Revert "Merge test (#929)"

This reverts commit d691321b3e.
2025-04-24 00:00:11 +00:00 · 2020-01-31 20:24:31 +01:00 · 2020-01-31 20:24:31 +01:00 · b8f89ab015
commit b8f89ab015
parent d691321b3e
21 changed files with 507 additions and 692 deletions
--- a/scripts/openvpn/makeOVPN.sh
+++ b/scripts/openvpn/makeOVPN.sh
@ -91,7 +91,7 @@ do
            NO_PASS="1"
            ;;
        -b|--bitwarden)
-            if command -v bw > /dev/null; then
+            if command -v bw &> /dev/null; then
                BITWARDEN="2"
            else
               echo "Bitwarden not found, please install bitwarden"
--- a/scripts/openvpn/pivpnDebug.sh
+++ b/scripts/openvpn/pivpnDebug.sh
@ -2,6 +2,7 @@
 # This scripts runs as root

 setupVars="/etc/pivpn/setupVars.conf"
+ERR=0

 if [ ! -f "${setupVars}" ]; then
    echo "::: Missing setup vars file!"
@ -16,6 +17,14 @@ echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::"
 git --git-dir /etc/.pivpn/.git log -n 1
 printf "=============================================\n"
 echo -e "::::\t    \e[4mInstallation settings\e[0m    \t ::::"
+# Use the wildcard so setupVars.conf.update.bak from the previous install is not shown
+for filename in /etc/pivpn/*; do
+    if [[ "$filename" != "/etc/pivpn/setupVars.conf"* ]]; then
+        echo "$filename -> $(cat "$filename")"
+    fi
+done
+printf "=============================================\n"
+echo -e "::::\t\e[4msetupVars file shown below\e[0m\t ::::"
 sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf
 printf "=============================================\n"
 echo -e "::::  \e[4mServer configuration shown below\e[0m   ::::"
@ -28,7 +37,152 @@ echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::: \e[4m/etc/openv
 ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial
 printf "=============================================\n"
 echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::"
-/opt/pivpn/self_check.sh
+
+if [ "$(cat /proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then
+    echo ":: [OK] IP forwarding is enabled"
+else
+    ERR=1
+    read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY
+    if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+        sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
+        sysctl -p
+        echo "Done"
+    fi
+fi
+
+if [ "$USING_UFW" -eq 0 ]; then
+
+    if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
+        echo ":: [OK] Iptables MASQUERADE rule set"
+    else
+        ERR=1
+        read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
+        if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+            iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
+            iptables-save > /etc/iptables/rules.v4
+            echo "Done"
+        fi
+    fi
+
+    if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
+
+        if iptables -C INPUT -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule" &> /dev/null; then
+            echo ":: [OK] Iptables INPUT rule set"
+        else
+            ERR=1
+            read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
+            if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+                iptables -I INPUT 1 -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule"
+                iptables-save > /etc/iptables/rules.v4
+                echo "Done"
+            fi
+        fi
+    fi
+
+    if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
+
+        if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule" &> /dev/null; then
+            echo ":: [OK] Iptables FORWARD rule set"
+        else
+            ERR=1
+            read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
+            if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+                iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule"
+                iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule"
+                iptables-save > /etc/iptables/rules.v4
+                echo "Done"
+            fi
+        fi
+    fi
+
+else
+
+    if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
+        echo ":: [OK] Ufw is enabled"
+    else
+        ERR=1
+        read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY
+        if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+            ufw enable
+        fi
+    fi
+
+    if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
+        echo ":: [OK] Iptables MASQUERADE rule set"
+    else
+        ERR=1
+        read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
+        if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+            sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE -m comment --comment ${VPN}-nat-rule\nCOMMIT\n" -i /etc/ufw/before.rules
+            ufw reload
+            echo "Done"
+        fi
+    fi
+
+    if iptables -C ufw-user-input -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT &> /dev/null; then
+        echo ":: [OK] Ufw input rule set"
+    else
+        ERR=1
+        read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY
+        if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+            ufw insert 1 allow "$pivpnPORT"/"$pivpnPROTO"
+            ufw reload
+            echo "Done"
+        fi
+    fi
+
+    if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
+        echo ":: [OK] Ufw forwarding rule set"
+    else
+        ERR=1
+        read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
+        if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+            ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any
+            ufw reload
+            echo "Done"
+        fi
+    fi
+
+fi
+
+if systemctl is-active -q openvpn; then
+    echo ":: [OK] OpenVPN is running"
+else
+    ERR=1
+    read -r -p ":: [ERR] OpenVPN is not running, try to start now? [Y/n] " REPLY
+    if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+        systemctl start openvpn
+        echo "Done"
+    fi
+fi
+
+if systemctl is-enabled -q openvpn; then
+    echo ":: [OK] OpenVPN is enabled (it will automatically start on reboot)"
+else
+    ERR=1
+    read -r -p ":: [ERR] OpenVPN is not enabled, try to enable now? [Y/n] " REPLY
+    if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+        systemctl enable openvpn
+        echo "Done"
+    fi
+fi
+
+# grep -w (whole word) is used so port 11940 won't match when looking for 1194
+if netstat -uanpt | grep openvpn | grep -w "${pivpnPORT}" | grep -q "${pivpnPROTO}"; then
+    echo ":: [OK] OpenVPN is listening on port ${pivpnPORT}/${pivpnPROTO}"
+else
+    ERR=1
+    read -r -p ":: [ERR] OpenVPN is not listening, try to restart now? [Y/n] " REPLY
+    if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+        systemctl restart openvpn
+        echo "Done"
+    fi
+fi
+
+if [ "$ERR" -eq 1 ]; then
+    echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues"
+fi
+
 printf "=============================================\n"
 echo -e "::::      \e[4mSnippet of the server log\e[0m      ::::"
 tail -20 /var/log/openvpn.log > /tmp/snippet