
Minor improvements and clean up

This commit is contained in:
hwdsl2 2016-04-20 17:31:29 -05:00
parent 2cca7e57e7
commit af23dd290f
4 changed files with 113 additions and 113 deletions


@ -2,7 +2,6 @@
# #
# Script for automatic setup of an IPsec/L2TP VPN server on Ubuntu LTS and Debian 8. # Script for automatic setup of an IPsec/L2TP VPN server on Ubuntu LTS and Debian 8.
# Works on dedicated servers and any KVM- or Xen-based Virtual Private Server (VPS). # Works on dedicated servers and any KVM- or Xen-based Virtual Private Server (VPS).
# It can also be used as Amazon EC2 "user-data" with the official Ubuntu or Debian AMIs.
# #
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN
# ON YOUR DEDICATED SERVER OR VPS! # ON YOUR DEDICATED SERVER OR VPS!
@ -18,7 +17,7 @@
# ------------------------------------------------------------ # ------------------------------------------------------------
# Please define your own values for these variables # Define your own values for these variables
# - All values MUST be quoted using 'single quotes' # - All values MUST be quoted using 'single quotes'
# - DO NOT use these characters inside values: \ " ' # - DO NOT use these characters inside values: \ " '
@ -26,30 +25,30 @@ IPSEC_PSK='your_ipsec_pre_shared_key'
VPN_USER='your_vpn_username' VPN_USER='your_vpn_username'
VPN_PASSWORD='your_very_secure_password' VPN_PASSWORD='your_very_secure_password'
# Be sure to read IMPORTANT NOTES at the URL below: # Please read IMPORTANT NOTES at:
# https://github.com/hwdsl2/setup-ipsec-vpn#important-notes # https://github.com/hwdsl2/setup-ipsec-vpn#important-notes
# ------------------------------------------------------------ # ------------------------------------------------------------
if [ "$(uname)" = "Darwin" ]; then if [ "$(uname)" = "Darwin" ]; then
echo 'DO NOT run this script on your Mac! It should only be run on a dedicated server / VPS' echo 'DO NOT run this script on your Mac! It should only be used on a server.'
echo 'or a newly-created EC2 instance, after you have edited the variables above.'
exit 1 exit 1
fi fi
if [ "$(lsb_release -si 2>/dev/null)" != "Ubuntu" ] && [ "$(lsb_release -si 2>/dev/null)" != "Debian" ]; then os_type="$(lsb_release -si 2>/dev/null)"
echo "Looks like you aren't running this script on a Ubuntu or Debian system." if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ]; then
echo "This script only supports Ubuntu or Debian systems."
exit 1 exit 1
fi fi
if [ -f /proc/user_beancounters ]; then if [ -f /proc/user_beancounters ]; then
echo "This script does NOT support OpenVZ VPS." echo "This script does NOT support OpenVZ VPS."
echo "Try Nyr's OpenVPN script: https://github.com/Nyr/openvpn-install" echo "Try alternative: https://github.com/Nyr/openvpn-install"
exit 1 exit 1
fi fi
if [ "$(id -u)" != 0 ]; then if [ "$(id -u)" != 0 ]; then
echo "Sorry, you need to run this script as root." echo "Script must be run as root. Try 'sudo sh $0'"
exit 1 exit 1
fi fi
@ -73,10 +72,10 @@ apt-get -y update
apt-get -y install wget dnsutils apt-get -y install wget dnsutils
echo echo
echo 'Trying to determine Public/Private IP of this server...' echo 'Trying to find Public/Private IP of this server...'
echo echo
echo 'In case the script hangs here for more than a few minutes, press Ctrl-C to interrupt.' echo 'In case the script hangs here for more than a few minutes, press Ctrl-C to interrupt.'
echo 'Then edit the script and follow instructions to manually enter server IPs.' echo 'Then edit it and follow instructions to manually enter server IPs.'
echo echo
# In Amazon EC2, these two variables will be retrieved from metadata. # In Amazon EC2, these two variables will be retrieved from metadata.
@ -107,7 +106,7 @@ fi
# Install necessary packages # Install necessary packages
apt-get -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ apt-get -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
libcap-ng-dev libcap-ng-utils libselinux1-dev \ libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev flex bison gcc make \ libcurl4-nss-dev flex bison gcc make sed \
libunbound-dev libnss3-tools libevent-dev libunbound-dev libnss3-tools libevent-dev
apt-get -y --no-install-recommends install xmlto apt-get -y --no-install-recommends install xmlto
apt-get -y install xl2tpd apt-get -y install xl2tpd
@ -122,7 +121,7 @@ SWAN_URL="https://download.libreswan.org/$SWAN_FILE"
wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL" wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
[ ! -f "$SWAN_FILE" ] && { echo "Cannot retrieve Libreswan source file. Aborting."; exit 1; } [ ! -f "$SWAN_FILE" ] && { echo "Cannot retrieve Libreswan source file. Aborting."; exit 1; }
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE" tar xvzf "$SWAN_FILE" && /bin/rm -f "$SWAN_FILE"
cd "libreswan-$SWAN_VER" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; } cd "libreswan-$SWAN_VER" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; }
# Workaround for Libreswan compile issues # Workaround for Libreswan compile issues
cat > Makefile.inc.local <<EOF cat > Makefile.inc.local <<EOF
@ -132,11 +131,11 @@ make programs && make install
# Check if Libreswan install was successful # Check if Libreswan install was successful
/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER" /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER"
[ "$?" != "0" ] && { echo "Sorry, Libreswan $SWAN_VER failed to build. Aborting."; exit 1; } [ "$?" != "0" ] && { echo; echo "Sorry, Libreswan $SWAN_VER failed to build. Aborting."; exit 1; }
# Prepare various config files # Prepare various config files
# Create IPsec (Libreswan) config # Create IPsec (Libreswan) config
SYS_DT="$(/bin/date +%Y-%m-%d-%H:%M:%S)" SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"
/bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$SYS_DT" 2>/dev/null /bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$SYS_DT" 2>/dev/null
cat > /etc/ipsec.conf <<EOF cat > /etc/ipsec.conf <<EOF
version 2.0 version 2.0
@ -261,8 +260,8 @@ fi
# 2. If *not* empty, insert new rules and save them together with existing ones. # 2. If *not* empty, insert new rules and save them together with existing ones.
if ! grep -qs "hwdsl2 VPN script" /etc/iptables.rules; then if ! grep -qs "hwdsl2 VPN script" /etc/iptables.rules; then
/bin/cp -f /etc/iptables.rules "/etc/iptables.rules.old-$SYS_DT" 2>/dev/null /bin/cp -f /etc/iptables.rules "/etc/iptables.rules.old-$SYS_DT" 2>/dev/null
/usr/sbin/service fail2ban stop >/dev/null 2>&1 service fail2ban stop >/dev/null 2>&1
if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ]; then if [ "$(iptables-save | grep -c '^\-')" = "0" ]; then
cat > /etc/iptables.rules <<EOF cat > /etc/iptables.rules <<EOF
# Added by hwdsl2 VPN script # Added by hwdsl2 VPN script
*filter *filter
@ -309,7 +308,7 @@ iptables -A FORWARD -j DROP
iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP" iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP"
echo "# Modified by hwdsl2 VPN script" > /etc/iptables.rules echo "# Modified by hwdsl2 VPN script" > /etc/iptables.rules
/sbin/iptables-save >> /etc/iptables.rules iptables-save >> /etc/iptables.rules
fi fi
# Update rules for iptables-persistent # Update rules for iptables-persistent
if [ -f /etc/iptables/rules.v4 ]; then if [ -f /etc/iptables/rules.v4 ]; then
@ -344,26 +343,26 @@ fi
# Load IPTables rules at system boot # Load IPTables rules at system boot
cat > /etc/network/if-pre-up.d/iptablesload <<EOF cat > /etc/network/if-pre-up.d/iptablesload <<EOF
#!/bin/sh #!/bin/sh
/sbin/iptables-restore < /etc/iptables.rules iptables-restore < /etc/iptables.rules
exit 0 exit 0
EOF EOF
cat > /etc/network/if-pre-up.d/ip6tablesload <<EOF cat > /etc/network/if-pre-up.d/ip6tablesload <<EOF
#!/bin/sh #!/bin/sh
/sbin/ip6tables-restore < /etc/ip6tables.rules ip6tables-restore < /etc/ip6tables.rules
exit 0 exit 0
EOF EOF
# Update rc.local to start services at boot # Update rc.local to start services at boot
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
/bin/cp -f /etc/rc.local "/etc/rc.local.old-$SYS_DT" 2>/dev/null /bin/cp -f /etc/rc.local "/etc/rc.local.old-$SYS_DT" 2>/dev/null
/bin/sed --follow-symlinks -i -e '/^exit 0/d' /etc/rc.local sed --follow-symlinks -i -e '/^exit 0/d' /etc/rc.local
cat >> /etc/rc.local <<EOF cat >> /etc/rc.local <<EOF
# Added by hwdsl2 VPN script # Added by hwdsl2 VPN script
/usr/sbin/service fail2ban restart || /bin/true service fail2ban restart || /bin/true
/usr/sbin/service ipsec start service ipsec start
/usr/sbin/service xl2tpd start service xl2tpd start
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
exit 0 exit 0
EOF EOF
@ -372,44 +371,44 @@ fi
# Initialize Libreswan DB # Initialize Libreswan DB
if [ ! -f /etc/ipsec.d/cert8.db ] ; then if [ ! -f /etc/ipsec.d/cert8.db ] ; then
echo > /var/tmp/libreswan-nss-pwd echo > /var/tmp/libreswan-nss-pwd
/usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
/bin/rm -f /var/tmp/libreswan-nss-pwd /bin/rm -f /var/tmp/libreswan-nss-pwd
fi fi
# Reload sysctl.conf # Reload sysctl.conf
/sbin/sysctl -p sysctl -p
# Update file attributes # Update file attributes
/bin/chmod +x /etc/rc.local chmod +x /etc/rc.local
/bin/chmod +x /etc/network/if-pre-up.d/iptablesload chmod +x /etc/network/if-pre-up.d/iptablesload
/bin/chmod +x /etc/network/if-pre-up.d/ip6tablesload chmod +x /etc/network/if-pre-up.d/ip6tablesload
/bin/chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets*
# Apply new IPTables rules # Apply new IPTables rules
/sbin/iptables-restore < /etc/iptables.rules iptables-restore < /etc/iptables.rules
/sbin/ip6tables-restore < /etc/ip6tables.rules >/dev/null 2>&1 ip6tables-restore < /etc/ip6tables.rules >/dev/null 2>&1
# Restart services # Restart services
/usr/sbin/service fail2ban stop >/dev/null 2>&1 service fail2ban stop >/dev/null 2>&1
/usr/sbin/service ipsec stop >/dev/null 2>&1 service ipsec stop >/dev/null 2>&1
/usr/sbin/service xl2tpd stop >/dev/null 2>&1 service xl2tpd stop >/dev/null 2>&1
/usr/sbin/service fail2ban start service fail2ban start
/usr/sbin/service ipsec start service ipsec start
/usr/sbin/service xl2tpd start service xl2tpd start
echo echo
echo '============================================================' echo '============================================================'
echo 'IPSec/L2TP VPN server setup is complete!' echo 'IPsec/L2TP VPN server setup is complete!'
echo echo
echo 'Connect to your new VPN with these credentials:' echo 'Connect to your new VPN with these details:'
echo echo
echo "Server IP: $PUBLIC_IP" echo "Server IP: $PUBLIC_IP"
echo "IPSec PSK: $IPSEC_PSK" echo "IPsec PSK: $IPSEC_PSK"
echo "Username: $VPN_USER" echo "Username: $VPN_USER"
echo "Password: $VPN_PASSWORD" echo "Password: $VPN_PASSWORD"
echo '============================================================' echo '============================================================'
echo echo
echo 'Please read IMPORTANT NOTES at the URL below:' echo 'Please read IMPORTANT NOTES at:'
echo 'https://github.com/hwdsl2/setup-ipsec-vpn#important-notes' echo 'https://github.com/hwdsl2/setup-ipsec-vpn#important-notes'
echo echo
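Review bot: The `@ -344` and `@ -372` hunks drop the absolute paths (`/sbin/iptables-restore`, `/usr/sbin/service`, `/sbin/sysctl`, `/usr/bin/certutil`, `/bin/chmod`) and the rc.local and if-pre-up.d heredocs now write bare `iptables-restore`, `ip6tables-restore` and `service` into boot-time scripts, so a script that runs as root now depends entirely on the caller's PATH — a root shell reached via plain `su`, or a cloud user-data environment, may not have `/sbin` and `/usr/sbin` on it, and any directory listed earlier in PATH is searched first. Pin the search path once next to the `id -u` check, e.g. `export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"`, and put the same line after `#!/bin/sh` in the two generated if-pre-up.d scripts. The CentOS/RHEL setup script and both upgrade scripts below make the identical change and need the same pin. The `id -u` check and the boot-script heredocs are in different hunks, and the file header with the shebang is outside the diff.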


@ -2,7 +2,6 @@
# #
# Script for automatic setup of an IPsec/L2TP VPN server on 64-bit CentOS/RHEL 6 & 7. # Script for automatic setup of an IPsec/L2TP VPN server on 64-bit CentOS/RHEL 6 & 7.
# Works on dedicated servers and any KVM- or Xen-based Virtual Private Server (VPS). # Works on dedicated servers and any KVM- or Xen-based Virtual Private Server (VPS).
# It can also be used as Amazon EC2 "user-data" with the official CentOS 6 & 7 AMIs.
# #
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN
# ON YOUR DEDICATED SERVER OR VPS! # ON YOUR DEDICATED SERVER OR VPS!
@ -10,15 +9,15 @@
# Copyright (C) 2015-2016 Lin Song # Copyright (C) 2015-2016 Lin Song
# Based on the work of Thomas Sarlandie (Copyright 2012) # Based on the work of Thomas Sarlandie (Copyright 2012)
# #
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/ # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
# #
# Attribution required: please include my name in any derivative and let me # Attribution required: please include my name in any derivative and let me
# know how you have improved it! # know how you have improved it!
# ------------------------------------------------------------ # ------------------------------------------------------------
# Please define your own values for these variables # Define your own values for these variables
# - All values MUST be quoted using 'single quotes' # - All values MUST be quoted using 'single quotes'
# - DO NOT use these characters inside values: \ " ' # - DO NOT use these characters inside values: \ " '
@ -26,24 +25,23 @@ IPSEC_PSK='your_ipsec_pre_shared_key'
VPN_USER='your_vpn_username' VPN_USER='your_vpn_username'
VPN_PASSWORD='your_very_secure_password' VPN_PASSWORD='your_very_secure_password'
# Be sure to read IMPORTANT NOTES at the URL below: # Please read IMPORTANT NOTES at:
# https://github.com/hwdsl2/setup-ipsec-vpn#important-notes # https://github.com/hwdsl2/setup-ipsec-vpn#important-notes
# ------------------------------------------------------------ # ------------------------------------------------------------
if [ "$(uname)" = "Darwin" ]; then if [ "$(uname)" = "Darwin" ]; then
echo 'DO NOT run this script on your Mac! It should only be run on a dedicated server / VPS' echo 'DO NOT run this script on your Mac! It should only be used on a server.'
echo 'or a newly-created EC2 instance, after you have edited the variables above.'
exit 1 exit 1
fi fi
if [ ! -f /etc/redhat-release ]; then if [ ! -f /etc/redhat-release ]; then
echo "Looks like you aren't running this script on a CentOS/RHEL system." echo "This script only supports CentOS or RHEL systems."
exit 1 exit 1
fi fi
if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then
echo "This script only supports versions 6 and 7 of CentOS/RHEL." echo "This script only supports CentOS/RHEL 6 and 7."
exit 1 exit 1
fi fi
@ -54,12 +52,12 @@ fi
if [ -f /proc/user_beancounters ]; then if [ -f /proc/user_beancounters ]; then
echo "This script does NOT support OpenVZ VPS." echo "This script does NOT support OpenVZ VPS."
echo "Try Nyr's OpenVPN script: https://github.com/Nyr/openvpn-install" echo "Try alternative: https://github.com/Nyr/openvpn-install"
exit 1 exit 1
fi fi
if [ "$(id -u)" != 0 ]; then if [ "$(id -u)" != 0 ]; then
echo "Sorry, you need to run this script as root." echo "Script must be run as root. Try 'sudo sh $0'"
exit 1 exit 1
fi fi
@ -84,10 +82,10 @@ cd /opt/src || { echo "Failed to change working dir to /opt/src. Aborting."; exi
yum -y install wget bind-utils yum -y install wget bind-utils
echo echo
echo 'Trying to determine Public/Private IP of this server...' echo 'Trying to find Public/Private IP of this server...'
echo echo
echo 'In case the script hangs here for more than a few minutes, press Ctrl-C to interrupt.' echo 'In case the script hangs here for more than a few minutes, press Ctrl-C to interrupt.'
echo 'Then edit the script and follow instructions to manually enter server IPs.' echo 'Then edit it and follow instructions to manually enter server IPs.'
echo echo
# In Amazon EC2, these two variables will be retrieved from metadata. # In Amazon EC2, these two variables will be retrieved from metadata.
@ -162,7 +160,7 @@ SWAN_URL="https://download.libreswan.org/$SWAN_FILE"
wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL" wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
[ ! -f "$SWAN_FILE" ] && { echo "Cannot retrieve Libreswan source file. Aborting."; exit 1; } [ ! -f "$SWAN_FILE" ] && { echo "Cannot retrieve Libreswan source file. Aborting."; exit 1; }
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE" tar xvzf "$SWAN_FILE" && /bin/rm -f "$SWAN_FILE"
cd "libreswan-$SWAN_VER" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; } cd "libreswan-$SWAN_VER" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; }
# Workaround for Libreswan compile issues # Workaround for Libreswan compile issues
cat > Makefile.inc.local <<EOF cat > Makefile.inc.local <<EOF
@ -172,11 +170,11 @@ make programs && make install
# Check if Libreswan install was successful # Check if Libreswan install was successful
/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER" /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER"
[ "$?" != "0" ] && { echo "Sorry, Libreswan $SWAN_VER failed to build. Aborting."; exit 1; } [ "$?" != "0" ] && { echo; echo "Sorry, Libreswan $SWAN_VER failed to build. Aborting."; exit 1; }
# Prepare various config files # Prepare various config files
# Create IPsec (Libreswan) config # Create IPsec (Libreswan) config
SYS_DT="$(/bin/date +%Y-%m-%d-%H:%M:%S)" SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"
/bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$SYS_DT" 2>/dev/null /bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$SYS_DT" 2>/dev/null
cat > /etc/ipsec.conf <<EOF cat > /etc/ipsec.conf <<EOF
version 2.0 version 2.0
@ -301,8 +299,8 @@ fi
# 2. If *not* empty, insert new rules and save them together with existing ones. # 2. If *not* empty, insert new rules and save them together with existing ones.
if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/iptables; then if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/iptables; then
/bin/cp -f /etc/sysconfig/iptables "/etc/sysconfig/iptables.old-$SYS_DT" 2>/dev/null /bin/cp -f /etc/sysconfig/iptables "/etc/sysconfig/iptables.old-$SYS_DT" 2>/dev/null
/sbin/service fail2ban stop >/dev/null 2>&1 service fail2ban stop >/dev/null 2>&1
if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ]; then if [ "$(iptables-save | grep -c '^\-')" = "0" ]; then
cat > /etc/sysconfig/iptables <<EOF cat > /etc/sysconfig/iptables <<EOF
# Added by hwdsl2 VPN script # Added by hwdsl2 VPN script
*filter *filter
@ -348,7 +346,7 @@ iptables -A FORWARD -j DROP
iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP" iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP"
echo "# Modified by hwdsl2 VPN script" > /etc/sysconfig/iptables echo "# Modified by hwdsl2 VPN script" > /etc/sysconfig/iptables
/sbin/iptables-save >> /etc/sysconfig/iptables iptables-save >> /etc/sysconfig/iptables
fi fi
fi fi
@ -395,11 +393,11 @@ if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
cat >> /etc/rc.local <<EOF cat >> /etc/rc.local <<EOF
# Added by hwdsl2 VPN script # Added by hwdsl2 VPN script
/sbin/iptables-restore < /etc/sysconfig/iptables iptables-restore < /etc/sysconfig/iptables
/sbin/ip6tables-restore < /etc/sysconfig/ip6tables ip6tables-restore < /etc/sysconfig/ip6tables
/sbin/service fail2ban restart service fail2ban restart
/sbin/service ipsec start service ipsec start
/sbin/service xl2tpd start service xl2tpd start
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
EOF EOF
fi fi
@ -407,47 +405,47 @@ fi
# Initialize Libreswan DB # Initialize Libreswan DB
if [ ! -f /etc/ipsec.d/cert8.db ] ; then if [ ! -f /etc/ipsec.d/cert8.db ] ; then
echo > /var/tmp/libreswan-nss-pwd echo > /var/tmp/libreswan-nss-pwd
/usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
/bin/rm -f /var/tmp/libreswan-nss-pwd /bin/rm -f /var/tmp/libreswan-nss-pwd
fi fi
# Restore SELinux contexts # Restore SELinux contexts
/sbin/restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /etc/ipsec.d/*db 2>/dev/null
/sbin/restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null
/sbin/restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Reload sysctl.conf # Reload sysctl.conf
/sbin/sysctl -p sysctl -p
# Update file attributes # Update file attributes
/bin/chmod +x /etc/rc.local chmod +x /etc/rc.local
/bin/chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets*
# Apply new IPTables rules # Apply new IPTables rules
/sbin/iptables-restore < /etc/sysconfig/iptables iptables-restore < /etc/sysconfig/iptables
/sbin/ip6tables-restore < /etc/sysconfig/ip6tables >/dev/null 2>&1 ip6tables-restore < /etc/sysconfig/ip6tables >/dev/null 2>&1
# Restart services # Restart services
/sbin/service fail2ban stop >/dev/null 2>&1 service fail2ban stop >/dev/null 2>&1
/sbin/service ipsec stop >/dev/null 2>&1 service ipsec stop >/dev/null 2>&1
/sbin/service xl2tpd stop >/dev/null 2>&1 service xl2tpd stop >/dev/null 2>&1
/sbin/service fail2ban start service fail2ban start
/sbin/service ipsec start service ipsec start
/sbin/service xl2tpd start service xl2tpd start
echo echo
echo '============================================================' echo '============================================================'
echo 'IPSec/L2TP VPN server setup is complete!' echo 'IPsec/L2TP VPN server setup is complete!'
echo echo
echo 'Connect to your new VPN with these credentials:' echo 'Connect to your new VPN with these details:'
echo echo
echo "Server IP: $PUBLIC_IP" echo "Server IP: $PUBLIC_IP"
echo "IPSec PSK: $IPSEC_PSK" echo "IPsec PSK: $IPSEC_PSK"
echo "Username: $VPN_USER" echo "Username: $VPN_USER"
echo "Password: $VPN_PASSWORD" echo "Password: $VPN_PASSWORD"
echo '============================================================' echo '============================================================'
echo echo
echo 'Please read IMPORTANT NOTES at the URL below:' echo 'Please read IMPORTANT NOTES at:'
echo 'https://github.com/hwdsl2/setup-ipsec-vpn#important-notes' echo 'https://github.com/hwdsl2/setup-ipsec-vpn#important-notes'
echo echo
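Review bot: The NSS database is initialised from a password file at the fixed path `/var/tmp/libreswan-nss-pwd` in the `@ -407` hunk, created with `echo >` as root in a world-writable directory, so an existing file or symlink of that name is followed and overwritten; the commit only changes `certutil` to an unqualified name and leaves this as is. Create the file with `mktemp` instead, e.g. `nss_pwd="$(mktemp /var/tmp/libreswan-nss-pwd.XXXXXX)" || exit 1`, then `echo > "$nss_pwd"` and `certutil -N -f "$nss_pwd" -d /etc/ipsec.d`, and remove `"$nss_pwd"` afterwards as the hunk already does for the fixed name. The Ubuntu/Debian setup script above carries the same three lines in its `@ -372` hunk. The enclosing `if [ ! -f /etc/ipsec.d/cert8.db ]` block is complete within the hunk.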


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Script to upgrade Libreswan to a newer version on Ubuntu and Debian # Script to upgrade Libreswan on Ubuntu and Debian
# #
# Copyright (C) 2016 Lin Song # Copyright (C) 2016 Lin Song
# #
@ -15,8 +15,9 @@ SWAN_VER=3.17
### Do not edit below this line ### Do not edit below this line
if [ "$(lsb_release -si 2>/dev/null)" != "Ubuntu" ] && [ "$(lsb_release -si 2>/dev/null)" != "Debian" ]; then os_type="$(lsb_release -si 2>/dev/null)"
echo "Looks like you aren't running this script on a Ubuntu or Debian system." if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ]; then
echo "This script only supports Ubuntu or Debian systems."
exit 1 exit 1
fi fi
@ -26,19 +27,19 @@ if [ -f /proc/user_beancounters ]; then
fi fi
if [ "$(id -u)" != 0 ]; then if [ "$(id -u)" != 0 ]; then
echo "Sorry, you need to run this script as root." echo "Script must be run as root. Try 'sudo sh $0'"
exit 1 exit 1
fi fi
/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan" /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan"
if [ "$?" != "0" ]; then if [ "$?" != "0" ]; then
echo "This upgrade script requires you already have Libreswan installed." echo "This upgrade script requires Libreswan already installed."
exit 1 exit 1
fi fi
/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan $SWAN_VER" /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan $SWAN_VER"
if [ "$?" = "0" ]; then if [ "$?" = "0" ]; then
echo "Looks like you already have Libreswan version $SWAN_VER installed! " echo "You already have Libreswan version $SWAN_VER installed! "
echo echo
printf "Do you wish to continue anyway? [y/N] " printf "Do you wish to continue anyway? [y/N] "
read -r response read -r response
@ -56,8 +57,8 @@ fi
clear clear
echo "Welcome! This script will build and install Libreswan $SWAN_VER on your server." echo "Welcome! This script will build and install Libreswan $SWAN_VER on your server."
echo "Related packages, such as those required by Libreswan compilation will also be installed." echo "Additional packages required for Libreswan compilation will also be installed."
echo "This is intended for use on VPN servers running an older version of Libreswan." echo "This is intended for use on servers running an older version of Libreswan."
echo "Your existing VPN configuration files will NOT be modified." echo "Your existing VPN configuration files will NOT be modified."
if [ "$(sed 's/\..*//' /etc/debian_version 2>/dev/null)" = "7" ]; then if [ "$(sed 's/\..*//' /etc/debian_version 2>/dev/null)" = "7" ]; then
@ -94,7 +95,7 @@ apt-get -y install wget
# Install necessary packages # Install necessary packages
apt-get -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ apt-get -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
libcap-ng-dev libcap-ng-utils libselinux1-dev \ libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev flex bison gcc make \ libcurl4-nss-dev flex bison gcc make sed \
libunbound-dev libnss3-tools libevent-dev libunbound-dev libnss3-tools libevent-dev
apt-get -y --no-install-recommends install xmlto apt-get -y --no-install-recommends install xmlto
@ -104,7 +105,7 @@ SWAN_URL="https://download.libreswan.org/$SWAN_FILE"
wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL" wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
[ ! -f "$SWAN_FILE" ] && { echo "Cannot retrieve Libreswan source file. Aborting."; exit 1; } [ ! -f "$SWAN_FILE" ] && { echo "Cannot retrieve Libreswan source file. Aborting."; exit 1; }
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE" tar xvzf "$SWAN_FILE" && /bin/rm -f "$SWAN_FILE"
cd "libreswan-$SWAN_VER" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; } cd "libreswan-$SWAN_VER" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; }
# Workaround for Libreswan compile issues # Workaround for Libreswan compile issues
cat > Makefile.inc.local <<EOF cat > Makefile.inc.local <<EOF
@ -113,12 +114,13 @@ EOF
make programs && make install make programs && make install
# Restart IPsec service # Restart IPsec service
/usr/sbin/service ipsec restart service ipsec restart
# Check if Libreswan install was successful # Check if Libreswan install was successful
/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER" /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER"
[ "$?" != "0" ] && { echo "Sorry, Libreswan $SWAN_VER failed to build. Aborting."; exit 1; } [ "$?" != "0" ] && { echo; echo "Sorry, Libreswan $SWAN_VER failed to build. Aborting."; exit 1; }
echo echo
echo "Congratulations! Libreswan $SWAN_VER was installed successfully! " echo "Libreswan $SWAN_VER was installed successfully! "
echo
exit 0 exit 0
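Review bot: The new `os_type="$(lsb_release -si 2>/dev/null)"` check in the `@ -15` hunk prints "This script only supports Ubuntu or Debian systems." whenever `lsb_release` is not installed, because the empty string fails both comparisons, so a supported host without the lsb-release package is rejected with a misleading message. Guard the lookup first, e.g. `command -v lsb_release >/dev/null 2>&1 || { echo "lsb_release not found. Install the lsb-release package and retry."; exit 1; }`, or fall back to the `ID=` field of `/etc/os-release` when the command is absent. The Ubuntu/Debian setup script above introduces the same check in its `@ -26` hunk and needs the same guard.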


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Script to upgrade Libreswan to a newer version on CentOS and RHEL # Script to upgrade Libreswan on CentOS and RHEL
# #
# Copyright (C) 2016 Lin Song # Copyright (C) 2016 Lin Song
# #
@ -16,12 +16,12 @@ SWAN_VER=3.17
### Do not edit below this line ### Do not edit below this line
if [ ! -f /etc/redhat-release ]; then if [ ! -f /etc/redhat-release ]; then
echo "Looks like you aren't running this script on a CentOS/RHEL system." echo "This script only supports CentOS or RHEL systems."
exit 1 exit 1
fi fi
if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then
echo "This script only supports versions 6 and 7 of CentOS/RHEL." echo "This script only supports CentOS/RHEL 6 and 7."
exit 1 exit 1
fi fi
@ -36,19 +36,19 @@ if [ -f /proc/user_beancounters ]; then
fi fi
if [ "$(id -u)" != 0 ]; then if [ "$(id -u)" != 0 ]; then
echo "Sorry, you need to run this script as root." echo "Script must be run as root. Try 'sudo sh $0'"
exit 1 exit 1
fi fi
/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan" /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan"
if [ "$?" != "0" ]; then if [ "$?" != "0" ]; then
echo "This upgrade script requires you already have Libreswan installed." echo "This upgrade script requires Libreswan already installed."
exit 1 exit 1
fi fi
/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan $SWAN_VER" /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan $SWAN_VER"
if [ "$?" = "0" ]; then if [ "$?" = "0" ]; then
echo "Looks like you already have Libreswan version $SWAN_VER installed! " echo "You already have Libreswan version $SWAN_VER installed! "
echo echo
printf "Do you wish to continue anyway? [y/N] " printf "Do you wish to continue anyway? [y/N] "
read -r response read -r response
@ -66,8 +66,8 @@ fi
clear clear
echo "Welcome! This script will build and install Libreswan $SWAN_VER on your server." echo "Welcome! This script will build and install Libreswan $SWAN_VER on your server."
echo "Related packages, such as those required by Libreswan compilation will also be installed." echo "Additional packages required for Libreswan compilation will also be installed."
echo "This is intended for use on VPN servers running an older version of Libreswan." echo "This is intended for use on servers running an older version of Libreswan."
echo "Your existing VPN configuration files will NOT be modified." echo "Your existing VPN configuration files will NOT be modified."
echo echo
@ -129,7 +129,7 @@ SWAN_URL="https://download.libreswan.org/$SWAN_FILE"
wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL" wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
[ ! -f "$SWAN_FILE" ] && { echo "Cannot retrieve Libreswan source file. Aborting."; exit 1; } [ ! -f "$SWAN_FILE" ] && { echo "Cannot retrieve Libreswan source file. Aborting."; exit 1; }
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE" tar xvzf "$SWAN_FILE" && /bin/rm -f "$SWAN_FILE"
cd "libreswan-$SWAN_VER" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; } cd "libreswan-$SWAN_VER" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; }
# Workaround for Libreswan compile issues # Workaround for Libreswan compile issues
cat > Makefile.inc.local <<EOF cat > Makefile.inc.local <<EOF
@ -138,17 +138,18 @@ EOF
make programs && make install make programs && make install
# Restore SELinux contexts # Restore SELinux contexts
/sbin/restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /etc/ipsec.d/*db 2>/dev/null
/sbin/restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null
/sbin/restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Restart IPsec service # Restart IPsec service
/sbin/service ipsec restart service ipsec restart
# Check if Libreswan install was successful # Check if Libreswan install was successful
/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER" /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER"
[ "$?" != "0" ] && { echo "Sorry, Libreswan $SWAN_VER failed to build. Aborting."; exit 1; } [ "$?" != "0" ] && { echo; echo "Sorry, Libreswan $SWAN_VER failed to build. Aborting."; exit 1; }
echo echo
echo "Congratulations! Libreswan $SWAN_VER was installed successfully! " echo "Libreswan $SWAN_VER was installed successfully! "
echo
exit 0 exit 0
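Review bot: In the `@ -138` hunk `service ipsec restart` and the three `restorecon` calls run before the `ipsec --version` success check, so when `make programs && make install` fails — nothing on the visible lines checks its status — the running IPsec service is still bounced before the script prints "failed to build" and exits. Move the two check lines, `/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER"` and the `[ "$?" != "0" ] && { echo; echo "Sorry, ..."; exit 1; }` that follows it, to directly after `make programs && make install`, ahead of `restorecon` and the restart; `ipsec --version` should report the binary just installed rather than the running daemon, so the check is meaningful at that point. The Ubuntu/Debian upgrade script above has the same ordering in its `@ -113` hunk.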