Skip to content

Commit

Permalink
added support for OpenVPN
Browse files Browse the repository at this point in the history
  • Loading branch information
@g00nix
g00nix committed Oct 9, 2020
1 parent 8d7b921 commit 366f132
Show file tree
Hide file tree
Showing 12 changed files with 636 additions and 52 deletions.
29 changes: 13 additions & 16 deletions README.md
View file
Original file line number Diff line number Diff line change
@@ -1,25 +1,22 @@
# Manual PIA VPN Connections
__This project is "Work in Progress"__

This repository contains documentation on how to create native WireGuard connections to our __NextGen network__, and also on how to enable Port Forwarding in case you require this feature. Documentation on OpenVPN will follow soon enough.
This repository contains documentation on how to create native WireGuard and OpenVPN connections to our __NextGen network__, and also on how to enable Port Forwarding in case you require this feature. You will find a lot of information below. However if you prefer quick test, here is the __TL/DR__:

You will find a lot of information bellow. However if you prefer a hands-on approach, here is the __TL/DR__:
* clone this repo: `git clone https://github.com/pia-foss/manual-connections.git`
* use `get_region_and_token.sh` to get the best region and a token
* use `connect_to_wireguard_with_token.sh` to create a WireGuard connection with/without PF

Here is a oneliner example:
```
sudo PIA_AUTOCONNECT=wireguard PIA_USER=p0123456 PIA_PASS=xxxxxxxxxx ./get_region_and_token.sh
git clone https://github.com/pia-foss/manual-connections.git
cd manual-connections
./run_setup.sh
```

The scripts were written so that they are easy to read and to modify. We hope you will enjoy forking the repo and customizing the scripts for your setup!

### Dependencies

In order for the scripts to work (probably even if you do a manual setup), you will need the following packages:
* `curl`
* `jq`
* (only for WireGuard) `wireguard-tools` and wireguard kernel module
* (only for OpenVPN) `openvpn` (however the script is not available yet)
* (only for WireGuard) `wg-quick` and `wireguard` kernel module
* (only for OpenVPN) `openvpn`

### Confirmed systems and distributions

Expand All @@ -45,13 +42,13 @@ This service can be used only AFTER establishing a VPN connection.

## Automated setup of VPN and/or PF

In order to help you use VPN services and PF on any device, we have prepare a few bash scripts that should help you through the process of setting everything up. The scripts also contain a lot of comments, just in case you require detailed information regarding how the technology works.
In order to help you use VPN services and PF on any device, we have prepared a few bash scripts that should help you through the process of setting everything up. The scripts also contain a lot of comments, just in case you require detailed information regarding how the technology works. The functionality is controlled via environment variables, so that you have an easy time automating your setup.

Here is a list of scripts you could find useful:
* [Get the best region and a token](get_region_and_token.sh): This script helps you to get the best region and also to get a token for VPN authentication. The script will extend it's functionality if you add extra environment variables. Adding your PIA credentials will allow the script to also get a VPN token. The script can also trigger the WireGuard script to create a connection, if you specify `PIA_AUTOCONNECT=wireguard`.
* [Connect to WireGuard](connect_to_wireguard_with_token.sh): This script allow you to connect to the VPN server via WireGuard. You can specify `PIA_PF=true` if you also wish to get Port Forwarding for your connection.
* Connect to OpenVPN: We are still working on this script.
* [Enable Port Forwarding](port_forwarding.sh): Enables you to add Port Forwarding to an existing VPN connection.
* [Get the best region and a token](get_region_and_token.sh): This script helps you to get the best region and also to get a token for VPN authentication. Adding your PIA credentials to env vars `PIA_USER` and `PIA_PASS` will allow the script to also get a VPN token. The script can also trigger the WireGuard script to create a connection, if you specify `PIA_AUTOCONNECT=wireguard` or `PIA_AUTOCONNECT=openvpn_udp_standard`
* [Connect to WireGuard](connect_to_wireguard_with_token.sh): This script allows you to connect to the VPN server via WireGuard.
* [Connect to OpenVPN](connect_to_openvpn_with_token.sh): This script allows you to connect to the VPN server via OpenVPN.
* [Enable Port Forwarding](port_forwarding.sh): Enables you to add Port Forwarding to an existing VPN connection. Adding the environment variable `PIA_PF=true` to any of the previous scripts will also trigger this script.

## Manual setup of PF

Expand Down
234 changes: 234 additions & 0 deletions connect_to_openvpn_with_token.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,234 @@
#!/bin/bash
# Copyright (C) 2020 Private Internet Access, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

# This function allows you to check if the required tools have been installed.
function check_tool() {
cmd=$1
if ! command -v $cmd &>/dev/null
then
echo "$cmd could not be found"
echo "Please install $cmd"
exit 1
fi
}
# Now we call the function to make sure we can use wg-quick, curl and jq.
check_tool curl
check_tool jq
check_tool openvpn

# Check if manual PIA OpenVPN connection is alread intitialized.
# Multi-hop is out of the scope of this repo, but you should be able to
# get multi-hop running with both OpenVPN and WireGuard.
adapter_check="$( ip a s tun06 )"
should_read="Device \"tun06\" does not exist"
pid_filepath="/opt/piavpn-manual/pia_pid"
if [[ "$adapter_check" != "$should_read" ]]; then
echo The tun06 adapter already exists, that interface is required
echo for this configuration.
if [ -f "$pid_filepath" ]; then
old_pid="$( cat "$pid_filepath" )"
old_pid_name="$( ps -p "$old_pid" -o comm= )"
if [[ $old_pid_name == 'openvpn' ]]; then
echo
echo It seems likely that process $old_pid is an OpenVPN connection
echo that was established by using this script. Unless it is closed
echo you would not be able to get a new connection.
echo -n "Do you want to run $ kill $old_pid (Y/n): "
read close_connection
fi
if echo ${close_connection:0:1} | grep -iq n ; then
echo Closing script. Resolve tun06 adapter conflict and run the script again.
exit 1
fi
echo Killing the existing OpenVPN process and waiting 5 seconds...
kill $old_pid
sleep 5
fi
fi

# PIA currently does not support IPv6. In order to be sure your VPN
# connection does not leak, it is best to disabled IPv6 altogether.
if [ $(sysctl -n net.ipv6.conf.all.disable_ipv6) -ne 1 ] ||
[ $(sysctl -n net.ipv6.conf.default.disable_ipv6) -ne 1 ]
then
echo 'You should consider disabling IPv6 by running:'
echo 'sysctl -w net.ipv6.conf.all.disable_ipv6=1'
echo 'sysctl -w net.ipv6.conf.default.disable_ipv6=1'
fi

# Check if the mandatory environment variables are set.
if [[ ! $OVPN_SERVER_IP ||
! $OVPN_HOSTNAME ||
! $PIA_PF ||
! $PIA_TOKEN ||
! $CONNECTION_SETTINGS ]]; then
echo 'This script requires 3 env vars:'
echo 'OVPN_SERVER_IP - IP that you want to connect to'
echo 'OVPN_HOSTNAME - name of the server, required for ssl'
echo 'CONNECTION_SETTINGS - the protocol and encryption specification'
echo ' - available options for CONNECTION_SETTINGS are:'
echo ' * openvpn_udp_standard'
echo ' * openvpn_udp_strong'
echo ' * openvpn_tcp_standard'
echo ' * openvpn_tcp_strong'
echo
echo You can also specify optional env vars:
echo "PIA_PF - enable port forwarding"
echo "PAYLOAD_AND_SIGNATURE - In case you already have a port."
echo
echo An easy solution is to just run get_region_and_token.sh
echo as it will guide you through getting the best server and
echo also a token. Detailed information can be found here:
echo https://github.com/pia-foss/manual-connections
exit 1
fi

# Create a credentials file with the login token
echo "Trying to write /opt/piavpn-manual/pia.ovpn...
"
mkdir -p /opt/piavpn-manual
rm -f /opt/piavpn-manual/credentials /opt/piavpn-manual/route_info
echo ${PIA_TOKEN:0:62}"
"${PIA_TOKEN:62} > /opt/piavpn-manual/credentials || exit 1

# Translate connection settings variable
IFS='_'
read -ra connection_settings <<< "$CONNECTION_SETTINGS"
IFS=' '
protocol="${connection_settings[1]}"
encryption="${connection_settings[2]}"

prefix_filepath="openvpn_config/standard.ovpn"
if [[ $encryption == "strong" ]]; then
prefix_filepath="openvpn_config/strong.ovpn"
fi

if [[ $protocol == "udp" ]]; then
if [[ $encryption == "standard" ]]; then
port=1198
else
port=1197
fi
else
if [[ $encryption == "standard" ]]; then
port=502
else
port=501
fi
fi

# Create the OpenVPN config based on the settings specified
cat $prefix_filepath > /opt/piavpn-manual/pia.ovpn || exit 1
echo remote $OVPN_SERVER_IP $port $protocol >> /opt/piavpn-manual/pia.ovpn

# Copy the up/down scripts to /opt/piavpn-manual/
# based upon use of PIA DNS
if [ "$PIA_DNS" != true ]; then
cp openvpn_config/openvpn_up.sh /opt/piavpn-manual/
cp openvpn_config/openvpn_down.sh /opt/piavpn-manual/
echo This configuration will not use PIA DNS.
echo If you want to also enable PIA DNS, please start the script
echo with the env var PIA_DNS=true. Example:
echo $ OVPN_SERVER_IP=\"$OVPN_SERVER_IP\" OVPN_HOSTNAME=\"$OVPN_HOSTNAME\" \
PIA_TOKEN=\"$PIA_TOKEN\" CONNECTION_SETTINGS=\"$CONNECTION_SETTINGS\" \
PIA_PF=true PIA_DNS=true ./connect_to_openvpn_with_token.sh
else
cp openvpn_config/openvpn_up_dnsoverwrite.sh /opt/piavpn-manual/openvpn_up.sh
cp openvpn_config/openvpn_down_dnsoverwrite.sh /opt/piavpn-manual/openvpn_down.sh
fi

# Start the OpenVPN interface.
# If something failed, stop this script.
# If you get DNS errors because you miss some packages,
# just can hardcode /etc/resolv.conf to "nameserver 10.0.0.242".
#rm -f /opt/piavpn-manual/debug_info
echo "
Trying to start the OpenVPN connection..."
openvpn --daemon \
--config "/opt/piavpn-manual/pia.ovpn" \
--writepid "/opt/piavpn-manual/pia_pid" \
--log "/opt/piavpn-manual/debug_info" || exit 1

echo "
The OpenVPN connect command was issued.
Confirming OpenVPN connection state... "

# Check if manual PIA OpenVPN connection is intitialized.
# Manually adjust the connectino_wait_time if needed
connection_wait_time=10
confirmation="Initialization Sequence Complete"
for (( timeout=0; timeout <=$connection_wait_time; timeout++ ))
do
sleep 1
if grep -q "$confirmation" /opt/piavpn-manual/debug_info; then
connected=true
break
fi
done

ovpn_pid="$( cat /opt/piavpn-manual/pia_pid )"
gateway_ip="$( cat /opt/piavpn-manual/route_info )"

# Report and exit if connection was not initialized within 10 seconds.
if [ "$connected" != true ]; then
echo "The VPN connection was not established within 10 seconds."
kill $ovpn_pid
exit 1
fi

echo "Initialization Sequence Complete!
At this point, internet should work via VPN.
"

echo "OpenVPN Process ID: $ovpn_pid
VPN route IP: $gateway_ip
To disconnect the VPN, run:
--> sudo kill $ovpn_pid <--
"

# This section will stop the script if PIA_PF is not set to "true".
if [ "$PIA_PF" != true ]; then
echo
echo If you want to also enable port forwarding, please start the script
echo with the env var PIA_PF=true. Example:
echo $ OVPN_SERVER_IP=\"$OVPN_SERVER_IP\" OVPN_HOSTNAME=\"$OVPN_HOSTNAME\" \
PIA_TOKEN=\"$PIA_TOKEN\" CONNECTION_SETTINGS=\"$CONNECTION_SETTINGS\" \
PIA_PF=true ./connect_to_openvpn_with_token.sh
exit
fi

echo "
This script got started with PIA_PF=true.
Starting procedure to enable port forwarding by running the following command:
$ PIA_TOKEN=\"$PIA_TOKEN\" \\
PF_GATEWAY=\"$gateway_ip\" \\
PF_HOSTNAME=\"$OVPN_HOSTNAME\" \\
./port_forwarding.sh
"

PIA_TOKEN=$PIA_TOKEN \
PF_GATEWAY="$gateway_ip" \
PF_HOSTNAME="$OVPN_HOSTNAME" \
./port_forwarding.sh
40 changes: 26 additions & 14 deletions connect_to_wireguard_with_token.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,11 +46,11 @@ then
fi

# Check if the mandatory environment variables are set.
if [[ ! $WG_SERVER_IP || ! $WG_HOSTNAME || ! $WG_TOKEN ]]; then
if [[ ! $WG_SERVER_IP || ! $WG_HOSTNAME || ! $PIA_TOKEN ]]; then
echo This script requires 3 env vars:
echo WG_SERVER_IP - IP that you want to connect to
echo WG_HOSTNAME - name of the server, required for ssl
echo WG_TOKEN - your authentication token
echo PIA_TOKEN - your authentication token
echo
echo You can also specify optional env vars:
echo "PIA_PF - enable port forwarding"
Expand Down Expand Up @@ -79,7 +79,7 @@ echo Trying to connect to the PIA WireGuard API on $WG_SERVER_IP...
wireguard_json="$(curl -s -G \
--connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" \
--cacert "ca.rsa.4096.crt" \
--data-urlencode "pt=${WG_TOKEN}" \
--data-urlencode "pt=${PIA_TOKEN}" \
--data-urlencode "pubkey=$pubKey" \
"https://${WG_HOSTNAME}:1337/addKey" )"
export wireguard_json
Expand All @@ -91,19 +91,31 @@ if [ "$(echo "$wireguard_json" | jq -r '.status')" != "OK" ]; then
exit 1
fi

# Multi-hop is out of the scope of this repo, but you should be able to
# get multi-hop running with both WireGuard and OpenVPN by playing with
# these scripts. Feel free to fork the project and test it out.
echo
echo Trying to disable a PIA WG connection in case it exists...
wg-quick down pia && echo Disconnected!
echo

# Create the WireGuard config based on the JSON received from the API
# The config does not contain a DNS entry, since some servers do not
# have resolvconf, which will result in the script failing.
# We will enforce the DNS after the connection gets established.
# In case you want this section to also add the DNS setting, please
# start the script with PIA_DNS=true.
echo -n "Trying to write /etc/wireguard/pia.conf... "
mkdir -p /etc/wireguard
if [ "$PIA_DNS" == true ]; then
dnsServer="$(echo "$wireguard_json" | jq -r '.dns_servers[0]')"
echo Trying to set up DNS to $dnsServer. In case you do not have resolvconf,
echo this operation will fail and you will not get a VPN. If you have issues,
echo start this script without PIA_DNS.
dnsSettingForVPN="DNS = $dnsServer"
fi
echo "
[Interface]
Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
PrivateKey = $privKey
## If you want wg-quick to also set up your DNS, uncomment the line below.
# DNS = $(echo "$wireguard_json" | jq -r '.dns_servers[0]')
$dnsSettingForVPN
[Peer]
PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
AllowedIPs = 0.0.0.0/0
Expand All @@ -129,22 +141,22 @@ if [ "$PIA_PF" != true ]; then
echo
echo If you want to also enable port forwarding, please start the script
echo with the env var PIA_PF=true. Example:
echo $ WG_SERVER=10.0.0.3 WG_HOSTNAME=piaserver401 \
WG_TOKEN=\"\$token\" PIA_PF=true \
./sort_regions_by_latency.sh
echo $ WG_SERVER_IP=10.0.0.3 WG_HOSTNAME=piaserver401 \
PIA_TOKEN=\"\$token\" PIA_PF=true \
./connect_to_wireguard_with_token.sh
exit
fi

echo "
This script got started with PIA_PF=true.
Starting procedure to enable port forwarding by running the following command:
$ PIA_TOKEN=$WG_TOKEN \\
$ PIA_TOKEN=$PIA_TOKEN \\
PF_GATEWAY=\"$(echo "$wireguard_json" | jq -r '.server_vip')\" \\
PF_HOSTNAME=\"$WG_HOSTNAME\" \\
./port_forwarding.sh
"

PIA_TOKEN=$WG_TOKEN \
PIA_TOKEN=$PIA_TOKEN \
PF_GATEWAY="$(echo "$wireguard_json" | jq -r '.server_vip')" \
PF_HOSTNAME="$WG_HOSTNAME" \
./port_forwarding.sh
Loading

0 comments on commit 366f132

Please sign in to comment.