From 95c8a178e76e768165e023032d7fe7449de36d4d Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Tue, 18 Sep 2018 00:57:03 -0500
Subject: [PATCH] Improve variables

- Move SWAN_VER to the top of the scripts
- Add check for Libreswan version
- Cleanup
---
 extras/vpnupgrade.sh        | 15 +++++-------
 extras/vpnupgrade_centos.sh | 15 +++++-------
 vpnsetup.sh                 | 42 +++++++++++++++++++++++-------------
 vpnsetup_centos.sh          | 42 +++++++++++++++++++++++-------------
 4 files changed, 62 insertions(+), 52 deletions(-)

diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index 0a268ea..a551c8c 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -10,7 +10,7 @@
 # Attribution required: please include my name in any derivative and let me
 # know how you have improved it!
 
-# Check https://libreswan.org for the latest version
+# Specify which Libreswan version to install. See: https://libreswan.org
 SWAN_VER=3.22
 
 ### DO NOT edit below this line ###
@@ -43,19 +43,14 @@ if [ "$(id -u)" != 0 ]; then
   exiterr "Script must be run as root. Try 'sudo sh $0'"
 fi
 
-if [ -z "$SWAN_VER" ]; then
-  exiterr "Libreswan version 'SWAN_VER' not specified."
-fi
-
-swan_ver_is_supported=0
 case "$SWAN_VER" in
   3.19|3.2[01235])
-    swan_ver_is_supported=1
+    /bin/true
+    ;;
+  *)
+    exiterr "Libreswan version '$SWAN_VER' is not supported."
     ;;
 esac
-if [ "$swan_ver_is_supported" != "1" ]; then
-  exiterr "Libreswan version $SWAN_VER is not supported."
-fi
 
 ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)"
 ipsec_ver_short="$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//')"
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index 3168cb5..45d068f 100644
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
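Review bot: The accepted-version arm of the new `case` in extras/vpnupgrade.sh runs `/bin/true`, an external program at a hard-coded path, where the shell's no-op builtin does the same with no fork: `    :`. The `3.19|3.2[01235]` pattern skips 3.24; if that is deliberate, a one-line comment above the `case`, e.g. `# 3.24 intentionally not supported`, keeps the next maintainer from "fixing" it. Dropping the separate `[ -z "$SWAN_VER" ]` check is safe, since an empty value now lands in `*)`, but the message then printed is `Libreswan version '' is not supported.`, which is less helpful than the removed one. The identical block is pasted into extras/vpnupgrade_centos.sh, vpnsetup.sh and vpnsetup_centos.sh, so any of these changes applies to all four.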
@@ -10,7 +10,7 @@
 # Attribution required: please include my name in any derivative and let me
 # know how you have improved it!
 
-# Check https://libreswan.org for the latest version
+# Specify which Libreswan version to install. See: https://libreswan.org
 SWAN_VER=3.22
 
 ### DO NOT edit below this line ###
@@ -34,19 +34,14 @@ if [ "$(id -u)" != 0 ]; then
   exiterr "Script must be run as root. Try 'sudo sh $0'"
 fi
 
-if [ -z "$SWAN_VER" ]; then
-  exiterr "Libreswan version 'SWAN_VER' not specified."
-fi
-
-swan_ver_is_supported=0
 case "$SWAN_VER" in
   3.19|3.2[01235])
-    swan_ver_is_supported=1
+    /bin/true
+    ;;
+  *)
+    exiterr "Libreswan version '$SWAN_VER' is not supported."
     ;;
 esac
-if [ "$swan_ver_is_supported" != "1" ]; then
-  exiterr "Libreswan version $SWAN_VER is not supported."
-fi
 
 ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)"
 ipsec_ver_short="$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//')"
diff --git a/vpnsetup.sh b/vpnsetup.sh
index ff00b3f..c1d692c 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -36,6 +36,8 @@ YOUR_PASSWORD=''
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 SYS_DT="$(date +%F-%T)"
 
+SWAN_VER=3.22
+
 exiterr() { echo "Error: $1" >&2; exit 1; }
 exiterr2() { exiterr "'apt-get install' failed."; }
 conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
@@ -69,7 +71,16 @@ if [ "$(id -u)" != 0 ]; then
   exiterr "Script must be run as root. Try 'sudo sh $0'"
 fi
 
-net_iface=${VPN_NET_IFACE:-'eth0'}
+case "$SWAN_VER" in
+  3.19|3.2[01235])
+    /bin/true
+    ;;
+  *)
+    exiterr "Libreswan version '$SWAN_VER' is not supported."
+    ;;
+esac
+
+NET_IFACE=${VPN_NET_IFACE:-'eth0'}
 def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
 [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
 
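Review bot: `SWAN_VER=3.22` is added to vpnsetup.sh (first hunk of that file) with no comment, unlike the upgrade scripts where the same assignment carries one, so nothing at this site tells a reader that the value is validated against a fixed allowlist in the following hunk or where accepted versions come from; carry the line over: `# Specify which Libreswan version to install. See: https://libreswan.org`. In the second hunk the `case` repeats the block from extras/vpnupgrade.sh verbatim, including `/bin/true` where the builtin `:` would do. The `net_iface` to `NET_IFACE` rename also puts a value resolved at runtime from `VPN_NET_IFACE` or the default route alongside upper-case inputs such as `YOUR_PASSWORD`; presumably intended, but a short comment such as `# NET_IFACE: resolved from VPN_NET_IFACE or the default route` would stop it being read as a user setting. The same three remarks apply to the matching hunks in vpnsetup_centos.sh.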
@@ -82,12 +93,12 @@ if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then
         ;;
     esac
   fi
-  net_iface="$def_iface"
+  NET_IFACE="$def_iface"
 fi
 
-net_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null)
-if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$net_iface" = "lo" ]; then
-  printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2
+net_state=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null)
+if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$NET_IFACE" = "lo" ]; then
+  printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2
   if [ -z "$VPN_NET_IFACE" ]; then
     cat 1>&2 </dev/null \
-  || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
+  || ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \
+  || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
   ipt_flag=1
 fi
@@ -418,17 +428,17 @@ if [ "$ipt_flag" = "1" ]; then
   iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
   iptables -I INPUT 6 -p udp --dport 1701 -j DROP
   iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
-  iptables -I FORWARD 2 -i "$net_iface" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-  iptables -I FORWARD 3 -i ppp+ -o "$net_iface" -j ACCEPT
+  iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+  iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT
   iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT
-  iptables -I FORWARD 5 -i "$net_iface" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-  iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$net_iface" -j ACCEPT
+  iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+  iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
   # Uncomment if you wish to disallow traffic between VPN clients themselves
   # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP
   # iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP
   iptables -A FORWARD -j DROP
-  iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE
-  iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE
+  iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
+  iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
   echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
   iptables-save >> "$IPT_FILE"
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 36eb6c3..f2b12ed 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -36,6 +36,8 @@ YOUR_PASSWORD=''
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 SYS_DT="$(date +%F-%T)"
 
+SWAN_VER=3.22
+
 exiterr() { echo "Error: $1" >&2; exit 1; }
 exiterr2() { exiterr "'yum install' failed."; }
 conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
@@ -60,7 +62,16 @@ if [ "$(id -u)" != 0 ]; then
   exiterr "Script must be run as root. Try 'sudo sh $0'"
 fi
 
-net_iface=${VPN_NET_IFACE:-'eth0'}
+case "$SWAN_VER" in
+  3.19|3.2[01235])
+    /bin/true
+    ;;
+  *)
+    exiterr "Libreswan version '$SWAN_VER' is not supported."
+    ;;
+esac
+
+NET_IFACE=${VPN_NET_IFACE:-'eth0'}
 def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
 [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
 
@@ -71,12 +82,12 @@ if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then
       exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
       ;;
   esac
-  net_iface="$def_iface"
+  NET_IFACE="$def_iface"
 fi
 
-net_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null)
-if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$net_iface" = "lo" ]; then
-  printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2
+net_state=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null)
+if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$NET_IFACE" = "lo" ]; then
+  printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2
   if [ -z "$VPN_NET_IFACE" ]; then
     cat 1>&2 </dev/null \
-  || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
+  || ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \
+  || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
   ipt_flag=1
 fi
@@ -401,17 +411,17 @@ if [ "$ipt_flag" = "1" ]; then
   iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
   iptables -I INPUT 6 -p udp --dport 1701 -j DROP
   iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
-  iptables -I FORWARD 2 -i "$net_iface" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-  iptables -I FORWARD 3 -i ppp+ -o "$net_iface" -j ACCEPT
+  iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+  iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT
   iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT
-  iptables -I FORWARD 5 -i "$net_iface" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-  iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$net_iface" -j ACCEPT
+  iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+  iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
   # Uncomment if you wish to disallow traffic between VPN clients themselves
   # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP
   # iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP
   iptables -A FORWARD -j DROP
-  iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE
-  iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE
+  iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
+  iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
   echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
   iptables-save >> "$IPT_FILE"
 fi