1
0
mirror of synced 2024-11-26 06:46:06 +03:00

Update IKEv2 script

- Improve output
This commit is contained in:
hwdsl2 2021-03-30 23:47:59 -05:00
parent 7f8f231479
commit 7ac343db4d

View File

@ -17,6 +17,7 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
bigecho() { echo "## $1"; } bigecho() { echo "## $1"; }
bigecho2() { printf '\e[2K\r%s' "## $1"; }
check_ip() { check_ip() {
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
@ -294,7 +295,6 @@ select_swan_update() {
} }
show_welcome_message() { show_welcome_message() {
clear
cat <<'EOF' cat <<'EOF'
Welcome! Use this script to set up IKEv2 after setting up your own IPsec VPN server. Welcome! Use this script to set up IKEv2 after setting up your own IPsec VPN server.
Alternatively, you may manually set up IKEv2. See: https://git.io/ikev2 Alternatively, you may manually set up IKEv2. See: https://git.io/ikev2
@ -334,7 +334,7 @@ get_export_dir() {
} }
get_server_ip() { get_server_ip() {
bigecho "Trying to auto discover IP of this server..." bigecho2 "Trying to auto discover IP of this server..."
public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
check_ip "$public_ip" || public_ip=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) check_ip "$public_ip" || public_ip=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
} }
@ -374,6 +374,7 @@ enter_server_address() {
else else
get_server_ip get_server_ip
echo echo
echo
read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr
[ -z "$server_addr" ] && server_addr="$public_ip" [ -z "$server_addr" ] && server_addr="$public_ip"
until check_ip "$server_addr"; do until check_ip "$server_addr"; do
@ -528,15 +529,15 @@ check_mobike_support() {
fi fi
fi fi
echo -n "## Checking for MOBIKE support... "
if [ "$mobike_support" = "1" ]; then if [ "$mobike_support" = "1" ]; then
echo "available" bigecho2 "Checking for MOBIKE support... available"
else else
echo "not available" bigecho2 "Checking for MOBIKE support... not available"
fi fi
} }
select_mobike() { select_mobike() {
echo
mobike_enable=0 mobike_enable=0
if [ "$mobike_support" = "1" ]; then if [ "$mobike_support" = "1" ]; then
echo echo
@ -598,7 +599,7 @@ select_menu_option() {
confirm_setup_options() { confirm_setup_options() {
cat <<EOF cat <<EOF
Below are the IKEv2 setup options you selected. We are ready to set up IKEv2 now. Below are the setup options you selected.
Please double check before continuing! Please double check before continuing!
====================================== ======================================
@ -631,7 +632,7 @@ DNS server(s): $dns_servers
EOF EOF
printf "We are ready to set up IKEv2 now. Do you want to continue? [y/N] " printf "Do you want to continue? [y/N] "
read -r response read -r response
case $response in case $response in
[yY][eE][sS]|[yY]) [yY][eE][sS]|[yY])
@ -645,7 +646,7 @@ EOF
} }
create_client_cert() { create_client_cert() {
bigecho "Generating client certificate..." bigecho2 "Generating client certificate..."
sleep $((RANDOM % 3 + 1)) sleep $((RANDOM % 3 + 1))
@ -659,10 +660,12 @@ create_client_cert() {
} }
export_p12_file() { export_p12_file() {
bigecho "Creating client configuration..." bigecho2 "Creating client configuration..."
if [ "$use_own_password" = "1" ]; then if [ "$use_own_password" = "1" ]; then
cat <<'EOF' cat <<'EOF'
Enter a *secure* password to protect the client configuration files. Enter a *secure* password to protect the client configuration files.
When importing into an iOS or macOS device, this password cannot be empty. When importing into an iOS or macOS device, this password cannot be empty.
@ -687,39 +690,24 @@ EOF
install_base64_uuidgen() { install_base64_uuidgen() {
if ! command -v base64 >/dev/null 2>&1 || ! command -v uuidgen >/dev/null 2>&1; then if ! command -v base64 >/dev/null 2>&1 || ! command -v uuidgen >/dev/null 2>&1; then
bigecho "Installing required packages..." bigecho2 "Installing required packages..."
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
( apt-get -yqq update || exiterr "'apt-get update' failed."
set -x
apt-get -yqq update
) || exiterr "'apt-get update' failed."
fi fi
fi fi
if ! command -v base64 >/dev/null 2>&1; then if ! command -v base64 >/dev/null 2>&1; then
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
( apt-get -yqq install coreutils >/dev/null || exiterr "'apt-get install' failed."
set -x
apt-get -yqq install coreutils >/dev/null
) || exiterr "'apt-get install' failed."
else else
( yum -y -q install coreutils >/dev/null || exiterr "'yum install' failed."
set -x
yum -y -q install coreutils >/dev/null
) || exiterr "'yum install' failed."
fi fi
fi fi
if ! command -v uuidgen >/dev/null 2>&1; then if ! command -v uuidgen >/dev/null 2>&1; then
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
( apt-get -yqq install uuid-runtime >/dev/null || exiterr "'apt-get install' failed."
set -x
apt-get -yqq install uuid-runtime >/dev/null
) || exiterr "'apt-get install' failed."
else else
( yum -y -q install util-linux >/dev/null || exiterr "'yum install' failed."
set -x
yum -y -q install util-linux >/dev/null
) || exiterr "'yum install' failed."
fi fi
fi fi
} }
@ -925,7 +913,7 @@ EOF
} }
create_ca_server_certs() { create_ca_server_certs() {
bigecho "Generating CA and server certificates..." bigecho2 "Generating CA and server certificates..."
certutil -z <(head -c 1024 /dev/urandom) \ certutil -z <(head -c 1024 /dev/urandom) \
-S -x -n "IKEv2 VPN CA" \ -S -x -n "IKEv2 VPN CA" \
@ -961,7 +949,7 @@ ANSWERS
} }
add_ikev2_connection() { add_ikev2_connection() {
bigecho "Adding a new IKEv2 connection..." bigecho2 "Adding a new IKEv2 connection..."
if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' /etc/ipsec.conf; then if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' /etc/ipsec.conf; then
echo >> /etc/ipsec.conf echo >> /etc/ipsec.conf
@ -1033,16 +1021,14 @@ apply_ubuntu1804_nss_fix() {
nss_deb3="libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb" nss_deb3="libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb"
TMPDIR=$(mktemp -d /tmp/nss.XXX 2>/dev/null) TMPDIR=$(mktemp -d /tmp/nss.XXX 2>/dev/null)
if [ -d "$TMPDIR" ]; then if [ -d "$TMPDIR" ]; then
bigecho "Applying fix for NSS bug on Ubuntu 18.04..." bigecho2 "Applying fix for NSS bug on Ubuntu 18.04..."
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
set -x
if wget -t 3 -T 30 -q -O "$TMPDIR/1.deb" "$nss_url1/$nss_deb1" \ if wget -t 3 -T 30 -q -O "$TMPDIR/1.deb" "$nss_url1/$nss_deb1" \
&& wget -t 3 -T 30 -q -O "$TMPDIR/2.deb" "$nss_url1/$nss_deb2" \ && wget -t 3 -T 30 -q -O "$TMPDIR/2.deb" "$nss_url1/$nss_deb2" \
&& wget -t 3 -T 30 -q -O "$TMPDIR/3.deb" "$nss_url2/$nss_deb3"; then && wget -t 3 -T 30 -q -O "$TMPDIR/3.deb" "$nss_url2/$nss_deb3"; then
apt-get -yqq update apt-get -yqq update
apt-get -yqq install "$TMPDIR/1.deb" "$TMPDIR/2.deb" "$TMPDIR/3.deb" >/dev/null apt-get -yqq install "$TMPDIR/1.deb" "$TMPDIR/2.deb" "$TMPDIR/3.deb" >/dev/null
fi fi
{ set +x; } 2>&-
/bin/rm -f "$TMPDIR/1.deb" "$TMPDIR/2.deb" "$TMPDIR/3.deb" /bin/rm -f "$TMPDIR/1.deb" "$TMPDIR/2.deb" "$TMPDIR/3.deb"
/bin/rmdir "$TMPDIR" /bin/rmdir "$TMPDIR"
fi fi
@ -1051,7 +1037,7 @@ apply_ubuntu1804_nss_fix() {
restart_ipsec_service() { restart_ipsec_service() {
if [ "$in_container" = "0" ] || { [ "$in_container" = "1" ] && service ipsec status >/dev/null 2>&1; } then if [ "$in_container" = "0" ] || { [ "$in_container" = "1" ] && service ipsec status >/dev/null 2>&1; } then
bigecho "Restarting IPsec service..." bigecho2 "Restarting IPsec service..."
mkdir -p /run/pluto mkdir -p /run/pluto
service ipsec restart 2>/dev/null service ipsec restart 2>/dev/null
@ -1061,6 +1047,7 @@ restart_ipsec_service() {
print_client_added_message() { print_client_added_message() {
cat <<EOF cat <<EOF
================================================ ================================================
New IKEv2 VPN client "$client_name" added! New IKEv2 VPN client "$client_name" added!
@ -1074,6 +1061,7 @@ EOF
print_client_exported_message() { print_client_exported_message() {
cat <<EOF cat <<EOF
================================================ ================================================
IKEv2 VPN client "$client_name" exported! IKEv2 VPN client "$client_name" exported!
@ -1102,6 +1090,7 @@ show_swan_update_info() {
} }
print_setup_complete_message() { print_setup_complete_message() {
printf '\e[2K\r'
cat <<EOF cat <<EOF
================================================ ================================================
@ -1128,7 +1117,7 @@ EOF
cat <<EOF cat <<EOF
$export_dir$client_name.p12 (for Windows) $export_dir$client_name.p12 (for Windows & Linux)
$export_dir$client_name.sswan (for Android) $export_dir$client_name.sswan (for Android)
$export_dir$client_name.mobileconfig (for iOS & macOS) $export_dir$client_name.mobileconfig (for iOS & macOS)
EOF EOF
@ -1188,6 +1177,7 @@ delete_ikev2_conf() {
} }
delete_certificates() { delete_certificates() {
echo
bigecho "Deleting certificates and keys from the IPsec database..." bigecho "Deleting certificates and keys from the IPsec database..."
certutil -L -d sql:/etc/ipsec.d | grep -v -e '^$' -e 'IKEv2 VPN CA' | tail -n +3 | cut -f1 -d ' ' | while read -r line; do certutil -L -d sql:/etc/ipsec.d | grep -v -e '^$' -e 'IKEv2 VPN CA' | tail -n +3 | cut -f1 -d ' ' | while read -r line; do
certutil -F -d sql:/etc/ipsec.d -n "$line" certutil -F -d sql:/etc/ipsec.d -n "$line"
@ -1198,6 +1188,7 @@ delete_certificates() {
} }
print_ikev2_removed_message() { print_ikev2_removed_message() {
echo
echo "IKEv2 removed!" echo "IKEv2 removed!"
} }