Pi-hole/pivpn
Pi-hole/pivpn
1
0
Fork 0
mirror of https://github.com/pivpn/pivpn.git synced 2025-04-25 00:30:20 +00:00
Code Issues Projects Releases Packages Wiki Activity

More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code

Browse source 
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
  - Use POSIX 'command -v' instead of 'hash'.
  - Check if packages have actually been installed and abort execution if they have not.
  - Fixed issue with getStaticIPv4Settings() that prevented existing network settings
    to be used as static IP settings when running the script unattended with empty
    $IPv4addr and $IPv4gw variables.
  - Exit if processing wireguard-linux-compat fails.
  - Exit if 50unattended-upgrades fails to extract.
  - Exit clientSTAT.sh if the wg0 interface is not available.
  - Moved the Self Check to a single script since dedicated versions were very similar.
  - Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
This commit is contained in:
Orazio 2020-01-24 17:12:36 +01:00
parent e725b8cdb5
commit deee38b20e
16 changed files with 444 additions and 382 deletions
Download patch file Download diff file Expand all files Collapse all files

2
scripts/openvpn/makeOVPN.sh
View file

@ -91,7 +91,7 @@ do
NO_PASS="1"
;;
-b|--bitwarden)
if command -v bw &> /dev/null; then
if command -v bw > /dev/null; then
BITWARDEN="2"
else
echo "Bitwarden not found, please install bitwarden"

156
scripts/openvpn/pivpnDebug.sh
View file

@ -2,7 +2,6 @@
# This scripts runs as root
setupVars="/etc/pivpn/setupVars.conf"
ERR=0
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
@ -17,14 +16,6 @@ echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::"
git --git-dir /etc/.pivpn/.git log -n 1
printf "=============================================\n"
echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::"
# Use the wildcard so setupVars.conf.update.bak from the previous install is not shown
for filename in /etc/pivpn/*; do
if [[ "$filename" != "/etc/pivpn/setupVars.conf"* ]]; then
echo "$filename -> $(cat "$filename")"
fi
done
printf "=============================================\n"
echo -e "::::\t\e[4msetupVars file shown below\e[0m\t ::::"
sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf
printf "=============================================\n"
echo -e ":::: \e[4mServer configuration shown below\e[0m ::::"
@ -37,152 +28,7 @@ echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::: \e[4m/etc/openv
ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial
printf "=============================================\n"
echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::"
if [ "$(cat /proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then
echo ":: [OK] IP forwarding is enabled"
else
ERR=1
read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
sysctl -p
echo "Done"
fi
fi
if [ "$USING_UFW" -eq 0 ]; then
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
iptables-save > /etc/iptables/rules.v4
echo "Done"
fi
fi
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
if iptables -C INPUT -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule" &> /dev/null; then
echo ":: [OK] Iptables INPUT rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
iptables -I INPUT 1 -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule"
iptables-save > /etc/iptables/rules.v4
echo "Done"
fi
fi
fi
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule" &> /dev/null; then
echo ":: [OK] Iptables FORWARD rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule"
iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule"
iptables-save > /etc/iptables/rules.v4
echo "Done"
fi
fi
fi
else
if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
echo ":: [OK] Ufw is enabled"
else
ERR=1
read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
ufw enable
fi
fi
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE -m comment --comment ${VPN}-nat-rule\nCOMMIT\n" -i /etc/ufw/before.rules
ufw reload
echo "Done"
fi
fi
if iptables -C ufw-user-input -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw input rule set"
else
ERR=1
read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
ufw insert 1 allow "$pivpnPORT"/"$pivpnPROTO"
ufw reload
echo "Done"
fi
fi
if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw forwarding rule set"
else
ERR=1
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any
ufw reload
echo "Done"
fi
fi
fi
if systemctl is-active -q openvpn; then
echo ":: [OK] OpenVPN is running"
else
ERR=1
read -r -p ":: [ERR] OpenVPN is not running, try to start now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
systemctl start openvpn
echo "Done"
fi
fi
if systemctl is-enabled -q openvpn; then
echo ":: [OK] OpenVPN is enabled (it will automatically start on reboot)"
else
ERR=1
read -r -p ":: [ERR] OpenVPN is not enabled, try to enable now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
systemctl enable openvpn
echo "Done"
fi
fi
# grep -w (whole word) is used so port 11940 won't match when looking for 1194
if netstat -uanpt | grep openvpn | grep -w "${pivpnPORT}" | grep -q "${pivpnPROTO}"; then
echo ":: [OK] OpenVPN is listening on port ${pivpnPORT}/${pivpnPROTO}"
else
ERR=1
read -r -p ":: [ERR] OpenVPN is not listening, try to restart now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
systemctl restart openvpn
echo "Done"
fi
fi
if [ "$ERR" -eq 1 ]; then
echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues"
fi
/opt/pivpn/self_check.sh
printf "=============================================\n"
echo -e ":::: \e[4mSnippet of the server log\e[0m ::::"
tail -20 /var/log/openvpn.log > /tmp/snippet