mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2024-11-25 22:36:04 +03:00
Code Issues Projects Releases Wiki Activity

Minor fix and cleanup

Browse Source 
- Minor fix for CentOS 8 for the uncommon scenario where the server has
  "nftables" service enabled
- Cleanup
This commit is contained in:
hwdsl2 2021-04-01 23:06:36 -05:00
parent d76ded2c52
commit 804856064b
3 changed files with 35 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
extras/vpnupgrade_amzn.sh
View File

@ -149,13 +149,6 @@ esac
mkdir -p /opt/src mkdir -p /opt/src
cd /opt/src || exit 1 cd /opt/src || exit 1
bigecho "Adding the EPEL repository..."
(
set -x
amazon-linux-extras install epel -y >/dev/null
) || exiterr2
bigecho "Installing required packages..." bigecho "Installing required packages..."
( (

25
extras/vpnupgrade_centos.sh
View File

@ -161,14 +161,6 @@ esac
mkdir -p /opt/src mkdir -p /opt/src
cd /opt/src || exit 1 cd /opt/src || exit 1
bigecho "Adding the EPEL repository..."
epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm"
(
set -x
yum -y -q install epel-release >/dev/null || yum -y -q install "$epel_url" >/dev/null
) || exiterr2
bigecho "Installing required packages..." bigecho "Installing required packages..."
( (
@ -178,24 +170,21 @@ bigecho "Installing required packages..."
flex bison gcc make wget sed tar >/dev/null flex bison gcc make wget sed tar >/dev/null
) || exiterr2 ) || exiterr2
REPO1='--enablerepo=*server-*optional*' erp="--enablerepo"
REPO2='--enablerepo=*releases-optional*' rp1="$erp=*server-*optional*"
REPO3='--enablerepo=[Pp]ower[Tt]ools' rp2="$erp=*releases-optional*"
[ "$os_type" = "rhel" ] && REPO3='--enablerepo=codeready-builder-for-rhel-8-*' rp3="$erp=[Pp]ower[Tt]ools"
[ "$os_type" = "rhel" ] && rp3="$erp=codeready-builder-for-rhel-8-*"
if [ "$os_ver" = "7" ]; then if [ "$os_ver" = "7" ]; then
( (
set -x set -x
yum -y -q install systemd-devel >/dev/null yum "$rp1" "$rp2" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
) || exiterr2
(
set -x
yum "$REPO1" "$REPO2" -y -q install libevent-devel fipscheck-devel >/dev/null
) || exiterr2 ) || exiterr2
else else
( (
set -x set -x
yum "$REPO3" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null yum "$rp3" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
) || exiterr2 ) || exiterr2
fi fi

50
vpnsetup_centos.sh
View File

@ -152,11 +152,12 @@ epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{
bigecho "Installing packages required for the VPN..." bigecho "Installing packages required for the VPN..."
REPO1='--enablerepo=epel' erp="--enablerepo"
REPO2='--enablerepo=*server-*optional*' rp1="$erp=epel"
REPO3='--enablerepo=*releases-optional*' rp2="$erp=*server-*optional*"
REPO4='--enablerepo=[Pp]ower[Tt]ools' rp3="$erp=*releases-optional*"
[ "$os_type" = "rhel" ] && REPO4='--enablerepo=codeready-builder-for-rhel-8-*' rp4="$erp=[Pp]ower[Tt]ools"
[ "$os_type" = "rhel" ] && rp4="$erp=codeready-builder-for-rhel-8-*"
( (
set -x set -x
@ -166,44 +167,41 @@ REPO4='--enablerepo=[Pp]ower[Tt]ools'
) || exiterr2 ) || exiterr2
( (
set -x set -x
yum "$REPO1" -y -q install xl2tpd >/dev/null 2>&1 yum "$rp1" -y -q install xl2tpd >/dev/null 2>&1
) || exiterr2 ) || exiterr2
use_nft=0 use_nft=0
p1=systemd-devel
p2=libevent-devel
p3=fipscheck-devel
p4=iptables-services
if [ "$os_ver" = "7" ]; then if [ "$os_ver" = "7" ]; then
( (
set -x set -x
yum -y -q install systemd-devel iptables-services >/dev/null yum "$rp2" "$rp3" -y -q install $p1 $p2 $p3 $p4 >/dev/null
) || exiterr2
(
set -x
yum "$REPO2" "$REPO3" -y -q install libevent-devel fipscheck-devel >/dev/null
) || exiterr2 ) || exiterr2
else else
( (
set -x set -x
yum "$REPO4" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null yum "$rp4" -y -q install $p1 $p2 $p3 >/dev/null
) || exiterr2 ) || exiterr2
if systemctl is-active --quiet firewalld.service \ if systemctl is-active --quiet firewalld \
|| systemctl is-active --quiet nftables \
|| grep -qs "hwdsl2 VPN script" /etc/sysconfig/nftables.conf; then || grep -qs "hwdsl2 VPN script" /etc/sysconfig/nftables.conf; then
use_nft=1 use_nft=1
( p4=nftables
set -x
yum -y -q install nftables >/dev/null
) || exiterr2
else
(
set -x
yum -y -q install iptables-services >/dev/null
) || exiterr2
fi fi
(
set -x
yum -y -q install $p4 >/dev/null
) || exiterr2
fi fi
bigecho "Installing Fail2Ban to protect SSH..." bigecho "Installing Fail2Ban to protect SSH..."
( (
set -x set -x
yum "$REPO1" -y -q install fail2ban >/dev/null yum "$rp1" -y -q install fail2ban >/dev/null
) || exiterr2 ) || exiterr2
bigecho "Downloading IKEv2 script..." bigecho "Downloading IKEv2 script..."
@ -461,11 +459,13 @@ if [ "$ipt_flag" = "1" ]; then
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
if [ "$use_nft" = "1" ]; then if [ "$use_nft" = "1" ]; then
for vport in 500 4500 1701; do for vport in 500 4500 1701; do
nft insert rule inet firewalld filter_INPUT udp dport "$vport" accept nft insert rule inet firewalld filter_INPUT udp dport "$vport" accept 2>/dev/null
nft insert rule inet nftables_svc allow udp dport "$vport" accept 2>/dev/null
done done
for vnet in "$L2TP_NET" "$XAUTH_NET"; do for vnet in "$L2TP_NET" "$XAUTH_NET"; do
for vdir in saddr daddr; do for vdir in saddr daddr; do
nft insert rule inet firewalld filter_FORWARD ip "$vdir" "$vnet" accept nft insert rule inet firewalld filter_FORWARD ip "$vdir" "$vnet" accept 2>/dev/null
nft insert rule inet nftables_svc FORWARD ip "$vdir" "$vnet" accept 2>/dev/null
done done
done done
echo "flush ruleset" >> "$IPT_FILE" echo "flush ruleset" >> "$IPT_FILE"