Unattended installation

Orazio 2019-11-16 14:58:58 +01:00
parent 5cb8a05317
commit d7ebb4cca9
7 changed files with 108 additions and 67 deletions


@ -679,7 +679,7 @@ askWhichVPN(){
fi fi
fi fi
else else
if (whiptail --backtitle "Setup PiVPN" --title "Installation mode" --yesno "WireGuard is a new kind of VPN that provides near-istantaneous connection speed, high performance, modern cryptography.\n\nIt's the recommended choise expecially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\n\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol. Or if you need features like TCP and custom search domain.\n\nChoose 'Yes' to use WireGuard of 'No' to use OpenVPN." ${r} ${c}); if (whiptail --backtitle "Setup PiVPN" --title "Installation mode" --yesno "WireGuard is a new kind of VPN that provides near-istantaneous connection speed, high performance, modern cryptography.\n\nIt's the recommended choise expecially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\n\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol. Or if you need features like TCP and custom search domain.\n\nChoose 'Yes' to use WireGuard or 'No' to use OpenVPN." ${r} ${c});
then then
VPN="wireguard" VPN="wireguard"
else else
@ -1075,7 +1075,7 @@ askCustomDomain(){
DomainSettingsCorrect=False DomainSettingsCorrect=False
if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno "Would you like to add a custom search domain? \n (This is only for advanced users who have their own domain)\n" ${r} ${c}); then if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno --defaultno "Would you like to add a custom search domain? \n (This is only for advanced users who have their own domain)\n" ${r} ${c}); then
until [[ $DomainSettingsCorrect = True ]] until [[ $DomainSettingsCorrect = True ]]
do do
@ -1217,16 +1217,27 @@ confOpenVPN(){
# Create a unique server name using the host name and UUID # Create a unique server name using the host name and UUID
SERVER_NAME="${host_name}_${NEW_UUID}" SERVER_NAME="${host_name}_${NEW_UUID}"
# Backup the openvpn folder
OPENVPN_BACKUP="openvpn_$(date +%Y-%m-%d-%H%M%S).tar.gz"
echo "::: Backing up the openvpn folder to /etc/${OPENVPN_BACKUP}"
$SUDO tar czf "/etc/${OPENVPN_BACKUP}" /etc/openvpn
if [ -f /etc/openvpn/server.conf ]; then
$SUDO rm /etc/openvpn/server.conf
fi
# If easy-rsa exists, remove it # If easy-rsa exists, remove it
if [[ -d /etc/openvpn/easy-rsa/ ]]; then if [[ -d /etc/openvpn/easy-rsa/ ]]; then
$SUDO rm -rf /etc/openvpn/easy-rsa/ $SUDO rm -rf /etc/openvpn/easy-rsa/
fi fi
# Get easy-rsa # Get easy-rsa
wget -qO- "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn && $SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa wget -qO- "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn
$SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa
# fix ownership # fix ownership
$SUDO chown -R root:root /etc/openvpn/easy-rsa $SUDO chown -R root:root /etc/openvpn/easy-rsa
$SUDO mkdir /etc/openvpn/easy-rsa/pki $SUDO mkdir /etc/openvpn/easy-rsa/pki
$SUDO chmod 700 /etc/openvpn/easy-rsa/pki
cd /etc/openvpn/easy-rsa || exit cd /etc/openvpn/easy-rsa || exit
@ -1300,7 +1311,7 @@ set_var EASYRSA_KEY_SIZE ${pivpnENCRYPT}" | $SUDO tee vars >/dev/null
$SUDO sed -i "s/proto udp/proto tcp/g" /etc/openvpn/server.conf $SUDO sed -i "s/proto udp/proto tcp/g" /etc/openvpn/server.conf
fi fi
if [ -z "$pivpnDOMAIN" ]; then if [ -n "$pivpnDOMAIN" ]; then
$SUDO sed -i "0,/\(.*dhcp-option.*\)/s//\push \"dhcp-option DOMAIN ${pivpnDOMAIN}\" \n&/" /etc/openvpn/server.conf $SUDO sed -i "0,/\(.*dhcp-option.*\)/s//\push \"dhcp-option DOMAIN ${pivpnDOMAIN}\" \n&/" /etc/openvpn/server.conf
fi fi
@ -1326,30 +1337,35 @@ confOVPN(){
# verify server name to strengthen security # verify server name to strengthen security
$SUDO sed -i "s/SRVRNAME/${SERVER_NAME}/" /etc/openvpn/easy-rsa/pki/Default.txt $SUDO sed -i "s/SRVRNAME/${SERVER_NAME}/" /etc/openvpn/easy-rsa/pki/Default.txt
if [ ! -d "$install_home/ovpns" ]; then
$SUDO mkdir "$install_home/ovpns"
fi
$SUDO chmod 0750 "$install_home/ovpns"
$SUDO chown $install_user:$install_user "$install_home/ovpns"
} }
confWireGuard(){ confWireGuard(){
if [ -d /etc/wireguard ]; then if [ -d /etc/wireguard ]; then
$SUDO rm -r /etc/wireguard # Backup the wireguard folder
WIREGUARD_BACKUP="wireguard_$(date +%Y-%m-%d-%H%M%S).tar.gz"
echo "::: Backing up the wireguard folder to /etc/${WIREGUARD_BACKUP}"
$SUDO tar czf "/etc/${WIREGUARD_BACKUP}" /etc/wireguard
if [ -f /etc/wireguard/wg0.conf ]; then
$SUDO rm /etc/wireguard/wg0.conf
fi
else
# If compiled from source, the wireguard folder is not being created
$SUDO mkdir /etc/wireguard $SUDO mkdir /etc/wireguard
$SUDO chown root:root /etc/wireguard
$SUDO chmod 700 /etc/wireguard
fi fi
# Ensure that only root is able to enter the wireguard folder
$SUDO chown root:root /etc/wireguard
$SUDO chmod 700 /etc/wireguard
if [ "${runUnattended}" = 'true' ]; then if [ "${runUnattended}" = 'true' ]; then
echo "::: The Server Keys and Pre-Shared key will now be generated." echo "::: The Server Keys and Pre-Shared key will now be generated."
else else
whiptail --title "Server Information" --msgbox "The Server Keys and Pre-Shared key will now be generated." "${r}" "${c}" whiptail --title "Server Information" --msgbox "The Server Keys and Pre-Shared key will now be generated." "${r}" "${c}"
fi fi
$SUDO mkdir /etc/wireguard/configs $SUDO mkdir -p /etc/wireguard/configs
$SUDO touch /etc/wireguard/configs/clients.txt $SUDO touch /etc/wireguard/configs/clients.txt
$SUDO mkdir /etc/wireguard/keys $SUDO mkdir -p /etc/wireguard/keys
# Generate private key and derive public key from it # Generate private key and derive public key from it
wg genkey | $SUDO tee /etc/wireguard/keys/server_priv &> /dev/null wg genkey | $SUDO tee /etc/wireguard/keys/server_priv &> /dev/null
@ -1442,7 +1458,7 @@ confNetwork(){
} }
confLogging() { confLogging() {
echo "if \$programname == 'ovpn-server' then /var/log/openvpn.log echo "if \$programname == 'ovpn-server' then /var/log/openvpn.log
if \$programname == 'ovpn-server' then stop" | $SUDO tee /etc/rsyslog.d/30-openvpn.conf > /dev/null if \$programname == 'ovpn-server' then stop" | $SUDO tee /etc/rsyslog.d/30-openvpn.conf > /dev/null
echo "/var/log/openvpn.log echo "/var/log/openvpn.log
@ -1459,7 +1475,7 @@ if \$programname == 'ovpn-server' then stop" | $SUDO tee /etc/rsyslog.d/30-openv
endscript endscript
}" | $SUDO tee /etc/logrotate.d/openvpn > /dev/null }" | $SUDO tee /etc/logrotate.d/openvpn > /dev/null
# Restart the logging service # Restart the logging service
case ${PLAT} in case ${PLAT} in
Debian|Raspbian) Debian|Raspbian)
$SUDO systemctl restart rsyslog.service || true $SUDO systemctl restart rsyslog.service || true
@ -1521,32 +1537,29 @@ askUnattendedUpgrades(){
} }
confUnattendedUpgrades(){ confUnattendedUpgrades(){
if [ "$UNATTUPG" -eq 1 ]; then PIVPN_DEPS=(unattended-upgrades)
PIVPN_DEPS=(unattended-upgrades) installDependentPackages PIVPN_DEPS[@]
installDependentPackages PIVPN_DEPS[@]
cd /etc/apt/apt.conf.d cd /etc/apt/apt.conf.d
if [ "$PLAT" = "Raspbian" ]; then if [ "$PLAT" = "Raspbian" ]; then
wget -qO- "$UNATTUPG_CONFIG" | $SUDO tar xz wget -qO- "$UNATTUPG_CONFIG" | $SUDO tar xz
$SUDO cp "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" 50unattended-upgrades $SUDO cp "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" 50unattended-upgrades
$SUDO rm -rf "unattended-upgrades-$UNATTUPG_RELEASE" $SUDO rm -rf "unattended-upgrades-$UNATTUPG_RELEASE"
fi
# On architectures different from armv6l, where we install wireguard from source, enable
# automatic updates via the unstable repository
if [ "$VPN" = "wireguard" ] && [ "$(uname -m)" != "armv6l" ]; then
$SUDO sed -i '/Unattended-Upgrade::Origins-Pattern {/a"o=Debian,a=unstable";' 50unattended-upgrades
fi
# Add the remaining settings for all other distributions
echo "APT::Periodic::Enable \"1\";
APT::Periodic::Update-Package-Lists \"1\";
APT::Periodic::Download-Upgradeable-Packages \"1\";
APT::Periodic::Unattended-Upgrade \"1\";
APT::Periodic::AutocleanInterval \"7\";
APT::Periodic::Verbose \"0\";" | $SUDO tee 02periodic > /dev/null
fi fi
# Enable automatic updates via the unstable repository when installing from debian package
if [ "$VPN" = "wireguard" ] && [ "$(uname -m)" != "armv6l" ]; then
$SUDO sed -i '/Unattended-Upgrade::Origins-Pattern {/a"o=Debian,a=unstable";' 50unattended-upgrades
fi
# Add the remaining settings for all other distributions
echo "APT::Periodic::Enable \"1\";
APT::Periodic::Update-Package-Lists \"1\";
APT::Periodic::Download-Upgradeable-Packages \"1\";
APT::Periodic::Unattended-Upgrade \"1\";
APT::Periodic::AutocleanInterval \"7\";
APT::Periodic::Verbose \"0\";" | $SUDO tee 02periodic > /dev/null
} }
installScripts(){ installScripts(){
@ -1704,11 +1717,15 @@ main(){
# Ask if unattended-upgrades will be enabled # Ask if unattended-upgrades will be enabled
askUnattendedUpgrades askUnattendedUpgrades
confUnattendedUpgrades
if [ "$UNATTUPG" -eq 1 ]; then
confUnattendedUpgrades
fi
# Save installation setting to the final location
echo "TO_INSTALL=(${TO_INSTALL[*]})" >> /tmp/setupVars.conf echo "TO_INSTALL=(${TO_INSTALL[*]})" >> /tmp/setupVars.conf
$SUDO cp /tmp/setupVars.conf "$setupVars" $SUDO cp /tmp/setupVars.conf "$setupVars"
installScripts installScripts
# Ensure that cached writes reach persistent storage # Ensure that cached writes reach persistent storage
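Review bot: The backup archives created at the top of confOpenVPN and confWireGuard (`$SUDO tar czf "/etc/${OPENVPN_BACKUP}" /etc/openvpn` and the matching wireguard line) bundle the easy-rsa PKI, the server keys and the WireGuard private keys/PSKs from /etc/wireguard/keys, yet the tarball gets whatever mode root's umask yields — commonly 0644, i.e. readable by every local user — so the backup is weaker than the 700 directory it copies. Add `$SUDO chmod 600 "/etc/${OPENVPN_BACKUP}"` and `$SUDO chmod 600 "/etc/${WIREGUARD_BACKUP}"` directly after the respective tar calls (or run tar under `umask 077`). Separately, splitting the easy-rsa fetch into `wget -qO- "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn` and a standalone `$SUDO mv` dropped the `&&` that gated the move on a successful extraction; a failed or truncated download now surfaces as a confusing mv error instead of stopping there, so restore the `&&` or check `${PIPESTATUS[1]}` before the mv. confOpenVPN, confWireGuard, confUnattendedUpgrades and main all continue outside the hunks shown.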


@ -213,6 +213,7 @@ EOF
#make sure ovpns dir exists #make sure ovpns dir exists
if [ ! -d "$install_home/ovpns" ]; then if [ ! -d "$install_home/ovpns" ]; then
mkdir "$install_home/ovpns" mkdir "$install_home/ovpns"
chown "$install_user":"$install_user" "$install_home/ovpns"
chmod 0750 "$install_home/ovpns" chmod 0750 "$install_home/ovpns"
fi fi
@ -339,16 +340,10 @@ if [ "$iOS" = "1" ]; then
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "issued/${NAME}${CRT}" sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "issued/${NAME}${CRT}"
echo "</cert>" echo "</cert>"
#Finally, append the TA Private Key #Finally, append the tls Private Key
if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then echo "<tls-auth>"
echo "<tls-crypt>" cat "${TA}"
cat "${TA}" echo "</tls-auth>"
echo "</tls-crypt>"
else
echo "<tls-auth>"
cat "${TA}"
echo "</tls-auth>"
fi
} > "${NAME}${FILEEXT}" } > "${NAME}${FILEEXT}"
@ -401,7 +396,7 @@ fi
# Copy the .ovpn profile to the home directory for convenient remote access # Copy the .ovpn profile to the home directory for convenient remote access
cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "$install_home/ovpns/$NAME$FILEEXT" cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "$install_home/ovpns/$NAME$FILEEXT"
chown "$install_user" "$install_home/ovpns/$NAME$FILEEXT" chown "$install_user":"$install_user" "$install_home/ovpns/$NAME$FILEEXT"
chmod 640 "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" chmod 640 "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT"
chmod 640 "$install_home/ovpns/$NAME$FILEEXT" chmod 640 "$install_home/ovpns/$NAME$FILEEXT"
printf "\n\n" printf "\n\n"
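Review bot: The rewritten tail of the profile writer now emits `<tls-auth>` unconditionally, where the removed branch emitted `<tls-crypt>` when /etc/pivpn/TWO_POINT_FOUR existed; if the server.conf written by the installer (outside this diff) still carries a `tls-crypt` directive the generated .ovpn no longer matches it and the handshake fails, and if the server was switched to `tls-auth` as well, the control channel loses the encryption that tls-crypt adds on top of HMAC authentication — confirm the server side matches and consider keeping tls-crypt where OpenVPN 2.4+ is available. The new comment `#Finally, append the tls Private Key` is also misleading, since ta.key is a shared static key rather than a private key; `# Finally, inline the shared tls-auth static key (ta.key)` describes it accurately. The brace group redirected into `"${NAME}${FILEEXT}"` starts before this hunk.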


@ -205,7 +205,7 @@ echo -e ":::: \e[4mSnippet of the server log\e[0m ::::"
tail -20 /var/log/openvpn.log > /tmp/snippet tail -20 /var/log/openvpn.log > /tmp/snippet
# Regular expession taken from https://superuser.com/a/202835, it will match invalid IPs # Regular expession taken from https://superuser.com/a/202835, it will match invalid IPs
# like 123.456.789.012 but it's fine because the log only contains valid ones. # like 123.456.789.012 but it's fine since the log only contains valid ones.
declare -a IPS_TO_HIDE=($(grepcidr -v 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 /tmp/snippet | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | uniq)) declare -a IPS_TO_HIDE=($(grepcidr -v 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 /tmp/snippet | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | uniq))
for IP in "${IPS_TO_HIDE[@]}"; do for IP in "${IPS_TO_HIDE[@]}"; do
sed -i "s/$IP/REDACTED/g" /tmp/snippet sed -i "s/$IP/REDACTED/g" /tmp/snippet


@ -67,6 +67,7 @@ removeAll(){
ufw delete allow "${pivpnPORT}"/"${pivpnPROTO}" > /dev/null ufw delete allow "${pivpnPORT}"/"${pivpnPROTO}" > /dev/null
ufw route delete allow in on "${pivpnDEV}" from "${pivpnNET}/24" out on "${IPv4dev}" to any > /dev/null ufw route delete allow in on "${pivpnDEV}" from "${pivpnNET}/24" out on "${IPv4dev}" to any > /dev/null
sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s ${pivpnNET}\/24 -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s ${pivpnNET}\/24 -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE
ufw reload &> /dev/null ufw reload &> /dev/null
elif [ "$USING_UFW" -eq 0 ]; then elif [ "$USING_UFW" -eq 0 ]; then
@ -77,7 +78,7 @@ removeAll(){
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
iptables -D FORWARD -d "${pivpnNET}/24" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -D FORWARD -d "${pivpnNET}/24" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -D FORWARD -s "${pivpnNET}/24" -i "${pivpnDEV}/24" -o "${IPv4dev}" -j ACCEPT iptables -D FORWARD -s "${pivpnNET}/24" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT
fi fi
iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE
@ -103,8 +104,6 @@ removeAll(){
rm /etc/apt/preferences.d/limit-unstable rm /etc/apt/preferences.d/limit-unstable
$PKG_MANAGER update &> /dev/null $PKG_MANAGER update &> /dev/null
fi fi
rm -rf /etc/wireguard
rm -rf $install_home/configs
elif [ "${i}" = "wireguard-dkms" ]; then elif [ "${i}" = "wireguard-dkms" ]; then
@ -123,12 +122,6 @@ removeAll(){
# so we remove the repository keys # so we remove the repository keys
apt-key remove E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE &> /dev/null apt-key remove E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE &> /dev/null
elif [ "${i}" = "openvpn" ]; then
rm -rf /var/log/*openvpn*
rm -rf /etc/openvpn
rm -rf $install_home/ovpns
elif [ "${i}" = "unattended-upgrades" ]; then elif [ "${i}" = "unattended-upgrades" ]; then
rm -rf /var/log/unattended-upgrades rm -rf /var/log/unattended-upgrades
@ -158,7 +151,7 @@ removeAll(){
echo "::: Removing pivpn system files..." echo "::: Removing pivpn system files..."
if [ -f /etc/dnsmasq.d/02-pivpn.conf ]; then if [ -f /etc/dnsmasq.d/02-pivpn.conf ]; then
rm /etc/dnsmasq.d/02-pivpn.conf rm -f /etc/dnsmasq.d/02-pivpn.conf
pihole restartdns pihole restartdns
fi fi
@ -166,8 +159,24 @@ removeAll(){
rm -rf /etc/.pivpn rm -rf /etc/.pivpn
rm -rf /etc/pivpn rm -rf /etc/pivpn
rm -rf /var/log/*pivpn* rm -rf /var/log/*pivpn*
rm /usr/local/bin/pivpn rm -f /usr/local/bin/pivpn
rm /etc/bash_completion.d/pivpn rm -f /etc/bash_completion.d/pivpn
echo ":::"
echo "::: Removing VPN configuration files..."
if [ "$VPN" = "wireguard" ]; then
rm -f /etc/wireguard/wg0.conf
rm -rf /etc/wireguard/configs
rm -rf /etc/wireguard/keys
rm -rf $install_home/configs
elif [ "$VPN" = "openvpn" ]; then
rm -rf /var/log/*openvpn*
rm -f /etc/openvpn/server.conf
rm -f /etc/openvpn/crl.pem
rm -rf /etc/openvpn/easy-rsa
rm -rf $install_home/ovpns
fi
echo ":::" echo ":::"
printf "::: Finished removing PiVPN from your system.\n" printf "::: Finished removing PiVPN from your system.\n"
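Review bot: The new VPN-configuration cleanup removes `$install_home/configs` and `$install_home/ovpns` through an unquoted, unguarded expansion; if the saved setup variables were not sourced or `install_home` is empty, `rm -rf` runs against `/configs` and `/ovpns`, and a home path containing spaces splits into several targets. Use `rm -rf -- "${install_home:?}/configs"` and `rm -rf -- "${install_home:?}/ovpns"` so an unset value aborts instead of deleting relative to the root. The same block branches on `$VPN`, which presumably comes from the same saved variables — if that value is missing neither branch runs and the key material under /etc/wireguard/keys or /etc/openvpn/easy-rsa is silently left behind, so an `else` that echoes the unknown VPN type would make the gap visible. removeAll continues outside the hunks shown.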


@ -24,7 +24,7 @@ printf "=============================================\n"
echo -e ":::: \e[4mServer configuration shown below\e[0m ::::" echo -e ":::: \e[4mServer configuration shown below\e[0m ::::"
cd /etc/wireguard/keys cd /etc/wireguard/keys
cp ../wg0.conf ../wg0.tmp cp ../wg0.conf ../wg0.tmp
# Replace every key in the server configuration with just it's file name # Replace every key in the server configuration with just its file name
for k in *; do for k in *; do
sed "s#$(cat "$k")#$k#" -i ../wg0.tmp sed "s#$(cat "$k")#$k#" -i ../wg0.tmp
done done


@ -0,0 +1,12 @@
IPv4dev=eth0
install_user=pi
VPN=openvpn
pivpnPROTO=udp
pivpnPORT=1194
pivpnDNS1=8.8.8.8
pivpnDNS2=8.8.4.4
pivpnHOST=pivpn.example.com
pivpnENCRYPT=2048
pivpnDOMAIN=domain.example.com
DOWNLOAD_DH_PARAM=0
UNATTUPG=1


@ -0,0 +1,8 @@
IPv4dev=eth0
install_user=pi
VPN=wireguard
pivpnPORT=51820
pivpnDNS1=8.8.8.8
pivpnDNS2=8.8.4.4
pivpnHOST=pivpn.example.com
UNATTUPG=1