Minor improvements and cleanup
This commit is contained in:
parent
d909b986cf
commit
04c8155791
@ -21,7 +21,7 @@ We will use <a href="https://libreswan.org/" target="_blank">Libreswan</a> as th
|
|||||||
|
|
||||||
## Author
|
## Author
|
||||||
|
|
||||||
- Lin Song - Final year Ph.D. candidate seeking opportunities in Software or Systems Engineering.
|
- Lin Song - Final year U.S. PhD candidate seeking opportunities in Software or Systems Engineering.
|
||||||
View my profile on LinkedIn at <a href="https://www.linkedin.com/in/linsongui" target="_blank">www.linkedin.com/in/linsongui</a>.
|
View my profile on LinkedIn at <a href="https://www.linkedin.com/in/linsongui" target="_blank">www.linkedin.com/in/linsongui</a>.
|
||||||
- Based on the work of Thomas Sarlandie (<a href="https://github.com/sarfata/voodooprivacy" target="_blank">sarfata/voodooprivacy</a>).
|
- Based on the work of Thomas Sarlandie (<a href="https://github.com/sarfata/voodooprivacy" target="_blank">sarfata/voodooprivacy</a>).
|
||||||
|
|
||||||
@ -82,7 +82,7 @@ nano -w vpnsetup_centos.sh
|
|||||||
/bin/sh vpnsetup_centos.sh
|
/bin/sh vpnsetup_centos.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
If unable to download via `wget`, you may alternatively open <a href="vpnsetup.sh" target="_blank">vpnsetup.sh</a> (or <a href="vpnsetup_centos.sh" target="_blank">vpnsetup_centos.sh</a>) and click the **`Raw`** button. Press `Ctrl+A` to select all, `Ctrl-C` to copy, then paste into your favorite editor.
|
If unable to download via `wget`, you may alternatively open <a href="vpnsetup.sh" target="_blank">vpnsetup.sh</a> (or <a href="vpnsetup_centos.sh" target="_blank">vpnsetup_centos.sh</a>) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor.
|
||||||
|
|
||||||
## Next Steps
|
## Next Steps
|
||||||
|
|
||||||
@ -102,9 +102,9 @@ If you wish to create multiple VPN users with different credentials, just <a hre
|
|||||||
|
|
||||||
Clients are configured to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. To change, set `ms-dns` in `options.xl2tpd`.
|
Clients are configured to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. To change, set `ms-dns` in `options.xl2tpd`.
|
||||||
|
|
||||||
For Amazon EC2 instances only: In the <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">security group</a>, open **UDP ports 500 & 4500** and **TCP port 22** (optional, for SSH).
|
For Amazon EC2 instances only: In the <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">security group</a>, open UDP ports 500 & 4500 and TCP port 22 (optional, for SSH).
|
||||||
|
|
||||||
If you configured a custom SSH port (not 22) or wish to allow other services, edit <a href="vpnsetup.sh#L285" target="_blank">IPTables rules</a> before using the scripts.
|
If you configured a custom SSH port (not 22) or wish to allow other services, edit <a href="vpnsetup.sh#L278" target="_blank">IPTables rules</a> before using the scripts.
|
||||||
|
|
||||||
The scripts will backup your existing config files before making changes, to the same folder with `.old-date-time` suffix.
|
The scripts will backup your existing config files before making changes, to the same folder with `.old-date-time` suffix.
|
||||||
|
|
||||||
|
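--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -26,14 +26,14 @@ IPSEC_PSK='your_ipsec_pre_shared_key'
 VPN_USER='your_vpn_username'
 VPN_PASSWORD='your_very_secure_password'
 
-# Be sure to read *important notes* at the URL below:
+# Be sure to read IMPORTANT NOTES at the URL below:
 # https://github.com/hwdsl2/setup-ipsec-vpn#important-notes
 
 # ------------------------------------------------------------
 
 if [ "$(uname)" = "Darwin" ]; then
 echo 'DO NOT run this script on your Mac! It should only be run on a dedicated server / VPS'
-echo 'or a newly-created EC2 instance, after you have modified it to set the variables above.'
+echo 'or a newly-created EC2 instance, after you have edited the variables above.'
 exit 1
 fi
 
@@ -96,11 +96,11 @@ PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/la
 # Check IPs for correct format
 IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
 if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then
-echo "Cannot find valid public IP, please edit the script and manually enter."
+echo "Cannot find valid public IP. Edit the script and manually enter."
 exit 1
 fi
 if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then
-echo "Cannot find valid private IP, please edit the script and manually enter."
+echo "Cannot find valid private IP. Edit the script and manually enter."
 exit 1
 fi
 
@@ -142,16 +142,12 @@ cat > /etc/ipsec.conf <<EOF
 version 2.0
 
 config setup
-dumpdir=/var/run/pluto/
-nat_traversal=yes
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
-oe=off
 protostack=netkey
 nhelpers=0
 interfaces=%defaultroute
 
 conn vpnpsk
-connaddrfamily=ipv4
 auto=add
 left=$PRIVATE_IP
 leftid=$PUBLIC_IP
@@ -187,11 +183,6 @@ cat > /etc/xl2tpd/xl2tpd.conf <<EOF
 [global]
 port = 1701
 
-;debug avp = yes
-;debug network = yes
-;debug state = yes
-;debug tunnel = yes
-
 [lns default]
 ip range = 192.168.42.10-192.168.42.250
 local ip = 192.168.42.1
@@ -199,7 +190,6 @@ require chap = yes
 refuse pap = yes
 require authentication = yes
 name = l2tpd
-;ppp debug = yes
 pppoptfile = /etc/ppp/options.xl2tpd
 length bit = yes
 EOF
@@ -279,12 +269,11 @@ cat > /etc/iptables.rules <<EOF
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
-:ICMPALL - [0:0]
 -A INPUT -m conntrack --ctstate INVALID -j DROP
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -d 127.0.0.0/8 -j REJECT
--A INPUT -p icmp --icmp-type 255 -j ICMPALL
+-A INPUT -p icmp -j ACCEPT
 -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
 -A INPUT -p tcp --dport 22 -j ACCEPT
 -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
@@ -297,13 +286,6 @@ cat > /etc/iptables.rules <<EOF
 # If you wish to allow traffic between VPN clients themselves, uncomment this line:
 # -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
 -A FORWARD -j DROP
--A ICMPALL -p icmp -f -j DROP
--A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
--A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
--A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
--A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
--A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
--A ICMPALL -p icmp -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]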
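Review bot: The new rule `-A INPUT -p icmp -j ACCEPT` in the `/etc/iptables.rules` heredoc accepts every ICMP type, whereas the ICMPALL chain it replaces passed only types 0, 3, 4, 8 and 11 and dropped fragmented ICMP, so the host will now also answer timestamp (13) and address-mask (17) requests and process redirects (5) from anyone on the internet. Because the `RELATED,ESTABLISHED` rule a few lines above already admits echo replies and ICMP errors belonging to the host's own flows, the only type that needs an explicit allow is ping: `-A INPUT -p icmp --icmp-type echo-request -j ACCEPT`. Dropping the `-f` fragment rule is presumably harmless since conntrack reassembles IPv4 fragments before the filter table sees them, but that is inferred rather than visible here. The `cat > /etc/iptables.rules <<EOF` heredoc begins before the hunk, and the same rule appears in the following file section, which looks like the CentOS variant of the script and would want the same fix.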
|
@ -26,14 +26,14 @@ IPSEC_PSK='your_ipsec_pre_shared_key'
|
|||||||
VPN_USER='your_vpn_username'
|
VPN_USER='your_vpn_username'
|
||||||
VPN_PASSWORD='your_very_secure_password'
|
VPN_PASSWORD='your_very_secure_password'
|
||||||
|
|
||||||
# Be sure to read *important notes* at the URL below:
|
# Be sure to read IMPORTANT NOTES at the URL below:
|
||||||
# https://github.com/hwdsl2/setup-ipsec-vpn#important-notes
|
# https://github.com/hwdsl2/setup-ipsec-vpn#important-notes
|
||||||
|
|
||||||
# ------------------------------------------------------------
|
# ------------------------------------------------------------
|
||||||
|
|
||||||
if [ "$(uname)" = "Darwin" ]; then
|
if [ "$(uname)" = "Darwin" ]; then
|
||||||
echo 'DO NOT run this script on your Mac! It should only be run on a dedicated server / VPS'
|
echo 'DO NOT run this script on your Mac! It should only be run on a dedicated server / VPS'
|
||||||
echo 'or a newly-created EC2 instance, after you have modified it to set the variables above.'
|
echo 'or a newly-created EC2 instance, after you have edited the variables above.'
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -107,11 +107,11 @@ PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/la
|
|||||||
# Check IPs for correct format
|
# Check IPs for correct format
|
||||||
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
|
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
|
||||||
if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then
|
if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then
|
||||||
echo "Cannot find valid public IP, please edit the script and manually enter."
|
echo "Cannot find valid public IP. Edit the script and manually enter."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then
|
if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then
|
||||||
echo "Cannot find valid private IP, please edit the script and manually enter."
|
echo "Cannot find valid private IP. Edit the script and manually enter."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -182,16 +182,12 @@ cat > /etc/ipsec.conf <<EOF
|
|||||||
version 2.0
|
version 2.0
|
||||||
|
|
||||||
config setup
|
config setup
|
||||||
dumpdir=/var/run/pluto/
|
|
||||||
nat_traversal=yes
|
|
||||||
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
|
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
|
||||||
oe=off
|
|
||||||
protostack=netkey
|
protostack=netkey
|
||||||
nhelpers=0
|
nhelpers=0
|
||||||
interfaces=%defaultroute
|
interfaces=%defaultroute
|
||||||
|
|
||||||
conn vpnpsk
|
conn vpnpsk
|
||||||
connaddrfamily=ipv4
|
|
||||||
auto=add
|
auto=add
|
||||||
left=$PRIVATE_IP
|
left=$PRIVATE_IP
|
||||||
leftid=$PUBLIC_IP
|
leftid=$PUBLIC_IP
|
||||||
@ -227,11 +223,6 @@ cat > /etc/xl2tpd/xl2tpd.conf <<EOF
|
|||||||
[global]
|
[global]
|
||||||
port = 1701
|
port = 1701
|
||||||
|
|
||||||
;debug avp = yes
|
|
||||||
;debug network = yes
|
|
||||||
;debug state = yes
|
|
||||||
;debug tunnel = yes
|
|
||||||
|
|
||||||
[lns default]
|
[lns default]
|
||||||
ip range = 192.168.42.10-192.168.42.250
|
ip range = 192.168.42.10-192.168.42.250
|
||||||
local ip = 192.168.42.1
|
local ip = 192.168.42.1
|
||||||
@ -239,7 +230,6 @@ require chap = yes
|
|||||||
refuse pap = yes
|
refuse pap = yes
|
||||||
require authentication = yes
|
require authentication = yes
|
||||||
name = l2tpd
|
name = l2tpd
|
||||||
;ppp debug = yes
|
|
||||||
pppoptfile = /etc/ppp/options.xl2tpd
|
pppoptfile = /etc/ppp/options.xl2tpd
|
||||||
length bit = yes
|
length bit = yes
|
||||||
EOF
|
EOF
|
||||||
@ -319,12 +309,11 @@ cat > /etc/sysconfig/iptables <<EOF
|
|||||||
:INPUT ACCEPT [0:0]
|
:INPUT ACCEPT [0:0]
|
||||||
:FORWARD ACCEPT [0:0]
|
:FORWARD ACCEPT [0:0]
|
||||||
:OUTPUT ACCEPT [0:0]
|
:OUTPUT ACCEPT [0:0]
|
||||||
:ICMPALL - [0:0]
|
|
||||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
-A INPUT -i lo -j ACCEPT
|
-A INPUT -i lo -j ACCEPT
|
||||||
-A INPUT -d 127.0.0.0/8 -j REJECT
|
-A INPUT -d 127.0.0.0/8 -j REJECT
|
||||||
-A INPUT -p icmp --icmp-type 255 -j ICMPALL
|
-A INPUT -p icmp -j ACCEPT
|
||||||
-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
|
-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
|
||||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||||
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
|
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
|
||||||
@ -337,13 +326,6 @@ cat > /etc/sysconfig/iptables <<EOF
|
|||||||
# If you wish to allow traffic between VPN clients themselves, uncomment this line:
|
# If you wish to allow traffic between VPN clients themselves, uncomment this line:
|
||||||
# -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
|
# -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
|
||||||
-A FORWARD -j DROP
|
-A FORWARD -j DROP
|
||||||
-A ICMPALL -p icmp -f -j DROP
|
|
||||||
-A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
|
|
||||||
-A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
|
|
||||||
-A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
|
|
||||||
-A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
|
|
||||||
-A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
|
|
||||||
-A ICMPALL -p icmp -j DROP
|
|
||||||
COMMIT
|
COMMIT
|
||||||
*nat
|
*nat
|
||||||
:PREROUTING ACCEPT [0:0]
|
:PREROUTING ACCEPT [0:0]
|
||||||
|