Add: DIP Support (pia-foss#159)

* Provision of DIP Support

Added dedicated IP support, including DIP_TOKEN for one-line calls and prompts through run_setup.sh.

Adjusted package dependency response for wireguard to list the necessary package (wireguard-tools) to utilize wg-quick.

Updated README.md to clarify package dependencies and include DIP_TOKEN.

README.md

@@ -27,7 +27,7 @@ The scripts were written so that they are easy to read and to modify. The code a
 In order for the scripts to work (probably even if you do a manual setup), you will need the following packages:
  * `curl`
  * `jq`
- * (only for WireGuard) `wg-quick` and `wireguard` kernel module
+ * (only for WireGuard) `wireguard-tools` (`wg-quick` and `wireguard` kernel module)
  * (only for OpenVPN) `openvpn`
 
 ## Disclaimers
@@ -90,6 +90,7 @@ Here is a list of scripts you could find useful:
  * [Prompt based connection](run_setup.sh): This script allows connections with a one-line call, or will prompt for any missing or invalid variables. Variables available for one-line calls include:
    * `PIA_USER` - your PIA username
    * `PIA_PASS` - your PIA password
+   * `DIP_TOKEN` - your PIA dedicated IP token (can be purchased in the client control panel)
    * `PIA_DNS` - true/false
    * `PIA_PF` - true/false
    * `MAX_LATENCY` - numeric value, in seconds

connect_to_openvpn_with_token.sh

@@ -28,6 +28,7 @@ check_tool() {
     exit 1
   fi
 }
+
 # Now we call the function to make sure we can use openvpn, curl and jq.
 check_tool openvpn
 check_tool curl
@@ -124,13 +125,22 @@ if [[ -z $OVPN_SERVER_IP ||
   exit 1
 fi
 
+splitToken="dedicated_ip_$DIP_TOKEN"
+
 # Create a credentials file with the login token
 echo -n "Trying to write /opt/piavpn-manual/pia.ovpn..."
 mkdir -p /opt/piavpn-manual
 rm -f /opt/piavpn-manual/credentials /opt/piavpn-manual/route_info
-echo "${PIA_TOKEN:0:62}
+
+if [[ -z $DIP_TOKEN ]]; then
+  echo "${PIA_TOKEN:0:62}
 ${PIA_TOKEN:62}" > /opt/piavpn-manual/credentials || exit 1
-chmod 600 /opt/piavpn-manual/credentials
+  chmod 600 /opt/piavpn-manual/credentials
+else
+  echo "${splitToken:0:62}
+${splitToken:62}" > /opt/piavpn-manual/credentials || exit 1
+  chmod 600 /opt/piavpn-manual/credentials
+fi
 echo -e "${green}OK!${nc}"
 
 # Translate connection settings variable

connect_to_wireguard_with_token.sh

@@ -22,16 +22,18 @@
 # This function allows you to check if the required tools have been installed.
 check_tool() {
   cmd=$1
+  pkg=$2
   if ! command -v "$cmd" >/dev/null; then
     echo "$cmd could not be found"
-    echo "Please install $cmd"
+    echo "Please install $pkg"
     exit 1
   fi
 }
+
 # Now we call the function to make sure we can use wg-quick, curl and jq.
-check_tool wg-quick
-check_tool curl
-check_tool jq
+check_tool wg-quick wireguard-tools
+check_tool curl curl
+check_tool jq jq
 
 # Check if terminal allows output, if yes, define colors for output
 if [[ -t 1 ]]; then
@@ -93,12 +95,21 @@ export pubKey
 # https://github.com/pia-foss/manual-connections/blob/master/ca.rsa.4096.crt
 # In case you want to troubleshoot the script, replace -s with -v.
 echo "Trying to connect to the PIA WireGuard API on $WG_SERVER_IP..."
-wireguard_json="$(curl -s -G \
-  --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" \
-  --cacert "ca.rsa.4096.crt" \
-  --data-urlencode "pt=${PIA_TOKEN}" \
-  --data-urlencode "pubkey=$pubKey" \
-  "https://${WG_HOSTNAME}:1337/addKey" )"
+if [[ -z $DIP_TOKEN ]]; then
+  wireguard_json="$(curl -s -G \
+    --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" \
+    --cacert "ca.rsa.4096.crt" \
+    --data-urlencode "pt=${PIA_TOKEN}" \
+    --data-urlencode "pubkey=$pubKey" \
+    "https://${WG_HOSTNAME}:1337/addKey" )"
+else
+  wireguard_json="$(curl -s -G \
+    --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" \
+    --cacert "ca.rsa.4096.crt" \
+    --user "dedicated_ip_$DIP_TOKEN:$WG_SERVER_IP" \
+    --data-urlencode "pubkey=$pubKey" \
+    "https://$WG_HOSTNAME:1337/addKey" )"
+fi
 export wireguard_json
 
 # Check if the API returned OK and stop this script if it didn't.

get_dip.sh

@@ -0,0 +1,110 @@
+#!/bin/bash
+# Copyright (C) 2020 Private Internet Access, Inc.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+# This function allows you to check if the required tools have been installed.
+check_tool() {
+  cmd=$1
+  if ! command -v $cmd &>/dev/null; then
+    echo "$cmd could not be found"
+    echo "Please install $cmd"
+    exit 1
+  fi
+}
+
+# Now we call the function to make sure we can use curl and jq.
+check_tool curl
+check_tool jq
+
+# Check if terminal allows output, if yes, define colors for output
+if [[ -t 1 ]]; then
+  ncolors=$(tput colors)
+  if [[ -n $ncolors && $ncolors -ge 8 ]]; then
+    red=$(tput setaf 1) # ANSI red
+    green=$(tput setaf 2) # ANSI green
+    nc=$(tput sgr0) # No Color
+  else
+    red=''
+    green=''
+    nc='' # No Color
+  fi
+fi
+
+# Only allow script to run as root
+if (( EUID != 0 )); then
+  echo -e "${red}This script needs to be run as root. Try again with 'sudo $0'${nc}"
+  exit 1
+fi
+
+mkdir -p /opt/piavpn-manual
+
+if [[ -z $PIA_TOKEN ]]; then
+  echo "If you want this script to automatically retrieve dedicated IP location details"
+  echo "from the Meta service, please add the variables PIA_TOKEN and DIP_TOKEN. Example:"
+  echo "$ PIA_TOKEN DIP_TOKEN=DIP1a2b3c4d5e6f7g8h9i10j11k12l13 ./get_token.sh"
+  exit 1
+fi
+
+dipSavedLocation=/opt/piavpn-manual/dipAddress
+
+echo
+echo -n "Checking DIP token..."
+
+generateDIPResponse=$(curl -s --location --request POST \
+  'https://www.privateinternetaccess.com/api/client/v2/dedicated_ip' \
+  --header 'Content-Type: application/json' \
+  --header "Authorization: Token $PIA_TOKEN" \
+  --data-raw '{
+    "tokens":["'"$DIP_TOKEN"'"]
+  }')
+
+if [ "$(echo "$generateDIPResponse" | jq -r '.[0].status')" != "active" ]; then
+  echo
+  echo
+  echo -e "${red}Could not validate the dedicated IP token provided!${nc}"
+  echo
+  exit
+fi
+
+echo -e ${green}OK!${nc}
+echo
+dipAddress=$(echo "$generateDIPResponse" | jq -r '.[0].ip')
+dipHostname=$(echo "$generateDIPResponse" | jq -r '.[0].cn')
+keyHostname=$(echo "dedicated_ip_$DIP_TOKEN")
+dipExpiration=$(echo "$generateDIPResponse" | jq -r '.[0].dip_expire')
+dipExpiration=$(date -d @$dipExpiration)
+dipID=$(echo "$generateDIPResponse" | jq -r '.[0].id')
+echo -e The hostname of your dedicated IP is ${green}$dipHostname${nc}
+echo
+echo -e The dedicated IP address is ${green}$dipAddress${nc}
+echo 
+echo This dedicated IP is valid until $dipExpiration.
+echo
+pfCapable="true"
+if [[ $dipID == us_* ]]; then
+  pfCapable="false"
+  echo This location does not have port forwarding capability.
+  echo
+fi
+echo $dipAddress > /opt/piavpn-manual/dipAddress || exit 1
+echo $dipHostname >> /opt/piavpn-manual/dipAddress
+echo $keyHostname >> /opt/piavpn-manual/dipAddress
+echo $dipExpiration >> /opt/piavpn-manual/dipAddress
+echo $pfCapable >> /opt/piavpn-manual/dipAddress

get_region.sh

@@ -28,6 +28,7 @@ check_tool() {
     exit 1
   fi
 }
+
 # Now we call the function to make sure we can use curl and jq.
 check_tool curl
 check_tool jq

get_token.sh

@@ -28,6 +28,7 @@ check_tool() {
     exit 1
   fi
 }
+
 # Now we call the function to make sure we can use curl and jq.
 check_tool curl
 check_tool jq
@@ -68,10 +69,12 @@ fi
 
 echo -n "Checking login credentials..."
 
-generateTokenResponse=$(curl -s -u "$PIA_USER:$PIA_PASS" \
-  "https://www.privateinternetaccess.com/gtoken/generateToken")
+generateTokenResponse=$(curl -s --location --request POST \
+  'https://www.privateinternetaccess.com/api/client/v2/token' \
+  --form "username=$PIA_USER" \
+  --form "password=$PIA_PASS" )
 
-if [[ $(echo "$generateTokenResponse" | jq -r '.status') != "OK" ]]; then
+if [ "$(echo "$generateTokenResponse" | jq -r '.token')" == "" ]; then
   echo
   echo
   echo -e "${red}Could not authenticate with the login credentials provided!${nc}"
@@ -83,7 +86,7 @@ echo -e "${green}OK!"
 echo
 token=$(echo "$generateTokenResponse" | jq -r '.token')
 tokenExpiration=$(timeout_timestamp)
-tokenLocation="/opt/piavpn-manual/token"
+tokenLocation=/opt/piavpn-manual/token
 echo -e "PIA_TOKEN=$token${nc}"
 echo "$token" > "$tokenLocation" || exit 1
 echo "$tokenExpiration" >> "$tokenLocation"

port_forwarding.sh

@@ -28,6 +28,7 @@ check_tool() {
     exit 1
   fi
 }
+
 # Now we call the function to make sure we can use curl and jq.
 check_tool curl
 check_tool jq