General fixes and improvements

Orazio 2019-03-03 10:18:45 +01:00
parent 9755bf9401
commit e3f729f260
13 changed files with 207 additions and 139 deletions

View file

@ -33,22 +33,6 @@ PiVPN is no longer maintained, see the README
Output Here Output Here
``` ```
## Console Output of `sudo iptables -t nat -S`
```
Output Here
```
## Console Output of `sudo iptables -S`
```
Output Here
```
## output of `sudo netstat -uanp | grep openvpn`
```
Output Here
```
## Have you taken any steps towards solving your issue? ## Have you taken any steps towards solving your issue?
which? which?
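Review bot: dropping the `sudo iptables -t nat -S`, `sudo iptables -S` and `sudo netstat -uanp | grep openvpn` sections from the issue template removes the firewall and listener state that bug reports usually need; the new pivpnDebug.sh self check elsewhere in this commit only tests for the single MASQUERADE rule, the ufw input/forward rules and the listening port, it does not dump the full rule set. Either keep these sections or replace them with one that asks reporters to paste the complete `pivpn -d` output.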

View file

@ -54,11 +54,13 @@ curl -L https://install.pivpn.io | bash
The script will first update your APT repositories, upgrade packages, and install OpenVPN, The script will first update your APT repositories, upgrade packages, and install OpenVPN,
which will take some time. which will take some time.
It will ask which encryption method you wish the guts of your server to use, 1024-bit, 2048-bit, or 4096-bit. It will ask which authentication method you wish the guts of your server to use, 1024-bit, 2048-bit, or 4096-bit.
If you're unsure or don't have a convincing reason one way or the other I'd use 2048 today. From the OpenVPN site: If you're unsure or don't have a convincing reason one way or the other I'd use 2048 today. From the OpenVPN site:
> For asymmetric keys, general wisdom is that 1024-bit keys are no longer sufficient to protect against well-equipped adversaries. Use of 2048-bit is a good minimum. It is wise to ensure all keys across your active PKI (including the CA root keypair) are using at least 2048-bit keys. > For asymmetric keys, general wisdom is that 1024-bit keys are no longer sufficient to protect against well-equipped adversaries. Use of 2048-bit is a good minimum. It is wise to ensure all keys across your active PKI (including the CA root keypair) are using at least 2048-bit keys.
> Up to 4096-bit is accepted by nearly all RSA systems (including OpenVPN,) but use of keys this large will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations; the benefit beyond 2048-bit keys is small enough not to be of great use at the current time. It is often a larger benefit to consider lower validity times than more bits past 2048, but that is for you to decide. > Up to 4096-bit is accepted by nearly all RSA systems (including OpenVPN), but use of keys this large will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations; the benefit beyond 2048-bit keys is small enough not to be of great use at the current time. It is often a larger benefit to consider lower validity times than more bits past 2048, but that is for you to decide.
Luckily, OpenVPN 2.4 supports ECDSA certificates, which are based on Elliptic Curves, allowing much smaller keys while providing an equivalent security level (256 bit long, equivalent to 3072 bit RSA). For this reason, PiVPN now uses ECDSA certs if you choose to enable OpenVPN 2.4 features. If not, the usual RSA certificates are generated in case the user has clients running an older version of OpenVPN.
After this, the script will go back to the command line as it builds the server's own After this, the script will go back to the command line as it builds the server's own
certificate authority. The script will ask you if you'd like to change the certificate fields, certificate authority. The script will ask you if you'd like to change the certificate fields,
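Review bot: the new ECDSA paragraph says RSA certificates are kept for clients on older OpenVPN versions, but the sentence before it still presents 1024-bit as a regular choice, while the installer dialog in this same commit labels 1024 as "testing only" and the quoted OpenVPN advice calls it insufficient; say so in the README as well. It would also help to state that the 1024/2048/4096 question is asked only when OpenVPN 2.4 features are not enabled (the `APPLY_TWO_POINT_FOUR == false` branch in confOpenVPN), since those are RSA sizes and do not apply to the ECDSA path described two lines later.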
@ -70,7 +72,11 @@ and have a working configuration at the end.
Finally, the script will take some time to build the server's Diffie-Hellman key Finally, the script will take some time to build the server's Diffie-Hellman key
exchange. If you chose 1024-bit encryption, this will just take a few minutes, but if you exchange. If you chose 1024-bit encryption, this will just take a few minutes, but if you
chose 2048-bit, it will take much longer (anywhere from 40 minutes to several hours on a chose 2048-bit, it will take much longer (anywhere from 40 minutes to several hours on a
Model B+). The script will also make some changes to your system to allow it to forward Model B+).
NOTE: Diffie-Hellman parameters are NOT generated if you choose not to use OpenVPN 2.4.
The script will also make some changes to your system to allow it to forward
internet traffic and allow VPN connections through the Pi's firewall. When the script internet traffic and allow VPN connections through the Pi's firewall. When the script
informs you that it has finished configuring OpenVPN, it will ask if you want to reboot. informs you that it has finished configuring OpenVPN, it will ask if you want to reboot.
I have it where you do not need to reboot when done but it also can't hurt. I have it where you do not need to reboot when done but it also can't hurt.
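Review bot: the new NOTE ("Diffie-Hellman parameters are NOT generated if you choose not to use OpenVPN 2.4") appears inverted. In the confOpenVPN hunk of this commit the "The server key, Diffie-Hellman parameters, and HMAC key will now be generated" dialog is shown only when `APPLY_TWO_POINT_FOUR == false`, i.e. DH parameters are generated for the RSA path and skipped when OpenVPN 2.4 features (ECDSA) are chosen. Suggest: "NOTE: Diffie-Hellman parameters are NOT generated if you choose to use OpenVPN 2.4 features." The surrounding sentence also still says "If you chose 1024-bit encryption" although the dialog now calls this the certificate size.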

View file

@ -9,12 +9,9 @@
# #
# curl -L https://install.pivpn.io | bash # curl -L https://install.pivpn.io | bash
# Make sure you have `curl` installed # Make sure you have `curl` installed
set -e set -e
######## VARIABLES #########
tmpLog="/tmp/pivpn-install.log" ######## VARIABLES #########
instalLogLoc="/etc/pivpn/install.log"
setupVars=/etc/pivpn/setupVars.conf setupVars=/etc/pivpn/setupVars.conf
useUpdateVars=false useUpdateVars=false
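Review bot: removing `tmpLog` and `instalLogLoc` means a failed install leaves no record on disk to attach to a bug report, which `/etc/pivpn/install.log` previously provided. If the motivation was that `installPiVPN | tee ${tmpLog}` masked failures under `set -e` (the pipeline's status is `tee`'s), `set -o pipefail`, or a single `exec > >(tee "$tmpLog") 2>&1` at the top of `main`, keeps the log without hiding errors.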
@ -29,11 +26,12 @@ PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whipta
pivpnGitUrl="https://github.com/pivpn/pivpn.git" pivpnGitUrl="https://github.com/pivpn/pivpn.git"
pivpnFilesDir="/etc/.pivpn" pivpnFilesDir="/etc/.pivpn"
easyrsaVer="3.0.4" easyrsaVer="3.0.6"
easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz" easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz"
# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config # Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config
UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/1.4.tar.gz" UNATTUPG_RELEASE="1.9"
UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz"
# Find the rows and columns. Will default to 80x24 if it can not be detected. # Find the rows and columns. Will default to 80x24 if it can not be detected.
screen_size=$(stty size 2>/dev/null || echo 24 80) screen_size=$(stty size 2>/dev/null || echo 24 80)
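Review bot: both archives (`easyrsaRel` and `UNATTUPG_CONFIG`) are fetched with `wget -O -` and piped straight into `tar xz` as root with no integrity check beyond TLS. Now that the versions are pinned (easy-rsa 3.0.6, unattended-upgrades 1.9), pin the expected SHA-256 of each archive alongside the URL and verify it (`sha256sum -c`) before extracting. Note that `UNATTUPG_CONFIG` is a GitHub auto-generated tag archive rather than a release asset, so no upstream checksum is published for it; compute one once and record it here.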
@ -340,7 +338,7 @@ It is also possible to use a DHCP reservation, but if you are going to do that,
setDHCPCD() { setDHCPCD() {
# Append these lines to dhcpcd.conf to enable a static IP # Append these lines to dhcpcd.conf to enable a static IP
echo "interface ${pivpnInterface} echo "interface ${pivpnInterface}
static ip_address=${IPv4addr} static ip_address=${IPv4addr}/24
static routers=${IPv4gw} static routers=${IPv4gw}
static domain_name_servers=${IPv4dns}" | $SUDO tee -a ${dhcpcdFile} >/dev/null static domain_name_servers=${IPv4dns}" | $SUDO tee -a ${dhcpcdFile} >/dev/null
} }
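Review bot: the new `/24` suffix in `static ip_address=${IPv4addr}/24` hard-codes the LAN prefix length. On a network that is not a /24, or if `IPv4addr` already carries a CIDR suffix from the earlier detection (not visible in this hunk), the static configuration written to dhcpcd.conf will be wrong. Prefer deriving the prefix from the interface's current address, e.g. `ip -o -f inet addr show "${pivpnInterface}" | awk '{print $4}'`, and storing it with `IPv4addr` so this entry and the `ip addr replace` call in the next hunk stay consistent.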
@ -352,7 +350,7 @@ setStaticIPv4() {
echo "::: Static IP already configured." echo "::: Static IP already configured."
else else
setDHCPCD setDHCPCD
$SUDO ip addr replace dev "${pivpnInterface}" "${IPv4addr}" $SUDO ip addr replace dev "${pivpnInterface}" "${IPv4addr}/24"
echo ":::" echo ":::"
echo "::: Setting IP to ${IPv4addr}. You may need to restart after the install is complete." echo "::: Setting IP to ${IPv4addr}. You may need to restart after the install is complete."
echo ":::" echo ":::"
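Review bot: same hard-coded `/24` as in `setDHCPCD`; if the prefix length is detected once and carried in the variable, this `ip addr replace` call and the dhcpcd entry can share it. The `echo "::: Setting IP to ${IPv4addr}..."` message still prints the address without the prefix, so the user does not see exactly what was applied.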
@ -473,14 +471,13 @@ install_dependent_packages() {
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections
if command -v debconf-apt-progress &> /dev/null; then # Add support for https repositories if there are any that use it otherwise the installation will silently fail
if grep -q https /etc/apt/sources.list; then
PIVPN_DEPS+=("apt-transport-https")
fi
# Use appropriate argument if the package manager uses https otherwise the installation will silently fail if command -v debconf-apt-progress &> /dev/null; then
if grep -q https /etc/apt/sources.list; then $SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}"
$SUDO debconf-apt-progress -- ${PKG_INSTALL} -y apt-transport-https "${argArray1[@]}"
else
$SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}"
fi
else else
for i in "${argArray1[@]}"; do for i in "${argArray1[@]}"; do
echo -n "::: Checking for $i..." echo -n "::: Checking for $i..."
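Review bot: `grep -q https /etc/apt/sources.list` only inspects the main file; repositories defined in `/etc/apt/sources.list.d/*.list` are ignored, so an https-only source there still hits the silent failure the comment describes. Use `grep -rq https /etc/apt/sources.list /etc/apt/sources.list.d/` instead. Separately, the new line appends to `PIVPN_DEPS`, but the install commands below consume `"${argArray1[@]}"`; it is not visible in this hunk whether `argArray1` is built from `PIVPN_DEPS` after this point, so please confirm the appended package actually reaches the install command. Otherwise the removed form, which passed `apt-transport-https` explicitly, was the safer one.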
@ -729,20 +726,20 @@ confOpenVPN() {
if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then
ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "RSA encryption strength" --radiolist \ ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "RSA certificate size" --radiolist \
"Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications, it is recommended to use 2048 bits. If you are testing, you can use 1024 bits to speed things up, but do not use this for normal use! If you are paranoid about ... things... then grab a cup of joe and pick 4096 bits." ${r} ${c} 3 \ "Choose the desired size of your certificate (press space to select):\n This is a certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 2048 bits. If you are testing, you can use 1024 bits to speed things up, but do not use this for normal use! If you are paranoid about ... things... then grab a cup of joe and pick 4096 bits." ${r} ${c} 3 \
"1024" "Use 1024-bit encryption (testing only)" OFF \ "1024" "Use a 1024-bit certificate (testing only)" OFF \
"2048" "Use 2048-bit encryption (recommended level)" ON \ "2048" "Use a 2048-bit certificate (recommended level)" ON \
"4096" "Use 4096-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3) "4096" "Use a 4096-bit certificate (paranoid level)" OFF 3>&1 1>&2 2>&3)
else else
declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1") declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1")
ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA encryption strength" --radiolist \ ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA certificate size" --radiolist \
"Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \ "Choose the desired size of your certificate (press space to select):\n This is an certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \
"256" "Use 256-bit encryption (recommended level)" ON \ "256" "Use a 256-bit certificate (recommended level)" ON \
"384" "Use 384-bit encryption" OFF \ "384" "Use a 384-bit certificate" OFF \
"521" "Use 521-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3) "521" "Use a 521-bit certificate (paranoid level)" OFF 3>&1 1>&2 2>&3)
fi fi
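Review bot: two wording slips in the new ECDSA dialog text: "This is an certificate" should read "This is a certificate", and "You can increase the number of bits if you care about, however, consider that..." is missing its object (e.g. "if you wish, but consider that 256 bits are already as secure as 3072-bit RSA"). The retitling from "encryption strength" to "certificate size" is a good correction, since the value selects the key size of the certificate rather than the data-channel cipher.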
@ -758,8 +755,8 @@ confOpenVPN() {
$SUDO rm -rf /etc/openvpn/easy-rsa/ $SUDO rm -rf /etc/openvpn/easy-rsa/
fi fi
# Get the PiVPN easy-rsa # Get easy-rsa
wget -q -O - "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn && $SUDO mv /etc/openvpn/EasyRSA-${easyrsaVer} /etc/openvpn/easy-rsa wget -q -O - "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn && $SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa
# fix ownership # fix ownership
$SUDO chown -R root:root /etc/openvpn/easy-rsa $SUDO chown -R root:root /etc/openvpn/easy-rsa
$SUDO mkdir /etc/openvpn/easy-rsa/pki $SUDO mkdir /etc/openvpn/easy-rsa/pki
@ -799,7 +796,7 @@ EOF
if [[ ${useUpdateVars} == false ]]; then if [[ ${useUpdateVars} == false ]]; then
if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then
whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c} whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman parameters, and HMAC key will now be generated." ${r} ${c}
fi fi
fi fi
@ -886,8 +883,8 @@ EOT
# Fix Raspbian config # Fix Raspbian config
if [[ $PLAT == "Raspbian" ]]; then if [[ $PLAT == "Raspbian" ]]; then
wget -q -O - "$UNATTUPG_CONFIG" | $SUDO tar xz wget -q -O - "$UNATTUPG_CONFIG" | $SUDO tar xz
$SUDO cp unattended-upgrades-1.4/data/50unattended-upgrades.Raspbian 50unattended-upgrades $SUDO cp "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" 50unattended-upgrades
$SUDO rm -rf unattended-upgrades-1.4 $SUDO rm -rf "unattended-upgrades-$UNATTUPG_RELEASE"
fi fi
# Add the remaining settings for all other distributions # Add the remaining settings for all other distributions
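Review bot: `wget -q -O - "$UNATTUPG_CONFIG" | $SUDO tar xz` extracts into whatever the current working directory is at this point (not visible in the hunk), and the following `cp` and `rm -rf "unattended-upgrades-$UNATTUPG_RELEASE"` use relative paths, so a `cd` elsewhere in the script would make the cleanup operate on the wrong location. Extract into a `mktemp -d` directory and reference it explicitly; that also pairs naturally with a checksum check on the archive before extraction.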
@ -909,21 +906,20 @@ confNetwork() {
$SUDO sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf $SUDO sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
$SUDO sysctl -p $SUDO sysctl -p
# if ufw enabled, configure that # if ufw enabled, configure that (running as root because sometimes the executable is not in the user's $PATH, on Debian for example)
if hash ufw 2>/dev/null; then if $SUDO bash -c 'hash ufw' 2>/dev/null; then
if LANG=en_US.UTF-8 $SUDO ufw status | grep -q inactive if LANG=en_US.UTF-8 $SUDO ufw status | grep -q inactive
then then
noUFW=1 noUFW=1
else else
echo "::: Detected UFW is enabled." echo "::: Detected UFW is enabled."
echo "::: Adding UFW rules..." echo "::: Adding UFW rules..."
$SUDO cp /etc/.pivpn/ufw_add.txt /tmp/ufw_add.txt $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
$SUDO sed -i 's/IPv4dev/'"$IPv4dev"'/' /tmp/ufw_add.txt # Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic)
$SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw $SUDO ufw insert 1 allow "$PORT"/"$PROTO" >/dev/null
$SUDO sed -i -e '/delete these required/r /tmp/ufw_add.txt' -e//N /etc/ufw/before.rules # Don't forward everything, just the traffic originated from the VPN subnet
$SUDO ufw allow "${PORT}/${PROTO}" $SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
$SUDO ufw allow from 10.8.0.0/24 $SUDO ufw reload >/dev/null
$SUDO ufw reload
echo "::: UFW configuration completed." echo "::: UFW configuration completed."
fi fi
else else
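Review bot: the `sed "/delete these required/i *nat ..." -i /etc/ufw/before.rules` insertion is not idempotent: running the installer twice (or the identical fix path in pivpnDebug.sh) inserts a second `*nat` block, and the uninstall's exact-match removal strips only one copy. Guard it with something like `grep -q "POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE" /etc/ufw/before.rules ||` before the sed. On the positive side, this hunk removes the `/tmp/ufw_add.txt` intermediate (a predictable path written via sudo) and replaces `DEFAULT_FORWARD_POLICY="ACCEPT"` plus the blanket `ufw allow from 10.8.0.0/24` with a single `ufw route ... in on tun0 from 10.8.0.0/24 out on "$IPv4dev"` rule; that is a real tightening, since forwarding is now permitted only for VPN-originated traffic and the system-wide forward policy is left untouched. `tun0` is hard-coded here; if the tun device name is configurable anywhere in the installer, derive it from the same variable.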
@ -932,7 +928,7 @@ confNetwork() {
# else configure iptables # else configure iptables
if [[ $noUFW -eq 1 ]]; then if [[ $noUFW -eq 1 ]]; then
echo 1 > /tmp/noUFW echo 1 > /tmp/noUFW
$SUDO iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE $SUDO iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE
case ${PLAT} in case ${PLAT} in
Ubuntu|Debian|Devuan) Ubuntu|Debian|Devuan)
$SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null $SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null
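Review bot: switching `-A` to `-I` puts the MASQUERADE rule ahead of any existing POSTROUTING rules, but neither form checks whether the rule is already present, so a re-run inserts a duplicate that is then persisted by `iptables-save`. Check first, as the new pivpnDebug.sh self check already does for detection: `$SUDO iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE 2>/dev/null || $SUDO iptables -t nat -I POSTROUTING ...`.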
@ -1021,7 +1017,7 @@ confOVPN() {
confLogging() { confLogging() {
echo "if \$programname == 'ovpn-server' then /var/log/openvpn.log echo "if \$programname == 'ovpn-server' then /var/log/openvpn.log
if \$programname == 'ovpn-server' then ~" | $SUDO tee /etc/rsyslog.d/30-openvpn.conf > /dev/null if \$programname == 'ovpn-server' then stop" | $SUDO tee /etc/rsyslog.d/30-openvpn.conf > /dev/null
echo "/var/log/openvpn.log echo "/var/log/openvpn.log
{ {
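Review bot: replacing the `~` discard action with `stop` is correct (`~` is deprecated in current rsyslog releases and produces a warning at startup). If you want to avoid evaluating `$programname` twice, the two lines can be folded into one RainerScript rule: `if $programname == 'ovpn-server' then { action(type="omfile" file="/var/log/openvpn.log") stop }`.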
@ -1138,8 +1134,7 @@ updatePiVPN() {
displayFinalMessage() { displayFinalMessage() {
# Final completion message to user # Final completion message to user
whiptail --msgbox --backtitle "Make it so." --title "Installation Complete!" "Now run 'pivpn add' to create the ovpn profiles. whiptail --msgbox --backtitle "Make it so." --title "Installation Complete!" "Now run 'pivpn add' to create the ovpn profiles.
Run 'pivpn help' to see what else you can do! Run 'pivpn help' to see what else you can do!" ${r} ${c}
The install log is in /etc/pivpn." ${r} ${c}
if (whiptail --title "Reboot" --yesno --defaultno "It is strongly recommended you reboot after installation. Would you like to reboot now?" ${r} ${c}); then if (whiptail --title "Reboot" --yesno --defaultno "It is strongly recommended you reboot after installation. Would you like to reboot now?" ${r} ${c}); then
whiptail --title "Rebooting" --msgbox "The system will now reboot." ${r} ${c} whiptail --title "Rebooting" --msgbox "The system will now reboot." ${r} ${c}
printf "\nRebooting system...\n" printf "\nRebooting system...\n"
@ -1278,9 +1273,11 @@ main() {
clone_or_update_repos clone_or_update_repos
# Install and log everything to a file # Install and log everything to a file
installPiVPN | tee ${tmpLog} if installPiVPN; then
echo "::: Install Complete..."
echo "::: Install Complete..." else
exit 1
fi
else else
# Source ${setupVars} for use in the rest of the functions. # Source ${setupVars} for use in the rest of the functions.
source ${setupVars} source ${setupVars}
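Review bot: the switch from `installPiVPN | tee ${tmpLog}` to `if installPiVPN; then` changes the `set -e` semantics in a way that may not be intended. Bash disables errexit for any command evaluated as an `if` condition, including every command inside a function called from there, so a failing command inside `installPiVPN` no longer aborts the script; only the exit status of the function's last command decides which branch runs. The old pipeline had the opposite problem (its status was `tee`'s, masking failures). If the goal is to stop at the first error while still getting a log, call `installPiVPN` as a plain statement and use `set -o pipefail` with the `tee`, or redirect the whole script once with `exec > >(tee "$logfile") 2>&1` near the top of `main`.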
@ -1314,12 +1311,9 @@ main() {
clone_or_update_repos clone_or_update_repos
updatePiVPN | tee ${tmpLog} updatePiVPN
fi fi
#Move the install log into /etc/pivpn for storage
$SUDO mv ${tmpLog} ${instalLogLoc}
echo "::: Restarting services..." echo "::: Restarting services..."
# Start services # Start services
case ${PLAT} in case ${PLAT} in
@ -1349,7 +1343,6 @@ main() {
fi fi
echo ":::" echo ":::"
echo "::: The install log is located at: ${instalLogLoc}"
} }
if [[ "${PIVPN_TEST}" != true ]] ; then if [[ "${PIVPN_TEST}" != true ]] ; then

View file

@ -1,8 +0,0 @@
CO
ST
CITY
ORG
ORG-UNIT
COMMON-NAME
NAME
EMAIL

View file

@ -1,3 +0,0 @@
#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o IPv4dev -j MASQUERADE

18
pivpn
View file

@ -27,30 +27,12 @@ function listOVPNFunc {
} }
function debugFunc { function debugFunc {
noUFW=$(cat /etc/pivpn/NO_UFW)
echo "::: Generating Debug Output" echo "::: Generating Debug Output"
$SUDO /opt/pivpn/pivpnDebug.sh | tee /tmp/debug.txt $SUDO /opt/pivpn/pivpnDebug.sh | tee /tmp/debug.txt
echo "::: " echo "::: "
echo "::: Debug output completed above." echo "::: Debug output completed above."
echo "::: Copy saved to /tmp/debug.txt" echo "::: Copy saved to /tmp/debug.txt"
echo "::: " echo "::: "
if [[ ${noUFW} -eq 1 ]]; then
IPTABLES_FIX=`$SUDO iptables -t nat -L -n -v | grep -c 'MASQUERADE.*10.8.0.0\/24'`
$SUDO iptables -t nat -L -n -v | grep -q 'MASQUERADE.*10.8.0.0\/24'
if [ $? -ne 0 ]; then
IPTABLES_FIX=2
fi
if [[ ${IPTABLES_FIX} -gt 1 ]]; then
echo "::: We detected some potential issues with your iptables."
read -p "::: Would you like us to try to fix this? [y/n]: " -n 1 -r
echo
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
$SUDO /opt/pivpn/fix_iptables.sh
fi
echo "::: Attempt at fix completed."
echo "::: Run 'pivpn debug' again to see if we detect issues."
fi
fi
exit 1 exit 1
} }
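Review bot: `debugFunc` still ends with `exit 1` even when pivpnDebug.sh finds nothing wrong, so `pivpn -d` always reports failure to the calling shell and a script cannot distinguish a clean run from a broken one; return 0 here and let the `ERR` flag that pivpnDebug.sh computes drive the exit status. Also, `tee /tmp/debug.txt` writes the server configuration and client template to a fixed path that is typically world-readable under the default umask; since this output is meant to be pasted into public issues, a `mktemp` file or a path under the user's home would be safer.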

0
scripts/clientStat.sh Normal file → Executable file
View file

View file

@ -1,9 +0,0 @@
#!/usr/bin/env bash
# PiVPN: Fix iptables script
# called by pivpnDebug.sh
IPv4dev=$(ip route get 8.8.8.8 | awk '{for(i=1;i<=NF;i++)if($i~/dev/)print $(i+1)}')
iptables -t nat -F
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${IPv4dev} -j MASQUERADE
iptables-save > /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4

0
scripts/listOVPN.sh Normal file → Executable file
View file

164
scripts/pivpnDebug.sh Normal file → Executable file
View file

@ -1,23 +1,155 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# This scripts runs as root # This scripts runs as root
printf ":::\t\t\t\t\t:::\n::\t\tPiVPN Debug\t\t ::\n"
printf ":::\t\t\t\t\t:::\n::\tLatest Commit\t\t\t ::\n:::\t\t\t\t\t:::\n" PORT=$(cat /etc/pivpn/INSTALL_PORT)
PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
REMOTE="$(grep 'remote ' /etc/openvpn/easy-rsa/pki/Default.txt | awk '{print $2}')"
ERR=0
echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::"
printf "=============================================\n"
echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::"
git --git-dir /etc/.pivpn/.git log -n 1 git --git-dir /etc/.pivpn/.git log -n 1
printf ":::\t\t\t\t\t:::\n::\tRecursive list of files in\t ::\n" printf "=============================================\n"
printf "::\t/etc/openvpn/easy-rsa/pki\t ::\n:::\t\t\t\t\t:::\n" echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::"
ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial
printf ":::\t\t\t\t\t:::\n::\tOutput of /etc/pivpn/*\t\t ::\n:::\t\t\t\t\t:::\n"
for filename in /etc/pivpn/*; do for filename in /etc/pivpn/*; do
if [[ "$(unknown)" != "/etc/pivpn/install.log" ]]; then if [ "$filename" != "/etc/pivpn/setupVars.conf" ]; then
echo ":: START $filename ::" echo "$filename -> $(cat "$filename")"
cat "$filename"
echo ":: END $filename ::"
fi fi
done done
printf ":::\t\t\t\t\t:::\n:: /etc/openvpn/easy-rsa/pki/Default.txt ::\n:::\t\t\t\t\t:::\n" printf "=============================================\n"
cat /etc/openvpn/easy-rsa/pki/Default.txt echo -e "::::\t\e[4msetupVars file shown below\e[0m\t ::::"
if [[ ${noUFW} -eq 1 ]]; then sed "s/$REMOTE/REMOTE/" < /etc/pivpn/setupVars.conf
printf ":::\t\t\t\t\t:::\n::\tOutput of iptables\t\t ::\n:::\t\t\t\t\t:::\n" printf "=============================================\n"
iptables -t nat -L -n -v echo -e ":::: \e[4mServer configuration shown below\e[0m ::::"
cat /etc/openvpn/server.conf
printf "=============================================\n"
echo -e ":::: \e[4mClient template file shown below\e[0m ::::"
sed "s/$REMOTE/REMOTE/" < /etc/openvpn/easy-rsa/pki/Default.txt
printf "=============================================\n"
echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::: \e[4m/etc/openvpn/easy-rsa/pki shows below\e[0m :::"
ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial
printf "=============================================\n"
echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::"
if [ "$(cat /proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then
echo ":: [OK] IP forwarding is enabled"
else
ERR=1
read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
sysctl -p
echo "Done"
fi
fi fi
printf ":::\t\t\t\t\t:::\n::\tDebug Output Complete\t\t ::\n:::\t\t\t\t\t:::\n"
if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
iptables -t nat -F
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE
iptables-save > /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4
echo "Done"
fi
fi
else
if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
echo ":: [OK] Ufw is enabled"
else
ERR=1
read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
ufw enable
fi
fi
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
ufw reload
echo "Done"
fi
fi
if iptables -C ufw-user-input -p "${PROTO}" --dport "${PORT}" -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw input rule set"
else
ERR=1
read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
ufw insert 1 allow "$PORT"/"$PROTO"
ufw reload
echo "Done"
fi
fi
if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw forwarding rule set"
else
ERR=1
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any
ufw reload
echo "Done"
fi
fi
fi
if systemctl is-active -q openvpn; then
echo ":: [OK] OpenVPN is running"
else
ERR=1
read -r -p ":: [ERR] OpenVPN is not running, try to start now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
systemctl start openvpn
echo "Done"
fi
fi
if systemctl is-enabled -q openvpn; then
echo ":: [OK] OpenVPN is enabled (it will automatically start on reboot)"
else
ERR=1
read -r -p ":: [ERR] OpenVPN is not enabled, try to enable now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
systemctl enable openvpn
echo "Done"
fi
fi
# grep -w (whole word) is used so port 111940 with now match when looking for 1194
if netstat -uanpt | grep openvpn | grep -w "${PORT}" | grep -q "${PROTO}"; then
echo ":: [OK] OpenVPN is listening on port ${PORT}/${PROTO}"
else
ERR=1
read -r -p ":: [ERR] OpenVPN is not listening, try to restart now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
systemctl restart openvpn
echo "Done"
fi
fi
if [ "$ERR" -eq 1 ]; then
echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues"
fi
printf "=============================================\n"
echo -e ":::: \e[4mSnippet of the server log\e[0m ::::"
tail -20 /var/log/openvpn.log
printf "=============================================\n"
echo -e "::::\t\t\e[4mDebug complete\e[0m\t\t ::::"
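Review bot: several points on the new self check. The MASQUERADE fix path runs `iptables -t nat -F`, which flushes every rule in the nat table, not only PiVPN's, so on a host that also runs Docker, Pi-hole or any other NAT user the "fix" silently breaks them; since the rule is detected with `-C`, just insert the missing rule with `-I` and leave the rest alone. `iptables-save > /etc/iptables/rules.v4` assumes the iptables-persistent layout, while the installer's confNetwork selects the save location with a `case ${PLAT}`; the debug script should do the same. The `[Y/n]` prompts imply that Enter means yes, but `^[Yy]$` only accepts an explicit y, so the default path declines; either change the hint to `[y/N]` or also accept an empty reply. If `grep 'remote '` finds no line, `REMOTE` is empty and `sed "s//REMOTE/"` fails with "no previous regular expression", aborting the masking of both setupVars.conf and Default.txt; guard with `[ -n "$REMOTE" ]`, and consider applying the same masking to `tail -20 /var/log/openvpn.log`, which can contain client peer addresses. The ufw fix reuses the installer's non-idempotent `sed "/delete these required/i ..."` insertion, so repeated runs stack `*nat` blocks. Finally, the comment "port 111940 with now match" should read "will not match".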

0
scripts/removeOVPN.sh Normal file → Executable file
View file

10
scripts/uninstall.sh Normal file → Executable file
View file

@ -21,6 +21,7 @@ PLAT=$(cat /etc/pivpn/DET_PLATFORM)
NO_UFW=$(cat /etc/pivpn/NO_UFW) NO_UFW=$(cat /etc/pivpn/NO_UFW)
PORT=$(cat /etc/pivpn/INSTALL_PORT) PORT=$(cat /etc/pivpn/INSTALL_PORT)
PROTO=$(cat /etc/pivpn/INSTALL_PROTO) PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
# Find the rows and columns. Will default to 80x24 if it can not be detected. # Find the rows and columns. Will default to 80x24 if it can not be detected.
screen_size=$(stty size 2>/dev/null || echo 24 80) screen_size=$(stty size 2>/dev/null || echo 24 80)
@ -107,11 +108,10 @@ echo ":::"
sysctl -p sysctl -p
if [[ $NO_UFW -eq 0 ]]; then if [[ $NO_UFW -eq 0 ]]; then
$SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"DROP\"/" /etc/default/ufw $SUDO sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
$SUDO sed -i '/START OPENVPN RULES/,/END OPENVPN RULES/ d' /etc/ufw/before.rules $SUDO ufw delete allow "$PORT"/"$PROTO" >/dev/null
$SUDO ufw delete allow from 10.8.0.0/24 >/dev/null $SUDO ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
$SUDO ufw delete allow ${PORT}/${PROTO} >/dev/null $SUDO ufw reload >/dev/null
$SUDO ufw reload
fi fi
echo ":::" echo ":::"
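Review bot: the `sed -z "s/*nat\n:POSTROUTING ... \nCOMMIT\n\n//"` removal only succeeds if the block in before.rules is byte-for-byte what the installer inserted (same interface name, same blank line after COMMIT); if the user edited the file, a different interface is detected at uninstall time, or the block was inserted twice, the MASQUERADE rule is left behind with no warning. The deleted ufw_add.txt carried `# START OPENVPN RULES` / `# END OPENVPN RULES` markers, which let the old `sed '/START OPENVPN RULES/,/END OPENVPN RULES/ d'` delete the block by range regardless of its content; keeping such markers in the new inline insertion and deleting by range here would be more robust. Also check with `grep -q` afterwards and warn if the block is still present.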

View file

@ -1,9 +0,0 @@
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to masquerade
-A POSTROUTING -s 10.8.0.0/24 -o IPv4dev -j MASQUERADE
COMMIT
# END OPENVPN RULES