diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..b242572
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,5 @@
+{
+ "githubPullRequests.ignoredPullRequestBranches": [
+ "main"
+ ]
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index 75a0899..b6c5fc3 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,10 @@
+## announcement
+###
+this project is not ready yet I hope I will finish up fixing all the bugs in the next few weeks
+
## Features
### Network Connection Blocking:
@@ -18,15 +22,32 @@ TuxProtect automatically detects the presence of a Netfree network. Once connect
## Installation
```
-sudo apt-get update && sudo apt-get install -y git && git -c http.sslVerify=false clone https://github.com/lo-mityaesh/tuxprotect.git && cd tuxprotect && chmod +x install.sh && sudo ./install.sh && cd .. && rm -rf tuxprotect
+sudo apt-get update && sudo apt-get install -y git && git -c http.sslVerify=false clone https://github.com/aronunger-ctb/tuxprotect.git && cd tuxprotect && chmod +x install.sh && sudo ./install.sh && cd .. && rm -rf tuxprotect
```
+
+## Important Information
+
+- **US Server Only**: Currently, TuxProtect only supports US servers.
+- **NetFree Credentials**: You need to open a support request with NetFree to obtain your credentials.
+- **Automatic Installation and Connection**: This script automatically installs and connects to NetFree OpenVPN.
+
+## TODO
+
+1. Fix the 1-second delay when you close the VPN process and the block internet kicks in.
+2. Fix the sleep issue that requires stopping the VPN service.
+3. Add support for UK and IL servers.
+4. Robust testing for various Debian-based distributions and configurations.
+5. Optimization.
+6. Support for RHEL, Arch, and SUSE-based OS.
+7. GUI-like applets for various desktop environments.
+
## Contributions
Contributions to TuxProtect are welcome! If you encounter any issues or have suggestions for improvements, please feel free to open an issue on the GitHub repository.
## Disclaimer
-WARNING!!! This programm was tested only with Ubuntu 22.10 ! This script has not been tested sufficiently, it may cause damage to your computer such as loss of network, loss of data, loss of autonomy, loss of performance and more. No uninstall tool will be provided.
+WARNING!!! This program was tested only with Kubuntu 24.10! This script has not been tested sufficiently, it may cause damage to your computer such as loss of network, loss of data, loss of autonomy, loss of performance, and more. No uninstall tool will be provided.
This script updates itself, its behavior is subject to change over time.
TuxProtect is provided as-is without any warranty or guarantee. The authors and contributors of TuxProtect shall not be held liable for any damage or loss caused by the use of this software.
@@ -37,7 +58,6 @@ Please use TuxProtect responsibly and ensure that you comply with all applicable
This project is licensed under the [GNU General Public License v3](LICENSE). Please see the LICENSE file for more information.
-
## Support Me
[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/J3J6N3QW7)
diff --git a/install.sh b/install.sh
index 1ac246a..9085e18 100644
--- a/install.sh
+++ b/install.sh
@@ -1,25 +1,198 @@
#!/bin/bash
+# Function to configure VPN
+configure_vpn() {
+ # Create directory for VPN configuration
+ mkdir -p /usr/share/tuxprotect/vpn/
+
+ # Prompt user to select VPN server location
+ echo "Please select your VPN server location:"
+ echo "1) US Server (New York)"
+ echo "2) UK Server (London)"
+ echo "3) Israel Server (Tel Aviv)"
+ echo "4) France Server (Rome)"
+ read -p "Enter your choice (1-4): " choice
+
+ # Prompt user to enter NetFree username
+ read -p "Enter your NetFree username: " vpn_user
+ while [ -z "$vpn_user" ]; do
+ echo "Username cannot be empty"
+ read -p "Enter your NetFree username: " vpn_user
+ done
+
+ # Prompt user to enter NetFree password
+ read -s -p "Enter your NetFree password: " vpn_pass
+ while [ -z "$vpn_pass" ]; do
+ echo -e "\nPassword cannot be empty"
+ read -s -p "Enter your NetFree password: " vpn_pass
+ done
+ echo
+
+ # Determine remote server line based on user choice
+ local remote_line=""
+ case $choice in
+ 1) remote_line="remote vpn-us-nyc1.netfree.link 143" ;;
+ 2) remote_line="remote s.uk1.nfaw.netfree.link 143" ;;
+ 3) remote_line="remote s.il1.nfaw.netfree.link 143" ;;
+ 4) remote_line="remote vpn-fr1.netfree.link 143"
+ *) remote_line="remote 173.68.147.11 143" ;;
+ esac
+
+ # Create OpenVPN configuration file
+ cat > netfree.ovpn << EOF
+dev tun
+$remote_line
+fast-io
+client
+persist-key
+persist-tun
+proto tcp
+comp-lzo
+tls-client
+verb 5
+mute 10
+auth-user-pass inline
+
+
+$vpn_user
+$vpn_pass
+
+
+
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+
+EOF
+
+}
+
+# Function to test VPN connection
+test_vpn_connection() {
+ echo "Testing VPN connection..."
+ timeout 30 openvpn --config netfree.ovpn --daemon
+ sleep 10
+
+ # Check if VPN is connected and has correct IP
+ if ip addr show tun0 >/dev/null 2>&1; then
+ vpn_ip=$(ip addr show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
+ if [ -n "$vpn_ip" ]; then
+ echo "VPN connected successfully with IP: $vpn_ip"
+ killall openvpn
+ return 0
+ fi
+ fi
+
+ echo "ERROR: Failed to establish VPN connection"
+ killall openvpn
+ return 1
+}
+
+# Function to install Tux Protect
function install() {
-if ! command -v curl > /dev/null; then
- # Try to install curl
- sh -c "(apt update && apt install -y curl) || yum install -y curl || apk add curl"
-fi
-apt install zenity
-chattr -i /usr/bin/tuxprotect
-cp tuxprotect /usr/bin/tuxprotect
-cp tuxprotectgui /usr/bin/tuxprotectgui
-chmod +x /usr/bin/tuxprotect
-chmod +x /usr/bin/tuxprotectgui
-mkdir /usr/share/tuxprotect/
-cp restartservices.sh /usr/share/tuxprotect/restartservices
-cp notification.sh /usr/share/tuxprotect/notification
-chmod +x /usr/share/tuxprotect/restartservices
-chmod +x /usr/share/tuxprotect/notification
-cp -r res /usr/share/tuxprotect/res/
-bash /usr/bin/tuxprotect &
+ # Install dependencies
+ apt update
+ apt install -y curl openvpn zenity
+
+ configure_vpn
+
+ # Test VPN connection
+ echo "Testing VPN connection..."
+ if ! timeout 30 openvpn --config netfree.ovpn --daemon; then
+ echo "VPN connection failed - aborting installation"
+ exit 1
+ fi
+
+ # Verify VPN IP
+ sleep 5
+ vpn_ip=$(ip addr show tun0 2>/dev/null | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
+ if [ "$vpn_ip" != "100.77.0.190" ]; then
+ echo "VPN connected but wrong IP ($vpn_ip) - aborting installation"
+ killall openvpn
+
+ exit 1
+ fi
+
+ killall openvpn
+
+ # Setup remaining components
+ rm -rf /usr/shate/tuxprotect
+ mkdir -p /usr/share/tuxprotect/{res,vpn}
+ mkdir -p /var/log/tuxprotect
+ chmod 755 /var/log/tuxprotect
+
+ # Create VPN log directory
+ mkdir -p /var/log/tuxprotect/
+
+ # Create log directories with proper permissions
+ mkdir -p /var/log/tuxprotect
+ chmod 755 /var/log/tuxprotect
+ touch /var/log/tuxprotect/tuxprotect.log
+ touch /var/log/tuxprotect/vpn.log
+ chmod 644 /var/log/tuxprotect/*.log
+
+ # Setup log rotation configuration
+ cat > /etc/logrotate.d/tuxprotect << EOF
+/var/log/tuxprotect/*.log {
+ weekly
+ rotate 4
+ compress
+ delaycompress
+ missingok
+ notifempty
+ create 644 root root
}
+EOF
+
+ # Copy OpenVPN config
+ cp netfree.ovpn /usr/share/tuxprotect/vpn/
+ # Install Tux Protect components
+ apt install zenity
+ chattr -i /usr/bin/tuxprotect
+ rm /usr/bin/tuxprotect
+ cp tuxprotect /usr/bin/tuxprotect
+ cp tuxprotectgui /usr/bin/tuxprotectgui
+ chmod +x /usr/bin/tuxprotect
+ chmod +x /usr/bin/tuxprotectgui
+ mkdir /usr/share/tuxprotect/
+ mkdir -p /usr/share/tuxprotect/vpn/
+ cp netfree.ovpn /usr/share/tuxprotect/vpn/
+ cp restartservices.sh /usr/share/tuxprotect/restartservices
+ cp notification.sh /usr/share/tuxprotect/notification
+ chmod +x /usr/share/tuxprotect/restartservices
+ chmod +x /usr/share/tuxprotect/notification
+ cp -r res /usr/share/tuxprotect/res/
+ bash /usr/bin/tuxprotect &
+}
+
+# Display installation message
echo '
#######################################################
# #
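Review bot: The France arm of the `case` in configure_vpn has no `;;`, so the `*)` pattern that follows is a syntax error and bash refuses to parse the whole script; it should read `4) remote_line="remote vpn-fr1.netfree.link 143" ;;`. The heredoc `cat > netfree.ovpn` then writes the NetFree username and password in cleartext into the current directory under the default umask, and the file is later copied (twice) into /usr/share/tuxprotect/vpn/ where it stays readable by every local user; put `umask 077` before the heredoc (or `chmod 600 netfree.ovpn` right after it) and delete the working copy once it has been installed. The verify step compares the tunnel address against `100.77.0.190` while start_vpn in the tuxprotect script insists on `100.77.1.59`, so the same server cannot satisfy both checks, and because `openvpn --daemon` returns as soon as it forks, `if ! timeout 30 openvpn …` never reflects whether the tunnel actually came up. `rm -rf /usr/shate/tuxprotect` misspells `share`, the log directory is created three times in a row, and test_vpn_connection is defined but never called.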
@@ -34,17 +207,9 @@ Do you agree anyway? If yes, write "I agree"'
echo '#######################################################'
read response
+# Check user response
if [ "$response" = "I agree" ] || [ "$response" = "i agree" ]; then
if [[ $EUID -ne 0 ]]; then
- echo "Error! You have tu run this script with root privilege, run sudo ./install.sh"
+ echo "Error! You have to run this script with root privilege, run sudo ./install.sh"
exit 1
- else
- install
- fi
- echo "Tux Protect was installed succesffuly ! You're now protected :)"
-else
- echo "The Script was not installed."
-fi
-
-
-
+ else
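Review bot: The new tail of the script ends with `else` and nothing after it: the `fi` lines that closed both `if` blocks were removed and, as far as this hunk shows, the call to `install` went with them, so bash reports an unexpected end of file and neither the root check nor the installer ever runs. The hunk header counts one more new-side line than is visible here, but a single line cannot close two `if` blocks, so the ending below (or an equivalent) needs to be restored; confirm against the full file before merging.
```shell
    else
        install
        echo "Tux Protect was installed successfully! You're now protected :)"
    fi
else
    echo "The Script was not installed."
fi
```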
diff --git a/tuxprotect b/tuxprotect
index 5f2be64..b210cd8 100644
--- a/tuxprotect
+++ b/tuxprotect
@@ -1,49 +1,271 @@
#!/bin/bash
+# Add logging functions at the top
+LOG_DIR="/var/log/tuxprotect"
+VPN_LOG="$LOG_DIR/vpn.log"
+MAIN_LOG="$LOG_DIR/tuxprotect.log"
+last_route=""
-trap 'start_service; exit' SIGINT SIGTERM
+log() {
+ local level="$1"
+ local message="$2"
+ local log_file="$3"
+ local timestamp="[$(date '+%Y-%m-%d %H:%M:%S')]"
+ local log_message="$timestamp [$level] $message"
+
+ echo "$log_message" >> "$log_file"
+ [ "$4" = "verbose" ] && echo "$log_message"
+}
+
+main_log() {
+ log "INFO" "$1" "$MAIN_LOG" "$2"
+}
+
+vpn_log() {
+ log "VPN" "$1" "$VPN_LOG" "$2"
+ main_log "$1" "$2"
+}
+ensure_immutable() {
+ chattr +i /usr/bin/tuxprotect
+}
+
+rotate_logs() {
+ for logfile in "$LOG_DIR"/*.log; do
+ if [ -f "$logfile" ] && [ $(stat -f%z "$logfile") -gt 10485760 ]; then # 10MB
+ mv "$logfile" "$logfile.old"
+ touch "$logfile"
+ fi
+ done
+}
+
+verify_vpn_config() {
+ local config="/usr/share/tuxprotect/vpn/netfree.ovpn"
+
+ if [ ! -f "$config" ] || [ ! -s "$config" ]; then
+ vpn_log "ERROR: VPN configuration missing or empty"
+ return
+ fi
+
+ # Check for required config elements
+ if ! grep -q "^remote " "$config" && ! grep -q "^auth-user-pass" "$config"; then
+ vpn_log "ERROR: VPN configuration invalid"
+ return 1
+ fi
+
+ return 0
+}
+
+start_vpn() {
+ vpn_log "Starting VPN connection..."
+
+ if ! verify_vpn_config; then
+ vpn_log "Failed to verify VPN configuration"
+ return 1
+ fi
+
+ if ! pgrep openvpn >/dev/null; then
+ killall openvpn 2>/dev/null
+ sleep 2
+
+ openvpn --config /usr/share/tuxprotect/vpn/netfree.ovpn \
+ --log "$VPN_LOG" \
+ --daemon
+
+ sleep 5
+
+ # Verify VPN connection
+ if ip addr show tun0 >/dev/null 2>&1; then
+ vpn_ip=$(ip addr show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
+ if [ "$vpn_ip" = "100.77.1.59" ]; then
+ vpn_log "VPN connected successfully with correct IP"
+ return 0
+ fi
+ fi
+
+ vpn_log "Failed to establish VPN connection"
+ return 1
+ fi
+ return 0
+}
+
+check_vpn() {
+ # Set a timeout for the curl request (e.g., 10 seconds)
+ netfree=$(curl -sk --max-time 1 https://api.internal.netfree.link/user/info)
+ # Check if "isNetFree":true exists in the response
+ if [[ "$netfree" == *'"isNetFree":true'* ]]; then
+ main_log "NetFree is active: $netfree"
+ iptables -F # Flush all rules
+ iptables -P INPUT ACCEPT
+ iptables -P OUTPUT ACCEPT
+ iptables -P FORWARD ACCEPT
+ main_log "Allowing all traffic"
+
+ # Check if the IP route table has changed
+ current_route=$(ip route show)
+ if [[ "$current_route" != "$last_route" ]]; then
+
+
+ # New code to ensure all traffic is routed through the VPN
+ VPN_IF=$(ip -o link show | awk -F': ' '/tun[0-9]/ {print $2; exit}')
+ VPN_SERVER=$ # Your VPN server's IP
+ VPN_GW=$(ip route show dev $VPN_IF | awk '/via/ {print $3; exit}')
+ DEFAULT_IF=$(ip route show default | awk '{print $5; exit}')
+ DEFAULT_GW=$(ip route show default | awk '{print $3; exit}')
+
+ if [[ -z "$VPN_GW" ]]; then
+ main_log "[!] Could not detect VPN gateway. Exiting."
+ exit 1
+ fi
+
+ main_log "[+] VPN detected on $VPN_IF (Gateway: $VPN_GW)"
+ main_log "[+] Default Interface: $DEFAULT_IF"
+ main_log "[+] Default Gateway: $DEFAULT_GW"
+
+ # Preserve the route to the VPN server
+ main_log "[+] Ensuring VPN server ($VPN_SERVER) is still reachable..."
+ ip route add $VPN_SERVER via $DEFAULT_GW dev $DEFAULT_IF
+
+ # Remove all old default routes to prevent leaks
+ main_log "[+] Removing old default gateway ($DEFAULT_GW)..."
+ ip route del default via $DEFAULT_GW dev $DEFAULT_IF
+
+ # Add a new default route through VPN
+ main_log "[+] Forcing all traffic through VPN ($VPN_GW)..."
+ ip route add default via $VPN_GW dev $VPN_IF
+
+ # Disable IPv6 to prevent leaks
+ main_log "[+] Disabling IPv6 to prevent leaks..."
+ sysctl -w net.ipv6.conf.all.disable_ipv6=1 > /dev/null
+ sysctl -w net.ipv6.conf.default.disable_ipv6=1 > /dev/null
+
+ main_log "[+] Done! Checking new routing table:"
+ last_route=$(ip route show)
+ fi
+ else
+ main_log "NetFree is not active or an error occurred: $netfree"
+ main_log "Not Connected to NetFree"
+ block_internet
+ netfree_try_again=$(curl -sk --max-time 10 https://api.internal.netfree.link/user/info)
+ if [[ "$netfree_try_again" == *'"isNetFree":true'* ]]; then
+ main_log "NetFree is active: $netfree"
+ iptables -F # Flush all rules
+ iptables -P INPUT ACCEPT
+ iptables -P OUTPUT ACCEPT
+ iptables -P FORWARD ACCEPT
+ main_log "Allowing all traffic"
+ else
+ killall openvpn
+ start_vpn
+ fi
+
+ fi
+
+ install_if_not_present curl
+ install_if_not_present iptables
+ install_if_not_present openssl
+ install_if_not_present jq
+ install_if_not_present openvpn
+
+ # Rotate logs if needed
+ rotate_logs
+}
+
+block_vbox_briged_adapters() {
+ local_user=$(who | awk '{print $1}' | head -n 1)
+ export LOGNAME=$local_user
+ export USER=$local_user
+
+ while true; do
+ # Get a list of all VMs (names and UUIDs)
+ #log "($local_user)"
+
+
+ vms=$(sudo -u $local_user VBoxManage list vms)
+ #log "vm ($vms) s"
+
+ # Loop through each VM entry
+ while IFS= read -r vm; do
+ # Skip empty or invalid lines
+ if [[ -z $vm || $vm =~ ^[[:space:]]*$ ]]; then
+ log "Skipping empty or invalid VM entry"
+ continue
+ fi
+
+ # Extract VM name and UUID using regex
+ vm_name=$(echo "$vm" | grep -oP '^"\K[^"]+(?=")')
+ vm_uuid=$(echo "$vm" | grep -oP '{\K[^}]+(?=})')
+
+ # Skip if either name or UUID is missing
+ if [[ -z $vm_name || -z $vm_uuid ]]; then
+ log "Error processing VM entry (missing name or UUID): $vm"
+ continue
+ fi
+
+ #log "Checking VM: $vm_name ($vm_uuid)"
+ # Check network adapters for bridged mode
+ for adapter in {1..4}; do
+ nic_type=$(sudo -u $local_user VBoxManage showvminfo "$vm_uuid" --machinereadable | grep "nic$adapter" | cut -d'=' -f2 | tr -d '"')
+
+ if [[ $nic_type == "bridged" ]]; then
+ #log "VM '$vm_name' ($vm_uuid) is using a bridged network on adapter $adapter."
+
+ # Stop the VM if it is running
+ vm_state=$(sudo -u $local_user VBoxManage showvminfo "$vm_uuid" --machinereadable | grep -E '^VMState=' | cut -d'=' -f2 | tr -d '"')
+ if [[ $vm_state == "running" ]]; then
+ log "Stopping VM: $vm_name"
+ sudo -u $local_user VBoxManage controlvm "$vm_uuid" poweroff
+ fi
+
+ # Break out of adapter loop as we only need one bridged network to stop
+ break
+ fi
+ done
+ done <<< "$vms"
+
+ sleep 5 # Check every 60 seconds
+ done
+}
+
+
+trap 'start_service; exit' SIGINT SIGTERM
start_service () {
rewrite_service
systemctl daemon-reload
systemctl reenable tuxprotect.service
systemctl start tuxprotect.service
}
-
+
rewrite_service() {
chattr -i /etc/systemd/system/tuxprotect.service
cat > /etc/systemd/system/tuxprotect.service << EOL
[Unit]
Description=Tux Protect
-
[Service]
Type=simple
ExecStartPre=-/usr/sbin/iptables -F
ExecStartPre=-/usr/bin/chattr -i /usr/bin/tuxprotect
-ExecStartPre=-/usr/bin/curl -o /usr/bin/tuxprotect -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/lo-mityaesh/tuxprotect/main/tuxprotect
+ExecStartPre=-/usr/bin/curl -o /usr/bin/tuxprotect -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/aronunger-ctb/tuxprotect/main/tuxprotect
ExecStartPre=-/usr/bin/chmod +x /usr/bin/tuxprotect
ExecStartPre=-/usr/bin/chattr +i /usr/bin/tuxprotect
ExecStart=/usr/bin/tuxprotect
ExecStopPost=-/usr/bin/chattr -i /etc/systemd/system/tuxprotect.service
-ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/lo-mityaesh/tuxprotect/main/tuxprotect.service
+ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent/aronunger-ctb/tuxprotect/main/tuxprotect.service
ExecStopPost=-/usr/bin/chattr -+ /etc/systemd/system/tuxprotect.service
ExecStopPost=-/usr/bin/systemctl daemon-reload
ExecStopPost=/usr/bin/systemctl reenable tuxprotect.service
ExecStopPost=/usr/bin/systemctl start tuxprotect.service
TimeoutStopSec=5s
Restart=always
-RestartSec=3
+RestartSec=1
StartLimitInterval=0
StartLimitBurst=0
Environment=DISPLAY=:0
-
[Install]
WantedBy=multi-user.target
EOL
chattr +i /etc/systemd/system/tuxprotect.service
}
-
-
-rewrite_script() {
+rewrite_script() {
chattr -i /usr/bin/tuxprotect
cat $0 > "$temp_file"
cp $temp_file /usr/bin/tuxprotect
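Review bot: `VPN_SERVER=$ # Your VPN server's IP` in check_vpn assigns the literal string `$`, so `ip route add $VPN_SERVER via $DEFAULT_GW dev $DEFAULT_IF` fails, the old default route is still deleted on the next line, and the host route that keeps the tunnel's own transport reachable never exists; derive the value from the `remote` line of the config that start_vpn loads instead of leaving it blank. verify_vpn_config accepts a missing config because the bare `return` after `vpn_log "ERROR: VPN configuration missing or empty"` returns vpn_log's zero status, and the `&&` between the two `grep -q` tests only fails when both directives are absent — use `return 1` and `||` so start_vpn and main actually abort. The `log "Skipping…"`, `log "Error processing…"` and `log "Stopping VM…"` calls in block_vbox_briged_adapters pass one argument to a three-argument function, so `$log_file` is empty and the `>>` redirection errors, and rotate_logs uses the BSD form `stat -f%z`, which on GNU coreutils queries the filesystem rather than the file size (`stat -c%s`). The new ExecStopPost line in rewrite_service fetches from `https://raw.githubusercontent/…` (missing `.com`), and both self-update fetches keep `-k`, so a root-executed script and its unit file are replaced from a TLS endpoint whose certificate is never checked; drop `-k` (or verify a signature on the download) before it overwrites the installed files. rewrite_script's body continues past the end of the hunk.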
@@ -51,7 +273,6 @@ rewrite_script() {
chmod +x /usr/bin/tuxprotect
chattr +i /usr/bin/tuxprotect
}
-
#var
version="1.0.1"
script_path=$(readlink -f "$0")
@@ -59,21 +280,18 @@ random_path=$(find /usr/ -type d -print | shuf -n 1)
shield="/usr/share/tuxprotect/res/icons/shield.png"
shieldb="/usr/share/tuxprotect/res/icons/shieldb.png"
shieldc="/usr/share/tuxprotect/res/icons/shieldc.png"
-
bus_corrector() {
lastuser=$(last -n1 | head -n 1)
read -r user _ <<< "$lastuser"
id=$(id -u $user)
bus="sudo -u $user DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$id/bus"
}
-
unlock_dpkg() {
rm /var/lib/dpkg/lock-frontend
rm /var/lib/apt/lists/lock
rm /var/cache/apt/archives/lock
rm /var/lib/dpkg/lock
}
-
install_if_not_present() {
local package=$1
if ! command -v $package &> /dev/null; then
@@ -83,7 +301,6 @@ install_if_not_present() {
fi
fi
}
-
indicator() {
#menu language
if [ "$LANG" = "fr_FR.UTF-8" ]; then
@@ -105,7 +322,6 @@ indicator() {
change_place="Change watermark place"
notification:"Enable/Disable notifications"
fi
-
#app indicator
bus_corrector
killall tuxprotectgui
@@ -113,11 +329,10 @@ indicator() {
sudo -u $user /usr/bin/xhost + SI:localuser:root > /dev/null
usr/bin/tuxprotectgui --notification --no-middle --menu="$notification! /usr/share/tuxprotect/notification
|$restart_services ! /usr/share/tuxprotect/restartservices &
- |$check_problems ! $bus /usr/bin/xdg-open http://1.2.3.4
+ |$check_problems ! $bus /usr/bin/xdg-open http://1.2.3.4
|V$version " --listen --image="$icon"
sudo -u $first /usr/bin/xhost - SI:localuser:root > /dev/null
}
-
notification() {
status_path="/usr/share/tuxprotect/res/status"
status=$(cat /usr/share/tuxprotect/res/status)
@@ -128,95 +343,130 @@ notification() {
$bus notify-send "Tux Protect" $content -i "$icon" -t 20
fi
}
+block_internet() {
+ vpn_log "Internet blocked"
+ iptables -F # Flush all existing rules
+ iptables -X # Delete user-defined chains
+ iptables -P INPUT DROP # Default policy for INPUT is DROP
+ iptables -P OUTPUT DROP # Default policy for OUTPUT is DROP
+ iptables -P FORWARD DROP # Default policy for FORWARD is DROP
+ # Allow loopback traffic
+ iptables -A INPUT -i lo -j ACCEPT
+ iptables -A OUTPUT -o lo -j ACCEPT
-block_internet() {
- iptables -A INPUT -i lo -j ACCEPT
- iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
- iptables -A INPUT -s 127.16.0.0/12 -j ACCEPT
- iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
- iptables -A INPUT -s 1.2.3.4 -j ACCEPT
- iptables -A INPUT -s 51.89.182.69 -j ACCEPT
- iptables -A INPUT -s 93.184.216.34 -j ACCEPT
- iptables -A INPUT -p udp --dport 53 -j ACCEPT
- iptables -A INPUT -p tcp --dport 53 -j ACCEPT
- iptables -A INPUT -j REJECT
-}
-
-check_ip() {
- current_ip=$(ip a show | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
- sleep 6
- previous_ip=$(ip a show | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
- if [ "$current_ip" != "$previous_ip" ]; then
- apply_rules
- else
- if pgrep -f shieldb.png > /dev/null; then
- if ! iptables -C INPUT -j REJECT; then
- apply_rules
- fi
- elif pgrep -f shield.png > /dev/null; then
- echo "ok"
- elif pgrep -f shieldc.png > /dev/null; then
- echo "ok"
- else
- apply_rules
- fi
- fi
-}
+ # Allow established and related connections (CRUCIAL, place early)
+ iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-apply_rules() {
- install_if_not_present curl
- install_if_not_present iptables
- install_if_not_present openssl
- install_if_not_present jq
- response_code=$(timeout 5 curl -s -o /dev/null -w "%{http_code}" 1.2.3.4)
- issuer=$(timeout 5 sh -c 'echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer | awk -F "=" "/O =/ {print \$NF}"')
- isNetFree=$(timeout 5 curl -s "https://api.internal.netfree.link/user/0" | jq -r '.isNetFree')
- if [[ $issuer =~ "NetFree" && $isNetFree == "true" ]]; then
- if ! pgrep -f shield.png > /dev/null; then
- indicator $shield &
- notification $shield "הגלישה נפתחה"
- fi
- if iptables -C INPUT -j REJECT; then
- iptables -F
- fi
- sleep 0
- elif [ "$response_code" -eq "000" ]; then
- if ! pgrep -f shieldc.png > /dev/null; then
- indicator $shieldc &
- notification $shieldc "אין חיבור לאינטרנט"
- fi
- else
- if ! pgrep -f shieldb.png > /dev/null; then
- indicator $shieldb &
- notification $shieldb "הגלישה נחסמה"
+ # Allow outgoing DNS requests (Important for resolving VPN server address)
+ iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+ iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
+ iptables -A INPUT -p udp --sport 53 -j ACCEPT
+ iptables -A INPUT -p tcp --sport 53 -j ACCEPT
+ iptables -A INPUT -s 8.8.8.8 -j ACCEPT
+ iptables -A OUTPUT -d 8.8.8.8 -j ACCEPT
+ iptables -A INPUT -s 8.8.4.4 -j ACCEPT
+ iptables -A OUTPUT -d 8.8.4.4 -j ACCEPT
- fi
- if ! iptables -C INPUT -j REJECT; then
- block_internet
- if ! iptables -C INPUT -j REJECT; then
- apply_rules
- else
- sleep 0
- fi
- else
- sleep 0
- fi
- fi
+ # Allow traffic to/from your trusted IP (e.g., for SSH access)
+ iptables -A INPUT -s 100.77.0.190 -j ACCEPT
+ iptables -A OUTPUT -d 100.77.0.190 -j ACCEPT
+
+ # Allow traffic to/from your VPN server and netfree api (for reconnection attempts)
+ # us server
+ NETFREE_US_VPN_SERVER=$(dig +short vpn-us-nyc1.netfree.link)
+ for ip in $NETFREE_US_VPN_SERVER; do
+ iptables -A INPUT -s $ip -j ACCEPT
+ iptables -A OUTPUT -d $ip -j ACCEPT
+ main_log $ip
+ done
+ # uk server
+ NETFREE_UK_VPN_SERVER=$(dig +short s.uk1.nfaw.netfree.link)
+ for ip in $NETFREE_Uk_VPN_SERVER; do
+ iptables -A INPUT -s $ip -j ACCEPT
+ iptables -A OUTPUT -d $ip -j ACCEPT
+ main_log $ip
+ done
+ # isreal server
+ NETFREE_IL_VPN_SERVER=$(dig +short s.il1.nfaw.netfree.link)
+ for ip in $NETFREE_IL_VPN_SERVER; do
+ iptables -A INPUT -s $ip -j ACCEPT
+ iptables -A OUTPUT -d $ip -j ACCEPT
+ main_log $ip
+ done
+ # france server
+ NETFREE_Fr_VPN_SERVER=$(dig +short vpn-fr1.netfree.link)
+ for ip in $NETFREE_FR_VPN_SERVER; do
+ iptables -A INPUT -s $ip -j ACCEPT
+ iptables -A OUTPUT -d $ip -j ACCEPT
+ main_log $ip
+ done
+ # netfree api
+ NETFREE_API=$(dig +short https://api.internal.netfree.link)
+ for ip in $NETFREE_API; do
+ iptables -A INPUT -s $ip -j ACCEPT
+ iptables -A OUTPUT -d $ip -j ACCEPT
+ main_log $ip
+ done
+
+
+
+ # Allow traffic from your local networks.
+ iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
+ iptables -A INPUT -s 127.16.0.0/12 -j ACCEPT
+ iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
+ iptables -A INPUT -s 1.2.3.4 -j ACCEPT
+ iptables -A INPUT -s 51.89.182.69 -j ACCEPT
+ iptables -A INPUT -s 93.184.216.34 -j ACCEPT
+
+ # Reject/Drop everything else (this is now effective)
+ iptables -A INPUT -j REJECT
+ iptables -A OUTPUT -j REJECT
+ iptables -L -v -n 2>&1 | while IFS= read -r line; do
+ vpn_log "$line"
+ done
}
+disable_ipv6() {
+ main_log "Disabling IPv6"
+ sysctl -w net.ipv6.conf.all.disable_ipv6=1
+ sysctl -w net.ipv6.conf.default.disable_ipv6=1
+ sysctl -w net.ipv6.conf.lo.disable_ipv6=1
+}
main () {
- start_service
- block_internet
- indicator $shieldc &
- sleep 5
-
- while true; do
- apply_rules
- for i in {1..10}; do
- check_ip
+ main_log "Starting Tux Protect service" "verbose"
+
+ # Disable IPv6
+
+ # Verify VPN config before starting service
+ if ! verify_vpn_config; then
+ main_log "ERROR: Invalid VPN configuration - please run install script again" "verbose"
+ exit 1
+ fi
+
+
+ block_internet
+ disable_ipv6
+
+
+
+ if ! start_vpn; then
+ main_log "Initial VPN start failed - will retry" "verbose"
+ fi
+
+ indicator $shieldc &
+ block_vbox_briged_adapters &
+ ensure_immutable &
+
+
+ while true; do
+ check_vpn
+ chattr +i /usr/bin/tuxprotect
+
done
- done
}
+main
+
+
-main
\ No newline at end of file
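Review bot: The UK and France loops in block_internet iterate over `$NETFREE_Uk_VPN_SERVER` and `$NETFREE_FR_VPN_SERVER`, which are not the variables assigned two lines earlier (`NETFREE_UK_VPN_SERVER`, `NETFREE_Fr_VPN_SERVER`), so they expand to nothing and no rule is added for those endpoints. `dig +short https://api.internal.netfree.link` passes a URL instead of a hostname and resolves nothing, so the API that check_vpn polls is never allowed and every reconnect check from the blocked state is dropped by the final `OUTPUT -j REJECT`; use `dig +short api.internal.netfree.link`. The dig output is also expanded unquoted and may contain CNAME targets, which `iptables -s`/`-d` cannot parse, so filter the list down to addresses before the loop. The private-range rule `127.16.0.0/12` was carried over from the old block and looks like it was meant to be `172.16.0.0/12`.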
diff --git a/tuxprotect-vpn.service b/tuxprotect-vpn.service
new file mode 100644
index 0000000..1ef463b
--- /dev/null
+++ b/tuxprotect-vpn.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Tux Protect VPN
+After=network.target
+
+[Service]
+Type=simple
+ExecStartPre=/usr/sbin/iptables -F
+ExecStart=/usr/sbin/openvpn --config /usr/share/tuxprotect/vpn/netfree.ovpn
+ExecStop=/usr/sbin/iptables -F
+ExecStopPost=-/usr/bin/chattr -i /etc/systemd/system/tuxprotect-vpn.service
+
+
+ExecStopPost=-/usr/bin/systemctl daemon-reload
+ExecStopPost=/usr/bin/systemctl reenable tuxprotect-vpn.service
+
+StartLimitInterval=0
+StartLimitBurst=0
+
+[Install]
+WantedBy=multi-user.target
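Review bot: `ExecStartPre=/usr/sbin/iptables -F` and `ExecStop=/usr/sbin/iptables -F` flush every rule each time this unit starts or stops, which is exactly when the kill-switch that block_internet installs has to hold; until check_vpn in the main service runs again, all traffic leaves unfiltered. The unit should leave the firewall alone and let the tuxprotect service own the rules. ExecStopPost removes the immutable flag from the unit file but nothing here restores it, and nothing in this diff installs or enables tuxprotect-vpn.service from install.sh, so it may be unused — confirm before merging.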
diff --git a/tuxprotect.service b/tuxprotect.service
index 6482ebd..6c1f730 100644
--- a/tuxprotect.service
+++ b/tuxprotect.service
@@ -1,23 +1,25 @@
[Unit]
Description=Tux Protect
+After=network.target
+
[Service]
Type=simple
ExecStartPre=-/usr/sbin/iptables -F
ExecStartPre=-/usr/bin/chattr -i /usr/bin/tuxprotect
-ExecStartPre=-/usr/bin/curl -o /usr/bin/tuxprotect -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/lo-mityaesh/tuxprotect/main/tuxprotect
+ExecStartPre=-/usr/bin/curl -o /usr/bin/tuxprotect -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/aronunger-ctb/tuxprotect/main/tuxprotect
ExecStartPre=-/usr/bin/chmod +x /usr/bin/tuxprotect
ExecStartPre=-/usr/bin/chattr +i /usr/bin/tuxprotect
ExecStart=/usr/bin/tuxprotect
ExecStopPost=-/usr/bin/chattr -i /etc/systemd/system/tuxprotect.service
-ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/lo-mityaesh/tuxprotect/main/tuxprotect.service
+ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/aronunger-ctb/tuxprotect/main/tuxprotect.service
ExecStopPost=-/usr/bin/chattr -+ /etc/systemd/system/tuxprotect.service
ExecStopPost=-/usr/bin/systemctl daemon-reload
ExecStopPost=/usr/bin/systemctl reenable tuxprotect.service
ExecStopPost=/usr/bin/systemctl start tuxprotect.service
TimeoutStopSec=5s
Restart=always
-RestartSec=3
+RestartSec=1
StartLimitInterval=0
StartLimitBurst=0
Environment=DISPLAY=:0