Merge pull request #1 from 4s3ti/test

Merging test into Master, merge conflicts resolved.
2024-12-18 19:00:15 +00:00 · 2019-05-14 00:16:52 +01:00 · 2019-05-14 00:16:52 +01:00 · fae7767b99
commit fae7767b99
parent 7b4b0228d4 dafd3da38c
14 changed files with 325 additions and 147 deletions
--- a/ISSUE_TEMPLATE.md
+++ b/ISSUE_TEMPLATE.md
@ -64,4 +64,6 @@ For any output requested below, you may alternatively post it on http://pastebin
 ```
 ### Have you taken any steps towards solving your issue?
-     which?
+```
  which?
 ```
--- a/README.md
+++ b/README.md
@ -1,24 +1,15 @@
 PiVPN is once again maintained
 ============
 james-lasersoft: 0-kaladin has assigned me as new admin for this project. I will do my best to keep things rolling into the future. I would like to thanks 0-kaladin for creating the most excellent project and I would also like to thank all of the future contributions we will receive from our zealous followers as they keep me on track.
 -----
 0-kaladin:  Sad times.  I love this project just have no time to properly give it the attention it deserves.  I'm still around so if anyone is willing to pick this up and keep it running just create an issue to let me know.  Thanks to all who've kept this going as current life changes don't allow time for hobbies.  Hopefully in the future... I wanted to get this to <pip install pivpn> at one point.
 About
 -----
 Visit the [PiVPN](http://pivpn.io) site for more information.
-This is a set of shell scripts that serve to easily turn your Raspberry Pi (TM)
+This is a set of shell scripts developed by **@0-kaladin** that serve to easily turn your Raspberry Pi (TM)
 into a VPN server using the free, open-source [OpenVPN](https://openvpn.net) software.
 Have you been looking for a good guide or tutorial for installing openvpn on a raspberry pi or ubuntu based server?  Run this script and you don't need a guide or tutorial, this will do it all for you, in a fraction of the time and with hardened security settings in place by default.  
 The master branch of this script installs and configures OpenVPN on Raspbian
-Jessie, Stretch, Devuan and has been tested on Ubuntu 14.04 and 16.04 running from an Amazon AWS image.  Personally, I'd recommend using the Stretch or Jessie Lite image on a raspberry pi in your home so you can VPN into your home from unsecure remote locations and safely use the internet.  However, the scripts do try to detect different distributions and make adjustments accordingly.  They should work on the majority of Ubuntu and Debian based distributions including those using UFW by default instead of raw iptables.  
+Jessie, Stretch, Devuan and has been tested on Ubuntu 14.04 and 16.04 running from an Amazon AWS image.
 We recommend using the Stretch or Jessie Lite image on a raspberry pi in your home so you can VPN into your home from unsecure remote locations and safely use the internet.  However, the scripts do try to detect different distributions and make adjustments accordingly.  They should work on the majority of Ubuntu and Debian based distributions including those using UFW by default instead of raw iptables.  
 This scripts primary mission in life is to allow a user to have a home VPN for as cost effective as possible and without being a technical wizard.  Hence the design of pivpn to work on a Raspberry Pi ($35) and then one command installer.  Followed by easy management of the VPN thereafter with the 'pivpn' command.  That being said...
@ -54,11 +45,13 @@ curl -L https://install.pivpn.io | bash
 The script will first update your APT repositories, upgrade packages, and install OpenVPN,
 which will take some time.
-It will ask which encryption method you wish the guts of your server to use, 1024-bit, 2048-bit, or 4096-bit.
+It will ask which authentication method you wish the guts of your server to use, 1024-bit, 2048-bit, or 4096-bit.
 If you're unsure or don't have a convincing reason one way or the other I'd use 2048 today.  From the OpenVPN site:
 > For asymmetric keys, general wisdom is that 1024-bit keys are no longer sufficient to protect against well-equipped adversaries. Use of 2048-bit is a good minimum. It is wise to ensure all keys across your active PKI (including the CA root keypair) are using at least 2048-bit keys.
-> Up to 4096-bit is accepted by nearly all RSA systems (including OpenVPN,) but use of keys this large will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations; the benefit beyond 2048-bit keys is small enough not to be of great use at the current time. It is often a larger benefit to consider lower validity times than more bits past 2048, but that is for you to decide.
+> Up to 4096-bit is accepted by nearly all RSA systems (including OpenVPN), but use of keys this large will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations; the benefit beyond 2048-bit keys is small enough not to be of great use at the current time. It is often a larger benefit to consider lower validity times than more bits past 2048, but that is for you to decide.
 Luckily, OpenVPN 2.4 supports ECDSA certificates, which are based on Elliptic Curves, allowing much smaller keys while providing an equivalent security level (256 bit long, equivalent to 3072 bit RSA). For this reason, PiVPN now uses ECDSA certs if you choose to enable OpenVPN 2.4 features. If not, the usual RSA certificates are generated in case the user has clients running an older version of OpenVPN.
 After this, the script will go back to the command line as it builds the server's own
 certificate authority. The script will ask you if you'd like to change the certificate fields,
@ -70,11 +63,16 @@ and have a working configuration at the end.
 Finally, the script will take some time to build the server's Diffie-Hellman key
 exchange. If you chose 1024-bit encryption, this will just take a few minutes, but if you
 chose 2048-bit, it will take much longer (anywhere from 40 minutes to several hours on a
-Model B+). The script will also make some changes to your system to allow it to forward
+Model B+).
 NOTE: Diffie-Hellman parameters are NOT generated if you choose not to use OpenVPN 2.4.
 The script will also make some changes to your system to allow it to forward
 internet traffic and allow VPN connections through the Pi's firewall. When the script
 informs you that it has finished configuring OpenVPN, it will ask if you want to reboot.  
 I have it where you do not need to reboot when done but it also can't hurt.
 Managing the PiVPN
 ----------------------
@ -135,14 +133,16 @@ you want to remove OpenVPN without installing a fresh Raspbian image, just run
 Feedback & Support
 --------
-I am interested in making this script work for as many people as possible, so I
+PiVPN is purely community driven, and we are interested in making this script work for as many people as possible, we welcome any feedback on your experience.
-welcome any feedback on your experience. If you have problems using it, feel
+
-free to post an issue here on github.  I'll classify the issues the best I can
+for community support or general questions.
-to keep things sorted.
+Feel free to post on our subreddit <https://www.reddit.com/r/pivpn/>
 You can also join #pivpn <ircs://freenode/pivpn> on freenode in IRC 
 For code related issues, code contributions, feature requests, feel free to open an issue here at github.
 We will classify the issues the best we can to keep things sorted.
 [[DISCONTINUED APRIL 17]] You can also post on the [Google Space](https://goo.gl/spaces/kgp2Mcy5RDfZ5SSf8) I created for PiVPN, especially suited for general questions or discussions.
 You can also join #pivpn <ircs://freenode/pivpn> on freenode in IRC for community support or general questions.
 Related Projects
 --------
@ -158,7 +158,7 @@ The foundation for all open-source VPN projects.
 Contributions
 -------------
-I'm also interested in improving this script, please check the current issues to see where you can help. If you have any
+Please check the current issues to see where you can help. If you have any
 feature ideas or requests, or are interested in adding your ideas to it,
 testing it on other platforms, please comment or leave a pull request.
 If you contribute often I can add you as a member of the PiVPN project.
@ -175,4 +175,4 @@ sources.
 4. And as always the ever vigilant [EFF](https://www.eff.org/)
-I don't take donations at this time but if you want to show your appreciation to me, then contribute or leave feedback on suggestions or improvements.
+PiVPN is not taking donations at this time but if you want to show your appreciation, then contribute or leave feedback on suggestions or improvements.
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@ -9,12 +9,9 @@
 #
 # curl -L https://install.pivpn.io | bash
 # Make sure you have `curl` installed
 set -e
 ######## VARIABLES #########
-tmpLog="/tmp/pivpn-install.log"
+######## VARIABLES #########
 instalLogLoc="/etc/pivpn/install.log"
 setupVars=/etc/pivpn/setupVars.conf
 useUpdateVars=false
@ -33,7 +30,8 @@ easyrsaVer="3.0.6"
 easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz"
 # Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config 
-UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/1.4.tar.gz"
+UNATTUPG_RELEASE="1.9"
 UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz"
 # Find the rows and columns. Will default to 80x24 if it can not be detected.
 screen_size=$(stty size 2>/dev/null || echo 24 80)
@ -380,6 +378,18 @@ function valid_ip()
    return $stat
 }
 #Call this function to use a regex to check user input for a valid custom domain
 function valid_domain()
 {
  local domain=$1
  local stat=1
  if [[ $domain =~ ^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}\.[a-zA-Z]{2,}$ ]]; then
    stat=$?
  fi
  return $stat
 }
 installScripts() {
    # Install the scripts from /etc/.pivpn to their various locations
    $SUDO echo ":::"
@ -395,8 +405,7 @@ installScripts() {
    $SUDO cp /etc/.pivpn/scripts/removeOVPN.sh /opt/pivpn/removeOVPN.sh
    $SUDO cp /etc/.pivpn/scripts/uninstall.sh /opt/pivpn/uninstall.sh
    $SUDO cp /etc/.pivpn/scripts/pivpnDebug.sh /opt/pivpn/pivpnDebug.sh
-    $SUDO cp /etc/.pivpn/scripts/fix_iptables.sh /opt/pivpn/fix_iptables.sh
+    $SUDO chmod 0755 /opt/pivpn/{makeOVPN,clientStat,listOVPN,removeOVPN,uninstall,pivpnDebug}.sh
    $SUDO chmod 0755 /opt/pivpn/{makeOVPN,clientStat,listOVPN,removeOVPN,uninstall,pivpnDebug,fix_iptables}.sh
    $SUDO cp /etc/.pivpn/pivpn /usr/local/bin/pivpn
    $SUDO chmod 0755 /usr/local/bin/pivpn
    $SUDO cp /etc/.pivpn/scripts/bash-completion /etc/bash_completion.d/pivpn
@ -473,14 +482,13 @@ install_dependent_packages() {
    echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections
    echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections
-    if command -v debconf-apt-progress &> /dev/null; then
+    # Add support for https repositories if there are any that use it otherwise the installation will silently fail
    if grep -q https /etc/apt/sources.list; then
        PIVPN_DEPS+=("apt-transport-https")
    fi
-        # Use appropriate argument if the package manager uses https otherwise the installation will silently fail
+    if command -v debconf-apt-progress &> /dev/null; then
-        if grep -q https /etc/apt/sources.list; then
+        $SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}"
            $SUDO debconf-apt-progress -- ${PKG_INSTALL} -y apt-transport-https "${argArray1[@]}"
        else
            $SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}"
        fi
    else
        for i in "${argArray1[@]}"; do
            echo -n ":::    Checking for $i..."
@ -537,7 +545,7 @@ make_repo() {
    # Remove the non-repos interface and clone the interface
    echo -n ":::    Cloning $2 into $1..."
    $SUDO rm -rf "${1}"
-    $SUDO git clone -q "${2}" "${1}" > /dev/null & spinner $!
+    $SUDO git clone -q --depth 1 --no-single-branch "${2}" "${1}" > /dev/null & spinner $!
    if [ -z "${TESTING+x}" ]; then
        :
    else
@ -552,9 +560,9 @@ update_repo() {
    else
        # Pull the latest commits
        echo -n ":::     Updating repo in $1..."
        $SUDO rm -rf "${1}"
        $SUDO git clone -q --depth 1 --no-single-branch "${2}" "${1}" > /dev/null & spinner $!
        cd "${1}" || exit 1
        $SUDO git stash -q > /dev/null & spinner $!
        $SUDO git pull -q > /dev/null & spinner $!
        if [ -z "${TESTING+x}" ]; then
            :
        else
@ -702,6 +710,40 @@ setClientDNS() {
    fi
 }
 #This procedure allows a user to specify a custom search domain if they have one.
 setCustomDomain() {
  DomainSettingsCorrect=False
  if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno "Would you like to add a custom search domain? \n (This is only for advanced users who have their own domain)\n" ${r} ${c}); then
    until [[ $DomainSettingsCorrect = True ]]
    do
      if CUSTOMDomain=$(whiptail --inputbox "Enter Custom Domain\nFormat: mydomain.com" ${r} ${c} --title "Custom Domain" 3>&1 1>&2 2>&3); then
          if valid_domain "$CUSTOMDomain"; then
            if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno "Are these settings correct?\n    Custom Search Domain: $CUSTOMDomain" ${r} ${c}); then
                DomainSettingsCorrect=True
                $SUDO sed -i '0,/\(.*dhcp-option.*\)/s//\push "dhcp-option DOMAIN '${CUSTOMDomain}'" \n&/' /etc/openvpn/server.conf
            else
                # If the settings are wrong, the loop continues
                DomainSettingsCorrect=False
            fi
          else
            whiptail --msgbox --backtitle "Invalid Domain" --title "Invalid Domain" "Domain is invalid. Please try again.\n\n    DOMAIN:   $CUSTOMDomain\n" ${r} ${c}
            DomainSettingsCorrect=False
          fi
      else
        echo "::: Cancel selected. Exiting..."
        exit 1
      fi
    done
  else
    echo sleep 0.1
  fi
 }
 confOpenVPN() {
    # Generate a random, alphanumeric identifier of 16 characters for this server so that we can use verify-x509-name later that is unique for this server installation. Source: Earthgecko (https://gist.github.com/earthgecko/3089509)
    NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
@ -729,20 +771,20 @@ confOpenVPN() {
        if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then
-            ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "RSA encryption strength" --radiolist \
+            ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "RSA certificate size" --radiolist \
-            "Choose your desired level of encryption (press space to select):\n   This is an encryption key that will be generated on your system.  The larger the key, the more time this will take.  For most applications, it is recommended to use 2048 bits.  If you are testing, you can use 1024 bits to speed things up, but do not use this for normal use!  If you are paranoid about ... things... then grab a cup of joe and pick 4096 bits." ${r} ${c} 3 \
+            "Choose the desired size of your certificate (press space to select):\n   This is a certificate that will be generated on your system.  The larger the certificate, the more time this will take.  For most applications, it is recommended to use 2048 bits.  If you are testing, you can use 1024 bits to speed things up, but do not use this for normal use!  If you are paranoid about ... things... then grab a cup of joe and pick 4096 bits." ${r} ${c} 3 \
-            "1024" "Use 1024-bit encryption (testing only)" OFF \
+            "1024" "Use a 1024-bit certificate (testing only)" OFF \
-            "2048" "Use 2048-bit encryption (recommended level)" ON \
+            "2048" "Use a 2048-bit certificate (recommended level)" ON \
-            "4096" "Use 4096-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3)
+            "4096" "Use a 4096-bit certificate (paranoid level)" OFF 3>&1 1>&2 2>&3)
        else
            declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1")
-            ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA encryption strength" --radiolist \
+            ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA certificate size" --radiolist \
-            "Choose your desired level of encryption (press space to select):\n   This is an encryption key that will be generated on your system.  The larger the key, the more time this will take.  For most applications, it is recommended to use 256 bits.  You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \
+            "Choose the desired size of your certificate (press space to select):\n   This is an certificate that will be generated on your system.  The larger the certificate, the more time this will take.  For most applications, it is recommended to use 256 bits.  You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \
-            "256" "Use 256-bit encryption (recommended level)" ON \
+            "256" "Use a 256-bit certificate (recommended level)" ON \
-            "384" "Use 384-bit encryption" OFF \
+            "384" "Use a 384-bit certificate" OFF \
-            "521" "Use 521-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3)
+            "521" "Use a 521-bit certificate (paranoid level)" OFF 3>&1 1>&2 2>&3)
        fi
@ -758,7 +800,8 @@ confOpenVPN() {
        $SUDO rm -rf /etc/openvpn/easy-rsa/
    fi
-    # Get the PiVPN easy-rsa
+
    # Get easy-rsa
    wget -q -O - "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn && $SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa
    # fix ownership
    $SUDO chown -R root:root /etc/openvpn/easy-rsa
@ -799,7 +842,7 @@ EOF
    if [[ ${useUpdateVars} == false ]]; then
        if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then
-            whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c}
+            whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman parameters, and HMAC key will now be generated." ${r} ${c}
        fi
    fi
@ -886,8 +929,8 @@ EOT
            # Fix Raspbian config
            if [[ $PLAT == "Raspbian" ]]; then
                wget -q -O - "$UNATTUPG_CONFIG" | $SUDO tar xz
-                $SUDO cp unattended-upgrades-1.4/data/50unattended-upgrades.Raspbian 50unattended-upgrades
+                $SUDO cp "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" 50unattended-upgrades
-                $SUDO rm -rf unattended-upgrades-1.4
+                $SUDO rm -rf "unattended-upgrades-$UNATTUPG_RELEASE"
            fi
            # Add the remaining settings for all other distributions
@ -909,21 +952,20 @@ confNetwork() {
    $SUDO sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
    $SUDO sysctl -p
-    # if ufw enabled, configure that
+    # if ufw enabled, configure that (running as root because sometimes the executable is not in the user's $PATH, on Debian for example)
-    if hash ufw 2>/dev/null; then
+    if $SUDO bash -c 'hash ufw' 2>/dev/null; then
        if LANG=en_US.UTF-8 $SUDO ufw status | grep -q inactive
        then
            noUFW=1
        else
            echo "::: Detected UFW is enabled."
            echo "::: Adding UFW rules..."
-            $SUDO cp /etc/.pivpn/ufw_add.txt /tmp/ufw_add.txt
+            $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
-            $SUDO sed -i 's/IPv4dev/'"$IPv4dev"'/' /tmp/ufw_add.txt
+            # Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic)
-            $SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw
+            $SUDO ufw insert 1 allow "$PORT"/"$PROTO" >/dev/null
-            $SUDO sed -i -e '/delete these required/r /tmp/ufw_add.txt' -e//N /etc/ufw/before.rules
+            # Don't forward everything, just the traffic originated from the VPN subnet
-            $SUDO ufw allow "${PORT}/${PROTO}"
+            $SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
-            $SUDO ufw allow from 10.8.0.0/24
+            $SUDO ufw reload >/dev/null
            $SUDO ufw reload
            echo "::: UFW configuration completed."
        fi
    else
@ -932,7 +974,7 @@ confNetwork() {
    # else configure iptables
    if [[ $noUFW -eq 1 ]]; then
        echo 1 > /tmp/noUFW
-        $SUDO iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE
+        $SUDO iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE
        case ${PLAT} in
            Ubuntu|Debian|Devuan)
                $SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null
@ -1104,6 +1146,7 @@ installPiVPN() {
    confNetwork
    confOVPN
    setClientDNS
    setCustomDomain
    confLogging
    finalExports
 }
@ -1138,8 +1181,7 @@ updatePiVPN() {
 displayFinalMessage() {
    # Final completion message to user
    whiptail --msgbox --backtitle "Make it so." --title "Installation Complete!" "Now run 'pivpn add' to create the ovpn profiles.
-Run 'pivpn help' to see what else you can do!
+Run 'pivpn help' to see what else you can do!" ${r} ${c}
 The install log is in /etc/pivpn." ${r} ${c}
    if (whiptail --title "Reboot" --yesno --defaultno "It is strongly recommended you reboot after installation.  Would you like to reboot now?" ${r} ${c}); then
        whiptail --title "Rebooting" --msgbox "The system will now reboot." ${r} ${c}
        printf "\nRebooting system...\n"
@ -1277,10 +1319,12 @@ main() {
        # Clone/Update the repos
        clone_or_update_repos
-        # Install and log everything to a file
+        # Install
-        installPiVPN | tee ${tmpLog}
+        if installPiVPN; then
-
+            echo "::: Install Complete..."
-        echo "::: Install Complete..."
+        else
            exit 1
        fi
    else
        # Source ${setupVars} for use in the rest of the functions.
        source ${setupVars}
@ -1314,12 +1358,9 @@ main() {
        clone_or_update_repos
-        updatePiVPN | tee ${tmpLog}
+        updatePiVPN
    fi
    #Move the install log into /etc/pivpn for storage
    $SUDO mv ${tmpLog} ${instalLogLoc}
    echo "::: Restarting services..."
    # Start services
    case ${PLAT} in
@ -1331,6 +1372,10 @@ main() {
            $SUDO systemctl start openvpn.service
            ;;
    esac
    # Ensure that cached writes reach persistent storage
    echo "::: Flushing writes to disk..."
    sync
    echo "::: done."
@ -1349,7 +1394,6 @@ main() {
    fi
    echo ":::"
    echo "::: The install log is located at: ${instalLogLoc}"
 }
 if [[ "${PIVPN_TEST}" != true ]] ; then
--- a/ca_info.txt
+++ b/ca_info.txt
@ -1,8 +0,0 @@
 CO
 ST
 CITY
 ORG
 ORG-UNIT
 COMMON-NAME
 NAME
 EMAIL
--- a/firewall-openvpn-rules.txt
+++ b/firewall-openvpn-rules.txt
@ -1,3 +0,0 @@
 #!/bin/sh
 iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o IPv4dev -j MASQUERADE
--- a/18
+++ b/18
@ -27,30 +27,12 @@ function listOVPNFunc {
 }
 function debugFunc {
    noUFW=$(cat /etc/pivpn/NO_UFW)
    echo "::: Generating Debug Output"
    $SUDO /opt/pivpn/pivpnDebug.sh | tee /tmp/debug.txt
    echo "::: "
    echo "::: Debug output completed above."
    echo "::: Copy saved to /tmp/debug.txt"
    echo "::: "
    if [[ ${noUFW} -eq 1 ]]; then
        IPTABLES_FIX=`$SUDO iptables -t nat -L -n -v | grep -c 'MASQUERADE.*10.8.0.0\/24'`
        $SUDO iptables -t nat -L -n -v | grep -q 'MASQUERADE.*10.8.0.0\/24'
        if [ $? -ne 0 ]; then
            IPTABLES_FIX=2
        fi
        if [[ ${IPTABLES_FIX} -gt 1 ]]; then
            echo "::: We detected some potential issues with your iptables."
            read -p "::: Would you like us to try to fix this? [y/n]: " -n 1 -r
            echo
            if [[ ${REPLY} =~ ^[Yy]$ ]]; then
                $SUDO /opt/pivpn/fix_iptables.sh
            fi
            echo "::: Attempt at fix completed."
            echo "::: Run 'pivpn debug' again to see if we detect issues."
        fi
    fi
    exit 1
 }
--- a/scripts/clientStat.sh
+++ b/scripts/clientStat.sh
--- a/scripts/fix_iptables.sh
+++ b/scripts/fix_iptables.sh
@ -1,9 +0,0 @@
 #!/usr/bin/env bash
 # PiVPN: Fix iptables script
 # called by pivpnDebug.sh
 IPv4dev=$(ip route get 8.8.8.8 | awk '{for(i=1;i<=NF;i++)if($i~/dev/)print $(i+1)}')
 iptables -t nat -F
 iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${IPv4dev} -j MASQUERADE
 iptables-save > /etc/iptables/rules.v4
 iptables-restore < /etc/iptables/rules.v4
--- a/scripts/listOVPN.sh
+++ b/scripts/listOVPN.sh
--- a/scripts/makeOVPN.sh
+++ b/scripts/makeOVPN.sh
@ -13,11 +13,12 @@ INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
 helpFunc() {
    echo "::: Create a client ovpn profile, optional nopass"
    echo ":::"
-    echo "::: Usage: pivpn <-a|add> [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-h|--help]"
+    echo "::: Usage: pivpn <-a|add> [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-d|--days <number>] [-h|--help]"
    echo ":::"
    echo "::: Commands:"
    echo ":::  [none]               Interactive mode"
    echo ":::  nopass               Create a client without a password"
    echo ":::  -d,--days            Expire the certificate after specified number of days (default: 1080)"
    echo ":::  -n,--name            Name for the Client (default: '"$(hostname)"')"
    echo ":::  -p,--password        Password for the Client (no default)"
    echo ":::  -h,--help            Show this help dialog"
@ -48,6 +49,16 @@ do
            fi
            PASSWD="$_val"
            ;;
        -d|--days|--days=*)
            _val="${_key##--days=}"
            if test "$_val" = "$_key"
            then
                test $# -lt 2 && echo "Missing value for the optional argument '$_key'." && exit 1
                _val="$2"
                shift
            fi
            DAYS="$_val"
            ;;
        -h|--help)
            helpFunc
            exit 0
@ -71,6 +82,7 @@ function keynoPASS() {
    #Build the client key
    expect << EOF
    set timeout -1
    set env(EASYRSA_CERT_EXPIRE) "${DAYS}"
    spawn ./easyrsa build-client-full "${NAME}" nopass
    expect eof
 EOF
@ -115,6 +127,7 @@ function keyPASS() {
    expect << EOF
    set timeout -1
    set env(EASYRSA_CERT_EXPIRE) "${DAYS}"
    spawn ./easyrsa build-client-full "${NAME}"
    expect "Enter PEM pass phrase" { send -- "${PASSWD}\r" }
    expect "Verifying - Enter PEM pass phrase" { send -- "${PASSWD}\r" }
@ -129,8 +142,13 @@ if [ -z "${NAME}" ]; then
    read -r NAME
 fi
-if [[ "${NAME}" =~ [^a-zA-Z0-9\-] ]]; then
+if [[ ${NAME::1} == "." ]] || [[ ${NAME::1} == "-" ]]; then
-    echo "Name can only contain alphanumeric characters and dashes (-)."
+    echo "Names cannot start with a dot (.) or a dash (-)."
    exit 1
 fi
 if [[ "${NAME}" =~ [^a-zA-Z0-9\.\-\@\_] ]]; then
    echo "Name can only contain alphanumeric characters and these characters (.-@_)."
    exit 1
 fi
@ -164,6 +182,18 @@ if [ "${NAME}" == "ta" ] || [ "${NAME}" == "server" ] || [ "${NAME}" == "ca" ];
    exit 1
 fi
 #As of EasyRSA 3.0.6, by default certificates last 1080 days, see https://github.com/OpenVPN/easy-rsa/blob/6b7b6bf1f0d3c9362b5618ad18c66677351cacd1/easyrsa3/vars.example
 if [ -z "${DAYS}" ]; then
    read -r -e -p "How many days should the certificate last?  " -i 1080 DAYS
 fi
 if [[ ! "$DAYS" =~ ^[0-9]+$ ]] || [ "$DAYS" -lt 1 ] || [ "$DAYS" -gt 3650 ]; then
    #The CRL lasts 3650 days so it doesn't make much sense that certificates would last longer
    echo "Please input a valid number of days, between 1 and 3650 inclusive."
    exit 1
 fi
 cd /etc/openvpn/easy-rsa || exit
 if [[ "${NO_PASS}" =~ "1" ]]; then
@ -241,6 +271,8 @@ echo "tls-auth Private Key found: $TA"
 # Copy the .ovpn profile to the home directory for convenient remote access
 cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
 chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
 chmod o-r "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT"
 chmod o-r "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
 printf "\n\n"
 printf "========================================================\n"
 printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME$FILEEXT"
--- a/scripts/pivpnDebug.sh
+++ b/scripts/pivpnDebug.sh
@ -1,23 +1,169 @@
 #!/usr/bin/env bash
 # This scripts runs as root
-printf ":::\t\t\t\t\t:::\n::\t\tPiVPN Debug\t\t ::\n"
+
-printf ":::\t\t\t\t\t:::\n::\tLatest Commit\t\t\t ::\n:::\t\t\t\t\t:::\n"
+PORT=$(cat /etc/pivpn/INSTALL_PORT)
 PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
 IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
 REMOTE="$(grep 'remote ' /etc/openvpn/easy-rsa/pki/Default.txt | awk '{print $2}')"
 ERR=0
 echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::"
 printf "=============================================\n"
 echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::"
 git --git-dir /etc/.pivpn/.git log -n 1
-printf ":::\t\t\t\t\t:::\n::\tRecursive list of files in\t ::\n"
+printf "=============================================\n"
-printf "::\t/etc/openvpn/easy-rsa/pki\t ::\n:::\t\t\t\t\t:::\n"
+echo -e "::::\t    \e[4mInstallation settings\e[0m    \t ::::"
 ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial
 printf ":::\t\t\t\t\t:::\n::\tOutput of /etc/pivpn/*\t\t ::\n:::\t\t\t\t\t:::\n"
 for filename in /etc/pivpn/*; do
-    if [[ "${filename}" != "/etc/pivpn/install.log" ]]; then
+    if [ "$filename" != "/etc/pivpn/setupVars.conf" ]; then
-        echo ":: START $filename ::"
+        echo "$filename -> $(cat "$filename")"
        cat "$filename"
        echo ":: END $filename ::"
    fi
 done
-printf ":::\t\t\t\t\t:::\n:: /etc/openvpn/easy-rsa/pki/Default.txt ::\n:::\t\t\t\t\t:::\n"
+printf "=============================================\n"
-cat /etc/openvpn/easy-rsa/pki/Default.txt
+echo -e "::::\t\e[4msetupVars file shown below\e[0m\t ::::"
-if [[ ${noUFW} -eq 1 ]]; then
+sed "s/$REMOTE/REMOTE/" < /etc/pivpn/setupVars.conf
-    printf ":::\t\t\t\t\t:::\n::\tOutput of iptables\t\t ::\n:::\t\t\t\t\t:::\n"
+printf "=============================================\n"
-    iptables -t nat -L -n -v
+echo -e "::::  \e[4mServer configuration shown below\e[0m   ::::"
 cat /etc/openvpn/server.conf
 printf "=============================================\n"
 echo -e "::::  \e[4mClient template file shown below\e[0m   ::::"
 sed "s/$REMOTE/REMOTE/" < /etc/openvpn/easy-rsa/pki/Default.txt
 printf "=============================================\n"
 echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::: \e[4m/etc/openvpn/easy-rsa/pki shows below\e[0m :::"
 ls -LR /etc/openvpn/easy-rsa/pki/ -Ireqs -Icerts_by_serial
 printf "=============================================\n"
 echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::"
 if [ "$(cat /proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then
    echo ":: [OK] IP forwarding is enabled"
 else
    ERR=1
    read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY
    if [[ ${REPLY} =~ ^[Yy]$ ]]; then
        sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
        sysctl -p
        echo "Done"
    fi
 fi
-printf ":::\t\t\t\t\t:::\n::\tDebug Output Complete\t\t ::\n:::\t\t\t\t\t:::\n"
+
 if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then
    if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
        echo ":: [OK] Iptables MASQUERADE rule set"
    else
        ERR=1
        read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
        if [[ ${REPLY} =~ ^[Yy]$ ]]; then
            iptables -t nat -F
            iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE
            iptables-save > /etc/iptables/rules.v4
            iptables-restore < /etc/iptables/rules.v4
            echo "Done"
        fi
    fi
 else
    if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
        echo ":: [OK] Ufw is enabled"
    else
        ERR=1
        read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY
        if [[ ${REPLY} =~ ^[Yy]$ ]]; then
            ufw enable
        fi
    fi
    if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
        echo ":: [OK] Iptables MASQUERADE rule set"
    else
        ERR=1
        read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
        if [[ ${REPLY} =~ ^[Yy]$ ]]; then
            sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
            ufw reload
            echo "Done"
        fi
    fi
    if iptables -C ufw-user-input -p "${PROTO}" --dport "${PORT}" -j ACCEPT &> /dev/null; then
        echo ":: [OK] Ufw input rule set"
    else
        ERR=1
        read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY
        if [[ ${REPLY} =~ ^[Yy]$ ]]; then
            ufw insert 1 allow "$PORT"/"$PROTO"
            ufw reload
            echo "Done"
        fi
    fi
    if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
        echo ":: [OK] Ufw forwarding rule set"
    else
        ERR=1
        read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
        if [[ ${REPLY} =~ ^[Yy]$ ]]; then
            ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any
            ufw reload
            echo "Done"
        fi
    fi
 fi
 if systemctl is-active -q openvpn; then
    echo ":: [OK] OpenVPN is running"
 else
    ERR=1
    read -r -p ":: [ERR] OpenVPN is not running, try to start now? [Y/n] " REPLY
    if [[ ${REPLY} =~ ^[Yy]$ ]]; then
        systemctl start openvpn
        echo "Done"
    fi
 fi
 if systemctl is-enabled -q openvpn; then
    echo ":: [OK] OpenVPN is enabled (it will automatically start on reboot)"
 else
    ERR=1
    read -r -p ":: [ERR] OpenVPN is not enabled, try to enable now? [Y/n] " REPLY
    if [[ ${REPLY} =~ ^[Yy]$ ]]; then
        systemctl enable openvpn
        echo "Done"
    fi
 fi
 # grep -w (whole word) is used so port 111940 with now match when looking for 1194
 if netstat -uanpt | grep openvpn | grep -w "${PORT}" | grep -q "${PROTO}"; then
    echo ":: [OK] OpenVPN is listening on port ${PORT}/${PROTO}"
 else
    ERR=1
    read -r -p ":: [ERR] OpenVPN is not listening, try to restart now? [Y/n] " REPLY
    if [[ ${REPLY} =~ ^[Yy]$ ]]; then
        systemctl restart openvpn
        echo "Done"
    fi
 fi
 if [ "$ERR" -eq 1 ]; then
    echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues"
 fi
 printf "=============================================\n"
 echo -e "::::      \e[4mSnippet of the server log\e[0m      ::::"
 tail -20 /var/log/openvpn.log
 printf "=============================================\n"
 echo -e "::::\t\t\e[4mDebug complete\e[0m\t\t ::::"
 # Telekom Hybrid Check
 wget -O /tmp/hybcheck http://speedport.ip &>/dev/null
 if grep -Fq "Speedport Pro" /tmp/hybcheck || grep -Fq "Speedport Hybrid" /tmp/hybcheck
 then
    printf ":::\t\t\t\t\t:::\n::\tTelekom Hybrid Check\t\t ::\n:::\t\t\t\t\t:::\n"
    echo "Are you using Telekom Hybrid (found a hybrid compatible router)?"
    echo "If yes and you have problems with the connections you can test the following:"
    echo "Add 'tun-mtu 1316' in /etc/openvpn/easy-rsa/pki/Default.txt to set a hybrid compatible MTU size (new .ovpn files)."
    echo "For already existing .ovpn files 'tun-mtu 1316' can also be inserted there manually."
    echo "With Telekom hybrid connections, you may have to experiment a little with MTU (tun-mtu, link-mtu and mssfix)."
 fi
 rm /tmp/hybcheck
--- a/scripts/removeOVPN.sh
+++ b/scripts/removeOVPN.sh
@ -114,6 +114,7 @@ for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
    rm -rf "pki/private/${CERTS_TO_REVOKE[ii]}.key"
    rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt"
    rm -rf "/home/${INSTALL_USER}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn"
    rm -rf "/etc/openvpn/easy-rsa/pki/${CERTS_TO_REVOKE[ii]}.ovpn"
    cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
 done
 printf "::: Completed!\n"
--- a/scripts/uninstall.sh
+++ b/scripts/uninstall.sh
@ -21,6 +21,7 @@ PLAT=$(cat /etc/pivpn/DET_PLATFORM)
 NO_UFW=$(cat /etc/pivpn/NO_UFW)
 PORT=$(cat /etc/pivpn/INSTALL_PORT)
 PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
 IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
 # Find the rows and columns. Will default to 80x24 if it can not be detected.
 screen_size=$(stty size 2>/dev/null || echo 24 80)
@ -107,11 +108,10 @@ echo ":::"
    sysctl -p
    if [[ $NO_UFW -eq 0 ]]; then
-        $SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"DROP\"/" /etc/default/ufw
+        $SUDO sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
-        $SUDO sed -i '/START OPENVPN RULES/,/END OPENVPN RULES/ d' /etc/ufw/before.rules
+        $SUDO ufw delete allow "$PORT"/"$PROTO" >/dev/null
-        $SUDO ufw delete allow from 10.8.0.0/24 >/dev/null
+        $SUDO ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
-        $SUDO ufw delete allow ${PORT}/${PROTO} >/dev/null
+        $SUDO ufw reload >/dev/null
        $SUDO ufw reload
    fi
    echo ":::"
--- a/ufw_add.txt
+++ b/ufw_add.txt
@ -1,9 +0,0 @@
 # START OPENVPN RULES
 # NAT table rules
 *nat
 :POSTROUTING ACCEPT [0:0] 
 # Allow traffic from OpenVPN client to masquerade 
 -A POSTROUTING -s 10.8.0.0/24 -o IPv4dev -j MASQUERADE
 COMMIT
 # END OPENVPN RULES
		`@ -1,3 +0,0 @@`
			`#!/bin/sh`

			`iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o IPv4dev -j MASQUERADE`