Region Selection and Other Improvements

- separated get_region and get_token into two separate scripts, allowing for independent calls to each if desired; this also allows the implementation of other features mentioned below - implemented use of new centralized authentication server for easier automation; the new API is located at https://privateinternetaccess.com/gtoken/generateToken - added server selection capabilities to run_setup.sh, as requested by multiple users - added one-line call capabilities to run_setup.sh to allow easy automation - changed PIA_AUTOCONNECT to VPN_PROTOCOL for clarity - added AUTOCONNECT for one-line calls - added PREFERRED_REGION for one-line calls - added colored output to highlight important details - added input validation for prompts in run_setup.sh
pia-foss · Jan 21, 2021 · 742a492 · 742a492
1 parent d2d2480
commit 742a492
Show file tree

Hide file tree

Showing 8 changed files with 890 additions and 419 deletions.
diff --git a/README.md b/README.md
@@ -1,11 +1,11 @@
 # Manual PIA VPN Connections
 
-This repository contains documentation on how to create native WireGuard and OpenVPN connections to our __NextGen network__, and also on how to enable Port Forwarding in case you require this feature. You will find a lot of information below. However if you prefer quick test, here is the __TL/DR__:
+This repository contains documentation on how to create native WireGuard and OpenVPN connections, and also on how to enable Port Forwarding in case you require this feature. You will find a lot of information below. However if you prefer quick test, here is the __TL/DR__:
 
 ```
 git clone https://github.com/pia-foss/manual-connections.git
 cd manual-connections
-./run_setup.sh
+sudo ./run_setup.sh
 ```
 
 The scripts were written so that they are easy to read and to modify. The code also has a lot of comments, so that you find all the information you might need. We hope you will enjoy forking the repo and customizing the scripts for your setup!
@@ -57,6 +57,7 @@ Some users have created their own repositories for manual connections, based on
 |:-:|:-:|:-:|:-:|-|
 | FreeBSD | Yes | Bash | Compatibility | [glorious1/manual-connections](https://github.com/glorious1/manual-connections) |
 | Linux | No | Groovy/Java | WireGuard, PF | [Slugger/piawgmgr](https://github.com/Slugger/piawgmgr) |
+| Linux | No | Python | WireGuard, PF | [milahu/python-piavpn](https://github.com/milahu/python-piavpn) |
 | OPNsense | No | Python | WireGuard, PF | [FingerlessGlov3s/OPNsensePIAWireguard](https://github.com/FingerlessGlov3s/OPNsensePIAWireguard) |
 | pfSense | No | Sh | OpenVPN, PF | [fm407/PIA-NextGen-PortForwarding](https://github.com/fm407/PIA-NextGen-PortForwarding) |
 | Synology | Yes | Bash | Compatibility | [steff2632/manual-connections](https://github.com/steff2632/manual-connections) |
@@ -74,8 +75,24 @@ This service can be used only AFTER establishing a VPN connection.
 
 In order to help you use VPN services and PF on any device, we have prepared a few bash scripts that should help you through the process of setting everything up. The scripts also contain a lot of comments, just in case you require detailed information regarding how the technology works. The functionality is controlled via environment variables, so that you have an easy time automating your setup.
 
+The easiest way to trigger a fully automated connection is by running this oneliner:
+```
+sudo VPN_PROTOCOL=wireguard DISABLE_IPV6="no" AUTOCONNECT=true PIA_PF=false PIA_USER=p0123456 PIA_PASS=xxxxxxxx ./run_setup.sh
+```
+
 Here is a list of scripts you could find useful:
- * [Get the best region and a token](get_region_and_token.sh): This script helps you to get the best region and also to get a token for VPN authentication. Adding your PIA credentials to env vars `PIA_USER` and `PIA_PASS` will allow the script to also get a VPN token. The script can also trigger the WireGuard script to create a connection, if you specify `PIA_AUTOCONNECT=wireguard` or `PIA_AUTOCONNECT=openvpn_udp_standard`
+ * [Prompt based connection](run_setup.sh): This script allows connections with a one-line call, or will prompt for any missing or invalid variables. Varaibles available for one-line calls include:
+   * `PIA_USER` - your PIA username
+   * `PIA_PASS` - your PIA password
+   * `PIA_DNS` - true/false
+   * `PIA_PF` - true/false
+   * `MAX_LATENCY` - numeric value, in seconds
+   * `AUTOCONNECT` - true/false; this will test for and select the server with the lowest latency, it will overried PREFERRED_REGION
+   * `PREFERRED_REGION` - the region ID for a PIA server
+   * `VPN_PROTOCOL` - wireguard or openvpn; openvpn will default to openvpn_udp_standard, but can also specify openvpn_tcp/udp_standad/strong
+   * `DISABLE_IPV6` - yes/no
+ * [Get region details](get_region.sh): This script will provide server details, validate `PREFERRED_REGION` input, and can determine the lowest latency location. The script can also trigger VPN connections, if you specify `VPN_PROTOCOL=wireguard` or `VPN_PROTOCOL=openvpn`; doing so requires a token. This script can reference `get_token.sh` with use of `PIA_USER` and `PIA_PASS`. If called without specifying `PREFERRED_REGION` this script writes a list of servers within lower than `MAX_LATENCY` to a `/opt/piavpn-manual/latencyList` for reference.
+ * [Get a token](get_token.sh): This script allows you to get an authentication token with a valid 'PIA_USER' and 'PIA_PASS'. It will write the token and its expiration date to `/opt/piavpn-manual/token` for reference.
  * [Connect to WireGuard](connect_to_wireguard_with_token.sh): This script allows you to connect to the VPN server via WireGuard.
  * [Connect to OpenVPN](connect_to_openvpn_with_token.sh): This script allows you to connect to the VPN server via OpenVPN.
  * [Enable Port Forwarding](port_forwarding.sh): Enables you to add Port Forwarding to an existing VPN connection. Adding the environment variable `PIA_PF=true` to any of the previous scripts will also trigger this script.

diff --git a/connect_to_openvpn_with_token.sh b/connect_to_openvpn_with_token.sh
@@ -34,33 +34,54 @@ check_tool curl
 check_tool jq
 check_tool openvpn
 
+# Check if terminal allows output, if yes, define colors for output
+if test -t 1; then
+  ncolors=$(tput colors)
+  if test -n "$ncolors" && test $ncolors -ge 8; then
+    GREEN='\033[0;32m'
+    RED='\033[0;31m'
+    NC='\033[0m' # No Color
+  else
+    GREEN=''
+    RED=''
+    NC='' # No Color
+  fi
+fi
+
 # Check if manual PIA OpenVPN connection is already initialized.
 # Multi-hop is out of the scope of this repo, but you should be able to
 # get multi-hop running with both OpenVPN and WireGuard.
 adapter_check="$( ip a s tun06 2>&1 )"
 should_read="Device \"tun06\" does not exist"
 pid_filepath="/opt/piavpn-manual/pia_pid"
 if [[ "$adapter_check" != *"$should_read"* ]]; then
-  echo The tun06 adapter already exists, that interface is required
-  echo for this configuration.
+  echo -e ${RED}The tun06 adapter already exists, that interface is required
+  echo -e for this configuration.${NC}
   if [ -f "$pid_filepath" ]; then
     old_pid="$( cat "$pid_filepath" )"
     old_pid_name="$( ps -p "$old_pid" -o comm= )"
     if [[ $old_pid_name == 'openvpn' ]]; then
       echo
-      echo It seems likely that process $old_pid is an OpenVPN connection
+      echo -e It seems likely that process ${RED}$old_pid${NC} is an OpenVPN connection
       echo that was established by using this script. Unless it is closed
       echo you would not be able to get a new connection.
-      echo -n "Do you want to run $ kill $old_pid (Y/n): "
+      echo -ne "Do you want to run ${RED}$ kill $old_pid${NC} (Y/n): "
       read close_connection
     fi
     if echo ${close_connection:0:1} | grep -iq n ; then
-      echo Closing script. Resolve tun06 adapter conflict and run the script again.
+      echo -e ${RED}Closing script. Resolve tun06 adapter conflict and run the script again.
       exit 1
     fi
-    echo Killing the existing OpenVPN process and waiting 5 seconds...
+    echo
+    echo -e ${GREEN}Killing the existing OpenVPN process and waiting 5 seconds...${NC}
     kill $old_pid
-    sleep 5
+    echo
+    for i in {5..1}; do
+      echo -n "$i..."
+      sleep 1
+      done
+    echo
+    echo
   fi
 fi
 
@@ -72,17 +93,17 @@ if [[ -f /proc/net/if_inet6 ]] &&
   [[ $(sysctl -n net.ipv6.conf.all.disable_ipv6) -ne 1 ||
      $(sysctl -n net.ipv6.conf.default.disable_ipv6) -ne 1 ]]
 then
-  echo 'You should consider disabling IPv6 by running:'
+  echo -e ${RED}'You should consider disabling IPv6 by running:'
   echo 'sysctl -w net.ipv6.conf.all.disable_ipv6=1'
-  echo 'sysctl -w net.ipv6.conf.default.disable_ipv6=1'
+  echo -e 'sysctl -w net.ipv6.conf.default.disable_ipv6=1'${NC}
 fi
 
 #  Check if the mandatory environment variables are set.
 if [[ ! $OVPN_SERVER_IP ||
   ! $OVPN_HOSTNAME ||
   ! $PIA_TOKEN ||
   ! $CONNECTION_SETTINGS ]]; then
-  echo 'This script requires 4 env vars:'
+  echo -e ${RED}'This script requires 4 env vars:'
   echo 'PIA_TOKEN           - the token used for authentication'
   echo 'OVPN_SERVER_IP      - IP that you want to connect to'
   echo 'OVPN_HOSTNAME       - name of the server, required for ssl'
@@ -100,18 +121,18 @@ if [[ ! $OVPN_SERVER_IP ||
   echo An easy solution is to just run get_region_and_token.sh
   echo as it will guide you through getting the best server and
   echo also a token. Detailed information can be found here:
-  echo https://github.com/pia-foss/manual-connections
+  echo -e https://github.com/pia-foss/manual-connections ${NC}
   exit 1
 fi
 
 # Create a credentials file with the login token
-echo "Trying to write /opt/piavpn-manual/pia.ovpn...
-"
+echo -n "Trying to write /opt/piavpn-manual/pia.ovpn..."
 mkdir -p /opt/piavpn-manual
 rm -f /opt/piavpn-manual/credentials /opt/piavpn-manual/route_info
 echo ${PIA_TOKEN:0:62}"
 "${PIA_TOKEN:62} > /opt/piavpn-manual/credentials || exit 1
 chmod 600 /opt/piavpn-manual/credentials
+echo -e "${GREEN}OK!${NC}"
 
 # Translate connection settings variable
 IFS='_'
@@ -148,7 +169,7 @@ echo remote $OVPN_SERVER_IP $port $protocol >> /opt/piavpn-manual/pia.ovpn
 if [ "$PIA_DNS" != true ]; then
   cp openvpn_config/openvpn_up.sh /opt/piavpn-manual/
   cp openvpn_config/openvpn_down.sh /opt/piavpn-manual/
-  echo This configuration will not use PIA DNS.
+  echo -e ${RED}This configuration will not use PIA DNS.${NC}
   echo If you want to also enable PIA DNS, please start the script
   echo with the env var PIA_DNS=true. Example:
   echo $ OVPN_SERVER_IP=\"$OVPN_SERVER_IP\" OVPN_HOSTNAME=\"$OVPN_HOSTNAME\" \
@@ -171,10 +192,10 @@ openvpn --daemon \
   --writepid "/opt/piavpn-manual/pia_pid" \
   --log "/opt/piavpn-manual/debug_info" || exit 1
 
-echo "
+echo -n "
 The OpenVPN connect command was issued.
 
-Confirming OpenVPN connection state... "
+Confirming OpenVPN connection state..."
 
 # Check if manual PIA OpenVPN connection is initialized.
 # Manually adjust the connection_wait_time if needed
@@ -194,45 +215,54 @@ gateway_ip="$( cat /opt/piavpn-manual/route_info )"
 
 # Report and exit if connection was not initialized within 10 seconds.
 if [ "$connected" != true ]; then
-  echo "The VPN connection was not established within 10 seconds."
+  echo -e "${RED}The VPN connection was not established within 10 seconds.${NC}"
   kill $ovpn_pid
   exit 1
 fi
 
-echo "Initialization Sequence Complete!
+echo -e "${GREEN}Initialization Sequence Complete!${NC}
 
 At this point, internet should work via VPN.
 "
 
-echo "OpenVPN Process ID: $ovpn_pid
-VPN route IP: $gateway_ip
+echo -e "OpenVPN Process ID: ${GREEN}$ovpn_pid${NC}
+VPN route IP: ${GREEN}$gateway_ip${NC}
 
 To disconnect the VPN, run:
 
---> sudo kill $ovpn_pid <--
+--> ${GREEN}sudo kill $ovpn_pid${NC} <--
 "
 
 # This section will stop the script if PIA_PF is not set to "true".
 if [ "$PIA_PF" != true ]; then
+  echo If you want to also enable port forwarding, you can start the script:
+  echo -e $ ${GREEN}PIA_TOKEN=$PIA_TOKEN \
+    PF_GATEWAY=$gateway_ip \
+    PF_HOSTNAME=$OVPN_HOSTNAME \
+    ./port_forwarding.sh${NC}
   echo
-  echo If you want to also enable port forwarding, please start the script
-  echo with the env var PIA_PF=true. Example:
-  echo $ OVPN_SERVER_IP=\"$OVPN_SERVER_IP\" OVPN_HOSTNAME=\"$OVPN_HOSTNAME\" \
-    PIA_TOKEN=\"$PIA_TOKEN\" CONNECTION_SETTINGS=\"$CONNECTION_SETTINGS\" \
-    PIA_PF=true ./connect_to_openvpn_with_token.sh
-  exit
+  echo The location used must be port forwarding enabled, or this will fail.
+  echo Calling the ./get_region script with PIA_PF=true will provide a filtered list.
+  exit 1
 fi
 
-echo "
-This script got started with PIA_PF=true.
-Starting procedure to enable port forwarding by running the following command:
-$ PIA_TOKEN=\"$PIA_TOKEN\" \\
-  PF_GATEWAY=\"$gateway_ip\" \\
-  PF_HOSTNAME=\"$OVPN_HOSTNAME\" \\
-  ./port_forwarding.sh
-"
+echo -ne "This script got started with ${GREEN}PIA_PF=true${NC}.
+
+Starting port forwarding in "
+for i in {5..1}; do
+  echo -n "$i..."
+  sleep 1
+done
+echo
+echo
+
+echo -e "Starting procedure to enable port forwarding by running the following command:
+$ ${GREEN}PIA_TOKEN=$PIA_TOKEN \\
+  PF_GATEWAY=$gateway_ip \\
+  PF_HOSTNAME=$OVPN_HOSTNAME \\
+  ./port_forwarding.sh${NC}"
 
 PIA_TOKEN=$PIA_TOKEN \
-  PF_GATEWAY="$gateway_ip" \
-  PF_HOSTNAME="$OVPN_HOSTNAME" \
+  PF_GATEWAY=$gateway_ip \
+  PF_HOSTNAME=$OVPN_HOSTNAME \
   ./port_forwarding.sh