
Minor improvements and clean up

This commit is contained in:
hwdsl2 2016-04-07 12:20:08 -05:00
parent d909b986cf
commit 04c8155791
3 changed files with 14 additions and 50 deletions


@ -21,7 +21,7 @@ We will use <a href="https://libreswan.org/" target="_blank">Libreswan</a> as th
## Author ## Author
- Lin Song - Final year Ph.D. candidate seeking opportunities in Software or Systems Engineering. - Lin Song - Final year U.S. PhD candidate seeking opportunities in Software or Systems Engineering.
View my profile on LinkedIn at <a href="https://www.linkedin.com/in/linsongui" target="_blank">www.linkedin.com/in/linsongui</a>. View my profile on LinkedIn at <a href="https://www.linkedin.com/in/linsongui" target="_blank">www.linkedin.com/in/linsongui</a>.
- Based on the work of Thomas Sarlandie (<a href="https://github.com/sarfata/voodooprivacy" target="_blank">sarfata/voodooprivacy</a>). - Based on the work of Thomas Sarlandie (<a href="https://github.com/sarfata/voodooprivacy" target="_blank">sarfata/voodooprivacy</a>).
@ -82,7 +82,7 @@ nano -w vpnsetup_centos.sh
/bin/sh vpnsetup_centos.sh /bin/sh vpnsetup_centos.sh
``` ```
If unable to download via `wget`, you may alternatively open <a href="vpnsetup.sh" target="_blank">vpnsetup.sh</a> (or <a href="vpnsetup_centos.sh" target="_blank">vpnsetup_centos.sh</a>) and click the **`Raw`** button. Press `Ctrl+A` to select all, `Ctrl-C` to copy, then paste into your favorite editor. If unable to download via `wget`, you may alternatively open <a href="vpnsetup.sh" target="_blank">vpnsetup.sh</a> (or <a href="vpnsetup_centos.sh" target="_blank">vpnsetup_centos.sh</a>) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor.
## Next Steps ## Next Steps
@ -102,9 +102,9 @@ If you wish to create multiple VPN users with different credentials, just <a hre
Clients are configured to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. To change, set `ms-dns` in `options.xl2tpd`. Clients are configured to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. To change, set `ms-dns` in `options.xl2tpd`.
For Amazon EC2 instances only: In the <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">security group</a>, open **UDP ports 500 & 4500** and **TCP port 22** (optional, for SSH). For Amazon EC2 instances only: In the <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">security group</a>, open UDP ports 500 & 4500 and TCP port 22 (optional, for SSH).
If you configured a custom SSH port (not 22) or wish to allow other services, edit <a href="vpnsetup.sh#L285" target="_blank">IPTables rules</a> before using the scripts. If you configured a custom SSH port (not 22) or wish to allow other services, edit <a href="vpnsetup.sh#L278" target="_blank">IPTables rules</a> before using the scripts.
The scripts will backup your existing config files before making changes, to the same folder with `.old-date-time` suffix. The scripts will backup your existing config files before making changes, to the same folder with `.old-date-time` suffix.


@ -26,14 +26,14 @@ IPSEC_PSK='your_ipsec_pre_shared_key'
VPN_USER='your_vpn_username' VPN_USER='your_vpn_username'
VPN_PASSWORD='your_very_secure_password' VPN_PASSWORD='your_very_secure_password'
# Be sure to read *important notes* at the URL below: # Be sure to read IMPORTANT NOTES at the URL below:
# https://github.com/hwdsl2/setup-ipsec-vpn#important-notes # https://github.com/hwdsl2/setup-ipsec-vpn#important-notes
# ------------------------------------------------------------ # ------------------------------------------------------------
if [ "$(uname)" = "Darwin" ]; then if [ "$(uname)" = "Darwin" ]; then
echo 'DO NOT run this script on your Mac! It should only be run on a dedicated server / VPS' echo 'DO NOT run this script on your Mac! It should only be run on a dedicated server / VPS'
echo 'or a newly-created EC2 instance, after you have modified it to set the variables above.' echo 'or a newly-created EC2 instance, after you have edited the variables above.'
exit 1 exit 1
fi fi
@ -96,11 +96,11 @@ PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/la
# Check IPs for correct format # Check IPs for correct format
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then
echo "Cannot find valid public IP, please edit the script and manually enter." echo "Cannot find valid public IP. Edit the script and manually enter."
exit 1 exit 1
fi fi
if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then
echo "Cannot find valid private IP, please edit the script and manually enter." echo "Cannot find valid private IP. Edit the script and manually enter."
exit 1 exit 1
fi fi
@ -142,16 +142,12 @@ cat > /etc/ipsec.conf <<EOF
version 2.0 version 2.0
config setup config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
oe=off
protostack=netkey protostack=netkey
nhelpers=0 nhelpers=0
interfaces=%defaultroute interfaces=%defaultroute
conn vpnpsk conn vpnpsk
connaddrfamily=ipv4
auto=add auto=add
left=$PRIVATE_IP left=$PRIVATE_IP
leftid=$PUBLIC_IP leftid=$PUBLIC_IP
@ -187,11 +183,6 @@ cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global] [global]
port = 1701 port = 1701
;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes
[lns default] [lns default]
ip range = 192.168.42.10-192.168.42.250 ip range = 192.168.42.10-192.168.42.250
local ip = 192.168.42.1 local ip = 192.168.42.1
@ -199,7 +190,6 @@ require chap = yes
refuse pap = yes refuse pap = yes
require authentication = yes require authentication = yes
name = l2tpd name = l2tpd
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes length bit = yes
EOF EOF
@ -279,12 +269,11 @@ cat > /etc/iptables.rules <<EOF
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0] :FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:ICMPALL - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT -A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT -A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -p icmp --icmp-type 255 -j ICMPALL -A INPUT -p icmp -j ACCEPT
-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT -A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
@ -297,13 +286,6 @@ cat > /etc/iptables.rules <<EOF
# If you wish to allow traffic between VPN clients themselves, uncomment this line: # If you wish to allow traffic between VPN clients themselves, uncomment this line:
# -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT # -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
-A FORWARD -j DROP -A FORWARD -j DROP
-A ICMPALL -p icmp -f -j DROP
-A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
-A ICMPALL -p icmp -j DROP
COMMIT COMMIT
*nat *nat
:PREROUTING ACCEPT [0:0] :PREROUTING ACCEPT [0:0]
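Review bot: The new rule `-A INPUT -p icmp -j ACCEPT` in the /etc/iptables.rules hunk admits every ICMP type as unsolicited inbound traffic, which is wider than the ICMPALL chain it retires: that chain dropped fragmented ICMP and accepted only types 0, 3, 4, 8 and 11, so timestamp and address-mask requests, redirects and the rest were dropped before and are now accepted. Because `-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` already sits two lines above it, conntrack's ICMP tracking should already cover echo replies and the error types (3, 4, 11) tied to tracked flows, leaving echo-request as the only type the host needs to accept unsolicited; `-A INPUT -p icmp --icmp-type echo-request -j ACCEPT` keeps the simplification without widening exposure. If accepting all ICMP is intended, a comment on the line above such as `# Accept all ICMP types; narrow to --icmp-type echo-request if only ping is needed` would stop a later reader from treating it as an oversight. The heredoc that writes /etc/iptables.rules opens in the hunk header context and its closing EOF lies outside the hunk.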


@ -26,14 +26,14 @@ IPSEC_PSK='your_ipsec_pre_shared_key'
VPN_USER='your_vpn_username' VPN_USER='your_vpn_username'
VPN_PASSWORD='your_very_secure_password' VPN_PASSWORD='your_very_secure_password'
# Be sure to read *important notes* at the URL below: # Be sure to read IMPORTANT NOTES at the URL below:
# https://github.com/hwdsl2/setup-ipsec-vpn#important-notes # https://github.com/hwdsl2/setup-ipsec-vpn#important-notes
# ------------------------------------------------------------ # ------------------------------------------------------------
if [ "$(uname)" = "Darwin" ]; then if [ "$(uname)" = "Darwin" ]; then
echo 'DO NOT run this script on your Mac! It should only be run on a dedicated server / VPS' echo 'DO NOT run this script on your Mac! It should only be run on a dedicated server / VPS'
echo 'or a newly-created EC2 instance, after you have modified it to set the variables above.' echo 'or a newly-created EC2 instance, after you have edited the variables above.'
exit 1 exit 1
fi fi
@ -107,11 +107,11 @@ PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/la
# Check IPs for correct format # Check IPs for correct format
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then
echo "Cannot find valid public IP, please edit the script and manually enter." echo "Cannot find valid public IP. Edit the script and manually enter."
exit 1 exit 1
fi fi
if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then
echo "Cannot find valid private IP, please edit the script and manually enter." echo "Cannot find valid private IP. Edit the script and manually enter."
exit 1 exit 1
fi fi
@ -182,16 +182,12 @@ cat > /etc/ipsec.conf <<EOF
version 2.0 version 2.0
config setup config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
oe=off
protostack=netkey protostack=netkey
nhelpers=0 nhelpers=0
interfaces=%defaultroute interfaces=%defaultroute
conn vpnpsk conn vpnpsk
connaddrfamily=ipv4
auto=add auto=add
left=$PRIVATE_IP left=$PRIVATE_IP
leftid=$PUBLIC_IP leftid=$PUBLIC_IP
@ -227,11 +223,6 @@ cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global] [global]
port = 1701 port = 1701
;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes
[lns default] [lns default]
ip range = 192.168.42.10-192.168.42.250 ip range = 192.168.42.10-192.168.42.250
local ip = 192.168.42.1 local ip = 192.168.42.1
@ -239,7 +230,6 @@ require chap = yes
refuse pap = yes refuse pap = yes
require authentication = yes require authentication = yes
name = l2tpd name = l2tpd
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes length bit = yes
EOF EOF
@ -319,12 +309,11 @@ cat > /etc/sysconfig/iptables <<EOF
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0] :FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:ICMPALL - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT -A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT -A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -p icmp --icmp-type 255 -j ICMPALL -A INPUT -p icmp -j ACCEPT
-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT -A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
@ -337,13 +326,6 @@ cat > /etc/sysconfig/iptables <<EOF
# If you wish to allow traffic between VPN clients themselves, uncomment this line: # If you wish to allow traffic between VPN clients themselves, uncomment this line:
# -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT # -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
-A FORWARD -j DROP -A FORWARD -j DROP
-A ICMPALL -p icmp -f -j DROP
-A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
-A ICMPALL -p icmp -j DROP
COMMIT COMMIT
*nat *nat
:PREROUTING ACCEPT [0:0] :PREROUTING ACCEPT [0:0]
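Review bot: The new rule `-A INPUT -p icmp -j ACCEPT` in the /etc/sysconfig/iptables hunk accepts every ICMP type as new inbound traffic, whereas the ICMPALL chain it removes dropped fragmented ICMP and let through only types 0, 3, 4, 8 and 11, so this "cleanup" silently loosens the host's ICMP exposure (timestamp and address-mask requests, redirects, and so on). Given `-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` precedes it, conntrack's ICMP tracking should already admit echo replies and the error types (3, 4, 11) belonging to tracked flows, so `-A INPUT -p icmp --icmp-type echo-request -j ACCEPT` would keep the single-line form while matching the previous posture. If the wider acceptance is deliberate, say so on the line above with `# Accept all ICMP types; narrow to --icmp-type echo-request if only ping is needed` so the CentOS and Debian scripts document the same decision. The heredoc writing /etc/sysconfig/iptables begins in the hunk header context and its closing EOF is outside the hunk.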