Pi-hole/pivpn
Pi-hole/pivpn
1
0
Fork 0
mirror of https://github.com/pivpn/pivpn.git synced 2024-12-19 03:10:16 +00:00
Code Issues Projects Releases Packages Wiki Activity
pivpn/scripts/wireguard/pivpnDEBUG.sh
Orazio a561607272 Mostly changes to the install script, see below 
Handle running the install script over an existing installation (as the script already did before branching to test-wireguard), providing:
    - Update, downloads latest scripts from git repo
    - Repair, reinstall PiVPN while keeping existing settings
    - Reconfigure, start over overwriting the existing settings
  Tag iptables rules as an attempt to make sure that the uninstall script only removes PiVPN rules
  Change the armv6l installation to reflect the split of WireGuard snapshots into wireguard-linux-compat and wireguard-tools
2019-12-29 18:25:35 +01:00

203 lines
7.8 KiB
Bash
Executable file
Raw Blame History

#!/usr/bin/env bash
# This scripts runs as root
setupVars="/etc/pivpn/setupVars.conf"
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
source "${setupVars}"
EXAMPLE="$(head -1 /etc/wireguard/configs/clients.txt | awk '{print $1}')"
ERR=0
echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::"
printf "=============================================\n"
echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::"
git --git-dir /etc/.pivpn/.git log -n 1
printf "=============================================\n"
echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::"
sed "s/$pivpnHOST/REDACTED/" < /etc/pivpn/setupVars.conf
printf "=============================================\n"
echo -e ":::: \e[4mServer configuration shown below\e[0m ::::"
cd /etc/wireguard/keys
cp ../wg0.conf ../wg0.tmp
# Replace every key in the server configuration with just its file name
for k in *; do
sed "s#$(cat "$k")#$k#" -i ../wg0.tmp
done
cat ../wg0.tmp
rm ../wg0.tmp
printf "=============================================\n"
echo -e ":::: \e[4mClient configuration shown below\e[0m ::::"
if [ -n "$EXAMPLE" ]; then
cp ../configs/"$EXAMPLE".conf ../configs/"$EXAMPLE".tmp
for k in *; do
sed "s#$(cat "$k")#$k#" -i ../configs/"$EXAMPLE".tmp
done
sed "s/$pivpnHOST/REDACTED/" < ../configs/"$EXAMPLE".tmp
rm ../configs/"$EXAMPLE".tmp
else
echo "::: There are no clients yet"
fi
printf "=============================================\n"
echo -e ":::: \t\e[4mRecursive list of files in\e[0m\t ::::\n::::\e\t[4m/etc/wireguard shown below\e[0m\t ::::"
ls -LR /etc/wireguard
printf "=============================================\n"
echo -e "::::\t\t\e[4mSelf check\e[0m\t\t ::::"
if [ "$(cat /proc/sys/net/ipv4/ip_forward)" -eq 1 ]; then
echo ":: [OK] IP forwarding is enabled"
else
ERR=1
read -r -p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
sysctl -p
echo "Done"
fi
fi
if [ "$USING_UFW" -eq 0 ]; then
if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
iptables -t nat -I POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
iptables-save > /etc/iptables/rules.v4
echo "Done"
fi
fi
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
if iptables -C INPUT -i "$IPv4dev" -p udp --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule" &> /dev/null; then
echo ":: [OK] Iptables INPUT rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
iptables -I INPUT 1 -i "$IPv4dev" -p udp --dport "$pivpnPORT" -j ACCEPT -m comment --comment "${VPN}-input-rule"
iptables-save > /etc/iptables/rules.v4
echo "Done"
fi
fi
fi
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
if iptables -C FORWARD -s 10.6.0.0/24 -i wg0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule" &> /dev/null; then
echo ":: [OK] Iptables FORWARD rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
iptables -I FORWARD 1 -d 10.6.0.0/24 -i "$IPv4dev" -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "${VPN}-forward-rule"
iptables -I FORWARD 2 -s 10.6.0.0/24 -i wg0 -o "$IPv4dev" -j ACCEPT -m comment --comment "${VPN}-forward-rule"
iptables-save > /etc/iptables/rules.v4
echo "Done"
fi
fi
fi
else
if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
echo ":: [OK] Ufw is enabled"
else
ERR=1
read -r -p ":: [ERR] Ufw is not enabled, try to enable now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
ufw enable
fi
fi
if iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule" &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.6.0.0/24 -o $IPv4dev -j MASQUERADE -m comment --comment ${VPN}-nat-rule\nCOMMIT\n" -i /etc/ufw/before.rules
ufw reload
echo "Done"
fi
fi
if iptables -C ufw-user-input -p udp --dport "${pivpnPORT}" -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw input rule set"
else
ERR=1
read -r -p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
ufw insert 1 allow "$pivpnPORT"/udp
ufw reload
echo "Done"
fi
fi
if iptables -C ufw-user-forward -i wg0 -o "${IPv4dev}" -s 10.6.0.0/24 -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw forwarding rule set"
else
ERR=1
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
ufw route insert 1 allow in on wg0 from 10.6.0.0/24 out on "$IPv4dev" to any
ufw reload
echo "Done"
fi
fi
fi
if systemctl is-active -q wg-quick@wg0; then
echo ":: [OK] WireGuard is running"
else
ERR=1
read -r -p ":: [ERR] WireGuard is not running, try to start now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
systemctl start wg-quick@wg0
echo "Done"
fi
fi
if systemctl is-enabled -q wg-quick@wg0; then
echo ":: [OK] WireGuard is enabled (it will automatically start on reboot)"
else
ERR=1
read -r -p ":: [ERR] WireGuard is not enabled, try to enable now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
systemctl enable wg-quick@wg0
echo "Done"
fi
fi
# grep -w (whole word) is used so port 11940 won't match when looking for 1194
if netstat -uanp | grep -w "${pivpnPORT}" | grep -q 'udp'; then
echo ":: [OK] WireGuard is listening on port ${pivpnPORT}/udp"
else
ERR=1
read -r -p ":: [ERR] WireGuard is not listening, try to restart now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
systemctl restart wg-quick@wg0
echo "Done"
fi
fi
if [ "$ERR" -eq 1 ]; then
echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues"
fi
printf "=============================================\n"
echo -e ":::: \e[1mWARNING\e[0m: This script should have automatically masked sensitive ::::"
echo -e ":::: information, however, still make sure that \e[4mPrivateKey\e[0m, \e[4mPublicKey\e[0m ::::"
echo -e ":::: and \e[4mPresharedKey\e[0m are masked before reporting an issue. An example key ::::"
echo ":::: that you should NOT see in this log looks like this: ::::"
echo ":::: WJhKKx+Uk1l1TxaH2KcEGeBdPBTp/k/Qy4EpBig5UnI= ::::"
printf "=============================================\n"
echo -e "::::\t\t\e[4mDebug complete\e[0m\t\t ::::"
Reference in a new issue View git blame Copy permalink