1
0
mirror of synced 2024-11-26 23:06:03 +03:00

Update IKEv2 script

- New: Users can now specify '--addclient [client name]' or
  '--exportclient [client name]' command-line arguments to automatically
  add or export an IKEv2 client using default options.
- Show script usage when '-h' or '--help' is specified.
- Other minor improvements
This commit is contained in:
hwdsl2 2021-01-24 13:53:55 -06:00
parent 83d7309147
commit 625ddd3d32

View File

@ -73,42 +73,6 @@ check_os_type() {
fi fi
} }
check_utils_exist() {
command -v certutil >/dev/null 2>&1 || exiterr "'certutil' not found. Abort."
command -v pk12util >/dev/null 2>&1 || exiterr "'pk12util' not found. Abort."
}
check_container() {
in_container=0
export_dir=~/
if grep -qs "hwdsl2" /opt/src/run.sh; then
in_container=1
export_dir="/etc/ipsec.d/"
fi
}
check_ca_cert_exists() {
if certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" >/dev/null 2>&1; then
exiterr "Certificate 'IKEv2 VPN CA' already exists."
fi
}
check_server_cert_exists() {
if certutil -L -d sql:/etc/ipsec.d -n "$server_addr" >/dev/null 2>&1; then
echo "Error: Certificate '$server_addr' already exists." >&2
echo "Abort. No changes were made." >&2
exit 1
fi
}
check_client_cert_exists() {
if certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then
echo "Error: Client '$client_name' already exists." >&2
echo "Abort. No changes were made." >&2
exit 1
fi
}
check_swan_install() { check_swan_install() {
ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null) ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux //' -e 's/Libreswan //' -e 's/ (netkey).*//') swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux //' -e 's/Libreswan //' -e 's/ (netkey).*//')
@ -139,6 +103,94 @@ EOF
esac esac
} }
check_utils_exist() {
command -v certutil >/dev/null 2>&1 || exiterr "'certutil' not found. Abort."
command -v pk12util >/dev/null 2>&1 || exiterr "'pk12util' not found. Abort."
}
check_container() {
in_container=0
export_dir=~/
if grep -qs "hwdsl2" /opt/src/run.sh; then
in_container=1
export_dir="/etc/ipsec.d/"
fi
}
show_usage() {
if [ -n "$1" ]; then
echo "Error: $1" >&2;
fi
cat 1>&2 <<EOF
Usage: $0 [options]
Options:
--auto run IKEv2 setup in auto mode using default options (for initial IKEv2 setup only)
--addclient [client name] add a new IKEv2 client using default options (after IKEv2 setup)
--exportclient [client name] export an existing IKEv2 client using default options (after IKEv2 setup)
-h, --help show this help message and exit
If you want to customize options, run this script without arguments.
EOF
exit 1
}
check_arguments() {
if [ "$use_defaults" = "1" ]; then
if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then
show_usage "Invalid parameter. '--auto' can only be specified for initial IKEv2 setup."
fi
fi
if [ "$add_client_using_defaults" = "1" ] && [ "$export_client_using_defaults" = "1" ]; then
show_usage "Invalid parameters. '--addclient' and '--exportclient' cannot be specified at the same time."
fi
if [ "$add_client_using_defaults" = "1" ]; then
if ! grep -qs "conn ikev2-cp" /etc/ipsec.conf && [ ! -f /etc/ipsec.d/ikev2.conf ]; then
exiterr "You must first set up IKEv2 before adding a new client."
fi
if [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \
|| printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+'; then
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
elif certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then
exiterr "Invalid client name. Client '$client_name' already exists."
fi
fi
if [ "$export_client_using_defaults" = "1" ]; then
if ! grep -qs "conn ikev2-cp" /etc/ipsec.conf && [ ! -f /etc/ipsec.d/ikev2.conf ]; then
exiterr "You must first set up IKEv2 before exporting a client configuration."
fi
get_server_address
if [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \
|| printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| [ "$client_name" = "IKEv2 VPN CA" ] || [ "$client_name" = "$server_addr" ] \
|| ! certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then
exiterr "Invalid client name, or client does not exist."
fi
fi
}
check_ca_cert_exists() {
if certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" >/dev/null 2>&1; then
exiterr "Certificate 'IKEv2 VPN CA' already exists."
fi
}
check_server_cert_exists() {
if certutil -L -d sql:/etc/ipsec.d -n "$server_addr" >/dev/null 2>&1; then
echo "Error: Certificate '$server_addr' already exists." >&2
echo "Abort. No changes were made." >&2
exit 1
fi
}
check_client_cert_exists() {
if certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then
echo "Error: Client '$client_name' already exists." >&2
echo "Abort. No changes were made." >&2
exit 1
fi
}
check_swan_ver() { check_swan_ver() {
if [ "$in_container" = "0" ]; then if [ "$in_container" = "0" ]; then
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverikev2?arch=$os_arch&ver=$swan_ver&auto=$use_defaults" swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverikev2?arch=$os_arch&ver=$swan_ver&auto=$use_defaults"
@ -197,6 +249,14 @@ show_start_message() {
bigecho "Starting IKEv2 setup in auto mode, using default options." bigecho "Starting IKEv2 setup in auto mode, using default options."
} }
show_add_client_message() {
bigecho2 "Adding a new IKEv2 client '$client_name', using default options."
}
show_export_client_message() {
bigecho2 "Exporting existing IKEv2 client '$client_name', using default options."
}
get_server_ip() { get_server_ip() {
echo "Trying to auto discover IP of this server..." echo "Trying to auto discover IP of this server..."
public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
@ -540,6 +600,8 @@ EOF
install_base64_uuidgen() { install_base64_uuidgen() {
if ! command -v base64 >/dev/null 2>&1 || ! command -v uuidgen >/dev/null 2>&1; then if ! command -v base64 >/dev/null 2>&1 || ! command -v uuidgen >/dev/null 2>&1; then
bigecho "Installing required packages..."
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
apt-get -yqq update || exiterr "'apt-get update' failed." apt-get -yqq update || exiterr "'apt-get update' failed."
@ -553,7 +615,6 @@ install_base64_uuidgen() {
create_mobileconfig() { create_mobileconfig() {
bigecho "Creating .mobileconfig for iOS and macOS..." bigecho "Creating .mobileconfig for iOS and macOS..."
install_base64_uuidgen
[ -z "$server_addr" ] && get_server_address [ -z "$server_addr" ] && get_server_address
p12_base64=$(base64 -w 52 "$export_dir$client_name-$SYS_DT.p12") p12_base64=$(base64 -w 52 "$export_dir$client_name-$SYS_DT.p12")
@ -719,7 +780,6 @@ EOF
create_android_profile() { create_android_profile() {
bigecho "Creating client profile for Android..." bigecho "Creating client profile for Android..."
install_base64_uuidgen
[ -z "$server_addr" ] && get_server_address [ -z "$server_addr" ] && get_server_address
p12_base64_oneline=$(base64 -w 52 "$export_dir$client_name-$SYS_DT.p12" | sed 's/$/\\n/' | tr -d '\n') p12_base64_oneline=$(base64 -w 52 "$export_dir$client_name-$SYS_DT.p12" | sed 's/$/\\n/' | tr -d '\n')
@ -1026,21 +1086,70 @@ print_ikev2_removed_message() {
} }
ikev2setup() { ikev2setup() {
case $1 in
--auto)
use_defaults=1
;;
*)
use_defaults=0
;;
esac
check_run_as_root check_run_as_root
check_os_type check_os_type
check_swan_install check_swan_install
check_utils_exist check_utils_exist
check_container check_container
use_defaults=0
add_client_using_defaults=0
export_client_using_defaults=0
while [ "$#" -gt 0 ]; do
case $1 in
--auto)
use_defaults=1
shift
;;
--addclient)
add_client_using_defaults=1
client_name="$2"
shift
shift
;;
--exportclient)
export_client_using_defaults=1
client_name="$2"
shift
shift
;;
-h|--help)
show_usage
;;
*)
show_usage "Unknown parameter: $1"
;;
esac
done
check_arguments
if [ "$add_client_using_defaults" = "1" ]; then
show_add_client_message
client_validity=120
use_own_password=0
create_client_cert
export_p12_file
install_base64_uuidgen
create_mobileconfig
create_android_profile
print_client_added_message
print_client_info
exit 0
fi
if [ "$export_client_using_defaults" = "1" ]; then
show_export_client_message
use_own_password=0
export_p12_file
install_base64_uuidgen
create_mobileconfig
create_android_profile
print_client_exported_message
print_client_info
exit 0
fi
if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then
select_menu_option select_menu_option
case $selected_option in case $selected_option in
@ -1050,6 +1159,7 @@ ikev2setup() {
select_p12_password select_p12_password
create_client_cert create_client_cert
export_p12_file export_p12_file
install_base64_uuidgen
create_mobileconfig create_mobileconfig
create_android_profile create_android_profile
print_client_added_message print_client_added_message
@ -1060,6 +1170,7 @@ ikev2setup() {
enter_client_name_for_export enter_client_name_for_export
select_p12_password select_p12_password
export_p12_file export_p12_file
install_base64_uuidgen
create_mobileconfig create_mobileconfig
create_android_profile create_android_profile
print_client_exported_message print_client_exported_message
@ -1120,6 +1231,7 @@ ikev2setup() {
create_server_cert create_server_cert
create_client_cert create_client_cert
export_p12_file export_p12_file
install_base64_uuidgen
create_mobileconfig create_mobileconfig
create_android_profile create_android_profile
add_ikev2_connection add_ikev2_connection