mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2024-11-25 14:26:09 +03:00
Code Issues Projects Releases Wiki Activity

Improve script outputs

Browse Source
This commit is contained in:
hwdsl2 2017-01-09 02:23:09 -06:00
parent c23d5c972a
commit ba0fbb3860
3 changed files with 58 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
extras/vpnupgrade.sh
View File

@ -72,7 +72,7 @@ Your existing VPN configuration files will NOT be modified.
EOF EOF
if [ "$(sed 's/\..*//' /etc/debian_version 2>/dev/null)" = "7" ]; then if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then
cat <<'EOF' cat <<'EOF'
IMPORTANT: Workaround required for Debian 7 (Wheezy). IMPORTANT: Workaround required for Debian 7 (Wheezy).
You must first run the script at: https://git.io/vpndeb7 You must first run the script at: https://git.io/vpndeb7

45
vpnsetup.sh
View File

@ -39,6 +39,7 @@ SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"; export SYS_DT
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; }
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
print_status() { echo; echo "## $1"; echo; }
check_ip() { check_ip() {
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
@ -88,8 +89,7 @@ fi
[ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD" [ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD"
if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
echo "VPN credentials not set by user. Generating random PSK and password..." print_status "VPN credentials not set by user. Generating random PSK and password..."
echo
VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)"
VPN_USER=vpnuser VPN_USER=vpnuser
VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)"
@ -105,7 +105,7 @@ case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
;; ;;
esac esac
if [ "$(sed 's/\..*//' /etc/debian_version 2>/dev/null)" = "7" ]; then if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then
cat <<'EOF' cat <<'EOF'
IMPORTANT: Workaround required for Debian 7 (Wheezy). IMPORTANT: Workaround required for Debian 7 (Wheezy).
You must first run the script at: https://git.io/vpndeb7 You must first run the script at: https://git.io/vpndeb7
@ -117,28 +117,27 @@ EOF
sleep 30 sleep 30
fi fi
echo "VPN setup in progress... Please be patient." print_status "VPN setup in progress... Please be patient."
echo
# Create and change to working dir # Create and change to working dir
mkdir -p /opt/src mkdir -p /opt/src
cd /opt/src || exiterr "Cannot enter /opt/src." cd /opt/src || exiterr "Cannot enter /opt/src."
# Update package index print_status "Populating apt-get cache..."
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
apt-get -yq update || exiterr "'apt-get update' failed." apt-get -yq update || exiterr "'apt-get update' failed."
# Make sure basic commands exist print_status "Installing packages required for setup..."
apt-get -yq install wget dnsutils openssl || exiterr2 apt-get -yq install wget dnsutils openssl || exiterr2
apt-get -yq install iproute gawk grep sed net-tools || exiterr2 apt-get -yq install iproute gawk grep sed net-tools || exiterr2
print_status "Trying to auto discover IPs of this server..."
cat <<'EOF' cat <<'EOF'
Trying to auto discover IPs of this server...
In case the script hangs here for more than a few minutes, In case the script hangs here for more than a few minutes,
use Ctrl-C to interrupt. Then edit it and manually enter IPs. use Ctrl-C to interrupt. Then edit it and manually enter IPs.
EOF EOF
# In case auto IP discovery fails, you may manually enter server IPs here. # In case auto IP discovery fails, you may manually enter server IPs here.
@ -156,7 +155,8 @@ check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script a
check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig "$NET_IF0" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig "$NET_IF0" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
check_ip "$PRIVATE_IP" || exiterr "Cannot find valid private IP. Edit the script and manually enter IPs." check_ip "$PRIVATE_IP" || exiterr "Cannot find valid private IP. Edit the script and manually enter IPs."
# Install necessary packages print_status "Installing packages required for the VPN..."
apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
libcap-ng-dev libcap-ng-utils libselinux1-dev \ libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev flex bison gcc make \ libcurl4-nss-dev flex bison gcc make \
@ -164,10 +164,12 @@ apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
apt-get -yq --no-install-recommends install xmlto || exiterr2 apt-get -yq --no-install-recommends install xmlto || exiterr2
apt-get -yq install ppp xl2tpd || exiterr2 apt-get -yq install ppp xl2tpd || exiterr2
# Install Fail2Ban to protect SSH server print_status "Installing Fail2Ban to protect SSH..."
apt-get -yq install fail2ban || exiterr2 apt-get -yq install fail2ban || exiterr2
# Compile and install Libreswan print_status "Compiling and installing Libreswan..."
swan_ver=3.18 swan_ver=3.18
swan_file="libreswan-$swan_ver.tar.gz" swan_file="libreswan-$swan_ver.tar.gz"
swan_url1="https://download.libreswan.org/$swan_file" swan_url1="https://download.libreswan.org/$swan_file"
@ -191,6 +193,8 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then
exiterr "Libreswan $swan_ver failed to build." exiterr "Libreswan $swan_ver failed to build."
fi fi
print_status "Creating VPN configuration..."
# Create IPsec (Libreswan) config # Create IPsec (Libreswan) config
conf_bk "/etc/ipsec.conf" conf_bk "/etc/ipsec.conf"
cat > /etc/ipsec.conf <<EOF cat > /etc/ipsec.conf <<EOF
@ -302,7 +306,8 @@ cat > /etc/ipsec.d/passwd <<EOF
$VPN_USER:$VPN_PASSWORD_ENC:xauth-psk $VPN_USER:$VPN_PASSWORD_ENC:xauth-psk
EOF EOF
# Update sysctl settings print_status "Updating sysctl settings..."
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
conf_bk "/etc/sysctl.conf" conf_bk "/etc/sysctl.conf"
cat >> /etc/sysctl.conf <<EOF cat >> /etc/sysctl.conf <<EOF
@ -337,6 +342,8 @@ net.ipv4.tcp_wmem = 10240 87380 12582912
EOF EOF
fi fi
print_status "Updating IPTables rules..."
# Check if IPTables rules need updating # Check if IPTables rules need updating
ipt_flag=0 ipt_flag=0
IPT_FILE="/etc/iptables.rules" IPT_FILE="/etc/iptables.rules"
@ -378,7 +385,8 @@ if [ "$ipt_flag" = "1" ]; then
fi fi
fi fi
# Load IPTables rules at boot print_status "Enabling services on boot..."
mkdir -p /etc/network/if-pre-up.d mkdir -p /etc/network/if-pre-up.d
cat > /etc/network/if-pre-up.d/iptablesload <<'EOF' cat > /etc/network/if-pre-up.d/iptablesload <<'EOF'
#!/bin/sh #!/bin/sh
@ -386,10 +394,9 @@ iptables-restore < /etc/iptables.rules
exit 0 exit 0
EOF EOF
# Start services at boot
for svc in fail2ban ipsec xl2tpd; do for svc in fail2ban ipsec xl2tpd; do
update-rc.d "$svc" enable >/dev/null 2>&1 update-rc.d "$svc" enable >/dev/null 2>&1
systemctl enable "$svc" >/dev/null 2>&1 systemctl enable "$svc" 2>/dev/null
done done
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
if [ -f /etc/rc.local ]; then if [ -f /etc/rc.local ]; then
@ -411,6 +418,8 @@ EOF
fi fi
fi fi
print_status "Starting services..."
# Reload sysctl.conf # Reload sysctl.conf
sysctl -e -q -p sysctl -e -q -p

50
vpnsetup_centos.sh
View File

@ -39,6 +39,7 @@ SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"; export SYS_DT
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; } exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; }
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
print_status() { echo; echo "## $1"; echo; }
check_ip() { check_ip() {
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
@ -84,8 +85,7 @@ fi
[ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD" [ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD"
if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
echo "VPN credentials not set by user. Generating random PSK and password..." print_status "VPN credentials not set by user. Generating random PSK and password..."
echo
VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)"
VPN_USER=vpnuser VPN_USER=vpnuser
VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)"
@ -101,24 +101,22 @@ case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
;; ;;
esac esac
echo "VPN setup in progress... Please be patient." print_status "VPN setup in progress... Please be patient."
echo
# Create and change to working dir # Create and change to working dir
mkdir -p /opt/src mkdir -p /opt/src
cd /opt/src || exiterr "Cannot enter /opt/src." cd /opt/src || exiterr "Cannot enter /opt/src."
# Make sure basic commands exist print_status "Installing packages required for setup..."
yum -y install wget bind-utils openssl || exiterr2 yum -y install wget bind-utils openssl || exiterr2
yum -y install iproute gawk grep sed net-tools || exiterr2 yum -y install iproute gawk grep sed net-tools || exiterr2
print_status "Trying to auto discover IPs of this server..."
cat <<'EOF' cat <<'EOF'
Trying to auto discover IPs of this server...
In case the script hangs here for more than a few minutes, In case the script hangs here for more than a few minutes,
use Ctrl-C to interrupt. Then edit it and manually enter IPs. use Ctrl-C to interrupt. Then edit it and manually enter IPs.
EOF EOF
# In case auto IP discovery fails, you may manually enter server IPs here. # In case auto IP discovery fails, you may manually enter server IPs here.
@ -136,20 +134,18 @@ check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script a
check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig "$NET_IF0" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig "$NET_IF0" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
check_ip "$PRIVATE_IP" || exiterr "Cannot find valid private IP. Edit the script and manually enter IPs." check_ip "$PRIVATE_IP" || exiterr "Cannot find valid private IP. Edit the script and manually enter IPs."
# Add the EPEL repository print_status "Adding the EPEL repository..."
yum -y install epel-release || exiterr2 yum -y install epel-release || exiterr2
# Install necessary packages print_status "Installing packages required for the VPN..."
yum -y install nss-devel nspr-devel pkgconfig pam-devel \ yum -y install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel \ libcap-ng-devel libselinux-devel \
curl-devel flex bison gcc make \ curl-devel flex bison gcc make \
fipscheck-devel unbound-devel xmlto || exiterr2 fipscheck-devel unbound-devel xmlto || exiterr2
yum -y install ppp xl2tpd || exiterr2 yum -y install ppp xl2tpd || exiterr2
# Install Fail2Ban to protect SSH server
yum -y install fail2ban || exiterr2
# Install libevent2 and systemd-devel
if grep -qs "release 6" /etc/redhat-release; then if grep -qs "release 6" /etc/redhat-release; then
yum -y remove libevent-devel yum -y remove libevent-devel
yum -y install libevent2-devel || exiterr2 yum -y install libevent2-devel || exiterr2
@ -157,7 +153,12 @@ else
yum -y install libevent-devel systemd-devel || exiterr2 yum -y install libevent-devel systemd-devel || exiterr2
fi fi
# Compile and install Libreswan print_status "Installing Fail2Ban to protect SSH..."
yum -y install fail2ban || exiterr2
print_status "Compiling and installing Libreswan..."
swan_ver=3.18 swan_ver=3.18
swan_file="libreswan-$swan_ver.tar.gz" swan_file="libreswan-$swan_ver.tar.gz"
swan_url1="https://download.libreswan.org/$swan_file" swan_url1="https://download.libreswan.org/$swan_file"
@ -178,6 +179,8 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then
exiterr "Libreswan $swan_ver failed to build." exiterr "Libreswan $swan_ver failed to build."
fi fi
print_status "Creating VPN configuration..."
# Create IPsec (Libreswan) config # Create IPsec (Libreswan) config
conf_bk "/etc/ipsec.conf" conf_bk "/etc/ipsec.conf"
cat > /etc/ipsec.conf <<EOF cat > /etc/ipsec.conf <<EOF
@ -289,7 +292,8 @@ cat > /etc/ipsec.d/passwd <<EOF
$VPN_USER:$VPN_PASSWORD_ENC:xauth-psk $VPN_USER:$VPN_PASSWORD_ENC:xauth-psk
EOF EOF
# Update sysctl settings print_status "Updating sysctl settings..."
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
conf_bk "/etc/sysctl.conf" conf_bk "/etc/sysctl.conf"
cat >> /etc/sysctl.conf <<EOF cat >> /etc/sysctl.conf <<EOF
@ -324,6 +328,8 @@ net.ipv4.tcp_wmem = 10240 87380 12582912
EOF EOF
fi fi
print_status "Updating IPTables rules..."
# Check if IPTables rules need updating # Check if IPTables rules need updating
ipt_flag=0 ipt_flag=0
IPT_FILE="/etc/sysconfig/iptables" IPT_FILE="/etc/sysconfig/iptables"
@ -358,7 +364,8 @@ if [ "$ipt_flag" = "1" ]; then
iptables-save >> "$IPT_FILE" iptables-save >> "$IPT_FILE"
fi fi
# Create basic Fail2Ban rules print_status "Creating basic Fail2Ban rules..."
if [ ! -f /etc/fail2ban/jail.local ] ; then if [ ! -f /etc/fail2ban/jail.local ] ; then
cat > /etc/fail2ban/jail.local <<'EOF' cat > /etc/fail2ban/jail.local <<'EOF'
[ssh-iptables] [ssh-iptables]
@ -369,14 +376,15 @@ logpath = /var/log/secure
EOF EOF
fi fi
# Start services at boot print_status "Enabling services on boot..."
if grep -qs "release 6" /etc/redhat-release; then if grep -qs "release 6" /etc/redhat-release; then
chkconfig iptables on chkconfig iptables on
chkconfig fail2ban on chkconfig fail2ban on
else else
systemctl --now mask firewalld systemctl --now mask firewalld
yum -y install iptables-services || exiterr2 yum -y install iptables-services || exiterr2
systemctl enable iptables fail2ban >/dev/null 2>&1 systemctl enable iptables fail2ban
fi fi
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
if [ -f /etc/rc.local ]; then if [ -f /etc/rc.local ]; then
@ -394,6 +402,8 @@ echo 1 > /proc/sys/net/ipv4/ip_forward
EOF EOF
fi fi
print_status "Starting services..."
# Restore SELinux contexts # Restore SELinux contexts
restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null