diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a5ad304..7352b1e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -249,12 +249,11 @@ jobs: if: github.repository_owner == 'hwdsl2' strategy: matrix: - os_version: ["ubuntu:20.04", "ubuntu:18.04", "debian:10", "debian:9", "centos:6"] + os_version: ["ubuntu:20.04", "ubuntu:18.04", "debian:10", "debian:9"] fail-fast: false container: image: ${{ matrix.os_version }} env: - OS_VERSION: ${{ matrix.os_version }} EVENT_NAME: ${{ github.event_name }} options: --privileged -v /lib/modules:/lib/modules:ro steps: @@ -269,28 +268,16 @@ jobs: cd /opt/src echo "# hwdsl2" > run.sh - OS_NAME=$(echo "$OS_VERSION" | head -c6) - if [ "$OS_NAME" = "centos" ]; then - yum -y update - yum -y -q install wget rsyslog - service rsyslog start - wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-centos - else - export DEBIAN_FRONTEND=noninteractive - apt-get -yq update - apt-get -yq dist-upgrade - apt-get -yq install wget rsyslog - service rsyslog start - wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup - fi + export DEBIAN_FRONTEND=noninteractive + apt-get -yq update + apt-get -yq dist-upgrade + apt-get -yq install wget rsyslog + service rsyslog start + wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup sh vpnsetup.sh sleep 5 - if [ "$OS_NAME" = "centos" ]; then - sed -i '/^logtarget/d' /etc/fail2ban/fail2ban.conf - echo "logtarget = /var/log/fail2ban.log" >> /etc/fail2ban/fail2ban.conf - fi service fail2ban restart sleep 5 netstat -anpu | grep pluto 
@@ -299,17 +286,10 @@ jobs: iptables -nL | grep -q '192\.168\.42\.0/24' iptables -nL -t nat iptables -nL -t nat | grep -q '192\.168\.43\.0/24' - if [ "$OS_NAME" = "centos" ]; then - grep pluto /var/log/secure - grep pluto /var/log/secure | grep -q 'added IKEv1 connection "l2tp-psk"' - grep pluto /var/log/secure | grep -q 'added IKEv1 connection "xauth-psk"' - grep xl2tpd /var/log/messages - else - grep pluto /var/log/auth.log - grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "l2tp-psk"' - grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "xauth-psk"' - grep xl2tpd /var/log/syslog - fi + grep pluto /var/log/auth.log + grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "l2tp-psk"' + grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "xauth-psk"' + grep xl2tpd /var/log/syslog cat /var/log/fail2ban.log grep -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log @@ -339,13 +319,8 @@ jobs: ls -ld /etc/ipsec.d/ikev2vpnca*.cer ls -ld /etc/ipsec.d/vpnclient*.p12 sleep 10 - if [ "$OS_NAME" = "centos" ]; then - grep pluto /var/log/secure | tail -n 20 - grep pluto /var/log/secure | grep -q 'added IKEv2 connection "ikev2-cp"' - else - grep pluto /var/log/auth.log | tail -n 20 - grep pluto /var/log/auth.log | grep -q 'added IKEv2 connection "ikev2-cp"' - fi + grep pluto /var/log/auth.log | tail -n 20 + grep pluto /var/log/auth.log | grep -q 'added IKEv2 connection "ikev2-cp"' bash ikev2.sh <Amazon EC2 实例,使用这些映像之一: - Ubuntu 20.04 (Focal), 18.04 (Bionic) 或者 16.04 (Xenial) - Debian 10 (Buster)[\*](#debian-10-note) 或者 9 (Stretch) -- CentOS 8 (x86_64) -- CentOS 7 (x86_64) with Updates -- CentOS 6 (x86_64) with Updates -- Red Hat Enterprise Linux (RHEL) 8, 7 或者 6 +- CentOS 8 或者 7 +- Red Hat Enterprise Linux (RHEL) 8 或者 7 请参见 详细步骤 以及 EC2 定价细节。另外,你也可以使用 CloudFormation 来快速部署。 
@@ -77,7 +75,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
 
 **» 我想建立并使用自己的 VPN ,但是没有可用的服务器**
 
-高级用户可以在一个 $35 的 Raspberry Pi 上搭建 VPN 服务器。参见 [1] [2]。
+高级用户可以在一个 $35 的 Raspberry Pi 上搭建 VPN 服务器。参见 [1] [2]
 
 \* Debian 10 用户需要使用标准的 Linux 内核(而不是 "cloud" 版本)。更多信息请看 这里。
@@ -159,7 +157,7 @@ sh vpnsetup.sh
 在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`,然后重启服务器。高级用户可以在运行 VPN 脚本时定义 `VPN_DNS_SRV1` 和 `VPN_DNS_SRV2`(可选)。
 
-使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 16.04-20.04, Debian 9-10 和 CentOS 6-8. Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`),然后运行 `service xl2tpd restart`。
+使用内核支持有助于提高 IPsec/L2TP 性能。它在[所有受支持的系统](#系统要求)上可用。Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`)软件包,然后运行 `service xl2tpd restart`。
 
 如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。
diff --git a/README.md b/README.md
index 63d47a9..7fd017d 100644
--- a/README.md
+++ b/README.md
@@ -53,17 +53,15 @@ For other installation options and how to set up VPN clients, read the sections
 - Encapsulates all VPN traffic in UDP - does not need ESP protocol
 - Can be directly used as "user-data" for a new Amazon EC2 instance
 - Includes `sysctl.conf` optimizations for improved performance
-- Tested with Ubuntu 20.04/18.04/16.04, Debian 10/9 and CentOS 8/7/6
+- Tested with Ubuntu 20.04/18.04/16.04, Debian 10/9 and CentOS 8/7
 
 ## Requirements
 
 A newly created Amazon EC2 instance, from one of these images:
 
 - Ubuntu 20.04 (Focal), 18.04 (Bionic) or 16.04 (Xenial)
 - Debian 10 (Buster)[\*](#debian-10-note) or 9 (Stretch)
-- CentOS 8 (x86_64)
-- CentOS 7 (x86_64) with Updates
-- CentOS 6 (x86_64) with Updates
-- Red Hat Enterprise Linux (RHEL) 8, 7 or 6
+- CentOS 8 or 7
+- Red Hat Enterprise Linux (RHEL) 8 or 7
 
 See detailed instructions and EC2 pricing. Alternatively, you can deploy rapidly using CloudFormation.
@@ -77,7 +75,7 @@ This also includes Linux VMs in public clouds, such as
 
 **» I want to run my own VPN but don't have a server for that**
 
-Advanced users can set up the VPN server on a $35 Raspberry Pi. See [1] [2].
+Advanced users can set up the VPN server on a $35 Raspberry Pi. See [1] [2].
 
 \* Debian 10 users should use the standard Linux kernel (not the "cloud" version). Read more here.
@@ -159,7 +157,7 @@ For servers with an external firewall (e.g. Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`, then reboot your server. Advanced users can define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2` when running the VPN setup script.
 
-Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 16.04-20.04, Debian 9-10 and CentOS 6-8. Ubuntu users: Install `linux-modules-extra-$(uname -r)` (or `linux-image-extra`), then run `service xl2tpd restart`.
+Using kernel support could improve IPsec/L2TP performance. It is available on [all supported OS versions](#requirements). Ubuntu users should install the `linux-modules-extra-$(uname -r)` (or `linux-image-extra`) package, then run `service xl2tpd restart`.
 
 To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server.
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index b363dab..25a6f85 100644
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
@@ -22,8 +22,8 @@ exiterr2() { exiterr "'yum install' failed."; }
 
 vpnupgrade() {
 
-if ! grep -qs -e "release 6" -e "release 7" -e "release 8" /etc/redhat-release; then
- echo "Error: This script only supports CentOS/RHEL 6, 7 and 8." >&2
+if ! grep -qs -e "release 7" -e "release 8" /etc/redhat-release; then
+ echo "Error: This script only supports CentOS/RHEL 7 and 8." >&2
 echo "For Ubuntu/Debian, use https://git.io/vpnupgrade" >&2
 exit 1
 fi
@@ -146,10 +146,7 @@ REPO1='--enablerepo=*server-*optional*'
 REPO2='--enablerepo=*releases-optional*'
 REPO3='--enablerepo=PowerTools'
 
-if grep -qs "release 6" /etc/redhat-release; then
- yum -y remove libevent-devel
- yum "$REPO1" "$REPO2" -y install libevent2-devel fipscheck-devel || exiterr2
-elif grep -qs "release 7" /etc/redhat-release; then
+if grep -qs "release 7" /etc/redhat-release; then
 yum -y install systemd-devel || exiterr2
 yum "$REPO1" "$REPO2" -y install libevent-devel fipscheck-devel || exiterr2
 else
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 0655456..907bc97 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script for automatic setup of an IPsec VPN server on CentOS/RHEL 6-8.
+# Script for automatic setup of an IPsec VPN server on CentOS/RHEL 7 and 8.
 # Works on any dedicated server or virtual private server (VPS) except OpenVZ.
 #
 # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
@@ -49,8 +49,8 @@ check_ip() {
 
 vpnsetup() {
 
-if ! grep -qs -e "release 6" -e "release 7" -e "release 8" /etc/redhat-release; then
- echo "Error: This script only supports CentOS/RHEL 6-8." >&2
+if ! grep -qs -e "release 7" -e "release 8" /etc/redhat-release; then
+ echo "Error: This script only supports CentOS/RHEL 7 and 8." >&2
 echo "For Ubuntu/Debian, use https://git.io/vpnsetup" >&2
 exit 1
 fi
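Review bot: After the `release 6` branch is dropped, the `else` at the end of this hunk means "release 8" only by elimination, and nothing in the hunk says so; the reader has to know that the `grep -qs -e "release 7" -e "release 8" /etc/redhat-release` gate at the top of vpnupgrade() (outside this hunk) already excluded everything else. A one-line comment on the `else`, `else  # release 8: the only other version admitted by the check at the top of vpnupgrade()`, would keep that dependency visible. The same implicit contract appears in the `else` of the `@@ -156,16 +156,10 @@` hunk of vpnsetup_centos.sh, which relies on the check in vpnsetup() the same way. The enclosing function starts before this hunk and the `else` branch continues past it.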
@@ -156,16 +156,10 @@ yum -y install nss-devel nspr-devel pkgconfig pam-devel \
 yum "$REPO1" -y install xl2tpd || exiterr2
 
 use_nft=0
-if grep -qs "release 6" /etc/redhat-release; then
- os_ver=6
- yum -y remove libevent-devel
- yum "$REPO2" "$REPO3" -y install libevent2-devel fipscheck-devel || exiterr2
-elif grep -qs "release 7" /etc/redhat-release; then
- os_ver=7
+if grep -qs "release 7" /etc/redhat-release; then
 yum -y install systemd-devel iptables-services || exiterr2
 yum "$REPO2" "$REPO3" -y install libevent-devel fipscheck-devel || exiterr2
 else
- os_ver=8
 if grep -qs "Red Hat" /etc/redhat-release; then
 REPO4='--enablerepo=codeready-builder-for-rhel-8-*'
 fi
@@ -447,13 +441,7 @@ fi
 
 bigecho "Enabling services on boot..."
 
-if [ "$os_ver" = "6" ]; then
- chkconfig iptables on
- chkconfig fail2ban on
-else
- systemctl --now mask firewalld 2>/dev/null
-fi
-
+systemctl --now mask firewalld 2>/dev/null
 if [ "$use_nft" = "1" ]; then
 systemctl enable nftables fail2ban 2>/dev/null
 else
@@ -495,11 +483,9 @@ else
 fi
 
 # Fix xl2tpd if l2tp_ppp is unavailable
-if [ "$os_ver" != "6" ]; then
- if ! modprobe -q l2tp_ppp; then
- sed -i '/^ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service
- systemctl daemon-reload
- fi
+if ! modprobe -q l2tp_ppp; then
+ sed -i '/^ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service
+ systemctl daemon-reload
 fi
 
 mkdir -p /run/pluto
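Review bot: This hunk removes all three `os_ver=` assignments, but the diff only removes two reads of `$os_ver` (the `chkconfig`/`firewalld` block and the `l2tp_ppp` block further down this file); if vpnsetup_centos.sh reads `$os_ver` anywhere the diff does not show, that read now expands to an empty string under `#!/bin/sh` with no error, and a comparison such as `[ "$os_ver" = "7" ]` would silently take the wrong branch. Confirming that no other reference remains in the script is worth doing before merging, since the shell will not report one. The `else` branch here also continues past the end of the hunk, so its remaining lines are not under review.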
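Review bot: The now-unconditional fallback patches the packaged unit in place, `sed -i '/^ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service`, and the next xl2tpd package update will overwrite that file and restore whatever ExecStartPre step the comment says breaks when l2tp_ppp is unavailable. A drop-in survives package updates and has the same effect, because an empty `ExecStartPre=` in a drop-in resets the directive list: `mkdir -p /etc/systemd/system/xl2tpd.service.d`, then `printf '[Service]\nExecStartPre=\n' > /etc/systemd/system/xl2tpd.service.d/override.conf`, followed by the existing `systemctl daemon-reload`. The drop-in file name is a conventional one, not something this diff defines. This applies to the `@@ -495,11 +483,9 @@` hunk at the end of vpnsetup_centos.sh.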