mirror of
https://github.com/pivpn/pivpn.git
synced 2024-12-24 05:40:16 +00:00
Merge pull request #224 from EWouters/test
Implemented "--unattended" option (Issue #223)
This commit is contained in:
commit
c907a4bff8
5 changed files with 606 additions and 242 deletions
|
@ -133,7 +133,9 @@ welcome any feedback on your experience. If you have problems using it, feel
|
|||
free to post an issue here on github. I'll classify the issues the best I can
|
||||
to keep things sorted.
|
||||
|
||||
You can also post on the [Google Space](https://goo.gl/spaces/kgp2Mcy5RDfZ5SSf8) I created for PiVPN, especially suited for general questions or discussions.
|
||||
[[DISCONTINUED APRIL 17]] You can also post on the [Google Space](https://goo.gl/spaces/kgp2Mcy5RDfZ5SSf8) I created for PiVPN, especially suited for general questions or discussions.
|
||||
|
||||
You can also join #pivpn <ircs://freenode/pivpn> on freenode in IRC for community support or general questions.
|
||||
|
||||
Contributions
|
||||
-------------
|
||||
|
|
|
@ -10,11 +10,13 @@
|
|||
# curl -L https://install.pivpn.io | bash
|
||||
# Make sure you have `curl` installed
|
||||
|
||||
|
||||
set -e
|
||||
######## VARIABLES #########
|
||||
|
||||
tmpLog="/tmp/pivpn-install.log"
|
||||
instalLogLoc="/etc/pivpn/install.log"
|
||||
setupVars=/etc/pivpn/setupVars.conf
|
||||
useUpdateVars=false
|
||||
|
||||
### PKG Vars ###
|
||||
PKG_MANAGER="apt-get"
|
||||
|
@ -42,6 +44,11 @@ c=$(( columns / 2 ))
|
|||
r=$(( r < 20 ? 20 : r ))
|
||||
c=$(( c < 70 ? 70 : c ))
|
||||
|
||||
######## Undocumented Flags. Shhh ########
|
||||
skipSpaceCheck=false
|
||||
reconfigure=false
|
||||
runUnattended=false
|
||||
|
||||
# Find IP used to route to outside world
|
||||
|
||||
IPv4dev=$(ip route get 8.8.8.8 | awk '{for(i=1;i<=NF;i++)if($i~/dev/)print $(i+1)}')
|
||||
|
@ -51,24 +58,6 @@ IPv4gw=$(ip route get 8.8.8.8 | awk '{print $3}')
|
|||
availableInterfaces=$(ip -o link | grep "state UP" | awk '{print $2}' | cut -d':' -f1 | cut -d'@' -f1)
|
||||
dhcpcdFile=/etc/dhcpcd.conf
|
||||
|
||||
######## FIRST CHECK ########
|
||||
# Must be root to install
|
||||
echo ":::"
|
||||
if [[ $EUID -eq 0 ]];then
|
||||
echo "::: You are root."
|
||||
else
|
||||
echo "::: sudo will be used for the install."
|
||||
# Check if it is actually installed
|
||||
# If it isn't, exit because the install cannot complete
|
||||
if [[ $(dpkg-query -s sudo) ]];then
|
||||
export SUDO="sudo"
|
||||
export SUDOE="sudo -E"
|
||||
else
|
||||
echo "::: Please install sudo or run this as root."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# Next see if we are on a tested and supported OS
|
||||
function noOS_Support() {
|
||||
whiptail --msgbox --backtitle "INVALID OS DETECTED" --title "Invalid OS" "We have not been able to detect a supported OS.
|
||||
|
@ -79,44 +68,47 @@ If you think you received this message in error, you can post an issue on the Gi
|
|||
|
||||
function maybeOS_Support() {
|
||||
if (whiptail --backtitle "Not Supported OS" --title "Not Supported OS" --yesno "You are on an OS that we have not tested but MAY work.
|
||||
Currently this installer supports Raspbian jessie, Ubuntu 14.04 (trusty), and Ubuntu 16.04 (xenial).
|
||||
Would you like to continue anyway?" ${r} ${c}) then
|
||||
echo "::: Did not detect perfectly supported OS but,"
|
||||
echo "::: Continuing installation at user's own risk..."
|
||||
else
|
||||
echo "::: Exiting due to unsupported OS"
|
||||
exit 1
|
||||
fi
|
||||
Currently this installer supports Raspbian jessie, Ubuntu 14.04 (trusty), and Ubuntu 16.04 (xenial).
|
||||
Would you like to continue anyway?" ${r} ${c}) then
|
||||
echo "::: Did not detect perfectly supported OS but,"
|
||||
echo "::: Continuing installation at user's own risk..."
|
||||
else
|
||||
echo "::: Exiting due to unsupported OS"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
# if lsb_release command is on their system
|
||||
if hash lsb_release 2>/dev/null; then
|
||||
PLAT=$(lsb_release -si)
|
||||
OSCN=$(lsb_release -sc) # We want this to be trusty xenial or jessie
|
||||
|
||||
if [[ $PLAT == "Ubuntu" || $PLAT == "Raspbian" || $PLAT == "Debian" ]]; then
|
||||
if [[ $OSCN != "trusty" && $OSCN != "xenial" && $OSCN != "jessie" ]]; then
|
||||
maybeOS_Support
|
||||
fi
|
||||
else
|
||||
noOS_Support
|
||||
fi
|
||||
# else get info from os-release
|
||||
elif grep -q debian /etc/os-release; then
|
||||
if grep -q jessie /etc/os-release; then
|
||||
PLAT="Raspbian"
|
||||
OSCN="jessie"
|
||||
else
|
||||
PLAT="Ubuntu"
|
||||
OSCN="unknown"
|
||||
maybeOS_Support
|
||||
fi
|
||||
# else we prob don't want to install
|
||||
else
|
||||
noOS_Support
|
||||
fi
|
||||
|
||||
echo "${PLAT}" > /tmp/DET_PLATFORM
|
||||
# Compatibility
|
||||
distro_check() {
|
||||
# if lsb_release command is on their system
|
||||
if hash lsb_release 2>/dev/null; then
|
||||
PLAT=$(lsb_release -si)
|
||||
OSCN=$(lsb_release -sc) # We want this to be trusty xenial or jessie
|
||||
|
||||
if [[ $PLAT == "Ubuntu" || $PLAT == "Raspbian" || $PLAT == "Debian" ]]; then
|
||||
if [[ $OSCN != "trusty" && $OSCN != "xenial" && $OSCN != "jessie" ]]; then
|
||||
maybeOS_Support
|
||||
fi
|
||||
else
|
||||
noOS_Support
|
||||
fi
|
||||
# else get info from os-release
|
||||
elif grep -q debian /etc/os-release; then
|
||||
if grep -q jessie /etc/os-release; then
|
||||
PLAT="Raspbian"
|
||||
OSCN="jessie"
|
||||
else
|
||||
PLAT="Ubuntu"
|
||||
OSCN="unknown"
|
||||
maybeOS_Support
|
||||
fi
|
||||
# else we prob don't want to install
|
||||
else
|
||||
noOS_Support
|
||||
fi
|
||||
|
||||
echo "${PLAT}" > /tmp/DET_PLATFORM
|
||||
}
|
||||
|
||||
####### FUNCTIONS ##########
|
||||
spinner()
|
||||
|
@ -280,6 +272,7 @@ If you are in Amazon then you can not configure a static IP anyway. Just ensure
|
|||
}
|
||||
|
||||
getStaticIPv4Settings() {
|
||||
local ipSettingsCorrect
|
||||
# Grab their current DNS Server
|
||||
IPv4dns=$(nslookup 127.0.0.1 | grep Server: | awk '{print $2}')
|
||||
# Ask if the user wants to use DHCP settings as their static IP
|
||||
|
@ -347,7 +340,6 @@ setStaticIPv4() {
|
|||
if [[ -f /etc/dhcpcd.conf ]]; then
|
||||
if grep -q "${IPv4addr}" ${dhcpcdFile}; then
|
||||
echo "::: Static IP already configured."
|
||||
:
|
||||
else
|
||||
setDHCPCD
|
||||
$SUDO ip addr replace dev "${pivpnInterface}" "${IPv4addr}"
|
||||
|
@ -488,7 +480,6 @@ unattendedUpgrades() {
|
|||
|
||||
if (whiptail --backtitle "Security Updates" --title "Unattended Upgrades" --yesno "Do you want to enable unattended upgrades of security patches to this server?" ${r} ${c}) then
|
||||
UNATTUPG="unattended-upgrades"
|
||||
$SUDO apt-get --yes --quiet --no-install-recommends install "$UNATTUPG" > /dev/null & spinner $!
|
||||
else
|
||||
UNATTUPG=""
|
||||
fi
|
||||
|
@ -604,17 +595,21 @@ make_repo() {
|
|||
}
|
||||
|
||||
update_repo() {
|
||||
# Pull the latest commits
|
||||
echo -n "::: Updating repo in $1..."
|
||||
cd "${1}" || exit 1
|
||||
$SUDO git stash -q > /dev/null & spinner $!
|
||||
$SUDO git pull -q > /dev/null & spinner $!
|
||||
if [ -z "${TESTING+x}" ]; then
|
||||
:
|
||||
if [[ "${reconfigure}" == true ]]; then
|
||||
echo "::: --reconfigure passed to install script. Not downloading/updating local repos"
|
||||
else
|
||||
${SUDOE} git checkout test
|
||||
# Pull the latest commits
|
||||
echo -n "::: Updating repo in $1..."
|
||||
cd "${1}" || exit 1
|
||||
$SUDO git stash -q > /dev/null & spinner $!
|
||||
$SUDO git pull -q > /dev/null & spinner $!
|
||||
if [ -z "${TESTING+x}" ]; then
|
||||
:
|
||||
else
|
||||
${SUDOE} git checkout test
|
||||
fi
|
||||
echo " done!"
|
||||
fi
|
||||
echo " done!"
|
||||
}
|
||||
|
||||
setCustomProto() {
|
||||
|
@ -776,20 +771,21 @@ setClientDNS() {
|
|||
}
|
||||
|
||||
confOpenVPN() {
|
||||
# Ask user if want to modify default port
|
||||
SERVER_NAME="server"
|
||||
|
||||
# Ask user for desired level of encryption
|
||||
ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "Encryption Strength" --radiolist \
|
||||
"Choose your desired level of encryption:\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications it is recommended to use 2048 bit. If you are testing or just want to get through it quicker you can use 1024. If you are paranoid about ... things... then grab a cup of joe and pick 4096." ${r} ${c} 3 \
|
||||
"2048" "Use 2048-bit encryption. Recommended level." ON \
|
||||
"1024" "Use 1024-bit encryption. Test level." OFF \
|
||||
"4096" "Use 4096-bit encryption. Paranoid level." OFF 3>&1 1>&2 2>&3)
|
||||
|
||||
exitstatus=$?
|
||||
if [ $exitstatus != 0 ]; then
|
||||
echo "::: Cancel selected. Exiting..."
|
||||
exit 1
|
||||
|
||||
if [[ ${useUpdateVars} == false ]]; then
|
||||
# Ask user for desired level of encryption
|
||||
ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "Encryption Strength" --radiolist \
|
||||
"Choose your desired level of encryption:\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications it is recommended to use 2048 bit. If you are testing or just want to get through it quicker you can use 1024. If you are paranoid about ... things... then grab a cup of joe and pick 4096." ${r} ${c} 3 \
|
||||
"2048" "Use 2048-bit encryption. Recommended level." ON \
|
||||
"1024" "Use 1024-bit encryption. Test level." OFF \
|
||||
"4096" "Use 4096-bit encryption. Paranoid level." OFF 3>&1 1>&2 2>&3)
|
||||
|
||||
exitstatus=$?
|
||||
if [ $exitstatus != 0 ]; then
|
||||
echo "::: Cancel selected. Exiting..."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# If easy-rsa exists, remove it
|
||||
|
@ -804,6 +800,7 @@ confOpenVPN() {
|
|||
$SUDO mkdir /etc/openvpn/easy-rsa/pki
|
||||
|
||||
# Write out new vars file
|
||||
set +e
|
||||
IFS= read -d '' String <<"EOF"
|
||||
if [ -z "$EASYRSA_CALLER" ]; then
|
||||
echo "Nope." >&2
|
||||
|
@ -816,7 +813,8 @@ set_var EASYRSA_ALGO rsa
|
|||
set_var EASYRSA_CURVE secp384r1
|
||||
EOF
|
||||
|
||||
echo "${String}" | $SUDO tee /etc/openvpn/easy-rsa/vars >/dev/null
|
||||
echo "${String}" | $SUDO tee /etc/openvpn/easy-rsa/vars >/dev/null
|
||||
set -e
|
||||
|
||||
# Edit the KEY_SIZE variable in the vars file to set user chosen key size
|
||||
cd /etc/openvpn/easy-rsa || exit
|
||||
|
@ -830,21 +828,32 @@ echo "${String}" | $SUDO tee /etc/openvpn/easy-rsa/vars >/dev/null
|
|||
${SUDOE} ./easyrsa --batch build-ca nopass
|
||||
printf "\n::: CA Complete.\n"
|
||||
|
||||
whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c}
|
||||
|
||||
if [[ ${useUpdateVars} == false ]]; then
|
||||
whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c}
|
||||
fi
|
||||
|
||||
# Build the server
|
||||
${SUDOE} ./easyrsa build-server-full server nopass
|
||||
|
||||
if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c})
|
||||
then
|
||||
# Downloading parameters
|
||||
RANDOM_INDEX=$(( RANDOM % 128 ))
|
||||
${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem"
|
||||
else
|
||||
# Generate Diffie-Hellman key exchange
|
||||
${SUDOE} ./easyrsa gen-dh
|
||||
${SUDOE} mv pki/dh.pem pki/dh${ENCRYPT}.pem
|
||||
fi
|
||||
if [[ ${useUpdateVars} == false ]]; then
|
||||
if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c})
|
||||
then
|
||||
DOWNLOAD_DH_PARAM=true
|
||||
else
|
||||
DOWNLOAD_DH_PARAM=false
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$ENCRYPT" -ge "4096" ] && [[ ${DOWNLOAD_DH_PARAM} == true ]]
|
||||
then
|
||||
# Downloading parameters
|
||||
RANDOM_INDEX=$(( RANDOM % 128 ))
|
||||
${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem"
|
||||
else
|
||||
# Generate Diffie-Hellman key exchange
|
||||
${SUDOE} ./easyrsa gen-dh
|
||||
${SUDOE} mv pki/dh.pem pki/dh${ENCRYPT}.pem
|
||||
fi
|
||||
|
||||
# Generate static HMAC key to defend against DDoS
|
||||
${SUDOE} openvpn --genkey --secret pki/ta.key
|
||||
|
@ -875,6 +884,7 @@ fi
|
|||
|
||||
confUnattendedUpgrades() {
|
||||
if [[ $UNATTUPG == "unattended-upgrades" ]]; then
|
||||
$SUDO apt-get --yes --quiet --no-install-recommends install "$UNATTUPG" > /dev/null & spinner $!
|
||||
if [[ $PLAT == "Ubuntu" ]]; then
|
||||
# Ubuntu 50unattended-upgrades should already just have security enabled
|
||||
# so we just need to configure the 10periodic file
|
||||
|
@ -957,37 +967,40 @@ confOVPN() {
|
|||
echo 0 > /tmp/REVOKE_STATUS
|
||||
$SUDO cp /tmp/REVOKE_STATUS /etc/pivpn/REVOKE_STATUS
|
||||
|
||||
METH=$(whiptail --title "Public IP or DNS" --radiolist "Will clients use a Public IP or DNS Name to connect to your server?" ${r} ${c} 2 \
|
||||
"$IPv4pub" "Use this public IP" "ON" \
|
||||
"DNS Entry" "Use a public DNS" "OFF" 3>&1 1>&2 2>&3)
|
||||
|
||||
exitstatus=$?
|
||||
if [ $exitstatus != 0 ]; then
|
||||
echo "::: Cancel selected. Exiting..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
$SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
|
||||
|
||||
if [ "$METH" == "$IPv4pub" ]; then
|
||||
$SUDO sed -i 's/IPv4pub/'"$IPv4pub"'/' /etc/openvpn/easy-rsa/pki/Default.txt
|
||||
else
|
||||
until [[ $publicDNSCorrect = True ]]
|
||||
do
|
||||
PUBLICDNS=$(whiptail --title "PiVPN Setup" --inputbox "What is the public DNS name of this Server?" ${r} ${c} 3>&1 1>&2 2>&3)
|
||||
exitstatus=$?
|
||||
if [ $exitstatus != 0 ]; then
|
||||
if [[ ${useUpdateVars} == false ]]; then
|
||||
METH=$(whiptail --title "Public IP or DNS" --radiolist "Will clients use a Public IP or DNS Name to connect to your server?" ${r} ${c} 2 \
|
||||
"$IPv4pub" "Use this public IP" "ON" \
|
||||
"DNS Entry" "Use a public DNS" "OFF" 3>&1 1>&2 2>&3)
|
||||
|
||||
exitstatus=$?
|
||||
if [ $exitstatus != 0 ]; then
|
||||
echo "::: Cancel selected. Exiting..."
|
||||
exit 1
|
||||
fi
|
||||
if (whiptail --backtitle "Confirm DNS Name" --title "Confirm DNS Name" --yesno "Is this correct?\n\n Public DNS Name: $PUBLICDNS" ${r} ${c}) then
|
||||
publicDNSCorrect=True
|
||||
$SUDO sed -i 's/IPv4pub/'"$PUBLICDNS"'/' /etc/openvpn/easy-rsa/pki/Default.txt
|
||||
else
|
||||
publicDNSCorrect=False
|
||||
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
if [ "$METH" == "$IPv4pub" ]; then
|
||||
$SUDO sed -i 's/IPv4pub/'"$IPv4pub"'/' /etc/openvpn/easy-rsa/pki/Default.txt
|
||||
else
|
||||
until [[ $publicDNSCorrect = True ]]
|
||||
do
|
||||
PUBLICDNS=$(whiptail --title "PiVPN Setup" --inputbox "What is the public DNS name of this Server?" ${r} ${c} 3>&1 1>&2 2>&3)
|
||||
exitstatus=$?
|
||||
if [ $exitstatus != 0 ]; then
|
||||
echo "::: Cancel selected. Exiting..."
|
||||
exit 1
|
||||
fi
|
||||
if (whiptail --backtitle "Confirm DNS Name" --title "Confirm DNS Name" --yesno "Is this correct?\n\n Public DNS Name: $PUBLICDNS" ${r} ${c}) then
|
||||
publicDNSCorrect=True
|
||||
$SUDO sed -i 's/IPv4pub/'"$PUBLICDNS"'/' /etc/openvpn/easy-rsa/pki/Default.txt
|
||||
else
|
||||
publicDNSCorrect=False
|
||||
fi
|
||||
done
|
||||
fi
|
||||
else
|
||||
$SUDO sed -i 's/IPv4pub/'"$PUBLICDNS"'/' /etc/openvpn/easy-rsa/pki/Default.txt
|
||||
fi
|
||||
|
||||
# if they modified port put value in Default.txt for clients to use
|
||||
|
@ -1003,15 +1016,60 @@ confOVPN() {
|
|||
# verify server name to strengthen security
|
||||
$SUDO sed -i "s/SRVRNAME/${SERVER_NAME}/" /etc/openvpn/easy-rsa/pki/Default.txt
|
||||
|
||||
$SUDO mkdir "/home/$pivpnUser/ovpns"
|
||||
if [ ! -d "/home/$pivpnUser/ovpns" ]; then
|
||||
$SUDO mkdir "/home/$pivpnUser/ovpns"
|
||||
fi
|
||||
$SUDO chmod 0777 -R "/home/$pivpnUser/ovpns"
|
||||
}
|
||||
|
||||
finalExports() {
|
||||
# Update variables in setupVars.conf file
|
||||
if [ -e "${setupVars}" ]; then
|
||||
sed -i.update.bak '/pivpnUser/d;/UNATTUPG/d;/pivpnInterface/d;/IPv4dns/d;/IPv4addr/d;/IPv4gw/d;/pivpnProto/d;/PORT/d;/ENCRYPT/d;/DOWNLOAD_DH_PARAM/d;/PUBLICDNS/d;/OVPNDNS1/d;/OVPNDNS2/d;' "${setupVars}"
|
||||
fi
|
||||
{
|
||||
echo "pivpnUser=${pivpnUser}"
|
||||
echo "UNATTUPG=${UNATTUPG}"
|
||||
echo "pivpnInterface=${pivpnInterface}"
|
||||
echo "IPv4dns=${IPv4dns}"
|
||||
echo "IPv4addr=${IPv4addr}"
|
||||
echo "IPv4gw=${IPv4gw}"
|
||||
echo "pivpnProto=${pivpnProto}"
|
||||
echo "PORT=${PORT}"
|
||||
echo "ENCRYPT=${ENCRYPT}"
|
||||
echo "DOWNLOAD_DH_PARAM=${DOWNLOAD_DH_PARAM}"
|
||||
echo "PUBLICDNS=${PUBLICDNS}"
|
||||
echo "OVPNDNS1=${OVPNDNS1}"
|
||||
echo "OVPNDNS2=${OVPNDNS2}"
|
||||
}>> "${setupVars}"
|
||||
}
|
||||
|
||||
|
||||
# I suggest replacing some of these names.
|
||||
|
||||
#accountForRefactor() {
|
||||
# # At some point in the future this list can be pruned, for now we'll need it to ensure updates don't break.
|
||||
#
|
||||
# # Refactoring of install script has changed the name of a couple of variables. Sort them out here.
|
||||
# sed -i 's/pivpnUser/PIVPN_USER/g' ${setupVars}
|
||||
# #sed -i 's/UNATTUPG/UNATTUPG/g' ${setupVars}
|
||||
# sed -i 's/pivpnInterface/PIVPN_INTERFACE/g' ${setupVars}
|
||||
# sed -i 's/IPv4dns/IPV4_DNS/g' ${setupVars}
|
||||
# sed -i 's/IPv4addr/IPV4_ADDRESS/g' ${setupVars}
|
||||
# sed -i 's/IPv4gw/IPV4_GATEWAY/g' ${setupVars}
|
||||
# sed -i 's/pivpnProto/TRANSPORT_LAYER/g' ${setupVars}
|
||||
# #sed -i 's/PORT/PORT/g' ${setupVars}
|
||||
# #sed -i 's/ENCRYPT/ENCRYPT/g' ${setupVars}
|
||||
# #sed -i 's/DOWNLOAD_DH_PARAM/DOWNLOAD_DH_PARAM/g' ${setupVars}
|
||||
# sed -i 's/PUBLICDNS/PUBLIC_DNS/g' ${setupVars}
|
||||
# sed -i 's/OVPNDNS1/OVPN_DNS_1/g' ${setupVars}
|
||||
# sed -i 's/OVPNDNS2/OVPN_DNS_2/g' ${setupVars}
|
||||
#}
|
||||
|
||||
installPiVPN() {
|
||||
stopServices
|
||||
confUnattendedUpgrades
|
||||
$SUDO mkdir -p /etc/pivpn/
|
||||
getGitFiles ${pivpnFilesDir} ${pivpnGitUrl}
|
||||
confUnattendedUpgrades
|
||||
installScripts
|
||||
setCustomProto
|
||||
setCustomPort
|
||||
|
@ -1019,17 +1077,38 @@ installPiVPN() {
|
|||
confNetwork
|
||||
confOVPN
|
||||
setClientDNS
|
||||
finalExports
|
||||
}
|
||||
|
||||
updatePiVPN() {
|
||||
#accountForRefactor
|
||||
stopServices
|
||||
confUnattendedUpgrades
|
||||
installScripts
|
||||
|
||||
# setCustomProto
|
||||
# write out the PROTO
|
||||
PROTO=$pivpnProto
|
||||
$SUDO cp /tmp/pivpnPROTO /etc/pivpn/INSTALL_PROTO
|
||||
|
||||
#setCustomPort
|
||||
# write out the port
|
||||
$SUDO cp /tmp/INSTALL_PORT /etc/pivpn/INSTALL_PORT
|
||||
|
||||
confOpenVPN
|
||||
confNetwork
|
||||
confOVPN
|
||||
|
||||
# ?? Is this always OK? Also if you only select one DNS server ??
|
||||
$SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf
|
||||
$SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf
|
||||
|
||||
finalExports #re-export setupVars.conf to account for any new vars added in new versions
|
||||
}
|
||||
|
||||
|
||||
displayFinalMessage() {
|
||||
# Final completion message to user
|
||||
if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then
|
||||
$SUDO service openvpn start
|
||||
else
|
||||
$SUDO systemctl enable openvpn.service
|
||||
$SUDO systemctl start openvpn.service
|
||||
fi
|
||||
|
||||
whiptail --msgbox --backtitle "Make it so." --title "Installation Complete!" "Now run 'pivpn add' to create the ovpn profiles.
|
||||
Run 'pivpn help' to see what else you can do!
|
||||
The install log is in /etc/pivpn." ${r} ${c}
|
||||
|
@ -1041,46 +1120,206 @@ The install log is in /etc/pivpn." ${r} ${c}
|
|||
fi
|
||||
}
|
||||
|
||||
update_dialogs() {
|
||||
# reconfigure
|
||||
if [ "${reconfigure}" = true ]; then
|
||||
opt1a="Repair"
|
||||
opt1b="This will retain existing settings"
|
||||
strAdd="You will remain on the same version"
|
||||
else
|
||||
opt1a="Update"
|
||||
opt1b="This will retain existing settings."
|
||||
strAdd="You will be updated to the latest version."
|
||||
fi
|
||||
opt2a="Reconfigure"
|
||||
opt2b="This will allow you to enter new settings"
|
||||
|
||||
UpdateCmd=$(whiptail --title "Existing Install Detected!" --menu "\n\nWe have detected an existing install.\n\nPlease choose from the following options: \n($strAdd)" ${r} ${c} 2 \
|
||||
"${opt1a}" "${opt1b}" \
|
||||
"${opt2a}" "${opt2b}" 3>&2 2>&1 1>&3) || \
|
||||
{ echo "::: Cancel selected. Exiting"; exit 1; }
|
||||
|
||||
case ${UpdateCmd} in
|
||||
${opt1a})
|
||||
echo "::: ${opt1a} option selected."
|
||||
useUpdateVars=true
|
||||
;;
|
||||
${opt2a})
|
||||
echo "::: ${opt2a} option selected"
|
||||
useUpdateVars=false
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
clone_or_update_repos() {
|
||||
if [[ "${reconfigure}" == true ]]; then
|
||||
echo "::: --reconfigure passed to install script. Not downloading/updating local repos"
|
||||
else
|
||||
# Get Git files
|
||||
getGitFiles ${pivpnFilesDir} ${pivpnGitUrl} || \
|
||||
{ echo "!!! Unable to clone ${pivpnGitUrl} into ${pivpnFilesDir}, unable to continue."; \
|
||||
exit 1; \
|
||||
}
|
||||
fi
|
||||
}
|
||||
|
||||
######## SCRIPT ############
|
||||
# Verify there is enough disk space for the install
|
||||
verifyFreeDiskSpace
|
||||
|
||||
# Install the packages (we do this first because we need whiptail)
|
||||
#checkForDependencies
|
||||
update_package_cache
|
||||
main() {
|
||||
|
||||
notify_package_updates_available
|
||||
######## FIRST CHECK ########
|
||||
# Must be root to install
|
||||
echo ":::"
|
||||
if [[ $EUID -eq 0 ]];then
|
||||
echo "::: You are root."
|
||||
else
|
||||
echo "::: sudo will be used for the install."
|
||||
# Check if it is actually installed
|
||||
# If it isn't, exit because the install cannot complete
|
||||
if [[ $(dpkg-query -s sudo) ]];then
|
||||
export SUDO="sudo"
|
||||
export SUDOE="sudo -E"
|
||||
else
|
||||
echo "::: Please install sudo or run this as root."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# Check for supported distribution
|
||||
distro_check
|
||||
|
||||
# Check arguments for the undocumented flags
|
||||
for var in "$@"; do
|
||||
case "$var" in
|
||||
"--reconfigure" ) reconfigure=true;;
|
||||
"--i_do_not_follow_recommendations" ) skipSpaceCheck=false;;
|
||||
"--unattended" ) runUnattended=true;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [[ -f ${setupVars} ]]; then
|
||||
if [[ "${runUnattended}" == true ]]; then
|
||||
echo "::: --unattended passed to install script, no whiptail dialogs will be displayed"
|
||||
useUpdateVars=true
|
||||
else
|
||||
update_dialogs
|
||||
fi
|
||||
fi
|
||||
|
||||
# Start the installer
|
||||
# Verify there is enough disk space for the install
|
||||
if [[ "${skipSpaceCheck}" == true ]]; then
|
||||
echo "::: --i_do_not_follow_recommendations passed to script, skipping free disk space verification!"
|
||||
else
|
||||
verifyFreeDiskSpace
|
||||
fi
|
||||
|
||||
# Install the packages (we do this first because we need whiptail)
|
||||
#checkForDependencies
|
||||
update_package_cache
|
||||
|
||||
# Notify user of package availability
|
||||
notify_package_updates_available
|
||||
|
||||
# Install packages used by this installation script
|
||||
install_dependent_packages PIVPN_DEPS[@]
|
||||
|
||||
if [[ ${useUpdateVars} == false ]]; then
|
||||
# Display welcome dialogs
|
||||
welcomeDialogs
|
||||
|
||||
# Find interfaces and let the user choose one
|
||||
chooseInterface
|
||||
|
||||
# Only try to set static on Raspbian, otherwise let user do it
|
||||
if [[ $PLAT != "Raspbian" ]]; then
|
||||
avoidStaticIPv4Ubuntu
|
||||
else
|
||||
getStaticIPv4Settings
|
||||
setStaticIPv4
|
||||
fi
|
||||
|
||||
# Set the Network IP and Mask correctly
|
||||
setNetwork
|
||||
|
||||
# Choose the user for the ovpns
|
||||
chooseUser
|
||||
|
||||
# Ask if unattended-upgrades will be enabled
|
||||
unattendedUpgrades
|
||||
|
||||
# Clone/Update the repos
|
||||
clone_or_update_repos
|
||||
|
||||
# Install and log everything to a file
|
||||
installPiVPN | tee ${tmpLog}
|
||||
|
||||
echo "::: Install Complete..."
|
||||
else
|
||||
# Source ${setupVars} for use in the rest of the functions.
|
||||
source ${setupVars}
|
||||
|
||||
echo "::: Using IP address: $IPv4addr"
|
||||
echo "${IPv4addr%/*}" > /tmp/pivpnIP
|
||||
echo "::: Using interface: $pivpnInterface"
|
||||
echo "${pivpnInterface}" > /tmp/pivpnINT
|
||||
echo "::: Using User: $pivpnUser"
|
||||
echo "${pivpnUser}" > /tmp/pivpnUSR
|
||||
echo "::: Using protocol: $pivpnProto"
|
||||
echo "${pivpnProto}" > /tmp/pivpnPROTO
|
||||
echo "::: Using port: $PORT"
|
||||
echo ${PORT} > /tmp/INSTALL_PORT
|
||||
echo ":::"
|
||||
|
||||
# Only try to set static on Raspbian
|
||||
if [[ $PLAT != "Raspbian" ]]; then
|
||||
echo "::: IP Information"
|
||||
echo "::: Since we think you are not using Raspbian, we will not configure a static IP for you."
|
||||
echo "::: If you are in Amazon then you can not configure a static IP anyway."
|
||||
echo "::: Just ensure before this installer started you had set an elastic IP on your instance."
|
||||
else
|
||||
setStaticIPv4 # This might be a problem if a user tries to modify the ip in the config file and then runs an update because of the way we check for previous configuration in /etc/dhcpcd.conf
|
||||
fi
|
||||
|
||||
# Clone/Update the repos
|
||||
clone_or_update_repos
|
||||
|
||||
|
||||
updatePiVPN | tee ${tmpLog}
|
||||
fi
|
||||
|
||||
#Move the install log into /etc/pivpn for storage
|
||||
$SUDO mv ${tmpLog} ${instalLogLoc}
|
||||
|
||||
echo "::: Restarting services..."
|
||||
# Start services
|
||||
if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then
|
||||
$SUDO service openvpn start
|
||||
else
|
||||
$SUDO systemctl enable openvpn.service
|
||||
$SUDO systemctl start openvpn.service
|
||||
fi
|
||||
|
||||
echo "::: done."
|
||||
|
||||
if [[ "${useUpdateVars}" == false ]]; then
|
||||
displayFinalMessage
|
||||
fi
|
||||
|
||||
echo ":::"
|
||||
if [[ "${useUpdateVars}" == false ]]; then
|
||||
echo "::: Installation Complete!"
|
||||
echo "::: Now run 'pivpn add' to create the ovpn profiles."
|
||||
echo "::: Run 'pivpn help' to see what else you can do!"
|
||||
echo "::: It is strongly recommended you reboot after installation."
|
||||
else
|
||||
echo "::: Update complete!"
|
||||
fi
|
||||
|
||||
echo ":::"
|
||||
echo "::: The install log is located at: ${instalLogLoc}"
|
||||
}
|
||||
|
||||
install_dependent_packages PIVPN_DEPS[@]
|
||||
|
||||
# Start the installer
|
||||
welcomeDialogs
|
||||
|
||||
# Find interfaces and let the user choose one
|
||||
chooseInterface
|
||||
|
||||
# Only try to set static on Raspbian, otherwise let user do it
|
||||
if [[ $PLAT != "Raspbian" ]]; then
|
||||
avoidStaticIPv4Ubuntu
|
||||
else
|
||||
getStaticIPv4Settings
|
||||
setStaticIPv4
|
||||
if [[ "${PIVPN_TEST}" != true ]] ; then
|
||||
main "$@"
|
||||
fi
|
||||
|
||||
setNetwork
|
||||
|
||||
# Choose the user for the ovpns
|
||||
chooseUser
|
||||
|
||||
# Ask if unattended-upgrades will be enabled
|
||||
unattendedUpgrades
|
||||
|
||||
# Install
|
||||
installPiVPN | tee ${tmpLog}
|
||||
|
||||
#Move the install log into /etc/pivpn for storage
|
||||
$SUDO mv ${tmpLog} ${instalLogLoc}
|
||||
|
||||
displayFinalMessage
|
||||
|
||||
echo "::: Install Complete..."
|
||||
|
|
5
pivpn
5
pivpn
|
@ -55,7 +55,8 @@ function debugFunc {
|
|||
}
|
||||
|
||||
function removeOVPNFunc {
|
||||
$SUDO /opt/pivpn/removeOVPN.sh
|
||||
shift
|
||||
$SUDO /opt/pivpn/removeOVPN.sh "$@"
|
||||
exit 1
|
||||
}
|
||||
|
||||
|
@ -94,7 +95,7 @@ case "$1" in
|
|||
"-c" | "clients" ) listClientsFunc;;
|
||||
"-d" | "debug" ) debugFunc;;
|
||||
"-l" | "list" ) listOVPNFunc;;
|
||||
"-r" | "revoke" ) removeOVPNFunc;;
|
||||
"-r" | "revoke" ) removeOVPNFunc "$@";;
|
||||
"-h" | "help" ) helpFunc;;
|
||||
"-u" | "uninstall" ) uninstallFunc;;
|
||||
"-v" ) versionFunc;;
|
||||
|
|
|
@ -10,6 +10,60 @@ TA="ta.key"
|
|||
INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
|
||||
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
|
||||
|
||||
helpFunc() {
|
||||
echo "::: Create a client ovpn profile, optional nopass"
|
||||
echo ":::"
|
||||
echo "::: Usage: pivpn <-a|add> [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-h|--help]"
|
||||
echo ":::"
|
||||
echo "::: Commands:"
|
||||
echo "::: [none] Interactive mode"
|
||||
echo "::: nopass Create a client without a password"
|
||||
echo "::: -n,--name Name for the Client (default: '"$(hostname)"')"
|
||||
echo "::: -p,--password Password for the Client (no default)"
|
||||
echo "::: -h,--help Show this help dialog"
|
||||
}
|
||||
|
||||
# Parse input arguments
|
||||
while test $# -gt 0
|
||||
do
|
||||
_key="$1"
|
||||
case "$_key" in
|
||||
-n|--name|--name=*)
|
||||
_val="${_key##--name=}"
|
||||
if test "$_val" = "$_key"
|
||||
then
|
||||
test $# -lt 2 && echo "Missing value for the optional argument '$_key'." && exit 1
|
||||
_val="$2"
|
||||
shift
|
||||
fi
|
||||
NAME="$_val"
|
||||
;;
|
||||
-p|--password|--password=*)
|
||||
_val="${_key##--password=}"
|
||||
if test "$_val" = "$_key"
|
||||
then
|
||||
test $# -lt 2 && echo "Missing value for the optional argument '$_key'." && exit 1
|
||||
_val="$2"
|
||||
shift
|
||||
fi
|
||||
PASSWD="$_val"
|
||||
;;
|
||||
-h|--help)
|
||||
helpFunc
|
||||
exit 0
|
||||
;;
|
||||
nopass)
|
||||
NO_PASS="1"
|
||||
;;
|
||||
*)
|
||||
echo "Error: Got an unexpected argument '$1'"
|
||||
helpFunc
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
# Functions def
|
||||
|
||||
function keynoPASS() {
|
||||
|
@ -27,24 +81,26 @@ EOF
|
|||
|
||||
function keyPASS() {
|
||||
|
||||
stty -echo
|
||||
while true
|
||||
do
|
||||
printf "Enter the password for the client: "
|
||||
read -r PASSWD
|
||||
printf "\n"
|
||||
printf "Enter the password again to verify: "
|
||||
read -r PASSWD2
|
||||
printf "\n"
|
||||
[ "${PASSWD}" = "${PASSWD2}" ] && break
|
||||
printf "Passwords do not match! Please try again.\n"
|
||||
done
|
||||
stty echo
|
||||
if [[ -z "${PASSWD}" ]]; then
|
||||
echo "You left the password blank"
|
||||
echo "If you don't want a password, please run:"
|
||||
echo "pivpn add nopass"
|
||||
exit 1
|
||||
stty -echo
|
||||
while true
|
||||
do
|
||||
printf "Enter the password for the client: "
|
||||
read -r PASSWD
|
||||
printf "\n"
|
||||
printf "Enter the password again to verify: "
|
||||
read -r PASSWD2
|
||||
printf "\n"
|
||||
[ "${PASSWD}" = "${PASSWD2}" ] && break
|
||||
printf "Passwords do not match! Please try again.\n"
|
||||
done
|
||||
stty echo
|
||||
if [[ -z "${PASSWD}" ]]; then
|
||||
echo "You left the password blank"
|
||||
echo "If you don't want a password, please run:"
|
||||
echo "pivpn add nopass"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
if [ ${#PASSWD} -lt 4 ] || [ ${#PASSWD} -gt 1024 ]
|
||||
then
|
||||
|
@ -69,8 +125,10 @@ EOF
|
|||
|
||||
}
|
||||
|
||||
printf "Enter a Name for the Client: "
|
||||
read -r NAME
|
||||
if [ -z "${NAME}" ]; then
|
||||
printf "Enter a Name for the Client: "
|
||||
read -r NAME
|
||||
fi
|
||||
|
||||
if [[ "${NAME}" =~ [^a-zA-Z0-9] ]]; then
|
||||
echo "Name can only contain alphanumeric characters."
|
||||
|
@ -86,10 +144,11 @@ fi
|
|||
while read -r line || [ -n "${line}" ]; do
|
||||
STATUS=$(echo "$line" | awk '{print $1}')
|
||||
|
||||
if [[ "${STATUS}" = "V" ]]; then
|
||||
if [ "${STATUS}" == "V" ]; then
|
||||
CERT=$(echo "$line" | sed -e 's:.*/CN=::')
|
||||
if [ "${CERT}" == "${NAME}" ]; then
|
||||
INUSE="1"
|
||||
break
|
||||
fi
|
||||
fi
|
||||
done <${INDEX}
|
||||
|
@ -108,8 +167,13 @@ fi
|
|||
|
||||
cd /etc/openvpn/easy-rsa || exit
|
||||
|
||||
if [[ "$@" =~ "nopass" ]]; then
|
||||
keynoPASS
|
||||
if [[ "${NO_PASS}" =~ "1" ]]; then
|
||||
if [[ -n "${PASSWD}" ]]; then
|
||||
echo "Both nopass and password arguments passed to the script. Please use either one."
|
||||
exit 1
|
||||
else
|
||||
keynoPASS
|
||||
fi
|
||||
else
|
||||
keyPASS
|
||||
fi
|
||||
|
|
|
@ -6,73 +6,131 @@ REVOKE_STATUS=$(cat /etc/pivpn/REVOKE_STATUS)
|
|||
PLAT=$(cat /etc/pivpn/DET_PLATFORM)
|
||||
INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
|
||||
|
||||
helpFunc() {
|
||||
echo "::: Revoke a client ovpn profile"
|
||||
echo ":::"
|
||||
echo "::: Usage: pivpn <-r|revoke> [-h|--help] [<client-1>] ... [<client-n>] ..."
|
||||
echo ":::"
|
||||
echo "::: Commands:"
|
||||
echo "::: [none] Interactive mode"
|
||||
echo "::: <client> Client(s) to to revoke"
|
||||
echo "::: -h,--help Show this help dialog"
|
||||
}
|
||||
|
||||
# Parse input arguments
|
||||
while test $# -gt 0
|
||||
do
|
||||
_key="$1"
|
||||
case "$_key" in
|
||||
-h|--help)
|
||||
helpFunc
|
||||
exit 0
|
||||
;;
|
||||
*)
|
||||
CERTS_TO_REVOKE+=("$1")
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
if [ ! -f "${INDEX}" ]; then
|
||||
printf "The file: %s was not found\n" "$INDEX"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
printf "\n"
|
||||
printf " ::\e[4m Certificate List \e[0m:: \n"
|
||||
|
||||
i=0
|
||||
while read -r line || [ -n "$line" ]; do
|
||||
STATUS=$(echo "$line" | awk '{print $1}')
|
||||
if [[ "${STATUS}" = "V" ]]; then
|
||||
NAME=$(echo "$line" | sed -e 's:.*/CN=::')
|
||||
CERTS[$i]=${NAME}
|
||||
if [ "$i" != 0 ]; then
|
||||
# Prevent printing "server" certificate
|
||||
printf " %s\n" "$NAME"
|
||||
if [[ -z "${CERTS_TO_REVOKE}" ]]; then
|
||||
printf "\n"
|
||||
printf " ::\e[4m Certificate List \e[0m:: \n"
|
||||
|
||||
i=0
|
||||
while read -r line || [ -n "$line" ]; do
|
||||
STATUS=$(echo "$line" | awk '{print $1}')
|
||||
if [[ "${STATUS}" = "V" ]]; then
|
||||
NAME=$(echo "$line" | sed -e 's:.*/CN=::')
|
||||
CERTS[$i]=${NAME}
|
||||
if [ "$i" != 0 ]; then
|
||||
# Prevent printing "server" certificate
|
||||
printf " %s\n" "$NAME"
|
||||
fi
|
||||
let i=i+1
|
||||
fi
|
||||
let i=i+1
|
||||
done <${INDEX}
|
||||
printf "\n"
|
||||
|
||||
echo "::: Please enter the Name of the client to be revoked from the list above:"
|
||||
read -r NAME
|
||||
|
||||
if [[ -z "${NAME}" ]]; then
|
||||
echo "You can not leave this blank!"
|
||||
exit 1
|
||||
fi
|
||||
done <${INDEX}
|
||||
printf "\n"
|
||||
|
||||
echo "::: Please enter the Name of the client to be revoked from the list above:"
|
||||
read -r NAME
|
||||
|
||||
if [[ -z "${NAME}" ]]; then
|
||||
echo "::: You can not leave this blank!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
for((x=1;x<=i;++x)); do
|
||||
if [ "${CERTS[$x]}" = "${NAME}" ]; then
|
||||
VALID=1
|
||||
|
||||
for((x=1;x<=i;++x)); do
|
||||
if [ "${CERTS[$x]}" = "${NAME}" ]; then
|
||||
VALID=1
|
||||
fi
|
||||
done
|
||||
|
||||
if [ -z "${VALID}" ]; then
|
||||
printf "You didn't enter a valid cert name!\n"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
if [ -z "${VALID}" ]; then
|
||||
printf "::: You didn't enter a valid cert name!\n"
|
||||
exit 1
|
||||
|
||||
CERTS_TO_REVOKE=( "${NAME}" )
|
||||
else
|
||||
i=0
|
||||
while read -r line || [ -n "$line" ]; do
|
||||
STATUS=$(echo "$line" | awk '{print $1}')
|
||||
if [[ "${STATUS}" = "V" ]]; then
|
||||
NAME=$(echo "$line" | sed -e 's:.*/CN=::')
|
||||
CERTS[$i]=${NAME}
|
||||
let i=i+1
|
||||
fi
|
||||
done <${INDEX}
|
||||
|
||||
for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
|
||||
VALID=0
|
||||
for((x=1;x<=i;++x)); do
|
||||
if [ "${CERTS[$x]}" = "${CERTS_TO_REVOKE[ii]}" ]; then
|
||||
VALID=1
|
||||
fi
|
||||
done
|
||||
|
||||
if [ "${VALID}" != 1 ]; then
|
||||
printf "You passed an invalid cert name: '"%s"'!\n" "${CERTS_TO_REVOKE[ii]}"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
cd /etc/openvpn/easy-rsa || exit
|
||||
|
||||
if [ "${REVOKE_STATUS}" == 0 ]; then
|
||||
echo 1 > /etc/pivpn/REVOKE_STATUS
|
||||
printf "\nThis seems to be the first time you have revoked a cert.\n"
|
||||
echo 1 > /etc/pivpn/REVOKE_STATUS
|
||||
printf "\nThis seems to be the first time you have revoked a cert.\n"
|
||||
printf "First we need to initialize the Certificate Revocation List.\n"
|
||||
printf "Then add the CRL to your server config and restart openvpn.\n"
|
||||
printf "Then add the CRL to your server config and restart openvpn.\n"
|
||||
./easyrsa gen-crl
|
||||
cp pki/crl.pem /etc/openvpn/crl.pem
|
||||
chown nobody:nogroup /etc/openvpn/crl.pem
|
||||
sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf
|
||||
if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then
|
||||
service openvpn restart
|
||||
else
|
||||
systemctl restart openvpn.service
|
||||
fi
|
||||
sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf
|
||||
if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then
|
||||
service openvpn restart
|
||||
else
|
||||
systemctl restart openvpn.service
|
||||
fi
|
||||
fi
|
||||
|
||||
./easyrsa --batch revoke "${NAME}"
|
||||
./easyrsa gen-crl
|
||||
printf "\n::: Certificate revoked, and CRL file updated.\n"
|
||||
printf "::: Removing certs and client configuration for this profile.\n"
|
||||
rm -rf "pki/reqs/${NAME}.req"
|
||||
rm -rf "pki/private/${NAME}.key"
|
||||
rm -rf "pki/issued/${NAME}.crt"
|
||||
rm -rf "/home/${INSTALL_USER}/ovpns/${NAME}.ovpn"
|
||||
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
|
||||
for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
|
||||
printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}"
|
||||
./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}"
|
||||
./easyrsa gen-crl
|
||||
printf "\n::: Certificate revoked, and CRL file updated.\n"
|
||||
printf "::: Removing certs and client configuration for this profile.\n"
|
||||
rm -rf "pki/reqs/${CERTS_TO_REVOKE[ii]}.req"
|
||||
rm -rf "pki/private/${CERTS_TO_REVOKE[ii]}.key"
|
||||
rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt"
|
||||
rm -rf "/home/${INSTALL_USER}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn"
|
||||
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
|
||||
done
|
||||
printf "::: Completed!\n"
|
||||
|
|
Loading…
Reference in a new issue