Commit graph

982 commits

Author SHA1 Message Date
Orazio
eae70d0295 Verify that the available OpenVPN version has ECC support 2020-03-12 13:00:18 +01:00
Orazio
1352ccf9a3 Avoid IPv6 leak by routing IPv6 through WireGuard
- Since the server is IPv4 only, routing IPv6 through it prevents IPv6
    packets from going outside the tunnel (if the client supports IPv6).
2020-03-10 14:16:23 +01:00
Orazio
9c4b87f4ab Do not add repositories if OpenVPN or WireGuard can be found inside available sources 2020-03-10 14:14:16 +01:00
Orazio
32acdd634b Use LC_ALL=C for the whole script
- Fixes 'apt-cache policy something | grep somethingelse'
2020-03-10 13:02:35 +01:00
Orazio
c1c1720aef Download OpenVPN key via HTTPS if retrieving via keyserver fails 2020-03-10 13:00:23 +01:00
Orazio
efcb262fa5 Merge branch 'test' of https://github.com/pivpn/pivpn into test 2020-03-04 12:54:29 +01:00
Orazio
0a30365d65 Some changes from pull request 963
- Make sure to install WireGuard only if platform is Raspbian or an x86 Debian/Ubuntu
  - Install WireGuard from bullseye repository instead of unstable
  - Reduced WireGuard package priority to the minimum that allows upgrades
2020-03-04 12:48:14 +01:00
Orazio
5c139b20d5
Merge pull request #973 from alexpovel/master
Fix typo and grammar
2020-03-04 11:25:52 +01:00
Alex Povel
61eaa7fd11 Fix typo and grammar 2020-03-03 17:03:05 +01:00
Orazio
f749d6b722 Fix for issue #962 2020-02-26 09:49:49 +01:00
Orazio
72ff65cb80
Merge pull request #963 from MichaIng/patch-1
Apply the x86-only OpenVPN repo on x86 systems only
2020-02-26 09:46:25 +01:00
MichaIng
ba79e14175
Apply the x86-only OpenVPN repo on x86 systems only 2020-02-26 00:13:46 +01:00
Orazio
e73f274fca
Update LatestUpdate.md 2020-02-17 16:34:07 +01:00
Orazio
1f7b4b7f2a
Merge pull request #950 from pivpn/test
Merge test into master
2020-02-17 16:12:05 +01:00
Orazio
9846d3787a Use variables to define VPN ranges instead of hard coding IPs 2020-02-16 09:09:09 +01:00
Orazio
edbd23a2a1 Fixed missing condition in if statement when deciding whether to listen on tun0/wg0 2020-02-15 13:24:42 +01:00
Orazio
660d83468c Drop libmnl-dev requirement on armv6l
- https://lists.zx2c4.com/pipermail/wireguard/2020-February/004963.html
2020-02-13 11:42:23 +01:00
Orazio
87cf243abc Fix Pi-hole support when dnsmasq is set to listen on all interfaces 2020-02-13 11:30:13 +01:00
0-kaladin
dc12418484
Update LICENSE 2020-02-11 20:59:04 -05:00
Orazio
41ed9c4a6f Minor fixes
- LC_ALL=C should be the canonical way to override the locale, instead
    of setting a specific one.
  - apt-transport-https is required on Ubuntu < Bionic and Debian < Buster
2020-02-11 12:17:34 +01:00
Orazio
337fa10fdc Improvements when importing GPG keys
- Importing OpenVPN PGP key from keyserver should be more secure than
    downloading from the website as we specifically tell the keyserver
    which key we want, referring to its fingerprint
  - Exit if import is unsuccessful
2020-02-11 12:17:29 +01:00
Orazio
3730d315e9 Automatic backup of existing OpenVPN/WireGuard folder should only be readable by root 2020-02-10 17:58:32 +01:00
Orazio
0cb5546608 Get $STATIC_IP before ccd folder is deleted (otherwhise $STATIC_IP will be empty) 2020-02-10 17:36:39 +01:00
Orazio
6fd451dac0 apt-transport-https is required since we will use HTTPS repos in the script 2020-02-10 17:34:11 +01:00
Orazio
2c6ba65288 Implemented feature request from issue #942 (OpenVPN) 2020-02-09 18:55:30 +01:00
Orazio
ead280e60f Set static IPs when using OpenVPN
- Preparation for feature request from issue #942
2020-02-09 18:51:30 +01:00
Orazio
3f616d9254 Implemented feature request from issue #942 (WireGuard) 2020-02-07 18:07:15 +01:00
Orazio
bf0015c303 Replaced last reference to pivpn.dev with pivpn.io 2020-02-05 20:51:24 +01:00
4s3ti
1f399527f3
Merge pull request #940 from pivpn/test
Going back to pivpn.io
2020-02-05 20:33:53 +01:00
4s3ti
5b8494c57c Going back to pivpn.io
replaced pivpn.dev with pivpn.io
2020-02-05 20:29:14 +01:00
4s3ti
cf28f62068
Merge pull request #933 from RBEGamer/patch-1
Update README.md
2020-02-02 17:55:35 +01:00
Marcel Ochsendorf
4b72d7b8cd
Update README.md 2020-02-02 15:23:13 +01:00
Orazio
5fd5b6e584 Suggest the user to take a look at the FAQ 2020-02-01 21:04:32 +01:00
Orazio
34fb734649
Update LatestUpdate.md 2020-01-31 21:33:32 +01:00
4s3ti
2b18518059
test to master
added link to server status dashboard

    Replaced Header with bold instead

    More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
        Add curl as a dependency for those who run the script without 'curl URL | bash'.
        Use POSIX 'command -v' instead of 'hash'.
        Check if packages have actually been installed and abort execution if they have not.
        Fixed issue with getStaticIPv4Settings() that prevented existing network settings
        to be used as static IP settings when running the script unattended with empty
        $IPv4addr and $IPv4gw variables.
        Exit if processing wireguard-linux-compat fails.
        Exit if 50unattended-upgrades fails to extract.
        Exit clientSTAT.sh if the wg0 interface is not available.
        Moved the Self Check to a single script since dedicated versions were very similar.
        Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.

    Fixed cosmetic issue with spinner, added missing spinner to some APT commands

    Detect current netmask, validate user input when configuring a static IP

    Inform the user when updating the package cache, which can be slow on some RPis

    Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct

    Restart pihole in the more appropriate restartServices() function

    Improve static IP selection, validate public DNS name of the server
        Default to 'No' when asking if the RPi has DHCP reservation, considered
        that the user may not be fully aware, furthermore, setting a static IP
        anyways doesn't do harm.
        Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
        '/etc/dhcpcd.conf' with invalid data.
        Validate public DNS name of the server inside askPublicIPOrDNS() function

    Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
        Added a basic sanity check to downloaded DH paramenters, which doubles as a
        check for missing .pem file.
        Fix 'pivpn -c' showing the month number instead of the day of the month when
        using WireGuard.
        Removing APT keys is risky, it would break APT update/upgrade if the user
        already was already using the unstable repo.
        Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
        $i... already installed'.
        Check whether the OpenVPN repo and the Debian unstable repo are already used.

    Improvements to getStaticIPv4Settings()

        Use a regular expression to extract IPs from the 'ip' command. With this,
        there is a little need to validate output. Even though the regex will match
        invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
        the script would not have reached this function due to previous functions
        using the network with broken routes and addresses.

        Get the IP address from the selected interface rather then from the 'ip route'
        command as it's not guaranteed that such IP is the same of the interface the
        user decided to use (though on a Raspberry Pi inside a home LAN, most likely
        it is, but it also maskes easier to get the IP in the CIDR notation with a
        single 'ip | grep' pipe).

    Moved command substitution to specific functions to avoid unnecessary execution
        Moved $availableInterfaces and $CurrentIPv4gw from the script header to
        their relevant function, considered that if the OS is not Raspbian a static
        IP is not set, so those variables are not used.

    Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
        Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
        still generate his own if he wishes).
        https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 20:37:22 +01:00
4s3ti
eece753ed1
Merge-test
Merge-test
2020-01-31 20:28:40 +01:00
4s3ti
b8f89ab015 Revert "Merge test (#929)"
This reverts commit d691321b3e.
2020-01-31 20:24:31 +01:00
Orazio
d691321b3e
Merge test (#929)
* added link to server status dashboard

* Replaced Header with bold instead

* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code

  - Add curl as a dependency for those who run the script without 'curl URL | bash'.
  - Use POSIX 'command -v' instead of 'hash'.
  - Check if packages have actually been installed and abort execution if they have not.
  - Fixed issue with getStaticIPv4Settings() that prevented existing network settings
    to be used as static IP settings when running the script unattended with empty
    $IPv4addr and $IPv4gw variables.
  - Exit if processing wireguard-linux-compat fails.
  - Exit if 50unattended-upgrades fails to extract.
  - Exit clientSTAT.sh if the wg0 interface is not available.
  - Moved the Self Check to a single script since dedicated versions were very similar.
  - Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.

* Fixed cosmetic issue with spinner, added missing spinner to some APT commands

* Detect current netmask, validate user input when configuring a static IP

* Inform the user when updating the package cache, which can be slow on some RPis

* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct

* Restart pihole in the more appropriate restartServices() function

* Improve static IP selection, validate public DNS name of the server
  - Default to 'No' when asking if the RPi has DHCP reservation, considered
    that the user may not be fully aware, furthermore, setting a static IP
    anyways doesn't do harm.
  - Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
    '/etc/dhcpcd.conf' with invalid data.
  - Validate public DNS name of the server inside askPublicIPOrDNS() function

* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
  - Added a basic sanity check to downloaded DH paramenters, which doubles as a
    check for missing .pem file.
  - Fix 'pivpn -c' showing the month number instead of the day of the month when
    using WireGuard.
  - Removing APT keys is risky, it would break APT update/upgrade if the user
    already was already using the unstable repo.
  - Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
    $i... already installed'.
  - Check whether the OpenVPN repo and the Debian unstable repo are already used.

* Improvements to getStaticIPv4Settings()

  - Use a regular expression to extract IPs from the 'ip' command. With this,
    there is a little need to validate output. Even though the regex will match
    invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
    the script would not have reached this function due to previous functions
    using the network with broken routes and addresses.

  - Get the IP address from the selected interface rather then from the 'ip route'
    command as it's not guaranteed that such IP is the same of the interface the
    user decided to use (though on a Raspberry Pi inside a home LAN, most likely
    it is, but it also maskes easier to get the IP in the CIDR notation with a
    single 'ip | grep' pipe).

* Moved command substitution to specific functions to avoid unnecessary execution

  - Moved $availableInterfaces and $CurrentIPv4gw from the script header to
    their relevant function, considered that if the OS is not Raspbian a static
    IP is not set, so those variables are not used.

* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919

  - Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
    still generate his own if he wishes).
    https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 16:40:09 +01:00
Orazio
e949aadbc3 Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
    still generate his own if he wishes).
    https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 14:07:58 +01:00
Orazio
379ab50f5f Moved command substitution to specific functions to avoid unnecessary execution
- Moved $availableInterfaces and $CurrentIPv4gw from the script header to
    their relevant function, considered that if the OS is not Raspbian a static
    IP is not set, so those variables are not used.
2020-01-30 17:29:31 +01:00
Orazio
f2fa01e3a5 Fix WireGuard not starting on a clean install of Raspbian
- If the kernel is out of sync with the repo, have the user upgrade
    his system and reboot before installing WireGuard.
2020-01-30 14:16:39 +01:00
Orazio
380dc0ab37 Improvements to getStaticIPv4Settings()
- Use a regular expression to extract IPs from the 'ip' command. With this,
    there is a little need to validate output. Even though the regex will match
    invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
    the script would not have reached this function due to previous functions
    using the network with broken routes and addresses.

  - Get the IP address from the selected interface rather then from the 'ip route'
    command as it's not guaranteed that such IP is the same of the interface the
    user decided to use (though on a Raspberry Pi inside a home LAN, most likely
    it is, but it also maskes easier to get the IP in the CIDR notation with a
    single 'ip | grep' pipe).
2020-01-29 14:11:38 +01:00
Orazio
9679a600c1 Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
    check for missing .pem file.
  - Fix 'pivpn -c' showing the month number instead of the day of the month when
    using WireGuard.
  - Removing APT keys is risky, it would break APT update/upgrade if the user
    already was already using the unstable repo.
  - Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
    $i... already installed'.
  - Check whether the OpenVPN repo and the Debian unstable repo are already used.
2020-01-27 14:44:03 +01:00
Orazio
b6a47a02c3 Improve static IP selection, validate public DNS name of the server
- Default to 'No' when asking if the RPi has DHCP reservation, considered
    that the user may not be fully aware, furthermore, setting a static IP
    anyways doesn't do harm.
  - Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
    '/etc/dhcpcd.conf' with invalid data.
  - Validate public DNS name of the server inside askPublicIPOrDNS() function
2020-01-26 18:45:25 +01:00
Orazio
8886eab1dc Restart pihole in the more appropriate restartServices() function 2020-01-26 15:37:42 +01:00
Orazio
e0ee6cf937 Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct 2020-01-26 14:47:31 +01:00
Orazio
b12996df37 Inform the user when updating the package cache, which can be slow on some RPis 2020-01-25 18:01:07 +01:00
Orazio
d1a781075a Detect current netmask, validate user input when configuring a static IP 2020-01-25 17:43:23 +01:00
Orazio
0994ac7d5a Fixed cosmetic issue with spinner, added missing spinner to some APT commands 2020-01-25 14:24:04 +01:00
Orazio
deee38b20e More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
  - Use POSIX 'command -v' instead of 'hash'.
  - Check if packages have actually been installed and abort execution if they have not.
  - Fixed issue with getStaticIPv4Settings() that prevented existing network settings
    to be used as static IP settings when running the script unattended with empty
    $IPv4addr and $IPv4gw variables.
  - Exit if processing wireguard-linux-compat fails.
  - Exit if 50unattended-upgrades fails to extract.
  - Exit clientSTAT.sh if the wg0 interface is not available.
  - Moved the Self Check to a single script since dedicated versions were very similar.
  - Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
2020-01-24 17:12:36 +01:00