More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code

- Add curl as a dependency for those who run the script without 'curl URL | bash'.
  - Use POSIX 'command -v' instead of 'hash'.
  - Check if packages have actually been installed and abort execution if they have not.
  - Fixed issue with getStaticIPv4Settings() that prevented existing network settings
    from being used as static IP settings when running the script unattended with empty
    $IPv4addr and $IPv4gw variables.
  - Exit if processing wireguard-linux-compat fails.
  - Exit if 50unattended-upgrades fails to extract.
  - Exit clientSTAT.sh if the wg0 interface is not available.
  - Moved the Self Check to a single script since dedicated versions were very similar.
  - Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
This commit is contained in:
Orazio 2020-01-24 17:12:36 +01:00
parent e725b8cdb5
commit deee38b20e
16 changed files with 444 additions and 382 deletions


@ -24,12 +24,12 @@ PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install"
PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true" PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true"
# Dependencies that are required by the script, regardless of the VPN protocol chosen # Dependencies that are required by the script, regardless of the VPN protocol chosen
BASE_DEPS=(git tar wget grep dnsutils whiptail net-tools bsdmainutils) BASE_DEPS=(git tar wget curl grep dnsutils whiptail net-tools bsdmainutils)
# Dependencies that where actually installed by the script. For example if the script requires # Dependencies that where actually installed by the script. For example if the script requires
# grep and dnsutils but dnsutils is already installed, we save grep here. This way when uninstalling # grep and dnsutils but dnsutils is already installed, we save grep here. This way when uninstalling
# PiVPN we won't prompt to remove packages that may have been installed by the user for other reasons # PiVPN we won't prompt to remove packages that may have been installed by the user for other reasons
TO_INSTALL=() INSTALLED_PACKAGES=()
easyrsaVer="3.0.6" easyrsaVer="3.0.6"
easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz" easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz"
@ -60,8 +60,8 @@ r=$(( r < 20 ? 20 : r ))
c=$(( c < 70 ? 70 : c )) c=$(( c < 70 ? 70 : c ))
# Find IP used to route to outside world # Find IP used to route to outside world
IPv4addr=$(ip route get 192.0.2.1 | awk '{print $7}') CurrentIPv4addr=$(ip route get 192.0.2.1 | awk '{print $7}')
IPv4gw=$(ip route get 192.0.2.1 | awk '{print $3}') CurrentIPv4gw=$(ip route get 192.0.2.1 | awk '{print $3}')
availableInterfaces=$(ip -o link | awk '/state UP/ {print $2}' | cut -d':' -f1 | cut -d'@' -f1) availableInterfaces=$(ip -o link | awk '/state UP/ {print $2}' | cut -d':' -f1 | cut -d'@' -f1)
######## SCRIPT ############ ######## SCRIPT ############
@ -195,7 +195,7 @@ main(){
fi fi
# Save installation setting to the final location # Save installation setting to the final location
echo "TO_INSTALL=(${TO_INSTALL[*]})" >> /tmp/setupVars.conf echo "INSTALLED_PACKAGES=(${INSTALLED_PACKAGES[*]})" >> /tmp/setupVars.conf
$SUDO cp /tmp/setupVars.conf "$setupVars" $SUDO cp /tmp/setupVars.conf "$setupVars"
installScripts installScripts
@ -235,7 +235,7 @@ askAboutExistingInstall(){
# distroCheck, maybeOSSupport, noOSSupport # distroCheck, maybeOSSupport, noOSSupport
distroCheck(){ distroCheck(){
# if lsb_release command is on their system # if lsb_release command is on their system
if hash lsb_release 2>/dev/null; then if command -v lsb_release > /dev/null; then
PLAT=$(lsb_release -si) PLAT=$(lsb_release -si)
OSCN=$(lsb_release -sc) OSCN=$(lsb_release -sc)
@ -436,7 +436,7 @@ preconfigurePackages(){
# if ufw is enabled, configure that. # if ufw is enabled, configure that.
# running as root because sometimes the executable is not in the user's $PATH # running as root because sometimes the executable is not in the user's $PATH
if $SUDO bash -c 'hash ufw' 2>/dev/null; then if $SUDO bash -c 'command -v ufw' > /dev/null; then
if LANG=en_US.UTF-8 $SUDO ufw status | grep -q inactive; then if LANG=en_US.UTF-8 $SUDO ufw status | grep -q inactive; then
USING_UFW=0 USING_UFW=0
else else
@ -456,6 +456,8 @@ preconfigurePackages(){
} }
installDependentPackages(){ installDependentPackages(){
declare -a TO_INSTALL=()
# Install packages passed in via argument array # Install packages passed in via argument array
# No spinner - conflicts with set -e # No spinner - conflicts with set -e
declare -a argArray1=("${!1}") declare -a argArray1=("${!1}")
@ -465,16 +467,35 @@ installDependentPackages(){
if dpkg-query -W -f='${Status}' "${i}" 2>/dev/null | grep -q "ok installed"; then if dpkg-query -W -f='${Status}' "${i}" 2>/dev/null | grep -q "ok installed"; then
echo " installed!" echo " installed!"
else else
TO_INSTALL+=("${i}")
echo " not installed!" echo " not installed!"
# Add this package to the list of packages in the argument array that need to be installed
TO_INSTALL+=("${i}")
fi fi
done done
if command -v debconf-apt-progress &> /dev/null; then if command -v debconf-apt-progress > /dev/null; then
# shellcheck disable=SC2086 # shellcheck disable=SC2086
$SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}" $SUDO debconf-apt-progress -- ${PKG_INSTALL} "${TO_INSTALL[@]}"
else else
${PKG_INSTALL} "${argArray1[@]}" # shellcheck disable=SC2086
$SUDO ${PKG_INSTALL} "${TO_INSTALL[@]}"
fi
local FAILED=0
for i in "${TO_INSTALL[@]}"; do
if dpkg-query -W -f='${Status}' "${i}" 2>/dev/null | grep -q "ok installed"; then
echo "::: Package $i successfully installed!"
# Add this package to the total list of packages that were actually installed by the script
INSTALLED_PACKAGES+=("${i}")
else
echo "::: Failed to install $i!"
((FAILED++))
fi
done
if [ "$FAILED" -gt 0 ]; then
exit 1
fi fi
} }
@ -596,28 +617,21 @@ getStaticIPv4Settings() {
if [ "${runUnattended}" = 'true' ]; then if [ "${runUnattended}" = 'true' ]; then
if [ -z "$dhcpReserv" ] || [ "$dhcpReserv" -ne 1 ]; then if [ -z "$dhcpReserv" ] || [ "$dhcpReserv" -ne 1 ]; then
local INVALID_STATIC_IPV4_SETTINGS=0 local MISSING_STATIC_IPV4_SETTINGS=0
if [ -z "$IPv4addr" ]; then if [ -z "$IPv4addr" ]; then
echo "::: Missing static IP address" echo "::: Missing static IP address"
INVALID_STATIC_IPV4_SETTINGS=1 ((MISSING_STATIC_IPV4_SETTINGS++))
fi fi
if [ -z "$IPv4gw" ]; then if [ -z "$IPv4gw" ]; then
echo "::: Missing static IP gateway" echo "::: Missing static IP gateway"
INVALID_STATIC_IPV4_SETTINGS=1 ((MISSING_STATIC_IPV4_SETTINGS++))
fi fi
if [ "$INVALID_STATIC_IPV4_SETTINGS" -eq 1 ]; then if [ "$MISSING_STATIC_IPV4_SETTINGS" -eq 0 ]; then
echo "::: Incomplete static IP settings"
exit 1
fi
if [ -z "$IPv4addr" ] && [ -z "$IPv4gw" ]; then # If both settings are not empty, check if they are valid and proceed
echo "::: No static IP settings, using current settings"
echo "::: Your static IPv4 address: ${IPv4addr}"
echo "::: Your static IPv4 gateway: ${IPv4gw}"
else
if validIP "${IPv4addr%/*}"; then if validIP "${IPv4addr%/*}"; then
echo "::: Your static IPv4 address: ${IPv4addr}" echo "::: Your static IPv4 address: ${IPv4addr}"
else else
@ -631,6 +645,22 @@ getStaticIPv4Settings() {
echo "::: ${IPv4gw} is not a valid IP address" echo "::: ${IPv4gw} is not a valid IP address"
exit 1 exit 1
fi fi
elif [ "$MISSING_STATIC_IPV4_SETTINGS" -eq 1 ]; then
# If either of the settings is missing, consider the input inconsistent
echo "::: Incomplete static IP settings"
exit 1
elif [ "$MISSING_STATIC_IPV4_SETTINGS" -eq 2 ]; then
# If both of the settings are missing, assume the user wants to use current settings
IPv4addr="${CurrentIPv4addr}"
IPv4gw="${CurrentIPv4gw}"
echo "::: No static IP settings, using current settings"
echo "::: Your static IPv4 address: ${IPv4addr}"
echo "::: Your static IPv4 gateway: ${IPv4gw}"
fi fi
else else
echo "::: Skipping setting static IP address" echo "::: Skipping setting static IP address"
@ -645,6 +675,8 @@ getStaticIPv4Settings() {
local ipSettingsCorrect local ipSettingsCorrect
# Some users reserve IP addresses on another DHCP Server or on their routers, # Some users reserve IP addresses on another DHCP Server or on their routers,
# Lets ask them if they want to make any changes to their interfaces. # Lets ask them if they want to make any changes to their interfaces.
IPv4addr="${CurrentIPv4addr}"
IPv4gw="${CurrentIPv4gw}"
if (whiptail --backtitle "Calibrating network interface" --title "DHCP Reservation" --yesno \ if (whiptail --backtitle "Calibrating network interface" --title "DHCP Reservation" --yesno \
"Are you Using DHCP Reservation on your Router/DHCP Server? "Are you Using DHCP Reservation on your Router/DHCP Server?
These are your current Network Settings: These are your current Network Settings:
@ -1021,7 +1053,7 @@ installWireGuard(){
WG_TOOLS_SOURCE="https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${WG_TOOLS_SNAPSHOT}.tar.xz" WG_TOOLS_SOURCE="https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${WG_TOOLS_SNAPSHOT}.tar.xz"
echo "::: Downloading wireguard-tools source code... " echo "::: Downloading wireguard-tools source code... "
wget -qO- "${WG_TOOLS_SOURCE}" | $SUDO tar Jxf - --directory /usr/src wget -qO- "${WG_TOOLS_SOURCE}" | $SUDO tar xJ --directory /usr/src
echo "done!" echo "done!"
## || exits if cd fails. ## || exits if cd fails.
@ -1042,7 +1074,7 @@ installWireGuard(){
# files from the file system # files from the file system
echo "::: Installing WireGuard tools... " echo "::: Installing WireGuard tools... "
if $SUDO checkinstall --pkgname wireguard-tools --pkgversion "${WG_TOOLS_SNAPSHOT}" -y; then if $SUDO checkinstall --pkgname wireguard-tools --pkgversion "${WG_TOOLS_SNAPSHOT}" -y; then
TO_INSTALL+=("wireguard-tools") INSTALLED_PACKAGES+=("wireguard-tools")
echo "done!" echo "done!"
else else
echo "failed!" echo "failed!"
@ -1055,16 +1087,16 @@ installWireGuard(){
WG_MODULE_SOURCE="https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WG_MODULE_SNAPSHOT}.tar.xz" WG_MODULE_SOURCE="https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WG_MODULE_SNAPSHOT}.tar.xz"
echo "::: Downloading wireguard-linux-compat source code... " echo "::: Downloading wireguard-linux-compat source code... "
wget -qO- "${WG_MODULE_SOURCE}" | $SUDO tar Jxf - --directory /usr/src wget -qO- "${WG_MODULE_SOURCE}" | $SUDO tar xJ --directory /usr/src
echo "done!" echo "done!"
# Rename wireguard-linux-compat folder and move the source code to the parent folder # Rename wireguard-linux-compat folder and move the source code to the parent folder
# such that dkms picks up the module when referencing wireguard/"${WG_MODULE_SNAPSHOT}" # such that dkms picks up the module when referencing wireguard/"${WG_MODULE_SNAPSHOT}"
cd /usr/src && \ cd /usr/src && \
$SUDO mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}" $SUDO mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}" && \
cd wireguard-"${WG_MODULE_SNAPSHOT}" && \ cd wireguard-"${WG_MODULE_SNAPSHOT}" && \
$SUDO mv src/* . && \ $SUDO mv src/* . && \
$SUDO rmdir src $SUDO rmdir src || exit 1
echo "::: Adding WireGuard modules via DKMS... " echo "::: Adding WireGuard modules via DKMS... "
if $SUDO dkms add wireguard/"${WG_MODULE_SNAPSHOT}"; then if $SUDO dkms add wireguard/"${WG_MODULE_SNAPSHOT}"; then
@ -1086,7 +1118,7 @@ installWireGuard(){
echo "::: Installing WireGuard modules via DKMS... " echo "::: Installing WireGuard modules via DKMS... "
if $SUDO dkms install wireguard/"${WG_MODULE_SNAPSHOT}"; then if $SUDO dkms install wireguard/"${WG_MODULE_SNAPSHOT}"; then
TO_INSTALL+=("wireguard-dkms") INSTALLED_PACKAGES+=("wireguard-dkms")
echo "done!" echo "done!"
else else
echo "failed!" echo "failed!"
@ -1113,7 +1145,7 @@ installWireGuard(){
echo "::: Installing WireGuard from PPA... " echo "::: Installing WireGuard from PPA... "
$SUDO add-apt-repository ppa:wireguard/wireguard -y $SUDO add-apt-repository ppa:wireguard/wireguard -y
$SUDO ${UPDATE_PKG_CACHE} $SUDO ${UPDATE_PKG_CACHE} &> /dev/null
PIVPN_DEPS=(qrencode wireguard wireguard-tools wireguard-dkms linux-headers-generic) PIVPN_DEPS=(qrencode wireguard wireguard-tools wireguard-dkms linux-headers-generic)
installDependentPackages PIVPN_DEPS[@] installDependentPackages PIVPN_DEPS[@]
@ -1259,7 +1291,7 @@ askClientDNS(){
fi fi
# Detect and offer to use Pi-hole # Detect and offer to use Pi-hole
if command -v pihole &>/dev/null; then if command -v pihole > /dev/null; then
if (whiptail --backtitle "Setup PiVPN" --title "Pi-hole" --yesno "We have detected a Pi-hole installation, do you want to use it as the DNS server for the VPN, so you get ad blocking on the go?" ${r} ${c}); then if (whiptail --backtitle "Setup PiVPN" --title "Pi-hole" --yesno "We have detected a Pi-hole installation, do you want to use it as the DNS server for the VPN, so you get ad blocking on the go?" ${r} ${c}); then
pivpnDNS1="$vpnGw" pivpnDNS1="$vpnGw"
echo "interface=$pivpnDEV" | $SUDO tee /etc/dnsmasq.d/02-pivpn.conf > /dev/null echo "interface=$pivpnDEV" | $SUDO tee /etc/dnsmasq.d/02-pivpn.conf > /dev/null
@ -1574,7 +1606,7 @@ confOpenVPN(){
fi fi
# Get easy-rsa # Get easy-rsa
wget -qO- "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn wget -qO- "${easyrsaRel}" | $SUDO tar xz --directory /etc/openvpn
$SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa $SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa
# fix ownership # fix ownership
$SUDO chown -R root:root /etc/openvpn/easy-rsa $SUDO chown -R root:root /etc/openvpn/easy-rsa
@ -1939,7 +1971,7 @@ askUnattendedUpgrades(){
confUnattendedUpgrades(){ confUnattendedUpgrades(){
local PIVPN_DEPS local PIVPN_DEPS
PIVPN_DEPS+=(unattended-upgrades) PIVPN_DEPS=(unattended-upgrades)
installDependentPackages PIVPN_DEPS[@] installDependentPackages PIVPN_DEPS[@]
aptConfDir="/etc/apt/apt.conf.d" aptConfDir="/etc/apt/apt.conf.d"
@ -1956,10 +1988,13 @@ confUnattendedUpgrades(){
# Fix Raspbian config # Fix Raspbian config
if [ "$PLAT" = "Raspbian" ]; then if [ "$PLAT" = "Raspbian" ]; then
wget -q -O "/tmp/${UNATTUPG_RELEASE}.tar.gz" "$UNATTUPG_CONFIG" wget -qO- "$UNATTUPG_CONFIG" | $SUDO tar xz --directory "${aptConfDir}" "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" --strip-components 2
cd /tmp/ && $SUDO tar xzf "/tmp/${UNATTUPG_RELEASE}.tar.gz" if test -s "${aptConfDir}/50unattended-upgrades.Raspbian"; then
$SUDO cp /tmp/"unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" "${aptConfDir}/50unattended-upgrades" $SUDO mv "${aptConfDir}/50unattended-upgrades.Raspbian" "${aptConfDir}/50unattended-upgrades"
$SUDO rm -rf "/tmp/unattended-upgrades-$UNATTUPG_RELEASE" else
echo "$0: ERR: Failed to download \"50unattended-upgrades.Raspbian\"."
exit 1
fi
fi fi
# Add the remaining settings for all other distributions # Add the remaining settings for all other distributions
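Review bot: The counters introduced in this file, `((MISSING_STATIC_IPV4_SETTINGS++))` in getStaticIPv4Settings and `((FAILED++))` in installDependentPackages, will abort the installer on their first use if `set -e` is in effect, which the existing comment "No spinner - conflicts with set -e" suggests it is: a post-increment from 0 evaluates to 0, so `(( ))` returns status 1 and bash exits before the "Incomplete static IP settings" / "using current settings" branches or the failed-package summary ever run. Write them as `MISSING_STATIC_IPV4_SETTINGS=$((MISSING_STATIC_IPV4_SETTINGS + 1))` and `FAILED=$((FAILED + 1))` (or append `|| true`). Separately, the snapshots fetched with `wget -qO- "${WG_TOOLS_SOURCE}" | $SUDO tar xJ --directory /usr/src` and the easy-rsa tarball in confOpenVPN are still extracted as root with no checksum or signature verification; pinning a SHA-256 per snapshot and checking it before extraction would close that supply-chain gap. getStaticIPv4Settings, installDependentPackages and installWireGuard all extend beyond the hunks shown.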


@ -1,9 +1,16 @@
#!/bin/bash #!/bin/bash
# shellcheck disable=SC1091
source /etc/pivpn/setupVars.conf
# shellcheck disable=SC1090
backupdir=pivpnbackup backupdir=pivpnbackup
date=$(date +%Y%m%d-%H%M%S) date=$(date +%Y%m%d-%H%M%S)
setupVars="/etc/pivpn/setupVars.conf"
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
# shellcheck disable=SC1090
source "${setupVars}"
checkbackupdir(){ checkbackupdir(){


@ -91,7 +91,7 @@ do
NO_PASS="1" NO_PASS="1"
;; ;;
-b|--bitwarden) -b|--bitwarden)
if command -v bw &> /dev/null; then if command -v bw > /dev/null; then
BITWARDEN="2" BITWARDEN="2"
else else
echo "Bitwarden not found, please install bitwarden" echo "Bitwarden not found, please install bitwarden"


@ -2,7 +2,6 @@
# This scripts runs as root # This scripts runs as root
setupVars="/etc/pivpn/setupVars.conf" setupVars="/etc/pivpn/setupVars.conf"
ERR=0
if [ ! -f "${setupVars}" ]; then if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!" echo "::: Missing setup vars file!"
@ -17,14 +16,6 @@ echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::"
git --git-dir /etc/.pivpn/.git log -n 1 git --git-dir /etc/.pivpn/.git log -n 1
printf "=============================================\n" printf "=============================================\n"
echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::" echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::"
# Use the wildcard so setupVars.conf.update.bak from the previous install is not shown
for filename in /etc/pivpn/*; do
if [[ "$filename" != "/etc/pivpn/setupVars.conf"* ]]; then
echo "$filename -> $(cat "$filename")"
fi
done
printf "=============================================\n"
echo -e "::::\t\e[4msetupVars file shown below\e[0m\t ::::"
sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf
printf "=============================================\n" printf "=============================================\n"
echo -e ":::: \e[4mServer configuration shown below\e[0m ::::" echo -e ":::: \e[4mServer configuration shown below\e[0m ::::"
@ -37,152 +28,7 @@ echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::: \e[4m/etc/openv
ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial
printf "=============================================\n" printf "=============================================\n"
echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::" echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::"
/opt/pivpn/self_check.sh
if [ "$(cat /proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then
echo ":: [OK] IP forwarding is enabled"
else
ERR=1
read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
sysctl -p
echo "Done"
fi
fi
if [ "$USING_UFW" -eq 0 ]; then
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
iptables-save > /etc/iptables/rules.v4
echo "Done"
fi
fi
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
if iptables -C INPUT -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule" &> /dev/null; then
echo ":: [OK] Iptables INPUT rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
iptables -I INPUT 1 -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule"
iptables-save > /etc/iptables/rules.v4
echo "Done"
fi
fi
fi
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule" &> /dev/null; then
echo ":: [OK] Iptables FORWARD rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule"
iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule"
iptables-save > /etc/iptables/rules.v4
echo "Done"
fi
fi
fi
else
if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
echo ":: [OK] Ufw is enabled"
else
ERR=1
read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
ufw enable
fi
fi
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE -m comment --comment ${VPN}-nat-rule\nCOMMIT\n" -i /etc/ufw/before.rules
ufw reload
echo "Done"
fi
fi
if iptables -C ufw-user-input -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw input rule set"
else
ERR=1
read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
ufw insert 1 allow "$pivpnPORT"/"$pivpnPROTO"
ufw reload
echo "Done"
fi
fi
if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw forwarding rule set"
else
ERR=1
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any
ufw reload
echo "Done"
fi
fi
fi
if systemctl is-active -q openvpn; then
echo ":: [OK] OpenVPN is running"
else
ERR=1
read -r -p ":: [ERR] OpenVPN is not running, try to start now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
systemctl start openvpn
echo "Done"
fi
fi
if systemctl is-enabled -q openvpn; then
echo ":: [OK] OpenVPN is enabled (it will automatically start on reboot)"
else
ERR=1
read -r -p ":: [ERR] OpenVPN is not enabled, try to enable now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
systemctl enable openvpn
echo "Done"
fi
fi
# grep -w (whole word) is used so port 11940 won't match when looking for 1194
if netstat -uanpt | grep openvpn | grep -w "${pivpnPORT}" | grep -q "${pivpnPROTO}"; then
echo ":: [OK] OpenVPN is listening on port ${pivpnPORT}/${pivpnPROTO}"
else
ERR=1
read -r -p ":: [ERR] OpenVPN is not listening, try to restart now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
systemctl restart openvpn
echo "Done"
fi
fi
if [ "$ERR" -eq 1 ]; then
echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues"
fi
printf "=============================================\n" printf "=============================================\n"
echo -e ":::: \e[4mSnippet of the server log\e[0m ::::" echo -e ":::: \e[4mSnippet of the server log\e[0m ::::"
tail -20 /var/log/openvpn.log > /tmp/snippet tail -20 /var/log/openvpn.log > /tmp/snippet

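--- /dev/null
+++ b/scripts/self_check.sh
@@ -0,0 +1,170 @@
+#!/bin/bash
+subnetClass="24"
+setupVars="/etc/pivpn/setupVars.conf"
+ERR=0
+if [ ! -f "${setupVars}" ]; then
+echo "::: Missing setup vars file!"
+exit 1
+fi
+source "${setupVars}"
+if [ "$VPN" = "wireguard" ]; then
+pivpnPROTO="udp"
+pivpnDEV="wg0"
+pivpnNET="10.6.0.0"
+VPN_SERVICE="wg-quick@wg0"
+VPN_PRETTY_NAME="WireGuard"
+elif [ "$VPN" = "openvpn" ]; then
+pivpnDEV="tun0"
+pivpnNET="10.8.0.0"
+VPN_SERVICE="openvpn"
+VPN_PRETTY_NAME="OpenVPN"
+fi
+if [ "$(</proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then
+echo ":: [OK] IP forwarding is enabled"
+else
+ERR=1
+read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY
+if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
+sysctl -p
+echo "Done"
+fi
+fi
+if [ "$USING_UFW" -eq 0 ]; then
+if iptables -t nat -C POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
+echo ":: [OK] Iptables MASQUERADE rule set"
+else
+ERR=1
+read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
+if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+iptables -t nat -I POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
+iptables-save > /etc/iptables/rules.v4
+echo "Done"
+fi
+fi
+if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
+if iptables -C INPUT -i "${IPv4dev}" -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT -m comment --comment "${VPN}-input-rule" &> /dev/null; then
+echo ":: [OK] Iptables INPUT rule set"
+else
+ERR=1
+read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
+if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+iptables -I INPUT 1 -i "${IPv4dev}" -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT -m comment --comment "${VPN}-input-rule"
+iptables-save > /etc/iptables/rules.v4
+echo "Done"
+fi
+fi
+fi
+if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
+if iptables -C FORWARD -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT -m comment --comment "${VPN}-forward-rule" &> /dev/null; then
+echo ":: [OK] Iptables FORWARD rule set"
+else
+ERR=1
+read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
+if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+iptables -I FORWARD 1 -d "${pivpnNET}/${subnetClass}" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule"
+iptables -I FORWARD 2 -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT -m comment --comment "${VPN}-forward-rule"
+iptables-save > /etc/iptables/rules.v4
+echo "Done"
+fi
+fi
+fi
+else
+if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
+echo ":: [OK] Ufw is enabled"
+else
+ERR=1
+read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY
+if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+ufw enable
+fi
+fi
+if iptables -t nat -C POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
+echo ":: [OK] Iptables MASQUERADE rule set"
+else
+ERR=1
+read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
+if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}/${subnetClass} -o ${IPv4dev} -j MASQUERADE -m comment --comment ${VPN}-nat-rule\nCOMMIT\n" -i /etc/ufw/before.rules
+ufw reload
+echo "Done"
+fi
+fi
+if iptables -C ufw-user-input -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT &> /dev/null; then
+echo ":: [OK] Ufw input rule set"
+else
+ERR=1
+read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY
+if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+ufw insert 1 allow "${pivpnPORT}"/"${pivpnPROTO}"
+ufw reload
+echo "Done"
+fi
+fi
+if iptables -C ufw-user-forward -i "${pivpnDEV}" -o "${IPv4dev}" -s "${pivpnNET}/${subnetClass}" -j ACCEPT &> /dev/null; then
+echo ":: [OK] Ufw forwarding rule set"
+else
+ERR=1
+read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
+if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+ufw route insert 1 allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any
+ufw reload
+echo "Done"
+fi
+fi
+fi
+if systemctl is-active -q "${VPN_SERVICE}"; then
+echo ":: [OK] ${VPN_PRETTY_NAME} is running"
+else
+ERR=1
+read -r -p ":: [ERR] ${VPN_PRETTY_NAME} is not running, try to start now? [Y/n] " REPLY
+if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+systemctl start "${VPN_SERVICE}"
+echo "Done"
+fi
+fi
+if systemctl is-enabled -q "${VPN_SERVICE}"; then
+echo ":: [OK] ${VPN_PRETTY_NAME} is enabled (it will automatically start on reboot)"
+else
+ERR=1
+read -r -p ":: [ERR] ${VPN_PRETTY_NAME} is not enabled, try to enable now? [Y/n] " REPLY
+if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+systemctl enable "${VPN_SERVICE}"
+echo "Done"
+fi
+fi
+# grep -w (whole word) is used so port 11940 won't match when looking for 1194
+if netstat -antu | grep -wqE "${pivpnPROTO}.*${pivpnPORT}"; then
+echo ":: [OK] ${VPN_PRETTY_NAME} is listening on port ${pivpnPORT}/${pivpnPROTO}"
+else
+ERR=1
+read -r -p ":: [ERR] ${VPN_PRETTY_NAME} is not listening, try to restart now? [Y/n] " REPLY
+if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
+systemctl restart "${VPN_SERVICE}"
+echo "Done"
+fi
+fi
+if [ "$ERR" -eq 1 ]; then
+echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues"
+fi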
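Review bot: The `if [ "$VPN" = "wireguard" ] … elif [ "$VPN" = "openvpn" ]` chain at the top of self_check.sh has no else branch, so an empty or unexpected $VPN in setupVars.conf leaves pivpnDEV, pivpnNET, VPN_SERVICE and VPN_PRETTY_NAME unset and the script goes on to run iptables/ufw checks and offer "fixes" assembled from empty strings. Add `else echo "::: Unknown VPN type '${VPN}' in ${setupVars}" >&2; exit 1` before that closing `fi`. The listening check `netstat -antu | grep -wqE "${pivpnPROTO}.*${pivpnPORT}"` also no longer ties the socket to the VPN process (the removed OpenVPN version grepped for `openvpn`), so any socket whose netstat line contains that number, including a foreign port, reports [OK]; anchoring on the local-address column, e.g. `grep -qE "^${pivpnPROTO}.* [0-9a-f.:]+:${pivpnPORT} "`, is tighter. pivpnNET and subnetClass are hard-coded here rather than read from setupVars.conf, so if the installer allows a different VPN subnet the rules being checked will not match — worth confirming against install.sh.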


@ -101,7 +101,7 @@ removeAll(){
# Purge dependencies # Purge dependencies
echo "::: Purge dependencies..." echo "::: Purge dependencies..."
for i in "${TO_INSTALL[@]}"; do for i in "${INSTALLED_PACKAGES[@]}"; do
while true; do while true; do
read -rp "::: Do you wish to remove $i from your system? [Y/n]: " yn read -rp "::: Do you wish to remove $i from your system? [Y/n]: " yn
case $yn in case $yn in
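Review bot: Switching the loop to `for i in "${INSTALLED_PACKAGES[@]}"` means an existing install whose /etc/pivpn/setupVars.conf was written by an earlier installer and still contains `TO_INSTALL=(...)` will iterate over an empty array once the scripts are updated, so none of the dependencies the installer added are offered for removal; nothing in this commit migrates the old name. A fallback before the loop keeps those installs working: `if [ "${#INSTALLED_PACKAGES[@]}" -eq 0 ] && [ "${#TO_INSTALL[@]}" -gt 0 ]; then INSTALLED_PACKAGES=("${TO_INSTALL[@]}"); fi`. removeAll continues outside the hunk, so I cannot see whether a migration happens elsewhere.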


@ -15,6 +15,17 @@ fi
source "${setupVars}" source "${setupVars}"
scriptusage(){
echo "::: Updates PiVPN scripts"
echo ":::"
echo "::: Usage: pivpn <-up|update> [-t|--test]"
echo ":::"
echo "::: Commands:"
echo "::: [none] Updates from master branch"
echo "::: -t, test Updates from test branch"
echo "::: -h, help Show this usage dialog"
}
###Functions ###Functions
##Updates scripts ##Updates scripts
updatepivpnscripts(){ updatepivpnscripts(){
@ -68,14 +79,6 @@ cloneupdttest(){
git -C "$pivpnlocalpath" checkout master git -C "$pivpnlocalpath" checkout master
} }
scriptusage(){
echo -e "Updates pivpn scripts,
Usage:
pivpn update | updates from master branch
pivpn update -t or --test | updates from test branch"
}
## SCRIPT ## SCRIPT
if [[ $# -eq 0 ]]; then if [[ $# -eq 0 ]]; then
@ -83,11 +86,11 @@ if [[ $# -eq 0 ]]; then
else else
while true; do while true; do
case "$1" in case "$1" in
-t|--test|test) -t|test)
updatefromtest updatefromtest
exit 0 exit 0
;; ;;
-h|--help|help) -h|help)
scriptusage scriptusage
exit 0 exit 0
;; ;;
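Review bot: The new scriptusage text advertises `pivpn <-up|update> [-t|--test]`, but the case arms below were narrowed from `-t|--test|test)` and `-h|--help|help)` to `-t|test)` and `-h|help)`, so `--test` and `--help` now fall through to the default arm (outside the hunk) and the long form documented a few lines earlier stops working. Either restore `-t|--test|test)` and `-h|--help|help)` or change the usage line to `[-t|test]` so the help and the parser agree. The while/case dispatcher continues past the hunk.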


@ -4,8 +4,8 @@ _pivpn()
COMPREPLY=() COMPREPLY=()
cur="${COMP_WORDS[COMP_CWORD]}" cur="${COMP_WORDS[COMP_CWORD]}"
prev="${COMP_WORDS[COMP_CWORD-1]}" prev="${COMP_WORDS[COMP_CWORD-1]}"
dashopts="-a -c -d -l -qr -r -h -u -up -bk" dashopts="-a -c -d -l -qr -r -h -u -up -wg -bk"
opts="add clients debug list qrcode remove help uninstall update backup" opts="add clients debug list qrcode remove help uninstall update wgupdate backup"
if [ "${#COMP_WORDS[@]}" -eq 2 ] if [ "${#COMP_WORDS[@]}" -eq 2 ]
then then
if [[ ${cur} == -* ]] ; then if [[ ${cur} == -* ]] ; then


@ -10,7 +10,11 @@ hr(){
numfmt --to=iec-i --suffix=B "$1" numfmt --to=iec-i --suffix=B "$1"
} }
DUMP="$(wg show wg0 dump | tail -n +2)" if DUMP="$(wg show wg0 dump)"; then
DUMP="$(tail -n +2 <<< "$DUMP")"
else
exit 1
fi
printf "\e[1m::: Connected Clients List :::\e[0m\n" printf "\e[1m::: Connected Clients List :::\e[0m\n"


@ -2,6 +2,13 @@
setupVars="/etc/pivpn/setupVars.conf" setupVars="/etc/pivpn/setupVars.conf"
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
source "${setupVars}"
helpFunc(){ helpFunc(){
echo "::: Create a client conf profile" echo "::: Create a client conf profile"
echo ":::" echo ":::"
@ -39,13 +46,6 @@ while test $# -gt 0; do
shift shift
done done
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
source "${setupVars}"
# The home folder variable was sourced from the settings file. # The home folder variable was sourced from the settings file.
if [ ! -d "${install_home}/configs" ]; then if [ ! -d "${install_home}/configs" ]; then
mkdir "${install_home}/configs" mkdir "${install_home}/configs"


@ -54,6 +54,11 @@ updateScripts(){
exit 0 exit 0
} }
updateWireGuard(){
$SUDO /opt/pivpn/wgUPDATE.sh
exit 0
}
backup(){ backup(){
$SUDO /opt/pivpn/backup.sh $SUDO /opt/pivpn/backup.sh
} }
@ -73,7 +78,8 @@ showHelp(){
echo "::: -h, help Show this help dialog" echo "::: -h, help Show this help dialog"
echo "::: -u, uninstall Uninstall pivpn from your system!" echo "::: -u, uninstall Uninstall pivpn from your system!"
echo "::: -up, update Updates PiVPN Scripts" echo "::: -up, update Updates PiVPN Scripts"
echo "::: -bk, Backup Backup vpn configs and user profiles" echo "::: -wg, wgupdate Updates WireGuard"
echo "::: -bk, backup Backup VPN configs and user profiles"
exit 0 exit 0
} }
@ -92,6 +98,7 @@ case "$1" in
"-h" | "help" ) showHelp;; "-h" | "help" ) showHelp;;
"-u" | "uninstall" ) uninstallServer;; "-u" | "uninstall" ) uninstallServer;;
"-up" | "update" ) updateScripts "$@" ;; "-up" | "update" ) updateScripts "$@" ;;
"-wg" | "wgupdate" ) updateWireGuard ;;
"-bk" | "backup" ) backup ;; "-bk" | "backup" ) backup ;;
* ) showHelp;; * ) showHelp;;
esac esac
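Review bot: `updateWireGuard` exits 0 unconditionally, so `pivpn -wg` reports success to the caller even when `/opt/pivpn/wgUPDATE.sh` fails (that script has several `exit 1` paths for failed make, checkinstall and dkms steps, all masked here). Propagate the helper's status instead: `$SUDO /opt/pivpn/wgUPDATE.sh` followed by `exit $?`. `updateScripts` just above ends with the same `exit 0` and likely has the same issue; its body starts outside the hunk.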


@ -10,9 +10,6 @@ fi
source "${setupVars}" source "${setupVars}"
EXAMPLE="$(head -1 /etc/wireguard/configs/clients.txt | awk '{print $1}')"
ERR=0
echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::" echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::"
printf "=============================================\n" printf "=============================================\n"
echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::" echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::"
@ -26,16 +23,17 @@ cd /etc/wireguard/keys
cp ../wg0.conf ../wg0.tmp cp ../wg0.conf ../wg0.tmp
# Replace every key in the server configuration with just its file name # Replace every key in the server configuration with just its file name
for k in *; do for k in *; do
sed "s#$(cat "$k")#$k#" -i ../wg0.tmp sed "s#$(<"$k")#$k#" -i ../wg0.tmp
done done
cat ../wg0.tmp cat ../wg0.tmp
rm ../wg0.tmp rm ../wg0.tmp
printf "=============================================\n" printf "=============================================\n"
echo -e ":::: \e[4mClient configuration shown below\e[0m ::::" echo -e ":::: \e[4mClient configuration shown below\e[0m ::::"
EXAMPLE="$(head -1 /etc/wireguard/configs/clients.txt | awk '{print $1}')"
if [ -n "$EXAMPLE" ]; then if [ -n "$EXAMPLE" ]; then
cp ../configs/"$EXAMPLE".conf ../configs/"$EXAMPLE".tmp cp ../configs/"$EXAMPLE".conf ../configs/"$EXAMPLE".tmp
for k in *; do for k in *; do
sed "s#$(cat "$k")#$k#" -i ../configs/"$EXAMPLE".tmp sed "s#$(<"$k")#$k#" -i ../configs/"$EXAMPLE".tmp
done done
sed "s/$pivpnHOST/REDACTED/" < ../configs/"$EXAMPLE".tmp sed "s/$pivpnHOST/REDACTED/" < ../configs/"$EXAMPLE".tmp
rm ../configs/"$EXAMPLE".tmp rm ../configs/"$EXAMPLE".tmp
@ -48,151 +46,7 @@ echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::::\e\t[4m/etc/wir
ls -LR /etc/wireguard ls -LR /etc/wireguard
printf "=============================================\n" printf "=============================================\n"
echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::" echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::"
/opt/pivpn/self_check.sh
if [ "$(cat /proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then
echo ":: [OK] IP forwarding is enabled"
else
ERR=1
read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
sysctl -p
echo "Done"
fi
fi
if [ "$USING_UFW" -eq 0 ]; then
if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
iptables -t nat -I POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
iptables-save > /etc/iptables/rules.v4
echo "Done"
fi
fi
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
if iptables -C INPUT -i "$IPv4dev" -p udp --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule" &> /dev/null; then
echo ":: [OK] Iptables INPUT rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
iptables -I INPUT 1 -i "$IPv4dev" -p udp --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule"
iptables-save > /etc/iptables/rules.v4
echo "Done"
fi
fi
fi
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
if iptables -C FORWARD -s 10.6.0.0/24 -i wg0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule" &> /dev/null; then
echo ":: [OK] Iptables FORWARD rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
iptables -I FORWARD 1 -d 10.6.0.0/24 -i "$IPv4dev" -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule"
iptables -I FORWARD 2 -s 10.6.0.0/24 -i wg0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule"
iptables-save > /etc/iptables/rules.v4
echo "Done"
fi
fi
fi
else
if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
echo ":: [OK] Ufw is enabled"
else
ERR=1
read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
ufw enable
fi
fi
if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.6.0.0/24 -o $IPv4dev -j MASQUERADE -m comment --comment ${VPN}-nat-rule\nCOMMIT\n" -i /etc/ufw/before.rules
ufw reload
echo "Done"
fi
fi
if iptables -C ufw-user-input -p udp --dport "${pivpnPORT}" -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw input rule set"
else
ERR=1
read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
ufw insert 1 allow "$pivpnPORT"/udp
ufw reload
echo "Done"
fi
fi
if iptables -C ufw-user-forward -i wg0 -o "${IPv4dev}" -s 10.6.0.0/24 -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw forwarding rule set"
else
ERR=1
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
ufw route insert 1 allow in on wg0 from 10.6.0.0/24 out on "$IPv4dev" to any
ufw reload
echo "Done"
fi
fi
fi
if systemctl is-active -q wg-quick@wg0; then
echo ":: [OK] WireGuard is running"
else
ERR=1
read -r -p ":: [ERR] WireGuard is not running, try to start now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
systemctl start wg-quick@wg0
echo "Done"
fi
fi
if systemctl is-enabled -q wg-quick@wg0; then
echo ":: [OK] WireGuard is enabled (it will automatically start on reboot)"
else
ERR=1
read -r -p ":: [ERR] WireGuard is not enabled, try to enable now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
systemctl enable wg-quick@wg0
echo "Done"
fi
fi
# grep -w (whole word) is used so port 11940 won't match when looking for 1194
if netstat -uanp | grep -w "${pivpnPORT}" | grep -q 'udp'; then
echo ":: [OK] WireGuard is listening on port ${pivpnPORT}/udp"
else
ERR=1
read -r -p ":: [ERR] WireGuard is not listening, try to restart now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
systemctl restart wg-quick@wg0
echo "Done"
fi
fi
if [ "$ERR" -eq 1 ]; then
echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues"
fi
printf "=============================================\n" printf "=============================================\n"
echo -e ":::: \e[1mWARNING\e[0m: This script should have automatically masked sensitive ::::" echo -e ":::: \e[1mWARNING\e[0m: This script should have automatically masked sensitive ::::"
echo -e ":::: information, however, still make sure that \e[4mPrivateKey\e[0m, \e[4mPublicKey\e[0m ::::" echo -e ":::: information, however, still make sure that \e[4mPrivateKey\e[0m, \e[4mPublicKey\e[0m ::::"
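Review bot: The new `/opt/pivpn/self_check.sh` call that replaces the inline self check is unconditional: if the helper is missing or not executable (an install that updated this script but not the new file), the debug report silently shows an empty self-check section, and the `[INFO] Run pivpn -d again` hint that used to close the inline checks is no longer produced by this script (what the helper does on errors is not visible here). Guard it, `if [ -x /opt/pivpn/self_check.sh ]; then /opt/pivpn/self_check.sh; else echo ":: [ERR] /opt/pivpn/self_check.sh not found"; fi`. In the earlier hunk, `sed "s#$(<"$k")#$k#" -i ...` still splices key material into the sed expression as before; the `#` delimiter is what keeps the `/` characters of base64 keys from breaking the substitution, and a short comment saying so would save the next maintainer from switching it back to `/`.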


@ -2,6 +2,13 @@
setupVars="/etc/pivpn/setupVars.conf" setupVars="/etc/pivpn/setupVars.conf"
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
source "${setupVars}"
helpFunc(){ helpFunc(){
echo "::: Remove a client conf profile" echo "::: Remove a client conf profile"
echo ":::" echo ":::"
@ -29,13 +36,6 @@ do
shift shift
done done
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
source "${setupVars}"
cd /etc/wireguard cd /etc/wireguard
if [ ! -s configs/clients.txt ]; then if [ ! -s configs/clients.txt ]; then
echo "::: There are no clients to remove" echo "::: There are no clients to remove"

132
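--- a/scripts/wireguard/wgUPDATE.sh
+++ b/scripts/wireguard/wgUPDATE.sh
@@ -0,0 +1,132 @@
+#!/bin/bash
+setupVars="/etc/pivpn/setupVars.conf"
+if [ ! -f "${setupVars}" ]; then
+echo "::: Missing setup vars file!"
+exit 1
+fi
+source "${setupVars}"
+if [ "$(uname -m)" != "armv6l" ]; then
+echo "On your system, WireGuard updates via the package manager"
+exit 0
+fi
+CURRENT_WG_TOOLS_SNAPSHOT="${WG_TOOLS_SNAPSHOT}"
+WG_TOOLS_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-tools"."version"')"
+if dpkg --compare-versions "${WG_TOOLS_SNAPSHOT}" gt "${CURRENT_WG_TOOLS_SNAPSHOT}"; then
+read -r -p "A new wireguard-tools update is available (${WG_TOOLS_SNAPSHOT}), install? [Y/n]: "
+if [[ ${REPLY} =~ ^[Yy]$ ]]; then
+echo "::: Upgrading wireguard-tools from ${CURRENT_WG_TOOLS_SNAPSHOT} to ${WG_TOOLS_SNAPSHOT}..."
+WG_TOOLS_SOURCE="https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${WG_TOOLS_SNAPSHOT}.tar.xz"
+echo "::: Downloading wireguard-tools source code... "
+wget -qO- "${WG_TOOLS_SOURCE}" | tar xJ --directory /usr/src
+echo "done!"
+## || exits if cd fails.
+cd /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}/src" || exit 1
+# We install the userspace tools manually since DKMS only compiles and
+# installs the kernel module
+echo "::: Compiling WireGuard tools... "
+if make; then
+echo "done!"
+else
+echo "failed!"
+exit 1
+fi
+# Use checkinstall to install userspace tools so if the user wants to uninstall
+# PiVPN we can just do apt remove wireguard-tools, instead of manually removing
+# files from the file system
+echo "::: Installing WireGuard tools... "
+if checkinstall --pkgname wireguard-tools --pkgversion "${WG_TOOLS_SNAPSHOT}" -y; then
+echo "done!"
+else
+echo "failed!"
+exit 1
+fi
+echo "::: Removing old source code ..."
+rm -rf /usr/src/wireguard-tools-"${CURRENT_WG_TOOLS_SNAPSHOT}"
+sed "s/WG_TOOLS_SNAPSHOT=${CURRENT_WG_TOOLS_SNAPSHOT}/WG_TOOLS_SNAPSHOT=${WG_TOOLS_SNAPSHOT}/" -i "${setupVars}"
+echo "::: Upgrade completed!"
+fi
+else
+echo "::: You are running the lastest version of wireguard-tools (${CURRENT_WG_TOOLS_SNAPSHOT})"
+fi
+CURRENT_WG_MODULE_SNAPSHOT="${WG_MODULE_SNAPSHOT}"
+WG_MODULE_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-linuxcompat"."version"')"
+if dpkg --compare-versions "${WG_MODULE_SNAPSHOT}" gt "${CURRENT_WG_MODULE_SNAPSHOT}"; then
+read -r -p "A new wireguard-dkms update is available (${WG_MODULE_SNAPSHOT}), install? [Y/n]: "
+if [[ ${REPLY} =~ ^[Yy]$ ]]; then
+echo "::: Upgrading wireguard-dkms from ${CURRENT_WG_MODULE_SNAPSHOT} to ${WG_MODULE_SNAPSHOT}..."
+WG_MODULE_SOURCE="https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WG_MODULE_SNAPSHOT}.tar.xz"
+echo "::: Downloading wireguard-linux-compat source code... "
+wget -qO- "${WG_MODULE_SOURCE}" | tar xJ --directory /usr/src
+echo "done!"
+# Rename wireguard-linux-compat folder and move the source code to the parent folder
+# such that dkms picks up the module when referencing wireguard/"${WG_MODULE_SNAPSHOT}"
+cd /usr/src && \
+mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}" && \
+cd wireguard-"${WG_MODULE_SNAPSHOT}" && \
+mv src/* . && \
+rmdir src || exit 1
+echo "::: Adding WireGuard module via DKMS... "
+if dkms add wireguard/"${WG_MODULE_SNAPSHOT}"; then
+echo "done!"
+else
+echo "failed!"
+dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
+exit 1
+fi
+echo "::: Compiling WireGuard module via DKMS... "
+if dkms build wireguard/"${WG_MODULE_SNAPSHOT}"; then
+echo "done!"
+else
+echo "failed!"
+dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
+exit 1
+fi
+echo "::: Installing WireGuard module via DKMS... "
+if dkms install wireguard/"${WG_MODULE_SNAPSHOT}"; then
+echo "done!"
+else
+echo "failed!"
+dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
+exit 1
+fi
+echo "::: Removing old kernel module and source code..."
+if dkms remove wireguard/"${CURRENT_WG_MODULE_SNAPSHOT}" --all; then
+rm -rf /usr/src/wireguard-"${CURRENT_WG_MODULE_SNAPSHOT}"
+echo "done!"
+else
+echo "failed!"
+exit 1
+fi
+sed "s/WG_TOOLS_SNAPSHOT=${CURRENT_WG_MODULE_SNAPSHOT}/WG_TOOLS_SNAPSHOT=${WG_MODULE_SNAPSHOT}/" -i "${setupVars}"
+echo "::: Upgrade completed!"
+fi
+else
+echo "::: You are running the lastest version of wireguard-dkms (${CURRENT_WG_MODULE_SNAPSHOT})"
+fi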
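Review bot: The setupVars update at the end of the module branch rewrites the wrong key: `sed "s/WG_TOOLS_SNAPSHOT=${CURRENT_WG_MODULE_SNAPSHOT}/WG_TOOLS_SNAPSHOT=${WG_MODULE_SNAPSHOT}/" -i "${setupVars}"` should be `sed "s/WG_MODULE_SNAPSHOT=${CURRENT_WG_MODULE_SNAPSHOT}/WG_MODULE_SNAPSHOT=${WG_MODULE_SNAPSHOT}/" -i "${setupVars}"`; as written it matches nothing (or, should the two snapshot strings ever coincide, clobbers the tools entry), so the new module version is never recorded, the next run offers the same update again and then tries to `dkms remove` a version that was already removed. The two version lookups `curl -s ... | jq -r ...` are unchecked: on a network or JSON error the variable ends up empty or the literal `null`, which then flows into `dpkg --compare-versions`, the download URL, the `cd`, `checkinstall --pkgversion` and the `dkms` calls; use `curl -sf` and stop when the result is empty or `null`. The `wget -qO- ... | tar xJ --directory /usr/src` downloads are built and installed as root with no integrity check beyond TLS, and the `echo "done!"` that follows each one runs whatever the pipeline's status was (no `pipefail`, and tar's status is the only one seen); at minimum test the pipeline and abort on failure, and consider verifying the snapshot against upstream's detached signature or a pinned checksum before extracting it. Both `[Y/n]:` prompts suggest Enter means yes, but `[[ ${REPLY} =~ ^[Yy]$ ]]` treats an empty reply as no, unlike the `|| [[ -z ${REPLY} ]]` form used by the self-check code this commit removes from the debug script; either add that clause or change the prompt to `[y/N]`.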


@ -1,4 +1,6 @@
IPv4dev=eth0 IPv4dev=eth0
IPv4addr=192.168.23.211
IPv4gw=192.168.23.1
dhcpReserv=0 dhcpReserv=0
install_user=pi install_user=pi
VPN=openvpn VPN=openvpn


@ -1,4 +1,6 @@
IPv4dev=eth0 IPv4dev=eth0
IPv4addr=192.168.23.211
IPv4gw=192.168.23.1
dhcpReserv=0 dhcpReserv=0
install_user=pi install_user=pi
VPN=wireguard VPN=wireguard