Update README.md and add vpnsetup_centos.sh

2024-11-25 06:16:07 +03:00 · 2016-01-07 10:57:53 -06:00 · 2016-01-07 10:57:53 -06:00 · 2e10e6e891
commit 2e10e6e891
parent 2aaaf44385
2 changed files with 365 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -1,22 +1,50 @@
-## IPsec/L2TP VPN Auto Install Script for Ubuntu/Debian
+# IPsec/L2TP VPN Server Auto Setup Scripts
-Amazon EC2 user-data file for automatic configuration of IPsec/L2TP VPN server on a Ubuntu or Debian instance. Tested with Ubuntu 14.04 & 12.04 and Debian 8 (Jessie).
+Scripts for automatic setup of an IPsec/L2TP VPN server on Ubuntu 14.04 & 12.04, Debian 8 and CentOS/RHEL 6 & 7. Works on dedicated servers or any KVM- or XEN-based Virtual Private Server (VPS), with **freshly installed** Linux OS.
-With minor modifications, this script **can also be used** on dedicated servers or any KVM- or XEN- based Virtual Private Server (VPS) from other providers.
+They can also be used as Amazon EC2 "user-data" with the <a href="https://cloud-images.ubuntu.com/locator/ec2/" target="_blank">Ubuntu 14.04/12.04</a>, <a href="https://wiki.debian.org/Cloud/AmazonEC2Image/Jessie" target="_blank">Debian 8</a> or <a href="https://aws.amazon.com/marketplace/pp/B00O7WM7QW" target="_blank">CentOS 7</a> AMIs.
 Do **NOT** run these scripts on your PC or Mac! They are meant to be run on a dedicated server or VPS.
 #### <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/" target="_blank">My VPN tutorial with detailed usage instructions</a>  
-<a href="https://gist.github.com/hwdsl2/e9a78a50e300d12ae195" target="_blank">Alternative VPN script for CentOS/RHEL</a>  
+<a href="https://gist.github.com/hwdsl2/123b886f29f4c689f531" target="_blank">Enable multiple VPN users with different credentials</a>  
 <a href="https://gist.github.com/hwdsl2/5a769b2c4436cdf02a90" target="_blank">Workaround for Debian 7 (Wheezy)</a>  
 <a href="http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md" target="_blank">Original post by Thomas Sarlandie</a>
-&darr;&nbsp;&nbsp;&darr;&nbsp;&nbsp;&darr; Scroll down for the script &darr;&nbsp;&nbsp;&darr;&nbsp;&nbsp;&darr;
+## Installation
-### Copyright and license
+### For Ubuntu and Debian:
 ```bash
 wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup.sh -O vpnsetup.sh
 nano -w vpnsetup.sh
 [Edit and replace IPSEC_PSK, VPN_USER and VPN_PASSWORD with your own values]
 /bin/sh vpnsetup.sh
 ```
 ### For CentOS and RHEL:
 ```bash
 wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup_centos.sh -O vpnsetup_centos.sh
 nano -w vpnsetup_centos.sh
 [Edit and replace IPSEC_PSK, VPN_USER and VPN_PASSWORD with your own values]
 /bin/sh vpnsetup_centos.sh
 ```
 ## Important Notes
 For Windows users, a <a href="https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809" target="_blank">one-time registry change</a> is required for connections to a VPN server behind NAT (e.g. Amazon EC2).
 If using Amazon EC2, these ports must be open in the security group of your VPN server: UDP ports 500 & 4500, and TCP port 22 (optional, for SSH).
 If your server uses a custom SSH port (not 22), or if you wish to allow other services through IPTables, be sure to edit the IPTables rules in the scripts before using.
 The scripts will backup /etc/rc.local, /etc/sysctl.conf, /etc/iptables.rules and /etc/sysconfig/iptables before overwriting them. Backups can be found under the same folder with .old suffix.
 ## Copyright and license
 Copyright (C) 2014&nbsp;Lin Song&nbsp;&nbsp;&nbsp;<a href="https://www.linkedin.com/in/linsongui" target="_blank"><img src="https://static.licdn.com/scds/common/u/img/webpromo/btn_profile_bluetxt_80x15.png" width="80" height="15" border="0" alt="View my profile on LinkedIn"></a>   
 Based on the work of Thomas Sarlandie (Copyright 2012)
 This work is licensed under the <a href="http://creativecommons.org/licenses/by-sa/3.0/" target="_blank">Creative Commons Attribution-ShareAlike 3.0</a>  
 Attribution required: please include my name in any derivative and let me know how you have improved it!
 <a href="https://github.com/igrigorik/ga-beacon" target="_blank"><img src="https://ga-bc1.appspot.com/UA-46742347-4/hwdsl2/9030462?dh=gist.github.com&amp;gif=1" alt="Analytics" style="max-width:100%;"></a>
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@ -0,0 +1,329 @@
 #!/bin/sh
 #
 # Script for automatic configuration of IPsec/L2TP VPN server on 64-bit CentOS/RHEL 6 & 7.
 # Works on dedicated servers or any KVM- or XEN-based Virtual Private Server (VPS).
 # It can also be used as the Amazon EC2 "user-data" with the official CentOS 7 AMI.
 # Note that the CentOS 6 AMI does NOT come with cloud-init, therefore you need to
 # run this script manually after instance creation.
 #
 # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN
 # ON YOUR DEDICATED SERVER OR VPS!
 #
 # Copyright (C) 2015 Lin Song
 # Based on the work of Thomas Sarlandie (Copyright 2012)
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
 #
 # Attribution required: please include my name in any derivative and let me
 # know how you have improved it! 
 if [ "$(uname)" = "Darwin" ]; then
  echo 'DO NOT run this script on your Mac! It should only be run on a Dedicated Server / VPS'
  echo 'or a newly-created EC2 instance, after you have modified it to set the variables below.'
  exit 1
 fi
 if [ ! -f /etc/redhat-release ]; then
  echo "Looks like you aren't running this script on a CentOS/RHEL system."
  exit 1
 fi
 if [ "$(uname -m)" != "x86_64" ]; then
  echo "Sorry, this script only supports 64-bit CentOS/RHEL."
  exit 1
 fi
 if [ "$(id -u)" != 0 ]; then
  echo "Sorry, you need to run this script as root."
  exit 1
 fi
 # Please define your own values for those variables
 IPSEC_PSK=your_very_secure_key
 VPN_USER=your_username
 VPN_PASSWORD=your_very_secure_password
 # IMPORTANT NOTES:
 # If you need multiple VPN users with different credentials,
 # please see: https://gist.github.com/hwdsl2/123b886f29f4c689f531
 # For Windows users, a one-time registry change is required in order to
 # connect to a VPN server behind NAT (e.g. in Amazon EC2). Please see:
 # https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
 # If using Amazon EC2, these ports must be open in the security group of
 # your VPN server: UDP ports 500 & 4500, and TCP port 22 (optional, for SSH).
 # If your server uses a custom SSH port (not 22), or if you wish to allow other services
 # through IPTables, be sure to edit the IPTables rules below before running this script.
 # This script will backup /etc/rc.local, /etc/sysctl.conf and /etc/sysconfig/iptables
 # before overwriting them. Backups can be found under the same folder with .old suffix.
 # iPhone/iOS users may need to replace this line in ipsec.conf:
 # "rightprotoport=17/%any" with "rightprotoport=17/0".
 # Install wget, dig (bind-utils) and nano
 yum -y install wget bind-utils nano
 echo 'If the script hangs here, press Ctrl-C to interrupt, then edit it and comment out'
 echo 'the next two lines PUBLIC_IP= and PRIVATE_IP=, OR replace them with the actual IPs.'
 # In Amazon EC2, these two variables will be found automatically.
 # For all other servers, you may replace them with the actual IPs,
 # or comment out and let the script auto-detect in the next section.
 # If your server only has a public IP, use that IP on both lines.
 PUBLIC_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4')
 PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4')
 # Attempt to find server IPs automatically for non-EC2 servers
 [ "$PUBLIC_IP" = "" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
 [ "$PUBLIC_IP" = "" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipecho.net/plain)
 [ "$PUBLIC_IP" = "" ] && { echo "Could not find Public IP, please edit the VPN script manually."; exit 1; }
 [ "$PRIVATE_IP" = "" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
 [ "$PRIVATE_IP" = "" ] && { echo "Could not find Private IP, please edit the VPN script manually."; exit 1; }
 # Create and change to working dir
 mkdir -p /opt/src
 cd /opt/src || { echo "Failed to change working directory to /opt/src. Aborting."; exit 1; }
 # Add the EPEL repository
 if grep -qs "release 6" /etc/redhat-release; then
  EPEL_RPM="epel-release-6-8.noarch.rpm"
  EPEL_URL="http://download.fedoraproject.org/pub/epel/6/x86_64/$EPEL_RPM"
 elif grep -qs "release 7" /etc/redhat-release; then
  EPEL_RPM="epel-release-7-5.noarch.rpm"
  EPEL_URL="http://download.fedoraproject.org/pub/epel/7/x86_64/e/$EPEL_RPM"
 else
  echo "Sorry, this script only supports versions 6 and 7 of CentOS/RHEL."
  exit 1
 fi
 wget -t 3 -T 30 -nv -O $EPEL_RPM $EPEL_URL
 [ ! -f $EPEL_RPM ] && { echo "Could not retrieve EPEL repository RPM file. Aborting."; exit 1; }
 rpm -ivh --force $EPEL_RPM && /bin/rm -f $EPEL_RPM
 # Install necessary packages
 yum -y install nss-devel nspr-devel pkgconfig pam-devel \
    libcap-ng-devel libselinux-devel \
    curl-devel gmp-devel flex bison gcc make \
    fipscheck-devel unbound-devel gmp gmp-devel xmlto
 yum -y install ppp xl2tpd
 # Installed Libevent 2. Use backported version for CentOS 6.
 if grep -qs "release 6" /etc/redhat-release; then
  LE2_URL="https://people.redhat.com/pwouters/libreswan-rhel6"
  RPM1="libevent2-2.0.21-1.el6.x86_64.rpm"
  RPM2="libevent2-devel-2.0.21-1.el6.x86_64.rpm"
  wget -t 3 -T 30 -nv -O $RPM1 $LE2_URL/$RPM1
  wget -t 3 -T 30 -nv -O $RPM2 $LE2_URL/$RPM2
  [ ! -f $RPM1 ] || [ ! -f $RPM2 ] && { echo "Could not retrieve Libevent2 RPM file(s). Aborting."; exit 1; }
  rpm -ivh --force $RPM1 $RPM2 && /bin/rm -f $RPM1 $RPM2
 elif grep -qs "release 7" /etc/redhat-release; then
  yum -y install libevent-devel
 fi
 # Compile and install Libreswan (https://libreswan.org/)
 # To upgrade Libreswan when a newer version is available, just re-run these
 # commands with the new "SWAN_VER", then restore SELinux contexts using
 # the commands at the end of this script, and finally restart services with
 # "service ipsec restart" and "service xl2tpd restart".
 SWAN_VER=3.16
 SWAN_URL=https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz
 wget -t 3 -T 30 -qO- $SWAN_URL | tar xvz
 [ ! -d libreswan-${SWAN_VER} ] && { echo "Could not retrieve Libreswan source files. Aborting."; exit 1; }
 cd libreswan-${SWAN_VER}
 make programs && make install
 # Prepare various config files
 cat > /etc/ipsec.conf <<EOF
 version 2.0
 config setup
  dumpdir=/var/run/pluto/
  nat_traversal=yes
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
  oe=off
  protostack=netkey
  nhelpers=0
  interfaces=%defaultroute
 conn vpnpsk
  connaddrfamily=ipv4
  auto=add
  left=$PRIVATE_IP
  leftid=$PUBLIC_IP
  leftsubnet=$PRIVATE_IP/32
  leftnexthop=%defaultroute
  leftprotoport=17/1701
  rightprotoport=17/%any
  right=%any
  rightsubnetwithin=0.0.0.0/0
  forceencaps=yes
  authby=secret
  pfs=no
  type=transport
  auth=esp
  ike=3des-sha1,aes-sha1
  phase2alg=3des-sha1,aes-sha1
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
 EOF
 cat > /etc/ipsec.secrets <<EOF
 $PUBLIC_IP  %any  : PSK "$IPSEC_PSK"
 EOF
 cat > /etc/xl2tpd/xl2tpd.conf <<EOF
 [global]
 port = 1701
 ;debug avp = yes
 ;debug network = yes
 ;debug state = yes
 ;debug tunnel = yes
 [lns default]
 ip range = 192.168.42.10-192.168.42.250
 local ip = 192.168.42.1
 require chap = yes
 refuse pap = yes
 require authentication = yes
 name = l2tpd
 ;ppp debug = yes
 pppoptfile = /etc/ppp/options.xl2tpd
 length bit = yes
 EOF
 cat > /etc/ppp/options.xl2tpd <<EOF
 ipcp-accept-local
 ipcp-accept-remote
 ms-dns 8.8.8.8
 ms-dns 8.8.4.4
 noccp
 auth
 crtscts
 idle 1800
 mtu 1280
 mru 1280
 lock
 lcp-echo-failure 10
 lcp-echo-interval 60
 connect-delay 5000
 EOF
 cat > /etc/ppp/chap-secrets <<EOF
 # Secrets for authentication using CHAP
 # client  server  secret  IP addresses
 $VPN_USER  l2tpd  $VPN_PASSWORD  *
 EOF
 /bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
 cat > /etc/sysctl.conf <<EOF
 kernel.sysrq = 0
 kernel.core_uses_pid = 1
 net.ipv4.tcp_syncookies = 1
 kernel.msgmnb = 65536
 kernel.msgmax = 65536
 kernel.shmmax = 68719476736
 kernel.shmall = 4294967296
 net.ipv4.ip_forward = 1
 net.ipv4.conf.all.accept_source_route = 0
 net.ipv4.conf.default.accept_source_route = 0
 net.ipv4.conf.all.log_martians = 1
 net.ipv4.conf.default.log_martians = 1
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.default.accept_redirects = 0
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0
 net.ipv4.conf.all.rp_filter = 0
 net.ipv4.conf.default.rp_filter = 0
 net.ipv6.conf.all.disable_ipv6=1
 net.ipv6.conf.default.disable_ipv6=1
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 net.ipv4.icmp_ignore_bogus_error_responses = 1
 net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.default.secure_redirects = 0
 kernel.randomize_va_space = 1
 net.core.wmem_max=12582912
 net.core.rmem_max=12582912
 net.ipv4.tcp_rmem= 10240 87380 12582912
 net.ipv4.tcp_wmem= 10240 87380 12582912
 EOF
 /bin/cp -f /etc/sysconfig/iptables "/etc/sysconfig/iptables.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
 cat > /etc/sysconfig/iptables <<EOF
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :ICMPALL - [0:0]
 -A INPUT -m conntrack --ctstate INVALID -j DROP
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -p icmp --icmp-type 255 -j ICMPALL
 -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
 -A INPUT -p tcp --dport 22 -j ACCEPT
 -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
 -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
 -A INPUT -p udp --dport 1701 -j DROP
 -A INPUT -j DROP
 -A FORWARD -m conntrack --ctstate INVALID -j DROP
 -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i ppp+ -o eth+ -j ACCEPT
 # If you wish to allow traffic between VPN clients themselves, uncomment this line:
 # -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
 -A FORWARD -j DROP
 -A ICMPALL -p icmp -f -j DROP
 -A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
 -A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
 -A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
 -A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
 -A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
 -A ICMPALL -p icmp -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 -A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source ${PRIVATE_IP}
 COMMIT
 EOF
 /bin/cp -f /etc/rc.local "/etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
 cat > /etc/rc.local <<EOF
 #!/bin/sh
 #
 # This script will be executed *after* all the other init scripts.
 # You can put your own initialization stuff in here if you don't
 # want to do the full Sys V style init stuff.
 touch /var/lock/subsys/local
 /sbin/iptables-restore < /etc/sysconfig/iptables
 /sbin/service ipsec restart
 /sbin/service xl2tpd restart
 echo 1 > /proc/sys/net/ipv4/ip_forward
 EOF
 if [ ! -f /etc/ipsec.d/cert8.db ] ; then
   echo > /var/tmp/libreswan-nss-pwd
   /usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
   /bin/rm -f /var/tmp/libreswan-nss-pwd
 fi
 # Restore SELinux contexts
 restorecon /etc/ipsec.d/*db 2>/dev/null
 restorecon /usr/local/sbin -Rv 2>/dev/null
 restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
 /sbin/sysctl -p
 /bin/chmod 600 /etc/ipsec.secrets /etc/ppp/chap-secrets
 /sbin/iptables-restore < /etc/sysconfig/iptables
 /sbin/service ipsec restart
 /sbin/service xl2tpd restart