- Make sure to install WireGuard only if platform is Raspbian or an x86 Debian/Ubuntu
- Install WireGuard from bullseye repository instead of unstable
- Reduced WireGuard package priority to the minimum that allows upgrades
- LC_ALL=C should be the canonical way to override the locale, instead
of setting a specific one.
- apt-transport-https is required on Ubuntu < Bionic and Debian < Buster
- Importing OpenVPN PGP key from keyserver should be more secure than
downloading from the website as we specifically tell the keyserver
which key we want, referring to its fingerprint
- Exit if import is unsuccessful
* added link to server status dashboard
* Replaced Header with bold instead
* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
- Use POSIX 'command -v' instead of 'hash'.
- Check if packages have actually been installed and abort execution if they have not.
- Fixed issue with getStaticIPv4Settings() that prevented existing network settings
to be used as static IP settings when running the script unattended with empty
$IPv4addr and $IPv4gw variables.
- Exit if processing wireguard-linux-compat fails.
- Exit if 50unattended-upgrades fails to extract.
- Exit clientSTAT.sh if the wg0 interface is not available.
- Moved the Self Check to a single script since dedicated versions were very similar.
- Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
* Fixed cosmetic issue with spinner, added missing spinner to some APT commands
* Detect current netmask, validate user input when configuring a static IP
* Inform the user when updating the package cache, which can be slow on some RPis
* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct
* Restart pihole in the more appropriate restartServices() function
* Improve static IP selection, validate public DNS name of the server
- Default to 'No' when asking if the RPi has DHCP reservation, considered
that the user may not be fully aware, furthermore, setting a static IP
anyways doesn't do harm.
- Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
'/etc/dhcpcd.conf' with invalid data.
- Validate public DNS name of the server inside askPublicIPOrDNS() function
* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
check for missing .pem file.
- Fix 'pivpn -c' showing the month number instead of the day of the month when
using WireGuard.
- Removing APT keys is risky, it would break APT update/upgrade if the user
already was already using the unstable repo.
- Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
$i... already installed'.
- Check whether the OpenVPN repo and the Debian unstable repo are already used.
* Improvements to getStaticIPv4Settings()
- Use a regular expression to extract IPs from the 'ip' command. With this,
there is a little need to validate output. Even though the regex will match
invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
the script would not have reached this function due to previous functions
using the network with broken routes and addresses.
- Get the IP address from the selected interface rather then from the 'ip route'
command as it's not guaranteed that such IP is the same of the interface the
user decided to use (though on a Raspberry Pi inside a home LAN, most likely
it is, but it also maskes easier to get the IP in the CIDR notation with a
single 'ip | grep' pipe).
* Moved command substitution to specific functions to avoid unnecessary execution
- Moved $availableInterfaces and $CurrentIPv4gw from the script header to
their relevant function, considered that if the OS is not Raspbian a static
IP is not set, so those variables are not used.
* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
still generate his own if he wishes).
https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
- Uncommented lines inside the cloneandupdate() function in the update script, so pivpn -up can pull scripts from the master branch
- The script was checking for the existence of PiVPN rules in the INPUT and FORWARD chain by passing 'iptables -t nat -S' to grep, but it couldn't find them as they belong to the filer table and not the nat table. The correct command is 'iptables -S'
- Update variables inside unattended examples
- Remove openvpn logging setting when uninstalling the package
- Run 'apt-get update' after removing the WireGuard PPA
- Flip condition check on $dhcpReserv: first check if empty, and if not, check if it's not 1.
Doing it the other way (first check if not 1) would give a shell error if $dhcpReserv was empty.
The ‘linux-headers-generic’ package is preferred over the version-specific headers package as the generic will be automatically updated with the kernel, whereas the other will not.
Tested and added Support on Debian 9
tested and added support on Ubuntu 16.04 & 18.08
* Fixed wireguard not installing, added pkg cache update after adding ppa
* added kernel headers to dependencies as its requred for wireguard-dkms
unattended install
* When user is provided and doest exist, it will create one without password set
install.sh
installScripts function:
update script not being copied over to /opt therefore update funcion was probably broken.
changed script to copy all .sh scripts from .pivpn/scripts directory.
Issue #871: fix backup script
I was probably very drunk when i first wrote this backup script.
fixed it, now works with new code refactoring,
loads vars from setupVars
Added backup for wireguard
Moved script to global pivpnscripts.
Added backup script to bash-completion
Added backup script to pivpn script
update.sh
Commented the update from master branch to avoid users trying to update test from master.
Updated LatestChages.md
Moved installPiVPN up, to better match the order when it is called.
Added Some cuotes to make shellcheck happy.
Added exit codes and error messages in case cd fails to not exit
silently.
Support For DHCP IP Reservation
Main:
- added If statement to skipp SetStaticIPv4 if dhcpRserv=1
getStaticIPv4Settings:
- Added Whiptail asking if user wants to use DHCP reservation Settings, this will add dhcpReserv and
skip setStaticIPv4 while still logging everything.
ConfigExample files:
- Added staticReserv=0 to config examples. so it can be used with Unattended install
* 0 means static ip will be setup.
* 1 means DHCP Reservation will be used and no chage will be made to the interfaces
* Removed Unecessary pipe on availableInterfaces
* Changed OS Support messages accross the script
- Removed OS Version names from the script, this avoids having to change the code everytime a new OS Version is Released, instead we update the wiki with propper information.
* Changed MaybeOSSupport whiptail tiltes and messages to make it more clear.
- Messages and titles could cause confusion to users and specially developers
* Moved Funcions Comment to correct place.
* DistroCheck Function:
- Moved up before other functions so it better refflects the order they are called.
- changed Case identation to make it easier to read.
- Added info to # compatibility Comment, Removed unecessary comments
- added break to exit out of case, easier to understand that the script should move on.
* Added Shellcheck ignores,
* chooseinterface Function:
- Changed function Logic and cleaned it up
- Fixed Issue #906
- Added exit code if no interfaces are found
* Updated LatestUpdate.md
Handle running the install script over an existing installation (as the script already did before branching to test-wireguard), providing:
- Update, downloads latest scripts from git repo
- Repair, reinstall PiVPN while keeping existing settings
- Reconfigure, start over overwriting the existing settings
Tag iptables rules as an attempt to make sure that the uninstall script only removes PiVPN rules
Change the armv6l installation to reflect the split of WireGuard snapshots into wireguard-linux-compat and wireguard-tools
DNS resolution even if the user does not route the local network through the tunnel.
- Format listCONF in a similar way as listOVPN
- Specifically look for a free octet in the last word of clients.txt and not just any word.
Necessary otherwhise public keys starting with a number will match against an octet.
Example: if line is 'name 5abcdefgh 4', then looking for ' 5' will match but '5$' will
not (correctly).
- 'pivpn -c' will show the Connected Clients List for WireGuard too
Currently apt pulls all packages from the unstable repo because the
script intendation created the file 'limit-unstable' with tabs in it.
Fixed using printf to create a multiline file (which is the way
wireguard.com/install suggests).
MakeOVPN has been updated to include the -i iOS function to allow users to create an OVPN12 format file that can be used with the iOS keychain. Since the OVPN12 format is incompatible with OpenVPN 2.4 - this change creates a configuration file that determines if the user can create a -i request via MakeOVPN.
than two consecutive hyphens, must not end or start with hyphen,
final must be at least two apha characters.
Signed-off-by: Rob Gill <rrobgill@protonmail.com>
Install script not creating ovpns dir, and throwing error:
```
cp: cannot stat '/tmp/OLD_UFW': No such file or directory
mkdir: cannot create directory ‘/root\n/usr/sbin\n/bin\n/dev\n/bin\n/usr/games\n/var/cache/man\n/var/spool/lpd\n/var/mail\n/var/spool/news\n/var/spool/uucp\n/bin\n/var/www\n/var/backups\n/var/list\n/var/run/ircd\n/var/lib/gnats\n/nonexistent\n/nonexistent\n/run/systemd\n/run/systemd\n/run/systemd\n/nonexistent\n/run/sshd\n/\n/home/pivpntest/ovpns’: No such file or directory
chmod: cannot access '/root'$'\n''/usr/sbin'$'\n''/bin'$'\n''/dev'$'\n''/bin'$'\n''/usr/games'$'\n''/var/cache/man'$'\n''/var/spool/lpd'$'\n''/var/mail'$'\n''/var/spool/news'$'\n''/var/spool/uucp'$'\n''/bin'$'\n''/var/www'$'\n''/var/backups'$'\n''/var/list'$'\n''/var/run/ircd'$'\n''/var/lib/gnats'$'\n''/nonexistent'$'\n''/nonexistent'$'\n''/run/systemd'$'\n''/run/systemd'$'\n''/run/systemd'$'\n''/nonexistent'$'\n''/run/sshd'$'\n''/'$'\n''/home/pivpntest/ovpns': No such file or directory
```
Found incosistencies in instalation user var/files namings, to have it consistend and easy to understand and considering everyone is more familiar with INSTALL_USER
Changed $pivpnUser to INSTALL_USER
Changed pivpnUSR to INSTALL_USER
Removed PiVPN Secure Notes from PiVPN ADD introduced with PR #794
- Notes not being pushed to BW Vault
- OVPN files not going to ovpns dir
- Needs investigation
+ When estimating $INSTALL_HOME, assure grep can only match user names, to avoid possible wrong multi-line value
+ Remove possible trailing slash from $INSTALL_HOME, to avoid double slash in "$INSTALL_HOME/ovpns"
+ Avoid "cat <file> | grep <pattern>", since grep can process files directly
Signed-off-by: MichaIng <micha@dietpi.com>
Code assumes that the specified user directory is under /home. This code parses the /etc/passwd file in order to determine what that user's proper home directory is.
Historic versions leveraged a format of "server_$UUID" to name of the VPN server certificate for X509 verification. This seems very impersonal. The new code pulls the existing hostname of the machines and appends the 16 character UUID. The new format is $hostname_$UUID.
Example:
A machine named "Martian" with a UUID of 1234567890123456 would change from server_1234567890123456 to Martian_1234567890123456
This commit introduces a `sync` call before the install script exits.
The writes that this script does during setup do not reach persistent
storage until the kernel decides to flush them. The reboot sequence
might drop those pending writes on the floor. To mitigate that
possibility (but not fully eliminate it), the script now calls `sync`,
which waits until the kernel has flushed its write cache.
Changes:
- Document that Devuan is supported.
- Use special PLAT name, Raspvuan for Pi version
- Use service command for any *vuan PLAT, systemd is no on any
Devuan.
- add net-tools to PIVPN_DEPS
- To simplify further additions to PLAT or OSCN, use
the case command for checking
- Treat Devuan as Debian
- Add /sbin:/usr/sbin to PATH before calling ifconfig
- Ensure net-tools is installed so we have ifconfig
