From 8900e866bdc187aa6cc9c7becd6c56f5b2030b76 Mon Sep 17 00:00:00 2001 From: aron unger Date: Wed, 25 Dec 2024 14:59:04 -0500 Subject: [PATCH 01/89] Delete install.sh --- install.sh | 50 -------------------------------------------------- 1 file changed, 50 deletions(-) delete mode 100644 install.sh diff --git a/install.sh b/install.sh deleted file mode 100644 index 1ac246a..0000000 --- a/install.sh +++ /dev/null 
@@ -1,50 +0,0 @@ -#!/bin/bash - -function install() { -if ! command -v curl > /dev/null; then - # Try to install curl - sh -c "(apt update && apt install -y curl) || yum install -y curl || apk add curl" -fi -apt install zenity -chattr -i /usr/bin/tuxprotect -cp tuxprotect /usr/bin/tuxprotect -cp tuxprotectgui /usr/bin/tuxprotectgui -chmod +x /usr/bin/tuxprotect -chmod +x /usr/bin/tuxprotectgui -mkdir /usr/share/tuxprotect/ -cp restartservices.sh /usr/share/tuxprotect/restartservices -cp notification.sh /usr/share/tuxprotect/notification -chmod +x /usr/share/tuxprotect/restartservices -chmod +x /usr/share/tuxprotect/notification -cp -r res /usr/share/tuxprotect/res/ -bash /usr/bin/tuxprotect & -} - -echo ' -####################################################### -# # -# Tux Protect # -# # -#######################################################' - -echo 'You are trying to install "Tux Protect". -WARNING!!! This script was tested only with Ubuntu 22.10 ! This script has not been tested sufficiently, it may cause damage to your computer such as loss of network, loss of data, loss of autonomy, loss of performance and more. No uninstall tool will be provided. -This script updates itself, its behavior is subject to change over time. -Do you agree anyway? If yes, write "I agree"' -echo '#######################################################' -read response - -if [ "$response" = "I agree" ] || [ "$response" = "i agree" ]; then - if [[ $EUID -ne 0 ]]; then - echo "Error! You have tu run this script with root privilege, run sudo ./install.sh" - exit 1 - else - install - fi - echo "Tux Protect was installed succesffuly ! You're now protected :)" -else - echo "The Script was not installed." -fi - - - From 93f572f812b83463956c48fb181ef6a215650d5a Mon Sep 17 00:00:00 2001 
From: aron unger Date: Wed, 25 Dec 2024 15:00:29 -0500 Subject: [PATCH 02/89] Add files via upload --- install.sh | 211 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 211 insertions(+) create mode 100644 install.sh diff --git a/install.sh b/install.sh new file mode 100644 index 0000000..b88964c --- /dev/null +++ b/install.sh 
@@ -0,0 +1,211 @@ +#!/bin/bash + +configure_vpn() { + mkdir -p /usr/share/tuxprotect/vpn/ + + echo "Please select your VPN server location:" + echo "1) US Server (New York)" + echo "2) UK Server (London)" + echo "3) Israel Server (Tel Aviv)" + read -p "Enter your choice (1-3): " choice + + read -p "Enter your NetFree username: " vpn_user + while [ -z "$vpn_user" ]; do + echo "Username cannot be empty" + read -p "Enter your NetFree username: " vpn_user + done + + read -s -p "Enter your NetFree password: " vpn_pass + while [ -z "$vpn_pass" ]; do + echo -e "\nPassword cannot be empty" + read -s -p "Enter your NetFree password: " vpn_pass + done + echo + + local remote_line="" + case $choice in + 1) remote_line="remote 173.68.147.11 143" ;; + 2) remote_line="remote 77.68.76.69 143" ;; + 3) remote_line="remote 185.217.99.140 143" ;; + *) remote_line="remote 173.68.147.11 143" ;; + esac + + cat > netfree.ovpn << EOF +dev tun +$remote_line +fast-io +client +persist-key +persist-tun +proto tcp +comp-lzo +tls-client +verb 5 +mute 10 +auth-user-pass inline + + +$vpn_user +$vpn_pass + + + +-----BEGIN CERTIFICATE----- +MIIE6zCCA9OgAwIBAgIJALVqGDUdI6IrMA0GCSqGSIb3DQEBCwUAMIGpMQswCQYD +VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG +A1UEChMMRm9ydC1GdW5zdG9uMRAwDgYDVQQLEwduZXRmcmVlMRgwFgYDVQQDEw9G +b3J0LUZ1bnN0b24gQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExITAfBgkqhkiG9w0BCQEW +Em1lQG15aG9zdC5teWRvbWFpbjAeFw0xNTEyMTgwMzI2NDNaFw0yNTEyMTUwMzI2 +NDNaMIGpMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZy +YW5jaXNjbzEVMBMGA1UEChMMRm9ydC1GdW5zdG9uMRAwDgYDVQQLEwduZXRmcmVl +MRgwFgYDVQQDEw9Gb3J0LUZ1bnN0b24gQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExITAf +BgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAJxAo2Ja6myTDYIQkOBAv0Wki73p9Nej+h8C3r3Vs7RP +XXbJqEOFRLvaeyCF1Kjt/YDFy/MbOh5KCVLbk819x2yZMl8WFB302S4gQtnTO1TC +bWW0vChY9OYVImnoeY9E3hKrzDJ8Ph84fvqhC6rbJ4sbM7rGyYTc41TgSDpycE0h +obbkZ7DnNMn6kS/m/ekxQkEqNcIYY2Lz1pQz/Akep60xXl+DLv4H7MJGhQOu6PGh 
+1ACxJk3/Y91Z4MF+HdbMvcAukrf3uLdfzP8Vit3/vyjzTVmQ6JbV7GQC/BPM9Xl8 +5sF/FaeRG2Zk2tY7u58WeXrxs7c9NKdsibyUF3n144ECAwEAAaOCARIwggEOMB0G +A1UdDgQWBBSTxEfHI/OR+dnC2bszBOgXI5BUkTCB3gYDVR0jBIHWMIHTgBSTxEfH +I/OR+dnC2bszBOgXI5BUkaGBr6SBrDCBqTELMAkGA1UEBhMCVVMxCzAJBgNVBAgT +AkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZvcnQtRnVuc3Rv +bjEQMA4GA1UECxMHbmV0ZnJlZTEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAw +DgYDVQQpEwdFYXN5UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21h +aW6CCQC1ahg1HSOiKzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBy +IpKzBf1JOH866VsgjzvCEWlGdgbDtpM1Uy54jGekUIYsAFB1WLt7LHNOkfpZCV0b +9t7wcbeVDzcYhRycC5DVwAG6NJ2LQw8xO830/kRi1N6sp8TSyaxuWrGacnjfn9yX +yJBh5mW+GKqSH507waB5tXOif5cD0J5RTCg7gLXWAYnOhEawqUZFR4zjRYdDo1oq +n1uFhnyKQch7KWz2OYecXvKdK3Hxkojw4jnefk1nhahlmZPhHTZsf74dXHFtcMAM +n9V1T/qhQHMcI3UX/H/WQJQoy5LJBRbLDzViobNH/SwR4AaHMWAHnQS2ddRTAUXf +NjA2WdgN4NlbtpidNFWx +-----END CERTIFICATE----- + +EOF + +} + +test_vpn_connection() { + echo "Testing VPN connection..." + timeout 30 openvpn --config netfree.ovpn --daemon + sleep 10 + + # Check if VPN is connected and has correct IP + if ip addr show tun0 >/dev/null 2>&1; then + vpn_ip=$(ip addr show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}') + if [ -n "$vpn_ip" ]; then + echo "VPN connected successfully with IP: $vpn_ip" + killall openvpn + return 0 + fi + fi + + echo "ERROR: Failed to establish VPN connection" + killall openvpn + return 1 +} + +function install() { + # Install dependencies + apt update + apt install -y curl openvpn zenity + + configure_vpn + + # Test VPN connection + echo "Testing VPN connection..." + if ! 
timeout 30 openvpn --config netfree.ovpn --daemon; then + echo "VPN connection failed - aborting installation" + exit 1 + fi + + # Verify VPN IP + sleep 5 + vpn_ip=$(ip addr show tun0 2>/dev/null | grep -oP '(?<=inet\s)\d+(\.\d+){3}') + if [ "$vpn_ip" != "100.77.0.190" ]; then + echo "VPN connected but wrong IP ($vpn_ip) - aborting installation" + killall openvpn + + exit 1 + fi + + killall openvpn + + # Setup remaining components + mkdir -p /usr/share/tuxprotect/{res,vpn} + mkdir -p /var/log/tuxprotect + chmod 755 /var/log/tuxprotect + + # Create VPN log directory + mkdir -p /var/log/tuxprotect/ + + # Create log directories with proper permissions + mkdir -p /var/log/tuxprotect + chmod 755 /var/log/tuxprotect + touch /var/log/tuxprotect/tuxprotect.log + touch /var/log/tuxprotect/vpn.log + chmod 644 /var/log/tuxprotect/*.log + + # Setup log rotation configuration + cat > /etc/logrotate.d/tuxprotect << EOF +/var/log/tuxprotect/*.log { + weekly + rotate 4 + compress + delaycompress + missingok + notifempty + create 644 root root +} +EOF + + # ...existing code... + + # Copy OpenVPN config + + # ...existing code... + + apt install zenity + chattr -i /usr/bin/tuxprotect + cp tuxprotect /usr/bin/tuxprotect + cp tuxprotectgui /usr/bin/tuxprotectgui + chmod +x /usr/bin/tuxprotect + chmod +x /usr/bin/tuxprotectgui + mkdir /usr/share/tuxprotect/ + mkdir -p /usr/share/tuxprotect/vpn/ + cp netfree.ovpn /usr/share/tuxprotect/vpn/ + cp restartservices.sh /usr/share/tuxprotect/restartservices + cp notification.sh /usr/share/tuxprotect/notification + chmod +x /usr/share/tuxprotect/restartservices + chmod +x /usr/share/tuxprotect/notification + cp -r res /usr/share/tuxprotect/res/ + bash /usr/bin/tuxprotect & +} + +echo ' +####################################################### +# # +# Tux Protect # +# # +#######################################################' + +echo 'You are trying to install "Tux Protect". +WARNING!!! This script was tested only with Ubuntu 22.10 ! 
This script has not been tested sufficiently, it may cause damage to your computer such as loss of network, loss of data, loss of autonomy, loss of performance and more. No uninstall tool will be provided. +This script updates itself, its behavior is subject to change over time. +Do you agree anyway? If yes, write "I agree"' +echo '#######################################################' +read response + +if [ "$response" = "I agree" ] || [ "$response" = "i agree" ]; then + if [[ $EUID -ne 0 ]]; then + echo "Error! You have tu run this script with root privilege, run sudo ./install.sh" + exit 1 + else + install + fi + echo "Tux Protect was installed succesffuly ! You're now protected :)" +else + echo "The Script was not installed." +fi + + + From 1161181d94f5a4a56c6449d7c59782c5fbf1af18 Mon Sep 17 00:00:00 2001 From: aron unger Date: Wed, 25 Dec 2024 15:02:33 -0500 Subject: [PATCH 03/89] Update tuxprotect --- tuxprotect | 223 ++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 180 insertions(+), 43 deletions(-) diff --git a/tuxprotect b/tuxprotect index 5f2be64..3940565 100644 --- a/tuxprotect +++ b/tuxprotect 
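Review bot: The NetFree password is written in clear text to `netfree.ovpn` in the current directory under the default umask and later copied with a bare `cp` into `/usr/share/tuxprotect/vpn/`, so any local account can read the VPN credentials. Add `umask 077` at the top of `configure_vpn` and replace the copy with `install -m 600 -o root -g root netfree.ovpn /usr/share/tuxprotect/vpn/netfree.ovpn && rm -f netfree.ovpn`, so neither copy is world-readable and the working copy is not left behind. The inline credential and CA blocks appear here without `<auth-user-pass>`/`<ca>` tags, which may be a rendering artifact but is worth confirming in the committed file, since OpenVPN rejects inline data without them. `install` aborts unless tun0 receives exactly `100.77.0.190`, which presumably only one of the three offered servers assigns, so the UK and Israel menu choices cannot complete an install, and `test_vpn_connection` is defined but never called. `killall openvpn` also terminates any unrelated OpenVPN instance on the host; `pkill -f netfree.ovpn` would limit it to this profile.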
@@ -1,5 +1,99 @@ #!/bin/bash +# Add logging functions at the top +LOG_DIR="/var/log/tuxprotect" +VPN_LOG="$LOG_DIR/vpn.log" +MAIN_LOG="$LOG_DIR/tuxprotect.log" + +log() { + local message="[$(date '+%Y-%m-%d %H:%M:%S')] $1" + echo "$message" >> "$MAIN_LOG" + [ "$2" = "verbose" ] && echo "$message" +} + +vpn_log() { + local message="[$(date '+%Y-%m-%d %H:%M:%S')] VPN: $1" + echo "$message" >> "$VPN_LOG" + log "$message" +} + +rotate_logs() { + for logfile in "$LOG_DIR"/*.log; do + if [ -f "$logfile" ] && [ $(stat -f%z "$logfile") -gt 10485760 ]; then # 10MB + mv "$logfile" "$logfile.old" + touch "$logfile" + fi + done +} + +verify_vpn_config() { + local config="/usr/share/tuxprotect/vpn/netfree.ovpn" + + if [ ! -f "$config" ] || [ ! -s "$config" ]; then + vpn_log "ERROR: VPN configuration missing or empty" + return + + fi + + + # Check for required config elements + if ! grep -q "^remote " "$config" && ! grep -q "^auth-user-pass" "$config"; then + vpn_log "ERROR: VPN configuration invalid" + return 1 + fi + + return 0 +} + +start_vpn() { + vpn_log "Starting VPN connection..." + + if ! verify_vpn_config; then + vpn_log "Failed to verify VPN configuration" + return 1 + fi + + if ! pgrep openvpn >/dev/null; then + killall openvpn 2>/dev/null + sleep 2 + + openvpn --config /usr/share/tuxprotect/vpn/netfree.ovpn \ + --log "$VPN_LOG" \ + --daemon + + sleep 5 + + # Verify VPN connection + if ip addr show tun0 >/dev/null 2>&1; then + vpn_ip=$(ip addr show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}') + if [ "$vpn_ip" = "100.77.0.190" ]; then + vpn_log "VPN connected successfully with correct IP" + return 0 + fi + fi + + vpn_log "Failed to establish VPN connection" + return 1 + fi + return 0 +} + +check_vpn() { + if ! pgrep openvpn >/dev/null; then + vpn_log "VPN connection lost - attempting reconnection" + start_vpn + else + # Check if VPN is actually connected + if ! 
ip link show tun0 &>/dev/null; then + vpn_log "TUN interface down - restarting VPN" + start_vpn + fi + fi + + # Rotate logs if needed + rotate_logs +} + trap 'start_service; exit' SIGINT SIGTERM start_service () { @@ -132,9 +226,15 @@ notification() { block_internet() { iptables -A INPUT -i lo -j ACCEPT + iptables -A INPUT -s 100.77.0.190 -j ACCEPT + iptables -A OUTPUT -d 100.77.0.190 -j ACCEPT + # VPN server + iptables -A INPUT -s 173.68.147.11 -j ACCEPT + iptables -A OUTPUT -d 173.68.147.11 -j ACCEPT iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT iptables -A INPUT -s 127.16.0.0/12 -j ACCEPT iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT + iptables -A INPUT -s 1.2.3.4 -j ACCEPT iptables -A INPUT -s 51.89.182.69 -j ACCEPT iptables -A INPUT -s 93.184.216.34 -j ACCEPT 
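Review bot: `verify_vpn_config` returns from its missing-file branch with a bare `return`, which propagates whatever `vpn_log` returned; that happens to be 1 only because `log` ends with the `[ "$2" = "verbose" ] && echo` list that fails when no verbose flag is passed, so the status is accidental — write `return 1` explicitly. The required-elements check only fails when both directives are absent (two negated greps joined by `&&`), so a profile with `remote` but no `auth-user-pass` passes; use `if ! grep -q "^remote " "$config" || ! grep -q "^auth-user-pass" "$config"; then`. `rotate_logs` calls `stat -f%z`, the BSD spelling; GNU stat on the Ubuntu targets treats `-f` as file-system mode and does not yield the file size there, so the `-gt` comparison breaks — use `stat -c%s "$logfile"`. The function bodies in this hunk are complete; `start_service`, whose header closes the hunk, continues outside it.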
@@ -165,58 +265,95 @@ check_ip() { } apply_rules() { - install_if_not_present curl - install_if_not_present iptables - install_if_not_present openssl - install_if_not_present jq - response_code=$(timeout 5 curl -s -o /dev/null -w "%{http_code}" 1.2.3.4) - issuer=$(timeout 5 sh -c 'echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer | awk -F "=" "/O =/ {print \$NF}"') - isNetFree=$(timeout 5 curl -s "https://api.internal.netfree.link/user/0" | jq -r '.isNetFree') - if [[ $issuer =~ "NetFree" && $isNetFree == "true" ]]; then + install_if_not_present curl + install_if_not_present iptables + install_if_not_present openssl + install_if_not_present jq + install_if_not_present openvpn + + # Get VPN IP and check it + local vpn_ip=$(ip addr show tun0 2>/dev/null | grep -oP '(?<=inet\s)\d+(\.\d+){3}') + local expected_ip="100.77.0.190" # The IP we expect from the VPN + + if [ "$vpn_ip" = "$expected_ip" ]; then + log "VPN IP verified ($vpn_ip) - allowing all traffic" + iptables -F # Flush all rules + iptables -P INPUT ACCEPT + iptables -P OUTPUT ACCEPT + iptables -P FORWARD ACCEPT + if ! pgrep -f shield.png > /dev/null; then - indicator $shield & - notification $shield "הגלישה נפתחה" + indicator $shield & + notification $shield "הגלישה נפתחה - VPN מחובר" fi - if iptables -C INPUT -j REJECT; then - iptables -F - fi - sleep 0 - elif [ "$response_code" -eq "000" ]; then + return 0 + fi + + # Continue with normal checks if VPN IP doesn't match + response_code=$(timeout 5 curl -s -o /dev/null -w "%{http_code}" 1.2.3.4) + issuer=$(timeout 5 sh -c 'echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer | awk -F "=" "/O =/ {print \$NF}"') + isNetFree=$(timeout 5 curl -s "https://api.internal.netfree.link/user/0" | jq -r '.isNetFree') + + # ... rest of the existing apply_rules logic ... + if [[ $issuer =~ "NetFree" && $isNetFree == "true" ]]; then + if ! 
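Review bot: Only the US endpoint `173.68.147.11` is whitelisted on INPUT, but install.sh offers `77.68.76.69` (UK) and `185.217.99.140` (Israel) as well, and as far as the visible rules show the chain ends in `-j REJECT` with no state match, so the handshake replies from those two servers are rejected once `block_internet` has run and the VPN can only come up for menu choice 1; add `iptables -A INPUT -s 77.68.76.69 -j ACCEPT` and `iptables -A INPUT -s 185.217.99.140 -j ACCEPT`, or better derive the address from the `remote` line of the installed profile instead of hard-coding it a second time. The new `-s 100.77.0.190` / `-d 100.77.0.190` rules accept on the claimed address alone, which any on-path host can spoof; qualifying them with `-i tun0` / `-o tun0` ties the exemption to the tunnel interface instead. The unchanged `127.16.0.0/12` line a few rows below looks like a typo for `172.16.0.0/12` (127/8 is already covered by the `lo` rule). `block_internet` continues past the end of the hunk.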
pgrep -f shield.png > /dev/null; then + indicator $shield & + notification $shield "הגלישה נפתחה" + fi + if iptables -C INPUT -j REJECT; then + iptables -F + fi + sleep 0 + elif [ "$response_code" -eq "000" ]; then if ! pgrep -f shieldc.png > /dev/null; then - indicator $shieldc & - notification $shieldc "אין חיבור לאינטרנט" + indicator $shieldc & + notification $shieldc "אין חיבור לאינטרנט" fi - else + else if ! pgrep -f shieldb.png > /dev/null; then - indicator $shieldb & - notification $shieldb "הגלישה נחסמה" - + indicator $shieldb & + notification $shieldb "הגלישה נחסמה" fi - if ! iptables -C INPUT -j REJECT; then - block_internet - if ! iptables -C INPUT -j REJECT; then - apply_rules - else - sleep 0 - fi - else - sleep 0 - fi - fi + if ! iptables -C INPUT -j REJECT; then + block_internet + if ! iptables -C INPUT -j REJECT; then + apply_rules + else + sleep 0 + fi + else + sleep 0 + fi + fi } main () { - start_service - block_internet - indicator $shieldc & - sleep 5 - - while true; do - apply_rules - for i in {1..10}; do - check_ip + log "Starting Tux Protect service" "verbose" + + # Verify VPN config before starting service + if ! verify_vpn_config; then + log "ERROR: Invalid VPN configuration - please run install script again" "verbose" + exit 1 + fi + + start_service + block_internet + + if ! start_vpn; then + log "Initial VPN start failed - will retry" "verbose" + fi + + indicator $shieldc & + sleep 5 + + while true; do + check_vpn + apply_rules + for i in {1..10}; do + check_ip + check_vpn + done done - done } -main \ No newline at end of file +main From 1b76599bc4e45c74d015183a62b903e8865bd10c Mon Sep 17 00:00:00 2001 
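Review bot: The new fast path in `apply_rules` flushes every rule and sets all three policies to ACCEPT as soon as tun0 carries `100.77.0.190`, yet nothing visible guarantees that browsing traffic is routed through that tunnel — the profile install.sh writes has no `redirect-gateway`, so unless the server pushes one the physical interface stays the default route, and the NetFree issuer / `isNetFree` probes that used to gate the open state are skipped entirely. Keep the probes as a second condition, or replace the flush with egress rules that only let traffic out via tun0 (sketch below; merge with the allow-list `block_internet` already maintains). `main` now exits 1 when `verify_vpn_config` fails, and with `Restart=always`, `RestartSec=1` and the start limits disabled in the unit, a missing profile becomes a one-second restart loop that re-downloads the script on every `ExecStartPre`; logging and falling through to `block_internet` would be safer. `local vpn_ip=$(...)` also masks the status of the `ip` pipeline; `apply_rules` and `main` are complete here, but `check_ip` above is not.
```shell
    if [ "$vpn_ip" = "$expected_ip" ]; then
        log "VPN IP verified ($vpn_ip) - allowing traffic via tun0 only"
        iptables -F
        iptables -A OUTPUT -o lo -j ACCEPT
        iptables -A OUTPUT -o tun0 -j ACCEPT
        # control channel to the VPN server (host/port from the profile's "remote" line)
        iptables -A OUTPUT -d 173.68.147.11 -p tcp --dport 143 -j ACCEPT
        # add the RFC1918 ranges block_internet already permits if LAN access is wanted
        iptables -A OUTPUT -j REJECT
        # … unchanged: shield indicator / notification …
        return 0
    fi
```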
From: aron unger Date: Wed, 25 Dec 2024 15:07:36 -0500 Subject: [PATCH 04/89] Update README.md This is the first one I made on Ubuntu 24.10; it worked when I selected the US server and entered the username and password that NetFree gave me via a support request. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 75a0899..2d5426d 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ TuxProtect automatically detects the presence of a Netfree network. Once connect ## Installation ``` -sudo apt-get update && sudo apt-get install -y git && git -c http.sslVerify=false clone https://github.com/lo-mityaesh/tuxprotect.git && cd tuxprotect && chmod +x install.sh && sudo ./install.sh && cd .. && rm -rf tuxprotect +sudo apt-get update && sudo apt-get install -y git && git -c http.sslVerify=false clone https://github.com/aronunger-ctb/tuxprotect.git && cd tuxprotect && chmod +x install.sh && sudo ./install.sh && cd .. && rm -rf tuxprotect ``` ## Contributions From 2a3a0330d989394ac38f25266bf11a66e55324ee Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 26 Dec 2024 01:14:33 +0000 Subject: [PATCH 05/89] Update tuxprotect.service update the script to download from this repository --- tuxprotect.service | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tuxprotect.service b/tuxprotect.service index 6482ebd..aca7730 100644 --- a/tuxprotect.service +++ b/tuxprotect.service 
@@ -5,12 +5,12 @@ Description=Tux Protect
 Type=simple
 ExecStartPre=-/usr/sbin/iptables -F
 ExecStartPre=-/usr/bin/chattr -i /usr/bin/tuxprotect
-ExecStartPre=-/usr/bin/curl -o /usr/bin/tuxprotect -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/lo-mityaesh/tuxprotect/main/tuxprotect
+ExecStartPre=-/usr/bin/curl -o /usr/bin/tuxprotect -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/aronunger-ctb/tuxprotect/main/tuxprotect
 ExecStartPre=-/usr/bin/chmod +x /usr/bin/tuxprotect
 ExecStartPre=-/usr/bin/chattr +i /usr/bin/tuxprotect
 ExecStart=/usr/bin/tuxprotect
 ExecStopPost=-/usr/bin/chattr -i /etc/systemd/system/tuxprotect.service
-ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/lo-mityaesh/tuxprotect/main/tuxprotect.service
+ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/aronunger-ctb/tuxprotect/main/tuxprotect.service
 ExecStopPost=-/usr/bin/chattr -+ /etc/systemd/system/tuxprotect.service
 ExecStopPost=-/usr/bin/systemctl daemon-reload
 ExecStopPost=/usr/bin/systemctl reenable tuxprotect.service
From 54b6cb14afbbab25b24479b95e61f1b4610b519d Mon Sep 17 00:00:00 2001
From: aron unger
Date: Thu, 26 Dec 2024 01:19:00 +0000
Subject: [PATCH 06/89] Update tuxprotect update the updates to this repo
---
 tuxprotect | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tuxprotect b/tuxprotect
index 3940565..9a556db 100644
--- a/tuxprotect
+++ b/tuxprotect
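Review bot: The changed `ExecStartPre`/`ExecStopPost` lines now fetch the root-executed script and this unit file from a different maintainer's repository, and they still pass `-k`, so TLS verification is off and anyone on the path can substitute what runs as root at every service start; drop `-k`, pin the fetch to a tag or commit rather than `main`, or verify a checksum or signature before the `chmod +x`. The unchanged `chattr -+` three lines later names no attribute and so changes nothing (presumably `+i` was meant), which means that unlike the binary the unit file is never re-locked after the update.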
@@ -113,12 +113,12 @@ Description=Tux Protect Type=simple ExecStartPre=-/usr/sbin/iptables -F ExecStartPre=-/usr/bin/chattr -i /usr/bin/tuxprotect -ExecStartPre=-/usr/bin/curl -o /usr/bin/tuxprotect -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/lo-mityaesh/tuxprotect/main/tuxprotect +ExecStartPre=-/usr/bin/curl -o /usr/bin/tuxprotect -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/aronunger-ctb/tuxprotect/main/tuxprotect ExecStartPre=-/usr/bin/chmod +x /usr/bin/tuxprotect ExecStartPre=-/usr/bin/chattr +i /usr/bin/tuxprotect ExecStart=/usr/bin/tuxprotect ExecStopPost=-/usr/bin/chattr -i /etc/systemd/system/tuxprotect.service -ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/lo-mityaesh/tuxprotect/main/tuxprotect.service +ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent/aronunger-ctb/tuxprotect/main/tuxprotect.service ExecStopPost=-/usr/bin/chattr -+ /etc/systemd/system/tuxprotect.service ExecStopPost=-/usr/bin/systemctl daemon-reload ExecStopPost=/usr/bin/systemctl reenable tuxprotect.service From 6631fdba052cbfa0e68f9afad81b562c431b8d29 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 26 Dec 2024 13:43:37 -0500 Subject: [PATCH 07/89] Update tuxprotect --- tuxprotect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index 9a556db..8c17469 100644 --- a/tuxprotect +++ b/tuxprotect @@ -125,7 +125,7 @@ ExecStopPost=/usr/bin/systemctl reenable tuxprotect.service ExecStopPost=/usr/bin/systemctl start tuxprotect.service TimeoutStopSec=5s Restart=always -RestartSec=3 +RestartSec=1 StartLimitInterval=0 StartLimitBurst=0 Environment=DISPLAY=:0 From 726ba6d1b2a5ae6d106ab56ad2e1dc6118923d34 Mon Sep 17 00:00:00 2001 
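Review bot: The new `ExecStopPost` URL in the embedded unit is `https://raw.githubusercontent/aronunger-ctb/...` — the `.com` is missing — so the self-update of the unit file that `rewrite_service` writes can never succeed; the `-` prefix makes the failure silent, and the `chattr -i` just before it leaves the unit file writable. Use `https://raw.githubusercontent.com/aronunger-ctb/tuxprotect/main/tuxprotect.service`, and since this heredoc duplicates `tuxprotect.service` in the repository, consider generating one from the other so the two copies cannot drift. The heredoc containing these lines starts and ends outside the hunk.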
From: aron unger
Date: Thu, 26 Dec 2024 13:44:09 -0500
Subject: [PATCH 08/89] Update tuxprotect.service
---
 tuxprotect.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tuxprotect.service b/tuxprotect.service
index aca7730..2c8af1d 100644
--- a/tuxprotect.service
+++ b/tuxprotect.service
@@ -17,7 +17,7 @@ ExecStopPost=/usr/bin/systemctl reenable tuxprotect.service
 ExecStopPost=/usr/bin/systemctl start tuxprotect.service
 TimeoutStopSec=5s
 Restart=always
-RestartSec=3
+RestartSec=1
 StartLimitInterval=0
 StartLimitBurst=0
 Environment=DISPLAY=:0
From d5d065983b75d61b8ccc90ca6373c78c63c22387 Mon Sep 17 00:00:00 2001
From: aron unger
Date: Thu, 26 Dec 2024 13:48:11 -0500
Subject: [PATCH 09/89] Add files via upload
---
 tuxprotect-vpn.service | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 tuxprotect-vpn.service
diff --git a/tuxprotect-vpn.service b/tuxprotect-vpn.service
new file mode 100644
index 0000000..22a51bd
--- /dev/null
+++ b/tuxprotect-vpn.service
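Review bot: Lowering `RestartSec` to 1 combines with `Restart=always` and the disabled start limits (`StartLimitInterval=0`, `StartLimitBurst=0`) into an unthrottled one-second loop whenever `/usr/bin/tuxprotect` exits quickly — and the script now does `exit 1` when the VPN profile fails verification — with every iteration re-running the `curl -k` download in `ExecStartPre`. Keep a few seconds here or, better, make the script stay up in the blocked state instead of exiting, and give the unit a non-zero `StartLimitBurst` so a broken install does not hammer GitHub and the journal.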
@@ -0,0 +1,27 @@
+[Unit]
+Description=Tux Protect VPN
+After=network.target
+
+[Service]
+Type=simple
+ExecStartPre=/usr/sbin/iptables -F
+ExecStart=/usr/sbin/openvpn --config /usr/share/tuxprotect/vpn/netfree.ovpn
+ExecStop=/usr/sbin/iptables -F
+ExecStop=/usr/sbin/iptables -P INPUT DROP
+ExecStop=/usr/sbin/iptables -P OUTPUT DROP
+ExecStop=/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
+ExecStop=/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
+ExecStop=/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ExecStop=/usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ExecStopPost=-/usr/bin/chattr -i /etc/systemd/system/tuxprotect-vpn.service
+ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect-vpn.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/aronunger-ctb/tuxprotect/main/tuxprotect-vpn.service
+ExecStopPost=-/usr/bin/chattr +i /etc/systemd/system/tuxprotect-vpn.service
+ExecStopPost=-/usr/bin/systemctl daemon-reload
+ExecStopPost=/usr/bin/systemctl reenable tuxprotect-vpn.service
+Restart=always
+RestartSec=1
+StartLimitInterval=0
+StartLimitBurst=0
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
From db47ff4fe251ea0eee01166e57d2cb597be432b0 Mon Sep 17 00:00:00 2001
From: aron unger
Date: Thu, 26 Dec 2024 13:50:56 -0500
Subject: [PATCH 10/89] Update tuxprotect to use vpn service
---
 tuxprotect | 67 ++++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 53 insertions(+), 14 deletions(-)
diff --git a/tuxprotect b/tuxprotect
index 8c17469..8e56838 100644
--- a/tuxprotect
+++ b/tuxprotect
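Review bot: `ExecStop` installs a DROP policy on OUTPUT that admits only established flows, and `ExecStopPost` immediately afterwards tries to open a new connection with `curl` to fetch this unit's replacement, so the self-update can never succeed after a stop (silently, because of the `-` prefix) and the unchanged file is simply re-locked with `chattr +i`. Move the fetch ahead of the DROP rules or allow that single destination before them, and drop `-k`, since a root-owned unit file is being replaced over an unverified TLS connection. `ExecStartPre=/usr/sbin/iptables -F` also wipes the kill-switch on every restart before OpenVPN has reconnected, leaving an unfiltered window for the length of the reconnect; flush after `tun0` is up, or keep the filter and add an exception for the `remote` address only. There is no `After=`/`Wants=` relation to `tuxprotect.service`, which runs its own `iptables -F` in `ExecStartPre`, so the order in which the two flushes run at boot is unspecified.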
@@ -53,16 +53,19 @@ start_vpn() { return 1 fi - if ! pgrep openvpn >/dev/null; then - killall openvpn 2>/dev/null - sleep 2 - - openvpn --config /usr/share/tuxprotect/vpn/netfree.ovpn \ - --log "$VPN_LOG" \ - --daemon + # Stop existing VPN service if running + systemctl stop tuxprotect-vpn.service 2>/dev/null + sleep 2 + + # Start VPN service + if ! systemctl start tuxprotect-vpn.service; then + vpn_log "Failed to start VPN service" + return 1 + fi + # Wait for VPN to establish connection + for i in {1..12}; do sleep 5 - # Verify VPN connection if ip addr show tun0 >/dev/null 2>&1; then vpn_ip=$(ip addr show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}') @@ -71,11 +74,10 @@ start_vpn() { return 0 fi fi - - vpn_log "Failed to establish VPN connection" - return 1 - fi - return 0 + done + + vpn_log "Failed to establish VPN connection within timeout" + return 1 } check_vpn() { 
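Review bot: `start_vpn` now stops `tuxprotect-vpn.service` unconditionally before starting it, while the unit hunk in this same commit makes `tuxprotect.service` declare `Requires=tuxprotect-vpn.service`; systemd propagates an explicit stop (or restart) of a required unit to the units that require it, so as far as the visible units show, `main` → `start_vpn` → `systemctl stop` takes `tuxprotect.service` itself down, `Restart=always` brings it back, and the cycle repeats. Change the dependency to `Wants=` and only start when needed, e.g. `systemctl is-active --quiet tuxprotect-vpn.service || systemctl start tuxprotect-vpn.service`, remembering that every stop also fires the VPN unit's `ExecStop` DROP rules and its `ExecStopPost` self-update fetch. The 12×5 s loop still waits for the hard-coded `100.77.0.190`, so a tunnel that comes up with any other address is reported as failed after 60 s. `start_vpn` begins above this hunk and the tail of the loop is in the next one.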
@@ -104,10 +106,46 @@ start_service () { } rewrite_service() { + # Write tuxprotect-vpn.service + chattr -i /etc/systemd/system/tuxprotect-vpn.service 2>/dev/null + cat > /etc/systemd/system/tuxprotect-vpn.service << EOL +[Unit] +Description=Tux Protect VPN +After=network.target + +[Service] +Type=simple +ExecStartPre=/usr/sbin/iptables -F +ExecStart=/usr/sbin/openvpn --config /usr/share/tuxprotect/vpn/netfree.ovpn +ExecStop=/usr/sbin/iptables -F +ExecStop=/usr/sbin/iptables -P INPUT DROP +ExecStop=/usr/sbin/iptables -P OUTPUT DROP +ExecStop=/usr/sbin/iptables -A INPUT -i lo -j ACCEPT +ExecStop=/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT +ExecStop=/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +ExecStop=/usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +ExecStopPost=-/usr/bin/chattr -i /etc/systemd/system/tuxprotect-vpn.service +ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect-vpn.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/aronunger-ctb/tuxprotect/main/tuxprotect-vpn.service +ExecStopPost=-/usr/bin/chattr +i /etc/systemd/system/tuxprotect-vpn.service +ExecStopPost=-/usr/bin/systemctl daemon-reload +ExecStopPost=/usr/bin/systemctl reenable tuxprotect-vpn.service +Restart=always +RestartSec=1 +StartLimitInterval=0 +StartLimitBurst=0 + +[Install] +WantedBy=multi-user.target +EOL + chattr +i /etc/systemd/system/tuxprotect-vpn.service + + # Write tuxprotect.service chattr -i /etc/systemd/system/tuxprotect.service cat > /etc/systemd/system/tuxprotect.service << EOL [Unit] Description=Tux Protect +After=network.target +Requires=tuxprotect-vpn.service [Service] Type=simple 
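Review bot: `Requires=tuxprotect-vpn.service` is added to the embedded `tuxprotect.service` without a matching `After=tuxprotect-vpn.service`, so systemd activates both units in parallel and `/usr/bin/tuxprotect` can begin its own `start_vpn` sequence before the VPN unit has even been started; add the `After=` line (and prefer `Wants=`, because an explicit stop of a `Requires=` dependency also stops the requiring unit). The unit text written here is a verbatim copy of `tuxprotect-vpn.service` in the repository, and both copies self-update from GitHub with `curl -k`, so either can diverge from the other unnoticed — having `rewrite_service` install the packaged file, or generating one from the other, would remove the duplication and the unverified download. `rewrite_service` ends outside this hunk.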
@@ -117,8 +155,9 @@ ExecStartPre=-/usr/bin/curl -o /usr/bin/tuxprotect -s --connect-timeout 5 -m 5 - ExecStartPre=-/usr/bin/chmod +x /usr/bin/tuxprotect ExecStartPre=-/usr/bin/chattr +i /usr/bin/tuxprotect ExecStart=/usr/bin/tuxprotect +ExecStartPost=/usr/bin/systemctl start tuxprotect-vpn.service ExecStopPost=-/usr/bin/chattr -i /etc/systemd/system/tuxprotect.service -ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent/aronunger-ctb/tuxprotect/main/tuxprotect.service +ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/aronunger-ctb/tuxprotect/main/tuxprotect.service ExecStopPost=-/usr/bin/chattr -+ /etc/systemd/system/tuxprotect.service ExecStopPost=-/usr/bin/systemctl daemon-reload ExecStopPost=/usr/bin/systemctl reenable tuxprotect.service From 85de77542e98264690c5cbe272897648bcd5dd80 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 26 Dec 2024 13:52:00 -0500 Subject: [PATCH 11/89] Update tuxprotect.service to use vpn service --- tuxprotect.service | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tuxprotect.service b/tuxprotect.service index 2c8af1d..1116668 100644 --- a/tuxprotect.service +++ b/tuxprotect.service @@ -1,5 +1,7 @@ [Unit] Description=Tux Protect +After=network.target +Requires=tuxprotect-vpn.service [Service] Type=simple 
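Review bot: `ExecStartPost=/usr/bin/systemctl start tuxprotect-vpn.service` is redundant with the `Requires=` added in the same commit and, lacking the `-` prefix, a failure to start the VPN unit marks `tuxprotect.service` as failed and restarts it, compounding the VPN unit's own `Restart=always` cycle; drop the line or write `ExecStartPost=-/usr/bin/systemctl start tuxprotect-vpn.service`. The `.com` fix to the `ExecStopPost` URL is correct and should be preserved when this section is next touched. The heredoc containing these lines starts and ends outside the hunk.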
@@ -9,6 +11,7 @@ ExecStartPre=-/usr/bin/curl -o /usr/bin/tuxprotect -s --connect-timeout 5 -m 5 - ExecStartPre=-/usr/bin/chmod +x /usr/bin/tuxprotect ExecStartPre=-/usr/bin/chattr +i /usr/bin/tuxprotect ExecStart=/usr/bin/tuxprotect +ExecStartPost=/usr/bin/systemctl start tuxprotect-vpn.service ExecStopPost=-/usr/bin/chattr -i /etc/systemd/system/tuxprotect.service ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/aronunger-ctb/tuxprotect/main/tuxprotect.service ExecStopPost=-/usr/bin/chattr -+ /etc/systemd/system/tuxprotect.service @@ -17,7 +20,7 @@ ExecStopPost=/usr/bin/systemctl reenable tuxprotect.service ExecStopPost=/usr/bin/systemctl start tuxprotect.service TimeoutStopSec=5s Restart=always -RestartSec=1 +RestartSec=3 StartLimitInterval=0 StartLimitBurst=0 Environment=DISPLAY=:0 From b40f03b1a407b1ccae9386821856e7e392bdb908 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 26 Dec 2024 19:18:48 +0000 Subject: [PATCH 12/89] Update tuxprotect revert changes of vpn service and pused it into a branch --- tuxprotect | 101 ++++++++--------------------------------------------- 1 file changed, 15 insertions(+), 86 deletions(-) diff --git a/tuxprotect b/tuxprotect index 8e56838..87387bb 100644 --- a/tuxprotect +++ b/tuxprotect @@ -1,22 +1,18 @@ #!/bin/bash - # Add logging functions at the top LOG_DIR="/var/log/tuxprotect" VPN_LOG="$LOG_DIR/vpn.log" MAIN_LOG="$LOG_DIR/tuxprotect.log" - log() { local message="[$(date '+%Y-%m-%d %H:%M:%S')] $1" echo "$message" >> "$MAIN_LOG" [ "$2" = "verbose" ] && echo "$message" } - vpn_log() { local message="[$(date '+%Y-%m-%d %H:%M:%S')] VPN: $1" echo "$message" >> "$VPN_LOG" log "$message" } - rotate_logs() { for logfile in "$LOG_DIR"/*.log; do if [ -f "$logfile" ] && [ $(stat -f%z "$logfile") -gt 10485760 ]; then # 10MB 
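Review bot: `RestartSec` goes back to 3 here, but the copy of this unit that `rewrite_service` in `/usr/bin/tuxprotect` regenerates on every service start still says `RestartSec=1` (patch 07 in this series), and `start_service` overwrites `/etc/systemd/system/tuxprotect.service` with that copy, so the value committed in this file is replaced at first run; keep the two in sync or, better, have the script install the packaged unit instead of embedding it. The `Requires=tuxprotect-vpn.service` added above comes without `After=tuxprotect-vpn.service`, so there is still no ordering between the two units, and the non-`-` `ExecStartPost` start of the VPN unit turns any failure there into a failure of this unit.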
@@ -25,16 +21,13 @@ rotate_logs() { fi done } - verify_vpn_config() { local config="/usr/share/tuxprotect/vpn/netfree.ovpn" if [ ! -f "$config" ] || [ ! -s "$config" ]; then vpn_log "ERROR: VPN configuration missing or empty" return - fi - # Check for required config elements if ! grep -q "^remote " "$config" && ! grep -q "^auth-user-pass" "$config"; then @@ -44,7 +37,6 @@ verify_vpn_config() { return 0 } - start_vpn() { vpn_log "Starting VPN connection..." @@ -53,19 +45,16 @@ start_vpn() { return 1 fi - # Stop existing VPN service if running - systemctl stop tuxprotect-vpn.service 2>/dev/null - sleep 2 - - # Start VPN service - if ! systemctl start tuxprotect-vpn.service; then - vpn_log "Failed to start VPN service" - return 1 - fi + if ! pgrep openvpn >/dev/null; then + killall openvpn 2>/dev/null + sleep 2 + + openvpn --config /usr/share/tuxprotect/vpn/netfree.ovpn \ + --log "$VPN_LOG" \ + --daemon - # Wait for VPN to establish connection - for i in {1..12}; do sleep 5 + # Verify VPN connection if ip addr show tun0 >/dev/null 2>&1; then vpn_ip=$(ip addr show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}') @@ -74,10 +63,11 @@ start_vpn() { return 0 fi fi - done - - vpn_log "Failed to establish VPN connection within timeout" - return 1 + + vpn_log "Failed to establish VPN connection" + return 1 + fi + return 0 } check_vpn() { 
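Review bot: The reinstated `openvpn --log "$VPN_LOG" --daemon` truncates `vpn.log` on every start, wiping the lines `vpn_log` appended to the same file moments earlier (`--log` truncates, `--log-append` does not), so use `--log-append "$VPN_LOG"`. The `killall openvpn` inside `if ! pgrep openvpn` can only execute when no openvpn process exists, so it is dead code, and the single 5 s wait means a slower handshake is logged as a failure even though the daemon keeps negotiating in the background. `start_vpn` opens above the first of these hunks and its closing brace is in the last one.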
@@ -95,58 +85,19 @@ check_vpn() { # Rotate logs if needed rotate_logs } - trap 'start_service; exit' SIGINT SIGTERM - start_service () { rewrite_service systemctl daemon-reload systemctl reenable tuxprotect.service systemctl start tuxprotect.service } - -rewrite_service() { - # Write tuxprotect-vpn.service - chattr -i /etc/systemd/system/tuxprotect-vpn.service 2>/dev/null - cat > /etc/systemd/system/tuxprotect-vpn.service << EOL -[Unit] -Description=Tux Protect VPN -After=network.target -[Service] -Type=simple -ExecStartPre=/usr/sbin/iptables -F -ExecStart=/usr/sbin/openvpn --config /usr/share/tuxprotect/vpn/netfree.ovpn -ExecStop=/usr/sbin/iptables -F -ExecStop=/usr/sbin/iptables -P INPUT DROP -ExecStop=/usr/sbin/iptables -P OUTPUT DROP -ExecStop=/usr/sbin/iptables -A INPUT -i lo -j ACCEPT -ExecStop=/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT -ExecStop=/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -ExecStop=/usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -ExecStopPost=-/usr/bin/chattr -i /etc/systemd/system/tuxprotect-vpn.service -ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect-vpn.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/aronunger-ctb/tuxprotect/main/tuxprotect-vpn.service -ExecStopPost=-/usr/bin/chattr +i /etc/systemd/system/tuxprotect-vpn.service -ExecStopPost=-/usr/bin/systemctl daemon-reload -ExecStopPost=/usr/bin/systemctl reenable tuxprotect-vpn.service -Restart=always -RestartSec=1 -StartLimitInterval=0 -StartLimitBurst=0 - -[Install] -WantedBy=multi-user.target -EOL - chattr +i /etc/systemd/system/tuxprotect-vpn.service - - # Write tuxprotect.service +rewrite_service() { chattr -i /etc/systemd/system/tuxprotect.service cat > /etc/systemd/system/tuxprotect.service << EOL [Unit] Description=Tux Protect -After=network.target -Requires=tuxprotect-vpn.service - [Service] Type=simple ExecStartPre=-/usr/sbin/iptables -F 
@@ -155,9 +106,8 @@ ExecStartPre=-/usr/bin/curl -o /usr/bin/tuxprotect -s --connect-timeout 5 -m 5 - ExecStartPre=-/usr/bin/chmod +x /usr/bin/tuxprotect ExecStartPre=-/usr/bin/chattr +i /usr/bin/tuxprotect ExecStart=/usr/bin/tuxprotect -ExecStartPost=/usr/bin/systemctl start tuxprotect-vpn.service ExecStopPost=-/usr/bin/chattr -i /etc/systemd/system/tuxprotect.service -ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/aronunger-ctb/tuxprotect/main/tuxprotect.service +ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent/aronunger-ctb/tuxprotect/main/tuxprotect.service ExecStopPost=-/usr/bin/chattr -+ /etc/systemd/system/tuxprotect.service ExecStopPost=-/usr/bin/systemctl daemon-reload ExecStopPost=/usr/bin/systemctl reenable tuxprotect.service @@ -168,14 +118,11 @@ RestartSec=1 StartLimitInterval=0 StartLimitBurst=0 Environment=DISPLAY=:0 - [Install] WantedBy=multi-user.target EOL chattr +i /etc/systemd/system/tuxprotect.service } - - rewrite_script() { chattr -i /usr/bin/tuxprotect cat $0 > "$temp_file" @@ -184,7 +131,6 @@ rewrite_script() { chmod +x /usr/bin/tuxprotect chattr +i /usr/bin/tuxprotect } - #var version="1.0.1" script_path=$(readlink -f "$0") @@ -192,21 +138,18 @@ random_path=$(find /usr/ -type d -print | shuf -n 1) shield="/usr/share/tuxprotect/res/icons/shield.png" shieldb="/usr/share/tuxprotect/res/icons/shieldb.png" shieldc="/usr/share/tuxprotect/res/icons/shieldc.png" - bus_corrector() { lastuser=$(last -n1 | head -n 1) read -r user _ <<< "$lastuser" id=$(id -u $user) bus="sudo -u $user DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$id/bus" } - unlock_dpkg() { rm /var/lib/dpkg/lock-frontend rm /var/lib/apt/lists/lock rm /var/cache/apt/archives/lock rm /var/lib/dpkg/lock } - install_if_not_present() { local package=$1 if ! command -v $package &> /dev/null; then 
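Review bot: The new `ExecStopPost=` curl line fetches `https://raw.githubusercontent/aronunger-ctb/tuxprotect/main/tuxprotect.service` — the host has lost its `.com` — so the unit's self-update can never succeed, and with `-o` a failed fetch may leave a truncated unit file in place; restore `https://raw.githubusercontent.com/…` as on the `ExecStartPre=` line above. The following line, `chattr -+ /etc/systemd/system/tuxprotect.service`, is not a valid chattr mode expression (presumably `+i` was meant), so the rewritten unit is left mutable while the `-` prefix hides the error. Separately, each of these fetches uses `-k`, disabling certificate verification for a file that is then executed as root; the unit and the script should be fetched with TLS verification on and, ideally, checked against a pinned hash or signature before being installed. The heredoc begins in the previous hunk.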
@@ -216,7 +159,6 @@ install_if_not_present() { fi fi } - indicator() { #menu language if [ "$LANG" = "fr_FR.UTF-8" ]; then @@ -238,7 +180,6 @@ indicator() { change_place="Change watermark place" notification:"Enable/Disable notifications" fi - #app indicator bus_corrector killall tuxprotectgui @@ -250,7 +191,6 @@ indicator() { |V$version " --listen --image="$icon" sudo -u $first /usr/bin/xhost - SI:localuser:root > /dev/null } - notification() { status_path="/usr/share/tuxprotect/res/status" status=$(cat /usr/share/tuxprotect/res/status) @@ -261,8 +201,6 @@ notification() { $bus notify-send "Tux Protect" $content -i "$icon" -t 20 fi } - - block_internet() { iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -s 100.77.0.190 -j ACCEPT @@ -273,7 +211,6 @@ block_internet() { iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT iptables -A INPUT -s 127.16.0.0/12 -j ACCEPT iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT - iptables -A INPUT -s 1.2.3.4 -j ACCEPT iptables -A INPUT -s 51.89.182.69 -j ACCEPT iptables -A INPUT -s 93.184.216.34 -j ACCEPT @@ -281,7 +218,6 @@ block_internet() { iptables -A INPUT -p tcp --dport 53 -j ACCEPT iptables -A INPUT -j REJECT } - check_ip() { current_ip=$(ip a show | grep -oP '(?<=inet\s)\d+(\.\d+){3}') sleep 6 @@ -302,18 +238,15 @@ check_ip() { fi fi } - apply_rules() { install_if_not_present curl install_if_not_present iptables install_if_not_present openssl install_if_not_present jq install_if_not_present openvpn - # Get VPN IP and check it local vpn_ip=$(ip addr show tun0 2>/dev/null | grep -oP '(?<=inet\s)\d+(\.\d+){3}') local expected_ip="100.77.0.190" # The IP we expect from the VPN - if [ "$vpn_ip" = "$expected_ip" ]; then log "VPN IP verified ($vpn_ip) - allowing all traffic" iptables -F # Flush all rules 
@@ -327,7 +260,6 @@ apply_rules() { fi return 0 fi - # Continue with normal checks if VPN IP doesn't match response_code=$(timeout 5 curl -s -o /dev/null -w "%{http_code}" 1.2.3.4) issuer=$(timeout 5 sh -c 'echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer | awk -F "=" "/O =/ {print \$NF}"') @@ -365,7 +297,6 @@ apply_rules() { fi fi } - main () { log "Starting Tux Protect service" "verbose" @@ -384,7 +315,6 @@ main () { indicator $shieldc & sleep 5 - while true; do check_vpn apply_rules @@ -394,5 +324,4 @@ main () { done done } - main From 9172822515b511867f0d6c37b49a81bc06181afe Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 26 Dec 2024 19:22:13 +0000 Subject: [PATCH 13/89] Update tuxprotect-vpn.service --- tuxprotect-vpn.service | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/tuxprotect-vpn.service b/tuxprotect-vpn.service index 22a51bd..1ef463b 100644 --- a/tuxprotect-vpn.service +++ b/tuxprotect-vpn.service 
@@ -7,21 +7,14 @@ Type=simple ExecStartPre=/usr/sbin/iptables -F ExecStart=/usr/sbin/openvpn --config /usr/share/tuxprotect/vpn/netfree.ovpn ExecStop=/usr/sbin/iptables -F -ExecStop=/usr/sbin/iptables -P INPUT DROP -ExecStop=/usr/sbin/iptables -P OUTPUT DROP -ExecStop=/usr/sbin/iptables -A INPUT -i lo -j ACCEPT -ExecStop=/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT -ExecStop=/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -ExecStop=/usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT ExecStopPost=-/usr/bin/chattr -i /etc/systemd/system/tuxprotect-vpn.service -ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect-vpn.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/aronunger-ctb/tuxprotect/main/tuxprotect-vpn.service -ExecStopPost=-/usr/bin/chattr +i /etc/systemd/system/tuxprotect-vpn.service + + ExecStopPost=-/usr/bin/systemctl daemon-reload ExecStopPost=/usr/bin/systemctl reenable tuxprotect-vpn.service -Restart=always -RestartSec=1 + StartLimitInterval=0 StartLimitBurst=0 [Install] -WantedBy=multi-user.target \ No newline at end of file +WantedBy=multi-user.target From 9ade25b0b4afc9236d8d51830eb03acf4bb35b7c Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 26 Dec 2024 19:22:53 +0000 Subject: [PATCH 14/89] Update tuxprotect.service --- tuxprotect.service | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tuxprotect.service b/tuxprotect.service index 1116668..6c1f730 100644 --- a/tuxprotect.service +++ b/tuxprotect.service @@ -1,7 +1,7 @@ [Unit] Description=Tux Protect After=network.target -Requires=tuxprotect-vpn.service + [Service] Type=simple 
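Review bot: Removing `Restart=always` and `RestartSec=1` while keeping `StartLimitInterval=0`/`StartLimitBurst=0` leaves the unit with systemd's default of no automatic restart, so an openvpn exit is no longer recovered by the unit; if recovery is now the script's job, a one-line comment in the unit saying so would spare the next reader the search. The six removed `ExecStop=` iptables lines were the only fail-closed rules applied on stop, and the remaining `ExecStop=/usr/sbin/iptables -F` flushes whatever block_internet installed, so stopping this unit now opens the firewall until the script reacts — consistent with the "internet for a few seconds" problem recorded in the PATCH 18 message further down. The three blank `+` lines inside `[Service]` look accidental.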
@@ -11,7 +11,6 @@ ExecStartPre=-/usr/bin/curl -o /usr/bin/tuxprotect -s --connect-timeout 5 -m 5 - ExecStartPre=-/usr/bin/chmod +x /usr/bin/tuxprotect ExecStartPre=-/usr/bin/chattr +i /usr/bin/tuxprotect ExecStart=/usr/bin/tuxprotect -ExecStartPost=/usr/bin/systemctl start tuxprotect-vpn.service ExecStopPost=-/usr/bin/chattr -i /etc/systemd/system/tuxprotect.service ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/aronunger-ctb/tuxprotect/main/tuxprotect.service ExecStopPost=-/usr/bin/chattr -+ /etc/systemd/system/tuxprotect.service @@ -20,7 +19,7 @@ ExecStopPost=/usr/bin/systemctl reenable tuxprotect.service ExecStopPost=/usr/bin/systemctl start tuxprotect.service TimeoutStopSec=5s Restart=always -RestartSec=3 +RestartSec=1 StartLimitInterval=0 StartLimitBurst=0 Environment=DISPLAY=:0 From bfd68e194b7c24bb92673cd778248c667f843705 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 26 Dec 2024 14:51:24 -0500 Subject: [PATCH 15/89] Update tuxprotect --- tuxprotect | 1 + 1 file changed, 1 insertion(+) diff --git a/tuxprotect b/tuxprotect index 87387bb..e1aac7b 100644 --- a/tuxprotect +++ b/tuxprotect @@ -73,6 +73,7 @@ start_vpn() { check_vpn() { if ! pgrep openvpn >/dev/null; then vpn_log "VPN connection lost - attempting reconnection" + block_internet start_vpn else # Check if VPN is actually connected From 994a4486fb9367ed56d721a64caf71fd5f2cd4e3 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 26 Dec 2024 14:54:47 -0500 Subject: [PATCH 16/89] Update tuxprotect --- tuxprotect | 1 - 1 file changed, 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index e1aac7b..73fe486 100644 --- a/tuxprotect +++ b/tuxprotect @@ -315,7 +315,6 @@ main () { fi indicator $shieldc & - sleep 5 while true; do check_vpn apply_rules From 17c3e369731026d5c1c775cc8700a8c7d8412a72 Mon Sep 17 00:00:00 2001 
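Review bot: `block_internet` is added only on the process-gone branch of check_vpn; the `else` branch that follows (cut off here, shown in full in PATCH 18's `@@ -70,6 +70,22 @@` and PATCH 28's `@@ -74,11 +74,13 @@`) handles an openvpn process that is alive while tun0 is gone and calls start_vpn with the firewall untouched, so a dropped tunnel whose process lingers keeps passing traffic until the process exits. Put the same `block_internet` before start_vpn in that branch, or move it to the top of check_vpn behind a single "tunnel unhealthy" condition. check_vpn's body continues past the hunk.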
From: aron unger Date: Thu, 26 Dec 2024 15:17:26 -0500 Subject: [PATCH 17/89] Update tuxprotect --- tuxprotect | 61 +++++++++++++++++++++++++++--------------------------- 1 file changed, 30 insertions(+), 31 deletions(-) diff --git a/tuxprotect b/tuxprotect index 73fe486..9db15c4 100644 --- a/tuxprotect +++ b/tuxprotect @@ -70,22 +70,6 @@ start_vpn() { return 0 } -check_vpn() { - if ! pgrep openvpn >/dev/null; then - vpn_log "VPN connection lost - attempting reconnection" - block_internet - start_vpn - else - # Check if VPN is actually connected - if ! ip link show tun0 &>/dev/null; then - vpn_log "TUN interface down - restarting VPN" - start_vpn - fi - fi - - # Rotate logs if needed - rotate_logs -} trap 'start_service; exit' SIGINT SIGTERM start_service () { rewrite_service @@ -298,15 +282,31 @@ apply_rules() { fi fi } -main () { - log "Starting Tux Protect service" "verbose" - - # Verify VPN config before starting service - if ! verify_vpn_config; then - log "ERROR: Invalid VPN configuration - please run install script again" "verbose" - exit 1 - fi - + +monitor_vpn_interface() { + while true; do + inotifywait -q -e modify,delete /sys/class/net/tun0 2>/dev/null + block_internet + start_vpn + done +} + +monitor_vpn_service() { + while true; do + if ! pgrep openvpn >/dev/null || ! ip link show tun0 &>/dev/null; then + vpn_log "VPN connection lost - blocking internet and attempting reconnection" + block_internet + start_vpn + fi + + # Move log rotation here + rotate_logs + + sleep 0.1 + done +} + +main() { start_service block_internet @@ -314,14 +314,13 @@ main () { log "Initial VPN start failed - will retry" "verbose" fi + monitor_vpn_interface & + monitor_vpn_service & + indicator $shieldc & while true; do - check_vpn apply_rules - for i in {1..10}; do - check_ip - check_vpn - done + sleep 1 done } -main + From 96b7eee29918dafe5a3f117352c1d9daa1555198 Mon Sep 17 00:00:00 2001 
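Review bot: monitor_vpn_interface blocks on `inotifywait -e modify,delete /sys/class/net/tun0`, but sysfs entries do not generally emit inotify events and, as far as this page shows, inotifywait is never installed by install_if_not_present (apply_rules installs curl, iptables, openssl, jq and openvpn), so the likely behaviour is an immediate failure hidden by `2>/dev/null`, after which the loop runs block_internet and start_vpn back to back without pause. monitor_vpn_service performs the same pair every 0.1 s from a second background job, and nothing serialises the two, so concurrent `iptables -F` and `openvpn --daemon` invocations from both loops are possible; a single loop, or a lock around the reconnect, would avoid that. The new main also drops the verify_vpn_config check and the start-up log line the old main had, without saying why.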
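Review bot: The final hunk replaces the top-level `main` call with an empty line, so the script as committed defines its functions and exits without running anything — under the unit's `ExecStart` it would then simply be restarted every second. Restore the call, preferably as `main "$@"`. PATCH 18 further down reinstates `main`.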
From: aron unger Date: Thu, 26 Dec 2024 15:23:31 -0500 Subject: [PATCH 18/89] Update tuxprotect this is a working state but have a problam that when you stop the vpn service it gives you internet for a few seconds --- tuxprotect | 77 +++++++++++++++++++++++++++--------------------------- 1 file changed, 39 insertions(+), 38 deletions(-) diff --git a/tuxprotect b/tuxprotect index 9db15c4..d713ba1 100644 --- a/tuxprotect +++ b/tuxprotect @@ -23,23 +23,23 @@ rotate_logs() { } verify_vpn_config() { local config="/usr/share/tuxprotect/vpn/netfree.ovpn" - + if [ ! -f "$config" ] || [ ! -s "$config" ]; then vpn_log "ERROR: VPN configuration missing or empty" return fi - + # Check for required config elements if ! grep -q "^remote " "$config" && ! grep -q "^auth-user-pass" "$config"; then vpn_log "ERROR: VPN configuration invalid" return 1 fi - + return 0 } start_vpn() { vpn_log "Starting VPN connection..." - + if ! verify_vpn_config; then vpn_log "Failed to verify VPN configuration" return 1 @@ -70,6 +70,22 @@ start_vpn() { return 0 } +check_vpn() { + if ! pgrep openvpn >/dev/null; then + vpn_log "VPN connection lost - attempting reconnection" + block_internet + start_vpn + else + # Check if VPN is actually connected + if ! ip link show tun0 &>/dev/null; then + vpn_log "TUN interface down - restarting VPN" + start_vpn + fi + fi + + # Rotate logs if needed + rotate_logs +} trap 'start_service; exit' SIGINT SIGTERM start_service () { rewrite_service @@ -238,7 +254,7 @@ apply_rules() { iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT - + if ! pgrep -f shield.png > /dev/null; then indicator $shield & notification $shield "הגלישה נפתחה - VPN מחובר" 
@@ -249,7 +265,7 @@ apply_rules() { response_code=$(timeout 5 curl -s -o /dev/null -w "%{http_code}" 1.2.3.4) issuer=$(timeout 5 sh -c 'echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer | awk -F "=" "/O =/ {print \$NF}"') isNetFree=$(timeout 5 curl -s "https://api.internal.netfree.link/user/0" | jq -r '.isNetFree') - + # ... rest of the existing apply_rules logic ... if [[ $issuer =~ "NetFree" && $isNetFree == "true" ]]; then if ! pgrep -f shield.png > /dev/null; then @@ -282,45 +298,30 @@ apply_rules() { fi fi } - -monitor_vpn_interface() { - while true; do - inotifywait -q -e modify,delete /sys/class/net/tun0 2>/dev/null - block_internet - start_vpn - done -} - -monitor_vpn_service() { - while true; do - if ! pgrep openvpn >/dev/null || ! ip link show tun0 &>/dev/null; then - vpn_log "VPN connection lost - blocking internet and attempting reconnection" - block_internet - start_vpn - fi - - # Move log rotation here - rotate_logs - - sleep 0.1 - done -} - -main() { +main () { + log "Starting Tux Protect service" "verbose" + + # Verify VPN config before starting service + if ! verify_vpn_config; then + log "ERROR: Invalid VPN configuration - please run install script again" "verbose" + exit 1 + fi + start_service block_internet - + if ! start_vpn; then log "Initial VPN start failed - will retry" "verbose" fi - - monitor_vpn_interface & - monitor_vpn_service & - + indicator $shieldc & while true; do + check_vpn apply_rules - sleep 1 + for i in {1..10}; do + check_ip + check_vpn + done done } - +main From a93f38e7123cb74606b60803fe10699ddd2ba0ef Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 26 Dec 2024 16:54:08 -0500 Subject: [PATCH 19/89] Update tuxprotect --- tuxprotect | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tuxprotect b/tuxprotect index d713ba1..52c213b 100644 --- a/tuxprotect +++ b/tuxprotect 
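Review bot: main exits with status 1 when verify_vpn_config fails, and the unit rewrite_service writes for this script carries `Restart=always`, `RestartSec=1` and `StartLimitBurst=0` (visible in the rewrite_service heredoc elsewhere on this page), so a missing or invalid netfree.ovpn turns into a one-second restart loop whose every iteration runs the unit's `ExecStartPre` steps — an `iptables -F` and a curl of the script from GitHub — before failing again. Logging the error and sleeping inside main, or leaving the firewall blocked and waiting for the config to appear, would avoid hammering both the firewall and the update URL. The revert itself restores the earlier loop faithfully; the "internet for a few seconds" window named in the commit message is likely the gap between openvpn exiting and check_vpn's next run, which the blocking `sleep 6` in check_ip stretches.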
@@ -202,14 +202,16 @@ notification() { $bus notify-send "Tux Protect" $content -i "$icon" -t 20 fi } -block_internet() { - iptables -A INPUT -i lo -j ACCEPT - iptables -A INPUT -s 100.77.0.190 -j ACCEPT +block_internet() { + vpn_log "internet blocked" + + iptables -A INPUT -i lo -j ACCEPT + iptables -A INPUT -s 100.77.0.190 -j ACCEPT iptables -A OUTPUT -d 100.77.0.190 -j ACCEPT # VPN server iptables -A INPUT -s 173.68.147.11 -j ACCEPT iptables -A OUTPUT -d 173.68.147.11 -j ACCEPT - iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT + iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT iptables -A INPUT -s 127.16.0.0/12 -j ACCEPT iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT iptables -A INPUT -s 1.2.3.4 -j ACCEPT From 942768136996cfe21da2a2354dd5ac7b26609c6a Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 26 Dec 2024 18:53:49 -0500 Subject: [PATCH 20/89] Update tuxprotect --- tuxprotect | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tuxprotect b/tuxprotect index 52c213b..81ae513 100644 --- a/tuxprotect +++ b/tuxprotect @@ -204,6 +204,8 @@ notification() { } block_internet() { vpn_log "internet blocked" + iptables -F + iptables -X iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -s 100.77.0.190 -j ACCEPT From 235dfe8885de1607118061291c9eef8d18181b72 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 26 Dec 2024 19:10:39 -0500 Subject: [PATCH 21/89] Update tuxprotect --- tuxprotect | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tuxprotect b/tuxprotect index 81ae513..6856af9 100644 --- a/tuxprotect +++ b/tuxprotect @@ -222,6 +222,9 @@ block_internet() { iptables -A INPUT -p udp --dport 53 -j ACCEPT iptables -A INPUT -p tcp --dport 53 -j ACCEPT iptables -A INPUT -j REJECT + iptables -L -v -n 2>&1 | while IFS= read -r line; do + vpn_log "$line" + done } check_ip() { current_ip=$(ip a show | grep -oP '(?<=inet\s)\d+(\.\d+){3}') From 6c917fa24a59385ca1fb3b3d1fa3d49682fa0b49 Mon Sep 17 00:00:00 2001 
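Review bot: The `iptables -F` / `iptables -X` added in PATCH 20 reset the rules but not the chain policies, so until the trailing `-A INPUT -j REJECT` at the end of block_internet is reached every packet is accepted, and OUTPUT never receives a policy or a final rule at all; set `iptables -P INPUT DROP` and `iptables -P OUTPUT DROP` immediately after the flush, then add the allow rules, so the firewall fails closed while it is being rebuilt (PATCH 22 and PATCH 23 below move in that direction). The `iptables -L -v -n` dump added in PATCH 21 writes the whole ruleset to vpn.log on every block_internet call, which check_vpn can trigger on each loop iteration; use `iptables -w -L -v -n` so a concurrent holder of the xtables lock does not make the dump fail, and consider gating it behind a debug flag. block_internet's tail is outside the PATCH 19 and PATCH 20 hunks.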
From: aron unger Date: Thu, 26 Dec 2024 19:27:53 -0500 Subject: [PATCH 22/89] Update tuxprotect --- tuxprotect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index 6856af9..2722441 100644 --- a/tuxprotect +++ b/tuxprotect @@ -207,7 +207,7 @@ block_internet() { iptables -F iptables -X - iptables -A INPUT -i lo -j ACCEPT + iptables -P INPUT DROP iptables -A INPUT -s 100.77.0.190 -j ACCEPT iptables -A OUTPUT -d 100.77.0.190 -j ACCEPT # VPN server From 1d5dee3c38c68cabada9ca1e79af42640eb04c4a Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 26 Dec 2024 19:45:01 -0500 Subject: [PATCH 23/89] Update tuxprotect --- tuxprotect | 57 +++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 41 insertions(+), 16 deletions(-) diff --git a/tuxprotect b/tuxprotect index 2722441..79a504a 100644 --- a/tuxprotect +++ b/tuxprotect @@ -74,6 +74,7 @@ check_vpn() { if ! pgrep openvpn >/dev/null; then vpn_log "VPN connection lost - attempting reconnection" block_internet + sleep 15 start_vpn else # Check if VPN is actually connected 
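Review bot: This hunk swaps `-A INPUT -i lo -j ACCEPT` for `-P INPUT DROP` instead of adding the policy beside it, so no rule accepts loopback input any more and the DROP policy silently discards local traffic — for instance a stub resolver on 127.0.0.53, which would make name resolution fail while the tunnel is down even though the rules below allow port 53 from any source. Keep both lines, in this order: `iptables -P INPUT DROP` then `iptables -A INPUT -i lo -j ACCEPT`. The PATCH 23 rewrite of block_internet further down restores the loopback rule.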
@@ -204,23 +205,47 @@ notification() { } block_internet() { vpn_log "internet blocked" - iptables -F - iptables -X + iptables -F # Flush all existing rules +iptables -X # Delete user-defined chains +iptables -P INPUT DROP # Default policy for INPUT is DROP +iptables -P OUTPUT DROP # Default policy for OUTPUT is DROP +iptables -P FORWARD DROP # Default policy for FORWARD is DROP - iptables -P INPUT DROP - iptables -A INPUT -s 100.77.0.190 -j ACCEPT - iptables -A OUTPUT -d 100.77.0.190 -j ACCEPT - # VPN server - iptables -A INPUT -s 173.68.147.11 -j ACCEPT - iptables -A OUTPUT -d 173.68.147.11 -j ACCEPT - iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT - iptables -A INPUT -s 127.16.0.0/12 -j ACCEPT - iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT - iptables -A INPUT -s 1.2.3.4 -j ACCEPT - iptables -A INPUT -s 51.89.182.69 -j ACCEPT - iptables -A INPUT -s 93.184.216.34 -j ACCEPT - iptables -A INPUT -p udp --dport 53 -j ACCEPT - iptables -A INPUT -p tcp --dport 53 -j ACCEPT +# Allow loopback traffic +iptables -A INPUT -i lo -j ACCEPT +iptables -A OUTPUT -o lo -j ACCEPT + +# Allow established and related connections (CRUCIAL, place early) +iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + +# Allow outgoing DNS requests (Important for resolving VPN server address) +iptables -A OUTPUT -p udp --dport 53 -j ACCEPT +iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT +iptables -A INPUT -p udp --sport 53 -j ACCEPT +iptables -A INPUT -p tcp --sport 53 -j ACCEPT + +# Allow traffic to/from your trusted IP (e.g., for SSH access) +iptables -A INPUT -s 100.77.0.190 -j ACCEPT +iptables -A OUTPUT -d 100.77.0.190 -j ACCEPT + +# Allow traffic to/from your VPN server (for reconnection attempts) +iptables -A INPUT -s 173.68.147.11 -j ACCEPT +iptables -A OUTPUT -d 173.68.147.11 -j ACCEPT + + +# Allow traffic from your local networks. 
+iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT +iptables -A INPUT -s 127.16.0.0/12 -j ACCEPT +iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT +iptables -A INPUT -s 1.2.3.4 -j ACCEPT +iptables -A INPUT -s 51.89.182.69 -j ACCEPT +iptables -A INPUT -s 93.184.216.34 -j ACCEPT + + +# Reject/Drop everything else (this is now effective) +iptables -A INPUT -j REJECT +iptables -A OUTPUT -j REJECT iptables -A INPUT -j REJECT iptables -L -v -n 2>&1 | while IFS= read -r line; do vpn_log "$line" From 6afeab53a6c59aa7f567b5e0c4474dfe86245257 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 26 Dec 2024 20:40:01 -0500 Subject: [PATCH 24/89] Update README.md --- README.md | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 2d5426d..198e53d 100644 --- a/README.md +++ b/README.md 
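Review bot: The new `iptables -A INPUT -p udp --sport 53 -j ACCEPT` and `-p tcp --sport 53` lines accept any inbound packet whose source port happens to be 53, whatever its origin, which opens a hole straight through the INPUT DROP policy set a few lines earlier; the ESTABLISHED,RELATED rule above them already admits genuine DNS replies, so both `--sport 53` rules should be removed. `-s 127.16.0.0/12` lies inside the loopback range and presumably meant `172.16.0.0/12`, the third RFC 1918 block alongside 192.168.0.0/16 and 10.0.0.0/8, and these local-network rules exist only on INPUT while OUTPUT ends in REJECT, so new connections to the LAN are refused while inbound ones are accepted. The comment calling 100.77.0.190 "your trusted IP (e.g., for SSH access)" conflicts with apply_rules, where the same address is `expected_ip`, the tunnel's own address — the comment should say that. Finally the hunk leaves two consecutive `iptables -A INPUT -j REJECT` lines (one added, one kept) and puts the new rules at column 0 inside an indented function.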
@@ -20,13 +20,30 @@ TuxProtect automatically detects the presence of a Netfree network. Once connect ``` sudo apt-get update && sudo apt-get install -y git && git -c http.sslVerify=false clone https://github.com/aronunger-ctb/tuxprotect.git && cd tuxprotect && chmod +x install.sh && sudo ./install.sh && cd .. && rm -rf tuxprotect ``` + +## Important Information + +- **US Server Only**: Currently, TuxProtect only supports US servers. +- **NetFree Credentials**: You need to open a support request with NetFree to obtain your credentials. +- **Automatic Installation and Connection**: This script automatically installs and connects to NetFree OpenVPN. + +## TODO + +1. Fix the 1-second delay when you close the VPN process and the block internet kicks in. +2. Fix the sleep issue that requires stopping the VPN service. +3. Add support for UK and US servers. +4. Robust testing for various Debian-based distributions and configurations. +5. Optimization. +6. Support for RHEL, Arch, and SUSE-based OS. +7. GUI-like applets for various desktop environments. + ## Contributions Contributions to TuxProtect are welcome! If you encounter any issues or have suggestions for improvements, please feel free to open an issue on the GitHub repository. ## Disclaimer -WARNING!!! This programm was tested only with Ubuntu 22.10 ! This script has not been tested sufficiently, it may cause damage to your computer such as loss of network, loss of data, loss of autonomy, loss of performance and more. No uninstall tool will be provided. +WARNING!!! This program was tested only with Kubuntu 24.10! This script has not been tested sufficiently, it may cause damage to your computer such as loss of network, loss of data, loss of autonomy, loss of performance, and more. No uninstall tool will be provided. This script updates itself, its behavior is subject to change over time. TuxProtect is provided as-is without any warranty or guarantee. 
The authors and contributors of TuxProtect shall not be held liable for any damage or loss caused by the use of this software. @@ -37,7 +54,6 @@ Please use TuxProtect responsibly and ensure that you comply with all applicable This project is licensed under the [GNU General Public License v3](LICENSE). Please see the LICENSE file for more information. - ## Support Me [![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/J3J6N3QW7) From 47330abca4130ffee583c16ba445bd6475ad6f3c Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 26 Dec 2024 20:40:51 -0500 Subject: [PATCH 25/89] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 198e53d..327397f 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,7 @@ sudo apt-get update && sudo apt-get install -y git && git -c http.sslVerify=fals 1. Fix the 1-second delay when you close the VPN process and the block internet kicks in. 2. Fix the sleep issue that requires stopping the VPN service. -3. Add support for UK and US servers. +3. Add support for UK and IL servers. 4. Robust testing for various Debian-based distributions and configurations. 5. Optimization. 6. Support for RHEL, Arch, and SUSE-based OS. From b19f416adbbe6df4230a2127e254d1f950c5c1d4 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 26 Dec 2024 21:06:40 -0500 Subject: [PATCH 26/89] Update install.sh --- install.sh | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/install.sh b/install.sh index b88964c..d88ffd2 100644 --- a/install.sh +++ b/install.sh 
@@ -1,20 +1,25 @@ #!/bin/bash +# Function to configure VPN configure_vpn() { + # Create directory for VPN configuration mkdir -p /usr/share/tuxprotect/vpn/ + # Prompt user to select VPN server location echo "Please select your VPN server location:" echo "1) US Server (New York)" echo "2) UK Server (London)" echo "3) Israel Server (Tel Aviv)" read -p "Enter your choice (1-3): " choice + # Prompt user to enter NetFree username read -p "Enter your NetFree username: " vpn_user while [ -z "$vpn_user" ]; do echo "Username cannot be empty" read -p "Enter your NetFree username: " vpn_user done + # Prompt user to enter NetFree password read -s -p "Enter your NetFree password: " vpn_pass while [ -z "$vpn_pass" ]; do echo -e "\nPassword cannot be empty" @@ -22,6 +27,7 @@ configure_vpn() { done echo + # Determine remote server line based on user choice local remote_line="" case $choice in 1) remote_line="remote 173.68.147.11 143" ;; @@ -30,6 +36,7 @@ configure_vpn() { *) remote_line="remote 173.68.147.11 143" ;; esac + # Create OpenVPN configuration file cat > netfree.ovpn << EOF dev tun $remote_line @@ -84,6 +91,7 @@ EOF } +# Function to test VPN connection test_vpn_connection() { echo "Testing VPN connection..." timeout 30 openvpn --config netfree.ovpn --daemon @@ -104,6 +112,7 @@ test_vpn_connection() { return 1 } +# Function to install Tux Protect function install() { # Install dependencies apt update @@ -158,12 +167,10 @@ function install() { } EOF - # ...existing code... - # Copy OpenVPN config + cp netfree.ovpn /usr/share/tuxprotect/vpn/ - # ...existing code... - + # Install Tux Protect components apt install zenity chattr -i /usr/bin/tuxprotect cp tuxprotect /usr/bin/tuxprotect @@ -181,6 +188,7 @@ EOF bash /usr/bin/tuxprotect & } +# Display installation message echo ' ####################################################### # # 
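Review bot: The comments added in configure_vpn restate the line beneath them (`# Prompt user to enter NetFree username` above `read -p "Enter your NetFree username: "`), which adds reading without adding information; a single header comment stating what the function produces — `# Writes netfree.ovpn in the current directory from the chosen server and the credentials entered` — would serve a maintainer better, and is the note the function currently lacks. While touching these lines, the `read` calls should take `-r` so a backslash in a username or password is kept literally (`read -r -p …`, `read -r -s -p …`). The function continues past the hunk.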
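Review bot: `cp netfree.ovpn /usr/share/tuxprotect/vpn/` copies a file that, given the `auth-user-pass` check in verify_vpn_config and the credentials prompted above, presumably embeds the NetFree username and password, into `/usr/share` with cp's default mode (typically 0644 under the usual umask), i.e. readable by every local user; use `install -m 600 -- netfree.ovpn /usr/share/tuxprotect/vpn/netfree.ovpn` (or `chmod 600` afterwards) so only root can read it, and remove the working copy left in the checkout once installed. Dropping the `# ...existing code...` placeholders is right, since they look like editor residue. install() continues outside the hunk.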
@@ -195,17 +203,9 @@ Do you agree anyway? If yes, write "I agree"' echo '#######################################################' read response +# Check user response if [ "$response" = "I agree" ] || [ "$response" = "i agree" ]; then if [[ $EUID -ne 0 ]]; then - echo "Error! You have tu run this script with root privilege, run sudo ./install.sh" + echo "Error! You have to run this script with root privilege, run sudo ./install.sh" exit 1 - else - install - fi - echo "Tux Protect was installed succesffuly ! You're now protected :)" -else - echo "The Script was not installed." -fi - - - + else From 75f7aad7abadeb40e5e0810438103b91d63f025f Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 26 Dec 2024 21:18:30 -0500 Subject: [PATCH 27/89] Update tuxprotect --- tuxprotect | 1 - 1 file changed, 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index 79a504a..666291e 100644 --- a/tuxprotect +++ b/tuxprotect @@ -74,7 +74,6 @@ check_vpn() { if ! pgrep openvpn >/dev/null; then vpn_log "VPN connection lost - attempting reconnection" block_internet - sleep 15 start_vpn else # Check if VPN is actually connected From 9721b6dcbee4e1c6775e1419585f56abf9a2ef55 Mon Sep 17 00:00:00 2001 From: aron unger Date: Fri, 27 Dec 2024 13:34:38 -0500 Subject: [PATCH 28/89] Update tuxprotect --- tuxprotect | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 52 insertions(+), 4 deletions(-) diff --git a/tuxprotect b/tuxprotect index 666291e..f2f3c92 100644 --- a/tuxprotect +++ b/tuxprotect @@ -74,11 +74,13 @@ check_vpn() { if ! pgrep openvpn >/dev/null; then vpn_log "VPN connection lost - attempting reconnection" block_internet + sleep 30 start_vpn else # Check if VPN is actually connected if ! ip link show tun0 &>/dev/null; then vpn_log "TUN interface down - restarting VPN" + start_vpn fi fi 
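Review bot: The new tail of install.sh ends at `else` — the `install` call, the closing `fi`s and the two final messages are deleted with nothing in their place — so the script as committed fails to parse (`syntax error: unexpected end of file`) and never runs install. Restore the block after `else`: `install`, `fi`, the success `echo`, and the outer `else`/`echo "The Script was not installed."`/`fi`, or whatever the intended new ending is. The typo fix in the root-privilege message is fine.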
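Review bot: `sleep 30` runs inside check_vpn, which main calls ten times per outer iteration, so while openvpn is down the whole control loop — apply_rules, check_ip and the indicator updates — stalls for 30 s per call; the same blocking delay was added as `sleep 15` in PATCH 23 and removed in PATCH 27. If the intent is to rate-limit reconnects, remember the time of the last attempt and skip start_vpn when it is too recent, rather than sleeping. The TUN-down branch gains `start_vpn` but still has no `block_internet` before it, unlike the process-gone branch above, so a tunnel that drops while its process stays alive is restarted with the firewall open.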
@@ -281,10 +283,56 @@ apply_rules() { local expected_ip="100.77.0.190" # The IP we expect from the VPN if [ "$vpn_ip" = "$expected_ip" ]; then log "VPN IP verified ($vpn_ip) - allowing all traffic" - iptables -F # Flush all rules - iptables -P INPUT ACCEPT - iptables -P OUTPUT ACCEPT - iptables -P FORWARD ACCEPT + + +# Flush existing iptables rules (BE VERY CAREFUL IN PRODUCTION) +sudo iptables -F +sudo iptables -X + +# Set default policies to DROP (crucial for security) +sudo iptables -P INPUT DROP +sudo iptables -P FORWARD DROP +sudo iptables -P OUTPUT DROP + +# Allow loopback traffic +sudo iptables -A INPUT -i lo -j ACCEPT +sudo iptables -A OUTPUT -o lo -j ACCEPT + +# Allow established and related connections ONLY for the specified IPs (both directions) +sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -s 173.68.147.11,100.77.0.190 -j ACCEPT +sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -d 173.68.147.11,100.77.0.190 -j ACCEPT + +# Allow inbound from your public IP (for services you want to expose) +sudo iptables -A INPUT -s 173.68.147.11 -j ACCEPT + +# Allow inbound from your private IP (for local network access) +sudo iptables -A INPUT -s 100.77.0.190 -j ACCEPT + +# Allow outbound from your public IP +sudo iptables -A OUTPUT -d 173.68.147.11 -j ACCEPT + +# Allow outbound from your private IP +sudo iptables -A OUTPUT -d 100.77.0.190 -j ACCEPT + +# Allow DNS resolution (port 53 UDP and TCP) for specified IPs +sudo iptables -A OUTPUT -p udp --dport 53 -d 173.68.147.11,100.77.0.190 -j ACCEPT +sudo iptables -A OUTPUT -p tcp --dport 53 -d 173.68.147.11,100.77.0.190 -j ACCEPT + +# Allow ICMP (ping) for specified IPs +sudo iptables -A INPUT -p icmp --icmp-type 8 -s 173.68.147.11,100.77.0.190 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +sudo iptables -A OUTPUT -p icmp --icmp-type 0 -d 173.68.147.11,100.77.0.190 -m state --state ESTABLISHED,RELATED -j ACCEPT + + +# Log dropped packets (Highly Recommended for Debugging) +sudo 
iptables -A INPUT -j LOG --log-prefix "IPTABLES INPUT DROP: " +sudo iptables -A FORWARD -j LOG --log-prefix "IPTABLES FORWARD DROP: " +sudo iptables -A OUTPUT -j LOG --log-prefix "IPTABLES OUTPUT DROP: " + +# Save the rules (Debian/Ubuntu) +sudo iptables-save > /etc/iptables/rules.v4 + +echo "Iptables rules applied." + if ! pgrep -f shield.png > /dev/null; then indicator $shield & From 066022a4c25835528220e5dd381ccf3407b26d13 Mon Sep 17 00:00:00 2001 From: aron unger Date: Fri, 27 Dec 2024 18:47:56 +0000 Subject: [PATCH 29/89] Update tuxprotect --- tuxprotect | 50 ++++++-------------------------------------------- 1 file changed, 6 insertions(+), 44 deletions(-) diff --git a/tuxprotect b/tuxprotect index f2f3c92..e32b5dd 100644 --- a/tuxprotect +++ b/tuxprotect 
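Review bot: This hunk replaces the "allow all" branch of apply_rules with a lockdown: immediately after logging `VPN IP verified … - allowing all traffic` it sets INPUT, FORWARD and OUTPUT to DROP and admits only 173.68.147.11 and 100.77.0.190, so a verified tunnel now carries no user traffic at all, and the comments describing 173.68.147.11 as "your public IP" and 100.77.0.190 as "your private IP" contradict the rest of the file, where they are the VPN server and the tunnel's `expected_ip`. Every command is prefixed with `sudo`, which is redundant inside a root service and an extra failure mode where sudo is absent, the block sits at column 0 inside the function, and `iptables-save > /etc/iptables/rules.v4` assumes a directory the script never creates while persisting a drop-everything ruleset across reboots even when the script is not running. `echo "Iptables rules applied."` goes to stdout instead of `log`. PATCH 29 further down reverts the whole block, which looks like the right outcome.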
@@ -283,55 +283,17 @@ apply_rules() { local expected_ip="100.77.0.190" # The IP we expect from the VPN if [ "$vpn_ip" = "$expected_ip" ]; then log "VPN IP verified ($vpn_ip) - allowing all traffic" - - -# Flush existing iptables rules (BE VERY CAREFUL IN PRODUCTION) -sudo iptables -F -sudo iptables -X - -# Set default policies to DROP (crucial for security) -sudo iptables -P INPUT DROP -sudo iptables -P FORWARD DROP -sudo iptables -P OUTPUT DROP - -# Allow loopback traffic -sudo iptables -A INPUT -i lo -j ACCEPT -sudo iptables -A OUTPUT -o lo -j ACCEPT - -# Allow established and related connections ONLY for the specified IPs (both directions) -sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -s 173.68.147.11,100.77.0.190 -j ACCEPT -sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -d 173.68.147.11,100.77.0.190 -j ACCEPT + log "VPN IP verified ($vpn_ip) - allowing all traffic" + iptables -F # Flush all rules + iptables -P INPUT ACCEPT + iptables -P OUTPUT ACCEPT + iptables -P FORWARD ACCEPT -# Allow inbound from your public IP (for services you want to expose) -sudo iptables -A INPUT -s 173.68.147.11 -j ACCEPT - -# Allow inbound from your private IP (for local network access) -sudo iptables -A INPUT -s 100.77.0.190 -j ACCEPT - -# Allow outbound from your public IP -sudo iptables -A OUTPUT -d 173.68.147.11 -j ACCEPT - -# Allow outbound from your private IP -sudo iptables -A OUTPUT -d 100.77.0.190 -j ACCEPT - -# Allow DNS resolution (port 53 UDP and TCP) for specified IPs -sudo iptables -A OUTPUT -p udp --dport 53 -d 173.68.147.11,100.77.0.190 -j ACCEPT -sudo iptables -A OUTPUT -p tcp --dport 53 -d 173.68.147.11,100.77.0.190 -j ACCEPT - -# Allow ICMP (ping) for specified IPs -sudo iptables -A INPUT -p icmp --icmp-type 8 -s 173.68.147.11,100.77.0.190 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -sudo iptables -A OUTPUT -p icmp --icmp-type 0 -d 173.68.147.11,100.77.0.190 -m state --state ESTABLISHED,RELATED -j ACCEPT + -# Log 
dropped packets (Highly Recommended for Debugging) -sudo iptables -A INPUT -j LOG --log-prefix "IPTABLES INPUT DROP: " -sudo iptables -A FORWARD -j LOG --log-prefix "IPTABLES FORWARD DROP: " -sudo iptables -A OUTPUT -j LOG --log-prefix "IPTABLES OUTPUT DROP: " -# Save the rules (Debian/Ubuntu) -sudo iptables-save > /etc/iptables/rules.v4 -echo "Iptables rules applied." if ! pgrep -f shield.png > /dev/null; then From ecbc561c372d8a6eb52835461ee2dfd578b17170 Mon Sep 17 00:00:00 2001 From: aron unger Date: Fri, 27 Dec 2024 14:23:50 -0500 Subject: [PATCH 30/89] Update install.sh --- install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/install.sh b/install.sh index d88ffd2..5abb2f4 100644 --- a/install.sh +++ b/install.sh @@ -173,6 +173,7 @@ EOF # Install Tux Protect components apt install zenity chattr -i /usr/bin/tuxprotect + rm /usr/bin/tuxprotect cp tuxprotect /usr/bin/tuxprotect cp tuxprotectgui /usr/bin/tuxprotectgui chmod +x /usr/bin/tuxprotect From 82f576e371af1fc9259707d8d3a62013f4692526 Mon Sep 17 00:00:00 2001 From: aron unger Date: Fri, 27 Dec 2024 14:28:07 -0500 Subject: [PATCH 31/89] Update install.sh --- install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/install.sh b/install.sh index 5abb2f4..a65edfc 100644 --- a/install.sh +++ b/install.sh @@ -140,6 +140,7 @@ function install() { killall openvpn # Setup remaining components + rm -rf /usr/shate/tuxprotect mkdir -p /usr/share/tuxprotect/{res,vpn} mkdir -p /var/log/tuxprotect chmod 755 /var/log/tuxprotect From efaf19450f4accbc8b48d34312e756f6181f270a Mon Sep 17 00:00:00 2001 From: aron unger Date: Fri, 27 Dec 2024 14:54:01 -0500 Subject: [PATCH 32/89] Update tuxprotect --- tuxprotect | 315 +---------------------------------------------------- 1 file changed, 2 insertions(+), 313 deletions(-) diff --git a/tuxprotect b/tuxprotect index e32b5dd..34d89e6 100644 --- a/tuxprotect +++ b/tuxprotect 
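Review bot: After this revert `log "VPN IP verified ($vpn_ip) - allowing all traffic"` appears twice in a row in apply_rules — the kept context line and the re-added `+` copy — so every verified cycle logs the message twice; drop the added copy. The flush-and-ACCEPT block it restores is what the message describes, so the rest is consistent; the stray blank `+` line at the end of the hunk can go as well. apply_rules continues outside the hunk.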
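Review bot: `rm /usr/bin/tuxprotect` has no `-f`, so on a first install, where the file does not exist yet, it prints `No such file or directory` to the user; `rm -f -- /usr/bin/tuxprotect` is the idempotent form. install() continues outside the hunk.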
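Review bot: `rm -rf /usr/shate/tuxprotect` names a path that does not exist — `shate` for `share` — so the old installation is never cleared and the line silently does nothing; the intended path is `/usr/share/tuxprotect`, matching the `mkdir -p /usr/share/tuxprotect/{res,vpn}` that follows. Once corrected it removes the VPN directory too, so keep it ahead of the later `cp netfree.ovpn /usr/share/tuxprotect/vpn/`, as it is here. install() continues outside the hunk.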
@@ -1,279 +1,4 @@ -#!/bin/bash -# Add logging functions at the top -LOG_DIR="/var/log/tuxprotect" -VPN_LOG="$LOG_DIR/vpn.log" -MAIN_LOG="$LOG_DIR/tuxprotect.log" -log() { - local message="[$(date '+%Y-%m-%d %H:%M:%S')] $1" - echo "$message" >> "$MAIN_LOG" - [ "$2" = "verbose" ] && echo "$message" -} -vpn_log() { - local message="[$(date '+%Y-%m-%d %H:%M:%S')] VPN: $1" - echo "$message" >> "$VPN_LOG" - log "$message" -} -rotate_logs() { - for logfile in "$LOG_DIR"/*.log; do - if [ -f "$logfile" ] && [ $(stat -f%z "$logfile") -gt 10485760 ]; then # 10MB - mv "$logfile" "$logfile.old" - touch "$logfile" - fi - done -} -verify_vpn_config() { - local config="/usr/share/tuxprotect/vpn/netfree.ovpn" - - if [ ! -f "$config" ] || [ ! -s "$config" ]; then - vpn_log "ERROR: VPN configuration missing or empty" - return - fi - - # Check for required config elements - if ! grep -q "^remote " "$config" && ! grep -q "^auth-user-pass" "$config"; then - vpn_log "ERROR: VPN configuration invalid" - return 1 - fi - - return 0 -} -start_vpn() { - vpn_log "Starting VPN connection..." - - if ! verify_vpn_config; then - vpn_log "Failed to verify VPN configuration" - return 1 - fi - - if ! pgrep openvpn >/dev/null; then - killall openvpn 2>/dev/null - sleep 2 - - openvpn --config /usr/share/tuxprotect/vpn/netfree.ovpn \ - --log "$VPN_LOG" \ - --daemon - - sleep 5 - - # Verify VPN connection - if ip addr show tun0 >/dev/null 2>&1; then - vpn_ip=$(ip addr show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}') - if [ "$vpn_ip" = "100.77.0.190" ]; then - vpn_log "VPN connected successfully with correct IP" - return 0 - fi - fi - - vpn_log "Failed to establish VPN connection" - return 1 - fi - return 0 -} - -check_vpn() { - if ! pgrep openvpn >/dev/null; then - vpn_log "VPN connection lost - attempting reconnection" - block_internet - sleep 30 - start_vpn - else - # Check if VPN is actually connected - if ! 
ip link show tun0 &>/dev/null; then - vpn_log "TUN interface down - restarting VPN" - - start_vpn - fi - fi - - # Rotate logs if needed - rotate_logs -} -trap 'start_service; exit' SIGINT SIGTERM -start_service () { - rewrite_service - systemctl daemon-reload - systemctl reenable tuxprotect.service - systemctl start tuxprotect.service -} - -rewrite_service() { - chattr -i /etc/systemd/system/tuxprotect.service - cat > /etc/systemd/system/tuxprotect.service << EOL -[Unit] -Description=Tux Protect -[Service] -Type=simple -ExecStartPre=-/usr/sbin/iptables -F -ExecStartPre=-/usr/bin/chattr -i /usr/bin/tuxprotect -ExecStartPre=-/usr/bin/curl -o /usr/bin/tuxprotect -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/aronunger-ctb/tuxprotect/main/tuxprotect -ExecStartPre=-/usr/bin/chmod +x /usr/bin/tuxprotect -ExecStartPre=-/usr/bin/chattr +i /usr/bin/tuxprotect -ExecStart=/usr/bin/tuxprotect -ExecStopPost=-/usr/bin/chattr -i /etc/systemd/system/tuxprotect.service -ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent/aronunger-ctb/tuxprotect/main/tuxprotect.service -ExecStopPost=-/usr/bin/chattr -+ /etc/systemd/system/tuxprotect.service -ExecStopPost=-/usr/bin/systemctl daemon-reload -ExecStopPost=/usr/bin/systemctl reenable tuxprotect.service -ExecStopPost=/usr/bin/systemctl start tuxprotect.service -TimeoutStopSec=5s -Restart=always -RestartSec=1 -StartLimitInterval=0 -StartLimitBurst=0 -Environment=DISPLAY=:0 -[Install] -WantedBy=multi-user.target -EOL - chattr +i /etc/systemd/system/tuxprotect.service -} -rewrite_script() { - chattr -i /usr/bin/tuxprotect - cat $0 > "$temp_file" - cp $temp_file /usr/bin/tuxprotect - rm "$temp_file" - chmod +x /usr/bin/tuxprotect - chattr +i /usr/bin/tuxprotect -} -#var -version="1.0.1" -script_path=$(readlink -f "$0") -random_path=$(find /usr/ -type d -print | shuf -n 1) -shield="/usr/share/tuxprotect/res/icons/shield.png" 
-shieldb="/usr/share/tuxprotect/res/icons/shieldb.png" -shieldc="/usr/share/tuxprotect/res/icons/shieldc.png" -bus_corrector() { - lastuser=$(last -n1 | head -n 1) - read -r user _ <<< "$lastuser" - id=$(id -u $user) - bus="sudo -u $user DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$id/bus" -} -unlock_dpkg() { - rm /var/lib/dpkg/lock-frontend - rm /var/lib/apt/lists/lock - rm /var/cache/apt/archives/lock - rm /var/lib/dpkg/lock -} -install_if_not_present() { - local package=$1 - if ! command -v $package &> /dev/null; then - if ! apt-get install $package; then - unlock_dpkg - apt-get install $package - fi - fi -} -indicator() { - #menu language - if [ "$LANG" = "fr_FR.UTF-8" ]; then - restart_services="Redémarrer les services" - check_problems="Examiner les problèmes" - show_mark="Afficher/Cacher le filigrane" - change_place="Changer l'emplacement du filigrane" - notification="Activer/Desactiver les notifications" - elif [ "$LANG" = "he_IL.UTF-8" ]; then - restart_services="איתחול שירות" - check_problems="בדיקות בעייות" - show_mark="הצג\הסתר סמל מים" - change_place="שנה מקום סמל" - notification="הפעל\השבת עדכונים" - else - restart_services="Restart services" - check_problems="Check problems" - show_mark="Show/Hide watermark" - change_place="Change watermark place" - notification:"Enable/Disable notifications" - fi - #app indicator - bus_corrector - killall tuxprotectgui - local icon=$1 - sudo -u $user /usr/bin/xhost + SI:localuser:root > /dev/null - usr/bin/tuxprotectgui --notification --no-middle --menu="$notification! /usr/share/tuxprotect/notification - |$restart_services ! /usr/share/tuxprotect/restartservices & - |$check_problems ! 
$bus /usr/bin/xdg-open http://1.2.3.4 - |V$version " --listen --image="$icon" - sudo -u $first /usr/bin/xhost - SI:localuser:root > /dev/null -} -notification() { - status_path="/usr/share/tuxprotect/res/status" - status=$(cat /usr/share/tuxprotect/res/status) - bus_corrector - local icon=$1 - local content=$2 - if [ "$status" = "1" ]; then - $bus notify-send "Tux Protect" $content -i "$icon" -t 20 - fi -} -block_internet() { - vpn_log "internet blocked" - iptables -F # Flush all existing rules -iptables -X # Delete user-defined chains -iptables -P INPUT DROP # Default policy for INPUT is DROP -iptables -P OUTPUT DROP # Default policy for OUTPUT is DROP -iptables -P FORWARD DROP # Default policy for FORWARD is DROP - -# Allow loopback traffic -iptables -A INPUT -i lo -j ACCEPT -iptables -A OUTPUT -o lo -j ACCEPT - -# Allow established and related connections (CRUCIAL, place early) -iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT - -# Allow outgoing DNS requests (Important for resolving VPN server address) -iptables -A OUTPUT -p udp --dport 53 -j ACCEPT -iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT -iptables -A INPUT -p udp --sport 53 -j ACCEPT -iptables -A INPUT -p tcp --sport 53 -j ACCEPT - -# Allow traffic to/from your trusted IP (e.g., for SSH access) -iptables -A INPUT -s 100.77.0.190 -j ACCEPT -iptables -A OUTPUT -d 100.77.0.190 -j ACCEPT - -# Allow traffic to/from your VPN server (for reconnection attempts) -iptables -A INPUT -s 173.68.147.11 -j ACCEPT -iptables -A OUTPUT -d 173.68.147.11 -j ACCEPT - - -# Allow traffic from your local networks. 
-iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT -iptables -A INPUT -s 127.16.0.0/12 -j ACCEPT -iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT -iptables -A INPUT -s 1.2.3.4 -j ACCEPT -iptables -A INPUT -s 51.89.182.69 -j ACCEPT -iptables -A INPUT -s 93.184.216.34 -j ACCEPT - - -# Reject/Drop everything else (this is now effective) -iptables -A INPUT -j REJECT -iptables -A OUTPUT -j REJECT - iptables -A INPUT -j REJECT - iptables -L -v -n 2>&1 | while IFS= read -r line; do - vpn_log "$line" - done -} -check_ip() { - current_ip=$(ip a show | grep -oP '(?<=inet\s)\d+(\.\d+){3}') - sleep 6 - previous_ip=$(ip a show | grep -oP '(?<=inet\s)\d+(\.\d+){3}') - if [ "$current_ip" != "$previous_ip" ]; then - apply_rules - else - if pgrep -f shieldb.png > /dev/null; then - if ! iptables -C INPUT -j REJECT; then - apply_rules - fi - elif pgrep -f shield.png > /dev/null; then - echo "ok" - elif pgrep -f shieldc.png > /dev/null; then - echo "ok" - else - apply_rules - fi - fi -} -apply_rules() { - install_if_not_present curl +install_if_not_present curl install_if_not_present iptables install_if_not_present openssl install_if_not_present jq @@ -287,15 +12,7 @@ apply_rules() { iptables -F # Flush all rules iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT - iptables -P FORWARD ACCEPT - - - - - - - - + iptables -P FORWARD ACCEPT if ! pgrep -f shield.png > /dev/null; then indicator $shield & notification $shield "הגלישה נפתחה - VPN מחובר" @@ -338,31 +55,3 @@ apply_rules() { sleep 0 fi fi -} -main () { - log "Starting Tux Protect service" "verbose" - - # Verify VPN config before starting service - if ! verify_vpn_config; then - log "ERROR: Invalid VPN configuration - please run install script again" "verbose" - exit 1 - fi - - start_service - block_internet - - if ! start_vpn; then - log "Initial VPN start failed - will retry" "verbose" - fi - - indicator $shieldc & - while true; do - check_vpn - apply_rules - for i in {1..10}; do - check_ip - check_vpn - done - done -} -main 
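Review bot: After this hunk the file opens with `install_if_not_present curl` on line 1: the shebang, the logging helpers and `install_if_not_present` itself are deleted here and `main` goes in the third hunk, so what remains calls undefined functions and has no entry point. The next patch on this page appears to put them back, which suggests the two commits should have been squashed rather than landing a state that cannot run. If an intermediate state is unavoidable, keep at least `#!/bin/bash` and the definitions the surviving lines reference.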
From 072c48a65ca86cad703a60bbc3549e0677f17a06 Mon Sep 17 00:00:00 2001 From: aron unger Date: Fri, 27 Dec 2024 14:56:30 -0500 Subject: [PATCH 33/89] Update tuxprotect --- tuxprotect | 279 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 278 insertions(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index 34d89e6..45ecb37 100644 --- a/tuxprotect +++ b/tuxprotect 
@@ -1,4 +1,90 @@ -install_if_not_present curl +#!/bin/bash +# Add logging functions at the top +LOG_DIR="/var/log/tuxprotect" +VPN_LOG="$LOG_DIR/vpn.log" +MAIN_LOG="$LOG_DIR/tuxprotect.log" +log() { + local message="[$(date '+%Y-%m-%d %H:%M:%S')] $1" + echo "$message" >> "$MAIN_LOG" + [ "$2" = "verbose" ] && echo "$message" +} +vpn_log() { + local message="[$(date '+%Y-%m-%d %H:%M:%S')] VPN: $1" + echo "$message" >> "$VPN_LOG" + log "$message" +} +rotate_logs() { + for logfile in "$LOG_DIR"/*.log; do + if [ -f "$logfile" ] && [ $(stat -f%z "$logfile") -gt 10485760 ]; then # 10MB + mv "$logfile" "$logfile.old" + touch "$logfile" + fi + done +} +verify_vpn_config() { + local config="/usr/share/tuxprotect/vpn/netfree.ovpn" + + if [ ! -f "$config" ] || [ ! -s "$config" ]; then + vpn_log "ERROR: VPN configuration missing or empty" + return + fi + + # Check for required config elements + if ! grep -q "^remote " "$config" && ! grep -q "^auth-user-pass" "$config"; then + vpn_log "ERROR: VPN configuration invalid" + return 1 + fi + + return 0 +} +start_vpn() { + vpn_log "Starting VPN connection..." + + if ! verify_vpn_config; then + vpn_log "Failed to verify VPN configuration" + return 1 + fi + + if ! pgrep openvpn >/dev/null; then + killall openvpn 2>/dev/null + sleep 2 + + openvpn --config /usr/share/tuxprotect/vpn/netfree.ovpn \ + --log "$VPN_LOG" \ + --daemon + + sleep 5 + + # Verify VPN connection + if ip addr show tun0 >/dev/null 2>&1; then + vpn_ip=$(ip addr show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}') + if [ "$vpn_ip" = "100.77.0.190" ]; then + vpn_log "VPN connected successfully with correct IP" + return 0 + fi + fi + + vpn_log "Failed to establish VPN connection" + return 1 + fi + return 0 +} + +check_vpn() { + if ! pgrep openvpn >/dev/null; then + vpn_log "VPN connection lost - attempting reconnection" + block_internet + sleep 30 + start_vpn + else + # Check if VPN is actually connected + if ! 
ip link show tun0 &>/dev/null; then + vpn_log "TUN interface down - restarting VPN" + block_internet + start_vpn + fi + fi + install_if_not_present curl install_if_not_present iptables install_if_not_present openssl install_if_not_present jq 
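Review bot: `verify_vpn_config` only rejects a config when both `remote` and `auth-user-pass` are missing, because the two negated `grep -q` tests are joined with `&&`; the comment calls both required, so the join should be `||`. In the missing-or-empty branch the bare `return` hands back whatever status `vpn_log` last produced — it happens to be non-zero only because `log` ends in `[ … ] && echo`, which fails when not verbose — so make it an explicit `return 1`. `rotate_logs` uses `stat -f%z`, the BSD spelling; with GNU coreutils `-f` selects filesystem mode, so the 10 MB comparison cannot work on the apt-based hosts this script targets and should read `stat -c%s "$logfile"`. `start_vpn` also treats any tun0 address other than 100.77.0.190 as failure while leaving openvpn running, so a server that hands out a different pool address leaves the client permanently in the blocked state.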
@@ -55,3 +141,194 @@ install_if_not_present curl sleep 0 fi fi + + # Rotate logs if needed + rotate_logs +} +trap 'start_service; exit' SIGINT SIGTERM +start_service () { + rewrite_service + systemctl daemon-reload + systemctl reenable tuxprotect.service + systemctl start tuxprotect.service +} + +rewrite_service() { + chattr -i /etc/systemd/system/tuxprotect.service + cat > /etc/systemd/system/tuxprotect.service << EOL +[Unit] +Description=Tux Protect +[Service] +Type=simple +ExecStartPre=-/usr/sbin/iptables -F +ExecStartPre=-/usr/bin/chattr -i /usr/bin/tuxprotect +ExecStartPre=-/usr/bin/curl -o /usr/bin/tuxprotect -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent.com/aronunger-ctb/tuxprotect/main/tuxprotect +ExecStartPre=-/usr/bin/chmod +x /usr/bin/tuxprotect +ExecStartPre=-/usr/bin/chattr +i /usr/bin/tuxprotect +ExecStart=/usr/bin/tuxprotect +ExecStopPost=-/usr/bin/chattr -i /etc/systemd/system/tuxprotect.service +ExecStopPost=-/usr/bin/curl -o /etc/systemd/system/tuxprotect.service -s --connect-timeout 5 -m 5 -k https://raw.githubusercontent/aronunger-ctb/tuxprotect/main/tuxprotect.service +ExecStopPost=-/usr/bin/chattr -+ /etc/systemd/system/tuxprotect.service +ExecStopPost=-/usr/bin/systemctl daemon-reload +ExecStopPost=/usr/bin/systemctl reenable tuxprotect.service +ExecStopPost=/usr/bin/systemctl start tuxprotect.service +TimeoutStopSec=5s +Restart=always +RestartSec=1 +StartLimitInterval=0 +StartLimitBurst=0 +Environment=DISPLAY=:0 +[Install] +WantedBy=multi-user.target +EOL + chattr +i /etc/systemd/system/tuxprotect.service +} +rewrite_script() { + chattr -i /usr/bin/tuxprotect + cat $0 > "$temp_file" + cp $temp_file /usr/bin/tuxprotect + rm "$temp_file" + chmod +x /usr/bin/tuxprotect + chattr +i /usr/bin/tuxprotect +} +#var +version="1.0.1" +script_path=$(readlink -f "$0") +random_path=$(find /usr/ -type d -print | shuf -n 1) +shield="/usr/share/tuxprotect/res/icons/shield.png" +shieldb="/usr/share/tuxprotect/res/icons/shieldb.png" 
+shieldc="/usr/share/tuxprotect/res/icons/shieldc.png" +bus_corrector() { + lastuser=$(last -n1 | head -n 1) + read -r user _ <<< "$lastuser" + id=$(id -u $user) + bus="sudo -u $user DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$id/bus" +} +unlock_dpkg() { + rm /var/lib/dpkg/lock-frontend + rm /var/lib/apt/lists/lock + rm /var/cache/apt/archives/lock + rm /var/lib/dpkg/lock +} +install_if_not_present() { + local package=$1 + if ! command -v $package &> /dev/null; then + if ! apt-get install $package; then + unlock_dpkg + apt-get install $package + fi + fi +} +indicator() { + #menu language + if [ "$LANG" = "fr_FR.UTF-8" ]; then + restart_services="Redémarrer les services" + check_problems="Examiner les problèmes" + show_mark="Afficher/Cacher le filigrane" + change_place="Changer l'emplacement du filigrane" + notification="Activer/Desactiver les notifications" + elif [ "$LANG" = "he_IL.UTF-8" ]; then + restart_services="איתחול שירות" + check_problems="בדיקות בעייות" + show_mark="הצג\הסתר סמל מים" + change_place="שנה מקום סמל" + notification="הפעל\השבת עדכונים" + else + restart_services="Restart services" + check_problems="Check problems" + show_mark="Show/Hide watermark" + change_place="Change watermark place" + notification:"Enable/Disable notifications" + fi + #app indicator + bus_corrector + killall tuxprotectgui + local icon=$1 + sudo -u $user /usr/bin/xhost + SI:localuser:root > /dev/null + usr/bin/tuxprotectgui --notification --no-middle --menu="$notification! /usr/share/tuxprotect/notification + |$restart_services ! /usr/share/tuxprotect/restartservices & + |$check_problems ! 
$bus /usr/bin/xdg-open http://1.2.3.4 + |V$version " --listen --image="$icon" + sudo -u $first /usr/bin/xhost - SI:localuser:root > /dev/null +} +notification() { + status_path="/usr/share/tuxprotect/res/status" + status=$(cat /usr/share/tuxprotect/res/status) + bus_corrector + local icon=$1 + local content=$2 + if [ "$status" = "1" ]; then + $bus notify-send "Tux Protect" $content -i "$icon" -t 20 + fi +} +block_internet() { + vpn_log "internet blocked" + iptables -F # Flush all existing rules +iptables -X # Delete user-defined chains +iptables -P INPUT DROP # Default policy for INPUT is DROP +iptables -P OUTPUT DROP # Default policy for OUTPUT is DROP +iptables -P FORWARD DROP # Default policy for FORWARD is DROP + +# Allow loopback traffic +iptables -A INPUT -i lo -j ACCEPT +iptables -A OUTPUT -o lo -j ACCEPT + +# Allow established and related connections (CRUCIAL, place early) +iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + +# Allow outgoing DNS requests (Important for resolving VPN server address) +iptables -A OUTPUT -p udp --dport 53 -j ACCEPT +iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT +iptables -A INPUT -p udp --sport 53 -j ACCEPT +iptables -A INPUT -p tcp --sport 53 -j ACCEPT + +# Allow traffic to/from your trusted IP (e.g., for SSH access) +iptables -A INPUT -s 100.77.0.190 -j ACCEPT +iptables -A OUTPUT -d 100.77.0.190 -j ACCEPT + +# Allow traffic to/from your VPN server (for reconnection attempts) +iptables -A INPUT -s 173.68.147.11 -j ACCEPT +iptables -A OUTPUT -d 173.68.147.11 -j ACCEPT + + +# Allow traffic from your local networks. 
+iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT +iptables -A INPUT -s 127.16.0.0/12 -j ACCEPT +iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT +iptables -A INPUT -s 1.2.3.4 -j ACCEPT +iptables -A INPUT -s 51.89.182.69 -j ACCEPT +iptables -A INPUT -s 93.184.216.34 -j ACCEPT + + +# Reject/Drop everything else (this is now effective) +iptables -A INPUT -j REJECT +iptables -A OUTPUT -j REJECT + iptables -A INPUT -j REJECT + iptables -L -v -n 2>&1 | while IFS= read -r line; do + vpn_log "$line" + done +} +main () { + log "Starting Tux Protect service" "verbose" + + # Verify VPN config before starting service + if ! verify_vpn_config; then + log "ERROR: Invalid VPN configuration - please run install script again" "verbose" + exit 1 + fi + + start_service + block_internet + + if ! start_vpn; then + log "Initial VPN start failed - will retry" "verbose" + fi + + indicator $shieldc & + while true; do + check_vpn + done +} +main + From e9a6b5bd7179503f641976fe73c8525ec65deefd Mon Sep 17 00:00:00 2001 From: aron unger Date: Sat, 28 Dec 2024 23:57:37 -0500 Subject: [PATCH 34/89] Update tuxprotect --- tuxprotect | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/tuxprotect b/tuxprotect index 45ecb37..21ecf0c 100644 --- a/tuxprotect +++ b/tuxprotect @@ -98,7 +98,15 @@ check_vpn() { iptables -F # Flush all rules iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT - iptables -P FORWARD ACCEPT + iptables -P FORWARD ACCEPT + if ! ping -c 1 -W 5 173.68.147.11 then + vpn_log "VPN connection not responding - forcing restart" + block_internet + killall openvpn + sleep 2 + start_vpn + return + fi if ! pgrep -f shield.png > /dev/null; then indicator $shield & notification $shield "הגלישה נפתחה - VPN מחובר" 
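Review bot: The unit written by `rewrite_service` fetches a replacement `/usr/bin/tuxprotect` with `curl -k`, which disables TLS certificate verification, and then executes it as root from `ExecStart`; anyone positioned on the path to raw.githubusercontent.com can therefore hand this host arbitrary root code, and the users this tool is meant to restrain are exactly the ones motivated to try. Drop `-k`, download to a temporary file and move it over the binary only after a checksum or signature check, since `curl -o` under `-m 5` can also leave a truncated script in place that `ExecStart` then runs. Two typos make the stop path a no-op: the second URL is `https://raw.githubusercontent/…` without `.com`, and `chattr -+` is not a valid flag (presumably `chattr +i`). `indicator` revokes the X grant as `sudo -u $first`, a variable nothing assigns, so `xhost + SI:localuser:root` is effectively never undone. `unlock_dpkg` deleting the dpkg/apt lock files and then `apt-get install` running without `-y` from a non-interactive service deserves its own look.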
@@ -129,7 +137,7 @@ check_vpn() { if ! pgrep -f shieldb.png > /dev/null; then indicator $shieldb & notification $shieldb "הגלישה נחסמה" - fi + fi timeout 5 ping -c 1 "$VPN_TEST_IP" >/dev/null 2>&1 if ! iptables -C INPUT -j REJECT; then block_internet if ! iptables -C INPUT -j REJECT; then From faedc0866a7a2ac1af0d8e634f0212943227aa84 Mon Sep 17 00:00:00 2001 From: aron unger Date: Sat, 28 Dec 2024 23:59:51 -0500 Subject: [PATCH 35/89] Update tuxprotect --- tuxprotect | 8 -------- 1 file changed, 8 deletions(-) diff --git a/tuxprotect b/tuxprotect index 21ecf0c..9837328 100644 --- a/tuxprotect +++ b/tuxprotect @@ -99,14 +99,6 @@ check_vpn() { iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT - if ! ping -c 1 -W 5 173.68.147.11 then - vpn_log "VPN connection not responding - forcing restart" - block_internet - killall openvpn - sleep 2 - start_vpn - return - fi if ! pgrep -f shield.png > /dev/null; then indicator $shield & notification $shield "הגלישה נפתחה - VPN מחובר" From 45df72fbbd2e1d9ca0cf440592710ee3371e778f Mon Sep 17 00:00:00 2001 From: aron unger Date: Sun, 29 Dec 2024 00:17:47 -0500 Subject: [PATCH 36/89] Update tuxprotect --- tuxprotect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index 9837328..20dae57 100644 --- a/tuxprotect +++ b/tuxprotect @@ -129,7 +129,7 @@ check_vpn() { if ! pgrep -f shieldb.png > /dev/null; then indicator $shieldb & notification $shieldb "הגלישה נחסמה" - fi timeout 5 ping -c 1 "$VPN_TEST_IP" >/dev/null 2>&1 + fi if ! iptables -C INPUT -j REJECT; then block_internet if ! iptables -C INPUT -j REJECT; then From a0859d3f6ecc9a3fa67a34697b820da86a22cd1d Mon Sep 17 00:00:00 2001 From: aron unger Date: Sun, 29 Dec 2024 00:22:44 -0500 Subject: [PATCH 37/89] Update tuxprotect --- tuxprotect | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tuxprotect b/tuxprotect index 20dae57..f6f5810 100644 --- a/tuxprotect +++ b/tuxprotect 
@@ -84,6 +84,14 @@ check_vpn() { start_vpn fi fi + if ! ping -c 1 -W 5 100.77.0.190; then + vpn_log "VPN connection not responding - forcing restart + block_internet + killall openvpn + sleep 2 + start_vpn + return + fi install_if_not_present curl install_if_not_present iptables install_if_not_present openssl From 04f4504e5651062f119f512dbce50b98f6082d21 Mon Sep 17 00:00:00 2001 From: aron unger Date: Sun, 29 Dec 2024 00:26:17 -0500 Subject: [PATCH 38/89] Update tuxprotect --- tuxprotect | 1 - 1 file changed, 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index f6f5810..cf7fc50 100644 --- a/tuxprotect +++ b/tuxprotect @@ -90,7 +90,6 @@ check_vpn() { killall openvpn sleep 2 start_vpn - return fi install_if_not_present curl install_if_not_present iptables From 1f70c25335688f10923903a24fcba53a11acf02f Mon Sep 17 00:00:00 2001 From: aron unger Date: Sun, 29 Dec 2024 00:29:48 -0500 Subject: [PATCH 39/89] Update tuxprotect --- tuxprotect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index cf7fc50..ce1927e 100644 --- a/tuxprotect +++ b/tuxprotect @@ -85,7 +85,7 @@ check_vpn() { fi fi if ! ping -c 1 -W 5 100.77.0.190; then - vpn_log "VPN connection not responding - forcing restart + vpn_log "VPN connection not responding - forcing restart" block_internet killall openvpn sleep 2 From ee399f8289d3d1236ec37359f648bd27962fc717 Mon Sep 17 00:00:00 2001 From: aron unger Date: Sun, 29 Dec 2024 01:27:21 -0500 Subject: [PATCH 40/89] Update tuxprotect --- tuxprotect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index ce1927e..2183fe4 100644 --- a/tuxprotect +++ b/tuxprotect @@ -84,7 +84,7 @@ check_vpn() { start_vpn fi fi - if ! ping -c 1 -W 5 100.77.0.190; then + if ! ping -c 1 -W 5 173.68.147.11; then vpn_log "VPN connection not responding - forcing restart" block_internet killall openvpn From 9b7c7cbdb13103057df6225e5e8ce988cc3eaed0 Mon Sep 17 00:00:00 2001 
From: aron unger Date: Sun, 29 Dec 2024 11:30:17 -0500 Subject: [PATCH 41/89] Update tuxprotect --- tuxprotect | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/tuxprotect b/tuxprotect index 2183fe4..4c54517 100644 --- a/tuxprotect +++ b/tuxprotect @@ -74,7 +74,6 @@ check_vpn() { if ! pgrep openvpn >/dev/null; then vpn_log "VPN connection lost - attempting reconnection" block_internet - sleep 30 start_vpn else # Check if VPN is actually connected @@ -84,7 +83,18 @@ check_vpn() { start_vpn fi fi - if ! ping -c 1 -W 5 173.68.147.11; then + local vpn_ip=$(ip addr show tun0 2>/dev/null | grep -oP '(?<=inet\s)\d+(\.\d+){3}') + local expected_ip="100.77.0.190" # The IP we expect from the VPN + if [ "$vpn_ip" = "$expected_ip" ]; then + log "VPN IP verified ($vpn_ip) - allowing all traffic" + log "VPN IP verified ($vpn_ip) - allowing all traffic" + iptables -F # Flush all rules + iptables -P INPUT ACCEPT + iptables -P OUTPUT ACCEPT + iptables -P FORWARD ACCEPT + fi + sleep 60 + if ! ping -c 1 -W 60 173.68.147.11; then vpn_log "VPN connection not responding - forcing restart" block_internet killall openvpn 
@@ -97,21 +107,12 @@ check_vpn() { install_if_not_present jq install_if_not_present openvpn # Get VPN IP and check it - local vpn_ip=$(ip addr show tun0 2>/dev/null | grep -oP '(?<=inet\s)\d+(\.\d+){3}') - local expected_ip="100.77.0.190" # The IP we expect from the VPN - if [ "$vpn_ip" = "$expected_ip" ]; then - log "VPN IP verified ($vpn_ip) - allowing all traffic" - log "VPN IP verified ($vpn_ip) - allowing all traffic" - iptables -F # Flush all rules - iptables -P INPUT ACCEPT - iptables -P OUTPUT ACCEPT - iptables -P FORWARD ACCEPT + if ! pgrep -f shield.png > /dev/null; then indicator $shield & notification $shield "הגלישה נפתחה - VPN מחובר" fi - return 0 - fi + # Continue with normal checks if VPN IP doesn't match response_code=$(timeout 5 curl -s -o /dev/null -w "%{http_code}" 1.2.3.4) issuer=$(timeout 5 sh -c 'echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer | awk -F "=" "/O =/ {print \$NF}"') From d06cf06783a03e3ecdc5807c32fa79b3910770dc Mon Sep 17 00:00:00 2001 From: aron unger Date: Sun, 29 Dec 2024 11:39:30 -0500 Subject: [PATCH 42/89] Update tuxprotect --- tuxprotect | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/tuxprotect b/tuxprotect index 4c54517..b1b39c9 100644 --- a/tuxprotect +++ b/tuxprotect @@ -93,14 +93,7 @@ check_vpn() { iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT fi - sleep 60 - if ! ping -c 1 -W 60 173.68.147.11; then - vpn_log "VPN connection not responding - forcing restart" - block_internet - killall openvpn - sleep 2 - start_vpn - fi + install_if_not_present curl install_if_not_present iptables install_if_not_present openssl 
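Review bot: With the `if [ "$vpn_ip" = "$expected_ip" ]` wrapper and its `return 0` gone, the `indicator $shield` / `notification $shield "… VPN מחובר"` pair at the top of this hunk now runs on every pass regardless of whether the tunnel address matched, so the user is told the VPN is connected before the NetFree checks below have decided anything. Gate it on the same condition the first hunk moved up, e.g. `if [ "$vpn_ip" = "$expected_ip" ] && ! pgrep -f shield.png > /dev/null; then`. The first hunk also logs `VPN IP verified` twice and then parks the loop in `sleep 60` followed by `ping -W 60`, so a dropped tunnel can go unnoticed for up to two minutes while the ACCEPT-all policies stay in force. check_vpn begins and ends outside these hunks.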
@@ -153,6 +146,16 @@ check_vpn() { # Rotate logs if needed rotate_logs } +vpnup_status (){ + sleep 60 + if ! ping -c 1 -W 60 173.68.147.11; then + vpn_log "VPN connection not responding - forcing restart" + block_internet + killall openvpn + sleep 2 + start_vpn + fi +} trap 'start_service; exit' SIGINT SIGTERM start_service () { rewrite_service @@ -336,6 +339,7 @@ main () { indicator $shieldc & while true; do check_vpn + vpnup_status & done } main From fd558b80ad8d1051d707977ef971659665c087c1 Mon Sep 17 00:00:00 2001 From: aron unger Date: Sun, 29 Dec 2024 11:43:23 -0500 Subject: [PATCH 43/89] Update tuxprotect --- tuxprotect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index b1b39c9..4209919 100644 --- a/tuxprotect +++ b/tuxprotect @@ -339,7 +339,7 @@ main () { indicator $shieldc & while true; do check_vpn - vpnup_status & + vpnup_status done } main From c4328e9626c3c239a7c62ef10e036490c83370c0 Mon Sep 17 00:00:00 2001 From: aron unger Date: Sun, 29 Dec 2024 16:59:51 +0000 Subject: [PATCH 44/89] Update tuxprotect --- tuxprotect | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/tuxprotect b/tuxprotect index 4209919..59bf8af 100644 --- a/tuxprotect +++ b/tuxprotect @@ -149,11 +149,8 @@ check_vpn() { vpnup_status (){ sleep 60 if ! ping -c 1 -W 60 173.68.147.11; then - vpn_log "VPN connection not responding - forcing restart" - block_internet - killall openvpn - sleep 2 - start_vpn + vpn_log "VPN connection not responding - forcing restart" + killall openvpn fi } trap 'start_service; exit' SIGINT SIGTERM @@ -338,7 +335,7 @@ main () { indicator $shieldc & while true; do - check_vpn + check_vpn & vpnup_status done } From 1881a28855bd6752cc048281058a8b39e4f280f8 Mon Sep 17 00:00:00 2001 From: aron unger Date: Sun, 29 Dec 2024 12:50:27 -0500 Subject: [PATCH 45/89] Update tuxprotect --- tuxprotect | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
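Review bot: `vpnup_status` now only runs `killall openvpn` when the ping fails, while the ACCEPT-all policies that `check_vpn` installed once the tunnel address matched stay in place until a later pass notices the process is gone; in that window the tunnel is down and the firewall is open, which is the case a kill switch exists to cover. Close the window on the same line, e.g. `iptables -P OUTPUT DROP; killall openvpn`, so the policy flips before the tunnel disappears. Running `check_vpn &` in the background while `vpnup_status` runs in the foreground also means two processes can now rewrite iptables and start or stop openvpn concurrently with no coordination. main() starts outside this hunk.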
diff --git a/tuxprotect b/tuxprotect index 59bf8af..49b9fd6 100644 --- a/tuxprotect +++ b/tuxprotect @@ -331,12 +331,14 @@ main () { if ! start_vpn; then log "Initial VPN start failed - will retry" "verbose" + fi indicator $shieldc & while true; do check_vpn & - vpnup_status + + done } main From 5a68a301c54892b55a9ae66b149d02acdae5e2d2 Mon Sep 17 00:00:00 2001 From: aron unger Date: Sun, 29 Dec 2024 17:59:28 +0000 Subject: [PATCH 46/89] try --- tuxprotect | 42 +----------------------------------------- 1 file changed, 1 insertion(+), 41 deletions(-) diff --git a/tuxprotect b/tuxprotect index 49b9fd6..1eedeba 100644 --- a/tuxprotect +++ b/tuxprotect 
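Review bot: The loop is now `while true; do check_vpn & done` with nothing left in the body that waits or sleeps, so main spawns a new background `check_vpn` as fast as bash can fork, each one running `pgrep`, `ip addr`, `iptables -F` and, when a tool is missing, `apt-get` — effectively a fork bomb inside a root service with `Restart=always`. Either keep the call in the foreground or add a delay and reap, e.g. `check_vpn & sleep 10; wait`. The added `fi` does correctly close the `if ! start_vpn` block the previous version left open. main() starts outside this hunk.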
@@ -101,47 +101,7 @@ check_vpn() { install_if_not_present openvpn # Get VPN IP and check it - if ! pgrep -f shield.png > /dev/null; then - indicator $shield & - notification $shield "הגלישה נפתחה - VPN מחובר" - fi - - # Continue with normal checks if VPN IP doesn't match - response_code=$(timeout 5 curl -s -o /dev/null -w "%{http_code}" 1.2.3.4) - issuer=$(timeout 5 sh -c 'echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer | awk -F "=" "/O =/ {print \$NF}"') - isNetFree=$(timeout 5 curl -s "https://api.internal.netfree.link/user/0" | jq -r '.isNetFree') - # ... rest of the existing apply_rules logic ... - if [[ $issuer =~ "NetFree" && $isNetFree == "true" ]]; then - if ! pgrep -f shield.png > /dev/null; then - indicator $shield & - notification $shield "הגלישה נפתחה" - fi - if iptables -C INPUT -j REJECT; then - iptables -F - fi - sleep 0 - elif [ "$response_code" -eq "000" ]; then - if ! pgrep -f shieldc.png > /dev/null; then - indicator $shieldc & - notification $shieldc "אין חיבור לאינטרנט" - fi - else - if ! pgrep -f shieldb.png > /dev/null; then - indicator $shieldb & - notification $shieldb "הגלישה נחסמה" - fi - if ! iptables -C INPUT -j REJECT; then - block_internet - if ! iptables -C INPUT -j REJECT; then - apply_rules - else - sleep 0 - fi - else - sleep 0 - fi - fi # Rotate logs if needed rotate_logs @@ -336,7 +296,7 @@ main () { indicator $shieldc & while true; do - check_vpn & + check_vpn done From 6cbaf9aa896a0b59b704f4b88ce5ff9f48e0a943 Mon Sep 17 00:00:00 2001 From: aron unger Date: Sun, 29 Dec 2024 18:20:11 +0000 Subject: [PATCH 47/89] as --- tuxprotect | 1 + 1 file changed, 1 insertion(+) diff --git a/tuxprotect b/tuxprotect index 1eedeba..043f0f5 100644 --- a/tuxprotect +++ b/tuxprotect @@ -93,6 +93,7 @@ check_vpn() { iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT fi + vpnup_status & install_if_not_present curl install_if_not_present iptables 
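Review bot: `vpnup_status &` is now launched from inside check_vpn, which main calls in a loop, so every iteration starts another detached watchdog; each one sleeps and then runs `killall openvpn` on its own, and nothing in this hunk stops the previous instance. Guard the launch so a single instance exists, e.g. remember its PID (`vpnup_pid=$!`) and skip when `kill -0 "$vpnup_pid" 2>/dev/null` succeeds. check_vpn's body continues outside the hunk.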
From b9e8daea23a946ff979015ca05595379a769db22 Mon Sep 17 00:00:00 2001 From: aron unger Date: Sun, 29 Dec 2024 18:24:31 +0000 Subject: [PATCH 48/89] s --- tuxprotect | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/tuxprotect b/tuxprotect index 043f0f5..b5ed53f 100644 --- a/tuxprotect +++ b/tuxprotect @@ -93,7 +93,9 @@ check_vpn() { iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT fi - vpnup_status & + if [ ! -f /tmp/vpnup_status.lock ]; then + vpnup_status & + fi install_if_not_present curl install_if_not_present iptables @@ -108,11 +110,15 @@ check_vpn() { rotate_logs } vpnup_status (){ - sleep 60 - if ! ping -c 1 -W 60 173.68.147.11; then - vpn_log "VPN connection not responding - forcing restart" - killall openvpn - fi + touch /tmp/vpnup_status.lock + while true; do + sleep 60 + if ! ping -c 1 -W 10 173.68.147.11 >/dev/null 2>&1; then + log "VPN connection not responding - forcing restart" + killall openvpn + fi + done + rm /tmp/vpnup_status.lock } trap 'start_service; exit' SIGINT SIGTERM start_service () { From acf821cebc811da61b10d603f1d074b63a629cca Mon Sep 17 00:00:00 2001 From: aron unger Date: Fri, 3 Jan 2025 13:29:37 -0500 Subject: [PATCH 49/89] Update tuxprotect Update the vpn status function to sleep for less time to balance between performance and reconnaction --- tuxprotect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index b5ed53f..40fc0a1 100644 --- a/tuxprotect +++ b/tuxprotect @@ -112,7 +112,7 @@ check_vpn() { vpnup_status (){ touch /tmp/vpnup_status.lock while true; do - sleep 60 + sleep 20 if ! ping -c 1 -W 10 173.68.147.11 >/dev/null 2>&1; then log "VPN connection not responding - forcing restart" killall openvpn From 18ffc46e624089b9df0a6d20563e63d44ed8fb0f Mon Sep 17 00:00:00 2001 From: aron unger Date: Sat, 4 Jan 2025 20:00:03 -0500 Subject: [PATCH 50/89] Update tuxprotect --- tuxprotect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
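Review bot: The `/tmp/vpnup_status.lock` guard is a security control that any local user can switch off: /tmp is world-writable, the script runs as root, and the check added in the same commit is only `[ ! -f ... ]`, so `touch /tmp/vpnup_status.lock` from an unprivileged shell keeps the watchdog from ever being started. The `rm` placed after `while true` is also unreachable, so the file survives a service restart (the `trap 'start_service; exit'` path) and the watchdog then never runs again; whether it survives a reboot depends on the distribution's /tmp cleanup. Prefer a root-owned directory and a liveness check instead of mere existence: write `echo "$BASHPID" > /run/tuxprotect/vpnup.pid` at the top of the loop, and in check_vpn use `kill -0 "$(cat /run/tuxprotect/vpnup.pid 2>/dev/null)" 2>/dev/null || vpnup_status &`.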
diff --git a/tuxprotect b/tuxprotect index 40fc0a1..2188690 100644 --- a/tuxprotect +++ b/tuxprotect @@ -113,7 +113,7 @@ vpnup_status (){ touch /tmp/vpnup_status.lock while true; do sleep 20 - if ! ping -c 1 -W 10 173.68.147.11 >/dev/null 2>&1; then + if ! ping -c 1 -W 5 173.68.147.11 >/dev/null 2>&1; then log "VPN connection not responding - forcing restart" killall openvpn fi From cf21914108ee026d0f9d3301c9a097368e14606e Mon Sep 17 00:00:00 2001 From: aron unger Date: Sat, 4 Jan 2025 20:40:47 -0500 Subject: [PATCH 51/89] Update tuxprotect --- tuxprotect | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tuxprotect b/tuxprotect index 2188690..b5ed53f 100644 --- a/tuxprotect +++ b/tuxprotect @@ -112,8 +112,8 @@ check_vpn() { vpnup_status (){ touch /tmp/vpnup_status.lock while true; do - sleep 20 - if ! ping -c 1 -W 5 173.68.147.11 >/dev/null 2>&1; then + sleep 60 + if ! ping -c 1 -W 10 173.68.147.11 >/dev/null 2>&1; then log "VPN connection not responding - forcing restart" killall openvpn fi From c14f4d744da88c3600b1ad203b94071c56cd9ad1 Mon Sep 17 00:00:00 2001 From: aron unger Date: Mon, 13 Jan 2025 20:21:23 -0500 Subject: [PATCH 52/89] Update tuxprotect --- tuxprotect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index b5ed53f..b7aaf25 100644 --- a/tuxprotect +++ b/tuxprotect @@ -58,7 +58,7 @@ start_vpn() { # Verify VPN connection if ip addr show tun0 >/dev/null 2>&1; then vpn_ip=$(ip addr show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}') - if [ "$vpn_ip" = "100.77.0.190" ]; then + if [ "$vpn_ip" = "100.77.0.14" ]; then vpn_log "VPN connected successfully with correct IP" return 0 fi From e7c0959ffd19b5ed980c0ee0bbc13e8e7efa4562 Mon Sep 17 00:00:00 2001 From: aron unger Date: Sun, 19 Jan 2025 14:07:50 -0500 Subject: [PATCH 53/89] Update tuxprotect fixed bug that after it sleeps their is open internet for a few seconds --- tuxprotect | 1 + 1 file changed, 1 insertion(+) 
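Review bot: The expected tunnel address is changed only in start_vpn here, while check_vpn keeps its own `expected_ip` literal (it appears as context in a later commit) and block_internet allow-lists yet another copy; with the copies disagreeing, start_vpn reports success for 100.77.0.14 but check_vpn never reaches the branch that opens the firewall. Hoist the value to one constant near the top of the script, `readonly VPN_CLIENT_IP="100.77.0.14"`, and reference `"$VPN_CLIENT_IP"` from all three places. The surrounding `if ip addr show tun0` block starts above this hunk.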
diff --git a/tuxprotect b/tuxprotect index b7aaf25..d7125ef 100644 --- a/tuxprotect +++ b/tuxprotect @@ -116,6 +116,7 @@ vpnup_status (){ if ! ping -c 1 -W 10 173.68.147.11 >/dev/null 2>&1; then log "VPN connection not responding - forcing restart" killall openvpn + block_internet fi done rm /tmp/vpnup_status.lock From 7a4b926b0e04d181c992f0d04b982f07939b4321 Mon Sep 17 00:00:00 2001 From: aron unger Date: Mon, 20 Jan 2025 21:30:57 +0000 Subject: [PATCH 54/89] update to stop virtualbox machines that are bypassing the vpn by using briged adapters --- .vscode/settings.json | 5 +++ tuxprotect | 71 +++++++++++++++++++++++++++++++++++++------ 2 files changed, 67 insertions(+), 9 deletions(-) create mode 100644 .vscode/settings.json diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000..b242572 --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,5 @@ +{ + "githubPullRequests.ignoredPullRequestBranches": [ + "main" + ] +} \ No newline at end of file diff --git a/tuxprotect b/tuxprotect index d7125ef..4fb6364 100644 --- a/tuxprotect +++ b/tuxprotect @@ -7,11 +7,19 @@ log() { local message="[$(date '+%Y-%m-%d %H:%M:%S')] $1" echo "$message" >> "$MAIN_LOG" [ "$2" = "verbose" ] && echo "$message" + # Rotate log if it exceeds 10,000 lines + if [ $(wc -l < "$MAIN_LOG") -gt 10000 ]; then + tail -n 10000 "$MAIN_LOG" > "$MAIN_LOG.tmp" && mv "$MAIN_LOG.tmp" "$MAIN_LOG" + fi } vpn_log() { local message="[$(date '+%Y-%m-%d %H:%M:%S')] VPN: $1" echo "$message" >> "$VPN_LOG" log "$message" + # Rotate log if it exceeds 10,000 lines + if [ $(wc -l < "$VPN_LOG") -gt 10000 ]; then + tail -n 10000 "$VPN_LOG" > "$VPN_LOG.tmp" && mv "$VPN_LOG.tmp" "$VPN_LOG" + fi } rotate_logs() { for logfile in "$LOG_DIR"/*.log; do @@ -71,6 +79,9 @@ start_vpn() { } check_vpn() { + if [ ! -f /tmp/vbox_bridged.lock ]; then + block_vbox_briged_adapters & + fi if ! pgrep openvpn >/dev/null; then vpn_log "VPN connection lost - attempting reconnection" block_internet 
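Review bot: `block_internet` is added after `killall openvpn`, so the open state still persists for the time between the kill and the re-block; that is the gap the commit message describes, merely shortened. Swap the two lines, `block_internet` then `killall openvpn`, so the firewall is closed before the tunnel goes away. `killall openvpn` also matches every openvpn process on the host, including one a user started by hand; killing by the PID recorded in start_vpn, or `pkill -f` with the config path start_vpn uses, is more precise. The loop header of vpnup_status and the trailing `rm` lie outside this hunk.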
@@ -86,12 +97,16 @@ check_vpn() { local vpn_ip=$(ip addr show tun0 2>/dev/null | grep -oP '(?<=inet\s)\d+(\.\d+){3}') local expected_ip="100.77.0.190" # The IP we expect from the VPN if [ "$vpn_ip" = "$expected_ip" ]; then - log "VPN IP verified ($vpn_ip) - allowing all traffic" - log "VPN IP verified ($vpn_ip) - allowing all traffic" + if [ ! -f /tmp/vpn_ip_verified ]; then + log "VPN IP verified ($vpn_ip) - allowing all traffic" + touch /tmp/vpn_ip_verified + fi iptables -F # Flush all rules iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT + else + rm -f /tmp/vpn_ip_verified fi if [ ! -f /tmp/vpnup_status.lock ]; then vpnup_status & @@ -102,10 +117,6 @@ check_vpn() { install_if_not_present openssl install_if_not_present jq install_if_not_present openvpn - # Get VPN IP and check it - - - # Rotate logs if needed rotate_logs } 
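Review bot: The only evidence on the `vpn_ip = expected_ip` branch that traffic is protected is that an interface named tun0 carries a fixed address, after which `iptables -F` plus ACCEPT policies open everything; any tun device configured with that address satisfies it (a local-root action, so whether it is in scope depends on the intended threat model). At minimum confirm the tunnel is the one openvpn created before flushing, e.g. that the openvpn process started from the expected config is still alive and that a route via tun0 exists. The new `/tmp/vpn_ip_verified` marker only de-duplicates a log line, but as it lives in world-writable /tmp any local user can pre-create it; a root-owned path such as /run/tuxprotect/ avoids the pattern. check_vpn's head and the following install_if_not_present calls are outside this hunk.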
@@ -121,6 +132,48 @@ vpnup_status (){ done rm /tmp/vpnup_status.lock } +block_vbox_briged_adapters() { + # stops a virtualbox machine if it detects a bridged adapter + touch /tmp/vbox_bridged.lock + # Get a list of all VMs (names and UUIDs) + vms=$(VBoxManage list vms) + + # Loop through each VM entry + while IFS= read -r vm; do + # Extract VM name and UUID using regex + vm_name=$(echo "$vm" | grep -oP '^"\K[^"]+(?=")') + vm_uuid=$(echo "$vm" | grep -oP '{\K[^}]+(?=})') + + # Skip if either name or UUID is missing + if [[ -z $vm_name || -z $vm_uuid ]]; then + log "Error processing VM entry: $vm" + continue + fi + + log "Checking VM: $vm_name ($vm_uuid)" + + # Check network adapters for bridged mode + for adapter in {1..4}; do + nic_type=$(VBoxManage showvminfo "$vm_uuid" --machinereadable | grep "nic$adapter" | cut -d'=' -f2 | tr -d '"') + + if [[ $nic_type == "bridged" ]]; then + log "VM '$vm_name' ($vm_uuid) is using a bridged network on adapter $adapter." + + # Stop the VM if it is running + vm_state=$(VBoxManage showvminfo "$vm_uuid" --machinereadable | grep -E '^VMState=' | cut -d'=' -f2 | tr -d '"') + if [[ $vm_state == "running" ]]; then + log "Stopping VM: $vm_name" + VBoxManage controlvm "$vm_uuid" poweroff + fi + + # Break out of adapter loop as we only need one bridged network to stop + break + fi + done + done <<< "$vms" + rm /tmp/vbox_bridged.lock +} + trap 'start_service; exit' SIGINT SIGTERM start_service () { rewrite_service @@ -299,14 +352,14 @@ main () { if ! start_vpn; then log "Initial VPN start failed - will retry" "verbose" - fi indicator $shieldc & + block_vbox_briged_adapters & + while true; do check_vpn - - + sleep 60 done } main From 6355830a986d64516bf29d4b618a629301622891 Mon Sep 17 00:00:00 2001 From: aron unger Date: Mon, 20 Jan 2025 17:05:15 -0500 Subject: [PATCH 55/89] Update tuxprotect --- tuxprotect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index 4fb6364..e1e39d0 100644 
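Review bot: `grep "nic$adapter"` is unanchored, so for adapter 1 it also matches any other machinereadable line containing `nic1`, such as `name="picnic1"`; if I read the output format correctly, `nic_type` then holds two lines, `[[ $nic_type == "bridged" ]]` is false, and a VM whose name contains that substring is never stopped. Anchor the key: `grep "^nic$adapter=" | cut -d'=' -f2 | tr -d '"'`. `VBoxManage showvminfo` is also invoked twice per adapter per VM; capture it once per VM into a variable and grep that, and note that only adapters 1-4 are inspected, whereas VirtualBox can expose up to eight on some chipsets (hedged, from the product documentation rather than this hunk). Run as root, `VBoxManage list vms` enumerates root's VM registry, so the desktop user's VMs may not be seen at all.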
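Review bot: If I read the collapsed hunk correctly, the `fi` closing `if ! start_vpn; then` is removed and nothing re-closes it, so main's `}` is reached inside an open `if` and bash should refuse the whole script with a syntax error before any function runs; if it does run for you, please double-check which copy is executed, since rewrite_script copies `$0` over /usr/bin/tuxprotect. Restore `fi` directly after the `log "Initial VPN start failed - will retry" "verbose"` line. `block_vbox_briged_adapters &` is also started here in addition to the lock-guarded start in check_vpn from the same commit, and the two can race on the lock file and run two copies.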
--- a/tuxprotect +++ b/tuxprotect @@ -95,7 +95,7 @@ check_vpn() { fi fi local vpn_ip=$(ip addr show tun0 2>/dev/null | grep -oP '(?<=inet\s)\d+(\.\d+){3}') - local expected_ip="100.77.0.190" # The IP we expect from the VPN + local expected_ip="100.77.0.14" # The IP we expect from the VPN if [ "$vpn_ip" = "$expected_ip" ]; then if [ ! -f /tmp/vpn_ip_verified ]; then log "VPN IP verified ($vpn_ip) - allowing all traffic" From ef13c49e7e5c686ff4d4dbce791401b853c205d4 Mon Sep 17 00:00:00 2001 From: aron unger Date: Mon, 20 Jan 2025 17:09:03 -0500 Subject: [PATCH 56/89] Update tuxprotect --- tuxprotect | 60 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 31 insertions(+), 29 deletions(-) diff --git a/tuxprotect b/tuxprotect index e1e39d0..2918d4c 100644 --- a/tuxprotect +++ b/tuxprotect 
@@ -135,42 +135,44 @@ vpnup_status (){ block_vbox_briged_adapters() { # stops a virtualbox machine if it detects a bridged adapter touch /tmp/vbox_bridged.lock - # Get a list of all VMs (names and UUIDs) - vms=$(VBoxManage list vms) + while true; do + # Get a list of all VMs (names and UUIDs) + vms=$(VBoxManage list vms) - # Loop through each VM entry - while IFS= read -r vm; do - # Extract VM name and UUID using regex - vm_name=$(echo "$vm" | grep -oP '^"\K[^"]+(?=")') - vm_uuid=$(echo "$vm" | grep -oP '{\K[^}]+(?=})') + # Loop through each VM entry + while IFS= read -r vm; do + # Extract VM name and UUID using regex + vm_name=$(echo "$vm" | grep -oP '^"\K[^"]+(?=")') + vm_uuid=$(echo "$vm" | grep -oP '{\K[^}]+(?=})') - # Skip if either name or UUID is missing - if [[ -z $vm_name || -z $vm_uuid ]]; then - log "Error processing VM entry: $vm" - continue - fi + # Skip if either name or UUID is missing + if [[ -z $vm_name || -z $vm_uuid ]]; then + log "Error processing VM entry: $vm" + continue + fi - log "Checking VM: $vm_name ($vm_uuid)" + log "Checking VM: $vm_name ($vm_uuid)" - # Check network adapters for bridged mode - for adapter in {1..4}; do - nic_type=$(VBoxManage showvminfo "$vm_uuid" --machinereadable | grep "nic$adapter" | cut -d'=' -f2 | tr -d '"') + # Check network adapters for bridged mode + for adapter in {1..4}; do + nic_type=$(VBoxManage showvminfo "$vm_uuid" --machinereadable | grep "nic$adapter" | cut -d'=' -f2 | tr -d '"') - if [[ $nic_type == "bridged" ]]; then - log "VM '$vm_name' ($vm_uuid) is using a bridged network on adapter $adapter." + if [[ $nic_type == "bridged" ]]; then + log "VM '$vm_name' ($vm_uuid) is using a bridged network on adapter $adapter." 
- # Stop the VM if it is running - vm_state=$(VBoxManage showvminfo "$vm_uuid" --machinereadable | grep -E '^VMState=' | cut -d'=' -f2 | tr -d '"') - if [[ $vm_state == "running" ]]; then - log "Stopping VM: $vm_name" - VBoxManage controlvm "$vm_uuid" poweroff - fi + # Stop the VM if it is running + vm_state=$(VBoxManage showvminfo "$vm_uuid" --machinereadable | grep -E '^VMState=' | cut -d'=' -f2 | tr -d '"') + if [[ $vm_state == "running" ]]; then + log "Stopping VM: $vm_name" + VBoxManage controlvm "$vm_uuid" poweroff + fi - # Break out of adapter loop as we only need one bridged network to stop - break - fi - done - done <<< "$vms" + # Break out of adapter loop as we only need one bridged network to stop + break + fi + done + done <<< "$vms" + done rm /tmp/vbox_bridged.lock } From f42e2d73bdd06b8f97f86653d4bba9fa1d1f565b Mon Sep 17 00:00:00 2001 From: aron unger Date: Mon, 20 Jan 2025 17:25:10 -0500 Subject: [PATCH 57/89] Update tuxprotect --- tuxprotect | 107 +++++++++++++++++++++++++---------------------------- 1 file changed, 50 insertions(+), 57 deletions(-) diff --git a/tuxprotect b/tuxprotect index 2918d4c..a261139 100644 --- a/tuxprotect +++ b/tuxprotect @@ -7,19 +7,11 @@ log() { local message="[$(date '+%Y-%m-%d %H:%M:%S')] $1" echo "$message" >> "$MAIN_LOG" [ "$2" = "verbose" ] && echo "$message" - # Rotate log if it exceeds 10,000 lines - if [ $(wc -l < "$MAIN_LOG") -gt 10000 ]; then - tail -n 10000 "$MAIN_LOG" > "$MAIN_LOG.tmp" && mv "$MAIN_LOG.tmp" "$MAIN_LOG" - fi } vpn_log() { local message="[$(date '+%Y-%m-%d %H:%M:%S')] VPN: $1" echo "$message" >> "$VPN_LOG" log "$message" - # Rotate log if it exceeds 10,000 lines - if [ $(wc -l < "$VPN_LOG") -gt 10000 ]; then - tail -n 10000 "$VPN_LOG" > "$VPN_LOG.tmp" && mv "$VPN_LOG.tmp" "$VPN_LOG" - fi } rotate_logs() { for logfile in "$LOG_DIR"/*.log; do 
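Review bot: Wrapping the body in `while true` with no delay turns this into a busy loop that runs `VBoxManage list vms` and two `showvminfo` per adapter per VM continuously, and it leaves `rm /tmp/vbox_bridged.lock` unreachable, so the lock written by `touch` is never cleared; because check_vpn only launches this function when the lock is absent, a crash or restart of the service leaves the VM check permanently off. Add a `sleep` at the end of the loop and release the lock from a trap, `trap 'rm -f /tmp/vbox_bridged.lock' EXIT`, rather than after the loop. The function header and the `touch` are at the start of the hunk on the previous line.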
@@ -79,9 +71,6 @@ start_vpn() { } check_vpn() { - if [ ! -f /tmp/vbox_bridged.lock ]; then - block_vbox_briged_adapters & - fi if ! pgrep openvpn >/dev/null; then vpn_log "VPN connection lost - attempting reconnection" block_internet @@ -95,18 +84,14 @@ check_vpn() { fi fi local vpn_ip=$(ip addr show tun0 2>/dev/null | grep -oP '(?<=inet\s)\d+(\.\d+){3}') - local expected_ip="100.77.0.14" # The IP we expect from the VPN + local expected_ip="100.77.0.190" # The IP we expect from the VPN if [ "$vpn_ip" = "$expected_ip" ]; then - if [ ! -f /tmp/vpn_ip_verified ]; then - log "VPN IP verified ($vpn_ip) - allowing all traffic" - touch /tmp/vpn_ip_verified - fi + log "VPN IP verified ($vpn_ip) - allowing all traffic" + iptables -F # Flush all rules iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT - else - rm -f /tmp/vpn_ip_verified fi if [ ! -f /tmp/vpnup_status.lock ]; then vpnup_status & @@ -117,6 +102,10 @@ check_vpn() { install_if_not_present openssl install_if_not_present jq install_if_not_present openvpn + # Get VPN IP and check it + + + # Rotate logs if needed rotate_logs } 
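Review bot: This hunk moves check_vpn's `expected_ip` back to 100.77.0.190 while start_vpn, changed in an earlier commit and not touched here, still verifies 100.77.0.14; with the two literals disagreeing, start_vpn reports success but the branch that flushes iptables never runs, so the host stays blocked after a successful connect (or the reverse if the server hands out .190). Keep a single constant for the client tunnel address and use it in both functions. Dropping the `/tmp/vpn_ip_verified` de-duplication also reinstates one "VPN IP verified" line per loop iteration, which without a sleep in main fills the log quickly. check_vpn's head is above this hunk.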
@@ -134,48 +123,52 @@ vpnup_status (){ } block_vbox_briged_adapters() { # stops a virtualbox machine if it detects a bridged adapter - touch /tmp/vbox_bridged.lock + local_user=$(logname) + export LOGNAME=$local_user + export USER=$local_user + while true; do - # Get a list of all VMs (names and UUIDs) - vms=$(VBoxManage list vms) - - # Loop through each VM entry - while IFS= read -r vm; do - # Extract VM name and UUID using regex - vm_name=$(echo "$vm" | grep -oP '^"\K[^"]+(?=")') - vm_uuid=$(echo "$vm" | grep -oP '{\K[^}]+(?=})') - - # Skip if either name or UUID is missing - if [[ -z $vm_name || -z $vm_uuid ]]; then - log "Error processing VM entry: $vm" - continue - fi - - log "Checking VM: $vm_name ($vm_uuid)" - - # Check network adapters for bridged mode - for adapter in {1..4}; do - nic_type=$(VBoxManage showvminfo "$vm_uuid" --machinereadable | grep "nic$adapter" | cut -d'=' -f2 | tr -d '"') - - if [[ $nic_type == "bridged" ]]; then - log "VM '$vm_name' ($vm_uuid) is using a bridged network on adapter $adapter." 
- - # Stop the VM if it is running - vm_state=$(VBoxManage showvminfo "$vm_uuid" --machinereadable | grep -E '^VMState=' | cut -d'=' -f2 | tr -d '"') - if [[ $vm_state == "running" ]]; then - log "Stopping VM: $vm_name" - VBoxManage controlvm "$vm_uuid" poweroff - fi - - # Break out of adapter loop as we only need one bridged network to stop - break - fi - done - done <<< "$vms" + # Get a list of all VMs (names and UUIDs) + vms=$(sudo -u $local_user VBoxManage list vms) + + # Loop through each VM entry + while IFS= read -r vm; do + # Extract VM name and UUID using regex + vm_name=$(echo "$vm" | grep -oP '^"\K[^"]+(?=")') + vm_uuid=$(echo "$vm" | grep -oP '{\K[^}]+(?=})') + + # Skip if either name or UUID is missing + if [[ -z $vm_name || -z $vm_uuid ]]; then + log "Error processing VM entry: $vm" + continue + fi + + log "Checking VM: $vm_name ($vm_uuid)" + + # Check network adapters for bridged mode + for adapter in {1..4}; do + nic_type=$(sudo -u $local_user VBoxManage showvminfo "$vm_uuid" --machinereadable | grep "nic$adapter" | cut -d'=' -f2 | tr -d '"') + + if [[ $nic_type == "bridged" ]]; then + log "VM '$vm_name' ($vm_uuid) is using a bridged network on adapter $adapter." + + # Stop the VM if it is running + vm_state=$(sudo -u $local_user VBoxManage showvminfo "$vm_uuid" --machinereadable | grep -E '^VMState=' | cut -d'=' -f2 | tr -d '"') + if [[ $vm_state == "running" ]]; then + log "Stopping VM: $vm_name" + sudo -u $local_user VBoxManage controlvm "$vm_uuid" poweroff + fi + + # Break out of adapter loop as we only need one bridged network to stop + break + fi + done + done <<< "$vms" + + sleep 60 # Check every 60 seconds done - rm /tmp/vbox_bridged.lock } - + trap 'start_service; exit' SIGINT SIGTERM start_service () { rewrite_service From 55479c6f3cfa3fc4ee1a1e63dbb02fd3b56f09fb Mon Sep 17 00:00:00 2001 
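Review bot: `local_user=$(logname)` followed by unquoted `sudo -u $local_user ...` breaks silently when logname fails, which it does without a controlling terminal such as under a systemd service: local_user is empty, `sudo -u` takes `VBoxManage` as the user name, every invocation errors, and the VM check becomes ineffective while the loop keeps running. Validate and quote it, `[ -n "$local_user" ] || { log "no desktop user found"; return 1; }` and `sudo -u "$local_user" VBoxManage ...`. The `export USER`/`LOGNAME` lines are redundant once sudo -u is used, as sudo's default env_reset replaces them anyway (hedged; depends on the sudoers policy). Removing the lock also leaves the function unguarded against being started twice, which main and check_vpn both do at this commit.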
From: aron unger Date: Mon, 20 Jan 2025 19:03:36 -0500 Subject: [PATCH 58/89] Update tuxprotect --- tuxprotect | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/tuxprotect b/tuxprotect index a261139..c157170 100644 --- a/tuxprotect +++ b/tuxprotect @@ -84,32 +84,32 @@ check_vpn() { fi fi local vpn_ip=$(ip addr show tun0 2>/dev/null | grep -oP '(?<=inet\s)\d+(\.\d+){3}') - local expected_ip="100.77.0.190" # The IP we expect from the VPN + local expected_ip="100.77.0.14" # The IP we expect from the VPN if [ "$vpn_ip" = "$expected_ip" ]; then log "VPN IP verified ($vpn_ip) - allowing all traffic" - + iptables -F # Flush all rules iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT - iptables -P FORWARD ACCEPT + iptables -P FORWARD ACCEPT fi if [ ! -f /tmp/vpnup_status.lock ]; then vpnup_status & fi - + install_if_not_present curl install_if_not_present iptables install_if_not_present openssl install_if_not_present jq install_if_not_present openvpn # Get VPN IP and check it - - + + # Rotate logs if needed rotate_logs } -vpnup_status (){ +vpnup_status (){ touch /tmp/vpnup_status.lock while true; do sleep 60 @@ -165,7 +165,7 @@ block_vbox_briged_adapters() { done done <<< "$vms" - sleep 60 # Check every 60 seconds + sleep 5 # Check every 60 seconds done } @@ -207,7 +207,7 @@ WantedBy=multi-user.target EOL chattr +i /etc/systemd/system/tuxprotect.service } -rewrite_script() { +rewrite_script() { chattr -i /usr/bin/tuxprotect cat $0 > "$temp_file" cp $temp_file /usr/bin/tuxprotect 
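Review bot: The comment on the changed line now contradicts the code, `sleep 5 # Check every 60 seconds`; write `sleep 5 # Check every 5 seconds`, or better make the interval a named constant such as `readonly VBOX_CHECK_INTERVAL=5` so the comment cannot drift. Five seconds means `VBoxManage list vms` plus two `showvminfo` per adapter per VM under sudo every 5 s, which is worth measuring on a desktop. The other hunks of this commit are whitespace only.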
@@ -271,7 +271,7 @@ indicator() { sudo -u $user /usr/bin/xhost + SI:localuser:root > /dev/null usr/bin/tuxprotectgui --notification --no-middle --menu="$notification! /usr/share/tuxprotect/notification |$restart_services ! /usr/share/tuxprotect/restartservices & - |$check_problems ! $bus /usr/bin/xdg-open http://1.2.3.4 + |$check_problems ! $bus /usr/bin/xdg-open http://1.2.3.4 |V$version " --listen --image="$icon" sudo -u $first /usr/bin/xhost - SI:localuser:root > /dev/null } @@ -285,7 +285,7 @@ notification() { $bus notify-send "Tux Protect" $content -i "$icon" -t 20 fi } -block_internet() { +block_internet() { vpn_log "internet blocked" iptables -F # Flush all existing rules iptables -X # Delete user-defined chains @@ -335,13 +335,13 @@ iptables -A OUTPUT -j REJECT } main () { log "Starting Tux Protect service" "verbose" - + # Verify VPN config before starting service if ! verify_vpn_config; then log "ERROR: Invalid VPN configuration - please run install script again" "verbose" exit 1 fi - + start_service block_internet @@ -359,3 +359,6 @@ main () { } main + + + From 26d81c531fde4c6e689a58da21d9fe161b131025 Mon Sep 17 00:00:00 2001 From: aron unger Date: Mon, 20 Jan 2025 19:12:11 -0500 Subject: [PATCH 59/89] Update tuxprotect --- tuxprotect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index c157170..acacedd 100644 --- a/tuxprotect +++ b/tuxprotect @@ -354,7 +354,7 @@ main () { while true; do check_vpn - sleep 60 + done } main From 8be8a00c889f1a2cd416a5fc06e38631d863d3ba Mon Sep 17 00:00:00 2001 From: aron unger Date: Mon, 20 Jan 2025 20:04:42 -0500 Subject: [PATCH 60/89] Update tuxprotect --- tuxprotect | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/tuxprotect b/tuxprotect index acacedd..998d33f 100644 --- a/tuxprotect +++ b/tuxprotect 
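Review bot: Removing `sleep 60` leaves `while true; do check_vpn done` with no delay at all, so check_vpn, which per other hunks runs `ip addr`, `iptables -F` with ACCEPT policies, `pgrep`, five install_if_not_present calls and rotate_logs, executes back-to-back forever, pegging a core and hammering the package manager. Keep a short interval, `check_vpn; sleep 5`, and if the motivation was reconnect latency, lower the sleep inside vpnup_status instead. The earlier part of main, including start_service and the first block_internet, is outside this hunk.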
@@ -122,7 +122,6 @@ vpnup_status (){ rm /tmp/vpnup_status.lock } block_vbox_briged_adapters() { - # stops a virtualbox machine if it detects a bridged adapter local_user=$(logname) export LOGNAME=$local_user export USER=$local_user @@ -130,16 +129,23 @@ block_vbox_briged_adapters() { while true; do # Get a list of all VMs (names and UUIDs) vms=$(sudo -u $local_user VBoxManage list vms) + log "vm" # Loop through each VM entry while IFS= read -r vm; do + # Skip empty or invalid lines + if [[ -z $vm || $vm =~ ^[[:space:]]*$ ]]; then + log "Skipping empty or invalid VM entry" + continue + fi + # Extract VM name and UUID using regex vm_name=$(echo "$vm" | grep -oP '^"\K[^"]+(?=")') vm_uuid=$(echo "$vm" | grep -oP '{\K[^}]+(?=})') # Skip if either name or UUID is missing if [[ -z $vm_name || -z $vm_uuid ]]; then - log "Error processing VM entry: $vm" + log "Error processing VM entry (missing name or UUID): $vm" continue fi @@ -169,6 +175,7 @@ block_vbox_briged_adapters() { done } + trap 'start_service; exit' SIGINT SIGTERM start_service () { rewrite_service From af44110afa5f565e31628334bd2a0687d21ac429 Mon Sep 17 00:00:00 2001 From: aron unger Date: Tue, 21 Jan 2025 00:24:09 -0500 Subject: [PATCH 61/89] Update tuxprotect --- tuxprotect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index 998d33f..b8a5fae 100644 --- a/tuxprotect +++ b/tuxprotect @@ -129,7 +129,7 @@ block_vbox_briged_adapters() { while true; do # Get a list of all VMs (names and UUIDs) vms=$(sudo -u $local_user VBoxManage list vms) - log "vm" + log "vm $vm" # Loop through each VM entry while IFS= read -r vm; do From 56c7e5aa4d76ad142bb466a547eac2f5cd8c7298 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 23 Jan 2025 15:18:35 -0500 Subject: [PATCH 62/89] Update tuxprotect --- tuxprotect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index b8a5fae..0669f1d 100644 --- a/tuxprotect +++ b/tuxprotect 
@@ -129,7 +129,7 @@ block_vbox_briged_adapters() { while true; do # Get a list of all VMs (names and UUIDs) vms=$(sudo -u $local_user VBoxManage list vms) - log "vm $vm" + log "vm $vms" # Loop through each VM entry while IFS= read -r vm; do From d13480f765a2ad67cc0d91f86c0135dabd266ee3 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 23 Jan 2025 16:36:18 -0500 Subject: [PATCH 63/89] Update tuxprotect --- tuxprotect | 1 + 1 file changed, 1 insertion(+) diff --git a/tuxprotect b/tuxprotect index 0669f1d..8ecbfef 100644 --- a/tuxprotect +++ b/tuxprotect @@ -125,6 +125,7 @@ block_vbox_briged_adapters() { local_user=$(logname) export LOGNAME=$local_user export USER=$local_user + log "$local_user" while true; do # Get a list of all VMs (names and UUIDs) From af536caa9f03786f4f8e1801f099d45294f809a5 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 23 Jan 2025 16:45:21 -0500 Subject: [PATCH 64/89] Update tuxprotect --- tuxprotect | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tuxprotect b/tuxprotect index 8ecbfef..16f3955 100644 --- a/tuxprotect +++ b/tuxprotect @@ -125,10 +125,12 @@ block_vbox_briged_adapters() { local_user=$(logname) export LOGNAME=$local_user export USER=$local_user - log "$local_user" - + while true; do # Get a list of all VMs (names and UUIDs) + log "$local_user" + + vms=$(sudo -u $local_user VBoxManage list vms) log "vm $vms" From f2e3956dd1bfd84d098cebf31c3390bd62fbb080 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 23 Jan 2025 16:50:12 -0500 Subject: [PATCH 65/89] Update tuxprotect --- tuxprotect | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tuxprotect b/tuxprotect index 16f3955..f0561ec 100644 --- a/tuxprotect +++ b/tuxprotect 
@@ -128,11 +128,11 @@ block_vbox_briged_adapters() { while true; do # Get a list of all VMs (names and UUIDs) - log "$local_user" + log "($local_user)" vms=$(sudo -u $local_user VBoxManage list vms) - log "vm $vms" + log "vm ($vms)" # Loop through each VM entry while IFS= read -r vm; do From 8dfb056f1247a8e5e95724e5f0949224b25d2b63 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 23 Jan 2025 16:53:08 -0500 Subject: [PATCH 66/89] Update tuxprotect --- tuxprotect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index f0561ec..0a31373 100644 --- a/tuxprotect +++ b/tuxprotect @@ -132,7 +132,7 @@ block_vbox_briged_adapters() { vms=$(sudo -u $local_user VBoxManage list vms) - log "vm ($vms)" + log "vm ($vms) s" # Loop through each VM entry while IFS= read -r vm; do From a7a7a16b8c9d78fc4f8239e0d9c6d2ac0c29e664 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 23 Jan 2025 17:03:18 -0500 Subject: [PATCH 67/89] Update tuxprotect --- tuxprotect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index 0a31373..4dc68aa 100644 --- a/tuxprotect +++ b/tuxprotect @@ -122,7 +122,7 @@ vpnup_status (){ rm /tmp/vpnup_status.lock } block_vbox_briged_adapters() { - local_user=$(logname) + local_user=$(who | awk '{print $1}' | head -n 1) export LOGNAME=$local_user export USER=$local_user From 1622c3cc7df9bc4352811fc4fc27e174fff161ea Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 23 Jan 2025 17:30:35 -0500 Subject: [PATCH 68/89] Update tuxprotect changed the logging --- tuxprotect | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tuxprotect b/tuxprotect index 4dc68aa..2bca169 100644 --- a/tuxprotect +++ b/tuxprotect 
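Review bot: `who | awk '{print $1}' | head -n 1` picks whichever login `who` lists first, so on a machine with more than one session, or a second account that owns the VirtualBox VMs, every other user's VMs are never enumerated and a bridged VM under that account bypasses the check; `who` is also empty before anyone logs in, leaving `local_user` blank and `sudo -u $local_user` malformed. Iterate over all current users instead, `for local_user in $(who | awk '{print $1}' | sort -u); do ... done`, and skip the pass when the list is empty. This sits inside block_vbox_briged_adapters, whose loop is outside the hunk.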
@@ -81,17 +81,21 @@ check_vpn() { vpn_log "TUN interface down - restarting VPN" block_internet start_vpn + rm /tmp/vpnconectedlog.lock fi fi local vpn_ip=$(ip addr show tun0 2>/dev/null | grep -oP '(?<=inet\s)\d+(\.\d+){3}') local expected_ip="100.77.0.14" # The IP we expect from the VPN if [ "$vpn_ip" = "$expected_ip" ]; then - log "VPN IP verified ($vpn_ip) - allowing all traffic" - + iptables -F # Flush all rules iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT + if [ ! -f /tmp/vpnconectedlog.lock] + log "VPN IP verified ($vpn_ip) - allowing all traffic" + touch /tmp/vpnconectedlog.lock + fi fi if [ ! -f /tmp/vpnup_status.lock ]; then vpnup_status & From ad8c26e09c30004847592c410261c96cb28b22bd Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 23 Jan 2025 17:34:04 -0500 Subject: [PATCH 69/89] Update tuxprotect --- tuxprotect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index 2bca169..98a15a3 100644 --- a/tuxprotect +++ b/tuxprotect @@ -92,7 +92,7 @@ check_vpn() { iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT - if [ ! -f /tmp/vpnconectedlog.lock] + if [ ! -f /tmp/vpnconectedlog.lock]; then log "VPN IP verified ($vpn_ip) - allowing all traffic" touch /tmp/vpnconectedlog.lock fi From ed8f206d99b7c48016e68073901c607960e15977 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 23 Jan 2025 19:02:13 -0500 Subject: [PATCH 70/89] Update tuxprotect --- tuxprotect | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/tuxprotect b/tuxprotect index 98a15a3..4f8d348 100644 --- a/tuxprotect +++ b/tuxprotect 
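Review bot: The fix adds `; then` but keeps the test as `[ ! -f /tmp/vpnconectedlog.lock]` with the `]` glued to the path, so `[` reports a missing `]` and returns status 2 on every call; the body never runs, the marker file is never created and the "VPN IP verified" line is never logged, the opposite of the intent. Write `if [ ! -f /tmp/vpnconectedlog.lock ]; then`. The `rm /tmp/vpnconectedlog.lock` added in the previous commit should be `rm -f`, since the file may not exist, and as with the other markers a path under /tmp can be pre-created by any local user.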
@@ -56,6 +56,16 @@ start_vpn() { sleep 5 # Verify VPN connection + + + # Set a timeout for the curl request (e.g., 10 seconds) + netfree=$(curl -sk --max-time 1 https://api.internal.netfree.link/user/info) + # Check if "isNetFree":true exists in the response + if [[ "$netfree" == *'"isNetFree":true'* ]]; then + log "NetFree is active: $netfree" + else + log "NetFree is not active or an error occurred: $netfree" + fi if ip addr show tun0 >/dev/null 2>&1; then vpn_ip=$(ip addr show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}') if [ "$vpn_ip" = "100.77.0.14" ]; then @@ -132,11 +142,11 @@ block_vbox_briged_adapters() { while true; do # Get a list of all VMs (names and UUIDs) - log "($local_user)" + #log "($local_user)" vms=$(sudo -u $local_user VBoxManage list vms) - log "vm ($vms) s" + #log "vm ($vms) s" # Loop through each VM entry while IFS= read -r vm; do @@ -156,14 +166,14 @@ block_vbox_briged_adapters() { continue fi - log "Checking VM: $vm_name ($vm_uuid)" + #log "Checking VM: $vm_name ($vm_uuid)" # Check network adapters for bridged mode for adapter in {1..4}; do nic_type=$(sudo -u $local_user VBoxManage showvminfo "$vm_uuid" --machinereadable | grep "nic$adapter" | cut -d'=' -f2 | tr -d '"') if [[ $nic_type == "bridged" ]]; then - log "VM '$vm_name' ($vm_uuid) is using a bridged network on adapter $adapter." + #log "VM '$vm_name' ($vm_uuid) is using a bridged network on adapter $adapter." # Stop the VM if it is running vm_state=$(sudo -u $local_user VBoxManage showvminfo "$vm_uuid" --machinereadable | grep -E '^VMState=' | cut -d'=' -f2 | tr -d '"') From f2cfbbd99db9fcd67ebe4c6cdd1a248393b1b5be Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 23 Jan 2025 19:06:51 -0500 Subject: [PATCH 71/89] Update tuxprotect --- tuxprotect | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/tuxprotect b/tuxprotect index 4f8d348..89d5f90 100644 --- a/tuxprotect +++ b/tuxprotect 
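Review bot: `curl -sk` disables TLS certificate verification for the call to api.internal.netfree.link, so the answer can be supplied by anyone who controls name resolution or the route for that host (a hosts-file entry suffices), and the body is checked by substring match rather than parsed; today the result is only logged, but if it is ever used to gate enforcement it must not be trusted as written. Drop `-k` and parse with the jq the script already installs, `isnetfree=$(curl -s --max-time 5 https://api.internal.netfree.link/user/info | jq -r '.isNetFree')`. The comment says 10 seconds while `--max-time 1` is set, and logging the full `$netfree` body writes whatever account details the endpoint returns into the log file (hedged; the response shape is not visible here). start_vpn's openvpn invocation is above this hunk.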
@@ -58,14 +58,7 @@ start_vpn() { # Verify VPN connection - # Set a timeout for the curl request (e.g., 10 seconds) - netfree=$(curl -sk --max-time 1 https://api.internal.netfree.link/user/info) - # Check if "isNetFree":true exists in the response - if [[ "$netfree" == *'"isNetFree":true'* ]]; then - log "NetFree is active: $netfree" - else - log "NetFree is not active or an error occurred: $netfree" - fi + if ip addr show tun0 >/dev/null 2>&1; then vpn_ip=$(ip addr show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}') if [ "$vpn_ip" = "100.77.0.14" ]; then @@ -81,6 +74,14 @@ start_vpn() { } check_vpn() { + # Set a timeout for the curl request (e.g., 10 seconds) + netfree=$(curl -sk --max-time 1 https://api.internal.netfree.link/user/info) + # Check if "isNetFree":true exists in the response + if [[ "$netfree" == *'"isNetFree":true'* ]]; then + log "NetFree is active: $netfree" + else + log "NetFree is not active or an error occurred: $netfree" + fi if ! pgrep openvpn >/dev/null; then vpn_log "VPN connection lost - attempting reconnection" block_internet From 93726a5f9dead25c78109a47ec1c8a4bd0e5a371 Mon Sep 17 00:00:00 2001 From: aron unger Date: Tue, 28 Jan 2025 15:40:38 -0500 Subject: [PATCH 72/89] Update tuxprotect --- tuxprotect | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tuxprotect b/tuxprotect index 89d5f90..d4e018b 100644 --- a/tuxprotect +++ b/tuxprotect @@ -337,8 +337,8 @@ iptables -A INPUT -s 100.77.0.190 -j ACCEPT iptables -A OUTPUT -d 100.77.0.190 -j ACCEPT # Allow traffic to/from your VPN server (for reconnection attempts) -iptables -A INPUT -s 173.68.147.11 -j ACCEPT -iptables -A OUTPUT -d 173.68.147.11 -j ACCEPT +iptables -A INPUT -s 66.23.206.163 -j ACCEPT +iptables -A OUTPUT -d 66.23.206.163 -j ACCEPT # Allow traffic from your local networks. From e9c9e3694e225c8051899986d3dde01d20bc5c1f Mon Sep 17 00:00:00 2001 
From: aron unger Date: Tue, 28 Jan 2025 15:47:54 -0500 Subject: [PATCH 73/89] Update tuxprotect --- tuxprotect | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tuxprotect b/tuxprotect index d4e018b..7d77521 100644 --- a/tuxprotect +++ b/tuxprotect @@ -61,7 +61,7 @@ start_vpn() { if ip addr show tun0 >/dev/null 2>&1; then vpn_ip=$(ip addr show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}') - if [ "$vpn_ip" = "100.77.0.14" ]; then + if [ "$vpn_ip" = "100.77.1.59" ]; then vpn_log "VPN connected successfully with correct IP" return 0 fi @@ -96,7 +96,7 @@ check_vpn() { fi fi local vpn_ip=$(ip addr show tun0 2>/dev/null | grep -oP '(?<=inet\s)\d+(\.\d+){3}') - local expected_ip="100.77.0.14" # The IP we expect from the VPN + local expected_ip="100.77.1.59" # The IP we expect from the VPN if [ "$vpn_ip" = "$expected_ip" ]; then iptables -F # Flush all rules From 8909f1a0bdcf96f0c9fa66ff5be3bd471577ba4f Mon Sep 17 00:00:00 2001 From: aron unger Date: Wed, 29 Jan 2025 21:19:04 -0500 Subject: [PATCH 74/89] Update README.md --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 327397f..b6c5fc3 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,10 @@ Logo

+## announcement +### +this project is not ready yet I hope I will finish up fixing all the bugs in the next few weeks + ## Features ### Network Connection Blocking: From 5eca8b9ce87f858c079642cbed660bd47d0067ad Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 30 Jan 2025 08:22:25 -0500 Subject: [PATCH 75/89] change chack vpn change vpn chack that it shoud use netfrees api test --- tuxprotect | 191 ++++++++++++++++++++++++----------------------------- 1 file changed, 88 insertions(+), 103 deletions(-) diff --git a/tuxprotect b/tuxprotect index 7d77521..ae24c88 100644 --- a/tuxprotect +++ b/tuxprotect @@ -3,16 +3,27 @@ LOG_DIR="/var/log/tuxprotect" VPN_LOG="$LOG_DIR/vpn.log" MAIN_LOG="$LOG_DIR/tuxprotect.log" + log() { - local message="[$(date '+%Y-%m-%d %H:%M:%S')] $1" - echo "$message" >> "$MAIN_LOG" - [ "$2" = "verbose" ] && echo "$message" + local level="$1" + local message="$2" + local log_file="$3" + local timestamp="[$(date '+%Y-%m-%d %H:%M:%S')]" + local log_message="$timestamp [$level] $message" + + echo "$log_message" >> "$log_file" + [ "$4" = "verbose" ] && echo "$log_message" } + +main_log() { + log "INFO" "$1" "$MAIN_LOG" "$2" +} + vpn_log() { - local message="[$(date '+%Y-%m-%d %H:%M:%S')] VPN: $1" - echo "$message" >> "$VPN_LOG" - log "$message" + log "VPN" "$1" "$VPN_LOG" "$2" + main_log "$1" "$2" } + rotate_logs() { for logfile in "$LOG_DIR"/*.log; do if [ -f "$logfile" ] && [ $(stat -f%z "$logfile") -gt 10485760 ]; then # 10MB @@ -21,6 +32,7 @@ rotate_logs() { fi done } + verify_vpn_config() { local config="/usr/share/tuxprotect/vpn/netfree.ovpn" @@ -37,6 +49,7 @@ verify_vpn_config() { return 0 } + start_vpn() { vpn_log "Starting VPN connection..." @@ -56,9 +69,6 @@ start_vpn() { sleep 5 # Verify VPN connection - - - if ip addr show tun0 >/dev/null 2>&1; then vpn_ip=$(ip addr show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}') if [ "$vpn_ip" = "100.77.1.59" ]; then 
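Review bot: The new `log()` ends with `[ "$4" = "verbose" ] && echo "$log_message"`, so its exit status is 1 whenever the verbose flag is absent, and `main_log`/`vpn_log` inherit that status; any caller written as `log … || …`, or a later `set -e`, would misfire. Close the function with an explicit success, e.g. `if [ "$4" = "verbose" ]; then echo "$log_message"; fi`, or append `return 0`. `vpn_log` now writes every message to both `$VPN_LOG` and, via `main_log`, `$MAIN_LOG`; a one-line comment stating that the duplication is intentional would save the next reader a question. The adjacent `rotate_logs` context still uses `stat -f%z`, which is not the GNU coreutils form (`stat -c%s`); it is untouched by this commit but will make rotation fail on the Ubuntu target the project names. rotate_logs continues outside the hunk.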
@@ -75,41 +85,22 @@ start_vpn() { check_vpn() { # Set a timeout for the curl request (e.g., 10 seconds) - netfree=$(curl -sk --max-time 1 https://api.internal.netfree.link/user/info) - # Check if "isNetFree":true exists in the response - if [[ "$netfree" == *'"isNetFree":true'* ]]; then - log "NetFree is active: $netfree" - else - log "NetFree is not active or an error occurred: $netfree" - fi - if ! pgrep openvpn >/dev/null; then - vpn_log "VPN connection lost - attempting reconnection" - block_internet - start_vpn - else - # Check if VPN is actually connected - if ! ip link show tun0 &>/dev/null; then - vpn_log "TUN interface down - restarting VPN" - block_internet - start_vpn - rm /tmp/vpnconectedlog.lock - fi - fi - local vpn_ip=$(ip addr show tun0 2>/dev/null | grep -oP '(?<=inet\s)\d+(\.\d+){3}') - local expected_ip="100.77.1.59" # The IP we expect from the VPN - if [ "$vpn_ip" = "$expected_ip" ]; then - + netfree=$(curl -sk --max-time 1 https://api.internal.netfree.link/user/info) + # Check if "isNetFree":true exists in the response + if [[ "$netfree" == *'"isNetFree":true'* ]]; then + main_log "NetFree is active: $netfree" iptables -F # Flush all rules iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT - if [ ! -f /tmp/vpnconectedlog.lock]; then - log "VPN IP verified ($vpn_ip) - allowing all traffic" - touch /tmp/vpnconectedlog.lock - fi - fi - if [ ! -f /tmp/vpnup_status.lock ]; then - vpnup_status & + main_log "Allowing all traffic" + else + main_log "NetFree is not active or an error occurred: $netfree" + main_log "Not Connected to NetFree" + block_internet + killall openvpn + sleep 5 + start_vpn fi install_if_not_present curl 
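Review bot: The rewritten check_vpn opens the firewall (`iptables -F` plus ACCEPT on INPUT, OUTPUT and FORWARD) on a single signal — a substring match on an HTTP body fetched with `curl -sk --max-time 1` — and removes the `pgrep openvpn` and `ip link show tun0` checks that previously confirmed the tunnel itself was up, so a valid-looking answer with the tunnel down, or a spoofed answer given `-k`, leaves all traffic unfiltered. Keep the process and interface checks as preconditions, e.g. `if pgrep openvpn >/dev/null && ip link show tun0 &>/dev/null && [[ "$netfree" == *'"isNetFree":true'* ]]; then`, and drop `-k`. Flushing every rule while connected also removes any kill switch between loop iterations; a rule set that accepts OUTPUT only on the tunnel (`iptables -A OUTPUT -o tun0 -j ACCEPT`) with the DROP policies kept would fail closed if the tunnel drops before the next probe. On the failure path a 1-second timeout is enough to run `block_internet`, `killall openvpn`, `sleep 5`, `start_vpn`, so one slow API response tears down a working tunnel; patch 81 later adds a retry but the first probe's timeout stays at 1s. check_vpn continues outside the hunk.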
@@ -117,25 +108,11 @@ check_vpn() { install_if_not_present openssl install_if_not_present jq install_if_not_present openvpn - # Get VPN IP and check it - - # Rotate logs if needed rotate_logs } -vpnup_status (){ - touch /tmp/vpnup_status.lock - while true; do - sleep 60 - if ! ping -c 1 -W 10 173.68.147.11 >/dev/null 2>&1; then - log "VPN connection not responding - forcing restart" - killall openvpn - block_internet - fi - done - rm /tmp/vpnup_status.lock -} + block_vbox_briged_adapters() { local_user=$(who | awk '{print $1}' | head -n 1) export LOGNAME=$local_user 
@@ -311,67 +288,76 @@ notification() { fi } block_internet() { - vpn_log "internet blocked" + vpn_log "Internet blocked" iptables -F # Flush all existing rules -iptables -X # Delete user-defined chains -iptables -P INPUT DROP # Default policy for INPUT is DROP -iptables -P OUTPUT DROP # Default policy for OUTPUT is DROP -iptables -P FORWARD DROP # Default policy for FORWARD is DROP - -# Allow loopback traffic -iptables -A INPUT -i lo -j ACCEPT -iptables -A OUTPUT -o lo -j ACCEPT - -# Allow established and related connections (CRUCIAL, place early) -iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT - -# Allow outgoing DNS requests (Important for resolving VPN server address) -iptables -A OUTPUT -p udp --dport 53 -j ACCEPT -iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT -iptables -A INPUT -p udp --sport 53 -j ACCEPT -iptables -A INPUT -p tcp --sport 53 -j ACCEPT - -# Allow traffic to/from your trusted IP (e.g., for SSH access) -iptables -A INPUT -s 100.77.0.190 -j ACCEPT -iptables -A OUTPUT -d 100.77.0.190 -j ACCEPT - -# Allow traffic to/from your VPN server (for reconnection attempts) -iptables -A INPUT -s 66.23.206.163 -j ACCEPT -iptables -A OUTPUT -d 66.23.206.163 -j ACCEPT - - -# Allow traffic from your local networks. 
-iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT -iptables -A INPUT -s 127.16.0.0/12 -j ACCEPT -iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT -iptables -A INPUT -s 1.2.3.4 -j ACCEPT -iptables -A INPUT -s 51.89.182.69 -j ACCEPT -iptables -A INPUT -s 93.184.216.34 -j ACCEPT - - -# Reject/Drop everything else (this is now effective) -iptables -A INPUT -j REJECT -iptables -A OUTPUT -j REJECT - iptables -A INPUT -j REJECT - iptables -L -v -n 2>&1 | while IFS= read -r line; do + iptables -X # Delete user-defined chains + iptables -P INPUT DROP # Default policy for INPUT is DROP + iptables -P OUTPUT DROP # Default policy for OUTPUT is DROP + iptables -P FORWARD DROP # Default policy for FORWARD is DROP + + # Allow loopback traffic + iptables -A INPUT -i lo -j ACCEPT + iptables -A OUTPUT -o lo -j ACCEPT + + # Allow established and related connections (CRUCIAL, place early) + iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + + # Allow outgoing DNS requests (Important for resolving VPN server address) + iptables -A OUTPUT -p udp --dport 53 -j ACCEPT + iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT + iptables -A INPUT -p udp --sport 53 -j ACCEPT + iptables -A INPUT -p tcp --sport 53 -j ACCEPT + + # Allow traffic to/from your trusted IP (e.g., for SSH access) + iptables -A INPUT -s 100.77.0.190 -j ACCEPT + iptables -A OUTPUT -d 100.77.0.190 -j ACCEPT + + # Allow traffic to/from your VPN server (for reconnection attempts) + iptables -A INPUT -s 66.23.206.163 -j ACCEPT + iptables -A OUTPUT -d 66.23.206.163 -j ACCEPT + + # Allow traffic from your local networks. 
+ iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT + iptables -A INPUT -s 127.16.0.0/12 -j ACCEPT + iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT + iptables -A INPUT -s 1.2.3.4 -j ACCEPT + iptables -A INPUT -s 51.89.182.69 -j ACCEPT + iptables -A INPUT -s 93.184.216.34 -j ACCEPT + + # Reject/Drop everything else (this is now effective) + iptables -A INPUT -j REJECT + iptables -A OUTPUT -j REJECT + iptables -L -v -n 2>&1 | while IFS= read -r line; do vpn_log "$line" done } + +disable_ipv6() { + main_log "Disabling IPv6" + sysctl -w net.ipv6.conf.all.disable_ipv6=1 + sysctl -w net.ipv6.conf.default.disable_ipv6=1 + sysctl -w net.ipv6.conf.lo.disable_ipv6=1 +} main () { - log "Starting Tux Protect service" "verbose" + main_log "Starting Tux Protect service" "verbose" + + # Disable IPv6 # Verify VPN config before starting service if ! verify_vpn_config; then - log "ERROR: Invalid VPN configuration - please run install script again" "verbose" + main_log "ERROR: Invalid VPN configuration - please run install script again" "verbose" exit 1 fi - start_service + block_internet + disable_ipv6 + + if ! start_vpn; then - log "Initial VPN start failed - will retry" "verbose" + main_log "Initial VPN start failed - will retry" "verbose" fi indicator $shieldc & @@ -386,4 +372,3 @@ main - From 6b2cf57e1347ec15758eadcba76b8e99239709b0 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 30 Jan 2025 12:53:28 -0500 Subject: [PATCH 76/89] Update tuxprotect --- tuxprotect | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tuxprotect b/tuxprotect index ae24c88..2184d1f 100644 --- a/tuxprotect +++ b/tuxprotect 
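Review bot: `iptables -A INPUT -s 127.16.0.0/12 -j ACCEPT` in block_internet (carried onto the new side by the re-indent) looks like a typo for the private range `172.16.0.0/12`: 127.16.0.0/12 lies inside loopback 127.0.0.0/8, which is already accepted via `-i lo`, so the rule is a no-op and 172.16/12 hosts are not allowed. `iptables -A INPUT -s 1.2.3.4 -j ACCEPT`, `51.89.182.69` and `93.184.216.34` are unrestricted inbound accepts with no comment saying what they are; document each or remove them. disable_ipv6 sets the sysctls without checking the result and the rules are v4-only, so where sysctl fails (containers, locked-down kernels) IPv6 traffic bypasses the block entirely — add `ip6tables -P INPUT DROP` and `ip6tables -P OUTPUT DROP` alongside, or at least `|| main_log "failed to disable IPv6"`. In `main`, the new `# Disable IPv6` comment sits above the config check while the call happens after `block_internet`; move it next to `disable_ipv6`. main continues outside the hunk.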
@@ -308,6 +308,10 @@ block_internet() { iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT iptables -A INPUT -p udp --sport 53 -j ACCEPT iptables -A INPUT -p tcp --sport 53 -j ACCEPT + iptables -A INPUT -s 8.8.8.8 -j ACCEPT + iptables -A OUTPUT -d 8.8.8.8 -j ACCEPT + iptables -A INPUT -s 8.8.4.4 -j ACCEPT + iptables -A OUTPUT -d 8.8.4.4 -j ACCEPT # Allow traffic to/from your trusted IP (e.g., for SSH access) iptables -A INPUT -s 100.77.0.190 -j ACCEPT From 5efc765d7ef508eed19044880676d8c8f6aec719 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 30 Jan 2025 13:28:26 -0500 Subject: [PATCH 77/89] Update tuxprotect --- tuxprotect | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tuxprotect b/tuxprotect index 2184d1f..e593882 100644 --- a/tuxprotect +++ b/tuxprotect @@ -320,6 +320,11 @@ block_internet() { # Allow traffic to/from your VPN server (for reconnection attempts) iptables -A INPUT -s 66.23.206.163 -j ACCEPT iptables -A OUTPUT -d 66.23.206.163 -j ACCEPT + NETFREE_API=$(dig +short https://api.internal.netfree.link) + main_log $NETFREE_API + iptables -A INPUT -s $NETFREE_API -j ACCEPT + iptables -A OUTPUT -d $NETFREE_API -j ACCEPT + # Allow traffic from your local networks. iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT From 18f252fd8c6443a9ce4d5b9ee8a71485cb366b65 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 30 Jan 2025 14:12:39 -0500 Subject: [PATCH 78/89] Update tuxprotect --- tuxprotect | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/tuxprotect b/tuxprotect index e593882..9db1a95 100644 --- a/tuxprotect +++ b/tuxprotect 
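Review bot: The four new rules accept every protocol and port to and from 8.8.8.8 and 8.8.4.4, while the lines just above already permit DNS (port 53) to any destination, so the addition widens the blocked state without adding anything DNS needs. If a fixed resolver is wanted, constrain the rule to the service, `iptables -A OUTPUT -d 8.8.8.8 -p udp --dport 53 -j ACCEPT` (and the tcp equivalent), and consider tightening the generic port-53 allows to those resolvers instead of leaving DNS open to every host while the tunnel is down. block_internet continues outside the hunk.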
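Review bot: `NETFREE_API=$(dig +short https://api.internal.netfree.link)` passes a URL to dig, which resolves hostnames, so the lookup returns nothing and `iptables -A INPUT -s $NETFREE_API -j ACCEPT` runs as `-s -j ACCEPT` and fails — the API host that check_vpn probes stays unreachable while blocked; the same argument is carried into patches 78, 80 and 82. Use `dig +short api.internal.netfree.link`, and quote `main_log "$NETFREE_API"` so the possibly multi-line answer reaches the new log() as one message. `dig` is not in the `install_if_not_present` list (curl, openssl, jq, openvpn), so either add it or use `getent ahostsv4`, which ships with glibc. The addresses come from an unauthenticated DNS answer and become blanket ACCEPT rules for all traffic; limit them to the protocol and port the client actually uses (install.sh configures port 143) so a wrong or spoofed answer opens as little as possible. block_internet continues outside the hunk.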
@@ -317,13 +317,21 @@ block_internet() { iptables -A INPUT -s 100.77.0.190 -j ACCEPT iptables -A OUTPUT -d 100.77.0.190 -j ACCEPT - # Allow traffic to/from your VPN server (for reconnection attempts) - iptables -A INPUT -s 66.23.206.163 -j ACCEPT - iptables -A OUTPUT -d 66.23.206.163 -j ACCEPT + # Allow traffic to/from your VPN server and netfree api (for reconnection attempts) + NETFREE_US_VPN_SERVER=$(dig +short vpn-us-nyc1.netfree.link) + for ip in $NETFREE_US_VPN_SERVER; do + iptables -A INPUT -s $ip -j ACCEPT + iptables -A OUTPUT -d $ip -j ACCEPT + main_log $ip + done + NETFREE_API=$(dig +short https://api.internal.netfree.link) - main_log $NETFREE_API - iptables -A INPUT -s $NETFREE_API -j ACCEPT - iptables -A OUTPUT -d $NETFREE_API -j ACCEPT + for ip in $NETFREE_API; do + iptables -A INPUT -s $ip -j ACCEPT + iptables -A OUTPUT -d $ip -j ACCEPT\ + main_log $ip + done + # Allow traffic from your local networks. From e8782b9647073ed13990fcbea9ba092fbcf5d542 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 30 Jan 2025 14:36:19 -0500 Subject: [PATCH 79/89] Update install.sh --- install.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/install.sh b/install.sh index a65edfc..9085e18 100644 --- a/install.sh +++ b/install.sh @@ -10,7 +10,8 @@ configure_vpn() { echo "1) US Server (New York)" echo "2) UK Server (London)" echo "3) Israel Server (Tel Aviv)" - read -p "Enter your choice (1-3): " choice + echo "4) France Server (Rome)" + read -p "Enter your choice (1-4): " choice # Prompt user to enter NetFree username read -p "Enter your NetFree username: " vpn_user 
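Review bot: The new menu entry reads `4) France Server (Rome)`, but Rome is not in France and the matching arm in the next hunk resolves `vpn-fr1.netfree.link`; label it with the actual location (or simply `France Server`) so users pick the endpoint they intend. The prompt range becomes 1-4, yet `choice` is still not validated before the `case`, whose `*)` arm silently selects a hard-coded server; reject anything outside 1-4 at the `read -p` with a re-prompt. configure_vpn continues outside the hunk.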
@@ -30,9 +31,10 @@ configure_vpn() { # Determine remote server line based on user choice local remote_line="" case $choice in - 1) remote_line="remote 173.68.147.11 143" ;; - 2) remote_line="remote 77.68.76.69 143" ;; - 3) remote_line="remote 185.217.99.140 143" ;; + 1) remote_line="remote vpn-us-nyc1.netfree.link 143" ;; + 2) remote_line="remote s.uk1.nfaw.netfree.link 143" ;; + 3) remote_line="remote s.il1.nfaw.netfree.link 143" ;; + 4) remote_line="remote vpn-fr1.netfree.link 143" *) remote_line="remote 173.68.147.11 143" ;; esac From 295e4d45fd7205b80313e38080babcfe88fa01e1 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 30 Jan 2025 14:40:44 -0500 Subject: [PATCH 80/89] Update tuxprotect --- tuxprotect | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index 9db1a95..bde0072 100644 --- a/tuxprotect +++ b/tuxprotect 
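Review bot: The new arm `4) remote_line="remote vpn-fr1.netfree.link 143"` has no terminating `;;`, so bash reports a syntax error at the following `*)` and configure_vpn cannot run at all; add `;;` to that line. The default arm still points at the bare address `173.68.147.11`, which the other arms have just replaced with hostnames; an invalid choice should be rejected (`*) echo "invalid choice" >&2; return 1 ;;`) rather than silently connecting to a server the user did not pick. configure_vpn continues outside the hunk.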
@@ -318,13 +318,35 @@ block_internet() { iptables -A OUTPUT -d 100.77.0.190 -j ACCEPT # Allow traffic to/from your VPN server and netfree api (for reconnection attempts) + # us server NETFREE_US_VPN_SERVER=$(dig +short vpn-us-nyc1.netfree.link) for ip in $NETFREE_US_VPN_SERVER; do iptables -A INPUT -s $ip -j ACCEPT iptables -A OUTPUT -d $ip -j ACCEPT main_log $ip done - + # uk server + NETFREE_UK_VPN_SERVER=$(dig +short s.uk1.nfaw.netfree.link) + for ip in $NETFREE_Uk_VPN_SERVER; do + iptables -A INPUT -s $ip -j ACCEPT + iptables -A OUTPUT -d $ip -j ACCEPT + main_log $ip + done + # isreal server + NETFREE_IL_VPN_SERVER=$(dig +short s.il1.nfaw.netfree.link) + for ip in $NETFREE_IL_VPN_SERVER; do + iptables -A INPUT -s $ip -j ACCEPT + iptables -A OUTPUT -d $ip -j ACCEPT + main_log $ip + done + # france server + NETFREE_Fr_VPN_SERVER=$(dig +short vpn-fr1.netfree.link) + for ip in $NETFREE_FR_VPN_SERVER; do + iptables -A INPUT -s $ip -j ACCEPT + iptables -A OUTPUT -d $ip -j ACCEPT + main_log $ip + done + # netfree api NETFREE_API=$(dig +short https://api.internal.netfree.link) for ip in $NETFREE_API; do iptables -A INPUT -s $ip -j ACCEPT From f866648f93cdcdd7b175fc9019831bcd5f6f2764 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 30 Jan 2025 14:48:08 -0500 Subject: [PATCH 81/89] Update tuxprotect --- tuxprotect | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/tuxprotect b/tuxprotect index bde0072..3a20895 100644 --- a/tuxprotect +++ b/tuxprotect 
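Review bot: Two of the new loops iterate over variables that were never assigned: `NETFREE_UK_VPN_SERVER` is set but the loop reads `$NETFREE_Uk_VPN_SERVER`, and `NETFREE_Fr_VPN_SERVER` is set but the loop reads `$NETFREE_FR_VPN_SERVER`, so no UK or France server addresses are allowed through and reconnection to those endpoints is blocked. Use `NETFREE_UK_VPN_SERVER` and `NETFREE_FR_VPN_SERVER` consistently in both places. The four blocks are otherwise identical; a helper such as `allow_host() { for ip in $(dig +short "$1"); do iptables -A INPUT -s "$ip" -j ACCEPT; iptables -A OUTPUT -d "$ip" -j ACCEPT; main_log "$ip"; done; }` called once per hostname removes the copy-paste that produced the typos. Only the server chosen in install.sh is ever used, yet all four are always opened; reading the configured `remote` from the .ovpn would keep the allow list minimal. block_internet continues outside the hunk.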
@@ -98,9 +98,19 @@ check_vpn() { main_log "NetFree is not active or an error occurred: $netfree" main_log "Not Connected to NetFree" block_internet - killall openvpn - sleep 5 - start_vpn + netfree_try_again=$(curl -sk --max-time 10 https://api.internal.netfree.link/user/info) + if [[ "$netfree_try_again" == *'"isNetFree":true'* ]]; then + main_log "NetFree is active: $netfree" + iptables -F # Flush all rules + iptables -P INPUT ACCEPT + iptables -P OUTPUT ACCEPT + iptables -P FORWARD ACCEPT + main_log "Allowing all traffic" + else + killall openvpn + start_vpn + fi + fi install_if_not_present curl From fc60f0f45e6a154b637e13a8c1f8ef79fcf6c51e Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 30 Jan 2025 15:21:19 -0500 Subject: [PATCH 82/89] Update tuxprotect --- tuxprotect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index 3a20895..d8faac8 100644 --- a/tuxprotect +++ b/tuxprotect @@ -360,7 +360,7 @@ block_internet() { NETFREE_API=$(dig +short https://api.internal.netfree.link) for ip in $NETFREE_API; do iptables -A INPUT -s $ip -j ACCEPT - iptables -A OUTPUT -d $ip -j ACCEPT\ + iptables -A OUTPUT -d $ip -j ACCEPT main_log $ip done From 332faa6e6653cee7cb5469bb4f1a43eb95251bbc Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 30 Jan 2025 18:43:04 -0500 Subject: [PATCH 83/89] Update tuxprotect --- tuxprotect | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/tuxprotect b/tuxprotect index d8faac8..01ad51d 100644 --- a/tuxprotect +++ b/tuxprotect @@ -3,6 +3,7 @@ LOG_DIR="/var/log/tuxprotect" VPN_LOG="$LOG_DIR/vpn.log" MAIN_LOG="$LOG_DIR/tuxprotect.log" +last_route="" log() { local level="$1" 
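Review bot: On a successful retry the hunk logs `main_log "NetFree is active: $netfree"` — the first, failed response — instead of the one that succeeded; change it to `main_log "NetFree is active: $netfree_try_again"`, or better log only the outcome, since the body is account data. The five-line flush-and-accept sequence is now duplicated from the branch above; factor it into an `allow_all_traffic()` helper so both paths stay in sync. The retry runs only after `block_internet` has already been applied, so each transient timeout still produces a block/unblock flap and a full `iptables -F` on the way back; probing twice before touching the firewall would avoid that. check_vpn continues outside the hunk.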
@@ -94,6 +95,48 @@ check_vpn() { iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT main_log "Allowing all traffic" + + # Check if the IP route table has changed + current_route=$(ip route show) + if [[ "$current_route" != "$last_route" ]]; then + + + # New code to ensure all traffic is routed through the VPN + VPN_IF=$(ip -o link show | awk -F': ' '/tun[0-9]/ {print $2; exit}') + VPN_SERVER=$ # Your VPN server's IP + VPN_GW=$(ip route show dev $VPN_IF | awk '/via/ {print $3; exit}') + DEFAULT_IF=$(ip route show default | awk '{print $5; exit}') + DEFAULT_GW=$(ip route show default | awk '{print $3; exit}') + + if [[ -z "$VPN_GW" ]]; then + main_log "[!] Could not detect VPN gateway. Exiting." + exit 1 + fi + + main_log "[+] VPN detected on $VPN_IF (Gateway: $VPN_GW)" + main_log "[+] Default Interface: $DEFAULT_IF" + main_log "[+] Default Gateway: $DEFAULT_GW" + + # Preserve the route to the VPN server + main_log "[+] Ensuring VPN server ($VPN_SERVER) is still reachable..." + ip route add $VPN_SERVER via $DEFAULT_GW dev $DEFAULT_IF + + # Remove all old default routes to prevent leaks + main_log "[+] Removing old default gateway ($DEFAULT_GW)..." + ip route del default via $DEFAULT_GW dev $DEFAULT_IF + + # Add a new default route through VPN + main_log "[+] Forcing all traffic through VPN ($VPN_GW)..." + ip route add default via $VPN_GW dev $VPN_IF + + # Disable IPv6 to prevent leaks + main_log "[+] Disabling IPv6 to prevent leaks..." + sysctl -w net.ipv6.conf.all.disable_ipv6=1 > /dev/null + sysctl -w net.ipv6.conf.default.disable_ipv6=1 > /dev/null + + main_log "[+] Done! Checking new routing table:" + last_route=$(ip route show) + fi else main_log "NetFree is not active or an error occurred: $netfree" main_log "Not Connected to NetFree" From 401d6169eefc8b8d845c2c5ac12d68443441a34f Mon Sep 17 00:00:00 2001 
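Review bot: `VPN_SERVER=$ # Your VPN server's IP` assigns the literal string `$` (a lone dollar sign is kept verbatim), so `ip route add $VPN_SERVER via $DEFAULT_GW dev $DEFAULT_IF` becomes `ip route add $ via …` and fails — the host route meant to keep the VPN endpoint reachable after the default route is swapped is never installed; fill it from the configured remote or resolve it the way block_internet does. `exit 1` when `$VPN_GW` is empty terminates the whole service from inside check_vpn, and it does so right after `iptables -F` and the ACCEPT policies have been applied above, so the failure mode is a permanent fail-open; log and `return 1` instead, and let the caller re-block. The two `sysctl -w net.ipv6…` lines duplicate `disable_ipv6` from patch 75; call that function. After the first swap the tunnel route is the new default, so on the next route-table change `DEFAULT_GW`/`DEFAULT_IF` would appear to name the tunnel itself — worth a guard or a comment if that is intended. check_vpn continues outside the hunk.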
From: aron unger Date: Tue, 4 Feb 2025 11:40:48 -0500 Subject: [PATCH 84/89] Update tuxprotect --- tuxprotect | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tuxprotect b/tuxprotect index 01ad51d..cd784d3 100644 --- a/tuxprotect +++ b/tuxprotect @@ -98,7 +98,7 @@ check_vpn() { # Check if the IP route table has changed current_route=$(ip route show) - if [[ "$current_route" != "$last_route" ]]; then + :' if [[ "$current_route" != "$last_route" ]]; then # New code to ensure all traffic is routed through the VPN @@ -136,7 +136,7 @@ check_vpn() { main_log "[+] Done! Checking new routing table:" last_route=$(ip route show) - fi + fi' else main_log "NetFree is not active or an error occurred: $netfree" main_log "Not Connected to NetFree" From fb79de1d028ecb0e5a26b0b6421854a958574add Mon Sep 17 00:00:00 2001 From: aron unger Date: Tue, 4 Feb 2025 11:43:05 -0500 Subject: [PATCH 85/89] Update tuxprotect --- tuxprotect | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tuxprotect b/tuxprotect index cd784d3..01ad51d 100644 --- a/tuxprotect +++ b/tuxprotect @@ -98,7 +98,7 @@ check_vpn() { # Check if the IP route table has changed current_route=$(ip route show) - :' if [[ "$current_route" != "$last_route" ]]; then + if [[ "$current_route" != "$last_route" ]]; then # New code to ensure all traffic is routed through the VPN @@ -136,7 +136,7 @@ check_vpn() { main_log "[+] Done! Checking new routing table:" last_route=$(ip route show) - fi' + fi else main_log "NetFree is not active or an error occurred: $netfree" main_log "Not Connected to NetFree" From 08e0d8ab2c55d29e3047a4e618d07413cb85a631 Mon Sep 17 00:00:00 2001 From: aron unger Date: Tue, 4 Feb 2025 17:46:28 +0000 Subject: [PATCH 86/89] chattr --- tuxprotect | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tuxprotect b/tuxprotect index 01ad51d..4de067e 100644 --- a/tuxprotect +++ b/tuxprotect 
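Review bot: Wrapping the routing block in `:' … '` to disable it is not a comment: the quoted string ends at the first apostrophe inside the block (`# Your VPN server's IP`), after which the remaining lines are parsed and executed as code and the closing `fi'` opens an unbalanced quote, so the script most likely fails to parse. Patch 85 reverts this; if the block must stay disabled, guard it with a flag (illustratively `if [[ "${ENFORCE_ROUTES:-0}" == 1 && "$current_route" != "$last_route" ]]; then`) or remove it until it is ready. check_vpn continues outside the hunk.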
@@ -24,6 +24,9 @@ vpn_log() { log "VPN" "$1" "$VPN_LOG" "$2" main_log "$1" "$2" } +ensure_immutable() { + chattr +i "$/usr/bin/tuxprotect" +} rotate_logs() { for logfile in "$LOG_DIR"/*.log; do From 1dae9e3628382dc583ea0d71b30164755257259f Mon Sep 17 00:00:00 2001 From: aron unger Date: Tue, 4 Feb 2025 18:06:17 +0000 Subject: [PATCH 87/89] Add ensure_immutable function call to main execution flow --- tuxprotect | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tuxprotect b/tuxprotect index 4de067e..4dbc741 100644 --- a/tuxprotect +++ b/tuxprotect @@ -457,6 +457,8 @@ main () { indicator $shieldc & block_vbox_briged_adapters & + ensure_immutable & + while true; do check_vpn From 5b482abf99820adda54f5b1128dc5c26e4bc3eba Mon Sep 17 00:00:00 2001 From: aron unger Date: Tue, 4 Feb 2025 13:10:50 -0500 Subject: [PATCH 88/89] Update tuxprotect --- tuxprotect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tuxprotect b/tuxprotect index 4dbc741..b6a4630 100644 --- a/tuxprotect +++ b/tuxprotect @@ -25,7 +25,7 @@ vpn_log() { main_log "$1" "$2" } ensure_immutable() { - chattr +i "$/usr/bin/tuxprotect" + chattr +i /usr/bin/tuxprotect } rotate_logs() { From 58cadd348577a243676002f1e82a60db12f4a955 Mon Sep 17 00:00:00 2001 From: aron unger Date: Thu, 6 Feb 2025 13:51:54 -0500 Subject: [PATCH 89/89] Update tuxprotect --- tuxprotect | 1 + 1 file changed, 1 insertion(+) diff --git a/tuxprotect b/tuxprotect index b6a4630..b210cd8 100644 --- a/tuxprotect +++ b/tuxprotect @@ -462,6 +462,7 @@ main () { while true; do check_vpn + chattr +i /usr/bin/tuxprotect done }
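Review bot: Patch 89 runs `chattr +i /usr/bin/tuxprotect` on every iteration of the main loop even though patch 87 already calls `ensure_immutable` at startup, and neither call checks or redirects its result, so on a filesystem without immutable-attribute support the error is repeated indefinitely; call it once, through the function, and handle failure: `ensure_immutable || main_log "could not set immutable bit"`. Running `ensure_immutable &` in the background (patch 87) gains nothing for a single chattr and discards its exit status; call it synchronously. The immutable bit is tamper-resistance, not tamper-proofing — a process with CAP_LINUX_IMMUTABLE can clear it — so document it as such and give the installer/updater an explicit step that clears it before replacing the file. Patch 86's original `"$/usr/bin/tuxprotect"` expanded to the literal path `$/usr/bin/tuxprotect`; patch 88 corrects it. main continues outside the hunk.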