
Improve update scripts

- Refactor VPN update scripts into functions
- Cleanup
This commit is contained in:
hwdsl2 2021-08-22 00:43:14 -05:00
parent 665349336d
commit 52216d8f59
3 changed files with 639 additions and 546 deletions


@ -19,25 +19,27 @@ SWAN_VER=4.4
### DO NOT edit below this line ### ### DO NOT edit below this line ###
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER"
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'yum install' failed."; } exiterr2() { exiterr "'yum install' failed."; }
bigecho() { echo "## $1"; } bigecho() { echo "## $1"; }
vpnupgrade() { check_root() {
if [ "$(id -u)" != 0 ]; then
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER"
os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-')
if ! grep -qs "Amazon Linux release 2" /etc/system-release; then
exiterr "This script only supports Amazon Linux 2."
fi
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'" exiterr "Script must be run as root. Try 'sudo sh $0'"
fi fi
}
case $SWAN_VER in check_os() {
os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-')
if ! grep -qs "Amazon Linux release 2" /etc/system-release; then
exiterr "This script only supports Amazon Linux 2."
fi
}
check_libreswan() {
case $SWAN_VER in
3.32|4.[1234]) 3.32|4.[1234])
true true
;; ;;
@ -49,28 +51,24 @@ Error: Libreswan version '$SWAN_VER' is not supported.
EOF EOF
exit 1 exit 1
;; ;;
esac esac
ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null) ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
swan_ver_old=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//') swan_ver_old=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//')
if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
Error: This script requires Libreswan already installed. Error: This script requires Libreswan already installed.
See: https://github.com/hwdsl2/setup-ipsec-vpn See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF EOF
exit 1 exit 1
fi fi
swan_ver_cur=4.4 if [ "$swan_ver_old" = "$SWAN_VER" ]; then
swan_ver_url="https://dl.ls20.com/v1/amzn/2/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER" cat <<EOF
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url") You already have Libreswan version $SWAN_VER installed!
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \ If you continue, the same version will be re-installed.
&& [ "$swan_ver_cur" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then EOF
echo "Note: A newer version of Libreswan ($swan_ver_latest) is available."
echo " To update to the new version, exit this script and run:"
echo " wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh"
echo
printf "Do you want to continue anyway? [y/N] " printf "Do you want to continue anyway? [y/N] "
read -r response read -r response
case $response in case $response in
@ -82,25 +80,10 @@ if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|
exit 1 exit 1
;; ;;
esac esac
fi fi
}
if [ "$swan_ver_old" = "$SWAN_VER" ]; then
echo "You already have Libreswan version $SWAN_VER installed! "
echo "If you continue, the same version will be re-installed."
echo
printf "Do you want to continue anyway? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
;;
*)
echo "Abort. No changes were made."
exit 1
;;
esac
fi
show_setup_info() {
cat <<EOF cat <<EOF
Welcome! Use this script to update Libreswan on your IPsec VPN server. Welcome! Use this script to update Libreswan on your IPsec VPN server.
@ -108,9 +91,6 @@ Welcome! Use this script to update Libreswan on your IPsec VPN server.
Current version: Libreswan $swan_ver_old Current version: Libreswan $swan_ver_old
Version to install: Libreswan $SWAN_VER Version to install: Libreswan $SWAN_VER
EOF
cat <<'EOF'
Note: This script will make the following changes to your VPN configuration: Note: This script will make the following changes to your VPN configuration:
- Fix obsolete ipsec.conf and/or ikev2.conf options - Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers - Optimize VPN ciphers
@ -118,100 +98,109 @@ Note: This script will make the following changes to your VPN configuration:
EOF EOF
if [ "$SWAN_VER" != "4.4" ]; then if [ "$SWAN_VER" != "4.4" ]; then
cat <<'EOF' cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities. WARNING: Older versions of Libreswan could contain known security vulnerabilities.
See https://libreswan.org/security/ for more information. See https://libreswan.org/security/ for more information.
Are you sure you want to install an older version? Are you sure you want to install an older version?
EOF EOF
fi fi
printf "Do you want to continue? [y/N] " printf "Do you want to continue? [y/N] "
read -r response read -r response
case $response in case $response in
[yY][eE][sS]|[yY]) [yY][eE][sS]|[yY])
echo echo
bigecho "Please be patient. Setup is continuing..."
;; ;;
*) *)
echo "Abort. No changes were made." echo "Abort. No changes were made."
exit 1 exit 1
;; ;;
esac esac
}
mkdir -p /opt/src # shellcheck disable=SC2154,SC2039,SC3047
cd /opt/src || exit 1 start_setup() {
trap 'dlo=$dl;dl=$LINENO' DEBUG 2>/dev/null
trap 'finish $? $((dlo+1))' EXIT
mkdir -p /opt/src
cd /opt/src || exit 1
}
bigecho "Installing required packages..." install_pkgs() {
bigecho "Installing required packages..."
( (
set -x set -x
yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \ yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel nss-tools \ libcap-ng-devel libselinux-devel curl-devel nss-tools \
flex bison gcc make wget sed tar \ flex bison gcc make wget sed tar \
systemd-devel libevent-devel fipscheck-devel >/dev/null systemd-devel libevent-devel fipscheck-devel >/dev/null
) || exiterr2 ) || exiterr2
}
bigecho "Downloading Libreswan..." get_libreswan() {
bigecho "Downloading Libreswan..."
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
( (
set -x set -x
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2" wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1 ) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file" tar xzf "$swan_file" && /bin/rm -f "$swan_file"
}
bigecho "Compiling and installing Libreswan, please wait..." install_libreswan() {
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1 cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in [ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w -s WERROR_CFLAGS=-w -s
USE_DNSSEC=false USE_DNSSEC=false
EOF EOF
echo "USE_DH2=true" >> Makefile.inc.local echo "USE_DH2=true" >> Makefile.inc.local
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
fi fi
if [ "$SWAN_VER" != "3.32" ]; then if [ "$SWAN_VER" != "3.32" ]; then
echo "USE_NSS_KDF=false" >> Makefile.inc.local echo "USE_NSS_KDF=false" >> Makefile.inc.local
echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local
fi fi
NPROCS=$(grep -c ^processor /proc/cpuinfo) NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1 [ -z "$NPROCS" ] && NPROCS=1
( (
set -x set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
) )
cd /opt/src || exit 1 cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build." exiterr "Libreswan $SWAN_VER failed to build."
fi fi
}
# Restore SELinux contexts restore_selinux() {
restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
}
bigecho "Updating VPN configuration..." update_config() {
bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" dns_state=0
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
dns_state=0 sed -i".old-$(date +%F-%T)" \
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \ -e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
-e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \ -e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \
@ -220,25 +209,28 @@ sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \ -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then if [ "$dns_state" = "1" ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \ sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf -e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then elif [ "$dns_state" = "2" ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi fi
sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi fi
}
bigecho "Restarting IPsec service..." restart_ipsec() {
bigecho "Restarting IPsec service..."
mkdir -p /run/pluto mkdir -p /run/pluto
service ipsec restart 2>/dev/null service ipsec restart 2>/dev/null
}
show_setup_complete() {
cat <<EOF cat <<EOF
================================================ ================================================
@ -249,7 +241,7 @@ Libreswan $SWAN_VER has been successfully installed!
EOF EOF
if [ "$dns_state" = "3" ]; then if [ "$dns_state" = "3" ]; then
cat <<'EOF' cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace IMPORTANT: You must edit /etc/ipsec.conf and replace
all occurrences of these two lines: all occurrences of these two lines:
@ -262,8 +254,44 @@ IMPORTANT: You must edit /etc/ipsec.conf and replace
Then run "sudo service ipsec restart". Then run "sudo service ipsec restart".
EOF EOF
fi fi
}
check_swan_ver() {
swan_ver_cur=4.4
swan_ver_url="https://dl.ls20.com/v1/amzn/2/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
[ "$1" != "0" ] && swan_ver_url="$swan_ver_url&e=$2"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
&& [ "$1" = "0" ] && [ "$swan_ver_cur" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
cat <<EOF
Note: A newer version of Libreswan ($swan_ver_latest) is available.
To update, run:
wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh
EOF
fi
}
finish() {
check_swan_ver "$1" "$2"
exit "$1"
}
vpnupgrade() {
check_root
check_os
check_libreswan
show_setup_info
start_setup
install_pkgs
get_libreswan
install_libreswan
restore_selinux
update_config
restart_ipsec
show_setup_complete
} }
## Defer setup until we have the complete script ## Defer setup until we have the complete script
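Review bot: `get_libreswan` in hunk `@ -118,100 +98,109 @@` unpacks whichever of the two downloads succeeded with `tar xzf`, running as root, without any integrity check (no digest or signature comparison), so a substituted or corrupted archive is built and installed silently; the same function appears in the CentOS/RHEL and Ubuntu/Debian scripts of this commit. A minimal guard before the `tar` line would be a per-version expected digest compared with `sha256sum -c`, e.g. `printf '%s  %s\n' "$swan_sha256" "$swan_file" | sha256sum -c - >/dev/null || exiterr "Checksum mismatch for $swan_file"`, bearing in mind that the GitHub archive and the download.libreswan.org tarball are likely not byte-identical, so each source needs its own expected value. Separately, `start_setup` installs an EXIT trap through which `finish` calls `check_swan_ver` on every exit path, and on a non-zero status that request to dl.ls20.com carries the failing line number in `&e=`; the `shellcheck disable` line suppresses the warnings but nothing explains this, so a comment above the two `trap` lines stating that the DEBUG trap records the last executed line and that the EXIT trap reports OS, architecture, version and (on error) that line to the update server would make the outbound behaviour visible to readers.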


@ -19,41 +19,45 @@ SWAN_VER=4.4
### DO NOT edit below this line ### ### DO NOT edit below this line ###
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER"
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'yum install' failed."; } exiterr2() { exiterr "'yum install' failed."; }
bigecho() { echo "## $1"; } bigecho() { echo "## $1"; }
vpnupgrade() { check_root() {
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
}
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER" check_vz() {
if [ -f /proc/user_beancounters ]; then
exiterr "OpenVZ VPS is not supported."
fi
}
os_type=centos check_os() {
os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-') os_type=centos
rh_file="/etc/redhat-release" os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-')
if grep -qs "Red Hat" "$rh_file"; then rh_file="/etc/redhat-release"
if grep -qs "Red Hat" "$rh_file"; then
os_type=rhel os_type=rhel
fi fi
if grep -qs "release 7" "$rh_file"; then if grep -qs "release 7" "$rh_file"; then
os_ver=7 os_ver=7
elif grep -qs "release 8" "$rh_file"; then elif grep -qs "release 8" "$rh_file"; then
os_ver=8 os_ver=8
grep -qi stream "$rh_file" && os_ver=8s grep -qi stream "$rh_file" && os_ver=8s
grep -qi rocky "$rh_file" && os_type=rocky grep -qi rocky "$rh_file" && os_type=rocky
grep -qi alma "$rh_file" && os_type=alma grep -qi alma "$rh_file" && os_type=alma
else else
exiterr "This script only supports CentOS/RHEL 7 and 8." exiterr "This script only supports CentOS/RHEL 7 and 8."
fi fi
}
if [ -f /proc/user_beancounters ]; then check_libreswan() {
exiterr "OpenVZ VPS is not supported." case $SWAN_VER in
fi
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
case $SWAN_VER in
3.32|4.[1234]) 3.32|4.[1234])
true true
;; ;;
@ -65,28 +69,24 @@ Error: Libreswan version '$SWAN_VER' is not supported.
EOF EOF
exit 1 exit 1
;; ;;
esac esac
ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null) ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
swan_ver_old=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//') swan_ver_old=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//')
if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
Error: This script requires Libreswan already installed. Error: This script requires Libreswan already installed.
See: https://github.com/hwdsl2/setup-ipsec-vpn See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF EOF
exit 1 exit 1
fi fi
swan_ver_cur=4.4 if [ "$swan_ver_old" = "$SWAN_VER" ]; then
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER" cat <<EOF
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url") You already have Libreswan version $SWAN_VER installed!
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \ If you continue, the same version will be re-installed.
&& [ "$swan_ver_cur" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then EOF
echo "Note: A newer version of Libreswan ($swan_ver_latest) is available."
echo " To update to the new version, exit this script and run:"
echo " wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh"
echo
printf "Do you want to continue anyway? [y/N] " printf "Do you want to continue anyway? [y/N] "
read -r response read -r response
case $response in case $response in
@ -98,25 +98,10 @@ if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|
exit 1 exit 1
;; ;;
esac esac
fi fi
}
if [ "$swan_ver_old" = "$SWAN_VER" ]; then
echo "You already have Libreswan version $SWAN_VER installed! "
echo "If you continue, the same version will be re-installed."
echo
printf "Do you want to continue anyway? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
;;
*)
echo "Abort. No changes were made."
exit 1
;;
esac
fi
show_setup_info() {
cat <<EOF cat <<EOF
Welcome! Use this script to update Libreswan on your IPsec VPN server. Welcome! Use this script to update Libreswan on your IPsec VPN server.
@ -124,9 +109,6 @@ Welcome! Use this script to update Libreswan on your IPsec VPN server.
Current version: Libreswan $swan_ver_old Current version: Libreswan $swan_ver_old
Version to install: Libreswan $SWAN_VER Version to install: Libreswan $SWAN_VER
EOF
cat <<'EOF'
Note: This script will make the following changes to your VPN configuration: Note: This script will make the following changes to your VPN configuration:
- Fix obsolete ipsec.conf and/or ikev2.conf options - Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers - Optimize VPN ciphers
@ -134,117 +116,127 @@ Note: This script will make the following changes to your VPN configuration:
EOF EOF
if [ "$SWAN_VER" != "4.4" ]; then if [ "$SWAN_VER" != "4.4" ]; then
cat <<'EOF' cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities. WARNING: Older versions of Libreswan could contain known security vulnerabilities.
See https://libreswan.org/security/ for more information. See https://libreswan.org/security/ for more information.
Are you sure you want to install an older version? Are you sure you want to install an older version?
EOF EOF
fi fi
printf "Do you want to continue? [y/N] " printf "Do you want to continue? [y/N] "
read -r response read -r response
case $response in case $response in
[yY][eE][sS]|[yY]) [yY][eE][sS]|[yY])
echo echo
bigecho "Please be patient. Setup is continuing..."
;; ;;
*) *)
echo "Abort. No changes were made." echo "Abort. No changes were made."
exit 1 exit 1
;; ;;
esac esac
}
mkdir -p /opt/src # shellcheck disable=SC2154,SC2039,SC3047
cd /opt/src || exit 1 start_setup() {
trap 'dlo=$dl;dl=$LINENO' DEBUG 2>/dev/null
trap 'finish $? $((dlo+1))' EXIT
mkdir -p /opt/src
cd /opt/src || exit 1
}
bigecho "Installing required packages..." install_pkgs_1() {
bigecho "Installing required packages..."
( (
set -x set -x
yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \ yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel nss-tools \ libcap-ng-devel libselinux-devel curl-devel nss-tools \
flex bison gcc make wget sed tar >/dev/null flex bison gcc make wget sed tar >/dev/null
) || exiterr2 ) || exiterr2
}
erp="--enablerepo" install_pkgs_2() {
rp1="$erp=*server-*optional*" erp="--enablerepo"
rp2="$erp=*releases-optional*" rp1="$erp=*server-*optional*"
rp3="$erp=[Pp]ower[Tt]ools" rp2="$erp=*releases-optional*"
[ "$os_type" = "rhel" ] && rp3="$erp=codeready-builder-for-rhel-8-*" rp3="$erp=[Pp]ower[Tt]ools"
[ "$os_type" = "rhel" ] && rp3="$erp=codeready-builder-for-rhel-8-*"
if [ "$os_ver" = "7" ]; then if [ "$os_ver" = "7" ]; then
( (
set -x set -x
yum "$rp1" "$rp2" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null yum "$rp1" "$rp2" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
) || exiterr2 ) || exiterr2
else else
( (
set -x set -x
yum "$rp3" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null yum "$rp3" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
) || exiterr2 ) || exiterr2
fi fi
}
bigecho "Downloading Libreswan..." get_libreswan() {
bigecho "Downloading Libreswan..."
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
( (
set -x set -x
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2" wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1 ) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file" tar xzf "$swan_file" && /bin/rm -f "$swan_file"
}
bigecho "Compiling and installing Libreswan, please wait..." install_libreswan() {
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1 cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in [ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w -s WERROR_CFLAGS=-w -s
USE_DNSSEC=false USE_DNSSEC=false
EOF EOF
echo "USE_DH2=true" >> Makefile.inc.local echo "USE_DH2=true" >> Makefile.inc.local
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
fi fi
if [ "$SWAN_VER" != "3.32" ]; then if [ "$SWAN_VER" != "3.32" ]; then
echo "USE_NSS_KDF=false" >> Makefile.inc.local echo "USE_NSS_KDF=false" >> Makefile.inc.local
echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local
fi fi
NPROCS=$(grep -c ^processor /proc/cpuinfo) NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1 [ -z "$NPROCS" ] && NPROCS=1
( (
set -x set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
) )
cd /opt/src || exit 1 cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build." exiterr "Libreswan $SWAN_VER failed to build."
fi fi
}
# Restore SELinux contexts restore_selinux() {
restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
}
bigecho "Updating VPN configuration..." update_config() {
bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" dns_state=0
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
dns_state=0 sed -i".old-$(date +%F-%T)" \
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \ -e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
-e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \ -e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \
@ -253,25 +245,28 @@ sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \ -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then if [ "$dns_state" = "1" ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \ sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf -e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then elif [ "$dns_state" = "2" ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi fi
sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi fi
}
bigecho "Restarting IPsec service..." restart_ipsec() {
bigecho "Restarting IPsec service..."
mkdir -p /run/pluto mkdir -p /run/pluto
service ipsec restart 2>/dev/null service ipsec restart 2>/dev/null
}
show_setup_complete() {
cat <<EOF cat <<EOF
================================================ ================================================
@ -282,7 +277,7 @@ Libreswan $SWAN_VER has been successfully installed!
EOF EOF
if [ "$dns_state" = "3" ]; then if [ "$dns_state" = "3" ]; then
cat <<'EOF' cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace IMPORTANT: You must edit /etc/ipsec.conf and replace
all occurrences of these two lines: all occurrences of these two lines:
@ -295,8 +290,46 @@ IMPORTANT: You must edit /etc/ipsec.conf and replace
Then run "sudo service ipsec restart". Then run "sudo service ipsec restart".
EOF EOF
fi fi
}
check_swan_ver() {
swan_ver_cur=4.4
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
[ "$1" != "0" ] && swan_ver_url="$swan_ver_url&e=$2"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
&& [ "$1" = "0" ] && [ "$swan_ver_cur" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
cat <<EOF
Note: A newer version of Libreswan ($swan_ver_latest) is available.
To update, run:
wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh
EOF
fi
}
finish() {
check_swan_ver "$1" "$2"
exit "$1"
}
vpnupgrade() {
check_root
check_vz
check_os
check_libreswan
show_setup_info
start_setup
install_pkgs_1
install_pkgs_2
get_libreswan
install_libreswan
restore_selinux
update_config
restart_ipsec
show_setup_complete
} }
## Defer setup until we have the complete script ## Defer setup until we have the complete script
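Review bot: After the split into functions in hunk `@ -134,117 +116,127 @@`, `install_pkgs_2` and `check_swan_ver` read `os_type` and `os_ver`, which are only assigned inside `check_os`, and `show_setup_complete` reads `dns_state`, which is only assigned inside `update_config`, so each function is correct only when `vpnupgrade` invokes them in exactly the listed order, and none of this is stated. A one-line header on each dependent function, e.g. `# Requires: os_type, os_ver (set by check_os)` above `install_pkgs_2` and `# Requires: dns_state (set by update_config)` above `show_setup_complete`, plus a comment above `vpnupgrade` noting that the call order is significant, would make the coupling explicit. The same implicit-global pattern exists in the Amazon Linux script for `os_arch`, `swan_ver_old` and `dns_state`.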


@ -19,19 +19,29 @@ SWAN_VER=4.4
### DO NOT edit below this line ### ### DO NOT edit below this line ###
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER"
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'apt-get install' failed."; } exiterr2() { exiterr "'apt-get install' failed."; }
bigecho() { echo "## $1"; } bigecho() { echo "## $1"; }
vpnupgrade() { check_root() {
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
}
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER" check_vz() {
if [ -f /proc/user_beancounters ]; then
exiterr "OpenVZ VPS is not supported."
fi
}
os_type=$(lsb_release -si 2>/dev/null) check_os() {
os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-') os_type=$(lsb_release -si 2>/dev/null)
[ -z "$os_type" ] && [ -f /etc/os-release ] && os_type=$(. /etc/os-release && printf '%s' "$ID") os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-')
case $os_type in [ -z "$os_type" ] && [ -f /etc/os-release ] && os_type=$(. /etc/os-release && printf '%s' "$ID")
case $os_type in
[Uu]buntu) [Uu]buntu)
os_type=ubuntu os_type=ubuntu
;; ;;
@ -44,22 +54,15 @@ case $os_type in
*) *)
exiterr "This script only supports Ubuntu and Debian." exiterr "This script only supports Ubuntu and Debian."
;; ;;
esac esac
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9') if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then
exiterr "Debian 8 or Ubuntu < 16.04 is not supported." exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
fi fi
}
if [ -f /proc/user_beancounters ]; then check_libreswan() {
exiterr "OpenVZ VPS is not supported." case $SWAN_VER in
fi
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
case $SWAN_VER in
3.32|4.[1234]) 3.32|4.[1234])
true true
;; ;;
@ -71,32 +74,28 @@ Error: Libreswan version '$SWAN_VER' is not supported.
EOF EOF
exit 1 exit 1
;; ;;
esac esac
if [ "$SWAN_VER" = "3.32" ] && [ "$os_ver" = "11" ]; then if [ "$SWAN_VER" = "3.32" ] && [ "$os_ver" = "11" ]; then
exiterr "Libreswan 3.32 is not supported on Debian 11." exiterr "Libreswan 3.32 is not supported on Debian 11."
fi fi
ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null) ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
swan_ver_old=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//') swan_ver_old=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//')
if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
Error: This script requires Libreswan already installed. Error: This script requires Libreswan already installed.
See: https://github.com/hwdsl2/setup-ipsec-vpn See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF EOF
exit 1 exit 1
fi fi
swan_ver_cur=4.4 if [ "$swan_ver_old" = "$SWAN_VER" ]; then
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER" cat <<EOF
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url") You already have Libreswan version $SWAN_VER installed!
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \ If you continue, the same version will be re-installed.
&& [ "$swan_ver_cur" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then EOF
echo "Note: A newer version of Libreswan ($swan_ver_latest) is available."
echo " To update to the new version, exit this script and run:"
echo " wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh"
echo
printf "Do you want to continue anyway? [y/N] " printf "Do you want to continue anyway? [y/N] "
read -r response read -r response
case $response in case $response in
@ -108,25 +107,10 @@ if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|
exit 1 exit 1
;; ;;
esac esac
fi fi
}
if [ "$swan_ver_old" = "$SWAN_VER" ]; then
echo "You already have Libreswan version $SWAN_VER installed! "
echo "If you continue, the same version will be re-installed."
echo
printf "Do you want to continue anyway? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
;;
*)
echo "Abort. No changes were made."
exit 1
;;
esac
fi
show_setup_info() {
cat <<EOF cat <<EOF
Welcome! Use this script to update Libreswan on your IPsec VPN server. Welcome! Use this script to update Libreswan on your IPsec VPN server.
@ -134,9 +118,6 @@ Welcome! Use this script to update Libreswan on your IPsec VPN server.
Current version: Libreswan $swan_ver_old Current version: Libreswan $swan_ver_old
Version to install: Libreswan $SWAN_VER Version to install: Libreswan $SWAN_VER
EOF
cat <<'EOF'
Note: This script will make the following changes to your VPN configuration: Note: This script will make the following changes to your VPN configuration:
- Fix obsolete ipsec.conf and/or ikev2.conf options - Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers - Optimize VPN ciphers
@ -144,114 +125,125 @@ Note: This script will make the following changes to your VPN configuration:
EOF EOF
if [ "$SWAN_VER" != "4.4" ]; then if [ "$SWAN_VER" != "4.4" ]; then
cat <<'EOF' cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities. WARNING: Older versions of Libreswan could contain known security vulnerabilities.
See https://libreswan.org/security/ for more information. See https://libreswan.org/security/ for more information.
Are you sure you want to install an older version? Are you sure you want to install an older version?
EOF EOF
fi fi
printf "Do you want to continue? [y/N] " printf "Do you want to continue? [y/N] "
read -r response read -r response
case $response in case $response in
[yY][eE][sS]|[yY]) [yY][eE][sS]|[yY])
echo echo
bigecho "Please be patient. Setup is continuing..."
;; ;;
*) *)
echo "Abort. No changes were made." echo "Abort. No changes were made."
exit 1 exit 1
;; ;;
esac esac
}
mkdir -p /opt/src # shellcheck disable=SC2154,SC2039,SC3047
cd /opt/src || exit 1 start_setup() {
trap 'dlo=$dl;dl=$LINENO' DEBUG 2>/dev/null
trap 'finish $? $((dlo+1))' EXIT
mkdir -p /opt/src
cd /opt/src || exit 1
}
bigecho "Installing required packages..." install_pkgs_1() {
bigecho "Installing required packages..."
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
( (
set -x set -x
apt-get -yqq update apt-get -yqq update
) || exiterr "'apt-get update' failed." ) || exiterr "'apt-get update' failed."
( }
install_pkgs_2() {
(
set -x set -x
apt-get -yqq install libnss3-dev libnspr4-dev pkg-config \ apt-get -yqq install libnss3-dev libnspr4-dev pkg-config \
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \ libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev libnss3-tools libevent-dev libsystemd-dev \ libcurl4-nss-dev libnss3-tools libevent-dev libsystemd-dev \
flex bison gcc make wget sed >/dev/null flex bison gcc make wget sed >/dev/null
) || exiterr2 ) || exiterr2
}
bigecho "Downloading Libreswan..." get_libreswan() {
bigecho "Downloading Libreswan..."
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
( (
set -x set -x
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2" wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1 ) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file" tar xzf "$swan_file" && /bin/rm -f "$swan_file"
}
bigecho "Compiling and installing Libreswan, please wait..." install_libreswan() {
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1 cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in [ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w -s WERROR_CFLAGS=-w -s
USE_DNSSEC=false USE_DNSSEC=false
EOF EOF
if [ "$SWAN_VER" = "3.32" ] || ! grep -qs 'VERSION_CODENAME=' /etc/os-release; then if [ "$SWAN_VER" = "3.32" ] || ! grep -qs 'VERSION_CODENAME=' /etc/os-release; then
cat >> Makefile.inc.local <<'EOF' cat >> Makefile.inc.local <<'EOF'
USE_DH31=false USE_DH31=false
USE_NSS_AVA_COPY=true USE_NSS_AVA_COPY=true
USE_NSS_IPSEC_PROFILE=false USE_NSS_IPSEC_PROFILE=false
USE_GLIBC_KERN_FLIP_HEADERS=true USE_GLIBC_KERN_FLIP_HEADERS=true
EOF EOF
fi fi
echo "USE_DH2=true" >> Makefile.inc.local echo "USE_DH2=true" >> Makefile.inc.local
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
fi fi
if [ "$SWAN_VER" != "3.32" ]; then if [ "$SWAN_VER" != "3.32" ]; then
echo "USE_NSS_KDF=false" >> Makefile.inc.local echo "USE_NSS_KDF=false" >> Makefile.inc.local
echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local
fi fi
NPROCS=$(grep -c ^processor /proc/cpuinfo) NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1 [ -z "$NPROCS" ] && NPROCS=1
( (
set -x set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
) )
cd /opt/src || exit 1 cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build." exiterr "Libreswan $SWAN_VER failed to build."
fi fi
}
bigecho "Updating VPN configuration..." update_config() {
bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" if uname -m | grep -qi '^arm'; then
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
if uname -m | grep -qi '^arm'; then
if ! modprobe -q sha512; then if ! modprobe -q sha512; then
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2" PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2"
fi fi
fi fi
dns_state=0 dns_state=0
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2 [ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3 [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
sed -i".old-$(date +%F-%T)" \ sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \ -e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
-e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \ -e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \
@ -260,25 +252,28 @@ sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \ -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then if [ "$dns_state" = "1" ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \ sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf -e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then elif [ "$dns_state" = "2" ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi fi
sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi fi
}
bigecho "Restarting IPsec service..." restart_ipsec() {
bigecho "Restarting IPsec service..."
mkdir -p /run/pluto mkdir -p /run/pluto
service ipsec restart 2>/dev/null service ipsec restart 2>/dev/null
}
show_setup_complete() {
cat <<EOF cat <<EOF
================================================ ================================================
@ -289,7 +284,7 @@ Libreswan $SWAN_VER has been successfully installed!
EOF EOF
if [ "$dns_state" = "3" ]; then if [ "$dns_state" = "3" ]; then
cat <<'EOF' cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace IMPORTANT: You must edit /etc/ipsec.conf and replace
all occurrences of these two lines: all occurrences of these two lines:
@ -302,8 +297,45 @@ IMPORTANT: You must edit /etc/ipsec.conf and replace
Then run "sudo service ipsec restart". Then run "sudo service ipsec restart".
EOF EOF
fi fi
}
check_swan_ver() {
swan_ver_cur=4.4
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
[ "$1" != "0" ] && swan_ver_url="$swan_ver_url&e=$2"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
&& [ "$1" = "0" ] && [ "$swan_ver_cur" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
cat <<EOF
Note: A newer version of Libreswan ($swan_ver_latest) is available.
To update, run:
wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh
EOF
fi
}
finish() {
check_swan_ver "$1" "$2"
exit "$1"
}
vpnupgrade() {
check_root
check_vz
check_os
check_libreswan
show_setup_info
start_setup
install_pkgs_1
install_pkgs_2
get_libreswan
install_libreswan
update_config
restart_ipsec
show_setup_complete
} }
## Defer setup until we have the complete script ## Defer setup until we have the complete script