Add: DIP Support (#159)

* Provision of DIP Support

Added dedicated IP support, including DIP_TOKEN for one-line calls and prompts through run_setup.sh.

Adjusted package dependency response for wireguard to list the necessary package (wireguard-tools) to utilize wg-quick.

Updated README.md to clarify package dependencies and include DIP_TOKEN.
This commit is contained in:
faireOwl 2022-08-23 04:59:02 -05:00 committed by GitHub
parent c7336e9e03
commit 9b42ad934a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 392 additions and 159 deletions

View File

@ -27,7 +27,7 @@ The scripts were written so that they are easy to read and to modify. The code a
In order for the scripts to work (probably even if you do a manual setup), you will need the following packages:
* `curl`
* `jq`
* (only for WireGuard) `wg-quick` and `wireguard` kernel module
* (only for WireGuard) `wireguard-tools` (`wg-quick` and `wireguard` kernel module)
* (only for OpenVPN) `openvpn`
## Disclaimers
@ -90,6 +90,7 @@ Here is a list of scripts you could find useful:
* [Prompt based connection](run_setup.sh): This script allows connections with a one-line call, or will prompt for any missing or invalid variables. Variables available for one-line calls include:
* `PIA_USER` - your PIA username
* `PIA_PASS` - your PIA password
* `DIP_TOKEN` - your PIA dedicated IP token (can be purchased in the client control panel)
* `PIA_DNS` - true/false
* `PIA_PF` - true/false
* `MAX_LATENCY` - numeric value, in seconds

View File

@ -28,6 +28,7 @@ check_tool() {
exit 1
fi
}
# Now we call the function to make sure we can use openvpn, curl and jq.
check_tool openvpn
check_tool curl
@ -124,13 +125,22 @@ if [[ -z $OVPN_SERVER_IP ||
exit 1
fi
splitToken="dedicated_ip_$DIP_TOKEN"
# Create a credentials file with the login token
echo -n "Trying to write /opt/piavpn-manual/pia.ovpn..."
mkdir -p /opt/piavpn-manual
rm -f /opt/piavpn-manual/credentials /opt/piavpn-manual/route_info
echo "${PIA_TOKEN:0:62}
if [[ -z $DIP_TOKEN ]]; then
echo "${PIA_TOKEN:0:62}
${PIA_TOKEN:62}" > /opt/piavpn-manual/credentials || exit 1
chmod 600 /opt/piavpn-manual/credentials
chmod 600 /opt/piavpn-manual/credentials
else
echo "${splitToken:0:62}
${splitToken:62}" > /opt/piavpn-manual/credentials || exit 1
chmod 600 /opt/piavpn-manual/credentials
fi
echo -e "${green}OK!${nc}"
# Translate connection settings variable

View File

@ -22,16 +22,18 @@
# This function allows you to check if the required tools have been installed.
check_tool() {
cmd=$1
pkg=$2
if ! command -v "$cmd" >/dev/null; then
echo "$cmd could not be found"
echo "Please install $cmd"
echo "Please install $pkg"
exit 1
fi
}
# Now we call the function to make sure we can use wg-quick, curl and jq.
check_tool wg-quick
check_tool curl
check_tool jq
check_tool wg-quick wireguard-tools
check_tool curl curl
check_tool jq jq
# Check if terminal allows output, if yes, define colors for output
if [[ -t 1 ]]; then
@ -93,12 +95,21 @@ export pubKey
# https://github.com/pia-foss/manual-connections/blob/master/ca.rsa.4096.crt
# In case you want to troubleshoot the script, replace -s with -v.
echo "Trying to connect to the PIA WireGuard API on $WG_SERVER_IP..."
wireguard_json="$(curl -s -G \
if [[ -z $DIP_TOKEN ]]; then
wireguard_json="$(curl -s -G \
--connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" \
--cacert "ca.rsa.4096.crt" \
--data-urlencode "pt=${PIA_TOKEN}" \
--data-urlencode "pubkey=$pubKey" \
"https://${WG_HOSTNAME}:1337/addKey" )"
else
wireguard_json="$(curl -s -G \
--connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" \
--cacert "ca.rsa.4096.crt" \
--user "dedicated_ip_$DIP_TOKEN:$WG_SERVER_IP" \
--data-urlencode "pubkey=$pubKey" \
"https://$WG_HOSTNAME:1337/addKey" )"
fi
export wireguard_json
# Check if the API returned OK and stop this script if it didn't.

110
get_dip.sh Executable file
View File

@ -0,0 +1,110 @@
#!/bin/bash
# Copyright (C) 2020 Private Internet Access, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
# This function allows you to check if the required tools have been installed.
check_tool() {
cmd=$1
if ! command -v $cmd &>/dev/null; then
echo "$cmd could not be found"
echo "Please install $cmd"
exit 1
fi
}
# Now we call the function to make sure we can use curl and jq.
check_tool curl
check_tool jq
# Check if terminal allows output, if yes, define colors for output
if [[ -t 1 ]]; then
ncolors=$(tput colors)
if [[ -n $ncolors && $ncolors -ge 8 ]]; then
red=$(tput setaf 1) # ANSI red
green=$(tput setaf 2) # ANSI green
nc=$(tput sgr0) # No Color
else
red=''
green=''
nc='' # No Color
fi
fi
# Only allow script to run as root
if (( EUID != 0 )); then
echo -e "${red}This script needs to be run as root. Try again with 'sudo $0'${nc}"
exit 1
fi
mkdir -p /opt/piavpn-manual
if [[ -z $PIA_TOKEN ]]; then
echo "If you want this script to automatically retrieve dedicated IP location details"
echo "from the Meta service, please add the variables PIA_TOKEN and DIP_TOKEN. Example:"
echo "$ PIA_TOKEN DIP_TOKEN=DIP1a2b3c4d5e6f7g8h9i10j11k12l13 ./get_token.sh"
exit 1
fi
dipSavedLocation=/opt/piavpn-manual/dipAddress
echo
echo -n "Checking DIP token..."
generateDIPResponse=$(curl -s --location --request POST \
'https://www.privateinternetaccess.com/api/client/v2/dedicated_ip' \
--header 'Content-Type: application/json' \
--header "Authorization: Token $PIA_TOKEN" \
--data-raw '{
"tokens":["'"$DIP_TOKEN"'"]
}')
if [ "$(echo "$generateDIPResponse" | jq -r '.[0].status')" != "active" ]; then
echo
echo
echo -e "${red}Could not validate the dedicated IP token provided!${nc}"
echo
exit
fi
echo -e ${green}OK!${nc}
echo
dipAddress=$(echo "$generateDIPResponse" | jq -r '.[0].ip')
dipHostname=$(echo "$generateDIPResponse" | jq -r '.[0].cn')
keyHostname=$(echo "dedicated_ip_$DIP_TOKEN")
dipExpiration=$(echo "$generateDIPResponse" | jq -r '.[0].dip_expire')
dipExpiration=$(date -d @$dipExpiration)
dipID=$(echo "$generateDIPResponse" | jq -r '.[0].id')
echo -e The hostname of your dedicated IP is ${green}$dipHostname${nc}
echo
echo -e The dedicated IP address is ${green}$dipAddress${nc}
echo
echo This dedicated IP is valid until $dipExpiration.
echo
pfCapable="true"
if [[ $dipID == us_* ]]; then
pfCapable="false"
echo This location does not have port forwarding capability.
echo
fi
echo $dipAddress > /opt/piavpn-manual/dipAddress || exit 1
echo $dipHostname >> /opt/piavpn-manual/dipAddress
echo $keyHostname >> /opt/piavpn-manual/dipAddress
echo $dipExpiration >> /opt/piavpn-manual/dipAddress
echo $pfCapable >> /opt/piavpn-manual/dipAddress

View File

@ -28,6 +28,7 @@ check_tool() {
exit 1
fi
}
# Now we call the function to make sure we can use curl and jq.
check_tool curl
check_tool jq

View File

@ -28,6 +28,7 @@ check_tool() {
exit 1
fi
}
# Now we call the function to make sure we can use curl and jq.
check_tool curl
check_tool jq
@ -68,10 +69,12 @@ fi
echo -n "Checking login credentials..."
generateTokenResponse=$(curl -s -u "$PIA_USER:$PIA_PASS" \
"https://www.privateinternetaccess.com/gtoken/generateToken")
generateTokenResponse=$(curl -s --location --request POST \
'https://www.privateinternetaccess.com/api/client/v2/token' \
--form "username=$PIA_USER" \
--form "password=$PIA_PASS" )
if [[ $(echo "$generateTokenResponse" | jq -r '.status') != "OK" ]]; then
if [ "$(echo "$generateTokenResponse" | jq -r '.token')" == "" ]; then
echo
echo
echo -e "${red}Could not authenticate with the login credentials provided!${nc}"
@ -83,7 +86,7 @@ echo -e "${green}OK!"
echo
token=$(echo "$generateTokenResponse" | jq -r '.token')
tokenExpiration=$(timeout_timestamp)
tokenLocation="/opt/piavpn-manual/token"
tokenLocation=/opt/piavpn-manual/token
echo -e "PIA_TOKEN=$token${nc}"
echo "$token" > "$tokenLocation" || exit 1
echo "$tokenExpiration" >> "$tokenLocation"

View File

@ -28,6 +28,7 @@ check_tool() {
exit 1
fi
}
# Now we call the function to make sure we can use curl and jq.
check_tool curl
check_tool jq

View File

@ -117,6 +117,64 @@ while :; do
fi
done
# Check for dedicated IP
echo -n "Do you want to use a dedicated IP token ([N]o/[y]es): "
read useDIP
echo
pfOption="true"
if echo ${useDIP:0:1} | grep -iq y; then
useDIP="true"
while :; do
while :; do
# Check for in-line definition of $DIP_TOKEN
if [[ -z $DIP_TOKEN ]]; then
read -p "Dedicated token (DIP#############################): " DIP_TOKEN
fi
# Confirm format of PIA_USER input
dipPrefix=$( echo ${DIP_TOKEN:0:3} )
if [[ -z "$DIP_TOKEN" ]]; then
echo -e "\n${red}You must provide input.${nc}"
elif [[ ${#DIP_TOKEN} != 32 ]]; then
echo -e "\n${red}A dedicated IP token is always 32 characters long.${nc}"
elif [[ $dipPrefix != "DIP" ]]; then
echo -e "\n${red}A dedicated IP token must start with \"DIP\".${nc}"
else
break
fi
DIP_TOKEN=""
done
export DIP_TOKEN
# Confirm DIP_TOKEN and retrieve connection details
./get_dip.sh
dipDetails="/opt/piavpn-manual/dipAddress"
# If the script failed to generate retrieve dedicated IP information, the script will exit early.
if [ ! -f "$dipDetails" ]; then
read -p "Do you want to try again ([N]o/[y]es): " tryAgain
if ! echo ${tryAgain:0:1} | grep -iq y; then
exit 1
fi
DIP_TOKEN=""
else
dipAddress=$( awk 'NR == 1' /opt/piavpn-manual/dipAddress )
dipHostname=$( awk 'NR == 2' /opt/piavpn-manual/dipAddress)
dipKey=$( awk 'NR == 3' /opt/piavpn-manual/dipAddress )
pfOption=$( awk 'NR == 5' /opt/piavpn-manual/dipAddress )
rm -f /opt/piavpn-manual/dipAddress
break
fi
done
fi
# Erase previous connection details if present
rm -f /opt/piavpn-manual/token /opt/piavpn-manual/latencyList
# Prompt for port forwarding if no DIP or DIP allows it
if [[ $pfOption = "false" ]]; then
PIA_PF="false"
fi
# Check for in-line definition of PIA_PF and prompt for input
if [[ -z $PIA_PF ]]; then
echo -n "Do you want a forwarding port assigned ([N]o/[y]es): "
@ -158,13 +216,15 @@ ${green}Defaulting to yes.${nc}
echo -e "${nc}"
fi
# Input validation and check for conflicting declarations of AUTOCONNECT and PREFERRED_REGION
# If both variables are set, AUTOCONNECT has superiority and PREFERRED_REGION is ignored
if [[ -z $AUTOCONNECT ]]; then
# Only prompt for server selection if no DIP has been specified
if [[ -z $DIP_TOKEN ]]; then
# Input validation and check for conflicting declarations of AUTOCONNECT and PREFERRED_REGION
# If both variables are set, AUTOCONNECT has superiority and PREFERRED_REGION is ignored
if [[ -z $AUTOCONNECT ]]; then
echo "AUTOCONNECT was not declared."
echo
selectServer="ask"
elif echo "${AUTOCONNECT:0:1}" | grep -iq f; then
elif echo "${AUTOCONNECT:0:1}" | grep -iq f; then
if [[ $AUTOCONNECT != "false" ]]; then
echo -e "The variable ${green}AUTOCONNECT=$AUTOCONNECT${nc}, starts with 'f' for 'false'."
AUTOCONNECT="false"
@ -172,7 +232,7 @@ elif echo "${AUTOCONNECT:0:1}" | grep -iq f; then
echo
fi
selectServer="yes"
else
else
if [[ $AUTOCONNECT != "true" ]]; then
echo -e "The variable ${green}AUTOCONNECT=$AUTOCONNECT${nc}, does not start with 'f' for 'false'."
AUTOCONNECT="true"
@ -190,15 +250,15 @@ else
PREFERRED_REGION=""
fi
selectServer="no"
fi
fi
# Prompt the user to specify a server or auto-connect to the lowest latency
while :; do
# Prompt the user to specify a server or auto-connect to the lowest latency
while :; do
if [[ -z $PREFERRED_REGION ]]; then
# If autoconnect is not set, prompt the user to specify a server or auto-connect to the lowest latency
if [[ $selectServer == "ask" ]]; then
echo -n "Do you want to manually select a server, instead of auto-connecting to the
server with the lowest latency ([N]o/[y]es): "
server with the lowest latency ([N]o/[y]es): "
read -r selectServer
echo
fi
@ -213,9 +273,9 @@ server with the lowest latency ([N]o/[y]es): "
# All servers that respond slower than this will be ignored.
if [[ -z $MAX_LATENCY ]]; then
echo -n "With no input, the maximum allowed latency will be set to 0.05s (50ms).
If your connection has high latency, you may need to increase this value.
For example, you can try 0.2 for 200ms allowed latency.
"
If your connection has high latency, you may need to increase this value.
For example, you can try 0.2 for 200ms allowed latency.
"
else
latencyInput=$MAX_LATENCY
fi
@ -314,7 +374,8 @@ For example, you can try 0.2 for 200ms allowed latency.
fi
PREFERRED_REGION=""
fi
done
done
fi
if [[ -z $VPN_PROTOCOL ]]; then
VPN_PROTOCOL="none"
@ -391,4 +452,39 @@ echo -e "${green}PIA_DNS=$PIA_DNS${nc}"
CONNECTION_READY="true"
export CONNECTION_READY
./get_region.sh
if [[ -z $DIP_TOKEN ]]; then
./get_region.sh
elif [[ $VPN_PROTOCOL == wireguard ]]; then
echo
echo -e "You will be connecting with ${green}WG_SERVER_IP=$dipAddress${nc} using"
echo -e "${green}VPN_PROTOCOL=wireguard${nc}, so we will automatically connect to WireGuard,"
echo "by running this command:"
echo -e "$ ${green}PIA_PF=$PIA_PF PIA_TOKEN=$PIA_TOKEN" \\
echo "DIP_TOKEN=$DIP_TOKEN" \\
echo "WG_SERVER_IP=$dipAddress WG_HOSTNAME=$dipHostname" \\
echo -e "./connect_to_wireguard_with_token.sh${nc}"
echo
PIA_PF=$PIA_PF PIA_TOKEN=$PIA_TOKEN DIP_TOKEN=$DIP_TOKEN \
WG_SERVER_IP=$dipAddress WG_HOSTNAME=$dipHostname \
./connect_to_wireguard_with_token.sh
rm -f /opt/piavpn-manual/latencyList
exit 0
elif [[ $VPN_PROTOCOL == openvpn* ]]; then
echo
echo "The dedicated IP connection will be started with"
echo -e "${green}VPN_PROTOCOL=$VPN_PROTOCOL${nc}, so we will automatically"
echo "connect to OpenVPN, by running this command:"
echo -e "$ ${green}PIA_PF=$PIA_PF PIA_TOKEN=$PIA_TOKEN" \\
echo "DIP_TOKEN=$DIP_TOKEN OVPN_SERVER_IP=$dipAddress" \\
echo "OVPN_HOSTNAME=$dipHostname" \\
echo "CONNECTION_SETTINGS=$VPN_PROTOCOL" \\
echo -e "./connect_to_openvpn_with_token.sh${nc}"
echo
PIA_PF=$PIA_PF PIA_TOKEN=$PIA_TOKEN \
DIP_TOKEN=$DIP_TOKEN OVPN_SERVER_IP=$dipAddress \
OVPN_HOSTNAME=$dipHostname \
CONNECTION_SETTINGS=$VPN_PROTOCOL \
./connect_to_openvpn_with_token.sh
rm -f /opt/piavpn-manual/latencyList
exit 0
fi