diff --git a/auto_install/install.sh b/auto_install/install.sh index cd9a60c..eec66af 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -971,8 +971,21 @@ confNetwork() { $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules # Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic) $SUDO ufw insert 1 allow "$PORT"/"$PROTO" >/dev/null - # Don't forward everything, just the traffic originated from the VPN subnet - $SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null + + # https://askubuntu.com/a/712202 + INSTALLED_UFW=$(dpkg-query --showformat='${Version}' --show ufw) + MINIMUM_UFW=0.34 + + if $SUDO dpkg --compare-versions "$INSTALLED_UFW" ge "$MINIMUM_UFW"; then + # Don't forward everything, just the traffic originated from the VPN subnet + $SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null + echo 0 > /tmp/OLD_UFW + else + # This ufw version does not support route command, fallback to policy change + $SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw + echo 1 > /tmp/OLD_UFW + fi + $SUDO ufw reload >/dev/null echo "::: UFW configuration completed." fi @@ -1035,6 +1048,7 @@ confNetwork() { echo "$FORWARD_CHAIN_EDITED" > /tmp/FORWARD_CHAIN_EDITED $SUDO cp /tmp/noUFW /etc/pivpn/NO_UFW + $SUDO cp /tmp/OLD_UFW /etc/pivpn/OLD_UFW $SUDO cp /tmp/INPUT_CHAIN_EDITED /etc/pivpn/INPUT_CHAIN_EDITED $SUDO cp /tmp/FORWARD_CHAIN_EDITED /etc/pivpn/FORWARD_CHAIN_EDITED } diff --git a/scripts/pivpnDebug.sh b/scripts/pivpnDebug.sh index b63079a..818c760 100755 --- a/scripts/pivpnDebug.sh +++ b/scripts/pivpnDebug.sh 
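Review bot: The fallback branch `$SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw` opens ufw's default forwarding policy for every interface pair, not just tun0 to "$IPv4dev", yet nothing in the install log says so; add an `echo "::: ufw older than $MINIMUM_UFW, setting DEFAULT_FORWARD_POLICY=ACCEPT (all forwarded traffic allowed by default)"` before the sed so the wider exposure is visible to whoever runs the installer. The previous DEFAULT_FORWARD_POLICY value is overwritten without being saved; storing the original line under /etc/pivpn next to OLD_UFW would let uninstall.sh restore it instead of assuming DROP. `dpkg --compare-versions` only compares two strings, so the `$SUDO` prefix is unnecessary, and if `dpkg-query` fails INSTALLED_UFW is empty and the comparison most likely falls through to the policy-change branch silently — `|| INSTALLED_UFW=0` plus a message would make that case explicit. The enclosing ufw `if` block begins outside the hunk.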
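Review bot: `$SUDO cp /tmp/OLD_UFW /etc/pivpn/OLD_UFW` runs unconditionally, but /tmp/OLD_UFW is written only inside what appears to be the ufw branch of the first hunk, so an install that takes the iptables path hits a missing-file error here and /etc/pivpn/OLD_UFW is never created for uninstall.sh and pivpnDebug.sh to read. Give the flag a default on every path, e.g. `echo 0 > /tmp/OLD_UFW` next to the `echo "$FORWARD_CHAIN_EDITED" > /tmp/FORWARD_CHAIN_EDITED` line, and let the old-ufw branch overwrite it with `echo 1`. Like the existing /tmp/noUFW flag this uses a fixed name in the shared /tmp, where a stale or foreign file at that path makes the `echo` fail or gets copied into /etc/pivpn as-is; writing via `mktemp` or directly with `$SUDO tee /etc/pivpn/OLD_UFW` avoids the intermediate file. The enclosing confNetwork() body starts outside the hunk.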
@@ -5,6 +5,10 @@ PORT=$(cat /etc/pivpn/INSTALL_PORT) PROTO=$(cat /etc/pivpn/INSTALL_PROTO) IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" REMOTE="$(grep 'remote ' /etc/openvpn/easy-rsa/pki/Default.txt | awk '{print $2}')" +NO_UFW=$(cat /etc/pivpn/NO_UFW) +OLD_UFW=$(cat /etc/pivpn/NO_UFW) +INPUT_CHAIN_EDITED="$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" +FORWARD_CHAIN_EDITED="$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" ERR=0 echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::" @@ -46,7 +50,7 @@ else fi fi -if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then +if [ "$NO_UFW" -eq 1 ]; then if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then echo ":: [OK] Iptables MASQUERADE rule set" @@ -61,7 +65,7 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then fi fi - if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then + if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then echo ":: [OK] Iptables INPUT rule set" else @@ -75,7 +79,7 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then fi fi - if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then + if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then echo ":: [OK] Iptables FORWARD rule set" else 
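Review bot: `OLD_UFW=$(cat /etc/pivpn/NO_UFW)` reads the wrong flag file; the install hunk stores the value in /etc/pivpn/OLD_UFW, so this should be `OLD_UFW=$(cat /etc/pivpn/OLD_UFW)`. As written, on a host with an old ufw OLD_UFW inherits NO_UFW's 0, so the debug script later looks for a `ufw route` rule that was never created and offers a fix using a subcommand that ufw version does not support. The same copy-paste appears in the uninstall.sh hunk `@@ -4,6 +4,7 @@`, where it matters more: the DEFAULT_FORWARD_POLICY restore is skipped and the ACCEPT policy survives removal of PiVPN. If /etc/pivpn/OLD_UFW can be absent on installs made before this change, `[ "$OLD_UFW" -eq 1 ]` errors on an empty string; `OLD_UFW=$(cat /etc/pivpn/OLD_UFW 2>/dev/null || echo 0)` gives it a safe default.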
@@ -126,15 +130,30 @@ else fi fi - if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then - echo ":: [OK] Ufw forwarding rule set" + if [ "$OLD_UFW" -eq 1 ]; then + FORWARD_POLICY="$(iptables -S FORWARD | grep '^-P' | awk '{print $3}')" + if [ "$FORWARD_POLICY" = "ACCEPT" ]; then + echo ":: [OK] Ufw forwarding policy is accept" + else + ERR=1 + read -r -p ":: [ERR] Ufw forwarding policy is not 'ACCEPT', attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw + ufw reload > /dev/null + echo "Done" + fi + fi else - ERR=1 - read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]]; then - ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any - ufw reload - echo "Done" + if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then + echo ":: [OK] Ufw forwarding rule set" + else + ERR=1 + read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any + ufw reload + echo "Done" + fi fi fi diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index f1edea4..94e9eec 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -4,6 +4,7 @@ INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) PLAT=$(cat /etc/pivpn/DET_PLATFORM) NO_UFW=$(cat /etc/pivpn/NO_UFW) +OLD_UFW=$(cat /etc/pivpn/NO_UFW) PORT=$(cat /etc/pivpn/INSTALL_PORT) PROTO=$(cat /etc/pivpn/INSTALL_PROTO) IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" 
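Review bot: The old-ufw fix path runs `ufw reload > /dev/null` while the route fix path a few lines below runs `ufw reload` with output shown; use one form (the quiet one matches install.sh) so the two prompts behave alike. Both branches repeat the same ERR=1 / read / confirm / reload sequence with only the repair command differing, which a small helper would remove, though that is optional. The policy check reads the live FORWARD chain policy from `iptables -S FORWARD` rather than /etc/default/ufw, so an ACCEPT policy set by other means also reports OK; a comment such as `# checks the live chain policy, not the config file` would make that intent clear. The enclosing `else` branch starts outside the hunk.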
@@ -97,7 +98,11 @@ echo ":::"
 if [[ $NO_UFW -eq 0 ]]; then
 sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
 ufw delete allow "$PORT"/"$PROTO" >/dev/null
- ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
+ if [ "$OLD_UFW" -eq 1 ]; then
+ sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"DROP\"/" /etc/default/ufw
+ else
+ ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
+ fi
 ufw reload >/dev/null
 else
 iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE
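Review bot: `sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"DROP\"/" /etc/default/ufw` assumes the pre-install policy was DROP; if the administrator had a different value, uninstall changes it rather than restoring it. Recording the original line at install time and writing it back here, with DROP only as the fallback when no record exists, would make removal faithful to the prior state. `[ "$OLD_UFW" -eq 1 ]` also errors with "integer expression expected" when /etc/pivpn/OLD_UFW is missing or empty, so the variable should be given a default (for example `${OLD_UFW:-0}`) before this test. The `if [[ $NO_UFW -eq 0 ]]` block's closing `fi` is outside the hunk.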