mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2024-11-28 23:56:04 +03:00
Code Issues Projects Releases Wiki Activity

Minor improvements and clean up

Browse Source
This commit is contained in:
hwdsl2 2016-06-03 17:10:03 -05:00
parent 9ce1769208
commit 371b5c3e7f
4 changed files with 46 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
extras/vpnupgrade_Libreswan.sh
View File

@ -96,7 +96,7 @@ cd /opt/src || exit 1
# Update package index and install Wget # Update package index and install Wget
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
apt-get -yqq update apt-get -yq update
apt-get -yq install wget apt-get -yq install wget
# Install necessary packages # Install necessary packages
@ -120,13 +120,15 @@ WERROR_CFLAGS =
EOF EOF
make -s programs && make -s install make -s programs && make -s install
# Restart IPsec service # Verify the install and clean up
service ipsec restart cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
# Verify the install
/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver" /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"
[ "$?" != "0" ] && { echo; echo "Libreswan $swan_ver failed to build. Aborting."; exit 1; } [ "$?" != "0" ] && { echo; echo "Libreswan $swan_ver failed to build. Aborting."; exit 1; }
# Restart IPsec service
service ipsec restart
echo echo
echo "Libreswan $swan_ver was installed successfully! " echo "Libreswan $swan_ver was installed successfully! "
echo echo

10
extras/vpnupgrade_Libreswan_centos.sh
View File

@ -130,6 +130,12 @@ WERROR_CFLAGS =
EOF EOF
make -s programs && make -s install make -s programs && make -s install
# Verify the install and clean up
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"
[ "$?" != "0" ] && { echo; echo "Libreswan $swan_ver failed to build. Aborting."; exit 1; }
# Restore SELinux contexts # Restore SELinux contexts
restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null
@ -138,10 +144,6 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Restart IPsec service # Restart IPsec service
service ipsec restart service ipsec restart
# Verify the install
/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"
[ "$?" != "0" ] && { echo; echo "Libreswan $swan_ver failed to build. Aborting."; exit 1; }
echo echo
echo "Libreswan $swan_ver was installed successfully! " echo "Libreswan $swan_ver was installed successfully! "
echo echo

36
vpnsetup.sh
View File

@ -15,21 +15,20 @@
# Attribution required: please include my name in any derivative and let me # Attribution required: please include my name in any derivative and let me
# know how you have improved it! # know how you have improved it!
# ===================================================== # ===========================================================
# Define your own values for these variables # Define your own values for these variables
# - IPsec pre-shared key, VPN username and password
# - All values MUST be placed inside 'single quotes' # - All values MUST be placed inside 'single quotes'
# - DO NOT use these characters within values: \ " ' # - DO NOT use these characters within values: \ " '
VPN_IPSEC_PSK=${VPN_IPSEC_PSK:-'your_ipsec_psk'} VPN_IPSEC_PSK=${VPN_IPSEC_PSK:-'your_ipsec_pre_shared_key'}
VPN_USER=${VPN_USER:-'your_vpn_username'} VPN_USER=${VPN_USER:-'your_vpn_username'}
VPN_PASSWORD=${VPN_PASSWORD:-'your_vpn_password'} VPN_PASSWORD=${VPN_PASSWORD:-'your_vpn_password'}
# Important Notes: https://git.io/vpnnotes # Important Notes: https://git.io/vpnnotes
# Setup VPN Clients: https://git.io/vpnclients # Setup VPN Clients: https://git.io/vpnclients
# ===================================================== # ===========================================================
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
@ -65,7 +64,7 @@ EOF
exit 1 exit 1
fi fi
[ "$VPN_IPSEC_PSK" = "your_ipsec_psk" ] && VPN_IPSEC_PSK='' [ "$VPN_IPSEC_PSK" = "your_ipsec_pre_shared_key" ] && VPN_IPSEC_PSK=''
[ "$VPN_USER" = "your_vpn_username" ] && VPN_USER='' [ "$VPN_USER" = "your_vpn_username" ] && VPN_USER=''
[ "$VPN_PASSWORD" = "your_vpn_password" ] && VPN_PASSWORD='' [ "$VPN_PASSWORD" = "your_vpn_password" ] && VPN_PASSWORD=''
@ -101,7 +100,7 @@ cd /opt/src || exit 1
# Update package index # Update package index
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
apt-get -yqq update apt-get -yq update
# Make sure basic commands exist # Make sure basic commands exist
apt-get -yq install wget dnsutils openssl apt-get -yq install wget dnsutils openssl
@ -122,8 +121,8 @@ PUBLIC_IP=${VPN_PUBLIC_IP:-''}
PRIVATE_IP=${VPN_PRIVATE_IP:-''} PRIVATE_IP=${VPN_PRIVATE_IP:-''}
# In Amazon EC2, these two variables will be retrieved from metadata # In Amazon EC2, these two variables will be retrieved from metadata
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4') [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4')
[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4') [ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(wget -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4')
# Try to find IPs for non-EC2 servers # Try to find IPs for non-EC2 servers
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com) [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
@ -168,7 +167,9 @@ WERROR_CFLAGS =
EOF EOF
make -s programs && make -s install make -s programs && make -s install
# Verify the install # Verify the install and clean up
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver" /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"
[ "$?" != "0" ] && { echo; echo "Libreswan $swan_ver failed to build. Aborting."; exit 1; } [ "$?" != "0" ] && { echo; echo "Libreswan $swan_ver failed to build. Aborting."; exit 1; }
@ -346,9 +347,6 @@ cat > /etc/iptables.rules <<EOF
-A FORWARD -i ppp+ -o eth+ -j ACCEPT -A FORWARD -i ppp+ -o eth+ -j ACCEPT
-A FORWARD -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o eth+ -j ACCEPT -A FORWARD -s 192.168.43.0/24 -o eth+ -j ACCEPT
# To allow traffic between VPN clients themselves, uncomment these lines:
# -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
# -A FORWARD -s 192.168.43.0/24 -d 192.168.43.0/24 -j ACCEPT
-A FORWARD -j DROP -A FORWARD -j DROP
COMMIT COMMIT
*nat *nat
@ -371,9 +369,6 @@ iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED
iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
iptables -I FORWARD 4 -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -I FORWARD 4 -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 5 -s 192.168.43.0/24 -o eth+ -j ACCEPT iptables -I FORWARD 5 -s 192.168.43.0/24 -o eth+ -j ACCEPT
# iptables -I FORWARD 6 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
# iptables -I FORWARD 7 -s 192.168.43.0/24 -d 192.168.43.0/24 -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP"
iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP" iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP"
@ -440,7 +435,7 @@ EOF
fi fi
# Reload sysctl.conf # Reload sysctl.conf
sysctl -q -p sysctl -q -p 2>/dev/null
# Update file attributes # Update file attributes
chmod +x /etc/rc.local chmod +x /etc/rc.local
@ -453,9 +448,12 @@ iptables-restore < /etc/iptables.rules
ip6tables-restore < /etc/ip6tables.rules >/dev/null 2>&1 ip6tables-restore < /etc/ip6tables.rules >/dev/null 2>&1
# Restart services # Restart services
service fail2ban restart service fail2ban stop >/dev/null 2>&1
service ipsec restart service ipsec stop >/dev/null 2>&1
service xl2tpd restart service xl2tpd stop >/dev/null 2>&1
service fail2ban start
service ipsec start
service xl2tpd start
cat <<EOF cat <<EOF

34
vpnsetup_centos.sh
View File

@ -15,21 +15,20 @@
# Attribution required: please include my name in any derivative and let me # Attribution required: please include my name in any derivative and let me
# know how you have improved it! # know how you have improved it!
# ===================================================== # ===========================================================
# Define your own values for these variables # Define your own values for these variables
# - IPsec pre-shared key, VPN username and password
# - All values MUST be placed inside 'single quotes' # - All values MUST be placed inside 'single quotes'
# - DO NOT use these characters within values: \ " ' # - DO NOT use these characters within values: \ " '
VPN_IPSEC_PSK=${VPN_IPSEC_PSK:-'your_ipsec_psk'} VPN_IPSEC_PSK=${VPN_IPSEC_PSK:-'your_ipsec_pre_shared_key'}
VPN_USER=${VPN_USER:-'your_vpn_username'} VPN_USER=${VPN_USER:-'your_vpn_username'}
VPN_PASSWORD=${VPN_PASSWORD:-'your_vpn_password'} VPN_PASSWORD=${VPN_PASSWORD:-'your_vpn_password'}
# Important Notes: https://git.io/vpnnotes # Important Notes: https://git.io/vpnnotes
# Setup VPN Clients: https://git.io/vpnclients # Setup VPN Clients: https://git.io/vpnclients
# ===================================================== # ===========================================================
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
@ -74,7 +73,7 @@ EOF
exit 1 exit 1
fi fi
[ "$VPN_IPSEC_PSK" = "your_ipsec_psk" ] && VPN_IPSEC_PSK='' [ "$VPN_IPSEC_PSK" = "your_ipsec_pre_shared_key" ] && VPN_IPSEC_PSK=''
[ "$VPN_USER" = "your_vpn_username" ] && VPN_USER='' [ "$VPN_USER" = "your_vpn_username" ] && VPN_USER=''
[ "$VPN_PASSWORD" = "your_vpn_password" ] && VPN_PASSWORD='' [ "$VPN_PASSWORD" = "your_vpn_password" ] && VPN_PASSWORD=''
@ -115,8 +114,8 @@ PUBLIC_IP=${VPN_PUBLIC_IP:-''}
PRIVATE_IP=${VPN_PRIVATE_IP:-''} PRIVATE_IP=${VPN_PRIVATE_IP:-''}
# In Amazon EC2, these two variables will be retrieved from metadata # In Amazon EC2, these two variables will be retrieved from metadata
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4') [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4')
[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4') [ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(wget -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4')
# Try to find IPs for non-EC2 servers # Try to find IPs for non-EC2 servers
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com) [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
@ -178,7 +177,9 @@ WERROR_CFLAGS =
EOF EOF
make -s programs && make -s install make -s programs && make -s install
# Verify the install # Verify the install and clean up
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver" /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"
[ "$?" != "0" ] && { echo; echo "Libreswan $swan_ver failed to build. Aborting."; exit 1; } [ "$?" != "0" ] && { echo; echo "Libreswan $swan_ver failed to build. Aborting."; exit 1; }
@ -356,9 +357,6 @@ cat > /etc/sysconfig/iptables <<EOF
-A FORWARD -i ppp+ -o eth+ -j ACCEPT -A FORWARD -i ppp+ -o eth+ -j ACCEPT
-A FORWARD -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o eth+ -j ACCEPT -A FORWARD -s 192.168.43.0/24 -o eth+ -j ACCEPT
# To allow traffic between VPN clients themselves, uncomment these lines:
# -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
# -A FORWARD -s 192.168.43.0/24 -d 192.168.43.0/24 -j ACCEPT
-A FORWARD -j DROP -A FORWARD -j DROP
COMMIT COMMIT
*nat *nat
@ -380,9 +378,6 @@ iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED
iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
iptables -I FORWARD 4 -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -I FORWARD 4 -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 5 -s 192.168.43.0/24 -o eth+ -j ACCEPT iptables -I FORWARD 5 -s 192.168.43.0/24 -o eth+ -j ACCEPT
# iptables -I FORWARD 6 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
# iptables -I FORWARD 7 -s 192.168.43.0/24 -d 192.168.43.0/24 -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP"
iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP" iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP"
@ -449,7 +444,7 @@ restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Reload sysctl.conf # Reload sysctl.conf
sysctl -q -p sysctl -q -p 2>/dev/null
# Update file attributes # Update file attributes
chmod +x /etc/rc.local chmod +x /etc/rc.local
@ -460,9 +455,12 @@ iptables-restore < /etc/sysconfig/iptables
ip6tables-restore < /etc/sysconfig/ip6tables >/dev/null 2>&1 ip6tables-restore < /etc/sysconfig/ip6tables >/dev/null 2>&1
# Restart services # Restart services
service fail2ban restart service fail2ban stop >/dev/null 2>&1
service ipsec restart service ipsec stop >/dev/null 2>&1
service xl2tpd restart service xl2tpd stop >/dev/null 2>&1
service fail2ban start
service ipsec start
service xl2tpd start
cat <<EOF cat <<EOF