
Minor improvements and clean up

This commit is contained in:
hwdsl2 2016-07-03 17:54:15 -05:00
parent 9b541c6da3
commit 7bece1681d
5 changed files with 58 additions and 54 deletions


@ -42,8 +42,8 @@ cd /opt/src || exiterr "Cannot enter /opt/src."
# Update package index and install wget # Update package index and install wget
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
apt-get -yq update apt-get -yq update || exiterr "'apt-get update' failed."
apt-get -yq install wget apt-get -yq install wget || exiterr "Failed to install 'wget'."
# Install libnss/libnspr packages from download.libreswan.org. # Install libnss/libnspr packages from download.libreswan.org.
# Ref: https://libreswan.org/wiki/3.14_on_Debian_Wheezy # Ref: https://libreswan.org/wiki/3.14_on_Debian_Wheezy
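Review bot: The wget failure is handled inline here (`apt-get -yq install wget || exiterr "Failed to install 'wget'."`) while the other four files in this commit introduce an `exiterr2` helper for exactly this case; picking one convention across the five scripts keeps the error text and the call sites consistent. Note also that `apt-get update` has, in some versions, exited 0 after merely warning about a repository it could not refresh, so the new `|| exiterr "'apt-get update' failed."` catches hard failures only and does not guarantee a fresh index — an improvement, but worth a comment such as `# Hard failures only; a stale index is still possible` so nobody reads it as stronger than it is. The surrounding script continues outside the hunk.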


@ -17,7 +17,8 @@ swan_ver=3.17
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: ${1}" >&2; exit 1; } exiterr() { echo "Error: ${1}" >&2; exit 1; }
exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; }
os_type="$(lsb_release -si 2>/dev/null)" os_type="$(lsb_release -si 2>/dev/null)"
if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ]; then if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ]; then
@ -99,15 +100,15 @@ cd /opt/src || exiterr "Cannot enter /opt/src."
# Update package index and install Wget # Update package index and install Wget
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
apt-get -yq update apt-get -yq update || exiterr "'apt-get update' failed."
apt-get -yq install wget apt-get -yq install wget || exiterr2
# Install necessary packages # Install necessary packages
apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
libcap-ng-dev libcap-ng-utils libselinux1-dev \ libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev flex bison gcc make \ libcurl4-nss-dev flex bison gcc make \
libunbound-dev libnss3-tools libevent-dev libunbound-dev libnss3-tools libevent-dev || exiterr2
apt-get -yq --no-install-recommends install xmlto apt-get -yq --no-install-recommends install xmlto || exiterr2
# Compile and install Libreswan # Compile and install Libreswan
swan_file="libreswan-${swan_ver}.tar.gz" swan_file="libreswan-${swan_ver}.tar.gz"
@ -120,7 +121,7 @@ tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir." cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir."
echo "WERROR_CFLAGS =" > Makefile.inc.local echo "WERROR_CFLAGS =" > Makefile.inc.local
if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
apt-get -yq install libsystemd-dev apt-get -yq install libsystemd-dev || exiterr2
fi fi
make -s programs && make -s install make -s programs && make -s install
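Review bot: `make -s programs && make -s install` on the last line of the hunk is still unchecked, so a failed compile or install lets the script continue and configure whatever Libreswan state happens to be on disk; since the point of this commit is to abort on failed steps, the build should abort too: `make -s programs || exiterr "Failed to build Libreswan."` followed by `make -s install || exiterr "Failed to install Libreswan."`. The same unchecked line appears in the fourth file section of this commit, after its libsystemd-dev hunk. Separately, the `exiterr2` helper added at the top of this hunk (and the matching helpers in the other three files) prints only `'apt-get install' failed.`, so the user cannot tell which package group failed; an optional detail argument, e.g. `exiterr2() { echo "Error: 'apt-get install' failed.${1:+ ($1)}" >&2; exit 1; }`, keeps the call sites short while making the failure actionable. The script's remaining steps are outside the hunk.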


@ -17,7 +17,8 @@ swan_ver=3.17
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: ${1}" >&2; exit 1; } exiterr() { echo "Error: ${1}" >&2; exit 1; }
exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; }
if [ ! -f /etc/redhat-release ]; then if [ ! -f /etc/redhat-release ]; then
exiterr "This script only supports CentOS/RHEL." exiterr "This script only supports CentOS/RHEL."
@ -92,25 +93,23 @@ mkdir -p /opt/src
cd /opt/src || exiterr "Cannot enter /opt/src." cd /opt/src || exiterr "Cannot enter /opt/src."
# Install Wget # Install Wget
yum -y install wget yum -y install wget || exiterr2
# Add the EPEL repository # Add the EPEL repository
yum -y install epel-release yum -y install epel-release || exiterr2
yum list installed epel-release >/dev/null 2>&1
[ "$?" != "0" ] && exiterr "Cannot add EPEL repository."
# Install necessary packages # Install necessary packages
yum -y install nss-devel nspr-devel pkgconfig pam-devel \ yum -y install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel \ libcap-ng-devel libselinux-devel \
curl-devel flex bison gcc make \ curl-devel flex bison gcc make \
fipscheck-devel unbound-devel xmlto fipscheck-devel unbound-devel xmlto || exiterr2
# Install libevent2 and systemd-devel (CentOS 7) # Install libevent2 and systemd-devel (CentOS 7)
if grep -qs "release 6" /etc/redhat-release; then if grep -qs "release 6" /etc/redhat-release; then
yum -y remove libevent-devel yum -y remove libevent-devel
yum -y install libevent2-devel yum -y install libevent2-devel || exiterr2
elif grep -qs "release 7" /etc/redhat-release; then elif grep -qs "release 7" /etc/redhat-release; then
yum -y install libevent-devel systemd-devel yum -y install libevent-devel systemd-devel || exiterr2
fi fi
# Compile and install Libreswan # Compile and install Libreswan
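Review bot: Dropping the `yum list installed epel-release` verification (the two removed lines after the epel-release install) makes the script rely on yum's exit status alone, and for the multi-package `yum -y install` lines that follow that is weaker than it looks: if I recall correctly, yum by default skips package names it cannot find (`skip_missing_names_on_install`) and still exits 0 when at least one named package was processed, so a missing devel package would not reach `exiterr2`. A post-install presence check for the packages the Libreswan build actually needs, e.g. `rpm -q nss-devel nspr-devel unbound-devel >/dev/null || exiterr "Required build packages are missing."`, restores the guarantee the removed lines gave for EPEL. The same removal appears in the fifth file section of this commit in its epel-release hunk. The build steps this check protects are outside the hunk.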


@ -33,7 +33,8 @@ YOUR_PASSWORD=''
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: ${1}" >&2; exit 1; } exiterr() { echo "Error: ${1}" >&2; exit 1; }
exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; }
os_type="$(lsb_release -si 2>/dev/null)" os_type="$(lsb_release -si 2>/dev/null)"
if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ]; then if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ]; then
@ -81,10 +82,10 @@ IMPORTANT: Workaround required for Debian 7 (Wheezy).
You must first run the script at: https://git.io/vpndeb7 You must first run the script at: https://git.io/vpndeb7
If not already done so, press Ctrl-C to interrupt now. If not already done so, press Ctrl-C to interrupt now.
Pausing for 60 seconds... Pausing for 30 seconds...
EOF EOF
sleep 60 sleep 30
fi fi
cat <<'EOF' cat <<'EOF'
@ -98,11 +99,11 @@ cd /opt/src || exiterr "Cannot enter /opt/src."
# Update package index # Update package index
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
apt-get -yq update apt-get -yq update || exiterr "'apt-get update' failed."
# Make sure basic commands exist # Make sure basic commands exist
apt-get -yq install wget dnsutils openssl apt-get -yq install wget dnsutils openssl || exiterr2
apt-get -yq install iproute gawk grep sed net-tools apt-get -yq install iproute gawk grep sed net-tools || exiterr2
cat <<'EOF' cat <<'EOF'
@ -142,12 +143,12 @@ fi
apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
libcap-ng-dev libcap-ng-utils libselinux1-dev \ libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev flex bison gcc make \ libcurl4-nss-dev flex bison gcc make \
libunbound-dev libnss3-tools libevent-dev libunbound-dev libnss3-tools libevent-dev || exiterr2
apt-get -yq --no-install-recommends install xmlto apt-get -yq --no-install-recommends install xmlto || exiterr2
apt-get -yq install xl2tpd apt-get -yq install ppp xl2tpd || exiterr2
# Install Fail2Ban to protect SSH # Install Fail2Ban to protect SSH
apt-get -yq install fail2ban apt-get -yq install fail2ban || exiterr2
# Compile and install Libreswan # Compile and install Libreswan
swan_ver=3.17 swan_ver=3.17
@ -161,7 +162,7 @@ tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir." cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir."
echo "WERROR_CFLAGS =" > Makefile.inc.local echo "WERROR_CFLAGS =" > Makefile.inc.local
if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
apt-get -yq install libsystemd-dev apt-get -yq install libsystemd-dev || exiterr2
fi fi
make -s programs && make -s install make -s programs && make -s install
@ -235,7 +236,7 @@ EOF
# Create xl2tpd config # Create xl2tpd config
/bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-$sys_dt" 2>/dev/null /bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-$sys_dt" 2>/dev/null
cat > /etc/xl2tpd/xl2tpd.conf <<EOF cat > /etc/xl2tpd/xl2tpd.conf <<'EOF'
[global] [global]
port = 1701 port = 1701
@ -252,7 +253,7 @@ EOF
# Set xl2tpd options # Set xl2tpd options
/bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$sys_dt" 2>/dev/null /bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$sys_dt" 2>/dev/null
cat > /etc/ppp/options.xl2tpd <<EOF cat > /etc/ppp/options.xl2tpd <<'EOF'
ipcp-accept-local ipcp-accept-local
ipcp-accept-remote ipcp-accept-remote
ms-dns 8.8.8.8 ms-dns 8.8.8.8
@ -279,12 +280,14 @@ EOF
/bin/cp -f /etc/ipsec.d/passwd "/etc/ipsec.d/passwd.old-$sys_dt" 2>/dev/null /bin/cp -f /etc/ipsec.d/passwd "/etc/ipsec.d/passwd.old-$sys_dt" 2>/dev/null
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD") VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
echo "${VPN_USER}:${VPN_PASSWORD_ENC}:xauth-psk" > /etc/ipsec.d/passwd cat > /etc/ipsec.d/passwd <<EOF
$VPN_USER:$VPN_PASSWORD_ENC:xauth-psk
EOF
# Update sysctl settings # Update sysctl settings
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
/bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$sys_dt" 2>/dev/null /bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$sys_dt" 2>/dev/null
cat >> /etc/sysctl.conf <<EOF cat >> /etc/sysctl.conf <<'EOF'
# Added by hwdsl2 VPN script # Added by hwdsl2 VPN script
kernel.msgmnb = 65536 kernel.msgmnb = 65536
@ -355,8 +358,8 @@ COMMIT
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP" -A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source $PRIVATE_IP
-A POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" -A POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source $PRIVATE_IP
COMMIT COMMIT
EOF EOF
@ -392,7 +395,7 @@ fi
# Load IPTables rules at system boot # Load IPTables rules at system boot
mkdir -p /etc/network/if-pre-up.d mkdir -p /etc/network/if-pre-up.d
cat > /etc/network/if-pre-up.d/iptablesload <<EOF cat > /etc/network/if-pre-up.d/iptablesload <<'EOF'
#!/bin/sh #!/bin/sh
iptables-restore < /etc/iptables.rules iptables-restore < /etc/iptables.rules
exit 0 exit 0
@ -402,7 +405,7 @@ EOF
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
/bin/cp -f /etc/rc.local "/etc/rc.local.old-$sys_dt" 2>/dev/null /bin/cp -f /etc/rc.local "/etc/rc.local.old-$sys_dt" 2>/dev/null
sed --follow-symlinks -i -e '/^exit 0/d' /etc/rc.local sed --follow-symlinks -i -e '/^exit 0/d' /etc/rc.local
cat >> /etc/rc.local <<EOF cat >> /etc/rc.local <<'EOF'
# Added by hwdsl2 VPN script # Added by hwdsl2 VPN script
service fail2ban restart || /bin/true service fail2ban restart || /bin/true
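Review bot: In the passwd hunk, `VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")` passes the clear-text password as a command-line argument, where it is visible to any local user via `ps` for the lifetime of the openssl process; feeding it over stdin avoids that: `VPN_PASSWORD_ENC=$(printf '%s\n' "$VPN_PASSWORD" | openssl passwd -1 -stdin)`. The new heredoc write to `/etc/ipsec.d/passwd` inherits the umask if the file did not already exist, and nothing in the hunk restricts its mode, so a `chmod 600 /etc/ipsec.d/passwd` after the `EOF` line would keep the credential hash from being world-readable. The heredoc is necessarily unquoted to expand `$VPN_USER`, so a user name containing `:` or a newline would corrupt the record — presumably the input is validated earlier in the script, which is outside this hunk. `-1` selects MD5-crypt; whether the xauth passwd file here accepts a stronger crypt format is not shown, so that is a follow-up rather than part of this change. The identical hunk appears in the fifth file section of this commit.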


@ -33,7 +33,8 @@ YOUR_PASSWORD=''
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: ${1}" >&2; exit 1; } exiterr() { echo "Error: ${1}" >&2; exit 1; }
exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; }
if [ ! -f /etc/redhat-release ]; then if [ ! -f /etc/redhat-release ]; then
exiterr "This script only supports CentOS/RHEL." exiterr "This script only supports CentOS/RHEL."
@ -88,8 +89,8 @@ mkdir -p /opt/src
cd /opt/src || exiterr "Cannot enter /opt/src." cd /opt/src || exiterr "Cannot enter /opt/src."
# Make sure basic commands exist # Make sure basic commands exist
yum -y install wget bind-utils openssl yum -y install wget bind-utils openssl || exiterr2
yum -y install iproute gawk grep sed net-tools yum -y install iproute gawk grep sed net-tools || exiterr2
cat <<'EOF' cat <<'EOF'
@ -126,26 +127,24 @@ if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then
fi fi
# Add the EPEL repository # Add the EPEL repository
yum -y install epel-release yum -y install epel-release || exiterr2
yum list installed epel-release >/dev/null 2>&1
[ "$?" != "0" ] && exiterr "Cannot add EPEL repository."
# Install necessary packages # Install necessary packages
yum -y install nss-devel nspr-devel pkgconfig pam-devel \ yum -y install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel \ libcap-ng-devel libselinux-devel \
curl-devel flex bison gcc make \ curl-devel flex bison gcc make \
fipscheck-devel unbound-devel xmlto fipscheck-devel unbound-devel xmlto || exiterr2
yum -y install ppp xl2tpd yum -y install ppp xl2tpd || exiterr2
# Install Fail2Ban to protect SSH # Install Fail2Ban to protect SSH
yum -y install fail2ban yum -y install fail2ban || exiterr2
# Install libevent2 and systemd-devel (CentOS 7) # Install libevent2 and systemd-devel (CentOS 7)
if grep -qs "release 6" /etc/redhat-release; then if grep -qs "release 6" /etc/redhat-release; then
yum -y remove libevent-devel yum -y remove libevent-devel
yum -y install libevent2-devel yum -y install libevent2-devel || exiterr2
elif grep -qs "release 7" /etc/redhat-release; then elif grep -qs "release 7" /etc/redhat-release; then
yum -y install libevent-devel systemd-devel yum -y install libevent-devel systemd-devel || exiterr2
fi fi
# Compile and install Libreswan # Compile and install Libreswan
@ -231,7 +230,7 @@ EOF
# Create xl2tpd config # Create xl2tpd config
/bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-$sys_dt" 2>/dev/null /bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-$sys_dt" 2>/dev/null
cat > /etc/xl2tpd/xl2tpd.conf <<EOF cat > /etc/xl2tpd/xl2tpd.conf <<'EOF'
[global] [global]
port = 1701 port = 1701
@ -248,7 +247,7 @@ EOF
# Set xl2tpd options # Set xl2tpd options
/bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$sys_dt" 2>/dev/null /bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$sys_dt" 2>/dev/null
cat > /etc/ppp/options.xl2tpd <<EOF cat > /etc/ppp/options.xl2tpd <<'EOF'
ipcp-accept-local ipcp-accept-local
ipcp-accept-remote ipcp-accept-remote
ms-dns 8.8.8.8 ms-dns 8.8.8.8
@ -275,12 +274,14 @@ EOF
/bin/cp -f /etc/ipsec.d/passwd "/etc/ipsec.d/passwd.old-$sys_dt" 2>/dev/null /bin/cp -f /etc/ipsec.d/passwd "/etc/ipsec.d/passwd.old-$sys_dt" 2>/dev/null
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD") VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
echo "${VPN_USER}:${VPN_PASSWORD_ENC}:xauth-psk" > /etc/ipsec.d/passwd cat > /etc/ipsec.d/passwd <<EOF
$VPN_USER:$VPN_PASSWORD_ENC:xauth-psk
EOF
# Update sysctl settings # Update sysctl settings
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
/bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$sys_dt" 2>/dev/null /bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$sys_dt" 2>/dev/null
cat >> /etc/sysctl.conf <<EOF cat >> /etc/sysctl.conf <<'EOF'
# Added by hwdsl2 VPN script # Added by hwdsl2 VPN script
kernel.msgmnb = 65536 kernel.msgmnb = 65536
@ -350,8 +351,8 @@ COMMIT
:PREROUTING ACCEPT [0:0] :PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP" -A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source $PRIVATE_IP
-A POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" -A POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source $PRIVATE_IP
COMMIT COMMIT
EOF EOF
@ -382,7 +383,7 @@ fi
# Create basic Fail2Ban rules # Create basic Fail2Ban rules
if [ ! -f /etc/fail2ban/jail.local ] ; then if [ ! -f /etc/fail2ban/jail.local ] ; then
cat > /etc/fail2ban/jail.local <<EOF cat > /etc/fail2ban/jail.local <<'EOF'
[DEFAULT] [DEFAULT]
ignoreip = 127.0.0.1/8 ignoreip = 127.0.0.1/8
bantime = 600 bantime = 600
@ -401,7 +402,7 @@ fi
# Start services at boot # Start services at boot
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
/bin/cp -f /etc/rc.local "/etc/rc.local.old-$sys_dt" 2>/dev/null /bin/cp -f /etc/rc.local "/etc/rc.local.old-$sys_dt" 2>/dev/null
cat >> /etc/rc.local <<EOF cat >> /etc/rc.local <<'EOF'
# Added by hwdsl2 VPN script # Added by hwdsl2 VPN script
iptables-restore < /etc/sysconfig/iptables iptables-restore < /etc/sysconfig/iptables