Pi-hole/pivpn
Pi-hole/pivpn
1
0
Fork 0
mirror of https://github.com/pivpn/pivpn.git synced 2024-12-18 19:00:15 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #983 from pivpn/test

Browse source 
Merge test into master
This commit is contained in:
Orazio 2020-03-17 09:51:14 +01:00 committed by GitHub
commit fcf05d75df
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 361 additions and 429 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
LatestUpdate.md
View file

@ -5,6 +5,16 @@ patch release notes.
Everytime Test branch is merged into master, a new entry should be created with the date and changes being merged.
## Mar 17th 2020
- Switch to Bullseye repository on Debian/Raspbian. The bullseye repository is less likely to offer broken packages and it's also supported by Raspbian, meaning there is no need to manually compile WireGuard on older Raspberry Pis.
- Adding a PPA on Ubuntu requires 'software-properties-common' with may not be installed on servers.
- Avoid IPv6 leak by routing IPv6 through WireGuard.
- Download OpenVPN key via HTTPS if retrieving via keyserver fails.
- Show connected clients data rates with dotted decimal notation using 'pivpn -c -b'. It's useful because the human readable format does not offer enough precision to tell if a client is sending very little data.
- Use 'apt-cache policy' to decide whether we need a repository or not.
- Use lowest APT pin priority that allows package upgrades (more information on pull request [#963](https://github.com/pivpn/pivpn/pull/963) and [#983](https://github.com/pivpn/pivpn/pull/983)).
## Feb 17th 2020
- When offering to use Pi-hole, identify VPN clients via clientname.pivpn using a dedicated hosts file. Clients can now be resolved by their names and also show up in the Pi-hole dashboard.

404
auto_install/install.sh
View file

@ -14,10 +14,18 @@
pivpnGitUrl="https://github.com/pivpn/pivpn.git"
setupVars="/etc/pivpn/setupVars.conf"
pivpnFilesDir="/etc/.pivpn"
piholeSetupVars="/etc/pihole/setupVars.conf"
dnsmasqConfig="/etc/dnsmasq.d/02-pivpn.conf"
### PKG Vars ###
dhcpcdFile="/etc/dhcpcd.conf"
subnetClass="24"
debianOvpnUserGroup="openvpn:openvpn"
# OpenVPN GPG fingerprint, you can look it up at https://keyserver.ubuntu.com (prepend '0x' before it)
OPENVPN_KEY_ID="30EBF4E73CCE63EEE124DD278E6DA8B4E158C569"
######## PKG Vars ########
PKG_MANAGER="apt-get"
PKG_CACHE="/var/lib/apt/lists/"
### FIXME: quoting UPDATE_PKG_CACHE and PKG_INSTALL hangs the script, shellcheck SC2086
@ -33,32 +41,29 @@ BASE_DEPS=(git tar wget curl grep dnsutils whiptail net-tools bsdmainutils)
# PiVPN we won't prompt to remove packages that may have been installed by the user for other reasons
INSTALLED_PACKAGES=()
######## URLs ########
easyrsaVer="3.0.6"
easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz"
subnetClass="24"
dhcpcdFile="/etc/dhcpcd.conf"
debianOvpnUserGroup="openvpn:openvpn"
# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config
UNATTUPG_RELEASE="1.16"
UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz"
# GPG fingerprints (you can look them up at https://keyserver.ubuntu.com)
OPENVPN_REPO_KEY="0x30ebf4e73cce63eee124dd278e6da8b4e158c569"
DEBIAN_STRETCH_KEY="0xe1cf20ddffe4b89e802658f1e0b11894f66aec98"
DEBIAN_BUSTER_KEY="0x80d15823b7fd1561f9f7bcdddc30d7c23cbbabee"
# Find the rows and columns. Will default to 80x24 if it can not be detected.
screen_size=$(stty size 2>/dev/null || echo 24 80)
rows=$(echo "$screen_size" | awk '{print $1}')
columns=$(echo "$screen_size" | awk '{print $2}')
# Fallback url for the OpenVPN key
OPENVPN_KEY_URL="https://swupdate.openvpn.net/repos/repo-public.gpg"
######## Undocumented Flags. Shhh ########
runUnattended=false
skipSpaceCheck=false
reconfigure=false
######## SCRIPT ########
# Find the rows and columns. Will default to 80x24 if it can not be detected.
screen_size=$(stty size 2>/dev/null || echo 24 80)
rows=$(echo "$screen_size" | awk '{print $1}')
columns=$(echo "$screen_size" | awk '{print $2}')
# Divide by two so the dialogs take up half of the screen, which looks nice.
r=$(( rows / 2 ))
c=$(( columns / 2 ))
@ -66,7 +71,8 @@ c=$(( columns / 2 ))
r=$(( r < 20 ? 20 : r ))
c=$(( c < 70 ? 70 : c ))
######## SCRIPT ############
# Override localization settings so the output is in English language.
export LC_ALL=C
main(){
@ -252,6 +258,15 @@ distroCheck(){
OSCN=${VER_MAP["${VER}"]}
fi
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
DPKG_ARCH="$(dpkg --print-architecture)"
if [ "$DPKG_ARCH" = "amd64" ] || [ "$DPKG_ARCH" = "i386" ]; then
X86_SYSTEM=1
else
X86_SYSTEM=0
fi
fi
case ${PLAT} in
Debian|Raspbian|Ubuntu)
case ${OSCN} in
@ -440,7 +455,7 @@ preconfigurePackages(){
# if ufw is enabled, configure that.
# running as root because sometimes the executable is not in the user's $PATH
if $SUDO bash -c 'command -v ufw' > /dev/null; then
if LC_ALL=C $SUDO ufw status | grep -q inactive; then
if $SUDO ufw status | grep -q inactive; then
USING_UFW=0
else
USING_UFW=1
@ -986,6 +1001,11 @@ installPiVPN(){
askWhichVPN
if [ "$VPN" = "openvpn" ]; then
pivpnDEV="tun0"
pivpnNET="10.8.0.0"
vpnGw="${pivpnNET/.0.0/.0.1}"
installOpenVPN
askCustomProto
askCustomPort
@ -997,64 +1017,109 @@ installPiVPN(){
confOVPN
confNetwork
confLogging
elif [ "$VPN" = "wireguard" ]; then
# Since WireGuard only uses UDP, askCustomProto() is never called so we
# set the protocol here.
pivpnPROTO="udp"
pivpnDEV="wg0"
pivpnNET="10.6.0.0"
vpnGw="${pivpnNET/.0.0/.0.1}"
installWireGuard
askCustomPort
askClientDNS
askPublicIPOrDNS
confWireGuard
confNetwork
echo "pivpnPROTO=${pivpnPROTO}" >> /tmp/setupVars.conf
fi
echo "pivpnDEV=${pivpnDEV}" >> /tmp/setupVars.conf
echo "pivpnNET=${pivpnNET}" >> /tmp/setupVars.conf
echo "subnetClass=${subnetClass}" >> /tmp/setupVars.conf
}
askWhichVPN(){
if [ "${runUnattended}" = 'true' ]; then
if [ -z "$VPN" ]; then
echo ":: No VPN protocol specified, using WireGuard"
VPN="wireguard"
else
VPN="${VPN,,}"
if [ "$VPN" = "wireguard" ]; then
echo "::: WireGuard will be installed"
elif [ "$VPN" = "openvpn" ]; then
echo "::: OpenVPN will be installed"
if [ "$PLAT" = "Raspbian" ] || [ "$X86_SYSTEM" -eq 1 ]; then
if [ -z "$VPN" ]; then
echo ":: No VPN protocol specified, using WireGuard"
VPN="wireguard"
else
echo ":: $VPN is not a supported VPN protocol, please specify 'wireguard' or 'openvpn'"
exit 1
VPN="${VPN,,}"
if [ "$VPN" = "wireguard" ]; then
echo "::: WireGuard will be installed"
elif [ "$VPN" = "openvpn" ]; then
echo "::: OpenVPN will be installed"
else
echo ":: $VPN is not a supported VPN protocol, please specify 'wireguard' or 'openvpn'"
exit 1
fi
fi
elif [ "$X86_SYSTEM" -eq 0 ]; then
if [ -z "$VPN" ]; then
echo ":: No VPN protocol specified, using OpenVPN"
VPN="openvpn"
else
VPN="${VPN,,}"
if [ "$VPN" = "openvpn" ]; then
echo "::: OpenVPN will be installed"
else
echo ":: $VPN is not a supported VPN protocol on $DPKG_ARCH $PLAT, only 'openvpn' is"
exit 1
fi
fi
fi
else
chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "WireGuard is a new kind of VPN that provides near-istantaneous connection speed, high performance, modern cryptography.\\n\\nIt's the recommended choice expecially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\\n\\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol. Or if you need features like TCP and custom search domain.\\n\\nChoose a VPN (press space to select):" "${r}" "${c}" 2)
VPNChooseOptions=(WireGuard "" on
OpenVPN "" off)
if [ "$PLAT" = "Raspbian" ] || [ "$X86_SYSTEM" -eq 1 ]; then
chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "WireGuard is a new kind of VPN that provides near-istantaneous connection speed, high performance, modern cryptography.\\n\\nIt's the recommended choice expecially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\\n\\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol. Or if you need features like TCP and custom search domain.\\n\\nChoose a VPN (press space to select):" "${r}" "${c}" 2)
VPNChooseOptions=(WireGuard "" on
OpenVPN "" off)
if VPN=$("${chooseVPNCmd[@]}" "${VPNChooseOptions[@]}" 2>&1 >/dev/tty) ; then
echo "::: Using VPN: $VPN"
VPN="${VPN,,}"
else
echo "::: Cancel selected, exiting...."
exit 1
if VPN=$("${chooseVPNCmd[@]}" "${VPNChooseOptions[@]}" 2>&1 >/dev/tty) ; then
echo "::: Using VPN: $VPN"
VPN="${VPN,,}"
else
echo "::: Cancel selected, exiting...."
exit 1
fi
elif [ "$X86_SYSTEM" -eq 0 ]; then
echo "::: Using VPN: OpenVPN"
VPN="openvpn"
fi
fi
if [ "$VPN" = "wireguard" ]; then
# Since WireGuard only uses UDP, askCustomProto() is never called so we
# set the protocol here (it's not actually required to save the value, but
# it might be useful for the user when port forwarding).
pivpnPROTO="udp"
echo "pivpnPROTO=${pivpnPROTO}" >> /tmp/setupVars.conf
pivpnDEV="wg0"
pivpnNET="10.6.0.0"
elif [ "$VPN" = "openvpn" ]; then
pivpnDEV="tun0"
pivpnNET="10.8.0.0"
fi
vpnGw="${pivpnNET/.0.0/.0.1}"
echo "VPN=${VPN}" >> /tmp/setupVars.conf
echo "pivpnDEV=${pivpnDEV}" >> /tmp/setupVars.conf
echo "pivpnNET=${pivpnNET}" >> /tmp/setupVars.conf
echo "subnetClass=${subnetClass}" >> /tmp/setupVars.conf
}
downloadVerifyKey(){
local KEY_URL="$1"
local EXPECTED_KEY_ID="$2"
local KEY_CONTENT
local KEY_INFO
local DOWNLOADED_KEY_ID
if ! KEY_CONTENT="$(wget -qO- "$KEY_URL")"; then
return 1
fi
if ! KEY_INFO="$(gpg --show-key --with-colons <<< "$KEY_CONTENT")"; then
return 1
fi
DOWNLOADED_KEY_ID="$(sed -n '/^pub:/,/^fpr:/p' <<< "$KEY_INFO" | grep '^fpr' | cut -d ':' -f 10)"
if [ "$DOWNLOADED_KEY_ID" != "$EXPECTED_KEY_ID" ]; then
return 1
fi
echo "$KEY_CONTENT"
return 0
}
installOpenVPN(){
@ -1062,29 +1127,41 @@ installOpenVPN(){
echo "::: Installing OpenVPN from Debian package... "
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
# gnupg is used by apt-key to import the openvpn GPG key into the
# APT keyring
PIVPN_DEPS=(gnupg)
installDependentPackages PIVPN_DEPS[@]
# Use x86-only OpenVPN APT repo on x86 Debian/Ubuntu systems
if [ "$PLAT" != "Raspbian" ] && [ "$X86_SYSTEM" -eq 1 ]; then
# We will download the repository key regardless of whether the user
# has already enabled the openvpn repository or not, just to make sure
# we have the right key
echo "::: Adding repository key..."
if ! $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$OPENVPN_REPO_KEY"; then
echo "::: Failed to import OpenVPN GPG key"
exit 1
fi
AVAILABLE_OPENVPN="$(apt-cache policy openvpn | grep -m1 'Candidate: ' | grep -v '(none)' | awk '{print $2}')"
# If there is an available openvpn package and its version is at least 2.4
# (required for ECC support), do not add the repository
if [ -n "$AVAILABLE_OPENVPN" ] && dpkg --compare-versions "$AVAILABLE_OPENVPN" ge 2.4; then
echo "::: OpenVPN is already available in the repositories"
else
# gnupg is used by apt-key to import the openvpn GPG key into the
# APT keyring
PIVPN_DEPS=(gnupg)
installDependentPackages PIVPN_DEPS[@]
# We will download the repository key for the official repository from a
# keyserver. If we fail, we will attempt to download the key via HTTPS
echo "::: Adding repository key..."
if ! $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$OPENVPN_KEY_ID"; then
echo "::: Import via keyserver failed, now trying wget"
if ! downloadVerifyKey "$OPENVPN_KEY_URL" "$OPENVPN_KEY_ID" | $SUDO apt-key add -; then
echo "::: Can't import OpenVPN GPG key"
exit 1
else
echo "::: Acquired key $OPENVPN_KEY_ID"
fi
fi
if ! grep -qR "deb http.\?://build.openvpn.net/debian/openvpn/stable.\? $OSCN main" /etc/apt/sources.list*; then
echo "::: Adding OpenVPN repository... "
echo "deb https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null
fi
echo "::: Updating package cache..."
# shellcheck disable=SC2086
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
echo "::: Updating package cache..."
# shellcheck disable=SC2086
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
fi
fi
# grepcidr is used to redact IPs in the debug log whereas expect is used
@ -1107,8 +1184,8 @@ installWireGuard(){
# straight, so it's also a good suggestion in such case because they will have
# a lot of outdated packages.
INSTALLED_KERNEL="$(apt-cache policy raspberrypi-kernel | grep 'Installed:' | awk '{print $2}')"
CANDIDATE_KERNEL="$(apt-cache policy raspberrypi-kernel | grep 'Candidate:' | awk '{print $2}')"
INSTALLED_KERNEL="$(apt-cache policy raspberrypi-kernel | grep -m1 'Installed: ' | grep -v '(none)' | awk '{print $2}')"
CANDIDATE_KERNEL="$(apt-cache policy raspberrypi-kernel | grep -m1 'Candidate: ' | grep -v '(none)' | awk '{print $2}')"
if dpkg --compare-versions "${CANDIDATE_KERNEL}" gt "${INSTALLED_KERNEL}"; then
if [ "${runUnattended}" = 'true' ]; then
@ -1141,159 +1218,64 @@ installWireGuard(){
fi
fi
# If this Raspberry Pi uses armv7l we can use the package from the repo
# https://lists.zx2c4.com/pipermail/wireguard/2017-November/001885.html
# Otherwhise compile and build the kernel module via DKMS (so it will
# be recompiled on kernel upgrades)
echo "::: Installing WireGuard from Debian package... "
if [ "$(uname -m)" = "armv7l" ]; then
if apt-cache policy wireguard 2> /dev/null | grep -m1 'Candidate: ' | grep -vq '(none)'; then
echo "::: WireGuard is already available in the repositories"
else
echo "::: Adding Raspbian repository... "
echo "deb http://raspbian.raspberrypi.org/raspbian/ bullseye main" | $SUDO tee /etc/apt/sources.list.d/pivpn-bullseye.list > /dev/null
echo "::: Installing WireGuard from Debian package... "
# dirmngr is used by apt-key to import the debian GPG keys for the unstable
# repo into the APT keyring.
PIVPN_DEPS=(dirmngr)
installDependentPackages PIVPN_DEPS[@]
echo "::: Adding repository keys..."
if ! $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$DEBIAN_STRETCH_KEY" "$DEBIAN_BUSTER_KEY"; then
echo "::: Failed to import Debian GPG keys"
exit 1
fi
# This regular expression should match combinations like http[s]://mirror.example.com/debian[/] unstable main
if ! grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then
echo "::: Adding Debian repository... "
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
fi
# Do not upgrade packages from the unstable repository except for wireguard
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release a=unstable\nPin-Priority: 500\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
# Do not upgrade packages from the bullseye repository except for wireguard
printf 'Package: *\nPin: release n=bullseye\nPin-Priority: -1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release n=bullseye\nPin-Priority: 100\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-bullseye > /dev/null
echo "::: Updating package cache..."
# shellcheck disable=SC2086
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
# qrencode is used to generate qrcodes from config file, for use with mobile clients
PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms qrencode)
installDependentPackages PIVPN_DEPS[@]
elif [ "$(uname -m)" = "armv6l" ]; then
echo "::: Installing WireGuard from source... "
PIVPN_DEPS=(checkinstall dkms libelf-dev raspberrypi-kernel-headers build-essential pkg-config qrencode jq)
installDependentPackages PIVPN_DEPS[@]
# Delete any leftover code
$SUDO rm -rf /usr/src/wireguard-*
WG_TOOLS_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-tools"."version"')"
WG_TOOLS_SOURCE="https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${WG_TOOLS_SNAPSHOT}.tar.xz"
echo "::: Downloading wireguard-tools source code... "
wget -qO- "${WG_TOOLS_SOURCE}" | $SUDO tar xJ --directory /usr/src
echo "done!"
## || exits if cd fails.
cd /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}/src" || exit 1
# We install the userspace tools manually since DKMS only compiles and
# installs the kernel module
echo "::: Compiling WireGuard tools... "
if $SUDO make; then
echo "done!"
else
echo "failed!"
exit 1
fi
# Use checkinstall to install userspace tools so if the user wants to uninstall
# PiVPN we can just do apt remove wireguard-tools, instead of manually removing
# files from the file system
echo "::: Installing WireGuard tools... "
if $SUDO checkinstall --pkgname wireguard-tools --pkgversion "${WG_TOOLS_SNAPSHOT}" -y; then
INSTALLED_PACKAGES+=("wireguard-tools")
echo "done!"
else
echo "failed!"
exit 1
fi
echo "WG_TOOLS_SNAPSHOT=${WG_TOOLS_SNAPSHOT}" >> /tmp/setupVars.conf
WG_MODULE_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-linuxcompat"."version"')"
WG_MODULE_SOURCE="https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WG_MODULE_SNAPSHOT}.tar.xz"
echo "::: Downloading wireguard-linux-compat source code... "
wget -qO- "${WG_MODULE_SOURCE}" | $SUDO tar xJ --directory /usr/src
echo "done!"
# Rename wireguard-linux-compat folder and move the source code to the parent folder
# such that dkms picks up the module when referencing wireguard/"${WG_MODULE_SNAPSHOT}"
cd /usr/src && \
$SUDO mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}" && \
cd wireguard-"${WG_MODULE_SNAPSHOT}" && \
$SUDO mv src/* . && \
$SUDO rmdir src || exit 1
echo "::: Adding WireGuard modules via DKMS... "
if $SUDO dkms add wireguard/"${WG_MODULE_SNAPSHOT}"; then
echo "done!"
else
echo "failed!"
$SUDO dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
exit 1
fi
echo "::: Compiling WireGuard modules via DKMS... "
if $SUDO dkms build wireguard/"${WG_MODULE_SNAPSHOT}"; then
echo "done!"
else
echo "failed!"
$SUDO dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
exit 1
fi
echo "::: Installing WireGuard modules via DKMS... "
if $SUDO dkms install wireguard/"${WG_MODULE_SNAPSHOT}"; then
INSTALLED_PACKAGES+=("wireguard-dkms")
echo "done!"
else
echo "failed!"
$SUDO dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
exit 1
fi
echo "WG_MODULE_SNAPSHOT=${WG_MODULE_SNAPSHOT}" >> /tmp/setupVars.conf
fi
# qrencode is used to generate qrcodes from config file, for use with mobile clients
PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms qrencode)
installDependentPackages PIVPN_DEPS[@]
elif [ "$PLAT" = "Debian" ]; then
echo "::: Installing WireGuard from Debian package... "
if ! grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then
if apt-cache policy wireguard 2> /dev/null | grep -m1 'Candidate: ' | grep -vq '(none)'; then
echo "::: WireGuard is already available in the repositories"
else
echo "::: Adding Debian repository... "
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
echo "deb https://deb.debian.org/debian/ bullseye main" | $SUDO tee /etc/apt/sources.list.d/pivpn-bullseye.list > /dev/null
printf 'Package: *\nPin: release n=bullseye\nPin-Priority: -1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release n=bullseye\nPin-Priority: 100\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-bullseye > /dev/null
echo "::: Updating package cache..."
# shellcheck disable=SC2086
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
fi
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
echo "::: Updating package cache..."
# shellcheck disable=SC2086
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
PIVPN_DEPS=(linux-headers-amd64 qrencode wireguard wireguard-tools wireguard-dkms)
PIVPN_DEPS=(linux-headers-amd64 wireguard wireguard-tools wireguard-dkms qrencode)
installDependentPackages PIVPN_DEPS[@]
elif [ "$PLAT" = "Ubuntu" ]; then
echo "::: Installing WireGuard from PPA... "
$SUDO add-apt-repository ppa:wireguard/wireguard -y
echo "::: Installing WireGuard... "
echo "::: Updating package cache..."
# shellcheck disable=SC2086
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
if apt-cache policy wireguard 2> /dev/null | grep -m1 'Candidate: ' | grep -vq '(none)'; then
echo "::: WireGuard is already available in the repositories"
else
echo "::: Adding WireGuard PPA... "
PIVPN_DEPS=(software-properties-common)
installDependentPackages PIVPN_DEPS[@]
$SUDO add-apt-repository ppa:wireguard/wireguard -y
PIVPN_DEPS=(qrencode wireguard wireguard-tools wireguard-dkms linux-headers-generic)
echo "::: Updating package cache..."
# shellcheck disable=SC2086
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
fi
PIVPN_DEPS=(linux-headers-generic wireguard wireguard-tools wireguard-dkms qrencode)
installDependentPackages PIVPN_DEPS[@]
fi
@ -2227,10 +2209,12 @@ confUnattendedUpgrades(){
fi
# Enable automatic updates via the unstable repository when installing from debian package
if [ "$VPN" = "wireguard" ] && [ "$PLAT" != "Ubuntu" ] && [ "$(uname -m)" != "armv6l" ]; then
if ! grep -q '"o=Debian,a=unstable";' "${aptConfDir}/50unattended-upgrades"; then
$SUDO sed -i '/Unattended-Upgrade::Origins-Pattern {/a"o=Debian,a=unstable";' "${aptConfDir}/50unattended-upgrades"
# Enable automatic updates via the bullseye repository when installing from debian package
if [ "$VPN" = "wireguard" ]; then
if [ -f /etc/apt/sources.list.d/pivpn-bullseye.list ]; then
if ! grep -q "\"o=$PLAT,n=bullseye\";" "${aptConfDir}/50unattended-upgrades"; then
$SUDO sed -i "/Unattended-Upgrade::Origins-Pattern {/a\"o=$PLAT,n=bullseye\";" "${aptConfDir}/50unattended-upgrades"
fi
fi
fi
}

92
scripts/openvpn/clientStat.sh
View file

@ -3,36 +3,82 @@
STATUS_LOG="/var/log/openvpn-status.log"
function hr() {
numfmt --to=iec-i --suffix=B "$1"
if [ ! -f "${STATUS_LOG}" ]; then
echo "The file: $STATUS_LOG was not found!"
exit 1
fi
scriptusage(){
echo "::: List any connected clients to the server"
echo ":::"
echo "::: Usage: pivpn <-c|clients> [-b|bytes]"
echo ":::"
echo "::: Commands:"
echo "::: [none] List clients with human readable format"
echo "::: -b, bytes List clients with dotted decimal notation"
echo "::: -h, help Show this usage dialog"
}
printf "\n"
if [ ! -f "${STATUS_LOG}" ]; then
echo "The file: $STATUS_LOG was not found!"
exit 1
fi
hr(){
numfmt --to=iec-i --suffix=B "$1"
}
printf ": NOTE : The output below is NOT real-time!\n"
printf ": : It may be off by a few minutes.\n"
printf "\n"
printf "\e[1m::: Client Status List :::\e[0m\n"
{
printf "\e[4mName\e[0m \t \e[4mRemote IP\e[0m \t \e[4mVirtual IP\e[0m \t \e[4mBytes Received\e[0m \t \e[4mBytes Sent\e[0m \t \e[4mConnected Since\e[0m\n"
listClients(){
printf ": NOTE : The output below is NOT real-time!\n"
printf ": : It may be off by a few minutes.\n"
printf "\n"
printf "\e[1m::: Client Status List :::\e[0m\n"
if grep -q "^CLIENT_LIST" "${STATUS_LOG}"; then
if [ -n "$(type -t numfmt)" ]; then
while read -r line; do
{
printf "\e[4mName\e[0m \t \e[4mRemote IP\e[0m \t \e[4mVirtual IP\e[0m \t \e[4mBytes Received\e[0m \t \e[4mBytes Sent\e[0m \t \e[4mConnected Since\e[0m\n"
if grep -q "^CLIENT_LIST" "${STATUS_LOG}"; then
if [ -n "$(type -t numfmt)" ]; then
if [ "$HR" = 1 ]; then
while read -r line; do
read -r -a array <<< $line
[[ ${array[0]} = CLIENT_LIST ]] || continue
printf "%s \t %s \t %s \t %s \t %s \t %s %s %s - %s\n" ${array[1]} ${array[2]} ${array[3]} $(hr ${array[4]}) $(hr ${array[5]}) ${array[7]} ${array[8]} ${array[10]} ${array[9]}
done <$STATUS_LOG
else
printf "%s \t %s \t %s \t %s \t %s \t %s %s %s - %s\n" ${array[1]} ${array[2]} ${array[3]} $(hr ${array[4]}) $(hr ${array[5]}) ${array[7]} ${array[8]} ${array[10]} ${array[9]}
done <$STATUS_LOG
else
while read -r line; do
read -r -a array <<< $line
[[ ${array[0]} = CLIENT_LIST ]] || continue
printf "%s \t %s \t %s \t %'d \t %'d \t %s %s %s - %s\n" ${array[1]} ${array[2]} ${array[3]} ${array[4]} ${array[5]} ${array[7]} ${array[8]} ${array[10]} ${array[9]}
done <$STATUS_LOG
fi
else
awk -F' ' -v s='CLIENT_LIST' '$1 == s {print $2"\t\t"$3"\t"$4"\t"$5"\t\t"$6"\t\t"$8" "$9" "$11" - "$10"\n"}' ${STATUS_LOG}
fi
fi
else
printf "\nNo Clients Connected!\n"
fi
printf "\n"
} | column -t -s $'\t'
}
if [[ $# -eq 0 ]]; then
HR=1
listClients
else
printf "\nNo Clients Connected!\n"
while true; do
case "$1" in
-b|bytes)
HR=0
listClients
exit 0
;;
-h|help)
scriptusage
exit 0
;;
*)
HR=0
listClients
exit 0
;;
esac
done
fi
printf "\n"
} | column -t -s $'\t'

5
scripts/openvpn/pivpn
View file

@ -17,7 +17,8 @@ function makeOVPNFunc {
}
function listClientsFunc {
$SUDO /opt/pivpn/clientStat.sh
shift
$SUDO /opt/pivpn/clientStat.sh "$@"
exit 0
}
@ -93,7 +94,7 @@ fi
# Handle redirecting to specific functions based on arguments
case "$1" in
"-a" | "add" ) makeOVPNFunc "$@";;
"-c" | "clients" ) listClientsFunc;;
"-c" | "clients" ) listClientsFunc "$@";;
"-d" | "debug" ) debugFunc;;
"-l" | "list" ) listOVPNFunc;;
"-r" | "revoke" ) removeOVPNFunc "$@";;

27
scripts/uninstall.sh
View file

@ -98,37 +98,18 @@ removeAll(){
case $yn in
[Yy]* ) if [ "${i}" = "wireguard" ]; then
# On Debian and armv7l Raspbian, remove the unstable repo (on armv6l Raspbian
# there is no wireguard package). On Ubuntu, remove the PPA.
### FIXME: unconditionally rm'ing unstable.list isn't a good idea, it appears. What if someone else put it there manually?
if [ "$PLAT" = "Debian" ] || { [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv7l" ]; }; then
rm -f /etc/apt/sources.list.d/pivpn-unstable.list
rm -f /etc/apt/preferences.d/pivpn-limit-unstable
# On Debian and Raspbian, remove the bullseye repo. On Ubuntu, remove the PPA.
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Raspbian" ]; then
rm -f /etc/apt/sources.list.d/pivpn-bullseye.list
rm -f /etc/apt/preferences.d/pivpn-limit-bullseye
elif [ "$PLAT" = "Ubuntu" ]; then
add-apt-repository ppa:wireguard/wireguard -r -y
fi
echo "::: Updating package cache..."
${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
elif [ "${i}" = "wireguard-dkms" ]; then
# On armv6l Raspbian we manually remove the kernel module and skip the apt
# uninstallation (since it's not an actual package).
if [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv6l" ]; then
dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
rm -rf /usr/src/wireguard-"${WG_MODULE_SNAPSHOT}"
break
fi
elif [ "${i}" = "wireguard-tools" ]; then
if [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv6l" ]; then
rm -rf /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}"
fi
elif [ "${i}" = "unattended-upgrades" ]; then
### REALLY???
rm -rf /var/log/unattended-upgrades
rm -rf /etc/apt/apt.conf.d/*periodic
rm -rf /etc/apt/apt.conf.d/*unattended-upgrades

107
scripts/wireguard/clientSTAT.sh
View file

@ -1,43 +1,90 @@
#!/bin/bash
#!/usr/bin/env bash
# PiVPN: client status script
cd /etc/wireguard/configs
if [ ! -s clients.txt ]; then
CLIENTS_FILE="/etc/wireguard/configs/clients.txt"
if [ ! -s "$CLIENTS_FILE" ]; then
echo "::: There are no clients to list"
exit 1
fi
scriptusage(){
echo "::: List any connected clients to the server"
echo ":::"
echo "::: Usage: pivpn <-c|clients> [-b|bytes]"
echo ":::"
echo "::: Commands:"
echo "::: [none] List clients with human readable format"
echo "::: -b, bytes List clients with dotted decimal notation"
echo "::: -h, help Show this usage dialog"
}
hr(){
numfmt --to=iec-i --suffix=B "$1"
}
if DUMP="$(wg show wg0 dump)"; then
DUMP="$(tail -n +2 <<< "$DUMP")"
else
exit 1
fi
printf "\e[1m::: Connected Clients List :::\e[0m\n"
{
printf "\e[4mName\e[0m \t \e[4mRemote IP\e[0m \t \e[4mVirtual IP\e[0m \t \e[4mBytes Received\e[0m \t \e[4mBytes Sent\e[0m \t \e[4mLast Seen\e[0m\n"
while IFS= read -r LINE; do
PUBLIC_KEY="$(awk '{ print $1 }' <<< "$LINE")"
REMOTE_IP="$(awk '{ print $3 }' <<< "$LINE")"
VIRTUAL_IP="$(awk '{ print $4 }' <<< "$LINE")"
BYTES_RECEIVED="$(awk '{ print $6 }' <<< "$LINE")"
BYTES_SENT="$(awk '{ print $7 }' <<< "$LINE")"
LAST_SEEN="$(awk '{ print $5 }' <<< "$LINE")"
CLIENT_NAME="$(grep "$PUBLIC_KEY" clients.txt | awk '{ print $1 }')"
if [ "$LAST_SEEN" -ne 0 ]; then
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "$(date -d @"$LAST_SEEN" '+%b %d %Y - %T')"
listClients(){
if DUMP="$(wg show wg0 dump)"; then
DUMP="$(tail -n +2 <<< "$DUMP")"
else
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "(not yet)"
exit 1
fi
done <<< "$DUMP"
printf "\e[1m::: Connected Clients List :::\e[0m\n"
printf "\n"
} | column -t -s $'\t'
{
printf "\e[4mName\e[0m \t \e[4mRemote IP\e[0m \t \e[4mVirtual IP\e[0m \t \e[4mBytes Received\e[0m \t \e[4mBytes Sent\e[0m \t \e[4mLast Seen\e[0m\n"
while IFS= read -r LINE; do
PUBLIC_KEY="$(awk '{ print $1 }' <<< "$LINE")"
REMOTE_IP="$(awk '{ print $3 }' <<< "$LINE")"
VIRTUAL_IP="$(awk '{ print $4 }' <<< "$LINE")"
BYTES_RECEIVED="$(awk '{ print $6 }' <<< "$LINE")"
BYTES_SENT="$(awk '{ print $7 }' <<< "$LINE")"
LAST_SEEN="$(awk '{ print $5 }' <<< "$LINE")"
CLIENT_NAME="$(grep "$PUBLIC_KEY" "$CLIENTS_FILE" | awk '{ print $1 }')"
if [ "$HR" = 1 ]; then
if [ "$LAST_SEEN" -ne 0 ]; then
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "$(date -d @"$LAST_SEEN" '+%b %d %Y - %T')"
else
printf "%s \t %s \t %s \t %s \t %s \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "(not yet)"
fi
else
if [ "$LAST_SEEN" -ne 0 ]; then
printf "%s \t %s \t %s \t %'d \t %'d \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$BYTES_RECEIVED" "$BYTES_SENT" "$(date -d @"$LAST_SEEN" '+%b %d %Y - %T')"
else
printf "%s \t %s \t %s \t %'d \t %'d \t %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$BYTES_RECEIVED" "$BYTES_SENT" "(not yet)"
fi
fi
done <<< "$DUMP"
printf "\n"
} | column -t -s $'\t'
}
if [[ $# -eq 0 ]]; then
HR=1
listClients
else
while true; do
case "$1" in
-b|bytes)
HR=0
listClients
exit 0
;;
-h|help)
scriptusage
exit 0
;;
*)
HR=0
listClients
exit 0
;;
esac
done
fi

2
scripts/wireguard/makeCONF.sh
View file

@ -104,7 +104,7 @@ echo "[Peer]
PublicKey = $(cat keys/server_pub)
PresharedKey = $(cat keys/psk)
Endpoint = ${pivpnHOST}:${pivpnPORT}
AllowedIPs = 0.0.0.0/0" >> "configs/${CLIENT_NAME}.conf"
AllowedIPs = 0.0.0.0/0, ::0/0" >> "configs/${CLIENT_NAME}.conf"
echo "::: Client config generated"
echo "# begin ${CLIENT_NAME}

11
scripts/wireguard/pivpn
View file

@ -17,7 +17,8 @@ makeConf(){
}
listConnected(){
$SUDO /opt/pivpn/clientSTAT.sh
shift
$SUDO /opt/pivpn/clientSTAT.sh "$@"
exit 0
}
@ -54,11 +55,6 @@ updateScripts(){
exit 0
}
updateWireGuard(){
$SUDO /opt/pivpn/wgUPDATE.sh
exit 0
}
backup(){
$SUDO /opt/pivpn/backup.sh
}
@ -78,7 +74,6 @@ showHelp(){
echo "::: -h, help Show this help dialog"
echo "::: -u, uninstall Uninstall pivpn from your system!"
echo "::: -up, update Updates PiVPN Scripts"
echo "::: -wg, wgupdate Updates WireGuard"
echo "::: -bk, backup Backup VPN configs and user profiles"
exit 0
}
@ -90,7 +85,7 @@ fi
# Handle redirecting to specific functions based on arguments
case "$1" in
"-a" | "add" ) makeConf "$@";;
"-c" | "clients" ) listConnected;;
"-c" | "clients" ) listConnected "$@";;
"-d" | "debug" ) debug;;
"-l" | "list" ) listClients;;
"-qr" | "qrcode" ) showQrcode "$@";;

132
scripts/wireguard/wgUPDATE.sh
View file

@ -1,132 +0,0 @@
#!/bin/bash
setupVars="/etc/pivpn/setupVars.conf"
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
source "${setupVars}"
if [ "$(uname -m)" != "armv6l" ]; then
echo "On your system, WireGuard updates via the package manager"
exit 0
fi
CURRENT_WG_TOOLS_SNAPSHOT="${WG_TOOLS_SNAPSHOT}"
WG_TOOLS_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-tools"."version"')"
if dpkg --compare-versions "${WG_TOOLS_SNAPSHOT}" gt "${CURRENT_WG_TOOLS_SNAPSHOT}"; then
read -r -p "A new wireguard-tools update is available (${WG_TOOLS_SNAPSHOT}), install? [Y/n]: "
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
echo "::: Upgrading wireguard-tools from ${CURRENT_WG_TOOLS_SNAPSHOT} to ${WG_TOOLS_SNAPSHOT}..."
WG_TOOLS_SOURCE="https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${WG_TOOLS_SNAPSHOT}.tar.xz"
echo "::: Downloading wireguard-tools source code... "
wget -qO- "${WG_TOOLS_SOURCE}" | tar xJ --directory /usr/src
echo "done!"
## || exits if cd fails.
cd /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}/src" || exit 1
# We install the userspace tools manually since DKMS only compiles and
# installs the kernel module
echo "::: Compiling WireGuard tools... "
if make; then
echo "done!"
else
echo "failed!"
exit 1
fi
# Use checkinstall to install userspace tools so if the user wants to uninstall
# PiVPN we can just do apt remove wireguard-tools, instead of manually removing
# files from the file system
echo "::: Installing WireGuard tools... "
if checkinstall --pkgname wireguard-tools --pkgversion "${WG_TOOLS_SNAPSHOT}" -y; then
echo "done!"
else
echo "failed!"
exit 1
fi
echo "::: Removing old source code ..."
rm -rf /usr/src/wireguard-tools-"${CURRENT_WG_TOOLS_SNAPSHOT}"
sed "s/WG_TOOLS_SNAPSHOT=${CURRENT_WG_TOOLS_SNAPSHOT}/WG_TOOLS_SNAPSHOT=${WG_TOOLS_SNAPSHOT}/" -i "${setupVars}"
echo "::: Upgrade completed!"
fi
else
echo "::: You are running the lastest version of wireguard-tools (${CURRENT_WG_TOOLS_SNAPSHOT})"
fi
CURRENT_WG_MODULE_SNAPSHOT="${WG_MODULE_SNAPSHOT}"
WG_MODULE_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-linuxcompat"."version"')"
if dpkg --compare-versions "${WG_MODULE_SNAPSHOT}" gt "${CURRENT_WG_MODULE_SNAPSHOT}"; then
read -r -p "A new wireguard-dkms update is available (${WG_MODULE_SNAPSHOT}), install? [Y/n]: "
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
echo "::: Upgrading wireguard-dkms from ${CURRENT_WG_MODULE_SNAPSHOT} to ${WG_MODULE_SNAPSHOT}..."
WG_MODULE_SOURCE="https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WG_MODULE_SNAPSHOT}.tar.xz"
echo "::: Downloading wireguard-linux-compat source code... "
wget -qO- "${WG_MODULE_SOURCE}" | tar xJ --directory /usr/src
echo "done!"
# Rename wireguard-linux-compat folder and move the source code to the parent folder
# such that dkms picks up the module when referencing wireguard/"${WG_MODULE_SNAPSHOT}"
cd /usr/src && \
mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}" && \
cd wireguard-"${WG_MODULE_SNAPSHOT}" && \
mv src/* . && \
rmdir src || exit 1
echo "::: Adding WireGuard module via DKMS... "
if dkms add wireguard/"${WG_MODULE_SNAPSHOT}"; then
echo "done!"
else
echo "failed!"
dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
exit 1
fi
echo "::: Compiling WireGuard module via DKMS... "
if dkms build wireguard/"${WG_MODULE_SNAPSHOT}"; then
echo "done!"
else
echo "failed!"
dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
exit 1
fi
echo "::: Installing WireGuard module via DKMS... "
if dkms install wireguard/"${WG_MODULE_SNAPSHOT}"; then
echo "done!"
else
echo "failed!"
dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
exit 1
fi
echo "::: Removing old kernel module and source code..."
if dkms remove wireguard/"${CURRENT_WG_MODULE_SNAPSHOT}" --all; then
rm -rf /usr/src/wireguard-"${CURRENT_WG_MODULE_SNAPSHOT}"
echo "done!"
else
echo "failed!"
exit 1
fi
sed "s/WG_TOOLS_SNAPSHOT=${CURRENT_WG_MODULE_SNAPSHOT}/WG_TOOLS_SNAPSHOT=${WG_MODULE_SNAPSHOT}/" -i "${setupVars}"
echo "::: Upgrade completed!"
fi
else
echo "::: You are running the lastest version of wireguard-dkms (${CURRENT_WG_MODULE_SNAPSHOT})"
fi