mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2024-11-26 06:46:06 +03:00
Code Issues Projects Releases Wiki Activity

Merge pull request #1 from hwdsl2/master

Browse Source 
Update from source
This commit is contained in:
StefanBuchman 2017-12-08 14:11:34 +11:00 committed by GitHub
commit bab901458f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 339 additions and 254 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.travis.yml
View File

@ -11,7 +11,7 @@ addons:
- shellcheck
script:
- export SHELLCHECK_OPTS="-e SC1091"
- export SHELLCHECK_OPTS="-e SC1091,SC1117"
- shellcheck *.sh extras/*.sh
- sudo sed -i "/debian unstable/d" /etc/apt/sources.list
- sudo VPN_IPSEC_PSK='vpn_psk'

20
README-zh.md
View File

@ -28,7 +28,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时
## 快速开始
首先,在你的 Linux 服务器* 上全新安装一个 Ubuntu LTS, Debian 或者 CentOS 系统。
首先,在你的 Linux 服务器[*](#quick-start-note) 上全新安装一个 Ubuntu LTS, Debian 或者 CentOS 系统。
使用以下命令快速搭建 IPsec VPN 服务器:
@ -42,6 +42,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
如需了解其它安装选项,以及如何配置 VPN 客户端,请继续阅读以下部分。
<a name="quick-start-note"></a>
\* 一个专用服务器或者虚拟专用服务器 (VPS)。OpenVZ VPS 不受支持。
## 功能特性
@ -66,9 +67,9 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
**-或者-**
一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS)全新安装以上操作系统之一。OpenVZ VPS 不受支持,用户可以尝试使用比如 <a href="https://shadowsocks.org" target="_blank">Shadowsocks</a> 或者 <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a>
一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS)全新安装以上操作系统之一。OpenVZ VPS 不受支持,用户可以另外尝试比如 <a href="https://shadowsocks.org" target="_blank">Shadowsocks</a> 或者 <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a>
这也包括各种公共云服务中的 Linux 虚拟机,比如 <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://amazonlightsail.com" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="http://www.softlayer.com/" target="_blank">IBM SoftLayer</a>, <a href="https://www.ovh.com/us/vps/" target="_blank">OVH</a><a href="https://www.rackspace.com" target="_blank">Rackspace</a>
这也包括各种公共云服务中的 Linux 虚拟机,比如 <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://amazonlightsail.com" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="https://www.ibm.com/cloud-computing/bluemix/virtual-servers" target="_blank">IBM Bluemix</a>, <a href="https://www.ovh.com/us/vps/" target="_blank">OVH</a><a href="https://www.rackspace.com" target="_blank">Rackspace</a>
<a href="azure/README-zh.md" target="_blank"><img src="docs/images/azure-deploy-button.png" alt="Deploy to Azure" /></a> <a href="http://dovpn.carlfriess.com/" target="_blank"><img src="docs/images/do-install-button.png" alt="Install on DigitalOcean" /></a> <a href="https://www.linode.com/stackscripts/view/37239" target="_blank"><img src="docs/images/linode-deploy-button.png" alt="Deploy to Linode" /></a>
@ -124,10 +125,11 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
配置你的计算机或其它设备使用 VPN 。请参见:
<a href="docs/clients-zh.md" target="_blank">配置 IPsec/L2TP VPN 客户端</a>
<a href="docs/clients-xauth-zh.md" target="_blank">配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端</a>
<a href="docs/clients-zh.md" target="_blank">**配置 IPsec/L2TP VPN 客户端**</a>
<a href="docs/ikev2-howto-zh.md" target="_blank">如何配置 IKEv2 VPN: Windows 和 Android</a>
<a href="docs/clients-xauth-zh.md" target="_blank">**配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端**</a>
<a href="docs/ikev2-howto-zh.md" target="_blank">**如何配置 IKEv2 VPN: Windows 和 Android**</a>
如果在连接过程中遇到错误,请参见 <a href="docs/clients-zh.md#故障排除" target="_blank">故障排除</a>
@ -139,7 +141,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
**Windows 用户** 在首次连接之前需要<a href="docs/clients-zh.md#windows-错误-809" target="_blank">修改一次注册表</a>,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。
同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 <a href="docs/clients-xauth-zh.md" target="_blank">IPsec/XAuth 模式</a>另外,你的服务器必须运行 [Libreswan 3.19 或更新版本](#升级libreswan)。
同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 <a href="docs/clients-xauth-zh.md" target="_blank">IPsec/XAuth 模式</a>
对于有外部防火墙的服务器(比如 <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/compute/docs/vpc/firewalls" target="_blank">GCE</a>),请为 VPN 打开 UDP 端口 500 和 4500。
@ -147,6 +149,8 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
在 VPN 已连接时,客户端配置为使用 <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a>。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd``/etc/ipsec.conf` 并替换 `8.8.8.8``8.8.4.4`。然后重启服务器。
使用 L2TP 内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 16.04, Debian 9, CentOS 7 和 6。 Ubuntu 16.04 用户需要安装 `` linux-image-extra-`uname -r` `` 软件包并且重启 `xl2tpd` 服务。
如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。
在使用 `IPsec/L2TP` 连接时VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`
@ -155,7 +159,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
## 升级Libreswan
提供两个额外的脚本 <a href="extras/vpnupgrade.sh" target="_blank">vpnupgrade.sh</a><a href="extras/vpnupgrade_centos.sh" target="_blank">vpnupgrade_centos.sh</a>,可用于升级 <a href="https://libreswan.org" target="_blank">Libreswan</a> <a href="https://github.com/libreswan/libreswan/blob/master/CHANGES" target="_blank">更新日志</a> | <a href="https://lists.libreswan.org/mailman/listinfo/swan-announce" target="_blank">通知列表</a>)。请在运行前根据需要修改 `swan_ver` 变量。检查已安装版本: `ipsec --version`.
提供两个额外的脚本 <a href="extras/vpnupgrade.sh" target="_blank">vpnupgrade.sh</a><a href="extras/vpnupgrade_centos.sh" target="_blank">vpnupgrade_centos.sh</a>,可用于升级 <a href="https://libreswan.org" target="_blank">Libreswan</a> <a href="https://github.com/libreswan/libreswan/blob/master/CHANGES" target="_blank">更新日志</a> | <a href="https://lists.libreswan.org/mailman/listinfo/swan-announce" target="_blank">通知列表</a>)。请在运行前根据需要修改 `SWAN_VER` 变量。查看已安装版本: `ipsec --version`.
```bash
# Ubuntu & Debian

20
README.md
View File

@ -28,7 +28,7 @@ We will use <a href="https://libreswan.org/" target="_blank">Libreswan</a> as th
## Quick start
First, prepare your Linux server* with a fresh install of Ubuntu LTS, Debian or CentOS.
First, prepare your Linux server[*](#quick-start-note) with a fresh install of Ubuntu LTS, Debian or CentOS.
Use this one-liner to set up an IPsec VPN server:
@ -42,6 +42,7 @@ Your VPN login details will be randomly generated, and displayed on the screen w
For other installation options and how to set up VPN clients, read the sections below.
<a name="quick-start-note"></a>
\* A dedicated server or virtual private server (VPS). OpenVZ VPS is not supported.
## Features
@ -68,7 +69,7 @@ Please see <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-1
A dedicated server or KVM/Xen-based virtual private server (VPS), freshly installed with one of the above OS. OpenVZ VPS is not supported, users could instead try <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a> or <a href="https://shadowsocks.org" target="_blank">Shadowsocks</a>.
This also includes Linux VMs in public clouds, such as <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://amazonlightsail.com" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="http://www.softlayer.com/" target="_blank">IBM SoftLayer</a>, <a href="https://www.ovh.com/us/vps/" target="_blank">OVH</a> and <a href="https://www.rackspace.com" target="_blank">Rackspace</a>.
This also includes Linux VMs in public clouds, such as <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://amazonlightsail.com" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="https://www.ibm.com/cloud-computing/bluemix/virtual-servers" target="_blank">IBM Bluemix</a>, <a href="https://www.ovh.com/us/vps/" target="_blank">OVH</a> and <a href="https://www.rackspace.com" target="_blank">Rackspace</a>.
<a href="azure/README.md" target="_blank"><img src="docs/images/azure-deploy-button.png" alt="Deploy to Azure" /></a> <a href="http://dovpn.carlfriess.com/" target="_blank"><img src="docs/images/do-install-button.png" alt="Install on DigitalOcean" /></a> <a href="https://www.linode.com/stackscripts/view/37239" target="_blank"><img src="docs/images/linode-deploy-button.png" alt="Deploy to Linode" /></a>
@ -105,7 +106,7 @@ sudo sh vpnsetup.sh
```bash
# All values MUST be placed inside 'single quotes'
# DO NOT use these characters within values: \ " '
# DO NOT use these special characters within values: \ " '
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo \
VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
VPN_USER='your_vpn_username' \
@ -124,10 +125,11 @@ Follow the same steps as above, but replace `https://git.io/vpnsetup` with `http
Get your computer or device to use the VPN. Please refer to:
<a href="docs/clients.md" target="_blank">Configure IPsec/L2TP VPN Clients</a>
<a href="docs/clients-xauth.md" target="_blank">Configure IPsec/XAuth ("Cisco IPsec") VPN Clients</a>
<a href="docs/clients.md" target="_blank">**Configure IPsec/L2TP VPN Clients**</a>
<a href="docs/ikev2-howto.md" target="_blank">How-To: IKEv2 VPN for Windows and Android</a>
<a href="docs/clients-xauth.md" target="_blank">**Configure IPsec/XAuth ("Cisco IPsec") VPN Clients**</a>
<a href="docs/ikev2-howto.md" target="_blank">**How-To: IKEv2 VPN for Windows and Android**</a>
If you get an error when trying to connect, see <a href="docs/clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
@ -139,7 +141,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles:
For **Windows users**, this <a href="docs/clients.md#windows-error-809" target="_blank">one-time registry change</a> is required if the VPN server and/or client is behind NAT (e.g. home router).
The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only <a href="docs/clients-xauth.md" target="_blank">IPsec/XAuth mode</a>. Also, your server must run [Libreswan 3.19 or newer](#upgrade-libreswan).
The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only <a href="docs/clients-xauth.md" target="_blank">IPsec/XAuth mode</a>.
For servers with an external firewall (e.g. <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/compute/docs/vpc/firewalls" target="_blank">GCE</a>), open UDP ports 500 and 4500 for the VPN.
@ -147,6 +149,8 @@ If you wish to add, edit or remove VPN user accounts, see <a href="docs/manage-u
Clients are set to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server.
Using L2TP kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 16.04, Debian 9, CentOS 7 and 6. Ubuntu 16.04 users should install the `` linux-image-extra-`uname -r` `` package and restart the `xl2tpd` service.
To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server.
When connecting via `IPsec/L2TP`, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`.
@ -155,7 +159,7 @@ The scripts will backup existing config files before making changes, with `.old-
## Upgrade Libreswan
The additional scripts <a href="extras/vpnupgrade.sh" target="_blank">vpnupgrade.sh</a> and <a href="extras/vpnupgrade_centos.sh" target="_blank">vpnupgrade_centos.sh</a> can be used to upgrade <a href="https://libreswan.org" target="_blank">Libreswan</a> (<a href="https://github.com/libreswan/libreswan/blob/master/CHANGES" target="_blank">changelog</a> | <a href="https://lists.libreswan.org/mailman/listinfo/swan-announce" target="_blank">announce</a>). Edit the `swan_ver` variable as necessary. Check installed version: `ipsec --version`.
The additional scripts <a href="extras/vpnupgrade.sh" target="_blank">vpnupgrade.sh</a> and <a href="extras/vpnupgrade_centos.sh" target="_blank">vpnupgrade_centos.sh</a> can be used to upgrade <a href="https://libreswan.org" target="_blank">Libreswan</a> (<a href="https://github.com/libreswan/libreswan/blob/master/CHANGES" target="_blank">changelog</a> | <a href="https://lists.libreswan.org/mailman/listinfo/swan-announce" target="_blank">announce</a>). Edit the `SWAN_VER` variable as necessary. Check which version is installed: `ipsec --version`.
```bash
# Ubuntu & Debian

36
docs/clients-zh.md
View File

@ -20,7 +20,7 @@
* [故障排除](#故障排除)
* [Windows 错误 809](#windows-错误-809)
* [Windows 错误 628](#windows-错误-628)
* [Android 6 and 7](#android-6-and-7)
* [Android 6 及以上版本](#android-6-及以上版本)
* [Chromebook](#chromebook)
* [其它错误](#其它错误)
* [额外的步骤](#额外的步骤)
@ -182,10 +182,10 @@ yum -y install strongswan xl2tpd
创建 VPN 变量 (替换为你自己的值):
```bash
VPN_SERVER_IP='your_vpn_server_ip'
VPN_IPSEC_PSK='your_ipsec_pre_shared_key'
VPN_USER='your_vpn_username'
VPN_PASSWORD='your_vpn_password'
VPN_SERVER_IP='你的VPN服务器IP'
VPN_IPSEC_PSK='你的IPsec预共享密钥'
VPN_USER='你的VPN用户名'
VPN_PASSWORD='你的VPN密码'
```
配置 strongSwan
@ -316,13 +316,13 @@ ip route
从新的默认路由中排除你的 VPN 服务器 IP (替换为你自己的值):
```bash
route add YOUR_VPN_SERVER_IP gw X.X.X.X
route add 你的VPN服务器IP gw X.X.X.X
```
如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你本地电脑的公有 IP以避免 SSH 会话被断开 (替换为你自己的公有 IP可在 <a href="https://www.ipchicken.com" target="_blank">这里</a> 查看
如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你本地电脑的公有 IP以避免 SSH 会话被断开 (替换为<a href="https://www.ipchicken.com" target="_blank">实际值</a>
```bash
route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X
route add 你的本地电脑的公有IP gw X.X.X.X
```
添加一个新的默认路由,并且开始通过 VPN 服务器发送数据:
@ -378,6 +378,12 @@ strongswan down myvpn
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
```
另外,某些个别的 Windows 系统禁用了 IPsec 加密,此时也会导致连接失败。要重新启用它,可以运行以下命令并重启计算机。
```console
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f
```
### Windows 错误 628
> 在连接完成前,连接被远程计算机终止。
@ -395,13 +401,12 @@ strongswan down myvpn
![Select CHAP in VPN connection properties](images/vpn-properties-zh.png)
### Android 6 and 7
### Android 6 及以上版本
如果你无法使用 Android 6 (Marshmallow) 或者 7 (Nougat) 连接:
如果你无法使用 Android 6 或以上版本连接:
1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。
1. **注:** 最新版本的 VPN 脚本已经包含这个更改。
(适用于 Android 7.1.2 及以上版本) 编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `ike=``phase2alg=` 两行的末尾添加 `,aes256-sha2_512` 字样。保存修改并运行 `service ipsec restart`。(<a href="https://github.com/hwdsl2/setup-ipsec-vpn/commit/f58afbc84ba421216ca2615d3e3654902e9a1852" target="_blank">参见</a>)
1. (适用于 Android 7.1.2 及以上版本) 编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `ike=``phase2alg=` 两行的末尾添加 `,aes256-sha2_512` 字样。保存修改并运行 `service ipsec restart`。(<a href="https://github.com/hwdsl2/setup-ipsec-vpn/commit/f58afbc84ba421216ca2615d3e3654902e9a1852" target="_blank">参见</a>) 注:最新版本的 VPN 脚本已经包含这个更改。
1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`,开头必须空两格。保存修改并运行 `service ipsec restart`。(<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">参见</a>)
![Android VPN workaround](images/vpn-profile-Android.png)
@ -414,9 +419,9 @@ Chromebook 用户: 如果你无法连接,请尝试 <a href="https://bugs.chr
如果你遇到其它错误,请参见以下链接:
* http://www.tp-link.com/en/faq-1029.html
* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues
* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/
* http://www.tp-link.com/en/faq-1029.html
### 额外的步骤
@ -433,13 +438,16 @@ service xl2tpd restart
然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。
检查 Libreswan (IPsec) 日志是否有错误:
检查 Libreswan (IPsec) 和 xl2tpd 日志是否有错误:
```bash
# Ubuntu & Debian
grep pluto /var/log/auth.log
grep xl2tpd /var/log/syslog
# CentOS & RHEL
grep pluto /var/log/secure
grep xl2tpd /var/log/messages
```
查看 IPsec VPN 服务器状态:

24
docs/clients.md
View File

@ -20,7 +20,7 @@ An alternative <a href="https://usefulpcguide.com/17318/create-your-own-vpn/" ta
* [Troubleshooting](#troubleshooting)
* [Windows Error 809](#windows-error-809)
* [Windows Error 628](#windows-error-628)
* [Android 6 and 7](#android-6-and-7)
* [Android 6 and above](#android-6-and-above)
* [Chromebook](#chromebook)
* [Other errors](#other-errors)
* [Additional steps](#additional-steps)
@ -319,7 +319,7 @@ Exclude your VPN server's IP from the new default route (replace with actual val
route add YOUR_VPN_SERVER_IP gw X.X.X.X
```
If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with your actual public IP <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">from here</a>):
If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">actual value</a>):
```bash
route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X
@ -377,6 +377,12 @@ To fix this error, a <a href="https://documentation.meraki.com/MX-Z/Client_VPN/T
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
```
Although uncommon, some Windows systems disable IPsec encryption, causing the connection to fail. To re-enable it, run the following command and reboot your PC.
```console
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f
```
### Windows Error 628
> The connection was terminated by the remote computer before it could be completed.
@ -394,13 +400,12 @@ To fix this error, please follow these steps:
![Select CHAP in VPN connection properties](images/vpn-properties.png)
### Android 6 and 7
### Android 6 and above
If you are unable to connect using Android 6 (Marshmallow) or 7 (Nougat):
If you are unable to connect using Android 6 or above:
1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step.
1. **Note:** The latest version of VPN scripts already includes this change.
(For Android 7.1.2 and newer) Edit `/etc/ipsec.conf` on the VPN server. Append `,aes256-sha2_512` to the end of both `ike=` and `phase2alg=` lines. Save the file and run `service ipsec restart`. (<a href="https://github.com/hwdsl2/setup-ipsec-vpn/commit/f58afbc84ba421216ca2615d3e3654902e9a1852" target="_blank">Ref</a>)
1. (For Android 7.1.2 and newer) Edit `/etc/ipsec.conf` on the VPN server. Append `,aes256-sha2_512` to the end of both `ike=` and `phase2alg=` lines. Save the file and run `service ipsec restart`. (<a href="https://github.com/hwdsl2/setup-ipsec-vpn/commit/f58afbc84ba421216ca2615d3e3654902e9a1852" target="_blank">Ref</a>) Note that the latest version of VPN scripts already includes this change.
1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`, indented with two spaces. Save the file and run `service ipsec restart`. (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">Ref</a>)
![Android VPN workaround](images/vpn-profile-Android.png)
@ -413,9 +418,9 @@ Chromebook users: If you are unable to connect, try <a href="https://bugs.chromi
If you encounter other errors, refer to the links below:
* http://www.tp-link.com/en/faq-1029.html
* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues
* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/
* http://www.tp-link.com/en/faq-1029.html
### Additional steps
@ -432,13 +437,16 @@ If using Docker, run `docker restart ipsec-vpn-server`.
Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly.
Check the Libreswan (IPsec) log for errors:
Check the Libreswan (IPsec) and xl2tpd logs for errors:
```bash
# Ubuntu & Debian
grep pluto /var/log/auth.log
grep xl2tpd /var/log/syslog
# CentOS & RHEL
grep pluto /var/log/secure
grep xl2tpd /var/log/messages
```
Check status of the IPsec VPN server:

18
docs/manage-users-zh.md
View File

@ -7,32 +7,32 @@
首先IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets` 中。如果要更换一个新的 PSK可以编辑此文件。所有的 VPN 用户将共享同一个 IPsec PSK。
```bash
%any %any : PSK "your_ipsec_pre_shared_key"
%any %any : PSK "你的IPsec预共享密钥"
```
对于 `IPsec/L2TP`VPN 用户账户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下:
```bash
"your_vpn_username_1" l2tpd "your_vpn_password_1" *
"your_vpn_username_2" l2tpd "your_vpn_password_2" *
"你的VPN用户名1" l2tpd "你的VPN密码1" *
"你的VPN用户名2" l2tpd "你的VPN密码2" *
... ...
```
你可以添加更多用户,每个用户对应文件中的一行。**不要**在用户名,密码或 PSK 中使用这些字符:`\ " '`
你可以添加更多用户,每个用户对应文件中的一行。**不要** 在用户名,密码或 PSK 中使用这些字符:`\ " '`
对于 `IPsec/XAuth ("Cisco IPsec")` VPN 用户账户信息保存在文件 `/etc/ipsec.d/passwd`。该文件的格式如下:
```bash
your_vpn_username_1:your_vpn_password_1_hashed:xauth-psk
your_vpn_username_2:your_vpn_password_2_hashed:xauth-psk
你的VPN用户名1:你的VPN密码1的加盐哈希值:xauth-psk
你的VPN用户名2:你的VPN密码2的加盐哈希值:xauth-psk
... ...
```
这个文件中的密码以 salted and hashed 的形式保存。该步骤可以借助比如 `openssl` 工具来完成:
这个文件中的密码以加盐哈希值的形式保存。该步骤可以借助比如 `openssl` 工具来完成:
```bash
# 以下命令的输出为 your_vpn_password_1_hashed
openssl passwd -1 'your_vpn_password_1'
# 以下命令的输出为你的VPN密码1的加盐哈希值
openssl passwd -1 '你的VPN密码1'
```
在完成后重启服务:

2
docs/manage-users.md
View File

@ -18,7 +18,7 @@ For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format
... ...
```
You can add more users, use one line for each user. DO NOT use these characters within values: `\ " '`
You can add more users, use one line for each user. DO NOT use these special characters within values: `\ " '`
For `IPsec/XAuth ("Cisco IPsec")`, VPN users are specified in `/etc/ipsec.d/passwd`. The format of this file is:

84
extras/vpnupgrade.sh
View File

@ -11,46 +11,68 @@
# know how you have improved it!
# Check https://libreswan.org for the latest version
swan_ver=3.21
SWAN_VER=3.22
### DO NOT edit below this line ###
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; }
exiterr2() { exiterr "'apt-get install' failed."; }
vpnupgrade() {
os_type="$(lsb_release -si 2>/dev/null)"
if [ -z "$os_type" ]; then
[ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")"
[ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")"
fi
if ! printf %s "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then
exiterr "This script only supports Ubuntu/Debian."
if ! printf '%s' "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then
exiterr "This script only supports Ubuntu and Debian."
fi
if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then
exiterr "This script does not support Debian 7 (Wheezy)."
exiterr "Debian 7 is not supported."
fi
if [ -f /proc/user_beancounters ]; then
exiterr "This script does not support OpenVZ VPS."
exiterr "OpenVZ VPS is not supported."
fi
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
if [ -z "$swan_ver" ]; then
exiterr "Libreswan version 'swan_ver' not specified."
if [ -z "$SWAN_VER" ]; then
exiterr "Libreswan version 'SWAN_VER' not specified."
fi
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then
exiterr "This script requires Libreswan already installed."
fi
if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then
echo "You already have Libreswan version $swan_ver installed! "
if [ "$SWAN_VER" = "3.22" ]; then
if grep -qs raspbian /etc/os-release; then
echo "Note: For Raspberry Pi systems, this script will install Libreswan"
echo "version 3.21 instead of 3.22, to avoid some recent bugs."
echo
printf "Do you wish to continue? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
SWAN_VER=3.21
;;
*)
echo "Aborting."
exit 1
;;
esac
fi
fi
if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
echo "You already have Libreswan version $SWAN_VER installed! "
echo "If you continue, the same version will be re-installed."
echo
printf "Do you wish to continue anyway? [y/N] "
@ -69,7 +91,7 @@ fi
clear
cat <<EOF
Welcome! This script will build and install Libreswan $swan_ver on your server.
Welcome! This script will build and install Libreswan $SWAN_VER on your server.
Additional packages required for Libreswan compilation will also be installed.
This is intended for use on servers running an older version of Libreswan.
@ -124,22 +146,22 @@ apt-get -yq update || exiterr "'apt-get update' failed."
apt-get -yq install wget || exiterr2
# Install necessary packages
apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev flex bison gcc make \
libunbound-dev libnss3-tools libevent-dev || exiterr2
apt-get -yq --no-install-recommends install xmlto || exiterr2
apt-get -yq install libnss3-dev libnspr4-dev pkg-config \
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev flex bison gcc make libnss3-tools \
libevent-dev || exiterr2
# Compile and install Libreswan
swan_file="libreswan-$swan_ver.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz"
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
exiterr "Cannot download Libreswan source."
fi
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir."
cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir."
[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
@ -147,19 +169,24 @@ EOF
if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
apt-get -yq install libsystemd-dev || exiterr2
fi
make -s programs && make -s install
NPROCS="$(grep -c ^processor /proc/cpuinfo)"
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base
# Verify the install and clean up
cd /opt/src || exiterr "Cannot enter /opt/src."
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then
exiterr "Libreswan $swan_ver failed to build."
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build."
fi
# Update ipsec.conf for Libreswan 3.19 and newer
IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \
if grep -qs raspbian /etc/os-release; then
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2"
fi
sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \
@ -169,7 +196,12 @@ sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \
service ipsec restart
echo
echo "Libreswan $swan_ver was installed successfully! "
echo "Libreswan $SWAN_VER was installed successfully! "
echo
}
## Defer setup until we have the complete script
vpnupgrade "$@"
exit 0

62
extras/vpnupgrade_centos.sh
View File

@ -11,37 +11,39 @@
# know how you have improved it!
# Check https://libreswan.org for the latest version
swan_ver=3.21
SWAN_VER=3.22
### DO NOT edit below this line ###
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; }
exiterr2() { exiterr "'yum install' failed."; }
vpnupgrade() {
if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then
exiterr "This script only supports CentOS/RHEL 6 and 7."
fi
if [ -f /proc/user_beancounters ]; then
exiterr "This script does not support OpenVZ VPS."
exiterr "OpenVZ VPS is not supported."
fi
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
if [ -z "$swan_ver" ]; then
exiterr "Libreswan version 'swan_ver' not specified."
if [ -z "$SWAN_VER" ]; then
exiterr "Libreswan version 'SWAN_VER' not specified."
fi
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then
exiterr "This script requires Libreswan already installed."
fi
if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then
echo "You already have Libreswan version $swan_ver installed! "
if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
echo "You already have Libreswan version $SWAN_VER installed! "
echo "If you continue, the same version will be re-installed."
echo
printf "Do you wish to continue anyway? [y/N] "
@ -60,7 +62,7 @@ fi
clear
cat <<EOF
Welcome! This script will build and install Libreswan $swan_ver on your server.
Welcome! This script will build and install Libreswan $SWAN_VER on your server.
Additional packages required for Libreswan compilation will also be installed.
This is intended for use on servers running an older version of Libreswan.
@ -113,43 +115,48 @@ cd /opt/src || exiterr "Cannot enter /opt/src."
yum -y install wget || exiterr2
# Add the EPEL repository
yum -y install epel-release || exiterr2
epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm"
yum -y install epel-release || yum -y install "$epel_url" || exiterr2
# Install necessary packages
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel \
curl-devel flex bison gcc make \
fipscheck-devel unbound-devel xmlto || exiterr2
libcap-ng-devel libselinux-devel curl-devel \
flex bison gcc make || exiterr2
# Install libevent2 and systemd-devel
OPT1='--enablerepo=*server-optional*'
OPT2='--enablerepo=*releases-optional*'
if grep -qs "release 6" /etc/redhat-release; then
yum -y remove libevent-devel
yum -y install libevent2-devel || exiterr2
yum "$OPT1" "$OPT2" -y install libevent2-devel fipscheck-devel || exiterr2
else
yum -y install libevent-devel systemd-devel || exiterr2
yum -y install systemd-devel || exiterr2
yum "$OPT1" "$OPT2" -y install libevent-devel fipscheck-devel || exiterr2
fi
# Compile and install Libreswan
swan_file="libreswan-$swan_ver.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz"
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
exiterr "Cannot download Libreswan source."
fi
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir."
cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir."
[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
EOF
make -s programs && make -s install
NPROCS="$(grep -c ^processor /proc/cpuinfo)"
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base
# Verify the install and clean up
cd /opt/src || exiterr "Cannot enter /opt/src."
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then
exiterr "Libreswan $swan_ver failed to build."
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build."
fi
# Restore SELinux contexts
@ -160,7 +167,7 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Update ipsec.conf for Libreswan 3.19 and newer
IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \
sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \
@ -170,7 +177,12 @@ sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \
service ipsec restart
echo
echo "Libreswan $swan_ver was installed successfully! "
echo "Libreswan $SWAN_VER was installed successfully! "
echo
}
## Defer setup until we have the complete script
vpnupgrade "$@"
exit 0

169
vpnsetup.sh
View File

@ -22,7 +22,7 @@
# Define your own values for these variables
# - IPsec pre-shared key, VPN username and password
# - All values MUST be placed inside 'single quotes'
# - DO NOT use these characters within values: \ " '
# - DO NOT use these special characters within values: \ " '
YOUR_IPSEC_PSK=''
YOUR_USERNAME=''
@ -34,71 +34,64 @@ YOUR_PASSWORD=''
# =====================================================
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"; export SYS_DT
SYS_DT="$(date +%F-%T)"
exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; }
exiterr2() { exiterr "'apt-get install' failed."; }
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
bigecho() { echo; echo "## $1"; echo; }
check_ip() {
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
printf %s "$1" | tr -d '\n' | grep -Eq "$IP_REGEX"
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX"
}
vpnsetup() {
os_type="$(lsb_release -si 2>/dev/null)"
if [ -z "$os_type" ]; then
[ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")"
[ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")"
fi
if ! printf %s "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then
exiterr "This script only supports Ubuntu/Debian."
if ! printf '%s' "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then
exiterr "This script only supports Ubuntu and Debian."
fi
if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then
exiterr "This script does not support Debian 7 (Wheezy)."
exiterr "Debian 7 is not supported."
fi
if [ -f /proc/user_beancounters ]; then
echo "Error: This script does not support OpenVZ VPS." >&2
echo "Try OpenVPN: https://github.com/Nyr/openvpn-install" >&2
exit 1
exiterr "OpenVZ VPS is not supported. Try OpenVPN: github.com/Nyr/openvpn-install"
fi
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
NET_IFACE=${VPN_NET_IFACE:-'eth0'}
DEF_IFACE="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
[ -z "$DEF_IFACE" ] && DEF_IFACE="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
net_iface=${VPN_NET_IFACE:-'eth0'}
def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
[ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
if_state1=$(cat "/sys/class/net/$DEF_IFACE/operstate" 2>/dev/null)
if [ -z "$VPN_NET_IFACE" ] && [ -n "$if_state1" ] && [ "$if_state1" != "down" ]; then
def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null)
if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then
if ! grep -qs raspbian /etc/os-release; then
case "$DEF_IFACE" in
case "$def_iface" in
wl*)
cat 1>&2 <<EOF
Error: Default network interface '$DEF_IFACE' detected.
>> DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! <<
If you are certain that this script is running on a server, re-run it with:
sudo VPN_NET_IFACE="$DEF_IFACE" sh "$0"
EOF
exit 1
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
;;
esac
fi
NET_IFACE="$DEF_IFACE"
net_iface="$def_iface"
fi
if_state2=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null)
if [ -z "$if_state2" ] || [ "$if_state2" = "down" ] || [ "$NET_IFACE" = "lo" ]; then
printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2
net_iface_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null)
if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface" = "lo" ]; then
printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2
if [ -z "$VPN_NET_IFACE" ]; then
cat 1>&2 <<EOF
Unable to detect your server's default network interface.
You may manually re-run this script with:
sudo VPN_NET_IFACE="your_default_network_interface" sh "$0"
Unable to detect the default network interface. Manually re-run this script with:
sudo VPN_NET_IFACE="your_default_interface_name" sh "$0"
EOF
fi
exit 1
@ -119,13 +112,13 @@ if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
fi
if printf %s "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN credentials must not contain non-ASCII characters."
fi
case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
*[\\\"\']*)
exiterr "VPN credentials must not contain the following characters: \\ \" '"
exiterr "VPN credentials must not contain these special characters: \\ \" '"
;;
esac
@ -137,19 +130,28 @@ cd /opt/src || exiterr "Cannot enter /opt/src."
bigecho "Populating apt-get cache..."
# Wait up to 60s for apt/dpkg lock
count=0
while fuser /var/lib/apt/lists/lock /var/lib/dpkg/lock >/dev/null 2>&1; do
[ "$count" -ge "20" ] && exiterr "Cannot get apt/dpkg lock."
count=$((count+1))
printf '%s' '.'
sleep 3
done
export DEBIAN_FRONTEND=noninteractive
apt-get -yq update || exiterr "'apt-get update' failed."
bigecho "Installing packages required for setup..."
apt-get -yq install wget dnsutils openssl || exiterr2
apt-get -yq install iproute gawk grep sed net-tools || exiterr2
apt-get -yq install wget dnsutils openssl \
iproute gawk grep sed net-tools || exiterr2
bigecho "Trying to auto discover IP of this server..."
cat <<'EOF'
In case the script hangs here for more than a few minutes,
use Ctrl-C to interrupt. Then edit it and manually enter IP.
press Ctrl-C to abort. Then edit it and manually enter IP.
EOF
# In case auto IP discovery fails, enter server's public IP here.
@ -160,16 +162,14 @@ PUBLIC_IP=${VPN_PUBLIC_IP:-''}
# Check IP for correct format
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter it."
check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it."
bigecho "Installing packages required for the VPN..."
apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev flex bison gcc make \
libunbound-dev libnss3-tools libevent-dev || exiterr2
apt-get -yq --no-install-recommends install xmlto || exiterr2
apt-get -yq install ppp xl2tpd || exiterr2
apt-get -yq install libnss3-dev libnspr4-dev pkg-config \
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev flex bison gcc make libnss3-tools \
libevent-dev ppp xl2tpd || exiterr2
bigecho "Installing Fail2Ban to protect SSH..."
@ -177,16 +177,21 @@ apt-get -yq install fail2ban || exiterr2
bigecho "Compiling and installing Libreswan..."
swan_ver=3.21
swan_file="libreswan-$swan_ver.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz"
if ! grep -qs raspbian /etc/os-release; then
SWAN_VER=3.22
else
SWAN_VER=3.21
fi
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
exiterr "Cannot download Libreswan source."
fi
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir."
cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir."
[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
@ -194,13 +199,15 @@ EOF
if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
apt-get -yq install libsystemd-dev || exiterr2
fi
make -s programs && make -s install
NPROCS="$(grep -c ^processor /proc/cpuinfo)"
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base
# Verify the install and clean up
cd /opt/src || exiterr "Cannot enter /opt/src."
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then
exiterr "Libreswan $swan_ver failed to build."
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build."
fi
bigecho "Creating VPN configuration..."
@ -219,9 +226,8 @@ cat > /etc/ipsec.conf <<EOF
version 2.0
config setup
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET
virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET
protostack=netkey
nhelpers=0
interfaces=%defaultroute
uniqueids=no
@ -273,6 +279,11 @@ if grep -qs 'Raspbian GNU/Linux 9' /etc/os-release; then
check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf
fi
# Remove unsupported ESP algorithm on Raspbian
if grep -qs raspbian /etc/os-release; then
sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
fi
# Specify IPsec PSK
conf_bk "/etc/ipsec.secrets"
cat > /etc/ipsec.secrets <<EOF
@ -317,8 +328,6 @@ EOF
# Create VPN credentials
conf_bk "/etc/ppp/chap-secrets"
cat > /etc/ppp/chap-secrets <<EOF
# Secrets for authentication using CHAP
# client server secret IP addresses
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF
@ -332,30 +341,32 @@ bigecho "Updating sysctl settings..."
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
conf_bk "/etc/sysctl.conf"
if [ "$(getconf LONG_BIT)" = "64" ]; then
SHM_MAX=68719476736
SHM_ALL=4294967296
else
SHM_MAX=4294967295
SHM_ALL=268435456
fi
cat >> /etc/sysctl.conf <<EOF
# Added by hwdsl2 VPN script
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
kernel.shmmax = $SHM_MAX
kernel.shmall = $SHM_ALL
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.$NET_IFACE.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.$NET_IFACE.rp_filter = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.$net_iface.send_redirects = 0
net.ipv4.conf.$net_iface.rp_filter = 0
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
@ -370,8 +381,8 @@ bigecho "Updating IPTables rules..."
ipt_flag=0
IPT_FILE="/etc/iptables.rules"
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \
|| ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \
|| ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
|| ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE 2>/dev/null \
|| ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
ipt_flag=1
fi
@ -386,17 +397,17 @@ if [ "$ipt_flag" = "1" ]; then
iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I INPUT 6 -p udp --dport 1701 -j DROP
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT
iptables -I FORWARD 2 -i "$net_iface" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i ppp+ -o "$net_iface" -j ACCEPT
iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT
iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
iptables -I FORWARD 5 -i "$net_iface" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$net_iface" -j ACCEPT
# Uncomment if you wish to disallow traffic between VPN clients themselves
# iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP
# iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP
iptables -A FORWARD -j DROP
iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE
iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
iptables-save >> "$IPT_FILE"
@ -434,6 +445,7 @@ cat >> /etc/rc.local <<'EOF'
(sleep 15
service ipsec restart
service xl2tpd restart
[ -f "/usr/sbin/netplan" ] && iptables-restore < /etc/iptables.rules
echo 1 > /proc/sys/net/ipv4/ip_forward)&
exit 0
EOF
@ -478,4 +490,9 @@ Setup VPN clients: https://git.io/vpnclients
EOF
}
## Defer setup until we have the complete script
vpnsetup "$@"
exit 0

156
vpnsetup_centos.sh
View File

@ -22,7 +22,7 @@
# Define your own values for these variables
# - IPsec pre-shared key, VPN username and password
# - All values MUST be placed inside 'single quotes'
# - DO NOT use these characters within values: \ " '
# - DO NOT use these special characters within values: \ " '
YOUR_IPSEC_PSK=''
YOUR_USERNAME=''
@ -34,62 +34,55 @@ YOUR_PASSWORD=''
# =====================================================
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"; export SYS_DT
SYS_DT="$(date +%F-%T)"
exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; }
exiterr2() { exiterr "'yum install' failed."; }
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
bigecho() { echo; echo "## $1"; echo; }
check_ip() {
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
printf %s "$1" | tr -d '\n' | grep -Eq "$IP_REGEX"
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX"
}
vpnsetup() {
if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then
exiterr "This script only supports CentOS/RHEL 6 and 7."
fi
if [ -f /proc/user_beancounters ]; then
echo "Error: This script does not support OpenVZ VPS." >&2
echo "Try OpenVPN: https://github.com/Nyr/openvpn-install" >&2
exit 1
exiterr "OpenVZ VPS is not supported. Try OpenVPN: github.com/Nyr/openvpn-install"
fi
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
NET_IFACE=${VPN_NET_IFACE:-'eth0'}
DEF_IFACE="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
[ -z "$DEF_IFACE" ] && DEF_IFACE="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
net_iface=${VPN_NET_IFACE:-'eth0'}
def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
[ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
if_state1=$(cat "/sys/class/net/$DEF_IFACE/operstate" 2>/dev/null)
if [ -z "$VPN_NET_IFACE" ] && [ -n "$if_state1" ] && [ "$if_state1" != "down" ]; then
def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null)
if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then
if ! grep -qs raspbian /etc/os-release; then
case "$DEF_IFACE" in
case "$def_iface" in
wl*)
cat 1>&2 <<EOF
Error: Default network interface '$DEF_IFACE' detected.
>> DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! <<
If you are certain that this script is running on a server, re-run it with:
sudo VPN_NET_IFACE="$DEF_IFACE" sh "$0"
EOF
exit 1
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
;;
esac
fi
NET_IFACE="$DEF_IFACE"
net_iface="$def_iface"
fi
if_state2=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null)
if [ -z "$if_state2" ] || [ "$if_state2" = "down" ] || [ "$NET_IFACE" = "lo" ]; then
printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2
net_iface_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null)
if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface" = "lo" ]; then
printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2
if [ -z "$VPN_NET_IFACE" ]; then
cat 1>&2 <<EOF
Unable to detect your server's default network interface.
You may manually re-run this script with:
sudo VPN_NET_IFACE="your_default_network_interface" sh "$0"
Unable to detect the default network interface. Manually re-run this script with:
sudo VPN_NET_IFACE="your_default_interface_name" sh "$0"
EOF
fi
exit 1
@ -110,13 +103,13 @@ if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
fi
if printf %s "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN credentials must not contain non-ASCII characters."
fi
case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
*[\\\"\']*)
exiterr "VPN credentials must not contain the following characters: \\ \" '"
exiterr "VPN credentials must not contain these special characters: \\ \" '"
;;
esac
@ -128,14 +121,14 @@ cd /opt/src || exiterr "Cannot enter /opt/src."
bigecho "Installing packages required for setup..."
yum -y install wget bind-utils openssl || exiterr2
yum -y install iproute gawk grep sed net-tools || exiterr2
yum -y install wget bind-utils openssl \
iproute gawk grep sed net-tools || exiterr2
bigecho "Trying to auto discover IP of this server..."
cat <<'EOF'
In case the script hangs here for more than a few minutes,
use Ctrl-C to interrupt. Then edit it and manually enter IP.
press Ctrl-C to abort. Then edit it and manually enter IP.
EOF
# In case auto IP discovery fails, enter server's public IP here.
@ -146,26 +139,27 @@ PUBLIC_IP=${VPN_PUBLIC_IP:-''}
# Check IP for correct format
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter it."
check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it."
bigecho "Adding the EPEL repository..."
yum -y install epel-release || exiterr2
epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm"
yum -y install epel-release || yum -y install "$epel_url" || exiterr2
bigecho "Installing packages required for the VPN..."
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel \
curl-devel flex bison gcc make \
fipscheck-devel unbound-devel xmlto || exiterr2
yum -y install ppp xl2tpd || exiterr2
libcap-ng-devel libselinux-devel curl-devel \
flex bison gcc make ppp xl2tpd || exiterr2
OPT1='--enablerepo=*server-optional*'
OPT2='--enablerepo=*releases-optional*'
if grep -qs "release 6" /etc/redhat-release; then
yum -y remove libevent-devel
yum -y install libevent2-devel || exiterr2
yum "$OPT1" "$OPT2" -y install libevent2-devel fipscheck-devel || exiterr2
else
yum -y install libevent-devel systemd-devel || exiterr2
yum -y install iptables-services || exiterr2
yum -y install systemd-devel iptables-services || exiterr2
yum "$OPT1" "$OPT2" -y install libevent-devel fipscheck-devel || exiterr2
fi
bigecho "Installing Fail2Ban to protect SSH..."
@ -174,27 +168,30 @@ yum -y install fail2ban || exiterr2
bigecho "Compiling and installing Libreswan..."
swan_ver=3.21
swan_file="libreswan-$swan_ver.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz"
SWAN_VER=3.22
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
exiterr "Cannot download Libreswan source."
fi
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir."
cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir."
[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
EOF
make -s programs && make -s install
NPROCS="$(grep -c ^processor /proc/cpuinfo)"
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base
# Verify the install and clean up
cd /opt/src || exiterr "Cannot enter /opt/src."
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then
exiterr "Libreswan $swan_ver failed to build."
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build."
fi
bigecho "Creating VPN configuration..."
@ -213,9 +210,8 @@ cat > /etc/ipsec.conf <<EOF
version 2.0
config setup
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET
virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET
protostack=netkey
nhelpers=0
interfaces=%defaultroute
uniqueids=no
@ -305,8 +301,6 @@ EOF
# Create VPN credentials
conf_bk "/etc/ppp/chap-secrets"
cat > /etc/ppp/chap-secrets <<EOF
# Secrets for authentication using CHAP
# client server secret IP addresses
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF
@ -320,30 +314,32 @@ bigecho "Updating sysctl settings..."
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
conf_bk "/etc/sysctl.conf"
if [ "$(getconf LONG_BIT)" = "64" ]; then
SHM_MAX=68719476736
SHM_ALL=4294967296
else
SHM_MAX=4294967295
SHM_ALL=268435456
fi
cat >> /etc/sysctl.conf <<EOF
# Added by hwdsl2 VPN script
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
kernel.shmmax = $SHM_MAX
kernel.shmall = $SHM_ALL
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.$NET_IFACE.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.$NET_IFACE.rp_filter = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.$net_iface.send_redirects = 0
net.ipv4.conf.$net_iface.rp_filter = 0
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
@ -358,8 +354,8 @@ bigecho "Updating IPTables rules..."
ipt_flag=0
IPT_FILE="/etc/sysconfig/iptables"
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \
|| ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \
|| ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
|| ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE 2>/dev/null \
|| ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
ipt_flag=1
fi
@ -374,17 +370,17 @@ if [ "$ipt_flag" = "1" ]; then
iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I INPUT 6 -p udp --dport 1701 -j DROP
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT
iptables -I FORWARD 2 -i "$net_iface" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i ppp+ -o "$net_iface" -j ACCEPT
iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT
iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
iptables -I FORWARD 5 -i "$net_iface" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$net_iface" -j ACCEPT
# Uncomment if you wish to disallow traffic between VPN clients themselves
# iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP
# iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP
iptables -A FORWARD -j DROP
iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE
iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
iptables-save >> "$IPT_FILE"
fi
@ -444,11 +440,10 @@ chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
# Apply new IPTables rules
iptables-restore < "$IPT_FILE"
# Fix xl2tpd on CentOS 7 for providers such as Linode,
# where kernel module "l2tp_ppp" is unavailable
# Fix xl2tpd on CentOS 7, if kernel module "l2tp_ppp" is unavailable
if grep -qs "release 7" /etc/redhat-release; then
if ! modprobe -q l2tp_ppp; then
sed -i '/ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service
sed -i '/^ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service
systemctl daemon-reload
fi
fi
@ -481,4 +476,9 @@ Setup VPN clients: https://git.io/vpnclients
EOF
}
## Defer setup until we have the complete script
vpnsetup "$@"
exit 0