Unattended installation

2024-12-18 10:50:16 +00:00 · 2019-11-16 14:58:58 +01:00 · 2019-11-16 14:58:58 +01:00 · d7ebb4cca9
commit d7ebb4cca9
parent 5cb8a05317
7 changed files with 108 additions and 67 deletions
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@ -679,7 +679,7 @@ askWhichVPN(){
 			fi
 		fi
 	else
-		if (whiptail --backtitle "Setup PiVPN" --title "Installation mode" --yesno "WireGuard is a new kind of VPN that provides near-istantaneous connection speed, high performance, modern cryptography.\n\nIt's the recommended choise expecially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\n\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol. Or if you need features like TCP and custom search domain.\n\nChoose 'Yes' to use WireGuard of 'No' to use OpenVPN." ${r} ${c});
+		if (whiptail --backtitle "Setup PiVPN" --title "Installation mode" --yesno "WireGuard is a new kind of VPN that provides near-istantaneous connection speed, high performance, modern cryptography.\n\nIt's the recommended choise expecially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\n\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol. Or if you need features like TCP and custom search domain.\n\nChoose 'Yes' to use WireGuard or 'No' to use OpenVPN." ${r} ${c});
 		then
 			VPN="wireguard"
 		else
@ -1075,7 +1075,7 @@ askCustomDomain(){

 	DomainSettingsCorrect=False

-	if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno "Would you like to add a custom search domain? \n (This is only for advanced users who have their own domain)\n" ${r} ${c}); then
+	if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno --defaultno "Would you like to add a custom search domain? \n (This is only for advanced users who have their own domain)\n" ${r} ${c}); then

 		until [[ $DomainSettingsCorrect = True ]]
 		do
@ -1217,16 +1217,27 @@ confOpenVPN(){
 	# Create a unique server name using the host name and UUID
 	SERVER_NAME="${host_name}_${NEW_UUID}"

+	# Backup the openvpn folder
+	OPENVPN_BACKUP="openvpn_$(date +%Y-%m-%d-%H%M%S).tar.gz"
+	echo "::: Backing up the openvpn folder to /etc/${OPENVPN_BACKUP}"
+	$SUDO tar czf "/etc/${OPENVPN_BACKUP}" /etc/openvpn
+
+	if [ -f /etc/openvpn/server.conf ]; then
+		$SUDO rm /etc/openvpn/server.conf
+	fi
+
 	# If easy-rsa exists, remove it
 	if [[ -d /etc/openvpn/easy-rsa/ ]]; then
 		$SUDO rm -rf /etc/openvpn/easy-rsa/
 	fi

 	# Get easy-rsa
-	wget -qO- "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn && $SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa
+	wget -qO- "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn
+	$SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa
 	# fix ownership
 	$SUDO chown -R root:root /etc/openvpn/easy-rsa
 	$SUDO mkdir /etc/openvpn/easy-rsa/pki
+	$SUDO chmod 700 /etc/openvpn/easy-rsa/pki

 	cd /etc/openvpn/easy-rsa || exit

@ -1300,7 +1311,7 @@ set_var EASYRSA_KEY_SIZE   ${pivpnENCRYPT}" | $SUDO tee vars >/dev/null
 		$SUDO sed -i "s/proto udp/proto tcp/g" /etc/openvpn/server.conf
 	fi

-	if [ -z "$pivpnDOMAIN" ]; then
+	if [ -n "$pivpnDOMAIN" ]; then
 		$SUDO sed -i "0,/\(.*dhcp-option.*\)/s//\push \"dhcp-option DOMAIN ${pivpnDOMAIN}\" \n&/" /etc/openvpn/server.conf
 	fi

@ -1326,30 +1337,35 @@ confOVPN(){

 	# verify server name to strengthen security
 	$SUDO sed -i "s/SRVRNAME/${SERVER_NAME}/" /etc/openvpn/easy-rsa/pki/Default.txt
-
-	if [ ! -d "$install_home/ovpns" ]; then
-		$SUDO mkdir "$install_home/ovpns"
-	fi
-	$SUDO chmod 0750 "$install_home/ovpns"
-	$SUDO chown $install_user:$install_user "$install_home/ovpns"
 }

 confWireGuard(){
 	if [ -d /etc/wireguard ]; then
-		$SUDO rm -r /etc/wireguard
+		# Backup the wireguard folder
+		WIREGUARD_BACKUP="wireguard_$(date +%Y-%m-%d-%H%M%S).tar.gz"
+		echo "::: Backing up the wireguard folder to /etc/${WIREGUARD_BACKUP}"
+		$SUDO tar czf "/etc/${WIREGUARD_BACKUP}" /etc/wireguard
+
+		if [ -f /etc/wireguard/wg0.conf ]; then
+			$SUDO rm /etc/wireguard/wg0.conf
+		fi
+	else
+		# If compiled from source, the wireguard folder is not being created
 		$SUDO mkdir /etc/wireguard
-		$SUDO chown root:root /etc/wireguard
-		$SUDO chmod 700 /etc/wireguard
 	fi

+	# Ensure that only root is able to enter the wireguard folder
+	$SUDO chown root:root /etc/wireguard
+	$SUDO chmod 700 /etc/wireguard
+
 	if [ "${runUnattended}" = 'true' ]; then
 		echo "::: The Server Keys and Pre-Shared key will now be generated."
 	else
 		whiptail --title "Server Information" --msgbox "The Server Keys and Pre-Shared key will now be generated." "${r}" "${c}"
 	fi
-	$SUDO mkdir /etc/wireguard/configs
+	$SUDO mkdir -p /etc/wireguard/configs
 	$SUDO touch /etc/wireguard/configs/clients.txt
-	$SUDO mkdir /etc/wireguard/keys
+	$SUDO mkdir -p /etc/wireguard/keys

 	# Generate private key and derive public key from it
 	wg genkey | $SUDO tee /etc/wireguard/keys/server_priv &> /dev/null
@ -1442,7 +1458,7 @@ confNetwork(){
 }

 confLogging() {
-  echo "if \$programname == 'ovpn-server' then /var/log/openvpn.log
+	echo "if \$programname == 'ovpn-server' then /var/log/openvpn.log
 if \$programname == 'ovpn-server' then stop" | $SUDO tee /etc/rsyslog.d/30-openvpn.conf > /dev/null

  echo "/var/log/openvpn.log
@ -1459,7 +1475,7 @@ if \$programname == 'ovpn-server' then stop" | $SUDO tee /etc/rsyslog.d/30-openv
 	endscript
 }" | $SUDO tee /etc/logrotate.d/openvpn > /dev/null

-  # Restart the logging service
+	# Restart the logging service
 	case ${PLAT} in
 		Debian|Raspbian)
 			$SUDO systemctl restart rsyslog.service || true
@ -1521,32 +1537,29 @@ askUnattendedUpgrades(){
 }

 confUnattendedUpgrades(){
-	if [ "$UNATTUPG" -eq 1 ]; then
-		PIVPN_DEPS=(unattended-upgrades)
-		installDependentPackages PIVPN_DEPS[@]
+	PIVPN_DEPS=(unattended-upgrades)
+	installDependentPackages PIVPN_DEPS[@]

-		cd /etc/apt/apt.conf.d
+	cd /etc/apt/apt.conf.d

-		if [ "$PLAT" = "Raspbian" ]; then
-			wget -qO- "$UNATTUPG_CONFIG" | $SUDO tar xz
-			$SUDO cp "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" 50unattended-upgrades
-			$SUDO rm -rf "unattended-upgrades-$UNATTUPG_RELEASE"
-		fi
-
-		# On architectures different from armv6l, where we install wireguard from source, enable
-		# automatic updates via the unstable repository
-		if [ "$VPN" = "wireguard" ] && [ "$(uname -m)" != "armv6l" ]; then
-			$SUDO sed -i '/Unattended-Upgrade::Origins-Pattern {/a"o=Debian,a=unstable";' 50unattended-upgrades
-		fi
-
-		# Add the remaining settings for all other distributions
-		echo "APT::Periodic::Enable \"1\";
-		APT::Periodic::Update-Package-Lists \"1\";
-		APT::Periodic::Download-Upgradeable-Packages \"1\";
-		APT::Periodic::Unattended-Upgrade \"1\";
-		APT::Periodic::AutocleanInterval \"7\";
-		APT::Periodic::Verbose \"0\";" | $SUDO tee 02periodic > /dev/null
+	if [ "$PLAT" = "Raspbian" ]; then
+		wget -qO- "$UNATTUPG_CONFIG" | $SUDO tar xz
+		$SUDO cp "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" 50unattended-upgrades
+		$SUDO rm -rf "unattended-upgrades-$UNATTUPG_RELEASE"
 	fi
+
+	# Enable automatic updates via the unstable repository when installing from debian package
+	if [ "$VPN" = "wireguard" ] && [ "$(uname -m)" != "armv6l" ]; then
+		$SUDO sed -i '/Unattended-Upgrade::Origins-Pattern {/a"o=Debian,a=unstable";' 50unattended-upgrades
+	fi
+
+	# Add the remaining settings for all other distributions
+	echo "APT::Periodic::Enable \"1\";
+	APT::Periodic::Update-Package-Lists \"1\";
+	APT::Periodic::Download-Upgradeable-Packages \"1\";
+	APT::Periodic::Unattended-Upgrade \"1\";
+	APT::Periodic::AutocleanInterval \"7\";
+	APT::Periodic::Verbose \"0\";" | $SUDO tee 02periodic > /dev/null
 }

 installScripts(){
@ -1704,11 +1717,15 @@ main(){

 	# Ask if unattended-upgrades will be enabled
 	askUnattendedUpgrades
-	confUnattendedUpgrades

+	if [ "$UNATTUPG" -eq 1 ]; then
+		confUnattendedUpgrades
+	fi
+
+	# Save installation setting to the final location
 	echo "TO_INSTALL=(${TO_INSTALL[*]})" >> /tmp/setupVars.conf
-
 	$SUDO cp /tmp/setupVars.conf "$setupVars"
+
 	installScripts

 	# Ensure that cached writes reach persistent storage
--- a/scripts/openvpn/makeOVPN.sh
+++ b/scripts/openvpn/makeOVPN.sh
@ -213,6 +213,7 @@ EOF
 #make sure ovpns dir exists
 if [ ! -d "$install_home/ovpns" ]; then
    mkdir "$install_home/ovpns"
+    chown "$install_user":"$install_user" "$install_home/ovpns"
    chmod 0750 "$install_home/ovpns"
 fi

@ -339,16 +340,10 @@ if [ "$iOS" = "1" ]; then
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "issued/${NAME}${CRT}"
    echo "</cert>"

-    #Finally, append the TA Private Key
-    if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then
-      echo "<tls-crypt>"
-      cat "${TA}"
-      echo "</tls-crypt>"
-    else
-      echo "<tls-auth>"
-      cat "${TA}"
-      echo "</tls-auth>"
-    fi
+    #Finally, append the tls Private Key
+    echo "<tls-auth>"
+    cat "${TA}"
+    echo "</tls-auth>"

 	} > "${NAME}${FILEEXT}"

@ -401,7 +396,7 @@ fi

 # Copy the .ovpn profile to the home directory for convenient remote access
 cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "$install_home/ovpns/$NAME$FILEEXT"
-chown "$install_user" "$install_home/ovpns/$NAME$FILEEXT"
+chown "$install_user":"$install_user" "$install_home/ovpns/$NAME$FILEEXT"
 chmod 640 "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT"
 chmod 640 "$install_home/ovpns/$NAME$FILEEXT"
 printf "\n\n"
--- a/scripts/openvpn/pivpnDebug.sh
+++ b/scripts/openvpn/pivpnDebug.sh
@ -205,7 +205,7 @@ echo -e "::::      \e[4mSnippet of the server log\e[0m      ::::"
 tail -20 /var/log/openvpn.log > /tmp/snippet

 # Regular expession taken from https://superuser.com/a/202835, it will match invalid IPs
-# like 123.456.789.012 but it's fine because the log only contains valid ones.
+# like 123.456.789.012 but it's fine since the log only contains valid ones.
 declare -a IPS_TO_HIDE=($(grepcidr -v 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 /tmp/snippet | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | uniq))
 for IP in "${IPS_TO_HIDE[@]}"; do
    sed -i "s/$IP/REDACTED/g" /tmp/snippet
--- a/scripts/uninstall.sh
+++ b/scripts/uninstall.sh
@ -67,6 +67,7 @@ removeAll(){
 		ufw delete allow "${pivpnPORT}"/"${pivpnPROTO}" > /dev/null
 		ufw route delete allow in on "${pivpnDEV}" from "${pivpnNET}/24" out on "${IPv4dev}" to any > /dev/null
 		sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s ${pivpnNET}\/24 -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
+		iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE
 		ufw reload &> /dev/null

 	elif [ "$USING_UFW" -eq 0 ]; then
@ -77,7 +78,7 @@ removeAll(){

 		if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
 			iptables -D FORWARD -d "${pivpnNET}/24" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-			iptables -D FORWARD -s "${pivpnNET}/24" -i "${pivpnDEV}/24" -o "${IPv4dev}" -j ACCEPT
+			iptables -D FORWARD -s "${pivpnNET}/24" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT
 		fi

 		iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE
@ -103,8 +104,6 @@ removeAll(){
 								rm /etc/apt/preferences.d/limit-unstable
 								$PKG_MANAGER update &> /dev/null
 							fi
-							rm -rf /etc/wireguard
-							rm -rf $install_home/configs

 						elif [ "${i}" = "wireguard-dkms" ]; then

@ -123,12 +122,6 @@ removeAll(){
 							# so we remove the repository keys
 							apt-key remove E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE &> /dev/null

-						elif [ "${i}" = "openvpn" ]; then
-
-							rm -rf /var/log/*openvpn*
-							rm -rf /etc/openvpn
-							rm -rf $install_home/ovpns
-
 						elif [ "${i}" = "unattended-upgrades" ]; then

 							rm -rf /var/log/unattended-upgrades
@ -158,7 +151,7 @@ removeAll(){
 	echo "::: Removing pivpn system files..."

 	if [ -f /etc/dnsmasq.d/02-pivpn.conf ]; then
-		rm /etc/dnsmasq.d/02-pivpn.conf
+		rm -f /etc/dnsmasq.d/02-pivpn.conf
 		pihole restartdns
 	fi

@ -166,8 +159,24 @@ removeAll(){
 	rm -rf /etc/.pivpn
 	rm -rf /etc/pivpn
 	rm -rf /var/log/*pivpn*
-	rm /usr/local/bin/pivpn
-	rm /etc/bash_completion.d/pivpn
+	rm -f /usr/local/bin/pivpn
+	rm -f /etc/bash_completion.d/pivpn
+
+	echo ":::"
+	echo "::: Removing VPN configuration files..."
+
+	if [ "$VPN" = "wireguard" ]; then
+		rm -f /etc/wireguard/wg0.conf
+		rm -rf /etc/wireguard/configs
+		rm -rf /etc/wireguard/keys
+		rm -rf $install_home/configs
+	elif [ "$VPN" = "openvpn" ]; then
+		rm -rf /var/log/*openvpn*
+		rm -f /etc/openvpn/server.conf
+		rm -f /etc/openvpn/crl.pem
+		rm -rf /etc/openvpn/easy-rsa
+		rm -rf $install_home/ovpns
+	fi

 	echo ":::"
 	printf "::: Finished removing PiVPN from your system.\n"
--- a/scripts/wireguard/pivpnDEBUG.sh
+++ b/scripts/wireguard/pivpnDEBUG.sh
@ -24,7 +24,7 @@ printf "=============================================\n"
 echo -e "::::  \e[4mServer configuration shown below\e[0m   ::::"
 cd /etc/wireguard/keys
 cp ../wg0.conf ../wg0.tmp
-# Replace every key in the server configuration with just it's file name
+# Replace every key in the server configuration with just its file name
 for k in *; do
    sed "s#$(cat "$k")#$k#" -i ../wg0.tmp
 done
--- a/unattended_openvpn_example.conf
+++ b/unattended_openvpn_example.conf
@ -0,0 +1,12 @@
+IPv4dev=eth0
+install_user=pi
+VPN=openvpn
+pivpnPROTO=udp
+pivpnPORT=1194
+pivpnDNS1=8.8.8.8
+pivpnDNS2=8.8.4.4
+pivpnHOST=pivpn.example.com
+pivpnENCRYPT=2048
+pivpnDOMAIN=domain.example.com
+DOWNLOAD_DH_PARAM=0
+UNATTUPG=1
--- a/unattended_wireguard_example.conf
+++ b/unattended_wireguard_example.conf
@ -0,0 +1,8 @@
+IPv4dev=eth0
+install_user=pi
+VPN=wireguard
+pivpnPORT=51820
+pivpnDNS1=8.8.8.8
+pivpnDNS2=8.8.4.4
+pivpnHOST=pivpn.example.com
+UNATTUPG=1