integrated bitwarden password manager into pivpn

2025-04-25 16:50:12 +00:00 · 2019-07-23 22:12:35 +02:00 · 2019-07-23 22:12:35 +02:00 · b60a06791d
commit b60a06791d
parent 8e3a951524
5 changed files with 206 additions and 50 deletions
--- a/scripts/makeOVPN.sh
+++ b/scripts/makeOVPN.sh
@ -13,11 +13,12 @@ INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
 helpFunc() {
    echo "::: Create a client ovpn profile, optional nopass"
    echo ":::"
-    echo "::: Usage: pivpn <-a|add> [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-d|--days <number>] [-h|--help]"
+    echo "::: Usage: pivpn <-a|add> [-b|--bitwarden] [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-d|--days <number>] [-h|--help]"
    echo ":::"
    echo "::: Commands:"
    echo ":::  [none]               Interactive mode"
    echo ":::  nopass               Create a client without a password"
+    echo ":::  -b,--bitwarden       Create and save a client through Bitwarden"
    echo ":::  -d,--days            Expire the certificate after specified number of days (default: 1080)"
    echo ":::  -n,--name            Name for the Client (default: '"$(hostname)"')"
    echo ":::  -p,--password        Password for the Client (no default)"
@ -66,6 +67,9 @@ do
        nopass)
            NO_PASS="1"
            ;;
+        -b|--bitwarden)
+            BITWARDEN="2"
+            ;;
        *)
            echo "Error: Got an unexpected argument '$1'"
            helpFunc
@ -91,6 +95,52 @@ EOF

 }

+function useBitwarden() {
+
+    # login and unlock vault
+    printf "****Bitwarden Login****"
+    printf "\n"
+    SESSION_KEY=`bw login --raw`
+    export BW_SESSION=$SESSION_KEY
+    printf "Successfully Logged in!"
+    printf "\n"
+
+    # ask user for username
+    printf "Enter the username:  "
+    read -r NAME
+
+    # check name
+    until [[ "$NAME" =~ ^[a-zA-Z0-9.@_-]+$ && ${NAME::1} != "." && ${NAME::1} != "-"  ]]
+    do
+      	echo "Name can only contain alphanumeric characters and these characters (.-@_). The name also cannot start with a dot (.) or a dash (-). Please try again."
+      	# ask user for username again
+      	printf "Enter the username: "
+      	read -r NAME
+    done
+
+
+    # ask user for length of password
+    printf "Please enter the length of characters you want your password to be (minimum 12): "
+    read -r LENGTH
+
+    # check length
+    until [[ "$LENGTH" -gt 11 && "$LENGTH" -lt 129 ]]
+    do
+      	echo "Password must be between from 12 to 128 characters, please try again."
+      	# ask user for length of password
+      	printf "Enter the length of characters you want your password to be (minimum 12): "
+      	read -r LENGTH
+    done
+
+    printf "Creating a PiVPN item for your vault..."
+    printf "\n"
+    # create a new item for your PiVPN Password
+    PASSWD=`bw generate -usln --length $LENGTH`
+    bw get template item | jq '.login.type = "1"'| jq '.name = "PiVPN"' | jq -r --arg NAME "$NAME" '.login.username = $NAME' | jq -r --arg PASSWD "$PASSWD" '.login.password = $PASSWD' |  bw encode | bw create item
+    bw logout
+
+}
+
 function keyPASS() {

    if [[ -z "${PASSWD}" ]]; then
@ -137,6 +187,11 @@ EOF

 }

+# bitWarden first
+if [[ "${BITWARDEN}" =~ "2" ]]; then
+    useBitwarden
+fi
+
 if [ -z "${NAME}" ]; then
    printf "Enter a Name for the Client:  "
    read -r NAME
@ -147,7 +202,7 @@ if [[ ${NAME::1} == "." ]] || [[ ${NAME::1} == "-" ]]; then
    exit 1
 fi

-if [[ "${NAME}" =~ [^a-zA-Z0-9\.\-\@\_] ]]; then
+if [[ "${NAME}" =~ [^a-zA-Z0-9.@_-] ]]; then
    echo "Name can only contain alphanumeric characters and these characters (.-@_)."
    exit 1
 fi
--- a/scripts/pivpnDebug.sh
+++ b/scripts/pivpnDebug.sh
@ -13,8 +13,9 @@ echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::"
 git --git-dir /etc/.pivpn/.git log -n 1
 printf "=============================================\n"
 echo -e "::::\t    \e[4mInstallation settings\e[0m    \t ::::"
+# Use the wildcard so setupVars.conf.update.bak from the previous install is not shown
 for filename in /etc/pivpn/*; do
-    if [ "$filename" != "/etc/pivpn/setupVars.conf" ]; then
+    if [[ "$filename" != "/etc/pivpn/setupVars.conf"* ]]; then
        echo "$filename -> $(cat "$filename")"
    fi
 done
@ -56,11 +57,39 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then
            iptables -t nat -F
            iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE
            iptables-save > /etc/iptables/rules.v4
-            iptables-restore < /etc/iptables/rules.v4
            echo "Done"
        fi
    fi

+    if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then
+        if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then
+            echo ":: [OK] Iptables INPUT rule set"
+        else
+            ERR=1
+            read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
+            if [[ ${REPLY} =~ ^[Yy]$ ]]; then
+                iptables -I INPUT 1 -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT
+                iptables-save > /etc/iptables/rules.v4
+                echo "Done"
+            fi
+        fi
+    fi
+
+    if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then
+        if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then
+            echo ":: [OK] Iptables FORWARD rule set"
+        else
+            ERR=1
+            read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
+            if [[ ${REPLY} =~ ^[Yy]$ ]]; then
+                iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+                iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
+                iptables-save > /etc/iptables/rules.v4
+                echo "Done"
+            fi
+        fi
+    fi
+
 else

    if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
@ -151,7 +180,17 @@ fi

 printf "=============================================\n"
 echo -e "::::      \e[4mSnippet of the server log\e[0m      ::::"
-tail -20 /var/log/openvpn.log
+tail -20 /var/log/openvpn.log > /tmp/snippet
+
+# Regular expession taken from https://superuser.com/a/202835, it will match invalid IPs
+# like 123.456.789.012 but it's fine because the log only contains valid ones.
+declare -a IPS_TO_HIDE=($(grepcidr -v 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 /tmp/snippet | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | uniq))
+for IP in "${IPS_TO_HIDE[@]}"; do
+    sed -i "s/$IP/REDACTED/g" /tmp/snippet
+done
+
+cat /tmp/snippet
+rm /tmp/snippet
 printf "=============================================\n"
 echo -e "::::\t\t\e[4mDebug complete\e[0m\t\t ::::"

--- a/scripts/uninstall.sh
+++ b/scripts/uninstall.sh
@ -1,27 +1,14 @@
 #!/usr/bin/env bash
 # PiVPN: Uninstall Script

-# Must be root to uninstall
-if [[ $EUID -eq 0 ]];then
-    echo "::: You are root."
-else
-    echo "::: Sudo will be used for the uninstall."
-  # Check if it is actually installed
-  # If it isn't, exit because the unnstall cannot complete
-  if [[ $(dpkg-query -s sudo) ]];then
-        export SUDO="sudo"
-  else
-    echo "::: Please install sudo or run this as root."
-    exit 1
-  fi
-fi
-
 INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
 PLAT=$(cat /etc/pivpn/DET_PLATFORM)
 NO_UFW=$(cat /etc/pivpn/NO_UFW)
 PORT=$(cat /etc/pivpn/INSTALL_PORT)
 PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
 IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
+INPUT_CHAIN_EDITED="$(cat /etc/pivpn/INPUT_CHAIN_EDITED)"
+FORWARD_CHAIN_EDITED="$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)"

 # Find the rows and columns. Will default to 80x24 if it can not be detected.
 screen_size=$(stty size 2>/dev/null || echo 24 80)
@ -59,7 +46,7 @@ echo ":::"
            while true; do
                read -rp "::: Do you wish to remove $i from your system? [y/n]: " yn
                case $yn in
-                    [Yy]* ) printf ":::\tRemoving %s..." "$i"; $SUDO apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n";
+                    [Yy]* ) printf ":::\tRemoving %s..." "$i"; apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n";
                            if [ "$i" == "openvpn" ]; then UINST_OVPN=1 ; fi
                            if [ "$i" == "unattended-upgrades" ]; then UINST_UNATTUPG=1 ; fi
                            break;;
@ -74,44 +61,57 @@ echo ":::"

    # Take care of any additional package cleaning
    printf "::: Auto removing remaining dependencies..."
-    $SUDO apt-get -y autoremove &> /dev/null & spinner $!; printf "done!\n";
+    apt-get -y autoremove &> /dev/null & spinner $!; printf "done!\n";
    printf "::: Auto cleaning remaining dependencies..."
-    $SUDO apt-get -y autoclean &> /dev/null & spinner $!; printf "done!\n";
+    apt-get -y autoclean &> /dev/null & spinner $!; printf "done!\n";

    echo ":::"
    # Removing pivpn files
    echo "::: Removing pivpn system files..."
-    $SUDO rm -rf /opt/pivpn &> /dev/null
-    $SUDO rm -rf /etc/.pivpn &> /dev/null
-    $SUDO rm -rf /home/$INSTALL_USER/ovpns &> /dev/null
+    rm -rf /opt/pivpn &> /dev/null
+    rm -rf /etc/.pivpn &> /dev/null
+    rm -rf /home/$INSTALL_USER/ovpns &> /dev/null

-    $SUDO rm -rf /var/log/*pivpn* &> /dev/null
-    $SUDO rm -rf /var/log/*openvpn* &> /dev/null
+    rm -rf /var/log/*pivpn* &> /dev/null
+    rm -rf /var/log/*openvpn* &> /dev/null
    if [[ $UINST_OVPN = 1 ]]; then
-        $SUDO rm -rf /etc/openvpn &> /dev/null
+        rm -rf /etc/openvpn &> /dev/null
        if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then
            printf "::: Removing openvpn apt source..."
-            $SUDO rm -rf /etc/apt/sources.list.d/swupdate.openvpn.net.list &> /dev/null
-            $SUDO apt-get -qq update & spinner $!; printf "done!\n";
+            rm -rf /etc/apt/sources.list.d/swupdate.openvpn.net.list &> /dev/null
+            apt-get -qq update & spinner $!; printf "done!\n";
        fi
    fi
    if [[ $UINST_UNATTUPG = 1 ]]; then
-        $SUDO rm -rf /var/log/unattended-upgrades
-        $SUDO rm -rf /etc/apt/apt.conf.d/*periodic
+        rm -rf /var/log/unattended-upgrades
+        rm -rf /etc/apt/apt.conf.d/*periodic
    fi
-    $SUDO rm -rf /etc/pivpn &> /dev/null
-    $SUDO rm /usr/local/bin/pivpn &> /dev/null
-    $SUDO rm /etc/bash_completion.d/pivpn
+    rm -rf /etc/pivpn &> /dev/null
+    rm /usr/local/bin/pivpn &> /dev/null
+    rm /etc/bash_completion.d/pivpn

    # Disable IPv4 forwarding
    sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf
    sysctl -p

    if [[ $NO_UFW -eq 0 ]]; then
-        $SUDO sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
-        $SUDO ufw delete allow "$PORT"/"$PROTO" >/dev/null
-        $SUDO ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
-        $SUDO ufw reload >/dev/null
+      sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
+      ufw delete allow "$PORT"/"$PROTO" >/dev/null
+      ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
+      ufw reload >/dev/null
+  else
+      iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE
+
+      if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
+          iptables -D INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT
+      fi
+
+      if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
+          iptables -D FORWARD -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+          iptables -D FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
+      fi
+
+      iptables-save > /etc/iptables/rules.v4
    fi

    echo ":::"