mirror of
https://github.com/pivpn/pivpn.git
synced 2024-12-23 21:30:15 +00:00
deee38b20e
- Add curl as a dependency for those who run the script without 'curl URL | bash'. - Use POSIX 'command -v' instead of 'hash'. - Check if packages have actually been installed and abort execution if they have not. - Fixed issue with getStaticIPv4Settings() that prevented existing network settings to be used as static IP settings when running the script unattended with empty $IPv4addr and $IPv4gw variables. - Exit if processing wireguard-linux-compat fails. - Exit if 50unattended-upgrades fails to extract. - Exit clientSTAT.sh if the wg0 interface is not available. - Moved the Self Check to a single script since dedicated versions were very similar. - Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
170 lines
5.6 KiB
Bash
Executable file
170 lines
5.6 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
subnetClass="24"
|
|
setupVars="/etc/pivpn/setupVars.conf"
|
|
ERR=0
|
|
|
|
if [ ! -f "${setupVars}" ]; then
|
|
echo "::: Missing setup vars file!"
|
|
exit 1
|
|
fi
|
|
|
|
source "${setupVars}"
|
|
|
|
if [ "$VPN" = "wireguard" ]; then
|
|
pivpnPROTO="udp"
|
|
pivpnDEV="wg0"
|
|
pivpnNET="10.6.0.0"
|
|
VPN_SERVICE="wg-quick@wg0"
|
|
VPN_PRETTY_NAME="WireGuard"
|
|
elif [ "$VPN" = "openvpn" ]; then
|
|
pivpnDEV="tun0"
|
|
pivpnNET="10.8.0.0"
|
|
VPN_SERVICE="openvpn"
|
|
VPN_PRETTY_NAME="OpenVPN"
|
|
fi
|
|
|
|
if [ "$(</proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then
|
|
echo ":: [OK] IP forwarding is enabled"
|
|
else
|
|
ERR=1
|
|
read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY
|
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
|
|
sysctl -p
|
|
echo "Done"
|
|
fi
|
|
fi
|
|
|
|
if [ "$USING_UFW" -eq 0 ]; then
|
|
|
|
if iptables -t nat -C POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
|
|
echo ":: [OK] Iptables MASQUERADE rule set"
|
|
else
|
|
ERR=1
|
|
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
|
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
iptables -t nat -I POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
|
|
iptables-save > /etc/iptables/rules.v4
|
|
echo "Done"
|
|
fi
|
|
fi
|
|
|
|
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
|
|
|
|
if iptables -C INPUT -i "${IPv4dev}" -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT -m comment --comment "${VPN}-input-rule" &> /dev/null; then
|
|
echo ":: [OK] Iptables INPUT rule set"
|
|
else
|
|
ERR=1
|
|
read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
|
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
iptables -I INPUT 1 -i "${IPv4dev}" -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT -m comment --comment "${VPN}-input-rule"
|
|
iptables-save > /etc/iptables/rules.v4
|
|
echo "Done"
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
|
|
|
|
if iptables -C FORWARD -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT -m comment --comment "${VPN}-forward-rule" &> /dev/null; then
|
|
echo ":: [OK] Iptables FORWARD rule set"
|
|
else
|
|
ERR=1
|
|
read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
|
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
iptables -I FORWARD 1 -d "${pivpnNET}/${subnetClass}" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
|
iptables -I FORWARD 2 -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT -m comment --comment "${VPN}-forward-rule"
|
|
iptables-save > /etc/iptables/rules.v4
|
|
echo "Done"
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
else
|
|
|
|
if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
|
|
echo ":: [OK] Ufw is enabled"
|
|
else
|
|
ERR=1
|
|
read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY
|
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
ufw enable
|
|
fi
|
|
fi
|
|
|
|
if iptables -t nat -C POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
|
|
echo ":: [OK] Iptables MASQUERADE rule set"
|
|
else
|
|
ERR=1
|
|
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
|
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}/${subnetClass} -o ${IPv4dev} -j MASQUERADE -m comment --comment ${VPN}-nat-rule\nCOMMIT\n" -i /etc/ufw/before.rules
|
|
ufw reload
|
|
echo "Done"
|
|
fi
|
|
fi
|
|
|
|
if iptables -C ufw-user-input -p "${pivpnPROTO}" --dport "${pivpnPORT}" -j ACCEPT &> /dev/null; then
|
|
echo ":: [OK] Ufw input rule set"
|
|
else
|
|
ERR=1
|
|
read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY
|
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
ufw insert 1 allow "${pivpnPORT}"/"${pivpnPROTO}"
|
|
ufw reload
|
|
echo "Done"
|
|
fi
|
|
fi
|
|
|
|
if iptables -C ufw-user-forward -i "${pivpnDEV}" -o "${IPv4dev}" -s "${pivpnNET}/${subnetClass}" -j ACCEPT &> /dev/null; then
|
|
echo ":: [OK] Ufw forwarding rule set"
|
|
else
|
|
ERR=1
|
|
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
|
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
ufw route insert 1 allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any
|
|
ufw reload
|
|
echo "Done"
|
|
fi
|
|
fi
|
|
|
|
fi
|
|
|
|
if systemctl is-active -q "${VPN_SERVICE}"; then
|
|
echo ":: [OK] ${VPN_PRETTY_NAME} is running"
|
|
else
|
|
ERR=1
|
|
read -r -p ":: [ERR] ${VPN_PRETTY_NAME} is not running, try to start now? [Y/n] " REPLY
|
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
systemctl start "${VPN_SERVICE}"
|
|
echo "Done"
|
|
fi
|
|
fi
|
|
|
|
if systemctl is-enabled -q "${VPN_SERVICE}"; then
|
|
echo ":: [OK] ${VPN_PRETTY_NAME} is enabled (it will automatically start on reboot)"
|
|
else
|
|
ERR=1
|
|
read -r -p ":: [ERR] ${VPN_PRETTY_NAME} is not enabled, try to enable now? [Y/n] " REPLY
|
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
systemctl enable "${VPN_SERVICE}"
|
|
echo "Done"
|
|
fi
|
|
fi
|
|
|
|
# grep -w (whole word) is used so port 11940 won't match when looking for 1194
|
|
if netstat -antu | grep -wqE "${pivpnPROTO}.*${pivpnPORT}"; then
|
|
echo ":: [OK] ${VPN_PRETTY_NAME} is listening on port ${pivpnPORT}/${pivpnPROTO}"
|
|
else
|
|
ERR=1
|
|
read -r -p ":: [ERR] ${VPN_PRETTY_NAME} is not listening, try to restart now? [Y/n] " REPLY
|
|
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
|
systemctl restart "${VPN_SERVICE}"
|
|
echo "Done"
|
|
fi
|
|
fi
|
|
|
|
if [ "$ERR" -eq 1 ]; then
|
|
echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues"
|
|
fi
|