
Better handling of existing config files

This commit is contained in:
hwdsl2 2016-01-17 00:41:12 -06:00
parent 7ac6a030b1
commit 28d7da66c8
2 changed files with 118 additions and 55 deletions


@ -24,17 +24,16 @@ if [ "$(uname)" = "Darwin" ]; then
fi fi
# Please define your own values for these variables # Please define your own values for these variables
# IMPORTANT: # Escape *all* non-alphanumeric characters with a backslash (or 3 backslashes for \ and ").
# Escape all non-alphanumeric characters with a backslash (or 3 backslashes for \ and ").
# Examples: \ --> \\\\, " --> \\\", ' --> \', $ --> \$, ` --> \`, [space] --> \[space] # Examples: \ --> \\\\, " --> \\\", ' --> \', $ --> \$, ` --> \`, [space] --> \[space]
IPSEC_PSK=your_very_secure_key IPSEC_PSK=your_very_secure_key
VPN_USER=your_username VPN_USER=your_username
VPN_PASSWORD=your_very_secure_password VPN_PASSWORD=your_very_secure_password
# -------------------- # -----------------
# | IMPORTANT NOTES | # IMPORTANT NOTES
# -------------------- # -----------------
# To support multiple VPN users with different credentials, just edit a few lines below. # To support multiple VPN users with different credentials, just edit a few lines below.
# See: https://gist.github.com/hwdsl2/123b886f29f4c689f531 # See: https://gist.github.com/hwdsl2/123b886f29f4c689f531
@ -44,8 +43,8 @@ VPN_PASSWORD=your_very_secure_password
# https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809 # https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
# **Android 6.0 users**: Edit /etc/ipsec.conf and append ",aes256-sha2_256" to the end of # **Android 6.0 users**: Edit /etc/ipsec.conf and append ",aes256-sha2_256" to the end of
# both "ike=" and "phase2alg=", then add a new line "sha2-truncbug=yes". Must start lines with # both "ike=" and "phase2alg=", then add a new line "sha2-truncbug=yes". Must start lines
# two spaces. Finally, run "service ipsec restart". # with two spaces. Finally, run "service ipsec restart".
# **iPhone/iOS users**: In iOS settings, choose L2TP (instead of IPSec) for the VPN type. # **iPhone/iOS users**: In iOS settings, choose L2TP (instead of IPSec) for the VPN type.
# In case you're unable to connect, try replacing this line in /etc/ipsec.conf: # In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
@ -60,8 +59,8 @@ VPN_PASSWORD=your_very_secure_password
# If your server uses a custom SSH port (not 22), or if you wish to allow other services # If your server uses a custom SSH port (not 22), or if you wish to allow other services
# through IPTables, be sure to edit the IPTables rules below before running this script. # through IPTables, be sure to edit the IPTables rules below before running this script.
# This script will backup /etc/rc.local, /etc/sysctl.conf and /etc/iptables.rules # This script will backup your existing configuration files before overwriting them.
# before overwriting them. Backups can be found under the same folder with .old suffix. # Backups can be found in the same folder as the original, with .old-date/time suffix.
if [ "$(lsb_release -si)" != "Ubuntu" ] && [ "$(lsb_release -si)" != "Debian" ]; then if [ "$(lsb_release -si)" != "Ubuntu" ] && [ "$(lsb_release -si)" != "Debian" ]; then
echo "Looks like you aren't running this script on a Ubuntu or Debian system." echo "Looks like you aren't running this script on a Ubuntu or Debian system."
@ -88,10 +87,10 @@ fi
mkdir -p /opt/src mkdir -p /opt/src
cd /opt/src || { echo "Failed to change working directory to /opt/src. Aborting."; exit 1; } cd /opt/src || { echo "Failed to change working directory to /opt/src. Aborting."; exit 1; }
# Update package index and install wget, dig (dnsutils) and nano # Update package index and install wget, dig (dnsutils), sed and nano
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
apt-get -y update apt-get -y update
apt-get -y install wget dnsutils nano apt-get -y install wget dnsutils sed nano
echo echo
echo 'Please wait... Trying to find Public IP and Private IP of this server.' echo 'Please wait... Trying to find Public IP and Private IP of this server.'
@ -150,6 +149,7 @@ cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source directory
make programs && make install make programs && make install
# Prepare various config files # Prepare various config files
/bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/ipsec.conf <<EOF cat > /etc/ipsec.conf <<EOF
version 2.0 version 2.0
@ -187,10 +187,12 @@ conn vpnpsk
dpdaction=clear dpdaction=clear
EOF EOF
/bin/cp -f /etc/ipsec.secrets "/etc/ipsec.secrets.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/ipsec.secrets <<EOF cat > /etc/ipsec.secrets <<EOF
$PUBLIC_IP %any : PSK "$IPSEC_PSK" $PUBLIC_IP %any : PSK "$IPSEC_PSK"
EOF EOF
/bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/xl2tpd/xl2tpd.conf <<EOF cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global] [global]
port = 1701 port = 1701
@ -212,6 +214,7 @@ pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes length bit = yes
EOF EOF
/bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/ppp/options.xl2tpd <<EOF cat > /etc/ppp/options.xl2tpd <<EOF
ipcp-accept-local ipcp-accept-local
ipcp-accept-remote ipcp-accept-remote
@ -229,15 +232,20 @@ lcp-echo-interval 60
connect-delay 5000 connect-delay 5000
EOF EOF
/bin/cp -f /etc/ppp/chap-secrets "/etc/ppp/chap-secrets.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/ppp/chap-secrets <<EOF cat > /etc/ppp/chap-secrets <<EOF
# Secrets for authentication using CHAP # Secrets for authentication using CHAP
# client server secret IP addresses # client server secret IP addresses
"$VPN_USER" l2tpd "$VPN_PASSWORD" * "$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF EOF
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
/bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/sysctl.conf <<EOF cat >> /etc/sysctl.conf <<EOF
# Added by hwdsl2 VPN script
kernel.sysrq = 0 kernel.sysrq = 0
kernel.core_uses_pid = 1 kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_syncookies = 1
@ -256,8 +264,6 @@ net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0 net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.default.rp_filter = 0
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.all.secure_redirects = 0
@ -269,8 +275,16 @@ net.ipv4.tcp_rmem= 10240 87380 12582912
net.ipv4.tcp_wmem= 10240 87380 12582912 net.ipv4.tcp_wmem= 10240 87380 12582912
EOF EOF
fi
if ! grep -qs "hwdsl2 VPN script" /etc/iptables.rules; then
/bin/cp -f /etc/iptables.rules "/etc/iptables.rules.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/iptables.rules "/etc/iptables.rules.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
/usr/sbin/service fail2ban stop >/dev/null 2>&1
if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ]; then
cat > /etc/iptables.rules <<EOF cat > /etc/iptables.rules <<EOF
# Added by hwdsl2 VPN script
*filter *filter
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0] :FORWARD ACCEPT [0:0]
@ -305,31 +319,44 @@ COMMIT
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source ${PRIVATE_IP} -A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}"
COMMIT COMMIT
EOF EOF
else
iptables -I INPUT 1 -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -I INPUT 2 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I INPUT 3 -p udp --dport 1701 -j DROP
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
# If you wish to allow traffic between VPN clients themselves, uncomment this line:
# iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}"
/sbin/iptables-save > /etc/iptables.rules
echo "# Modified by hwdsl2 VPN script" >> /etc/iptables.rules
fi
fi
cat > /etc/network/if-pre-up.d/iptablesload <<EOF cat > /etc/network/if-pre-up.d/iptablesload <<EOF
#!/bin/sh #!/bin/sh
/sbin/iptables-restore < /etc/iptables.rules /sbin/iptables-restore < /etc/iptables.rules
exit 0 exit 0
EOF EOF
/bin/cp -f /etc/rc.local "/etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
cat > /etc/rc.local <<EOF
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
/bin/cp -f /etc/rc.local "/etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
/bin/sed --follow-symlinks -i -e '/^exit 0/d' /etc/rc.local
cat >> /etc/rc.local <<EOF
# Added by hwdsl2 VPN script
/usr/sbin/service fail2ban restart || /bin/true /usr/sbin/service fail2ban restart || /bin/true
/usr/sbin/service ipsec start /usr/sbin/service ipsec start
/usr/sbin/service xl2tpd start /usr/sbin/service xl2tpd start
@ -337,6 +364,8 @@ echo 1 > /proc/sys/net/ipv4/ip_forward
exit 0 exit 0
EOF EOF
fi
if [ ! -f /etc/ipsec.d/cert8.db ] ; then if [ ! -f /etc/ipsec.d/cert8.db ] ; then
echo > /var/tmp/libreswan-nss-pwd echo > /var/tmp/libreswan-nss-pwd
/usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d /usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
@ -346,7 +375,7 @@ fi
/sbin/sysctl -p /sbin/sysctl -p
/bin/chmod +x /etc/rc.local /bin/chmod +x /etc/rc.local
/bin/chmod +x /etc/network/if-pre-up.d/iptablesload /bin/chmod +x /etc/network/if-pre-up.d/iptablesload
/bin/chmod 600 /etc/ipsec.secrets /etc/ppp/chap-secrets /bin/chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets*
/sbin/iptables-restore < /etc/iptables.rules /sbin/iptables-restore < /etc/iptables.rules
/usr/sbin/service fail2ban stop >/dev/null 2>&1 /usr/sbin/service fail2ban stop >/dev/null 2>&1
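Review bot: The test `if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ]` in the new `/etc/iptables.rules` block looks only at the live ruleset, so an existing `/etc/iptables.rules` that is not currently loaded (written earlier by hand or by another tool, and without the marker checked just above) still goes through the `cat >` branch and is replaced, with only the dated backup surviving — which undercuts the commit's stated goal of preserving existing config. Loading the file before the test would let the `else` branch merge the VPN rules into it instead: `if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ] && [ -s /etc/iptables.rules ]; then /sbin/iptables-restore < /etc/iptables.rules; fi` placed right after the `service fail2ban stop` line; whether an automatic restore is wanted (rather than a prompt) depends on why the file was not loaded, so treat this as a hedged suggestion. Separately, the `else` branch leaves whatever INPUT policy the existing ruleset has untouched — it only inserts ACCEPT rules for 500/4500 and for IPsec-protected 1701 plus a DROP for bare 1701, and never adds a default deny — which is sensible for a merge but deserves a comment such as `# Merging into an existing ruleset: the current INPUT policy is kept; only the VPN ports are opened here`.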


@ -23,17 +23,16 @@ if [ "$(uname)" = "Darwin" ]; then
fi fi
# Please define your own values for these variables # Please define your own values for these variables
# IMPORTANT: # Escape *all* non-alphanumeric characters with a backslash (or 3 backslashes for \ and ").
# Escape all non-alphanumeric characters with a backslash (or 3 backslashes for \ and ").
# Examples: \ --> \\\\, " --> \\\", ' --> \', $ --> \$, ` --> \`, [space] --> \[space] # Examples: \ --> \\\\, " --> \\\", ' --> \', $ --> \$, ` --> \`, [space] --> \[space]
IPSEC_PSK=your_very_secure_key IPSEC_PSK=your_very_secure_key
VPN_USER=your_username VPN_USER=your_username
VPN_PASSWORD=your_very_secure_password VPN_PASSWORD=your_very_secure_password
# -------------------- # -----------------
# | IMPORTANT NOTES | # IMPORTANT NOTES
# -------------------- # -----------------
# To support multiple VPN users with different credentials, just edit a few lines below. # To support multiple VPN users with different credentials, just edit a few lines below.
# See: https://gist.github.com/hwdsl2/123b886f29f4c689f531 # See: https://gist.github.com/hwdsl2/123b886f29f4c689f531
@ -43,8 +42,8 @@ VPN_PASSWORD=your_very_secure_password
# https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809 # https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
# **Android 6.0 users**: Edit /etc/ipsec.conf and append ",aes256-sha2_256" to the end of # **Android 6.0 users**: Edit /etc/ipsec.conf and append ",aes256-sha2_256" to the end of
# both "ike=" and "phase2alg=", then add a new line "sha2-truncbug=yes". Must start lines with # both "ike=" and "phase2alg=", then add a new line "sha2-truncbug=yes". Must start lines
# two spaces. Finally, run "service ipsec restart". # with two spaces. Finally, run "service ipsec restart".
# **iPhone/iOS users**: In iOS settings, choose L2TP (instead of IPSec) for the VPN type. # **iPhone/iOS users**: In iOS settings, choose L2TP (instead of IPSec) for the VPN type.
# In case you're unable to connect, try replacing this line in /etc/ipsec.conf: # In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
@ -59,8 +58,8 @@ VPN_PASSWORD=your_very_secure_password
# If your server uses a custom SSH port (not 22), or if you wish to allow other services # If your server uses a custom SSH port (not 22), or if you wish to allow other services
# through IPTables, be sure to edit the IPTables rules below before running this script. # through IPTables, be sure to edit the IPTables rules below before running this script.
# This script will backup /etc/rc.local, /etc/sysctl.conf and /etc/sysconfig/iptables # This script will backup your existing configuration files before overwriting them.
# before overwriting them. Backups can be found under the same folder with .old suffix. # Backups can be found in the same folder as the original, with .old-date/time suffix.
if [ ! -f /etc/redhat-release ]; then if [ ! -f /etc/redhat-release ]; then
echo "Looks like you aren't running this script on a CentOS/RHEL system." echo "Looks like you aren't running this script on a CentOS/RHEL system."
@ -159,7 +158,7 @@ yum -y install ppp xl2tpd
# Install Fail2Ban to protect SSH server # Install Fail2Ban to protect SSH server
yum -y install fail2ban yum -y install fail2ban
# Installed Libevent 2. Use backported version for CentOS 6. # Installed Libevent2. Use backported version for CentOS 6.
if grep -qs "release 6" /etc/redhat-release; then if grep -qs "release 6" /etc/redhat-release; then
LE2_URL="https://people.redhat.com/pwouters/libreswan-rhel6" LE2_URL="https://people.redhat.com/pwouters/libreswan-rhel6"
RPM1="libevent2-2.0.21-1.el6.x86_64.rpm" RPM1="libevent2-2.0.21-1.el6.x86_64.rpm"
@ -184,6 +183,7 @@ cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source directory
make programs && make install make programs && make install
# Prepare various config files # Prepare various config files
/bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/ipsec.conf <<EOF cat > /etc/ipsec.conf <<EOF
version 2.0 version 2.0
@ -221,10 +221,12 @@ conn vpnpsk
dpdaction=clear dpdaction=clear
EOF EOF
/bin/cp -f /etc/ipsec.secrets "/etc/ipsec.secrets.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/ipsec.secrets <<EOF cat > /etc/ipsec.secrets <<EOF
$PUBLIC_IP %any : PSK "$IPSEC_PSK" $PUBLIC_IP %any : PSK "$IPSEC_PSK"
EOF EOF
/bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/xl2tpd/xl2tpd.conf <<EOF cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global] [global]
port = 1701 port = 1701
@ -246,6 +248,7 @@ pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes length bit = yes
EOF EOF
/bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/ppp/options.xl2tpd <<EOF cat > /etc/ppp/options.xl2tpd <<EOF
ipcp-accept-local ipcp-accept-local
ipcp-accept-remote ipcp-accept-remote
@ -263,15 +266,20 @@ lcp-echo-interval 60
connect-delay 5000 connect-delay 5000
EOF EOF
/bin/cp -f /etc/ppp/chap-secrets "/etc/ppp/chap-secrets.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/ppp/chap-secrets <<EOF cat > /etc/ppp/chap-secrets <<EOF
# Secrets for authentication using CHAP # Secrets for authentication using CHAP
# client server secret IP addresses # client server secret IP addresses
"$VPN_USER" l2tpd "$VPN_PASSWORD" * "$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF EOF
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
/bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/sysctl.conf <<EOF cat >> /etc/sysctl.conf <<EOF
# Added by hwdsl2 VPN script
kernel.sysrq = 0 kernel.sysrq = 0
kernel.core_uses_pid = 1 kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_syncookies = 1
@ -290,8 +298,6 @@ net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0 net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.default.rp_filter = 0
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.all.secure_redirects = 0
@ -303,8 +309,16 @@ net.ipv4.tcp_rmem= 10240 87380 12582912
net.ipv4.tcp_wmem= 10240 87380 12582912 net.ipv4.tcp_wmem= 10240 87380 12582912
EOF EOF
fi
if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/iptables; then
/bin/cp -f /etc/sysconfig/iptables "/etc/sysconfig/iptables.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/sysconfig/iptables "/etc/sysconfig/iptables.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
/sbin/service fail2ban stop >/dev/null 2>&1
if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ]; then
cat > /etc/sysconfig/iptables <<EOF cat > /etc/sysconfig/iptables <<EOF
# Added by hwdsl2 VPN script
*filter *filter
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0] :FORWARD ACCEPT [0:0]
@ -338,10 +352,31 @@ COMMIT
:PREROUTING ACCEPT [0:0] :PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source ${PRIVATE_IP} -A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}"
COMMIT COMMIT
EOF EOF
else
iptables -I INPUT 1 -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -I INPUT 2 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I INPUT 3 -p udp --dport 1701 -j DROP
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
# If you wish to allow traffic between VPN clients themselves, uncomment this line:
# iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}"
/sbin/iptables-save > /etc/sysconfig/iptables
echo "# Modified by hwdsl2 VPN script" >> /etc/sysconfig/iptables
fi
fi
if [ ! -f /etc/fail2ban/jail.local ] ; then if [ ! -f /etc/fail2ban/jail.local ] ; then
cat > /etc/fail2ban/jail.local <<EOF cat > /etc/fail2ban/jail.local <<EOF
@ -361,15 +396,12 @@ EOF
fi fi
/bin/cp -f /etc/rc.local "/etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
cat > /etc/rc.local <<EOF
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local /bin/cp -f /etc/rc.local "/etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat >> /etc/rc.local <<EOF
# Added by hwdsl2 VPN script
/sbin/iptables-restore < /etc/sysconfig/iptables /sbin/iptables-restore < /etc/sysconfig/iptables
/sbin/service fail2ban restart /sbin/service fail2ban restart
/sbin/service ipsec start /sbin/service ipsec start
@ -377,6 +409,8 @@ touch /var/lock/subsys/local
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
EOF EOF
fi
if [ ! -f /etc/ipsec.d/cert8.db ] ; then if [ ! -f /etc/ipsec.d/cert8.db ] ; then
echo > /var/tmp/libreswan-nss-pwd echo > /var/tmp/libreswan-nss-pwd
/usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d /usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
@ -390,7 +424,7 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
/sbin/sysctl -p /sbin/sysctl -p
/bin/chmod +x /etc/rc.local /bin/chmod +x /etc/rc.local
/bin/chmod 600 /etc/ipsec.secrets /etc/ppp/chap-secrets /bin/chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets*
/sbin/iptables-restore < /etc/sysconfig/iptables /sbin/iptables-restore < /etc/sysconfig/iptables
/sbin/service fail2ban stop >/dev/null 2>&1 /sbin/service fail2ban stop >/dev/null 2>&1
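Review bot: The `else` branch of the new `/etc/sysconfig/iptables` block (the `iptables -I` inserts followed by `/sbin/iptables-save > /etc/sysconfig/iptables`) assumes that whatever populated the live ruleset is something that should be snapshotted and re-applied by the `iptables-restore` line in `rc.local` at boot. If another firewall manager owns the live tables — firewalld on CentOS 7 would be the likely case, and the script only checks for `/etc/redhat-release`, never for it — the inserted VPN rules are lost on that manager's next reload, and the saved copy of its chains is restored underneath it at boot; I have not confirmed this against a live system, so please verify. A guard before the `if` would make the assumption explicit, e.g. `if systemctl is-active --quiet firewalld 2>/dev/null; then echo "firewalld is active; stop/disable it or add the VPN rules to it manually. Aborting."; exit 1; fi` (on CentOS 6 `systemctl` does not exist, the redirect hides the error and the test is simply false). At minimum a comment at the `else`, such as `# Merging into an existing live ruleset: assumes it is managed via /etc/sysconfig/iptables, not firewalld`, would warn the next maintainer.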