Commit graph

410 commits

Author SHA1 Message Date
Orazio
435c4f39c7
Merge pull request #1243 from MichaIng/patch-1
Skip WireGuard module build on Raspbian if it's built-in
2021-02-08 21:32:38 +01:00
MichaIng
7cc5da39cb Skip WireGuard module build on Raspbian if it's built-in
Meanwhile the Raspberry Pi kernel package with Linux 5.10 and built-in WireGuard module has been released. It hence became effective to make use of the built-in module check on Raspbian as well to skip the overhead of kernel headers install and DKMS module build.

Additionally, when adding Bullseye repositories to make available the WireGuard packages, say so explicitly. "Adding Debian repository" / "Adding Raspbian repository" is confusing when running a Debian / Raspbian system with those repositories added already, only with an distro release.

Signed-off-by: MichaIng <micha@dietpi.com>
2021-02-08 15:52:56 +01:00
Dundar Göc
513c2afc2e Fixed shellcheck warning SC2004, SC2006, SC2129, SC2219. Issue #1233.
SC2004: "$/${} is unnecessary on arithmetic variables."
SC2006: "Use $(...) notation instead of legacy backticked `...`."
SC2129: "Consider using { cmd1; cmd2; } >> file instead of individual redirects."
SC2219: "Instead of 'let expr', prefer (( expr ))."
2021-02-07 21:31:13 +01:00
glitch452
be692a8782 Pass along exit code when running a sub-script, instead of always running exit 0 2021-01-23 15:58:03 -05:00
Carlos Colaço
586c631b9e MR #1194
Added the fix mentioned on #1194 with the correction requsted on the
review
2021-01-17 17:35:01 +01:00
Carlos Colaço
7095357f92 Fix for #1204
Added -y to $UPDATE_PKG_CACHE
updatePackageCache() no longer checks if apt update was run, it will
always update package cache since its a requirement
Replaced all updates using ${UPDATE_PKG_CACHE} with
updatePackageCache()
2021-01-12 17:08:15 +01:00
Orazio
db1fe2ebdd
Merge pull request #1186 from shelleycat485/test
A feature to disable / enable single wireguard client configs
2020-12-24 10:30:25 +01:00
Orazio
b369a02d5b
Merge pull request #1201 from MichaIng/patch-1
Fix WireGuard support detection
2020-12-14 15:17:32 +01:00
Orazio
a52e53d123 'sudo mktemp' creates file with 0600 mode, which means we need root to read it. 2020-12-14 15:15:29 +01:00
MichaIng
5077d70a2f Fix WireGuard support detection
Support was enabled automatically if a WireGuard package was found or could have been made available. But if the WireGuard kernel module is not available, it needs to be compiled. The required kernel headers are only reliably known for Raspberry Pi (Raspbian) and for amd64. This commit resolves the related issue where linux-image-amd64 was attempted to be installed on non-amd64 systems: https://github.com/pivpn/pivpn/issues/1180

Additionally this commit resolves the issue that kernel headers were required and a DKMS build done, even if the module was builtin, when no WireGuard package was found.

The $NEED_WIREGUARD_REPO variable has been replaced with $AVAILABLE_WIREGUARD, which practically serves the same information and allows a simpler support check.

Signed-off-by: MichaIng <micha@dietpi.com>
2020-12-14 14:54:46 +01:00
Roger Haxby
86de3eaa8c corect help on disable and enable 2020-12-10 23:59:54 +00:00
Roger Haxby
a3b7af869c more disabled in brackets 2020-12-09 23:07:28 +00:00
Orazio
dc744a9810 Fix directory and symbolic link creation when reconfiguring (writing over the same files) 2020-12-05 12:35:19 +01:00
Orazio
308affe4e9 Workaround for the following error on Ubuntu 20.04:
- /usr/bin/debconf-apt-progress: can't open /tmp/tmp.0CoNypDEPj: Permission denied at /usr/bin/debconf-apt-progress line 249, <STDIN> line 3.
    Reason: https://askubuntu.com/questions/1250974/user-root-cant-write-to-file-in-tmp-owned-by-someone-else-in-20-04-but-can-in
2020-12-05 12:35:11 +01:00
Orazio
5aac8bca84 Changed WireGuard unit path to /lib/systemd/system/wg-quick@.service
- On Raspbian, /lib is not a symbolic link to /usr/lib, so the WireGuard unit won't be found.
    Therefore changed to /lib/... (which is the default location for units of installed packages).
2020-12-05 12:35:02 +01:00
Roger Haxby
49a9314325 change to on/off for temp enable/disable 2020-11-26 15:36:00 +00:00
Orazio
3ed54bf71d Expose AllowedIPs settings inside setupVars.conf 2020-11-14 09:35:51 +01:00
Orazio
18007bb01e OpenVPN GPG key is static, so we might as well include the key in the PiVPN repo. 2020-10-27 18:40:16 +01:00
Orazio
4f9349b576 Log debconf-apt-progress output to show errors in case of failed package install 2020-10-27 08:52:51 +01:00
Jeffry Suryadharma
1ce55658aa
Update install.sh 2020-10-25 17:54:14 +07:00
Jeffry Suryadharma
f1553985a6
Update install.sh 2020-10-25 17:46:27 +07:00
Jeffry Suryadharma
915563610d
Update install.sh
add -D option because wg-quick@.service.d folder is not yet created
2020-10-25 17:37:59 +07:00
Orazio
43057b3f3b Fixed typos, clarified 'pivpn -l' text. 2020-10-24 16:00:26 +02:00
Orazio
d860f1d402 Add systemd override for wg-quick units that don't yet implement reload
- Discussed on pull request 1164
2020-10-24 13:41:07 +02:00
Orazio
9955f1fc02 Updated WireGuard module detection to accommodate different paths 2020-10-24 13:16:56 +02:00
Orazio
03f5871c71 Fixed WireGuard installation on Ubuntu when module is not built-in
- PIVPN_DEPS array should be assigned before appending to it,
    not after, to avoid overwriting existing items.
2020-09-14 16:19:40 +02:00
Orazio
551af5f351 Improved OpenVPN and WireGuard availability detection 2020-09-14 12:25:31 +02:00
stevoh6
d3992b3ff9
WireGuard on arm with Ubuntu 20.04 Focal Fosa
Allow install WireGuard on arm devices with Ubuntu 20.04 Focal Fosa
2020-09-03 12:39:26 +02:00
stevoh6
6099ea34ca
Add Ubuntu 20.04 (Focal Fossa) into supported OS 2020-08-31 21:24:47 +02:00
Orazio
139f16594d Allowing queries only from the local subnet is enough for the functionality of PiVPN.
From the man page of dnsmasq:
  --local-service
    Accept DNS queries only from hosts whose address is on a local subnet,
    ie a subnet for which an interface exists on the server. This option only
    has effect if there are no --interface, --except-interface, --listen-address
    or --auth-server options. It is intended to be set as a default on installation,
    to allow unconfigured installations to be useful but also safe from being
    used for DNS amplification attacks.
2020-07-24 14:44:59 +02:00
Orazio
0200ce545c When asking the user to upgrade the system, show the kernel package version instead of the kernel version. 2020-07-23 14:08:06 +02:00
Orazio
5b2bc9ba70 Set Pi-hole to "Listen on all interfaces, permit all origins" when using it as DNS for the VPN
- Letting dnsmasq additionally listen on a specific VPN interface when Pi-hole is
    listening on the physical interface only may be more secure than letting dnsmasq
    listen on all interfaces, however, dnsmasq will stop listening on the physical
    interface (breaking LAN resolution) if the user changes the listening behavior
    at a later time.
    For the target audience of PiVPN, it is more likely that users will set the
    listening behavior to all when deciding to use Pi-hole via VPN (which is suggested
    in the Pi-hole guide and most guides on the web), instead of digging into
    configuration file.
    This option is safe if the Raspberry Pi is inside the local network and the user
    has not forwarded port 53 on their router, which is unlikely as they are installing
    PiVPN precisely to avoid doing that.
2020-07-23 11:41:59 +02:00
Orazio
f72a531ce7 Downloading the entire unattended upgrades git release was overkill,
so now we simply copy the Raspbian config from the PiVPN repo and
provide a link to the source in the install script.
2020-07-23 11:07:19 +02:00
Orazio
8e1f53f34e Updated askAboutCustomizing() function
- Tweaked dialog text
  - Don't show dialog if runnning unattended
2020-06-08 09:38:53 +02:00
Orazio
e74ad23e8e Fixed DNS provider dialog formatting 2020-06-07 14:08:48 +02:00
Orazio
71bae41cda Simplified the OpenVPN installation flow by moving some settings behind a "customize" dialog.
Additional features could fall in there without compromising the simplicity of PiVPN.
2020-06-07 13:59:51 +02:00
Orazio
8e514a5f74 Update EasyRSA and unattended upgrades config
- EasyRSA 3.0.6 -> 3.0.7
  - Unattended upgrades config 1.16 -> 2.4
2020-06-06 15:39:37 +02:00
Orazio
ad363b717b Moved package check to relevant preconfigurePackages() function 2020-05-29 17:49:25 +02:00
Orazio
ba7c46aae8 Avoid hardcoding distribution codenames
- Actually check for apt >= 1.5 instead of checking for distributions
    known for having a newer package
2020-05-29 15:56:43 +02:00
Orazio
c8a9e2100a Changed how undocumented flags are managed
- Renamed '--i_do_not_follow_recommendations' to '--skip-space-check', since
    the argument actually skips the space check.
  - Obtain the unattended configuration dynamically, by looking at the argument
    next to '--unattended', instead of looking at the second argument, which
    was a too fragile parsing.
  - Because of the previous one, figuring out when no argument has been passed
    to '--unattended' doesn't seem trivial, because the next argument could be
    an undocumented flag as well, which would be intepreted as a filename.
2020-05-28 15:16:45 +02:00
Orazio
ba4c2c91db Allow (potentially) unsupported network interfaces via the '--show-unsupported-nics' argument 2020-05-28 13:59:18 +02:00
Orazio
61c7151e3b Create directory structure if missing
- /usr/local/src, when cloning the git repository
  - /opt (this one was already taken into account but I had accidentally
    removed the mkdir command in the previous commit).
2020-05-28 12:09:02 +02:00
Orazio
823afa3fbb Improved dual VPN uninstallation, remove duplicate code/script
- Allow using 'pivpn vpn -u' to directly uninstall VPN 'vpn'
  - Also allow using 'pivpn -u' with two VPNs (will present a dialog).
  - During uninstall, ask which VPN to remove only if there are two VPNs
  - PiVPN git repo will be downloaded to '/usr/local/src/pivpn'. All scripts
    in /opt/pivpn, the main pivpn script and the bash completion file,
    are now just symbolic links. Resolves issue #695.
  - Remove unused call to updateWireGuard().
2020-05-27 16:36:26 +02:00
Orazio
1dc10e7d54
Merge pull request #1054 from shelleycat485/test
Tidy dual VPN protocol install
2020-05-26 09:55:22 +02:00
shelleycat485
3f1b2ba576 put repository back to pivpn/pivpn 2020-05-25 15:54:39 +01:00
shelleycat485
6cfe936f55 self_check assign parameter 2020-05-25 15:43:31 +01:00
shelleycat485
15804dff39 selfcheck checks one VPN type again 2020-05-25 15:24:50 +01:00
Orazio
5dc7ac2a38 Fix issue #1047 2020-05-23 15:26:03 +02:00
Orazio
3ec566c762 Fix issue #1015 2020-05-23 15:12:14 +02:00
shelleycat485
4ac2855990
Update install.sh
remove refs to /etc/pivpn/setupVars in selfcheck and debug scripts
tidy indenting
on install, check if symlink already exists before making one to avoid error
uninstall indicates which vpns are available for uninstall
selfcheck checks both protocols if both present
install - additional text in reconfigure saying 2nd protocol can be added
change to use pivpn ovpn instaed of pivpn opv when dual protocols exist
2020-05-22 17:47:01 +01:00
shelleycat485
e110286a13 added install.sh to change 2020-05-22 12:46:37 +01:00
Orazio
35f07b2147
Merge pull request #1048 from shelleycat485/master
Both wireguard and openvpn can be installed together (Issue #968)
2020-05-19 14:06:58 +02:00
shelleycat485
d4b3c9ee89 both wg and openvpn can be installed 2020-05-14 15:32:19 +01:00
Ubuntu
e700cf1c8f bash_completion not used in dual 2020-05-13 19:49:48 +00:00
shelleycat485
4e3a57b9aa better uninstall.sh 2020-05-13 00:51:45 +01:00
shelleycat485
be3ee13586
Update install.sh 2020-05-11 16:49:10 +01:00
Ubuntu
501b9919a8 after ubuntu testing 2020-05-10 16:37:30 +00:00
shelleycat485
052376a133 install.sh path correct 2020-05-06 22:03:38 +01:00
shelleycat485
081bf912c2 still debugging dual 2020-05-05 23:12:32 +01:00
shelleycat485
4e3a58702f more dual 2020-05-05 00:05:10 +01:00
shelleycat485
3ed9ec5724 install and uninstall 2020-05-02 00:06:09 +01:00
root
f379ca2e10 initial dual install try 2020-04-28 23:44:56 +01:00
Orazio
1f506f50a6
Merge pull request #1023 from jellemdekker/feature/unique_client_psk
Generate unique pre-shared key for each client
2020-04-23 11:15:48 +02:00
jellemdekker
e643acce17 Generate a unique pre-shared key for each client as per WireGuard protocol to improve post-quantum resistance. 2020-04-21 10:52:35 +02:00
James
9b772ac4fb
fix: typos and grammar 2020-04-20 17:33:27 +02:00
rayden84
df43513354
Update install.sh
fix small typo in whiptail dialog text word ("especially")
2020-03-22 17:51:41 +01:00
Orazio
650032e5f2 Use safer 'apt-cache policy' filtering 2020-03-16 18:32:39 +01:00
Orazio
eae70d0295 Verify that the available OpenVPN version has ECC support 2020-03-12 13:00:18 +01:00
Orazio
9c4b87f4ab Do not add repositories if OpenVPN or WireGuard can be found inside available sources 2020-03-10 14:14:16 +01:00
Orazio
32acdd634b Use LC_ALL=C for the whole script
- Fixes 'apt-cache policy something | grep somethingelse'
2020-03-10 13:02:35 +01:00
Orazio
c1c1720aef Download OpenVPN key via HTTPS if retrieving via keyserver fails 2020-03-10 13:00:23 +01:00
Orazio
0a30365d65 Some changes from pull request 963
- Make sure to install WireGuard only if platform is Raspbian or an x86 Debian/Ubuntu
  - Install WireGuard from bullseye repository instead of unstable
  - Reduced WireGuard package priority to the minimum that allows upgrades
2020-03-04 12:48:14 +01:00
Orazio
f749d6b722 Fix for issue #962 2020-02-26 09:49:49 +01:00
MichaIng
ba79e14175
Apply the x86-only OpenVPN repo on x86 systems only 2020-02-26 00:13:46 +01:00
Orazio
9846d3787a Use variables to define VPN ranges instead of hard coding IPs 2020-02-16 09:09:09 +01:00
Orazio
edbd23a2a1 Fixed missing condition in if statement when deciding whether to listen on tun0/wg0 2020-02-15 13:24:42 +01:00
Orazio
660d83468c Drop libmnl-dev requirement on armv6l
- https://lists.zx2c4.com/pipermail/wireguard/2020-February/004963.html
2020-02-13 11:42:23 +01:00
Orazio
87cf243abc Fix Pi-hole support when dnsmasq is set to listen on all interfaces 2020-02-13 11:30:13 +01:00
Orazio
41ed9c4a6f Minor fixes
- LC_ALL=C should be the canonical way to override the locale, instead
    of setting a specific one.
  - apt-transport-https is required on Ubuntu < Bionic and Debian < Buster
2020-02-11 12:17:34 +01:00
Orazio
337fa10fdc Improvements when importing GPG keys
- Importing OpenVPN PGP key from keyserver should be more secure than
    downloading from the website as we specifically tell the keyserver
    which key we want, referring to its fingerprint
  - Exit if import is unsuccessful
2020-02-11 12:17:29 +01:00
Orazio
3730d315e9 Automatic backup of existing OpenVPN/WireGuard folder should only be readable by root 2020-02-10 17:58:32 +01:00
Orazio
6fd451dac0 apt-transport-https is required since we will use HTTPS repos in the script 2020-02-10 17:34:11 +01:00
Orazio
ead280e60f Set static IPs when using OpenVPN
- Preparation for feature request from issue #942
2020-02-09 18:51:30 +01:00
Orazio
3f616d9254 Implemented feature request from issue #942 (WireGuard) 2020-02-07 18:07:15 +01:00
4s3ti
5b8494c57c Going back to pivpn.io
replaced pivpn.dev with pivpn.io
2020-02-05 20:29:14 +01:00
Orazio
d691321b3e
Merge test (#929)
* added link to server status dashboard

* Replaced Header with bold instead

* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code

  - Add curl as a dependency for those who run the script without 'curl URL | bash'.
  - Use POSIX 'command -v' instead of 'hash'.
  - Check if packages have actually been installed and abort execution if they have not.
  - Fixed issue with getStaticIPv4Settings() that prevented existing network settings
    to be used as static IP settings when running the script unattended with empty
    $IPv4addr and $IPv4gw variables.
  - Exit if processing wireguard-linux-compat fails.
  - Exit if 50unattended-upgrades fails to extract.
  - Exit clientSTAT.sh if the wg0 interface is not available.
  - Moved the Self Check to a single script since dedicated versions were very similar.
  - Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.

* Fixed cosmetic issue with spinner, added missing spinner to some APT commands

* Detect current netmask, validate user input when configuring a static IP

* Inform the user when updating the package cache, which can be slow on some RPis

* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct

* Restart pihole in the more appropriate restartServices() function

* Improve static IP selection, validate public DNS name of the server
  - Default to 'No' when asking if the RPi has DHCP reservation, considered
    that the user may not be fully aware, furthermore, setting a static IP
    anyways doesn't do harm.
  - Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
    '/etc/dhcpcd.conf' with invalid data.
  - Validate public DNS name of the server inside askPublicIPOrDNS() function

* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
  - Added a basic sanity check to downloaded DH paramenters, which doubles as a
    check for missing .pem file.
  - Fix 'pivpn -c' showing the month number instead of the day of the month when
    using WireGuard.
  - Removing APT keys is risky, it would break APT update/upgrade if the user
    already was already using the unstable repo.
  - Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
    $i... already installed'.
  - Check whether the OpenVPN repo and the Debian unstable repo are already used.

* Improvements to getStaticIPv4Settings()

  - Use a regular expression to extract IPs from the 'ip' command. With this,
    there is a little need to validate output. Even though the regex will match
    invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
    the script would not have reached this function due to previous functions
    using the network with broken routes and addresses.

  - Get the IP address from the selected interface rather then from the 'ip route'
    command as it's not guaranteed that such IP is the same of the interface the
    user decided to use (though on a Raspberry Pi inside a home LAN, most likely
    it is, but it also maskes easier to get the IP in the CIDR notation with a
    single 'ip | grep' pipe).

* Moved command substitution to specific functions to avoid unnecessary execution

  - Moved $availableInterfaces and $CurrentIPv4gw from the script header to
    their relevant function, considered that if the OS is not Raspbian a static
    IP is not set, so those variables are not used.

* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919

  - Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
    still generate his own if he wishes).
    https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 16:40:09 +01:00
Orazio
f2fa01e3a5 Fix WireGuard not starting on a clean install of Raspbian
- If the kernel is out of sync with the repo, have the user upgrade
    his system and reboot before installing WireGuard.
2020-01-30 14:16:39 +01:00
Orazio
4a49787b28 Changed variable name, corrected rm typo 2020-01-21 15:54:20 +01:00
Orazio
44feb0b853 Added back ECDSA and tls-crypt 2020-01-21 13:51:25 +01:00
Orazio
30b374054c Enable cloneandupdate() function, fixed detecting existing iptables rules.
- Uncommented lines inside the cloneandupdate() function in the update script, so pivpn -up can pull scripts from the master branch
  - The script was checking for the existence of PiVPN rules in the INPUT and FORWARD chain by passing 'iptables -t nat -S' to grep, but it couldn't find them as they belong to the filer table and not the nat table. The correct command is 'iptables -S'
2020-01-20 21:51:36 +01:00
Orazio
038473c6c5 Rename 'limit-unstable' to 'pivpn-limit-unstable' 2020-01-20 11:46:17 +01:00
Orazio
0999b0dd7c Resolved merge conflicts (2) 2020-01-20 11:13:39 +01:00
Orazio
dba3e6ad3e - Prepend 'pivpn-' to unstable repo files to limit naming conflicts
- Update variables inside unattended examples
- Remove openvpn logging setting when uninstalling the package
- Run 'apt-get update' after removing the WireGuard PPA
2020-01-20 09:56:07 +01:00
Orazio
69606f7207 - Allow setting DHCP reservation preference with --unattended
- Flip condition check on $dhcpReserv: first check if empty, and if not, check if it's not 1.
  Doing it the other way (first check if not 1) would give a shell error if $dhcpReserv was empty.
2020-01-20 09:34:43 +01:00
Orazio
fc9a9f5ab7
Use metapackage to install kernel headers on Ubuntu
The ‘linux-headers-generic’ package is preferred over the version-specific headers package as the generic will be automatically  updated with the kernel, whereas the other will not.
2020-01-18 22:04:18 +01:00
4s3ti
1884be8afb Distro Support, Bug Fixes, Unattended install
Tested and added Support on Debian 9
tested and added support on Ubuntu 16.04 & 18.08
  * Fixed wireguard not installing, added pkg cache update after adding ppa
  * added kernel headers to dependencies as its requred for wireguard-dkms
unattended install
  * When user is provided and doest exist, it will create one without password set
2020-01-18 20:01:39 +01:00
4s3ti
e0d45db762 Variable Quoting
Quoted variables,
Added shellcheck disables.
2020-01-09 00:45:04 +01:00
4s3ti
e2eea482d0 Replace /etc/.pivpn/ with $pivpnFilesDir
/etc/.pivpn/ is refferenced multiple times trough the script,
Replaced all of them with $pivpnFilesDir
Quoted some unquoted vars
2020-01-09 00:22:15 +01:00
4s3ti
dd6bb069f0 Updates and improvements
install.sh
  installScripts function:
    update script not being copied over to /opt therefore update funcion was probably broken.
    changed script to copy all .sh scripts from .pivpn/scripts directory.

Issue #871: fix backup script
  I was probably very drunk when i first wrote this backup script.
  fixed it, now works with new code refactoring,
  loads vars from setupVars
  Added backup for wireguard
  Moved script to global pivpnscripts.
  Added backup script to bash-completion
  Added backup script to pivpn script

update.sh
  Commented the update from master branch to avoid users trying to update test from master.

Updated LatestChages.md
2020-01-08 19:38:38 +01:00
4s3ti
412c8e83ac Issue #607
InstallScripts function:
  Added -p flag on mkdir, this fixes script silently exiting if /opt
  does not exist (Issue #607)
2020-01-08 13:16:01 +01:00