mirror of
https://github.com/pivpn/pivpn.git
synced 2024-12-18 19:00:15 +00:00
parent
d691321b3e
commit
b8f89ab015
21 changed files with 507 additions and 692 deletions
|
@ -24,12 +24,12 @@ PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install"
|
|||
PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true"
|
||||
|
||||
# Dependencies that are required by the script, regardless of the VPN protocol chosen
|
||||
BASE_DEPS=(git tar wget curl grep dnsutils whiptail net-tools bsdmainutils)
|
||||
BASE_DEPS=(git tar wget grep dnsutils whiptail net-tools bsdmainutils)
|
||||
|
||||
# Dependencies that where actually installed by the script. For example if the script requires
|
||||
# grep and dnsutils but dnsutils is already installed, we save grep here. This way when uninstalling
|
||||
# PiVPN we won't prompt to remove packages that may have been installed by the user for other reasons
|
||||
INSTALLED_PACKAGES=()
|
||||
TO_INSTALL=()
|
||||
|
||||
easyrsaVer="3.0.6"
|
||||
easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz"
|
||||
|
@ -59,6 +59,11 @@ c=$(( columns / 2 ))
|
|||
r=$(( r < 20 ? 20 : r ))
|
||||
c=$(( c < 70 ? 70 : c ))
|
||||
|
||||
# Find IP used to route to outside world
|
||||
IPv4addr=$(ip route get 192.0.2.1 | awk '{print $7}')
|
||||
IPv4gw=$(ip route get 192.0.2.1 | awk '{print $3}')
|
||||
availableInterfaces=$(ip -o link | awk '/state UP/ {print $2}' | cut -d':' -f1 | cut -d'@' -f1)
|
||||
|
||||
######## SCRIPT ############
|
||||
|
||||
main(){
|
||||
|
@ -190,7 +195,7 @@ main(){
|
|||
fi
|
||||
|
||||
# Save installation setting to the final location
|
||||
echo "INSTALLED_PACKAGES=(${INSTALLED_PACKAGES[*]})" >> /tmp/setupVars.conf
|
||||
echo "TO_INSTALL=(${TO_INSTALL[*]})" >> /tmp/setupVars.conf
|
||||
$SUDO cp /tmp/setupVars.conf "$setupVars"
|
||||
|
||||
installScripts
|
||||
|
@ -230,7 +235,7 @@ askAboutExistingInstall(){
|
|||
# distroCheck, maybeOSSupport, noOSSupport
|
||||
distroCheck(){
|
||||
# if lsb_release command is on their system
|
||||
if command -v lsb_release > /dev/null; then
|
||||
if hash lsb_release 2>/dev/null; then
|
||||
|
||||
PLAT=$(lsb_release -si)
|
||||
OSCN=$(lsb_release -sc)
|
||||
|
@ -330,7 +335,7 @@ spinner(){
|
|||
local pid=$1
|
||||
local delay=0.50
|
||||
local spinstr='/-\|'
|
||||
while ps a | awk '{print $1}' | grep -q "$pid"; do
|
||||
while ps a | awk '{print $1}' | grep "${pid}"; do
|
||||
local temp=${spinstr#?}
|
||||
printf " [%c] " "${spinstr}"
|
||||
local spinstr=${temp}${spinstr%"$temp"}
|
||||
|
@ -394,7 +399,7 @@ updatePackageCache(){
|
|||
echo ":::"
|
||||
echo -ne "::: ${PKG_MANAGER} update has not been run today. Running now...\\n"
|
||||
# shellcheck disable=SC2086
|
||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null
|
||||
echo " done!"
|
||||
fi
|
||||
}
|
||||
|
@ -431,7 +436,7 @@ preconfigurePackages(){
|
|||
|
||||
# if ufw is enabled, configure that.
|
||||
# running as root because sometimes the executable is not in the user's $PATH
|
||||
if $SUDO bash -c 'command -v ufw' > /dev/null; then
|
||||
if $SUDO bash -c 'hash ufw' 2>/dev/null; then
|
||||
if LANG=en_US.UTF-8 $SUDO ufw status | grep -q inactive; then
|
||||
USING_UFW=0
|
||||
else
|
||||
|
@ -451,8 +456,6 @@ preconfigurePackages(){
|
|||
}
|
||||
|
||||
installDependentPackages(){
|
||||
declare -a TO_INSTALL=()
|
||||
|
||||
# Install packages passed in via argument array
|
||||
# No spinner - conflicts with set -e
|
||||
declare -a argArray1=("${!1}")
|
||||
|
@ -460,37 +463,18 @@ installDependentPackages(){
|
|||
for i in "${argArray1[@]}"; do
|
||||
echo -n "::: Checking for $i..."
|
||||
if dpkg-query -W -f='${Status}' "${i}" 2>/dev/null | grep -q "ok installed"; then
|
||||
echo " already installed!"
|
||||
echo " installed!"
|
||||
else
|
||||
echo " not installed!"
|
||||
# Add this package to the list of packages in the argument array that need to be installed
|
||||
TO_INSTALL+=("${i}")
|
||||
echo " not installed!"
|
||||
fi
|
||||
done
|
||||
|
||||
if command -v debconf-apt-progress > /dev/null; then
|
||||
if command -v debconf-apt-progress &> /dev/null; then
|
||||
# shellcheck disable=SC2086
|
||||
$SUDO debconf-apt-progress -- ${PKG_INSTALL} "${TO_INSTALL[@]}"
|
||||
$SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}"
|
||||
else
|
||||
# shellcheck disable=SC2086
|
||||
$SUDO ${PKG_INSTALL} "${TO_INSTALL[@]}"
|
||||
fi
|
||||
|
||||
local FAILED=0
|
||||
|
||||
for i in "${TO_INSTALL[@]}"; do
|
||||
if dpkg-query -W -f='${Status}' "${i}" 2>/dev/null | grep -q "ok installed"; then
|
||||
echo "::: Package $i successfully installed!"
|
||||
# Add this package to the total list of packages that were actually installed by the script
|
||||
INSTALLED_PACKAGES+=("${i}")
|
||||
else
|
||||
echo "::: Failed to install $i!"
|
||||
((FAILED++))
|
||||
fi
|
||||
done
|
||||
|
||||
if [ "$FAILED" -gt 0 ]; then
|
||||
exit 1
|
||||
${PKG_INSTALL} "${argArray1[@]}"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -523,9 +507,6 @@ local chooseInterfaceOptions
|
|||
# Loop sentinel variable
|
||||
local firstloop=1
|
||||
|
||||
# Find network interfaces whose state is UP, so as to skip virtual interfaces and the loopback interface
|
||||
availableInterfaces=$(ip -o link | awk '/state UP/ {print $2}' | cut -d':' -f1 | cut -d'@' -f1)
|
||||
|
||||
if [ -z "$availableInterfaces" ]; then
|
||||
echo "::: Could not find any active network interface, exiting"
|
||||
exit 1
|
||||
|
@ -608,56 +589,39 @@ validIP(){
|
|||
return $stat
|
||||
}
|
||||
|
||||
validIPAndNetmask(){
|
||||
local ip=$1
|
||||
local stat=1
|
||||
ip="${ip/\//.}"
|
||||
|
||||
if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,2}$ ]]; then
|
||||
OIFS=$IFS
|
||||
IFS='.'
|
||||
read -r -a ip <<< "$ip"
|
||||
IFS=$OIFS
|
||||
[[ ${ip[0]} -le 255 && ${ip[1]} -le 255 \
|
||||
&& ${ip[2]} -le 255 && ${ip[3]} -le 255 \
|
||||
&& ${ip[4]} -le 32 ]]
|
||||
stat=$?
|
||||
fi
|
||||
return $stat
|
||||
}
|
||||
|
||||
getStaticIPv4Settings() {
|
||||
# Find the gateway IP used to route to outside world
|
||||
CurrentIPv4gw="$(ip -o route get 192.0.2.1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk 'NR==2')"
|
||||
|
||||
# Find the IP address (and netmask) of the desidered interface
|
||||
CurrentIPv4addr="$(ip -o -f inet address show dev "${IPv4dev}" | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/[0-9]{1,2}')"
|
||||
|
||||
# Grab their current DNS servers
|
||||
IPv4dns=$(grep -v "^#" /etc/resolv.conf | grep -w nameserver | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | xargs)
|
||||
# Grab their current DNS Server
|
||||
IPv4dns=$(grep nameserver /etc/resolv.conf | awk '{print $2}' | xargs)
|
||||
|
||||
if [ "${runUnattended}" = 'true' ]; then
|
||||
|
||||
if [ -z "$dhcpReserv" ] || [ "$dhcpReserv" -ne 1 ]; then
|
||||
local MISSING_STATIC_IPV4_SETTINGS=0
|
||||
local INVALID_STATIC_IPV4_SETTINGS=0
|
||||
|
||||
if [ -z "$IPv4addr" ]; then
|
||||
echo "::: Missing static IP address"
|
||||
((MISSING_STATIC_IPV4_SETTINGS++))
|
||||
INVALID_STATIC_IPV4_SETTINGS=1
|
||||
fi
|
||||
|
||||
if [ -z "$IPv4gw" ]; then
|
||||
echo "::: Missing static IP gateway"
|
||||
((MISSING_STATIC_IPV4_SETTINGS++))
|
||||
INVALID_STATIC_IPV4_SETTINGS=1
|
||||
fi
|
||||
|
||||
if [ "$MISSING_STATIC_IPV4_SETTINGS" -eq 0 ]; then
|
||||
if [ "$INVALID_STATIC_IPV4_SETTINGS" -eq 1 ]; then
|
||||
echo "::: Incomplete static IP settings"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# If both settings are not empty, check if they are valid and proceed
|
||||
if validIPAndNetmask "${IPv4addr}"; then
|
||||
if [ -z "$IPv4addr" ] && [ -z "$IPv4gw" ]; then
|
||||
echo "::: No static IP settings, using current settings"
|
||||
echo "::: Your static IPv4 address: ${IPv4addr}"
|
||||
echo "::: Your static IPv4 gateway: ${IPv4gw}"
|
||||
else
|
||||
if validIP "${IPv4addr%/*}"; then
|
||||
echo "::: Your static IPv4 address: ${IPv4addr}"
|
||||
else
|
||||
echo "::: ${IPv4addr} is not a valid IP address"
|
||||
echo "::: ${IPv4addr%/*} is not a valid IP address"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
@ -667,45 +631,26 @@ getStaticIPv4Settings() {
|
|||
echo "::: ${IPv4gw} is not a valid IP address"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
elif [ "$MISSING_STATIC_IPV4_SETTINGS" -eq 1 ]; then
|
||||
|
||||
# If either of the settings is missing, consider the input inconsistent
|
||||
echo "::: Incomplete static IP settings"
|
||||
exit 1
|
||||
|
||||
elif [ "$MISSING_STATIC_IPV4_SETTINGS" -eq 2 ]; then
|
||||
|
||||
# If both of the settings are missing, assume the user wants to use current settings
|
||||
IPv4addr="${CurrentIPv4addr}"
|
||||
IPv4gw="${CurrentIPv4gw}"
|
||||
echo "::: No static IP settings, using current settings"
|
||||
echo "::: Your static IPv4 address: ${IPv4addr}"
|
||||
echo "::: Your static IPv4 gateway: ${IPv4gw}"
|
||||
|
||||
fi
|
||||
else
|
||||
echo "::: Skipping setting static IP address"
|
||||
fi
|
||||
|
||||
echo "dhcpReserv=${dhcpReserv}" >> /tmp/setupVars.conf
|
||||
echo "IPv4addr=${IPv4addr}" >> /tmp/setupVars.conf
|
||||
echo "IPv4addr=${IPv4addr%/*}" >> /tmp/setupVars.conf
|
||||
echo "IPv4gw=${IPv4gw}" >> /tmp/setupVars.conf
|
||||
return
|
||||
fi
|
||||
|
||||
local ipSettingsCorrect
|
||||
local IPv4AddrValid
|
||||
local IPv4gwValid
|
||||
# Some users reserve IP addresses on another DHCP Server or on their routers,
|
||||
# Lets ask them if they want to make any changes to their interfaces.
|
||||
|
||||
if (whiptail --backtitle "Calibrating network interface" --title "DHCP Reservation" --yesno --defaultno \
|
||||
if (whiptail --backtitle "Calibrating network interface" --title "DHCP Reservation" --yesno \
|
||||
"Are you Using DHCP Reservation on your Router/DHCP Server?
|
||||
These are your current Network Settings:
|
||||
|
||||
IP address: ${CurrentIPv4addr}
|
||||
Gateway: ${CurrentIPv4gw}
|
||||
IP address: ${IPv4addr}
|
||||
Gateway: ${IPv4gw}
|
||||
|
||||
Yes: Keep using DHCP reservation
|
||||
No: Setup static IP address
|
||||
|
@ -713,20 +658,16 @@ Don't know what DHCP Reservation is? Answer No." ${r} ${c}); then
|
|||
dhcpReserv=1
|
||||
# shellcheck disable=SC2129
|
||||
echo "dhcpReserv=${dhcpReserv}" >> /tmp/setupVars.conf
|
||||
# We don't really need to save them as we won't set a static IP but they might be useful for debugging
|
||||
echo "IPv4addr=${CurrentIPv4addr}" >> /tmp/setupVars.conf
|
||||
echo "IPv4gw=${CurrentIPv4gw}" >> /tmp/setupVars.conf
|
||||
echo "IPv4addr=${IPv4addr%/*}" >> /tmp/setupVars.conf
|
||||
echo "IPv4gw=${IPv4gw}" >> /tmp/setupVars.conf
|
||||
else
|
||||
# Ask if the user wants to use DHCP settings as their static IP
|
||||
if (whiptail --backtitle "Calibrating network interface" --title "Static IP Address" --yesno "Do you want to use your current network settings as a static address?
|
||||
IP address: ${IPv4addr}
|
||||
Gateway: ${IPv4gw}" ${r} ${c}); then
|
||||
|
||||
IP address: ${CurrentIPv4addr}
|
||||
Gateway: ${CurrentIPv4gw}" ${r} ${c}); then
|
||||
IPv4addr=${CurrentIPv4addr}
|
||||
IPv4gw=${CurrentIPv4gw}
|
||||
echo "IPv4addr=${IPv4addr}" >> /tmp/setupVars.conf
|
||||
echo "IPv4addr=${IPv4addr%/*}" >> /tmp/setupVars.conf
|
||||
echo "IPv4gw=${IPv4gw}" >> /tmp/setupVars.conf
|
||||
|
||||
# If they choose yes, let the user know that the IP address will not be available via DHCP and may cause a conflict.
|
||||
whiptail --msgbox --backtitle "IP information" --title "FYI: IP Conflict" "It is possible your router could still try to assign this IP to a device, which would cause a conflict. But in most cases the router is smart enough to not do that.
|
||||
If you are worried, either manually set the address, or modify the DHCP reservation pool so it does not include the IP you want.
|
||||
|
@ -737,58 +678,36 @@ It is also possible to use a DHCP reservation, but if you are going to do that,
|
|||
# Start by getting the IPv4 address (pre-filling it with info gathered from DHCP)
|
||||
# Start a loop to let the user enter their information with the chance to go back and edit it if necessary
|
||||
until [[ ${ipSettingsCorrect} = True ]]; do
|
||||
|
||||
until [[ ${IPv4AddrValid} = True ]]; do
|
||||
# Ask for the IPv4 address
|
||||
if IPv4addr=$(whiptail --backtitle "Calibrating network interface" --title "IPv4 address" --inputbox "Enter your desired IPv4 address" ${r} ${c} "${CurrentIPv4addr}" 3>&1 1>&2 2>&3) ; then
|
||||
if validIPAndNetmask "${IPv4addr}"; then
|
||||
if IPv4addr=$(whiptail --backtitle "Calibrating network interface" --title "IPv4 address" --inputbox "Enter your desired IPv4 address" ${r} ${c} "${IPv4addr}" 3>&1 1>&2 2>&3) ; then
|
||||
echo "::: Your static IPv4 address: ${IPv4addr}"
|
||||
IPv4AddrValid=True
|
||||
else
|
||||
whiptail --msgbox --backtitle "Calibrating network interface" --title "IPv4 address" "You've entered an invalid IP address: ${IPv4addr}\\n\\nPlease enter an IP address in the CIDR notation, example: 192.168.23.211/24\\n\\nIf you are not sure, please just keep the default." ${r} ${c}
|
||||
echo "::: Invalid IPv4 address: ${IPv4addr}"
|
||||
IPv4AddrValid=False
|
||||
fi
|
||||
else
|
||||
# Cancelling IPv4 settings window
|
||||
echo "::: Cancel selected. Exiting..."
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
until [[ ${IPv4gwValid} = True ]]; do
|
||||
# Ask for the gateway
|
||||
if IPv4gw=$(whiptail --backtitle "Calibrating network interface" --title "IPv4 gateway (router)" --inputbox "Enter your desired IPv4 default gateway" ${r} ${c} "${CurrentIPv4gw}" 3>&1 1>&2 2>&3) ; then
|
||||
if validIP "${IPv4gw}"; then
|
||||
if IPv4gw=$(whiptail --backtitle "Calibrating network interface" --title "IPv4 gateway (router)" --inputbox "Enter your desired IPv4 default gateway" ${r} ${c} "${IPv4gw}" 3>&1 1>&2 2>&3) ; then
|
||||
echo "::: Your static IPv4 gateway: ${IPv4gw}"
|
||||
IPv4gwValid=True
|
||||
else
|
||||
whiptail --msgbox --backtitle "Calibrating network interface" --title "IPv4 gateway (router)" "You've entered an invalid gateway IP: ${IPv4gw}\\n\\nPlease enter the IP address of your gateway (router), example: 192.168.23.1\\n\\nIf you are not sure, please just keep the default." ${r} ${c}
|
||||
echo "::: Invalid IPv4 gateway: ${IPv4gw}"
|
||||
IPv4gwValid=False
|
||||
fi
|
||||
else
|
||||
# Cancelling gateway settings window
|
||||
echo "::: Cancel selected. Exiting..."
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
# Give the user a chance to review their settings before moving on
|
||||
if (whiptail --backtitle "Calibrating network interface" --title "Static IP Address" --yesno "Are these settings correct?
|
||||
|
||||
IP address: ${IPv4addr}
|
||||
Gateway: ${IPv4gw}" ${r} ${c}); then
|
||||
# If the settings are correct, then we need to set the pivpnIP
|
||||
echo "IPv4addr=${IPv4addr}" >> /tmp/setupVars.conf
|
||||
echo "IPv4addr=${IPv4addr%/*}" >> /tmp/setupVars.conf
|
||||
echo "IPv4gw=${IPv4gw}" >> /tmp/setupVars.conf
|
||||
# After that's done, the loop ends and we move on
|
||||
ipSettingsCorrect=True
|
||||
else
|
||||
# If the settings are wrong, the loop continues
|
||||
ipSettingsCorrect=False
|
||||
IPv4AddrValid=False
|
||||
IPv4gwValid=False
|
||||
fi
|
||||
else
|
||||
# Cancelling gateway settings window
|
||||
ipSettingsCorrect=False
|
||||
echo "::: Cancel selected. Exiting..."
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
# Cancelling IPv4 settings window
|
||||
ipSettingsCorrect=False
|
||||
echo "::: Cancel selected. Exiting..."
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
# End the if statement for DHCP vs. static
|
||||
|
@ -1045,29 +964,18 @@ askWhichVPN(){
|
|||
installOpenVPN(){
|
||||
local PIVPN_DEPS
|
||||
|
||||
echo "::: Installing OpenVPN from Debian package... "
|
||||
|
||||
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
|
||||
echo "::: Adding OpenVPN repository... "
|
||||
# gnupg is used to add the openvpn PGP key to the APT keyring
|
||||
PIVPN_DEPS=(gnupg)
|
||||
installDependentPackages PIVPN_DEPS[@]
|
||||
|
||||
# We will download the repository key regardless of whether the user
|
||||
# has already enabled the openvpn repository or not, just to make sure
|
||||
# we have the right key
|
||||
echo "::: Adding repository key..."
|
||||
wget -qO- https://swupdate.openvpn.net/repos/repo-public.gpg | $SUDO apt-key add -
|
||||
|
||||
if ! grep -qR "deb http.\?://build.openvpn.net/debian/openvpn/stable.\? $OSCN main" /etc/apt/sources.list*; then
|
||||
echo "::: Adding OpenVPN repository... "
|
||||
echo "deb https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null
|
||||
fi
|
||||
|
||||
echo "::: Updating package cache..."
|
||||
# shellcheck disable=SC2086
|
||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null
|
||||
fi
|
||||
|
||||
echo "::: Installing OpenVPN from Debian package... "
|
||||
# grepcidr is used to redact IPs in the debug log whereas expect is used
|
||||
# to feed easy-rsa with passwords
|
||||
PIVPN_DEPS=(openvpn grepcidr expect)
|
||||
|
@ -1075,8 +983,6 @@ installOpenVPN(){
|
|||
}
|
||||
|
||||
installWireGuard(){
|
||||
local PIVPN_DEPS
|
||||
|
||||
if [ "$PLAT" = "Raspbian" ]; then
|
||||
|
||||
# If the running kernel is older than the kernel from the repo, dkms will
|
||||
|
@ -1130,28 +1036,19 @@ installWireGuard(){
|
|||
if [ "$(uname -m)" = "armv7l" ]; then
|
||||
|
||||
echo "::: Installing WireGuard from Debian package... "
|
||||
# dirmngr is used to download repository keys for the unstable repo
|
||||
PIVPN_DEPS=(dirmngr)
|
||||
# dirmngr is used to download repository keys, whereas qrencode is used to generate qrcodes
|
||||
# from config file, for use with mobile clients
|
||||
PIVPN_DEPS=(dirmngr qrencode)
|
||||
installDependentPackages PIVPN_DEPS[@]
|
||||
|
||||
echo "::: Adding repository keys..."
|
||||
$SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
|
||||
|
||||
# This regular expression should match combinations like http[s]://mirror.example.com/debian[/] unstable main
|
||||
if ! grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then
|
||||
# Do not upgrade packages from the unstable repository except for wireguard
|
||||
echo "::: Adding Debian repository... "
|
||||
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
|
||||
fi
|
||||
|
||||
# Do not upgrade packages from the unstable repository except for wireguard
|
||||
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release a=unstable\nPin-Priority: 500\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
|
||||
|
||||
echo "::: Updating package cache..."
|
||||
$SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
|
||||
# shellcheck disable=SC2086
|
||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||
|
||||
# qrencode is used to generate qrcodes from config file, for use with mobile clients
|
||||
PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms qrencode)
|
||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null
|
||||
PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms)
|
||||
installDependentPackages PIVPN_DEPS[@]
|
||||
|
||||
elif [ "$(uname -m)" = "armv6l" ]; then
|
||||
|
@ -1167,7 +1064,7 @@ installWireGuard(){
|
|||
WG_TOOLS_SOURCE="https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${WG_TOOLS_SNAPSHOT}.tar.xz"
|
||||
|
||||
echo "::: Downloading wireguard-tools source code... "
|
||||
wget -qO- "${WG_TOOLS_SOURCE}" | $SUDO tar xJ --directory /usr/src
|
||||
wget -qO- "${WG_TOOLS_SOURCE}" | $SUDO tar Jxf - --directory /usr/src
|
||||
echo "done!"
|
||||
|
||||
## || exits if cd fails.
|
||||
|
@ -1188,7 +1085,7 @@ installWireGuard(){
|
|||
# files from the file system
|
||||
echo "::: Installing WireGuard tools... "
|
||||
if $SUDO checkinstall --pkgname wireguard-tools --pkgversion "${WG_TOOLS_SNAPSHOT}" -y; then
|
||||
INSTALLED_PACKAGES+=("wireguard-tools")
|
||||
TO_INSTALL+=("wireguard-tools")
|
||||
echo "done!"
|
||||
else
|
||||
echo "failed!"
|
||||
|
@ -1201,16 +1098,16 @@ installWireGuard(){
|
|||
WG_MODULE_SOURCE="https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WG_MODULE_SNAPSHOT}.tar.xz"
|
||||
|
||||
echo "::: Downloading wireguard-linux-compat source code... "
|
||||
wget -qO- "${WG_MODULE_SOURCE}" | $SUDO tar xJ --directory /usr/src
|
||||
wget -qO- "${WG_MODULE_SOURCE}" | $SUDO tar Jxf - --directory /usr/src
|
||||
echo "done!"
|
||||
|
||||
# Rename wireguard-linux-compat folder and move the source code to the parent folder
|
||||
# such that dkms picks up the module when referencing wireguard/"${WG_MODULE_SNAPSHOT}"
|
||||
cd /usr/src && \
|
||||
$SUDO mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}" && \
|
||||
$SUDO mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}"
|
||||
cd wireguard-"${WG_MODULE_SNAPSHOT}" && \
|
||||
$SUDO mv src/* . && \
|
||||
$SUDO rmdir src || exit 1
|
||||
$SUDO rmdir src
|
||||
|
||||
echo "::: Adding WireGuard modules via DKMS... "
|
||||
if $SUDO dkms add wireguard/"${WG_MODULE_SNAPSHOT}"; then
|
||||
|
@ -1232,7 +1129,7 @@ installWireGuard(){
|
|||
|
||||
echo "::: Installing WireGuard modules via DKMS... "
|
||||
if $SUDO dkms install wireguard/"${WG_MODULE_SNAPSHOT}"; then
|
||||
INSTALLED_PACKAGES+=("wireguard-dkms")
|
||||
TO_INSTALL+=("wireguard-dkms")
|
||||
echo "done!"
|
||||
else
|
||||
echo "failed!"
|
||||
|
@ -1247,17 +1144,11 @@ installWireGuard(){
|
|||
elif [ "$PLAT" = "Debian" ]; then
|
||||
|
||||
echo "::: Installing WireGuard from Debian package... "
|
||||
if ! grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then
|
||||
echo "::: Adding Debian repository... "
|
||||
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
|
||||
fi
|
||||
|
||||
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
|
||||
|
||||
echo "::: Updating package cache..."
|
||||
# shellcheck disable=SC2086
|
||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||
|
||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null
|
||||
PIVPN_DEPS=(linux-headers-amd64 qrencode wireguard wireguard-tools wireguard-dkms)
|
||||
installDependentPackages PIVPN_DEPS[@]
|
||||
|
||||
|
@ -1265,11 +1156,7 @@ installWireGuard(){
|
|||
|
||||
echo "::: Installing WireGuard from PPA... "
|
||||
$SUDO add-apt-repository ppa:wireguard/wireguard -y
|
||||
|
||||
echo "::: Updating package cache..."
|
||||
# shellcheck disable=SC2086
|
||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||
|
||||
$SUDO ${UPDATE_PKG_CACHE}
|
||||
PIVPN_DEPS=(qrencode wireguard wireguard-tools wireguard-dkms linux-headers-generic)
|
||||
installDependentPackages PIVPN_DEPS[@]
|
||||
|
||||
|
@ -1415,10 +1302,11 @@ askClientDNS(){
|
|||
fi
|
||||
|
||||
# Detect and offer to use Pi-hole
|
||||
if command -v pihole > /dev/null; then
|
||||
if command -v pihole &>/dev/null; then
|
||||
if (whiptail --backtitle "Setup PiVPN" --title "Pi-hole" --yesno "We have detected a Pi-hole installation, do you want to use it as the DNS server for the VPN, so you get ad blocking on the go?" ${r} ${c}); then
|
||||
pivpnDNS1="$vpnGw"
|
||||
echo "interface=$pivpnDEV" | $SUDO tee /etc/dnsmasq.d/02-pivpn.conf > /dev/null
|
||||
$SUDO pihole restartdns
|
||||
echo "pivpnDNS1=${pivpnDNS1}" >> /tmp/setupVars.conf
|
||||
echo "pivpnDNS2=${pivpnDNS2}" >> /tmp/setupVars.conf
|
||||
return
|
||||
|
@ -1592,45 +1480,35 @@ askPublicIPOrDNS(){
|
|||
return
|
||||
fi
|
||||
|
||||
local publicDNSCorrect
|
||||
local publicDNSValid
|
||||
|
||||
if METH=$(whiptail --title "Public IP or DNS" --radiolist "Will clients use a Public IP or DNS Name to connect to your server (press space to select)?" ${r} ${c} 2 \
|
||||
METH=$(whiptail --title "Public IP or DNS" --radiolist "Will clients use a Public IP or DNS Name to connect to your server (press space to select)?" ${r} ${c} 2 \
|
||||
"$IPv4pub" "Use this public IP" "ON" \
|
||||
"DNS Entry" "Use a public DNS" "OFF" 3>&1 1>&2 2>&3); then
|
||||
"DNS Entry" "Use a public DNS" "OFF" 3>&1 1>&2 2>&3)
|
||||
|
||||
if [ "$METH" = "$IPv4pub" ]; then
|
||||
exitstatus=$?
|
||||
if [ $exitstatus != 0 ]; then
|
||||
echo "::: Cancel selected. Exiting..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "$METH" == "$IPv4pub" ]; then
|
||||
pivpnHOST="${IPv4pub}"
|
||||
else
|
||||
until [[ ${publicDNSCorrect} = True ]]; do
|
||||
|
||||
until [[ ${publicDNSValid} = True ]]; do
|
||||
if PUBLICDNS=$(whiptail --title "PiVPN Setup" --inputbox "What is the public DNS name of this Server?" ${r} ${c} 3>&1 1>&2 2>&3); then
|
||||
if validDomain "$PUBLICDNS"; then
|
||||
publicDNSValid=True
|
||||
until [[ $publicDNSCorrect = True ]]
|
||||
do
|
||||
PUBLICDNS=$(whiptail --title "PiVPN Setup" --inputbox "What is the public DNS name of this Server?" ${r} ${c} 3>&1 1>&2 2>&3)
|
||||
exitstatus=$?
|
||||
if [ $exitstatus != 0 ]; then
|
||||
echo "::: Cancel selected. Exiting..."
|
||||
exit 1
|
||||
fi
|
||||
if (whiptail --backtitle "Confirm DNS Name" --title "Confirm DNS Name" --yesno "Is this correct?\\n\\n Public DNS Name: $PUBLICDNS" ${r} ${c}) then
|
||||
publicDNSCorrect=True
|
||||
pivpnHOST="${PUBLICDNS}"
|
||||
else
|
||||
whiptail --msgbox --backtitle "PiVPN Setup" --title "Invalid DNS name" "This DNS name is invalid. Please try again.\\n\\n DNS name: $PUBLICDNS\\n" ${r} ${c}
|
||||
publicDNSValid=False
|
||||
fi
|
||||
else
|
||||
echo "::: Cancel selected. Exiting..."
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
if (whiptail --backtitle "PiVPN Setup" --title "Confirm DNS Name" --yesno "Is this correct?\\n\\n Public DNS Name: $PUBLICDNS" ${r} ${c}) then
|
||||
publicDNSCorrect=True
|
||||
else
|
||||
publicDNSCorrect=False
|
||||
publicDNSValid=False
|
||||
fi
|
||||
done
|
||||
fi
|
||||
else
|
||||
echo "::: Cancel selected. Exiting..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "pivpnHOST=${pivpnHOST}" >> /tmp/setupVars.conf
|
||||
}
|
||||
|
@ -1669,21 +1547,17 @@ askEncryption(){
|
|||
fi
|
||||
fi
|
||||
|
||||
if [ -z "$USE_PREDEFINED_DH_PARAM" ]; then
|
||||
USE_PREDEFINED_DH_PARAM=1
|
||||
echo "::: Pre-defined DH parameters will be used"
|
||||
else
|
||||
if [ "$USE_PREDEFINED_DH_PARAM" -eq 1 ]; then
|
||||
echo "::: Pre-defined DH parameters will be used"
|
||||
else
|
||||
if [ -z "$DOWNLOAD_DH_PARAM" ] || [ "$DOWNLOAD_DH_PARAM" -ne 1 ]; then
|
||||
DOWNLOAD_DH_PARAM=0
|
||||
echo "::: DH parameters will be generated locally"
|
||||
fi
|
||||
else
|
||||
echo "::: DH parameters will be downloaded from \"2 Ton Digital\""
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "TWO_POINT_FOUR=${TWO_POINT_FOUR}" >> /tmp/setupVars.conf
|
||||
echo "pivpnENCRYPT=${pivpnENCRYPT}" >> /tmp/setupVars.conf
|
||||
echo "USE_PREDEFINED_DH_PARAM=${USE_PREDEFINED_DH_PARAM}" >> /tmp/setupVars.conf
|
||||
echo "DOWNLOAD_DH_PARAM=${DOWNLOAD_DH_PARAM}" >> /tmp/setupVars.conf
|
||||
return
|
||||
fi
|
||||
|
||||
|
@ -1709,15 +1583,15 @@ askEncryption(){
|
|||
exit 1
|
||||
fi
|
||||
|
||||
if ([ "$pivpnENCRYPT" -ge 2048 ] && whiptail --backtitle "Setup OpenVPN" --title "Generate Diffie-Hellman Parameters" --yesno "Generating DH parameters can take many hours on a Raspberry Pi. You can instead use Pre-defined DH parameters recommended by the Internet Engineering Task Force.\\n\\nMore information about those can be found here: https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups\\n\\nIf you want unique parameters, choose 'No' and new Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then
|
||||
USE_PREDEFINED_DH_PARAM=1
|
||||
if ([ "$pivpnENCRYPT" -ge 3072 ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\\n\\nGenerating DH parameters for a $pivpnENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from their database.\\nMore information about this service can be found here: https://2ton.com.au/safeprimes/\\n\\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then
|
||||
DOWNLOAD_DH_PARAM=1
|
||||
else
|
||||
USE_PREDEFINED_DH_PARAM=0
|
||||
DOWNLOAD_DH_PARAM=0
|
||||
fi
|
||||
|
||||
echo "TWO_POINT_FOUR=${TWO_POINT_FOUR}" >> /tmp/setupVars.conf
|
||||
echo "pivpnENCRYPT=${pivpnENCRYPT}" >> /tmp/setupVars.conf
|
||||
echo "USE_PREDEFINED_DH_PARAM=${USE_PREDEFINED_DH_PARAM}" >> /tmp/setupVars.conf
|
||||
echo "DOWNLOAD_DH_PARAM=${DOWNLOAD_DH_PARAM}" >> /tmp/setupVars.conf
|
||||
}
|
||||
|
||||
confOpenVPN(){
|
||||
|
@ -1743,7 +1617,7 @@ confOpenVPN(){
|
|||
fi
|
||||
|
||||
# Get easy-rsa
|
||||
wget -qO- "${easyrsaRel}" | $SUDO tar xz --directory /etc/openvpn
|
||||
wget -qO- "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn
|
||||
$SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa
|
||||
# fix ownership
|
||||
$SUDO chown -R root:root /etc/openvpn/easy-rsa
|
||||
|
@ -1786,13 +1660,13 @@ set_var EASYRSA_ALGO ${pivpnCERT}" | $SUDO tee vars >/dev/null
|
|||
${SUDOE} ./easyrsa --batch build-ca nopass
|
||||
printf "\\n::: CA Complete.\\n"
|
||||
|
||||
if [ "$pivpnCERT" = "rsa" ] && [ "$USE_PREDEFINED_DH_PARAM" -ne 1 ]; then
|
||||
if [ "$pivpnCERT" = "rsa" ]; then
|
||||
if [ "${runUnattended}" = 'true' ]; then
|
||||
echo "::: The server key, Diffie-Hellman parameters, and HMAC key will now be generated."
|
||||
else
|
||||
whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman parameters, and HMAC key will now be generated." ${r} ${c}
|
||||
fi
|
||||
elif [ "$pivpnCERT" = "ec" ] || { [ "$pivpnCERT" = "rsa" ] && [ "$USE_PREDEFINED_DH_PARAM" -eq 1 ]; }; then
|
||||
elif [ "$pivpnCERT" = "ec" ]; then
|
||||
if [ "${runUnattended}" = 'true' ]; then
|
||||
echo "::: The server key and HMAC key will now be generated."
|
||||
else
|
||||
|
@ -1804,13 +1678,13 @@ set_var EASYRSA_ALGO ${pivpnCERT}" | $SUDO tee vars >/dev/null
|
|||
EASYRSA_CERT_EXPIRE=3650 ${SUDOE} ./easyrsa build-server-full "${SERVER_NAME}" nopass
|
||||
|
||||
if [ "$pivpnCERT" = "rsa" ]; then
|
||||
if [ "${USE_PREDEFINED_DH_PARAM}" -eq 1 ]; then
|
||||
# Use Diffie-Hellman parameters from RFC 7919 (FFDHE)
|
||||
${SUDOE} install -m 644 "${pivpnFilesDir}"/files/etc/openvpn/easy-rsa/pki/ffdhe"${pivpnENCRYPT}".pem pki/dh"${pivpnENCRYPT}".pem
|
||||
if [ ${DOWNLOAD_DH_PARAM} -eq 1 ]; then
|
||||
# Downloading parameters
|
||||
${SUDOE} curl -s "https://2ton.com.au/getprimes/random/dhparam/${pivpnENCRYPT}" -o "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem"
|
||||
else
|
||||
# Generate Diffie-Hellman key exchange
|
||||
${SUDOE} ./easyrsa gen-dh
|
||||
${SUDOE} mv pki/dh.pem pki/dh"${pivpnENCRYPT}".pem
|
||||
${SUDOE} mv "pki/dh.pem" "pki/dh${pivpnENCRYPT}.pem"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -1826,7 +1700,7 @@ set_var EASYRSA_ALGO ${pivpnCERT}" | $SUDO tee vars >/dev/null
|
|||
${SUDOE} chown "$debianOvpnUserGroup" /etc/openvpn/crl.pem
|
||||
|
||||
# Write config file for server using the template.txt file
|
||||
$SUDO install -m 644 "$pivpnFilesDir"/files/etc/openvpn/server_config.txt /etc/openvpn/server.conf
|
||||
$SUDO cp $pivpnFilesDir/server_config.txt /etc/openvpn/server.conf
|
||||
|
||||
# Apply client DNS settings
|
||||
${SUDOE} sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${pivpnDNS1}'\"/' /etc/openvpn/server.conf
|
||||
|
@ -1873,7 +1747,7 @@ set_var EASYRSA_ALGO ${pivpnCERT}" | $SUDO tee vars >/dev/null
|
|||
}
|
||||
|
||||
confOVPN(){
|
||||
$SUDO install -m 644 "$pivpnFilesDir"/files/etc/openvpn/easy-rsa/pki/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
|
||||
$SUDO cp $pivpnFilesDir/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
|
||||
|
||||
$SUDO sed -i 's/IPv4pub/'"$pivpnHOST"'/' /etc/openvpn/easy-rsa/pki/Default.txt
|
||||
|
||||
|
@ -2077,10 +1951,6 @@ restartServices(){
|
|||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -f /etc/dnsmasq.d/02-pivpn.conf ]; then
|
||||
$SUDO pihole restartdns
|
||||
fi
|
||||
}
|
||||
|
||||
askUnattendedUpgrades(){
|
||||
|
@ -2112,7 +1982,7 @@ askUnattendedUpgrades(){
|
|||
|
||||
confUnattendedUpgrades(){
|
||||
local PIVPN_DEPS
|
||||
PIVPN_DEPS=(unattended-upgrades)
|
||||
PIVPN_DEPS+=(unattended-upgrades)
|
||||
installDependentPackages PIVPN_DEPS[@]
|
||||
aptConfDir="/etc/apt/apt.conf.d"
|
||||
|
||||
|
@ -2129,13 +1999,10 @@ confUnattendedUpgrades(){
|
|||
|
||||
# Fix Raspbian config
|
||||
if [ "$PLAT" = "Raspbian" ]; then
|
||||
wget -qO- "$UNATTUPG_CONFIG" | $SUDO tar xz --directory "${aptConfDir}" "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" --strip-components 2
|
||||
if test -s "${aptConfDir}/50unattended-upgrades.Raspbian"; then
|
||||
$SUDO mv "${aptConfDir}/50unattended-upgrades.Raspbian" "${aptConfDir}/50unattended-upgrades"
|
||||
else
|
||||
echo "$0: ERR: Failed to download \"50unattended-upgrades.Raspbian\"."
|
||||
exit 1
|
||||
fi
|
||||
wget -q -O "/tmp/${UNATTUPG_RELEASE}.tar.gz" "$UNATTUPG_CONFIG"
|
||||
cd /tmp/ && $SUDO tar xzf "/tmp/${UNATTUPG_RELEASE}.tar.gz"
|
||||
$SUDO cp /tmp/"unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" "${aptConfDir}/50unattended-upgrades"
|
||||
$SUDO rm -rf "/tmp/unattended-upgrades-$UNATTUPG_RELEASE"
|
||||
fi
|
||||
|
||||
# Add the remaining settings for all other distributions
|
||||
|
@ -2166,10 +2033,13 @@ installScripts(){
|
|||
$SUDO chmod 0755 /opt/pivpn
|
||||
fi
|
||||
|
||||
$SUDO install -m 755 "$pivpnFilesDir"/scripts/*.sh -t /opt/pivpn
|
||||
$SUDO install -m 755 "$pivpnFilesDir"/scripts/"$VPN"/*.sh -t /opt/pivpn
|
||||
$SUDO install -m 755 "$pivpnFilesDir"/scripts/"$VPN"/pivpn /usr/local/bin/pivpn
|
||||
$SUDO install -m 644 "$pivpnFilesDir"/scripts/"$VPN"/bash-completion /etc/bash_completion.d/pivpn
|
||||
$SUDO cp "$pivpnFilesDir"/scripts/*.sh /opt/pivpn/
|
||||
$SUDO cp "$pivpnFilesDir"/scripts/"$VPN"/*.sh /opt/pivpn/
|
||||
$SUDO chmod 0755 /opt/pivpn/*.sh
|
||||
$SUDO cp "$pivpnFilesDir"/scripts/"$VPN"/pivpn /usr/local/bin/pivpn
|
||||
$SUDO chmod 0755 /usr/local/bin/pivpn
|
||||
$SUDO cp "$pivpnFilesDir"/scripts/"$VPN"/bash-completion /etc/bash_completion.d/pivpn
|
||||
$SUDO chmod 0644 /etc/bash_completion.d/pivpn
|
||||
# shellcheck disable=SC1091
|
||||
. /etc/bash_completion.d/pivpn
|
||||
echo " done."
|
||||
|
|
|
@ -1,8 +0,0 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
||||
-----END DH PARAMETERS-----
|
|
@ -1,11 +0,0 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
|
||||
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
|
||||
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu
|
||||
N///////////AgEC
|
||||
-----END DH PARAMETERS-----
|
|
@ -1,13 +0,0 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
|
||||
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
|
||||
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
|
||||
8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
|
||||
iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
|
||||
zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
|
||||
-----END DH PARAMETERS-----
|
|
@ -1,16 +1,9 @@
|
|||
#!/bin/bash
|
||||
|
||||
# shellcheck disable=SC1091
|
||||
source /etc/pivpn/setupVars.conf
|
||||
# shellcheck disable=SC1090
|
||||
backupdir=pivpnbackup
|
||||
date=$(date +%Y%m%d-%H%M%S)
|
||||
setupVars="/etc/pivpn/setupVars.conf"
|
||||
|
||||
if [ ! -f "${setupVars}" ]; then
|
||||
echo "::: Missing setup vars file!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# shellcheck disable=SC1090
|
||||
source "${setupVars}"
|
||||
|
||||
checkbackupdir(){
|
||||
|
||||
|
|
|
@ -91,7 +91,7 @@ do
|
|||
NO_PASS="1"
|
||||
;;
|
||||
-b|--bitwarden)
|
||||
if command -v bw > /dev/null; then
|
||||
if command -v bw &> /dev/null; then
|
||||
BITWARDEN="2"
|
||||
else
|
||||
echo "Bitwarden not found, please install bitwarden"
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
# This scripts runs as root
|
||||
|
||||
setupVars="/etc/pivpn/setupVars.conf"
|
||||
ERR=0
|
||||
|
||||
if [ ! -f "${setupVars}" ]; then
|
||||
echo "::: Missing setup vars file!"
|
||||
|
@ -16,6 +17,14 @@ echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::"
|
|||
git --git-dir /etc/.pivpn/.git log -n 1
|
||||
printf "=============================================\n"
|
||||
echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::"
|
||||
# Use the wildcard so setupVars.conf.update.bak from the previous install is not shown
|
||||
for filename in /etc/pivpn/*; do
|
||||
if [[ "$filename" != "/etc/pivpn/setupVars.conf"* ]]; then
|
||||
echo "$filename -> $(cat "$filename")"
|
||||
fi
|
||||
done
|
||||
printf "=============================================\n"
|
||||
echo -e "::::\t\e[4msetupVars file shown below\e[0m\t ::::"
|
||||
sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf
|
||||
printf "=============================================\n"
|
||||
echo -e ":::: \e[4mServer configuration shown below\e[0m ::::"
|
||||
|
@ -28,7 +37,152 @@ echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::: \e[4m/etc/openv
|
|||
ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial
|
||||
printf "=============================================\n"
|
||||
echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::"
|
||||
/opt/pivpn/self_check.sh
|
||||
|
||||
if [ "$(cat /proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then
|
||||
echo ":: [OK] IP forwarding is enabled"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
|
||||
sysctl -p
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$USING_UFW" -eq 0 ]; then
|
||||
|
||||
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables MASQUERADE rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
|
||||
iptables-save > /etc/iptables/rules.v4
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
|
||||
|
||||
if iptables -C INPUT -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables INPUT rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
iptables -I INPUT 1 -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule"
|
||||
iptables-save > /etc/iptables/rules.v4
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
|
||||
|
||||
if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables FORWARD rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
||||
iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
||||
iptables-save > /etc/iptables/rules.v4
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
else
|
||||
|
||||
if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
|
||||
echo ":: [OK] Ufw is enabled"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
ufw enable
|
||||
fi
|
||||
fi
|
||||
|
||||
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables MASQUERADE rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE -m comment --comment ${VPN}-nat-rule\nCOMMIT\n" -i /etc/ufw/before.rules
|
||||
ufw reload
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if iptables -C ufw-user-input -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT &> /dev/null; then
|
||||
echo ":: [OK] Ufw input rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
ufw insert 1 allow "$pivpnPORT"/"$pivpnPROTO"
|
||||
ufw reload
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
|
||||
echo ":: [OK] Ufw forwarding rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any
|
||||
ufw reload
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
if systemctl is-active -q openvpn; then
|
||||
echo ":: [OK] OpenVPN is running"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] OpenVPN is not running, try to start now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
systemctl start openvpn
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if systemctl is-enabled -q openvpn; then
|
||||
echo ":: [OK] OpenVPN is enabled (it will automatically start on reboot)"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] OpenVPN is not enabled, try to enable now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
systemctl enable openvpn
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
# grep -w (whole word) is used so port 11940 won't match when looking for 1194
|
||||
if netstat -uanpt | grep openvpn | grep -w "${pivpnPORT}" | grep -q "${pivpnPROTO}"; then
|
||||
echo ":: [OK] OpenVPN is listening on port ${pivpnPORT}/${pivpnPROTO}"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] OpenVPN is not listening, try to restart now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
systemctl restart openvpn
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$ERR" -eq 1 ]; then
|
||||
echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues"
|
||||
fi
|
||||
|
||||
printf "=============================================\n"
|
||||
echo -e ":::: \e[4mSnippet of the server log\e[0m ::::"
|
||||
tail -20 /var/log/openvpn.log > /tmp/snippet
|
||||
|
|
|
@ -1,170 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
subnetClass="24"
|
||||
setupVars="/etc/pivpn/setupVars.conf"
|
||||
ERR=0
|
||||
|
||||
if [ ! -f "${setupVars}" ]; then
|
||||
echo "::: Missing setup vars file!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
source "${setupVars}"
|
||||
|
||||
if [ "$VPN" = "wireguard" ]; then
|
||||
pivpnPROTO="udp"
|
||||
pivpnDEV="wg0"
|
||||
pivpnNET="10.6.0.0"
|
||||
VPN_SERVICE="wg-quick@wg0"
|
||||
VPN_PRETTY_NAME="WireGuard"
|
||||
elif [ "$VPN" = "openvpn" ]; then
|
||||
pivpnDEV="tun0"
|
||||
pivpnNET="10.8.0.0"
|
||||
VPN_SERVICE="openvpn"
|
||||
VPN_PRETTY_NAME="OpenVPN"
|
||||
fi
|
||||
|
||||
if [ "$(</proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then
|
||||
echo ":: [OK] IP forwarding is enabled"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
|
||||
sysctl -p
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$USING_UFW" -eq 0 ]; then
|
||||
|
||||
if iptables -t nat -C POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables MASQUERADE rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
iptables -t nat -I POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
|
||||
iptables-save > /etc/iptables/rules.v4
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
|
||||
|
||||
if iptables -C INPUT -i "${IPv4dev}" -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT -m comment --comment "${VPN}-input-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables INPUT rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
iptables -I INPUT 1 -i "${IPv4dev}" -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT -m comment --comment "${VPN}-input-rule"
|
||||
iptables-save > /etc/iptables/rules.v4
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
|
||||
|
||||
if iptables -C FORWARD -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT -m comment --comment "${VPN}-forward-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables FORWARD rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
iptables -I FORWARD 1 -d "${pivpnNET}/${subnetClass}" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
||||
iptables -I FORWARD 2 -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
||||
iptables-save > /etc/iptables/rules.v4
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
else
|
||||
|
||||
if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
|
||||
echo ":: [OK] Ufw is enabled"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
ufw enable
|
||||
fi
|
||||
fi
|
||||
|
||||
if iptables -t nat -C POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables MASQUERADE rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}/${subnetClass} -o ${IPv4dev} -j MASQUERADE -m comment --comment ${VPN}-nat-rule\nCOMMIT\n" -i /etc/ufw/before.rules
|
||||
ufw reload
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if iptables -C ufw-user-input -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT &> /dev/null; then
|
||||
echo ":: [OK] Ufw input rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
ufw insert 1 allow "${pivpnPORT}"/"${pivpnPROTO}"
|
||||
ufw reload
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if iptables -C ufw-user-forward -i "${pivpnDEV}" -o "${IPv4dev}" -s "${pivpnNET}/${subnetClass}" -j ACCEPT &> /dev/null; then
|
||||
echo ":: [OK] Ufw forwarding rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
ufw route insert 1 allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any
|
||||
ufw reload
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
if systemctl is-active -q "${VPN_SERVICE}"; then
|
||||
echo ":: [OK] ${VPN_PRETTY_NAME} is running"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] ${VPN_PRETTY_NAME} is not running, try to start now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
systemctl start "${VPN_SERVICE}"
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if systemctl is-enabled -q "${VPN_SERVICE}"; then
|
||||
echo ":: [OK] ${VPN_PRETTY_NAME} is enabled (it will automatically start on reboot)"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] ${VPN_PRETTY_NAME} is not enabled, try to enable now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
systemctl enable "${VPN_SERVICE}"
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
# grep -w (whole word) is used so port 11940 won't match when looking for 1194
|
||||
if netstat -antu | grep -wqE "${pivpnPROTO}.*${pivpnPORT}"; then
|
||||
echo ":: [OK] ${VPN_PRETTY_NAME} is listening on port ${pivpnPORT}/${pivpnPROTO}"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] ${VPN_PRETTY_NAME} is not listening, try to restart now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
systemctl restart "${VPN_SERVICE}"
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$ERR" -eq 1 ]; then
|
||||
echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues"
|
||||
fi
|
|
@ -5,7 +5,6 @@
|
|||
### FIXME: use variables where appropriate, reduce magic numbers by 99.9%, at least.
|
||||
|
||||
PKG_MANAGER="apt-get"
|
||||
UPDATE_PKG_CACHE="${PKG_MANAGER} update"
|
||||
subnetClass="24"
|
||||
setupVars="/etc/pivpn/setupVars.conf"
|
||||
|
||||
|
@ -34,7 +33,7 @@ spinner(){
|
|||
local pid=$1
|
||||
local delay=0.50
|
||||
local spinstr='/-\|'
|
||||
while ps a | awk '{print $1}' | grep -q "$pid"; do
|
||||
while ps a | awk '{print $1}' | grep "$pid"; do
|
||||
local temp=${spinstr#?}
|
||||
printf " [%c] " "$spinstr"
|
||||
local spinstr=$temp${spinstr%"$temp"}
|
||||
|
@ -102,7 +101,7 @@ removeAll(){
|
|||
# Purge dependencies
|
||||
echo "::: Purge dependencies..."
|
||||
|
||||
for i in "${INSTALLED_PACKAGES[@]}"; do
|
||||
for i in "${TO_INSTALL[@]}"; do
|
||||
while true; do
|
||||
read -rp "::: Do you wish to remove $i from your system? [Y/n]: " yn
|
||||
case $yn in
|
||||
|
@ -114,11 +113,11 @@ removeAll(){
|
|||
if [ "$PLAT" = "Debian" ] || { [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv7l" ]; }; then
|
||||
rm -f /etc/apt/sources.list.d/pivpn-unstable.list
|
||||
rm -f /etc/apt/preferences.d/pivpn-limit-unstable
|
||||
$PKG_MANAGER update &> /dev/null
|
||||
elif [ "$PLAT" = "Ubuntu" ]; then
|
||||
add-apt-repository ppa:wireguard/wireguard -r -y
|
||||
$PKG_MANAGER update &> /dev/null
|
||||
fi
|
||||
echo "::: Updating package cache..."
|
||||
${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||
|
||||
elif [ "${i}" = "wireguard-dkms" ]; then
|
||||
|
||||
|
@ -136,6 +135,12 @@ removeAll(){
|
|||
rm -rf /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}"
|
||||
fi
|
||||
|
||||
elif [ "${i}" = "dirmngr" ]; then
|
||||
|
||||
# If dirmngr was installed, then we had previously installed wireguard on armv7l Raspbian
|
||||
# so we remove the repository keys
|
||||
apt-key remove E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE &> /dev/null
|
||||
|
||||
elif [ "${i}" = "unattended-upgrades" ]; then
|
||||
|
||||
### REALLY???
|
||||
|
@ -147,8 +152,7 @@ removeAll(){
|
|||
|
||||
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
|
||||
rm -f /etc/apt/sources.list.d/pivpn-openvpn-repo.list
|
||||
echo "::: Updating package cache..."
|
||||
${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||
$PKG_MANAGER update &> /dev/null
|
||||
fi
|
||||
deluser openvpn
|
||||
rm -f /etc/rsyslog.d/30-openvpn.conf
|
||||
|
|
|
@ -15,17 +15,6 @@ fi
|
|||
|
||||
source "${setupVars}"
|
||||
|
||||
scriptusage(){
|
||||
echo "::: Updates PiVPN scripts"
|
||||
echo ":::"
|
||||
echo "::: Usage: pivpn <-up|update> [-t|--test]"
|
||||
echo ":::"
|
||||
echo "::: Commands:"
|
||||
echo "::: [none] Updates from master branch"
|
||||
echo "::: -t, test Updates from test branch"
|
||||
echo "::: -h, help Show this usage dialog"
|
||||
}
|
||||
|
||||
###Functions
|
||||
##Updates scripts
|
||||
updatepivpnscripts(){
|
||||
|
@ -79,6 +68,14 @@ cloneupdttest(){
|
|||
git -C "$pivpnlocalpath" checkout master
|
||||
}
|
||||
|
||||
scriptusage(){
|
||||
echo -e "Updates pivpn scripts,
|
||||
|
||||
Usage:
|
||||
pivpn update | updates from master branch
|
||||
pivpn update -t or --test | updates from test branch"
|
||||
}
|
||||
|
||||
## SCRIPT
|
||||
|
||||
if [[ $# -eq 0 ]]; then
|
||||
|
@ -86,11 +83,11 @@ if [[ $# -eq 0 ]]; then
|
|||
else
|
||||
while true; do
|
||||
case "$1" in
|
||||
-t|test)
|
||||
-t|--test|test)
|
||||
updatefromtest
|
||||
exit 0
|
||||
;;
|
||||
-h|help)
|
||||
-h|--help|help)
|
||||
scriptusage
|
||||
exit 0
|
||||
;;
|
||||
|
|
|
@ -4,8 +4,8 @@ _pivpn()
|
|||
COMPREPLY=()
|
||||
cur="${COMP_WORDS[COMP_CWORD]}"
|
||||
prev="${COMP_WORDS[COMP_CWORD-1]}"
|
||||
dashopts="-a -c -d -l -qr -r -h -u -up -wg -bk"
|
||||
opts="add clients debug list qrcode remove help uninstall update wgupdate backup"
|
||||
dashopts="-a -c -d -l -qr -r -h -u -up -bk"
|
||||
opts="add clients debug list qrcode remove help uninstall update backup"
|
||||
if [ "${#COMP_WORDS[@]}" -eq 2 ]
|
||||
then
|
||||
if [[ ${cur} == -* ]] ; then
|
||||
|
|
|
@ -10,11 +10,7 @@ hr(){
|
|||
numfmt --to=iec-i --suffix=B "$1"
|
||||
}
|
||||
|
||||
if DUMP="$(wg show wg0 dump)"; then
|
||||
DUMP="$(tail -n +2 <<< "$DUMP")"
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
DUMP="$(wg show wg0 dump | tail -n +2)"
|
||||
|
||||
printf "\e[1m::: Connected Clients List :::\e[0m\n"
|
||||
|
||||
|
@ -32,7 +28,7 @@ while IFS= read -r LINE; do
|
|||
CLIENT_NAME="$(grep "$PUBLIC_KEY" clients.txt | awk '{ print $1 }')"
|
||||
|
||||
if [ "$LAST_SEEN" -ne 0 ]; then
|
||||
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "$(date -d @"$LAST_SEEN" '+%b %d %Y - %T')"
|
||||
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "$(date -d @"$LAST_SEEN" '+%b %m %Y - %T')"
|
||||
else
|
||||
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "(not yet)"
|
||||
fi
|
||||
|
|
|
@ -2,13 +2,6 @@
|
|||
|
||||
setupVars="/etc/pivpn/setupVars.conf"
|
||||
|
||||
if [ ! -f "${setupVars}" ]; then
|
||||
echo "::: Missing setup vars file!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
source "${setupVars}"
|
||||
|
||||
helpFunc(){
|
||||
echo "::: Create a client conf profile"
|
||||
echo ":::"
|
||||
|
@ -46,6 +39,13 @@ while test $# -gt 0; do
|
|||
shift
|
||||
done
|
||||
|
||||
if [ ! -f "${setupVars}" ]; then
|
||||
echo "::: Missing setup vars file!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
source "${setupVars}"
|
||||
|
||||
# The home folder variable was sourced from the settings file.
|
||||
if [ ! -d "${install_home}/configs" ]; then
|
||||
mkdir "${install_home}/configs"
|
||||
|
|
|
@ -54,11 +54,6 @@ updateScripts(){
|
|||
exit 0
|
||||
}
|
||||
|
||||
updateWireGuard(){
|
||||
$SUDO /opt/pivpn/wgUPDATE.sh
|
||||
exit 0
|
||||
}
|
||||
|
||||
backup(){
|
||||
$SUDO /opt/pivpn/backup.sh
|
||||
}
|
||||
|
@ -78,8 +73,7 @@ showHelp(){
|
|||
echo "::: -h, help Show this help dialog"
|
||||
echo "::: -u, uninstall Uninstall pivpn from your system!"
|
||||
echo "::: -up, update Updates PiVPN Scripts"
|
||||
echo "::: -wg, wgupdate Updates WireGuard"
|
||||
echo "::: -bk, backup Backup VPN configs and user profiles"
|
||||
echo "::: -bk, Backup Backup vpn configs and user profiles"
|
||||
exit 0
|
||||
}
|
||||
|
||||
|
@ -98,7 +92,6 @@ case "$1" in
|
|||
"-h" | "help" ) showHelp;;
|
||||
"-u" | "uninstall" ) uninstallServer;;
|
||||
"-up" | "update" ) updateScripts "$@" ;;
|
||||
"-wg" | "wgupdate" ) updateWireGuard ;;
|
||||
"-bk" | "backup" ) backup ;;
|
||||
* ) showHelp;;
|
||||
esac
|
||||
|
|
|
@ -10,6 +10,9 @@ fi
|
|||
|
||||
source "${setupVars}"
|
||||
|
||||
EXAMPLE="$(head -1 /etc/wireguard/configs/clients.txt | awk '{print $1}')"
|
||||
ERR=0
|
||||
|
||||
echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::"
|
||||
printf "=============================================\n"
|
||||
echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::"
|
||||
|
@ -23,17 +26,16 @@ cd /etc/wireguard/keys
|
|||
cp ../wg0.conf ../wg0.tmp
|
||||
# Replace every key in the server configuration with just its file name
|
||||
for k in *; do
|
||||
sed "s#$(<"$k")#$k#" -i ../wg0.tmp
|
||||
sed "s#$(cat "$k")#$k#" -i ../wg0.tmp
|
||||
done
|
||||
cat ../wg0.tmp
|
||||
rm ../wg0.tmp
|
||||
printf "=============================================\n"
|
||||
echo -e ":::: \e[4mClient configuration shown below\e[0m ::::"
|
||||
EXAMPLE="$(head -1 /etc/wireguard/configs/clients.txt | awk '{print $1}')"
|
||||
if [ -n "$EXAMPLE" ]; then
|
||||
cp ../configs/"$EXAMPLE".conf ../configs/"$EXAMPLE".tmp
|
||||
for k in *; do
|
||||
sed "s#$(<"$k")#$k#" -i ../configs/"$EXAMPLE".tmp
|
||||
sed "s#$(cat "$k")#$k#" -i ../configs/"$EXAMPLE".tmp
|
||||
done
|
||||
sed "s/$pivpnHOST/REDACTED/" < ../configs/"$EXAMPLE".tmp
|
||||
rm ../configs/"$EXAMPLE".tmp
|
||||
|
@ -46,7 +48,151 @@ echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::::\e\t[4m/etc/wir
|
|||
ls -LR /etc/wireguard
|
||||
printf "=============================================\n"
|
||||
echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::"
|
||||
/opt/pivpn/self_check.sh
|
||||
|
||||
if [ "$(cat /proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then
|
||||
echo ":: [OK] IP forwarding is enabled"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
|
||||
sysctl -p
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$USING_UFW" -eq 0 ]; then
|
||||
|
||||
if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables MASQUERADE rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
iptables -t nat -I POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
|
||||
iptables-save > /etc/iptables/rules.v4
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
|
||||
|
||||
if iptables -C INPUT -i "$IPv4dev" -p udp --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables INPUT rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
iptables -I INPUT 1 -i "$IPv4dev" -p udp --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule"
|
||||
iptables-save > /etc/iptables/rules.v4
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
|
||||
|
||||
if iptables -C FORWARD -s 10.6.0.0/24 -i wg0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables FORWARD rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
iptables -I FORWARD 1 -d 10.6.0.0/24 -i "$IPv4dev" -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
||||
iptables -I FORWARD 2 -s 10.6.0.0/24 -i wg0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
||||
iptables-save > /etc/iptables/rules.v4
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
else
|
||||
|
||||
if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
|
||||
echo ":: [OK] Ufw is enabled"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
ufw enable
|
||||
fi
|
||||
fi
|
||||
|
||||
if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
|
||||
echo ":: [OK] Iptables MASQUERADE rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.6.0.0/24 -o $IPv4dev -j MASQUERADE -m comment --comment ${VPN}-nat-rule\nCOMMIT\n" -i /etc/ufw/before.rules
|
||||
ufw reload
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if iptables -C ufw-user-input -p udp --dport "${pivpnPORT}" -j ACCEPT &> /dev/null; then
|
||||
echo ":: [OK] Ufw input rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
ufw insert 1 allow "$pivpnPORT"/udp
|
||||
ufw reload
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if iptables -C ufw-user-forward -i wg0 -o "${IPv4dev}" -s 10.6.0.0/24 -j ACCEPT &> /dev/null; then
|
||||
echo ":: [OK] Ufw forwarding rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
ufw route insert 1 allow in on wg0 from 10.6.0.0/24 out on "$IPv4dev" to any
|
||||
ufw reload
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
if systemctl is-active -q wg-quick@wg0; then
|
||||
echo ":: [OK] WireGuard is running"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] WireGuard is not running, try to start now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
systemctl start wg-quick@wg0
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if systemctl is-enabled -q wg-quick@wg0; then
|
||||
echo ":: [OK] WireGuard is enabled (it will automatically start on reboot)"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] WireGuard is not enabled, try to enable now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
systemctl enable wg-quick@wg0
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
# grep -w (whole word) is used so port 11940 won't match when looking for 1194
|
||||
if netstat -uanp | grep -w "${pivpnPORT}" | grep -q 'udp'; then
|
||||
echo ":: [OK] WireGuard is listening on port ${pivpnPORT}/udp"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] WireGuard is not listening, try to restart now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
systemctl restart wg-quick@wg0
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$ERR" -eq 1 ]; then
|
||||
echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues"
|
||||
fi
|
||||
printf "=============================================\n"
|
||||
echo -e ":::: \e[1mWARNING\e[0m: This script should have automatically masked sensitive ::::"
|
||||
echo -e ":::: information, however, still make sure that \e[4mPrivateKey\e[0m, \e[4mPublicKey\e[0m ::::"
|
||||
|
|
|
@ -2,13 +2,6 @@
|
|||
|
||||
setupVars="/etc/pivpn/setupVars.conf"
|
||||
|
||||
if [ ! -f "${setupVars}" ]; then
|
||||
echo "::: Missing setup vars file!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
source "${setupVars}"
|
||||
|
||||
helpFunc(){
|
||||
echo "::: Remove a client conf profile"
|
||||
echo ":::"
|
||||
|
@ -36,6 +29,13 @@ do
|
|||
shift
|
||||
done
|
||||
|
||||
if [ ! -f "${setupVars}" ]; then
|
||||
echo "::: Missing setup vars file!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
source "${setupVars}"
|
||||
|
||||
cd /etc/wireguard
|
||||
if [ ! -s configs/clients.txt ]; then
|
||||
echo "::: There are no clients to remove"
|
||||
|
|
|
@ -1,132 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
setupVars="/etc/pivpn/setupVars.conf"
|
||||
|
||||
if [ ! -f "${setupVars}" ]; then
|
||||
echo "::: Missing setup vars file!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
source "${setupVars}"
|
||||
|
||||
if [ "$(uname -m)" != "armv6l" ]; then
|
||||
echo "On your system, WireGuard updates via the package manager"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
CURRENT_WG_TOOLS_SNAPSHOT="${WG_TOOLS_SNAPSHOT}"
|
||||
WG_TOOLS_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-tools"."version"')"
|
||||
|
||||
if dpkg --compare-versions "${WG_TOOLS_SNAPSHOT}" gt "${CURRENT_WG_TOOLS_SNAPSHOT}"; then
|
||||
|
||||
read -r -p "A new wireguard-tools update is available (${WG_TOOLS_SNAPSHOT}), install? [Y/n]: "
|
||||
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
|
||||
echo "::: Upgrading wireguard-tools from ${CURRENT_WG_TOOLS_SNAPSHOT} to ${WG_TOOLS_SNAPSHOT}..."
|
||||
|
||||
WG_TOOLS_SOURCE="https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${WG_TOOLS_SNAPSHOT}.tar.xz"
|
||||
echo "::: Downloading wireguard-tools source code... "
|
||||
wget -qO- "${WG_TOOLS_SOURCE}" | tar xJ --directory /usr/src
|
||||
echo "done!"
|
||||
|
||||
## || exits if cd fails.
|
||||
cd /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}/src" || exit 1
|
||||
|
||||
# We install the userspace tools manually since DKMS only compiles and
|
||||
# installs the kernel module
|
||||
echo "::: Compiling WireGuard tools... "
|
||||
if make; then
|
||||
echo "done!"
|
||||
else
|
||||
echo "failed!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Use checkinstall to install userspace tools so if the user wants to uninstall
|
||||
# PiVPN we can just do apt remove wireguard-tools, instead of manually removing
|
||||
# files from the file system
|
||||
echo "::: Installing WireGuard tools... "
|
||||
if checkinstall --pkgname wireguard-tools --pkgversion "${WG_TOOLS_SNAPSHOT}" -y; then
|
||||
echo "done!"
|
||||
else
|
||||
echo "failed!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "::: Removing old source code ..."
|
||||
rm -rf /usr/src/wireguard-tools-"${CURRENT_WG_TOOLS_SNAPSHOT}"
|
||||
|
||||
sed "s/WG_TOOLS_SNAPSHOT=${CURRENT_WG_TOOLS_SNAPSHOT}/WG_TOOLS_SNAPSHOT=${WG_TOOLS_SNAPSHOT}/" -i "${setupVars}"
|
||||
|
||||
echo "::: Upgrade completed!"
|
||||
fi
|
||||
else
|
||||
echo "::: You are running the lastest version of wireguard-tools (${CURRENT_WG_TOOLS_SNAPSHOT})"
|
||||
fi
|
||||
|
||||
CURRENT_WG_MODULE_SNAPSHOT="${WG_MODULE_SNAPSHOT}"
|
||||
WG_MODULE_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-linuxcompat"."version"')"
|
||||
|
||||
if dpkg --compare-versions "${WG_MODULE_SNAPSHOT}" gt "${CURRENT_WG_MODULE_SNAPSHOT}"; then
|
||||
|
||||
read -r -p "A new wireguard-dkms update is available (${WG_MODULE_SNAPSHOT}), install? [Y/n]: "
|
||||
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
|
||||
echo "::: Upgrading wireguard-dkms from ${CURRENT_WG_MODULE_SNAPSHOT} to ${WG_MODULE_SNAPSHOT}..."
|
||||
|
||||
WG_MODULE_SOURCE="https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WG_MODULE_SNAPSHOT}.tar.xz"
|
||||
echo "::: Downloading wireguard-linux-compat source code... "
|
||||
wget -qO- "${WG_MODULE_SOURCE}" | tar xJ --directory /usr/src
|
||||
echo "done!"
|
||||
|
||||
# Rename wireguard-linux-compat folder and move the source code to the parent folder
|
||||
# such that dkms picks up the module when referencing wireguard/"${WG_MODULE_SNAPSHOT}"
|
||||
cd /usr/src && \
|
||||
mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}" && \
|
||||
cd wireguard-"${WG_MODULE_SNAPSHOT}" && \
|
||||
mv src/* . && \
|
||||
rmdir src || exit 1
|
||||
|
||||
echo "::: Adding WireGuard module via DKMS... "
|
||||
if dkms add wireguard/"${WG_MODULE_SNAPSHOT}"; then
|
||||
echo "done!"
|
||||
else
|
||||
echo "failed!"
|
||||
dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "::: Compiling WireGuard module via DKMS... "
|
||||
if dkms build wireguard/"${WG_MODULE_SNAPSHOT}"; then
|
||||
echo "done!"
|
||||
else
|
||||
echo "failed!"
|
||||
dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "::: Installing WireGuard module via DKMS... "
|
||||
if dkms install wireguard/"${WG_MODULE_SNAPSHOT}"; then
|
||||
echo "done!"
|
||||
else
|
||||
echo "failed!"
|
||||
dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "::: Removing old kernel module and source code..."
|
||||
if dkms remove wireguard/"${CURRENT_WG_MODULE_SNAPSHOT}" --all; then
|
||||
rm -rf /usr/src/wireguard-"${CURRENT_WG_MODULE_SNAPSHOT}"
|
||||
echo "done!"
|
||||
else
|
||||
echo "failed!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
sed "s/WG_TOOLS_SNAPSHOT=${CURRENT_WG_MODULE_SNAPSHOT}/WG_TOOLS_SNAPSHOT=${WG_MODULE_SNAPSHOT}/" -i "${setupVars}"
|
||||
|
||||
echo "::: Upgrade completed!"
|
||||
fi
|
||||
else
|
||||
echo "::: You are running the lastest version of wireguard-dkms (${CURRENT_WG_MODULE_SNAPSHOT})"
|
||||
fi
|
|
@ -1,6 +1,4 @@
|
|||
IPv4dev=eth0
|
||||
IPv4addr=192.168.23.211/24
|
||||
IPv4gw=192.168.23.1
|
||||
dhcpReserv=0
|
||||
install_user=pi
|
||||
VPN=openvpn
|
||||
|
@ -12,5 +10,5 @@ pivpnHOST=pivpn.example.com
|
|||
pivpnENCRYPT=256
|
||||
pivpnSEARCHDOMAIN=searchdomain.example.com
|
||||
TWO_POINT_FOUR=1
|
||||
USE_PREDEFINED_DH_PARAM=1
|
||||
DOWNLOAD_DH_PARAM=0
|
||||
UNATTUPG=1
|
|
@ -1,6 +1,4 @@
|
|||
IPv4dev=eth0
|
||||
IPv4addr=192.168.23.211/24
|
||||
IPv4gw=192.168.23.1
|
||||
dhcpReserv=0
|
||||
install_user=pi
|
||||
VPN=wireguard
|
Loading…
Reference in a new issue