mirror of
https://github.com/pivpn/pivpn.git
synced 2025-04-25 16:50:12 +00:00
Mostly changes to the install script, see below
Handle running the install script over an existing installation (as the script already did before branching to test-wireguard), providing:
- Update, downloads latest scripts from git repo
- Repair, reinstall PiVPN while keeping existing settings
- Reconfigure, start over overwriting the existing settings
Tag iptables rules as an attempt to make sure that the uninstall script only removes PiVPN rules
Change the armv6l installation to reflect the split of WireGuard snapshots into wireguard-linux-compat and wireguard-tools
This commit is contained in:
Orazio
parent
d17d381049
commit
a561607272
4 changed files with 371 additions and 248 deletions
|
|
@ -52,29 +52,27 @@ fi
|
|||
|
||||
if [ "$USING_UFW" -eq 0 ]; then
|
||||
|
||||
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
|
||||
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables MASQUERADE rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
iptables -t nat -F
|
||||
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE
|
||||
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
|
||||
iptables-save > /etc/iptables/rules.v4
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
|
||||
|
||||
if iptables -C INPUT -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT &> /dev/null; then
|
||||
if iptables -C INPUT -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables INPUT rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
iptables -I INPUT 1 -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT
|
||||
iptables -I INPUT 1 -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule"
|
||||
iptables-save > /etc/iptables/rules.v4
|
||||
echo "Done"
|
||||
fi
|
||||
|
|
@ -83,14 +81,14 @@ if [ "$USING_UFW" -eq 0 ]; then
|
|||
|
||||
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
|
||||
|
||||
if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then
|
||||
if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables FORWARD rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
|
||||
iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
||||
iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
||||
iptables-save > /etc/iptables/rules.v4
|
||||
echo "Done"
|
||||
fi
|
||||
|
|
@ -109,13 +107,13 @@ else
|
|||
fi
|
||||
fi
|
||||
|
||||
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
|
||||
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables MASQUERADE rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
|
||||
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE -m comment --comment ${VPN}-nat-rule\nCOMMIT\n" -i /etc/ufw/before.rules
|
||||
ufw reload
|
||||
echo "Done"
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -74,22 +74,22 @@ removeAll(){
|
|||
ufw delete allow "${pivpnPORT}"/"${pivpnPROTO}" > /dev/null
|
||||
### FIXME: SC2154
|
||||
ufw route delete allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any > /dev/null
|
||||
sed -z "s/*nat\\n:POSTROUTING ACCEPT \\[0:0\\]\\n-I POSTROUTING -s ${pivpnNET}\\/${subnetClass} -o ${IPv4dev} -j MASQUERADE\\nCOMMIT\\n\\n//" -i /etc/ufw/before.rules
|
||||
iptables -t nat -D POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE
|
||||
sed -z "s/*nat\\n:POSTROUTING ACCEPT \\[0:0\\]\\n-I POSTROUTING -s ${pivpnNET}\\/${subnetClass} -o ${IPv4dev} -j MASQUERADE -m comment --comment ${VPN}-nat-rule\\nCOMMIT\\n\\n//" -i /etc/ufw/before.rules
|
||||
iptables -t nat -D POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
|
||||
ufw reload &> /dev/null
|
||||
|
||||
elif [ "$USING_UFW" -eq 0 ]; then
|
||||
|
||||
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
|
||||
iptables -D INPUT -i "${IPv4dev}" -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT
|
||||
iptables -D INPUT -i "${IPv4dev}" -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT -m comment --comment "${VPN}-input-rule"
|
||||
fi
|
||||
|
||||
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
|
||||
iptables -D FORWARD -d "${pivpnNET}/${subnetClass}" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -D FORWARD -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT
|
||||
iptables -D FORWARD -d "${pivpnNET}/${subnetClass}" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
||||
iptables -D FORWARD -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
||||
fi
|
||||
|
||||
iptables -t nat -D POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE
|
||||
iptables -t nat -D POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
|
||||
iptables-save > /etc/iptables/rules.v4
|
||||
|
||||
fi
|
||||
|
|
@ -123,11 +123,17 @@ removeAll(){
|
|||
# On armv6l Raspbian we manually remove the kernel module and skip the apt
|
||||
# uninstallation (since it's not an actual package).
|
||||
if [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv6l" ]; then
|
||||
dkms remove wireguard/"${WG_SNAPSHOT}" --all
|
||||
rm -rf /usr/src/wireguard-*
|
||||
dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
|
||||
rm -rf /usr/src/wireguard-"${WG_MODULE_SNAPSHOT}"
|
||||
break
|
||||
fi
|
||||
|
||||
elif [ "${i}" = "wireguard-tools" ]; then
|
||||
|
||||
if [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv6l" ]; then
|
||||
rm -rf /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}"
|
||||
fi
|
||||
|
||||
elif [ "${i}" = "dirmngr" ]; then
|
||||
|
||||
# If dirmngr was installed, then we had previously installed wireguard on armv7l Raspbian
|
||||
|
|
@ -187,7 +193,7 @@ removeAll(){
|
|||
### FIXME SC2154
|
||||
rm -rf "$install_home/configs"
|
||||
elif [ "$VPN" = "openvpn" ]; then
|
||||
rm -f /var/log/*openvpn*
|
||||
rm -rf /var/log/*openvpn*
|
||||
rm -f /etc/openvpn/server.conf
|
||||
rm -f /etc/openvpn/crl.pem
|
||||
rm -rf /etc/openvpn/easy-rsa
|
||||
|
|
|
|||
|
|
@ -63,20 +63,49 @@ fi
|
|||
|
||||
if [ "$USING_UFW" -eq 0 ]; then
|
||||
|
||||
if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
|
||||
if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables MASQUERADE rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
iptables -t nat -F
|
||||
iptables -t nat -I POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE
|
||||
iptables -t nat -I POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
|
||||
iptables-save > /etc/iptables/rules.v4
|
||||
iptables-restore < /etc/iptables/rules.v4
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
|
||||
|
||||
if iptables -C INPUT -i "$IPv4dev" -p udp --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables INPUT rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
iptables -I INPUT 1 -i "$IPv4dev" -p udp --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule"
|
||||
iptables-save > /etc/iptables/rules.v4
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
|
||||
|
||||
if iptables -C FORWARD -s 10.6.0.0/24 -i wg0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables FORWARD rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
iptables -I FORWARD 1 -d 10.6.0.0/24 -i "$IPv4dev" -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
||||
iptables -I FORWARD 2 -s 10.6.0.0/24 -i wg0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
||||
iptables-save > /etc/iptables/rules.v4
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
else
|
||||
|
||||
if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
|
||||
|
|
@ -89,13 +118,13 @@ else
|
|||
fi
|
||||
fi
|
||||
|
||||
if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
|
||||
if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables MASQUERADE rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.6.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
|
||||
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.6.0.0/24 -o $IPv4dev -j MASQUERADE -m comment --comment ${VPN}-nat-rule\nCOMMIT\n" -i /etc/ufw/before.rules
|
||||
ufw reload
|
||||
echo "Done"
|
||||
fi
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue