#!/bin/bash
# shellcheck disable=SC2062

# This file is part of TorBox, an easy to use anonymizing router based on Raspberry Pi.
# Copyright (C) 2026 radio_24
# Contact: anonym@torbox.ch
# Website: https://www.torbox.ch
# Github:  https://github.com/radio24/TorBox
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it is useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# DESCRIPTION
# This file displays the Danger Zone with all risky settings.
#
# SYNTAX
# ./menu-danger
#
#
###### SET VARIABLES ######
#
# SIZE OF THE MENU
#
# How many items do you have in the main menu?
NO_ITEMS=13
#
# How many lines are only for decoration and spaces?
NO_SPACER=4
#
#Set the the variables for the menu
MENU_WIDTH=80
MENU_WIDTH_REDUX=60
MENU_HEIGHT_10=10
MENU_HEIGHT_15=15
MENU_HEIGHT_20=20
MENU_HEIGHT_25=25
# MENU_HEIGHT should not exceed 26
MENU_HEIGHT=$((8+NO_ITEMS+NO_SPACER))
MENU_LIST_HEIGHT=$((NO_ITEMS+NO_SPACER))

#Colors
RED='\033[1;31m'
YELLOW='\033[1;93m'
NOCOLOR='\033[0m'

#Other variables
RUNFILE="/home/torbox/torbox/run/torbox.run"
HOSTAPD="/etc/hostapd/hostapd.conf"
SSHD_CONFIG="/etc/ssh/sshd_config"
SSHD_CONFIGD_DIR="/etc/ssh/sshd_config.d/"
CLEARNET_LIST="clearnet-list"
CLEARNET_LIST_FILE="run/$CLEARNET_LIST"
# Format of CLEARNET_LIST_FILE_OWN: <DOMAINNAME> <IP1> [<IPn>]
CLEARNET_LIST_FILE_OWN="run/clearnet-list.own"
VPN_LIST="vpn-list"
VPN_LIST_FILE="run/$VPN_LIST"
# Format of CLEARNET_LIST_FILE_OWN: <DOMAINNAME> <IP1> [<IPn>]
VPN_LIST_FILE_OWN="run/vpn-list.own"

# Read configuration from run/torbox.run
TORBOX_MINI=$(grep "^TORBOX_MINI=.*" ${RUNFILE} | sed "s/.*=//g")
TORBOX_MINI_DEFAULT=$(grep "^TORBOX_MINI_DEFAULT=.*" ${RUNFILE} | sed "s/.*=//g")

##############################
######## FUNCTIONS ########

# include lib
.  /home/torbox/torbox/lib/torbox.lib

# This function imports the configuration and makes some preparations
read_config()
{
	# Is TorBox connected to a VPN?
	tun0up=$(ip link | grep tun0)
	clear

	# TOGGLE11 shows if TorBox can be accessed by root
	ROOT_SHADOW_LINE=$(sudo grep '^root:' /etc/shadow | cut -d: -f2 | grep -E '^!|^\*')
	if [ -z "$ROOT_SHADOW_LINE" ]; then
		TOGGLE11="Disable"
	else
	  # Check if /etc/securetty allows root login (e.g., on tty1, tty2, etc.)
	  if [ -s /etc/securetty ]; then
			TOGGLE11="Disable"
	  else
			TOGGLE11="Enable"
	  fi
	fi

	# TOGGLE17 shows if TWEBSSH is enabled or disabled
	clear
	check_ssh_status
	if grep -q "TWEBSSH=1" ${RUNFILE} && [ "$SSH_SERVICE_CHECK" == "ON" ]; then
		clear
		TOGGLE17="Disable"
	else
		clear
		TOGGLE17="Enable"
	fi

	# TOGGLE19 shows if domain exclusion active or not
	if grep -q "UNPROTECTED_DOMAIN=0" ${RUNFILE} ; then
		TOGGLE19="Start"
	else
		TOGGLE19="Stop"
	fi

	# TOGGLE20 shows if the wlan1 failsafe is enabled or disabled
	if grep -q "WLAN_FAILSAFE=1" ${RUNFILE} ; then
		TOGGLE20="Disable"
	else
		TOGGLE20="Enable"
	fi

	# TOGGLE21 shows if SSH pasword login is enabled or disable
	if sudo grep -q "^PasswordAuthentication no" ${SSHD_CONFIG} ; then
		TOGGLE21="Enable"
		if sudo grep -q "^PasswordAuthentication yes" $SSHD_CONFIGD_DIR* ; then
			TOGGLE21="Disable"
		fi
	else
		TOGGLE21="Disable"
		if sudo grep -q "^PasswordAuthentication no" $SSHD_CONFIGD_DIR* ; then
			TOGGLE21="Enable"
		fi
  fi

	# TOGGLE23 shows if TorBox mini default configuration is enabled or disable
	if [ "$TORBOX_MINI_DEFAULT" -eq "1" ]; then
		TOGGLE23="Activate"
	else
		TOGGLE23="Deactivate"
	fi

	# TOGGLE24 shows if passwordless TorBox's WLAN is enabled or disabled
	if grep "wpa=0" ${HOSTAPD}; then
		TOGGLE24="Deactivate"
	else
		TOGGLE24="Activate"
	fi

}


######## PREPARATIONS ########
read_config
clear

# Resetting
cd "$(dirname "$0")" || exit 1
shopt -s checkwinsize
[ -f nohup.out ] && sudo rm nohup.out
stty intr ^c
trap


###### DISPLAY THE MENU ######
clear

if [ "$TORBOX_MINI" -eq "1" ]; then
	CHOICE=$(whiptail --cancel-button "Back" --title "TorBox v.0.5.5 - DANGER ZONE" --menu "Choose an option (ESC -> back to the main menu)" $MENU_HEIGHT $MENU_WIDTH $MENU_LIST_HEIGHT \
	"==" "==========================================[Domain Exclusion]===" \
	" 1" "$TOGGLE19 the exclusion of domains from tor protection"  \
	" 2" "Add, change or remove a domain/IP entry in the exclusion lists"  \
	" 3" "List the exclusion lists" \
	" 4" "Backup/restore the exclusion lists" \
	"==" "=============================================[Lock-out risk]===" \
	" 5" "$TOGGLE20 the AP on wlan1 failsafe" \
	" 6" "$TOGGLE17 Torbox's WebSSH access" \
	" 7" "Change SSH access from the Internet and from the Clients" \
	" 8" "$TOGGLE21 SSH password login" \
	"==" "==============================================[Expert Tools]===" \
	" 9" "$TOGGLE11 root access" \
	"10" "$TOGGLE24 passwordless TorBox's WLAN (reboot required)" \
	"11" "Forwarding only - tor protection disabled" \
	"12" "$TOGGLE23 other connection options in TorBox mini's Main Menu" \
	"13" "Convert a TorBox mini installation to a default TorBox installation" \
	3>&1 1>&2 2>&3)
else
	CHOICE=$(whiptail --cancel-button "Back" --title "TorBox v.0.5.5 - DANGER ZONE" --menu "Choose an option (ESC -> back to the main menu)" $MENU_HEIGHT $MENU_WIDTH $MENU_LIST_HEIGHT \
	"==" "==========================================[Domain Exclusion]===" \
	" 1" "$TOGGLE19 the exclusion of domains from tor protection"  \
	" 2" "Add, change or remove a domain/IP entry in the exclusion lists"  \
	" 3" "List the exclusion lists" \
	" 4" "Backup/restore the exclusion lists" \
	"==" "=============================================[Lock-out risk]===" \
	" 5" "$TOGGLE20 the AP on wlan1 failsafe" \
	" 6" "$TOGGLE17 Torbox's WebSSH access" \
	" 7" "Change SSH access from the Internet and from the Clients" \
	" 8" "$TOGGLE21 SSH password login" \
	"==" "==========================================[Developer Tools]===" \
	" 9" "$TOGGLE11 root access" \
	"10" "$TOGGLE24 passwordless TorBox's WLAN" \
	"11" "Forwarding only - tor protection disabled" \
	"12" "Convert a default TorBox installation to a TorBox mini installation" \
	3>&1 1>&2 2>&3)
	if [ "$CHOICE" == "12" ]; then CHOICE="13"; fi
fi
exitstatus=$?
# exitstatus == 255 means that the ESC key was pressed
[ "$exitstatus" == "255" ] && exit 0

CHOICE=$(echo "$CHOICE" | tr -d ' ')
case "$CHOICE" in

  # Domains without tor protection
	1)
		if [ "$TOGGLE19" == "Start" ]; then
			clear
    	INPUT=$(cat text/domains_without_tor-text)
    	if (whiptail --title "TorBox - DOMAIN EXCLUSION" --yesno "$INPUT" $MENU_HEIGHT_25 $MENU_WIDTH); then
				exitstatus=$?
				# exitstatus == 255 means that the ESC key was pressed
				[ "$exitstatus" == "255" ] && exit 1
				# Is there an option to route from tor excluded domains through VPN?
				if [ -z "$tun0up" ] ; then
					INPUT=$(cat text/connecting-VPN-exclusion-text)
	      	if (whiptail --title "TorBox - INFO" --defaultno --yesno "$INPUT" $MENU_HEIGHT_25 $MENU_WIDTH); then
						connecting_to_VPN
						sudo systemctl restart tor &
					fi
				fi
				# Start the exclusion
				# Check if exceptionslists already exist and decide what to do with them --> Keep it, delete it, or escape
				# At the end sudo ipset create $CLEARNET_LIST hash:ip AND sudo ipset create $VPN_LIST hash:ip has to be executed
				# Always both lists have to be loaded, even if one of them isn't used
				clear
				if [ -f "$CLEARNET_LIST_FILE_OWN" ]; then
					if (whiptail --title "TorBox - INFO" --yesno "We found a list of domains that will NOT be routed through tor. The communication with these domains will be DIRECT. It comes with the risk that you will leak information and location!\n\nDo you want to use this list of domains (NO will delte the list, press ESC to leave)?" $MENU_HEIGHT_15 $MENU_WIDTH); then
						exitstatus=$?
						# exitstatus == 255 means that the ESC key was pressed
						[ "$exitstatus" == "255" ] && exit 0
						(sudo ipset destroy $CLEARNET_LIST) 2>/dev/null
						sudo ipset create $CLEARNET_LIST hash:ip
						config_ipset $CLEARNET_LIST_FILE_OWN $CLEARNET_LIST $CLEARNET_LIST_FILE
					else
						exitstatus=$?
						# exitstatus == 255 means that the ESC key was pressed
						[ "$exitstatus" == "255" ] && exit 0
						[ -f "$CLEARNET_LIST_FILE_OWN" ] && (rm $CLEARNET_LIST_FILE_OWN $CLEARNET_LIST_FILE) 2>/dev/null
						[ -f "$CLEARNET_LIST_FILE" ] && (rm $CLEARNET_LIST_FILE) 2>/dev/null
						(sudo ipset destroy $CLEARNET_LIST) 2>/dev/null
						sudo ipset create $CLEARNET_LIST hash:ip
					fi
				else
					sudo ipset create $CLEARNET_LIST hash:ip
				fi
				if [ -f "$VPN_LIST_FILE_OWN" ]; then
					if (whiptail --title "TorBox - INFO" --yesno "We found a list of domains that will NOT be routed through tor. The communication with these domains will be over VPN, if available. It comes with the risk that you will leak information and location!\n\nDo you want to use this list of domains (NO will delte the list, press ESC to leave)?" $MENU_HEIGHT_15 $MENU_WIDTH); then
						exitstatus=$?
						# exitstatus == 255 means that the ESC key was pressed
						[ "$exitstatus" == "255" ] && exit 0
						(sudo ipset destroy $VPN_LIST) 2>/dev/null
						sudo ipset create $VPN_LIST hash:ip
						config_ipset $VPN_LIST_FILE_OWN $CLEARNET_LIST $VPN_LIST_FILE
					else
						exitstatus=$?
						# exitstatus == 255 means that the ESC key was pressed
						[ "$exitstatus" == "255" ] && exit 0
						[ -f "$VPN_LIST_FILE" ] && (rm $VPN_LIST_FILE_OWN $VPN_LIST_FILE) 2>/dev/null
						(sudo ipset destroy $VPN_LIST) 2>/dev/null
						sudo ipset create $VPN_LIST hash:ip
					fi
				else
					sudo ipset create $VPN_LIST hash:ip
				fi
				(sed -i "s/^UNPROTECTED_DOMAIN=.*/UNPROTECTED_DOMAIN=1/" ${RUNFILE}) 2>/dev/null
				bin/set_interfaces_3
			fi
		fi
		if [ "$TOGGLE19" == "Stop" ]; then stopping_domain_exclusion; fi
  ;;

	# Add, change or remove a domain/IP entry in the exclusion lists
	2)
		clear
		INPUT=$(cat text/exclude_domain-text)
		if (whiptail --title "TorBox - INFO" --yesno "$INPUT" $MENU_HEIGHT_20 $MENU_WIDTH); then
			exitstatus=$?
			# exitstatus == 255 means that the ESC key was pressed
			[ "$exitstatus" == "255" ] && exit 1
			DOMAINNAME=$(whiptail --title "Domainname" --inputbox "\nEnter the Domainname (for example: netflix.com):" $MENU_HEIGHT_15 $MENU_WIDTH_REDUX 3>&1 1>&2 2>&3)
			exitstatus=$?
			# exitstatus == 255 means that the ESC key was pressed
			[ "$exitstatus" == "255" ] && exit 1
			if [ "$DOMAINNAME" != "" ] ; then
				#Is this domain structuraly valid?
				DOMAINNAME=$(grep -P '(?=^.{4,253}$)(^(?:[a-zA-Z0-9](?:(?:[a-zA-Z0-9\-]){0,61}[a-zA-Z0-9])?\.)+([a-zA-Z]{2,}|xn--[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])$)' <<< "$DOMAINNAME")
				if [ "$DOMAINNAME" == "" ] ; then
					clear
					echo -e "${YELLOW}[!] Hmmm that's not a valid domain name, right?${NOCOLOR}"
					echo -e "${RED}[!] You have to enter a valid domain name, for example netflix.com ${NOCOLOR}"
					echo " "
					read -n 1 -s -r -p $'\e[1;31mPlease press any key to continue... \e[0m'
					clear
					exit 0
				fi
				if [ -f "$CLEARNET_LIST_FILE_OWN" ]; then
					readarray -t DOMAIN_EXIST_CLEAR < <(grep "$DOMAINNAME" ${CLEARNET_LIST_FILE_OWN})
					NUMBER_DOMAIN_EXIST_CLEAR=${#DOMAIN_EXIST_CLEAR[@]}
					if [ "$NUMBER_DOMAIN_EXIST_CLEAR" -gt "0" ]; then
						LISTE01=CLEARNET;
						LISTE02=VPN;
					fi
				else
					touch "$CLEARNET_LIST_FILE_OWN"
				fi
				if [ -f "$VPN_LIST_FILE_OWN" ]; then
					readarray -t DOMAIN_EXIST_VPN < <(grep "$DOMAINNAME" ${VPN_LIST_FILE_OWN})
					NUMBER_DOMAIN_EXIST_VPN=${#DOMAIN_EXIST_VPN[@]}
					if [ "$NUMBER_DOMAIN_EXIST_VPN" -gt "0" ]; then
						LISTE01=VPN;
						LISTE02=CLEARNET;
					fi
				else
					touch "$VPN_LIST_FILE_OWN"
				fi

				# The domain is already added
				if [ "$NUMBER_DOMAIN_EXIST_CLEAR" -gt "0" ] || [ "$NUMBER_DOMAIN_EXIST_VPN" -gt "0" ]; then
					CHOICE=$(whiptail --cancel-button "Back" --title "TorBox v.0.5.5 - DOMAIN EXCLUSION" --menu "The domain is already on the exclusion list. You can do the following:" 11 $MENU_WIDTH 3 \
					" 1" "Rescan and add more subdomains and IPs connected to the domain" \
					" 2" "Move entries (for example netflix.com) from $LISTE01 to $LISTE02"  \
					" 3" "Remove a domain from the exclusion list"  \
					3>&1 1>&2 2>&3)
					exitstatus=$?
					# exitstatus == 255 means that the ESC key was pressed
					[ "$exitstatus" == "255" ] && exit 0

					CHOICE=$(echo "$CHOICE" | tr -d ' ')
					case "$CHOICE" in

						# Rescan and add more subdomains and IPs connected to the domain
						1)
						  INPUT=$(cat text/rescan_domain-text)
							whiptail --title "TorBox v.0.5.5 - DOMAIN EXCLUSION" --textbox text/rescan_domain-text $MENU_HEIGHT_25 $MENU_WIDTH
					    bin/find_domains "$DOMAINNAME" 1
							clear
							config_ipset $CLEARNET_LIST_FILE_OWN $CLEARNET_LIST $CLEARNET_LIST_FILE
							config_ipset $VPN_LIST_FILE_OWN $CLEARNET_LIST $VPN_LIST_FILE
							echo -e "${YELLOW}[+] DONE!${NOCOLOR}"
							sleep 3
						;;

						# Move the entries from one list to another
						2)
							if [ "$LISTE01" == "CLEARNET" ]; then
								echo -e "${RED}Moving ${YELLOW}$DOMAINNAME${RED} from ${YELLOW}$LISTE01${RED} to ${YELLOW}$LISTE02${RED}...${NOCOLOR}"
								readarray -t DOMAIN_NOT_EXIST_CLEAR < <(grep "$DOMAINNAME" ${CLEARNET_LIST_FILE_OWN})
								(printf "%s\n" "${DOMAIN_NOT_EXIST_CLEAR[@]}" >> ${VPN_LIST_FILE_OWN}) &>/dev/null
								readarray -t DOMAIN_NOT_EXIST_CLEAR < <(grep -v "$DOMAINNAME" ${CLEARNET_LIST_FILE_OWN})
								(printf "%s\n" "${DOMAIN_NOT_EXIST_CLEAR[@]}" > ${CLEARNET_LIST_FILE_OWN}) &>/dev/null
								(sort ${CLEARNET_LIST_FILE_OWN} -o ${CLEARNET_LIST_FILE_OWN}) &>/dev/null
								(sort ${VPN_LIST_FILE_OWN} -o ${VPN_LIST_FILE_OWN}) &>/dev/null
								sed -i '/^[[:blank:]]*$/ d' ${CLEARNET_LIST_FILE_OWN}
								sed -i '/^[[:blank:]]*$/ d' ${VPN_LIST_FILE_OWN}
							elif [ "$LISTE01" == "VPN" ]; then
								echo -e "${RED}Moving ${YELLOW}$DOMAINNAME${RED} from ${YELLOW}$LISTE01${RED} to ${YELLOW}$LISTE02${RED}...${NOCOLOR}"
								readarray -t DOMAIN_NOT_EXIST_VPN < <(grep "$DOMAINNAME" ${VPN_LIST_FILE_OWN})
								(printf "%s\n" "${DOMAIN_NOT_EXIST_VPN[@]}" >> ${CLEARNET_LIST_FILE_OWN}) &>/dev/null
								readarray -t DOMAIN_NOT_EXIST_VPN < <(grep -v "$DOMAINNAME" ${VPN_LIST_FILE_OWN})
								(printf "%s\n" "${DOMAIN_NOT_EXIST_VPN[@]}" > ${VPN_LIST_FILE_OWN}) &>/dev/null
								(sort ${CLEARNET_LIST_FILE_OWN} -o ${CLEARNET_LIST_FILE_OWN}) &>/dev/null
								(sort ${VPN_LIST_FILE_OWN} -o ${VPN_LIST_FILE_OWN}) &>/dev/null
								sed -i '/^[[:blank:]]*$/ d' ${CLEARNET_LIST_FILE_OWN}
								sed -i '/^[[:blank:]]*$/ d' ${VPN_LIST_FILE_OWN}
							fi
							config_ipset $CLEARNET_LIST_FILE_OWN $CLEARNET_LIST $CLEARNET_LIST_FILE
							config_ipset $VPN_LIST_FILE_OWN $CLEARNET_LIST $VPN_LIST_FILE
							echo -e "${YELLOW}[+] DONE!${NOCOLOR}"
							sleep 3
						;;

						# Remove a domains from the exclusion lists
						3)
							clear
							INPUT=$(cat text/remove_domain-text)
							if (whiptail --title "TorBox - DOMAIN EXCLUSION" --yesno "$INPUT" $MENU_HEIGHT_20 $MENU_WIDTH); then
								exitstatus=$?
								# exitstatus == 255 means that the ESC key was pressed
								[ "$exitstatus" == "255" ] && exit 1
								echo -e "${RED}Remove ${YELLOW}$DOMAINNAME${RED} from the exclusion lists...${NOCOLOR}"
								if grep -q "$DOMAINNAME" ${CLEARNET_LIST_FILE_OWN}; then
									readarray -t DOMAIN_NOT_EXIST_CLEAR < <(grep -v "$DOMAINNAME" ${CLEARNET_LIST_FILE_OWN})
									(printf "%s\n" "${DOMAIN_NOT_EXIST_CLEAR[@]}" > ${CLEARNET_LIST_FILE_OWN}) &>/dev/null
									(sort ${CLEARNET_LIST_FILE_OWN} -o ${CLEARNET_LIST_FILE_OWN}) &>/dev/null
									sed -i '/^[[:blank:]]*$/ d' ${CLEARNET_LIST_FILE_OWN}
								fi
								if grep -q "$DOMAINNAME" ${VPN_LIST_FILE_OWN}; then
									readarray -t DOMAIN_NOT_EXIST_VPN < <(grep -v "$DOMAINNAME" ${VPN_LIST_FILE_OWN})
									(printf "%s\n" "${DOMAIN_NOT_EXIST_VPN[@]}" > ${VPN_LIST_FILE_OWN}) &>/dev/null
									(sort ${VPN_LIST_FILE_OWN} -o ${VPN_LIST_FILE_OWN}) &>/dev/null
									sed -i '/^[[:blank:]]*$/ d' ${VPN_LIST_FILE_OWN}
								fi
								echo -e "${RED}[+] Removing done!${NOCOLOR}"
								echo ""
								config_ipset $CLEARNET_LIST_FILE_OWN $CLEARNET_LIST $CLEARNET_LIST_FILE
								config_ipset $VPN_LIST_FILE_OWN $CLEARNET_LIST $VPN_LIST_FILE
								sleep 3
							fi
						;;
					esac

				# The domain is not added, yet.
				else
					CHOICE=$(whiptail --cancel-button "Back" --title "TorBox v.0.5.5 - DOMAIN EXCLUSION" --menu "The domain is not added, yet! You have to chose in which exceptionslist you want to add the domain:" $MENU_HEIGHT_10 $MENU_WIDTH 2 \
					" 1" "CLEARNET - direct connection, no protection" \
					" 2" "VPN      - works only with VPN connection"  \
					3>&1 1>&2 2>&3)
					exitstatus=$?
					# exitstatus == 255 means that the ESC key was pressed
					[ "$exitstatus" == "255" ] && exit 0

					CHOICE=$(echo "$CHOICE" | tr -d ' ')
					case "$CHOICE" in
						1)
							LISTE01="CLEARNET"
							;;

						2)
							LISTE01="VPN"
							;;
					esac
					clear
					echo -e "${RED}[+] Finding obvious IPs for ${YELLOW}$DOMAINNAME${NOCOLOR}"
					add_open_dns
					echo ""
					MORE_IPs=$(nslookup $DOMAINNAME | grep "Address: " | sed "s/Address: //g" | grep -v -E "(([a-f0-9]{0,4}:){4}))" | grep -v -E "([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}" | tr '\n' ' ' | sed "s/::/:/g" | sed -E "s/(([a-f0-9]{0,4}+\:){3}+[a-f0-9]{0,4})//g" | sed -E "s/(:[a-f0-9]{0,4})//g" | sed "s/8.8.8.8//g" | sed "s/8.8.4.4//g" | sed "s/^[ \t]//g")
					#"
					if [ ! -z "$MORE_IPs" ]; then
						echo -e "${RED}[+] Adding IPs for ${YELLOW}$DOMAINNAME${NOCOLOR}"
						MORE_IPs="$DOMAINNAME $MORE_IPs"
						if [ "$LISTE01" == "CLEARNET" ]; then
							(printf "%s\n" "$MORE_IPs" >> ${CLEARNET_LIST_FILE_OWN}) &>/dev/null
							(sort ${CLEARNET_LIST_FILE_OWN} -o ${CLEARNET_LIST_FILE_OWN}) &>/dev/null
							(sed -i '/^[[:blank:]]*$/ d' ${CLEARNET_LIST_FILE_OWN}) &>/dev/null
						elif [ "$LISTE01" == "VPN" ]; then
							(printf "%s\n" "$MORE_IPs" >> ${VPN_LIST_FILE_OWN}) &>/dev/null
							(sort ${VPN_LIST_FILE_OWN} -o ${VPN_LIST_FILE_OWN}) &>/dev/null
							(sed -i '/^[[:blank:]]*$/ d' ${VPN_LIST_FILE_OWN}) &>/dev/null
						fi
						config_ipset $CLEARNET_LIST_FILE_OWN $CLEARNET_LIST $CLEARNET_LIST_FILE
						config_ipset $VPN_LIST_FILE_OWN $CLEARNET_LIST $VPN_LIST_FILE
						echo -e "${YELLOW}[+] DONE!${NOCOLOR}"
						sleep 3
					else
						clear
						echo -e "${YELLOW}[!] NO IP FOUND!${NOCOLOR}"
						echo -e "${RED}[!] There is something wrong! The domain name may not exist!${NOCOLOR}"
						echo -e "${RED}[!] Possibly, there is no Internet connection or DNS resolution is broken.${NOCOLOR}"
						echo " "
						read -n 1 -s -r -p $'\e[1;31mPlease press any key to continue... \e[0m'
						clear
						exit 0
					fi
					INPUT=$(cat text/rescan_domain_after_adding-text)
					if (whiptail --title "TorBox - DOMAIN EXCLUSION (scroll down!)" --scrolltext --yesno "$INPUT" $MENU_HEIGHT_25 $MENU_WIDTH); then
						exitstatus=$?
						# exitstatus == 255 means that the ESC key was pressed
						[ "$exitstatus" == "255" ] && exit 1
						bin/find_domains "$DOMAINNAME" 1
						config_ipset $CLEARNET_LIST_FILE_OWN $CLEARNET_LIST $CLEARNET_LIST_FILE
						config_ipset $VPN_LIST_FILE_OWN $CLEARNET_LIST $VPN_LIST_FILE
						echo -e "${YELLOW}[+] DONE!${NOCOLOR}"
						sleep 3
					fi
				fi
				if grep -q "UNPROTECTED_DOMAIN=1" ${RUNFILE} ; then bin/set_interfaces_3; fi
			else
				clear
				echo -e "${YELLOW}[!] NO DOMAIN NAME GIVEN!${NOCOLOR}"
				echo -e "${RED}[!] You have to enter a domain name, for example netflix.com ${NOCOLOR}"
				echo " "
				read -n 1 -s -r -p $'\e[1;31mPlease press any key to continue... \e[0m'
				clear
				exit 0
			fi
		fi
	;;

	# List the exclusion lists
	3)
		clear
		if [ -f $CLEARNET_LIST_FILE_OWN ]; then
			if grep -q "$DOMAINNAME" ${CLEARNET_LIST_FILE_OWN}; then
				echo " "
				echo -e "${YELLOW}[+] DOMAINS LISTED IN THE CLEARNET LIST${NOCOLOR}"
				echo -e "${RED}[+] The connection to the domain's IPs on this list is established directly${NOCOLOR}"
				echo -e "${RED}[+] and unprotected. However, if available, the domain is accessed through VPN.${NOCOLOR}"
				echo " "
				trap "bash menu-danger; exit 0" SIGINT
				readarray -t CLEARNET_LIST_FILE_OWN_ARRAY < "$CLEARNET_LIST_FILE_OWN"
				for CLEARNET_LIST_FILE_OWN_STRING in "${CLEARNET_LIST_FILE_OWN_ARRAY[@]}"
				do
					SUBDOMAIN=$(cut -d ' ' -f1 <<< $CLEARNET_LIST_FILE_OWN_STRING)
					IP_ROW=$(cut -d ' ' -f2- <<< $CLEARNET_LIST_FILE_OWN_STRING)
					echo -e "${YELLOW}$SUBDOMAIN${NOCOLOR} --> ${RED}${IP_ROW}${NOCOLOR}"
				done
				echo " "
			fi
		fi
		if [ -f $VPN_LIST_FILE_OWN ]; then
			if grep -q "$DOMAINNAME" ${VPN_LIST_FILE_OWN}; then
				echo " "
				echo -e "${YELLOW}[+] DOMAINS LISTED IN THE VPN LIST${NOCOLOR}"
				echo -e "${RED}[+] The connection to the domain's IPs are established through VPN.${NOCOLOR}"
				echo -e "${RED}[+] However, if VPN is unavailable, the domain is still accessed through tor.${NOCOLOR}"
				echo " "
				trap "bash menu-danger; exit 0" SIGINT
				readarray -t VPN_LIST_FILE_OWN_ARRAY < "$VPN_LIST_FILE_OWN"
				for VPN_LIST_FILE_OWN_STRING in "${VPN_LIST_FILE_OWN_ARRAY[@]}"
				do
					SUBDOMAIN=$(cut -d ' ' -f1 <<< $VPN_LIST_FILE_OWN_STRING)
					IP_ROW=$(cut -d ' ' -f2- <<< $VPN_LIST_FILE_OWN_STRING)
					echo -e "${YELLOW}$SUBDOMAIN${NOCOLOR} --> ${RED}${IP_ROW}${NOCOLOR}"
				done
				echo " "
			fi
		fi
		read -n 1 -s -r -p "Press any key to continue"
	;;

	# Backup/restore the exlusion lists
	4)
		clear
		INPUT=$(cat text/backup_restore_the_exclusion_lists-text)
		whiptail --title "TorBox - INFO (scroll down!)" --msgbox --scrolltext "$INPUT" $MENU_HEIGHT_25 $MENU_WIDTH
	;;

	# Enable/Disable the AP on wlan1 failsafe
	5)
		clear
		if [ "$ON_A_CLOUD" -eq "1" ]; then
			INPUT=$(cat text/on_a_cloud_warning-text)
			if (whiptail --title "TorBox - INFO" --yesno --defaultno --no-button "BACK!" --yes-button "DO IT!" "$INPUT" $MENU_HEIGHT_15 $MENU_WIDTH_REDUX); then
				exitstatus=$?
				# exitstatus = 255 means that the ESC key was pressed / exitstatus = 1 is cancelled
				if [ "$exitstatus" = "1" ] || [ "$exitstatus" = "255" ] ; then exit 0 ; fi
			else
				trap "bash menu-danger; exit 0" EXIT
				exit 0
			fi
		fi
		INPUT=$(cat text/disable_wlan1_failsafe-text)
		if (whiptail --title "TorBox - INFO" --defaultno --yesno --no-button "ENABLE" --yes-button "Disable" "$INPUT" $MENU_HEIGHT_20 $MENU_WIDTH); then
			sed -i "s/^WLAN_FAILSAFE=.*/WLAN_FAILSAFE=0/" ${RUNFILE}
			(sudo sh -c "iptables-save > /etc/iptables.ipv4.nat") 2>/dev/null
		else
			exitstatus=$?
			# exitstatus == 255 means that the ESC key was pressed
			[ "$exitstatus" == "255" ] && exit 0
			sed -i "s/^WLAN_FAILSAFE=.*/WLAN_FAILSAFE=1/" ${RUNFILE}
		fi
	;;

	#This disables / enables Torbox's WebSSH access
	6)
		if [ "$TOGGLE17" = "Disable" ]; then
			INPUT=$(cat text/disable_twebssh-text)
			if (whiptail --yesno "$INPUT" $MENU_HEIGHT_15 $MENU_WIDTH); then
				sudo pkill -f "twebssh"
				sudo rm /etc/nginx/sites-enabled/webssh.conf
				sudo ls /var/run/ | grep .*-onion-.*.sock | xargs -I {} -d"\n" sudo rm /var/run/{} ; sudo rm /var/run/webssh.sock
				clear
				sudo systemctl restart nginx
				sudo sed -i "s/^TWEBSSH=.*/TWEBSSH=0/" ${RUNFILE}
			fi
		else
			if [ "$SSH_SERVICE_CHECK" == "OFF" ]; then
				whiptail --title "TorBox - INFO" --textbox text/no_ssh-text $MENU_HEIGHT_15 $MENU_WIDTH_REDUX
			else
				INPUT=$(cat text/enable_twebssh-text)
				if (whiptail --yesno "$INPUT" $MENU_HEIGHT_20 $MENU_WIDTH); then
					[ ! -f /etc/nginx/sites-available/webssh.conf ] && sudo cp etc/nginx/sites-available/sample-webssh.conf /etc/nginx/sites-available/webssh.conf
					[ ! -L /etc/nginx/sites-enabled/webssh.conf ] && sudo ln -sf /etc/nginx/sites-available/webssh.conf /etc/nginx/sites-enabled/
					sudo ls /var/run/ | grep .*-onion-.*.sock | xargs -I {} -d"\n" sudo rm /var/run/{}
					clear
					sleep 3
					(nohup sudo /home/torbox/torbox/lib/webssh/twebssh --unix-socket=/var/run/webssh.sock &) 2>/dev/null
					clear
					sleep 2
					sudo systemctl restart nginx
					sudo sed -i "s/^TWEBSSH=.*/TWEBSSH=1/" ${RUNFILE}
				fi
			fi
		fi
		read_config
  ;;

	#This disables / enables SSH access through Internet
	7)
		sudo bash bin/ssh_handling
  ;;

	# Enable/disable SSH password login
	8)
		clear
		if [ "$TOGGLE21" == "Disable" ]; then
			cd
			if [ -f .ssh/authorized_keys ]; then
				cd torbox
				INPUT=$(cat text/disable_SSH_pasword_login-text)
				if (whiptail --title "TorBox - INFO" --defaultno --yesno "$INPUT" $MENU_HEIGHT_10 $MENU_WIDTH); then
					clear
					echo -e "${RED}[+] Disabling SSH password login...${NOCOLOR}"
					(sudo sed -i "s/#PasswordAuthentication .*/PasswordAuthentication no/" ${SSHD_CONFIG}) 2>/dev/null
					(sudo sed -i "s/PasswordAuthentication yes/PasswordAuthentication no/" ${SSHD_CONFIG}) 2>/dev/null
					(sudo sed -i 's/PasswordAuthentication[[:space:]]\+yes/PasswordAuthentication no/' "$SSHD_CONFIGD_DIR"*) 2>/dev/null
					(printf "\nKbdInteractiveAuthentication no\n" | sudo tee -a $SSHD_CONFIG) 2>/dev/null
					echo ""
					echo -e "${RED}[+] Restarting SSH service...${NOCOLOR}"
					sudo systemctl restart sshd
					echo -e "${RED}[+] SSH password login has been disabled.${NOCOLOR}"
					echo -e "${YELLOW}[+] DONE!${NOCOLOR}"
					sleep 3
					clear
				fi
			else
				cd torbox
				clear
				echo -e "${YELLOW}[!] NO SSH PUBLIC KEY FOUND!${NOCOLOR}"
				echo -e "${RED}[!] Disabling SSH password login is only possible if SSH keys are configured.${NOCOLOR}"
				echo -e "${RED}[!] Password authentication will remain enabled.${NOCOLOR}"
				echo " "
				read -n 1 -s -r -p $'\e[1;31mPlease press any key to continue... \e[0m'
				clear
			fi
		else
			clear
			echo -e "${RED}[+] Enabling SSH password login...${NOCOLOR}"
			(sudo sed -i "s/PasswordAuthentication no/#PasswordAuthentication yes/" ${SSHD_CONFIG}) 2>/dev/null
			(sudo sed -i 's/PasswordAuthentication[[:space:]]\+no/PasswordAuthentication yes/' "$SSHD_CONFIGD_DIR"*) 2>/dev/null
			(sudo sed -i "/KbdInteractiveAuthentication no/d" ${SSHD_CONFIG}) 2>/dev/null
			echo ""
			echo -e "${RED}[+] Restarting SSH service...${NOCOLOR}"
			sudo systemctl restart sshd
			echo -e "${RED}[+] SSH password login has been enabled.${NOCOLOR}"
			echo -e "${YELLOW}[+] DONE! ${NOCOLOR}"
			sleep 3
			clear
		fi
	;;

	#This disables / enables root access
	9)
		if [ "$TOGGLE11" = "Enable" ]; then
			INPUT=$(cat text/root_access-on-txt)
			if (whiptail --yesno "$INPUT" $MENU_HEIGHT_15 $MENU_WIDTH); then
				clear
				echo " "
				echo -e "${RED}[+] Enable root access!${NOCOLOR}"
				sudo passwd -u root
				sudo usermod -s /bin/bash root
				sudo passwd root
				if grep -qE '^PermitRootLogin' "$SSHD_CONFIG"; then
					sudo sed -i 's/^PermitRootLogin.*/PermitRootLogin yes/' ${SSHD_CONFIG}
				else
					(printf "PermitRootLogin yes\n" | tee -a "$SSHD_CONFIG") >/dev/null 2>&1
				fi
				sudo systemctl reload sshd 2>/dev/null
			fi
		fi
		if [ "$TOGGLE11" = "Disable" ]; then
			INPUT=$(cat text/root_access-off-txt)
			if (whiptail --yesno "$INPUT" $MENU_HEIGHT_15 $MENU_WIDTH); then
				clear
				echo " "
				echo -e "${RED}[+] Disable root access!${NOCOLOR}"
				sudo passwd -l root
				sudo usermod -s /sbin/nologin root
				sudo sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' ${SSHD_CONFIG}
				sudo systemctl reload sshd 2>/dev/null
				sleep 2
			fi
		fi
  ;;

	#Activate / Deactivate passwordless TorBox's WLAN
	10)
		clear
		if [ "$ON_A_CLOUD" -eq "1" ]; then
			INPUT=$(cat text/on_a_cloud_warning-text)
			if (whiptail --title "TorBox - INFO" --yesno --defaultno --no-button "BACK!" --yes-button "DO IT!" "$INPUT" $MENU_HEIGHT_15 $MENU_WIDTH_REDUX); then
				exitstatus=$?
				# exitstatus = 255 means that the ESC key was pressed / exitstatus = 1 is cancelled
				if [ "$exitstatus" = "1" ] || [ "$exitstatus" = "255" ] ; then exit 0 ; fi
			else
				trap "bash menu-danger; exit 0" EXIT
				exit 0
			fi
		fi
		if [ "$TOGGLE24" == "Activate" ]; then
			INPUT=$(cat text/enable_passwordless_wifi-text)
			if (whiptail --title "TorBox - INFO" --defaultno --yesno "$INPUT" $MENU_HEIGHT_25 $MENU_WIDTH); then
				sudo sed -i "s/^wpa=.*/wpa=0/" ${HOSTAPD}
				sudo sed -i "s/^wpa_passphrase=/#wpa_passphrase=/" ${HOSTAPD}
				sudo sed -i "s/^wpa_key_mgmt=/#wpa_key_mgmt=/" ${HOSTAPD}
				sudo sed -i "s/^rsn_pairwise=/#rsn_pairwise=/" ${HOSTAPD}
				echo -e "${RED}[+] Passwordless TorBox's WLAN is now activated! Please be very careful!${NOCOLOR}"
				echo -e "${RED}[+] For activation, we will reboot TorBox in about 3 seconds.${NOCOLOR}"
				sleep 3
				sudo reboot
				exit 0
			fi
		else
			INPUT=$(cat text/disable_passwordless_wifi-text)
			if (whiptail --title "TorBox - INFO" --yesno "$INPUT" $MENU_HEIGHT_25 $MENU_WIDTH); then
				INPUT=$(whiptail --title "Setting the password for TorBox's WLAN" --inputbox "\n\nOnly letters (upper and lower case) and numbers are allowed. The length must be between 8 and 63 characters.\n\nEnter your new password:" $MENU_HEIGHT_15 $MENU_WIDTH_REDUX 3>&1 1>&2 2>&3)
				if [ ! -z "$INPUT" ]; then
					if [[ $INPUT != *[0123456789ABCDEFGHIJKLMNOPQRSTUVWXZYabcdefghijklmnopqrstuvwxzy-]* ]]; then
						clear
						echo " "
						echo -e "${YELLOW}[!] Only letters (upper and lower case) and numbers are allowed.${NOCOLOR}"
						echo -e "${YELLOW}[!] We didn't change anything - try again!${NOCOLOR}"
						sleep 5
						trap "bash menu-danger; exit 0" EXIT
						exit 0
					elif ${#INPUT} -lt 8 || ${#INPUT} -gt 63 ; then
						clear
						echo " "
						echo -e "${YELLOW}[!] The password has to be between 8 and 63 charcters.${NOCOLOR}"
						echo -e "${YELLOW}[!] We didn't change anything - try again!${NOCOLOR}"
						sleep 5
						trap "bash menu-danger; exit 0" EXIT
						exit 0
					else
						clear
						echo -e "${RED}[+] Setting the password...${NOCOLOR}"
						SSID_PW=wpa_passphrase=$INPUT
						sudo sed -i "s/^#wpa_passphrase=.*/${SSID_PW}/" ${HOSTAPD}
						echo -e "${RED}[+] Configuring hostapd.conf..${NOCOLOR}"
						sudo sed -i "s/^wpa=.*/wpa=2/" ${HOSTAPD}
						sudo sed -i "s/^#wpa_key_mgmt=/wpa_key_mgmt=/" ${HOSTAPD}
						sudo sed -i "s/^#rsn_pairwise=/rsn_pairwise=/" ${HOSTAPD}
						echo -e "${RED}[+] Passwordless TorBox's WLAN is now activated! Please be very careful!${NOCOLOR}"
						echo -e "${RED}[+] For activation, we will reboot TorBox in about 3 seconds.${NOCOLOR}"
						sleep 3
						sudo reboot
						exit 0
					fi
				fi
			fi
		fi
  ;;

	# Forwarding only - tor protection disabled
	11)
		# Where is the Internet
		INTERNET_IFACE=$(grep "^INTERNET_IFACE=" ${RUNFILE} | sed "s/.*=//g")
		# Where are the clients
		CLIENT_IFACE=$(grep "^CLIENT_IFACE=" ${RUNFILE} | sed "s/CLIENT_IFACE=//g") 2>/dev/null
		NUMBER_OF_WORD=$(wc -w <<< "${CLIENT_IFACE}")
		if [ "$NUMBER_OF_WORD" == "1" ]; then
			I_DEVICE1=$CLIENT_IFACE
			if [ "$INTERNET_IFACE" == "eth0" ]; then I_DEVICE2="eth1"; else I_DEVICE2="eth0"; fi
		elif [ "$NUMBER_OF_WORD" == "2" ]; then
			I_DEVICE1=$(cut -d ' ' -f1 <<< $CLIENT_IFACE)
			I_DEVICE2=$(cut -d ' ' -f2 <<< $CLIENT_IFACE)
		else
			I_DEVICE1=$(cut -d ' ' -f1 <<< $CLIENT_IFACE)
			I_DEVICE2=$(cut -d ' ' -f2 <<< $CLIENT_IFACE)
			I_DEVICE3=$(cut -d ' ' -f3 <<< $CLIENT_IFACE)
		fi
    sudo bash bin/set_captive_2 $INTERNET_IFACE $I_DEVICE1 $I_DEVICE2 $I_DEVICE3
	;;

	# Activate / Deactivate other connection options in TorBox mini's Main Menu
	12)
		clear
		if [ "$TOGGLE23" == "Activate" ]; then
			INPUT=$(cat text/disable_TorBox_mini_default-text)
			if (whiptail --title "TorBox - INFO" --defaultno --yesno "$INPUT" $MENU_HEIGHT_25 $MENU_WIDTH); then
				sudo sed -i "s/^TORBOX_MINI_DEFAULT=.*/TORBOX_MINI_DEFAULT=0/" ${RUNFILE}
				echo -e "${RED}[+] Other connection options in TorBox mini's Main Menu are now activated!${NOCOLOR}"
				sleep 3
			fi
		else
			INPUT=$(cat text/enable_TorBox_mini_default-text)
			if (whiptail --title "TorBox - INFO" --defaultno --yesno "$INPUT" $MENU_HEIGHT_20 $MENU_WIDTH); then
				sudo sed -i "s/^TORBOX_MINI_DEFAULT=.*/TORBOX_MINI_DEFAULT=1/" ${RUNFILE}
				echo -e "${RED}[+] Permanently disabling TorBox's WLAN...${NOCOLOR}"
				echo -e "${RED}[+] Other connection options in TorBox mini's Main Menu are now deactivated!${NOCOLOR}"
				sleep 3
				sudo systemctl mask --now hostapd
				sudo systemctl daemon-reload
				sudo cp etc/rc.local.mini /etc/rc.local
				sudo chmod a+x /etc/rc.local
			fi
		fi
	;;

	# Convert a default TorBox installation to a TorBox mini installation (or the other way around)
	13)
		if [ "$TORBOX_MINI" -eq "1" ]; then sudo ./install/convert_to_torbox
		else sudo ./install/convert_to_torbox_mini
		fi
	;;

  *)
    clear
    exit 0
esac
bash menu-danger
