Merge pull request #983 from pivpn/test

Merge test into master
2024-10-18 21:53:31 +00:00 · 2020-03-17 09:51:14 +01:00 · 2020-03-17 09:51:14 +01:00 · fcf05d75df
commit fcf05d75df
parent e73f274fca fcff5b70bf
9 changed files with 361 additions and 429 deletions
--- a/LatestUpdate.md
+++ b/LatestUpdate.md
@ -5,6 +5,16 @@ patch release notes.
 Everytime Test branch is merged into master, a new entry should be created with the date and changes being merged.
 ## Mar 17th 2020
 - Switch to Bullseye repository on Debian/Raspbian. The bullseye repository is less likely to offer broken packages and it's also supported by Raspbian, meaning there is no need to manually compile WireGuard on older Raspberry Pis.
 - Adding a PPA on Ubuntu requires 'software-properties-common' with may not be installed on servers.
 - Avoid IPv6 leak by routing IPv6 through WireGuard.
 - Download OpenVPN key via HTTPS if retrieving via keyserver fails.
 - Show connected clients data rates with dotted decimal notation using 'pivpn -c -b'. It's useful because the human readable format does not offer enough precision to tell if a client is sending very little data.
 - Use 'apt-cache policy' to decide whether we need a repository or not.
 - Use lowest APT pin priority that allows package upgrades (more information on pull request [#963](https://github.com/pivpn/pivpn/pull/963) and [#983](https://github.com/pivpn/pivpn/pull/983)).
 ## Feb 17th 2020
 - When offering to use Pi-hole, identify VPN clients via clientname.pivpn using a dedicated hosts file. Clients can now be resolved by their names and also show up in the Pi-hole dashboard.
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@ -14,10 +14,18 @@
 pivpnGitUrl="https://github.com/pivpn/pivpn.git"
 setupVars="/etc/pivpn/setupVars.conf"
 pivpnFilesDir="/etc/.pivpn"
 piholeSetupVars="/etc/pihole/setupVars.conf"
 dnsmasqConfig="/etc/dnsmasq.d/02-pivpn.conf"
-### PKG Vars ###
+dhcpcdFile="/etc/dhcpcd.conf"
 subnetClass="24"
 debianOvpnUserGroup="openvpn:openvpn"
 # OpenVPN GPG fingerprint, you can look it up at https://keyserver.ubuntu.com (prepend '0x' before it)
 OPENVPN_KEY_ID="30EBF4E73CCE63EEE124DD278E6DA8B4E158C569"
 ######## PKG Vars ########
 PKG_MANAGER="apt-get"
 PKG_CACHE="/var/lib/apt/lists/"
 ### FIXME: quoting UPDATE_PKG_CACHE and PKG_INSTALL hangs the script, shellcheck SC2086
@ -33,32 +41,29 @@ BASE_DEPS=(git tar wget curl grep dnsutils whiptail net-tools bsdmainutils)
 # PiVPN we won't prompt to remove packages that may have been installed by the user for other reasons
 INSTALLED_PACKAGES=()
 ######## URLs ########
 easyrsaVer="3.0.6"
 easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz"
 subnetClass="24"
 dhcpcdFile="/etc/dhcpcd.conf"
 debianOvpnUserGroup="openvpn:openvpn"
 # Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config
 UNATTUPG_RELEASE="1.16"
 UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz"
-# GPG fingerprints (you can look them up at https://keyserver.ubuntu.com)
+# Fallback url for the OpenVPN key
-OPENVPN_REPO_KEY="0x30ebf4e73cce63eee124dd278e6da8b4e158c569"
+OPENVPN_KEY_URL="https://swupdate.openvpn.net/repos/repo-public.gpg"
 DEBIAN_STRETCH_KEY="0xe1cf20ddffe4b89e802658f1e0b11894f66aec98"
 DEBIAN_BUSTER_KEY="0x80d15823b7fd1561f9f7bcdddc30d7c23cbbabee"
 # Find the rows and columns. Will default to 80x24 if it can not be detected.
 screen_size=$(stty size 2>/dev/null || echo 24 80)
 rows=$(echo "$screen_size" | awk '{print $1}')
 columns=$(echo "$screen_size" | awk '{print $2}')
 ######## Undocumented Flags. Shhh ########
 runUnattended=false
 skipSpaceCheck=false
 reconfigure=false
 ######## SCRIPT ########
 # Find the rows and columns. Will default to 80x24 if it can not be detected.
 screen_size=$(stty size 2>/dev/null || echo 24 80)
 rows=$(echo "$screen_size" | awk '{print $1}')
 columns=$(echo "$screen_size" | awk '{print $2}')
 # Divide by two so the dialogs take up half of the screen, which looks nice.
 r=$(( rows / 2 ))
 c=$(( columns / 2 ))
@ -66,7 +71,8 @@ c=$(( columns / 2 ))
 r=$(( r < 20 ? 20 : r ))
 c=$(( c < 70 ? 70 : c ))
-######## SCRIPT ############
+# Override localization settings so the output is in English language.
 export LC_ALL=C
 main(){
@ -252,6 +258,15 @@ distroCheck(){
 		OSCN=${VER_MAP["${VER}"]}
 	fi
 	if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
 		DPKG_ARCH="$(dpkg --print-architecture)"
 		if [ "$DPKG_ARCH" = "amd64" ] || [ "$DPKG_ARCH" = "i386" ]; then
 			X86_SYSTEM=1
 		else
 			X86_SYSTEM=0
 		fi
 	fi
 	case ${PLAT} in
 		Debian|Raspbian|Ubuntu)
 			case ${OSCN} in
@ -440,7 +455,7 @@ preconfigurePackages(){
 	# if ufw is enabled, configure that.
 	# running as root because sometimes the executable is not in the user's $PATH
 	if $SUDO bash -c 'command -v ufw' > /dev/null; then
-		if LC_ALL=C $SUDO ufw status | grep -q inactive; then
+		if $SUDO ufw status | grep -q inactive; then
 			USING_UFW=0
 		else
 			USING_UFW=1
@ -986,6 +1001,11 @@ installPiVPN(){
 	askWhichVPN
 	if [ "$VPN" = "openvpn" ]; then
 		pivpnDEV="tun0"
 		pivpnNET="10.8.0.0"
 		vpnGw="${pivpnNET/.0.0/.0.1}"
 		installOpenVPN
 		askCustomProto
 		askCustomPort
@ -997,18 +1017,35 @@ installPiVPN(){
 		confOVPN
 		confNetwork
 		confLogging
 	elif [ "$VPN" = "wireguard" ]; then
 		# Since WireGuard only uses UDP, askCustomProto() is never called so we
 		# set the protocol here.
 		pivpnPROTO="udp"
 		pivpnDEV="wg0"
 		pivpnNET="10.6.0.0"
 		vpnGw="${pivpnNET/.0.0/.0.1}"
 		installWireGuard
 		askCustomPort
 		askClientDNS
 		askPublicIPOrDNS
 		confWireGuard
 		confNetwork
 		echo "pivpnPROTO=${pivpnPROTO}" >> /tmp/setupVars.conf
 	fi
 	echo "pivpnDEV=${pivpnDEV}" >> /tmp/setupVars.conf
 	echo "pivpnNET=${pivpnNET}" >> /tmp/setupVars.conf
 	echo "subnetClass=${subnetClass}" >> /tmp/setupVars.conf
 }
 askWhichVPN(){
 	if [ "${runUnattended}" = 'true' ]; then
 		if [ "$PLAT" = "Raspbian" ] || [ "$X86_SYSTEM" -eq 1 ]; then
 			if [ -z "$VPN" ]; then
 				echo ":: No VPN protocol specified, using WireGuard"
 				VPN="wireguard"
@ -1023,7 +1060,22 @@ askWhichVPN(){
 					exit 1
 				fi
 			fi
 		elif [ "$X86_SYSTEM" -eq 0 ]; then
 			if [ -z "$VPN" ]; then
 				echo ":: No VPN protocol specified, using OpenVPN"
 				VPN="openvpn"
 			else
 				VPN="${VPN,,}"
 				if [ "$VPN" = "openvpn" ]; then
 					echo "::: OpenVPN will be installed"
 				else
 					echo ":: $VPN is not a supported VPN protocol on $DPKG_ARCH $PLAT, only 'openvpn' is"
 					exit 1
 				fi
 			fi
 		fi
 	else
 		if [ "$PLAT" = "Raspbian" ] || [ "$X86_SYSTEM" -eq 1 ]; then
 			chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "WireGuard is a new kind of VPN that provides near-istantaneous connection speed, high performance, modern cryptography.\\n\\nIt's the recommended choice expecially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\\n\\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol. Or if you need features like TCP and custom search domain.\\n\\nChoose a VPN (press space to select):" "${r}" "${c}" 2)
 			VPNChooseOptions=(WireGuard "" on
 								OpenVPN "" off)
@ -1035,26 +1087,39 @@ askWhichVPN(){
 				echo "::: Cancel selected, exiting...."
 				exit 1
 			fi
 		elif [ "$X86_SYSTEM" -eq 0 ]; then
 			echo "::: Using VPN: OpenVPN"
 			VPN="openvpn"
 		fi
 	if [ "$VPN" = "wireguard" ]; then
 		# Since WireGuard only uses UDP, askCustomProto() is never called so we
 		# set the protocol here (it's not actually required to save the value, but
 		# it might be useful for the user when port forwarding).
 		pivpnPROTO="udp"
 		echo "pivpnPROTO=${pivpnPROTO}" >> /tmp/setupVars.conf
 		pivpnDEV="wg0"
 		pivpnNET="10.6.0.0"
 	elif [ "$VPN" = "openvpn" ]; then
 		pivpnDEV="tun0"
 		pivpnNET="10.8.0.0"
 	fi
 	vpnGw="${pivpnNET/.0.0/.0.1}"
 	echo "VPN=${VPN}" >> /tmp/setupVars.conf
-	echo "pivpnDEV=${pivpnDEV}" >> /tmp/setupVars.conf
+}
-	echo "pivpnNET=${pivpnNET}" >> /tmp/setupVars.conf
+
-	echo "subnetClass=${subnetClass}" >> /tmp/setupVars.conf
+downloadVerifyKey(){
 	local KEY_URL="$1"
 	local EXPECTED_KEY_ID="$2"
 	local KEY_CONTENT
 	local KEY_INFO
 	local DOWNLOADED_KEY_ID
 	if ! KEY_CONTENT="$(wget -qO- "$KEY_URL")"; then
 		return 1
 	fi
 	if ! KEY_INFO="$(gpg --show-key --with-colons <<< "$KEY_CONTENT")"; then
 		return 1
 	fi
 	DOWNLOADED_KEY_ID="$(sed -n '/^pub:/,/^fpr:/p' <<< "$KEY_INFO" | grep '^fpr' | cut -d ':' -f 10)"
 	if [ "$DOWNLOADED_KEY_ID" != "$EXPECTED_KEY_ID" ]; then
 		return 1
 	fi
 	echo "$KEY_CONTENT"
 	return 0
 }
 installOpenVPN(){
@ -1062,30 +1127,42 @@ installOpenVPN(){
 	echo "::: Installing OpenVPN from Debian package... "
-	if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
+	# Use x86-only OpenVPN APT repo on x86 Debian/Ubuntu systems
 	if [ "$PLAT" != "Raspbian" ] && [ "$X86_SYSTEM" -eq 1 ]; then
 		AVAILABLE_OPENVPN="$(apt-cache policy openvpn | grep -m1 'Candidate: ' | grep -v '(none)' | awk '{print $2}')"
 		# If there is an available openvpn package and its version is at least 2.4
 		# (required for ECC support), do not add the repository
 		if [ -n "$AVAILABLE_OPENVPN" ] && dpkg --compare-versions "$AVAILABLE_OPENVPN" ge 2.4; then
 			echo "::: OpenVPN is already available in the repositories"
 		else
 			# gnupg is used by apt-key to import the openvpn GPG key into the
 			# APT keyring
 			PIVPN_DEPS=(gnupg)
 			installDependentPackages PIVPN_DEPS[@]
-		# We will download the repository key regardless of whether the user
+			# We will download the repository key for the official repository from a
-		# has already enabled the openvpn repository or not, just to make sure
+			# keyserver. If we fail, we will attempt to download the key via HTTPS
 		# we have the right key
 			echo "::: Adding repository key..."
-		if ! $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$OPENVPN_REPO_KEY"; then
+			if ! $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$OPENVPN_KEY_ID"; then
-			echo "::: Failed to import OpenVPN GPG key"
+				echo "::: Import via keyserver failed, now trying wget"
 				if ! downloadVerifyKey "$OPENVPN_KEY_URL" "$OPENVPN_KEY_ID" | $SUDO apt-key add -; then
 					echo "::: Can't import OpenVPN GPG key"
 					exit 1
 				else
 					echo "::: Acquired key $OPENVPN_KEY_ID"
 				fi
 			fi
 		if ! grep -qR "deb http.\?://build.openvpn.net/debian/openvpn/stable.\? $OSCN main" /etc/apt/sources.list*; then
 			echo "::: Adding OpenVPN repository... "
 			echo "deb https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null
 		fi
 			echo "::: Updating package cache..."
 			# shellcheck disable=SC2086
 			$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
 		fi
 	fi
 	# grepcidr is used to redact IPs in the debug log whereas expect is used
 	# to feed easy-rsa with passwords
@ -1107,8 +1184,8 @@ installWireGuard(){
 		# straight, so it's also a good suggestion in such case because they will have
 		# a lot of outdated packages.
-		INSTALLED_KERNEL="$(apt-cache policy raspberrypi-kernel | grep 'Installed:' | awk '{print $2}')"
+		INSTALLED_KERNEL="$(apt-cache policy raspberrypi-kernel | grep -m1 'Installed: ' | grep -v '(none)' | awk '{print $2}')"
-		CANDIDATE_KERNEL="$(apt-cache policy raspberrypi-kernel | grep 'Candidate:' | awk '{print $2}')"
+		CANDIDATE_KERNEL="$(apt-cache policy raspberrypi-kernel | grep -m1 'Candidate: ' | grep -v '(none)' | awk '{print $2}')"
 		if dpkg --compare-versions "${CANDIDATE_KERNEL}" gt "${INSTALLED_KERNEL}"; then
 			if [ "${runUnattended}" = 'true' ]; then
@ -1141,159 +1218,64 @@ installWireGuard(){
 			fi
 		fi
 		# If this Raspberry Pi uses armv7l we can use the package from the repo
 		# https://lists.zx2c4.com/pipermail/wireguard/2017-November/001885.html
 		# Otherwhise compile and build the kernel module via DKMS (so it will
 		# be recompiled on kernel upgrades)
 		if [ "$(uname -m)" = "armv7l" ]; then
 		echo "::: Installing WireGuard from Debian package... "
 			# dirmngr is used by apt-key to import the debian GPG keys for the unstable
 			# repo into the APT keyring.
 			PIVPN_DEPS=(dirmngr)
 			installDependentPackages PIVPN_DEPS[@]
-			echo "::: Adding repository keys..."
+		if apt-cache policy wireguard 2> /dev/null | grep -m1 'Candidate: ' | grep -vq '(none)'; then
-			if ! $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$DEBIAN_STRETCH_KEY" "$DEBIAN_BUSTER_KEY"; then
+			echo "::: WireGuard is already available in the repositories"
-				echo "::: Failed to import Debian GPG keys"
+		else
-				exit 1
+			echo "::: Adding Raspbian repository... "
-			fi
+			echo "deb http://raspbian.raspberrypi.org/raspbian/ bullseye main" | $SUDO tee /etc/apt/sources.list.d/pivpn-bullseye.list > /dev/null
-			# This regular expression should match combinations like http[s]://mirror.example.com/debian[/] unstable main
+			# Do not upgrade packages from the bullseye repository except for wireguard
-			if ! grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then
+			printf 'Package: *\nPin: release n=bullseye\nPin-Priority: -1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release n=bullseye\nPin-Priority: 100\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-bullseye > /dev/null
 				echo "::: Adding Debian repository... "
 				echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
 			fi
 			# Do not upgrade packages from the unstable repository except for wireguard
 			printf 'Package: *\nPin: release a=unstable\nPin-Priority: 1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release a=unstable\nPin-Priority: 500\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
 			echo "::: Updating package cache..."
 			# shellcheck disable=SC2086
 			$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
 		fi
 		# qrencode is used to generate qrcodes from config file, for use with mobile clients
 		PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms qrencode)
 		installDependentPackages PIVPN_DEPS[@]
 		elif [ "$(uname -m)" = "armv6l" ]; then
 			echo "::: Installing WireGuard from source... "
 			PIVPN_DEPS=(checkinstall dkms libelf-dev raspberrypi-kernel-headers build-essential pkg-config qrencode jq)
 			installDependentPackages PIVPN_DEPS[@]
 			# Delete any leftover code
 			$SUDO rm -rf /usr/src/wireguard-*
 			WG_TOOLS_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-tools"."version"')"
 			WG_TOOLS_SOURCE="https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${WG_TOOLS_SNAPSHOT}.tar.xz"
 			echo "::: Downloading wireguard-tools source code... "
 			wget -qO- "${WG_TOOLS_SOURCE}" | $SUDO tar xJ --directory /usr/src
 			echo "done!"
 			##  || exits if cd fails.
 			cd /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}/src" || exit 1
 			# We install the userspace tools manually since DKMS only compiles and
 			# installs the kernel module
 			echo "::: Compiling WireGuard tools... "
 			if $SUDO make; then
 				echo "done!"
 			else
 				echo "failed!"
 				exit 1
 			fi
 			# Use checkinstall to install userspace tools so if the user wants to uninstall
 			# PiVPN we can just do apt remove wireguard-tools, instead of manually removing
 			# files from the file system
 			echo "::: Installing WireGuard tools... "
 			if $SUDO checkinstall --pkgname wireguard-tools --pkgversion "${WG_TOOLS_SNAPSHOT}" -y; then
 				INSTALLED_PACKAGES+=("wireguard-tools")
 				echo "done!"
 			else
 				echo "failed!"
 				exit 1
 			fi
 			echo "WG_TOOLS_SNAPSHOT=${WG_TOOLS_SNAPSHOT}" >> /tmp/setupVars.conf
 			WG_MODULE_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-linuxcompat"."version"')"
 			WG_MODULE_SOURCE="https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WG_MODULE_SNAPSHOT}.tar.xz"
 			echo "::: Downloading wireguard-linux-compat source code... "
 			wget -qO- "${WG_MODULE_SOURCE}" | $SUDO tar xJ --directory /usr/src
 			echo "done!"
 			# Rename wireguard-linux-compat folder and move the source code to the parent folder
 			# such that dkms picks up the module when referencing wireguard/"${WG_MODULE_SNAPSHOT}"
 			cd /usr/src && \
 			$SUDO mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}" && \
 			cd wireguard-"${WG_MODULE_SNAPSHOT}" && \
 			$SUDO mv src/* . && \
 			$SUDO rmdir src || exit 1
 			echo "::: Adding WireGuard modules via DKMS... "
 			if $SUDO dkms add wireguard/"${WG_MODULE_SNAPSHOT}"; then
 				echo "done!"
 			else
 				echo "failed!"
 				$SUDO dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
 				exit 1
 			fi
 			echo "::: Compiling WireGuard modules via DKMS... "
 			if $SUDO dkms build wireguard/"${WG_MODULE_SNAPSHOT}"; then
 				echo "done!"
 			else
 				echo "failed!"
 				$SUDO dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
 				exit 1
 			fi
 			echo "::: Installing WireGuard modules via DKMS... "
 			if $SUDO dkms install wireguard/"${WG_MODULE_SNAPSHOT}"; then
 				INSTALLED_PACKAGES+=("wireguard-dkms")
 				echo "done!"
 			else
 				echo "failed!"
 				$SUDO dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
 				exit 1
 			fi
 			echo "WG_MODULE_SNAPSHOT=${WG_MODULE_SNAPSHOT}" >> /tmp/setupVars.conf
 		fi
 	elif [ "$PLAT" = "Debian" ]; then
 		echo "::: Installing WireGuard from Debian package... "
 		if ! grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then
 			echo "::: Adding Debian repository... "
 			echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
 		fi
-		printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
+		if apt-cache policy wireguard 2> /dev/null | grep -m1 'Candidate: ' | grep -vq '(none)'; then
 			echo "::: WireGuard is already available in the repositories"
 		else
 			echo "::: Adding Debian repository... "
 			echo "deb https://deb.debian.org/debian/ bullseye main" | $SUDO tee /etc/apt/sources.list.d/pivpn-bullseye.list > /dev/null
 			printf 'Package: *\nPin: release n=bullseye\nPin-Priority: -1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release n=bullseye\nPin-Priority: 100\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-bullseye > /dev/null
 			echo "::: Updating package cache..."
 			# shellcheck disable=SC2086
 			$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
 		fi
-		PIVPN_DEPS=(linux-headers-amd64 qrencode wireguard wireguard-tools wireguard-dkms)
+		PIVPN_DEPS=(linux-headers-amd64 wireguard wireguard-tools wireguard-dkms qrencode)
 		installDependentPackages PIVPN_DEPS[@]
 	elif [ "$PLAT" = "Ubuntu" ]; then
-		echo "::: Installing WireGuard from PPA... "
+		echo "::: Installing WireGuard... "
 		if apt-cache policy wireguard 2> /dev/null | grep -m1 'Candidate: ' | grep -vq '(none)'; then
 			echo "::: WireGuard is already available in the repositories"
 		else
 			echo "::: Adding WireGuard PPA... "
 			PIVPN_DEPS=(software-properties-common)
 			installDependentPackages PIVPN_DEPS[@]
 			$SUDO add-apt-repository ppa:wireguard/wireguard -y
 			echo "::: Updating package cache..."
 			# shellcheck disable=SC2086
 			$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
 		fi
-		PIVPN_DEPS=(qrencode wireguard wireguard-tools wireguard-dkms linux-headers-generic)
+		PIVPN_DEPS=(linux-headers-generic wireguard wireguard-tools wireguard-dkms qrencode)
 		installDependentPackages PIVPN_DEPS[@]
 	fi
@ -2227,10 +2209,12 @@ confUnattendedUpgrades(){
 	fi
-	# Enable automatic updates via the unstable repository when installing from debian package
+	# Enable automatic updates via the bullseye repository when installing from debian package
-	if [ "$VPN" = "wireguard" ] && [ "$PLAT" != "Ubuntu" ] && [ "$(uname -m)" != "armv6l" ]; then
+	if [ "$VPN" = "wireguard" ]; then
-		if ! grep -q '"o=Debian,a=unstable";' "${aptConfDir}/50unattended-upgrades"; then
+		if [ -f /etc/apt/sources.list.d/pivpn-bullseye.list ]; then
-			$SUDO sed -i '/Unattended-Upgrade::Origins-Pattern {/a"o=Debian,a=unstable";' "${aptConfDir}/50unattended-upgrades"
+			if ! grep -q "\"o=$PLAT,n=bullseye\";" "${aptConfDir}/50unattended-upgrades"; then
 				$SUDO sed -i "/Unattended-Upgrade::Origins-Pattern {/a\"o=$PLAT,n=bullseye\";" "${aptConfDir}/50unattended-upgrades"
 			fi
 		fi
 	fi
 }
--- a/scripts/openvpn/clientStat.sh
+++ b/scripts/openvpn/clientStat.sh
@ -3,36 +3,82 @@
 STATUS_LOG="/var/log/openvpn-status.log"
 function hr() {
        numfmt --to=iec-i --suffix=B "$1"
 }
 printf "\n"
 if [ ! -f "${STATUS_LOG}" ]; then
    echo "The file: $STATUS_LOG was not found!"
    exit 1
 fi
-printf ": NOTE : The output below is NOT real-time!\n"
+scriptusage(){
-printf ":      : It may be off by a few minutes.\n"
+    echo "::: List any connected clients to the server"
-printf "\n"
+    echo ":::"
-printf "\e[1m::: Client Status List :::\e[0m\n"
+    echo "::: Usage: pivpn <-c|clients> [-b|bytes]"
    echo ":::"
    echo "::: Commands:"
    echo ":::  [none]              List clients with human readable format"
    echo ":::  -b, bytes           List clients with dotted decimal notation"
    echo ":::  -h, help            Show this usage dialog"
 }
-{
+hr(){
-printf "\e[4mName\e[0m  \t  \e[4mRemote IP\e[0m  \t  \e[4mVirtual IP\e[0m  \t  \e[4mBytes Received\e[0m  \t  \e[4mBytes Sent\e[0m  \t  \e[4mConnected Since\e[0m\n"
+    numfmt --to=iec-i --suffix=B "$1"
 }
-if grep -q "^CLIENT_LIST" "${STATUS_LOG}"; then
+
 listClients(){
    printf ": NOTE : The output below is NOT real-time!\n"
    printf ":      : It may be off by a few minutes.\n"
    printf "\n"
    printf "\e[1m::: Client Status List :::\e[0m\n"
    {
    printf "\e[4mName\e[0m  \t  \e[4mRemote IP\e[0m  \t  \e[4mVirtual IP\e[0m  \t  \e[4mBytes Received\e[0m  \t  \e[4mBytes Sent\e[0m  \t  \e[4mConnected Since\e[0m\n"
    if grep -q "^CLIENT_LIST" "${STATUS_LOG}"; then
            if [ -n "$(type -t numfmt)" ]; then
                if [ "$HR" = 1 ]; then
                    while read -r line; do
                        read -r -a array <<< $line
                        [[ ${array[0]} = CLIENT_LIST ]] || continue
                        printf "%s  \t  %s  \t  %s  \t  %s  \t  %s  \t  %s %s %s - %s\n" ${array[1]} ${array[2]} ${array[3]} $(hr ${array[4]}) $(hr ${array[5]}) ${array[7]} ${array[8]} ${array[10]} ${array[9]}
                    done <$STATUS_LOG
                else
                    while read -r line; do
                        read -r -a array <<< $line
                        [[ ${array[0]} = CLIENT_LIST ]] || continue
                        printf "%s  \t  %s  \t  %s  \t  %'d  \t  %'d  \t  %s %s %s - %s\n" ${array[1]} ${array[2]} ${array[3]} ${array[4]} ${array[5]} ${array[7]} ${array[8]} ${array[10]} ${array[9]}
                    done <$STATUS_LOG
                fi
            else
                awk -F' ' -v s='CLIENT_LIST' '$1 == s {print $2"\t\t"$3"\t"$4"\t"$5"\t\t"$6"\t\t"$8" "$9" "$11" - "$10"\n"}' ${STATUS_LOG}
            fi
-else
+    else
        printf "\nNo Clients Connected!\n"
    fi
    printf "\n"
    } | column -t -s $'\t'
 }
 if [[ $# -eq 0 ]]; then
    HR=1
    listClients
 else
    while true; do
        case "$1" in
            -b|bytes)
                HR=0
                listClients
                exit 0
                ;;
            -h|help)
                scriptusage
                exit 0
                ;;
            *)
                HR=0
                listClients
                exit 0
                ;;
        esac
    done
 fi
 printf "\n"
 } | column -t -s $'\t'
--- a/scripts/openvpn/pivpn
+++ b/scripts/openvpn/pivpn
@ -17,7 +17,8 @@ function makeOVPNFunc {
 }
 function listClientsFunc {
-    $SUDO /opt/pivpn/clientStat.sh
+    shift
    $SUDO /opt/pivpn/clientStat.sh "$@"
    exit 0
 }
@ -93,7 +94,7 @@ fi
 # Handle redirecting to specific functions based on arguments
 case "$1" in
 "-a" | "add"                ) makeOVPNFunc "$@";;
-"-c" | "clients"            ) listClientsFunc;;
+"-c" | "clients"            ) listClientsFunc "$@";;
 "-d" | "debug"              ) debugFunc;;
 "-l" | "list"               ) listOVPNFunc;;
 "-r" | "revoke"             ) removeOVPNFunc "$@";;
--- a/scripts/uninstall.sh
+++ b/scripts/uninstall.sh
@ -98,37 +98,18 @@ removeAll(){
 			case $yn in
 				[Yy]* ) if [ "${i}" = "wireguard" ]; then
-							# On Debian and armv7l Raspbian, remove the unstable repo (on armv6l Raspbian
+							# On Debian and Raspbian, remove the bullseye repo. On Ubuntu, remove the PPA.
-							# there is no wireguard package). On Ubuntu, remove the PPA.
+							if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Raspbian" ]; then
-              ### FIXME: unconditionally rm'ing unstable.list isn't a good idea, it appears. What if someone else put it there manually?
+								rm -f /etc/apt/sources.list.d/pivpn-bullseye.list
-							if [ "$PLAT" = "Debian" ] || { [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv7l" ]; }; then
+								rm -f /etc/apt/preferences.d/pivpn-limit-bullseye
 								rm -f /etc/apt/sources.list.d/pivpn-unstable.list
 								rm -f /etc/apt/preferences.d/pivpn-limit-unstable
 							elif [ "$PLAT" = "Ubuntu" ]; then
 								add-apt-repository ppa:wireguard/wireguard -r -y
 							fi
 							echo "::: Updating package cache..."
 							${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
 						elif [ "${i}" = "wireguard-dkms" ]; then
 							# On armv6l Raspbian we manually remove the kernel module and skip the apt
 							# uninstallation (since it's not an actual package).
 							if [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv6l" ]; then
 								dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
 								rm -rf /usr/src/wireguard-"${WG_MODULE_SNAPSHOT}"
 								break
 							fi
 						elif [ "${i}" = "wireguard-tools" ]; then
 							if [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv6l" ]; then
 								rm -rf /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}"
 							fi
 						elif [ "${i}" = "unattended-upgrades" ]; then
              ### REALLY???
 							rm -rf /var/log/unattended-upgrades
 							rm -rf /etc/apt/apt.conf.d/*periodic
 							rm -rf /etc/apt/apt.conf.d/*unattended-upgrades
--- a/scripts/wireguard/clientSTAT.sh
+++ b/scripts/wireguard/clientSTAT.sh
@ -1,27 +1,41 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # PiVPN: client status script
-cd /etc/wireguard/configs
+CLIENTS_FILE="/etc/wireguard/configs/clients.txt"
-if [ ! -s clients.txt ]; then
+
 if [ ! -s "$CLIENTS_FILE" ]; then
    echo "::: There are no clients to list"
    exit 1
 fi
 scriptusage(){
    echo "::: List any connected clients to the server"
    echo ":::"
    echo "::: Usage: pivpn <-c|clients> [-b|bytes]"
    echo ":::"
    echo "::: Commands:"
    echo ":::  [none]              List clients with human readable format"
    echo ":::  -b, bytes           List clients with dotted decimal notation"
    echo ":::  -h, help            Show this usage dialog"
 }
 hr(){
    numfmt --to=iec-i --suffix=B "$1"
 }
-if DUMP="$(wg show wg0 dump)"; then
+listClients(){
    if DUMP="$(wg show wg0 dump)"; then
        DUMP="$(tail -n +2 <<< "$DUMP")"
-else
+    else
        exit 1
-fi
+    fi
-printf "\e[1m::: Connected Clients List :::\e[0m\n"
+    printf "\e[1m::: Connected Clients List :::\e[0m\n"
-{
+    {
-printf "\e[4mName\e[0m  \t  \e[4mRemote IP\e[0m  \t  \e[4mVirtual IP\e[0m  \t  \e[4mBytes Received\e[0m  \t  \e[4mBytes Sent\e[0m  \t  \e[4mLast Seen\e[0m\n"
+    printf "\e[4mName\e[0m  \t  \e[4mRemote IP\e[0m  \t  \e[4mVirtual IP\e[0m  \t  \e[4mBytes Received\e[0m  \t  \e[4mBytes Sent\e[0m  \t  \e[4mLast Seen\e[0m\n"
-while IFS= read -r LINE; do
+    while IFS= read -r LINE; do
        PUBLIC_KEY="$(awk '{ print $1 }' <<< "$LINE")"
        REMOTE_IP="$(awk '{ print $3 }' <<< "$LINE")"
@ -29,15 +43,48 @@ while IFS= read -r LINE; do
        BYTES_RECEIVED="$(awk '{ print $6 }' <<< "$LINE")"
        BYTES_SENT="$(awk '{ print $7 }' <<< "$LINE")"
        LAST_SEEN="$(awk '{ print $5 }' <<< "$LINE")"
-    CLIENT_NAME="$(grep "$PUBLIC_KEY" clients.txt | awk '{ print $1 }')"
+        CLIENT_NAME="$(grep "$PUBLIC_KEY" "$CLIENTS_FILE" | awk '{ print $1 }')"
        if [ "$HR" = 1 ]; then
            if [ "$LAST_SEEN" -ne 0 ]; then
                printf "%s  \t  %s  \t  %s  \t  %s  \t  %s  \t  %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "$(date -d @"$LAST_SEEN" '+%b %d %Y - %T')"
            else
                printf "%s  \t  %s  \t  %s  \t  %s  \t  %s  \t  %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$(hr "$BYTES_RECEIVED")" "$(hr "$BYTES_SENT")" "(not yet)"
            fi
        else
            if [ "$LAST_SEEN" -ne 0 ]; then
                printf "%s  \t  %s  \t  %s  \t  %'d  \t  %'d  \t  %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$BYTES_RECEIVED" "$BYTES_SENT" "$(date -d @"$LAST_SEEN" '+%b %d %Y - %T')"
            else
                printf "%s  \t  %s  \t  %s  \t  %'d  \t  %'d  \t  %s\n" "$CLIENT_NAME" "$REMOTE_IP" "${VIRTUAL_IP/\/32/}" "$BYTES_RECEIVED" "$BYTES_SENT" "(not yet)"
            fi
        fi
-done <<< "$DUMP"
+    done <<< "$DUMP"
-printf "\n"
+    printf "\n"
-} | column -t -s $'\t'
+    } | column -t -s $'\t'
 }
 if [[ $# -eq 0 ]]; then
    HR=1
    listClients
 else
    while true; do
        case "$1" in
            -b|bytes)
                HR=0
                listClients
                exit 0
                ;;
            -h|help)
                scriptusage
                exit 0
                ;;
            *)
                HR=0
                listClients
                exit 0
                ;;
        esac
    done
 fi
--- a/scripts/wireguard/makeCONF.sh
+++ b/scripts/wireguard/makeCONF.sh
@ -104,7 +104,7 @@ echo "[Peer]
 PublicKey = $(cat keys/server_pub)
 PresharedKey = $(cat keys/psk)
 Endpoint = ${pivpnHOST}:${pivpnPORT}
-AllowedIPs = 0.0.0.0/0" >> "configs/${CLIENT_NAME}.conf"
+AllowedIPs = 0.0.0.0/0, ::0/0" >> "configs/${CLIENT_NAME}.conf"
 echo "::: Client config generated"
 echo "# begin ${CLIENT_NAME}
--- a/scripts/wireguard/pivpn
+++ b/scripts/wireguard/pivpn
@ -17,7 +17,8 @@ makeConf(){
 }
 listConnected(){
-    $SUDO /opt/pivpn/clientSTAT.sh
+    shift
    $SUDO /opt/pivpn/clientSTAT.sh "$@"
    exit 0
 }
@ -54,11 +55,6 @@ updateScripts(){
    exit 0
 }
 updateWireGuard(){
    $SUDO /opt/pivpn/wgUPDATE.sh
    exit 0
 }
 backup(){
  $SUDO /opt/pivpn/backup.sh
 }
@ -78,7 +74,6 @@ showHelp(){
    echo ":::  -h,  help             Show this help dialog"
    echo ":::  -u,  uninstall        Uninstall pivpn from your system!"
    echo ":::  -up, update           Updates PiVPN Scripts"
    echo ":::  -wg, wgupdate         Updates WireGuard"
    echo ":::  -bk, backup           Backup VPN configs and user profiles"
    exit 0
 }
@ -90,7 +85,7 @@ fi
 # Handle redirecting to specific functions based on arguments
 case "$1" in
 "-a"  | "add"                ) makeConf "$@";;
-"-c"  | "clients"            ) listConnected;;
+"-c"  | "clients"            ) listConnected "$@";;
 "-d"  | "debug"              ) debug;;
 "-l"  | "list"               ) listClients;;
 "-qr" | "qrcode"             ) showQrcode "$@";;
--- a/scripts/wireguard/wgUPDATE.sh
+++ b/scripts/wireguard/wgUPDATE.sh
@ -1,132 +0,0 @@
 #!/bin/bash
 setupVars="/etc/pivpn/setupVars.conf"
 if [ ! -f "${setupVars}" ]; then
 	echo "::: Missing setup vars file!"
 	exit 1
 fi
 source "${setupVars}"
 if [ "$(uname -m)" != "armv6l" ]; then
 	echo "On your system, WireGuard updates via the package manager"
 	exit 0
 fi
 CURRENT_WG_TOOLS_SNAPSHOT="${WG_TOOLS_SNAPSHOT}"
 WG_TOOLS_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-tools"."version"')"
 if dpkg --compare-versions "${WG_TOOLS_SNAPSHOT}" gt "${CURRENT_WG_TOOLS_SNAPSHOT}"; then
 	read -r -p "A new wireguard-tools update is available (${WG_TOOLS_SNAPSHOT}), install? [Y/n]: "
 	if [[ ${REPLY} =~ ^[Yy]$ ]]; then
 		echo "::: Upgrading wireguard-tools from ${CURRENT_WG_TOOLS_SNAPSHOT} to ${WG_TOOLS_SNAPSHOT}..."
 		WG_TOOLS_SOURCE="https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${WG_TOOLS_SNAPSHOT}.tar.xz"
 		echo "::: Downloading wireguard-tools source code... "
 		wget -qO- "${WG_TOOLS_SOURCE}" | tar xJ --directory /usr/src
 		echo "done!"
 		## || exits if cd fails.
 		cd /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}/src" || exit 1
 		# We install the userspace tools manually since DKMS only compiles and
 		# installs the kernel module
 		echo "::: Compiling WireGuard tools... "
 		if make; then
 			echo "done!"
 		else
 			echo "failed!"
 			exit 1
 		fi
 		# Use checkinstall to install userspace tools so if the user wants to uninstall
 		# PiVPN we can just do apt remove wireguard-tools, instead of manually removing
 		# files from the file system
 		echo "::: Installing WireGuard tools... "
 		if checkinstall --pkgname wireguard-tools --pkgversion "${WG_TOOLS_SNAPSHOT}" -y; then
 			echo "done!"
 		else
 			echo "failed!"
 			exit 1
 		fi
 		echo "::: Removing old source code ..."
 		rm -rf /usr/src/wireguard-tools-"${CURRENT_WG_TOOLS_SNAPSHOT}"
 		sed "s/WG_TOOLS_SNAPSHOT=${CURRENT_WG_TOOLS_SNAPSHOT}/WG_TOOLS_SNAPSHOT=${WG_TOOLS_SNAPSHOT}/" -i "${setupVars}"
 		echo "::: Upgrade completed!"
 	fi
 else
 	echo "::: You are running the lastest version of wireguard-tools (${CURRENT_WG_TOOLS_SNAPSHOT})"
 fi
 CURRENT_WG_MODULE_SNAPSHOT="${WG_MODULE_SNAPSHOT}"
 WG_MODULE_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-linuxcompat"."version"')"
 if dpkg --compare-versions "${WG_MODULE_SNAPSHOT}" gt "${CURRENT_WG_MODULE_SNAPSHOT}"; then
 	read -r -p "A new wireguard-dkms update is available (${WG_MODULE_SNAPSHOT}), install? [Y/n]: "
 	if [[ ${REPLY} =~ ^[Yy]$ ]]; then
 		echo "::: Upgrading wireguard-dkms from ${CURRENT_WG_MODULE_SNAPSHOT} to ${WG_MODULE_SNAPSHOT}..."
 		WG_MODULE_SOURCE="https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WG_MODULE_SNAPSHOT}.tar.xz"
 		echo "::: Downloading wireguard-linux-compat source code... "
 		wget -qO- "${WG_MODULE_SOURCE}" | tar xJ --directory /usr/src
 		echo "done!"
 		# Rename wireguard-linux-compat folder and move the source code to the parent folder
 		# such that dkms picks up the module when referencing wireguard/"${WG_MODULE_SNAPSHOT}"
 		cd /usr/src && \
 		mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}" && \
 		cd wireguard-"${WG_MODULE_SNAPSHOT}" && \
 		mv src/* . && \
 		rmdir src || exit 1
 		echo "::: Adding WireGuard module via DKMS... "
 		if dkms add wireguard/"${WG_MODULE_SNAPSHOT}"; then
 			echo "done!"
 		else
 			echo "failed!"
 			dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
 			exit 1
 		fi
 		echo "::: Compiling WireGuard module via DKMS... "
 		if dkms build wireguard/"${WG_MODULE_SNAPSHOT}"; then
 			echo "done!"
 		else
 			echo "failed!"
 			dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
 			exit 1
 		fi
 		echo "::: Installing WireGuard module via DKMS... "
 		if dkms install wireguard/"${WG_MODULE_SNAPSHOT}"; then
 			echo "done!"
 		else
 			echo "failed!"
 			dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
 			exit 1
 		fi
 		echo "::: Removing old kernel module and source code..."
 		if dkms remove wireguard/"${CURRENT_WG_MODULE_SNAPSHOT}" --all; then
 			rm -rf /usr/src/wireguard-"${CURRENT_WG_MODULE_SNAPSHOT}"
 			echo "done!"
 		else
 			echo "failed!"
 			exit 1
 		fi
 		sed "s/WG_TOOLS_SNAPSHOT=${CURRENT_WG_MODULE_SNAPSHOT}/WG_TOOLS_SNAPSHOT=${WG_MODULE_SNAPSHOT}/" -i "${setupVars}"
 		echo "::: Upgrade completed!"
 	fi
 else
 	echo "::: You are running the lastest version of wireguard-dkms (${CURRENT_WG_MODULE_SNAPSHOT})"
 fi