Meanwhile the Raspberry Pi kernel package with Linux 5.10 and built-in WireGuard module has been released. It hence became effective to make use of the built-in module check on Raspbian as well to skip the overhead of kernel headers install and DKMS module build.
Additionally, when adding Bullseye repositories to make available the WireGuard packages, say so explicitly. "Adding Debian repository" / "Adding Raspbian repository" is confusing when running a Debian / Raspbian system with those repositories added already, only with an distro release.
Signed-off-by: MichaIng <micha@dietpi.com>
Added -y to $UPDATE_PKG_CACHE
updatePackageCache() no longer checks if apt update was run, it will
always update package cache since its a requirement
Replaced all updates using ${UPDATE_PKG_CACHE} with
updatePackageCache()
Support was enabled automatically if a WireGuard package was found or could have been made available. But if the WireGuard kernel module is not available, it needs to be compiled. The required kernel headers are only reliably known for Raspberry Pi (Raspbian) and for amd64. This commit resolves the related issue where linux-image-amd64 was attempted to be installed on non-amd64 systems: https://github.com/pivpn/pivpn/issues/1180
Additionally this commit resolves the issue that kernel headers were required and a DKMS build done, even if the module was builtin, when no WireGuard package was found.
The $NEED_WIREGUARD_REPO variable has been replaced with $AVAILABLE_WIREGUARD, which practically serves the same information and allows a simpler support check.
Signed-off-by: MichaIng <micha@dietpi.com>
- On Raspbian, /lib is not a symbolic link to /usr/lib, so the WireGuard unit won't be found.
Therefore changed to /lib/... (which is the default location for units of installed packages).
From the man page of dnsmasq:
--local-service
Accept DNS queries only from hosts whose address is on a local subnet,
ie a subnet for which an interface exists on the server. This option only
has effect if there are no --interface, --except-interface, --listen-address
or --auth-server options. It is intended to be set as a default on installation,
to allow unconfigured installations to be useful but also safe from being
used for DNS amplification attacks.
- Letting dnsmasq additionally listen on a specific VPN interface when Pi-hole is
listening on the physical interface only may be more secure than letting dnsmasq
listen on all interfaces, however, dnsmasq will stop listening on the physical
interface (breaking LAN resolution) if the user changes the listening behavior
at a later time.
For the target audience of PiVPN, it is more likely that users will set the
listening behavior to all when deciding to use Pi-hole via VPN (which is suggested
in the Pi-hole guide and most guides on the web), instead of digging into
configuration file.
This option is safe if the Raspberry Pi is inside the local network and the user
has not forwarded port 53 on their router, which is unlikely as they are installing
PiVPN precisely to avoid doing that.
- Renamed '--i_do_not_follow_recommendations' to '--skip-space-check', since
the argument actually skips the space check.
- Obtain the unattended configuration dynamically, by looking at the argument
next to '--unattended', instead of looking at the second argument, which
was a too fragile parsing.
- Because of the previous one, figuring out when no argument has been passed
to '--unattended' doesn't seem trivial, because the next argument could be
an undocumented flag as well, which would be intepreted as a filename.
- /usr/local/src, when cloning the git repository
- /opt (this one was already taken into account but I had accidentally
removed the mkdir command in the previous commit).
- Allow using 'pivpn vpn -u' to directly uninstall VPN 'vpn'
- Also allow using 'pivpn -u' with two VPNs (will present a dialog).
- During uninstall, ask which VPN to remove only if there are two VPNs
- PiVPN git repo will be downloaded to '/usr/local/src/pivpn'. All scripts
in /opt/pivpn, the main pivpn script and the bash completion file,
are now just symbolic links. Resolves issue #695.
- Remove unused call to updateWireGuard().
remove refs to /etc/pivpn/setupVars in selfcheck and debug scripts
tidy indenting
on install, check if symlink already exists before making one to avoid error
uninstall indicates which vpns are available for uninstall
selfcheck checks both protocols if both present
install - additional text in reconfigure saying 2nd protocol can be added
change to use pivpn ovpn instaed of pivpn opv when dual protocols exist
- Make sure to install WireGuard only if platform is Raspbian or an x86 Debian/Ubuntu
- Install WireGuard from bullseye repository instead of unstable
- Reduced WireGuard package priority to the minimum that allows upgrades
- LC_ALL=C should be the canonical way to override the locale, instead
of setting a specific one.
- apt-transport-https is required on Ubuntu < Bionic and Debian < Buster
- Importing OpenVPN PGP key from keyserver should be more secure than
downloading from the website as we specifically tell the keyserver
which key we want, referring to its fingerprint
- Exit if import is unsuccessful
* added link to server status dashboard
* Replaced Header with bold instead
* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
- Use POSIX 'command -v' instead of 'hash'.
- Check if packages have actually been installed and abort execution if they have not.
- Fixed issue with getStaticIPv4Settings() that prevented existing network settings
to be used as static IP settings when running the script unattended with empty
$IPv4addr and $IPv4gw variables.
- Exit if processing wireguard-linux-compat fails.
- Exit if 50unattended-upgrades fails to extract.
- Exit clientSTAT.sh if the wg0 interface is not available.
- Moved the Self Check to a single script since dedicated versions were very similar.
- Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
* Fixed cosmetic issue with spinner, added missing spinner to some APT commands
* Detect current netmask, validate user input when configuring a static IP
* Inform the user when updating the package cache, which can be slow on some RPis
* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct
* Restart pihole in the more appropriate restartServices() function
* Improve static IP selection, validate public DNS name of the server
- Default to 'No' when asking if the RPi has DHCP reservation, considered
that the user may not be fully aware, furthermore, setting a static IP
anyways doesn't do harm.
- Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
'/etc/dhcpcd.conf' with invalid data.
- Validate public DNS name of the server inside askPublicIPOrDNS() function
* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
check for missing .pem file.
- Fix 'pivpn -c' showing the month number instead of the day of the month when
using WireGuard.
- Removing APT keys is risky, it would break APT update/upgrade if the user
already was already using the unstable repo.
- Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
$i... already installed'.
- Check whether the OpenVPN repo and the Debian unstable repo are already used.
* Improvements to getStaticIPv4Settings()
- Use a regular expression to extract IPs from the 'ip' command. With this,
there is a little need to validate output. Even though the regex will match
invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
the script would not have reached this function due to previous functions
using the network with broken routes and addresses.
- Get the IP address from the selected interface rather then from the 'ip route'
command as it's not guaranteed that such IP is the same of the interface the
user decided to use (though on a Raspberry Pi inside a home LAN, most likely
it is, but it also maskes easier to get the IP in the CIDR notation with a
single 'ip | grep' pipe).
* Moved command substitution to specific functions to avoid unnecessary execution
- Moved $availableInterfaces and $CurrentIPv4gw from the script header to
their relevant function, considered that if the OS is not Raspbian a static
IP is not set, so those variables are not used.
* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
still generate his own if he wishes).
https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
- Uncommented lines inside the cloneandupdate() function in the update script, so pivpn -up can pull scripts from the master branch
- The script was checking for the existence of PiVPN rules in the INPUT and FORWARD chain by passing 'iptables -t nat -S' to grep, but it couldn't find them as they belong to the filer table and not the nat table. The correct command is 'iptables -S'
- Update variables inside unattended examples
- Remove openvpn logging setting when uninstalling the package
- Run 'apt-get update' after removing the WireGuard PPA
- Flip condition check on $dhcpReserv: first check if empty, and if not, check if it's not 1.
Doing it the other way (first check if not 1) would give a shell error if $dhcpReserv was empty.
The ‘linux-headers-generic’ package is preferred over the version-specific headers package as the generic will be automatically updated with the kernel, whereas the other will not.
Tested and added Support on Debian 9
tested and added support on Ubuntu 16.04 & 18.08
* Fixed wireguard not installing, added pkg cache update after adding ppa
* added kernel headers to dependencies as its requred for wireguard-dkms
unattended install
* When user is provided and doest exist, it will create one without password set
