From deee38b20ef76291e912acab710e1257e90c3af2 Mon Sep 17 00:00:00 2001 From: Orazio Date: Fri, 24 Jan 2020 17:12:36 +0100 Subject: [PATCH] More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code - Add curl as a dependency for those who run the script without 'curl URL | bash'. - Use POSIX 'command -v' instead of 'hash'. - Check if packages have actually been installed and abort execution if they have not. - Fixed issue with getStaticIPv4Settings() that prevented existing network settings to be used as static IP settings when running the script unattended with empty $IPv4addr and $IPv4gw variables. - Exit if processing wireguard-linux-compat fails. - Exit if 50unattended-upgrades fails to extract. - Exit clientSTAT.sh if the wg0 interface is not available. - Moved the Self Check to a single script since dedicated versions were very similar. - Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel. --- auto_install/install.sh | 119 +++++++++++++-------- scripts/backup.sh | 13 ++- scripts/openvpn/makeOVPN.sh | 2 +- scripts/openvpn/pivpnDebug.sh | 156 +-------------------------- scripts/self_check.sh | 170 ++++++++++++++++++++++++++++++ scripts/uninstall.sh | 2 +- scripts/update.sh | 25 +++-- scripts/wireguard/bash-completion | 4 +- scripts/wireguard/clientSTAT.sh | 6 +- scripts/wireguard/makeCONF.sh | 14 +-- scripts/wireguard/pivpn | 9 +- scripts/wireguard/pivpnDEBUG.sh | 156 +-------------------------- scripts/wireguard/removeCONF.sh | 14 +-- scripts/wireguard/wgUPDATE.sh | 132 +++++++++++++++++++++++ unattended_openvpn_example.conf | 2 + unattended_wireguard_example.conf | 2 + 16 files changed, 444 insertions(+), 382 deletions(-) create mode 100755 scripts/self_check.sh create mode 100755 scripts/wireguard/wgUPDATE.sh diff --git a/auto_install/install.sh b/auto_install/install.sh index da79685..e4817c4 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
@@ -24,12 +24,12 @@ PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install" PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true" # Dependencies that are required by the script, regardless of the VPN protocol chosen -BASE_DEPS=(git tar wget grep dnsutils whiptail net-tools bsdmainutils) +BASE_DEPS=(git tar wget curl grep dnsutils whiptail net-tools bsdmainutils) # Dependencies that where actually installed by the script. For example if the script requires # grep and dnsutils but dnsutils is already installed, we save grep here. This way when uninstalling # PiVPN we won't prompt to remove packages that may have been installed by the user for other reasons -TO_INSTALL=() +INSTALLED_PACKAGES=() easyrsaVer="3.0.6" easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz" @@ -60,8 +60,8 @@ r=$(( r < 20 ? 20 : r )) c=$(( c < 70 ? 70 : c )) # Find IP used to route to outside world -IPv4addr=$(ip route get 192.0.2.1 | awk '{print $7}') -IPv4gw=$(ip route get 192.0.2.1 | awk '{print $3}') +CurrentIPv4addr=$(ip route get 192.0.2.1 | awk '{print $7}') +CurrentIPv4gw=$(ip route get 192.0.2.1 | awk '{print $3}') availableInterfaces=$(ip -o link | awk '/state UP/ {print $2}' | cut -d':' -f1 | cut -d'@' -f1) ######## SCRIPT ############ @@ -195,7 +195,7 @@ main(){ fi # Save installation setting to the final location - echo "TO_INSTALL=(${TO_INSTALL[*]})" >> /tmp/setupVars.conf + echo "INSTALLED_PACKAGES=(${INSTALLED_PACKAGES[*]})" >> /tmp/setupVars.conf $SUDO cp /tmp/setupVars.conf "$setupVars" installScripts @@ -235,7 +235,7 @@ askAboutExistingInstall(){ # distroCheck, maybeOSSupport, noOSSupport distroCheck(){ # if lsb_release command is on their system - if hash lsb_release 2>/dev/null; then + if command -v lsb_release > /dev/null; then PLAT=$(lsb_release -si) OSCN=$(lsb_release -sc) 
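Review bot: The renamed line `echo "INSTALLED_PACKAGES=(${INSTALLED_PACKAGES[*]})" >> /tmp/setupVars.conf` still stages installer settings in a fixed, predictable path under the world-writable /tmp before `$SUDO cp` moves them to `$setupVars`, which the root-run scripts later `source`. If the installer runs as an ordinary user with `$SUDO` set, another local user who pre-creates `/tmp/setupVars.conf` (or a symlink there) gets to seed content that root will execute, and the `>>` append also carries any stale file from an earlier aborted run into the new install. Stage through `mktemp` instead, e.g. `setupVarsTmp=$(mktemp)` once at the start of main() and `$SUDO cp "$setupVarsTmp" "$setupVars"` here, removing the temp file afterwards. main() begins before this hunk, so the earlier writes to /tmp/setupVars.conf are not visible here.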
@@ -436,7 +436,7 @@ preconfigurePackages(){ # if ufw is enabled, configure that. # running as root because sometimes the executable is not in the user's $PATH - if $SUDO bash -c 'hash ufw' 2>/dev/null; then + if $SUDO bash -c 'command -v ufw' > /dev/null; then if LANG=en_US.UTF-8 $SUDO ufw status | grep -q inactive; then USING_UFW=0 else @@ -456,25 +456,46 @@ preconfigurePackages(){ } installDependentPackages(){ + declare -a TO_INSTALL=() + # Install packages passed in via argument array # No spinner - conflicts with set -e declare -a argArray1=("${!1}") for i in "${argArray1[@]}"; do echo -n "::: Checking for $i..." - if dpkg-query -W -f='${Status}' "${i}" 2>/dev/null | grep -q "ok installed"; then - echo " installed!" - else - TO_INSTALL+=("${i}") - echo " not installed!" - fi + if dpkg-query -W -f='${Status}' "${i}" 2>/dev/null | grep -q "ok installed"; then + echo " installed!" + else + echo " not installed!" + # Add this package to the list of packages in the argument array that need to be installed + TO_INSTALL+=("${i}") + fi done - if command -v debconf-apt-progress &> /dev/null; then + if command -v debconf-apt-progress > /dev/null; then # shellcheck disable=SC2086 - $SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}" + $SUDO debconf-apt-progress -- ${PKG_INSTALL} "${TO_INSTALL[@]}" else - ${PKG_INSTALL} "${argArray1[@]}" + # shellcheck disable=SC2086 + $SUDO ${PKG_INSTALL} "${TO_INSTALL[@]}" + fi + + local FAILED=0 + + for i in "${TO_INSTALL[@]}"; do + if dpkg-query -W -f='${Status}' "${i}" 2>/dev/null | grep -q "ok installed"; then + echo "::: Package $i successfully installed!" + # Add this package to the total list of packages that were actually installed by the script + INSTALLED_PACKAGES+=("${i}") + else + echo "::: Failed to install $i!" + ((FAILED++)) + fi + done + + if [ "$FAILED" -gt 0 ]; then + exit 1 fi } 
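Review bot: `((FAILED++))` in the new verification loop returns a non-zero status the first time it runs (the pre-increment value 0 is the expression's result), so if `set -e` is in effect — the comment above the loop about dropping the spinner because of it suggests so — the script exits at the first failed package, skipping the remaining `::: Failed to install` messages and the explicit `exit 1`. Use `FAILED=$((FAILED + 1))` so every failure is reported before aborting. The `dpkg-query` re-check is a good addition, but it only confirms that a package is installed, not where it came from; apt's repository signature check has to be allowed to fail loudly elsewhere for this guarantee to mean anything.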
@@ -596,28 +617,21 @@ getStaticIPv4Settings() { if [ "${runUnattended}" = 'true' ]; then if [ -z "$dhcpReserv" ] || [ "$dhcpReserv" -ne 1 ]; then - local INVALID_STATIC_IPV4_SETTINGS=0 + local MISSING_STATIC_IPV4_SETTINGS=0 if [ -z "$IPv4addr" ]; then echo "::: Missing static IP address" - INVALID_STATIC_IPV4_SETTINGS=1 + ((MISSING_STATIC_IPV4_SETTINGS++)) fi if [ -z "$IPv4gw" ]; then echo "::: Missing static IP gateway" - INVALID_STATIC_IPV4_SETTINGS=1 + ((MISSING_STATIC_IPV4_SETTINGS++)) fi - if [ "$INVALID_STATIC_IPV4_SETTINGS" -eq 1 ]; then - echo "::: Incomplete static IP settings" - exit 1 - fi + if [ "$MISSING_STATIC_IPV4_SETTINGS" -eq 0 ]; then - if [ -z "$IPv4addr" ] && [ -z "$IPv4gw" ]; then - echo "::: No static IP settings, using current settings" - echo "::: Your static IPv4 address: ${IPv4addr}" - echo "::: Your static IPv4 gateway: ${IPv4gw}" - else + # If both settings are not empty, check if they are valid and proceed if validIP "${IPv4addr%/*}"; then echo "::: Your static IPv4 address: ${IPv4addr}" else @@ -631,6 +645,22 @@ getStaticIPv4Settings() { echo "::: ${IPv4gw} is not a valid IP address" exit 1 fi + + elif [ "$MISSING_STATIC_IPV4_SETTINGS" -eq 1 ]; then + + # If either of the settings is missing, consider the input inconsistent + echo "::: Incomplete static IP settings" + exit 1 + + elif [ "$MISSING_STATIC_IPV4_SETTINGS" -eq 2 ]; then + + # If both of the settings are missing, assume the user wants to use current settings + IPv4addr="${CurrentIPv4addr}" + IPv4gw="${CurrentIPv4gw}" + echo "::: No static IP settings, using current settings" + echo "::: Your static IPv4 address: ${IPv4addr}" + echo "::: Your static IPv4 gateway: ${IPv4gw}" + fi else echo "::: Skipping setting static IP address" 
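Review bot: `((MISSING_STATIC_IPV4_SETTINGS++))` defeats the very case this commit sets out to fix: when `$IPv4addr` is empty the first increment evaluates to 0, the command returns status 1, and under `set -e` the script dies right after `::: Missing static IP address`, never reaching the `-eq 2` branch that falls back to `CurrentIPv4addr`/`CurrentIPv4gw`. Write both increments as `MISSING_STATIC_IPV4_SETTINGS=$((MISSING_STATIC_IPV4_SETTINGS + 1))`. The fallback branch also skips the `validIP` checks the explicit branch applies, so if `ip route get` produced nothing (no default route) empty values are accepted as the static configuration; run `validIP "${IPv4addr%/*}"` and `validIP "${IPv4gw}"` on the current values too before printing them. getStaticIPv4Settings() starts before this hunk.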
@@ -645,6 +675,8 @@ getStaticIPv4Settings() { local ipSettingsCorrect # Some users reserve IP addresses on another DHCP Server or on their routers, # Lets ask them if they want to make any changes to their interfaces. + IPv4addr="${CurrentIPv4addr}" + IPv4gw="${CurrentIPv4gw}" if (whiptail --backtitle "Calibrating network interface" --title "DHCP Reservation" --yesno \ "Are you Using DHCP Reservation on your Router/DHCP Server? These are your current Network Settings: @@ -1021,7 +1053,7 @@ installWireGuard(){ WG_TOOLS_SOURCE="https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${WG_TOOLS_SNAPSHOT}.tar.xz" echo "::: Downloading wireguard-tools source code... " - wget -qO- "${WG_TOOLS_SOURCE}" | $SUDO tar Jxf - --directory /usr/src + wget -qO- "${WG_TOOLS_SOURCE}" | $SUDO tar xJ --directory /usr/src echo "done!" ## || exits if cd fails. @@ -1042,7 +1074,7 @@ installWireGuard(){ # files from the file system echo "::: Installing WireGuard tools... " if $SUDO checkinstall --pkgname wireguard-tools --pkgversion "${WG_TOOLS_SNAPSHOT}" -y; then - TO_INSTALL+=("wireguard-tools") + INSTALLED_PACKAGES+=("wireguard-tools") echo "done!" else echo "failed!" 
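Review bot: `wget -qO- "${WG_TOOLS_SOURCE}" | $SUDO tar xJ --directory /usr/src` unpacks a network download as root with no integrity check, and because the pipeline's status is tar's, a failed or truncated download is invisible — `echo "done!"` follows unconditionally and the problem only surfaces later as a missing directory. Download to a `mktemp` file first, abort on wget's status, and leave a hook for verifying a pinned digest of the snapshot before root extracts it; the wireguard-linux-compat download in the next hunk has the same shape. installWireGuard() starts before this hunk.

```shell
echo "::: Downloading wireguard-tools source code... "
WG_TOOLS_TARBALL="$(mktemp)" || exit 1
if ! wget -qO "${WG_TOOLS_TARBALL}" "${WG_TOOLS_SOURCE}"; then
  echo "failed!"
  rm -f "${WG_TOOLS_TARBALL}"
  exit 1
fi
# TODO(review): compare against a pinned sha256 of this snapshot before extracting as root
$SUDO tar xJ --file "${WG_TOOLS_TARBALL}" --no-same-owner --directory /usr/src || exit 1
rm -f "${WG_TOOLS_TARBALL}"
echo "done!"
# … unchanged: cd into the extracted source and build with checkinstall …
```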
@@ -1055,16 +1087,16 @@ installWireGuard(){ WG_MODULE_SOURCE="https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WG_MODULE_SNAPSHOT}.tar.xz" echo "::: Downloading wireguard-linux-compat source code... " - wget -qO- "${WG_MODULE_SOURCE}" | $SUDO tar Jxf - --directory /usr/src + wget -qO- "${WG_MODULE_SOURCE}" | $SUDO tar xJ --directory /usr/src echo "done!" # Rename wireguard-linux-compat folder and move the source code to the parent folder # such that dkms picks up the module when referencing wireguard/"${WG_MODULE_SNAPSHOT}" cd /usr/src && \ - $SUDO mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}" + $SUDO mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}" && \ cd wireguard-"${WG_MODULE_SNAPSHOT}" && \ $SUDO mv src/* . && \ - $SUDO rmdir src + $SUDO rmdir src || exit 1 echo "::: Adding WireGuard modules via DKMS... " if $SUDO dkms add wireguard/"${WG_MODULE_SNAPSHOT}"; then @@ -1086,7 +1118,7 @@ installWireGuard(){ echo "::: Installing WireGuard modules via DKMS... " if $SUDO dkms install wireguard/"${WG_MODULE_SNAPSHOT}"; then - TO_INSTALL+=("wireguard-dkms") + INSTALLED_PACKAGES+=("wireguard-dkms") echo "done!" else echo "failed!" @@ -1113,7 +1145,7 @@ installWireGuard(){ echo "::: Installing WireGuard from PPA... " $SUDO add-apt-repository ppa:wireguard/wireguard -y - $SUDO ${UPDATE_PKG_CACHE} + $SUDO ${UPDATE_PKG_CACHE} &> /dev/null PIVPN_DEPS=(qrencode wireguard wireguard-tools wireguard-dkms linux-headers-generic) installDependentPackages PIVPN_DEPS[@] 
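Review bot: `$SUDO ${UPDATE_PKG_CACHE} &> /dev/null`, added right after `add-apt-repository ppa:wireguard/wireguard -y`, silences the one step where apt would report a failed key import or signature check for the repository that was just added; the failure then shows up only as a misleading `::: Failed to install` from installDependentPackages. Keep the output quiet but test the status: `$SUDO ${UPDATE_PKG_CACHE} &> /dev/null || { echo "::: Failed to update the package cache"; exit 1; }`. The `|| exit 1` on the `mv`/`rmdir` chain is welcome, but the `wget -qO- "${WG_MODULE_SOURCE}" | $SUDO tar xJ` line above it still masks a failed download (the pipe returns tar's status) and prints `done!` regardless, so that chain is currently the only thing catching a bad download. installWireGuard() continues outside this hunk.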
@@ -1259,7 +1291,7 @@ askClientDNS(){ fi # Detect and offer to use Pi-hole - if command -v pihole &>/dev/null; then + if command -v pihole > /dev/null; then if (whiptail --backtitle "Setup PiVPN" --title "Pi-hole" --yesno "We have detected a Pi-hole installation, do you want to use it as the DNS server for the VPN, so you get ad blocking on the go?" ${r} ${c}); then pivpnDNS1="$vpnGw" echo "interface=$pivpnDEV" | $SUDO tee /etc/dnsmasq.d/02-pivpn.conf > /dev/null @@ -1574,7 +1606,7 @@ confOpenVPN(){ fi # Get easy-rsa - wget -qO- "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn + wget -qO- "${easyrsaRel}" | $SUDO tar xz --directory /etc/openvpn $SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa # fix ownership $SUDO chown -R root:root /etc/openvpn/easy-rsa @@ -1939,7 +1971,7 @@ askUnattendedUpgrades(){ confUnattendedUpgrades(){ local PIVPN_DEPS - PIVPN_DEPS+=(unattended-upgrades) + PIVPN_DEPS=(unattended-upgrades) installDependentPackages PIVPN_DEPS[@] aptConfDir="/etc/apt/apt.conf.d" @@ -1956,10 +1988,13 @@ confUnattendedUpgrades(){ # Fix Raspbian config if [ "$PLAT" = "Raspbian" ]; then - wget -q -O "/tmp/${UNATTUPG_RELEASE}.tar.gz" "$UNATTUPG_CONFIG" - cd /tmp/ && $SUDO tar xzf "/tmp/${UNATTUPG_RELEASE}.tar.gz" - $SUDO cp /tmp/"unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" "${aptConfDir}/50unattended-upgrades" - $SUDO rm -rf "/tmp/unattended-upgrades-$UNATTUPG_RELEASE" + wget -qO- "$UNATTUPG_CONFIG" | $SUDO tar xz --directory "${aptConfDir}" "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" --strip-components 2 + if test -s "${aptConfDir}/50unattended-upgrades.Raspbian"; then + $SUDO mv "${aptConfDir}/50unattended-upgrades.Raspbian" "${aptConfDir}/50unattended-upgrades" + else + echo "$0: ERR: Failed to download \"50unattended-upgrades.Raspbian\"." + exit 1 + fi fi # Add the remaining settings for all other distributions 
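Review bot: The new `wget -qO- "$UNATTUPG_CONFIG" | $SUDO tar xz --directory "${aptConfDir}" … --strip-components 2` streams a file from the network straight into /etc/apt/apt.conf.d as root, and the follow-up `test -s` only proves it is non-empty: whatever is served at that URL becomes apt's unattended-upgrade policy with no digest or content check, and since root's tar honours archive ownership by default the file is owned by whatever uid the tarball recorded. Extract into a `mktemp -d` directory, check that it looks like an unattended-upgrades file (e.g. contains an `Unattended-Upgrade::` directive — confirm against the upstream file), and `install -m 644 -o root -g root` it into place so a partial or foreign file never lands in apt.conf.d. The non-empty check remains necessary because the pipeline's status is tar's, not wget's. confUnattendedUpgrades() continues outside this hunk.

```shell
if [ "$PLAT" = "Raspbian" ]; then
  UNATTUPG_TMP="$(mktemp -d)" || exit 1
  wget -qO- "$UNATTUPG_CONFIG" | $SUDO tar xz --directory "${UNATTUPG_TMP}" --no-same-owner \
    "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" --strip-components 2
  # Refuse anything that does not look like an unattended-upgrades configuration file
  if test -s "${UNATTUPG_TMP}/50unattended-upgrades.Raspbian" \
     && grep -q '^Unattended-Upgrade::' "${UNATTUPG_TMP}/50unattended-upgrades.Raspbian"; then
    $SUDO install -m 644 -o root -g root "${UNATTUPG_TMP}/50unattended-upgrades.Raspbian" "${aptConfDir}/50unattended-upgrades"
  else
    echo "$0: ERR: Failed to download \"50unattended-upgrades.Raspbian\"."
    rm -rf "${UNATTUPG_TMP}"
    exit 1
  fi
  rm -rf "${UNATTUPG_TMP}"
fi
# … unchanged: remaining settings for all other distributions …
```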
diff --git a/scripts/backup.sh b/scripts/backup.sh index a8e6a1d..56b46e5 100755 --- a/scripts/backup.sh +++ b/scripts/backup.sh @@ -1,9 +1,16 @@ #!/bin/bash -# shellcheck disable=SC1091 -source /etc/pivpn/setupVars.conf -# shellcheck disable=SC1090 + backupdir=pivpnbackup date=$(date +%Y%m%d-%H%M%S) +setupVars="/etc/pivpn/setupVars.conf" + +if [ ! -f "${setupVars}" ]; then + echo "::: Missing setup vars file!" + exit 1 +fi + +# shellcheck disable=SC1090 +source "${setupVars}" checkbackupdir(){ diff --git a/scripts/openvpn/makeOVPN.sh b/scripts/openvpn/makeOVPN.sh index ec89435..4e4bcc4 100755 --- a/scripts/openvpn/makeOVPN.sh +++ b/scripts/openvpn/makeOVPN.sh @@ -91,7 +91,7 @@ do NO_PASS="1" ;; -b|--bitwarden) - if command -v bw &> /dev/null; then + if command -v bw > /dev/null; then BITWARDEN="2" else echo "Bitwarden not found, please install bitwarden" diff --git a/scripts/openvpn/pivpnDebug.sh b/scripts/openvpn/pivpnDebug.sh index df4e938..d72fd8a 100755 --- a/scripts/openvpn/pivpnDebug.sh +++ b/scripts/openvpn/pivpnDebug.sh @@ -2,7 +2,6 @@ # This scripts runs as root setupVars="/etc/pivpn/setupVars.conf" -ERR=0 if [ ! -f "${setupVars}" ]; then echo "::: Missing setup vars file!" @@ -17,14 +16,6 @@ echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::" git --git-dir /etc/.pivpn/.git log -n 1 printf "=============================================\n" echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::" -# Use the wildcard so setupVars.conf.update.bak from the previous install is not shown -for filename in /etc/pivpn/*; do - if [[ "$filename" != "/etc/pivpn/setupVars.conf"* ]]; then - echo "$filename -> $(cat "$filename")" - fi -done -printf "=============================================\n" -echo -e "::::\t\e[4msetupVars file shown below\e[0m\t ::::" sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf printf "=============================================\n" echo -e ":::: \e[4mServer configuration shown below\e[0m ::::" 
@@ -37,152 +28,7 @@ echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::: \e[4m/etc/openv ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial printf "=============================================\n" echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::" - -if [ "$(cat /proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then - echo ":: [OK] IP forwarding is enabled" -else - ERR=1 - read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf - sysctl -p - echo "Done" - fi -fi - -if [ "$USING_UFW" -eq 0 ]; then - - if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then - echo ":: [OK] Iptables MASQUERADE rule set" - else - ERR=1 - read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" - iptables-save > /etc/iptables/rules.v4 - echo "Done" - fi - fi - - if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then - - if iptables -C INPUT -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule" &> /dev/null; then - echo ":: [OK] Iptables INPUT rule set" - else - ERR=1 - read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? 
[Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - iptables -I INPUT 1 -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule" - iptables-save > /etc/iptables/rules.v4 - echo "Done" - fi - fi - fi - - if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then - - if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule" &> /dev/null; then - echo ":: [OK] Iptables FORWARD rule set" - else - ERR=1 - read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule" - iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule" - iptables-save > /etc/iptables/rules.v4 - echo "Done" - fi - fi - fi - -else - - if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then - echo ":: [OK] Ufw is enabled" - else - ERR=1 - read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - ufw enable - fi - fi - - if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then - echo ":: [OK] Iptables MASQUERADE rule set" - else - ERR=1 - read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? 
[Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE -m comment --comment ${VPN}-nat-rule\nCOMMIT\n" -i /etc/ufw/before.rules - ufw reload - echo "Done" - fi - fi - - if iptables -C ufw-user-input -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT &> /dev/null; then - echo ":: [OK] Ufw input rule set" - else - ERR=1 - read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - ufw insert 1 allow "$pivpnPORT"/"$pivpnPROTO" - ufw reload - echo "Done" - fi - fi - - if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then - echo ":: [OK] Ufw forwarding rule set" - else - ERR=1 - read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any - ufw reload - echo "Done" - fi - fi - -fi - -if systemctl is-active -q openvpn; then - echo ":: [OK] OpenVPN is running" -else - ERR=1 - read -r -p ":: [ERR] OpenVPN is not running, try to start now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - systemctl start openvpn - echo "Done" - fi -fi - -if systemctl is-enabled -q openvpn; then - echo ":: [OK] OpenVPN is enabled (it will automatically start on reboot)" -else - ERR=1 - read -r -p ":: [ERR] OpenVPN is not enabled, try to enable now? 
[Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - systemctl enable openvpn - echo "Done" - fi -fi - -# grep -w (whole word) is used so port 11940 won't match when looking for 1194 -if netstat -uanpt | grep openvpn | grep -w "${pivpnPORT}" | grep -q "${pivpnPROTO}"; then - echo ":: [OK] OpenVPN is listening on port ${pivpnPORT}/${pivpnPROTO}" -else - ERR=1 - read -r -p ":: [ERR] OpenVPN is not listening, try to restart now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - systemctl restart openvpn - echo "Done" - fi -fi - -if [ "$ERR" -eq 1 ]; then - echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues" -fi - +/opt/pivpn/self_check.sh printf "=============================================\n" echo -e ":::: \e[4mSnippet of the server log\e[0m ::::" tail -20 /var/log/openvpn.log > /tmp/snippet diff --git a/scripts/self_check.sh b/scripts/self_check.sh new file mode 100755 index 0000000..b6a2194 --- /dev/null +++ b/scripts/self_check.sh 
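Review bot: `tail -20 /var/log/openvpn.log > /tmp/snippet`, the unchanged line right after the new `/opt/pivpn/self_check.sh` call, has root (the file header says this script runs as root) truncate a fixed, predictable path in the world-writable /tmp; a local user who pre-creates `/tmp/snippet` as a symlink redirects that write onto any file on the system. The line predates this commit, but since the self-check extraction touches this spot anyway, switch to `snippet=$(mktemp) && tail -20 /var/log/openvpn.log > "$snippet"` (and use `"$snippet"` in the processing that follows, which is outside this hunk) or pipe the output without a file at all. The new self_check.sh invocation is fine as long as /opt/pivpn stays root-owned, since it is executed with root privileges.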
@@ -0,0 +1,170 @@ +#!/bin/bash + +subnetClass="24" +setupVars="/etc/pivpn/setupVars.conf" +ERR=0 + +if [ ! -f "${setupVars}" ]; then + echo "::: Missing setup vars file!" + exit 1 +fi + +source "${setupVars}" + +if [ "$VPN" = "wireguard" ]; then + pivpnPROTO="udp" + pivpnDEV="wg0" + pivpnNET="10.6.0.0" + VPN_SERVICE="wg-quick@wg0" + VPN_PRETTY_NAME="WireGuard" +elif [ "$VPN" = "openvpn" ]; then + pivpnDEV="tun0" + pivpnNET="10.8.0.0" + VPN_SERVICE="openvpn" + VPN_PRETTY_NAME="OpenVPN" +fi + +if [ "$( /dev/null; then + echo ":: [OK] Iptables MASQUERADE rule set" + else + ERR=1 + read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then + iptables -t nat -I POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" + iptables-save > /etc/iptables/rules.v4 + echo "Done" + fi + fi + + if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then + + if iptables -C INPUT -i "${IPv4dev}" -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT -m comment --comment "${VPN}-input-rule" &> /dev/null; then + echo ":: [OK] Iptables INPUT rule set" + else + ERR=1 + read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then + iptables -I INPUT 1 -i "${IPv4dev}" -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT -m comment --comment "${VPN}-input-rule" + iptables-save > /etc/iptables/rules.v4 + echo "Done" + fi + fi + fi + + if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then + + if iptables -C FORWARD -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT -m comment --comment "${VPN}-forward-rule" &> /dev/null; then + echo ":: [OK] Iptables FORWARD rule set" + else + ERR=1 + read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? 
[Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then + iptables -I FORWARD 1 -d "${pivpnNET}/${subnetClass}" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule" + iptables -I FORWARD 2 -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT -m comment --comment "${VPN}-forward-rule" + iptables-save > /etc/iptables/rules.v4 + echo "Done" + fi + fi + fi + +else + + if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then + echo ":: [OK] Ufw is enabled" + else + ERR=1 + read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then + ufw enable + fi + fi + + if iptables -t nat -C POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then + echo ":: [OK] Iptables MASQUERADE rule set" + else + ERR=1 + read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then + sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}/${subnetClass} -o ${IPv4dev} -j MASQUERADE -m comment --comment ${VPN}-nat-rule\nCOMMIT\n" -i /etc/ufw/before.rules + ufw reload + echo "Done" + fi + fi + + if iptables -C ufw-user-input -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT &> /dev/null; then + echo ":: [OK] Ufw input rule set" + else + ERR=1 + read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then + ufw insert 1 allow "${pivpnPORT}"/"${pivpnPROTO}" + ufw reload + echo "Done" + fi + fi + + if iptables -C ufw-user-forward -i "${pivpnDEV}" -o "${IPv4dev}" -s "${pivpnNET}/${subnetClass}" -j ACCEPT &> /dev/null; then + echo ":: [OK] Ufw forwarding rule set" + else + ERR=1 + read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? 
[Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then + ufw route insert 1 allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any + ufw reload + echo "Done" + fi + fi + +fi + +if systemctl is-active -q "${VPN_SERVICE}"; then + echo ":: [OK] ${VPN_PRETTY_NAME} is running" +else + ERR=1 + read -r -p ":: [ERR] ${VPN_PRETTY_NAME} is not running, try to start now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then + systemctl start "${VPN_SERVICE}" + echo "Done" + fi +fi + +if systemctl is-enabled -q "${VPN_SERVICE}"; then + echo ":: [OK] ${VPN_PRETTY_NAME} is enabled (it will automatically start on reboot)" +else + ERR=1 + read -r -p ":: [ERR] ${VPN_PRETTY_NAME} is not enabled, try to enable now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then + systemctl enable "${VPN_SERVICE}" + echo "Done" + fi +fi + +# grep -w (whole word) is used so port 11940 won't match when looking for 1194 +if netstat -antu | grep -wqE "${pivpnPROTO}.*${pivpnPORT}"; then + echo ":: [OK] ${VPN_PRETTY_NAME} is listening on port ${pivpnPORT}/${pivpnPROTO}" +else + ERR=1 + read -r -p ":: [ERR] ${VPN_PRETTY_NAME} is not listening, try to restart now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then + systemctl restart "${VPN_SERVICE}" + echo "Done" + fi +fi + +if [ "$ERR" -eq 1 ]; then + echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues" +fi diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index 4546044..498b07e 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -101,7 +101,7 @@ removeAll(){ # Purge dependencies echo "::: Purge dependencies..." - for i in "${TO_INSTALL[@]}"; do + for i in "${INSTALLED_PACKAGES[@]}"; do while true; do read -rp "::: Do you wish to remove $i from your system? [Y/n]: " yn case $yn in diff --git a/scripts/update.sh b/scripts/update.sh index c11d8eb..609c273 100755 --- a/scripts/update.sh +++ b/scripts/update.sh 
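Review bot: The listening check `netstat -antu | grep -wqE "${pivpnPROTO}.*${pivpnPORT}"` no longer shows that the VPN daemon is bound to its port: it matches any TCP/UDP line containing the port anywhere — an established connection whose remote address happens to use it, or an unrelated service — whereas the OpenVPN version it replaces filtered on the process name, so a stopped daemon can be reported `[OK]` and the restart offered below never happens. Restrict to listening sockets of the configured protocol and anchor on the local port, e.g. `ss -Hln"${pivpnPROTO:0:1}" "sport = :${pivpnPORT}" | grep -q .` (or `netstat -ln"${pivpnPROTO:0:1}"` with an awk match on the local-address column). Separately, when `$VPN` is neither `wireguard` nor `openvpn`, `pivpnDEV`/`pivpnNET` stay unset and the repair commands run iptables with empty `-s`/`-i` arguments; an `else echo "::: Unknown VPN"; exit 1` on that dispatch would fail safely.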
@@ -15,6 +15,17 @@ fi source "${setupVars}" +scriptusage(){ + echo "::: Updates PiVPN scripts" + echo ":::" + echo "::: Usage: pivpn <-up|update> [-t|--test]" + echo ":::" + echo "::: Commands:" + echo "::: [none] Updates from master branch" + echo "::: -t, test Updates from test branch" + echo "::: -h, help Show this usage dialog" +} + ###Functions ##Updates scripts updatepivpnscripts(){ @@ -68,14 +79,6 @@ cloneupdttest(){ git -C "$pivpnlocalpath" checkout master } -scriptusage(){ - echo -e "Updates pivpn scripts, - - Usage: - pivpn update | updates from master branch - pivpn update -t or --test | updates from test branch" -} - ## SCRIPT if [[ $# -eq 0 ]]; then @@ -83,15 +86,15 @@ if [[ $# -eq 0 ]]; then else while true; do case "$1" in - -t|--test|test) + -t|test) updatefromtest exit 0 ;; - -h|--help|help) + -h|help) scriptusage exit 0 ;; - * ) + *) updatepivpnscripts exit 0 ;; diff --git a/scripts/wireguard/bash-completion b/scripts/wireguard/bash-completion index a971696..412072a 100644 --- a/scripts/wireguard/bash-completion +++ b/scripts/wireguard/bash-completion @@ -4,8 +4,8 @@ _pivpn() COMPREPLY=() cur="${COMP_WORDS[COMP_CWORD]}" prev="${COMP_WORDS[COMP_CWORD-1]}" - dashopts="-a -c -d -l -qr -r -h -u -up -bk" - opts="add clients debug list qrcode remove help uninstall update backup" + dashopts="-a -c -d -l -qr -r -h -u -up -wg -bk" + opts="add clients debug list qrcode remove help uninstall update wgupdate backup" if [ "${#COMP_WORDS[@]}" -eq 2 ] then if [[ ${cur} == -* ]] ; then diff --git a/scripts/wireguard/clientSTAT.sh b/scripts/wireguard/clientSTAT.sh index d8c94cd..93abc22 100755 --- a/scripts/wireguard/clientSTAT.sh +++ b/scripts/wireguard/clientSTAT.sh @@ -10,7 +10,11 @@ hr(){ numfmt --to=iec-i --suffix=B "$1" } -DUMP="$(wg show wg0 dump | tail -n +2)" +if DUMP="$(wg show wg0 dump)"; then + DUMP="$(tail -n +2 <<< "$DUMP")" +else + exit 1 +fi printf "\e[1m::: Connected Clients List :::\e[0m\n" 
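Review bot: The new usage text advertises `pivpn <-up|update> [-t|--test]`, yet the case arm was narrowed from `-t|--test|test)` to `-t|test)`, so `pivpn update --test` now falls through to `*)` and silently updates from master — the opposite of what was requested. Either keep `--test` (and `--help`) in the arms or make the default arm reject unknown arguments, `*) scriptusage; exit 1 ;;`, so a typo can never select a branch. In clientSTAT.sh, `if DUMP="$(wg show wg0 dump)"` correctly exits when wg0 is absent but does so with no message; `echo "::: wg0 is not available" >&2` before the `exit 1` would spare the user a debugging step.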
diff --git a/scripts/wireguard/makeCONF.sh b/scripts/wireguard/makeCONF.sh index 561aa69..2a0b0d3 100755 --- a/scripts/wireguard/makeCONF.sh +++ b/scripts/wireguard/makeCONF.sh @@ -2,6 +2,13 @@ setupVars="/etc/pivpn/setupVars.conf" +if [ ! -f "${setupVars}" ]; then + echo "::: Missing setup vars file!" + exit 1 +fi + +source "${setupVars}" + helpFunc(){ echo "::: Create a client conf profile" echo ":::" @@ -39,13 +46,6 @@ while test $# -gt 0; do shift done -if [ ! -f "${setupVars}" ]; then - echo "::: Missing setup vars file!" - exit 1 -fi - -source "${setupVars}" - # The home folder variable was sourced from the settings file. if [ ! -d "${install_home}/configs" ]; then mkdir "${install_home}/configs" diff --git a/scripts/wireguard/pivpn b/scripts/wireguard/pivpn index 4400a3f..a08ca61 100755 --- a/scripts/wireguard/pivpn +++ b/scripts/wireguard/pivpn @@ -54,6 +54,11 @@ updateScripts(){ exit 0 } +updateWireGuard(){ + $SUDO /opt/pivpn/wgUPDATE.sh + exit 0 +} + backup(){ $SUDO /opt/pivpn/backup.sh } @@ -73,7 +78,8 @@ showHelp(){ echo "::: -h, help Show this help dialog" echo "::: -u, uninstall Uninstall pivpn from your system!" echo "::: -up, update Updates PiVPN Scripts" - echo "::: -bk, Backup Backup vpn configs and user profiles" + echo "::: -wg, wgupdate Updates WireGuard" + echo "::: -bk, backup Backup VPN configs and user profiles" exit 0 } @@ -92,6 +98,7 @@ case "$1" in "-h" | "help" ) showHelp;; "-u" | "uninstall" ) uninstallServer;; "-up" | "update" ) updateScripts "$@" ;; +"-wg" | "wgupdate" ) updateWireGuard ;; "-bk" | "backup" ) backup ;; * ) showHelp;; esac diff --git a/scripts/wireguard/pivpnDEBUG.sh b/scripts/wireguard/pivpnDEBUG.sh index f2fe45c..0aebdd6 100755 --- a/scripts/wireguard/pivpnDEBUG.sh +++ b/scripts/wireguard/pivpnDEBUG.sh 
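Review bot: `updateWireGuard()` runs `$SUDO /opt/pivpn/wgUPDATE.sh` and then `exit 0` unconditionally, so `pivpn -wg` reports success even when the module rebuild fails and the host keeps running the old WireGuard — a scripted or cron-driven caller cannot detect that. Propagate the status instead: `$SUDO /opt/pivpn/wgUPDATE.sh` followed by `exit $?` (the same pattern exists in updateScripts above, outside this hunk). wgUPDATE.sh itself is not in the part of the diff visible here, so what it verifies about the downloaded module source cannot be assessed from this hunk.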
@@ -10,32 +10,30 @@ fi source "${setupVars}" -EXAMPLE="$(head -1 /etc/wireguard/configs/clients.txt | awk '{print $1}')" -ERR=0 - echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::" printf "=============================================\n" echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::" git --git-dir /etc/.pivpn/.git log -n 1 printf "=============================================\n" echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::" -sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf +sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf printf "=============================================\n" echo -e ":::: \e[4mServer configuration shown below\e[0m ::::" cd /etc/wireguard/keys cp ../wg0.conf ../wg0.tmp # Replace every key in the server configuration with just its file name for k in *; do - sed "s#$(cat "$k")#$k#" -i ../wg0.tmp + sed "s#$(<"$k")#$k#" -i ../wg0.tmp done cat ../wg0.tmp rm ../wg0.tmp printf "=============================================\n" echo -e ":::: \e[4mClient configuration shown below\e[0m ::::" +EXAMPLE="$(head -1 /etc/wireguard/configs/clients.txt | awk '{print $1}')" if [ -n "$EXAMPLE" ]; then cp ../configs/"$EXAMPLE".conf ../configs/"$EXAMPLE".tmp for k in *; do - sed "s#$(cat "$k")#$k#" -i ../configs/"$EXAMPLE".tmp + sed "s#$(<"$k")#$k#" -i ../configs/"$EXAMPLE".tmp done sed "s/$pivpnHOST/REDACTED/" < ../configs/"$EXAMPLE".tmp rm ../configs/"$EXAMPLE".tmp 
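Review bot: `sed "s#$(<"$k")#$k#" -i ../wg0.tmp` puts the contents of every file under /etc/wireguard/keys — the server private key and any preshared keys included — on the command line of a sed process, where it is readable by every local user through `ps` or `/proc/*/cmdline` for the duration of the call unless /proc is mounted with hidepid; the switch from `$(cat "$k")` to `$(<"$k")` does not change that, and the client-config loop below repeats it. Build the substitutions into a sed script created with `mktemp` (root-only, 0600) and pass it with `-f`, so the keys never leave files root owns. The unchecked `cd /etc/wireguard/keys` just above makes a failure worse: `for k in *` would then glob the current directory and `cp ../wg0.conf` would read from the wrong place, so add `|| exit 1`.

```shell
cd /etc/wireguard/keys || exit 1
cp ../wg0.conf ../wg0.tmp
# Collect key -> filename substitutions in a root-only temp file so no key
# ever appears on a process command line
SEDSCRIPT="$(mktemp)" || exit 1
for k in *; do
  printf 's#%s#%s#\n' "$(<"$k")" "$k" >> "${SEDSCRIPT}"
done
sed -f "${SEDSCRIPT}" -i ../wg0.tmp
cat ../wg0.tmp
rm ../wg0.tmp
# … unchanged: client configuration section, using `sed -f "${SEDSCRIPT}"` in place of its inner loop …
rm -f "${SEDSCRIPT}"
```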
@@ -48,151 +46,7 @@ echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::::\e\t[4m/etc/wir ls -LR /etc/wireguard printf "=============================================\n" echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::" - -if [ "$(cat /proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then - echo ":: [OK] IP forwarding is enabled" -else - ERR=1 - read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf - sysctl -p - echo "Done" - fi -fi - -if [ "$USING_UFW" -eq 0 ]; then - - if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then - echo ":: [OK] Iptables MASQUERADE rule set" - else - ERR=1 - read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - iptables -t nat -I POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" - iptables-save > /etc/iptables/rules.v4 - echo "Done" - fi - fi - - if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then - - if iptables -C INPUT -i "$IPv4dev" -p udp --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule" &> /dev/null; then - echo ":: [OK] Iptables INPUT rule set" - else - ERR=1 - read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? 
[Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - iptables -I INPUT 1 -i "$IPv4dev" -p udp --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule" - iptables-save > /etc/iptables/rules.v4 - echo "Done" - fi - fi - fi - - if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then - - if iptables -C FORWARD -s 10.6.0.0/24 -i wg0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule" &> /dev/null; then - echo ":: [OK] Iptables FORWARD rule set" - else - ERR=1 - read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - iptables -I FORWARD 1 -d 10.6.0.0/24 -i "$IPv4dev" -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule" - iptables -I FORWARD 2 -s 10.6.0.0/24 -i wg0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule" - iptables-save > /etc/iptables/rules.v4 - echo "Done" - fi - fi - fi - -else - - if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then - echo ":: [OK] Ufw is enabled" - else - ERR=1 - read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - ufw enable - fi - fi - - if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then - echo ":: [OK] Iptables MASQUERADE rule set" - else - ERR=1 - read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? 
[Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.6.0.0/24 -o $IPv4dev -j MASQUERADE -m comment --comment ${VPN}-nat-rule\nCOMMIT\n" -i /etc/ufw/before.rules - ufw reload - echo "Done" - fi - fi - - if iptables -C ufw-user-input -p udp --dport "${pivpnPORT}" -j ACCEPT &> /dev/null; then - echo ":: [OK] Ufw input rule set" - else - ERR=1 - read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - ufw insert 1 allow "$pivpnPORT"/udp - ufw reload - echo "Done" - fi - fi - - if iptables -C ufw-user-forward -i wg0 -o "${IPv4dev}" -s 10.6.0.0/24 -j ACCEPT &> /dev/null; then - echo ":: [OK] Ufw forwarding rule set" - else - ERR=1 - read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - ufw route insert 1 allow in on wg0 from 10.6.0.0/24 out on "$IPv4dev" to any - ufw reload - echo "Done" - fi - fi - -fi - -if systemctl is-active -q wg-quick@wg0; then - echo ":: [OK] WireGuard is running" -else - ERR=1 - read -r -p ":: [ERR] WireGuard is not running, try to start now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - systemctl start wg-quick@wg0 - echo "Done" - fi -fi - -if systemctl is-enabled -q wg-quick@wg0; then - echo ":: [OK] WireGuard is enabled (it will automatically start on reboot)" -else - ERR=1 - read -r -p ":: [ERR] WireGuard is not enabled, try to enable now? 
[Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - systemctl enable wg-quick@wg0 - echo "Done" - fi -fi - -# grep -w (whole word) is used so port 11940 won't match when looking for 1194 -if netstat -uanp | grep -w "${pivpnPORT}" | grep -q 'udp'; then - echo ":: [OK] WireGuard is listening on port ${pivpnPORT}/udp" -else - ERR=1 - read -r -p ":: [ERR] WireGuard is not listening, try to restart now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - systemctl restart wg-quick@wg0 - echo "Done" - fi -fi - -if [ "$ERR" -eq 1 ]; then - echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues" -fi +/opt/pivpn/self_check.sh printf "=============================================\n" echo -e ":::: \e[1mWARNING\e[0m: This script should have automatically masked sensitive ::::" echo -e ":::: information, however, still make sure that \e[4mPrivateKey\e[0m, \e[4mPublicKey\e[0m ::::" diff --git a/scripts/wireguard/removeCONF.sh b/scripts/wireguard/removeCONF.sh index b00deb6..36aa249 100755 --- a/scripts/wireguard/removeCONF.sh +++ b/scripts/wireguard/removeCONF.sh @@ -2,6 +2,13 @@ setupVars="/etc/pivpn/setupVars.conf" +if [ ! -f "${setupVars}" ]; then + echo "::: Missing setup vars file!" + exit 1 +fi + +source "${setupVars}" + helpFunc(){ echo "::: Remove a client conf profile" echo ":::" @@ -29,13 +36,6 @@ do shift done -if [ ! -f "${setupVars}" ]; then - echo "::: Missing setup vars file!" - exit 1 -fi - -source "${setupVars}" - cd /etc/wireguard if [ ! -s configs/clients.txt ]; then echo "::: There are no clients to remove" diff --git a/scripts/wireguard/wgUPDATE.sh b/scripts/wireguard/wgUPDATE.sh new file mode 100755 index 0000000..6a17993 --- /dev/null +++ b/scripts/wireguard/wgUPDATE.sh 
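Review bot: `/opt/pivpn/self_check.sh` is invoked by absolute path with no check that it exists or is executable, so on an installation whose /opt/pivpn was not refreshed together with this script the section prints only the shell's "No such file" message and the debug report continues as if the self check had run. A guard such as `if [ -x /opt/pivpn/self_check.sh ]; then /opt/pivpn/self_check.sh; else echo ":: [ERR] self_check.sh not found"; fi` keeps the section honest. The removed inline block also ended with the "Run pivpn -d again" hint whenever a check failed; presumably the new script carries that over, but it is not visible here.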
@@ -0,0 +1,132 @@
+#!/bin/bash
+
+setupVars="/etc/pivpn/setupVars.conf"
+
+if [ ! -f "${setupVars}" ]; then
+    echo "::: Missing setup vars file!"
+    exit 1
+fi
+
+source "${setupVars}"
+
+if [ "$(uname -m)" != "armv6l" ]; then
+    echo "On your system, WireGuard updates via the package manager"
+    exit 0
+fi
+
+CURRENT_WG_TOOLS_SNAPSHOT="${WG_TOOLS_SNAPSHOT}"
+WG_TOOLS_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-tools"."version"')"
+
+if dpkg --compare-versions "${WG_TOOLS_SNAPSHOT}" gt "${CURRENT_WG_TOOLS_SNAPSHOT}"; then
+
+    read -r -p "A new wireguard-tools update is available (${WG_TOOLS_SNAPSHOT}), install? [Y/n]: "
+
+    if [[ ${REPLY} =~ ^[Yy]$ ]]; then
+        echo "::: Upgrading wireguard-tools from ${CURRENT_WG_TOOLS_SNAPSHOT} to ${WG_TOOLS_SNAPSHOT}..."
+
+        WG_TOOLS_SOURCE="https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${WG_TOOLS_SNAPSHOT}.tar.xz"
+        echo "::: Downloading wireguard-tools source code... "
+        wget -qO- "${WG_TOOLS_SOURCE}" | tar xJ --directory /usr/src
+        echo "done!"
+
+        ## || exits if cd fails.
+        cd /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}/src" || exit 1
+
+        # We install the userspace tools manually since DKMS only compiles and
+        # installs the kernel module
+        echo "::: Compiling WireGuard tools... "
+        if make; then
+            echo "done!"
+        else
+            echo "failed!"
+            exit 1
+        fi
+
+        # Use checkinstall to install userspace tools so if the user wants to uninstall
+        # PiVPN we can just do apt remove wireguard-tools, instead of manually removing
+        # files from the file system
+        echo "::: Installing WireGuard tools... "
+        if checkinstall --pkgname wireguard-tools --pkgversion "${WG_TOOLS_SNAPSHOT}" -y; then
+            echo "done!"
+        else
+            echo "failed!"
+            exit 1
+        fi
+
+        echo "::: Removing old source code ..."
+        rm -rf /usr/src/wireguard-tools-"${CURRENT_WG_TOOLS_SNAPSHOT}"
+
+        sed "s/WG_TOOLS_SNAPSHOT=${CURRENT_WG_TOOLS_SNAPSHOT}/WG_TOOLS_SNAPSHOT=${WG_TOOLS_SNAPSHOT}/" -i "${setupVars}"
+
+        echo "::: Upgrade completed!"
+    fi
+else
+    echo "::: You are running the lastest version of wireguard-tools (${CURRENT_WG_TOOLS_SNAPSHOT})"
+fi
+
+CURRENT_WG_MODULE_SNAPSHOT="${WG_MODULE_SNAPSHOT}"
+WG_MODULE_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-linuxcompat"."version"')"
+
+if dpkg --compare-versions "${WG_MODULE_SNAPSHOT}" gt "${CURRENT_WG_MODULE_SNAPSHOT}"; then
+
+    read -r -p "A new wireguard-dkms update is available (${WG_MODULE_SNAPSHOT}), install? [Y/n]: "
+
+    if [[ ${REPLY} =~ ^[Yy]$ ]]; then
+        echo "::: Upgrading wireguard-dkms from ${CURRENT_WG_MODULE_SNAPSHOT} to ${WG_MODULE_SNAPSHOT}..."
+
+        WG_MODULE_SOURCE="https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WG_MODULE_SNAPSHOT}.tar.xz"
+        echo "::: Downloading wireguard-linux-compat source code... "
+        wget -qO- "${WG_MODULE_SOURCE}" | tar xJ --directory /usr/src
+        echo "done!"
+
+        # Rename wireguard-linux-compat folder and move the source code to the parent folder
+        # such that dkms picks up the module when referencing wireguard/"${WG_MODULE_SNAPSHOT}"
+        cd /usr/src && \
+        mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}" && \
+        cd wireguard-"${WG_MODULE_SNAPSHOT}" && \
+        mv src/* . && \
+        rmdir src || exit 1
+
+        echo "::: Adding WireGuard module via DKMS... "
+        if dkms add wireguard/"${WG_MODULE_SNAPSHOT}"; then
+            echo "done!"
+        else
+            echo "failed!"
+            dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
+            exit 1
+        fi
+
+        echo "::: Compiling WireGuard module via DKMS... "
+        if dkms build wireguard/"${WG_MODULE_SNAPSHOT}"; then
+            echo "done!"
+        else
+            echo "failed!"
+            dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
+            exit 1
+        fi
+
+        echo "::: Installing WireGuard module via DKMS... "
+        if dkms install wireguard/"${WG_MODULE_SNAPSHOT}"; then
+            echo "done!"
+        else
+            echo "failed!"
+            dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
+            exit 1
+        fi
+
+        echo "::: Removing old kernel module and source code..."
+        if dkms remove wireguard/"${CURRENT_WG_MODULE_SNAPSHOT}" --all; then
+            rm -rf /usr/src/wireguard-"${CURRENT_WG_MODULE_SNAPSHOT}"
+            echo "done!"
+        else
+            echo "failed!"
+            exit 1
+        fi
+
+        sed "s/WG_TOOLS_SNAPSHOT=${CURRENT_WG_MODULE_SNAPSHOT}/WG_TOOLS_SNAPSHOT=${WG_MODULE_SNAPSHOT}/" -i "${setupVars}"
+
+        echo "::: Upgrade completed!"
+    fi
+else
+    echo "::: You are running the lastest version of wireguard-dkms (${CURRENT_WG_MODULE_SNAPSHOT})"
+fi
diff --git a/unattended_openvpn_example.conf b/unattended_openvpn_example.conf
index f0094bc..091877a 100644
--- a/unattended_openvpn_example.conf
+++ b/unattended_openvpn_example.conf
@@ -1,4 +1,6 @@
 IPv4dev=eth0
+IPv4addr=192.168.23.211
+IPv4gw=192.168.23.1
 dhcpReserv=0
 install_user=pi
 VPN=openvpn
diff --git a/unattended_wireguard_example.conf b/unattended_wireguard_example.conf
index 196d4d5..3fe774d 100644
--- a/unattended_wireguard_example.conf
+++ b/unattended_wireguard_example.conf
@@ -1,4 +1,6 @@
 IPv4dev=eth0
+IPv4addr=192.168.23.211
+IPv4gw=192.168.23.1
 dhcpReserv=0
 install_user=pi
 VPN=wireguard