Use variables to define VPN ranges instead of hard coding IPs

2024-12-18 19:00:15 +00:00 · 2020-02-16 09:09:09 +01:00 · 2020-02-16 09:09:09 +01:00 · 9846d3787a
commit 9846d3787a
parent edbd23a2a1
7 changed files with 46 additions and 26 deletions
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@ -1038,7 +1038,11 @@ askWhichVPN(){
 	fi

 	if [ "$VPN" = "wireguard" ]; then
+		# Since WireGuard only uses UDP, askCustomProto() is never called so we
+		# set the protocol here (it's not actually required to save the value, but
+		# it might be useful for the user when port forwarding).
 		pivpnPROTO="udp"
+		echo "pivpnPROTO=${pivpnPROTO}" >> /tmp/setupVars.conf
 		pivpnDEV="wg0"
 		pivpnNET="10.6.0.0"
 	elif [ "$VPN" = "openvpn" ]; then
@ -1048,6 +1052,9 @@ askWhichVPN(){
 	vpnGw="${pivpnNET/.0.0/.0.1}"

 	echo "VPN=${VPN}" >> /tmp/setupVars.conf
+	echo "pivpnDEV=${pivpnDEV}" >> /tmp/setupVars.conf
+	echo "pivpnNET=${pivpnNET}" >> /tmp/setupVars.conf
+	echo "subnetClass=${subnetClass}" >> /tmp/setupVars.conf
 }

 installOpenVPN(){
@ -1762,6 +1769,13 @@ askEncryption(){
 	echo "USE_PREDEFINED_DH_PARAM=${USE_PREDEFINED_DH_PARAM}" >> /tmp/setupVars.conf
 }

+cidrToMask(){
+	# Source: https://stackoverflow.com/a/20767392
+	set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0
+	[ $1 -gt 1 ] && shift $1 || shift
+	echo ${1-0}.${2-0}.${3-0}.${4-0}
+}
+
 confOpenVPN(){
 	# Grab the existing Hostname
 	host_name=$(hostname -s)
@ -1905,6 +1919,16 @@ set_var EASYRSA_ALGO       ${pivpnCERT}" | $SUDO tee vars >/dev/null
 		$SUDO sed -i "s#\\(dh /etc/openvpn/easy-rsa/pki/dh\\).*#\\1${pivpnENCRYPT}.pem#" /etc/openvpn/server.conf
 	fi

+	# if they modified VPN network put value in server.conf
+	if [ "$pivpnNET" != "10.8.0.0" ]; then
+		$SUDO sed -i "s/10.8.0.0/${pivpnNET}/g" /etc/openvpn/server.conf
+	fi
+
+	# if they modified VPN subnet class put value in server.conf
+	if [ "$(cidrToMask "$subnetClass")" != "255.255.255.0" ]; then
+		$SUDO sed -i "s/255.255.255.0/$(cidrToMask "$subnetClass")/g" /etc/openvpn/server.conf
+	fi
+
 	# if they modified port put value in server.conf
 	if [ "$pivpnPORT" != 1194 ]; then
 		$SUDO sed -i "s/1194/${pivpnPORT}/g" /etc/openvpn/server.conf
--- a/scripts/openvpn/makeOVPN.sh
+++ b/scripts/openvpn/makeOVPN.sh
@ -405,20 +405,29 @@ else

 fi

+cidrToMask(){
+	# Source: https://stackoverflow.com/a/20767392
+	set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0
+	[ $1 -gt 1 ] && shift $1 || shift
+	echo ${1-0}.${2-0}.${3-0}.${4-0}
+}
+
+NET_REDUCED="${pivpnNET::-2}"
+
 # Find an unused number for the last octet of the client IP
 for i in {2..254}; do
    # find returns 0 if the folder is empty, so we create the 'ls -A [...]'
    # exception to stop at the first static IP (10.8.0.2). Otherwise it would
    # cycle to the end without finding and available octet.
-    if [ -z "$(ls -A /etc/openvpn/ccd)" ] || ! find /etc/openvpn/ccd -type f -exec grep -q "10.8.0.$i" {} +; then
-        COUNT="$i"
-        echo "ifconfig-push 10.8.0.$i 255.255.255.0" >> /etc/openvpn/ccd/"${NAME}"
+    if [ -z "$(ls -A /etc/openvpn/ccd)" ] || ! find /etc/openvpn/ccd -type f -exec grep -q "${NET_REDUCED}.${i}" {} +; then
+        COUNT="${i}"
+        echo "ifconfig-push ${NET_REDUCED}.${i} $(cidrToMask "$subnetClass")" >> /etc/openvpn/ccd/"${NAME}"
        break
    fi
 done

 if [ -f /etc/pivpn/hosts.openvpn ]; then
-    echo "10.8.0.${COUNT} ${NAME}.pivpn" >> /etc/pivpn/hosts.openvpn
+    echo "${NET_REDUCED}.${COUNT} ${NAME}.pivpn" >> /etc/pivpn/hosts.openvpn
    if killall -SIGHUP pihole-FTL; then
        echo "::: Updated hosts file for Pi-hole"
    else
--- a/scripts/openvpn/removeOVPN.sh
+++ b/scripts/openvpn/removeOVPN.sh
@ -121,7 +121,8 @@ for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
    rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt"

    # Grab the client IP address
-    STATIC_IP=$(grep -v "^#" /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}" | grep -w ifconfig-push | grep -oE '10.8.0\.[0-9]{1,3}')
+    NET_REDUCED="${pivpnNET::-2}"
+    STATIC_IP=$(grep -v "^#" /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}" | grep -w ifconfig-push | grep -oE "${NET_REDUCED}\.[0-9]{1,3}")
    rm -rf /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}"

    rm -rf "${install_home}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn"
--- a/scripts/self_check.sh
+++ b/scripts/self_check.sh
@ -1,6 +1,5 @@
 #!/bin/bash

-subnetClass="24"
 setupVars="/etc/pivpn/setupVars.conf"
 ERR=0

@ -12,14 +11,9 @@ fi
 source "${setupVars}"

 if [ "$VPN" = "wireguard" ]; then
-	pivpnPROTO="udp"
-	pivpnDEV="wg0"
-	pivpnNET="10.6.0.0"
 	VPN_SERVICE="wg-quick@wg0"
 	VPN_PRETTY_NAME="WireGuard"
 elif [ "$VPN" = "openvpn" ]; then
-	pivpnDEV="tun0"
-	pivpnNET="10.8.0.0"
 	VPN_SERVICE="openvpn"
 	VPN_PRETTY_NAME="OpenVPN"
 fi
--- a/scripts/uninstall.sh
+++ b/scripts/uninstall.sh
@ -6,7 +6,6 @@

 PKG_MANAGER="apt-get"
 UPDATE_PKG_CACHE="${PKG_MANAGER} update"
-subnetClass="24"
 dnsmasqConfig="/etc/dnsmasq.d/02-pivpn.conf"
 setupVars="/etc/pivpn/setupVars.conf"

@ -60,16 +59,6 @@ removeAll(){
 	# Removing firewall rules.
 	echo "::: Removing firewall rules..."

-  ### FIXME: introduce global config space!
-	if [ "$VPN" = "wireguard" ]; then
-		pivpnPROTO="udp"
-		pivpnDEV="wg0"
-		pivpnNET="10.6.0.0"
-	elif [ "$VPN" = "openvpn" ]; then
-		pivpnDEV="tun0"
-		pivpnNET="10.8.0.0"
-	fi
-
 	if [ "$USING_UFW" -eq 1 ]; then

    ### FIXME: SC2154
--- a/scripts/wireguard/makeCONF.sh
+++ b/scripts/wireguard/makeCONF.sh
@ -86,9 +86,11 @@ for i in {2..254}; do
    fi
 done

+NET_REDUCED="${pivpnNET::-2}"
+
 echo -n "[Interface]
 PrivateKey = $(cat "keys/${CLIENT_NAME}_priv")
-Address = 10.6.0.${COUNT}/24
+Address = ${NET_REDUCED}.${COUNT}/${subnetClass}
 DNS = ${pivpnDNS1}" > "configs/${CLIENT_NAME}.conf"

 if [ -n "${pivpnDNS2}" ]; then
@ -109,12 +111,12 @@ echo "# begin ${CLIENT_NAME}
 [Peer]
 PublicKey = $(cat "keys/${CLIENT_NAME}_pub")
 PresharedKey = $(cat keys/psk)
-AllowedIPs = 10.6.0.${COUNT}/32
+AllowedIPs = ${NET_REDUCED}.${COUNT}/32
 # end ${CLIENT_NAME}" >> wg0.conf
 echo "::: Updated server config"

 if [ -f /etc/pivpn/hosts.wireguard ]; then
-    echo "10.6.0.${COUNT} ${CLIENT_NAME}.pivpn" >> /etc/pivpn/hosts.wireguard
+    echo "${NET_REDUCED}.${COUNT} ${CLIENT_NAME}.pivpn" >> /etc/pivpn/hosts.wireguard
    if killall -SIGHUP pihole-FTL; then
        echo "::: Updated hosts file for Pi-hole"
    else
--- a/scripts/wireguard/removeCONF.sh
+++ b/scripts/wireguard/removeCONF.sh
@ -106,7 +106,8 @@ for CLIENT_NAME in "${CLIENTS_TO_REMOVE[@]}"; do

            # If using Pi-hole, remove the client from the hosts file
            if [ -f /etc/pivpn/hosts.wireguard ]; then
-                sed "\#10.6.0.${COUNT} ${CLIENT_NAME}.pivpn#d" -i /etc/pivpn/hosts.wireguard
+                NET_REDUCED="${pivpnNET::-2}"
+                sed "\#${NET_REDUCED}.${COUNT} ${CLIENT_NAME}.pivpn#d" -i /etc/pivpn/hosts.wireguard
                if killall -SIGHUP pihole-FTL; then
                    echo "::: Updated hosts file for Pi-hole"
                else