From 536ac8f54b3cc8682f56a0ade828429284d5beb6 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 27 Sep 2017 21:41:24 -0500 Subject: [PATCH 01/22] Update ipsec.conf - Replace obsolete keyword "virtual_private" with "virtual-private" --- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index aebc7ce..773fcc7 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -219,7 +219,7 @@ cat > /etc/ipsec.conf < /etc/ipsec.conf < Date: Thu, 28 Sep 2017 00:15:08 -0500 Subject: [PATCH 02/22] Skip building manpages - Skip building manpages for Libreswan - No longer need/install "xmlto" package - Reduce Libreswan compilation time by ~30% --- extras/vpnupgrade.sh | 3 +-- extras/vpnupgrade_centos.sh | 4 ++-- vpnsetup.sh | 3 +-- vpnsetup_centos.sh | 4 ++-- 4 files changed, 6 insertions(+), 8 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index bb9aaec..e3b1137 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -128,7 +128,6 @@ apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ libcap-ng-dev libcap-ng-utils libselinux1-dev \ libcurl4-nss-dev flex bison gcc make \ libunbound-dev libnss3-tools libevent-dev || exiterr2 -apt-get -yq --no-install-recommends install xmlto || exiterr2 # Compile and install Libreswan swan_file="libreswan-$swan_ver.tar.gz" @@ -147,7 +146,7 @@ EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 fi -make -s programs && make -s install +make -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index e44887f..7030d17 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -119,7 +119,7 @@ yum -y install epel-release || exiterr2 yum -y install nss-devel nspr-devel pkgconfig pam-devel \ libcap-ng-devel libselinux-devel \ curl-devel flex bison gcc make \ - fipscheck-devel unbound-devel xmlto || exiterr2 + fipscheck-devel unbound-devel || exiterr2 # Install libevent2 and systemd-devel if grep -qs "release 6" /etc/redhat-release; then @@ -143,7 +143,7 @@ cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false EOF -make -s programs && make -s install +make -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." diff --git a/vpnsetup.sh b/vpnsetup.sh index 773fcc7..bb89b3f 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -168,7 +168,6 @@ apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ libcap-ng-dev libcap-ng-utils libselinux1-dev \ libcurl4-nss-dev flex bison gcc make \ libunbound-dev libnss3-tools libevent-dev || exiterr2 -apt-get -yq --no-install-recommends install xmlto || exiterr2 apt-get -yq install ppp xl2tpd || exiterr2 bigecho "Installing Fail2Ban to protect SSH..." @@ -194,7 +193,7 @@ EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 fi -make -s programs && make -s install +make -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 2bee99d..e294341 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -157,7 +157,7 @@ bigecho "Installing packages required for the VPN..." yum -y install nss-devel nspr-devel pkgconfig pam-devel \ libcap-ng-devel libselinux-devel \ curl-devel flex bison gcc make \ - fipscheck-devel unbound-devel xmlto || exiterr2 + fipscheck-devel unbound-devel || exiterr2 yum -y install ppp xl2tpd || exiterr2 if grep -qs "release 6" /etc/redhat-release; then @@ -188,7 +188,7 @@ cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false EOF -make -s programs && make -s install +make -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." From 23c4a287d3dc074432d2d6bcf1bcc764efdf2d8d Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 28 Sep 2017 01:02:15 -0500 Subject: [PATCH 03/22] Use parallel make - Speed up Libreswan compilation using parallel make ("-j" option) --- extras/vpnupgrade.sh | 4 +++- extras/vpnupgrade_centos.sh | 4 +++- vpnsetup.sh | 4 +++- vpnsetup_centos.sh | 4 +++- 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index e3b1137..a79864b 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -146,7 +146,9 @@ EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 fi -make -s base && make -s install-base +NPROCS="$(grep -c ^processor /proc/cpuinfo)" +[ -z "$NPROCS" ] && NPROCS=1 +make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 7030d17..1b04fc6 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -143,7 +143,9 @@ cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false EOF -make -s base && make -s install-base +NPROCS="$(grep -c ^processor /proc/cpuinfo)" +[ -z "$NPROCS" ] && NPROCS=1 +make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." diff --git a/vpnsetup.sh b/vpnsetup.sh index bb89b3f..ca280da 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -193,7 +193,9 @@ EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 fi -make -s base && make -s install-base +NPROCS="$(grep -c ^processor /proc/cpuinfo)" +[ -z "$NPROCS" ] && NPROCS=1 +make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index e294341..290ef44 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -188,7 +188,9 @@ cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false EOF -make -s base && make -s install-base +NPROCS="$(grep -c ^processor /proc/cpuinfo)" +[ -z "$NPROCS" ] && NPROCS=1 +make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." From 9cd6cb50b7c67c4683fb0eb8da2d7499e8d67b34 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 2 Oct 2017 20:33:24 -0500 Subject: [PATCH 04/22] Clean up packages - Remove libunbound-dev / unbound-devel (these packages are not needed because we are not enabling DNSSEC) Ref: https://github.com/libreswan/libreswan/issues/117 --- extras/vpnupgrade.sh | 2 +- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index a79864b..2351684 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -127,7 +127,7 @@ apt-get -yq install wget || exiterr2 apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ libcap-ng-dev libcap-ng-utils libselinux1-dev \ libcurl4-nss-dev flex bison gcc make \ - libunbound-dev libnss3-tools libevent-dev || exiterr2 + libnss3-tools libevent-dev || exiterr2 # Compile and install Libreswan swan_file="libreswan-$swan_ver.tar.gz" diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 1b04fc6..552bb4f 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -119,7 +119,7 @@ yum -y install epel-release || exiterr2 yum -y install nss-devel nspr-devel pkgconfig pam-devel \ libcap-ng-devel libselinux-devel \ curl-devel flex bison gcc make \ - fipscheck-devel unbound-devel || exiterr2 + fipscheck-devel || exiterr2 # Install libevent2 and systemd-devel if grep -qs "release 6" /etc/redhat-release; then diff --git a/vpnsetup.sh b/vpnsetup.sh index ca280da..34f50f7 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -167,7 +167,7 @@ bigecho "Installing packages required for the VPN..." apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ libcap-ng-dev libcap-ng-utils libselinux1-dev \ libcurl4-nss-dev flex bison gcc make \ - libunbound-dev libnss3-tools libevent-dev || exiterr2 + libnss3-tools libevent-dev || exiterr2 apt-get -yq install ppp xl2tpd || exiterr2 bigecho "Installing Fail2Ban to protect SSH..." diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 290ef44..5a6204e 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -157,7 +157,7 @@ bigecho "Installing packages required for the VPN..." yum -y install nss-devel nspr-devel pkgconfig pam-devel \ libcap-ng-devel libselinux-devel \ curl-devel flex bison gcc make \ - fipscheck-devel unbound-devel || exiterr2 + fipscheck-devel || exiterr2 yum -y install ppp xl2tpd || exiterr2 if grep -qs "release 6" /etc/redhat-release; then From 087306dbf5f6207215e566df7ace5ae150f7bab7 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 2 Oct 2017 21:55:21 -0500 Subject: [PATCH 05/22] Update docs --- README-zh.md | 18 ++++++++++-------- README.md | 16 +++++++++------- docs/clients-zh.md | 30 ++++++++++++++++-------------- docs/clients.md | 18 ++++++++++-------- docs/manage-users-zh.md | 18 +++++++++--------- 5 files changed, 54 insertions(+), 46 deletions(-) diff --git a/README-zh.md b/README-zh.md index ab4e44f..14eb4d3 100644 --- a/README-zh.md +++ b/README-zh.md @@ -28,7 +28,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 ## 快速开始 -首先,在你的 Linux 服务器* 上全新安装一个 Ubuntu LTS, Debian 或者 CentOS 系统。 +首先,在你的 Linux 服务器[*](#quick-start-note) 上全新安装一个 Ubuntu LTS, Debian 或者 CentOS 系统。 使用以下命令快速搭建 IPsec VPN 服务器: @@ -42,6 +42,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 如需了解其它安装选项,以及如何配置 VPN 客户端,请继续阅读以下部分。 + \* 一个专用服务器或者虚拟专用服务器 (VPS)。OpenVZ VPS 不受支持。 ## 功能特性 @@ -66,9 +67,9 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh **-或者-** -一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS),全新安装以上操作系统之一。OpenVZ VPS 不受支持,用户可以尝试使用比如 Shadowsocks 或者 OpenVPN。 +一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS),全新安装以上操作系统之一。OpenVZ VPS 不受支持,用户可以另外尝试比如 Shadowsocks 或者 OpenVPN。 -这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer, OVHRackspace。 +这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Bluemix, OVHRackspaceDeploy to Azure Install on DigitalOcean Deploy to Linode @@ -124,10 +125,11 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh 配置你的计算机或其它设备使用 VPN 。请参见: -配置 IPsec/L2TP VPN 客户端 -配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端 +**配置 IPsec/L2TP VPN 客户端** -如何配置 IKEv2 VPN: Windows 和 Android +**配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端** + +**如何配置 IKEv2 VPN: Windows 和 Android** 如果在连接过程中遇到错误,请参见 故障排除。 @@ -139,7 +141,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh **Windows 用户** 在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。 -同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。另外,你的服务器必须运行 [Libreswan 3.19 或更新版本](#升级libreswan)。 +同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。 对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。 @@ -155,7 +157,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh ## 升级Libreswan -提供两个额外的脚本 vpnupgrade.shvpnupgrade_centos.sh,可用于升级 Libreswan更新日志 | 通知列表)。请在运行前根据需要修改 `swan_ver` 变量。检查已安装版本: `ipsec --version`. +提供两个额外的脚本 vpnupgrade.shvpnupgrade_centos.sh,可用于升级 Libreswan更新日志 | 通知列表)。请在运行前根据需要修改 `swan_ver` 变量。查看已安装版本: `ipsec --version`. ```bash # Ubuntu & Debian diff --git a/README.md b/README.md index b3f4319..860c00f 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ We will use Libreswan as th ## Quick start -First, prepare your Linux server* with a fresh install of Ubuntu LTS, Debian or CentOS. +First, prepare your Linux server[*](#quick-start-note) with a fresh install of Ubuntu LTS, Debian or CentOS. Use this one-liner to set up an IPsec VPN server: @@ -42,6 +42,7 @@ Your VPN login details will be randomly generated, and displayed on the screen w For other installation options and how to set up VPN clients, read the sections below. + \* A dedicated server or virtual private server (VPS). OpenVZ VPS is not supported. ## Features @@ -68,7 +69,7 @@ Please see OpenVPN or Shadowsocks. -This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer, OVH and Rackspace. +This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Bluemix, OVH and Rackspace. Deploy to Azure Install on DigitalOcean Deploy to Linode @@ -124,10 +125,11 @@ Follow the same steps as above, but replace `https://git.io/vpnsetup` with `http Get your computer or device to use the VPN. Please refer to: -Configure IPsec/L2TP VPN Clients -Configure IPsec/XAuth ("Cisco IPsec") VPN Clients +**Configure IPsec/L2TP VPN Clients** -How-To: IKEv2 VPN for Windows and Android +**Configure IPsec/XAuth ("Cisco IPsec") VPN Clients** + +**How-To: IKEv2 VPN for Windows and Android** If you get an error when trying to connect, see Troubleshooting. @@ -139,7 +141,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: For **Windows users**, this one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). -The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. Also, your server must run [Libreswan 3.19 or newer](#upgrade-libreswan). +The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. @@ -155,7 +157,7 @@ The scripts will backup existing config files before making changes, with `.old- ## Upgrade Libreswan -The additional scripts vpnupgrade.sh and vpnupgrade_centos.sh can be used to upgrade Libreswan (changelog | announce). Edit the `swan_ver` variable as necessary. Check installed version: `ipsec --version`. +The additional scripts vpnupgrade.sh and vpnupgrade_centos.sh can be used to upgrade Libreswan (changelog | announce). Edit the `swan_ver` variable as necessary. Check which version is installed: `ipsec --version`. ```bash # Ubuntu & Debian diff --git a/docs/clients-zh.md b/docs/clients-zh.md index be2d84f..7f7014b 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -20,7 +20,7 @@ * [故障排除](#故障排除) * [Windows 错误 809](#windows-错误-809) * [Windows 错误 628](#windows-错误-628) - * [Android 6 and 7](#android-6-and-7) + * [Android 6 及以上版本](#android-6-及以上版本) * [Chromebook](#chromebook) * [其它错误](#其它错误) * [额外的步骤](#额外的步骤) @@ -182,10 +182,10 @@ yum -y install strongswan xl2tpd 创建 VPN 变量 (替换为你自己的值): ```bash -VPN_SERVER_IP='your_vpn_server_ip' -VPN_IPSEC_PSK='your_ipsec_pre_shared_key' -VPN_USER='your_vpn_username' -VPN_PASSWORD='your_vpn_password' +VPN_SERVER_IP='你的VPN服务器IP' +VPN_IPSEC_PSK='你的IPsec预共享密钥' +VPN_USER='你的VPN用户名' +VPN_PASSWORD='你的VPN密码' ``` 配置 strongSwan: @@ -316,13 +316,13 @@ ip route 从新的默认路由中排除你的 VPN 服务器 IP (替换为你自己的值): ```bash -route add YOUR_VPN_SERVER_IP gw X.X.X.X +route add 你的VPN服务器IP gw X.X.X.X ``` -如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你本地电脑的公有 IP,以避免 SSH 会话被断开 (替换为你自己的公有 IP,可在 这里 查看): +如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你的本地电脑的公有 IP,以避免 SSH 会话被断开 (替换为实际值): ```bash -route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X +route add 你的本地电脑的公有IP gw X.X.X.X ``` 添加一个新的默认路由,并且开始通过 VPN 服务器发送数据: @@ -395,13 +395,12 @@ strongswan down myvpn ![Select CHAP in VPN connection properties](images/vpn-properties-zh.png) -### Android 6 and 7 +### Android 6 及以上版本 -如果你无法使用 Android 6 (Marshmallow) 或者 7 (Nougat) 连接: +如果你无法使用 Android 6 或以上版本连接: 1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 -1. **注:** 最新版本的 VPN 脚本已经包含这个更改。 - (适用于 Android 7.1.2 及以上版本) 编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `ike=` 和 `phase2alg=` 两行的末尾添加 `,aes256-sha2_512` 字样。保存修改并运行 `service ipsec restart`。(参见) +1. (适用于 Android 7.1.2 及以上版本) 编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `ike=` 和 `phase2alg=` 两行的末尾添加 `,aes256-sha2_512` 字样。保存修改并运行 `service ipsec restart`。(参见) 注:最新版本的 VPN 脚本已经包含这个更改。 1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`,开头必须空两格。保存修改并运行 `service ipsec restart`。(参见) ![Android VPN workaround](images/vpn-profile-Android.png) @@ -414,9 +413,9 @@ Chromebook 用户: 如果你无法连接,请尝试 from here): +If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value): ```bash route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X @@ -394,13 +394,12 @@ To fix this error, please follow these steps: ![Select CHAP in VPN connection properties](images/vpn-properties.png) -### Android 6 and 7 +### Android 6 and above -If you are unable to connect using Android 6 (Marshmallow) or 7 (Nougat): +If you are unable to connect using Android 6 or above: 1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. -1. **Note:** The latest version of VPN scripts already includes this change. - (For Android 7.1.2 and newer) Edit `/etc/ipsec.conf` on the VPN server. Append `,aes256-sha2_512` to the end of both `ike=` and `phase2alg=` lines. Save the file and run `service ipsec restart`. (Ref) +1. (For Android 7.1.2 and newer) Edit `/etc/ipsec.conf` on the VPN server. Append `,aes256-sha2_512` to the end of both `ike=` and `phase2alg=` lines. Save the file and run `service ipsec restart`. (Ref) Note that the latest version of VPN scripts already includes this change. 1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`, indented with two spaces. Save the file and run `service ipsec restart`. (Ref) ![Android VPN workaround](images/vpn-profile-Android.png) @@ -413,9 +412,9 @@ Chromebook users: If you are unable to connect, try Date: Thu, 26 Oct 2017 01:30:37 -0500 Subject: [PATCH 06/22] Workaround for Netplan - Newer Ubuntu versions use netplan instead of ifupdown by default for network configuration - Scripts in /etc/network/if-pre-up.d/ does not work under netplan - Add workaround in /etc/rc.local for the above --- vpnsetup.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/vpnsetup.sh b/vpnsetup.sh index 34f50f7..3c3494b 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -435,6 +435,7 @@ cat >> /etc/rc.local <<'EOF' (sleep 15 service ipsec restart service xl2tpd restart +[ -f "/usr/sbin/netplan" ] && iptables-restore < /etc/iptables.rules echo 1 > /proc/sys/net/ipv4/ip_forward)& exit 0 EOF From 47e1c9205166099beacfcbeda5fa52ebc07490aa Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 26 Oct 2017 01:37:35 -0500 Subject: [PATCH 07/22] Clean up ipsec.conf - Remove unneeded option nhelpers=0 --- vpnsetup.sh | 1 - vpnsetup_centos.sh | 1 - 2 files changed, 2 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 3c3494b..ce468cb 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -222,7 +222,6 @@ version 2.0 config setup virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET protostack=netkey - nhelpers=0 interfaces=%defaultroute uniqueids=no diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 5a6204e..0f7c115 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -217,7 +217,6 @@ version 2.0 config setup virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET protostack=netkey - nhelpers=0 interfaces=%defaultroute uniqueids=no From ef90b6ff1976eb1c5dd0eb74d1fe94b7c4c0ab68 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 26 Oct 2017 01:42:50 -0500 Subject: [PATCH 08/22] Upgrade Libreswan to 3.22 --- extras/vpnupgrade.sh | 2 +- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 2351684..712eaf5 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -swan_ver=3.21 +swan_ver=3.22 ### DO NOT edit below this line ### diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 552bb4f..dfe2f10 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -swan_ver=3.21 +swan_ver=3.22 ### DO NOT edit below this line ### diff --git a/vpnsetup.sh b/vpnsetup.sh index ce468cb..3c39bef 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -176,7 +176,7 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -swan_ver=3.21 +swan_ver=3.22 swan_file="libreswan-$swan_ver.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 0f7c115..bfa11a4 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -174,7 +174,7 @@ yum -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -swan_ver=3.21 +swan_ver=3.22 swan_file="libreswan-$swan_ver.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" From 1488ac0ce88c6f938604b59ba8669e90c7bda006 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 27 Oct 2017 00:14:38 -0500 Subject: [PATCH 09/22] Workaround for Raspberry Pi - Libreswan version 3.22 does not start on Raspberry Pi - Install version 3.21 on these systems as a workaround --- extras/vpnupgrade.sh | 20 ++++++++++++++++++++ vpnsetup.sh | 3 +++ 2 files changed, 23 insertions(+) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 712eaf5..29089b2 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -49,6 +49,26 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi +if [ "$swan_ver" = "3.22" ]; then + if grep -qs raspbian /etc/os-release; then + echo "Note: For Raspberry Pi systems, this script will install Libreswan" + echo "version 3.21 instead of 3.22, to avoid some recent bugs." + echo + printf "Do you wish to continue? [y/N] " + read -r response + case $response in + [yY][eE][sS]|[yY]) + echo + swan_ver=3.21 + ;; + *) + echo "Aborting." + exit 1 + ;; + esac + fi +fi + if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then echo "You already have Libreswan version $swan_ver installed! " echo "If you continue, the same version will be re-installed." diff --git a/vpnsetup.sh b/vpnsetup.sh index 3c39bef..d61db85 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -177,6 +177,9 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." swan_ver=3.22 +if grep -qs raspbian /etc/os-release; then + swan_ver=3.21 +fi swan_file="libreswan-$swan_ver.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" From e316c8cdf81440fbd29342677d6ba7fc09cc9661 Mon Sep 17 00:00:00 2001 From: Any <406088125@qq.com> Date: Fri, 27 Oct 2017 13:35:51 +0800 Subject: [PATCH 10/22] Troubleshooting error 728 (#250) * Update docs --- docs/clients-zh.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 7f7014b..0d241ef 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -18,7 +18,7 @@ * [Windows Phone](#windows-phone) * [Linux](#linux) * [故障排除](#故障排除) - * [Windows 错误 809](#windows-错误-809) + * [Windows 错误 809 和 728](#windows-错误-809-和-728) * [Windows 错误 628](#windows-错误-628) * [Android 6 及以上版本](#android-6-及以上版本) * [Chromebook](#chromebook) @@ -362,7 +362,7 @@ strongswan down myvpn *其他语言版本: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).* -### Windows 错误 809 +### Windows 错误 809 和 728 > 无法建立计算机与 VPN 服务器之间的网络连接,因为远程服务器未响应。 @@ -378,6 +378,11 @@ strongswan down myvpn REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f ``` +- 某些 Windows 系统默认禁用了 IPSec 加密, 此时也会导致连接失败. 可通过该命令启用 IPSec + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f + ``` + ### Windows 错误 628 > 在连接完成前,连接被远程计算机终止。 From 68a6375399f947bb391ff8ccfe56751950b1e04b Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 27 Oct 2017 01:02:03 -0500 Subject: [PATCH 11/22] Update docs --- docs/clients-zh.md | 13 +++++++------ docs/clients.md | 6 ++++++ 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 0d241ef..f478aa4 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -18,7 +18,7 @@ * [Windows Phone](#windows-phone) * [Linux](#linux) * [故障排除](#故障排除) - * [Windows 错误 809 和 728](#windows-错误-809-和-728) + * [Windows 错误 809](#windows-错误-809) * [Windows 错误 628](#windows-错误-628) * [Android 6 及以上版本](#android-6-及以上版本) * [Chromebook](#chromebook) @@ -362,7 +362,7 @@ strongswan down myvpn *其他语言版本: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).* -### Windows 错误 809 和 728 +### Windows 错误 809 > 无法建立计算机与 VPN 服务器之间的网络连接,因为远程服务器未响应。 @@ -378,10 +378,11 @@ strongswan down myvpn REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f ``` -- 某些 Windows 系统默认禁用了 IPSec 加密, 此时也会导致连接失败. 可通过该命令启用 IPSec - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f - ``` +另外,某些个别的 Windows 系统禁用了 IPsec 加密,此时也会导致连接失败。要重新启用它,可以运行以下命令并重启计算机。 + +```console +REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f +``` ### Windows 错误 628 diff --git a/docs/clients.md b/docs/clients.md index cae2c39..b3ac7e9 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -377,6 +377,12 @@ To fix this error, a > /etc/sysctl.conf <> /etc/sysctl.conf < Date: Sat, 28 Oct 2017 17:06:35 -0500 Subject: [PATCH 13/22] Update docs - Add a note on using L2TP kernel support --- README-zh.md | 2 ++ README.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/README-zh.md b/README-zh.md index 14eb4d3..aa33857 100644 --- a/README-zh.md +++ b/README-zh.md @@ -149,6 +149,8 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh 在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。 +使用 L2TP 内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 16.04, Debian 9, CentOS 7 和 6。 Ubuntu 16.04 用户需要安装 `` linux-image-extra-`uname -r` `` 软件包并且重启 `xl2tpd` 服务。 + 如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。 在使用 `IPsec/L2TP` 连接时,VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`。 diff --git a/README.md b/README.md index 860c00f..fb7c7e5 100644 --- a/README.md +++ b/README.md @@ -149,6 +149,8 @@ If you wish to add, edit or remove VPN user accounts, see Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. +Using L2TP kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 16.04, Debian 9, CentOS 7 and 6. Ubuntu 16.04 users should install the `` linux-image-extra-`uname -r` `` package and restart the `xl2tpd` service. + To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server. When connecting via `IPsec/L2TP`, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`. From 16e437f58ed2448222e21561b70ec039ff91bd6c Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 29 Oct 2017 19:53:35 -0500 Subject: [PATCH 14/22] Minor clean up - Wrap the scripts in a big function which is only called at the very end, to protect against the possibility of connection interruptions - Clean up some variables names --- .travis.yml | 2 +- extras/vpnupgrade.sh | 7 +++++ extras/vpnupgrade_centos.sh | 7 +++++ vpnsetup.sh | 58 ++++++++++++++++++++----------------- vpnsetup_centos.sh | 58 ++++++++++++++++++++----------------- 5 files changed, 79 insertions(+), 53 deletions(-) diff --git a/.travis.yml b/.travis.yml index 3eb710a..e4b7961 100644 --- a/.travis.yml +++ b/.travis.yml @@ -11,7 +11,7 @@ addons: - shellcheck script: - - export SHELLCHECK_OPTS="-e SC1091" + - export SHELLCHECK_OPTS="-e SC1091,SC1117" - shellcheck *.sh extras/*.sh - sudo sed -i "/debian unstable/d" /etc/apt/sources.list - sudo VPN_IPSEC_PSK='vpn_psk' diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 29089b2..65644b0 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -20,6 +20,8 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } +vpnupgrade() { + os_type="$(lsb_release -si 2>/dev/null)" if [ -z "$os_type" ]; then [ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")" @@ -193,4 +195,9 @@ echo echo "Libreswan $swan_ver was installed successfully! " echo +} + +## Defer setup until we have the complete script +vpnupgrade "$@" + exit 0 diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index dfe2f10..f4f607a 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -20,6 +20,8 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; } +vpnupgrade() { + if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then exiterr "This script only supports CentOS/RHEL 6 and 7." fi @@ -175,4 +177,9 @@ echo echo "Libreswan $swan_ver was installed successfully! " echo +} + +## Defer setup until we have the complete script +vpnupgrade "$@" + exit 0 diff --git a/vpnsetup.sh b/vpnsetup.sh index c6335be..13d04b7 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -34,18 +34,19 @@ YOUR_PASSWORD='' # ===================================================== export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"; export SYS_DT exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } -conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } +conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null; } bigecho() { echo; echo "## $1"; echo; } check_ip() { - IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" + IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' printf %s "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" } +vpnsetup() { + os_type="$(lsb_release -si 2>/dev/null)" if [ -z "$os_type" ]; then [ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")" @@ -69,31 +70,31 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -NET_IFACE=${VPN_NET_IFACE:-'eth0'} -DEF_IFACE="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" -[ -z "$DEF_IFACE" ] && DEF_IFACE="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" +net_iface=${VPN_NET_IFACE:-'eth0'} +def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" +[ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" -if_state1=$(cat "/sys/class/net/$DEF_IFACE/operstate" 2>/dev/null) -if [ -z "$VPN_NET_IFACE" ] && [ -n "$if_state1" ] && [ "$if_state1" != "down" ]; then +def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) +if [ -z "$VPN_NET_IFACE" ] && [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then if ! grep -qs raspbian /etc/os-release; then - case "$DEF_IFACE" in + case "$def_iface" in wl*) cat 1>&2 <> DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! << If you are certain that this script is running on a server, re-run it with: - sudo VPN_NET_IFACE="$DEF_IFACE" sh "$0" + sudo VPN_NET_IFACE="$def_iface" sh "$0" EOF exit 1 ;; esac fi - NET_IFACE="$DEF_IFACE" + net_iface="$def_iface" fi -if_state2=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null) -if [ -z "$if_state2" ] || [ "$if_state2" = "down" ] || [ "$NET_IFACE" = "lo" ]; then - printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2 +net_iface_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null) +if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface" = "lo" ]; then + printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2 if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 </dev/null \ - || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then + || ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE 2>/dev/null \ + || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then ipt_flag=1 fi # Add IPTables rules for VPN if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 - iptables-save > "$IPT_FILE.old-$SYS_DT" + iptables-save > "$IPT_FILE.old-$(date +%Y-%m-%d-%H:%M:%S)" iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT @@ -391,17 +392,17 @@ if [ "$ipt_flag" = "1" ]; then iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT iptables -I INPUT 6 -p udp --dport 1701 -j DROP iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP - iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT + iptables -I FORWARD 2 -i "$net_iface" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 3 -i ppp+ -o "$net_iface" -j ACCEPT iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT - iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT + iptables -I FORWARD 5 -i "$net_iface" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$net_iface" -j ACCEPT # Uncomment if you wish to disallow traffic between VPN clients themselves # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP # iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP iptables -A FORWARD -j DROP - iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE - iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" iptables-save >> "$IPT_FILE" @@ -484,4 +485,9 @@ Setup VPN clients: https://git.io/vpnclients EOF +} + +## Defer setup until we have the complete script +vpnsetup "$@" + exit 0 diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 43b4f92..bc8405d 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -34,18 +34,19 @@ YOUR_PASSWORD='' # ===================================================== export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"; export SYS_DT exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; } -conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } +conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null; } bigecho() { echo; echo "## $1"; echo; } check_ip() { - IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" + IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' printf %s "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" } +vpnsetup() { + if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then exiterr "This script only supports CentOS/RHEL 6 and 7." fi @@ -60,31 +61,31 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -NET_IFACE=${VPN_NET_IFACE:-'eth0'} -DEF_IFACE="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" -[ -z "$DEF_IFACE" ] && DEF_IFACE="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" +net_iface=${VPN_NET_IFACE:-'eth0'} +def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" +[ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" -if_state1=$(cat "/sys/class/net/$DEF_IFACE/operstate" 2>/dev/null) -if [ -z "$VPN_NET_IFACE" ] && [ -n "$if_state1" ] && [ "$if_state1" != "down" ]; then +def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) +if [ -z "$VPN_NET_IFACE" ] && [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then if ! grep -qs raspbian /etc/os-release; then - case "$DEF_IFACE" in + case "$def_iface" in wl*) cat 1>&2 <> DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! << If you are certain that this script is running on a server, re-run it with: - sudo VPN_NET_IFACE="$DEF_IFACE" sh "$0" + sudo VPN_NET_IFACE="$def_iface" sh "$0" EOF exit 1 ;; esac fi - NET_IFACE="$DEF_IFACE" + net_iface="$def_iface" fi -if_state2=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null) -if [ -z "$if_state2" ] || [ "$if_state2" = "down" ] || [ "$NET_IFACE" = "lo" ]; then - printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2 +net_iface_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null) +if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface" = "lo" ]; then + printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2 if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 </dev/null \ - || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then + || ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE 2>/dev/null \ + || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then ipt_flag=1 fi # Add IPTables rules for VPN if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 - iptables-save > "$IPT_FILE.old-$SYS_DT" + iptables-save > "$IPT_FILE.old-$(date +%Y-%m-%d-%H:%M:%S)" iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT @@ -377,17 +378,17 @@ if [ "$ipt_flag" = "1" ]; then iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT iptables -I INPUT 6 -p udp --dport 1701 -j DROP iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP - iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT + iptables -I FORWARD 2 -i "$net_iface" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 3 -i ppp+ -o "$net_iface" -j ACCEPT iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT - iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT + iptables -I FORWARD 5 -i "$net_iface" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$net_iface" -j ACCEPT # Uncomment if you wish to disallow traffic between VPN clients themselves # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP # iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP iptables -A FORWARD -j DROP - iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE - iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" iptables-save >> "$IPT_FILE" fi @@ -484,4 +485,9 @@ Setup VPN clients: https://git.io/vpnclients EOF +} + +## Defer setup until we have the complete script +vpnsetup "$@" + exit 0 From b7a4bed866ac70efc617789460edd340aef73114 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 30 Oct 2017 01:56:00 -0500 Subject: [PATCH 15/22] Improve startup - Ubuntu 16.04 (and newer) may run apt tasks automatically on boot - If used as a startup script, apt-get commands could fail due to this - Wait for apt/dpkg lock (up to 60s) as a workaround - Ref: #252 --- vpnsetup.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/vpnsetup.sh b/vpnsetup.sh index 13d04b7..90f21e4 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -138,6 +138,14 @@ cd /opt/src || exiterr "Cannot enter /opt/src." bigecho "Populating apt-get cache..." +count=0 +while fuser /var/lib/apt/lists/lock /var/lib/dpkg/lock >/dev/null 2>&1; do + [ "$count" -ge "20" ] && exiterr "Cannot get apt/dpkg lock." + count=$((count+1)) + printf %s . + sleep 3 +done + export DEBIAN_FRONTEND=noninteractive apt-get -yq update || exiterr "'apt-get update' failed." From 70c6d6b5401e8955b5322cbd4b4e42c3b5ace0e7 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 1 Nov 2017 01:01:49 -0500 Subject: [PATCH 16/22] Various clean up --- README-zh.md | 2 +- README.md | 4 +- docs/manage-users.md | 2 +- extras/vpnupgrade.sh | 52 +++++++++++------------ extras/vpnupgrade_centos.sh | 40 +++++++++--------- vpnsetup.sh | 82 ++++++++++++++++--------------------- vpnsetup_centos.sh | 72 +++++++++++++------------------- 7 files changed, 114 insertions(+), 140 deletions(-) diff --git a/README-zh.md b/README-zh.md index aa33857..1bd9c08 100644 --- a/README-zh.md +++ b/README-zh.md @@ -159,7 +159,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh ## 升级Libreswan -提供两个额外的脚本 vpnupgrade.shvpnupgrade_centos.sh,可用于升级 Libreswan更新日志 | 通知列表)。请在运行前根据需要修改 `swan_ver` 变量。查看已安装版本: `ipsec --version`. +提供两个额外的脚本 vpnupgrade.shvpnupgrade_centos.sh,可用于升级 Libreswan更新日志 | 通知列表)。请在运行前根据需要修改 `SWAN_VER` 变量。查看已安装版本: `ipsec --version`. ```bash # Ubuntu & Debian diff --git a/README.md b/README.md index fb7c7e5..37eecff 100644 --- a/README.md +++ b/README.md @@ -106,7 +106,7 @@ sudo sh vpnsetup.sh ```bash # All values MUST be placed inside 'single quotes' -# DO NOT use these characters within values: \ " ' +# DO NOT use these special characters within values: \ " ' wget https://git.io/vpnsetup -O vpnsetup.sh && sudo \ VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \ VPN_USER='your_vpn_username' \ @@ -159,7 +159,7 @@ The scripts will backup existing config files before making changes, with `.old- ## Upgrade Libreswan -The additional scripts vpnupgrade.sh and vpnupgrade_centos.sh can be used to upgrade Libreswan (changelog | announce). Edit the `swan_ver` variable as necessary. Check which version is installed: `ipsec --version`. +The additional scripts vpnupgrade.sh and vpnupgrade_centos.sh can be used to upgrade Libreswan (changelog | announce). Edit the `SWAN_VER` variable as necessary. Check which version is installed: `ipsec --version`. ```bash # Ubuntu & Debian diff --git a/docs/manage-users.md b/docs/manage-users.md index cfd7bf4..c14dc53 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md @@ -18,7 +18,7 @@ For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format ... ... ``` -You can add more users, use one line for each user. DO NOT use these characters within values: `\ " '` +You can add more users, use one line for each user. DO NOT use these special characters within values: `\ " '` For `IPsec/XAuth ("Cisco IPsec")`, VPN users are specified in `/etc/ipsec.d/passwd`. The format of this file is: diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 65644b0..1a4616d 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -11,14 +11,14 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -swan_ver=3.22 +SWAN_VER=3.22 ### DO NOT edit below this line ### export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" exiterr() { echo "Error: $1" >&2; exit 1; } -exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } +exiterr2() { exiterr "'apt-get install' failed."; } vpnupgrade() { @@ -27,31 +27,31 @@ if [ -z "$os_type" ]; then [ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")" [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")" fi -if ! printf %s "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then - exiterr "This script only supports Ubuntu/Debian." +if ! printf '%s' "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then + exiterr "This script only supports Ubuntu and Debian." fi if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then - exiterr "This script does not support Debian 7 (Wheezy)." + exiterr "Debian 7 is not supported." fi if [ -f /proc/user_beancounters ]; then - exiterr "This script does not support OpenVZ VPS." + exiterr "OpenVZ VPS is not supported." fi if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -if [ -z "$swan_ver" ]; then - exiterr "Libreswan version 'swan_ver' not specified." +if [ -z "$SWAN_VER" ]; then + exiterr "Libreswan version 'SWAN_VER' not specified." fi if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi -if [ "$swan_ver" = "3.22" ]; then +if [ "$SWAN_VER" = "3.22" ]; then if grep -qs raspbian /etc/os-release; then echo "Note: For Raspberry Pi systems, this script will install Libreswan" echo "version 3.21 instead of 3.22, to avoid some recent bugs." @@ -61,7 +61,7 @@ if [ "$swan_ver" = "3.22" ]; then case $response in [yY][eE][sS]|[yY]) echo - swan_ver=3.21 + SWAN_VER=3.21 ;; *) echo "Aborting." @@ -71,8 +71,8 @@ if [ "$swan_ver" = "3.22" ]; then fi fi -if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then - echo "You already have Libreswan version $swan_ver installed! " +if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then + echo "You already have Libreswan version $SWAN_VER installed! " echo "If you continue, the same version will be re-installed." echo printf "Do you wish to continue anyway? [y/N] " @@ -91,7 +91,7 @@ fi clear cat < Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false @@ -174,15 +174,15 @@ make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." -/bin/rm -rf "/opt/src/libreswan-$swan_ver" -if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then - exiterr "Libreswan $swan_ver failed to build." +/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then + exiterr "Libreswan $SWAN_VER failed to build." fi # Update ipsec.conf for Libreswan 3.19 and newer IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" -sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \ +sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \ @@ -192,7 +192,7 @@ sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \ service ipsec restart echo -echo "Libreswan $swan_ver was installed successfully! " +echo "Libreswan $SWAN_VER was installed successfully! " echo } diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index f4f607a..f7337ff 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -11,14 +11,14 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -swan_ver=3.22 +SWAN_VER=3.22 ### DO NOT edit below this line ### export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" exiterr() { echo "Error: $1" >&2; exit 1; } -exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; } +exiterr2() { exiterr "'yum install' failed."; } vpnupgrade() { @@ -27,23 +27,23 @@ if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then fi if [ -f /proc/user_beancounters ]; then - exiterr "This script does not support OpenVZ VPS." + exiterr "OpenVZ VPS is not supported." fi if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -if [ -z "$swan_ver" ]; then - exiterr "Libreswan version 'swan_ver' not specified." +if [ -z "$SWAN_VER" ]; then + exiterr "Libreswan version 'SWAN_VER' not specified." fi if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi -if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then - echo "You already have Libreswan version $swan_ver installed! " +if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then + echo "You already have Libreswan version $SWAN_VER installed! " echo "If you continue, the same version will be re-installed." echo printf "Do you wish to continue anyway? [y/N] " @@ -62,7 +62,7 @@ fi clear cat < Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false @@ -151,9 +149,9 @@ make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." -/bin/rm -rf "/opt/src/libreswan-$swan_ver" -if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then - exiterr "Libreswan $swan_ver failed to build." +/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then + exiterr "Libreswan $SWAN_VER failed to build." fi # Restore SELinux contexts @@ -164,7 +162,7 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null # Update ipsec.conf for Libreswan 3.19 and newer IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" -sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \ +sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \ @@ -174,7 +172,7 @@ sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \ service ipsec restart echo -echo "Libreswan $swan_ver was installed successfully! " +echo "Libreswan $SWAN_VER was installed successfully! " echo } diff --git a/vpnsetup.sh b/vpnsetup.sh index 90f21e4..b76df8a 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -22,7 +22,7 @@ # Define your own values for these variables # - IPsec pre-shared key, VPN username and password # - All values MUST be placed inside 'single quotes' -# - DO NOT use these characters within values: \ " ' +# - DO NOT use these special characters within values: \ " ' YOUR_IPSEC_PSK='' YOUR_USERNAME='' @@ -36,13 +36,13 @@ YOUR_PASSWORD='' export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" exiterr() { echo "Error: $1" >&2; exit 1; } -exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } -conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null; } +exiterr2() { exiterr "'apt-get install' failed."; } +conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%F-%T)" 2>/dev/null; } bigecho() { echo; echo "## $1"; echo; } check_ip() { IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' - printf %s "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" + printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" } vpnsetup() { @@ -52,18 +52,16 @@ if [ -z "$os_type" ]; then [ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")" [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")" fi -if ! printf %s "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then - exiterr "This script only supports Ubuntu/Debian." +if ! printf '%s' "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then + exiterr "This script only supports Ubuntu and Debian." fi if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then - exiterr "This script does not support Debian 7 (Wheezy)." + exiterr "Debian 7 is not supported." fi if [ -f /proc/user_beancounters ]; then - echo "Error: This script does not support OpenVZ VPS." >&2 - echo "Try OpenVPN: https://github.com/Nyr/openvpn-install" >&2 - exit 1 + exiterr "OpenVZ VPS is not supported. Try OpenVPN: github.com/Nyr/openvpn-install" fi if [ "$(id -u)" != 0 ]; then @@ -75,17 +73,11 @@ def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) -if [ -z "$VPN_NET_IFACE" ] && [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then +if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then if ! grep -qs raspbian /etc/os-release; then case "$def_iface" in wl*) -cat 1>&2 <> DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! << -If you are certain that this script is running on a server, re-run it with: - sudo VPN_NET_IFACE="$def_iface" sh "$0" -EOF - exit 1 + exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!" ;; esac fi @@ -97,9 +89,8 @@ if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2 if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 </dev/null 2>&1; do [ "$count" -ge "20" ] && exiterr "Cannot get apt/dpkg lock." count=$((count+1)) - printf %s . + printf '%s' '.' sleep 3 done @@ -151,14 +143,14 @@ apt-get -yq update || exiterr "'apt-get update' failed." bigecho "Installing packages required for setup..." -apt-get -yq install wget dnsutils openssl || exiterr2 -apt-get -yq install iproute gawk grep sed net-tools || exiterr2 +apt-get -yq install wget dnsutils openssl \ + iproute gawk grep sed net-tools || exiterr2 bigecho "Trying to auto discover IP of this server..." cat <<'EOF' In case the script hangs here for more than a few minutes, -use Ctrl-C to interrupt. Then edit it and manually enter IP. +press Ctrl-C to abort. Then edit it and manually enter IP. EOF # In case auto IP discovery fails, enter server's public IP here. @@ -169,15 +161,14 @@ PUBLIC_IP=${VPN_PUBLIC_IP:-''} # Check IP for correct format check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) -check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter it." +check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it." bigecho "Installing packages required for the VPN..." -apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ - libcap-ng-dev libcap-ng-utils libselinux1-dev \ - libcurl4-nss-dev flex bison gcc make \ - libnss3-tools libevent-dev || exiterr2 -apt-get -yq install ppp xl2tpd || exiterr2 +apt-get -yq install libnss3-dev libnspr4-dev pkg-config \ + libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \ + libcurl4-nss-dev flex bison gcc make libnss3-tools \ + libevent-dev ppp xl2tpd || exiterr2 bigecho "Installing Fail2Ban to protect SSH..." @@ -185,19 +176,20 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -swan_ver=3.22 -if grep -qs raspbian /etc/os-release; then - swan_ver=3.21 +if ! grep -qs raspbian /etc/os-release; then + SWAN_VER=3.22 +else + SWAN_VER=3.21 fi -swan_file="libreswan-$swan_ver.tar.gz" -swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" +swan_file="libreswan-$SWAN_VER.tar.gz" +swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then exiterr "Cannot download Libreswan source." fi -/bin/rm -rf "/opt/src/libreswan-$swan_ver" +/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" -cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir." +cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false @@ -211,9 +203,9 @@ make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." -/bin/rm -rf "/opt/src/libreswan-$swan_ver" -if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then - exiterr "Libreswan $swan_ver failed to build." +/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then + exiterr "Libreswan $SWAN_VER failed to build." fi bigecho "Creating VPN configuration..." @@ -329,8 +321,6 @@ EOF # Create VPN credentials conf_bk "/etc/ppp/chap-secrets" cat > /etc/ppp/chap-secrets </dev/null 2>&1 - iptables-save > "$IPT_FILE.old-$(date +%Y-%m-%d-%H:%M:%S)" + iptables-save > "$IPT_FILE.old-$(date +%F-%T)" iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index bc8405d..1827d07 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -22,7 +22,7 @@ # Define your own values for these variables # - IPsec pre-shared key, VPN username and password # - All values MUST be placed inside 'single quotes' -# - DO NOT use these characters within values: \ " ' +# - DO NOT use these special characters within values: \ " ' YOUR_IPSEC_PSK='' YOUR_USERNAME='' @@ -36,13 +36,13 @@ YOUR_PASSWORD='' export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" exiterr() { echo "Error: $1" >&2; exit 1; } -exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; } -conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null; } +exiterr2() { exiterr "'yum install' failed."; } +conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%F-%T)" 2>/dev/null; } bigecho() { echo; echo "## $1"; echo; } check_ip() { IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' - printf %s "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" + printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" } vpnsetup() { @@ -52,9 +52,7 @@ if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then fi if [ -f /proc/user_beancounters ]; then - echo "Error: This script does not support OpenVZ VPS." >&2 - echo "Try OpenVPN: https://github.com/Nyr/openvpn-install" >&2 - exit 1 + exiterr "OpenVZ VPS is not supported. Try OpenVPN: github.com/Nyr/openvpn-install" fi if [ "$(id -u)" != 0 ]; then @@ -66,17 +64,11 @@ def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) -if [ -z "$VPN_NET_IFACE" ] && [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then +if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then if ! grep -qs raspbian /etc/os-release; then case "$def_iface" in wl*) -cat 1>&2 <> DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! << -If you are certain that this script is running on a server, re-run it with: - sudo VPN_NET_IFACE="$def_iface" sh "$0" -EOF - exit 1 + exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!" ;; esac fi @@ -88,9 +80,8 @@ if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2 if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 < Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false @@ -195,9 +184,9 @@ make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." -/bin/rm -rf "/opt/src/libreswan-$swan_ver" -if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then - exiterr "Libreswan $swan_ver failed to build." +/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then + exiterr "Libreswan $SWAN_VER failed to build." fi bigecho "Creating VPN configuration..." @@ -307,8 +296,6 @@ EOF # Create VPN credentials conf_bk "/etc/ppp/chap-secrets" cat > /etc/ppp/chap-secrets </dev/null 2>&1 - iptables-save > "$IPT_FILE.old-$(date +%Y-%m-%d-%H:%M:%S)" + iptables-save > "$IPT_FILE.old-$(date +%F-%T)" iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT @@ -448,8 +435,7 @@ chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* # Apply new IPTables rules iptables-restore < "$IPT_FILE" -# Fix xl2tpd on CentOS 7 for providers such as Linode, -# where kernel module "l2tp_ppp" is unavailable +# Fix xl2tpd on CentOS 7, if kernel module "l2tp_ppp" is unavailable if grep -qs "release 7" /etc/redhat-release; then if ! modprobe -q l2tp_ppp; then sed -i '/ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service From 7190577c9999b21c8f0154c9aac4a77345e2f973 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 1 Nov 2017 22:15:56 -0500 Subject: [PATCH 17/22] Minor clean up --- vpnsetup.sh | 5 +++-- vpnsetup_centos.sh | 7 ++++--- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index b76df8a..a4eedb8 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -34,10 +34,11 @@ YOUR_PASSWORD='' # ===================================================== export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT="$(date +%F-%T)" exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { exiterr "'apt-get install' failed."; } -conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%F-%T)" 2>/dev/null; } +conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } bigecho() { echo; echo "## $1"; echo; } check_ip() { @@ -382,7 +383,7 @@ fi # Add IPTables rules for VPN if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 - iptables-save > "$IPT_FILE.old-$(date +%F-%T)" + iptables-save > "$IPT_FILE.old-$SYS_DT" iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 1827d07..8cb8401 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -34,10 +34,11 @@ YOUR_PASSWORD='' # ===================================================== export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT="$(date +%F-%T)" exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { exiterr "'yum install' failed."; } -conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%F-%T)" 2>/dev/null; } +conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } bigecho() { echo; echo "## $1"; echo; } check_ip() { @@ -357,7 +358,7 @@ fi # Add IPTables rules for VPN if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 - iptables-save > "$IPT_FILE.old-$(date +%F-%T)" + iptables-save > "$IPT_FILE.old-$SYS_DT" iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT @@ -438,7 +439,7 @@ iptables-restore < "$IPT_FILE" # Fix xl2tpd on CentOS 7, if kernel module "l2tp_ppp" is unavailable if grep -qs "release 7" /etc/redhat-release; then if ! modprobe -q l2tp_ppp; then - sed -i '/ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service + sed -i '/^ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service systemctl daemon-reload fi fi From 2dfa587a7193d265bbdb86360ab8951521d25572 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 12 Nov 2017 23:51:53 -0600 Subject: [PATCH 18/22] Fix Libreswan 3.22 bug - This bug causes Libreswan 3.22 fail to start on a Raspberry Pi - Apply fix from Libreswan GitHub repo: libreswan/libreswan@e154ae7 - Ref: https://lists.libreswan.org/pipermail/swan/2017/002338.html --- extras/vpnupgrade.sh | 1 + extras/vpnupgrade_centos.sh | 1 + vpnsetup.sh | 1 + vpnsetup_centos.sh | 1 + 4 files changed, 4 insertions(+) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 1a4616d..88f0d0e 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -161,6 +161,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." +sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index f7337ff..ee2ad84 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -139,6 +139,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." +sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/vpnsetup.sh b/vpnsetup.sh index a4eedb8..30cd001 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -191,6 +191,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." +sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 8cb8401..8c6513b 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -175,6 +175,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." +sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false From 8b40709d4da7d1565486960e17fb264c3e3769e8 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 13 Nov 2017 00:12:16 -0600 Subject: [PATCH 19/22] Improve VPN ciphers - Remove unsupported ESP algorithm on Raspbian --- extras/vpnupgrade.sh | 3 +++ vpnsetup.sh | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 88f0d0e..83569e2 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -183,6 +183,9 @@ fi # Update ipsec.conf for Libreswan 3.19 and newer IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" +if grep -qs raspbian /etc/os-release; then + PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" +fi sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ diff --git a/vpnsetup.sh b/vpnsetup.sh index 30cd001..22b22c9 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -279,6 +279,11 @@ if grep -qs 'Raspbian GNU/Linux 9' /etc/os-release; then check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf fi +# Remove unsupported ESP algorithm on Raspbian +if grep -qs raspbian /etc/os-release; then + sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf +fi + # Specify IPsec PSK conf_bk "/etc/ipsec.secrets" cat > /etc/ipsec.secrets < Date: Mon, 13 Nov 2017 00:17:38 -0600 Subject: [PATCH 20/22] Remove RPi workaround - No longer needed with fix 2dfa587 and 8b40709 - Ref: 1488ac0 --- extras/vpnupgrade.sh | 20 -------------------- vpnsetup.sh | 6 +----- 2 files changed, 1 insertion(+), 25 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 83569e2..b8fdb8e 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -51,26 +51,6 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi -if [ "$SWAN_VER" = "3.22" ]; then - if grep -qs raspbian /etc/os-release; then - echo "Note: For Raspberry Pi systems, this script will install Libreswan" - echo "version 3.21 instead of 3.22, to avoid some recent bugs." - echo - printf "Do you wish to continue? [y/N] " - read -r response - case $response in - [yY][eE][sS]|[yY]) - echo - SWAN_VER=3.21 - ;; - *) - echo "Aborting." - exit 1 - ;; - esac - fi -fi - if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then echo "You already have Libreswan version $SWAN_VER installed! " echo "If you continue, the same version will be re-installed." diff --git a/vpnsetup.sh b/vpnsetup.sh index 22b22c9..3954085 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -177,11 +177,7 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -if ! grep -qs raspbian /etc/os-release; then - SWAN_VER=3.22 -else - SWAN_VER=3.21 -fi +SWAN_VER=3.22 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" From 3f39255f841e2ee612bffba9633b3d71b7729626 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 20 Nov 2017 00:33:36 -0600 Subject: [PATCH 21/22] Bug fix for RHEL 6/7 - Fix compatibility with Red Hat Enterprise Linux (RHEL) 6 and 7 - Ref: #273 --- extras/vpnupgrade_centos.sh | 12 ++++++++---- vpnsetup_centos.sh | 13 ++++++++----- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index ee2ad84..76692d0 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -115,18 +115,22 @@ cd /opt/src || exiterr "Cannot enter /opt/src." yum -y install wget || exiterr2 # Add the EPEL repository -yum -y install epel-release || exiterr2 +epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm" +yum -y install epel-release || yum -y install "$epel_url" || exiterr2 # Install necessary packages yum -y install nss-devel nspr-devel pkgconfig pam-devel \ libcap-ng-devel libselinux-devel curl-devel \ - flex bison gcc make fipscheck-devel || exiterr2 + flex bison gcc make || exiterr2 +OPT1='--enablerepo=*server-optional*' +OPT2='--enablerepo=*releases-optional*' if grep -qs "release 6" /etc/redhat-release; then yum -y remove libevent-devel - yum -y install libevent2-devel || exiterr2 + yum "$OPT1" "$OPT2" -y install libevent2-devel fipscheck-devel || exiterr2 else - yum -y install libevent-devel systemd-devel || exiterr2 + yum -y install systemd-devel || exiterr2 + yum "$OPT1" "$OPT2" -y install libevent-devel fipscheck-devel || exiterr2 fi # Compile and install Libreswan diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 8c6513b..405fc09 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -143,20 +143,23 @@ check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit th bigecho "Adding the EPEL repository..." -yum -y install epel-release || exiterr2 +epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm" +yum -y install epel-release || yum -y install "$epel_url" || exiterr2 bigecho "Installing packages required for the VPN..." yum -y install nss-devel nspr-devel pkgconfig pam-devel \ libcap-ng-devel libselinux-devel curl-devel \ - flex bison gcc make fipscheck-devel \ - ppp xl2tpd || exiterr2 + flex bison gcc make ppp xl2tpd || exiterr2 +OPT1='--enablerepo=*server-optional*' +OPT2='--enablerepo=*releases-optional*' if grep -qs "release 6" /etc/redhat-release; then yum -y remove libevent-devel - yum -y install libevent2-devel || exiterr2 + yum "$OPT1" "$OPT2" -y install libevent2-devel fipscheck-devel || exiterr2 else - yum -y install libevent-devel systemd-devel iptables-services || exiterr2 + yum -y install systemd-devel iptables-services || exiterr2 + yum "$OPT1" "$OPT2" -y install libevent-devel fipscheck-devel || exiterr2 fi bigecho "Installing Fail2Ban to protect SSH..." From cc64a29c016c6937bb7d7d8b031c702c33636821 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 6 Dec 2017 04:36:33 -0600 Subject: [PATCH 22/22] Re-add RPi workaround - Libreswan 3.22 may fail to compile on Raspberry Pi w/ Raspbian 9 - Use version 3.21 instead of 3.22 for Raspbian systems - Ref: d472c65 --- extras/vpnupgrade.sh | 22 +++++++++++++++++++++- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 8 ++++++-- vpnsetup_centos.sh | 2 +- 4 files changed, 29 insertions(+), 5 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index b8fdb8e..27f2b88 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -51,6 +51,26 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi +if [ "$SWAN_VER" = "3.22" ]; then + if grep -qs raspbian /etc/os-release; then + echo "Note: For Raspberry Pi systems, this script will install Libreswan" + echo "version 3.21 instead of 3.22, to avoid some recent bugs." + echo + printf "Do you wish to continue? [y/N] " + read -r response + case $response in + [yY][eE][sS]|[yY]) + echo + SWAN_VER=3.21 + ;; + *) + echo "Aborting." + exit 1 + ;; + esac + fi +fi + if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then echo "You already have Libreswan version $SWAN_VER installed! " echo "If you continue, the same version will be re-installed." @@ -141,7 +161,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." -sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 76692d0..1e44f5b 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -143,7 +143,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." -sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/vpnsetup.sh b/vpnsetup.sh index 3954085..a8527e6 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -177,7 +177,11 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -SWAN_VER=3.22 +if ! grep -qs raspbian /etc/os-release; then + SWAN_VER=3.22 +else + SWAN_VER=3.21 +fi swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" @@ -187,7 +191,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." -sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 405fc09..0c8121a 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -178,7 +178,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." -sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false