
Improve update scripts

- Refactor VPN update scripts into functions
- Cleanup
This commit is contained in:
hwdsl2 2021-08-22 00:43:14 -05:00
parent 665349336d
commit 52216d8f59
3 changed files with 639 additions and 546 deletions


@ -19,88 +19,71 @@ SWAN_VER=4.4
### DO NOT edit below this line ### ### DO NOT edit below this line ###
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER"
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'yum install' failed."; } exiterr2() { exiterr "'yum install' failed."; }
bigecho() { echo "## $1"; } bigecho() { echo "## $1"; }
vpnupgrade() { check_root() {
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
}
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER" check_os() {
os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-')
if ! grep -qs "Amazon Linux release 2" /etc/system-release; then
exiterr "This script only supports Amazon Linux 2."
fi
}
os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-') check_libreswan() {
if ! grep -qs "Amazon Linux release 2" /etc/system-release; then case $SWAN_VER in
exiterr "This script only supports Amazon Linux 2." 3.32|4.[1234])
fi true
;;
if [ "$(id -u)" != 0 ]; then *)
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
case $SWAN_VER in
3.32|4.[1234])
true
;;
*)
cat 1>&2 <<EOF cat 1>&2 <<EOF
Error: Libreswan version '$SWAN_VER' is not supported. Error: Libreswan version '$SWAN_VER' is not supported.
This script can install one of these versions: This script can install one of these versions:
3.32, 4.1-4.3 or 4.4 3.32, 4.1-4.3 or 4.4
EOF EOF
exit 1 exit 1
;; ;;
esac esac
ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null) ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
swan_ver_old=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//') swan_ver_old=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//')
if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
Error: This script requires Libreswan already installed. Error: This script requires Libreswan already installed.
See: https://github.com/hwdsl2/setup-ipsec-vpn See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF EOF
exit 1 exit 1
fi fi
swan_ver_cur=4.4 if [ "$swan_ver_old" = "$SWAN_VER" ]; then
swan_ver_url="https://dl.ls20.com/v1/amzn/2/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER" cat <<EOF
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url") You already have Libreswan version $SWAN_VER installed!
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \ If you continue, the same version will be re-installed.
&& [ "$swan_ver_cur" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
echo "Note: A newer version of Libreswan ($swan_ver_latest) is available."
echo " To update to the new version, exit this script and run:"
echo " wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh"
echo
printf "Do you want to continue anyway? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
;;
*)
echo "Abort. No changes were made."
exit 1
;;
esac
fi
if [ "$swan_ver_old" = "$SWAN_VER" ]; then EOF
echo "You already have Libreswan version $SWAN_VER installed! " printf "Do you want to continue anyway? [y/N] "
echo "If you continue, the same version will be re-installed." read -r response
echo case $response in
printf "Do you want to continue anyway? [y/N] " [yY][eE][sS]|[yY])
read -r response echo
case $response in ;;
[yY][eE][sS]|[yY]) *)
echo echo "Abort. No changes were made."
;; exit 1
*) ;;
echo "Abort. No changes were made." esac
exit 1 fi
;; }
esac
fi
show_setup_info() {
cat <<EOF cat <<EOF
Welcome! Use this script to update Libreswan on your IPsec VPN server. Welcome! Use this script to update Libreswan on your IPsec VPN server.
@ -108,9 +91,6 @@ Welcome! Use this script to update Libreswan on your IPsec VPN server.
Current version: Libreswan $swan_ver_old Current version: Libreswan $swan_ver_old
Version to install: Libreswan $SWAN_VER Version to install: Libreswan $SWAN_VER
EOF
cat <<'EOF'
Note: This script will make the following changes to your VPN configuration: Note: This script will make the following changes to your VPN configuration:
- Fix obsolete ipsec.conf and/or ikev2.conf options - Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers - Optimize VPN ciphers
@ -118,127 +98,139 @@ Note: This script will make the following changes to your VPN configuration:
EOF EOF
if [ "$SWAN_VER" != "4.4" ]; then if [ "$SWAN_VER" != "4.4" ]; then
cat <<'EOF' cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities. WARNING: Older versions of Libreswan could contain known security vulnerabilities.
See https://libreswan.org/security/ for more information. See https://libreswan.org/security/ for more information.
Are you sure you want to install an older version? Are you sure you want to install an older version?
EOF EOF
fi fi
printf "Do you want to continue? [y/N] " printf "Do you want to continue? [y/N] "
read -r response read -r response
case $response in case $response in
[yY][eE][sS]|[yY]) [yY][eE][sS]|[yY])
echo echo
bigecho "Please be patient. Setup is continuing..." ;;
;; *)
*) echo "Abort. No changes were made."
echo "Abort. No changes were made." exit 1
exit 1 ;;
;; esac
esac }
mkdir -p /opt/src # shellcheck disable=SC2154,SC2039,SC3047
cd /opt/src || exit 1 start_setup() {
trap 'dlo=$dl;dl=$LINENO' DEBUG 2>/dev/null
trap 'finish $? $((dlo+1))' EXIT
mkdir -p /opt/src
cd /opt/src || exit 1
}
bigecho "Installing required packages..." install_pkgs() {
bigecho "Installing required packages..."
(
set -x
yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel nss-tools \
flex bison gcc make wget sed tar \
systemd-devel libevent-devel fipscheck-devel >/dev/null
) || exiterr2
}
( get_libreswan() {
set -x bigecho "Downloading Libreswan..."
yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \ swan_file="libreswan-$SWAN_VER.tar.gz"
libcap-ng-devel libselinux-devel curl-devel nss-tools \ swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
flex bison gcc make wget sed tar \ swan_url2="https://download.libreswan.org/$swan_file"
systemd-devel libevent-devel fipscheck-devel >/dev/null (
) || exiterr2 set -x
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
}
bigecho "Downloading Libreswan..." install_libreswan() {
bigecho "Compiling and installing Libreswan, please wait..."
swan_file="libreswan-$SWAN_VER.tar.gz" cd "libreswan-$SWAN_VER" || exit 1
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" [ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
swan_url2="https://download.libreswan.org/$swan_file"
(
set -x
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w -s WERROR_CFLAGS=-w -s
USE_DNSSEC=false USE_DNSSEC=false
EOF EOF
echo "USE_DH2=true" >> Makefile.inc.local echo "USE_DH2=true" >> Makefile.inc.local
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
fi fi
if [ "$SWAN_VER" != "3.32" ]; then if [ "$SWAN_VER" != "3.32" ]; then
echo "USE_NSS_KDF=false" >> Makefile.inc.local echo "USE_NSS_KDF=false" >> Makefile.inc.local
echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local
fi fi
NPROCS=$(grep -c ^processor /proc/cpuinfo) NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1 [ -z "$NPROCS" ] && NPROCS=1
( (
set -x set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
) )
cd /opt/src || exit 1 cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build." exiterr "Libreswan $SWAN_VER failed to build."
fi fi
}
# Restore SELinux contexts restore_selinux() {
restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
}
bigecho "Updating VPN configuration..." update_config() {
bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" dns_state=0
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
dns_state=0 sed -i".old-$(date +%F-%T)" \
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) -e "s/^[[:space:]]\+auth=/ phase2=/" \
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
[ -n "$DNS_SRV1" ] && dns_state=2 -e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 -e "s/^[[:space:]]\+sha2_truncbug=/ sha2-truncbug=/" \
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3 -e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
sed -i".old-$(date +%F-%T)" \ if [ "$dns_state" = "1" ]; then
-e "s/^[[:space:]]\+auth=/ phase2=/" \ sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ -e "/modecfgdns2=/d" /etc/ipsec.conf
-e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \ elif [ "$dns_state" = "2" ]; then
-e "s/^[[:space:]]\+sha2_truncbug=/ sha2-truncbug=/" \ sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \ fi
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \ sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
-e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi
sed -i "/ikev2=never/d" /etc/ipsec.conf if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi
}
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then restart_ipsec() {
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf bigecho "Restarting IPsec service..."
fi mkdir -p /run/pluto
service ipsec restart 2>/dev/null
bigecho "Restarting IPsec service..." }
mkdir -p /run/pluto
service ipsec restart 2>/dev/null
show_setup_complete() {
cat <<EOF cat <<EOF
================================================ ================================================
@ -249,7 +241,7 @@ Libreswan $SWAN_VER has been successfully installed!
EOF EOF
if [ "$dns_state" = "3" ]; then if [ "$dns_state" = "3" ]; then
cat <<'EOF' cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace IMPORTANT: You must edit /etc/ipsec.conf and replace
all occurrences of these two lines: all occurrences of these two lines:
@ -262,8 +254,44 @@ IMPORTANT: You must edit /etc/ipsec.conf and replace
Then run "sudo service ipsec restart". Then run "sudo service ipsec restart".
EOF EOF
fi fi
}
check_swan_ver() {
swan_ver_cur=4.4
swan_ver_url="https://dl.ls20.com/v1/amzn/2/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
[ "$1" != "0" ] && swan_ver_url="$swan_ver_url&e=$2"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
&& [ "$1" = "0" ] && [ "$swan_ver_cur" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
cat <<EOF
Note: A newer version of Libreswan ($swan_ver_latest) is available.
To update, run:
wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh
EOF
fi
}
finish() {
check_swan_ver "$1" "$2"
exit "$1"
}
vpnupgrade() {
check_root
check_os
check_libreswan
show_setup_info
start_setup
install_pkgs
get_libreswan
install_libreswan
restore_selinux
update_config
restart_ipsec
show_setup_complete
} }
## Defer setup until we have the complete script ## Defer setup until we have the complete script
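Review bot: In `install_libreswan` the build subshell around `make "-j$((NPROCS+1))" -s base ... && make -s install-base` has no `|| exiterr`, so a failed build is only detected afterwards by grepping `ipsec --version` for `$SWAN_VER`; because `check_libreswan` explicitly allows re-installing the version already present, the old binary still matches in that case, the failure goes unnoticed, and the script goes on to rewrite /etc/ipsec.conf and restart the service. Changing the closing `)` to `) || exiterr "Libreswan $SWAN_VER failed to build."` makes the check independent of the version string changing. The same subshell appears unchanged in the CentOS/RHEL file section below. Relatedly, `get_libreswan` runs `tar xzf` on the fetched archive and the result is built and installed as root without any checksum or signature verification; pinning per-version digests (e.g. `swan_sha256=<EXPECTED_DIGEST_PLACEHOLDER>` checked with `sha256sum -c` before extraction) or verifying a detached signature would close that gap.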


@ -19,104 +19,89 @@ SWAN_VER=4.4
### DO NOT edit below this line ### ### DO NOT edit below this line ###
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER"
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'yum install' failed."; } exiterr2() { exiterr "'yum install' failed."; }
bigecho() { echo "## $1"; } bigecho() { echo "## $1"; }
vpnupgrade() { check_root() {
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
}
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER" check_vz() {
if [ -f /proc/user_beancounters ]; then
exiterr "OpenVZ VPS is not supported."
fi
}
os_type=centos check_os() {
os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-') os_type=centos
rh_file="/etc/redhat-release" os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-')
if grep -qs "Red Hat" "$rh_file"; then rh_file="/etc/redhat-release"
os_type=rhel if grep -qs "Red Hat" "$rh_file"; then
fi os_type=rhel
if grep -qs "release 7" "$rh_file"; then fi
os_ver=7 if grep -qs "release 7" "$rh_file"; then
elif grep -qs "release 8" "$rh_file"; then os_ver=7
os_ver=8 elif grep -qs "release 8" "$rh_file"; then
grep -qi stream "$rh_file" && os_ver=8s os_ver=8
grep -qi rocky "$rh_file" && os_type=rocky grep -qi stream "$rh_file" && os_ver=8s
grep -qi alma "$rh_file" && os_type=alma grep -qi rocky "$rh_file" && os_type=rocky
else grep -qi alma "$rh_file" && os_type=alma
exiterr "This script only supports CentOS/RHEL 7 and 8." else
fi exiterr "This script only supports CentOS/RHEL 7 and 8."
fi
}
if [ -f /proc/user_beancounters ]; then check_libreswan() {
exiterr "OpenVZ VPS is not supported." case $SWAN_VER in
fi 3.32|4.[1234])
true
if [ "$(id -u)" != 0 ]; then ;;
exiterr "Script must be run as root. Try 'sudo sh $0'" *)
fi
case $SWAN_VER in
3.32|4.[1234])
true
;;
*)
cat 1>&2 <<EOF cat 1>&2 <<EOF
Error: Libreswan version '$SWAN_VER' is not supported. Error: Libreswan version '$SWAN_VER' is not supported.
This script can install one of these versions: This script can install one of these versions:
3.32, 4.1-4.3 or 4.4 3.32, 4.1-4.3 or 4.4
EOF EOF
exit 1 exit 1
;; ;;
esac esac
ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null) ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
swan_ver_old=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//') swan_ver_old=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//')
if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
Error: This script requires Libreswan already installed. Error: This script requires Libreswan already installed.
See: https://github.com/hwdsl2/setup-ipsec-vpn See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF EOF
exit 1 exit 1
fi fi
swan_ver_cur=4.4 if [ "$swan_ver_old" = "$SWAN_VER" ]; then
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER" cat <<EOF
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url") You already have Libreswan version $SWAN_VER installed!
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \ If you continue, the same version will be re-installed.
&& [ "$swan_ver_cur" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
echo "Note: A newer version of Libreswan ($swan_ver_latest) is available."
echo " To update to the new version, exit this script and run:"
echo " wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh"
echo
printf "Do you want to continue anyway? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
;;
*)
echo "Abort. No changes were made."
exit 1
;;
esac
fi
if [ "$swan_ver_old" = "$SWAN_VER" ]; then EOF
echo "You already have Libreswan version $SWAN_VER installed! " printf "Do you want to continue anyway? [y/N] "
echo "If you continue, the same version will be re-installed." read -r response
echo case $response in
printf "Do you want to continue anyway? [y/N] " [yY][eE][sS]|[yY])
read -r response echo
case $response in ;;
[yY][eE][sS]|[yY]) *)
echo echo "Abort. No changes were made."
;; exit 1
*) ;;
echo "Abort. No changes were made." esac
exit 1 fi
;; }
esac
fi
show_setup_info() {
cat <<EOF cat <<EOF
Welcome! Use this script to update Libreswan on your IPsec VPN server. Welcome! Use this script to update Libreswan on your IPsec VPN server.
@ -124,9 +109,6 @@ Welcome! Use this script to update Libreswan on your IPsec VPN server.
Current version: Libreswan $swan_ver_old Current version: Libreswan $swan_ver_old
Version to install: Libreswan $SWAN_VER Version to install: Libreswan $SWAN_VER
EOF
cat <<'EOF'
Note: This script will make the following changes to your VPN configuration: Note: This script will make the following changes to your VPN configuration:
- Fix obsolete ipsec.conf and/or ikev2.conf options - Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers - Optimize VPN ciphers
@ -134,144 +116,157 @@ Note: This script will make the following changes to your VPN configuration:
EOF EOF
if [ "$SWAN_VER" != "4.4" ]; then if [ "$SWAN_VER" != "4.4" ]; then
cat <<'EOF' cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities. WARNING: Older versions of Libreswan could contain known security vulnerabilities.
See https://libreswan.org/security/ for more information. See https://libreswan.org/security/ for more information.
Are you sure you want to install an older version? Are you sure you want to install an older version?
EOF EOF
fi fi
printf "Do you want to continue? [y/N] " printf "Do you want to continue? [y/N] "
read -r response read -r response
case $response in case $response in
[yY][eE][sS]|[yY]) [yY][eE][sS]|[yY])
echo echo
bigecho "Please be patient. Setup is continuing..." ;;
;; *)
*) echo "Abort. No changes were made."
echo "Abort. No changes were made." exit 1
exit 1 ;;
;; esac
esac }
mkdir -p /opt/src # shellcheck disable=SC2154,SC2039,SC3047
cd /opt/src || exit 1 start_setup() {
trap 'dlo=$dl;dl=$LINENO' DEBUG 2>/dev/null
trap 'finish $? $((dlo+1))' EXIT
mkdir -p /opt/src
cd /opt/src || exit 1
}
bigecho "Installing required packages..." install_pkgs_1() {
bigecho "Installing required packages..."
(
set -x
yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel nss-tools \
flex bison gcc make wget sed tar >/dev/null
) || exiterr2
erp="--enablerepo"
rp1="$erp=*server-*optional*"
rp2="$erp=*releases-optional*"
rp3="$erp=[Pp]ower[Tt]ools"
[ "$os_type" = "rhel" ] && rp3="$erp=codeready-builder-for-rhel-8-*"
if [ "$os_ver" = "7" ]; then
( (
set -x set -x
yum "$rp1" "$rp2" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel nss-tools \
flex bison gcc make wget sed tar >/dev/null
) || exiterr2 ) || exiterr2
else }
install_pkgs_2() {
erp="--enablerepo"
rp1="$erp=*server-*optional*"
rp2="$erp=*releases-optional*"
rp3="$erp=[Pp]ower[Tt]ools"
[ "$os_type" = "rhel" ] && rp3="$erp=codeready-builder-for-rhel-8-*"
if [ "$os_ver" = "7" ]; then
(
set -x
yum "$rp1" "$rp2" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
) || exiterr2
else
(
set -x
yum "$rp3" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
) || exiterr2
fi
}
get_libreswan() {
bigecho "Downloading Libreswan..."
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
( (
set -x set -x
yum "$rp3" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exiterr2 ) || exit 1
fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
}
bigecho "Downloading Libreswan..." install_libreswan() {
bigecho "Compiling and installing Libreswan, please wait..."
swan_file="libreswan-$SWAN_VER.tar.gz" cd "libreswan-$SWAN_VER" || exit 1
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" [ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
swan_url2="https://download.libreswan.org/$swan_file"
(
set -x
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w -s WERROR_CFLAGS=-w -s
USE_DNSSEC=false USE_DNSSEC=false
EOF EOF
echo "USE_DH2=true" >> Makefile.inc.local echo "USE_DH2=true" >> Makefile.inc.local
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
fi fi
if [ "$SWAN_VER" != "3.32" ]; then if [ "$SWAN_VER" != "3.32" ]; then
echo "USE_NSS_KDF=false" >> Makefile.inc.local echo "USE_NSS_KDF=false" >> Makefile.inc.local
echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local
fi fi
NPROCS=$(grep -c ^processor /proc/cpuinfo) NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1 [ -z "$NPROCS" ] && NPROCS=1
( (
set -x set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
) )
cd /opt/src || exit 1 cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build." exiterr "Libreswan $SWAN_VER failed to build."
fi fi
}
# Restore SELinux contexts restore_selinux() {
restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
}
bigecho "Updating VPN configuration..." update_config() {
bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" dns_state=0
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
dns_state=0 sed -i".old-$(date +%F-%T)" \
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) -e "s/^[[:space:]]\+auth=/ phase2=/" \
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
[ -n "$DNS_SRV1" ] && dns_state=2 -e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 -e "s/^[[:space:]]\+sha2_truncbug=/ sha2-truncbug=/" \
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3 -e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
sed -i".old-$(date +%F-%T)" \ if [ "$dns_state" = "1" ]; then
-e "s/^[[:space:]]\+auth=/ phase2=/" \ sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ -e "/modecfgdns2=/d" /etc/ipsec.conf
-e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \ elif [ "$dns_state" = "2" ]; then
-e "s/^[[:space:]]\+sha2_truncbug=/ sha2-truncbug=/" \ sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \ fi
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \ sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
-e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi
sed -i "/ikev2=never/d" /etc/ipsec.conf if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi
}
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then restart_ipsec() {
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf bigecho "Restarting IPsec service..."
fi mkdir -p /run/pluto
service ipsec restart 2>/dev/null
bigecho "Restarting IPsec service..." }
mkdir -p /run/pluto
service ipsec restart 2>/dev/null
show_setup_complete() {
cat <<EOF cat <<EOF
================================================ ================================================
@ -282,7 +277,7 @@ Libreswan $SWAN_VER has been successfully installed!
EOF EOF
if [ "$dns_state" = "3" ]; then if [ "$dns_state" = "3" ]; then
cat <<'EOF' cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace IMPORTANT: You must edit /etc/ipsec.conf and replace
all occurrences of these two lines: all occurrences of these two lines:
@ -295,8 +290,46 @@ IMPORTANT: You must edit /etc/ipsec.conf and replace
Then run "sudo service ipsec restart". Then run "sudo service ipsec restart".
EOF EOF
fi fi
}
check_swan_ver() {
swan_ver_cur=4.4
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
[ "$1" != "0" ] && swan_ver_url="$swan_ver_url&e=$2"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
&& [ "$1" = "0" ] && [ "$swan_ver_cur" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
cat <<EOF
Note: A newer version of Libreswan ($swan_ver_latest) is available.
To update, run:
wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh
EOF
fi
}
finish() {
check_swan_ver "$1" "$2"
exit "$1"
}
vpnupgrade() {
check_root
check_vz
check_os
check_libreswan
show_setup_info
start_setup
install_pkgs_1
install_pkgs_2
get_libreswan
install_libreswan
restore_selinux
update_config
restart_ipsec
show_setup_complete
} }
## Defer setup until we have the complete script ## Defer setup until we have the complete script
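Review bot: `start_setup` installs `trap 'finish $? $((dlo+1))' EXIT`, so every exit after that point — including the `|| exit 1` in `get_libreswan` and the `exiterr` in `install_libreswan` — goes through `check_swan_ver`, which performs an outbound `wget` to dl.ls20.com and, on a non-zero status, appends the failing line number as `&e=$2`; nothing in the hunk documents this, and on a host without egress the error exit can wait through the three 15-second attempts before the status is returned. A header comment on `check_swan_ver` such as `# Query the version service; on a failed run ($1 != 0) also report the failing line ($2). Called from the EXIT trap, so this runs on every exit after start_setup.` would make that contract explicit. The `DEBUG` trap is also silenced with `2>/dev/null` (SC3047 disabled), so on shells where it is unavailable `dlo` is never set and `$((dlo+1))` reports line 1 — worth stating in the same comment. The same trap and `finish`/`check_swan_ver` pair appear in the Amazon Linux section above.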


@ -19,114 +19,98 @@ SWAN_VER=4.4
### DO NOT edit below this line ### ### DO NOT edit below this line ###
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER"
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'apt-get install' failed."; } exiterr2() { exiterr "'apt-get install' failed."; }
bigecho() { echo "## $1"; } bigecho() { echo "## $1"; }
vpnupgrade() { check_root() {
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
}
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER" check_vz() {
if [ -f /proc/user_beancounters ]; then
exiterr "OpenVZ VPS is not supported."
fi
}
os_type=$(lsb_release -si 2>/dev/null) check_os() {
os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-') os_type=$(lsb_release -si 2>/dev/null)
[ -z "$os_type" ] && [ -f /etc/os-release ] && os_type=$(. /etc/os-release && printf '%s' "$ID") os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-')
case $os_type in [ -z "$os_type" ] && [ -f /etc/os-release ] && os_type=$(. /etc/os-release && printf '%s' "$ID")
[Uu]buntu) case $os_type in
os_type=ubuntu [Uu]buntu)
;; os_type=ubuntu
[Dd]ebian) ;;
os_type=debian [Dd]ebian)
;; os_type=debian
[Rr]aspbian) ;;
os_type=raspbian [Rr]aspbian)
;; os_type=raspbian
*) ;;
exiterr "This script only supports Ubuntu and Debian." *)
;; exiterr "This script only supports Ubuntu and Debian."
esac ;;
esac
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then
exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
fi
}
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9') check_libreswan() {
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then case $SWAN_VER in
exiterr "Debian 8 or Ubuntu < 16.04 is not supported." 3.32|4.[1234])
fi true
;;
if [ -f /proc/user_beancounters ]; then *)
exiterr "OpenVZ VPS is not supported."
fi
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
case $SWAN_VER in
3.32|4.[1234])
true
;;
*)
cat 1>&2 <<EOF cat 1>&2 <<EOF
Error: Libreswan version '$SWAN_VER' is not supported. Error: Libreswan version '$SWAN_VER' is not supported.
This script can install one of these versions: This script can install one of these versions:
3.32, 4.1-4.3 or 4.4 3.32, 4.1-4.3 or 4.4
EOF EOF
exit 1 exit 1
;; ;;
esac esac
if [ "$SWAN_VER" = "3.32" ] && [ "$os_ver" = "11" ]; then if [ "$SWAN_VER" = "3.32" ] && [ "$os_ver" = "11" ]; then
exiterr "Libreswan 3.32 is not supported on Debian 11." exiterr "Libreswan 3.32 is not supported on Debian 11."
fi fi
ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null) ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
swan_ver_old=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//') swan_ver_old=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//')
if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
Error: This script requires Libreswan already installed. Error: This script requires Libreswan already installed.
See: https://github.com/hwdsl2/setup-ipsec-vpn See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF EOF
exit 1 exit 1
fi fi
swan_ver_cur=4.4 if [ "$swan_ver_old" = "$SWAN_VER" ]; then
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER" cat <<EOF
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url") You already have Libreswan version $SWAN_VER installed!
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \ If you continue, the same version will be re-installed.
&& [ "$swan_ver_cur" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
echo "Note: A newer version of Libreswan ($swan_ver_latest) is available."
echo " To update to the new version, exit this script and run:"
echo " wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh"
echo
printf "Do you want to continue anyway? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
;;
*)
echo "Abort. No changes were made."
exit 1
;;
esac
fi
if [ "$swan_ver_old" = "$SWAN_VER" ]; then EOF
echo "You already have Libreswan version $SWAN_VER installed! " printf "Do you want to continue anyway? [y/N] "
echo "If you continue, the same version will be re-installed." read -r response
echo case $response in
printf "Do you want to continue anyway? [y/N] " [yY][eE][sS]|[yY])
read -r response echo
case $response in ;;
[yY][eE][sS]|[yY]) *)
echo echo "Abort. No changes were made."
;; exit 1
*) ;;
echo "Abort. No changes were made." esac
exit 1 fi
;; }
esac
fi
show_setup_info() {
cat <<EOF cat <<EOF
Welcome! Use this script to update Libreswan on your IPsec VPN server. Welcome! Use this script to update Libreswan on your IPsec VPN server.
@ -134,9 +118,6 @@ Welcome! Use this script to update Libreswan on your IPsec VPN server.
Current version: Libreswan $swan_ver_old Current version: Libreswan $swan_ver_old
Version to install: Libreswan $SWAN_VER Version to install: Libreswan $SWAN_VER
EOF
cat <<'EOF'
Note: This script will make the following changes to your VPN configuration: Note: This script will make the following changes to your VPN configuration:
- Fix obsolete ipsec.conf and/or ikev2.conf options - Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers - Optimize VPN ciphers
@ -144,141 +125,155 @@ Note: This script will make the following changes to your VPN configuration:
EOF EOF
if [ "$SWAN_VER" != "4.4" ]; then if [ "$SWAN_VER" != "4.4" ]; then
cat <<'EOF' cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities. WARNING: Older versions of Libreswan could contain known security vulnerabilities.
See https://libreswan.org/security/ for more information. See https://libreswan.org/security/ for more information.
Are you sure you want to install an older version? Are you sure you want to install an older version?
EOF EOF
fi fi
printf "Do you want to continue? [y/N] " printf "Do you want to continue? [y/N] "
read -r response read -r response
case $response in case $response in
[yY][eE][sS]|[yY]) [yY][eE][sS]|[yY])
echo echo
bigecho "Please be patient. Setup is continuing..." ;;
;; *)
*) echo "Abort. No changes were made."
echo "Abort. No changes were made." exit 1
exit 1 ;;
;; esac
esac }
mkdir -p /opt/src # shellcheck disable=SC2154,SC2039,SC3047
cd /opt/src || exit 1 start_setup() {
trap 'dlo=$dl;dl=$LINENO' DEBUG 2>/dev/null
trap 'finish $? $((dlo+1))' EXIT
mkdir -p /opt/src
cd /opt/src || exit 1
}
bigecho "Installing required packages..." install_pkgs_1() {
bigecho "Installing required packages..."
export DEBIAN_FRONTEND=noninteractive
(
set -x
apt-get -yqq update
) || exiterr "'apt-get update' failed."
}
export DEBIAN_FRONTEND=noninteractive install_pkgs_2() {
( (
set -x set -x
apt-get -yqq update apt-get -yqq install libnss3-dev libnspr4-dev pkg-config \
) || exiterr "'apt-get update' failed." libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
( libcurl4-nss-dev libnss3-tools libevent-dev libsystemd-dev \
set -x flex bison gcc make wget sed >/dev/null
apt-get -yqq install libnss3-dev libnspr4-dev pkg-config \ ) || exiterr2
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \ }
libcurl4-nss-dev libnss3-tools libevent-dev libsystemd-dev \
flex bison gcc make wget sed >/dev/null
) || exiterr2
bigecho "Downloading Libreswan..." get_libreswan() {
bigecho "Downloading Libreswan..."
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
(
set -x
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
}
swan_file="libreswan-$SWAN_VER.tar.gz" install_libreswan() {
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" bigecho "Compiling and installing Libreswan, please wait..."
swan_url2="https://download.libreswan.org/$swan_file" cd "libreswan-$SWAN_VER" || exit 1
( [ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
set -x
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w -s WERROR_CFLAGS=-w -s
USE_DNSSEC=false USE_DNSSEC=false
EOF EOF
if [ "$SWAN_VER" = "3.32" ] || ! grep -qs 'VERSION_CODENAME=' /etc/os-release; then if [ "$SWAN_VER" = "3.32" ] || ! grep -qs 'VERSION_CODENAME=' /etc/os-release; then
cat >> Makefile.inc.local <<'EOF' cat >> Makefile.inc.local <<'EOF'
USE_DH31=false USE_DH31=false
USE_NSS_AVA_COPY=true USE_NSS_AVA_COPY=true
USE_NSS_IPSEC_PROFILE=false USE_NSS_IPSEC_PROFILE=false
USE_GLIBC_KERN_FLIP_HEADERS=true USE_GLIBC_KERN_FLIP_HEADERS=true
EOF EOF
fi
echo "USE_DH2=true" >> Makefile.inc.local
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
fi
if [ "$SWAN_VER" != "3.32" ]; then
echo "USE_NSS_KDF=false" >> Makefile.inc.local
echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local
fi
NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1
(
set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
)
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build."
fi
bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
if uname -m | grep -qi '^arm'; then
if ! modprobe -q sha512; then
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2"
fi fi
fi echo "USE_DH2=true" >> Makefile.inc.local
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
fi
if [ "$SWAN_VER" != "3.32" ]; then
echo "USE_NSS_KDF=false" >> Makefile.inc.local
echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local
fi
NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1
(
set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
)
dns_state=0 cd /opt/src || exit 1
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
[ -n "$DNS_SRV1" ] && dns_state=2 exiterr "Libreswan $SWAN_VER failed to build."
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 fi
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3 }
sed -i".old-$(date +%F-%T)" \ update_config() {
-e "s/^[[:space:]]\+auth=/ phase2=/" \ bigecho "Updating VPN configuration..."
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
-e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \ PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
-e "s/^[[:space:]]\+sha2_truncbug=/ sha2-truncbug=/" \
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then if uname -m | grep -qi '^arm'; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \ if ! modprobe -q sha512; then
-e "/modecfgdns2=/d" /etc/ipsec.conf PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2"
elif [ "$dns_state" = "2" ]; then fi
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf fi
fi
sed -i "/ikev2=never/d" /etc/ipsec.conf dns_state=0
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then sed -i".old-$(date +%F-%T)" \
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf -e "s/^[[:space:]]\+auth=/ phase2=/" \
fi -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
-e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \
-e "s/^[[:space:]]\+sha2_truncbug=/ sha2-truncbug=/" \
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
bigecho "Restarting IPsec service..." if [ "$dns_state" = "1" ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi
mkdir -p /run/pluto sed -i "/ikev2=never/d" /etc/ipsec.conf
service ipsec restart 2>/dev/null sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi
}
restart_ipsec() {
bigecho "Restarting IPsec service..."
mkdir -p /run/pluto
service ipsec restart 2>/dev/null
}
show_setup_complete() {
cat <<EOF cat <<EOF
================================================ ================================================
@ -289,7 +284,7 @@ Libreswan $SWAN_VER has been successfully installed!
EOF EOF
if [ "$dns_state" = "3" ]; then if [ "$dns_state" = "3" ]; then
cat <<'EOF' cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace IMPORTANT: You must edit /etc/ipsec.conf and replace
all occurrences of these two lines: all occurrences of these two lines:
@ -302,8 +297,45 @@ IMPORTANT: You must edit /etc/ipsec.conf and replace
Then run "sudo service ipsec restart". Then run "sudo service ipsec restart".
EOF EOF
fi fi
}
check_swan_ver() {
swan_ver_cur=4.4
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
[ "$1" != "0" ] && swan_ver_url="$swan_ver_url&e=$2"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
&& [ "$1" = "0" ] && [ "$swan_ver_cur" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
cat <<EOF
Note: A newer version of Libreswan ($swan_ver_latest) is available.
To update, run:
wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh
EOF
fi
}
finish() {
check_swan_ver "$1" "$2"
exit "$1"
}
vpnupgrade() {
check_root
check_vz
check_os
check_libreswan
show_setup_info
start_setup
install_pkgs_1
install_pkgs_2
get_libreswan
install_libreswan
update_config
restart_ipsec
show_setup_complete
} }
## Defer setup until we have the complete script ## Defer setup until we have the complete script
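Review bot: The EXIT trap installed in start_setup now routes every exit after that point, including the exit 1 from exiterr, through finish and check_swan_ver, which sends os_type, os_ver, os_arch, swan_ver_old, SWAN_VER and, on a non-zero status, the line number of the failing command (`&e=$2`) to dl.ls20.com; as far as the visible text shows, neither the code nor the welcome message says so. Worth a header comment on check_swan_ver, e.g. `# Queries dl.ls20.com for the latest Libreswan version; the request carries OS type/version, arch, current and target versions and, on failure, the failing line number`. The same applies to check_swan_ver in the Amazon Linux script earlier in this commit. A secondary observation: get_libreswan extracts, and install_libreswan builds and installs as root, whatever the two mirrors return with no checksum or signature check; that predates this commit, but now that the download is its own function it would be the natural place to add one.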