From d7ebb4cca99f10c8a707b3ecf5a0b531045d3de7 Mon Sep 17 00:00:00 2001
From: Orazio
Date: Sat, 16 Nov 2019 14:58:58 +0100
Subject: [PATCH] Unattended installation

---
 auto_install/install.sh | 101 +++++++++++++++++-------------
 scripts/openvpn/makeOVPN.sh | 17 ++---
 scripts/openvpn/pivpnDebug.sh | 2 +-
 scripts/uninstall.sh | 33 ++++++----
 scripts/wireguard/pivpnDEBUG.sh | 2 +-
 unattended_openvpn_example.conf | 12 ++++
 unattended_wireguard_example.conf | 8 +++
 7 files changed, 108 insertions(+), 67 deletions(-)
 create mode 100644 unattended_openvpn_example.conf
 create mode 100644 unattended_wireguard_example.conf

diff --git a/auto_install/install.sh b/auto_install/install.sh
index 827c599..5e5f80a 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -679,7 +679,7 @@ askWhichVPN(){
 fi
 fi
 else
- if (whiptail --backtitle "Setup PiVPN" --title "Installation mode" --yesno "WireGuard is a new kind of VPN that provides near-istantaneous connection speed, high performance, modern cryptography.\n\nIt's the recommended choise expecially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\n\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol. Or if you need features like TCP and custom search domain.\n\nChoose 'Yes' to use WireGuard of 'No' to use OpenVPN." ${r} ${c});
+ if (whiptail --backtitle "Setup PiVPN" --title "Installation mode" --yesno "WireGuard is a new kind of VPN that provides near-istantaneous connection speed, high performance, modern cryptography.\n\nIt's the recommended choise expecially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\n\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol. Or if you need features like TCP and custom search domain.\n\nChoose 'Yes' to use WireGuard or 'No' to use OpenVPN." ${r} ${c});
 then
 VPN="wireguard"
 else
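Review bot: The corrected prompt on the `+` line still carries three spelling errors that this commit leaves in place: `near-istantaneous`, `choise` and `expecially`. Since the string is shown to every user of the installer, fix them in the same edit: `near-instantaneous`, `choice`, `especially`. The rest of askWhichVPN lies outside the hunk.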
@@ -1075,7 +1075,7 @@ askCustomDomain(){ DomainSettingsCorrect=False - if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno "Would you like to add a custom search domain? \n (This is only for advanced users who have their own domain)\n" ${r} ${c}); then + if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno --defaultno "Would you like to add a custom search domain? \n (This is only for advanced users who have their own domain)\n" ${r} ${c}); then until [[ $DomainSettingsCorrect = True ]] do @@ -1217,16 +1217,27 @@ confOpenVPN(){ # Create a unique server name using the host name and UUID SERVER_NAME="${host_name}_${NEW_UUID}" + # Backup the openvpn folder + OPENVPN_BACKUP="openvpn_$(date +%Y-%m-%d-%H%M%S).tar.gz" + echo "::: Backing up the openvpn folder to /etc/${OPENVPN_BACKUP}" + $SUDO tar czf "/etc/${OPENVPN_BACKUP}" /etc/openvpn + + if [ -f /etc/openvpn/server.conf ]; then + $SUDO rm /etc/openvpn/server.conf + fi + # If easy-rsa exists, remove it if [[ -d /etc/openvpn/easy-rsa/ ]]; then $SUDO rm -rf /etc/openvpn/easy-rsa/ fi # Get easy-rsa - wget -qO- "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn && $SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa + wget -qO- "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn + $SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa # fix ownership $SUDO chown -R root:root /etc/openvpn/easy-rsa $SUDO mkdir /etc/openvpn/easy-rsa/pki + $SUDO chmod 700 /etc/openvpn/easy-rsa/pki cd /etc/openvpn/easy-rsa || exit @@ -1300,7 +1311,7 @@ set_var EASYRSA_KEY_SIZE ${pivpnENCRYPT}" | $SUDO tee vars >/dev/null $SUDO sed -i "s/proto udp/proto tcp/g" /etc/openvpn/server.conf fi - if [ -z "$pivpnDOMAIN" ]; then + if [ -n "$pivpnDOMAIN" ]; then $SUDO sed -i "0,/\(.*dhcp-option.*\)/s//\push \"dhcp-option DOMAIN ${pivpnDOMAIN}\" \n&/" /etc/openvpn/server.conf fi 
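Review bot: The backup written by `$SUDO tar czf "/etc/${OPENVPN_BACKUP}" /etc/openvpn` captures any existing easy-rsa PKI, but the archive is created with tar's default mode, so under a normal umask the copy of the CA and server keys inside it is readable by every local user, even though the same hunk tightens the live `pki` directory to mode 700 a few lines later. Restrict it right after creation: `$SUDO chmod 600 "/etc/${OPENVPN_BACKUP}"`. The confWireGuard hunk at @@ -1326 has the same gap for `/etc/${WIREGUARD_BACKUP}`, which holds `keys/server_priv`. Separately, dropping the `&&` between the `tar xz` and the `mv` of EasyRSA means the rename now runs even when the download failed, so the error surfaces later as a confusing `chown` or `mkdir` failure; `wget -qO- "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn || exit` keeps the original short-circuit. confOpenVPN continues outside the hunk.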
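Review bot: With the condition flipped to `-n`, the `push "dhcp-option DOMAIN ${pivpnDOMAIN}"` substitution at @@ -1300 now actually runs, and `pivpnDOMAIN` is interpolated into the sed script unescaped; in unattended mode it presumably comes straight from the user's config file (see `pivpnDOMAIN=domain.example.com` in the new unattended_openvpn_example.conf), so a value containing `/`, `&` or `\` breaks the expression or rewrites the wrong text in server.conf. Validate the value before use, e.g. `[[ "$pivpnDOMAIN" =~ ^[A-Za-z0-9.-]+$ ]] || exit 1`, or write the line with a sed `i` command instead of a substitution. Whether the interactive askCustomDomain path already checks this is outside the hunk.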
@@ -1326,30 +1337,35 @@ confOVPN(){ # verify server name to strengthen security $SUDO sed -i "s/SRVRNAME/${SERVER_NAME}/" /etc/openvpn/easy-rsa/pki/Default.txt - - if [ ! -d "$install_home/ovpns" ]; then - $SUDO mkdir "$install_home/ovpns" - fi - $SUDO chmod 0750 "$install_home/ovpns" - $SUDO chown $install_user:$install_user "$install_home/ovpns" } confWireGuard(){ if [ -d /etc/wireguard ]; then - $SUDO rm -r /etc/wireguard + # Backup the wireguard folder + WIREGUARD_BACKUP="wireguard_$(date +%Y-%m-%d-%H%M%S).tar.gz" + echo "::: Backing up the wireguard folder to /etc/${WIREGUARD_BACKUP}" + $SUDO tar czf "/etc/${WIREGUARD_BACKUP}" /etc/wireguard + + if [ -f /etc/wireguard/wg0.conf ]; then + $SUDO rm /etc/wireguard/wg0.conf + fi + else + # If compiled from source, the wireguard folder is not being created $SUDO mkdir /etc/wireguard - $SUDO chown root:root /etc/wireguard - $SUDO chmod 700 /etc/wireguard fi + # Ensure that only root is able to enter the wireguard folder + $SUDO chown root:root /etc/wireguard + $SUDO chmod 700 /etc/wireguard + if [ "${runUnattended}" = 'true' ]; then echo "::: The Server Keys and Pre-Shared key will now be generated." else whiptail --title "Server Information" --msgbox "The Server Keys and Pre-Shared key will now be generated." "${r}" "${c}" fi - $SUDO mkdir /etc/wireguard/configs + $SUDO mkdir -p /etc/wireguard/configs $SUDO touch /etc/wireguard/configs/clients.txt - $SUDO mkdir /etc/wireguard/keys + $SUDO mkdir -p /etc/wireguard/keys # Generate private key and derive public key from it wg genkey | $SUDO tee /etc/wireguard/keys/server_priv &> /dev/null @@ -1442,7 +1458,7 @@ confNetwork(){ } confLogging() { - echo "if \$programname == 'ovpn-server' then /var/log/openvpn.log + echo "if \$programname == 'ovpn-server' then /var/log/openvpn.log if \$programname == 'ovpn-server' then stop" | $SUDO tee /etc/rsyslog.d/30-openvpn.conf > /dev/null echo "/var/log/openvpn.log 
@@ -1459,7 +1475,7 @@ if \$programname == 'ovpn-server' then stop" | $SUDO tee /etc/rsyslog.d/30-openv endscript }" | $SUDO tee /etc/logrotate.d/openvpn > /dev/null - # Restart the logging service + # Restart the logging service case ${PLAT} in Debian|Raspbian) $SUDO systemctl restart rsyslog.service || true 
@@ -1521,32 +1537,29 @@ askUnattendedUpgrades(){ } confUnattendedUpgrades(){ - if [ "$UNATTUPG" -eq 1 ]; then - PIVPN_DEPS=(unattended-upgrades) - installDependentPackages PIVPN_DEPS[@] + PIVPN_DEPS=(unattended-upgrades) + installDependentPackages PIVPN_DEPS[@] - cd /etc/apt/apt.conf.d + cd /etc/apt/apt.conf.d - if [ "$PLAT" = "Raspbian" ]; then - wget -qO- "$UNATTUPG_CONFIG" | $SUDO tar xz - $SUDO cp "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" 50unattended-upgrades - $SUDO rm -rf "unattended-upgrades-$UNATTUPG_RELEASE" - fi - - # On architectures different from armv6l, where we install wireguard from source, enable - # automatic updates via the unstable repository - if [ "$VPN" = "wireguard" ] && [ "$(uname -m)" != "armv6l" ]; then - $SUDO sed -i '/Unattended-Upgrade::Origins-Pattern {/a"o=Debian,a=unstable";' 50unattended-upgrades - fi - - # Add the remaining settings for all other distributions - echo "APT::Periodic::Enable \"1\"; - APT::Periodic::Update-Package-Lists \"1\"; - APT::Periodic::Download-Upgradeable-Packages \"1\"; - APT::Periodic::Unattended-Upgrade \"1\"; - APT::Periodic::AutocleanInterval \"7\"; - APT::Periodic::Verbose \"0\";" | $SUDO tee 02periodic > /dev/null + if [ "$PLAT" = "Raspbian" ]; then + wget -qO- "$UNATTUPG_CONFIG" | $SUDO tar xz + $SUDO cp "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" 50unattended-upgrades + $SUDO rm -rf "unattended-upgrades-$UNATTUPG_RELEASE" fi + + # Enable automatic updates via the unstable repository when installing from debian package + if [ "$VPN" = "wireguard" ] && [ "$(uname -m)" != "armv6l" ]; then + $SUDO sed -i '/Unattended-Upgrade::Origins-Pattern {/a"o=Debian,a=unstable";' 50unattended-upgrades + fi + + # Add the remaining settings for all other distributions + echo "APT::Periodic::Enable \"1\"; + APT::Periodic::Update-Package-Lists \"1\"; + APT::Periodic::Download-Upgradeable-Packages \"1\"; + APT::Periodic::Unattended-Upgrade \"1\"; + 
APT::Periodic::AutocleanInterval \"7\"; + APT::Periodic::Verbose \"0\";" | $SUDO tee 02periodic > /dev/null } installScripts(){ @@ -1704,11 +1717,15 @@ main(){ # Ask if unattended-upgrades will be enabled askUnattendedUpgrades - confUnattendedUpgrades + if [ "$UNATTUPG" -eq 1 ]; then + confUnattendedUpgrades + fi + + # Save installation setting to the final location echo "TO_INSTALL=(${TO_INSTALL[*]})" >> /tmp/setupVars.conf - $SUDO cp /tmp/setupVars.conf "$setupVars" + installScripts # Ensure that cached writes reach persistent storage diff --git a/scripts/openvpn/makeOVPN.sh b/scripts/openvpn/makeOVPN.sh index d37769c..674732f 100755 --- a/scripts/openvpn/makeOVPN.sh +++ b/scripts/openvpn/makeOVPN.sh @@ -213,6 +213,7 @@ EOF #make sure ovpns dir exists if [ ! -d "$install_home/ovpns" ]; then mkdir "$install_home/ovpns" + chown "$install_user":"$install_user" "$install_home/ovpns" chmod 0750 "$install_home/ovpns" fi @@ -339,16 +340,10 @@ if [ "$iOS" = "1" ]; then sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "issued/${NAME}${CRT}" echo "" - #Finally, append the TA Private Key - if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then - echo "" - cat "${TA}" - echo "" - else - echo "" - cat "${TA}" - echo "" - fi + #Finally, append the tls Private Key + echo "" + cat "${TA}" + echo "" } > "${NAME}${FILEEXT}" @@ -401,7 +396,7 @@ fi # Copy the .ovpn profile to the home directory for convenient remote access cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "$install_home/ovpns/$NAME$FILEEXT" -chown "$install_user" "$install_home/ovpns/$NAME$FILEEXT" +chown "$install_user":"$install_user" "$install_home/ovpns/$NAME$FILEEXT" chmod 640 "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" chmod 640 "$install_home/ovpns/$NAME$FILEEXT" printf "\n\n" diff --git a/scripts/openvpn/pivpnDebug.sh b/scripts/openvpn/pivpnDebug.sh index 348e7de..a205ba0 100755 --- a/scripts/openvpn/pivpnDebug.sh +++ b/scripts/openvpn/pivpnDebug.sh 
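Review bot: `cd /etc/apt/apt.conf.d` on the dedented new side has no failure guard, so if the directory is missing the following `tar xz`, `cp` and `tee 02periodic` all land in whatever the current directory happens to be, and the `sed -i` on `50unattended-upgrades` then fails or edits an unrelated file. confOpenVPN in this same patch uses `cd /etc/openvpn/easy-rsa || exit`, so match it with `cd /etc/apt/apt.conf.d || exit`. The `wget -qO- "$UNATTUPG_CONFIG" | $SUDO tar xz` line also extracts an unverified download as root into the apt configuration directory; checking the release tarball against a pinned checksum before extraction would be a worthwhile follow-up.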
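Review bot: The new comment `# Save installation setting to the final location` sits above `echo "TO_INSTALL=(${TO_INSTALL[*]})" >> /tmp/setupVars.conf`, but the line that actually did that, `$SUDO cp /tmp/setupVars.conf "$setupVars"`, is removed in this hunk; unless the copy has moved into installScripts or elsewhere outside the hunk, setupVars.conf is now only ever written under /tmp, and either way the comment describes a line that is no longer there. Move the comment to wherever the copy now happens, or reword it to `# Record the chosen packages in the temporary setupVars`. The new `[ "$UNATTUPG" -eq 1 ]` test also aborts with an integer-expression error if UNATTUPG is empty, which an unattended config that omits the key would produce; `[ "${UNATTUPG:-0}" -eq 1 ]` keeps the default of not installing. main continues outside the hunk.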
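Review bot: In the makeOVPN.sh hunk at @@ -213 the directory is created by `mkdir` with the default umask and only then tightened by the added `chown` and the existing `chmod 0750`, leaving a short window in which `$install_home/ovpns` is readable by other users. `install -d -m 0750 -o "$install_user" -g "$install_user" "$install_home/ovpns"` does all three in one step and can replace the three lines inside the `if`.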
@@ -205,7 +205,7 @@ echo -e ":::: \e[4mSnippet of the server log\e[0m ::::" tail -20 /var/log/openvpn.log > /tmp/snippet # Regular expession taken from https://superuser.com/a/202835, it will match invalid IPs -# like 123.456.789.012 but it's fine because the log only contains valid ones. +# like 123.456.789.012 but it's fine since the log only contains valid ones. declare -a IPS_TO_HIDE=($(grepcidr -v 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 /tmp/snippet | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | uniq)) for IP in "${IPS_TO_HIDE[@]}"; do sed -i "s/$IP/REDACTED/g" /tmp/snippet diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index 1381192..646de20 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -67,6 +67,7 @@ removeAll(){ ufw delete allow "${pivpnPORT}"/"${pivpnPROTO}" > /dev/null ufw route delete allow in on "${pivpnDEV}" from "${pivpnNET}/24" out on "${IPv4dev}" to any > /dev/null sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s ${pivpnNET}\/24 -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules + iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE ufw reload &> /dev/null elif [ "$USING_UFW" -eq 0 ]; then @@ -77,7 +78,7 @@ removeAll(){ if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then iptables -D FORWARD -d "${pivpnNET}/24" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -D FORWARD -s "${pivpnNET}/24" -i "${pivpnDEV}/24" -o "${IPv4dev}" -j ACCEPT + iptables -D FORWARD -s "${pivpnNET}/24" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT fi iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE @@ -103,8 +104,6 @@ removeAll(){ rm /etc/apt/preferences.d/limit-unstable $PKG_MANAGER update &> /dev/null fi - rm -rf /etc/wireguard - rm -rf $install_home/configs elif [ "${i}" = "wireguard-dkms" ]; then 
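Review bot: The `iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE` added to the ufw branch of removeAll at @@ -67 is the only line in that block whose failure is not silenced, and `-D` fails whenever the rule is already gone (a second run of the uninstaller, or the rule having been dropped before this point); if removeAll runs under `set -e`, that stops the script before `ufw reload`. Either check first, `iptables -t nat -C POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE 2>/dev/null && iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE`, or append `|| true` with a comment stating that absence of the rule is expected. removeAll continues outside the hunk.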
@@ -123,12 +122,6 @@ removeAll(){ # so we remove the repository keys apt-key remove E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE &> /dev/null - elif [ "${i}" = "openvpn" ]; then - - rm -rf /var/log/*openvpn* - rm -rf /etc/openvpn - rm -rf $install_home/ovpns - elif [ "${i}" = "unattended-upgrades" ]; then rm -rf /var/log/unattended-upgrades @@ -158,7 +151,7 @@ removeAll(){ echo "::: Removing pivpn system files..." if [ -f /etc/dnsmasq.d/02-pivpn.conf ]; then - rm /etc/dnsmasq.d/02-pivpn.conf + rm -f /etc/dnsmasq.d/02-pivpn.conf pihole restartdns fi @@ -166,8 +159,24 @@ removeAll(){ rm -rf /etc/.pivpn rm -rf /etc/pivpn rm -rf /var/log/*pivpn* - rm /usr/local/bin/pivpn - rm /etc/bash_completion.d/pivpn + rm -f /usr/local/bin/pivpn + rm -f /etc/bash_completion.d/pivpn + + echo ":::" + echo "::: Removing VPN configuration files..." + + if [ "$VPN" = "wireguard" ]; then + rm -f /etc/wireguard/wg0.conf + rm -rf /etc/wireguard/configs + rm -rf /etc/wireguard/keys + rm -rf $install_home/configs + elif [ "$VPN" = "openvpn" ]; then + rm -rf /var/log/*openvpn* + rm -f /etc/openvpn/server.conf + rm -f /etc/openvpn/crl.pem + rm -rf /etc/openvpn/easy-rsa + rm -rf $install_home/ovpns + fi echo ":::" printf "::: Finished removing PiVPN from your system.\n" diff --git a/scripts/wireguard/pivpnDEBUG.sh b/scripts/wireguard/pivpnDEBUG.sh index bdd7f3e..b7c0311 100755 --- a/scripts/wireguard/pivpnDEBUG.sh +++ b/scripts/wireguard/pivpnDEBUG.sh @@ -24,7 +24,7 @@ printf "=============================================\n" echo -e ":::: \e[4mServer configuration shown below\e[0m ::::" cd /etc/wireguard/keys cp ../wg0.conf ../wg0.tmp -# Replace every key in the server configuration with just it's file name +# Replace every key in the server configuration with just its file name for k in *; do sed "s#$(cat "$k")#$k#" -i ../wg0.tmp done diff --git a/unattended_openvpn_example.conf b/unattended_openvpn_example.conf new file mode 100644 index 0000000..6f96a74 
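Review bot: In the new "Removing VPN configuration files" block at @@ -166, `rm -rf $install_home/configs` and `rm -rf $install_home/ovpns` expand an unquoted variable read from setupVars; if install_home is empty or unset they become `rm -rf /configs` and `rm -rf /ovpns`, and a value containing spaces removes the wrong paths. Quote and guard them: `rm -rf -- "${install_home:?}/configs"` and `rm -rf -- "${install_home:?}/ovpns"`. The installer in this same patch also writes `/etc/openvpn_<date>.tar.gz` and `/etc/wireguard_<date>.tar.gz` backups holding the previous private keys, and nothing in this block removes them, so that key material outlives the uninstall unless it is handled elsewhere; a `rm -f /etc/openvpn_*.tar.gz` or `rm -f /etc/wireguard_*.tar.gz` in the matching branch would close that. If VPN is unset neither branch runs and the files stay silently; an `else` that prints a warning would make that visible. removeAll continues outside the hunk.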
--- /dev/null
+++ b/unattended_openvpn_example.conf
@@ -0,0 +1,12 @@
+IPv4dev=eth0
+install_user=pi
+VPN=openvpn
+pivpnPROTO=udp
+pivpnPORT=1194
+pivpnDNS1=8.8.8.8
+pivpnDNS2=8.8.4.4
+pivpnHOST=pivpn.example.com
+pivpnENCRYPT=2048
+pivpnDOMAIN=domain.example.com
+DOWNLOAD_DH_PARAM=0
+UNATTUPG=1
diff --git a/unattended_wireguard_example.conf b/unattended_wireguard_example.conf
new file mode 100644
index 0000000..4ed1752
--- /dev/null
+++ b/unattended_wireguard_example.conf
@@ -0,0 +1,8 @@
+IPv4dev=eth0
+install_user=pi
+VPN=wireguard
+pivpnPORT=51820
+pivpnDNS1=8.8.8.8
+pivpnDNS2=8.8.4.4
+pivpnHOST=pivpn.example.com
+UNATTUPG=1
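Review bot: Neither example file says which keys are mandatory, which are optional, or what values each accepts, so anyone copying one has to read install.sh to find out. Assuming the installer reads these files with the shell, a `#` header comment per file listing the required keys and the accepted values (and noting that `pivpnDOMAIN` is interpolated into a sed expression by confOpenVPN, so only hostname characters are safe) would make the unattended path usable without the source. The unattended_wireguard_example.conf hunk has the same gap.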