.0/${pivpnNET}/g" /etc/openvpn/server.conf
|
||||||
|
fi
|
||||||
|
|
||||||
|
# if they modified VPN subnet class put value in server.conf
|
||||||
|
if [ "$(cidrToMask "$subnetClass")" != "255.255.255.0" ]; then
|
||||||
|
$SUDO sed -i "s/255.255.255.0/$(cidrToMask "$subnetClass")/g" /etc/openvpn/server.conf
|
||||||
|
fi
|
||||||
|
|
||||||
# if they modified port put value in server.conf
|
# if they modified port put value in server.conf
|
||||||
if [ "$pivpnPORT" != 1194 ]; then
|
if [ "$pivpnPORT" != 1194 ]; then
|
||||||
$SUDO sed -i "s/1194/${pivpnPORT}/g" /etc/openvpn/server.conf
|
$SUDO sed -i "s/1194/${pivpnPORT}/g" /etc/openvpn/server.conf
|
||||||
|
|
|
@ -405,20 +405,29 @@ else
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
cidrToMask(){
|
||||||
|
# Source: https://stackoverflow.com/a/20767392
|
||||||
|
set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0
|
||||||
|
[ $1 -gt 1 ] && shift $1 || shift
|
||||||
|
echo ${1-0}.${2-0}.${3-0}.${4-0}
|
||||||
|
}
|
||||||
|
|
||||||
|
NET_REDUCED="${pivpnNET::-2}"
|
||||||
|
|
||||||
# Find an unused number for the last octet of the client IP
|
# Find an unused number for the last octet of the client IP
|
||||||
for i in {2..254}; do
|
for i in {2..254}; do
|
||||||
# find returns 0 if the folder is empty, so we create the 'ls -A [...]'
|
# find returns 0 if the folder is empty, so we create the 'ls -A [...]'
|
||||||
# exception to stop at the first static IP (10.8.0.2). Otherwise it would
|
# exception to stop at the first static IP (10.8.0.2). Otherwise it would
|
||||||
# cycle to the end without finding and available octet.
|
# cycle to the end without finding and available octet.
|
||||||
if [ -z "$(ls -A /etc/openvpn/ccd)" ] || ! find /etc/openvpn/ccd -type f -exec grep -q "10.8.0.$i" {} +; then
|
if [ -z "$(ls -A /etc/openvpn/ccd)" ] || ! find /etc/openvpn/ccd -type f -exec grep -q "${NET_REDUCED}.${i}" {} +; then
|
||||||
COUNT="$i"
|
COUNT="${i}"
|
||||||
echo "ifconfig-push 10.8.0.$i 255.255.255.0" >> /etc/openvpn/ccd/"${NAME}"
|
echo "ifconfig-push ${NET_REDUCED}.${i} $(cidrToMask "$subnetClass")" >> /etc/openvpn/ccd/"${NAME}"
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ -f /etc/pivpn/hosts.openvpn ]; then
|
if [ -f /etc/pivpn/hosts.openvpn ]; then
|
||||||
echo "10.8.0.${COUNT} ${NAME}.pivpn" >> /etc/pivpn/hosts.openvpn
|
echo "${NET_REDUCED}.${COUNT} ${NAME}.pivpn" >> /etc/pivpn/hosts.openvpn
|
||||||
if killall -SIGHUP pihole-FTL; then
|
if killall -SIGHUP pihole-FTL; then
|
||||||
echo "::: Updated hosts file for Pi-hole"
|
echo "::: Updated hosts file for Pi-hole"
|
||||||
else
|
else
|
||||||
|
|
|
@ -121,7 +121,8 @@ for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
|
||||||
rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt"
|
rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt"
|
||||||
|
|
||||||
# Grab the client IP address
|
# Grab the client IP address
|
||||||
STATIC_IP=$(grep -v "^#" /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}" | grep -w ifconfig-push | grep -oE '10.8.0\.[0-9]{1,3}')
|
NET_REDUCED="${pivpnNET::-2}"
|
||||||
|
STATIC_IP=$(grep -v "^#" /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}" | grep -w ifconfig-push | grep -oE "${NET_REDUCED}\.[0-9]{1,3}")
|
||||||
rm -rf /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}"
|
rm -rf /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}"
|
||||||
|
|
||||||
rm -rf "${install_home}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn"
|
rm -rf "${install_home}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn"
|
||||||
|
|
|
@ -1,6 +1,5 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
subnetClass="24"
|
|
||||||
setupVars="/etc/pivpn/setupVars.conf"
|
setupVars="/etc/pivpn/setupVars.conf"
|
||||||
ERR=0
|
ERR=0
|
||||||
|
|
||||||
|
@ -12,14 +11,9 @@ fi
|
||||||
source "${setupVars}"
|
source "${setupVars}"
|
||||||
|
|
||||||
if [ "$VPN" = "wireguard" ]; then
|
if [ "$VPN" = "wireguard" ]; then
|
||||||
pivpnPROTO="udp"
|
|
||||||
pivpnDEV="wg0"
|
|
||||||
pivpnNET="10.6.0.0"
|
|
||||||
VPN_SERVICE="wg-quick@wg0"
|
VPN_SERVICE="wg-quick@wg0"
|
||||||
VPN_PRETTY_NAME="WireGuard"
|
VPN_PRETTY_NAME="WireGuard"
|
||||||
elif [ "$VPN" = "openvpn" ]; then
|
elif [ "$VPN" = "openvpn" ]; then
|
||||||
pivpnDEV="tun0"
|
|
||||||
pivpnNET="10.8.0.0"
|
|
||||||
VPN_SERVICE="openvpn"
|
VPN_SERVICE="openvpn"
|
||||||
VPN_PRETTY_NAME="OpenVPN"
|
VPN_PRETTY_NAME="OpenVPN"
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -6,7 +6,6 @@
|
||||||
|
|
||||||
PKG_MANAGER="apt-get"
|
PKG_MANAGER="apt-get"
|
||||||
UPDATE_PKG_CACHE="${PKG_MANAGER} update"
|
UPDATE_PKG_CACHE="${PKG_MANAGER} update"
|
||||||
subnetClass="24"
|
|
||||||
dnsmasqConfig="/etc/dnsmasq.d/02-pivpn.conf"
|
dnsmasqConfig="/etc/dnsmasq.d/02-pivpn.conf"
|
||||||
setupVars="/etc/pivpn/setupVars.conf"
|
setupVars="/etc/pivpn/setupVars.conf"
|
||||||
|
|
||||||
|
@ -60,16 +59,6 @@ removeAll(){
|
||||||
# Removing firewall rules.
|
# Removing firewall rules.
|
||||||
echo "::: Removing firewall rules..."
|
echo "::: Removing firewall rules..."
|
||||||
|
|
||||||
### FIXME: introduce global config space!
|
|
||||||
if [ "$VPN" = "wireguard" ]; then
|
|
||||||
pivpnPROTO="udp"
|
|
||||||
pivpnDEV="wg0"
|
|
||||||
pivpnNET="10.6.0.0"
|
|
||||||
elif [ "$VPN" = "openvpn" ]; then
|
|
||||||
pivpnDEV="tun0"
|
|
||||||
pivpnNET="10.8.0.0"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$USING_UFW" -eq 1 ]; then
|
if [ "$USING_UFW" -eq 1 ]; then
|
||||||
|
|
||||||
### FIXME: SC2154
|
### FIXME: SC2154
|
||||||
|
|
|
@ -86,9 +86,11 @@ for i in {2..254}; do
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
NET_REDUCED="${pivpnNET::-2}"
|
||||||
|
|
||||||
echo -n "[Interface]
|
echo -n "[Interface]
|
||||||
PrivateKey = $(cat "keys/${CLIENT_NAME}_priv")
|
PrivateKey = $(cat "keys/${CLIENT_NAME}_priv")
|
||||||
Address = 10.6.0.${COUNT}/24
|
Address = ${NET_REDUCED}.${COUNT}/${subnetClass}
|
||||||
DNS = ${pivpnDNS1}" > "configs/${CLIENT_NAME}.conf"
|
DNS = ${pivpnDNS1}" > "configs/${CLIENT_NAME}.conf"
|
||||||
|
|
||||||
if [ -n "${pivpnDNS2}" ]; then
|
if [ -n "${pivpnDNS2}" ]; then
|
||||||
|
@ -109,12 +111,12 @@ echo "# begin ${CLIENT_NAME}
|
||||||
[Peer]
|
[Peer]
|
||||||
PublicKey = $(cat "keys/${CLIENT_NAME}_pub")
|
PublicKey = $(cat "keys/${CLIENT_NAME}_pub")
|
||||||
PresharedKey = $(cat keys/psk)
|
PresharedKey = $(cat keys/psk)
|
||||||
AllowedIPs = 10.6.0.${COUNT}/32
|
AllowedIPs = ${NET_REDUCED}.${COUNT}/32
|
||||||
# end ${CLIENT_NAME}" >> wg0.conf
|
# end ${CLIENT_NAME}" >> wg0.conf
|
||||||
echo "::: Updated server config"
|
echo "::: Updated server config"
|
||||||
|
|
||||||
if [ -f /etc/pivpn/hosts.wireguard ]; then
|
if [ -f /etc/pivpn/hosts.wireguard ]; then
|
||||||
echo "10.6.0.${COUNT} ${CLIENT_NAME}.pivpn" >> /etc/pivpn/hosts.wireguard
|
echo "${NET_REDUCED}.${COUNT} ${CLIENT_NAME}.pivpn" >> /etc/pivpn/hosts.wireguard
|
||||||
if killall -SIGHUP pihole-FTL; then
|
if killall -SIGHUP pihole-FTL; then
|
||||||
echo "::: Updated hosts file for Pi-hole"
|
echo "::: Updated hosts file for Pi-hole"
|
||||||
else
|
else
|
||||||
|
|
|
@ -106,7 +106,8 @@ for CLIENT_NAME in "${CLIENTS_TO_REMOVE[@]}"; do
|
||||||
|
|
||||||
# If using Pi-hole, remove the client from the hosts file
|
# If using Pi-hole, remove the client from the hosts file
|
||||||
if [ -f /etc/pivpn/hosts.wireguard ]; then
|
if [ -f /etc/pivpn/hosts.wireguard ]; then
|
||||||
sed "\#10.6.0.${COUNT} ${CLIENT_NAME}.pivpn#d" -i /etc/pivpn/hosts.wireguard
|
NET_REDUCED="${pivpnNET::-2}"
|
||||||
|
sed "\#${NET_REDUCED}.${COUNT} ${CLIENT_NAME}.pivpn#d" -i /etc/pivpn/hosts.wireguard
|
||||||
if killall -SIGHUP pihole-FTL; then
|
if killall -SIGHUP pihole-FTL; then
|
||||||
echo "::: Updated hosts file for Pi-hole"
|
echo "::: Updated hosts file for Pi-hole"
|
||||||
else
|
else
|
||||||
|
|
Loading…
Reference in a new issue