nocci/mvpg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

New branch

Browse source
This commit is contained in:
nocci 2025-08-10 15:34:34 +02:00
commit 58d70409b5
31 changed files with 9093 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

162
scripts/health-check.sh Executable file
View file

@ -0,0 +1,162 @@
#!/bin/bash
# VPN Gateway Health Check Script
# Comprehensive system health monitoring
# Version: 1.0.0
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
# Scoring
TOTAL_SCORE=0
MAX_SCORE=100
ISSUES=()
check_mark() {
echo -e "${GREEN}${NC}"
}
x_mark() {
echo -e "${RED}${NC}"
}
warning_mark() {
echo -e "${YELLOW}${NC}"
}
add_score() {
TOTAL_SCORE=$((TOTAL_SCORE + $1))
}
add_issue() {
ISSUES+=("$1")
}
echo -e "${BLUE}=== VPN Gateway Health Check ===${NC}"
echo ""
# 1. Check Services
echo -n "Checking services... "
services_ok=true
for service in vpn-webui vpn-killswitch vpn-security-monitor; do
if systemctl is-active $service >/dev/null 2>&1; then
add_score 10
else
services_ok=false
add_issue "Service $service is not running"
fi
done
[ "$services_ok" = true ] && check_mark || x_mark
# 2. Check Killswitch
echo -n "Checking killswitch... "
if iptables -L OUTPUT -n | grep -q "policy DROP"; then
add_score 20
check_mark
else
add_issue "Killswitch not active!"
x_mark
fi
# 3. Check VPN Connection
echo -n "Checking VPN connection... "
if wg show wg0 >/dev/null 2>&1; then
add_score 15
check_mark
else
add_issue "VPN not connected"
warning_mark
fi
# 4. Check for leaks
echo -n "Checking for leaks... "
if ! ping -c 1 -W 1 8.8.8.8 >/dev/null 2>&1; then
if wg show wg0 >/dev/null 2>&1; then
add_issue "VPN connected but no internet"
warning_mark
else
add_score 15
check_mark
fi
else
if wg show wg0 >/dev/null 2>&1; then
add_score 15
check_mark
else
add_issue "CRITICAL: Internet accessible without VPN!"
x_mark
fi
fi
# 5. Check DNS
echo -n "Checking DNS configuration... "
dns_ok=true
while read -r dns; do
case "$dns" in
127.0.0.1|10.*|172.*|192.168.*|100.64.*)
;;
*)
dns_ok=false
add_issue "Public DNS detected: $dns"
;;
esac
done < <(grep "^nameserver" /etc/resolv.conf | awk '{print $2}')
if [ "$dns_ok" = true ]; then
add_score 10
check_mark
else
warning_mark
fi
# 6. Check disk space
echo -n "Checking disk space... "
disk_usage=$(df /opt/vpn-gateway | tail -1 | awk '{print $5}' | sed 's/%//')
if [ "$disk_usage" -lt 80 ]; then
add_score 5
check_mark
elif [ "$disk_usage" -lt 90 ]; then
add_issue "Disk usage high: ${disk_usage}%"
warning_mark
else
add_issue "Critical disk usage: ${disk_usage}%"
x_mark
fi
# 7. Check WebUI accessibility
echo -n "Checking WebUI... "
if curl -s http://localhost:5000/api/status >/dev/null 2>&1; then
add_score 10
check_mark
else
add_issue "WebUI not accessible"
x_mark
fi
# Results
echo ""
echo -e "${BLUE}=== Health Score: $TOTAL_SCORE/$MAX_SCORE ===${NC}"
echo ""
if [ $TOTAL_SCORE -ge 90 ]; then
echo -e "${GREEN}System Status: EXCELLENT${NC}"
elif [ $TOTAL_SCORE -ge 70 ]; then
echo -e "${GREEN}System Status: GOOD${NC}"
elif [ $TOTAL_SCORE -ge 50 ]; then
echo -e "${YELLOW}System Status: WARNING${NC}"
else
echo -e "${RED}System Status: CRITICAL${NC}"
fi
if [ ${#ISSUES[@]} -gt 0 ]; then
echo ""
echo "Issues found:"
for issue in "${ISSUES[@]}"; do
echo " - $issue"
done
fi
exit $((100 - TOTAL_SCORE))

241
scripts/killswitch.sh Executable file
View file

@ -0,0 +1,241 @@
#!/bin/bash
#############################################################
# scripts/killswitch.sh #
#############################################################
cat > scripts/killswitch.sh << 'EOFKILLSWITCH'
#!/bin/bash
# VPN Gateway Killswitch Script
# CRITICAL: This script ensures NO traffic leaks without VPN
# Version: 1.0.0
set -e
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
# Get network configuration from install
if [ -f /opt/vpn-gateway/network.conf ]; then
source /opt/vpn-gateway/network.conf
else
# Fallback to auto-detection
LAN_IF=$(ip route | grep default | awk '{print $5}' | head -n1)
LAN_NET=$(ip route | grep "$LAN_IF" | grep -v default | awk '{print $1}' | head -n1)
fi
# Logging
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" >> /var/log/vpn-killswitch.log
echo -e "${GREEN}[+]${NC} $1"
}
error() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] ERROR: $1" >> /var/log/vpn-killswitch.log
echo -e "${RED}[!]${NC} $1"
}
warning() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] WARNING: $1" >> /var/log/vpn-killswitch.log
echo -e "${YELLOW}[*]${NC} $1"
}
enable_killswitch() {
log "ENABLING PERMANENT KILLSWITCH - NO INTERNET WITHOUT VPN"
# Backup current rules (just in case)
iptables-save > /tmp/iptables.backup.$(date +%s) 2>/dev/null || true
# Reset all rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
# DEFAULT POLICIES: DROP EVERYTHING
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
log "Default policies set to DROP"
# CRITICAL: Allow loopback (required for system operation)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow LAN communication (for WebUI and local clients)
if [ -n "$LAN_IF" ] && [ -n "$LAN_NET" ]; then
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A OUTPUT -o $LAN_IF -d $LAN_NET -j ACCEPT
log "LAN communication allowed: $LAN_IF ($LAN_NET)"
fi
# Allow DNS for initial VPN connection (root only, limited)
iptables -A OUTPUT -p udp --dport 53 -m owner --uid-owner root -m limit --limit 10/min -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m owner --uid-owner root -m limit --limit 10/min -j ACCEPT
# Allow DHCP client (if needed)
iptables -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
# Allow established/related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow forwarding from LAN (will only work when VPN is up)
if [ -n "$LAN_IF" ] && [ -n "$LAN_NET" ]; then
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT
fi
# Log dropped packets (optional, can be verbose)
# iptables -A INPUT -j LOG --log-prefix "INPUT-DROP: " --log-level 4
# iptables -A OUTPUT -j LOG --log-prefix "OUTPUT-DROP: " --log-level 4
# IPv6: Complete blocking (unless you use IPv6 VPN)
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Save rules for persistence
mkdir -p /etc/iptables
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
# Ensure persistence across reboots
if ! systemctl is-enabled netfilter-persistent >/dev/null 2>&1; then
systemctl enable netfilter-persistent 2>/dev/null || true
fi
log "KILLSWITCH ACTIVE - System is now protected"
log "Rules saved to /etc/iptables/"
# Verify killswitch is working
verify_killswitch
}
disable_killswitch() {
error "KILLSWITCH CANNOT BE DISABLED FOR SECURITY REASONS!"
warning "This is a security feature. The killswitch must remain active."
warning "If you really need to disable it, you must manually flush iptables rules."
warning "This would leave your system vulnerable to leaks!"
# Re-enable killswitch immediately
enable_killswitch
return 1
}
verify_killswitch() {
log "Verifying killswitch status..."
# Check DROP policies
if iptables -L -n | grep -q "Chain INPUT (policy DROP)" && \
iptables -L -n | grep -q "Chain OUTPUT (policy DROP)" && \
iptables -L -n | grep -q "Chain FORWARD (policy DROP)"; then
log "✓ Killswitch policies verified: DROP"
else
error "✗ Killswitch policies NOT active!"
enable_killswitch
return 1
fi
# Test that we cannot reach internet directly
if ping -c 1 -W 1 8.8.8.8 >/dev/null 2>&1; then
if wg show wg0 >/dev/null 2>&1; then
log "✓ Internet accessible (VPN is connected)"
else
error "✗ LEAK DETECTED: Internet accessible without VPN!"
enable_killswitch
return 1
fi
else
if wg show wg0 >/dev/null 2>&1; then
warning "VPN appears connected but internet not reachable"
else
log "✓ Internet blocked (VPN not connected)"
fi
fi
log "Killswitch verification complete"
}
status_killswitch() {
echo -e "${GREEN}=== VPN Killswitch Status ===${NC}"
echo ""
# Check policies
echo "Firewall Policies:"
iptables -L -n | grep "Chain.*policy" | while read line; do
if echo "$line" | grep -q "DROP"; then
echo -e " ${GREEN}${NC} $line"
else
echo -e " ${RED}${NC} $line"
fi
done
echo ""
echo "Active Rules Summary:"
echo " INPUT: $(iptables -L INPUT -n | grep -c ACCEPT) ACCEPT rules"
echo " OUTPUT: $(iptables -L OUTPUT -n | grep -c ACCEPT) ACCEPT rules"
echo " FORWARD: $(iptables -L FORWARD -n | grep -c ACCEPT) ACCEPT rules"
echo ""
echo "VPN Status:"
if wg show wg0 >/dev/null 2>&1; then
echo -e " ${GREEN}${NC} WireGuard interface active"
echo " Endpoint: $(wg show wg0 endpoints | awk '{print $2}')"
else
echo -e " ${YELLOW}${NC} WireGuard interface not active"
fi
echo ""
echo "Leak Test:"
if ping -c 1 -W 1 8.8.8.8 >/dev/null 2>&1; then
if wg show wg0 >/dev/null 2>&1; then
echo -e " ${GREEN}${NC} Internet accessible via VPN"
else
echo -e " ${RED}✗ LEAK: Internet accessible without VPN!${NC}"
fi
else
echo -e " ${GREEN}${NC} Internet blocked (killswitch working)"
fi
}
# Main logic
case "${1:-enable}" in
enable|start)
enable_killswitch
;;
disable|stop)
disable_killswitch
;;
verify|check)
verify_killswitch
;;
status)
status_killswitch
;;
restart|reload)
enable_killswitch
;;
*)
echo "Usage: $0 {enable|disable|verify|status|restart}"
echo " enable - Enable killswitch (default)"
echo " disable - Disable killswitch (blocked for security)"
echo " verify - Verify killswitch is working"
echo " status - Show detailed status"
echo " restart - Restart killswitch"
exit 1
;;
esac

258
scripts/security-monitor.sh Executable file
View file

@ -0,0 +1,258 @@
#############################################################
# scripts/security-monitor.sh #
#############################################################
cat > scripts/security-monitor.sh << 'EOFSECMON'
#!/bin/bash
# VPN Security Monitor
# Continuous monitoring of killswitch and VPN status
# Version: 1.0.0
# Configuration
CHECK_INTERVAL=10 # seconds
ALERT_EMAIL="" # Set email for alerts
LOG_FILE="/var/log/vpn-security-monitor.log"
STATE_FILE="/var/run/vpn-monitor.state"
# Source network config
if [ -f /opt/vpn-gateway/network.conf ]; then
source /opt/vpn-gateway/network.conf
fi
# Logging functions
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" >> "$LOG_FILE"
}
alert() {
local message="$1"
log "ALERT: $message"
# Send email alert if configured
if [ -n "$ALERT_EMAIL" ]; then
echo "$message" | mail -s "VPN Security Alert" "$ALERT_EMAIL" 2>/dev/null || true
fi
# System notification (if available)
if command -v notify-send >/dev/null 2>&1; then
notify-send "VPN Security Alert" "$message" -u critical
fi
# Log to syslog
logger -t "vpn-security" -p auth.crit "$message"
}
# Check functions
check_killswitch() {
# Verify DROP policies are active
local policies_ok=true
for chain in INPUT OUTPUT FORWARD; do
if ! iptables -L $chain -n | grep -q "policy DROP"; then
alert "Killswitch policy missing for chain $chain!"
policies_ok=false
fi
done
if [ "$policies_ok" = false ]; then
log "Reactivating killswitch..."
/usr/local/bin/vpn-killswitch.sh enable
return 1
fi
return 0
}
check_vpn_connection() {
if wg show wg0 >/dev/null 2>&1; then
# VPN interface exists, check if it's actually working
local endpoint=$(wg show wg0 endpoints | awk '{print $2}')
if [ -z "$endpoint" ]; then
log "WARNING: VPN interface exists but no endpoint configured"
return 1
fi
# Check last handshake
local last_handshake=$(wg show wg0 latest-handshakes | awk '{print $2}')
local current_time=$(date +%s)
if [ -n "$last_handshake" ] && [ "$last_handshake" -ne 0 ]; then
local time_diff=$((current_time - last_handshake))
# If last handshake was more than 3 minutes ago, connection might be dead
if [ $time_diff -gt 180 ]; then
log "WARNING: Last WireGuard handshake was ${time_diff} seconds ago"
return 2
fi
fi
return 0
else
return 1
fi
}
check_dns_leaks() {
# Check if DNS is going through VPN
local dns_servers=$(cat /etc/resolv.conf | grep "^nameserver" | awk '{print $2}')
for dns in $dns_servers; do
# Check if DNS server is in private range or VPN provider's DNS
case "$dns" in
10.*|172.16.*|172.17.*|172.18.*|172.19.*|172.2*|172.30.*|172.31.*|192.168.*|100.64.*)
# Private IP, likely VPN DNS
;;
127.*)
# Localhost, check if it's a DNS proxy
if systemctl is-active systemd-resolved >/dev/null 2>&1; then
log "WARNING: systemd-resolved is active, checking for leaks"
# Additional checks for systemd-resolved
fi
;;
*)
alert "Potential DNS leak detected! Public DNS server: $dns"
return 1
;;
esac
done
return 0
}
check_leak_test() {
# Try to reach internet without VPN
local vpn_active=$(check_vpn_connection; echo $?)
if [ $vpn_active -eq 1 ]; then
# VPN not active, internet should be blocked
if ping -c 1 -W 1 8.8.8.8 >/dev/null 2>&1; then
alert "CRITICAL: Internet accessible without VPN! Leak detected!"
# Immediately re-enable killswitch
/usr/local/bin/vpn-killswitch.sh enable
return 1
fi
fi
return 0
}
check_processes() {
# Check for processes that might bypass VPN
local suspicious_processes=$(netstat -tunp 2>/dev/null | grep -v "127.0.0.1\|::1\|$LAN_NET" | grep ESTABLISHED)
if [ -n "$suspicious_processes" ]; then
log "WARNING: Detected network connections that might bypass VPN:"
echo "$suspicious_processes" >> "$LOG_FILE"
fi
}
monitor_bandwidth() {
# Monitor bandwidth to detect unusual activity
if command -v vnstat >/dev/null 2>&1; then
local current_tx=$(vnstat --oneline | cut -d';' -f9)
local current_rx=$(vnstat --oneline | cut -d';' -f10)
if [ -f "$STATE_FILE" ]; then
source "$STATE_FILE"
# Compare with previous values
# Alert if sudden spike in traffic when VPN is down
if ! check_vpn_connection && [ -n "$LAST_TX" ]; then
# Calculate difference
# If significant traffic when VPN is down, alert
log "Bandwidth check: TX=$current_tx RX=$current_rx"
fi
fi
# Save current state
echo "LAST_TX='$current_tx'" > "$STATE_FILE"
echo "LAST_RX='$current_rx'" >> "$STATE_FILE"
fi
}
auto_recovery() {
local vpn_status=$(check_vpn_connection; echo $?)
if [ $vpn_status -eq 2 ]; then
# Connection stale, try to reconnect
log "Attempting auto-recovery of VPN connection..."
# Get last used server from config
if [ -f /etc/wireguard/wg0.conf ]; then
systemctl restart wg-quick@wg0 2>/dev/null || \
wg-quick down wg0 2>/dev/null && wg-quick up wg0 2>/dev/null
sleep 5
if check_vpn_connection; then
log "Auto-recovery successful"
return 0
else
alert "Auto-recovery failed - manual intervention required"
return 1
fi
fi
fi
return 0
}
# Main monitoring loop
main() {
log "VPN Security Monitor started"
log "Check interval: ${CHECK_INTERVAL}s"
# Initial checks
check_killswitch
check_vpn_connection
check_dns_leaks
local error_count=0
while true; do
# Run all checks
local all_ok=true
if ! check_killswitch; then
all_ok=false
((error_count++))
fi
if ! check_leak_test; then
all_ok=false
((error_count++))
fi
if ! check_dns_leaks; then
all_ok=false
((error_count++))
fi
check_processes
monitor_bandwidth
# Auto-recovery if needed
if [ $error_count -gt 3 ]; then
auto_recovery
error_count=0
fi
# Status indicator
if [ "$all_ok" = true ]; then
echo -n "."
error_count=0
else
echo -n "!"
fi
sleep "$CHECK_INTERVAL"
done
}
# Signal handlers
trap 'log "Security monitor stopped"; exit 0' SIGTERM SIGINT
# Run main loop
main

156
scripts/uninstall.sh Executable file
View file

@ -0,0 +1,156 @@
#!/bin/bash
# VPN Gateway Uninstall Script
# Completely removes VPN Gateway
# Version: 1.0.0
set -e
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
INSTALL_DIR="/opt/vpn-gateway"
log() {
echo -e "${GREEN}[+]${NC} $1"
}
error() {
echo -e "${RED}[!]${NC} $1"
}
warning() {
echo -e "${YELLOW}[!]${NC} $1"
}
# Check root
if [[ $EUID -ne 0 ]]; then
error "This script must be run as root"
exit 1
fi
echo -e "${RED}=== VPN Gateway Uninstaller ===${NC}"
echo ""
warning "This will completely remove VPN Gateway and its components."
warning "The killswitch will be DISABLED, potentially exposing your traffic!"
echo ""
echo "The following will be removed:"
echo " - VPN Gateway application ($INSTALL_DIR)"
echo " - WireGuard configurations"
echo " - Systemd services"
echo " - Firewall rules (killswitch)"
echo " - Nginx configuration"
echo ""
read -p "Are you SURE you want to uninstall? Type 'YES' to confirm: " CONFIRM
if [ "$CONFIRM" != "YES" ]; then
log "Uninstall cancelled"
exit 0
fi
# Create backup just in case
BACKUP_DIR="/root/vpn-gateway-final-backup-$(date +%Y%m%d-%H%M%S)"
log "Creating final backup at $BACKUP_DIR..."
mkdir -p "$BACKUP_DIR"
# Backup configs
cp -r /etc/wireguard "$BACKUP_DIR/wireguard" 2>/dev/null || true
cp -r "$INSTALL_DIR" "$BACKUP_DIR/app" 2>/dev/null || true
iptables-save > "$BACKUP_DIR/iptables.rules" 2>/dev/null || true
# Stop and disable services
log "Stopping services..."
systemctl stop vpn-webui vpn-killswitch vpn-security-monitor 2>/dev/null || true
systemctl disable vpn-webui vpn-killswitch vpn-security-monitor 2>/dev/null || true
# Stop WireGuard
wg-quick down wg0 2>/dev/null || true
systemctl stop wg-quick@wg0 2>/dev/null || true
systemctl disable wg-quick@wg0 2>/dev/null || true
# Remove systemd services
log "Removing systemd services..."
rm -f /etc/systemd/system/vpn-*.service
systemctl daemon-reload
# Remove application files
log "Removing application files..."
rm -rf "$INSTALL_DIR"
# Remove scripts
log "Removing scripts..."
rm -f /usr/local/bin/vpn-*.sh
# Remove Nginx configuration
log "Removing Nginx configuration..."
rm -f /etc/nginx/sites-enabled/vpn-gateway
rm -f /etc/nginx/sites-available/vpn-gateway
systemctl reload nginx 2>/dev/null || true
# Remove WireGuard configs (optional)
read -p "Remove WireGuard configurations? (y/N): " -n 1 -r
echo ""
if [[ $REPLY =~ ^[Yy]$ ]]; then
rm -rf /etc/wireguard
log "WireGuard configurations removed"
fi
# CRITICAL: Remove killswitch
warning "Removing killswitch - your traffic will no longer be protected!"
read -p "Remove killswitch firewall rules? (y/N): " -n 1 -r
echo ""
if [[ $REPLY =~ ^[Yy]$ ]]; then
# Reset firewall to default ACCEPT policies
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# IPv6
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -F
ip6tables -X
# Save clean rules
iptables-save > /etc/iptables/rules.v4 2>/dev/null || true
ip6tables-save > /etc/iptables/rules.v6 2>/dev/null || true
warning "Firewall reset to ACCEPT all - System is no longer protected!"
else
warning "Killswitch still active - you may have no internet access!"
fi
# Remove log files
read -p "Remove log files? (y/N): " -n 1 -r
echo ""
if [[ $REPLY =~ ^[Yy]$ ]]; then
rm -f /var/log/vpn-*.log
log "Log files removed"
fi
# Final cleanup
log "Cleaning up..."
rm -f /tmp/vpn-gateway* 2>/dev/null || true
echo ""
echo -e "${GREEN}=== Uninstall Complete ===${NC}"
echo ""
echo "VPN Gateway has been removed."
echo "Backup saved at: $BACKUP_DIR"
echo ""
warning "IMPORTANT: Your system is no longer protected by the killswitch!"
warning "All traffic will now use your regular internet connection."
echo ""
echo "To reinstall, run:"
echo " curl -sSL https://your-domain/install.sh | bash"

146
scripts/update.sh Executable file
View file

@ -0,0 +1,146 @@
#############################################################
# scripts/update.sh #
#############################################################
cat > scripts/update.sh << 'EOFUPDATE'
#!/bin/bash
# VPN Gateway Update Script
# Updates the VPN Gateway installation
# Version: 1.0.0
set -e
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
INSTALL_DIR="/opt/vpn-gateway"
BACKUP_DIR="/opt/vpn-gateway-backup-$(date +%Y%m%d-%H%M%S)"
GITHUB_REPO="https://github.com/yourusername/vpn-gateway"
log() {
echo -e "${GREEN}[+]${NC} $1"
}
error() {
echo -e "${RED}[!]${NC} $1"
exit 1
}
warning() {
echo -e "${YELLOW}[*]${NC} $1"
}
# Check root
if [[ $EUID -ne 0 ]]; then
error "This script must be run as root"
fi
echo -e "${BLUE}=== VPN Gateway Update ===${NC}"
echo ""
# Check current version
if [ -f "$INSTALL_DIR/version" ]; then
CURRENT_VERSION=$(cat "$INSTALL_DIR/version")
log "Current version: $CURRENT_VERSION"
else
warning "Version file not found"
CURRENT_VERSION="unknown"
fi
# Check for updates
log "Checking for updates..."
LATEST_VERSION=$(curl -s "$GITHUB_REPO/raw/main/version" 2>/dev/null || echo "")
if [ -z "$LATEST_VERSION" ]; then
error "Could not fetch latest version"
fi
if [ "$CURRENT_VERSION" = "$LATEST_VERSION" ]; then
log "Already running latest version: $LATEST_VERSION"
exit 0
fi
log "New version available: $LATEST_VERSION"
echo ""
read -p "Update to version $LATEST_VERSION? (y/N): " -n 1 -r
echo ""
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
log "Update cancelled"
exit 0
fi
# Backup current installation
log "Creating backup at $BACKUP_DIR..."
cp -r "$INSTALL_DIR" "$BACKUP_DIR"
# Backup WireGuard configs
cp -r /etc/wireguard "$BACKUP_DIR/wireguard-configs"
# Backup iptables rules
iptables-save > "$BACKUP_DIR/iptables.rules"
ip6tables-save > "$BACKUP_DIR/ip6tables.rules"
log "Backup complete"
# Stop services
log "Stopping services..."
systemctl stop vpn-webui vpn-security-monitor 2>/dev/null || true
# Download updates
log "Downloading updates..."
cd /tmp
rm -rf vpn-gateway-update
git clone "$GITHUB_REPO" vpn-gateway-update || \
error "Failed to download updates"
# Update backend
log "Updating backend..."
cp /tmp/vpn-gateway-update/backend/app.py "$INSTALL_DIR/app.py"
# Update frontend
log "Updating frontend..."
cp /tmp/vpn-gateway-update/frontend/index.html "$INSTALL_DIR/static/index.html"
# Update scripts
log "Updating scripts..."
cp /tmp/vpn-gateway-update/scripts/*.sh /usr/local/bin/
chmod +x /usr/local/bin/vpn-*.sh
# Update Python dependencies
log "Updating dependencies..."
source "$INSTALL_DIR/venv/bin/activate"
pip install --upgrade -r /tmp/vpn-gateway-update/backend/requirements.txt
# Update version file
echo "$LATEST_VERSION" > "$INSTALL_DIR/version"
# Restart services
log "Restarting services..."
systemctl daemon-reload
systemctl start vpn-webui vpn-security-monitor
# Cleanup
rm -rf /tmp/vpn-gateway-update
# Verify update
sleep 3
if systemctl is-active vpn-webui >/dev/null 2>&1; then
log "Update successful!"
log "Version $LATEST_VERSION is now running"
echo ""
echo -e "${GREEN}Update complete!${NC}"
echo "Backup saved at: $BACKUP_DIR"
else
error "Services failed to start after update!"
echo "Restore from backup with:"
echo " rm -rf $INSTALL_DIR"
echo " mv $BACKUP_DIR $INSTALL_DIR"
echo " systemctl restart vpn-webui"
fi