Update install.sh

This commit is contained in:
Orazio 2018-09-04 12:06:52 +02:00 committed by GitHub
parent 0a7928e25a
commit f02f57d721
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -24,13 +24,16 @@ PKG_CACHE="/var/lib/apt/lists/"
UPDATE_PKG_CACHE="${PKG_MANAGER} update"
PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install"
PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true"
PIVPN_DEPS=( openvpn git dhcpcd5 tar wget grep iptables-persistent dnsutils expect whiptail net-tools)
PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools)
### ###
pivpnGitUrl="https://github.com/pivpn/pivpn.git"
pivpnFilesDir="/etc/.pivpn"
easyrsaVer="3.0.1-pivpn1"
easyrsaRel="https://github.com/pivpn/easy-rsa/releases/download/${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz"
easyrsaVer="3.0.4"
easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz"
# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config
UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/1.4.tar.gz"
# Find the rows and columns. Will default to 80x24 if it can not be detected.
screen_size=$(stty size 2>/dev/null || echo 24 80)
@ -88,11 +91,15 @@ distro_check() {
else # else get info from os-release
PLAT=$(grep "^NAME" /etc/os-release | awk -F "=" '{print $2}' | tr -d '"' | awk '{print $1}')
VER=$(grep "VERSION_ID" /etc/os-release | awk -F "=" '{print $2}' | tr -d '"')
declare -A VER_MAP=(["9"]="stretch" ["8"]="jessie" ["16.04"]="xenial" ["14.04"]="trusty")
source /etc/os-release
PLAT=$(awk '{print $1}' <<< "$NAME")
VER="$VERSION_ID"
declare -A VER_MAP=(["9"]="stretch" ["8"]="jessie" ["18.04"]="bionic" ["16.04"]="xenial" ["14.04"]="trusty")
OSCN=${VER_MAP["${VER}"]}
fi
if [[ ${OSCN} != "bionic" ]]; then
PIVPN_DEPS+=(dhcpcd5)
fi
case ${PLAT} in
@ -143,7 +150,7 @@ chooseUser() {
# Explain the local user
whiptail --msgbox --backtitle "Parsing User List" --title "Local Users" "Choose a local user that will hold your ovpn configurations." ${r} ${c}
# First, let's check if there is a user available.
numUsers=$(awk -F':' 'BEGIN {count=0} $3>=500 && $3<=60000 { count++ } END{ print count }' /etc/passwd)
numUsers=$(awk -F':' 'BEGIN {count=0} $3>=1000 && $3<=60000 { count++ } END{ print count }' /etc/passwd)
if [ "$numUsers" -eq 0 ]
then
# We don't have a user, let's ask to add one.
@ -163,7 +170,7 @@ chooseUser() {
exit 1
fi
fi
availableUsers=$(awk -F':' '$3>=500 && $3<=60000 {print $1}' /etc/passwd)
availableUsers=$(awk -F':' '$3>=1000 && $3<=60000 {print $1}' /etc/passwd)
local userArray=()
local firstloop=1
@ -696,12 +703,43 @@ confOpenVPN() {
if [[ ${useUpdateVars} == false ]]; then
# Ask user for desired level of encryption
ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "Encryption strength" --radiolist \
if [[ ${useUpdateVars} == false ]]; then
if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]]; then
APPLY_TWO_POINT_FOUR=false
else
if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno --defaultyes "OpenVPN 2.4 brings support for stronger authentication and key exchange using Elliptic Curves, along with encrypted control channel.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then
APPLY_TWO_POINT_FOUR=true
$SUDO touch /etc/pivpn/TWO_POINT_FOUR
else
APPLY_TWO_POINT_FOUR=false
fi
fi
fi
if [[ ${runUnattended} == true ]] && [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then
$SUDO touch /etc/pivpn/TWO_POINT_FOUR
fi
if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then
ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "RSA encryption strength" --radiolist \
"Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications, it is recommended to use 2048 bits. If you are testing, you can use 1024 bits to speed things up, but do not use this for normal use! If you are paranoid about ... things... then grab a cup of joe and pick 4096 bits." ${r} ${c} 3 \
"1024" "Use 1024-bit encryption (testing only)" OFF \
"2048" "Use 2048-bit encryption (recommended level)" ON \
"4096" "Use 4096-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3)
else
declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1")
ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA encryption strength" --radiolist \
"Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \
"256" "Use 256-bit encryption (recommended level)" ON \
"384" "Use 384-bit encryption" OFF \
"521" "Use 521-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3)
fi
exitstatus=$?
if [ $exitstatus != 0 ]; then
echo "::: Cancel selected. Exiting..."
@ -720,6 +758,8 @@ confOpenVPN() {
$SUDO chown -R root:root /etc/openvpn/easy-rsa
$SUDO mkdir /etc/openvpn/easy-rsa/pki
cd /etc/openvpn/easy-rsa || exit
# Write out new vars file
set +e
IFS= read -d '' String <<"EOF"
@ -729,17 +769,19 @@ if [ -z "$EASYRSA_CALLER" ]; then
fi
set_var EASYRSA "/etc/openvpn/easy-rsa"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CURVE secp384r1
set_var EASYRSA_CRL_DAYS 3650
EOF
echo "${String}" | $SUDO tee /etc/openvpn/easy-rsa/vars >/dev/null
echo "${String}" | $SUDO tee vars >/dev/null
set -e
# Edit the KEY_SIZE variable in the vars file to set user chosen key size
cd /etc/openvpn/easy-rsa || exit
$SUDO sed -i "s/\(KEY_SIZE\).*/\1 ${ENCRYPT}/" vars
# Set certificate type
if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then
echo "set_var EASYRSA_ALGO rsa" >> vars
echo "set_var EASYRSA_KEY_SIZE ${ENCRYPT}" >> vars
else
echo "set_var EASYRSA_ALGO ec" >> vars
echo "set_var EASYRSA_CURVE ${ECDSA_MAP["${ENCRYPT}"]}" >> vars
fi
# Remove any previous keys
${SUDOE} ./easyrsa --batch init-pki
@ -750,30 +792,14 @@ EOF
printf "\n::: CA Complete.\n"
if [[ ${useUpdateVars} == false ]]; then
if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then
whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c}
fi
fi
# Build the server
${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass
if [[ ${useUpdateVars} == false ]]; then
if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]]; then
APPLY_TWO_POINT_FOUR=false
else
if (whiptail --backtitle "Setup OpenVPN" --title "Version 2.4 improvements" --yesno --defaultno "OpenVPN 2.4 brings support for stronger key exchange using Elliptic Curves and encrypted control channel, along with faster LZ4 compression.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then
APPLY_TWO_POINT_FOUR=true
$SUDO touch /etc/pivpn/TWO_POINT_FOUR
else
APPLY_TWO_POINT_FOUR=false
fi
fi
fi
if [[ ${runUnattended} == true ]] && [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then
$SUDO touch /etc/pivpn/TWO_POINT_FOUR
fi
if [[ ${useUpdateVars} == false ]]; then
if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then
if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from their database.\nMore information about this service can be found here: https://2ton.com.au/safeprimes/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then
@ -781,6 +807,8 @@ EOF
else
DOWNLOAD_DH_PARAM=false
fi
else
DOWNLOAD_DH_PARAM=false
fi
fi
@ -807,14 +835,13 @@ EOF
$SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then
#If they enabled 2.4 change compression algorithm and use tls-crypt instead of tls-auth to encrypt control channel
$SUDO sed -i "s/comp-lzo/compress lz4/" /etc/openvpn/server.conf
#If they enabled 2.4 use tls-crypt instead of tls-auth to encrypt control channel
$SUDO sed -i "s/tls-auth \/etc\/openvpn\/easy-rsa\/pki\/ta.key 0/tls-crypt \/etc\/openvpn\/easy-rsa\/pki\/ta.key/" /etc/openvpn/server.conf
fi
if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then
#If they enabled 2.4 disable dh parameters, use a specific curve instead
$SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/dh none\necdh-curve secp384r1/" /etc/openvpn/server.conf
#If they enabled 2.4 disable dh parameters since the key exchange will use the matching curve from the ECDSA certificate
$SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/dh none/" /etc/openvpn/server.conf
else
# Otherwise set the user encryption key size
$SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/\1${ENCRYPT}.pem/" /etc/openvpn/server.conf
@ -836,20 +863,24 @@ EOF
}
confUnattendedUpgrades() {
cd /etc/apt/apt.conf.d
if [[ $UNATTUPG == "unattended-upgrades" ]]; then
$SUDO apt-get --yes --quiet --no-install-recommends install "$UNATTUPG" > /dev/null & spinner $!
if [[ $PLAT == "Ubuntu" ]]; then
# Ubuntu 50unattended-upgrades should already just have security enabled
# so we just need to configure the 10periodic file
cat << EOT | $SUDO tee /etc/apt/apt.conf.d/10periodic >/dev/null
cat << EOT | $SUDO tee 10periodic >/dev/null
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
EOT
else
$SUDO sed -i '/\(o=Raspbian,n=jessie\)/c\"o=Raspbian,n=jessie,l=Raspbian-Security";\' /etc/apt/apt.conf.d/50unattended-upgrades
cat << EOT | $SUDO tee /etc/apt/apt.conf.d/02periodic >/dev/null
wget -q -O - "$UNATTUPG_CONFIG" | $SUDO tar xz
$SUDO cp unattended-upgrades-1.4/data/50unattended-upgrades.Raspbian 50unattended-upgrades
$SUDO rm -rf unattended-upgrades-1.4
cat << EOT | $SUDO tee 02periodic >/dev/null
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
@ -907,12 +938,12 @@ confNetwork() {
}
confOVPN() {
if ! IPv4pub=$(dig +short myip.opendns.com @resolver1.opendns.com)
IPv4pub=$(dig +short myip.opendns.com @208.67.222.222)
if [ $? -ne 0 ] || [ -z "$IPv4pub" ]; then
echo "dig failed, now trying to curl whatismyip.akamai.com"
if ! IPv4pub=$(curl -s http://whatismyip.akamai.com)
then
echo "dig failed, now trying to curl eth0.me"
if ! IPv4pub=$(curl eth0.me)
then
echo "eth0.me failed, please check your internet connection/DNS"
echo "whatismyip.akamai.com failed, please check your internet connection/DNS"
exit $?
fi
fi
@ -922,8 +953,7 @@ confOVPN() {
$SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then
#If they enabled 2.4 change compression algorithm and remove key-direction options since it's not required
$SUDO sed -i "s/comp-lzo/compress lz4/" /etc/openvpn/easy-rsa/pki/Default.txt
#If they enabled 2.4 remove key-direction options since it's not required
$SUDO sed -i "/key-direction 1/d" /etc/openvpn/easy-rsa/pki/Default.txt
fi