Update IKEv2 script
- Improve output
This commit is contained in:
parent
7f8f231479
commit
7ac343db4d
@ -17,6 +17,7 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
|||||||
|
|
||||||
exiterr() { echo "Error: $1" >&2; exit 1; }
|
exiterr() { echo "Error: $1" >&2; exit 1; }
|
||||||
bigecho() { echo "## $1"; }
|
bigecho() { echo "## $1"; }
|
||||||
|
bigecho2() { printf '\e[2K\r%s' "## $1"; }
|
||||||
|
|
||||||
check_ip() {
|
check_ip() {
|
||||||
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
|
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
|
||||||
@ -294,7 +295,6 @@ select_swan_update() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
show_welcome_message() {
|
show_welcome_message() {
|
||||||
clear
|
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
Welcome! Use this script to set up IKEv2 after setting up your own IPsec VPN server.
|
Welcome! Use this script to set up IKEv2 after setting up your own IPsec VPN server.
|
||||||
Alternatively, you may manually set up IKEv2. See: https://git.io/ikev2
|
Alternatively, you may manually set up IKEv2. See: https://git.io/ikev2
|
||||||
@ -334,7 +334,7 @@ get_export_dir() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
get_server_ip() {
|
get_server_ip() {
|
||||||
bigecho "Trying to auto discover IP of this server..."
|
bigecho2 "Trying to auto discover IP of this server..."
|
||||||
public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
|
public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
|
||||||
check_ip "$public_ip" || public_ip=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
|
check_ip "$public_ip" || public_ip=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
|
||||||
}
|
}
|
||||||
@ -374,6 +374,7 @@ enter_server_address() {
|
|||||||
else
|
else
|
||||||
get_server_ip
|
get_server_ip
|
||||||
echo
|
echo
|
||||||
|
echo
|
||||||
read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr
|
read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr
|
||||||
[ -z "$server_addr" ] && server_addr="$public_ip"
|
[ -z "$server_addr" ] && server_addr="$public_ip"
|
||||||
until check_ip "$server_addr"; do
|
until check_ip "$server_addr"; do
|
||||||
@ -528,15 +529,15 @@ check_mobike_support() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo -n "## Checking for MOBIKE support... "
|
|
||||||
if [ "$mobike_support" = "1" ]; then
|
if [ "$mobike_support" = "1" ]; then
|
||||||
echo "available"
|
bigecho2 "Checking for MOBIKE support... available"
|
||||||
else
|
else
|
||||||
echo "not available"
|
bigecho2 "Checking for MOBIKE support... not available"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
select_mobike() {
|
select_mobike() {
|
||||||
|
echo
|
||||||
mobike_enable=0
|
mobike_enable=0
|
||||||
if [ "$mobike_support" = "1" ]; then
|
if [ "$mobike_support" = "1" ]; then
|
||||||
echo
|
echo
|
||||||
@ -598,7 +599,7 @@ select_menu_option() {
|
|||||||
|
|
||||||
confirm_setup_options() {
|
confirm_setup_options() {
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
Below are the IKEv2 setup options you selected.
|
We are ready to set up IKEv2 now. Below are the setup options you selected.
|
||||||
Please double check before continuing!
|
Please double check before continuing!
|
||||||
|
|
||||||
======================================
|
======================================
|
||||||
@ -631,7 +632,7 @@ DNS server(s): $dns_servers
|
|||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
printf "We are ready to set up IKEv2 now. Do you want to continue? [y/N] "
|
printf "Do you want to continue? [y/N] "
|
||||||
read -r response
|
read -r response
|
||||||
case $response in
|
case $response in
|
||||||
[yY][eE][sS]|[yY])
|
[yY][eE][sS]|[yY])
|
||||||
@ -645,7 +646,7 @@ EOF
|
|||||||
}
|
}
|
||||||
|
|
||||||
create_client_cert() {
|
create_client_cert() {
|
||||||
bigecho "Generating client certificate..."
|
bigecho2 "Generating client certificate..."
|
||||||
|
|
||||||
sleep $((RANDOM % 3 + 1))
|
sleep $((RANDOM % 3 + 1))
|
||||||
|
|
||||||
@ -659,10 +660,12 @@ create_client_cert() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
export_p12_file() {
|
export_p12_file() {
|
||||||
bigecho "Creating client configuration..."
|
bigecho2 "Creating client configuration..."
|
||||||
|
|
||||||
if [ "$use_own_password" = "1" ]; then
|
if [ "$use_own_password" = "1" ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
|
|
||||||
|
|
||||||
Enter a *secure* password to protect the client configuration files.
|
Enter a *secure* password to protect the client configuration files.
|
||||||
When importing into an iOS or macOS device, this password cannot be empty.
|
When importing into an iOS or macOS device, this password cannot be empty.
|
||||||
|
|
||||||
@ -687,39 +690,24 @@ EOF
|
|||||||
|
|
||||||
install_base64_uuidgen() {
|
install_base64_uuidgen() {
|
||||||
if ! command -v base64 >/dev/null 2>&1 || ! command -v uuidgen >/dev/null 2>&1; then
|
if ! command -v base64 >/dev/null 2>&1 || ! command -v uuidgen >/dev/null 2>&1; then
|
||||||
bigecho "Installing required packages..."
|
bigecho2 "Installing required packages..."
|
||||||
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
|
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
|
||||||
export DEBIAN_FRONTEND=noninteractive
|
export DEBIAN_FRONTEND=noninteractive
|
||||||
(
|
apt-get -yqq update || exiterr "'apt-get update' failed."
|
||||||
set -x
|
|
||||||
apt-get -yqq update
|
|
||||||
) || exiterr "'apt-get update' failed."
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if ! command -v base64 >/dev/null 2>&1; then
|
if ! command -v base64 >/dev/null 2>&1; then
|
||||||
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
|
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
|
||||||
(
|
apt-get -yqq install coreutils >/dev/null || exiterr "'apt-get install' failed."
|
||||||
set -x
|
|
||||||
apt-get -yqq install coreutils >/dev/null
|
|
||||||
) || exiterr "'apt-get install' failed."
|
|
||||||
else
|
else
|
||||||
(
|
yum -y -q install coreutils >/dev/null || exiterr "'yum install' failed."
|
||||||
set -x
|
|
||||||
yum -y -q install coreutils >/dev/null
|
|
||||||
) || exiterr "'yum install' failed."
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if ! command -v uuidgen >/dev/null 2>&1; then
|
if ! command -v uuidgen >/dev/null 2>&1; then
|
||||||
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
|
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
|
||||||
(
|
apt-get -yqq install uuid-runtime >/dev/null || exiterr "'apt-get install' failed."
|
||||||
set -x
|
|
||||||
apt-get -yqq install uuid-runtime >/dev/null
|
|
||||||
) || exiterr "'apt-get install' failed."
|
|
||||||
else
|
else
|
||||||
(
|
yum -y -q install util-linux >/dev/null || exiterr "'yum install' failed."
|
||||||
set -x
|
|
||||||
yum -y -q install util-linux >/dev/null
|
|
||||||
) || exiterr "'yum install' failed."
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
@ -925,7 +913,7 @@ EOF
|
|||||||
}
|
}
|
||||||
|
|
||||||
create_ca_server_certs() {
|
create_ca_server_certs() {
|
||||||
bigecho "Generating CA and server certificates..."
|
bigecho2 "Generating CA and server certificates..."
|
||||||
|
|
||||||
certutil -z <(head -c 1024 /dev/urandom) \
|
certutil -z <(head -c 1024 /dev/urandom) \
|
||||||
-S -x -n "IKEv2 VPN CA" \
|
-S -x -n "IKEv2 VPN CA" \
|
||||||
@ -961,7 +949,7 @@ ANSWERS
|
|||||||
}
|
}
|
||||||
|
|
||||||
add_ikev2_connection() {
|
add_ikev2_connection() {
|
||||||
bigecho "Adding a new IKEv2 connection..."
|
bigecho2 "Adding a new IKEv2 connection..."
|
||||||
|
|
||||||
if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' /etc/ipsec.conf; then
|
if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' /etc/ipsec.conf; then
|
||||||
echo >> /etc/ipsec.conf
|
echo >> /etc/ipsec.conf
|
||||||
@ -1033,16 +1021,14 @@ apply_ubuntu1804_nss_fix() {
|
|||||||
nss_deb3="libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb"
|
nss_deb3="libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb"
|
||||||
TMPDIR=$(mktemp -d /tmp/nss.XXX 2>/dev/null)
|
TMPDIR=$(mktemp -d /tmp/nss.XXX 2>/dev/null)
|
||||||
if [ -d "$TMPDIR" ]; then
|
if [ -d "$TMPDIR" ]; then
|
||||||
bigecho "Applying fix for NSS bug on Ubuntu 18.04..."
|
bigecho2 "Applying fix for NSS bug on Ubuntu 18.04..."
|
||||||
export DEBIAN_FRONTEND=noninteractive
|
export DEBIAN_FRONTEND=noninteractive
|
||||||
set -x
|
|
||||||
if wget -t 3 -T 30 -q -O "$TMPDIR/1.deb" "$nss_url1/$nss_deb1" \
|
if wget -t 3 -T 30 -q -O "$TMPDIR/1.deb" "$nss_url1/$nss_deb1" \
|
||||||
&& wget -t 3 -T 30 -q -O "$TMPDIR/2.deb" "$nss_url1/$nss_deb2" \
|
&& wget -t 3 -T 30 -q -O "$TMPDIR/2.deb" "$nss_url1/$nss_deb2" \
|
||||||
&& wget -t 3 -T 30 -q -O "$TMPDIR/3.deb" "$nss_url2/$nss_deb3"; then
|
&& wget -t 3 -T 30 -q -O "$TMPDIR/3.deb" "$nss_url2/$nss_deb3"; then
|
||||||
apt-get -yqq update
|
apt-get -yqq update
|
||||||
apt-get -yqq install "$TMPDIR/1.deb" "$TMPDIR/2.deb" "$TMPDIR/3.deb" >/dev/null
|
apt-get -yqq install "$TMPDIR/1.deb" "$TMPDIR/2.deb" "$TMPDIR/3.deb" >/dev/null
|
||||||
fi
|
fi
|
||||||
{ set +x; } 2>&-
|
|
||||||
/bin/rm -f "$TMPDIR/1.deb" "$TMPDIR/2.deb" "$TMPDIR/3.deb"
|
/bin/rm -f "$TMPDIR/1.deb" "$TMPDIR/2.deb" "$TMPDIR/3.deb"
|
||||||
/bin/rmdir "$TMPDIR"
|
/bin/rmdir "$TMPDIR"
|
||||||
fi
|
fi
|
||||||
@ -1051,7 +1037,7 @@ apply_ubuntu1804_nss_fix() {
|
|||||||
|
|
||||||
restart_ipsec_service() {
|
restart_ipsec_service() {
|
||||||
if [ "$in_container" = "0" ] || { [ "$in_container" = "1" ] && service ipsec status >/dev/null 2>&1; } then
|
if [ "$in_container" = "0" ] || { [ "$in_container" = "1" ] && service ipsec status >/dev/null 2>&1; } then
|
||||||
bigecho "Restarting IPsec service..."
|
bigecho2 "Restarting IPsec service..."
|
||||||
|
|
||||||
mkdir -p /run/pluto
|
mkdir -p /run/pluto
|
||||||
service ipsec restart 2>/dev/null
|
service ipsec restart 2>/dev/null
|
||||||
@ -1061,6 +1047,7 @@ restart_ipsec_service() {
|
|||||||
print_client_added_message() {
|
print_client_added_message() {
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
|
|
||||||
|
|
||||||
================================================
|
================================================
|
||||||
|
|
||||||
New IKEv2 VPN client "$client_name" added!
|
New IKEv2 VPN client "$client_name" added!
|
||||||
@ -1074,6 +1061,7 @@ EOF
|
|||||||
print_client_exported_message() {
|
print_client_exported_message() {
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
|
|
||||||
|
|
||||||
================================================
|
================================================
|
||||||
|
|
||||||
IKEv2 VPN client "$client_name" exported!
|
IKEv2 VPN client "$client_name" exported!
|
||||||
@ -1102,6 +1090,7 @@ show_swan_update_info() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
print_setup_complete_message() {
|
print_setup_complete_message() {
|
||||||
|
printf '\e[2K\r'
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
|
|
||||||
================================================
|
================================================
|
||||||
@ -1128,7 +1117,7 @@ EOF
|
|||||||
|
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
|
|
||||||
$export_dir$client_name.p12 (for Windows)
|
$export_dir$client_name.p12 (for Windows & Linux)
|
||||||
$export_dir$client_name.sswan (for Android)
|
$export_dir$client_name.sswan (for Android)
|
||||||
$export_dir$client_name.mobileconfig (for iOS & macOS)
|
$export_dir$client_name.mobileconfig (for iOS & macOS)
|
||||||
EOF
|
EOF
|
||||||
@ -1188,6 +1177,7 @@ delete_ikev2_conf() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
delete_certificates() {
|
delete_certificates() {
|
||||||
|
echo
|
||||||
bigecho "Deleting certificates and keys from the IPsec database..."
|
bigecho "Deleting certificates and keys from the IPsec database..."
|
||||||
certutil -L -d sql:/etc/ipsec.d | grep -v -e '^$' -e 'IKEv2 VPN CA' | tail -n +3 | cut -f1 -d ' ' | while read -r line; do
|
certutil -L -d sql:/etc/ipsec.d | grep -v -e '^$' -e 'IKEv2 VPN CA' | tail -n +3 | cut -f1 -d ' ' | while read -r line; do
|
||||||
certutil -F -d sql:/etc/ipsec.d -n "$line"
|
certutil -F -d sql:/etc/ipsec.d -n "$line"
|
||||||
@ -1198,6 +1188,7 @@ delete_certificates() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
print_ikev2_removed_message() {
|
print_ikev2_removed_message() {
|
||||||
|
echo
|
||||||
echo "IKEv2 removed!"
|
echo "IKEv2 removed!"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
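Review bot: The new `bigecho2` in the first hunk leaves the cursor on an unterminated status line, but `exiterr` (shown as context two lines above it) is not updated to terminate it, so on every failure path that now follows a `bigecho2` call — e.g. `bigecho2 "Installing required packages..."` then `apt-get -yqq update || exiterr "'apt-get update' failed."` — the error text is appended to the status line instead of starting on its own line; the `printf '\e[2K\r'` added to `print_setup_complete_message` only covers the success path. The escape sequence is also emitted unconditionally, so runs whose output is captured or piped (`./ikev2.sh | tee log`) get raw `ESC[2K CR` bytes and overwritten progress text in the log instead of one line per step. I would terminate the line in `exiterr` and gate the in-place rewrite on stdout being a terminal, falling back to `bigecho` behaviour otherwise, as sketched below; the leading newline in `exiterr` costs one blank line when no status line is pending, which seems acceptable. Note that `\e` in the printf format is a bash extension, which is fine given the script already relies on `read -rp` and `$RANDOM`, but it should stay under a bash shebang.
```shell
exiterr() { printf '\nError: %s\n' "$1" >&2; exit 1; }
bigecho() { echo "## $1"; }
# Rewrite the current line in place only on a terminal; otherwise print plain lines
# so captured/piped output keeps one line per step and no escape bytes.
bigecho2() {
  if [ -t 1 ]; then
    printf '\e[2K\r%s' "## $1"
  else
    echo "## $1"
  fi
}
```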