From 6ecaeb4fde1d9dc92e509aec17b7050d34e1aa11 Mon Sep 17 00:00:00 2001
From: Mariusz Kogen
Date: Sun, 30 Mar 2025 16:04:34 +0200
Subject: [PATCH] fix initiall setup as user and clear messaging (#2848)

* fix initiall setup as user and clear messaging
* fix this and that :)
* add IPv6 support to validate_ip function
* Use vpn-clearnet as name for the interface
* Rebrand and finish with docs link
* set static clearnet name
* Magic clearnet to the end :D
* change the command name
* the name is magic-clearnet
* wireguard-vps-proxy-setup
* one more fix
---
 ...wg-vps-setup => wireguard-vps-proxy-setup} | 236 ++++++++++++++++--
 debian/postinst                               |   2 +-
 2 files changed, 213 insertions(+), 25 deletions(-)
 rename build/lib/scripts/{wg-vps-setup => wireguard-vps-proxy-setup} (53%)

diff --git a/build/lib/scripts/wg-vps-setup b/build/lib/scripts/wireguard-vps-proxy-setup
similarity index 53%
rename from build/lib/scripts/wg-vps-setup
rename to build/lib/scripts/wireguard-vps-proxy-setup
index 6c630bb46..f9f654fe3 100755
--- a/build/lib/scripts/wg-vps-setup
+++ b/build/lib/scripts/wireguard-vps-proxy-setup
@@ -1,5 +1,33 @@ #!/bin/bash +# ============================================================================= +# Wireguard VPS Proxy Setup +# ============================================================================= +# +# This script automates the setup of a WireGuard VPN server on a remote VPS +# for StartOS Clearnet functionality. It handles: +# +# 1. SSH key-based authentication setup +# 2. Root access configuration (if needed) +# 3. WireGuard server installation +# 4. Configuration file generation and import +# +# Usage: +# wireguard-vps-proxy-setup [-h] [-i IP] [-u USERNAME] [-p PORT] [-k SSH_KEY] +# +# Options: +# -h Show help message +# -i VPS IP address +# -u SSH username (default: root) +# -p SSH port (default: 22) +# -k Path to custom SSH private key +# +# Example: +# wireguard-vps-proxy-setup -i 110.18.1.1 -u debian +# +# Note: This script requires root privileges and will auto-elevate if needed. +# ============================================================================= + # Colors for better output RED='\033[0;31m' GREEN='\033[0;32m' @@ -8,7 +36,7 @@ YELLOW='\033[1;33m' NC='\033[0;37m' # No Color # --- Constants --- -readonly WIREGUARD_INSTALL_URL="https://raw.githubusercontent.com/start9labs/wg-vps-setup/master/wireguard-install.sh" +readonly WIREGUARD_INSTALL_URL="https://raw.githubusercontent.com/start9labs/wireguard-vps-proxy-setup/master/wireguard-install.sh" readonly SSH_KEY_DIR="/home/start9/.ssh" readonly SSH_KEY_NAME="id_ed25519" readonly SSH_PRIVATE_KEY="$SSH_KEY_DIR/$SSH_KEY_NAME" @@ -31,7 +59,7 @@ check_root() { print_banner() { echo -e "${BLUE}" echo "================================================" - echo -e " ${NC}StartOS WireGuard VPS Setup Tool${BLUE} " + echo -e " ${NC}Wireguard VPS Proxy Setup${BLUE} " echo "================================================" echo -e "${NC}" } 
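Review bot: The usage example `wireguard-vps-proxy-setup -i 110.18.1.1 -u debian` uses a routable public address; documentation examples should use an RFC 5737 range, e.g. `-i 203.0.113.10`, so a copy-paste cannot target a real host. The header lists "Root access configuration (if needed)" without saying what that does to the VPS, while the `enable_root_login` function added later in this patch rewrites the VPS sshd_config to `PermitRootLogin prohibit-password` and `PasswordAuthentication no` and copies the login user's authorized_keys to root; a line such as `#   With -u, the script enables key-only root login on the VPS and disables SSH password authentication.` belongs in this usage block so an operator knows before answering the prompt. The "will auto-elevate" claim refers to `check_root`, which is outside this hunk, so it is not verified here.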
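Review bot: `WIREGUARD_INSTALL_URL` still resolves a mutable `master` ref on raw.githubusercontent.com, and the `install_wireguard` hunk in this same patch executes the fetched file as root on the VPS (`bash ~/wireguard-install.sh`), so anyone who can push to that branch gets root on every VPS provisioned by this tool. Pin the URL to a commit SHA and check a known digest before the script is uploaded, e.g. `readonly WIREGUARD_INSTALL_SHA256="<digest>"` beside the URL and `echo "$WIREGUARD_INSTALL_SHA256  wireguard-install.sh" | sha256sum -c -` after the download. The download step itself is outside this hunk, so any check it already performs is not visible here.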
@@ -51,23 +79,53 @@ print_usage() {
 # Function to display end message
 display_end_message() {
   echo -e "\n${BLUE}------------------------------------------------------------------${NC}"
-  echo -e "${NC}WireGuard server setup complete!"
-  echo -e "${BLUE}------------------------------------------------------------------${NC}"
-  echo -e "\n${YELLOW}To expose your services to the Clearnet, use the following commands on your StartOS system (replace placeholders):${NC}"
-  echo -e "\n ${YELLOW}1. Initialize ACME (This only needs to be done once):${NC}"
-  echo " start-cli net acme init --provider=letsencrypt --contact=mailto:your-email@example.com"
-  echo -e "\n ${YELLOW}2. Expose 'hello-world' on port 80 through VPS:${NC}"
-  echo " start-cli package host hello-world binding ui-multi set-public 80"
-  echo -e "\n ${YELLOW}3. Add a domain to your 'hello-world' service:${NC}"
-  echo " start-cli package host hello-world address ui-multi domain add your-domain.example.com --acme=letsencrypt"
-  echo -e "\n${YELLOW}Replace '${NC}your-email@example.com${YELLOW}' with your actual email address, '${NC}your-domain.example.com${YELLOW}' with your actual domain and '${NC}hello-world${YELLOW}' with your actual service id.${NC}"
+  echo -e "${GREEN}Wireguard VPS Proxy server setup complete!${NC}"
   echo -e "${BLUE}------------------------------------------------------------------${NC}"
+  echo -e "\n${GREEN}Clearnet functionality has been enabled via VPS (${VPS_IP})${NC}"
+  echo -e "\n${YELLOW}Next steps:${NC}"
+  echo -e "Visit https://docs.start9.com to complete the Clearnet setup"
+  echo -e "\n${BLUE}------------------------------------------------------------------${NC}"
 }
 
 # Function to validate IP address
 validate_ip() {
   local ip=$1
+  # IPv4 validation
   if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+    # Additional IPv4 validation to ensure each octet is <= 255
+    local IFS='.'
+    read -ra ADDR <<< "$ip"
+    for i in "${ADDR[@]}"; do
+      if [ "$i" -gt 255 ]; then
+        return 1
+      fi
+    done
+    return 0
+  # IPv6 validation
+  elif [[ $ip =~ ^([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$ ]] || \
+       [[ $ip =~ ^([0-9a-fA-F]{1,4}:){6}:[0-9a-fA-F]{1,4}$ ]] || \
+       [[ $ip =~ ^([0-9a-fA-F]{1,4}:){5}(:[0-9a-fA-F]{1,4}){1,2}$ ]] || \
+       [[ $ip =~ ^([0-9a-fA-F]{1,4}:){4}(:[0-9a-fA-F]{1,4}){1,3}$ ]] || \
+       [[ $ip =~ ^([0-9a-fA-F]{1,4}:){3}(:[0-9a-fA-F]{1,4}){1,4}$ ]] || \
+       [[ $ip =~ ^([0-9a-fA-F]{1,4}:){2}(:[0-9a-fA-F]{1,4}){1,5}$ ]] || \
+       [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1}(:[0-9a-fA-F]{1,4}){1,6}$ ]] || \
+       [[ $ip =~ ^::([0-9a-fA-F]{1,4}:){0,6}[0-9a-fA-F]{1,4}$ ]] || \
+       [[ $ip =~ ^[0-9a-fA-F]{1,4}::([0-9a-fA-F]{1,4}:){0,5}[0-9a-fA-F]{1,4}$ ]] || \
+       [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,4}$ ]] || \
+       [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,3}$ ]] || \
+       [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,2}$ ]] || \
+       [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,1}$ ]] || \
+       [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}$ ]] || \
+       [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,7}:$ ]] || \
+       [[ $ip =~ ^::([0-9a-fA-F]{1,4}:){0,7}[0-9a-fA-F]{1,4}$ ]] || \
+       [[ $ip =~ ^[0-9a-fA-F]{1,4}::([0-9a-fA-F]{1,4}:){0,6}[0-9a-fA-F]{1,4}$ ]] || \
+       [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}$ ]] || \
+       [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}$ ]] || \
+       [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}$ ]] || \
+       [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}$ ]] || \
+       [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,6}(:[0-9a-fA-F]{1,4}){1,1}$ ]] || \
+       [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,7}:$ ]] || \
+       [[ $ip =~ ^::$ ]]; then
     return 0
   else
     return 1
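Review bot: The IPv6 branch is 24 regex alternatives that are hard to audit and partly redundant — `^([0-9a-fA-F]{1,4}:){1,7}:$` appears twice, the `^::…{0,6}` and `^[0-9a-fA-F]{1,4}::…{0,5}` forms are subsumed by the `{0,7}` and `{0,6}` variants listed below them, and nothing in the list states the rule being enforced, so a future edit can quietly widen it. A structural check (groups of 1–4 hex digits, at most one `::`, exactly 8 groups without `::` and at most 7 with it) is shorter and says what it accepts; the sketch below replaces the `elif` chain and still rejects zone IDs and IPv4-mapped forms, as the current list does. The IPv4 branch is sound: the regex guarantees digit-only octets, so `[ "$i" -gt 255 ]` cannot see a non-integer, and the `local IFS='.'` is harmless because the function returns before anything else splits on whitespace. The function's closing `fi` and `}` lie outside this hunk.
```shell
  # IPv6 validation: groups of 1-4 hex digits separated by ":", at most one
  # "::" abbreviation, exactly 8 groups without "::" and at most 7 with it.
  elif [[ $ip == *:* ]]; then
    [[ $ip =~ ^[0-9a-fA-F:]+$ ]] || return 1
    [[ $ip == *:::* || $ip == *::*::* ]] && return 1
    [[ $ip != "::" && ( $ip == :[^:]* || $ip == *[^:]: ) ]] && return 1
    local IFS=':' group groups=0
    for group in $ip; do
      [[ -z $group ]] && continue
      (( ${#group} <= 4 )) || return 1
      groups=$((groups + 1))
    done
    if [[ $ip == *::* ]]; then
      (( groups <= 7 )) && return 0
    else
      (( groups == 8 )) && return 0
    fi
    return 1
  else
    return 1
```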
@@ -90,6 +148,15 @@ configure_ssh_key_auth() {
     echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
   fi
 
+  # Enable root login
+  if grep -q "^#PermitRootLogin" /etc/ssh/sshd_config; then
+    sed -i "s/^#PermitRootLogin.*/PermitRootLogin yes/" /etc/ssh/sshd_config
+  elif grep -q "^PermitRootLogin" /etc/ssh/sshd_config; then
+    sed -i "s/^PermitRootLogin.*/PermitRootLogin yes/" /etc/ssh/sshd_config
+  else
+    echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
+  fi
+
   # Configure AuthorizedKeysFile if needed
   if grep -q "^#AuthorizedKeysFile" /etc/ssh/sshd_config; then
     sed -i "s/^#AuthorizedKeysFile.*/AuthorizedKeysFile .ssh\/authorized_keys .ssh\/authorized_keys2/" /etc/ssh/sshd_config
@@ -203,7 +270,7 @@ install_wireguard() {
   fi
 
   # Run the remote install script and let it complete
-  if ! ssh -o ConnectTimeout=60 -i "$SSH_PRIVATE_KEY" -o StrictHostKeyChecking=no -p "$SSH_PORT" -t "$SSH_USER@$VPS_IP" "bash -c 'export TERM=xterm-256color; export STARTOS_HOSTNAME=$(hostname); bash ~/wireguard-install.sh'"; then
+  if ! ssh -o ConnectTimeout=60 -i "$SSH_PRIVATE_KEY" -o StrictHostKeyChecking=no -p "$SSH_PORT" -t "$SSH_USER@$VPS_IP" "bash -c 'export TERM=xterm-256color; export STARTOS_HOSTNAME=clearnet; bash ~/wireguard-install.sh'"; then
     echo -e "${RED}WireGuard installation failed on remote server.${NC}"
     return 1
   fi
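Review bot: The new block writes `PermitRootLogin yes`, which also permits root password logins, while the `enable_root_login` function added in this same patch writes `PermitRootLogin prohibit-password` and the manual instructions printed for the root path say `prohibit-password` too; since this is the fallback the root path invokes, use the key-only value here as well, and one substitution covers both the commented and uncommented cases: `sed -i "s/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/" /etc/ssh/sshd_config`. Whether these commands run on the VPS or on the local host depends on how `configure_ssh_key_auth` opens, which is outside the hunk. On images that ship `/etc/ssh/sshd_config.d/*.conf` drop-ins, sshd's first-match rule means an `Include`d value wins over a directive appended at the end of sshd_config, so the `echo ... >> /etc/ssh/sshd_config` fallback may have no effect; `sshd -T | grep -i permitrootlogin` reports the effective value.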
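Review bot: The rewritten ssh line keeps `-o StrictHostKeyChecking=no`, which silently accepts a changed host key for the very session that runs `bash ~/wireguard-install.sh` as root on the VPS; a key mismatch on a previously seen host is exactly the case to stop on. `-o StrictHostKeyChecking=accept-new` keeps first contact trust-on-first-use but aborts on a mismatch, and the same option recurs on the other ssh calls in this patch. The enclosing `install_wireguard` function starts and ends outside this hunk.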
@@ -218,6 +285,74 @@ install_wireguard() {
   return 0
 }
 
+# Function to enable root login via SSH
+enable_root_login() {
+  echo -e "${BLUE}Checking and configuring root SSH access...${NC}"
+
+  # Try to modify sshd config using sudo
+  if ! ssh -i "$SSH_PRIVATE_KEY" -o StrictHostKeyChecking=no -p "$SSH_PORT" "$SSH_USER@$VPS_IP" '
+    # Check if we can use sudo without password
+    if ! sudo -n true 2>/dev/null; then
+      echo -e "\033[1;33mNOTE: You may be prompted for your sudo password.\033[0m"
+    fi
+
+    # Check if user is in sudo group
+    if ! groups | grep -q sudo; then
+      echo -e "\033[1;31mError: Your user is not in the sudo group. Root access cannot be configured.\033[0m"
+      exit 1
+    fi
+
+    # Backup sshd config
+    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
+
+    # Enable root login with SSH keys only
+    if sudo grep -q "^PermitRootLogin" /etc/ssh/sshd_config; then
+      sudo sed -i "s/^PermitRootLogin.*/PermitRootLogin prohibit-password/" /etc/ssh/sshd_config
+    else
+      echo "PermitRootLogin prohibit-password" | sudo tee -a /etc/ssh/sshd_config
+    fi
+
+    # Ensure password authentication is disabled
+    if sudo grep -q "^PasswordAuthentication" /etc/ssh/sshd_config; then
+      sudo sed -i "s/^PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config
+    else
+      echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config
+    fi
+
+    # Set up root SSH directory and keys
+    echo -e "\033[1;33mSetting up root SSH access...\033[0m"
+    sudo mkdir -p /root/.ssh
+    sudo cp ~/.ssh/authorized_keys /root/.ssh/
+    sudo chown -R root:root /root/.ssh
+    sudo chmod 700 /root/.ssh
+    sudo chmod 600 /root/.ssh/authorized_keys
+
+    # Reload SSH service
+    sudo systemctl reload sshd
+
+    # Verify the changes
+    if ! sudo grep -q "^PermitRootLogin prohibit-password" /etc/ssh/sshd_config; then
+      echo -e "\033[1;31mError: Failed to verify root login configuration.\033[0m"
+      exit 1
+    fi
+
+    # Test root SSH access
+    if ! sudo -n true 2>/dev/null; then
+      echo -e "\033[1;33mNOTE: Please try to log in as root now using your SSH key.\033[0m"
+      echo -e "\033[1;33mIf successful, run this script again without the -u parameter.\033[0m"
+    else
+      echo -e "\033[1;32mRoot SSH access has been configured successfully!\033[0m"
+    fi
+  '; then
+    echo -e "${RED}Failed to configure root SSH access.${NC}"
+    return 1
+  fi
+
+  echo -e "${GREEN}Root SSH access has been configured successfully!${NC}"
+  echo -e "${YELLOW}Please try to log in as root now using your SSH key. If successful, run this script again without the -u parameter.${NC}"
+  return 0
+}
+
 # --- Main Script ---
 # Initialize variables
 VPS_IP=""
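Review bot: `sudo cp ~/.ssh/authorized_keys /root/.ssh/` replaces whatever authorized_keys root already has and grants root to every key the login user holds, not only the one this script generated; append instead — `sudo touch /root/.ssh/authorized_keys` followed by `sudo tee -a /root/.ssh/authorized_keys < ~/.ssh/authorized_keys >/dev/null` — and preferably pass only the StartOS public key into the remote script. The ssh call is made without `-t`, so the password prompt the NOTE promises cannot appear: sudo normally refuses to read a password without a terminal, which makes the whole function fail for any user whose sudo is not NOPASSWD, while `install_wireguard` in this same patch does pass `-t`. The block headed `# Test root SSH access` does not test root login at all (it re-runs `sudo -n true`), no `sudo sshd -t` precedes `sudo systemctl reload sshd`, and the outer function prints "configured successfully" whatever the reload did, so a rejected config goes unnoticed. `PasswordAuthentication no` is applied globally on a VPS the operator may still reach only by password, and the grep verification reads only `/etc/ssh/sshd_config`, so a `sshd_config.d` drop-in setting `PermitRootLogin no` would pass the check while leaving root login disabled; `sudo sshd -T` gives the effective values.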
@@ -311,27 +446,80 @@ echo -e "${GREEN}SSH key-based authentication configured successfully!${NC}"
 
 # Test SSH connection using key-based authentication
 echo -e "\nTesting SSH connection with key-based authentication..."
-if ! ssh -q -o BatchMode=yes -o ConnectTimeout=5 -i "$SSH_PRIVATE_KEY" -o StrictHostKeyChecking=no -p "$SSH_PORT" "$SSH_USER@$VPS_IP" 'grep -q "^PubkeyAuthentication yes" /etc/ssh/sshd_config'; then
-  echo -e "\n${RED}SSH key-based authentication is not enabled on your VPS.${NC}"
-  echo -e "\n${YELLOW}Would you like this script to automatically enable SSH key authentication? (y/N):${NC} "
-  read -r answer
+if ! ssh -q -o BatchMode=yes -o ConnectTimeout=5 -i "$SSH_PRIVATE_KEY" -o StrictHostKeyChecking=no -p "$SSH_PORT" "$SSH_USER@$VPS_IP" 'exit'; then
+  echo -e "${RED}SSH connection test failed. Please check your credentials and try again.${NC}"
+  exit 1
+fi
 
+# If we're connecting as a non-root user, set up root access first
+if [ "$SSH_USER" != "root" ]; then
+  echo -e "\n${YELLOW}You are connecting as a non-root user. This script needs to enable root SSH access.${NC}"
+  echo -e "${YELLOW}This is a one-time setup that will allow direct root login for WireGuard installation.${NC}"
+  echo -n -e "${YELLOW}Would you like to proceed? (y/N): ${NC}"
+  read -r answer
+
   if [[ "$answer" =~ ^[Yy]$ ]]; then
-    configure_ssh_key_auth
+    if enable_root_login; then
+      echo -e "\n${BLUE}------------------------------------------------------------------${NC}"
+      echo -e "${GREEN}Root SSH access has been configured successfully!${NC}"
+      echo -e "${YELLOW}Please run this script again without the -u parameter to continue setup.${NC}"
+      echo -e "${BLUE}------------------------------------------------------------------${NC}"
+      exit 0
+    else
+      echo -e "${RED}Failed to configure root SSH access. Please check your sudo privileges and try again.${NC}"
+      exit 1
+    fi
   else
     echo -e "\n${BLUE}------------------------------------------------------------------${NC}"
-    echo -e "${YELLOW}To manually enable SSH key authentication:${NC}"
+    echo -e "${YELLOW}To manually configure SSH for root access:${NC}"
     echo -e "\n ${YELLOW}1. Connect to your VPS and edit sshd_config:${NC}"
-    echo " nano /etc/ssh/sshd_config"
-    echo -e "\n ${YELLOW}2. Find and uncomment or add the line:${NC}"
+    echo " sudo nano /etc/ssh/sshd_config"
+    echo -e "\n ${YELLOW}2. Find and uncomment or add these lines:${NC}"
     echo " PubkeyAuthentication yes"
+    echo " PermitRootLogin yes"
+    echo " AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2"
     echo -e "\n ${YELLOW}3. Restart the SSH service:${NC}"
-    echo " systemctl restart sshd"
+    echo " sudo systemctl restart sshd"
+    echo -e "\n ${YELLOW}4. Copy your SSH key to root user:${NC}"
+    echo " sudo mkdir -p /root/.ssh"
+    echo " sudo cp ~/.ssh/authorized_keys /root/.ssh/"
+    echo " sudo chown -R root:root /root/.ssh"
+    echo " sudo chmod 700 /root/.ssh"
+    echo " sudo chmod 600 /root/.ssh/authorized_keys"
     echo -e "${BLUE}------------------------------------------------------------------${NC}"
-    echo -e "\n${YELLOW}Please enable SSH key authentication and run this script again.${NC}"
+    echo -e "\n${YELLOW}After completing these steps, run this script again without the -u parameter.${NC}"
     exit 1
   fi
 fi
+
+# Check if root login is permitted when connecting as root
+if [ "$SSH_USER" = "root" ]; then
+  # Check for both "yes" and "prohibit-password" as valid root login settings
+  if ! ssh -q -o BatchMode=yes -o ConnectTimeout=5 -i "$SSH_PRIVATE_KEY" -o StrictHostKeyChecking=no -p "$SSH_PORT" "$SSH_USER@$VPS_IP" 'grep -q "^PermitRootLogin.*\(yes\|prohibit-password\)" /etc/ssh/sshd_config'; then
+    echo -e "\n${RED}Root SSH login is not enabled on your VPS.${NC}"
+    echo -e "\n${YELLOW}Would you like this script to automatically enable root SSH access? (y/N):${NC} "
+    read -r answer
+
+    if [[ "$answer" =~ ^[Yy]$ ]]; then
+      configure_ssh_key_auth
+    else
+      echo -e "\n${BLUE}------------------------------------------------------------------${NC}"
+      echo -e "${YELLOW}To manually configure SSH for root access:${NC}"
+      echo -e "\n ${YELLOW}1. Connect to your VPS and edit sshd_config:${NC}"
+      echo " sudo nano /etc/ssh/sshd_config"
+      echo -e "\n ${YELLOW}2. Find and uncomment or add these lines:${NC}"
+      echo " PubkeyAuthentication yes"
+      echo " PermitRootLogin prohibit-password"
+      echo " AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2"
+      echo -e "\n ${YELLOW}3. Restart the SSH service:${NC}"
+      echo " sudo systemctl restart sshd"
+      echo -e "${BLUE}------------------------------------------------------------------${NC}"
+      echo -e "\n${YELLOW}Please enable root SSH access and run this script again.${NC}"
+      exit 1
+    fi
+  fi
+fi
+
 echo -e "${GREEN}SSH connection successful with key-based authentication!${NC}"
 
 # Download the WireGuard install script locally
@@ -364,4 +552,4 @@ fi
 # Import the configuration
 if ! import_wireguard_config "$CONFIG_NAME"; then
   echo -e "${RED}StartOS configuration import failed or skipped!${NC}"
-fi
+fi
\ No newline at end of file
diff --git a/debian/postinst b/debian/postinst
index d29fcfb86..2404ac5b3 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -109,7 +109,7 @@ rm -rf /var/lib/tor/*
 ln -sf /usr/lib/startos/scripts/chroot-and-upgrade /usr/bin/chroot-and-upgrade
 ln -sf /usr/lib/startos/scripts/tor-check /usr/bin/tor-check
 ln -sf /usr/lib/startos/scripts/gather-debug-info /usr/bin/gather-debug-info
-ln -sf /usr/lib/startos/scripts/wg-vps-setup /usr/bin/wg-vps-setup
+ln -sf /usr/lib/startos/scripts/wireguard-vps-proxy-setup /usr/bin/wireguard-vps-proxy-setup
 echo "fs.inotify.max_user_watches=1048576" > /etc/sysctl.d/97-startos.conf
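Review bot: In the root branch, the `grep -q "^PermitRootLogin.*\(yes\|prohibit-password\)" /etc/ssh/sshd_config` check runs only after the `'exit'` test above it has already succeeded as root over a key, so root login is demonstrably enabled at that point and the grep can only produce a false negative — a `sshd_config.d` drop-in, a `Match` block, or the still-accepted spelling `without-password` all fail it — after which the script drops into `configure_ssh_key_auth` and rewrites a working configuration. Either drop the check or ask sshd for the effective value: `'sshd -T 2>/dev/null | grep -Eiq "^permitrootlogin (yes|prohibit-password|without-password)"'`. The two manual-instruction blocks in this hunk also disagree: the non-root path tells the user to set `PermitRootLogin yes` while the root path says `prohibit-password`; use `prohibit-password` in both, and the non-root step 4 should append to `/root/.ssh/authorized_keys` rather than `cp` over it.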