From a7c9a3535215f44b39e08a6d0f4088242cfb6c79 Mon Sep 17 00:00:00 2001 From: Stephen KINGER Date: Tue, 27 Sep 2016 14:24:14 +0200 Subject: [PATCH 1/5] /feature/add_tcp_option Adding a correct tcp option --- auto_install/install.sh | 71 +++++++++++++++++++++++++++++++---------- 1 file changed, 54 insertions(+), 17 deletions(-) mode change 100644 => 100755 auto_install/install.sh diff --git a/auto_install/install.sh b/auto_install/install.sh old mode 100644 new mode 100755 index 662b90f..8a515e8 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -65,7 +65,7 @@ If you think you received this message in error, you can post an issue on the Gi } function maybeOS_Support() { - if (whiptail --backtitle "Not Supported OS" --title "Not Supported OS" --yesno "You are on an OS that we have not tested but MAY work. + if (whiptail --backtitle "Not Supported OS" --title "Not Supported OS" --yesno "You are on an OS that we have not tested but MAY work. Currently this installer supports Raspbian jessie, Ubuntu 14.04 (trusty), and Ubuntu 16.04 (xenial). Would you like to continue anyway?" $r $c) then echo "::: Did not detect perfectly supported OS but," @@ -97,7 +97,7 @@ elif [[ "$(cat /etc/os-release | grep raspbian)" ]]; then PLAT="Ubuntu" OSCN="unknown" maybeOS_Support - fi + fi # else we prob don't want to install else noOS_Support @@ -127,7 +127,7 @@ welcomeDialogs() { # Explain the need for a static address whiptail --msgbox --backtitle "Initiating network interface" --title "Static IP Needed" "The PiVPN is a SERVER so it needs a STATIC IP ADDRESS to function properly. - + In the next section, you can choose to use your current network settings (DHCP) or to manually edit them." $r $c } 
@@ -372,7 +372,7 @@ checkForDependencies() { timestamp=$(stat -c %Y /var/cache/apt/) timestampAsDate=$(date -d @"$timestamp" "+%b %e") today=$(date "+%b %e") - + if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then if [[ $OSCN == "trusty" || $OSCN == "jessie" || $OSCN == "wheezy" ]]; then wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg| $SUDO apt-key add - @@ -475,6 +475,34 @@ update_repo() { echo " done!" } +setCustomProto() { + # Turn the available interfaces into an array so it can be used with a whiptail dialog + protoArray=() + + protoArray+=("udp" "available" "ON") + protoArray+=("tcp" "available" "OFF") + + # Find out how many interfaces are available to choose from + chooseProtoCmd=(whiptail --separate-output --radiolist "Choose A Protocol" $r $c 2) + echo "${chooseProtoCmd[@]}" "${protoArray[@]}" + chooseProtoOptions=$("${chooseProtoCmd[@]}" "${protoArray[@]}" 2>&1 >/dev/tty) + if [[ $? = 0 ]]; then + for desiredProto in $chooseProtoOptions + do + pivpnProto=$desiredProto + echo "::: Using protocol: $pivpnProto" + echo "${pivpnProto}" > /tmp/pivpnPROTO + done + else + echo "::: Cancel selected, exiting...." + exit 1 + fi + # write out the PROTO + PROTO=$pivpnProto + $SUDO cp /tmp/pivpnPROTO /etc/pivpn/INSTALL_PROTO +} + + setCustomPort() { until [[ $PORTNumCorrect = True ]] do @@ -617,7 +645,7 @@ confOpenVPN() { cd /etc/openvpn/easy-rsa $SUDO sed -i 's:"`pwd`":"/etc/openvpn/easy-rsa":' vars $SUDO sed -i "s/\(KEY_SIZE=\).*/\1${ENCRYPT}/" vars - + # Init Cert Values COUNTRY="US" STATE="CA" @@ -698,7 +726,7 @@ confOpenVPN() { # It seems you have to set this if you mess with key_cn, lets not. # grep -q 'KEY_ALTNAMES=' vars || printf '\nexport KEY_ALTNAMES="PiVPN_KEYALT"\n' >> vars - + # source the vars file just edited source ./vars 
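Review bot: The chosen protocol is written to the fixed path /tmp/pivpnPROTO and then copied with `$SUDO cp` into /etc/pivpn/INSTALL_PROTO, so whatever already sits at that name in the shared temp directory (a stale file from an earlier run, or a file or symlink created by another local account) decides what lands in the privileged config; the rewrite in patch 4 keeps this same write. Writing the value straight to its destination removes the intermediate file: `printf '%s\n' "$pivpnProto" | $SUDO tee /etc/pivpn/INSTALL_PROTO >/dev/null`. The `echo "${chooseProtoCmd[@]}" "${protoArray[@]}"` line before the dialog looks like leftover debug output and prints the whole command to the installer's stdout. The `for desiredProto in $chooseProtoOptions` loop is unnecessary for a radiolist, which returns a single item.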
@@ -724,17 +752,21 @@ confOpenVPN() { # Write config file for server using the template .txt file LOCALIP=$(ifconfig $pivpnInterface | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') $SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf - + $SUDO sed -i "s/LOCALIP/${LOCALIP}/g" /etc/openvpn/server.conf # Set the user encryption key size $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/keys\/dh\).*/\1${ENCRYPT}.pem/" /etc/openvpn/server.conf - + # if they modified port put value in server.conf if [ $PORT != 1194 ]; then $SUDO sed -i "s/1194/${PORT}/g" /etc/openvpn/server.conf fi + if [ $PROTO != "udp" ]; then + $SUDO sed -i "s/proto udp/proto tcp/g" /etc/openvpn/server.conf + fi + # write out server certs to conf file $SUDO sed -i "s/\(key \/etc\/openvpn\/easy-rsa\/keys\/\).*/\1${SERVER_NAME}.key/" /etc/openvpn/server.conf $SUDO sed -i "s/\(cert \/etc\/openvpn\/easy-rsa\/keys\/\).*/\1${SERVER_NAME}.crt/" /etc/openvpn/server.conf @@ -783,7 +815,7 @@ confNetwork() { $SUDO sed -i 's/IPv4dev/'$IPv4dev'/' /tmp/ufw_add.txt $SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw $SUDO sed -i -e '/delete these required/r /tmp/ufw_add.txt' -e//N /etc/ufw/before.rules - $SUDO ufw allow ${PORT}/udp + $SUDO ufw allow ${PORT}/${PROTO} $SUDO ufw allow from 10.8.0.0/24 $SUDO ufw reload echo "::: UFW configuration completed." @@ -803,7 +835,7 @@ confNetwork() { else echo 0 > /tmp/noUFW fi - + $SUDO cp /tmp/noUFW /etc/pivpn/NO_UFW } @@ -818,8 +850,8 @@ confOVPN() { METH=$(whiptail --title "Public IP or DNS" --radiolist "Will clients use a Public IP or DNS Name to connect to your server?" $r $c 2 \ "$IPv4pub" "Use this public IP" "ON" \ - "DNS Entry" "Use a public DNS" "OFF" 3>&1 1>&2 2>&3) - + "DNS Entry" "Use a public DNS" "OFF" 3>&1 1>&2 2>&3) + exitstatus=$? if [ $exitstatus != 0 ]; then echo "::: Cancel selected. Exiting..." 
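Review bot: `if [ $PROTO != "udp" ]; then` leaves `$PROTO` unquoted, so when the variable is empty (for example if setCustomProto was not reached) the test degrades to `[ != "udp" ]`, a syntax error rather than a comparison, and the same form is used in the confOVPN hunk of this patch. Quote it in both places: `if [ "$PROTO" != "udp" ]; then`. The `$SUDO ufw allow ${PORT}/${PROTO}` line in the confNetwork hunk depends on the same variable and would emit `1194/` with an empty value, so a default or an explicit check before these three uses keeps the firewall rule in step with the protocol written to server.conf. confOpenVPN continues outside this hunk.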
@@ -830,7 +862,7 @@ confOVPN() { if [ "$METH" == "$IPv4pub" ]; then $SUDO sed -i 's/IPv4pub/'$IPv4pub'/' /etc/openvpn/easy-rsa/keys/Default.txt - else + else until [[ $publicDNSCorrect = True ]] do PUBLICDNS=$(whiptail --title "PiVPN Setup" --inputbox "What is the public DNS name of this Server?" $r $c 3>&1 1>&2 2>&3) @@ -844,16 +876,20 @@ confOVPN() { $SUDO sed -i 's/IPv4pub/'$PUBLICDNS'/' /etc/openvpn/easy-rsa/keys/Default.txt else publicDNSCorrect=False - + fi done fi - + # if they modified port put value in Default.txt for clients to use if [ $PORT != 1194 ]; then $SUDO sed -i -e "s/1194/${PORT}/g" /etc/openvpn/easy-rsa/keys/Default.txt fi - + + if [ $PROTO != "udp" ]; then + $SUDO sed -i -e "s/proto udp/proto tcp/g" /etc/openvpn/easy-rsa/keys/Default.txt + fi + # verify server name to strengthen security $SUDO sed -i "s/SRVRNAME/${SERVER_NAME}/" /etc/openvpn/easy-rsa/keys/Default.txt @@ -868,6 +904,7 @@ installPiVPN() { $SUDO mkdir -p /etc/pivpn/ getGitFiles installScripts + setCustomProto setCustomPort confOpenVPN confNetwork @@ -884,7 +921,7 @@ displayFinalMessage() { $SUDO systemctl start openvpn.service fi - whiptail --msgbox --backtitle "Make it so." --title "Installation Complete!" "Now run 'pivpn add' to create the ovpn profiles. + whiptail --msgbox --backtitle "Make it so." --title "Installation Complete!" "Now run 'pivpn add' to create the ovpn profiles. Run 'pivpn help' to see what else you can do! The install log is in /etc/pivpn." $r $c if (whiptail --title "Reboot" --yesno --defaultno "It is strongly recommended you reboot after installation. Would you like to reboot now?" $r $c); then From f81425e05af55f3aa237e900a93464d295ece15c Mon Sep 17 00:00:00 2001 From: Stephen KINGER Date: Tue, 27 Sep 2016 14:31:41 +0200 Subject: [PATCH 2/5] Update the unisntall script, not tested yet. --- auto_install/install.sh | 6 +++--- scripts/uninstall.sh | 13 +++++++------ 2 files changed, 10 insertions(+), 9 deletions(-) 
diff --git a/auto_install/install.sh b/auto_install/install.sh index 8a515e8..ea85c58 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -476,13 +476,11 @@ update_repo() { } setCustomProto() { - # Turn the available interfaces into an array so it can be used with a whiptail dialog + # Set the available protocols into an array so it can be used with a whiptail dialog protoArray=() - protoArray+=("udp" "available" "ON") protoArray+=("tcp" "available" "OFF") - # Find out how many interfaces are available to choose from chooseProtoCmd=(whiptail --separate-output --radiolist "Choose A Protocol" $r $c 2) echo "${chooseProtoCmd[@]}" "${protoArray[@]}" chooseProtoOptions=$("${chooseProtoCmd[@]}" "${protoArray[@]}" 2>&1 >/dev/tty) @@ -763,6 +761,7 @@ confOpenVPN() { $SUDO sed -i "s/1194/${PORT}/g" /etc/openvpn/server.conf fi + # if they modified protocol put value in server.conf if [ $PROTO != "udp" ]; then $SUDO sed -i "s/proto udp/proto tcp/g" /etc/openvpn/server.conf fi @@ -886,6 +885,7 @@ confOVPN() { $SUDO sed -i -e "s/1194/${PORT}/g" /etc/openvpn/easy-rsa/keys/Default.txt fi + # if they modified protocol put value in Default.txt for clients to use if [ $PROTO != "udp" ]; then $SUDO sed -i -e "s/proto udp/proto tcp/g" /etc/openvpn/easy-rsa/keys/Default.txt fi diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index 902faf9..f4c9b33 100644 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -20,6 +20,7 @@ INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) PLAT=$(cat /etc/pivpn/DET_PLATFORM) NO_UFW=$(cat /etc/pivpn/NO_UFW) PORT=$(cat /etc/pivpn/INSTALL_PORT) +PROTO=$(cat /etc/pivpn/INSTALL_PROTO) # Find the rows and columns rows=$(tput lines) 
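Review bot: `PROTO=$(cat /etc/pivpn/INSTALL_PROTO)` has no fallback, so on a system installed before this file existed the cat fails, PROTO is empty and the `$SUDO ufw delete allow ${PORT}/${PROTO}` line in the -100 hunk becomes `ufw delete allow 1194/`, leaving the original udp allow rule open after the uninstall. Earlier installs only ever opened udp (the removed line hard-codes it), so defaulting to it keeps the cleanup correct: `PROTO=$(cat /etc/pivpn/INSTALL_PROTO 2>/dev/null || echo udp)`. Patch 3 repeats these uninstall.sh hunks unchanged (same blob ids), so the same fix applies there.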
@@ -53,7 +54,7 @@ echo ":::" while true; do read -rp "::: Do you wish to remove $i from your system? [y/n]: " yn case $yn in - [Yy]* ) printf ":::\tRemoving %s..." "$i"; $SUDO apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n"; + [Yy]* ) printf ":::\tRemoving %s..." "$i"; $SUDO apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n"; if [ "$i" == "openvpn" ]; then UINST_OVPN=1 ; fi if [ "$i" == "unattended-upgrades" ]; then UINST_UNATTUPG=1 ; fi break;; @@ -100,15 +101,15 @@ echo ":::" # Disable IPv4 forwarding sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf sysctl -p - + if [[ $NO_UFW -eq 0 ]]; then $SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"DROP\"/" /etc/default/ufw - $SUDO sed -i '/START OPENVPN RULES/,/END OPENVPN RULES/ d' /etc/ufw/before.rules + $SUDO sed -i '/START OPENVPN RULES/,/END OPENVPN RULES/ d' /etc/ufw/before.rules $SUDO ufw delete allow from 10.8.0.0/24 >/dev/null - $SUDO ufw delete allow ${PORT}/udp >/dev/null + $SUDO ufw delete allow ${PORT}/${PROTO} >/dev/null $SUDO ufw reload fi - + echo ":::" printf "::: Finished removing PiVPN from your system.\n" printf "::: Reinstall by simpling running\n:::\n:::\tcurl -L https://install.pivpn.io | bash\n:::\n::: at any time!\n:::\n" @@ -132,7 +133,7 @@ while true; do read -rp "::: Do you wish to completely remove PiVPN configuration and installed packages from your system? (You will be prompted for each package) [y/n]: " yn case $yn in [Yy]* ) removeAll; askreboot; break;; - + [Nn]* ) printf "::: Not removing anything, exiting...\n"; break;; esac done From e541fd39ac10a4d31ca52c31b8d71d9486a45a6d Mon Sep 17 00:00:00 2001 From: Stephen KINGER Date: Tue, 27 Sep 2016 14:31:41 +0200 Subject: [PATCH 3/5] Update the unisntall script, OK. --- auto_install/install.sh | 6 +++--- scripts/uninstall.sh | 13 +++++++------ 2 files changed, 10 insertions(+), 9 deletions(-) 
diff --git a/auto_install/install.sh b/auto_install/install.sh index 8a515e8..ea85c58 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -476,13 +476,11 @@ update_repo() { } setCustomProto() { - # Turn the available interfaces into an array so it can be used with a whiptail dialog + # Set the available protocols into an array so it can be used with a whiptail dialog protoArray=() - protoArray+=("udp" "available" "ON") protoArray+=("tcp" "available" "OFF") - # Find out how many interfaces are available to choose from chooseProtoCmd=(whiptail --separate-output --radiolist "Choose A Protocol" $r $c 2) echo "${chooseProtoCmd[@]}" "${protoArray[@]}" chooseProtoOptions=$("${chooseProtoCmd[@]}" "${protoArray[@]}" 2>&1 >/dev/tty) @@ -763,6 +761,7 @@ confOpenVPN() { $SUDO sed -i "s/1194/${PORT}/g" /etc/openvpn/server.conf fi + # if they modified protocol put value in server.conf if [ $PROTO != "udp" ]; then $SUDO sed -i "s/proto udp/proto tcp/g" /etc/openvpn/server.conf fi @@ -886,6 +885,7 @@ confOVPN() { $SUDO sed -i -e "s/1194/${PORT}/g" /etc/openvpn/easy-rsa/keys/Default.txt fi + # if they modified protocol put value in Default.txt for clients to use if [ $PROTO != "udp" ]; then $SUDO sed -i -e "s/proto udp/proto tcp/g" /etc/openvpn/easy-rsa/keys/Default.txt fi diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index 902faf9..f4c9b33 100644 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -20,6 +20,7 @@ INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) PLAT=$(cat /etc/pivpn/DET_PLATFORM) NO_UFW=$(cat /etc/pivpn/NO_UFW) PORT=$(cat /etc/pivpn/INSTALL_PORT) +PROTO=$(cat /etc/pivpn/INSTALL_PROTO) # Find the rows and columns rows=$(tput lines) 
@@ -53,7 +54,7 @@ echo ":::" while true; do read -rp "::: Do you wish to remove $i from your system? [y/n]: " yn case $yn in - [Yy]* ) printf ":::\tRemoving %s..." "$i"; $SUDO apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n"; + [Yy]* ) printf ":::\tRemoving %s..." "$i"; $SUDO apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n"; if [ "$i" == "openvpn" ]; then UINST_OVPN=1 ; fi if [ "$i" == "unattended-upgrades" ]; then UINST_UNATTUPG=1 ; fi break;; @@ -100,15 +101,15 @@ echo ":::" # Disable IPv4 forwarding sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf sysctl -p - + if [[ $NO_UFW -eq 0 ]]; then $SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"DROP\"/" /etc/default/ufw - $SUDO sed -i '/START OPENVPN RULES/,/END OPENVPN RULES/ d' /etc/ufw/before.rules + $SUDO sed -i '/START OPENVPN RULES/,/END OPENVPN RULES/ d' /etc/ufw/before.rules $SUDO ufw delete allow from 10.8.0.0/24 >/dev/null - $SUDO ufw delete allow ${PORT}/udp >/dev/null + $SUDO ufw delete allow ${PORT}/${PROTO} >/dev/null $SUDO ufw reload fi - + echo ":::" printf "::: Finished removing PiVPN from your system.\n" printf "::: Reinstall by simpling running\n:::\n:::\tcurl -L https://install.pivpn.io | bash\n:::\n::: at any time!\n:::\n" @@ -132,7 +133,7 @@ while true; do read -rp "::: Do you wish to completely remove PiVPN configuration and installed packages from your system? (You will be prompted for each package) [y/n]: " yn case $yn in [Yy]* ) removeAll; askreboot; break;; - + [Nn]* ) printf "::: Not removing anything, exiting...\n"; break;; esac done From cf5ba27a2110976ab6cfe941007e1b67d5811c41 Mon Sep 17 00:00:00 2001 From: redfast00 Date: Sun, 9 Oct 2016 12:30:13 +0200 Subject: [PATCH 4/5] Added message about TCP --- auto_install/install.sh | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index ea85c58..42b2c8e 100755 
--- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -477,20 +477,15 @@ update_repo() { setCustomProto() { # Set the available protocols into an array so it can be used with a whiptail dialog - protoArray=() - protoArray+=("udp" "available" "ON") - protoArray+=("tcp" "available" "OFF") - - chooseProtoCmd=(whiptail --separate-output --radiolist "Choose A Protocol" $r $c 2) - echo "${chooseProtoCmd[@]}" "${protoArray[@]}" - chooseProtoOptions=$("${chooseProtoCmd[@]}" "${protoArray[@]}" 2>&1 >/dev/tty) - if [[ $? = 0 ]]; then - for desiredProto in $chooseProtoOptions - do - pivpnProto=$desiredProto - echo "::: Using protocol: $pivpnProto" - echo "${pivpnProto}" > /tmp/pivpnPROTO - done + protocol=$(whiptail --title "Protocol" --radiolist \ + "Choose a protocol. Please only choose TCP if you know why you need TCP." $r $c 2 \ + "UDP" "" ON \ + "TCP" "" OFF 3>&1 1>&2 2>&3) + if [ $? -eq 0 ]; then + # Convert option into lowercase (UDP->udp) + pivpnProto="${protocol,,}" + echo "::: Using protocol: $pivpnProto" + echo "${pivpnProto}" > /tmp/pivpnPROTO else echo "::: Cancel selected, exiting...." exit 1 From ac28a7c3e4d85e379147f7a4de090c65de058ac2 Mon Sep 17 00:00:00 2001 From: Stephen KINGER Date: Sun, 9 Oct 2016 13:40:19 +0200 Subject: [PATCH 5/5] Set default ports as 1194 for UDP and 443 port for TCP --- auto_install/install.sh | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 42b2c8e..32f30da 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
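Review bot: Testing `$?` on the line after `protocol=$(whiptail ...)` is correct only as long as nothing is ever inserted between the two statements; folding the command into the condition is the more robust form, `if protocol=$(whiptail --title "Protocol" --radiolist "..." $r $c 2 "UDP" "" ON "TCP" "" OFF 3>&1 1>&2 2>&3); then`. The lowercase conversion `${protocol,,}` is a bash 4 feature, which is presumably fine for the listed targets but worth confirming against the oldest supported release. The rest of setCustomProto, including the `$SUDO cp /tmp/pivpnPROTO` step, is outside this hunk.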
@@ -501,7 +501,14 @@ setCustomPort() { do portInvalid="Invalid" - PORT=$(whiptail --title "Default OpenVPN Port" --inputbox "You can modify the default OpenVPN port. \nEnter a new value or hit 'Enter' to retain the default" $r $c 1194 3>&1 1>&2 2>&3) + PROTO=`cat /etc/pivpn/INSTALL_PROTO` + if [ "$PROTO" = "udp" ]; then + DEFAULT_PORT=1194 + else + DEFAULT_PORT=443 + fi + + PORT=$(whiptail --title "Default OpenVPN Port" --inputbox "You can modify the default OpenVPN port. \nEnter a new value or hit 'Enter' to retain the default" $r $c $DEFAULT_PORT 3>&1 1>&2 2>&3) if [[ $? = 0 ]]; then if [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 -a "$PORT" -le 65535 ]; then :
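Review bot: The new block re-reads /etc/pivpn/INSTALL_PROTO with backticks on every pass of the `until` loop and treats any value other than `udp`, including an empty one when the file is missing or unreadable, as TCP, so a failed read silently moves the proposed default from 1194 to 443. setCustomProto already sets `PROTO=$pivpnProto` before this function runs, so prefer the variable and make the unknown case fall back to the historical default: `PROTO=${PROTO:-$(cat /etc/pivpn/INSTALL_PROTO 2>/dev/null)}` followed by `if [ "$PROTO" = "tcp" ]; then DEFAULT_PORT=443; else DEFAULT_PORT=1194; fi`. The backtick substitution is the only one in this series; `$(...)` matches the rest of the file. The enclosing `until` loop and the port validation that follows are outside the hunk.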