diff --git a/ISSUE_TEMPLATE.md b/ISSUE_TEMPLATE.md index e3da04b..6853205 100644 --- a/ISSUE_TEMPLATE.md +++ b/ISSUE_TEMPLATE.md @@ -31,22 +31,6 @@ Output Here ``` -## Console Output of `sudo iptables -t nat -S` -``` - Output Here -``` - -## Console Output of `sudo iptables -S` -``` - Output Here -``` - -## output of `sudo netstat -uanp | grep openvpn` - -``` - Output Here -``` - ## Have you taken any steps towards solving your issue? which? diff --git a/README.md b/README.md index 2df09c7..2b30ab5 100644 --- a/README.md +++ b/README.md 
@@ -54,11 +54,13 @@ curl -L https://install.pivpn.io | bash The script will first update your APT repositories, upgrade packages, and install OpenVPN, which will take some time. -It will ask which encryption method you wish the guts of your server to use, 1024-bit, 2048-bit, or 4096-bit. +It will ask which authentication method you wish the guts of your server to use, 1024-bit, 2048-bit, or 4096-bit. If you're unsure or don't have a convincing reason one way or the other I'd use 2048 today. From the OpenVPN site: > For asymmetric keys, general wisdom is that 1024-bit keys are no longer sufficient to protect against well-equipped adversaries. Use of 2048-bit is a good minimum. It is wise to ensure all keys across your active PKI (including the CA root keypair) are using at least 2048-bit keys. -> Up to 4096-bit is accepted by nearly all RSA systems (including OpenVPN,) but use of keys this large will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations; the benefit beyond 2048-bit keys is small enough not to be of great use at the current time. It is often a larger benefit to consider lower validity times than more bits past 2048, but that is for you to decide. +> Up to 4096-bit is accepted by nearly all RSA systems (including OpenVPN), but use of keys this large will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations; the benefit beyond 2048-bit keys is small enough not to be of great use at the current time. It is often a larger benefit to consider lower validity times than more bits past 2048, but that is for you to decide. + +Luckily, OpenVPN 2.4 supports ECDSA certificates, which are based on Elliptic Curves, allowing much smaller keys while providing an equivalent security level (256 bit long, equivalent to 3072 bit RSA). For this reason, PiVPN now uses ECDSA certs if you choose to enable OpenVPN 2.4 features. 
If not, the usual RSA certificates are generated in case the user has clients running an older version of OpenVPN. After this, the script will go back to the command line as it builds the server's own certificate authority. The script will ask you if you'd like to change the certificate fields, @@ -70,7 +72,11 @@ and have a working configuration at the end. Finally, the script will take some time to build the server's Diffie-Hellman key exchange. If you chose 1024-bit encryption, this will just take a few minutes, but if you chose 2048-bit, it will take much longer (anywhere from 40 minutes to several hours on a -Model B+). The script will also make some changes to your system to allow it to forward +Model B+). + +NOTE: Diffie-Hellman parameters are NOT generated if you choose not to use OpenVPN 2.4. + +The script will also make some changes to your system to allow it to forward internet traffic and allow VPN connections through the Pi's firewall. When the script informs you that it has finished configuring OpenVPN, it will ask if you want to reboot. I have it where you do not need to reboot when done but it also can't hurt. diff --git a/auto_install/install.sh b/auto_install/install.sh index afd0f3b..ea915f3 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -9,12 +9,9 @@ # # curl -L https://install.pivpn.io | bash # Make sure you have `curl` installed - set -e -######## VARIABLES ######### -tmpLog="/tmp/pivpn-install.log" -instalLogLoc="/etc/pivpn/install.log" +######## VARIABLES ######### setupVars=/etc/pivpn/setupVars.conf useUpdateVars=false 
@@ -29,11 +26,12 @@ PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whipta pivpnGitUrl="https://github.com/pivpn/pivpn.git" pivpnFilesDir="/etc/.pivpn" -easyrsaVer="3.0.4" -easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz" +easyrsaVer="3.0.6" +easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz" -# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config -UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/1.4.tar.gz" +# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config +UNATTUPG_RELEASE="1.9" +UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz" # Find the rows and columns. Will default to 80x24 if it can not be detected. screen_size=$(stty size 2>/dev/null || echo 24 80) @@ -340,7 +338,7 @@ It is also possible to use a DHCP reservation, but if you are going to do that, setDHCPCD() { # Append these lines to dhcpcd.conf to enable a static IP echo "interface ${pivpnInterface} - static ip_address=${IPv4addr} + static ip_address=${IPv4addr}/24 static routers=${IPv4gw} static domain_name_servers=${IPv4dns}" | $SUDO tee -a ${dhcpcdFile} >/dev/null } @@ -352,7 +350,7 @@ setStaticIPv4() { echo "::: Static IP already configured." else setDHCPCD - $SUDO ip addr replace dev "${pivpnInterface}" "${IPv4addr}" + $SUDO ip addr replace dev "${pivpnInterface}" "${IPv4addr}/24" echo ":::" echo "::: Setting IP to ${IPv4addr}. You may need to restart after the install is complete." echo ":::" 
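Review bot: The `/24` appended to `${IPv4addr}` in setDHCPCD (and to the `ip addr replace` line in the next hunk, @@ -352) hard-codes the LAN prefix length, so a host on a /16 or /25 network gets the wrong netmask written to dhcpcd.conf and applied live, and if IPv4addr was captured with a suffix already (the prompt code is outside this hunk) the result is `a.b.c.d/24/24`. Read the prefix from the interface's current address instead, e.g. `IPv4cidr=$(ip -o -f inet addr show dev "${pivpnInterface}" | awk '{print $4}')` and use `${IPv4cidr#*/}` as the suffix, or make the prefix length part of the static-IP prompt. setDHCPCD's body is fully shown; setStaticIPv4 in the next hunk starts outside it.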
@@ -485,14 +483,13 @@ install_dependent_packages() { echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections - if command -v debconf-apt-progress &> /dev/null; then + # Add support for https repositories if there are any that use it otherwise the installation will silently fail + if grep -q https /etc/apt/sources.list; then + PIVPN_DEPS+=("apt-transport-https") + fi - # Use appropriate argument if the package manager uses https otherwise the installation will silently fail - if grep -q https /etc/apt/sources.list; then - $SUDO debconf-apt-progress -- ${PKG_INSTALL} -y apt-transport-https "${argArray1[@]}" - else - $SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}" - fi + if command -v debconf-apt-progress &> /dev/null; then + $SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}" else for i in "${argArray1[@]}"; do echo -n "::: Checking for $i..." 
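Review bot: Appending to PIVPN_DEPS inside install_dependent_packages probably never reaches the install command a few lines below, which iterates `argArray1`; if argArray1 was copied from PIVPN_DEPS at function entry (the function header is outside this hunk), apt-transport-https is silently not installed and the https-repository case the old branch handled regresses. Append to the array that is actually handed to the package manager, `argArray1+=("apt-transport-https")`, or add the package to PIVPN_DEPS before the function is called. The `grep -q https /etc/apt/sources.list` test also ignores `/etc/apt/sources.list.d/*.list`, where most third-party https repositories are configured; `grep -qs https /etc/apt/sources.list /etc/apt/sources.list.d/*.list` covers both without failing when the directory is empty.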
@@ -775,20 +772,20 @@ confOpenVPN() { if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then - ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "RSA encryption strength" --radiolist \ - "Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications, it is recommended to use 2048 bits. If you are testing, you can use 1024 bits to speed things up, but do not use this for normal use! If you are paranoid about ... things... then grab a cup of joe and pick 4096 bits." ${r} ${c} 3 \ - "1024" "Use 1024-bit encryption (testing only)" OFF \ - "2048" "Use 2048-bit encryption (recommended level)" ON \ - "4096" "Use 4096-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3) + ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "RSA certificate size" --radiolist \ + "Choose the desired size of your certificate (press space to select):\n This is a certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 2048 bits. If you are testing, you can use 1024 bits to speed things up, but do not use this for normal use! If you are paranoid about ... things... then grab a cup of joe and pick 4096 bits." ${r} ${c} 3 \ + "1024" "Use a 1024-bit certificate (testing only)" OFF \ + "2048" "Use a 2048-bit certificate (recommended level)" ON \ + "4096" "Use a 4096-bit certificate (paranoid level)" OFF 3>&1 1>&2 2>&3) else declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1") - ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA encryption strength" --radiolist \ - "Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications, it is recommended to use 256 bits. 
You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \ - "256" "Use 256-bit encryption (recommended level)" ON \ - "384" "Use 384-bit encryption" OFF \ - "521" "Use 521-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3) + ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA certificate size" --radiolist \ + "Choose the desired size of your certificate (press space to select):\n This is an certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \ + "256" "Use a 256-bit certificate (recommended level)" ON \ + "384" "Use a 384-bit certificate" OFF \ + "521" "Use a 521-bit certificate (paranoid level)" OFF 3>&1 1>&2 2>&3) fi @@ -804,8 +801,8 @@ confOpenVPN() { $SUDO rm -rf /etc/openvpn/easy-rsa/ fi - # Get the PiVPN easy-rsa - wget -q -O - "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn && $SUDO mv /etc/openvpn/EasyRSA-${easyrsaVer} /etc/openvpn/easy-rsa + # Get easy-rsa + wget -q -O - "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn && $SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa # fix ownership $SUDO chown -R root:root /etc/openvpn/easy-rsa $SUDO mkdir /etc/openvpn/easy-rsa/pki @@ -845,7 +842,7 @@ EOF if [[ ${useUpdateVars} == false ]]; then if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then - whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c} + whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman parameters, and HMAC key will now be generated." ${r} ${c} fi fi 
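Review bot: The new ECDSA radiolist text reads `This is an certificate that will be generated`; the article should be `a`, matching `This is a certificate` in the RSA branch above. Both new titles also call the choice a "certificate size" while the values are key sizes (256/384/521 map to named curves in ECDSA_MAP, and 1024/2048/4096 are RSA modulus lengths); `--title "ECDSA key size"` and `Choose the desired size of your key` would describe the menu more accurately. confOpenVPN starts before this hunk.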
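Review bot: The renamed easy-rsa fetch still pipes `wget -q -O -` straight into `$SUDO tar xz`, so a failed or truncated download is not detected: wget's status is discarded by the pipeline (pipefail is not set), a tar failure sits before the final `&&` where `set -e` does not apply, and the script carries on to `chown`/`mkdir` on a directory that was never created. Nothing verifies that the archive is the expected release either, which matters for a tarball that becomes the CA tooling and is extracted as root. Download to a temporary file, check it against a pinned digest, then extract, as sketched below; the same `wget | tar` pattern is used for the unattended-upgrades tarball in the @@ -932 hunk. confOpenVPN continues outside the hunk.
```shell
# Get easy-rsa: fetch to a temp file so a failed download is caught before extraction
easyrsaTgz=$(mktemp) || exit 1
if ! wget -q -O "${easyrsaTgz}" "${easyrsaRel}"; then
  echo "::: Failed to download ${easyrsaRel}" >&2
  exit 1
fi
# TODO(review): pin the release digest next to easyrsaVer and verify it here:
# echo "<EXPECTED_SHA256_OF_RELEASE>  ${easyrsaTgz}" | sha256sum -c - || exit 1
$SUDO tar -xzf "${easyrsaTgz}" -C /etc/openvpn && $SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa
rm -f "${easyrsaTgz}"
# … unchanged: fix ownership, mkdir pki …
```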
@@ -932,8 +929,8 @@ EOT # Fix Raspbian config if [[ $PLAT == "Raspbian" ]]; then wget -q -O - "$UNATTUPG_CONFIG" | $SUDO tar xz - $SUDO cp unattended-upgrades-1.4/data/50unattended-upgrades.Raspbian 50unattended-upgrades - $SUDO rm -rf unattended-upgrades-1.4 + $SUDO cp "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" 50unattended-upgrades + $SUDO rm -rf "unattended-upgrades-$UNATTUPG_RELEASE" fi # Add the remaining settings for all other distributions @@ -955,21 +952,20 @@ confNetwork() { $SUDO sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf $SUDO sysctl -p - # if ufw enabled, configure that - if hash ufw 2>/dev/null; then + # if ufw enabled, configure that (running as root because sometimes the executable is not in the user's $PATH, on Debian for example) + if $SUDO bash -c 'hash ufw' 2>/dev/null; then if LANG=en_US.UTF-8 $SUDO ufw status | grep -q inactive then noUFW=1 else echo "::: Detected UFW is enabled." echo "::: Adding UFW rules..." - $SUDO cp /etc/.pivpn/ufw_add.txt /tmp/ufw_add.txt - $SUDO sed -i 's/IPv4dev/'"$IPv4dev"'/' /tmp/ufw_add.txt - $SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw - $SUDO sed -i -e '/delete these required/r /tmp/ufw_add.txt' -e//N /etc/ufw/before.rules - $SUDO ufw allow "${PORT}/${PROTO}" - $SUDO ufw allow from 10.8.0.0/24 - $SUDO ufw reload + $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules + # Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic) + $SUDO ufw insert 1 allow "$PORT"/"$PROTO" >/dev/null + # Don't forward everything, just the traffic originated from the VPN subnet + $SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null + $SUDO ufw reload >/dev/null echo "::: UFW configuration completed." fi else 
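Review bot: The `sed "/delete these required/i *nat..."` line inserts the *nat block into /etc/ufw/before.rules every time confNetwork runs, so a second run of the installer leaves duplicate *nat sections, and the uninstaller's byte-exact removal will strip at most one of them. Guard the insertion with `if ! grep -q "POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE" /etc/ufw/before.rules; then`, and consider wrapping the inserted text in `# START PIVPN RULES` / `# END PIVPN RULES` marker comments so removal can use an address range rather than the exact text; the `iptables -t nat -I POSTROUTING` in the next hunk (@@ -978) duplicates on re-run in the same way and could be preceded by an `iptables -t nat -C ... ||` check. `ufw route` also requires ufw 0.34 or newer, which older stable releases may not ship, so a version check with a clear error would be better than letting the command fail partway through the firewall setup. confNetwork continues outside the hunk.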
@@ -978,7 +974,7 @@ confNetwork() { # else configure iptables if [[ $noUFW -eq 1 ]]; then echo 1 > /tmp/noUFW - $SUDO iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE + $SUDO iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE case ${PLAT} in Ubuntu|Debian|Devuan) $SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null @@ -1067,7 +1063,7 @@ confOVPN() { confLogging() { echo "if \$programname == 'ovpn-server' then /var/log/openvpn.log -if \$programname == 'ovpn-server' then ~" | $SUDO tee /etc/rsyslog.d/30-openvpn.conf > /dev/null +if \$programname == 'ovpn-server' then stop" | $SUDO tee /etc/rsyslog.d/30-openvpn.conf > /dev/null echo "/var/log/openvpn.log { @@ -1185,8 +1181,7 @@ updatePiVPN() { displayFinalMessage() { # Final completion message to user whiptail --msgbox --backtitle "Make it so." --title "Installation Complete!" "Now run 'pivpn add' to create the ovpn profiles. -Run 'pivpn help' to see what else you can do! -The install log is in /etc/pivpn." ${r} ${c} +Run 'pivpn help' to see what else you can do!" ${r} ${c} if (whiptail --title "Reboot" --yesno --defaultno "It is strongly recommended you reboot after installation. Would you like to reboot now?" ${r} ${c}); then whiptail --title "Rebooting" --msgbox "The system will now reboot." ${r} ${c} printf "\nRebooting system...\n" @@ -1324,10 +1319,12 @@ main() { # Clone/Update the repos clone_or_update_repos - # Install and log everything to a file - installPiVPN | tee ${tmpLog} - - echo "::: Install Complete..." + # Install + if installPiVPN; then + echo "::: Install Complete..." + else + exit 1 + fi else # Source ${setupVars} for use in the rest of the functions. source ${setupVars} @@ -1361,12 +1358,9 @@ main() { clone_or_update_repos - updatePiVPN | tee ${tmpLog} + updatePiVPN fi - #Move the install log into /etc/pivpn for storage - $SUDO mv ${tmpLog} ${instalLogLoc} - echo "::: Restarting services..." # Start services case ${PLAT} in 
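Review bot: Wrapping the call in `if installPiVPN; then` switches `set -e` off for everything that runs inside installPiVPN (bash ignores -e in an `if` condition, and that extends into called functions), so a failing apt, wget or sed step no longer aborts the install and the `exit 1` branch fires only if the function's last command fails. Since `set -e` is already in force (see the header hunk), calling `installPiVPN` on its own line followed by `echo "::: Install Complete..."` gives the intended abort-on-first-failure behaviour. Now that the install log is gone, a `trap 'echo "::: Install failed at line $LINENO" >&2' ERR` near the top of the script would at least tell the user which step broke. main continues outside the hunk.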
@@ -1396,7 +1390,6 @@ main() { fi echo ":::" - echo "::: The install log is located at: ${instalLogLoc}" } if [[ "${PIVPN_TEST}" != true ]] ; then diff --git a/ca_info.txt b/ca_info.txt deleted file mode 100644 index df01b22..0000000 --- a/ca_info.txt +++ /dev/null @@ -1,8 +0,0 @@ -CO -ST -CITY -ORG -ORG-UNIT -COMMON-NAME -NAME -EMAIL diff --git a/firewall-openvpn-rules.txt b/firewall-openvpn-rules.txt deleted file mode 100644 index 1fc98bf..0000000 --- a/firewall-openvpn-rules.txt +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o IPv4dev -j MASQUERADE diff --git a/pivpn b/pivpn index 4b191c0..8f82a93 100644 --- a/pivpn +++ b/pivpn @@ -27,30 +27,12 @@ function listOVPNFunc { } function debugFunc { - noUFW=$(cat /etc/pivpn/NO_UFW) echo "::: Generating Debug Output" $SUDO /opt/pivpn/pivpnDebug.sh | tee /tmp/debug.txt echo "::: " echo "::: Debug output completed above." echo "::: Copy saved to /tmp/debug.txt" echo "::: " - if [[ ${noUFW} -eq 1 ]]; then - IPTABLES_FIX=`$SUDO iptables -t nat -L -n -v | grep -c 'MASQUERADE.*10.8.0.0\/24'` - $SUDO iptables -t nat -L -n -v | grep -q 'MASQUERADE.*10.8.0.0\/24' - if [ $? -ne 0 ]; then - IPTABLES_FIX=2 - fi - if [[ ${IPTABLES_FIX} -gt 1 ]]; then - echo "::: We detected some potential issues with your iptables." - read -p "::: Would you like us to try to fix this? [y/n]: " -n 1 -r - echo - if [[ ${REPLY} =~ ^[Yy]$ ]]; then - $SUDO /opt/pivpn/fix_iptables.sh - fi - echo "::: Attempt at fix completed." - echo "::: Run 'pivpn debug' again to see if we detect issues." - fi - fi exit 1 } diff --git a/scripts/clientStat.sh b/scripts/clientStat.sh old mode 100644 new mode 100755 diff --git a/scripts/fix_iptables.sh b/scripts/fix_iptables.sh deleted file mode 100644 index 697191a..0000000 --- a/scripts/fix_iptables.sh +++ /dev/null 
@@ -1,9 +0,0 @@ -#!/usr/bin/env bash -# PiVPN: Fix iptables script -# called by pivpnDebug.sh - -IPv4dev=$(ip route get 8.8.8.8 | awk '{for(i=1;i<=NF;i++)if($i~/dev/)print $(i+1)}') -iptables -t nat -F -iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${IPv4dev} -j MASQUERADE -iptables-save > /etc/iptables/rules.v4 -iptables-restore < /etc/iptables/rules.v4 diff --git a/scripts/listOVPN.sh b/scripts/listOVPN.sh old mode 100644 new mode 100755 diff --git a/scripts/pivpnDebug.sh b/scripts/pivpnDebug.sh old mode 100644 new mode 100755 index b850032..849c70d --- a/scripts/pivpnDebug.sh +++ b/scripts/pivpnDebug.sh 
@@ -1,25 +1,160 @@ #!/usr/bin/env bash # This scripts runs as root -printf ":::\t\t\t\t\t:::\n::\t\tPiVPN Debug\t\t ::\n" -printf ":::\t\t\t\t\t:::\n::\tLatest Commit\t\t\t ::\n:::\t\t\t\t\t:::\n" + +PORT=$(cat /etc/pivpn/INSTALL_PORT) +PROTO=$(cat /etc/pivpn/INSTALL_PROTO) +IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" +REMOTE="$(grep 'remote ' /etc/openvpn/easy-rsa/pki/Default.txt | awk '{print $2}')" +ERR=0 + +echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::" +printf "=============================================\n" +echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::" git --git-dir /etc/.pivpn/.git log -n 1 -printf ":::\t\t\t\t\t:::\n::\tRecursive list of files in\t ::\n" -printf "::\t/etc/openvpn/easy-rsa/pki\t ::\n:::\t\t\t\t\t:::\n" -ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial -printf ":::\t\t\t\t\t:::\n::\tOutput of /etc/pivpn/*\t\t ::\n:::\t\t\t\t\t:::\n" +printf "=============================================\n" +echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::" for filename in /etc/pivpn/*; do - if [[ "$(unknown)" != "/etc/pivpn/install.log" ]]; then - echo ":: START $filename ::" - cat "$filename" - echo ":: END $filename ::" + if [ "$filename" != "/etc/pivpn/setupVars.conf" ]; then + echo "$filename -> $(cat "$filename")" fi done -printf ":::\t\t\t\t\t:::\n:: /etc/openvpn/easy-rsa/pki/Default.txt ::\n:::\t\t\t\t\t:::\n" -cat /etc/openvpn/easy-rsa/pki/Default.txt -if [[ ${noUFW} -eq 1 ]]; then - printf ":::\t\t\t\t\t:::\n::\tOutput of iptables\t\t ::\n:::\t\t\t\t\t:::\n" - iptables -t nat -L -n -v +printf "=============================================\n" +echo -e "::::\t\e[4msetupVars file shown below\e[0m\t ::::" +sed "s/$REMOTE/REMOTE/" < /etc/pivpn/setupVars.conf +printf "=============================================\n" +echo -e ":::: \e[4mServer configuration shown below\e[0m ::::" +cat /etc/openvpn/server.conf +printf "=============================================\n" +echo -e ":::: \e[4mClient template file shown below\e[0m ::::" 
+sed "s/$REMOTE/REMOTE/" < /etc/openvpn/easy-rsa/pki/Default.txt +printf "=============================================\n" +echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::: \e[4m/etc/openvpn/easy-rsa/pki shows below\e[0m :::" +ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial +printf "=============================================\n" +echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::" + +if [ "$(cat /proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then + echo ":: [OK] IP forwarding is enabled" +else + ERR=1 + read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf + sysctl -p + echo "Done" + fi fi + +if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then + + if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then + echo ":: [OK] Iptables MASQUERADE rule set" + else + ERR=1 + read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + iptables -t nat -F + iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE + iptables-save > /etc/iptables/rules.v4 + iptables-restore < /etc/iptables/rules.v4 + echo "Done" + fi + fi + +else + + if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then + echo ":: [OK] Ufw is enabled" + else + ERR=1 + read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + ufw enable + fi + fi + + if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then + echo ":: [OK] Iptables MASQUERADE rule set" + else + ERR=1 + read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? 
[Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules + ufw reload + echo "Done" + fi + fi + + if iptables -C ufw-user-input -p "${PROTO}" --dport "${PORT}" -j ACCEPT &> /dev/null; then + echo ":: [OK] Ufw input rule set" + else + ERR=1 + read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + ufw insert 1 allow "$PORT"/"$PROTO" + ufw reload + echo "Done" + fi + fi + + if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then + echo ":: [OK] Ufw forwarding rule set" + else + ERR=1 + read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any + ufw reload + echo "Done" + fi + fi + +fi + +if systemctl is-active -q openvpn; then + echo ":: [OK] OpenVPN is running" +else + ERR=1 + read -r -p ":: [ERR] OpenVPN is not running, try to start now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + systemctl start openvpn + echo "Done" + fi +fi + +if systemctl is-enabled -q openvpn; then + echo ":: [OK] OpenVPN is enabled (it will automatically start on reboot)" +else + ERR=1 + read -r -p ":: [ERR] OpenVPN is not enabled, try to enable now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + systemctl enable openvpn + echo "Done" + fi +fi + +# grep -w (whole word) is used so port 111940 with now match when looking for 1194 +if netstat -uanpt | grep openvpn | grep -w "${PORT}" | grep -q "${PROTO}"; then + echo ":: [OK] OpenVPN is listening on port ${PORT}/${PROTO}" +else + ERR=1 + read -r -p ":: [ERR] OpenVPN is not listening, try to restart now? 
[Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + systemctl restart openvpn + echo "Done" + fi +fi + +if [ "$ERR" -eq 1 ]; then + echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues" +fi + +printf "=============================================\n" +echo -e ":::: \e[4mSnippet of the server log\e[0m ::::" +tail -20 /var/log/openvpn.log +printf "=============================================\n" +echo -e "::::\t\t\e[4mDebug complete\e[0m\t\t ::::" + # Telekom Hybrid Check wget -O /tmp/hybcheck http://speedport.ip &>/dev/null if grep -Fq "Speedport Pro" /tmp/hybcheck || grep -Fq "Speedport Hybrid" /tmp/hybcheck @@ -32,4 +167,3 @@ then echo "With Telekom hybrid connections, you may have to experiment a little with MTU (tun-mtu, link-mtu and mssfix)." fi rm /tmp/hybcheck -printf ":::\t\t\t\t\t:::\n::\tDebug Output Complete\t\t ::\n:::\t\t\t\t\t:::\n" diff --git a/scripts/removeOVPN.sh b/scripts/removeOVPN.sh old mode 100644 new mode 100755 diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh old mode 100644 new mode 100755 index 4c3f4e3..99192aa --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -21,6 +21,7 @@ PLAT=$(cat /etc/pivpn/DET_PLATFORM) NO_UFW=$(cat /etc/pivpn/NO_UFW) PORT=$(cat /etc/pivpn/INSTALL_PORT) PROTO=$(cat /etc/pivpn/INSTALL_PROTO) +IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" # Find the rows and columns. Will default to 80x24 if it can not be detected. screen_size=$(stty size 2>/dev/null || echo 24 80) 
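Review bot: The MASQUERADE fix branch runs `iptables -t nat -F` before re-adding the rule, which flushes every rule in the nat table, including any belonging to other services on the host; the preceding `-C` check has already established that the PiVPN rule is absent, so the `-I POSTROUTING` line alone is enough and the flush should be dropped. Separately, `REMOTE` comes from a grep that is empty when Default.txt has no `remote` line, and `sed "s//REMOTE/"` then aborts with "no previous regular expression" instead of printing setupVars.conf; a helper that only substitutes when REMOTE is non-empty (sketched below) avoids that, and the `tail -20 /var/log/openvpn.log` section, which OpenVPN server logs usually fill with client peer addresses, is printed with no masking at all even though the rest of the output is clearly meant to be pasted into issues. The `[Y/n]` prompts also treat a bare Enter as "no" because the test is `=~ ^[Yy]$`; either accept the empty reply with `[[ -z ${REPLY} || ${REPLY} =~ ^[Yy]$ ]]` or label the prompts `[y/N]`.
```shell
REMOTE="$(grep 'remote ' /etc/openvpn/easy-rsa/pki/Default.txt | awk '{print $2}')"

# Mask the server's public endpoint in anything piped through here; an empty
# REMOTE would otherwise make "s//REMOTE/" fail with "no previous regular expression"
redact() {
  if [ -n "$REMOTE" ]; then
    sed "s|$REMOTE|REMOTE|"
  else
    cat
  fi
}
# … unchanged: banner and git log …
redact < /etc/pivpn/setupVars.conf
# … unchanged: server.conf section …
redact < /etc/openvpn/easy-rsa/pki/Default.txt
```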
@@ -107,11 +108,10 @@ echo ":::" sysctl -p if [[ $NO_UFW -eq 0 ]]; then - $SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"DROP\"/" /etc/default/ufw - $SUDO sed -i '/START OPENVPN RULES/,/END OPENVPN RULES/ d' /etc/ufw/before.rules - $SUDO ufw delete allow from 10.8.0.0/24 >/dev/null - $SUDO ufw delete allow ${PORT}/${PROTO} >/dev/null - $SUDO ufw reload + $SUDO sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules + $SUDO ufw delete allow "$PORT"/"$PROTO" >/dev/null + $SUDO ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null + $SUDO ufw reload >/dev/null fi echo ":::" diff --git a/ufw_add.txt b/ufw_add.txt deleted file mode 100644 index 0a17f59..0000000 --- a/ufw_add.txt +++ /dev/null @@ -1,9 +0,0 @@ -# START OPENVPN RULES -# NAT table rules -*nat -:POSTROUTING ACCEPT [0:0] -# Allow traffic from OpenVPN client to masquerade --A POSTROUTING -s 10.8.0.0/24 -o IPv4dev -j MASQUERADE -COMMIT -# END OPENVPN RULES -
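Review bot: The `sed -z "s/*nat\n...COMMIT\n\n//"` removal only works if /etc/ufw/before.rules still holds the byte-exact text the installer inserted; any edit to that block, a missing trailing blank line, or an interface name that no longer matches the saved pivpnINTERFACE leaves the MASQUERADE block in place with no error, and the script goes on to report a clean uninstall. Verify the result and tell the user, e.g. `if grep -q "POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE" /etc/ufw/before.rules; then echo "::: Could not remove the PiVPN NAT block from /etc/ufw/before.rules, please remove it manually" >&2; fi` after the sed, and consider marker comments around the installed block so removal can use a `/START/,/END/ d` range instead of the exact text. `sed -z` is GNU-only and `ufw route delete` needs ufw 0.34+; that matches the installer, but the requirement belongs in the script's header comment.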