Add: DIP Support (#159)

* Provision of DIP Support Added dedicated IP support, including DIP_TOKEN for one-line calls and prompts through run_setup.sh. Adjusted package dependency response for wireguard to list the necessary package (wireguard-tools) to utilize wg-quick. Updated README.md to clarify package dependencies and include DIP_TOKEN.
2025-02-05 14:08:29 +00:00 · 2022-08-23 04:59:02 -05:00 · 2022-08-23 04:59:02 -05:00 · 9b42ad934a
commit 9b42ad934a
parent c7336e9e03
8 changed files with 392 additions and 159 deletions
--- a/README.md
+++ b/README.md
@ -27,7 +27,7 @@ The scripts were written so that they are easy to read and to modify. The code a
 In order for the scripts to work (probably even if you do a manual setup), you will need the following packages:
 * `curl`
 * `jq`
- * (only for WireGuard) `wg-quick` and `wireguard` kernel module
+ * (only for WireGuard) `wireguard-tools` (`wg-quick` and `wireguard` kernel module)
 * (only for OpenVPN) `openvpn`

 ## Disclaimers
@ -90,6 +90,7 @@ Here is a list of scripts you could find useful:
 * [Prompt based connection](run_setup.sh): This script allows connections with a one-line call, or will prompt for any missing or invalid variables. Variables available for one-line calls include:
   * `PIA_USER` - your PIA username
   * `PIA_PASS` - your PIA password
+   * `DIP_TOKEN` - your PIA dedicated IP token (can be purchased in the client control panel)
   * `PIA_DNS` - true/false
   * `PIA_PF` - true/false
   * `MAX_LATENCY` - numeric value, in seconds
--- a/connect_to_openvpn_with_token.sh
+++ b/connect_to_openvpn_with_token.sh
@ -28,6 +28,7 @@ check_tool() {
    exit 1
  fi
 }
+
 # Now we call the function to make sure we can use openvpn, curl and jq.
 check_tool openvpn
 check_tool curl
@ -124,13 +125,22 @@ if [[ -z $OVPN_SERVER_IP ||
  exit 1
 fi

+splitToken="dedicated_ip_$DIP_TOKEN"
+
 # Create a credentials file with the login token
 echo -n "Trying to write /opt/piavpn-manual/pia.ovpn..."
 mkdir -p /opt/piavpn-manual
 rm -f /opt/piavpn-manual/credentials /opt/piavpn-manual/route_info
+
+if [[ -z $DIP_TOKEN ]]; then
  echo "${PIA_TOKEN:0:62}
 ${PIA_TOKEN:62}" > /opt/piavpn-manual/credentials || exit 1
  chmod 600 /opt/piavpn-manual/credentials
+else
+  echo "${splitToken:0:62}
+${splitToken:62}" > /opt/piavpn-manual/credentials || exit 1
+  chmod 600 /opt/piavpn-manual/credentials
+fi
 echo -e "${green}OK!${nc}"

 # Translate connection settings variable
--- a/connect_to_wireguard_with_token.sh
+++ b/connect_to_wireguard_with_token.sh
@ -22,16 +22,18 @@
 # This function allows you to check if the required tools have been installed.
 check_tool() {
  cmd=$1
+  pkg=$2
  if ! command -v "$cmd" >/dev/null; then
    echo "$cmd could not be found"
-    echo "Please install $cmd"
+    echo "Please install $pkg"
    exit 1
  fi
 }
+
 # Now we call the function to make sure we can use wg-quick, curl and jq.
-check_tool wg-quick
-check_tool curl
-check_tool jq
+check_tool wg-quick wireguard-tools
+check_tool curl curl
+check_tool jq jq

 # Check if terminal allows output, if yes, define colors for output
 if [[ -t 1 ]]; then
@ -93,12 +95,21 @@ export pubKey
 # https://github.com/pia-foss/manual-connections/blob/master/ca.rsa.4096.crt
 # In case you want to troubleshoot the script, replace -s with -v.
 echo "Trying to connect to the PIA WireGuard API on $WG_SERVER_IP..."
+if [[ -z $DIP_TOKEN ]]; then
  wireguard_json="$(curl -s -G \
    --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" \
    --cacert "ca.rsa.4096.crt" \
    --data-urlencode "pt=${PIA_TOKEN}" \
    --data-urlencode "pubkey=$pubKey" \
    "https://${WG_HOSTNAME}:1337/addKey" )"
+else
+  wireguard_json="$(curl -s -G \
+    --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" \
+    --cacert "ca.rsa.4096.crt" \
+    --user "dedicated_ip_$DIP_TOKEN:$WG_SERVER_IP" \
+    --data-urlencode "pubkey=$pubKey" \
+    "https://$WG_HOSTNAME:1337/addKey" )"
+fi
 export wireguard_json

 # Check if the API returned OK and stop this script if it didn't.
--- a/get_dip.sh
+++ b/get_dip.sh
@ -0,0 +1,110 @@
+#!/bin/bash
+# Copyright (C) 2020 Private Internet Access, Inc.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+# This function allows you to check if the required tools have been installed.
+check_tool() {
+  cmd=$1
+  if ! command -v $cmd &>/dev/null; then
+    echo "$cmd could not be found"
+    echo "Please install $cmd"
+    exit 1
+  fi
+}
+
+# Now we call the function to make sure we can use curl and jq.
+check_tool curl
+check_tool jq
+
+# Check if terminal allows output, if yes, define colors for output
+if [[ -t 1 ]]; then
+  ncolors=$(tput colors)
+  if [[ -n $ncolors && $ncolors -ge 8 ]]; then
+    red=$(tput setaf 1) # ANSI red
+    green=$(tput setaf 2) # ANSI green
+    nc=$(tput sgr0) # No Color
+  else
+    red=''
+    green=''
+    nc='' # No Color
+  fi
+fi
+
+# Only allow script to run as root
+if (( EUID != 0 )); then
+  echo -e "${red}This script needs to be run as root. Try again with 'sudo $0'${nc}"
+  exit 1
+fi
+
+mkdir -p /opt/piavpn-manual
+
+if [[ -z $PIA_TOKEN ]]; then
+  echo "If you want this script to automatically retrieve dedicated IP location details"
+  echo "from the Meta service, please add the variables PIA_TOKEN and DIP_TOKEN. Example:"
+  echo "$ PIA_TOKEN DIP_TOKEN=DIP1a2b3c4d5e6f7g8h9i10j11k12l13 ./get_token.sh"
+  exit 1
+fi
+
+dipSavedLocation=/opt/piavpn-manual/dipAddress
+
+echo
+echo -n "Checking DIP token..."
+
+generateDIPResponse=$(curl -s --location --request POST \
+  'https://www.privateinternetaccess.com/api/client/v2/dedicated_ip' \
+  --header 'Content-Type: application/json' \
+  --header "Authorization: Token $PIA_TOKEN" \
+  --data-raw '{
+    "tokens":["'"$DIP_TOKEN"'"]
+  }')
+
+if [ "$(echo "$generateDIPResponse" | jq -r '.[0].status')" != "active" ]; then
+  echo
+  echo
+  echo -e "${red}Could not validate the dedicated IP token provided!${nc}"
+  echo
+  exit
+fi
+  
+echo -e ${green}OK!${nc}
+echo
+dipAddress=$(echo "$generateDIPResponse" | jq -r '.[0].ip')
+dipHostname=$(echo "$generateDIPResponse" | jq -r '.[0].cn')
+keyHostname=$(echo "dedicated_ip_$DIP_TOKEN")
+dipExpiration=$(echo "$generateDIPResponse" | jq -r '.[0].dip_expire')
+dipExpiration=$(date -d @$dipExpiration)
+dipID=$(echo "$generateDIPResponse" | jq -r '.[0].id')
+echo -e The hostname of your dedicated IP is ${green}$dipHostname${nc}
+echo
+echo -e The dedicated IP address is ${green}$dipAddress${nc}
+echo 
+echo This dedicated IP is valid until $dipExpiration.
+echo
+pfCapable="true"
+if [[ $dipID == us_* ]]; then
+  pfCapable="false"
+  echo This location does not have port forwarding capability.
+  echo
+fi
+echo $dipAddress > /opt/piavpn-manual/dipAddress || exit 1
+echo $dipHostname >> /opt/piavpn-manual/dipAddress
+echo $keyHostname >> /opt/piavpn-manual/dipAddress
+echo $dipExpiration >> /opt/piavpn-manual/dipAddress
+echo $pfCapable >> /opt/piavpn-manual/dipAddress
--- a/get_region.sh
+++ b/get_region.sh
@ -28,6 +28,7 @@ check_tool() {
    exit 1
  fi
 }
+
 # Now we call the function to make sure we can use curl and jq.
 check_tool curl
 check_tool jq
--- a/get_token.sh
+++ b/get_token.sh
@ -28,6 +28,7 @@ check_tool() {
    exit 1
  fi
 }
+
 # Now we call the function to make sure we can use curl and jq.
 check_tool curl
 check_tool jq
@ -68,10 +69,12 @@ fi

 echo -n "Checking login credentials..."

-generateTokenResponse=$(curl -s -u "$PIA_USER:$PIA_PASS" \
-  "https://www.privateinternetaccess.com/gtoken/generateToken")
+generateTokenResponse=$(curl -s --location --request POST \
+  'https://www.privateinternetaccess.com/api/client/v2/token' \
+  --form "username=$PIA_USER" \
+  --form "password=$PIA_PASS" )

-if [[ $(echo "$generateTokenResponse" | jq -r '.status') != "OK" ]]; then
+if [ "$(echo "$generateTokenResponse" | jq -r '.token')" == "" ]; then
  echo
  echo
  echo -e "${red}Could not authenticate with the login credentials provided!${nc}"
@ -83,7 +86,7 @@ echo -e "${green}OK!"
 echo
 token=$(echo "$generateTokenResponse" | jq -r '.token')
 tokenExpiration=$(timeout_timestamp)
-tokenLocation="/opt/piavpn-manual/token"
+tokenLocation=/opt/piavpn-manual/token
 echo -e "PIA_TOKEN=$token${nc}"
 echo "$token" > "$tokenLocation" || exit 1
 echo "$tokenExpiration" >> "$tokenLocation"
--- a/port_forwarding.sh
+++ b/port_forwarding.sh
@ -28,6 +28,7 @@ check_tool() {
    exit 1
  fi
 }
+
 # Now we call the function to make sure we can use curl and jq.
 check_tool curl
 check_tool jq
--- a/run_setup.sh
+++ b/run_setup.sh
@ -117,6 +117,64 @@ while :; do
  fi
 done

+# Check for dedicated IP
+echo -n "Do you want to use a dedicated IP token ([N]o/[y]es): "
+read useDIP
+echo
+pfOption="true"
+if echo ${useDIP:0:1} | grep -iq y; then
+useDIP="true"
+  while :; do
+    while :; do
+      # Check for in-line definition of $DIP_TOKEN
+      if [[ -z $DIP_TOKEN ]]; then
+        read -p "Dedicated token (DIP#############################): " DIP_TOKEN
+      fi
+
+      # Confirm format of PIA_USER input
+      dipPrefix=$( echo ${DIP_TOKEN:0:3} )
+      if [[ -z "$DIP_TOKEN" ]]; then
+        echo -e "\n${red}You must provide input.${nc}"
+      elif [[ ${#DIP_TOKEN} != 32 ]]; then
+        echo -e "\n${red}A dedicated IP token is always 32 characters long.${nc}"
+      elif [[ $dipPrefix != "DIP" ]]; then
+        echo -e "\n${red}A dedicated IP token must start with \"DIP\".${nc}"
+      else
+        break
+      fi
+      DIP_TOKEN=""
+    done
+    export DIP_TOKEN
+
+    # Confirm DIP_TOKEN and retrieve connection details
+    ./get_dip.sh
+
+    dipDetails="/opt/piavpn-manual/dipAddress"
+    # If the script failed to generate retrieve dedicated IP information, the script will exit early.
+    if [ ! -f "$dipDetails" ]; then
+      read -p "Do you want to try again ([N]o/[y]es): " tryAgain
+      if ! echo ${tryAgain:0:1} | grep -iq y; then
+        exit 1
+      fi
+      DIP_TOKEN=""
+    else
+      dipAddress=$( awk 'NR == 1' /opt/piavpn-manual/dipAddress )
+      dipHostname=$( awk 'NR == 2' /opt/piavpn-manual/dipAddress)
+      dipKey=$( awk 'NR == 3' /opt/piavpn-manual/dipAddress )
+      pfOption=$( awk 'NR == 5' /opt/piavpn-manual/dipAddress )
+      rm -f /opt/piavpn-manual/dipAddress
+    break
+    fi
+  done
+fi
+
+# Erase previous connection details if present
+rm -f /opt/piavpn-manual/token /opt/piavpn-manual/latencyList
+
+# Prompt for port forwarding if no DIP or DIP allows it
+if [[ $pfOption = "false" ]]; then
+  PIA_PF="false"
+fi
 # Check for in-line definition of PIA_PF and prompt for input
 if [[ -z $PIA_PF ]]; then
  echo -n "Do you want a forwarding port assigned ([N]o/[y]es): "
@ -158,6 +216,8 @@ ${green}Defaulting to yes.${nc}
  echo -e "${nc}"
 fi

+# Only prompt for server selection if no DIP has been specified
+if [[ -z $DIP_TOKEN ]]; then
  # Input validation and check for conflicting declarations of AUTOCONNECT and PREFERRED_REGION
  # If both variables are set, AUTOCONNECT has superiority and PREFERRED_REGION is ignored
  if [[ -z $AUTOCONNECT ]]; then
@ -315,6 +375,7 @@ For example, you can try 0.2 for 200ms allowed latency.
      PREFERRED_REGION=""
    fi
  done
+fi

 if [[ -z $VPN_PROTOCOL ]]; then
  VPN_PROTOCOL="none"
@ -391,4 +452,39 @@ echo -e "${green}PIA_DNS=$PIA_DNS${nc}"
 CONNECTION_READY="true"
 export CONNECTION_READY

+if [[ -z $DIP_TOKEN ]]; then
  ./get_region.sh
+elif [[ $VPN_PROTOCOL == wireguard ]]; then
+  echo
+  echo -e "You will be connecting with ${green}WG_SERVER_IP=$dipAddress${nc} using"
+  echo -e "${green}VPN_PROTOCOL=wireguard${nc}, so we will automatically connect to WireGuard,"
+  echo "by running this command:"
+  echo -e "$ ${green}PIA_PF=$PIA_PF PIA_TOKEN=$PIA_TOKEN" \\
+  echo "DIP_TOKEN=$DIP_TOKEN" \\
+  echo "WG_SERVER_IP=$dipAddress WG_HOSTNAME=$dipHostname" \\
+  echo -e "./connect_to_wireguard_with_token.sh${nc}"
+  echo
+  PIA_PF=$PIA_PF PIA_TOKEN=$PIA_TOKEN DIP_TOKEN=$DIP_TOKEN \
+    WG_SERVER_IP=$dipAddress WG_HOSTNAME=$dipHostname \
+    ./connect_to_wireguard_with_token.sh
+  rm -f /opt/piavpn-manual/latencyList
+  exit 0
+elif [[ $VPN_PROTOCOL == openvpn* ]]; then
+  echo
+  echo "The dedicated IP connection will be started with"
+  echo -e "${green}VPN_PROTOCOL=$VPN_PROTOCOL${nc}, so we will automatically"
+  echo "connect to OpenVPN, by running this command:"
+  echo -e "$ ${green}PIA_PF=$PIA_PF PIA_TOKEN=$PIA_TOKEN" \\
+  echo   "DIP_TOKEN=$DIP_TOKEN OVPN_SERVER_IP=$dipAddress" \\
+  echo   "OVPN_HOSTNAME=$dipHostname" \\
+  echo   "CONNECTION_SETTINGS=$VPN_PROTOCOL" \\
+  echo -e "./connect_to_openvpn_with_token.sh${nc}"
+  echo
+  PIA_PF=$PIA_PF PIA_TOKEN=$PIA_TOKEN \
+    DIP_TOKEN=$DIP_TOKEN OVPN_SERVER_IP=$dipAddress \
+    OVPN_HOSTNAME=$dipHostname \
+    CONNECTION_SETTINGS=$VPN_PROTOCOL \
+    ./connect_to_openvpn_with_token.sh
+  rm -f /opt/piavpn-manual/latencyList
+  exit 0
+fi