debconf-apt-progress is a tool to show a whiptail based dialog with progress bar for apt package installs, but it is some downsides:
- It aborts whenever apt or debconf halt for an interactive input, hence this would need to be prevented carefully, e.g. via "DEBIAN_FRONTEND=noninteractive" and "--force-confdef/old/new/miss", while it is questionable whether PiVPN should mute such configuration inputs for users.
- It even aborts when such interactive input is not actually required in some cases, but triggered by some other debconf load internals: pivpn#1360
Most importantly, aside of the visually probably appealing progress bar, debconf-apt-progress has not any upsides but reduces transparency of what is actually done, and the installer has a fallback already.
This commit removes the debconf-apt-progress usage in favour of the fallback: direct apt-get usage.
Signed-off-by: MichaIng <micha@dietpi.com>
There is only a single wget call in the installer, at the beginning of a pipe where curl may be the more natural choice. Since curl is a dependency already, this commit replaces the only wget call with curl and hence removes wget from installer dependencies.
Additionally, all curl calls get additional flags:
-s: The "silent" flag is now consequently used to suppress all processing output. It is not necessarily required when the STDOUT is a pipe or command substitution, but it does not hurt.
-S: Even when the curl output is piped, it may be helpful to have errors visible via STDERR, for debugging and being transparent about actual connection/download errors. This flag preserves error messages but does not send them to STDOUT, hence the data processed in the pipe or command substitution is not affected.
-f: There are cases where webservers return a 40x HTML document which is then printed to STDOUT by curl, like a 20x document, and hence unintentionally processed by the end of the pipe or command substitution. Usually this just cases a syntax error, but in theory it can have any unintended or even dangerous effect. The "fail" flag assures that 40x responses are printed as shortened error messages to STDERR and nothing is output to STDOUT. It should be hence seen as mandatory flag whenever curl is called to not print something to console but the output is processed.
-L: wget follows redirects automatically, curl requires the "-L" flag for this. For the wget => curl migration it is hence added to not change the behaviour.
Signed-off-by: MichaIng <micha@dietpi.com>
rsyslog and/or logrotate may not be installed on the system, in which case creating the configurations may fail. As rsyslog and logrotate may be installed later on, it makes sense to pre-create those directories so that then OpenVPN logs are handled as expected.
Also, if the rsyslog service is not installed or not active, it should not and does not need to be restarted. Since there is not `-e` flag, ` || true` has not effect, but also, when using that flag it makes sense to exit if for some reason the running service couldn't be restarted, which may then be caused by the added configuration.
Signed-off-by: MichaIng <micha@dietpi.com>
- Raspbian images have been shipping with kernel 5.10.17 since March 4.
This kernel version has the WireGuard module built in which means we
don't need to check if the user has updated, neither to install the
module via DKMS.
SC2178: Variable was used as an array but is now assigned a string.
SC2128: Expanding an array without an index only gives the first element.
It's apparently a known bug that shellcheck can't both declare a
variable local and assign a value to it without raising this issue.
https://github.com/koalaman/shellcheck/wiki/SC2178
Meanwhile the Raspberry Pi kernel package with Linux 5.10 and built-in WireGuard module has been released. It hence became effective to make use of the built-in module check on Raspbian as well to skip the overhead of kernel headers install and DKMS module build.
Additionally, when adding Bullseye repositories to make available the WireGuard packages, say so explicitly. "Adding Debian repository" / "Adding Raspbian repository" is confusing when running a Debian / Raspbian system with those repositories added already, only with an distro release.
Signed-off-by: MichaIng <micha@dietpi.com>
Added -y to $UPDATE_PKG_CACHE
updatePackageCache() no longer checks if apt update was run, it will
always update package cache since its a requirement
Replaced all updates using ${UPDATE_PKG_CACHE} with
updatePackageCache()
Support was enabled automatically if a WireGuard package was found or could have been made available. But if the WireGuard kernel module is not available, it needs to be compiled. The required kernel headers are only reliably known for Raspberry Pi (Raspbian) and for amd64. This commit resolves the related issue where linux-image-amd64 was attempted to be installed on non-amd64 systems: https://github.com/pivpn/pivpn/issues/1180
Additionally this commit resolves the issue that kernel headers were required and a DKMS build done, even if the module was builtin, when no WireGuard package was found.
The $NEED_WIREGUARD_REPO variable has been replaced with $AVAILABLE_WIREGUARD, which practically serves the same information and allows a simpler support check.
Signed-off-by: MichaIng <micha@dietpi.com>
- On Raspbian, /lib is not a symbolic link to /usr/lib, so the WireGuard unit won't be found.
Therefore changed to /lib/... (which is the default location for units of installed packages).
From the man page of dnsmasq:
--local-service
Accept DNS queries only from hosts whose address is on a local subnet,
ie a subnet for which an interface exists on the server. This option only
has effect if there are no --interface, --except-interface, --listen-address
or --auth-server options. It is intended to be set as a default on installation,
to allow unconfigured installations to be useful but also safe from being
used for DNS amplification attacks.
- Letting dnsmasq additionally listen on a specific VPN interface when Pi-hole is
listening on the physical interface only may be more secure than letting dnsmasq
listen on all interfaces, however, dnsmasq will stop listening on the physical
interface (breaking LAN resolution) if the user changes the listening behavior
at a later time.
For the target audience of PiVPN, it is more likely that users will set the
listening behavior to all when deciding to use Pi-hole via VPN (which is suggested
in the Pi-hole guide and most guides on the web), instead of digging into
configuration file.
This option is safe if the Raspberry Pi is inside the local network and the user
has not forwarded port 53 on their router, which is unlikely as they are installing
PiVPN precisely to avoid doing that.
- Renamed '--i_do_not_follow_recommendations' to '--skip-space-check', since
the argument actually skips the space check.
- Obtain the unattended configuration dynamically, by looking at the argument
next to '--unattended', instead of looking at the second argument, which
was a too fragile parsing.
- Because of the previous one, figuring out when no argument has been passed
to '--unattended' doesn't seem trivial, because the next argument could be
an undocumented flag as well, which would be intepreted as a filename.
- /usr/local/src, when cloning the git repository
- /opt (this one was already taken into account but I had accidentally
removed the mkdir command in the previous commit).
- Allow using 'pivpn vpn -u' to directly uninstall VPN 'vpn'
- Also allow using 'pivpn -u' with two VPNs (will present a dialog).
- During uninstall, ask which VPN to remove only if there are two VPNs
- PiVPN git repo will be downloaded to '/usr/local/src/pivpn'. All scripts
in /opt/pivpn, the main pivpn script and the bash completion file,
are now just symbolic links. Resolves issue #695.
- Remove unused call to updateWireGuard().
remove refs to /etc/pivpn/setupVars in selfcheck and debug scripts
tidy indenting
on install, check if symlink already exists before making one to avoid error
uninstall indicates which vpns are available for uninstall
selfcheck checks both protocols if both present
install - additional text in reconfigure saying 2nd protocol can be added
change to use pivpn ovpn instaed of pivpn opv when dual protocols exist
