Improve output
- Improve output for the VPN setup and upgrade scripts. The outputs of the scripts are now significantly reduced and only include the most useful information for users. - Other minor cleanup
parent
89eaacc0b8
commit
5779b2e6c8
@ -263,17 +263,14 @@ EOF
|
||||
|
||||
show_start_message() {
|
||||
bigecho "Starting IKEv2 setup in auto mode, using default options."
|
||||
echo
|
||||
}
|
||||
|
||||
show_add_client_message() {
|
||||
bigecho "Adding a new IKEv2 client '$client_name', using default options."
|
||||
echo
|
||||
}
|
||||
|
||||
show_export_client_message() {
|
||||
bigecho "Exporting existing IKEv2 client '$client_name', using default options."
|
||||
echo
|
||||
}
|
||||
|
||||
get_export_dir() {
|
||||
@ -293,7 +290,7 @@ get_export_dir() {
|
||||
}
|
||||
|
||||
get_server_ip() {
|
||||
echo "Trying to auto discover IP of this server..."
|
||||
bigecho "Trying to auto discover IP of this server..."
|
||||
public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
|
||||
check_ip "$public_ip" || public_ip=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
|
||||
}
|
||||
@ -453,6 +450,7 @@ enter_custom_dns() {
|
||||
else
|
||||
echo "Using Google Public DNS (8.8.8.8, 8.8.4.4)."
|
||||
fi
|
||||
echo
|
||||
}
|
||||
|
||||
check_mobike_support() {
|
||||
@ -492,8 +490,7 @@ check_mobike_support() {
|
||||
fi
|
||||
fi
|
||||
|
||||
echo
|
||||
echo -n "Checking for MOBIKE support... "
|
||||
echo -n "## Checking for MOBIKE support... "
|
||||
if [ "$mobike_support" = "1" ]; then
|
||||
echo "available"
|
||||
else
|
||||
@ -652,13 +649,38 @@ EOF
|
||||
install_base64_uuidgen() {
|
||||
if ! command -v base64 >/dev/null 2>&1 || ! command -v uuidgen >/dev/null 2>&1; then
|
||||
bigecho "Installing required packages..."
|
||||
|
||||
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get -yqq update || exiterr "'apt-get update' failed."
|
||||
apt-get -yqq install coreutils uuid-runtime >/dev/null || exiterr "'apt-get install' failed."
|
||||
(
|
||||
set -x
|
||||
apt-get -yqq update
|
||||
) || exiterr "'apt-get update' failed."
|
||||
fi
|
||||
fi
|
||||
if ! command -v base64 >/dev/null 2>&1; then
|
||||
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
|
||||
(
|
||||
set -x
|
||||
apt-get -yqq install coreutils >/dev/null
|
||||
) || exiterr "'apt-get install' failed."
|
||||
else
|
||||
yum -yq install coreutils util-linux || exiterr "'yum install' failed."
|
||||
(
|
||||
set -x
|
||||
yum -y -q install coreutils >/dev/null
|
||||
) || exiterr "'yum install' failed."
|
||||
fi
|
||||
fi
|
||||
if ! command -v uuidgen >/dev/null 2>&1; then
|
||||
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
|
||||
(
|
||||
set -x
|
||||
apt-get -yqq install uuid-runtime >/dev/null
|
||||
) || exiterr "'apt-get install' failed."
|
||||
else
|
||||
(
|
||||
set -x
|
||||
yum -y -q install util-linux >/dev/null
|
||||
) || exiterr "'yum install' failed."
|
||||
fi
|
||||
fi
|
||||
}
|
||||
@ -989,20 +1011,21 @@ EOF
|
||||
apply_ubuntu1804_nss_fix() {
|
||||
if [ "$os_type" = "ubuntu" ] && [ "$os_ver" = "bustersid" ] && [ "$os_arch" = "x86_64" ]; then
|
||||
bigecho "Applying fix for NSS bug on Ubuntu 18.04..."
|
||||
|
||||
nss_url1="https://mirrors.kernel.org/ubuntu/pool/main/n/nss"
|
||||
nss_url2="https://mirrors.kernel.org/ubuntu/pool/universe/n/nss"
|
||||
nss_deb1="libnss3_3.49.1-1ubuntu1.5_amd64.deb"
|
||||
nss_deb2="libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb"
|
||||
nss_deb3="libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb"
|
||||
if wget -t 3 -T 30 -nv -O "/tmp/$nss_deb1" "$nss_url1/$nss_deb1" \
|
||||
&& wget -t 3 -T 30 -nv -O "/tmp/$nss_deb2" "$nss_url1/$nss_deb2" \
|
||||
&& wget -t 3 -T 30 -nv -O "/tmp/$nss_deb3" "$nss_url2/$nss_deb3"; then
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
set -x
|
||||
if wget -t 3 -T 30 -q -O "/tmp/libnss3.deb" "$nss_url1/$nss_deb1" \
|
||||
&& wget -t 3 -T 30 -q -O "/tmp/libnss3-dev.deb" "$nss_url1/$nss_deb2" \
|
||||
&& wget -t 3 -T 30 -q -O "/tmp/libnss3-tools.deb" "$nss_url2/$nss_deb3"; then
|
||||
apt-get -yqq update
|
||||
apt-get -yqq install "/tmp/$nss_deb1" "/tmp/$nss_deb2" "/tmp/$nss_deb3"
|
||||
apt-get -yqq install "/tmp/libnss3.deb" "/tmp/libnss3-dev.deb" "/tmp/libnss3-tools.deb" >/dev/null
|
||||
/bin/rm -f "/tmp/libnss3.deb" "/tmp/libnss3-dev.deb" "/tmp/libnss3-tools.deb"
|
||||
fi
|
||||
/bin/rm -f "/tmp/$nss_deb1" "/tmp/$nss_deb2" "/tmp/$nss_deb3"
|
||||
{ set +x; } 2>&-
|
||||
fi
|
||||
}
|
||||
|
||||
@ -1010,7 +1033,7 @@ restart_ipsec_service() {
|
||||
bigecho "Restarting IPsec service..."
|
||||
|
||||
mkdir -p /run/pluto
|
||||
service ipsec restart
|
||||
service ipsec restart 2>/dev/null
|
||||
}
|
||||
|
||||
print_client_added_message() {
|
||||
|
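Review bot: apply_ubuntu1804_nss_fix now fetches the three packages to the fixed paths `/tmp/libnss3.deb`, `/tmp/libnss3-dev.deb` and `/tmp/libnss3-tools.deb` in the world-writable /tmp and then passes them to `apt-get install` as root, so anything a local user has pre-placed under those names (a symlink, for instance) is what gets written and installed; the old `/tmp/$nss_deb1` names were just as predictable, but since the download and install lines are being rewritten this is the moment to move them into a `mktemp -d` directory and clean that up with `rm -rf "${nss_tmp:?}"` (apt may warn that the download is unsandboxed for a 0700 directory; the install still proceeds). Note that `set -x` here is enabled in the calling shell and undone by `{ set +x; } 2>&-`, unlike the subshell form used everywhere else in this commit. Separately, restart_ipsec_service's `service ipsec restart 2>/dev/null` now hides stderr and still ignores the exit status, so a failed restart is reported nowhere; `service ipsec restart 2>/dev/null || exiterr "Failed to restart IPsec service."` would surface it, and the same line appears in the three vpnupgrade sections below.
```shell
    # … unchanged: nss_url1/nss_url2 and nss_deb1..3 assignments …
    nss_tmp=$(mktemp -d) || exiterr "mktemp failed."
    export DEBIAN_FRONTEND=noninteractive
    set -x
    if wget -t 3 -T 30 -q -O "$nss_tmp/libnss3.deb" "$nss_url1/$nss_deb1" \
      && wget -t 3 -T 30 -q -O "$nss_tmp/libnss3-dev.deb" "$nss_url1/$nss_deb2" \
      && wget -t 3 -T 30 -q -O "$nss_tmp/libnss3-tools.deb" "$nss_url2/$nss_deb3"; then
      apt-get -yqq update
      apt-get -yqq install "$nss_tmp/libnss3.deb" "$nss_tmp/libnss3-dev.deb" "$nss_tmp/libnss3-tools.deb" >/dev/null
    fi
    # :? aborts rather than running rm -rf on an empty path
    /bin/rm -rf "${nss_tmp:?}"
    { set +x; } 2>&-
```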
@ -22,6 +22,7 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
|
||||
exiterr() { echo "Error: $1" >&2; exit 1; }
|
||||
exiterr2() { exiterr "'apt-get install' failed."; }
|
||||
bigecho() { echo "## $1"; }
|
||||
|
||||
vpnupgrade() {
|
||||
|
||||
@ -129,7 +130,6 @@ clear
|
||||
cat <<EOF
|
||||
Welcome! This script will build and install Libreswan on your server.
|
||||
Additional packages required for compilation will also be installed.
|
||||
|
||||
It is intended for upgrading servers to a newer Libreswan version.
|
||||
|
||||
Current version: $ipsec_ver_short
|
||||
@ -141,7 +141,6 @@ cat <<'EOF'
|
||||
Note: This script will make the following changes to your VPN configuration:
|
||||
- Fix obsolete ipsec.conf and/or ikev2.conf options
|
||||
- Optimize VPN ciphers
|
||||
|
||||
Your other VPN config files will not be modified.
|
||||
|
||||
EOF
|
||||
@ -160,8 +159,7 @@ read -r response
|
||||
case $response in
|
||||
[yY][eE][sS]|[yY])
|
||||
echo
|
||||
echo "Please be patient. Setup is continuing..."
|
||||
echo
|
||||
bigecho "Please be patient. Setup is continuing..."
|
||||
;;
|
||||
*)
|
||||
echo "Abort. No changes were made."
|
||||
@ -173,25 +171,35 @@ esac
|
||||
mkdir -p /opt/src
|
||||
cd /opt/src || exit 1
|
||||
|
||||
# Update package index
|
||||
bigecho "Installing required packages..."
|
||||
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get -yq update || exiterr "'apt-get update' failed."
|
||||
(
|
||||
set -x
|
||||
apt-get -yqq update
|
||||
) || exiterr "'apt-get update' failed."
|
||||
(
|
||||
set -x
|
||||
apt-get -yqq install libnss3-dev libnspr4-dev pkg-config \
|
||||
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
|
||||
libcurl4-nss-dev libnss3-tools libevent-dev libsystemd-dev \
|
||||
flex bison gcc make wget sed >/dev/null
|
||||
) || exiterr2
|
||||
|
||||
# Install necessary packages
|
||||
apt-get -yq install libnss3-dev libnspr4-dev pkg-config \
|
||||
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
|
||||
libcurl4-nss-dev libnss3-tools libevent-dev libsystemd-dev \
|
||||
flex bison gcc make wget sed || exiterr2
|
||||
bigecho "Downloading Libreswan..."
|
||||
|
||||
# Compile and install Libreswan
|
||||
swan_file="libreswan-$SWAN_VER.tar.gz"
|
||||
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
|
||||
swan_url2="https://download.libreswan.org/$swan_file"
|
||||
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
|
||||
exit 1
|
||||
fi
|
||||
(
|
||||
set -x
|
||||
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
|
||||
) || exit 1
|
||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
|
||||
|
||||
bigecho "Compiling and installing Libreswan, please wait..."
|
||||
|
||||
cd "libreswan-$SWAN_VER" || exit 1
|
||||
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
|
||||
cat > Makefile.inc.local <<'EOF'
|
||||
@ -216,16 +224,19 @@ if [ "$SWAN_VER" != "3.32" ]; then
|
||||
fi
|
||||
NPROCS=$(grep -c ^processor /proc/cpuinfo)
|
||||
[ -z "$NPROCS" ] && NPROCS=1
|
||||
make "-j$((NPROCS+1))" -s base && make -s install-base
|
||||
(
|
||||
set -x
|
||||
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
|
||||
)
|
||||
|
||||
# Verify the install and clean up
|
||||
cd /opt/src || exit 1
|
||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
||||
exiterr "Libreswan $SWAN_VER failed to build."
|
||||
fi
|
||||
|
||||
# Update IPsec config
|
||||
bigecho "Updating VPN configuration..."
|
||||
|
||||
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
||||
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
||||
|
||||
@ -265,13 +276,13 @@ if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
|
||||
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
|
||||
fi
|
||||
|
||||
# Restart IPsec service
|
||||
bigecho "Restarting IPsec service..."
|
||||
|
||||
mkdir -p /run/pluto
|
||||
service ipsec restart
|
||||
service ipsec restart 2>/dev/null
|
||||
|
||||
cat <<EOF
|
||||
|
||||
|
||||
================================================
|
||||
|
||||
Libreswan $SWAN_VER has been successfully installed!
|
||||
|
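Review bot: With `-q` on both wget calls, a failed Libreswan download now ends the script through the bare `) || exit 1` with no message at all — the old `-nv` at least let wget print its own error — so the user sees the `+ wget ...` trace line and then nothing; use `) || exiterr "Failed to download Libreswan $SWAN_VER."` instead. The same `) || exit 1` follows the rewritten download subshell in every other file section of this commit. The archive is also extracted, built and installed as root with no integrity check against either mirror; the commit does not change that, but since it rewrites the download line, this is the place to add e.g. `echo "<EXPECTED_SHA256>  $swan_file" | sha256sum -c - >/dev/null || exiterr "Libreswan $SWAN_VER checksum mismatch."` with the expected value taken from the upstream release (placeholder shown, two spaces before the filename).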
@ -22,6 +22,7 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
|
||||
exiterr() { echo "Error: $1" >&2; exit 1; }
|
||||
exiterr2() { exiterr "'yum install' failed."; }
|
||||
bigecho() { echo "## $1"; }
|
||||
|
||||
vpnupgrade() {
|
||||
|
||||
@ -108,7 +109,6 @@ clear
|
||||
cat <<EOF
|
||||
Welcome! This script will build and install Libreswan on your server.
|
||||
Additional packages required for compilation will also be installed.
|
||||
|
||||
It is intended for upgrading servers to a newer Libreswan version.
|
||||
|
||||
Current version: $ipsec_ver_short
|
||||
@ -120,7 +120,6 @@ cat <<'EOF'
|
||||
Note: This script will make the following changes to your VPN configuration:
|
||||
- Fix obsolete ipsec.conf and/or ikev2.conf options
|
||||
- Optimize VPN ciphers
|
||||
|
||||
Your other VPN config files will not be modified.
|
||||
|
||||
EOF
|
||||
@ -139,8 +138,7 @@ read -r response
|
||||
case $response in
|
||||
[yY][eE][sS]|[yY])
|
||||
echo
|
||||
echo "Please be patient. Setup is continuing..."
|
||||
echo
|
||||
bigecho "Please be patient. Setup is continuing..."
|
||||
;;
|
||||
*)
|
||||
echo "Abort. No changes were made."
|
||||
@ -152,24 +150,37 @@ esac
|
||||
mkdir -p /opt/src
|
||||
cd /opt/src || exit 1
|
||||
|
||||
# Add the EPEL repository
|
||||
amazon-linux-extras install epel -y || exiterr2
|
||||
bigecho "Adding the EPEL repository..."
|
||||
|
||||
# Install necessary packages
|
||||
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
|
||||
libcap-ng-devel libselinux-devel curl-devel nss-tools \
|
||||
flex bison gcc make wget sed tar \
|
||||
systemd-devel libevent-devel fipscheck-devel || exiterr2
|
||||
(
|
||||
set -x
|
||||
amazon-linux-extras install epel -y >/dev/null
|
||||
) || exiterr2
|
||||
|
||||
bigecho "Installing required packages..."
|
||||
|
||||
(
|
||||
set -x
|
||||
yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
|
||||
libcap-ng-devel libselinux-devel curl-devel nss-tools \
|
||||
flex bison gcc make wget sed tar \
|
||||
systemd-devel libevent-devel fipscheck-devel >/dev/null
|
||||
) || exiterr2
|
||||
|
||||
bigecho "Downloading Libreswan..."
|
||||
|
||||
# Compile and install Libreswan
|
||||
swan_file="libreswan-$SWAN_VER.tar.gz"
|
||||
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
|
||||
swan_url2="https://download.libreswan.org/$swan_file"
|
||||
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
|
||||
exit 1
|
||||
fi
|
||||
(
|
||||
set -x
|
||||
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
|
||||
) || exit 1
|
||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
|
||||
|
||||
bigecho "Compiling and installing Libreswan, please wait..."
|
||||
|
||||
cd "libreswan-$SWAN_VER" || exit 1
|
||||
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
|
||||
cat > Makefile.inc.local <<'EOF'
|
||||
@ -186,9 +197,11 @@ if [ "$SWAN_VER" != "3.32" ]; then
|
||||
fi
|
||||
NPROCS=$(grep -c ^processor /proc/cpuinfo)
|
||||
[ -z "$NPROCS" ] && NPROCS=1
|
||||
make "-j$((NPROCS+1))" -s base && make -s install-base
|
||||
(
|
||||
set -x
|
||||
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
|
||||
)
|
||||
|
||||
# Verify the install and clean up
|
||||
cd /opt/src || exit 1
|
||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
||||
@ -200,7 +213,8 @@ restorecon /etc/ipsec.d/*db 2>/dev/null
|
||||
restorecon /usr/local/sbin -Rv 2>/dev/null
|
||||
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
|
||||
|
||||
# Update IPsec config
|
||||
bigecho "Updating VPN configuration..."
|
||||
|
||||
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
||||
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
||||
|
||||
@ -234,13 +248,13 @@ if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
|
||||
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
|
||||
fi
|
||||
|
||||
# Restart IPsec service
|
||||
bigecho "Restarting IPsec service..."
|
||||
|
||||
mkdir -p /run/pluto
|
||||
service ipsec restart
|
||||
service ipsec restart 2>/dev/null
|
||||
|
||||
cat <<EOF
|
||||
|
||||
|
||||
================================================
|
||||
|
||||
Libreswan $SWAN_VER has been successfully installed!
|
||||
|
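Review bot: The new `( set -x; amazon-linux-extras install epel -y >/dev/null ) || exiterr2` reports a failure of amazon-linux-extras as `'yum install' failed.`, because exiterr2 is hard-wired to that message at the top of the file; the old line had the same mismatch, but since the call is being rewritten, use `) || exiterr "'amazon-linux-extras install epel' failed."` so the diagnostic names the command that actually failed. The same pairing of `amazon-linux-extras install epel -y >/dev/null` with exiterr2 is in the Amazon Linux vpnsetup section further down.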
@ -22,6 +22,7 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
|
||||
exiterr() { echo "Error: $1" >&2; exit 1; }
|
||||
exiterr2() { exiterr "'yum install' failed."; }
|
||||
bigecho() { echo "## $1"; }
|
||||
|
||||
vpnupgrade() {
|
||||
|
||||
@ -120,7 +121,6 @@ clear
|
||||
cat <<EOF
|
||||
Welcome! This script will build and install Libreswan on your server.
|
||||
Additional packages required for compilation will also be installed.
|
||||
|
||||
It is intended for upgrading servers to a newer Libreswan version.
|
||||
|
||||
Current version: $ipsec_ver_short
|
||||
@ -132,7 +132,6 @@ cat <<'EOF'
|
||||
Note: This script will make the following changes to your VPN configuration:
|
||||
- Fix obsolete ipsec.conf and/or ikev2.conf options
|
||||
- Optimize VPN ciphers
|
||||
|
||||
Your other VPN config files will not be modified.
|
||||
|
||||
EOF
|
||||
@ -151,8 +150,7 @@ read -r response
|
||||
case $response in
|
||||
[yY][eE][sS]|[yY])
|
||||
echo
|
||||
echo "Please be patient. Setup is continuing..."
|
||||
echo
|
||||
bigecho "Please be patient. Setup is continuing..."
|
||||
;;
|
||||
*)
|
||||
echo "Abort. No changes were made."
|
||||
@ -164,14 +162,22 @@ esac
|
||||
mkdir -p /opt/src
|
||||
cd /opt/src || exit 1
|
||||
|
||||
# Add the EPEL repository
|
||||
epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm"
|
||||
yum -y install epel-release || yum -y install "$epel_url" || exiterr2
|
||||
bigecho "Adding the EPEL repository..."
|
||||
|
||||
# Install necessary packages
|
||||
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
|
||||
libcap-ng-devel libselinux-devel curl-devel nss-tools \
|
||||
flex bison gcc make wget sed tar || exiterr2
|
||||
epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm"
|
||||
(
|
||||
set -x
|
||||
yum -y -q install epel-release >/dev/null || yum -y -q install "$epel_url" >/dev/null
|
||||
) || exiterr2
|
||||
|
||||
bigecho "Installing required packages..."
|
||||
|
||||
(
|
||||
set -x
|
||||
yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
|
||||
libcap-ng-devel libselinux-devel curl-devel nss-tools \
|
||||
flex bison gcc make wget sed tar >/dev/null
|
||||
) || exiterr2
|
||||
|
||||
REPO1='--enablerepo=*server-*optional*'
|
||||
REPO2='--enablerepo=*releases-optional*'
|
||||
@ -179,21 +185,35 @@ REPO3='--enablerepo=[Pp]ower[Tt]ools'
|
||||
[ "$os_type" = "rhel" ] && REPO3='--enablerepo=codeready-builder-for-rhel-8-*'
|
||||
|
||||
if [ "$os_ver" = "7" ]; then
|
||||
yum -y install systemd-devel || exiterr2
|
||||
yum "$REPO1" "$REPO2" -y install libevent-devel fipscheck-devel || exiterr2
|
||||
(
|
||||
set -x
|
||||
yum -y -q install systemd-devel >/dev/null
|
||||
) || exiterr2
|
||||
(
|
||||
set -x
|
||||
yum "$REPO1" "$REPO2" -y -q install libevent-devel fipscheck-devel >/dev/null
|
||||
) || exiterr2
|
||||
else
|
||||
yum "$REPO3" -y install systemd-devel libevent-devel fipscheck-devel || exiterr2
|
||||
(
|
||||
set -x
|
||||
yum "$REPO3" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
|
||||
) || exiterr2
|
||||
fi
|
||||
|
||||
# Compile and install Libreswan
|
||||
bigecho "Downloading Libreswan..."
|
||||
|
||||
swan_file="libreswan-$SWAN_VER.tar.gz"
|
||||
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
|
||||
swan_url2="https://download.libreswan.org/$swan_file"
|
||||
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
|
||||
exit 1
|
||||
fi
|
||||
(
|
||||
set -x
|
||||
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
|
||||
) || exit 1
|
||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
|
||||
|
||||
bigecho "Compiling and installing Libreswan, please wait..."
|
||||
|
||||
cd "libreswan-$SWAN_VER" || exit 1
|
||||
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
|
||||
cat > Makefile.inc.local <<'EOF'
|
||||
@ -210,9 +230,11 @@ if [ "$SWAN_VER" != "3.32" ]; then
|
||||
fi
|
||||
NPROCS=$(grep -c ^processor /proc/cpuinfo)
|
||||
[ -z "$NPROCS" ] && NPROCS=1
|
||||
make "-j$((NPROCS+1))" -s base && make -s install-base
|
||||
(
|
||||
set -x
|
||||
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
|
||||
)
|
||||
|
||||
# Verify the install and clean up
|
||||
cd /opt/src || exit 1
|
||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
||||
@ -224,7 +246,8 @@ restorecon /etc/ipsec.d/*db 2>/dev/null
|
||||
restorecon /usr/local/sbin -Rv 2>/dev/null
|
||||
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
|
||||
|
||||
# Update IPsec config
|
||||
bigecho "Updating VPN configuration..."
|
||||
|
||||
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
||||
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
||||
|
||||
@ -258,13 +281,13 @@ if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
|
||||
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
|
||||
fi
|
||||
|
||||
# Restart IPsec service
|
||||
bigecho "Restarting IPsec service..."
|
||||
|
||||
mkdir -p /run/pluto
|
||||
service ipsec restart
|
||||
service ipsec restart 2>/dev/null
|
||||
|
||||
cat <<EOF
|
||||
|
||||
|
||||
================================================
|
||||
|
||||
Libreswan $SWAN_VER has been successfully installed!
|
||||
|
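Review bot: In the EPEL hunk, `yum -y -q install epel-release >/dev/null || yum -y -q install "$epel_url" >/dev/null` still lets the first attempt's stderr through even when the fallback install from `$epel_url` succeeds, so on systems where only the URL install works the reduced output this commit aims for still contains whatever yum printed about the missing epel-release package. Silence stderr on the first attempt only, `yum -y -q install epel-release >/dev/null 2>&1 || yum -y -q install "$epel_url" >/dev/null`, so that the fallback's own errors stay visible when both fail. The identical line is in the CentOS vpnsetup section below.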
59
vpnsetup.sh
59
vpnsetup.sh
@ -40,7 +40,7 @@ SYS_DT=$(date +%F-%T | tr ':' '_')
|
||||
exiterr() { echo "Error: $1" >&2; exit 1; }
|
||||
exiterr2() { exiterr "'apt-get install' failed."; }
|
||||
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
|
||||
bigecho() { echo; echo "## $1"; echo; }
|
||||
bigecho() { echo "## $1"; }
|
||||
|
||||
check_ip() {
|
||||
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
|
||||
@ -157,53 +157,59 @@ while fuser "$APT_LK" "$PKG_LK" >/dev/null 2>&1 \
|
||||
sleep 3
|
||||
done
|
||||
|
||||
bigecho "Populating apt-get cache..."
|
||||
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get -yq update || exiterr "'apt-get update' failed."
|
||||
|
||||
bigecho "Installing packages required for setup..."
|
||||
|
||||
apt-get -yq install wget dnsutils openssl \
|
||||
iptables iproute2 gawk grep sed net-tools || exiterr2
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
(
|
||||
set -x
|
||||
apt-get -yqq update
|
||||
) || exiterr "'apt-get update' failed."
|
||||
(
|
||||
set -x
|
||||
apt-get -yqq install wget dnsutils openssl \
|
||||
iptables iproute2 gawk grep sed net-tools >/dev/null
|
||||
) || exiterr2
|
||||
|
||||
bigecho "Trying to auto discover IP of this server..."
|
||||
|
||||
cat <<'EOF'
|
||||
In case the script hangs here for more than a few minutes,
|
||||
press Ctrl-C to abort. Then edit it and manually enter IP.
|
||||
EOF
|
||||
|
||||
# In case auto IP discovery fails, enter server's public IP here.
|
||||
PUBLIC_IP=${VPN_PUBLIC_IP:-''}
|
||||
|
||||
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
|
||||
|
||||
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
|
||||
check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it."
|
||||
|
||||
bigecho "Installing packages required for the VPN..."
|
||||
|
||||
apt-get -yq install libnss3-dev libnspr4-dev pkg-config \
|
||||
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
|
||||
libcurl4-nss-dev flex bison gcc make libnss3-tools \
|
||||
libevent-dev libsystemd-dev ppp xl2tpd || exiterr2
|
||||
(
|
||||
set -x
|
||||
apt-get -yqq install libnss3-dev libnspr4-dev pkg-config \
|
||||
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
|
||||
libcurl4-nss-dev flex bison gcc make libnss3-tools \
|
||||
libevent-dev libsystemd-dev ppp xl2tpd >/dev/null
|
||||
) || exiterr2
|
||||
|
||||
bigecho "Installing Fail2Ban to protect SSH..."
|
||||
|
||||
apt-get -yq install fail2ban || exiterr2
|
||||
(
|
||||
set -x
|
||||
apt-get -yqq install fail2ban >/dev/null
|
||||
) || exiterr2
|
||||
|
||||
bigecho "Compiling and installing Libreswan..."
|
||||
bigecho "Downloading Libreswan..."
|
||||
|
||||
SWAN_VER=4.2
|
||||
swan_file="libreswan-$SWAN_VER.tar.gz"
|
||||
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
|
||||
swan_url2="https://download.libreswan.org/$swan_file"
|
||||
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
|
||||
exit 1
|
||||
fi
|
||||
(
|
||||
set -x
|
||||
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
|
||||
) || exit 1
|
||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
|
||||
|
||||
bigecho "Compiling and installing Libreswan, please wait..."
|
||||
|
||||
cd "libreswan-$SWAN_VER" || exit 1
|
||||
cat > Makefile.inc.local <<'EOF'
|
||||
WERROR_CFLAGS=-w
|
||||
@ -225,7 +231,10 @@ if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
|
||||
fi
|
||||
NPROCS=$(grep -c ^processor /proc/cpuinfo)
|
||||
[ -z "$NPROCS" ] && NPROCS=1
|
||||
make "-j$((NPROCS+1))" -s base && make -s install-base
|
||||
(
|
||||
set -x
|
||||
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
|
||||
)
|
||||
|
||||
cd /opt/src || exit 1
|
||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||
|
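Review bot: The `( set -x; make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null )` subshell discards its exit status, so a failed build or install falls straight through to `cd /opt/src` and the `rm -rf` of the source tree, with only whatever make wrote to stderr as evidence; the vpnupgrade scripts in this commit verify the result with `ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"` afterwards, but no such check is visible in this hunk (it may exist below it — the script continues past the hunk). Unless one does, append `) || exiterr "Libreswan $SWAN_VER failed to build."` to the subshell. The old unwrapped `make ... && make ...` line had the same gap, so this is not a regression, just the place to close it.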
@ -39,7 +39,7 @@ SYS_DT=$(date +%F-%T | tr ':' '_')
|
||||
exiterr() { echo "Error: $1" >&2; exit 1; }
|
||||
exiterr2() { exiterr "'yum install' failed."; }
|
||||
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
|
||||
bigecho() { echo; echo "## $1"; echo; }
|
||||
bigecho() { echo "## $1"; }
|
||||
|
||||
check_ip() {
|
||||
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
|
||||
@ -116,55 +116,64 @@ cd /opt/src || exit 1
|
||||
|
||||
bigecho "Installing packages required for setup..."
|
||||
|
||||
yum -y install wget bind-utils openssl tar \
|
||||
iptables iproute gawk grep sed net-tools || exiterr2
|
||||
(
|
||||
set -x
|
||||
yum -y -q install wget bind-utils openssl tar \
|
||||
iptables iproute gawk grep sed net-tools >/dev/null
|
||||
) || exiterr2
|
||||
|
||||
bigecho "Trying to auto discover IP of this server..."
|
||||
|
||||
cat <<'EOF'
|
||||
In case the script hangs here for more than a few minutes,
|
||||
press Ctrl-C to abort. Then edit it and manually enter IP.
|
||||
EOF
|
||||
|
||||
# In case auto IP discovery fails, enter server's public IP here.
|
||||
PUBLIC_IP=${VPN_PUBLIC_IP:-''}
|
||||
|
||||
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
|
||||
|
||||
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
|
||||
check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it."
|
||||
|
||||
bigecho "Adding the EPEL repository..."
|
||||
|
||||
amazon-linux-extras install epel -y || exiterr2
|
||||
(
|
||||
set -x
|
||||
amazon-linux-extras install epel -y >/dev/null
|
||||
) || exiterr2
|
||||
|
||||
bigecho "Installing packages required for the VPN..."
|
||||
|
||||
REPO1='--enablerepo=epel'
|
||||
|
||||
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
|
||||
libcap-ng-devel libselinux-devel curl-devel nss-tools \
|
||||
flex bison gcc make ppp \
|
||||
systemd-devel iptables-services \
|
||||
libevent-devel fipscheck-devel || exiterr2
|
||||
|
||||
yum "$REPO1" -y install xl2tpd || exiterr2
|
||||
(
|
||||
set -x
|
||||
yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
|
||||
libcap-ng-devel libselinux-devel curl-devel nss-tools \
|
||||
flex bison gcc make ppp \
|
||||
systemd-devel iptables-services \
|
||||
libevent-devel fipscheck-devel >/dev/null
|
||||
) || exiterr2
|
||||
(
|
||||
set -x
|
||||
yum --enablerepo=epel -y -q install xl2tpd >/dev/null 2>&1
|
||||
) || exiterr2
|
||||
|
||||
bigecho "Installing Fail2Ban to protect SSH..."
|
||||
|
||||
yum "$REPO1" -y install fail2ban || exiterr2
|
||||
(
|
||||
set -x
|
||||
yum --enablerepo=epel -y -q install fail2ban >/dev/null
|
||||
) || exiterr2
|
||||
|
||||
bigecho "Compiling and installing Libreswan..."
|
||||
bigecho "Downloading Libreswan..."
|
||||
|
||||
SWAN_VER=4.2
|
||||
swan_file="libreswan-$SWAN_VER.tar.gz"
|
||||
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
|
||||
swan_url2="https://download.libreswan.org/$swan_file"
|
||||
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
|
||||
exit 1
|
||||
fi
|
||||
(
|
||||
set -x
|
||||
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
|
||||
) || exit 1
|
||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
|
||||
|
||||
bigecho "Compiling and installing Libreswan, please wait..."
|
||||
|
||||
cd "libreswan-$SWAN_VER" || exit 1
|
||||
cat > Makefile.inc.local <<'EOF'
|
||||
WERROR_CFLAGS=-w
|
||||
@ -178,7 +187,10 @@ if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
|
||||
fi
|
||||
NPROCS=$(grep -c ^processor /proc/cpuinfo)
|
||||
[ -z "$NPROCS" ] && NPROCS=1
|
||||
make "-j$((NPROCS+1))" -s base && make -s install-base
|
||||
(
|
||||
set -x
|
||||
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
|
||||
)
|
||||
|
||||
cd /opt/src || exit 1
|
||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||
|
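Review bot: The xl2tpd step `yum --enablerepo=epel -y -q install xl2tpd >/dev/null 2>&1` is the only package install in this section that also discards stderr, so when it fails the user gets just `'yum install' failed.` with no reason, while every neighbouring `( set -x; yum ... >/dev/null )` keeps stderr; drop the `2>&1`, or leave a one-line comment saying why this step is special. The new line also spells `--enablerepo=epel` out literally while `REPO1='--enablerepo=epel'` is still assigned in the context line above it; if nothing else in the file reads REPO1 it is now dead and should go, otherwise keep using `"$REPO1"` here as the CentOS section does. The same `2>&1` is on the CentOS xl2tpd line (`yum "$REPO1" -y -q install xl2tpd >/dev/null 2>&1`).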
@ -40,7 +40,7 @@ SYS_DT=$(date +%F-%T | tr ':' '_')
|
||||
exiterr() { echo "Error: $1" >&2; exit 1; }
|
||||
exiterr2() { exiterr "'yum install' failed."; }
|
||||
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
|
||||
bigecho() { echo; echo "## $1"; echo; }
|
||||
bigecho() { echo "## $1"; }
|
||||
|
||||
check_ip() {
|
||||
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
|
||||
@ -129,28 +129,27 @@ cd /opt/src || exit 1
|
||||
|
||||
bigecho "Installing packages required for setup..."
|
||||
|
||||
yum -y install wget bind-utils openssl tar \
|
||||
iptables iproute gawk grep sed net-tools || exiterr2
|
||||
(
|
||||
set -x
|
||||
yum -y -q install wget bind-utils openssl tar \
|
||||
iptables iproute gawk grep sed net-tools >/dev/null
|
||||
) || exiterr2
|
||||
|
||||
bigecho "Trying to auto discover IP of this server..."
|
||||
|
||||
cat <<'EOF'
|
||||
In case the script hangs here for more than a few minutes,
|
||||
press Ctrl-C to abort. Then edit it and manually enter IP.
|
||||
EOF
|
||||
|
||||
# In case auto IP discovery fails, enter server's public IP here.
|
||||
PUBLIC_IP=${VPN_PUBLIC_IP:-''}
|
||||
|
||||
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
|
||||
|
||||
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
|
||||
check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it."
|
||||
|
||||
bigecho "Adding the EPEL repository..."
|
||||
|
||||
epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm"
|
||||
yum -y install epel-release || yum -y install "$epel_url" || exiterr2
|
||||
(
|
||||
set -x
|
||||
yum -y -q install epel-release >/dev/null || yum -y -q install "$epel_url" >/dev/null
|
||||
) || exiterr2
|
||||
|
||||
bigecho "Installing packages required for the VPN..."
|
||||
|
||||
@ -160,42 +159,69 @@ REPO3='--enablerepo=*releases-optional*'
|
||||
REPO4='--enablerepo=[Pp]ower[Tt]ools'
|
||||
[ "$os_type" = "rhel" ] && REPO4='--enablerepo=codeready-builder-for-rhel-8-*'
|
||||
|
||||
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
|
||||
libcap-ng-devel libselinux-devel curl-devel nss-tools \
|
||||
flex bison gcc make ppp || exiterr2
|
||||
|
||||
yum "$REPO1" -y install xl2tpd || exiterr2
|
||||
(
|
||||
set -x
|
||||
yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
|
||||
libcap-ng-devel libselinux-devel curl-devel nss-tools \
|
||||
flex bison gcc make ppp >/dev/null
|
||||
) || exiterr2
|
||||
(
|
||||
set -x
|
||||
yum "$REPO1" -y -q install xl2tpd >/dev/null 2>&1
|
||||
) || exiterr2
|
||||
|
||||
use_nft=0
|
||||
if [ "$os_ver" = "7" ]; then
|
||||
yum -y install systemd-devel iptables-services || exiterr2
|
||||
yum "$REPO2" "$REPO3" -y install libevent-devel fipscheck-devel || exiterr2
|
||||
(
|
||||
set -x
|
||||
yum -y -q install systemd-devel iptables-services >/dev/null
|
||||
) || exiterr2
|
||||
(
|
||||
set -x
|
||||
yum "$REPO2" "$REPO3" -y -q install libevent-devel fipscheck-devel >/dev/null
|
||||
) || exiterr2
|
||||
else
|
||||
yum "$REPO4" -y install systemd-devel libevent-devel fipscheck-devel || exiterr2
|
||||
(
|
||||
set -x
|
||||
yum "$REPO4" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
|
||||
) || exiterr2
|
||||
if systemctl is-active --quiet firewalld.service \
|
||||
|| grep -qs "hwdsl2 VPN script" /etc/sysconfig/nftables.conf; then
|
||||
use_nft=1
|
||||
yum -y install nftables || exiterr2
|
||||
(
|
||||
set -x
|
||||
yum -y -q install nftables >/dev/null
|
||||
) || exiterr2
|
||||
else
|
||||
yum -y install iptables-services || exiterr2
|
||||
(
|
||||
set -x
|
||||
yum -y -q install iptables-services >/dev/null
|
||||
) || exiterr2
|
||||
fi
|
||||
fi
|
||||
|
||||
bigecho "Installing Fail2Ban to protect SSH..."
|
||||
|
||||
yum "$REPO1" -y install fail2ban || exiterr2
|
||||
(
|
||||
set -x
|
||||
yum "$REPO1" -y -q install fail2ban >/dev/null
|
||||
) || exiterr2
|
||||
|
||||
bigecho "Compiling and installing Libreswan..."
|
||||
bigecho "Downloading Libreswan..."
|
||||
|
||||
SWAN_VER=4.2
|
||||
swan_file="libreswan-$SWAN_VER.tar.gz"
|
||||
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
|
||||
swan_url2="https://download.libreswan.org/$swan_file"
|
||||
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
|
||||
exit 1
|
||||
fi
|
||||
(
|
||||
set -x
|
||||
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
|
||||
) || exit 1
|
||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
|
||||
|
||||
bigecho "Compiling and installing Libreswan, please wait..."
|
||||
|
||||
cd "libreswan-$SWAN_VER" || exit 1
|
||||
cat > Makefile.inc.local <<'EOF'
|
||||
WERROR_CFLAGS=-w
|
||||
@ -209,7 +235,10 @@ if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
|
||||
fi
|
||||
NPROCS=$(grep -c ^processor /proc/cpuinfo)
|
||||
[ -z "$NPROCS" ] && NPROCS=1
|
||||
make "-j$((NPROCS+1))" -s base && make -s install-base
|
||||
(
|
||||
set -x
|
||||
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
|
||||
)
|
||||
|
||||
cd /opt/src || exit 1
|
||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||
|
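Review bot: This section repeats the four-line `( set -x; yum ... >/dev/null ) || exiterr2` wrapper nine times (and the same shape recurs in every other section of the commit), which makes the install sequence hard to scan and means a later tweak to the quieting — such as the `2>&1` that only the xl2tpd line carries — has to be applied in many places; a small helper defined next to `exiterr2` would keep each install to one line and one trace entry. Steps that need a different redirect or a different error message can still spell the subshell out as now, and the `epel-release || "$epel_url"` fallback and the `make` subshell would stay as they are since they are not a single yum invocation. One possible shape, shown for the first three installs of this section:
```shell
# Run one yum command with stdout suppressed; the xtrace line still tells
# the user which command ran, and stderr is kept for diagnostics.
yum_quiet() {
  (
    set -x
    yum "$@" >/dev/null
  ) || exiterr2
}

yum_quiet -y -q install wget bind-utils openssl tar \
  iptables iproute gawk grep sed net-tools
# … unchanged: IP auto-discovery and EPEL repository setup …
yum_quiet -y -q install nss-devel nspr-devel pkgconfig pam-devel \
  libcap-ng-devel libselinux-devel curl-devel nss-tools \
  flex bison gcc make ppp
yum_quiet "$REPO1" -y -q install xl2tpd
```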