Merge pull request #2 from pivpn/test

Pulling test branch
Jelle Dekker 2017-10-11 22:14:58 -05:00 committed by GitHub
commit e3f77afc95
6 changed files with 72 additions and 63 deletions


@ -137,6 +137,17 @@ to keep things sorted.
You can also join #pivpn <ircs://freenode/pivpn> on freenode in IRC for community support or general questions. You can also join #pivpn <ircs://freenode/pivpn> on freenode in IRC for community support or general questions.
Related Projects
--------
[StarshipEngineer/OpenVPN-Setup](https://github.com/StarshipEngineer/OpenVPN-Setup)
Shell script to set up a OpenVPN server.
[InnovativeInventor/docker-pivpn](https://github.com/InnovativeInventor/docker-pivpn)
A secure docker container that sets up PiVPN and SSH.
[OpenVPN](https://openvpn.net)
The foundation for all open-source VPN projects.
Contributions Contributions
------------- -------------
@ -158,4 +169,3 @@ sources.
4. And as always the ever vigilant [EFF](https://www.eff.org/) 4. And as always the ever vigilant [EFF](https://www.eff.org/)
I don't take donations at this time but if you want to show your appreciation to me, then contribute or leave feedback on suggestions or improvements. I don't take donations at this time but if you want to show your appreciation to me, then contribute or leave feedback on suggestions or improvements.


@ -61,14 +61,14 @@ dhcpcdFile=/etc/dhcpcd.conf
# Next see if we are on a tested and supported OS # Next see if we are on a tested and supported OS
function noOS_Support() { function noOS_Support() {
whiptail --msgbox --backtitle "INVALID OS DETECTED" --title "Invalid OS" "We have not been able to detect a supported OS. whiptail --msgbox --backtitle "INVALID OS DETECTED" --title "Invalid OS" "We have not been able to detect a supported OS.
Currently this installer supports Raspbian (or Devuan) jessie, Ubuntu 14.04 (trusty), and Ubuntu 16.04 (xenial). Currently this installer supports Raspbian and Debian (Jessie and Stretch), Devuan (Jessie) and Ubuntu from 14.04 (trusty) to 17.04 (zesty).
If you think you received this message in error, you can post an issue on the GitHub at https://github.com/pivpn/pivpn/issues." ${r} ${c} If you think you received this message in error, you can post an issue on the GitHub at https://github.com/pivpn/pivpn/issues." ${r} ${c}
exit 1 exit 1
} }
function maybeOS_Support() { function maybeOS_Support() {
if (whiptail --backtitle "Not Supported OS" --title "Not Supported OS" --yesno "You are on an OS that we have not tested but MAY work. if (whiptail --backtitle "Not Supported OS" --title "Not Supported OS" --yesno "You are on an OS that we have not tested but MAY work.
Currently this installer supports Raspbian (or Devuan) jessie, Ubuntu 14.04 (trusty), and Ubuntu 16.04 (xenial). Currently this installer supports Raspbian and Debian (Jessie and Stretch), Devuan (Jessie) and Ubuntu from 14.04 (trusty) to 17.04 (zesty).
Would you like to continue anyway?" ${r} ${c}) then Would you like to continue anyway?" ${r} ${c}) then
echo "::: Did not detect perfectly supported OS but," echo "::: Did not detect perfectly supported OS but,"
echo "::: Continuing installation at user's own risk..." echo "::: Continuing installation at user's own risk..."
@ -88,7 +88,7 @@ distro_check() {
case ${PLAT} in case ${PLAT} in
Ubuntu|Raspbian|Debian|Devuan) Ubuntu|Raspbian|Debian|Devuan)
case ${OSCN} in case ${OSCN} in
trusty|xenial|jessie) trusty|xenial|jessie|stretch)
;; ;;
*) *)
maybeOS_Support maybeOS_Support
@ -111,6 +111,9 @@ distro_check() {
if grep -q jessie /etc/os-release; then if grep -q jessie /etc/os-release; then
PLAT="Raspbian" PLAT="Raspbian"
OSCN="jessie" OSCN="jessie"
elif grep -q stretch /etc/os-release; then
PLAT="Raspbian"
OSCN="stretch"
else else
PLAT="Ubuntu" PLAT="Ubuntu"
OSCN="unknown" OSCN="unknown"
@ -435,19 +438,6 @@ update_package_cache() {
timestampAsDate=$(date -d @"${timestamp}" "+%b %e") timestampAsDate=$(date -d @"${timestamp}" "+%b %e")
today=$(date "+%b %e") today=$(date "+%b %e")
case ${PLAT} in
Ubuntu|Debian|Devuan)
case ${OSCN} in
trusty|jessie|wheezy)
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg| $SUDO apt-key add -
echo "deb http://swupdate.openvpn.net/apt $OSCN main" | $SUDO tee /etc/apt/sources.list.d/swupdate.openvpn.net.list > /dev/null
echo -n "::: Adding OpenVPN repo for $PLAT $OSCN ..."
$SUDO apt-get -qq update & spinner $!
echo " done!"
;;
esac
;;
esac
if [ ! "${today}" == "${timestampAsDate}" ]; then if [ ! "${today}" == "${timestampAsDate}" ]; then
#update package lists #update package lists
@ -534,7 +524,7 @@ checkForDependencies() {
case ${PLAT} in case ${PLAT} in
Ubuntu|Debian|Devuan) Ubuntu|Debian|Devuan)
case ${OSCN} in case ${OSCN} in
trusty|jessie|wheezy) trusty|jessie|wheezy|stretch)
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg| $SUDO apt-key add - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg| $SUDO apt-key add -
echo "deb http://swupdate.openvpn.net/apt $OSCN main" | $SUDO tee /etc/apt/sources.list.d/swupdate.openvpn.net.list > /dev/null echo "deb http://swupdate.openvpn.net/apt $OSCN main" | $SUDO tee /etc/apt/sources.list.d/swupdate.openvpn.net.list > /dev/null
echo -n "::: Adding OpenVPN repo for $PLAT $OSCN ..." echo -n "::: Adding OpenVPN repo for $PLAT $OSCN ..."
@ -544,6 +534,15 @@ checkForDependencies() {
esac esac
;; ;;
esac esac
if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then
if [[ $OSCN == "trusty" || $OSCN == "jessie" || $OSCN == "wheezy" || $OSCN == "stretch" ]]; then
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg| $SUDO apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/swupdate.openvpn.net.list > /dev/null
echo -n "::: Adding OpenVPN repo for $PLAT $OSCN ..."
$SUDO apt-get -qq update & spinner $!
echo " done!"
fi
fi
if [ ! "$today" == "$timestampAsDate" ]; then if [ ! "$today" == "$timestampAsDate" ]; then
#update package lists #update package lists
@ -797,15 +796,17 @@ setClientDNS() {
} }
confOpenVPN() { confOpenVPN() {
SERVER_NAME="server" # Generate a random, alphanumeric identifier of 16 characters for this server so that we can use verify-x509-name later that is unique for this server installation. Source: Earthgecko (https://gist.github.com/earthgecko/3089509)
NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
SERVER_NAME="server_${NEW_UUID}"
if [[ ${useUpdateVars} == false ]]; then if [[ ${useUpdateVars} == false ]]; then
# Ask user for desired level of encryption # Ask user for desired level of encryption
ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "Encryption Strength" --radiolist \ ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "Encryption strength" --radiolist \
"Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications it is recommended to use 2048 bit. If you are testing or just want to get through it quicker you can use 1024. If you are paranoid about ... things... then grab a cup of joe and pick 4096." ${r} ${c} 3 \ "Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications, it is recommended to use 2048 bits. If you are testing, you can use 1024 bits to speed things up, but do not use this for normal use! If you are paranoid about ... things... then grab a cup of joe and pick 4096 bits." ${r} ${c} 3 \
"2048" "Use 2048-bit encryption. Recommended level." ON \ "1024" "Use 1024-bit encryption (testing only)" OFF \
"1024" "Use 1024-bit encryption. Test level." OFF \ "2048" "Use 2048-bit encryption (recommended level)" ON \
"4096" "Use 4096-bit encryption. Paranoid level." OFF 3>&1 1>&2 2>&3) "4096" "Use 4096-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3)
exitstatus=$? exitstatus=$?
if [ $exitstatus != 0 ]; then if [ $exitstatus != 0 ]; then
@ -859,7 +860,7 @@ EOF
fi fi
# Build the server # Build the server
${SUDOE} ./easyrsa build-server-full server nopass ${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass
if [[ ${useUpdateVars} == false ]]; then if [[ ${useUpdateVars} == false ]]; then
if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}) if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c})
@ -884,6 +885,11 @@ EOF
# Generate static HMAC key to defend against DDoS # Generate static HMAC key to defend against DDoS
${SUDOE} openvpn --genkey --secret pki/ta.key ${SUDOE} openvpn --genkey --secret pki/ta.key
# Generate an empty Certificate Revocation List
${SUDOE} ./easyrsa gen-crl
${SUDOE} cp pki/crl.pem /etc/openvpn/crl.pem
${SUDOE} chown nobody:nogroup /etc/openvpn/crl.pem
# Write config file for server using the template .txt file # Write config file for server using the template .txt file
$SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf $SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
@ -992,10 +998,6 @@ confOVPN() {
$SUDO cp /tmp/pivpnUSR /etc/pivpn/INSTALL_USER $SUDO cp /tmp/pivpnUSR /etc/pivpn/INSTALL_USER
$SUDO cp /tmp/DET_PLATFORM /etc/pivpn/DET_PLATFORM $SUDO cp /tmp/DET_PLATFORM /etc/pivpn/DET_PLATFORM
# Set status that no certs have been revoked
echo 0 > /tmp/REVOKE_STATUS
$SUDO cp /tmp/REVOKE_STATUS /etc/pivpn/REVOKE_STATUS
$SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt $SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
if [[ ${useUpdateVars} == false ]]; then if [[ ${useUpdateVars} == false ]]; then
@ -1344,7 +1346,7 @@ main() {
echo ":::" echo ":::"
if [[ "${useUpdateVars}" == false ]]; then if [[ "${useUpdateVars}" == false ]]; then
echo "::: Installation Complete!" echo "::: Installation Complete!"
echo "::: Now run 'pivpn add' to create the ovpn profiles." echo "::: Now run 'pivpn add' to create an ovpn profile for each of your devices."
echo "::: Run 'pivpn help' to see what else you can do!" echo "::: Run 'pivpn help' to see what else you can do!"
echo "::: It is strongly recommended you reboot after installation." echo "::: It is strongly recommended you reboot after installation."
else else
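Review bot: The added `if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]` block in checkForDependencies repeats the repo setup that the `case ${PLAT}` block directly above it still performs. On a matching release the key is therefore imported twice, `apt-get update` runs twice, and the second `tee` overwrites `/etc/apt/sources.list.d/swupdate.openvpn.net.list` with a different URL (`build.openvpn.net` in place of `swupdate.openvpn.net`); keep only one of the two blocks. Both pipe `wget -O -` straight into `$SUDO apt-key add -`, which makes whatever the download returns a trusted signer for every configured repository. Download the key to a `mktemp` file and compare its fingerprint with a value pinned in the script before adding it, because the `deb http://` source line means package authenticity rests entirely on that key. checkForDependencies starts and ends outside the hunks shown.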


@ -2,6 +2,11 @@
# PiVPN: client status script # PiVPN: client status script
STATUS_LOG="/var/log/openvpn-status.log" STATUS_LOG="/var/log/openvpn-status.log"
function hr() {
numfmt --to=iec-i --suffix=B "$1"
}
printf "\n" printf "\n"
if [ ! -f "${STATUS_LOG}" ]; then if [ ! -f "${STATUS_LOG}" ]; then
echo "The file: $STATUS_LOG was not found!" echo "The file: $STATUS_LOG was not found!"
@ -15,7 +20,15 @@ printf "\e[1m::: Client Status List :::\e[0m\n"
printf "\t\t\t\t\t\t\tBytes\t\tBytes\t\n" printf "\t\t\t\t\t\t\tBytes\t\tBytes\t\n"
printf "\e[4mName\e[0m\t\t\e[4mRemote IP\e[0m\t\t\e[4mVirtual IP\e[0m\t\e[4mReceived\e[0m\t\e[4mSent\e[0m\t\t\e[4mConnected Since\e[0m \n" printf "\e[4mName\e[0m\t\t\e[4mRemote IP\e[0m\t\t\e[4mVirtual IP\e[0m\t\e[4mReceived\e[0m\t\e[4mSent\e[0m\t\t\e[4mConnected Since\e[0m \n"
if grep -q "^CLIENT_LIST" "${STATUS_LOG}"; then if grep -q "^CLIENT_LIST" "${STATUS_LOG}"; then
awk -F' ' -v s='CLIENT_LIST' '$1 == s {print $2"\t\t"$3"\t"$4"\t"$5"\t\t"$6"\t\t"$8" "$9" "$11" -- "$10}' ${STATUS_LOG} if [ -n $(type -t numfmt) ]; then
while read -r line; do
read -r -a array <<< $line
[[ ${array[0]} = CLIENT_LIST ]] || continue
printf "%s\t\t%s\t%s\t%s\t\t%s\t\t%s %s %s - %s" ${array[1]} ${array[2]} ${array[3]} $(hr ${array[4]}) $(hr ${array[5]}) ${array[7]} ${array[8]} ${array[10]} ${array[9]}
done <$STATUS_LOG
else
awk -F' ' -v s='CLIENT_LIST' '$1 == s {print $2"\t\t"$3"\t"$4"\t"$5"\t\t"$6"\t\t"$8" "$9" "$11" - "$10}' ${STATUS_LOG}
fi
else else
printf "\nNo Clients Connected!\n" printf "\nNo Clients Connected!\n"
fi fi
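Review bot: The test `[ -n $(type -t numfmt) ]` is always true. When numfmt is missing the unquoted substitution expands to nothing, leaving `[ -n ]`, which succeeds, so the awk fallback in the else branch is unreachable and `hr` fails on every row. Use `if command -v numfmt >/dev/null 2>&1; then` instead. The new printf format also has no trailing `\n`, so client rows run together on one line. Its arguments (`${array[1]}` …, `$(hr ${array[4]})`) and the here-string `<<< $line` are unquoted, so values read from the status log are subject to word splitting and glob expansion; quote each one and end the format with `\n`.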


@ -240,5 +240,6 @@ printf "========================================================\n"
printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME$FILEEXT" printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME$FILEEXT"
printf "%s was copied to:\n" "$NAME$FILEEXT" printf "%s was copied to:\n" "$NAME$FILEEXT"
printf " /home/%s/ovpns\n" "$INSTALL_USER" printf " /home/%s/ovpns\n" "$INSTALL_USER"
printf "for easy transfer.\n" printf "for easy transfer. Please use this profile only on one\n"
printf "device and create additional profiles for other devices.\n"
printf "========================================================\n\n" printf "========================================================\n\n"


@ -2,7 +2,6 @@
# PiVPN: revoke client script # PiVPN: revoke client script
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
REVOKE_STATUS=$(cat /etc/pivpn/REVOKE_STATUS)
PLAT=$(cat /etc/pivpn/DET_PLATFORM) PLAT=$(cat /etc/pivpn/DET_PLATFORM)
INDEX="/etc/openvpn/easy-rsa/pki/index.txt" INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
@ -105,22 +104,6 @@ fi
cd /etc/openvpn/easy-rsa || exit cd /etc/openvpn/easy-rsa || exit
if [ "${REVOKE_STATUS}" == 0 ]; then
echo 1 > /etc/pivpn/REVOKE_STATUS
printf "\nThis seems to be the first time you have revoked a cert.\n"
printf "First we need to initialize the Certificate Revocation List.\n"
printf "Then add the CRL to your server config and restart openvpn.\n"
./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn/crl.pem
chown nobody:nogroup /etc/openvpn/crl.pem
sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf
if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then
service openvpn restart
else
systemctl restart openvpn.service
fi
fi
for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}" printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}"
./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}" ./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}"


@ -4,7 +4,7 @@ port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh1024.pem dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet topology subnet
server 10.8.0.0 255.255.255.0 server 10.8.0.0 255.255.255.0
# server and remote endpoints # server and remote endpoints
@ -23,8 +23,8 @@ push "dhcp-option DNS 8.8.4.4"
# overriding but not wiping out the original default gateway. # overriding but not wiping out the original default gateway.
push "redirect-gateway def1" push "redirect-gateway def1"
client-to-client client-to-client
duplicate-cn
keepalive 10 120 keepalive 10 120
remote-cert-tls client
tls-version-min 1.2 tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0 tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC cipher AES-256-CBC
@ -34,7 +34,7 @@ user nobody
group nogroup group nogroup
persist-key persist-key
persist-tun persist-tun
#crl-verify /etc/openvpn/crl.pem crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20 status /var/log/openvpn-status.log 20
status-version 3 status-version 3
log /var/log/openvpn.log log /var/log/openvpn.log
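Review bot: With `crl-verify /etc/openvpn/crl.pem` now active in the template, the server depends on that file being present, current and readable by `nobody` at every start, and nothing in this section documents that. The installer hunk creates the file on a fresh install, but an existing install that never ran the removed first-revoke step may have no crl.pem at all, so it is worth confirming that the update path also runs `gen-crl`. A CRL also carries a next-update date, so presumably it has to be regenerated and re-copied periodically, not only when a certificate is revoked. I would add a comment above the directive such as `# crl.pem is created by the installer (easyrsa gen-crl); re-copy it here after every revoke or regeneration`.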