From 80c0b971d655db975fb3d252c21eb2c6e29df1e3 Mon Sep 17 00:00:00 2001
From: angristan <angristan@pm.me>
Date: Fri, 21 Sep 2018 23:48:11 +0200
Subject: [PATCH] Improved and safer code

Thanks to shellcheck!
---
 openvpn-install.sh | 50 +++++++++++++++++++++-------------------------
 1 file changed, 23 insertions(+), 27 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 02c1f7d..f8c2f3a 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -153,7 +153,7 @@ function installOpenVPN () {
 
 	# Detect public IPv4 address and pre-fill for the user
 	IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
-	read -rp "IP address: " -e -i $IP IP
+	read -rp "IP address: " -e -i "$IP" IP
 	# If $IP is a private IP address, the server must be behind NAT
 	if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
 		echo ""
@@ -167,8 +167,7 @@ function installOpenVPN () {
 	echo ""
 	echo "Checking for IPv6 connectivity..."
 	echo ""
-	ping6 -c4 ipv6.google.com > /dev/null 2>&1
-	if [[ $? == 0 ]]; then
+	if ping -c4 ipv6.google.com > /dev/null 2>&1; then
 		echo "Your host appears to have IPv6 connectivity."
 		SUGGESTION="y"
 	else
@@ -186,15 +185,15 @@ function installOpenVPN () {
 	echo "   2) Custom"
 	echo "   3) Random [49152-65535]"
 	until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do
-		read -p "Port choice [1-3]: " -e -i 1 PORT_CHOICE
+		read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE
 	done
 	case $PORT_CHOICE in
 		1)
 			PORT="1194"
 		;;
 		2)
-			until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 -a "$PORT" -le 65535 ]; do
-				read -p "Custom port [1-65535]: " -e -i 1194 PORT
+			until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
+				read -rp "Custom port [1-65535]: " -e -i 1194 PORT
 			done
 		;;
 		3)
@@ -231,7 +230,7 @@ function installOpenVPN () {
 	echo "   8) Google (Anycast: worldwide)"
 	echo "   9) Yandex Basic (Russia)"
 	echo "   10) AdGuard DNS (Russia)"
-	until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 -a "$DNS" -le 10 ]; do
+	until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 10 ]; do
 		read -rp "DNS [1-10]: " -e -i 3 DNS
 			if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
 				echo ""
@@ -271,7 +270,7 @@ function installOpenVPN () {
 		echo "   1) AES-128-CBC (recommended)"
 		echo "   2) AES-192-CBC"
 		echo "   3) AES-256-CBC"
-		until [[ "$CIPHER_CHOICE" =~ ^[0-9]+$ ]] && [ "$CIPHER_CHOICE" -ge 1 -a "$CIPHER_CHOICE" -le 3 ]; do
+		until [[ "$CIPHER_CHOICE" =~ ^[0-9]+$ ]] && [ "$CIPHER_CHOICE" -ge 1 ] && [ "$CIPHER_CHOICE" -le 3 ]; do
 			read -rp "Cipher [1-7]: " -e -i 1 CIPHER_CHOICE
 		done
 		case $CIPHER_CHOICE in
@@ -290,7 +289,7 @@ function installOpenVPN () {
 		echo "   1) 2048 bits (fastest)"
 		echo "   2) 3072 bits (recommended, best compromise)"
 		echo "   3) 4096 bits (most secure)"
-		until [[ "$DH_KEY_SIZE_CHOICE" =~ ^[0-9]+$ ]] && [ "$DH_KEY_SIZE_CHOICE" -ge 1 -a "$DH_KEY_SIZE_CHOICE" -le 3 ]; do
+		until [[ "$DH_KEY_SIZE_CHOICE" =~ ^[0-9]+$ ]] && [ "$DH_KEY_SIZE_CHOICE" -ge 1 ] && [ "$DH_KEY_SIZE_CHOICE" -le 3 ]; do
 			read -rp "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE_CHOICE
 		done
 		case $DH_KEY_SIZE_CHOICE in
@@ -309,7 +308,7 @@ function installOpenVPN () {
 		echo "   1) 2048 bits (fastest)"
 		echo "   2) 3072 bits (recommended, best compromise)"
 		echo "   3) 4096 bits (most secure)"
-		until [[ "$RSA_KEY_SIZE_CHOICE" =~ ^[0-9]+$ ]] && [ "$RSA_KEY_SIZE_CHOICE" -ge 1 -a "$RSA_KEY_SIZE_CHOICE" -le 3 ]; do
+		until [[ "$RSA_KEY_SIZE_CHOICE" =~ ^[0-9]+$ ]] && [ "$RSA_KEY_SIZE_CHOICE" -ge 1 ] && [ "$RSA_KEY_SIZE_CHOICE" -le 3 ]; do
 			read -rp "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE_CHOICE
 		done
 		case $RSA_KEY_SIZE_CHOICE in
@@ -380,12 +379,12 @@ function installOpenVPN () {
 	./easyrsa init-pki
 	./easyrsa --batch build-ca nopass
 	openssl dhparam -out dh.pem $DH_KEY_SIZE
-	./easyrsa build-server-full $SERVER_NAME nopass
+	./easyrsa build-server-full "$SERVER_NAME" nopass
 	EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
 	# Generate tls-auth key
 	openvpn --genkey --secret /etc/openvpn/tls-auth.key
 	# Move all the generated files
-	cp pki/ca.crt pki/private/ca.key dh.pem pki/issued/$SERVER_NAME.crt pki/private/$SERVER_NAME.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
+	cp pki/ca.crt pki/private/ca.key dh.pem "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
 	# Make cert revocation list readable for non-root
 	chmod 644 /etc/openvpn/crl.pem
 
@@ -498,7 +497,7 @@ verb 3" >> /etc/openvpn/server.conf
 	if hash sestatus 2>/dev/null; then
 		if sestatus | grep "Current mode" | grep -qs "enforcing"; then
 			if [[ "$PORT" != '1194' ]]; then
-				semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT
+				semanage port -a -t openvpn_port_t -p "$PROTOCOL" "$PORT"
 			fi
 		fi
 	fi
@@ -638,11 +637,11 @@ function newClient () {
 	cd /etc/openvpn/easy-rsa/ || return
 	case $PASS in
 		1)
-			./easyrsa build-client-full $CLIENT nopass
+			./easyrsa build-client-full "$CLIENT" nopass
 		;;
 		2)
 		echo "⚠️ You will be asked for the client password below ⚠️"
-			./easyrsa build-client-full $CLIENT
+			./easyrsa build-client-full "$CLIENT"
 		;;
 	esac
 
@@ -700,17 +699,17 @@ function revokeClient () {
 
 	CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
 	cd /etc/openvpn/easy-rsa/
-	./easyrsa --batch revoke $CLIENT
+	./easyrsa --batch revoke "$CLIENT"
 	EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
 	# Cleanup
-	rm -f pki/reqs/$CLIENT.req
-	rm -f pki/private/$CLIENT.key
-	rm -f pki/issued/$CLIENT.crt
+	rm -f "pki/reqs/$CLIENT.req"
+	rm -f "pki/private/$CLIENT.key"
+	rm -f "pki/issued/$CLIENT.crt"
 	rm -f /etc/openvpn/crl.pem
 	cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
 	chmod 644 /etc/openvpn/crl.pem
-	rm -f $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null
-	rm -f /root/$CLIENT.ovpn 2>/dev/null
+	find /home/ -maxdepth 2 -name "$CLIENT.ovpn" -delete
+	rm -f "/root/$CLIENT.ovpn"
 
 	echo ""
 	echo "Certificate for client $CLIENT revoked."
@@ -777,7 +776,7 @@ function removeOpenVPN () {
 		if hash sestatus 2>/dev/null; then
 			if sestatus | grep "Current mode" | grep -qs "enforcing"; then
 				if [[ "$PORT" != '1194' ]]; then
-					semanage port -d -t openvpn_port_t -p udp $PORT
+					semanage port -d -t openvpn_port_t -p udp "$PORT"
 				fi
 			fi
 		fi
@@ -791,11 +790,8 @@ function removeOpenVPN () {
 		fi
 
 		# Cleanup
-		OVPNS=$(ls /etc/openvpn/easy-rsa/pki/issued | awk -F "." {'print $1'})
-		for i in $OVPNS;do
-			rm $(find /home -maxdepth 2 | grep $i.ovpn) 2>/dev/null
-			rm /root/$i.ovpn 2>/dev/null
-		done
+		find /home/ -maxdepth 2 -name "*.ovpn" -delete
+		find /root/ -maxdepth 1 -name "*.ovpn" -delete
 		rm -rf /etc/openvpn
 		rm -rf /usr/share/doc/openvpn*
 		rm -f /etc/sysctl.d/20-openvpn.conf