Merge-test
Merge-test
This commit is contained in:
commit
eece753ed1
21 changed files with 695 additions and 510 deletions
|
@ -24,12 +24,12 @@ PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install"
|
||||||
PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true"
|
PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true"
|
||||||
|
|
||||||
# Dependencies that are required by the script, regardless of the VPN protocol chosen
|
# Dependencies that are required by the script, regardless of the VPN protocol chosen
|
||||||
BASE_DEPS=(git tar wget grep dnsutils whiptail net-tools bsdmainutils)
|
BASE_DEPS=(git tar wget curl grep dnsutils whiptail net-tools bsdmainutils)
|
||||||
|
|
||||||
# Dependencies that where actually installed by the script. For example if the script requires
|
# Dependencies that where actually installed by the script. For example if the script requires
|
||||||
# grep and dnsutils but dnsutils is already installed, we save grep here. This way when uninstalling
|
# grep and dnsutils but dnsutils is already installed, we save grep here. This way when uninstalling
|
||||||
# PiVPN we won't prompt to remove packages that may have been installed by the user for other reasons
|
# PiVPN we won't prompt to remove packages that may have been installed by the user for other reasons
|
||||||
TO_INSTALL=()
|
INSTALLED_PACKAGES=()
|
||||||
|
|
||||||
easyrsaVer="3.0.6"
|
easyrsaVer="3.0.6"
|
||||||
easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz"
|
easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz"
|
||||||
|
@ -59,11 +59,6 @@ c=$(( columns / 2 ))
|
||||||
r=$(( r < 20 ? 20 : r ))
|
r=$(( r < 20 ? 20 : r ))
|
||||||
c=$(( c < 70 ? 70 : c ))
|
c=$(( c < 70 ? 70 : c ))
|
||||||
|
|
||||||
# Find IP used to route to outside world
|
|
||||||
IPv4addr=$(ip route get 192.0.2.1 | awk '{print $7}')
|
|
||||||
IPv4gw=$(ip route get 192.0.2.1 | awk '{print $3}')
|
|
||||||
availableInterfaces=$(ip -o link | awk '/state UP/ {print $2}' | cut -d':' -f1 | cut -d'@' -f1)
|
|
||||||
|
|
||||||
######## SCRIPT ############
|
######## SCRIPT ############
|
||||||
|
|
||||||
main(){
|
main(){
|
||||||
|
@ -195,7 +190,7 @@ main(){
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Save installation setting to the final location
|
# Save installation setting to the final location
|
||||||
echo "TO_INSTALL=(${TO_INSTALL[*]})" >> /tmp/setupVars.conf
|
echo "INSTALLED_PACKAGES=(${INSTALLED_PACKAGES[*]})" >> /tmp/setupVars.conf
|
||||||
$SUDO cp /tmp/setupVars.conf "$setupVars"
|
$SUDO cp /tmp/setupVars.conf "$setupVars"
|
||||||
|
|
||||||
installScripts
|
installScripts
|
||||||
|
@ -235,7 +230,7 @@ askAboutExistingInstall(){
|
||||||
# distroCheck, maybeOSSupport, noOSSupport
|
# distroCheck, maybeOSSupport, noOSSupport
|
||||||
distroCheck(){
|
distroCheck(){
|
||||||
# if lsb_release command is on their system
|
# if lsb_release command is on their system
|
||||||
if hash lsb_release 2>/dev/null; then
|
if command -v lsb_release > /dev/null; then
|
||||||
|
|
||||||
PLAT=$(lsb_release -si)
|
PLAT=$(lsb_release -si)
|
||||||
OSCN=$(lsb_release -sc)
|
OSCN=$(lsb_release -sc)
|
||||||
|
@ -335,7 +330,7 @@ spinner(){
|
||||||
local pid=$1
|
local pid=$1
|
||||||
local delay=0.50
|
local delay=0.50
|
||||||
local spinstr='/-\|'
|
local spinstr='/-\|'
|
||||||
while ps a | awk '{print $1}' | grep "${pid}"; do
|
while ps a | awk '{print $1}' | grep -q "$pid"; do
|
||||||
local temp=${spinstr#?}
|
local temp=${spinstr#?}
|
||||||
printf " [%c] " "${spinstr}"
|
printf " [%c] " "${spinstr}"
|
||||||
local spinstr=${temp}${spinstr%"$temp"}
|
local spinstr=${temp}${spinstr%"$temp"}
|
||||||
|
@ -399,7 +394,7 @@ updatePackageCache(){
|
||||||
echo ":::"
|
echo ":::"
|
||||||
echo -ne "::: ${PKG_MANAGER} update has not been run today. Running now...\\n"
|
echo -ne "::: ${PKG_MANAGER} update has not been run today. Running now...\\n"
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null
|
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||||
echo " done!"
|
echo " done!"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -436,7 +431,7 @@ preconfigurePackages(){
|
||||||
|
|
||||||
# if ufw is enabled, configure that.
|
# if ufw is enabled, configure that.
|
||||||
# running as root because sometimes the executable is not in the user's $PATH
|
# running as root because sometimes the executable is not in the user's $PATH
|
||||||
if $SUDO bash -c 'hash ufw' 2>/dev/null; then
|
if $SUDO bash -c 'command -v ufw' > /dev/null; then
|
||||||
if LANG=en_US.UTF-8 $SUDO ufw status | grep -q inactive; then
|
if LANG=en_US.UTF-8 $SUDO ufw status | grep -q inactive; then
|
||||||
USING_UFW=0
|
USING_UFW=0
|
||||||
else
|
else
|
||||||
|
@ -456,25 +451,46 @@ preconfigurePackages(){
|
||||||
}
|
}
|
||||||
|
|
||||||
installDependentPackages(){
|
installDependentPackages(){
|
||||||
|
declare -a TO_INSTALL=()
|
||||||
|
|
||||||
# Install packages passed in via argument array
|
# Install packages passed in via argument array
|
||||||
# No spinner - conflicts with set -e
|
# No spinner - conflicts with set -e
|
||||||
declare -a argArray1=("${!1}")
|
declare -a argArray1=("${!1}")
|
||||||
|
|
||||||
for i in "${argArray1[@]}"; do
|
for i in "${argArray1[@]}"; do
|
||||||
echo -n "::: Checking for $i..."
|
echo -n "::: Checking for $i..."
|
||||||
if dpkg-query -W -f='${Status}' "${i}" 2>/dev/null | grep -q "ok installed"; then
|
if dpkg-query -W -f='${Status}' "${i}" 2>/dev/null | grep -q "ok installed"; then
|
||||||
echo " installed!"
|
echo " already installed!"
|
||||||
else
|
else
|
||||||
TO_INSTALL+=("${i}")
|
echo " not installed!"
|
||||||
echo " not installed!"
|
# Add this package to the list of packages in the argument array that need to be installed
|
||||||
fi
|
TO_INSTALL+=("${i}")
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
if command -v debconf-apt-progress &> /dev/null; then
|
if command -v debconf-apt-progress > /dev/null; then
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
$SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}"
|
$SUDO debconf-apt-progress -- ${PKG_INSTALL} "${TO_INSTALL[@]}"
|
||||||
else
|
else
|
||||||
${PKG_INSTALL} "${argArray1[@]}"
|
# shellcheck disable=SC2086
|
||||||
|
$SUDO ${PKG_INSTALL} "${TO_INSTALL[@]}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
local FAILED=0
|
||||||
|
|
||||||
|
for i in "${TO_INSTALL[@]}"; do
|
||||||
|
if dpkg-query -W -f='${Status}' "${i}" 2>/dev/null | grep -q "ok installed"; then
|
||||||
|
echo "::: Package $i successfully installed!"
|
||||||
|
# Add this package to the total list of packages that were actually installed by the script
|
||||||
|
INSTALLED_PACKAGES+=("${i}")
|
||||||
|
else
|
||||||
|
echo "::: Failed to install $i!"
|
||||||
|
((FAILED++))
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ "$FAILED" -gt 0 ]; then
|
||||||
|
exit 1
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
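Review bot: `((FAILED++))` in the post-install verification loop returns exit status 1 when FAILED is still 0 (the value of the expression before the increment), so under `set -e` — which the `# No spinner - conflicts with set -e` comment at the top of the function suggests is active — the first package that fails to install aborts the script before the remaining packages are reported and before the explicit `exit 1`; `FAILED=$((FAILED + 1))` has the same effect without a non-zero status. The same construct is introduced in the getStaticIPv4Settings hunk as `((MISSING_STATIC_IPV4_SETTINGS++))`, where it would end the script on the first missing setting instead of reaching the `-eq 1` / `-eq 2` branches that report the problem or fall back to the current address. The install step also runs unconditionally: when every package is already present, TO_INSTALL is empty, apt is invoked with no package names, and `"${TO_INSTALL[@]}"` on an empty array is an unbound-variable error under `set -u` on bash older than 4.4; an early `if [ "${#TO_INSTALL[@]}" -eq 0 ]; then return; fi` after the first loop avoids both.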
|
@ -507,6 +523,9 @@ local chooseInterfaceOptions
|
||||||
# Loop sentinel variable
|
# Loop sentinel variable
|
||||||
local firstloop=1
|
local firstloop=1
|
||||||
|
|
||||||
|
# Find network interfaces whose state is UP, so as to skip virtual interfaces and the loopback interface
|
||||||
|
availableInterfaces=$(ip -o link | awk '/state UP/ {print $2}' | cut -d':' -f1 | cut -d'@' -f1)
|
||||||
|
|
||||||
if [ -z "$availableInterfaces" ]; then
|
if [ -z "$availableInterfaces" ]; then
|
||||||
echo "::: Could not find any active network interface, exiting"
|
echo "::: Could not find any active network interface, exiting"
|
||||||
exit 1
|
exit 1
|
||||||
|
@ -580,7 +599,7 @@ validIP(){
|
||||||
if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
|
if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
|
||||||
OIFS=$IFS
|
OIFS=$IFS
|
||||||
IFS='.'
|
IFS='.'
|
||||||
read -r -a ip <<< "$ip"
|
read -r -a ip <<< "$ip"
|
||||||
IFS=$OIFS
|
IFS=$OIFS
|
||||||
[[ ${ip[0]} -le 255 && ${ip[1]} -le 255 \
|
[[ ${ip[0]} -le 255 && ${ip[1]} -le 255 \
|
||||||
&& ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
|
&& ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
|
||||||
|
@ -589,39 +608,56 @@ validIP(){
|
||||||
return $stat
|
return $stat
|
||||||
}
|
}
|
||||||
|
|
||||||
|
validIPAndNetmask(){
|
||||||
|
local ip=$1
|
||||||
|
local stat=1
|
||||||
|
ip="${ip/\//.}"
|
||||||
|
|
||||||
|
if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,2}$ ]]; then
|
||||||
|
OIFS=$IFS
|
||||||
|
IFS='.'
|
||||||
|
read -r -a ip <<< "$ip"
|
||||||
|
IFS=$OIFS
|
||||||
|
[[ ${ip[0]} -le 255 && ${ip[1]} -le 255 \
|
||||||
|
&& ${ip[2]} -le 255 && ${ip[3]} -le 255 \
|
||||||
|
&& ${ip[4]} -le 32 ]]
|
||||||
|
stat=$?
|
||||||
|
fi
|
||||||
|
return $stat
|
||||||
|
}
|
||||||
|
|
||||||
getStaticIPv4Settings() {
|
getStaticIPv4Settings() {
|
||||||
# Grab their current DNS Server
|
# Find the gateway IP used to route to outside world
|
||||||
IPv4dns=$(grep nameserver /etc/resolv.conf | awk '{print $2}' | xargs)
|
CurrentIPv4gw="$(ip -o route get 192.0.2.1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk 'NR==2')"
|
||||||
|
|
||||||
|
# Find the IP address (and netmask) of the desidered interface
|
||||||
|
CurrentIPv4addr="$(ip -o -f inet address show dev "${IPv4dev}" | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/[0-9]{1,2}')"
|
||||||
|
|
||||||
|
# Grab their current DNS servers
|
||||||
|
IPv4dns=$(grep -v "^#" /etc/resolv.conf | grep -w nameserver | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | xargs)
|
||||||
|
|
||||||
if [ "${runUnattended}" = 'true' ]; then
|
if [ "${runUnattended}" = 'true' ]; then
|
||||||
|
|
||||||
if [ -z "$dhcpReserv" ] || [ "$dhcpReserv" -ne 1 ]; then
|
if [ -z "$dhcpReserv" ] || [ "$dhcpReserv" -ne 1 ]; then
|
||||||
local INVALID_STATIC_IPV4_SETTINGS=0
|
local MISSING_STATIC_IPV4_SETTINGS=0
|
||||||
|
|
||||||
if [ -z "$IPv4addr" ]; then
|
if [ -z "$IPv4addr" ]; then
|
||||||
echo "::: Missing static IP address"
|
echo "::: Missing static IP address"
|
||||||
INVALID_STATIC_IPV4_SETTINGS=1
|
((MISSING_STATIC_IPV4_SETTINGS++))
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$IPv4gw" ]; then
|
if [ -z "$IPv4gw" ]; then
|
||||||
echo "::: Missing static IP gateway"
|
echo "::: Missing static IP gateway"
|
||||||
INVALID_STATIC_IPV4_SETTINGS=1
|
((MISSING_STATIC_IPV4_SETTINGS++))
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$INVALID_STATIC_IPV4_SETTINGS" -eq 1 ]; then
|
if [ "$MISSING_STATIC_IPV4_SETTINGS" -eq 0 ]; then
|
||||||
echo "::: Incomplete static IP settings"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -z "$IPv4addr" ] && [ -z "$IPv4gw" ]; then
|
# If both settings are not empty, check if they are valid and proceed
|
||||||
echo "::: No static IP settings, using current settings"
|
if validIPAndNetmask "${IPv4addr}"; then
|
||||||
echo "::: Your static IPv4 address: ${IPv4addr}"
|
|
||||||
echo "::: Your static IPv4 gateway: ${IPv4gw}"
|
|
||||||
else
|
|
||||||
if validIP "${IPv4addr%/*}"; then
|
|
||||||
echo "::: Your static IPv4 address: ${IPv4addr}"
|
echo "::: Your static IPv4 address: ${IPv4addr}"
|
||||||
else
|
else
|
||||||
echo "::: ${IPv4addr%/*} is not a valid IP address"
|
echo "::: ${IPv4addr} is not a valid IP address"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -631,26 +667,45 @@ getStaticIPv4Settings() {
|
||||||
echo "::: ${IPv4gw} is not a valid IP address"
|
echo "::: ${IPv4gw} is not a valid IP address"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
elif [ "$MISSING_STATIC_IPV4_SETTINGS" -eq 1 ]; then
|
||||||
|
|
||||||
|
# If either of the settings is missing, consider the input inconsistent
|
||||||
|
echo "::: Incomplete static IP settings"
|
||||||
|
exit 1
|
||||||
|
|
||||||
|
elif [ "$MISSING_STATIC_IPV4_SETTINGS" -eq 2 ]; then
|
||||||
|
|
||||||
|
# If both of the settings are missing, assume the user wants to use current settings
|
||||||
|
IPv4addr="${CurrentIPv4addr}"
|
||||||
|
IPv4gw="${CurrentIPv4gw}"
|
||||||
|
echo "::: No static IP settings, using current settings"
|
||||||
|
echo "::: Your static IPv4 address: ${IPv4addr}"
|
||||||
|
echo "::: Your static IPv4 gateway: ${IPv4gw}"
|
||||||
|
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
echo "::: Skipping setting static IP address"
|
echo "::: Skipping setting static IP address"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "dhcpReserv=${dhcpReserv}" >> /tmp/setupVars.conf
|
echo "dhcpReserv=${dhcpReserv}" >> /tmp/setupVars.conf
|
||||||
echo "IPv4addr=${IPv4addr%/*}" >> /tmp/setupVars.conf
|
echo "IPv4addr=${IPv4addr}" >> /tmp/setupVars.conf
|
||||||
echo "IPv4gw=${IPv4gw}" >> /tmp/setupVars.conf
|
echo "IPv4gw=${IPv4gw}" >> /tmp/setupVars.conf
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
|
|
||||||
local ipSettingsCorrect
|
local ipSettingsCorrect
|
||||||
|
local IPv4AddrValid
|
||||||
|
local IPv4gwValid
|
||||||
# Some users reserve IP addresses on another DHCP Server or on their routers,
|
# Some users reserve IP addresses on another DHCP Server or on their routers,
|
||||||
# Lets ask them if they want to make any changes to their interfaces.
|
# Lets ask them if they want to make any changes to their interfaces.
|
||||||
if (whiptail --backtitle "Calibrating network interface" --title "DHCP Reservation" --yesno \
|
|
||||||
|
if (whiptail --backtitle "Calibrating network interface" --title "DHCP Reservation" --yesno --defaultno \
|
||||||
"Are you Using DHCP Reservation on your Router/DHCP Server?
|
"Are you Using DHCP Reservation on your Router/DHCP Server?
|
||||||
These are your current Network Settings:
|
These are your current Network Settings:
|
||||||
|
|
||||||
IP address: ${IPv4addr}
|
IP address: ${CurrentIPv4addr}
|
||||||
Gateway: ${IPv4gw}
|
Gateway: ${CurrentIPv4gw}
|
||||||
|
|
||||||
Yes: Keep using DHCP reservation
|
Yes: Keep using DHCP reservation
|
||||||
No: Setup static IP address
|
No: Setup static IP address
|
||||||
|
@ -658,56 +713,82 @@ Don't know what DHCP Reservation is? Answer No." ${r} ${c}); then
|
||||||
dhcpReserv=1
|
dhcpReserv=1
|
||||||
# shellcheck disable=SC2129
|
# shellcheck disable=SC2129
|
||||||
echo "dhcpReserv=${dhcpReserv}" >> /tmp/setupVars.conf
|
echo "dhcpReserv=${dhcpReserv}" >> /tmp/setupVars.conf
|
||||||
echo "IPv4addr=${IPv4addr%/*}" >> /tmp/setupVars.conf
|
# We don't really need to save them as we won't set a static IP but they might be useful for debugging
|
||||||
echo "IPv4gw=${IPv4gw}" >> /tmp/setupVars.conf
|
echo "IPv4addr=${CurrentIPv4addr}" >> /tmp/setupVars.conf
|
||||||
|
echo "IPv4gw=${CurrentIPv4gw}" >> /tmp/setupVars.conf
|
||||||
else
|
else
|
||||||
# Ask if the user wants to use DHCP settings as their static IP
|
# Ask if the user wants to use DHCP settings as their static IP
|
||||||
if (whiptail --backtitle "Calibrating network interface" --title "Static IP Address" --yesno "Do you want to use your current network settings as a static address?
|
if (whiptail --backtitle "Calibrating network interface" --title "Static IP Address" --yesno "Do you want to use your current network settings as a static address?
|
||||||
IP address: ${IPv4addr}
|
|
||||||
Gateway: ${IPv4gw}" ${r} ${c}); then
|
|
||||||
|
|
||||||
echo "IPv4addr=${IPv4addr%/*}" >> /tmp/setupVars.conf
|
IP address: ${CurrentIPv4addr}
|
||||||
echo "IPv4gw=${IPv4gw}" >> /tmp/setupVars.conf
|
Gateway: ${CurrentIPv4gw}" ${r} ${c}); then
|
||||||
# If they choose yes, let the user know that the IP address will not be available via DHCP and may cause a conflict.
|
IPv4addr=${CurrentIPv4addr}
|
||||||
whiptail --msgbox --backtitle "IP information" --title "FYI: IP Conflict" "It is possible your router could still try to assign this IP to a device, which would cause a conflict. But in most cases the router is smart enough to not do that.
|
IPv4gw=${CurrentIPv4gw}
|
||||||
|
echo "IPv4addr=${IPv4addr}" >> /tmp/setupVars.conf
|
||||||
|
echo "IPv4gw=${IPv4gw}" >> /tmp/setupVars.conf
|
||||||
|
|
||||||
|
# If they choose yes, let the user know that the IP address will not be available via DHCP and may cause a conflict.
|
||||||
|
whiptail --msgbox --backtitle "IP information" --title "FYI: IP Conflict" "It is possible your router could still try to assign this IP to a device, which would cause a conflict. But in most cases the router is smart enough to not do that.
|
||||||
If you are worried, either manually set the address, or modify the DHCP reservation pool so it does not include the IP you want.
|
If you are worried, either manually set the address, or modify the DHCP reservation pool so it does not include the IP you want.
|
||||||
It is also possible to use a DHCP reservation, but if you are going to do that, you might as well set a static address." ${r} ${c}
|
It is also possible to use a DHCP reservation, but if you are going to do that, you might as well set a static address." ${r} ${c}
|
||||||
# Nothing else to do since the variables are already set above
|
# Nothing else to do since the variables are already set above
|
||||||
else
|
else
|
||||||
# Otherwise, we need to ask the user to input their desired settings.
|
# Otherwise, we need to ask the user to input their desired settings.
|
||||||
# Start by getting the IPv4 address (pre-filling it with info gathered from DHCP)
|
# Start by getting the IPv4 address (pre-filling it with info gathered from DHCP)
|
||||||
# Start a loop to let the user enter their information with the chance to go back and edit it if necessary
|
# Start a loop to let the user enter their information with the chance to go back and edit it if necessary
|
||||||
until [[ ${ipSettingsCorrect} = True ]]; do
|
until [[ ${ipSettingsCorrect} = True ]]; do
|
||||||
# Ask for the IPv4 address
|
|
||||||
if IPv4addr=$(whiptail --backtitle "Calibrating network interface" --title "IPv4 address" --inputbox "Enter your desired IPv4 address" ${r} ${c} "${IPv4addr}" 3>&1 1>&2 2>&3) ; then
|
until [[ ${IPv4AddrValid} = True ]]; do
|
||||||
echo "::: Your static IPv4 address: ${IPv4addr}"
|
# Ask for the IPv4 address
|
||||||
# Ask for the gateway
|
if IPv4addr=$(whiptail --backtitle "Calibrating network interface" --title "IPv4 address" --inputbox "Enter your desired IPv4 address" ${r} ${c} "${CurrentIPv4addr}" 3>&1 1>&2 2>&3) ; then
|
||||||
if IPv4gw=$(whiptail --backtitle "Calibrating network interface" --title "IPv4 gateway (router)" --inputbox "Enter your desired IPv4 default gateway" ${r} ${c} "${IPv4gw}" 3>&1 1>&2 2>&3) ; then
|
if validIPAndNetmask "${IPv4addr}"; then
|
||||||
echo "::: Your static IPv4 gateway: ${IPv4gw}"
|
echo "::: Your static IPv4 address: ${IPv4addr}"
|
||||||
# Give the user a chance to review their settings before moving on
|
IPv4AddrValid=True
|
||||||
if (whiptail --backtitle "Calibrating network interface" --title "Static IP Address" --yesno "Are these settings correct?
|
|
||||||
IP address: ${IPv4addr}
|
|
||||||
Gateway: ${IPv4gw}" ${r} ${c}); then
|
|
||||||
# If the settings are correct, then we need to set the pivpnIP
|
|
||||||
echo "IPv4addr=${IPv4addr%/*}" >> /tmp/setupVars.conf
|
|
||||||
echo "IPv4gw=${IPv4gw}" >> /tmp/setupVars.conf
|
|
||||||
# After that's done, the loop ends and we move on
|
|
||||||
ipSettingsCorrect=True
|
|
||||||
else
|
else
|
||||||
# If the settings are wrong, the loop continues
|
whiptail --msgbox --backtitle "Calibrating network interface" --title "IPv4 address" "You've entered an invalid IP address: ${IPv4addr}\\n\\nPlease enter an IP address in the CIDR notation, example: 192.168.23.211/24\\n\\nIf you are not sure, please just keep the default." ${r} ${c}
|
||||||
ipSettingsCorrect=False
|
echo "::: Invalid IPv4 address: ${IPv4addr}"
|
||||||
|
IPv4AddrValid=False
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
# Cancelling gateway settings window
|
# Cancelling IPv4 settings window
|
||||||
ipSettingsCorrect=False
|
|
||||||
echo "::: Cancel selected. Exiting..."
|
echo "::: Cancel selected. Exiting..."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
until [[ ${IPv4gwValid} = True ]]; do
|
||||||
|
# Ask for the gateway
|
||||||
|
if IPv4gw=$(whiptail --backtitle "Calibrating network interface" --title "IPv4 gateway (router)" --inputbox "Enter your desired IPv4 default gateway" ${r} ${c} "${CurrentIPv4gw}" 3>&1 1>&2 2>&3) ; then
|
||||||
|
if validIP "${IPv4gw}"; then
|
||||||
|
echo "::: Your static IPv4 gateway: ${IPv4gw}"
|
||||||
|
IPv4gwValid=True
|
||||||
|
else
|
||||||
|
whiptail --msgbox --backtitle "Calibrating network interface" --title "IPv4 gateway (router)" "You've entered an invalid gateway IP: ${IPv4gw}\\n\\nPlease enter the IP address of your gateway (router), example: 192.168.23.1\\n\\nIf you are not sure, please just keep the default." ${r} ${c}
|
||||||
|
echo "::: Invalid IPv4 gateway: ${IPv4gw}"
|
||||||
|
IPv4gwValid=False
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
# Cancelling gateway settings window
|
||||||
|
echo "::: Cancel selected. Exiting..."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
# Give the user a chance to review their settings before moving on
|
||||||
|
if (whiptail --backtitle "Calibrating network interface" --title "Static IP Address" --yesno "Are these settings correct?
|
||||||
|
|
||||||
|
IP address: ${IPv4addr}
|
||||||
|
Gateway: ${IPv4gw}" ${r} ${c}); then
|
||||||
|
# If the settings are correct, then we need to set the pivpnIP
|
||||||
|
echo "IPv4addr=${IPv4addr}" >> /tmp/setupVars.conf
|
||||||
|
echo "IPv4gw=${IPv4gw}" >> /tmp/setupVars.conf
|
||||||
|
# After that's done, the loop ends and we move on
|
||||||
|
ipSettingsCorrect=True
|
||||||
else
|
else
|
||||||
# Cancelling IPv4 settings window
|
# If the settings are wrong, the loop continues
|
||||||
ipSettingsCorrect=False
|
ipSettingsCorrect=False
|
||||||
echo "::: Cancel selected. Exiting..."
|
IPv4AddrValid=False
|
||||||
exit 1
|
IPv4gwValid=False
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
# End the if statement for DHCP vs. static
|
# End the if statement for DHCP vs. static
|
||||||
|
@ -964,18 +1045,29 @@ askWhichVPN(){
|
||||||
installOpenVPN(){
|
installOpenVPN(){
|
||||||
local PIVPN_DEPS
|
local PIVPN_DEPS
|
||||||
|
|
||||||
|
echo "::: Installing OpenVPN from Debian package... "
|
||||||
|
|
||||||
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
|
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
|
||||||
echo "::: Adding OpenVPN repository... "
|
|
||||||
# gnupg is used to add the openvpn PGP key to the APT keyring
|
# gnupg is used to add the openvpn PGP key to the APT keyring
|
||||||
PIVPN_DEPS=(gnupg)
|
PIVPN_DEPS=(gnupg)
|
||||||
installDependentPackages PIVPN_DEPS[@]
|
installDependentPackages PIVPN_DEPS[@]
|
||||||
|
|
||||||
|
# We will download the repository key regardless of whether the user
|
||||||
|
# has already enabled the openvpn repository or not, just to make sure
|
||||||
|
# we have the right key
|
||||||
|
echo "::: Adding repository key..."
|
||||||
wget -qO- https://swupdate.openvpn.net/repos/repo-public.gpg | $SUDO apt-key add -
|
wget -qO- https://swupdate.openvpn.net/repos/repo-public.gpg | $SUDO apt-key add -
|
||||||
echo "deb https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null
|
|
||||||
|
if ! grep -qR "deb http.\?://build.openvpn.net/debian/openvpn/stable.\? $OSCN main" /etc/apt/sources.list*; then
|
||||||
|
echo "::: Adding OpenVPN repository... "
|
||||||
|
echo "deb https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "::: Updating package cache..."
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null
|
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "::: Installing OpenVPN from Debian package... "
|
|
||||||
# grepcidr is used to redact IPs in the debug log whereas expect is used
|
# grepcidr is used to redact IPs in the debug log whereas expect is used
|
||||||
# to feed easy-rsa with passwords
|
# to feed easy-rsa with passwords
|
||||||
PIVPN_DEPS=(openvpn grepcidr expect)
|
PIVPN_DEPS=(openvpn grepcidr expect)
|
||||||
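Review bot: The presence check `grep -qR "deb http.\?://build.openvpn.net/debian/openvpn/stable.\? $OSCN main" /etc/apt/sources.list*` also matches an existing plain-`http://` entry, so on a system that already carries the repository over HTTP the `https://` line is never written and packages keep being fetched over the unencrypted transport; matching `https://` only would keep the transport the script intends. Separately, `wget -qO- … | $SUDO apt-key add -` imports the key into apt's global keyring, where it is trusted for every configured source, not only the OpenVPN repository; where the target releases support it, storing the key in its own file and referencing it with `[signed-by=…]` in the sources entry scopes that trust, and a comment such as `# apt-key trusts this key for all sources, not just the OpenVPN repo` would at least record the consequence for the next maintainer. The installOpenVPN function continues outside the hunk.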
|
@ -983,6 +1075,8 @@ installOpenVPN(){
|
||||||
}
|
}
|
||||||
|
|
||||||
installWireGuard(){
|
installWireGuard(){
|
||||||
|
local PIVPN_DEPS
|
||||||
|
|
||||||
if [ "$PLAT" = "Raspbian" ]; then
|
if [ "$PLAT" = "Raspbian" ]; then
|
||||||
|
|
||||||
# If the running kernel is older than the kernel from the repo, dkms will
|
# If the running kernel is older than the kernel from the repo, dkms will
|
||||||
|
@ -1036,19 +1130,28 @@ installWireGuard(){
|
||||||
if [ "$(uname -m)" = "armv7l" ]; then
|
if [ "$(uname -m)" = "armv7l" ]; then
|
||||||
|
|
||||||
echo "::: Installing WireGuard from Debian package... "
|
echo "::: Installing WireGuard from Debian package... "
|
||||||
# dirmngr is used to download repository keys, whereas qrencode is used to generate qrcodes
|
# dirmngr is used to download repository keys for the unstable repo
|
||||||
# from config file, for use with mobile clients
|
PIVPN_DEPS=(dirmngr)
|
||||||
PIVPN_DEPS=(dirmngr qrencode)
|
|
||||||
installDependentPackages PIVPN_DEPS[@]
|
installDependentPackages PIVPN_DEPS[@]
|
||||||
|
|
||||||
|
echo "::: Adding repository keys..."
|
||||||
|
$SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
|
||||||
|
|
||||||
|
# This regular expression should match combinations like http[s]://mirror.example.com/debian[/] unstable main
|
||||||
|
if ! grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then
|
||||||
|
echo "::: Adding Debian repository... "
|
||||||
|
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
|
||||||
|
fi
|
||||||
|
|
||||||
# Do not upgrade packages from the unstable repository except for wireguard
|
# Do not upgrade packages from the unstable repository except for wireguard
|
||||||
echo "::: Adding Debian repository... "
|
|
||||||
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
|
|
||||||
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release a=unstable\nPin-Priority: 500\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
|
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release a=unstable\nPin-Priority: 500\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
|
||||||
|
|
||||||
$SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
|
echo "::: Updating package cache..."
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null
|
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||||
PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms)
|
|
||||||
|
# qrencode is used to generate qrcodes from config file, for use with mobile clients
|
||||||
|
PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms qrencode)
|
||||||
installDependentPackages PIVPN_DEPS[@]
|
installDependentPackages PIVPN_DEPS[@]
|
||||||
|
|
||||||
elif [ "$(uname -m)" = "armv6l" ]; then
|
elif [ "$(uname -m)" = "armv6l" ]; then
|
||||||
|
@ -1064,7 +1167,7 @@ installWireGuard(){
|
||||||
WG_TOOLS_SOURCE="https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${WG_TOOLS_SNAPSHOT}.tar.xz"
|
WG_TOOLS_SOURCE="https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${WG_TOOLS_SNAPSHOT}.tar.xz"
|
||||||
|
|
||||||
echo "::: Downloading wireguard-tools source code... "
|
echo "::: Downloading wireguard-tools source code... "
|
||||||
wget -qO- "${WG_TOOLS_SOURCE}" | $SUDO tar Jxf - --directory /usr/src
|
wget -qO- "${WG_TOOLS_SOURCE}" | $SUDO tar xJ --directory /usr/src
|
||||||
echo "done!"
|
echo "done!"
|
||||||
|
|
||||||
## || exits if cd fails.
|
## || exits if cd fails.
|
||||||
|
@ -1085,7 +1188,7 @@ installWireGuard(){
|
||||||
# files from the file system
|
# files from the file system
|
||||||
echo "::: Installing WireGuard tools... "
|
echo "::: Installing WireGuard tools... "
|
||||||
if $SUDO checkinstall --pkgname wireguard-tools --pkgversion "${WG_TOOLS_SNAPSHOT}" -y; then
|
if $SUDO checkinstall --pkgname wireguard-tools --pkgversion "${WG_TOOLS_SNAPSHOT}" -y; then
|
||||||
TO_INSTALL+=("wireguard-tools")
|
INSTALLED_PACKAGES+=("wireguard-tools")
|
||||||
echo "done!"
|
echo "done!"
|
||||||
else
|
else
|
||||||
echo "failed!"
|
echo "failed!"
|
||||||
|
@ -1098,16 +1201,16 @@ installWireGuard(){
|
||||||
WG_MODULE_SOURCE="https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WG_MODULE_SNAPSHOT}.tar.xz"
|
WG_MODULE_SOURCE="https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WG_MODULE_SNAPSHOT}.tar.xz"
|
||||||
|
|
||||||
echo "::: Downloading wireguard-linux-compat source code... "
|
echo "::: Downloading wireguard-linux-compat source code... "
|
||||||
wget -qO- "${WG_MODULE_SOURCE}" | $SUDO tar Jxf - --directory /usr/src
|
wget -qO- "${WG_MODULE_SOURCE}" | $SUDO tar xJ --directory /usr/src
|
||||||
echo "done!"
|
echo "done!"
|
||||||
|
|
||||||
# Rename wireguard-linux-compat folder and move the source code to the parent folder
|
# Rename wireguard-linux-compat folder and move the source code to the parent folder
|
||||||
# such that dkms picks up the module when referencing wireguard/"${WG_MODULE_SNAPSHOT}"
|
# such that dkms picks up the module when referencing wireguard/"${WG_MODULE_SNAPSHOT}"
|
||||||
cd /usr/src && \
|
cd /usr/src && \
|
||||||
$SUDO mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}"
|
$SUDO mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}" && \
|
||||||
cd wireguard-"${WG_MODULE_SNAPSHOT}" && \
|
cd wireguard-"${WG_MODULE_SNAPSHOT}" && \
|
||||||
$SUDO mv src/* . && \
|
$SUDO mv src/* . && \
|
||||||
$SUDO rmdir src
|
$SUDO rmdir src || exit 1
|
||||||
|
|
||||||
echo "::: Adding WireGuard modules via DKMS... "
|
echo "::: Adding WireGuard modules via DKMS... "
|
||||||
if $SUDO dkms add wireguard/"${WG_MODULE_SNAPSHOT}"; then
|
if $SUDO dkms add wireguard/"${WG_MODULE_SNAPSHOT}"; then
|
||||||
|
@ -1129,7 +1232,7 @@ installWireGuard(){
|
||||||
|
|
||||||
echo "::: Installing WireGuard modules via DKMS... "
|
echo "::: Installing WireGuard modules via DKMS... "
|
||||||
if $SUDO dkms install wireguard/"${WG_MODULE_SNAPSHOT}"; then
|
if $SUDO dkms install wireguard/"${WG_MODULE_SNAPSHOT}"; then
|
||||||
TO_INSTALL+=("wireguard-dkms")
|
INSTALLED_PACKAGES+=("wireguard-dkms")
|
||||||
echo "done!"
|
echo "done!"
|
||||||
else
|
else
|
||||||
echo "failed!"
|
echo "failed!"
|
||||||
|
@ -1144,11 +1247,17 @@ installWireGuard(){
|
||||||
elif [ "$PLAT" = "Debian" ]; then
|
elif [ "$PLAT" = "Debian" ]; then
|
||||||
|
|
||||||
echo "::: Installing WireGuard from Debian package... "
|
echo "::: Installing WireGuard from Debian package... "
|
||||||
echo "::: Adding Debian repository... "
|
if ! grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then
|
||||||
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
|
echo "::: Adding Debian repository... "
|
||||||
|
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
|
||||||
|
fi
|
||||||
|
|
||||||
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
|
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
|
||||||
# shellcheck disable=SC2086
|
|
||||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null
|
echo "::: Updating package cache..."
|
||||||
|
# shellcheck disable=SC2086
|
||||||
|
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||||
|
|
||||||
PIVPN_DEPS=(linux-headers-amd64 qrencode wireguard wireguard-tools wireguard-dkms)
|
PIVPN_DEPS=(linux-headers-amd64 qrencode wireguard wireguard-tools wireguard-dkms)
|
||||||
installDependentPackages PIVPN_DEPS[@]
|
installDependentPackages PIVPN_DEPS[@]
|
||||||
|
|
||||||
|
@ -1156,7 +1265,11 @@ installWireGuard(){
|
||||||
|
|
||||||
echo "::: Installing WireGuard from PPA... "
|
echo "::: Installing WireGuard from PPA... "
|
||||||
$SUDO add-apt-repository ppa:wireguard/wireguard -y
|
$SUDO add-apt-repository ppa:wireguard/wireguard -y
|
||||||
$SUDO ${UPDATE_PKG_CACHE}
|
|
||||||
|
echo "::: Updating package cache..."
|
||||||
|
# shellcheck disable=SC2086
|
||||||
|
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||||
|
|
||||||
PIVPN_DEPS=(qrencode wireguard wireguard-tools wireguard-dkms linux-headers-generic)
|
PIVPN_DEPS=(qrencode wireguard wireguard-tools wireguard-dkms linux-headers-generic)
|
||||||
installDependentPackages PIVPN_DEPS[@]
|
installDependentPackages PIVPN_DEPS[@]
|
||||||
|
|
||||||
|
@ -1302,11 +1415,10 @@ askClientDNS(){
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Detect and offer to use Pi-hole
|
# Detect and offer to use Pi-hole
|
||||||
if command -v pihole &>/dev/null; then
|
if command -v pihole > /dev/null; then
|
||||||
if (whiptail --backtitle "Setup PiVPN" --title "Pi-hole" --yesno "We have detected a Pi-hole installation, do you want to use it as the DNS server for the VPN, so you get ad blocking on the go?" ${r} ${c}); then
|
if (whiptail --backtitle "Setup PiVPN" --title "Pi-hole" --yesno "We have detected a Pi-hole installation, do you want to use it as the DNS server for the VPN, so you get ad blocking on the go?" ${r} ${c}); then
|
||||||
pivpnDNS1="$vpnGw"
|
pivpnDNS1="$vpnGw"
|
||||||
echo "interface=$pivpnDEV" | $SUDO tee /etc/dnsmasq.d/02-pivpn.conf > /dev/null
|
echo "interface=$pivpnDEV" | $SUDO tee /etc/dnsmasq.d/02-pivpn.conf > /dev/null
|
||||||
$SUDO pihole restartdns
|
|
||||||
echo "pivpnDNS1=${pivpnDNS1}" >> /tmp/setupVars.conf
|
echo "pivpnDNS1=${pivpnDNS1}" >> /tmp/setupVars.conf
|
||||||
echo "pivpnDNS2=${pivpnDNS2}" >> /tmp/setupVars.conf
|
echo "pivpnDNS2=${pivpnDNS2}" >> /tmp/setupVars.conf
|
||||||
return
|
return
|
||||||
|
@ -1480,36 +1592,46 @@ askPublicIPOrDNS(){
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
|
|
||||||
METH=$(whiptail --title "Public IP or DNS" --radiolist "Will clients use a Public IP or DNS Name to connect to your server (press space to select)?" ${r} ${c} 2 \
|
local publicDNSCorrect
|
||||||
"$IPv4pub" "Use this public IP" "ON" \
|
local publicDNSValid
|
||||||
"DNS Entry" "Use a public DNS" "OFF" 3>&1 1>&2 2>&3)
|
|
||||||
|
|
||||||
exitstatus=$?
|
if METH=$(whiptail --title "Public IP or DNS" --radiolist "Will clients use a Public IP or DNS Name to connect to your server (press space to select)?" ${r} ${c} 2 \
|
||||||
if [ $exitstatus != 0 ]; then
|
"$IPv4pub" "Use this public IP" "ON" \
|
||||||
|
"DNS Entry" "Use a public DNS" "OFF" 3>&1 1>&2 2>&3); then
|
||||||
|
|
||||||
|
if [ "$METH" = "$IPv4pub" ]; then
|
||||||
|
pivpnHOST="${IPv4pub}"
|
||||||
|
else
|
||||||
|
until [[ ${publicDNSCorrect} = True ]]; do
|
||||||
|
|
||||||
|
until [[ ${publicDNSValid} = True ]]; do
|
||||||
|
if PUBLICDNS=$(whiptail --title "PiVPN Setup" --inputbox "What is the public DNS name of this Server?" ${r} ${c} 3>&1 1>&2 2>&3); then
|
||||||
|
if validDomain "$PUBLICDNS"; then
|
||||||
|
publicDNSValid=True
|
||||||
|
pivpnHOST="${PUBLICDNS}"
|
||||||
|
else
|
||||||
|
whiptail --msgbox --backtitle "PiVPN Setup" --title "Invalid DNS name" "This DNS name is invalid. Please try again.\\n\\n DNS name: $PUBLICDNS\\n" ${r} ${c}
|
||||||
|
publicDNSValid=False
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo "::: Cancel selected. Exiting..."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if (whiptail --backtitle "PiVPN Setup" --title "Confirm DNS Name" --yesno "Is this correct?\\n\\n Public DNS Name: $PUBLICDNS" ${r} ${c}) then
|
||||||
|
publicDNSCorrect=True
|
||||||
|
else
|
||||||
|
publicDNSCorrect=False
|
||||||
|
publicDNSValid=False
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
else
|
||||||
echo "::: Cancel selected. Exiting..."
|
echo "::: Cancel selected. Exiting..."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$METH" == "$IPv4pub" ]; then
|
|
||||||
pivpnHOST="${IPv4pub}"
|
|
||||||
else
|
|
||||||
until [[ $publicDNSCorrect = True ]]
|
|
||||||
do
|
|
||||||
PUBLICDNS=$(whiptail --title "PiVPN Setup" --inputbox "What is the public DNS name of this Server?" ${r} ${c} 3>&1 1>&2 2>&3)
|
|
||||||
exitstatus=$?
|
|
||||||
if [ $exitstatus != 0 ]; then
|
|
||||||
echo "::: Cancel selected. Exiting..."
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
if (whiptail --backtitle "Confirm DNS Name" --title "Confirm DNS Name" --yesno "Is this correct?\\n\\n Public DNS Name: $PUBLICDNS" ${r} ${c}) then
|
|
||||||
publicDNSCorrect=True
|
|
||||||
pivpnHOST="${PUBLICDNS}"
|
|
||||||
else
|
|
||||||
publicDNSCorrect=False
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "pivpnHOST=${pivpnHOST}" >> /tmp/setupVars.conf
|
echo "pivpnHOST=${pivpnHOST}" >> /tmp/setupVars.conf
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1547,17 +1669,21 @@ askEncryption(){
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$DOWNLOAD_DH_PARAM" ] || [ "$DOWNLOAD_DH_PARAM" -ne 1 ]; then
|
if [ -z "$USE_PREDEFINED_DH_PARAM" ]; then
|
||||||
DOWNLOAD_DH_PARAM=0
|
USE_PREDEFINED_DH_PARAM=1
|
||||||
echo "::: DH parameters will be generated locally"
|
echo "::: Pre-defined DH parameters will be used"
|
||||||
else
|
else
|
||||||
echo "::: DH parameters will be downloaded from \"2 Ton Digital\""
|
if [ "$USE_PREDEFINED_DH_PARAM" -eq 1 ]; then
|
||||||
|
echo "::: Pre-defined DH parameters will be used"
|
||||||
|
else
|
||||||
|
echo "::: DH parameters will be generated locally"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "TWO_POINT_FOUR=${TWO_POINT_FOUR}" >> /tmp/setupVars.conf
|
echo "TWO_POINT_FOUR=${TWO_POINT_FOUR}" >> /tmp/setupVars.conf
|
||||||
echo "pivpnENCRYPT=${pivpnENCRYPT}" >> /tmp/setupVars.conf
|
echo "pivpnENCRYPT=${pivpnENCRYPT}" >> /tmp/setupVars.conf
|
||||||
echo "DOWNLOAD_DH_PARAM=${DOWNLOAD_DH_PARAM}" >> /tmp/setupVars.conf
|
echo "USE_PREDEFINED_DH_PARAM=${USE_PREDEFINED_DH_PARAM}" >> /tmp/setupVars.conf
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -1583,15 +1709,15 @@ askEncryption(){
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ([ "$pivpnENCRYPT" -ge 3072 ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\\n\\nGenerating DH parameters for a $pivpnENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from their database.\\nMore information about this service can be found here: https://2ton.com.au/safeprimes/\\n\\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then
|
if ([ "$pivpnENCRYPT" -ge 2048 ] && whiptail --backtitle "Setup OpenVPN" --title "Generate Diffie-Hellman Parameters" --yesno "Generating DH parameters can take many hours on a Raspberry Pi. You can instead use Pre-defined DH parameters recommended by the Internet Engineering Task Force.\\n\\nMore information about those can be found here: https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups\\n\\nIf you want unique parameters, choose 'No' and new Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then
|
||||||
DOWNLOAD_DH_PARAM=1
|
USE_PREDEFINED_DH_PARAM=1
|
||||||
else
|
else
|
||||||
DOWNLOAD_DH_PARAM=0
|
USE_PREDEFINED_DH_PARAM=0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "TWO_POINT_FOUR=${TWO_POINT_FOUR}" >> /tmp/setupVars.conf
|
echo "TWO_POINT_FOUR=${TWO_POINT_FOUR}" >> /tmp/setupVars.conf
|
||||||
echo "pivpnENCRYPT=${pivpnENCRYPT}" >> /tmp/setupVars.conf
|
echo "pivpnENCRYPT=${pivpnENCRYPT}" >> /tmp/setupVars.conf
|
||||||
echo "DOWNLOAD_DH_PARAM=${DOWNLOAD_DH_PARAM}" >> /tmp/setupVars.conf
|
echo "USE_PREDEFINED_DH_PARAM=${USE_PREDEFINED_DH_PARAM}" >> /tmp/setupVars.conf
|
||||||
}
|
}
|
||||||
|
|
||||||
confOpenVPN(){
|
confOpenVPN(){
|
||||||
|
@ -1617,7 +1743,7 @@ confOpenVPN(){
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Get easy-rsa
|
# Get easy-rsa
|
||||||
wget -qO- "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn
|
wget -qO- "${easyrsaRel}" | $SUDO tar xz --directory /etc/openvpn
|
||||||
$SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa
|
$SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa
|
||||||
# fix ownership
|
# fix ownership
|
||||||
$SUDO chown -R root:root /etc/openvpn/easy-rsa
|
$SUDO chown -R root:root /etc/openvpn/easy-rsa
|
||||||
|
@ -1660,13 +1786,13 @@ set_var EASYRSA_ALGO ${pivpnCERT}" | $SUDO tee vars >/dev/null
|
||||||
${SUDOE} ./easyrsa --batch build-ca nopass
|
${SUDOE} ./easyrsa --batch build-ca nopass
|
||||||
printf "\\n::: CA Complete.\\n"
|
printf "\\n::: CA Complete.\\n"
|
||||||
|
|
||||||
if [ "$pivpnCERT" = "rsa" ]; then
|
if [ "$pivpnCERT" = "rsa" ] && [ "$USE_PREDEFINED_DH_PARAM" -ne 1 ]; then
|
||||||
if [ "${runUnattended}" = 'true' ]; then
|
if [ "${runUnattended}" = 'true' ]; then
|
||||||
echo "::: The server key, Diffie-Hellman parameters, and HMAC key will now be generated."
|
echo "::: The server key, Diffie-Hellman parameters, and HMAC key will now be generated."
|
||||||
else
|
else
|
||||||
whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman parameters, and HMAC key will now be generated." ${r} ${c}
|
whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman parameters, and HMAC key will now be generated." ${r} ${c}
|
||||||
fi
|
fi
|
||||||
elif [ "$pivpnCERT" = "ec" ]; then
|
elif [ "$pivpnCERT" = "ec" ] || { [ "$pivpnCERT" = "rsa" ] && [ "$USE_PREDEFINED_DH_PARAM" -eq 1 ]; }; then
|
||||||
if [ "${runUnattended}" = 'true' ]; then
|
if [ "${runUnattended}" = 'true' ]; then
|
||||||
echo "::: The server key and HMAC key will now be generated."
|
echo "::: The server key and HMAC key will now be generated."
|
||||||
else
|
else
|
||||||
|
@ -1678,13 +1804,13 @@ set_var EASYRSA_ALGO ${pivpnCERT}" | $SUDO tee vars >/dev/null
|
||||||
EASYRSA_CERT_EXPIRE=3650 ${SUDOE} ./easyrsa build-server-full "${SERVER_NAME}" nopass
|
EASYRSA_CERT_EXPIRE=3650 ${SUDOE} ./easyrsa build-server-full "${SERVER_NAME}" nopass
|
||||||
|
|
||||||
if [ "$pivpnCERT" = "rsa" ]; then
|
if [ "$pivpnCERT" = "rsa" ]; then
|
||||||
if [ ${DOWNLOAD_DH_PARAM} -eq 1 ]; then
|
if [ "${USE_PREDEFINED_DH_PARAM}" -eq 1 ]; then
|
||||||
# Downloading parameters
|
# Use Diffie-Hellman parameters from RFC 7919 (FFDHE)
|
||||||
${SUDOE} curl -s "https://2ton.com.au/getprimes/random/dhparam/${pivpnENCRYPT}" -o "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem"
|
${SUDOE} install -m 644 "${pivpnFilesDir}"/files/etc/openvpn/easy-rsa/pki/ffdhe"${pivpnENCRYPT}".pem pki/dh"${pivpnENCRYPT}".pem
|
||||||
else
|
else
|
||||||
# Generate Diffie-Hellman key exchange
|
# Generate Diffie-Hellman key exchange
|
||||||
${SUDOE} ./easyrsa gen-dh
|
${SUDOE} ./easyrsa gen-dh
|
||||||
${SUDOE} mv "pki/dh.pem" "pki/dh${pivpnENCRYPT}.pem"
|
${SUDOE} mv pki/dh.pem pki/dh"${pivpnENCRYPT}".pem
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -1700,7 +1826,7 @@ set_var EASYRSA_ALGO ${pivpnCERT}" | $SUDO tee vars >/dev/null
|
||||||
${SUDOE} chown "$debianOvpnUserGroup" /etc/openvpn/crl.pem
|
${SUDOE} chown "$debianOvpnUserGroup" /etc/openvpn/crl.pem
|
||||||
|
|
||||||
# Write config file for server using the template.txt file
|
# Write config file for server using the template.txt file
|
||||||
$SUDO cp $pivpnFilesDir/server_config.txt /etc/openvpn/server.conf
|
$SUDO install -m 644 "$pivpnFilesDir"/files/etc/openvpn/server_config.txt /etc/openvpn/server.conf
|
||||||
|
|
||||||
# Apply client DNS settings
|
# Apply client DNS settings
|
||||||
${SUDOE} sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${pivpnDNS1}'\"/' /etc/openvpn/server.conf
|
${SUDOE} sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${pivpnDNS1}'\"/' /etc/openvpn/server.conf
|
||||||
|
@ -1747,7 +1873,7 @@ set_var EASYRSA_ALGO ${pivpnCERT}" | $SUDO tee vars >/dev/null
|
||||||
}
|
}
|
||||||
|
|
||||||
confOVPN(){
|
confOVPN(){
|
||||||
$SUDO cp $pivpnFilesDir/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
|
$SUDO install -m 644 "$pivpnFilesDir"/files/etc/openvpn/easy-rsa/pki/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
|
||||||
|
|
||||||
$SUDO sed -i 's/IPv4pub/'"$pivpnHOST"'/' /etc/openvpn/easy-rsa/pki/Default.txt
|
$SUDO sed -i 's/IPv4pub/'"$pivpnHOST"'/' /etc/openvpn/easy-rsa/pki/Default.txt
|
||||||
|
|
||||||
|
@ -1951,6 +2077,10 @@ restartServices(){
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
if [ -f /etc/dnsmasq.d/02-pivpn.conf ]; then
|
||||||
|
$SUDO pihole restartdns
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
askUnattendedUpgrades(){
|
askUnattendedUpgrades(){
|
||||||
|
@ -1982,7 +2112,7 @@ askUnattendedUpgrades(){
|
||||||
|
|
||||||
confUnattendedUpgrades(){
|
confUnattendedUpgrades(){
|
||||||
local PIVPN_DEPS
|
local PIVPN_DEPS
|
||||||
PIVPN_DEPS+=(unattended-upgrades)
|
PIVPN_DEPS=(unattended-upgrades)
|
||||||
installDependentPackages PIVPN_DEPS[@]
|
installDependentPackages PIVPN_DEPS[@]
|
||||||
aptConfDir="/etc/apt/apt.conf.d"
|
aptConfDir="/etc/apt/apt.conf.d"
|
||||||
|
|
||||||
|
@ -1999,10 +2129,13 @@ confUnattendedUpgrades(){
|
||||||
|
|
||||||
# Fix Raspbian config
|
# Fix Raspbian config
|
||||||
if [ "$PLAT" = "Raspbian" ]; then
|
if [ "$PLAT" = "Raspbian" ]; then
|
||||||
wget -q -O "/tmp/${UNATTUPG_RELEASE}.tar.gz" "$UNATTUPG_CONFIG"
|
wget -qO- "$UNATTUPG_CONFIG" | $SUDO tar xz --directory "${aptConfDir}" "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" --strip-components 2
|
||||||
cd /tmp/ && $SUDO tar xzf "/tmp/${UNATTUPG_RELEASE}.tar.gz"
|
if test -s "${aptConfDir}/50unattended-upgrades.Raspbian"; then
|
||||||
$SUDO cp /tmp/"unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" "${aptConfDir}/50unattended-upgrades"
|
$SUDO mv "${aptConfDir}/50unattended-upgrades.Raspbian" "${aptConfDir}/50unattended-upgrades"
|
||||||
$SUDO rm -rf "/tmp/unattended-upgrades-$UNATTUPG_RELEASE"
|
else
|
||||||
|
echo "$0: ERR: Failed to download \"50unattended-upgrades.Raspbian\"."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Add the remaining settings for all other distributions
|
# Add the remaining settings for all other distributions
|
||||||
|
@ -2033,14 +2166,11 @@ installScripts(){
|
||||||
$SUDO chmod 0755 /opt/pivpn
|
$SUDO chmod 0755 /opt/pivpn
|
||||||
fi
|
fi
|
||||||
|
|
||||||
$SUDO cp "$pivpnFilesDir"/scripts/*.sh /opt/pivpn/
|
$SUDO install -m 755 "$pivpnFilesDir"/scripts/*.sh -t /opt/pivpn
|
||||||
$SUDO cp "$pivpnFilesDir"/scripts/"$VPN"/*.sh /opt/pivpn/
|
$SUDO install -m 755 "$pivpnFilesDir"/scripts/"$VPN"/*.sh -t /opt/pivpn
|
||||||
$SUDO chmod 0755 /opt/pivpn/*.sh
|
$SUDO install -m 755 "$pivpnFilesDir"/scripts/"$VPN"/pivpn /usr/local/bin/pivpn
|
||||||
$SUDO cp "$pivpnFilesDir"/scripts/"$VPN"/pivpn /usr/local/bin/pivpn
|
$SUDO install -m 644 "$pivpnFilesDir"/scripts/"$VPN"/bash-completion /etc/bash_completion.d/pivpn
|
||||||
$SUDO chmod 0755 /usr/local/bin/pivpn
|
# shellcheck disable=SC1091
|
||||||
$SUDO cp "$pivpnFilesDir"/scripts/"$VPN"/bash-completion /etc/bash_completion.d/pivpn
|
|
||||||
$SUDO chmod 0644 /etc/bash_completion.d/pivpn
|
|
||||||
# shellcheck disable=SC1091
|
|
||||||
. /etc/bash_completion.d/pivpn
|
. /etc/bash_completion.d/pivpn
|
||||||
echo " done."
|
echo " done."
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,6 @@
|
||||||
IPv4dev=eth0
|
IPv4dev=eth0
|
||||||
|
IPv4addr=192.168.23.211/24
|
||||||
|
IPv4gw=192.168.23.1
|
||||||
dhcpReserv=0
|
dhcpReserv=0
|
||||||
install_user=pi
|
install_user=pi
|
||||||
VPN=openvpn
|
VPN=openvpn
|
||||||
|
@ -10,5 +12,5 @@ pivpnHOST=pivpn.example.com
|
||||||
pivpnENCRYPT=256
|
pivpnENCRYPT=256
|
||||||
pivpnSEARCHDOMAIN=searchdomain.example.com
|
pivpnSEARCHDOMAIN=searchdomain.example.com
|
||||||
TWO_POINT_FOUR=1
|
TWO_POINT_FOUR=1
|
||||||
DOWNLOAD_DH_PARAM=0
|
USE_PREDEFINED_DH_PARAM=1
|
||||||
UNATTUPG=1
|
UNATTUPG=1
|
|
@ -1,4 +1,6 @@
|
||||||
IPv4dev=eth0
|
IPv4dev=eth0
|
||||||
|
IPv4addr=192.168.23.211/24
|
||||||
|
IPv4gw=192.168.23.1
|
||||||
dhcpReserv=0
|
dhcpReserv=0
|
||||||
install_user=pi
|
install_user=pi
|
||||||
VPN=wireguard
|
VPN=wireguard
|
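--- /dev/null
+++ b/files/etc/openvpn/easy-rsa/pki/ffdhe2048.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----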
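--- /dev/null
+++ b/files/etc/openvpn/easy-rsa/pki/ffdhe3072.pem
@@ -0,0 +1,11 @@
+-----BEGIN DH PARAMETERS-----
+MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu
+N///////////AgEC
+-----END DH PARAMETERS-----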
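--- /dev/null
+++ b/files/etc/openvpn/easy-rsa/pki/ffdhe4096.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+-----END DH PARAMETERS-----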
@ -1,9 +1,16 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
# shellcheck disable=SC1091
|
|
||||||
source /etc/pivpn/setupVars.conf
|
|
||||||
# shellcheck disable=SC1090
|
|
||||||
backupdir=pivpnbackup
|
backupdir=pivpnbackup
|
||||||
date=$(date +%Y%m%d-%H%M%S)
|
date=$(date +%Y%m%d-%H%M%S)
|
||||||
|
setupVars="/etc/pivpn/setupVars.conf"
|
||||||
|
|
||||||
|
if [ ! -f "${setupVars}" ]; then
|
||||||
|
echo "::: Missing setup vars file!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# shellcheck disable=SC1090
|
||||||
|
source "${setupVars}"
|
||||||
|
|
||||||
checkbackupdir(){
|
checkbackupdir(){
|
||||||
|
|
||||||
|
|
|
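Review bot: The new guard around `setupVars` tests only `-f`, so a file that exists but is unreadable passes the check and the following `source "${setupVars}"` fails while the script carries on with every setup variable empty (no `set -e` is visible in this hunk). Test readability and stop if sourcing fails: `if [ ! -r "${setupVars}" ]; then` for the guard and `source "${setupVars}" || exit 1` for the load. The message `echo "::: Missing setup vars file!"` is a diagnostic and should go to stderr (`>&2`) so it is not mixed into the backup output when that is piped or logged. The same `-f` guard followed by an unchecked `source` is introduced at the top of scripts/self_check.sh in this commit.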
@ -91,7 +91,7 @@ do
|
||||||
NO_PASS="1"
|
NO_PASS="1"
|
||||||
;;
|
;;
|
||||||
-b|--bitwarden)
|
-b|--bitwarden)
|
||||||
if command -v bw &> /dev/null; then
|
if command -v bw > /dev/null; then
|
||||||
BITWARDEN="2"
|
BITWARDEN="2"
|
||||||
else
|
else
|
||||||
echo "Bitwarden not found, please install bitwarden"
|
echo "Bitwarden not found, please install bitwarden"
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
# This scripts runs as root
|
# This scripts runs as root
|
||||||
|
|
||||||
setupVars="/etc/pivpn/setupVars.conf"
|
setupVars="/etc/pivpn/setupVars.conf"
|
||||||
ERR=0
|
|
||||||
|
|
||||||
if [ ! -f "${setupVars}" ]; then
|
if [ ! -f "${setupVars}" ]; then
|
||||||
echo "::: Missing setup vars file!"
|
echo "::: Missing setup vars file!"
|
||||||
|
@ -17,14 +16,6 @@ echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::"
|
||||||
git --git-dir /etc/.pivpn/.git log -n 1
|
git --git-dir /etc/.pivpn/.git log -n 1
|
||||||
printf "=============================================\n"
|
printf "=============================================\n"
|
||||||
echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::"
|
echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::"
|
||||||
# Use the wildcard so setupVars.conf.update.bak from the previous install is not shown
|
|
||||||
for filename in /etc/pivpn/*; do
|
|
||||||
if [[ "$filename" != "/etc/pivpn/setupVars.conf"* ]]; then
|
|
||||||
echo "$filename -> $(cat "$filename")"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
printf "=============================================\n"
|
|
||||||
echo -e "::::\t\e[4msetupVars file shown below\e[0m\t ::::"
|
|
||||||
sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf
|
sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf
|
||||||
printf "=============================================\n"
|
printf "=============================================\n"
|
||||||
echo -e ":::: \e[4mServer configuration shown below\e[0m ::::"
|
echo -e ":::: \e[4mServer configuration shown below\e[0m ::::"
|
||||||
|
@ -37,152 +28,7 @@ echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::: \e[4m/etc/openv
|
||||||
ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial
|
ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial
|
||||||
printf "=============================================\n"
|
printf "=============================================\n"
|
||||||
echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::"
|
echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::"
|
||||||
|
/opt/pivpn/self_check.sh
|
||||||
if [ "$(cat /proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then
|
|
||||||
echo ":: [OK] IP forwarding is enabled"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
|
|
||||||
sysctl -p
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$USING_UFW" -eq 0 ]; then
|
|
||||||
|
|
||||||
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
|
|
||||||
echo ":: [OK] Iptables MASQUERADE rule set"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
|
|
||||||
iptables-save > /etc/iptables/rules.v4
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
|
|
||||||
|
|
||||||
if iptables -C INPUT -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule" &> /dev/null; then
|
|
||||||
echo ":: [OK] Iptables INPUT rule set"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
iptables -I INPUT 1 -i "$IPv4dev" -p "$pivpnPROTO" --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule"
|
|
||||||
iptables-save > /etc/iptables/rules.v4
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
|
|
||||||
|
|
||||||
if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule" &> /dev/null; then
|
|
||||||
echo ":: [OK] Iptables FORWARD rule set"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
|
||||||
iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
|
||||||
iptables-save > /etc/iptables/rules.v4
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
else
|
|
||||||
|
|
||||||
if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
|
|
||||||
echo ":: [OK] Ufw is enabled"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
ufw enable
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
|
|
||||||
echo ":: [OK] Iptables MASQUERADE rule set"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE -m comment --comment ${VPN}-nat-rule\nCOMMIT\n" -i /etc/ufw/before.rules
|
|
||||||
ufw reload
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if iptables -C ufw-user-input -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT &> /dev/null; then
|
|
||||||
echo ":: [OK] Ufw input rule set"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
ufw insert 1 allow "$pivpnPORT"/"$pivpnPROTO"
|
|
||||||
ufw reload
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
|
|
||||||
echo ":: [OK] Ufw forwarding rule set"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any
|
|
||||||
ufw reload
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
fi
|
|
||||||
|
|
||||||
if systemctl is-active -q openvpn; then
|
|
||||||
echo ":: [OK] OpenVPN is running"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] OpenVPN is not running, try to start now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
systemctl start openvpn
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if systemctl is-enabled -q openvpn; then
|
|
||||||
echo ":: [OK] OpenVPN is enabled (it will automatically start on reboot)"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] OpenVPN is not enabled, try to enable now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
systemctl enable openvpn
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
# grep -w (whole word) is used so port 11940 won't match when looking for 1194
|
|
||||||
if netstat -uanpt | grep openvpn | grep -w "${pivpnPORT}" | grep -q "${pivpnPROTO}"; then
|
|
||||||
echo ":: [OK] OpenVPN is listening on port ${pivpnPORT}/${pivpnPROTO}"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] OpenVPN is not listening, try to restart now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
systemctl restart openvpn
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$ERR" -eq 1 ]; then
|
|
||||||
echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues"
|
|
||||||
fi
|
|
||||||
|
|
||||||
printf "=============================================\n"
|
printf "=============================================\n"
|
||||||
echo -e ":::: \e[4mSnippet of the server log\e[0m ::::"
|
echo -e ":::: \e[4mSnippet of the server log\e[0m ::::"
|
||||||
tail -20 /var/log/openvpn.log > /tmp/snippet
|
tail -20 /var/log/openvpn.log > /tmp/snippet
|
||||||
|
|
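Review bot: The new `/opt/pivpn/self_check.sh` call in the Self check block is unguarded: it neither verifies that the helper exists and is executable nor looks at its exit status, so on a system where installScripts has not placed it bash prints a "No such file" error and the debug report continues as if the check had run. The inline checks this hunk removes tracked an `ERR` flag and closed with the "[INFO] Run pivpn -d again" hint; whether self_check.sh reproduces that (it initialises `ERR=0` near its top) cannot be confirmed here because its tail is outside this chunk. Consider `if [ -x /opt/pivpn/self_check.sh ]; then /opt/pivpn/self_check.sh; else echo ":: [ERR] /opt/pivpn/self_check.sh is missing" >&2; fi`.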
170
scripts/self_check.sh
Executable file
|
@ -0,0 +1,170 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
subnetClass="24"
|
||||||
|
setupVars="/etc/pivpn/setupVars.conf"
|
||||||
|
ERR=0
|
||||||
|
|
||||||
|
if [ ! -f "${setupVars}" ]; then
|
||||||
|
echo "::: Missing setup vars file!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
source "${setupVars}"
|
||||||
|
|
||||||
|
if [ "$VPN" = "wireguard" ]; then
|
||||||
|
pivpnPROTO="udp"
|
||||||
|
pivpnDEV="wg0"
|
||||||
|
pivpnNET="10.6.0.0"
|
||||||
|
VPN_SERVICE="wg-quick@wg0"
|
||||||
|
VPN_PRETTY_NAME="WireGuard"
|
||||||
|
elif [ "$VPN" = "openvpn" ]; then
|
||||||
|
pivpnDEV="tun0"
|
||||||
|
pivpnNET="10.8.0.0"
|
||||||
|
VPN_SERVICE="openvpn"
|
||||||
|
VPN_PRETTY_NAME="OpenVPN"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$(</proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then
|
||||||
|
echo ":: [OK] IP forwarding is enabled"
|
||||||
|
else
|
||||||
|
ERR=1
|
||||||
|
read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY
|
||||||
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||||
|
sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
|
||||||
|
sysctl -p
|
||||||
|
echo "Done"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$USING_UFW" -eq 0 ]; then
|
||||||
|
|
||||||
|
if iptables -t nat -C POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
|
||||||
|
echo ":: [OK] Iptables MASQUERADE rule set"
|
||||||
|
else
|
||||||
|
ERR=1
|
||||||
|
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
|
||||||
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||||
|
iptables -t nat -I POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
|
||||||
|
iptables-save > /etc/iptables/rules.v4
|
||||||
|
echo "Done"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
|
||||||
|
|
||||||
|
if iptables -C INPUT -i "${IPv4dev}" -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT -m comment --comment "${VPN}-input-rule" &> /dev/null; then
|
||||||
|
echo ":: [OK] Iptables INPUT rule set"
|
||||||
|
else
|
||||||
|
ERR=1
|
||||||
|
read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
|
||||||
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||||
|
iptables -I INPUT 1 -i "${IPv4dev}" -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT -m comment --comment "${VPN}-input-rule"
|
||||||
|
iptables-save > /etc/iptables/rules.v4
|
||||||
|
echo "Done"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
|
||||||
|
|
||||||
|
if iptables -C FORWARD -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT -m comment --comment "${VPN}-forward-rule" &> /dev/null; then
|
||||||
|
echo ":: [OK] Iptables FORWARD rule set"
|
||||||
|
else
|
||||||
|
ERR=1
|
||||||
|
read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
|
||||||
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||||
|
iptables -I FORWARD 1 -d "${pivpnNET}/${subnetClass}" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
||||||
|
iptables -I FORWARD 2 -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
||||||
|
iptables-save > /etc/iptables/rules.v4
|
||||||
|
echo "Done"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
else
|
||||||
|
|
||||||
|
if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
|
||||||
|
echo ":: [OK] Ufw is enabled"
|
||||||
|
else
|
||||||
|
ERR=1
|
||||||
|
read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY
|
||||||
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||||
|
ufw enable
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if iptables -t nat -C POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
|
||||||
|
echo ":: [OK] Iptables MASQUERADE rule set"
|
||||||
|
else
|
||||||
|
ERR=1
|
||||||
|
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
|
||||||
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||||
|
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}/${subnetClass} -o ${IPv4dev} -j MASQUERADE -m comment --comment ${VPN}-nat-rule\nCOMMIT\n" -i /etc/ufw/before.rules
|
||||||
|
ufw reload
|
||||||
|
echo "Done"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if iptables -C ufw-user-input -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT &> /dev/null; then
|
||||||
|
echo ":: [OK] Ufw input rule set"
|
||||||
|
else
|
||||||
|
ERR=1
|
||||||
|
read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY
|
||||||
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||||
|
ufw insert 1 allow "${pivpnPORT}"/"${pivpnPROTO}"
|
||||||
|
ufw reload
|
||||||
|
echo "Done"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if iptables -C ufw-user-forward -i "${pivpnDEV}" -o "${IPv4dev}" -s "${pivpnNET}/${subnetClass}" -j ACCEPT &> /dev/null; then
|
||||||
|
echo ":: [OK] Ufw forwarding rule set"
|
||||||
|
else
|
||||||
|
ERR=1
|
||||||
|
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
|
||||||
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||||
|
ufw route insert 1 allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any
|
||||||
|
ufw reload
|
||||||
|
echo "Done"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
if systemctl is-active -q "${VPN_SERVICE}"; then
|
||||||
|
echo ":: [OK] ${VPN_PRETTY_NAME} is running"
|
||||||
|
else
|
||||||
|
ERR=1
|
||||||
|
read -r -p ":: [ERR] ${VPN_PRETTY_NAME} is not running, try to start now? [Y/n] " REPLY
|
||||||
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||||
|
systemctl start "${VPN_SERVICE}"
|
||||||
|
echo "Done"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if systemctl is-enabled -q "${VPN_SERVICE}"; then
|
||||||
|
echo ":: [OK] ${VPN_PRETTY_NAME} is enabled (it will automatically start on reboot)"
|
||||||
|
else
|
||||||
|
ERR=1
|
||||||
|
read -r -p ":: [ERR] ${VPN_PRETTY_NAME} is not enabled, try to enable now? [Y/n] " REPLY
|
||||||
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||||
|
systemctl enable "${VPN_SERVICE}"
|
||||||
|
echo "Done"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# grep -w (whole word) is used so port 11940 won't match when looking for 1194
|
||||||
|
if netstat -antu | grep -wqE "${pivpnPROTO}.*${pivpnPORT}"; then
|
||||||
|
echo ":: [OK] ${VPN_PRETTY_NAME} is listening on port ${pivpnPORT}/${pivpnPROTO}"
|
||||||
|
else
|
||||||
|
ERR=1
|
||||||
|
read -r -p ":: [ERR] ${VPN_PRETTY_NAME} is not listening, try to restart now? [Y/n] " REPLY
|
||||||
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||||
|
systemctl restart "${VPN_SERVICE}"
|
||||||
|
echo "Done"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$ERR" -eq 1 ]; then
|
||||||
|
echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues"
|
||||||
|
fi
|
|
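Review bot: The `if [ "$VPN" = "wireguard" ] ... elif [ "$VPN" = "openvpn" ] ... fi` chain near the top of the new self_check.sh has no terminating branch, so an unset or unexpected `$VPN` leaves pivpnNET, pivpnDEV and VPN_SERVICE empty and the script still walks into the interactive "attempt fix now?" paths, which would then persist rules built from empty strings (e.g. `-s /24`) into /etc/ufw/before.rules or /etc/iptables/rules.v4 and can break the next ufw reload. Add `else` / `echo "::: Unknown VPN type '${VPN}' in ${setupVars}"` / `exit 1` before the closing `fi`. Separately, pivpnNET is hard-coded here to 10.6.0.0 / 10.8.0.0 while everything else comes from setupVars.conf; if the install records the chosen network in that file (I cannot confirm from this page), source it instead so a non-default subnet is not "fixed" to the wrong one.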
@ -5,6 +5,7 @@
|
||||||
### FIXME: use variables where appropriate, reduce magic numbers by 99.9%, at least.
|
### FIXME: use variables where appropriate, reduce magic numbers by 99.9%, at least.
|
||||||
|
|
||||||
PKG_MANAGER="apt-get"
|
PKG_MANAGER="apt-get"
|
||||||
|
UPDATE_PKG_CACHE="${PKG_MANAGER} update"
|
||||||
subnetClass="24"
|
subnetClass="24"
|
||||||
setupVars="/etc/pivpn/setupVars.conf"
|
setupVars="/etc/pivpn/setupVars.conf"
|
||||||
|
|
||||||
|
@ -33,7 +34,7 @@ spinner(){
|
||||||
local pid=$1
|
local pid=$1
|
||||||
local delay=0.50
|
local delay=0.50
|
||||||
local spinstr='/-\|'
|
local spinstr='/-\|'
|
||||||
while ps a | awk '{print $1}' | grep "$pid"; do
|
while ps a | awk '{print $1}' | grep -q "$pid"; do
|
||||||
local temp=${spinstr#?}
|
local temp=${spinstr#?}
|
||||||
printf " [%c] " "$spinstr"
|
printf " [%c] " "$spinstr"
|
||||||
local spinstr=$temp${spinstr%"$temp"}
|
local spinstr=$temp${spinstr%"$temp"}
|
||||||
|
@ -101,7 +102,7 @@ removeAll(){
|
||||||
# Purge dependencies
|
# Purge dependencies
|
||||||
echo "::: Purge dependencies..."
|
echo "::: Purge dependencies..."
|
||||||
|
|
||||||
for i in "${TO_INSTALL[@]}"; do
|
for i in "${INSTALLED_PACKAGES[@]}"; do
|
||||||
while true; do
|
while true; do
|
||||||
read -rp "::: Do you wish to remove $i from your system? [Y/n]: " yn
|
read -rp "::: Do you wish to remove $i from your system? [Y/n]: " yn
|
||||||
case $yn in
|
case $yn in
|
||||||
|
@ -113,11 +114,11 @@ removeAll(){
|
||||||
if [ "$PLAT" = "Debian" ] || { [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv7l" ]; }; then
|
if [ "$PLAT" = "Debian" ] || { [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv7l" ]; }; then
|
||||||
rm -f /etc/apt/sources.list.d/pivpn-unstable.list
|
rm -f /etc/apt/sources.list.d/pivpn-unstable.list
|
||||||
rm -f /etc/apt/preferences.d/pivpn-limit-unstable
|
rm -f /etc/apt/preferences.d/pivpn-limit-unstable
|
||||||
$PKG_MANAGER update &> /dev/null
|
|
||||||
elif [ "$PLAT" = "Ubuntu" ]; then
|
elif [ "$PLAT" = "Ubuntu" ]; then
|
||||||
add-apt-repository ppa:wireguard/wireguard -r -y
|
add-apt-repository ppa:wireguard/wireguard -r -y
|
||||||
$PKG_MANAGER update &> /dev/null
|
|
||||||
fi
|
fi
|
||||||
|
echo "::: Updating package cache..."
|
||||||
|
${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||||
|
|
||||||
elif [ "${i}" = "wireguard-dkms" ]; then
|
elif [ "${i}" = "wireguard-dkms" ]; then
|
||||||
|
|
||||||
|
@ -135,12 +136,6 @@ removeAll(){
|
||||||
rm -rf /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}"
|
rm -rf /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
elif [ "${i}" = "dirmngr" ]; then
|
|
||||||
|
|
||||||
# If dirmngr was installed, then we had previously installed wireguard on armv7l Raspbian
|
|
||||||
# so we remove the repository keys
|
|
||||||
apt-key remove E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE &> /dev/null
|
|
||||||
|
|
||||||
elif [ "${i}" = "unattended-upgrades" ]; then
|
elif [ "${i}" = "unattended-upgrades" ]; then
|
||||||
|
|
||||||
### REALLY???
|
### REALLY???
|
||||||
|
@ -152,7 +147,8 @@ removeAll(){
|
||||||
|
|
||||||
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
|
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
|
||||||
rm -f /etc/apt/sources.list.d/pivpn-openvpn-repo.list
|
rm -f /etc/apt/sources.list.d/pivpn-openvpn-repo.list
|
||||||
$PKG_MANAGER update &> /dev/null
|
echo "::: Updating package cache..."
|
||||||
|
${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||||
fi
|
fi
|
||||||
deluser openvpn
|
deluser openvpn
|
||||||
rm -f /etc/rsyslog.d/30-openvpn.conf
|
rm -f /etc/rsyslog.d/30-openvpn.conf
|
||||||
|
|
|
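Review bot: In the spinner hunk, `grep -q "$pid"` against the PID column of `ps a` is a substring match, so the spinner keeps running while any process whose PID merely contains `$pid` exists (pid 123 also matches 1234 or 5123), and there is no timeout to recover from that. Anchor the match with `grep -qx "$pid"`, or drop the ps parsing entirely with `while kill -0 "$pid" 2>/dev/null; do`. The rest of spinner's body is outside the hunk.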
@ -15,6 +15,17 @@ fi
|
||||||
|
|
||||||
source "${setupVars}"
|
source "${setupVars}"
|
||||||
|
|
||||||
|
scriptusage(){
|
||||||
|
echo "::: Updates PiVPN scripts"
|
||||||
|
echo ":::"
|
||||||
|
echo "::: Usage: pivpn <-up|update> [-t|--test]"
|
||||||
|
echo ":::"
|
||||||
|
echo "::: Commands:"
|
||||||
|
echo "::: [none] Updates from master branch"
|
||||||
|
echo "::: -t, test Updates from test branch"
|
||||||
|
echo "::: -h, help Show this usage dialog"
|
||||||
|
}
|
||||||
|
|
||||||
###Functions
|
###Functions
|
||||||
##Updates scripts
|
##Updates scripts
|
||||||
updatepivpnscripts(){
|
updatepivpnscripts(){
|
||||||
|
@ -68,14 +79,6 @@ cloneupdttest(){
|
||||||
git -C "$pivpnlocalpath" checkout master
|
git -C "$pivpnlocalpath" checkout master
|
||||||
}
|
}
|
||||||
|
|
||||||
scriptusage(){
|
|
||||||
echo -e "Updates pivpn scripts,
|
|
||||||
|
|
||||||
Usage:
|
|
||||||
pivpn update | updates from master branch
|
|
||||||
pivpn update -t or --test | updates from test branch"
|
|
||||||
}
|
|
||||||
|
|
||||||
## SCRIPT
|
## SCRIPT
|
||||||
|
|
||||||
if [[ $# -eq 0 ]]; then
|
if [[ $# -eq 0 ]]; then
|
||||||
|
@ -83,15 +86,15 @@ if [[ $# -eq 0 ]]; then
|
||||||
else
|
else
|
||||||
while true; do
|
while true; do
|
||||||
case "$1" in
|
case "$1" in
|
||||||
-t|--test|test)
|
-t|test)
|
||||||
updatefromtest
|
updatefromtest
|
||||||
exit 0
|
exit 0
|
||||||
;;
|
;;
|
||||||
-h|--help|help)
|
-h|help)
|
||||||
scriptusage
|
scriptusage
|
||||||
exit 0
|
exit 0
|
||||||
;;
|
;;
|
||||||
* )
|
*)
|
||||||
updatepivpnscripts
|
updatepivpnscripts
|
||||||
exit 0
|
exit 0
|
||||||
;;
|
;;
|
||||||
|
|
|
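Review bot: The usage text added at the top advertises `pivpn <-up|update> [-t|--test]`, but the case statement in the last hunk now matches only `-t|test`, so `pivpn update --test` falls through to `*)` and silently runs updatepivpnscripts from master, the opposite of what was requested. Keep the long forms in the patterns, `-t|--test|test)` and `-h|--help|help)`, and have the catch-all print usage and exit non-zero (`*) scriptusage; exit 1 ;;`) rather than treating any unrecognised argument as a request to update.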
@ -4,8 +4,8 @@ _pivpn()
|
||||||
COMPREPLY=()
|
COMPREPLY=()
|
||||||
cur="${COMP_WORDS[COMP_CWORD]}"
|
cur="${COMP_WORDS[COMP_CWORD]}"
|
||||||
prev="${COMP_WORDS[COMP_CWORD-1]}"
|
prev="${COMP_WORDS[COMP_CWORD-1]}"
|
||||||
dashopts="-a -c -d -l -qr -r -h -u -up -bk"
|
dashopts="-a -c -d -l -qr -r -h -u -up -wg -bk"
|
||||||
opts="add clients debug list qrcode remove help uninstall update backup"
|
opts="add clients debug list qrcode remove help uninstall update wgupdate backup"
|
||||||
if [ "${#COMP_WORDS[@]}" -eq 2 ]
|
if [ "${#COMP_WORDS[@]}" -eq 2 ]
|
||||||
then
|
then
|
||||||
if [[ ${cur} == -* ]] ; then
|
if [[ ${cur} == -* ]] ; then
|
||||||
|
|
|
@ -10,7 +10,11 @@ hr(){
|
||||||
numfmt --to=iec-i --suffix=B "$1"
|
numfmt --to=iec-i --suffix=B "$1"
|
||||||
}
|
}
|
||||||
|
|
||||||
DUMP="$(wg show wg0 dump | tail -n +2)"
|
if DUMP="$(wg show wg0 dump)"; then
|
||||||
|
DUMP="$(tail -n +2 <<< "$DUMP")"
|
||||||
|
else
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
printf "\e[1m::: Connected Clients List :::\e[0m\n"
|
printf "\e[1m::: Connected Clients List :::\e[0m\n"
|
||||||
|
|
||||||
|
@ -28,7 +32,7 @@ while IFS= read -r LINE; do
|
||||||
CLIENT_NAME="$(grep "$PUBLIC_KEY" clients.txt | awk '{ print $1 }')"
|
CLIENT_NAME="$(grep "$PUBLIC_KEY" clients.txt | awk '{ print $1 }')"
|
||||||
|
|
||||||
if [ "$LAST_SEEN" -ne 0 ]; then
|
if [ "$LAST_SEEN" -ne 0 ]; then
|
||||||
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "$(date -d @"$LAST_SEEN" '+%b %m %Y - %T')"
|
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "$(date -d @"$LAST_SEEN" '+%b %d %Y - %T')"
|
||||||
else
|
else
|
||||||
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "(not yet)"
|
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "(not yet)"
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -2,6 +2,13 @@
|
||||||
|
|
||||||
setupVars="/etc/pivpn/setupVars.conf"
|
setupVars="/etc/pivpn/setupVars.conf"
|
||||||
|
|
||||||
|
if [ ! -f "${setupVars}" ]; then
|
||||||
|
echo "::: Missing setup vars file!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
source "${setupVars}"
|
||||||
|
|
||||||
helpFunc(){
|
helpFunc(){
|
||||||
echo "::: Create a client conf profile"
|
echo "::: Create a client conf profile"
|
||||||
echo ":::"
|
echo ":::"
|
||||||
|
@ -39,13 +46,6 @@ while test $# -gt 0; do
|
||||||
shift
|
shift
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ ! -f "${setupVars}" ]; then
|
|
||||||
echo "::: Missing setup vars file!"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
source "${setupVars}"
|
|
||||||
|
|
||||||
# The home folder variable was sourced from the settings file.
|
# The home folder variable was sourced from the settings file.
|
||||||
if [ ! -d "${install_home}/configs" ]; then
|
if [ ! -d "${install_home}/configs" ]; then
|
||||||
mkdir "${install_home}/configs"
|
mkdir "${install_home}/configs"
|
||||||
|
|
|
@ -54,6 +54,11 @@ updateScripts(){
|
||||||
exit 0
|
exit 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
updateWireGuard(){
|
||||||
|
$SUDO /opt/pivpn/wgUPDATE.sh
|
||||||
|
exit 0
|
||||||
|
}
|
||||||
|
|
||||||
backup(){
|
backup(){
|
||||||
$SUDO /opt/pivpn/backup.sh
|
$SUDO /opt/pivpn/backup.sh
|
||||||
}
|
}
|
||||||
|
@ -73,7 +78,8 @@ showHelp(){
|
||||||
echo "::: -h, help Show this help dialog"
|
echo "::: -h, help Show this help dialog"
|
||||||
echo "::: -u, uninstall Uninstall pivpn from your system!"
|
echo "::: -u, uninstall Uninstall pivpn from your system!"
|
||||||
echo "::: -up, update Updates PiVPN Scripts"
|
echo "::: -up, update Updates PiVPN Scripts"
|
||||||
echo "::: -bk, Backup Backup vpn configs and user profiles"
|
echo "::: -wg, wgupdate Updates WireGuard"
|
||||||
|
echo "::: -bk, backup Backup VPN configs and user profiles"
|
||||||
exit 0
|
exit 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -92,6 +98,7 @@ case "$1" in
|
||||||
"-h" | "help" ) showHelp;;
|
"-h" | "help" ) showHelp;;
|
||||||
"-u" | "uninstall" ) uninstallServer;;
|
"-u" | "uninstall" ) uninstallServer;;
|
||||||
"-up" | "update" ) updateScripts "$@" ;;
|
"-up" | "update" ) updateScripts "$@" ;;
|
||||||
|
"-wg" | "wgupdate" ) updateWireGuard ;;
|
||||||
"-bk" | "backup" ) backup ;;
|
"-bk" | "backup" ) backup ;;
|
||||||
* ) showHelp;;
|
* ) showHelp;;
|
||||||
esac
|
esac
|
||||||
|
|
|
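Review bot: `updateWireGuard` ends with an unconditional `exit 0`, so the status returned by /opt/pivpn/wgUPDATE.sh is discarded and `pivpn -wg` always reports success, even though that script (added later in this commit) exits 1 when the `cd` into the extracted source or the `make` step fails. Propagate it instead: `$SUDO /opt/pivpn/wgUPDATE.sh` / `exit $?`. `updateScripts` just above has the same `exit 0` after its call, so it is worth fixing both together.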
@ -10,32 +10,30 @@ fi
|
||||||
|
|
||||||
source "${setupVars}"
|
source "${setupVars}"
|
||||||
|
|
||||||
EXAMPLE="$(head -1 /etc/wireguard/configs/clients.txt | awk '{print $1}')"
|
|
||||||
ERR=0
|
|
||||||
|
|
||||||
echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::"
|
echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::"
|
||||||
printf "=============================================\n"
|
printf "=============================================\n"
|
||||||
echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::"
|
echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::"
|
||||||
git --git-dir /etc/.pivpn/.git log -n 1
|
git --git-dir /etc/.pivpn/.git log -n 1
|
||||||
printf "=============================================\n"
|
printf "=============================================\n"
|
||||||
echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::"
|
echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::"
|
||||||
sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf
|
sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf
|
||||||
printf "=============================================\n"
|
printf "=============================================\n"
|
||||||
echo -e ":::: \e[4mServer configuration shown below\e[0m ::::"
|
echo -e ":::: \e[4mServer configuration shown below\e[0m ::::"
|
||||||
cd /etc/wireguard/keys
|
cd /etc/wireguard/keys
|
||||||
cp ../wg0.conf ../wg0.tmp
|
cp ../wg0.conf ../wg0.tmp
|
||||||
# Replace every key in the server configuration with just its file name
|
# Replace every key in the server configuration with just its file name
|
||||||
for k in *; do
|
for k in *; do
|
||||||
sed "s#$(cat "$k")#$k#" -i ../wg0.tmp
|
sed "s#$(<"$k")#$k#" -i ../wg0.tmp
|
||||||
done
|
done
|
||||||
cat ../wg0.tmp
|
cat ../wg0.tmp
|
||||||
rm ../wg0.tmp
|
rm ../wg0.tmp
|
||||||
printf "=============================================\n"
|
printf "=============================================\n"
|
||||||
echo -e ":::: \e[4mClient configuration shown below\e[0m ::::"
|
echo -e ":::: \e[4mClient configuration shown below\e[0m ::::"
|
||||||
|
EXAMPLE="$(head -1 /etc/wireguard/configs/clients.txt | awk '{print $1}')"
|
||||||
if [ -n "$EXAMPLE" ]; then
|
if [ -n "$EXAMPLE" ]; then
|
||||||
cp ../configs/"$EXAMPLE".conf ../configs/"$EXAMPLE".tmp
|
cp ../configs/"$EXAMPLE".conf ../configs/"$EXAMPLE".tmp
|
||||||
for k in *; do
|
for k in *; do
|
||||||
sed "s#$(cat "$k")#$k#" -i ../configs/"$EXAMPLE".tmp
|
sed "s#$(<"$k")#$k#" -i ../configs/"$EXAMPLE".tmp
|
||||||
done
|
done
|
||||||
sed "s/$pivpnHOST/REDACTED/" < ../configs/"$EXAMPLE".tmp
|
sed "s/$pivpnHOST/REDACTED/" < ../configs/"$EXAMPLE".tmp
|
||||||
rm ../configs/"$EXAMPLE".tmp
|
rm ../configs/"$EXAMPLE".tmp
|
||||||
|
@ -48,151 +46,7 @@ echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::::\e\t[4m/etc/wir
|
||||||
ls -LR /etc/wireguard
|
ls -LR /etc/wireguard
|
||||||
printf "=============================================\n"
|
printf "=============================================\n"
|
||||||
echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::"
|
echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::"
|
||||||
|
/opt/pivpn/self_check.sh
|
||||||
if [ "$(cat /proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then
|
|
||||||
echo ":: [OK] IP forwarding is enabled"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
|
|
||||||
sysctl -p
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$USING_UFW" -eq 0 ]; then
|
|
||||||
|
|
||||||
if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
|
|
||||||
echo ":: [OK] Iptables MASQUERADE rule set"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
iptables -t nat -I POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
|
|
||||||
iptables-save > /etc/iptables/rules.v4
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
|
|
||||||
|
|
||||||
if iptables -C INPUT -i "$IPv4dev" -p udp --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule" &> /dev/null; then
|
|
||||||
echo ":: [OK] Iptables INPUT rule set"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
iptables -I INPUT 1 -i "$IPv4dev" -p udp --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule"
|
|
||||||
iptables-save > /etc/iptables/rules.v4
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
|
|
||||||
|
|
||||||
if iptables -C FORWARD -s 10.6.0.0/24 -i wg0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule" &> /dev/null; then
|
|
||||||
echo ":: [OK] Iptables FORWARD rule set"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
iptables -I FORWARD 1 -d 10.6.0.0/24 -i "$IPv4dev" -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
|
||||||
iptables -I FORWARD 2 -s 10.6.0.0/24 -i wg0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
|
||||||
iptables-save > /etc/iptables/rules.v4
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
else
|
|
||||||
|
|
||||||
if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
|
|
||||||
echo ":: [OK] Ufw is enabled"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
ufw enable
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
|
|
||||||
echo ":: [OK] Iptables MASQUERADE rule set"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.6.0.0/24 -o $IPv4dev -j MASQUERADE -m comment --comment ${VPN}-nat-rule\nCOMMIT\n" -i /etc/ufw/before.rules
|
|
||||||
ufw reload
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if iptables -C ufw-user-input -p udp --dport "${pivpnPORT}" -j ACCEPT &> /dev/null; then
|
|
||||||
echo ":: [OK] Ufw input rule set"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
ufw insert 1 allow "$pivpnPORT"/udp
|
|
||||||
ufw reload
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if iptables -C ufw-user-forward -i wg0 -o "${IPv4dev}" -s 10.6.0.0/24 -j ACCEPT &> /dev/null; then
|
|
||||||
echo ":: [OK] Ufw forwarding rule set"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
ufw route insert 1 allow in on wg0 from 10.6.0.0/24 out on "$IPv4dev" to any
|
|
||||||
ufw reload
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
fi
|
|
||||||
|
|
||||||
if systemctl is-active -q wg-quick@wg0; then
|
|
||||||
echo ":: [OK] WireGuard is running"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] WireGuard is not running, try to start now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
systemctl start wg-quick@wg0
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if systemctl is-enabled -q wg-quick@wg0; then
|
|
||||||
echo ":: [OK] WireGuard is enabled (it will automatically start on reboot)"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] WireGuard is not enabled, try to enable now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
systemctl enable wg-quick@wg0
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
# grep -w (whole word) is used so port 11940 won't match when looking for 1194
|
|
||||||
if netstat -uanp | grep -w "${pivpnPORT}" | grep -q 'udp'; then
|
|
||||||
echo ":: [OK] WireGuard is listening on port ${pivpnPORT}/udp"
|
|
||||||
else
|
|
||||||
ERR=1
|
|
||||||
read -r -p ":: [ERR] WireGuard is not listening, try to restart now? [Y/n] " REPLY
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
||||||
systemctl restart wg-quick@wg0
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$ERR" -eq 1 ]; then
|
|
||||||
echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues"
|
|
||||||
fi
|
|
||||||
printf "=============================================\n"
|
printf "=============================================\n"
|
||||||
echo -e ":::: \e[1mWARNING\e[0m: This script should have automatically masked sensitive ::::"
|
echo -e ":::: \e[1mWARNING\e[0m: This script should have automatically masked sensitive ::::"
|
||||||
echo -e ":::: information, however, still make sure that \e[4mPrivateKey\e[0m, \e[4mPublicKey\e[0m ::::"
|
echo -e ":::: information, however, still make sure that \e[4mPrivateKey\e[0m, \e[4mPublicKey\e[0m ::::"
|
||||||
|
|
|
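Review bot: The masking loop `sed "s#$(<"$k")#$k#" -i ../wg0.tmp` (and its twin for the client config) never verifies that a substitution happened, and the copy is printed regardless, so any key sed fails on (an empty key file yields `s###`, which sed rejects) or any key in the config that has no file under /etc/wireguard/keys is echoed in clear into output the user is asked to paste into a bug report. Since this loop is the only thing between PrivateKey material and the tracker, fail closed: after the loop, `for k in *; do grep -qF -- "$(<"$k")" ../wg0.tmp && { echo "::: Key masking failed, aborting"; rm ../wg0.tmp; exit 1; }; done`. The warning banner at the end of the section already admits the masking is best-effort; this would make it enforced, assuming every key referenced by wg0.conf has a matching file in the keys directory.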
@ -2,6 +2,13 @@
|
||||||
|
|
||||||
setupVars="/etc/pivpn/setupVars.conf"
|
setupVars="/etc/pivpn/setupVars.conf"
|
||||||
|
|
||||||
|
if [ ! -f "${setupVars}" ]; then
|
||||||
|
echo "::: Missing setup vars file!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
source "${setupVars}"
|
||||||
|
|
||||||
helpFunc(){
|
helpFunc(){
|
||||||
echo "::: Remove a client conf profile"
|
echo "::: Remove a client conf profile"
|
||||||
echo ":::"
|
echo ":::"
|
||||||
|
@ -29,13 +36,6 @@ do
|
||||||
shift
|
shift
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ ! -f "${setupVars}" ]; then
|
|
||||||
echo "::: Missing setup vars file!"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
source "${setupVars}"
|
|
||||||
|
|
||||||
cd /etc/wireguard
|
cd /etc/wireguard
|
||||||
if [ ! -s configs/clients.txt ]; then
|
if [ ! -s configs/clients.txt ]; then
|
||||||
echo "::: There are no clients to remove"
|
echo "::: There are no clients to remove"
|
||||||
|
|
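--- /dev/null
+++ b/scripts/wireguard/wgUPDATE.sh
@@ -0,0 +1,132 @@
+#!/bin/bash
+
+setupVars="/etc/pivpn/setupVars.conf"
+
+if [ ! -f "${setupVars}" ]; then
+echo "::: Missing setup vars file!"
+exit 1
+fi
+
+source "${setupVars}"
+
+if [ "$(uname -m)" != "armv6l" ]; then
+echo "On your system, WireGuard updates via the package manager"
+exit 0
+fi
+
+CURRENT_WG_TOOLS_SNAPSHOT="${WG_TOOLS_SNAPSHOT}"
+WG_TOOLS_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-tools"."version"')"
+
+if dpkg --compare-versions "${WG_TOOLS_SNAPSHOT}" gt "${CURRENT_WG_TOOLS_SNAPSHOT}"; then
+
+read -r -p "A new wireguard-tools update is available (${WG_TOOLS_SNAPSHOT}), install? [Y/n]: "
+
+if [[ ${REPLY} =~ ^[Yy]$ ]]; then
+echo "::: Upgrading wireguard-tools from ${CURRENT_WG_TOOLS_SNAPSHOT} to ${WG_TOOLS_SNAPSHOT}..."
+
+WG_TOOLS_SOURCE="https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${WG_TOOLS_SNAPSHOT}.tar.xz"
+echo "::: Downloading wireguard-tools source code... "
+wget -qO- "${WG_TOOLS_SOURCE}" | tar xJ --directory /usr/src
+echo "done!"
+
+## || exits if cd fails.
+cd /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}/src" || exit 1
+
+# We install the userspace tools manually since DKMS only compiles and
+# installs the kernel module
+echo "::: Compiling WireGuard tools... "
+if make; then
+echo "done!"
+else
+echo "failed!"
+exit 1
+fi
+
+# Use checkinstall to install userspace tools so if the user wants to uninstall
+# PiVPN we can just do apt remove wireguard-tools, instead of manually removing
+# files from the file system
+echo "::: Installing WireGuard tools... "
+if checkinstall --pkgname wireguard-tools --pkgversion "${WG_TOOLS_SNAPSHOT}" -y; then
+echo "done!"
+else
+echo "failed!"
+exit 1
+fi
+
+echo "::: Removing old source code ..."
+rm -rf /usr/src/wireguard-tools-"${CURRENT_WG_TOOLS_SNAPSHOT}"
+
+sed "s/WG_TOOLS_SNAPSHOT=${CURRENT_WG_TOOLS_SNAPSHOT}/WG_TOOLS_SNAPSHOT=${WG_TOOLS_SNAPSHOT}/" -i "${setupVars}"
+
+echo "::: Upgrade completed!"
+fi
+else
+echo "::: You are running the lastest version of wireguard-tools (${CURRENT_WG_TOOLS_SNAPSHOT})"
+fi
+
+CURRENT_WG_MODULE_SNAPSHOT="${WG_MODULE_SNAPSHOT}"
+WG_MODULE_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-linuxcompat"."version"')"
+
+if dpkg --compare-versions "${WG_MODULE_SNAPSHOT}" gt "${CURRENT_WG_MODULE_SNAPSHOT}"; then
+
+read -r -p "A new wireguard-dkms update is available (${WG_MODULE_SNAPSHOT}), install? [Y/n]: "
+
+if [[ ${REPLY} =~ ^[Yy]$ ]]; then
+echo "::: Upgrading wireguard-dkms from ${CURRENT_WG_MODULE_SNAPSHOT} to ${WG_MODULE_SNAPSHOT}..."
+
+WG_MODULE_SOURCE="https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WG_MODULE_SNAPSHOT}.tar.xz"
+echo "::: Downloading wireguard-linux-compat source code... "
+wget -qO- "${WG_MODULE_SOURCE}" | tar xJ --directory /usr/src
+echo "done!"
+
+# Rename wireguard-linux-compat folder and move the source code to the parent folder
+# such that dkms picks up the module when referencing wireguard/"${WG_MODULE_SNAPSHOT}"
+cd /usr/src && \
+mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}" && \
+cd wireguard-"${WG_MODULE_SNAPSHOT}" && \
+mv src/* . && \
+rmdir src || exit 1
+
+echo "::: Adding WireGuard module via DKMS... "
+if dkms add wireguard/"${WG_MODULE_SNAPSHOT}"; then
+echo "done!"
+else
+echo "failed!"
+dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
+exit 1
+fi
+
+echo "::: Compiling WireGuard module via DKMS... "
+if dkms build wireguard/"${WG_MODULE_SNAPSHOT}"; then
+echo "done!"
+else
+echo "failed!"
+dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
+exit 1
+fi
+
+echo "::: Installing WireGuard module via DKMS... "
+if dkms install wireguard/"${WG_MODULE_SNAPSHOT}"; then
+echo "done!"
+else
+echo "failed!"
+dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
+exit 1
+fi
+
+echo "::: Removing old kernel module and source code..."
+if dkms remove wireguard/"${CURRENT_WG_MODULE_SNAPSHOT}" --all; then
+rm -rf /usr/src/wireguard-"${CURRENT_WG_MODULE_SNAPSHOT}"
+echo "done!"
+else
+echo "failed!"
+exit 1
+fi
+
+sed "s/WG_TOOLS_SNAPSHOT=${CURRENT_WG_MODULE_SNAPSHOT}/WG_TOOLS_SNAPSHOT=${WG_MODULE_SNAPSHOT}/" -i "${setupVars}"
+
+echo "::: Upgrade completed!"
+fi
+else
+echo "::: You are running the lastest version of wireguard-dkms (${CURRENT_WG_MODULE_SNAPSHOT})"
+fi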
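Review bot: The last `sed` of the dkms branch rewrites the wrong key, so the installed module version is never persisted in setupVars and the next run will re-prompt for the same update and try to `dkms remove` / `rm -rf` a source tree that no longer exists; it should read `sed "s/WG_MODULE_SNAPSHOT=${CURRENT_WG_MODULE_SNAPSHOT}/WG_MODULE_SNAPSHOT=${WG_MODULE_SNAPSHOT}/" -i "${setupVars}"`. Both `WG_TOOLS_SNAPSHOT` and `WG_MODULE_SNAPSHOT` are taken verbatim from the remote `distros.json` and then spliced, as root, into a download URL, `cd`/`rm -rf` paths, a `checkinstall --pkgversion` and a `sed` expression, and a failed `curl -s` silently yields the string `null`; I would use `curl -sf` and refuse anything that is not a plain version string before using it, e.g. `[[ ${WG_TOOLS_SNAPSHOT} =~ ^[0-9][0-9.]*$ ]] || { echo "::: Unexpected wireguard-tools version string"; exit 1; }` with the same guard for the module. The tarballs are also unpacked, compiled and installed with no integrity check beyond TLS (`wget -qO- | tar xJ` also hides a download failure since pipefail is not set); verifying a published signature or a pinned hash before `make`/`dkms` would be worth at least a `# TODO: verify snapshot signature before building` comment. Minor: the prompts advertise `[Y/n]` but an empty `REPLY` is treated as "no", unlike the `-z ${REPLY}` handling in the debug script hunk above.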
|