Update IKEv2 script
- New: Users can now specify '--addclient [client name]' or '--exportclient [client name]' command-line arguments to automatically add or export an IKEv2 client using default options. - Show script usage when '-h' or '--help' is specified. - Other minor improvements
parent
83d7309147
commit
625ddd3d32
@ -73,42 +73,6 @@ check_os_type() {
|
||||
fi
|
||||
}
|
||||
|
||||
check_utils_exist() {
|
||||
command -v certutil >/dev/null 2>&1 || exiterr "'certutil' not found. Abort."
|
||||
command -v pk12util >/dev/null 2>&1 || exiterr "'pk12util' not found. Abort."
|
||||
}
|
||||
|
||||
check_container() {
|
||||
in_container=0
|
||||
export_dir=~/
|
||||
if grep -qs "hwdsl2" /opt/src/run.sh; then
|
||||
in_container=1
|
||||
export_dir="/etc/ipsec.d/"
|
||||
fi
|
||||
}
|
||||
|
||||
check_ca_cert_exists() {
|
||||
if certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" >/dev/null 2>&1; then
|
||||
exiterr "Certificate 'IKEv2 VPN CA' already exists."
|
||||
fi
|
||||
}
|
||||
|
||||
check_server_cert_exists() {
|
||||
if certutil -L -d sql:/etc/ipsec.d -n "$server_addr" >/dev/null 2>&1; then
|
||||
echo "Error: Certificate '$server_addr' already exists." >&2
|
||||
echo "Abort. No changes were made." >&2
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
check_client_cert_exists() {
|
||||
if certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then
|
||||
echo "Error: Client '$client_name' already exists." >&2
|
||||
echo "Abort. No changes were made." >&2
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
check_swan_install() {
|
||||
ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
|
||||
swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux //' -e 's/Libreswan //' -e 's/ (netkey).*//')
|
||||
@ -139,6 +103,94 @@ EOF
|
||||
esac
|
||||
}
|
||||
|
||||
check_utils_exist() {
|
||||
command -v certutil >/dev/null 2>&1 || exiterr "'certutil' not found. Abort."
|
||||
command -v pk12util >/dev/null 2>&1 || exiterr "'pk12util' not found. Abort."
|
||||
}
|
||||
|
||||
check_container() {
|
||||
in_container=0
|
||||
export_dir=~/
|
||||
if grep -qs "hwdsl2" /opt/src/run.sh; then
|
||||
in_container=1
|
||||
export_dir="/etc/ipsec.d/"
|
||||
fi
|
||||
}
|
||||
|
||||
show_usage() {
|
||||
if [ -n "$1" ]; then
|
||||
echo "Error: $1" >&2;
|
||||
fi
|
||||
cat 1>&2 <<EOF
|
||||
Usage: $0 [options]
|
||||
|
||||
Options:
|
||||
--auto run IKEv2 setup in auto mode using default options (for initial IKEv2 setup only)
|
||||
--addclient [client name] add a new IKEv2 client using default options (after IKEv2 setup)
|
||||
--exportclient [client name] export an existing IKEv2 client using default options (after IKEv2 setup)
|
||||
-h, --help show this help message and exit
|
||||
|
||||
If you want to customize options, run this script without arguments.
|
||||
EOF
|
||||
exit 1
|
||||
}
|
||||
|
||||
check_arguments() {
|
||||
if [ "$use_defaults" = "1" ]; then
|
||||
if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then
|
||||
show_usage "Invalid parameter. '--auto' can only be specified for initial IKEv2 setup."
|
||||
fi
|
||||
fi
|
||||
if [ "$add_client_using_defaults" = "1" ] && [ "$export_client_using_defaults" = "1" ]; then
|
||||
show_usage "Invalid parameters. '--addclient' and '--exportclient' cannot be specified at the same time."
|
||||
fi
|
||||
if [ "$add_client_using_defaults" = "1" ]; then
|
||||
if ! grep -qs "conn ikev2-cp" /etc/ipsec.conf && [ ! -f /etc/ipsec.d/ikev2.conf ]; then
|
||||
exiterr "You must first set up IKEv2 before adding a new client."
|
||||
fi
|
||||
if [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \
|
||||
|| printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+'; then
|
||||
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
|
||||
elif certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then
|
||||
exiterr "Invalid client name. Client '$client_name' already exists."
|
||||
fi
|
||||
fi
|
||||
if [ "$export_client_using_defaults" = "1" ]; then
|
||||
if ! grep -qs "conn ikev2-cp" /etc/ipsec.conf && [ ! -f /etc/ipsec.d/ikev2.conf ]; then
|
||||
exiterr "You must first set up IKEv2 before exporting a client configuration."
|
||||
fi
|
||||
get_server_address
|
||||
if [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \
|
||||
|| printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|
||||
|| [ "$client_name" = "IKEv2 VPN CA" ] || [ "$client_name" = "$server_addr" ] \
|
||||
|| ! certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then
|
||||
exiterr "Invalid client name, or client does not exist."
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
check_ca_cert_exists() {
|
||||
if certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" >/dev/null 2>&1; then
|
||||
exiterr "Certificate 'IKEv2 VPN CA' already exists."
|
||||
fi
|
||||
}
|
||||
|
||||
check_server_cert_exists() {
|
||||
if certutil -L -d sql:/etc/ipsec.d -n "$server_addr" >/dev/null 2>&1; then
|
||||
echo "Error: Certificate '$server_addr' already exists." >&2
|
||||
echo "Abort. No changes were made." >&2
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
check_client_cert_exists() {
|
||||
if certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then
|
||||
echo "Error: Client '$client_name' already exists." >&2
|
||||
echo "Abort. No changes were made." >&2
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
check_swan_ver() {
|
||||
if [ "$in_container" = "0" ]; then
|
||||
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverikev2?arch=$os_arch&ver=$swan_ver&auto=$use_defaults"
|
||||
@ -197,6 +249,14 @@ show_start_message() {
|
||||
bigecho "Starting IKEv2 setup in auto mode, using default options."
|
||||
}
|
||||
|
||||
show_add_client_message() {
|
||||
bigecho2 "Adding a new IKEv2 client '$client_name', using default options."
|
||||
}
|
||||
|
||||
show_export_client_message() {
|
||||
bigecho2 "Exporting existing IKEv2 client '$client_name', using default options."
|
||||
}
|
||||
|
||||
get_server_ip() {
|
||||
echo "Trying to auto discover IP of this server..."
|
||||
public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
|
||||
@ -540,6 +600,8 @@ EOF
|
||||
|
||||
install_base64_uuidgen() {
|
||||
if ! command -v base64 >/dev/null 2>&1 || ! command -v uuidgen >/dev/null 2>&1; then
|
||||
bigecho "Installing required packages..."
|
||||
|
||||
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get -yqq update || exiterr "'apt-get update' failed."
|
||||
@ -553,7 +615,6 @@ install_base64_uuidgen() {
|
||||
create_mobileconfig() {
|
||||
bigecho "Creating .mobileconfig for iOS and macOS..."
|
||||
|
||||
install_base64_uuidgen
|
||||
[ -z "$server_addr" ] && get_server_address
|
||||
|
||||
p12_base64=$(base64 -w 52 "$export_dir$client_name-$SYS_DT.p12")
|
||||
@ -719,7 +780,6 @@ EOF
|
||||
create_android_profile() {
|
||||
bigecho "Creating client profile for Android..."
|
||||
|
||||
install_base64_uuidgen
|
||||
[ -z "$server_addr" ] && get_server_address
|
||||
|
||||
p12_base64_oneline=$(base64 -w 52 "$export_dir$client_name-$SYS_DT.p12" | sed 's/$/\\n/' | tr -d '\n')
|
||||
@ -1026,21 +1086,70 @@ print_ikev2_removed_message() {
|
||||
}
|
||||
|
||||
ikev2setup() {
|
||||
case $1 in
|
||||
--auto)
|
||||
use_defaults=1
|
||||
;;
|
||||
*)
|
||||
use_defaults=0
|
||||
;;
|
||||
esac
|
||||
|
||||
check_run_as_root
|
||||
check_os_type
|
||||
check_swan_install
|
||||
check_utils_exist
|
||||
check_container
|
||||
|
||||
use_defaults=0
|
||||
add_client_using_defaults=0
|
||||
export_client_using_defaults=0
|
||||
while [ "$#" -gt 0 ]; do
|
||||
case $1 in
|
||||
--auto)
|
||||
use_defaults=1
|
||||
shift
|
||||
;;
|
||||
--addclient)
|
||||
add_client_using_defaults=1
|
||||
client_name="$2"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
--exportclient)
|
||||
export_client_using_defaults=1
|
||||
client_name="$2"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
-h|--help)
|
||||
show_usage
|
||||
;;
|
||||
*)
|
||||
show_usage "Unknown parameter: $1"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
check_arguments
|
||||
|
||||
if [ "$add_client_using_defaults" = "1" ]; then
|
||||
show_add_client_message
|
||||
client_validity=120
|
||||
use_own_password=0
|
||||
create_client_cert
|
||||
export_p12_file
|
||||
install_base64_uuidgen
|
||||
create_mobileconfig
|
||||
create_android_profile
|
||||
print_client_added_message
|
||||
print_client_info
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$export_client_using_defaults" = "1" ]; then
|
||||
show_export_client_message
|
||||
use_own_password=0
|
||||
export_p12_file
|
||||
install_base64_uuidgen
|
||||
create_mobileconfig
|
||||
create_android_profile
|
||||
print_client_exported_message
|
||||
print_client_info
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then
|
||||
select_menu_option
|
||||
case $selected_option in
|
||||
@ -1050,6 +1159,7 @@ ikev2setup() {
|
||||
select_p12_password
|
||||
create_client_cert
|
||||
export_p12_file
|
||||
install_base64_uuidgen
|
||||
create_mobileconfig
|
||||
create_android_profile
|
||||
print_client_added_message
|
||||
@ -1060,6 +1170,7 @@ ikev2setup() {
|
||||
enter_client_name_for_export
|
||||
select_p12_password
|
||||
export_p12_file
|
||||
install_base64_uuidgen
|
||||
create_mobileconfig
|
||||
create_android_profile
|
||||
print_client_exported_message
|
||||
@ -1120,6 +1231,7 @@ ikev2setup() {
|
||||
create_server_cert
|
||||
create_client_cert
|
||||
export_p12_file
|
||||
install_base64_uuidgen
|
||||
create_mobileconfig
|
||||
create_android_profile
|
||||
add_ikev2_connection
|
||||
|
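Review bot: In the argument loop added to ikev2setup, the `--addclient` and `--exportclient` arms copy `$2` into client_name and then `shift` twice without checking that a value was actually supplied, so `--addclient` given as the last argument depends on the second `shift` failing quietly; if the script runs under dash as `/bin/sh`, a failed `shift` is a fatal special-builtin error and the run ends with a shell diagnostic instead of the "Invalid client name" message check_arguments was written to produce. Guard the value before consuming it in both arms, e.g. `[ "$#" -ge 2 ] || show_usage "Option '$1' requires a client name."`, which also prevents a following option such as `--auto` from being swallowed as the client name (it passes the `[A-Za-z0-9_-]` filter in check_arguments). A smaller style point: `-h`/`--help` exits 1 through show_usage, so a successful help request looks like a failure to callers; an explicit `exit 0` for the help case would be cleaner. ikev2setup's body continues past the end of this hunk.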