#whiptail --msgbox --backtitle "Security Updates" --title "Unattended Upgrades" "Since this server will have at least one port open to the internet, it is recommended you enable unattended-upgrades.\nThis feature will check daily for security package updates only and apply them when necessary.\nIt will NOT automatically reboot the server so to fully apply some updates you should periodically reboot." ${r} ${c}
#if (whiptail --backtitle "Security Updates" --title "Unattended Upgrades" --yesno "Do you want to enable unattended upgrades of security patches to this server?" ${r} ${c}) then
# UNATTUPG="unattended-upgrades"
#else
# UNATTUPG=""
#fi
}
stopServices(){
# Stop openvpn
$SUDOecho":::"
$SUDOecho -n "::: Stopping OpenVPN service..."
case${PLAT} in
Ubuntu|Debian|*vuan)
$SUDO service openvpn stop ||true
;;
*)
$SUDO systemctl stop openvpn.service ||true
;;
esac
$SUDOecho" done."
}
getGitFiles(){
# Setup git repos for base files
echo":::"
echo"::: Checking for existing base files..."
#if is_repo "${1}"; then
# update_repo "${1}" "${2}"
#else
# make_repo "${1}" "${2}"
#fi
make_repo "${1}""${2}"
}
is_repo(){
# If the directory does not have a .git folder it is not a repo
echo -n "::: Checking $1 is a repo..."
cd"${1}"&> /dev/null ||return1
$SUDO git status &> /dev/null &&echo" OK!";return0||echo" not found!";return1
}
make_repo(){
# Remove the non-repos interface and clone the interface
$SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf
$SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf
}
#This procedure allows a user to specify a custom search domain if they have one.
setCustomDomain(){
DomainSettingsCorrect=False
#if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno "Would you like to add a custom search domain? \n (This is only for advanced users who have their own domain)\n" ${r} ${c}); then
#
# until [[ $DomainSettingsCorrect = True ]]
# do
# if CUSTOMDomain=$(whiptail --inputbox "Enter Custom Domain\nFormat: mydomain.com" ${r} ${c} --title "Custom Domain" 3>&1 1>&2 2>&3); then
# if valid_domain "$CUSTOMDomain"; then
# if (whiptail --backtitle "Custom Search Domain" --title "Custom Search Domain" --yesno "Are these settings correct?\n Custom Search Domain: $CUSTOMDomain" ${r} ${c}); then
# DomainSettingsCorrect=True
#
# $SUDO sed -i '0,/\(.*dhcp-option.*\)/s//\push "dhcp-option DOMAIN '${CUSTOMDomain}'" \n&/' /etc/openvpn/server.conf
# Generate a random, alphanumeric identifier of 16 characters for this server so that we can use verify-x509-name later that is unique for this server installation. Source: Earthgecko (https://gist.github.com/earthgecko/3089509)
#if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno "OpenVPN 2.4 brings support for stronger authentication and key exchange using Elliptic Curves, along with encrypted control channel.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then
# "Choose the desired size of your certificate (press space to select):\n This is a certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 2048 bits. If you are testing, you can use 1024 bits to speed things up, but do not use this for normal use! If you are paranoid about ... things... then grab a cup of joe and pick 4096 bits." ${r} ${c} 3 \
# "1024" "Use a 1024-bit certificate (testing only)" OFF \
# "2048" "Use a 2048-bit certificate (recommended level)" ON \
# "4096" "Use a 4096-bit certificate (paranoid level)" OFF 3>&1 1>&2 2>&3)
#else
# declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1")
# "Choose the desired size of your certificate (press space to select):\n This is an certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \
# "256" "Use a 256-bit certificate (recommended level)" ON \
# "384" "Use a 384-bit certificate" OFF \
# "521" "Use a 521-bit certificate (paranoid level)" OFF 3>&1 1>&2 2>&3)
echo"set_var EASYRSA_KEY_SIZE ${ENCRYPT}"|$SUDO tee -a vars
else
echo"set_var EASYRSA_ALGO ec"|$SUDO tee -a vars
echo"set_var EASYRSA_CURVE ${ECDSA_MAP["${ENCRYPT}"]}"|$SUDO tee -a vars
fi
# Remove any previous keys
${SUDOE} ./easyrsa --batch init-pki
# Build the certificate authority
printf"::: Building CA...\n"
${SUDOE} ./easyrsa --batch build-ca nopass
printf"\n::: CA Complete.\n"
#if [[ ${useUpdateVars} == false ]]; then
# if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then
# whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman parameters, and HMAC key will now be generated." ${r} ${c}
if(["$ENCRYPT" -ge "4096"]&& whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from their database.\nMore information about this service can be found here: https://2ton.com.au/safeprimes/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device."${r}${c});then
#If they enabled 2.4 remove key-direction options since it's not required
$SUDO sed -i "/key-direction 1/d" /etc/openvpn/easy-rsa/pki/Default.txt
fi
if[[${useUpdateVars}==false]];then
#METH=$(whiptail --title "Public IP or DNS" --radiolist "Will clients use a Public IP or DNS Name to connect to your server (press space to select)?" ${r} ${c} 2 \
#"$IPv4pub" "Use this public IP" "ON" \
#"DNS Entry" "Use a public DNS" "OFF" 3>&1 1>&2 2>&3)
METH=$IPv4pub
exitstatus=$?
if[$exitstatus !=0];then
echo"::: Cancel selected. Exiting..."
exit1
fi
if["$METH"=="$IPv4pub"];then
$SUDO sed -i 's/IPv4pub/'"$IPv4pub"'/' /etc/openvpn/easy-rsa/pki/Default.txt
else
until[[$publicDNSCorrect= True ]]
do
PUBLICDNS=$(whiptail --title "PiVPN Setup" --inputbox "What is the public DNS name of this Server?"${r}${c} 3>&1 1>&2 2>&3)
exitstatus=$?
if[$exitstatus !=0];then
echo"::: Cancel selected. Exiting..."
exit1
fi
if(whiptail --backtitle "Confirm DNS Name" --title "Confirm DNS Name" --yesno "Is this correct?\n\n Public DNS Name: $PUBLICDNS"${r}${c})then
publicDNSCorrect=True
$SUDO sed -i 's/IPv4pub/'"$PUBLICDNS"'/' /etc/openvpn/easy-rsa/pki/Default.txt
else
publicDNSCorrect=False
fi
done
fi
else
$SUDO sed -i 's/IPv4pub/'"$PUBLICDNS"'/' /etc/openvpn/easy-rsa/pki/Default.txt
fi
# if they modified port put value in Default.txt for clients to use
if[$PORT !=1194];then
$SUDO sed -i -e "s/1194/${PORT}/g" /etc/openvpn/easy-rsa/pki/Default.txt
fi
# if they modified protocol put value in Default.txt for clients to use
if["$PROTO" !="udp"];then
$SUDO sed -i -e "s/proto udp/proto tcp/g" /etc/openvpn/easy-rsa/pki/Default.txt
fi
# verify server name to strengthen security
$SUDO sed -i "s/SRVRNAME/${SERVER_NAME}/" /etc/openvpn/easy-rsa/pki/Default.txt
if[ ! -d "/home/$pivpnUser/ovpns"];then
$SUDO mkdir "/home/$pivpnUser/ovpns"
fi
$SUDO chmod 0777 -R "/home/$pivpnUser/ovpns"
}
confLogging(){
echo"if \$programname == 'ovpn-server' then /var/log/openvpn.log
if\$programname=='ovpn-server'then stop" | $SUDO tee /etc/rsyslog.d/30-openvpn.conf > /dev/null
echo"/var/log/openvpn.log
{
rotate 4
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
invoke-rc.d rsyslog rotate >/dev/null 2>&1||true
endscript
}" | $SUDO tee /etc/logrotate.d/openvpn > /dev/null
# Restart the logging service
case${PLAT} in
Ubuntu|Debian|*vuan)
$SUDO service rsyslog restart ||true
;;
*)
$SUDO systemctl restart rsyslog.service ||true
;;
esac
}
finalExports(){
# Update variables in setupVars.conf file
if[ -e "${setupVars}"];then
$SUDO sed -i.update.bak '/pivpnUser/d;/UNATTUPG/d;/pivpnInterface/d;/IPv4dns/d;/IPv4addr/d;/IPv4gw/d;/pivpnProto/d;/PORT/d;/ENCRYPT/d;/DOWNLOAD_DH_PARAM/d;/PUBLICDNS/d;/OVPNDNS1/d;/OVPNDNS2/d;'"${setupVars}"
# ?? Is this always OK? Also if you only select one DNS server ??
$SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf
$SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf
finalExports #re-export setupVars.conf to account for any new vars added in new versions
}
displayFinalMessage(){
# Final completion message to user
#whiptail --msgbox --backtitle "Make it so." --title "Installation Complete!" "Now run 'pivpn add' to create the ovpn profiles.
#Run 'pivpn help' to see what else you can do!\n\nIf you run into any issue, please read all our documentation carefully.
#All incomplete posts or bug reports will be ignored or deleted.\n\nThank you for using PiVPN." ${r} ${c}
#if (whiptail --title "Reboot" --yesno --defaultno "It is strongly recommended you reboot after installation. Would you like to reboot now?" ${r} ${c}); then
# whiptail --title "Rebooting" --msgbox "The system will now reboot." ${r} ${c}
echo"::: --unattended passed to install script, no whiptail dialogs will be displayed"
useUpdateVars=true
else
update_dialogs
fi
fi
# Start the installer
# Verify there is enough disk space for the install
if[["${skipSpaceCheck}"==true]];then
echo"::: --i_do_not_follow_recommendations passed to script, skipping free disk space verification!"
else
verifyFreeDiskSpace
fi
# Install the packages (we do this first because we need whiptail)
addSoftwareRepo
update_package_cache
# Notify user of package availability
notify_package_updates_available
# Install packages used by this installation script
install_dependent_packages PIVPN_DEPS[@]
if[[${useUpdateVars}==false]];then
# Display welcome dialogs
welcomeDialogs
# Find interfaces and let the user choose one
chooseInterface
# Only try to set static on Raspbian, otherwise let user do it
if[[$PLAT !="Raspbian"]];then
avoidStaticIPv4Ubuntu
else
setStaticIPv4
fi
# Choose the user for the ovpns
chooseUser
# Ask if unattended-upgrades will be enabled
unattendedUpgrades
# Clone/Update the repos
clone_or_update_repos
# Install
if installPiVPN;then
echo"::: Install Complete..."
else
exit1
fi
else
# Source ${setupVars} for use in the rest of the functions.
source${setupVars}
echo"::: Using IP address: $IPv4addr"
echo"${IPv4addr%/*}" > /tmp/pivpnIP
echo"::: Using interface: $pivpnInterface"
echo"${pivpnInterface}" > /tmp/pivpnINT
echo"::: Using User: $pivpnUser"
echo"${pivpnUser}" > /tmp/pivpnUSR
echo"::: Using protocol: $pivpnProto"
echo"${pivpnProto}" > /tmp/pivpnPROTO
echo"::: Using port: $PORT"
echo${PORT} > /tmp/INSTALL_PORT
echo":::"
# Only try to set static on Raspbian
case${PLAT} in
Rasp*)
setStaticIPv4 # This might be a problem if a user tries to modify the ip in the config file and then runs an update because of the way we check for previous configuration in /etc/dhcpcd.conf
;;
*)
echo"::: IP Information"
echo"::: Since we think you are not using Raspbian, we will not configure a static IP for you."
echo"::: If you are in Amazon then you can not configure a static IP anyway."
echo"::: Just ensure before this installer started you had set an elastic IP on your instance."
;;
esac
# Clone/Update the repos
clone_or_update_repos
updatePiVPN
fi
echo"::: Restarting services..."
# Start services
case${PLAT} in
Ubuntu|Debian|*vuan)
$SUDO service openvpn start
;;
*)
$SUDO systemctl enable openvpn.service
$SUDO systemctl start openvpn.service
;;
esac
# Ensure that cached writes reach persistent storage
echo"::: Flushing writes to disk..."
sync
echo"::: done."
if[["${useUpdateVars}"==false]];then
displayFinalMessage
fi
echo":::"
if[["${useUpdateVars}"==false]];then
echo"::: Installation Complete!"
echo"::: Now run 'pivpn add' to create an ovpn profile for each of your devices."
echo"::: Run 'pivpn help' to see what else you can do!"
echo"::: It is strongly recommended you reboot after installation."