diff --git a/auto_install/install.sh b/auto_install/install.sh
index afa5f89..fa9b8eb 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -976,7 +976,41 @@ confNetwork() {
 # else configure iptables
 if [[ $noUFW -eq 1 ]]; then
 echo 1 > /tmp/noUFW
+
+ # Now some checks to detect which rules we need to add. On a newly installed system all policies
+ # should be ACCEPT, so the only required rule would be the MASQUERADE one.
+ $SUDO iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE
+
+ # Count how many rules are in the INPUT and FORWARD chain. When parsing input from
+ # iptables -S, '^-P' skips the policies and 'ufw-' skips ufw chains (in case ufw was found
+ # installed but not enabled).
+
+ INPUT_RULES_COUNT="$($SUDO iptables -S INPUT | grep -vcE '(^-P|ufw-)')"
+ FORWARD_RULES_COUNT="$($SUDO iptables -S FORWARD | grep -vcE '(^-P|ufw-)')"
+
+ INPUT_POLICY="$($SUDO iptables -S INPUT | grep '^-P' | awk '{print $3}')"
+ FORWARD_POLICY="$($SUDO iptables -S FORWARD | grep '^-P' | awk '{print $3}')"
+
+ # If rules count is not zero, we assume we need to explicitly allow traffic. Same conclusion if
+ # there are no rules and the policy is not ACCEPT. Note that rules are being added to the top of the
+ # chain (using -I).
+
+ if [ "$INPUT_RULES_COUNT" -ne 0 ] || [ "$INPUT_POLICY" != "ACCEPT" ]; then
+ $SUDO iptables -I INPUT 1 -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT
+ INPUT_CHAIN_EDITED=1
+ else
+ INPUT_CHAIN_EDITED=0
+ fi
+
+ if [ "$FORWARD_RULES_COUNT" -ne 0 ] || [ "$FORWARD_POLICY" != "ACCEPT" ]; then
+ $SUDO iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ $SUDO iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
+ FORWARD_CHAIN_EDITED=1
+ else
+ FORWARD_CHAIN_EDITED=0
+ fi
+
 case ${PLAT} in
 Ubuntu|Debian|Devuan)
 $SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null
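Review bot: The MASQUERADE insert at the top of the added block, and the `-I INPUT 1` / `-I FORWARD` inserts below it, run unconditionally, so re-running the installer on a host that already carries the rules stacks duplicate copies that a later `iptables -D` removes only one at a time. Guard each insert with a `-C` probe first, e.g. `$SUDO iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE &> /dev/null || $SUDO iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE`, and the same for the INPUT and FORWARD rules. The second FORWARD rule has no destination match, so VPN clients may forward to anything reachable via `$IPv4dev`, not only the local network; that matches a full-tunnel design but deserves a sentence in the comment above it, e.g. `# Clients get unrestricted forwarding out of $IPv4dev; narrow -d here for a LAN-only VPN.` confNetwork starts before this hunk.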
@@ -989,7 +1023,12 @@ confNetwork() {
 echo 0 > /tmp/noUFW
 fi
+ echo "$INPUT_CHAIN_EDITED" > /tmp/INPUT_CHAIN_EDITED
+ echo "$FORWARD_CHAIN_EDITED" > /tmp/FORWARD_CHAIN_EDITED
+
 $SUDO cp /tmp/noUFW /etc/pivpn/NO_UFW
+ $SUDO cp /tmp/INPUT_CHAIN_EDITED /etc/pivpn/INPUT_CHAIN_EDITED
+ $SUDO cp /tmp/FORWARD_CHAIN_EDITED /etc/pivpn/FORWARD_CHAIN_EDITED
 }
 confOVPN() {
diff --git a/scripts/pivpnDebug.sh b/scripts/pivpnDebug.sh
index 849c70d..ff912f3 100755
--- a/scripts/pivpnDebug.sh
+++ b/scripts/pivpnDebug.sh
@@ -56,11 +56,39 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then
 iptables -t nat -F
 iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE
 iptables-save > /etc/iptables/rules.v4
- iptables-restore < /etc/iptables/rules.v4
 echo "Done"
 fi
 fi
+ if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then
+ if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then
+ echo ":: [OK] Iptables INPUT rule set"
+ else
+ ERR=1
+ read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
+ if [[ ${REPLY} =~ ^[Yy]$ ]]; then
+ iptables -I INPUT 1 -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT
+ iptables-save > /etc/iptables/rules.v4
+ echo "Done"
+ fi
+ fi
+ fi
+
+ if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then
+ if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then
+ echo ":: [OK] Iptables FORWARD rule set"
+ else
+ ERR=1
+ read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
+ if [[ ${REPLY} =~ ^[Yy]$ ]]; then
+ iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
+ iptables-save > /etc/iptables/rules.v4
+ echo "Done"
+ fi
+ fi
+ fi
+
 else
 if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh
index 99192aa..f1edea4 100755
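Review bot: The two new state files are staged through fixed, predictable names in world-writable /tmp (`echo ... > /tmp/INPUT_CHAIN_EDITED` as the invoking user, then `$SUDO cp` into /etc/pivpn as root), copying the existing /tmp/noUFW pattern; on a multi-user host a local user who pre-creates those names can have their content land in the root-owned /etc/pivpn files, and the `[ ... -eq 1 ]` checks in pivpnDebug.sh and uninstall.sh then act on attacker-chosen values (the visible consumers only skip or mis-run firewall cleanup, so this looks like integrity rather than code execution, but root-owned config should not depend on /tmp). Write the values directly instead: `echo "$INPUT_CHAIN_EDITED" | $SUDO tee /etc/pivpn/INPUT_CHAIN_EDITED > /dev/null` and the same for FORWARD_CHAIN_EDITED, dropping the /tmp staging and the two `$SUDO cp` lines. confNetwork starts before this hunk.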
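Review bot: The FORWARD health check probes only the second rule (`-s 10.8.0.0/24 -i tun0 -o "$IPv4dev"`), so a missing RELATED,ESTABLISHED return rule is reported as OK, and when the probed rule is missing the fix branch re-inserts both, duplicating the return rule if it was still present. Check both before reporting OK, e.g. `if iptables -C FORWARD -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT &> /dev/null && iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then`, and gate each `-I` in the fix branch on its own `-C` so only the absent rule is added. Installs made before this change have no /etc/pivpn/INPUT_CHAIN_EDITED or FORWARD_CHAIN_EDITED, so `[ "$(cat ...)" -eq 1 ]` prints a cat error plus "integer expression expected" there; test for the file first, `[ -r /etc/pivpn/INPUT_CHAIN_EDITED ] && [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]`. The enclosing `if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]` block starts before this hunk and its `else` branch continues past it.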
--- a/scripts/uninstall.sh
+++ b/scripts/uninstall.sh
@@ -1,27 +1,14 @@
 #!/usr/bin/env bash
 # PiVPN: Uninstall Script
-# Must be root to uninstall
-if [[ $EUID -eq 0 ]];then
- echo "::: You are root."
-else
- echo "::: Sudo will be used for the uninstall."
- # Check if it is actually installed
- # If it isn't, exit because the unnstall cannot complete
- if [[ $(dpkg-query -s sudo) ]];then
- export SUDO="sudo"
- else
- echo "::: Please install sudo or run this as root."
- exit 1
- fi
-fi
-
 INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
 PLAT=$(cat /etc/pivpn/DET_PLATFORM)
 NO_UFW=$(cat /etc/pivpn/NO_UFW)
 PORT=$(cat /etc/pivpn/INSTALL_PORT)
 PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
 IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
+INPUT_CHAIN_EDITED="$(cat /etc/pivpn/INPUT_CHAIN_EDITED)"
+FORWARD_CHAIN_EDITED="$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)"
 # Find the rows and columns. Will default to 80x24 if it can not be detected.
 screen_size=$(stty size 2>/dev/null || echo 24 80)
@@ -59,7 +46,7 @@ echo ":::"
 while true; do
 read -rp "::: Do you wish to remove $i from your system? [y/n]: " yn
 case $yn in
- [Yy]* ) printf ":::\tRemoving %s..." "$i"; $SUDO apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n";
+ [Yy]* ) printf ":::\tRemoving %s..." "$i"; apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n";
 if [ "$i" == "openvpn" ]; then UINST_OVPN=1 ; fi
 if [ "$i" == "unattended-upgrades" ]; then UINST_UNATTUPG=1 ; fi
 break;;
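Review bot: Removing the EUID/sudo block takes away the only root check in uninstall.sh and nothing in the new code replaces it, so an unprivileged run now proceeds: the `cat /etc/pivpn/...` reads succeed if those files are world-readable, and the later `apt-get`, `rm -rf` and `iptables -D` calls fail, most of them silently behind `&> /dev/null`, leaving a half-removed install (presumably the `pivpn` wrapper invokes this with sudo, but the script should still fail closed on its own). Keep a guard at the top: `if [[ $EUID -ne 0 ]]; then echo "::: This script must be run as root (use sudo)."; exit 1; fi`. Installs made before this change have no INPUT_CHAIN_EDITED / FORWARD_CHAIN_EDITED files, so the two new `$(cat ...)` reads yield empty strings that later make `[ "$INPUT_CHAIN_EDITED" -eq 1 ]` error out; default them with `INPUT_CHAIN_EDITED="$(cat /etc/pivpn/INPUT_CHAIN_EDITED 2>/dev/null || echo 0)"` and likewise for FORWARD.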
@@ -74,44 +61,57 @@ echo ":::"
 # Take care of any additional package cleaning
 printf "::: Auto removing remaining dependencies..."
- $SUDO apt-get -y autoremove &> /dev/null & spinner $!; printf "done!\n";
+ apt-get -y autoremove &> /dev/null & spinner $!; printf "done!\n";
 printf "::: Auto cleaning remaining dependencies..."
- $SUDO apt-get -y autoclean &> /dev/null & spinner $!; printf "done!\n";
+ apt-get -y autoclean &> /dev/null & spinner $!; printf "done!\n";
 echo ":::"
 # Removing pivpn files
 echo "::: Removing pivpn system files..."
- $SUDO rm -rf /opt/pivpn &> /dev/null
- $SUDO rm -rf /etc/.pivpn &> /dev/null
- $SUDO rm -rf /home/$INSTALL_USER/ovpns &> /dev/null
+ rm -rf /opt/pivpn &> /dev/null
+ rm -rf /etc/.pivpn &> /dev/null
+ rm -rf /home/$INSTALL_USER/ovpns &> /dev/null
- $SUDO rm -rf /var/log/*pivpn* &> /dev/null
- $SUDO rm -rf /var/log/*openvpn* &> /dev/null
+ rm -rf /var/log/*pivpn* &> /dev/null
+ rm -rf /var/log/*openvpn* &> /dev/null
 if [[ $UINST_OVPN = 1 ]]; then
- $SUDO rm -rf /etc/openvpn &> /dev/null
+ rm -rf /etc/openvpn &> /dev/null
 if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then
 printf "::: Removing openvpn apt source..."
- $SUDO rm -rf /etc/apt/sources.list.d/swupdate.openvpn.net.list &> /dev/null
- $SUDO apt-get -qq update & spinner $!; printf "done!\n";
+ rm -rf /etc/apt/sources.list.d/swupdate.openvpn.net.list &> /dev/null
+ apt-get -qq update & spinner $!; printf "done!\n";
 fi
 fi
 if [[ $UINST_UNATTUPG = 1 ]]; then
- $SUDO rm -rf /var/log/unattended-upgrades
- $SUDO rm -rf /etc/apt/apt.conf.d/*periodic
+ rm -rf /var/log/unattended-upgrades
+ rm -rf /etc/apt/apt.conf.d/*periodic
 fi
- $SUDO rm -rf /etc/pivpn &> /dev/null
- $SUDO rm /usr/local/bin/pivpn &> /dev/null
- $SUDO rm /etc/bash_completion.d/pivpn
+ rm -rf /etc/pivpn &> /dev/null
+ rm /usr/local/bin/pivpn &> /dev/null
+ rm /etc/bash_completion.d/pivpn
 # Disable IPv4 forwarding
 sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf
 sysctl -p
 if [[ $NO_UFW -eq 0 ]]; then
- $SUDO sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
- $SUDO ufw delete allow "$PORT"/"$PROTO" >/dev/null
- $SUDO ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
- $SUDO ufw reload >/dev/null
+ sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
+ ufw delete allow "$PORT"/"$PROTO" >/dev/null
+ ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
+ ufw reload >/dev/null
+ else
+ iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE
+
+ if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
+ iptables -D INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT
+ fi
+
+ if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
+ iptables -D FORWARD -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -D FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
+ fi
+
+ iptables-save > /etc/iptables/rules.v4
 fi
 echo ":::"
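Review bot: The new `else` branch removes each rule with a single `iptables -D`, which deletes only the first matching instance and prints an error when none exists, while the installer inserts with `-I` and no `-C` probe, so a host where the installer ran more than once keeps a stray MASQUERADE or ACCEPT rule after uninstall. Loop until the rule is gone, e.g. `while iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; do iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE; done`, and the same shape for the INPUT and two FORWARD rules. The closing `iptables-save > /etc/iptables/rules.v4` hard-codes the Debian-family path, whereas the installer branches on `${PLAT}` before saving, so on other platforms this may write somewhere nothing reads or fail if /etc/iptables is absent; mirror that `case` here. Separately, the reworked `rm -rf /home/$INSTALL_USER/ovpns` leaves `$INSTALL_USER` unquoted and unguarded, so an empty or unusual value read from /etc/pivpn/INSTALL_USER silently changes the target; use `rm -rf "/home/${INSTALL_USER:?}/ovpns"`.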