
Various clean up

This commit is contained in:
hwdsl2 2017-11-01 01:01:49 -05:00
parent b7a4bed866
commit 70c6d6b540
7 changed files with 114 additions and 140 deletions


@ -159,7 +159,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
## 升级Libreswan ## 升级Libreswan
提供两个额外的脚本 <a href="extras/vpnupgrade.sh" target="_blank">vpnupgrade.sh</a><a href="extras/vpnupgrade_centos.sh" target="_blank">vpnupgrade_centos.sh</a>,可用于升级 <a href="https://libreswan.org" target="_blank">Libreswan</a> <a href="https://github.com/libreswan/libreswan/blob/master/CHANGES" target="_blank">更新日志</a> | <a href="https://lists.libreswan.org/mailman/listinfo/swan-announce" target="_blank">通知列表</a>)。请在运行前根据需要修改 `swan_ver` 变量。查看已安装版本: `ipsec --version`. 提供两个额外的脚本 <a href="extras/vpnupgrade.sh" target="_blank">vpnupgrade.sh</a><a href="extras/vpnupgrade_centos.sh" target="_blank">vpnupgrade_centos.sh</a>,可用于升级 <a href="https://libreswan.org" target="_blank">Libreswan</a> <a href="https://github.com/libreswan/libreswan/blob/master/CHANGES" target="_blank">更新日志</a> | <a href="https://lists.libreswan.org/mailman/listinfo/swan-announce" target="_blank">通知列表</a>)。请在运行前根据需要修改 `SWAN_VER` 变量。查看已安装版本: `ipsec --version`.
```bash ```bash
# Ubuntu & Debian # Ubuntu & Debian


@ -106,7 +106,7 @@ sudo sh vpnsetup.sh
```bash ```bash
# All values MUST be placed inside 'single quotes' # All values MUST be placed inside 'single quotes'
# DO NOT use these characters within values: \ " ' # DO NOT use these special characters within values: \ " '
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo \ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo \
VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \ VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
VPN_USER='your_vpn_username' \ VPN_USER='your_vpn_username' \
@ -159,7 +159,7 @@ The scripts will backup existing config files before making changes, with `.old-
## Upgrade Libreswan ## Upgrade Libreswan
The additional scripts <a href="extras/vpnupgrade.sh" target="_blank">vpnupgrade.sh</a> and <a href="extras/vpnupgrade_centos.sh" target="_blank">vpnupgrade_centos.sh</a> can be used to upgrade <a href="https://libreswan.org" target="_blank">Libreswan</a> (<a href="https://github.com/libreswan/libreswan/blob/master/CHANGES" target="_blank">changelog</a> | <a href="https://lists.libreswan.org/mailman/listinfo/swan-announce" target="_blank">announce</a>). Edit the `swan_ver` variable as necessary. Check which version is installed: `ipsec --version`. The additional scripts <a href="extras/vpnupgrade.sh" target="_blank">vpnupgrade.sh</a> and <a href="extras/vpnupgrade_centos.sh" target="_blank">vpnupgrade_centos.sh</a> can be used to upgrade <a href="https://libreswan.org" target="_blank">Libreswan</a> (<a href="https://github.com/libreswan/libreswan/blob/master/CHANGES" target="_blank">changelog</a> | <a href="https://lists.libreswan.org/mailman/listinfo/swan-announce" target="_blank">announce</a>). Edit the `SWAN_VER` variable as necessary. Check which version is installed: `ipsec --version`.
```bash ```bash
# Ubuntu & Debian # Ubuntu & Debian


@ -18,7 +18,7 @@ For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format
... ... ... ...
``` ```
You can add more users, use one line for each user. DO NOT use these characters within values: `\ " '` You can add more users, use one line for each user. DO NOT use these special characters within values: `\ " '`
For `IPsec/XAuth ("Cisco IPsec")`, VPN users are specified in `/etc/ipsec.d/passwd`. The format of this file is: For `IPsec/XAuth ("Cisco IPsec")`, VPN users are specified in `/etc/ipsec.d/passwd`. The format of this file is:


@ -11,14 +11,14 @@
# know how you have improved it! # know how you have improved it!
# Check https://libreswan.org for the latest version # Check https://libreswan.org for the latest version
swan_ver=3.22 SWAN_VER=3.22
### DO NOT edit below this line ### ### DO NOT edit below this line ###
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } exiterr2() { exiterr "'apt-get install' failed."; }
vpnupgrade() { vpnupgrade() {
@ -27,31 +27,31 @@ if [ -z "$os_type" ]; then
[ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")" [ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")"
[ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")" [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")"
fi fi
if ! printf %s "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then if ! printf '%s' "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then
exiterr "This script only supports Ubuntu/Debian." exiterr "This script only supports Ubuntu and Debian."
fi fi
if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then
exiterr "This script does not support Debian 7 (Wheezy)." exiterr "Debian 7 is not supported."
fi fi
if [ -f /proc/user_beancounters ]; then if [ -f /proc/user_beancounters ]; then
exiterr "This script does not support OpenVZ VPS." exiterr "OpenVZ VPS is not supported."
fi fi
if [ "$(id -u)" != 0 ]; then if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'" exiterr "Script must be run as root. Try 'sudo sh $0'"
fi fi
if [ -z "$swan_ver" ]; then if [ -z "$SWAN_VER" ]; then
exiterr "Libreswan version 'swan_ver' not specified." exiterr "Libreswan version 'SWAN_VER' not specified."
fi fi
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then
exiterr "This script requires Libreswan already installed." exiterr "This script requires Libreswan already installed."
fi fi
if [ "$swan_ver" = "3.22" ]; then if [ "$SWAN_VER" = "3.22" ]; then
if grep -qs raspbian /etc/os-release; then if grep -qs raspbian /etc/os-release; then
echo "Note: For Raspberry Pi systems, this script will install Libreswan" echo "Note: For Raspberry Pi systems, this script will install Libreswan"
echo "version 3.21 instead of 3.22, to avoid some recent bugs." echo "version 3.21 instead of 3.22, to avoid some recent bugs."
@ -61,7 +61,7 @@ if [ "$swan_ver" = "3.22" ]; then
case $response in case $response in
[yY][eE][sS]|[yY]) [yY][eE][sS]|[yY])
echo echo
swan_ver=3.21 SWAN_VER=3.21
;; ;;
*) *)
echo "Aborting." echo "Aborting."
@ -71,8 +71,8 @@ if [ "$swan_ver" = "3.22" ]; then
fi fi
fi fi
if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
echo "You already have Libreswan version $swan_ver installed! " echo "You already have Libreswan version $SWAN_VER installed! "
echo "If you continue, the same version will be re-installed." echo "If you continue, the same version will be re-installed."
echo echo
printf "Do you wish to continue anyway? [y/N] " printf "Do you wish to continue anyway? [y/N] "
@ -91,7 +91,7 @@ fi
clear clear
cat <<EOF cat <<EOF
Welcome! This script will build and install Libreswan $swan_ver on your server. Welcome! This script will build and install Libreswan $SWAN_VER on your server.
Additional packages required for Libreswan compilation will also be installed. Additional packages required for Libreswan compilation will also be installed.
This is intended for use on servers running an older version of Libreswan. This is intended for use on servers running an older version of Libreswan.
@ -146,21 +146,21 @@ apt-get -yq update || exiterr "'apt-get update' failed."
apt-get -yq install wget || exiterr2 apt-get -yq install wget || exiterr2
# Install necessary packages # Install necessary packages
apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ apt-get -yq install libnss3-dev libnspr4-dev pkg-config \
libcap-ng-dev libcap-ng-utils libselinux1-dev \ libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev flex bison gcc make \ libcurl4-nss-dev flex bison gcc make libnss3-tools \
libnss3-tools libevent-dev || exiterr2 libevent-dev || exiterr2
# Compile and install Libreswan # Compile and install Libreswan
swan_file="libreswan-$swan_ver.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
exiterr "Cannot download Libreswan source." exiterr "Cannot download Libreswan source."
fi fi
/bin/rm -rf "/opt/src/libreswan-$swan_ver" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file" tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir." cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir."
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS = WERROR_CFLAGS =
USE_DNSSEC = false USE_DNSSEC = false
@ -174,15 +174,15 @@ make "-j$((NPROCS+1))" -s base && make -s install-base
# Verify the install and clean up # Verify the install and clean up
cd /opt/src || exiterr "Cannot enter /opt/src." cd /opt/src || exiterr "Cannot enter /opt/src."
/bin/rm -rf "/opt/src/libreswan-$swan_ver" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $swan_ver failed to build." exiterr "Libreswan $SWAN_VER failed to build."
fi fi
# Update ipsec.conf for Libreswan 3.19 and newer # Update ipsec.conf for Libreswan 3.19 and newer
IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \ sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \
@ -192,7 +192,7 @@ sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \
service ipsec restart service ipsec restart
echo echo
echo "Libreswan $swan_ver was installed successfully! " echo "Libreswan $SWAN_VER was installed successfully! "
echo echo
} }
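Review bot: The tarball fetched by the two wget calls in the download hunk is extracted and built without any integrity check, and the later `grep -qF "$SWAN_VER"` against `ipsec --version` only confirms that a version substring is present, so a tampered or truncated archive that still builds would pass silently. HTTPS protects the transfer but not the mirror or the GitHub archive endpoint itself; pinning an expected digest next to `SWAN_VER` and checking it before `tar xzf`, e.g. `printf '%s  %s\n' "$SWAN_SHA256" "$swan_file" | sha256sum -c - || exiterr "Libreswan source checksum mismatch."` (with `SWAN_SHA256` a maintainer-filled placeholder), would close that gap. The identical download/extract sequence appears in extras/vpnupgrade_centos.sh and vpnsetup.sh in this commit. The vpnupgrade() body starts before this hunk.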


@ -11,14 +11,14 @@
# know how you have improved it! # know how you have improved it!
# Check https://libreswan.org for the latest version # Check https://libreswan.org for the latest version
swan_ver=3.22 SWAN_VER=3.22
### DO NOT edit below this line ### ### DO NOT edit below this line ###
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; } exiterr2() { exiterr "'yum install' failed."; }
vpnupgrade() { vpnupgrade() {
@ -27,23 +27,23 @@ if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then
fi fi
if [ -f /proc/user_beancounters ]; then if [ -f /proc/user_beancounters ]; then
exiterr "This script does not support OpenVZ VPS." exiterr "OpenVZ VPS is not supported."
fi fi
if [ "$(id -u)" != 0 ]; then if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'" exiterr "Script must be run as root. Try 'sudo sh $0'"
fi fi
if [ -z "$swan_ver" ]; then if [ -z "$SWAN_VER" ]; then
exiterr "Libreswan version 'swan_ver' not specified." exiterr "Libreswan version 'SWAN_VER' not specified."
fi fi
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then
exiterr "This script requires Libreswan already installed." exiterr "This script requires Libreswan already installed."
fi fi
if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
echo "You already have Libreswan version $swan_ver installed! " echo "You already have Libreswan version $SWAN_VER installed! "
echo "If you continue, the same version will be re-installed." echo "If you continue, the same version will be re-installed."
echo echo
printf "Do you wish to continue anyway? [y/N] " printf "Do you wish to continue anyway? [y/N] "
@ -62,7 +62,7 @@ fi
clear clear
cat <<EOF cat <<EOF
Welcome! This script will build and install Libreswan $swan_ver on your server. Welcome! This script will build and install Libreswan $SWAN_VER on your server.
Additional packages required for Libreswan compilation will also be installed. Additional packages required for Libreswan compilation will also be installed.
This is intended for use on servers running an older version of Libreswan. This is intended for use on servers running an older version of Libreswan.
@ -119,11 +119,9 @@ yum -y install epel-release || exiterr2
# Install necessary packages # Install necessary packages
yum -y install nss-devel nspr-devel pkgconfig pam-devel \ yum -y install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel \ libcap-ng-devel libselinux-devel curl-devel \
curl-devel flex bison gcc make \ flex bison gcc make fipscheck-devel || exiterr2
fipscheck-devel || exiterr2
# Install libevent2 and systemd-devel
if grep -qs "release 6" /etc/redhat-release; then if grep -qs "release 6" /etc/redhat-release; then
yum -y remove libevent-devel yum -y remove libevent-devel
yum -y install libevent2-devel || exiterr2 yum -y install libevent2-devel || exiterr2
@ -132,15 +130,15 @@ else
fi fi
# Compile and install Libreswan # Compile and install Libreswan
swan_file="libreswan-$swan_ver.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
exiterr "Cannot download Libreswan source." exiterr "Cannot download Libreswan source."
fi fi
/bin/rm -rf "/opt/src/libreswan-$swan_ver" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file" tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir." cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir."
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS = WERROR_CFLAGS =
USE_DNSSEC = false USE_DNSSEC = false
@ -151,9 +149,9 @@ make "-j$((NPROCS+1))" -s base && make -s install-base
# Verify the install and clean up # Verify the install and clean up
cd /opt/src || exiterr "Cannot enter /opt/src." cd /opt/src || exiterr "Cannot enter /opt/src."
/bin/rm -rf "/opt/src/libreswan-$swan_ver" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $swan_ver failed to build." exiterr "Libreswan $SWAN_VER failed to build."
fi fi
# Restore SELinux contexts # Restore SELinux contexts
@ -164,7 +162,7 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Update ipsec.conf for Libreswan 3.19 and newer # Update ipsec.conf for Libreswan 3.19 and newer
IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \ sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \
@ -174,7 +172,7 @@ sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \
service ipsec restart service ipsec restart
echo echo
echo "Libreswan $swan_ver was installed successfully! " echo "Libreswan $SWAN_VER was installed successfully! "
echo echo
} }


@ -22,7 +22,7 @@
# Define your own values for these variables # Define your own values for these variables
# - IPsec pre-shared key, VPN username and password # - IPsec pre-shared key, VPN username and password
# - All values MUST be placed inside 'single quotes' # - All values MUST be placed inside 'single quotes'
# - DO NOT use these characters within values: \ " ' # - DO NOT use these special characters within values: \ " '
YOUR_IPSEC_PSK='' YOUR_IPSEC_PSK=''
YOUR_USERNAME='' YOUR_USERNAME=''
@ -36,13 +36,13 @@ YOUR_PASSWORD=''
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } exiterr2() { exiterr "'apt-get install' failed."; }
conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null; } conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%F-%T)" 2>/dev/null; }
bigecho() { echo; echo "## $1"; echo; } bigecho() { echo; echo "## $1"; echo; }
check_ip() { check_ip() {
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
printf %s "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX"
} }
vpnsetup() { vpnsetup() {
@ -52,18 +52,16 @@ if [ -z "$os_type" ]; then
[ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")" [ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")"
[ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")" [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")"
fi fi
if ! printf %s "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then if ! printf '%s' "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then
exiterr "This script only supports Ubuntu/Debian." exiterr "This script only supports Ubuntu and Debian."
fi fi
if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then
exiterr "This script does not support Debian 7 (Wheezy)." exiterr "Debian 7 is not supported."
fi fi
if [ -f /proc/user_beancounters ]; then if [ -f /proc/user_beancounters ]; then
echo "Error: This script does not support OpenVZ VPS." >&2 exiterr "OpenVZ VPS is not supported. Try OpenVPN: github.com/Nyr/openvpn-install"
echo "Try OpenVPN: https://github.com/Nyr/openvpn-install" >&2
exit 1
fi fi
if [ "$(id -u)" != 0 ]; then if [ "$(id -u)" != 0 ]; then
@ -75,17 +73,11 @@ def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
[ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null)
if [ -z "$VPN_NET_IFACE" ] && [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then
if ! grep -qs raspbian /etc/os-release; then if ! grep -qs raspbian /etc/os-release; then
case "$def_iface" in case "$def_iface" in
wl*) wl*)
cat 1>&2 <<EOF exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
Error: Default network interface '$def_iface' detected.
>> DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! <<
If you are certain that this script is running on a server, re-run it with:
sudo VPN_NET_IFACE="$def_iface" sh "$0"
EOF
exit 1
;; ;;
esac esac
fi fi
@ -97,9 +89,8 @@ if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface
printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2 printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2
if [ -z "$VPN_NET_IFACE" ]; then if [ -z "$VPN_NET_IFACE" ]; then
cat 1>&2 <<EOF cat 1>&2 <<EOF
Unable to detect your server's default network interface. Unable to detect the default network interface. Manually re-run this script with:
You may manually re-run this script with: sudo VPN_NET_IFACE="your_default_interface_name" sh "$0"
sudo VPN_NET_IFACE="your_default_network_interface" sh "$0"
EOF EOF
fi fi
exit 1 exit 1
@ -120,13 +111,13 @@ if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
exiterr "All VPN credentials must be specified. Edit the script and re-enter them." exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
fi fi
if printf %s "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN credentials must not contain non-ASCII characters." exiterr "VPN credentials must not contain non-ASCII characters."
fi fi
case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
*[\\\"\']*) *[\\\"\']*)
exiterr "VPN credentials must not contain the following characters: \\ \" '" exiterr "VPN credentials must not contain these special characters: \\ \" '"
;; ;;
esac esac
@ -138,11 +129,12 @@ cd /opt/src || exiterr "Cannot enter /opt/src."
bigecho "Populating apt-get cache..." bigecho "Populating apt-get cache..."
# Wait up to 60s for apt/dpkg lock
count=0 count=0
while fuser /var/lib/apt/lists/lock /var/lib/dpkg/lock >/dev/null 2>&1; do while fuser /var/lib/apt/lists/lock /var/lib/dpkg/lock >/dev/null 2>&1; do
[ "$count" -ge "20" ] && exiterr "Cannot get apt/dpkg lock." [ "$count" -ge "20" ] && exiterr "Cannot get apt/dpkg lock."
count=$((count+1)) count=$((count+1))
printf %s . printf '%s' '.'
sleep 3 sleep 3
done done
@ -151,14 +143,14 @@ apt-get -yq update || exiterr "'apt-get update' failed."
bigecho "Installing packages required for setup..." bigecho "Installing packages required for setup..."
apt-get -yq install wget dnsutils openssl || exiterr2 apt-get -yq install wget dnsutils openssl \
apt-get -yq install iproute gawk grep sed net-tools || exiterr2 iproute gawk grep sed net-tools || exiterr2
bigecho "Trying to auto discover IP of this server..." bigecho "Trying to auto discover IP of this server..."
cat <<'EOF' cat <<'EOF'
In case the script hangs here for more than a few minutes, In case the script hangs here for more than a few minutes,
use Ctrl-C to interrupt. Then edit it and manually enter IP. press Ctrl-C to abort. Then edit it and manually enter IP.
EOF EOF
# In case auto IP discovery fails, enter server's public IP here. # In case auto IP discovery fails, enter server's public IP here.
@ -169,15 +161,14 @@ PUBLIC_IP=${VPN_PUBLIC_IP:-''}
# Check IP for correct format # Check IP for correct format
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter it." check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it."
bigecho "Installing packages required for the VPN..." bigecho "Installing packages required for the VPN..."
apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ apt-get -yq install libnss3-dev libnspr4-dev pkg-config \
libcap-ng-dev libcap-ng-utils libselinux1-dev \ libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev flex bison gcc make \ libcurl4-nss-dev flex bison gcc make libnss3-tools \
libnss3-tools libevent-dev || exiterr2 libevent-dev ppp xl2tpd || exiterr2
apt-get -yq install ppp xl2tpd || exiterr2
bigecho "Installing Fail2Ban to protect SSH..." bigecho "Installing Fail2Ban to protect SSH..."
@ -185,19 +176,20 @@ apt-get -yq install fail2ban || exiterr2
bigecho "Compiling and installing Libreswan..." bigecho "Compiling and installing Libreswan..."
swan_ver=3.22 if ! grep -qs raspbian /etc/os-release; then
if grep -qs raspbian /etc/os-release; then SWAN_VER=3.22
swan_ver=3.21 else
SWAN_VER=3.21
fi fi
swan_file="libreswan-$swan_ver.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
exiterr "Cannot download Libreswan source." exiterr "Cannot download Libreswan source."
fi fi
/bin/rm -rf "/opt/src/libreswan-$swan_ver" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file" tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir." cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir."
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS = WERROR_CFLAGS =
USE_DNSSEC = false USE_DNSSEC = false
@ -211,9 +203,9 @@ make "-j$((NPROCS+1))" -s base && make -s install-base
# Verify the install and clean up # Verify the install and clean up
cd /opt/src || exiterr "Cannot enter /opt/src." cd /opt/src || exiterr "Cannot enter /opt/src."
/bin/rm -rf "/opt/src/libreswan-$swan_ver" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $swan_ver failed to build." exiterr "Libreswan $SWAN_VER failed to build."
fi fi
bigecho "Creating VPN configuration..." bigecho "Creating VPN configuration..."
@ -329,8 +321,6 @@ EOF
# Create VPN credentials # Create VPN credentials
conf_bk "/etc/ppp/chap-secrets" conf_bk "/etc/ppp/chap-secrets"
cat > /etc/ppp/chap-secrets <<EOF cat > /etc/ppp/chap-secrets <<EOF
# Secrets for authentication using CHAP
# client server secret IP addresses
"$VPN_USER" l2tpd "$VPN_PASSWORD" * "$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF EOF
@ -392,7 +382,7 @@ fi
# Add IPTables rules for VPN # Add IPTables rules for VPN
if [ "$ipt_flag" = "1" ]; then if [ "$ipt_flag" = "1" ]; then
service fail2ban stop >/dev/null 2>&1 service fail2ban stop >/dev/null 2>&1
iptables-save > "$IPT_FILE.old-$(date +%Y-%m-%d-%H:%M:%S)" iptables-save > "$IPT_FILE.old-$(date +%F-%T)"
iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP
iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
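Review bot: The rewritten wireless-interface guard drops the `[ -z "$VPN_NET_IFACE" ]` condition from the `if` around the `wl*` case, and the new one-line `exiterr` no longer mentions the override, so a server whose default route is on an interface named `wl*` now has no way past this check even though `VPN_NET_IFACE` is still honoured a few lines later in the "not available" branch. Restoring the guard, `if [ -z "$VPN_NET_IFACE" ] && [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then`, keeps the desktop safety check while preserving the documented escape hatch, and the message could end with `Re-run with: sudo VPN_NET_IFACE=\"$def_iface\" sh \"$0\"` if the override is meant to stay supported. The same change is made in vpnsetup_centos.sh. The enclosing vpnsetup() function starts before this hunk and continues after it.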


@ -22,7 +22,7 @@
# Define your own values for these variables # Define your own values for these variables
# - IPsec pre-shared key, VPN username and password # - IPsec pre-shared key, VPN username and password
# - All values MUST be placed inside 'single quotes' # - All values MUST be placed inside 'single quotes'
# - DO NOT use these characters within values: \ " ' # - DO NOT use these special characters within values: \ " '
YOUR_IPSEC_PSK='' YOUR_IPSEC_PSK=''
YOUR_USERNAME='' YOUR_USERNAME=''
@ -36,13 +36,13 @@ YOUR_PASSWORD=''
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; } exiterr2() { exiterr "'yum install' failed."; }
conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null; } conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%F-%T)" 2>/dev/null; }
bigecho() { echo; echo "## $1"; echo; } bigecho() { echo; echo "## $1"; echo; }
check_ip() { check_ip() {
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
printf %s "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX"
} }
vpnsetup() { vpnsetup() {
@ -52,9 +52,7 @@ if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then
fi fi
if [ -f /proc/user_beancounters ]; then if [ -f /proc/user_beancounters ]; then
echo "Error: This script does not support OpenVZ VPS." >&2 exiterr "OpenVZ VPS is not supported. Try OpenVPN: github.com/Nyr/openvpn-install"
echo "Try OpenVPN: https://github.com/Nyr/openvpn-install" >&2
exit 1
fi fi
if [ "$(id -u)" != 0 ]; then if [ "$(id -u)" != 0 ]; then
@ -66,17 +64,11 @@ def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
[ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null)
if [ -z "$VPN_NET_IFACE" ] && [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then
if ! grep -qs raspbian /etc/os-release; then if ! grep -qs raspbian /etc/os-release; then
case "$def_iface" in case "$def_iface" in
wl*) wl*)
cat 1>&2 <<EOF exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
Error: Default network interface '$def_iface' detected.
>> DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! <<
If you are certain that this script is running on a server, re-run it with:
sudo VPN_NET_IFACE="$def_iface" sh "$0"
EOF
exit 1
;; ;;
esac esac
fi fi
@ -88,9 +80,8 @@ if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface
printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2 printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2
if [ -z "$VPN_NET_IFACE" ]; then if [ -z "$VPN_NET_IFACE" ]; then
cat 1>&2 <<EOF cat 1>&2 <<EOF
Unable to detect your server's default network interface. Unable to detect the default network interface. Manually re-run this script with:
You may manually re-run this script with: sudo VPN_NET_IFACE="your_default_interface_name" sh "$0"
sudo VPN_NET_IFACE="your_default_network_interface" sh "$0"
EOF EOF
fi fi
exit 1 exit 1
@ -111,13 +102,13 @@ if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
exiterr "All VPN credentials must be specified. Edit the script and re-enter them." exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
fi fi
if printf %s "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN credentials must not contain non-ASCII characters." exiterr "VPN credentials must not contain non-ASCII characters."
fi fi
case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
*[\\\"\']*) *[\\\"\']*)
exiterr "VPN credentials must not contain the following characters: \\ \" '" exiterr "VPN credentials must not contain these special characters: \\ \" '"
;; ;;
esac esac
@ -129,14 +120,14 @@ cd /opt/src || exiterr "Cannot enter /opt/src."
bigecho "Installing packages required for setup..." bigecho "Installing packages required for setup..."
yum -y install wget bind-utils openssl || exiterr2 yum -y install wget bind-utils openssl \
yum -y install iproute gawk grep sed net-tools || exiterr2 iproute gawk grep sed net-tools || exiterr2
bigecho "Trying to auto discover IP of this server..." bigecho "Trying to auto discover IP of this server..."
cat <<'EOF' cat <<'EOF'
In case the script hangs here for more than a few minutes, In case the script hangs here for more than a few minutes,
use Ctrl-C to interrupt. Then edit it and manually enter IP. press Ctrl-C to abort. Then edit it and manually enter IP.
EOF EOF
# In case auto IP discovery fails, enter server's public IP here. # In case auto IP discovery fails, enter server's public IP here.
@ -147,7 +138,7 @@ PUBLIC_IP=${VPN_PUBLIC_IP:-''}
# Check IP for correct format # Check IP for correct format
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter it." check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it."
bigecho "Adding the EPEL repository..." bigecho "Adding the EPEL repository..."
@ -156,17 +147,15 @@ yum -y install epel-release || exiterr2
bigecho "Installing packages required for the VPN..." bigecho "Installing packages required for the VPN..."
yum -y install nss-devel nspr-devel pkgconfig pam-devel \ yum -y install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel \ libcap-ng-devel libselinux-devel curl-devel \
curl-devel flex bison gcc make \ flex bison gcc make fipscheck-devel \
fipscheck-devel || exiterr2 ppp xl2tpd || exiterr2
yum -y install ppp xl2tpd || exiterr2
if grep -qs "release 6" /etc/redhat-release; then if grep -qs "release 6" /etc/redhat-release; then
yum -y remove libevent-devel yum -y remove libevent-devel
yum -y install libevent2-devel || exiterr2 yum -y install libevent2-devel || exiterr2
else else
yum -y install libevent-devel systemd-devel || exiterr2 yum -y install libevent-devel systemd-devel iptables-services || exiterr2
yum -y install iptables-services || exiterr2
fi fi
bigecho "Installing Fail2Ban to protect SSH..." bigecho "Installing Fail2Ban to protect SSH..."
@ -175,16 +164,16 @@ yum -y install fail2ban || exiterr2
bigecho "Compiling and installing Libreswan..." bigecho "Compiling and installing Libreswan..."
swan_ver=3.22 SWAN_VER=3.22
swan_file="libreswan-$swan_ver.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
exiterr "Cannot download Libreswan source." exiterr "Cannot download Libreswan source."
fi fi
/bin/rm -rf "/opt/src/libreswan-$swan_ver" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file" tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir." cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir."
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS = WERROR_CFLAGS =
USE_DNSSEC = false USE_DNSSEC = false
@ -195,9 +184,9 @@ make "-j$((NPROCS+1))" -s base && make -s install-base
# Verify the install and clean up # Verify the install and clean up
cd /opt/src || exiterr "Cannot enter /opt/src." cd /opt/src || exiterr "Cannot enter /opt/src."
/bin/rm -rf "/opt/src/libreswan-$swan_ver" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $swan_ver failed to build." exiterr "Libreswan $SWAN_VER failed to build."
fi fi
bigecho "Creating VPN configuration..." bigecho "Creating VPN configuration..."
@ -307,8 +296,6 @@ EOF
# Create VPN credentials # Create VPN credentials
conf_bk "/etc/ppp/chap-secrets" conf_bk "/etc/ppp/chap-secrets"
cat > /etc/ppp/chap-secrets <<EOF cat > /etc/ppp/chap-secrets <<EOF
# Secrets for authentication using CHAP
# client server secret IP addresses
"$VPN_USER" l2tpd "$VPN_PASSWORD" * "$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF EOF
@ -370,7 +357,7 @@ fi
# Add IPTables rules for VPN # Add IPTables rules for VPN
if [ "$ipt_flag" = "1" ]; then if [ "$ipt_flag" = "1" ]; then
service fail2ban stop >/dev/null 2>&1 service fail2ban stop >/dev/null 2>&1
iptables-save > "$IPT_FILE.old-$(date +%Y-%m-%d-%H:%M:%S)" iptables-save > "$IPT_FILE.old-$(date +%F-%T)"
iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP
iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@ -448,8 +435,7 @@ chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
# Apply new IPTables rules # Apply new IPTables rules
iptables-restore < "$IPT_FILE" iptables-restore < "$IPT_FILE"
# Fix xl2tpd on CentOS 7 for providers such as Linode, # Fix xl2tpd on CentOS 7, if kernel module "l2tp_ppp" is unavailable
# where kernel module "l2tp_ppp" is unavailable
if grep -qs "release 7" /etc/redhat-release; then if grep -qs "release 7" /etc/redhat-release; then
if ! modprobe -q l2tp_ppp; then if ! modprobe -q l2tp_ppp; then
sed -i '/ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service sed -i '/ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service