commit
bab901458f
@ -11,7 +11,7 @@ addons:
|
|||||||
- shellcheck
|
- shellcheck
|
||||||
|
|
||||||
script:
|
script:
|
||||||
- export SHELLCHECK_OPTS="-e SC1091"
|
- export SHELLCHECK_OPTS="-e SC1091,SC1117"
|
||||||
- shellcheck *.sh extras/*.sh
|
- shellcheck *.sh extras/*.sh
|
||||||
- sudo sed -i "/debian unstable/d" /etc/apt/sources.list
|
- sudo sed -i "/debian unstable/d" /etc/apt/sources.list
|
||||||
- sudo VPN_IPSEC_PSK='vpn_psk'
|
- sudo VPN_IPSEC_PSK='vpn_psk'
|
||||||
|
20
README-zh.md
20
README-zh.md
@ -28,7 +28,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时
|
|||||||
|
|
||||||
## 快速开始
|
## 快速开始
|
||||||
|
|
||||||
首先,在你的 Linux 服务器* 上全新安装一个 Ubuntu LTS, Debian 或者 CentOS 系统。
|
首先,在你的 Linux 服务器[*](#quick-start-note) 上全新安装一个 Ubuntu LTS, Debian 或者 CentOS 系统。
|
||||||
|
|
||||||
使用以下命令快速搭建 IPsec VPN 服务器:
|
使用以下命令快速搭建 IPsec VPN 服务器:
|
||||||
|
|
||||||
@ -42,6 +42,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
|
|||||||
|
|
||||||
如需了解其它安装选项,以及如何配置 VPN 客户端,请继续阅读以下部分。
|
如需了解其它安装选项,以及如何配置 VPN 客户端,请继续阅读以下部分。
|
||||||
|
|
||||||
|
<a name="quick-start-note"></a>
|
||||||
\* 一个专用服务器或者虚拟专用服务器 (VPS)。OpenVZ VPS 不受支持。
|
\* 一个专用服务器或者虚拟专用服务器 (VPS)。OpenVZ VPS 不受支持。
|
||||||
|
|
||||||
## 功能特性
|
## 功能特性
|
||||||
@ -66,9 +67,9 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
|
|||||||
|
|
||||||
**-或者-**
|
**-或者-**
|
||||||
|
|
||||||
一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS),全新安装以上操作系统之一。OpenVZ VPS 不受支持,用户可以尝试使用比如 <a href="https://shadowsocks.org" target="_blank">Shadowsocks</a> 或者 <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a>。
|
一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS),全新安装以上操作系统之一。OpenVZ VPS 不受支持,用户可以另外尝试比如 <a href="https://shadowsocks.org" target="_blank">Shadowsocks</a> 或者 <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a>。
|
||||||
|
|
||||||
这也包括各种公共云服务中的 Linux 虚拟机,比如 <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://amazonlightsail.com" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="http://www.softlayer.com/" target="_blank">IBM SoftLayer</a>, <a href="https://www.ovh.com/us/vps/" target="_blank">OVH</a> 和 <a href="https://www.rackspace.com" target="_blank">Rackspace</a>。
|
这也包括各种公共云服务中的 Linux 虚拟机,比如 <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://amazonlightsail.com" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="https://www.ibm.com/cloud-computing/bluemix/virtual-servers" target="_blank">IBM Bluemix</a>, <a href="https://www.ovh.com/us/vps/" target="_blank">OVH</a> 和 <a href="https://www.rackspace.com" target="_blank">Rackspace</a>。
|
||||||
|
|
||||||
<a href="azure/README-zh.md" target="_blank"><img src="docs/images/azure-deploy-button.png" alt="Deploy to Azure" /></a> <a href="http://dovpn.carlfriess.com/" target="_blank"><img src="docs/images/do-install-button.png" alt="Install on DigitalOcean" /></a> <a href="https://www.linode.com/stackscripts/view/37239" target="_blank"><img src="docs/images/linode-deploy-button.png" alt="Deploy to Linode" /></a>
|
<a href="azure/README-zh.md" target="_blank"><img src="docs/images/azure-deploy-button.png" alt="Deploy to Azure" /></a> <a href="http://dovpn.carlfriess.com/" target="_blank"><img src="docs/images/do-install-button.png" alt="Install on DigitalOcean" /></a> <a href="https://www.linode.com/stackscripts/view/37239" target="_blank"><img src="docs/images/linode-deploy-button.png" alt="Deploy to Linode" /></a>
|
||||||
|
|
||||||
@ -124,10 +125,11 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
|
|||||||
|
|
||||||
配置你的计算机或其它设备使用 VPN 。请参见:
|
配置你的计算机或其它设备使用 VPN 。请参见:
|
||||||
|
|
||||||
<a href="docs/clients-zh.md" target="_blank">配置 IPsec/L2TP VPN 客户端</a>
|
<a href="docs/clients-zh.md" target="_blank">**配置 IPsec/L2TP VPN 客户端**</a>
|
||||||
<a href="docs/clients-xauth-zh.md" target="_blank">配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端</a>
|
|
||||||
|
|
||||||
<a href="docs/ikev2-howto-zh.md" target="_blank">如何配置 IKEv2 VPN: Windows 和 Android</a>
|
<a href="docs/clients-xauth-zh.md" target="_blank">**配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端**</a>
|
||||||
|
|
||||||
|
<a href="docs/ikev2-howto-zh.md" target="_blank">**如何配置 IKEv2 VPN: Windows 和 Android**</a>
|
||||||
|
|
||||||
如果在连接过程中遇到错误,请参见 <a href="docs/clients-zh.md#故障排除" target="_blank">故障排除</a>。
|
如果在连接过程中遇到错误,请参见 <a href="docs/clients-zh.md#故障排除" target="_blank">故障排除</a>。
|
||||||
|
|
||||||
@ -139,7 +141,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
|
|||||||
|
|
||||||
**Windows 用户** 在首次连接之前需要<a href="docs/clients-zh.md#windows-错误-809" target="_blank">修改一次注册表</a>,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。
|
**Windows 用户** 在首次连接之前需要<a href="docs/clients-zh.md#windows-错误-809" target="_blank">修改一次注册表</a>,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。
|
||||||
|
|
||||||
同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 <a href="docs/clients-xauth-zh.md" target="_blank">IPsec/XAuth 模式</a>。另外,你的服务器必须运行 [Libreswan 3.19 或更新版本](#升级libreswan)。
|
同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 <a href="docs/clients-xauth-zh.md" target="_blank">IPsec/XAuth 模式</a>。
|
||||||
|
|
||||||
对于有外部防火墙的服务器(比如 <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/compute/docs/vpc/firewalls" target="_blank">GCE</a>),请为 VPN 打开 UDP 端口 500 和 4500。
|
对于有外部防火墙的服务器(比如 <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/compute/docs/vpc/firewalls" target="_blank">GCE</a>),请为 VPN 打开 UDP 端口 500 和 4500。
|
||||||
|
|
||||||
@ -147,6 +149,8 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
|
|||||||
|
|
||||||
在 VPN 已连接时,客户端配置为使用 <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a>。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。
|
在 VPN 已连接时,客户端配置为使用 <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a>。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。
|
||||||
|
|
||||||
|
使用 L2TP 内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 16.04, Debian 9, CentOS 7 和 6。 Ubuntu 16.04 用户需要安装 `` linux-image-extra-`uname -r` `` 软件包并且重启 `xl2tpd` 服务。
|
||||||
|
|
||||||
如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。
|
如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。
|
||||||
|
|
||||||
在使用 `IPsec/L2TP` 连接时,VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`。
|
在使用 `IPsec/L2TP` 连接时,VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`。
|
||||||
@ -155,7 +159,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
|
|||||||
|
|
||||||
## 升级Libreswan
|
## 升级Libreswan
|
||||||
|
|
||||||
提供两个额外的脚本 <a href="extras/vpnupgrade.sh" target="_blank">vpnupgrade.sh</a> 和 <a href="extras/vpnupgrade_centos.sh" target="_blank">vpnupgrade_centos.sh</a>,可用于升级 <a href="https://libreswan.org" target="_blank">Libreswan</a> (<a href="https://github.com/libreswan/libreswan/blob/master/CHANGES" target="_blank">更新日志</a> | <a href="https://lists.libreswan.org/mailman/listinfo/swan-announce" target="_blank">通知列表</a>)。请在运行前根据需要修改 `swan_ver` 变量。检查已安装版本: `ipsec --version`.
|
提供两个额外的脚本 <a href="extras/vpnupgrade.sh" target="_blank">vpnupgrade.sh</a> 和 <a href="extras/vpnupgrade_centos.sh" target="_blank">vpnupgrade_centos.sh</a>,可用于升级 <a href="https://libreswan.org" target="_blank">Libreswan</a> (<a href="https://github.com/libreswan/libreswan/blob/master/CHANGES" target="_blank">更新日志</a> | <a href="https://lists.libreswan.org/mailman/listinfo/swan-announce" target="_blank">通知列表</a>)。请在运行前根据需要修改 `SWAN_VER` 变量。查看已安装版本: `ipsec --version`.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Ubuntu & Debian
|
# Ubuntu & Debian
|
||||||
|
20
README.md
20
README.md
@ -28,7 +28,7 @@ We will use <a href="https://libreswan.org/" target="_blank">Libreswan</a> as th
|
|||||||
|
|
||||||
## Quick start
|
## Quick start
|
||||||
|
|
||||||
First, prepare your Linux server* with a fresh install of Ubuntu LTS, Debian or CentOS.
|
First, prepare your Linux server[*](#quick-start-note) with a fresh install of Ubuntu LTS, Debian or CentOS.
|
||||||
|
|
||||||
Use this one-liner to set up an IPsec VPN server:
|
Use this one-liner to set up an IPsec VPN server:
|
||||||
|
|
||||||
@ -42,6 +42,7 @@ Your VPN login details will be randomly generated, and displayed on the screen w
|
|||||||
|
|
||||||
For other installation options and how to set up VPN clients, read the sections below.
|
For other installation options and how to set up VPN clients, read the sections below.
|
||||||
|
|
||||||
|
<a name="quick-start-note"></a>
|
||||||
\* A dedicated server or virtual private server (VPS). OpenVZ VPS is not supported.
|
\* A dedicated server or virtual private server (VPS). OpenVZ VPS is not supported.
|
||||||
|
|
||||||
## Features
|
## Features
|
||||||
@ -68,7 +69,7 @@ Please see <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-1
|
|||||||
|
|
||||||
A dedicated server or KVM/Xen-based virtual private server (VPS), freshly installed with one of the above OS. OpenVZ VPS is not supported, users could instead try <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a> or <a href="https://shadowsocks.org" target="_blank">Shadowsocks</a>.
|
A dedicated server or KVM/Xen-based virtual private server (VPS), freshly installed with one of the above OS. OpenVZ VPS is not supported, users could instead try <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a> or <a href="https://shadowsocks.org" target="_blank">Shadowsocks</a>.
|
||||||
|
|
||||||
This also includes Linux VMs in public clouds, such as <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://amazonlightsail.com" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="http://www.softlayer.com/" target="_blank">IBM SoftLayer</a>, <a href="https://www.ovh.com/us/vps/" target="_blank">OVH</a> and <a href="https://www.rackspace.com" target="_blank">Rackspace</a>.
|
This also includes Linux VMs in public clouds, such as <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://amazonlightsail.com" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="https://www.ibm.com/cloud-computing/bluemix/virtual-servers" target="_blank">IBM Bluemix</a>, <a href="https://www.ovh.com/us/vps/" target="_blank">OVH</a> and <a href="https://www.rackspace.com" target="_blank">Rackspace</a>.
|
||||||
|
|
||||||
<a href="azure/README.md" target="_blank"><img src="docs/images/azure-deploy-button.png" alt="Deploy to Azure" /></a> <a href="http://dovpn.carlfriess.com/" target="_blank"><img src="docs/images/do-install-button.png" alt="Install on DigitalOcean" /></a> <a href="https://www.linode.com/stackscripts/view/37239" target="_blank"><img src="docs/images/linode-deploy-button.png" alt="Deploy to Linode" /></a>
|
<a href="azure/README.md" target="_blank"><img src="docs/images/azure-deploy-button.png" alt="Deploy to Azure" /></a> <a href="http://dovpn.carlfriess.com/" target="_blank"><img src="docs/images/do-install-button.png" alt="Install on DigitalOcean" /></a> <a href="https://www.linode.com/stackscripts/view/37239" target="_blank"><img src="docs/images/linode-deploy-button.png" alt="Deploy to Linode" /></a>
|
||||||
|
|
||||||
@ -105,7 +106,7 @@ sudo sh vpnsetup.sh
|
|||||||
|
|
||||||
```bash
|
```bash
|
||||||
# All values MUST be placed inside 'single quotes'
|
# All values MUST be placed inside 'single quotes'
|
||||||
# DO NOT use these characters within values: \ " '
|
# DO NOT use these special characters within values: \ " '
|
||||||
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo \
|
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo \
|
||||||
VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
|
VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
|
||||||
VPN_USER='your_vpn_username' \
|
VPN_USER='your_vpn_username' \
|
||||||
@ -124,10 +125,11 @@ Follow the same steps as above, but replace `https://git.io/vpnsetup` with `http
|
|||||||
|
|
||||||
Get your computer or device to use the VPN. Please refer to:
|
Get your computer or device to use the VPN. Please refer to:
|
||||||
|
|
||||||
<a href="docs/clients.md" target="_blank">Configure IPsec/L2TP VPN Clients</a>
|
<a href="docs/clients.md" target="_blank">**Configure IPsec/L2TP VPN Clients**</a>
|
||||||
<a href="docs/clients-xauth.md" target="_blank">Configure IPsec/XAuth ("Cisco IPsec") VPN Clients</a>
|
|
||||||
|
|
||||||
<a href="docs/ikev2-howto.md" target="_blank">How-To: IKEv2 VPN for Windows and Android</a>
|
<a href="docs/clients-xauth.md" target="_blank">**Configure IPsec/XAuth ("Cisco IPsec") VPN Clients**</a>
|
||||||
|
|
||||||
|
<a href="docs/ikev2-howto.md" target="_blank">**How-To: IKEv2 VPN for Windows and Android**</a>
|
||||||
|
|
||||||
If you get an error when trying to connect, see <a href="docs/clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
|
If you get an error when trying to connect, see <a href="docs/clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
|
||||||
|
|
||||||
@ -139,7 +141,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles:
|
|||||||
|
|
||||||
For **Windows users**, this <a href="docs/clients.md#windows-error-809" target="_blank">one-time registry change</a> is required if the VPN server and/or client is behind NAT (e.g. home router).
|
For **Windows users**, this <a href="docs/clients.md#windows-error-809" target="_blank">one-time registry change</a> is required if the VPN server and/or client is behind NAT (e.g. home router).
|
||||||
|
|
||||||
The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only <a href="docs/clients-xauth.md" target="_blank">IPsec/XAuth mode</a>. Also, your server must run [Libreswan 3.19 or newer](#upgrade-libreswan).
|
The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only <a href="docs/clients-xauth.md" target="_blank">IPsec/XAuth mode</a>.
|
||||||
|
|
||||||
For servers with an external firewall (e.g. <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/compute/docs/vpc/firewalls" target="_blank">GCE</a>), open UDP ports 500 and 4500 for the VPN.
|
For servers with an external firewall (e.g. <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/compute/docs/vpc/firewalls" target="_blank">GCE</a>), open UDP ports 500 and 4500 for the VPN.
|
||||||
|
|
||||||
@ -147,6 +149,8 @@ If you wish to add, edit or remove VPN user accounts, see <a href="docs/manage-u
|
|||||||
|
|
||||||
Clients are set to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server.
|
Clients are set to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server.
|
||||||
|
|
||||||
|
Using L2TP kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 16.04, Debian 9, CentOS 7 and 6. Ubuntu 16.04 users should install the `` linux-image-extra-`uname -r` `` package and restart the `xl2tpd` service.
|
||||||
|
|
||||||
To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server.
|
To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server.
|
||||||
|
|
||||||
When connecting via `IPsec/L2TP`, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`.
|
When connecting via `IPsec/L2TP`, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`.
|
||||||
@ -155,7 +159,7 @@ The scripts will backup existing config files before making changes, with `.old-
|
|||||||
|
|
||||||
## Upgrade Libreswan
|
## Upgrade Libreswan
|
||||||
|
|
||||||
The additional scripts <a href="extras/vpnupgrade.sh" target="_blank">vpnupgrade.sh</a> and <a href="extras/vpnupgrade_centos.sh" target="_blank">vpnupgrade_centos.sh</a> can be used to upgrade <a href="https://libreswan.org" target="_blank">Libreswan</a> (<a href="https://github.com/libreswan/libreswan/blob/master/CHANGES" target="_blank">changelog</a> | <a href="https://lists.libreswan.org/mailman/listinfo/swan-announce" target="_blank">announce</a>). Edit the `swan_ver` variable as necessary. Check installed version: `ipsec --version`.
|
The additional scripts <a href="extras/vpnupgrade.sh" target="_blank">vpnupgrade.sh</a> and <a href="extras/vpnupgrade_centos.sh" target="_blank">vpnupgrade_centos.sh</a> can be used to upgrade <a href="https://libreswan.org" target="_blank">Libreswan</a> (<a href="https://github.com/libreswan/libreswan/blob/master/CHANGES" target="_blank">changelog</a> | <a href="https://lists.libreswan.org/mailman/listinfo/swan-announce" target="_blank">announce</a>). Edit the `SWAN_VER` variable as necessary. Check which version is installed: `ipsec --version`.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Ubuntu & Debian
|
# Ubuntu & Debian
|
||||||
|
@ -20,7 +20,7 @@
|
|||||||
* [故障排除](#故障排除)
|
* [故障排除](#故障排除)
|
||||||
* [Windows 错误 809](#windows-错误-809)
|
* [Windows 错误 809](#windows-错误-809)
|
||||||
* [Windows 错误 628](#windows-错误-628)
|
* [Windows 错误 628](#windows-错误-628)
|
||||||
* [Android 6 and 7](#android-6-and-7)
|
* [Android 6 及以上版本](#android-6-及以上版本)
|
||||||
* [Chromebook](#chromebook)
|
* [Chromebook](#chromebook)
|
||||||
* [其它错误](#其它错误)
|
* [其它错误](#其它错误)
|
||||||
* [额外的步骤](#额外的步骤)
|
* [额外的步骤](#额外的步骤)
|
||||||
@ -182,10 +182,10 @@ yum -y install strongswan xl2tpd
|
|||||||
创建 VPN 变量 (替换为你自己的值):
|
创建 VPN 变量 (替换为你自己的值):
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
VPN_SERVER_IP='your_vpn_server_ip'
|
VPN_SERVER_IP='你的VPN服务器IP'
|
||||||
VPN_IPSEC_PSK='your_ipsec_pre_shared_key'
|
VPN_IPSEC_PSK='你的IPsec预共享密钥'
|
||||||
VPN_USER='your_vpn_username'
|
VPN_USER='你的VPN用户名'
|
||||||
VPN_PASSWORD='your_vpn_password'
|
VPN_PASSWORD='你的VPN密码'
|
||||||
```
|
```
|
||||||
|
|
||||||
配置 strongSwan:
|
配置 strongSwan:
|
||||||
@ -316,13 +316,13 @@ ip route
|
|||||||
从新的默认路由中排除你的 VPN 服务器 IP (替换为你自己的值):
|
从新的默认路由中排除你的 VPN 服务器 IP (替换为你自己的值):
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
route add YOUR_VPN_SERVER_IP gw X.X.X.X
|
route add 你的VPN服务器IP gw X.X.X.X
|
||||||
```
|
```
|
||||||
|
|
||||||
如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你本地电脑的公有 IP,以避免 SSH 会话被断开 (替换为你自己的公有 IP,可在 <a href="https://www.ipchicken.com" target="_blank">这里</a> 查看):
|
如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你的本地电脑的公有 IP,以避免 SSH 会话被断开 (替换为<a href="https://www.ipchicken.com" target="_blank">实际值</a>):
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X
|
route add 你的本地电脑的公有IP gw X.X.X.X
|
||||||
```
|
```
|
||||||
|
|
||||||
添加一个新的默认路由,并且开始通过 VPN 服务器发送数据:
|
添加一个新的默认路由,并且开始通过 VPN 服务器发送数据:
|
||||||
@ -378,6 +378,12 @@ strongswan down myvpn
|
|||||||
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
|
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
|
||||||
```
|
```
|
||||||
|
|
||||||
|
另外,某些个别的 Windows 系统禁用了 IPsec 加密,此时也会导致连接失败。要重新启用它,可以运行以下命令并重启计算机。
|
||||||
|
|
||||||
|
```console
|
||||||
|
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f
|
||||||
|
```
|
||||||
|
|
||||||
### Windows 错误 628
|
### Windows 错误 628
|
||||||
|
|
||||||
> 在连接完成前,连接被远程计算机终止。
|
> 在连接完成前,连接被远程计算机终止。
|
||||||
@ -395,13 +401,12 @@ strongswan down myvpn
|
|||||||
|
|
||||||
![Select CHAP in VPN connection properties](images/vpn-properties-zh.png)
|
![Select CHAP in VPN connection properties](images/vpn-properties-zh.png)
|
||||||
|
|
||||||
### Android 6 and 7
|
### Android 6 及以上版本
|
||||||
|
|
||||||
如果你无法使用 Android 6 (Marshmallow) 或者 7 (Nougat) 连接:
|
如果你无法使用 Android 6 或以上版本连接:
|
||||||
|
|
||||||
1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。
|
1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。
|
||||||
1. **注:** 最新版本的 VPN 脚本已经包含这个更改。
|
1. (适用于 Android 7.1.2 及以上版本) 编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `ike=` 和 `phase2alg=` 两行的末尾添加 `,aes256-sha2_512` 字样。保存修改并运行 `service ipsec restart`。(<a href="https://github.com/hwdsl2/setup-ipsec-vpn/commit/f58afbc84ba421216ca2615d3e3654902e9a1852" target="_blank">参见</a>) 注:最新版本的 VPN 脚本已经包含这个更改。
|
||||||
(适用于 Android 7.1.2 及以上版本) 编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `ike=` 和 `phase2alg=` 两行的末尾添加 `,aes256-sha2_512` 字样。保存修改并运行 `service ipsec restart`。(<a href="https://github.com/hwdsl2/setup-ipsec-vpn/commit/f58afbc84ba421216ca2615d3e3654902e9a1852" target="_blank">参见</a>)
|
|
||||||
1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`,开头必须空两格。保存修改并运行 `service ipsec restart`。(<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">参见</a>)
|
1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`,开头必须空两格。保存修改并运行 `service ipsec restart`。(<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">参见</a>)
|
||||||
|
|
||||||
![Android VPN workaround](images/vpn-profile-Android.png)
|
![Android VPN workaround](images/vpn-profile-Android.png)
|
||||||
@ -414,9 +419,9 @@ Chromebook 用户: 如果你无法连接,请尝试 <a href="https://bugs.chr
|
|||||||
|
|
||||||
如果你遇到其它错误,请参见以下链接:
|
如果你遇到其它错误,请参见以下链接:
|
||||||
|
|
||||||
|
* http://www.tp-link.com/en/faq-1029.html
|
||||||
* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues
|
* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues
|
||||||
* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/
|
* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/
|
||||||
* http://www.tp-link.com/en/faq-1029.html
|
|
||||||
|
|
||||||
### 额外的步骤
|
### 额外的步骤
|
||||||
|
|
||||||
@ -433,13 +438,16 @@ service xl2tpd restart
|
|||||||
|
|
||||||
然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。
|
然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。
|
||||||
|
|
||||||
检查 Libreswan (IPsec) 日志是否有错误:
|
检查 Libreswan (IPsec) 和 xl2tpd 日志是否有错误:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Ubuntu & Debian
|
# Ubuntu & Debian
|
||||||
grep pluto /var/log/auth.log
|
grep pluto /var/log/auth.log
|
||||||
|
grep xl2tpd /var/log/syslog
|
||||||
|
|
||||||
# CentOS & RHEL
|
# CentOS & RHEL
|
||||||
grep pluto /var/log/secure
|
grep pluto /var/log/secure
|
||||||
|
grep xl2tpd /var/log/messages
|
||||||
```
|
```
|
||||||
|
|
||||||
查看 IPsec VPN 服务器状态:
|
查看 IPsec VPN 服务器状态:
|
||||||
|
@ -20,7 +20,7 @@ An alternative <a href="https://usefulpcguide.com/17318/create-your-own-vpn/" ta
|
|||||||
* [Troubleshooting](#troubleshooting)
|
* [Troubleshooting](#troubleshooting)
|
||||||
* [Windows Error 809](#windows-error-809)
|
* [Windows Error 809](#windows-error-809)
|
||||||
* [Windows Error 628](#windows-error-628)
|
* [Windows Error 628](#windows-error-628)
|
||||||
* [Android 6 and 7](#android-6-and-7)
|
* [Android 6 and above](#android-6-and-above)
|
||||||
* [Chromebook](#chromebook)
|
* [Chromebook](#chromebook)
|
||||||
* [Other errors](#other-errors)
|
* [Other errors](#other-errors)
|
||||||
* [Additional steps](#additional-steps)
|
* [Additional steps](#additional-steps)
|
||||||
@ -319,7 +319,7 @@ Exclude your VPN server's IP from the new default route (replace with actual val
|
|||||||
route add YOUR_VPN_SERVER_IP gw X.X.X.X
|
route add YOUR_VPN_SERVER_IP gw X.X.X.X
|
||||||
```
|
```
|
||||||
|
|
||||||
If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with your actual public IP <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">from here</a>):
|
If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">actual value</a>):
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X
|
route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X
|
||||||
@ -377,6 +377,12 @@ To fix this error, a <a href="https://documentation.meraki.com/MX-Z/Client_VPN/T
|
|||||||
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
|
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Although uncommon, some Windows systems disable IPsec encryption, causing the connection to fail. To re-enable it, run the following command and reboot your PC.
|
||||||
|
|
||||||
|
```console
|
||||||
|
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f
|
||||||
|
```
|
||||||
|
|
||||||
### Windows Error 628
|
### Windows Error 628
|
||||||
|
|
||||||
> The connection was terminated by the remote computer before it could be completed.
|
> The connection was terminated by the remote computer before it could be completed.
|
||||||
@ -394,13 +400,12 @@ To fix this error, please follow these steps:
|
|||||||
|
|
||||||
![Select CHAP in VPN connection properties](images/vpn-properties.png)
|
![Select CHAP in VPN connection properties](images/vpn-properties.png)
|
||||||
|
|
||||||
### Android 6 and 7
|
### Android 6 and above
|
||||||
|
|
||||||
If you are unable to connect using Android 6 (Marshmallow) or 7 (Nougat):
|
If you are unable to connect using Android 6 or above:
|
||||||
|
|
||||||
1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step.
|
1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step.
|
||||||
1. **Note:** The latest version of VPN scripts already includes this change.
|
1. (For Android 7.1.2 and newer) Edit `/etc/ipsec.conf` on the VPN server. Append `,aes256-sha2_512` to the end of both `ike=` and `phase2alg=` lines. Save the file and run `service ipsec restart`. (<a href="https://github.com/hwdsl2/setup-ipsec-vpn/commit/f58afbc84ba421216ca2615d3e3654902e9a1852" target="_blank">Ref</a>) Note that the latest version of VPN scripts already includes this change.
|
||||||
(For Android 7.1.2 and newer) Edit `/etc/ipsec.conf` on the VPN server. Append `,aes256-sha2_512` to the end of both `ike=` and `phase2alg=` lines. Save the file and run `service ipsec restart`. (<a href="https://github.com/hwdsl2/setup-ipsec-vpn/commit/f58afbc84ba421216ca2615d3e3654902e9a1852" target="_blank">Ref</a>)
|
|
||||||
1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`, indented with two spaces. Save the file and run `service ipsec restart`. (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">Ref</a>)
|
1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`, indented with two spaces. Save the file and run `service ipsec restart`. (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">Ref</a>)
|
||||||
|
|
||||||
![Android VPN workaround](images/vpn-profile-Android.png)
|
![Android VPN workaround](images/vpn-profile-Android.png)
|
||||||
@ -413,9 +418,9 @@ Chromebook users: If you are unable to connect, try <a href="https://bugs.chromi
|
|||||||
|
|
||||||
If you encounter other errors, refer to the links below:
|
If you encounter other errors, refer to the links below:
|
||||||
|
|
||||||
|
* http://www.tp-link.com/en/faq-1029.html
|
||||||
* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues
|
* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues
|
||||||
* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/
|
* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/
|
||||||
* http://www.tp-link.com/en/faq-1029.html
|
|
||||||
|
|
||||||
### Additional steps
|
### Additional steps
|
||||||
|
|
||||||
@ -432,13 +437,16 @@ If using Docker, run `docker restart ipsec-vpn-server`.
|
|||||||
|
|
||||||
Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly.
|
Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly.
|
||||||
|
|
||||||
Check the Libreswan (IPsec) log for errors:
|
Check the Libreswan (IPsec) and xl2tpd logs for errors:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Ubuntu & Debian
|
# Ubuntu & Debian
|
||||||
grep pluto /var/log/auth.log
|
grep pluto /var/log/auth.log
|
||||||
|
grep xl2tpd /var/log/syslog
|
||||||
|
|
||||||
# CentOS & RHEL
|
# CentOS & RHEL
|
||||||
grep pluto /var/log/secure
|
grep pluto /var/log/secure
|
||||||
|
grep xl2tpd /var/log/messages
|
||||||
```
|
```
|
||||||
|
|
||||||
Check status of the IPsec VPN server:
|
Check status of the IPsec VPN server:
|
||||||
|
@ -7,14 +7,14 @@
|
|||||||
首先,IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets` 中。如果要更换一个新的 PSK,可以编辑此文件。所有的 VPN 用户将共享同一个 IPsec PSK。
|
首先,IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets` 中。如果要更换一个新的 PSK,可以编辑此文件。所有的 VPN 用户将共享同一个 IPsec PSK。
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
%any %any : PSK "your_ipsec_pre_shared_key"
|
%any %any : PSK "你的IPsec预共享密钥"
|
||||||
```
|
```
|
||||||
|
|
||||||
对于 `IPsec/L2TP`,VPN 用户账户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下:
|
对于 `IPsec/L2TP`,VPN 用户账户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
"your_vpn_username_1" l2tpd "your_vpn_password_1" *
|
"你的VPN用户名1" l2tpd "你的VPN密码1" *
|
||||||
"your_vpn_username_2" l2tpd "your_vpn_password_2" *
|
"你的VPN用户名2" l2tpd "你的VPN密码2" *
|
||||||
... ...
|
... ...
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -23,16 +23,16 @@
|
|||||||
对于 `IPsec/XAuth ("Cisco IPsec")`, VPN 用户账户信息保存在文件 `/etc/ipsec.d/passwd`。该文件的格式如下:
|
对于 `IPsec/XAuth ("Cisco IPsec")`, VPN 用户账户信息保存在文件 `/etc/ipsec.d/passwd`。该文件的格式如下:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
your_vpn_username_1:your_vpn_password_1_hashed:xauth-psk
|
你的VPN用户名1:你的VPN密码1的加盐哈希值:xauth-psk
|
||||||
your_vpn_username_2:your_vpn_password_2_hashed:xauth-psk
|
你的VPN用户名2:你的VPN密码2的加盐哈希值:xauth-psk
|
||||||
... ...
|
... ...
|
||||||
```
|
```
|
||||||
|
|
||||||
这个文件中的密码以 salted and hashed 的形式保存。该步骤可以借助比如 `openssl` 工具来完成:
|
这个文件中的密码以加盐哈希值的形式保存。该步骤可以借助比如 `openssl` 工具来完成:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# 以下命令的输出为 your_vpn_password_1_hashed
|
# 以下命令的输出为:你的VPN密码1的加盐哈希值
|
||||||
openssl passwd -1 'your_vpn_password_1'
|
openssl passwd -1 '你的VPN密码1'
|
||||||
```
|
```
|
||||||
|
|
||||||
在完成后重启服务:
|
在完成后重启服务:
|
||||||
|
@ -18,7 +18,7 @@ For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format
|
|||||||
... ...
|
... ...
|
||||||
```
|
```
|
||||||
|
|
||||||
You can add more users, use one line for each user. DO NOT use these characters within values: `\ " '`
|
You can add more users, use one line for each user. DO NOT use these special characters within values: `\ " '`
|
||||||
|
|
||||||
For `IPsec/XAuth ("Cisco IPsec")`, VPN users are specified in `/etc/ipsec.d/passwd`. The format of this file is:
|
For `IPsec/XAuth ("Cisco IPsec")`, VPN users are specified in `/etc/ipsec.d/passwd`. The format of this file is:
|
||||||
|
|
||||||
|
@ -11,46 +11,68 @@
|
|||||||
# know how you have improved it!
|
# know how you have improved it!
|
||||||
|
|
||||||
# Check https://libreswan.org for the latest version
|
# Check https://libreswan.org for the latest version
|
||||||
swan_ver=3.21
|
SWAN_VER=3.22
|
||||||
|
|
||||||
### DO NOT edit below this line ###
|
### DO NOT edit below this line ###
|
||||||
|
|
||||||
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||||
|
|
||||||
exiterr() { echo "Error: $1" >&2; exit 1; }
|
exiterr() { echo "Error: $1" >&2; exit 1; }
|
||||||
exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; }
|
exiterr2() { exiterr "'apt-get install' failed."; }
|
||||||
|
|
||||||
|
vpnupgrade() {
|
||||||
|
|
||||||
os_type="$(lsb_release -si 2>/dev/null)"
|
os_type="$(lsb_release -si 2>/dev/null)"
|
||||||
if [ -z "$os_type" ]; then
|
if [ -z "$os_type" ]; then
|
||||||
[ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")"
|
[ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")"
|
||||||
[ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")"
|
[ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")"
|
||||||
fi
|
fi
|
||||||
if ! printf %s "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then
|
if ! printf '%s' "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then
|
||||||
exiterr "This script only supports Ubuntu/Debian."
|
exiterr "This script only supports Ubuntu and Debian."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then
|
if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then
|
||||||
exiterr "This script does not support Debian 7 (Wheezy)."
|
exiterr "Debian 7 is not supported."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f /proc/user_beancounters ]; then
|
if [ -f /proc/user_beancounters ]; then
|
||||||
exiterr "This script does not support OpenVZ VPS."
|
exiterr "OpenVZ VPS is not supported."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$(id -u)" != 0 ]; then
|
if [ "$(id -u)" != 0 ]; then
|
||||||
exiterr "Script must be run as root. Try 'sudo sh $0'"
|
exiterr "Script must be run as root. Try 'sudo sh $0'"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$swan_ver" ]; then
|
if [ -z "$SWAN_VER" ]; then
|
||||||
exiterr "Libreswan version 'swan_ver' not specified."
|
exiterr "Libreswan version 'SWAN_VER' not specified."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then
|
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then
|
||||||
exiterr "This script requires Libreswan already installed."
|
exiterr "This script requires Libreswan already installed."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then
|
if [ "$SWAN_VER" = "3.22" ]; then
|
||||||
echo "You already have Libreswan version $swan_ver installed! "
|
if grep -qs raspbian /etc/os-release; then
|
||||||
|
echo "Note: For Raspberry Pi systems, this script will install Libreswan"
|
||||||
|
echo "version 3.21 instead of 3.22, to avoid some recent bugs."
|
||||||
|
echo
|
||||||
|
printf "Do you wish to continue? [y/N] "
|
||||||
|
read -r response
|
||||||
|
case $response in
|
||||||
|
[yY][eE][sS]|[yY])
|
||||||
|
echo
|
||||||
|
SWAN_VER=3.21
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "Aborting."
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
||||||
|
echo "You already have Libreswan version $SWAN_VER installed! "
|
||||||
echo "If you continue, the same version will be re-installed."
|
echo "If you continue, the same version will be re-installed."
|
||||||
echo
|
echo
|
||||||
printf "Do you wish to continue anyway? [y/N] "
|
printf "Do you wish to continue anyway? [y/N] "
|
||||||
@ -69,7 +91,7 @@ fi
|
|||||||
clear
|
clear
|
||||||
|
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
Welcome! This script will build and install Libreswan $swan_ver on your server.
|
Welcome! This script will build and install Libreswan $SWAN_VER on your server.
|
||||||
Additional packages required for Libreswan compilation will also be installed.
|
Additional packages required for Libreswan compilation will also be installed.
|
||||||
|
|
||||||
This is intended for use on servers running an older version of Libreswan.
|
This is intended for use on servers running an older version of Libreswan.
|
||||||
@ -124,22 +146,22 @@ apt-get -yq update || exiterr "'apt-get update' failed."
|
|||||||
apt-get -yq install wget || exiterr2
|
apt-get -yq install wget || exiterr2
|
||||||
|
|
||||||
# Install necessary packages
|
# Install necessary packages
|
||||||
apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
|
apt-get -yq install libnss3-dev libnspr4-dev pkg-config \
|
||||||
libcap-ng-dev libcap-ng-utils libselinux1-dev \
|
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
|
||||||
libcurl4-nss-dev flex bison gcc make \
|
libcurl4-nss-dev flex bison gcc make libnss3-tools \
|
||||||
libunbound-dev libnss3-tools libevent-dev || exiterr2
|
libevent-dev || exiterr2
|
||||||
apt-get -yq --no-install-recommends install xmlto || exiterr2
|
|
||||||
|
|
||||||
# Compile and install Libreswan
|
# Compile and install Libreswan
|
||||||
swan_file="libreswan-$swan_ver.tar.gz"
|
swan_file="libreswan-$SWAN_VER.tar.gz"
|
||||||
swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz"
|
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
|
||||||
swan_url2="https://download.libreswan.org/$swan_file"
|
swan_url2="https://download.libreswan.org/$swan_file"
|
||||||
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
|
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
|
||||||
exiterr "Cannot download Libreswan source."
|
exiterr "Cannot download Libreswan source."
|
||||||
fi
|
fi
|
||||||
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
|
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||||
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
|
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
|
||||||
cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir."
|
cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir."
|
||||||
|
[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
|
||||||
cat > Makefile.inc.local <<'EOF'
|
cat > Makefile.inc.local <<'EOF'
|
||||||
WERROR_CFLAGS =
|
WERROR_CFLAGS =
|
||||||
USE_DNSSEC = false
|
USE_DNSSEC = false
|
||||||
@ -147,19 +169,24 @@ EOF
|
|||||||
if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
|
if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
|
||||||
apt-get -yq install libsystemd-dev || exiterr2
|
apt-get -yq install libsystemd-dev || exiterr2
|
||||||
fi
|
fi
|
||||||
make -s programs && make -s install
|
NPROCS="$(grep -c ^processor /proc/cpuinfo)"
|
||||||
|
[ -z "$NPROCS" ] && NPROCS=1
|
||||||
|
make "-j$((NPROCS+1))" -s base && make -s install-base
|
||||||
|
|
||||||
# Verify the install and clean up
|
# Verify the install and clean up
|
||||||
cd /opt/src || exiterr "Cannot enter /opt/src."
|
cd /opt/src || exiterr "Cannot enter /opt/src."
|
||||||
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
|
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||||
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then
|
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
||||||
exiterr "Libreswan $swan_ver failed to build."
|
exiterr "Libreswan $SWAN_VER failed to build."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Update ipsec.conf for Libreswan 3.19 and newer
|
# Update ipsec.conf for Libreswan 3.19 and newer
|
||||||
IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
|
IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
|
||||||
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
|
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
|
||||||
sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \
|
if grep -qs raspbian /etc/os-release; then
|
||||||
|
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2"
|
||||||
|
fi
|
||||||
|
sed -i".old-$(date +%F-%T)" \
|
||||||
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
|
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
|
||||||
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
|
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
|
||||||
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \
|
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \
|
||||||
@ -169,7 +196,12 @@ sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \
|
|||||||
service ipsec restart
|
service ipsec restart
|
||||||
|
|
||||||
echo
|
echo
|
||||||
echo "Libreswan $swan_ver was installed successfully! "
|
echo "Libreswan $SWAN_VER was installed successfully! "
|
||||||
echo
|
echo
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
## Defer setup until we have the complete script
|
||||||
|
vpnupgrade "$@"
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
@ -11,37 +11,39 @@
|
|||||||
# know how you have improved it!
|
# know how you have improved it!
|
||||||
|
|
||||||
# Check https://libreswan.org for the latest version
|
# Check https://libreswan.org for the latest version
|
||||||
swan_ver=3.21
|
SWAN_VER=3.22
|
||||||
|
|
||||||
### DO NOT edit below this line ###
|
### DO NOT edit below this line ###
|
||||||
|
|
||||||
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||||
|
|
||||||
exiterr() { echo "Error: $1" >&2; exit 1; }
|
exiterr() { echo "Error: $1" >&2; exit 1; }
|
||||||
exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; }
|
exiterr2() { exiterr "'yum install' failed."; }
|
||||||
|
|
||||||
|
vpnupgrade() {
|
||||||
|
|
||||||
if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then
|
if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then
|
||||||
exiterr "This script only supports CentOS/RHEL 6 and 7."
|
exiterr "This script only supports CentOS/RHEL 6 and 7."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f /proc/user_beancounters ]; then
|
if [ -f /proc/user_beancounters ]; then
|
||||||
exiterr "This script does not support OpenVZ VPS."
|
exiterr "OpenVZ VPS is not supported."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$(id -u)" != 0 ]; then
|
if [ "$(id -u)" != 0 ]; then
|
||||||
exiterr "Script must be run as root. Try 'sudo sh $0'"
|
exiterr "Script must be run as root. Try 'sudo sh $0'"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$swan_ver" ]; then
|
if [ -z "$SWAN_VER" ]; then
|
||||||
exiterr "Libreswan version 'swan_ver' not specified."
|
exiterr "Libreswan version 'SWAN_VER' not specified."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then
|
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then
|
||||||
exiterr "This script requires Libreswan already installed."
|
exiterr "This script requires Libreswan already installed."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then
|
if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
||||||
echo "You already have Libreswan version $swan_ver installed! "
|
echo "You already have Libreswan version $SWAN_VER installed! "
|
||||||
echo "If you continue, the same version will be re-installed."
|
echo "If you continue, the same version will be re-installed."
|
||||||
echo
|
echo
|
||||||
printf "Do you wish to continue anyway? [y/N] "
|
printf "Do you wish to continue anyway? [y/N] "
|
||||||
@ -60,7 +62,7 @@ fi
|
|||||||
clear
|
clear
|
||||||
|
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
Welcome! This script will build and install Libreswan $swan_ver on your server.
|
Welcome! This script will build and install Libreswan $SWAN_VER on your server.
|
||||||
Additional packages required for Libreswan compilation will also be installed.
|
Additional packages required for Libreswan compilation will also be installed.
|
||||||
|
|
||||||
This is intended for use on servers running an older version of Libreswan.
|
This is intended for use on servers running an older version of Libreswan.
|
||||||
@ -113,43 +115,48 @@ cd /opt/src || exiterr "Cannot enter /opt/src."
|
|||||||
yum -y install wget || exiterr2
|
yum -y install wget || exiterr2
|
||||||
|
|
||||||
# Add the EPEL repository
|
# Add the EPEL repository
|
||||||
yum -y install epel-release || exiterr2
|
epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm"
|
||||||
|
yum -y install epel-release || yum -y install "$epel_url" || exiterr2
|
||||||
|
|
||||||
# Install necessary packages
|
# Install necessary packages
|
||||||
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
|
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
|
||||||
libcap-ng-devel libselinux-devel \
|
libcap-ng-devel libselinux-devel curl-devel \
|
||||||
curl-devel flex bison gcc make \
|
flex bison gcc make || exiterr2
|
||||||
fipscheck-devel unbound-devel xmlto || exiterr2
|
|
||||||
|
|
||||||
# Install libevent2 and systemd-devel
|
OPT1='--enablerepo=*server-optional*'
|
||||||
|
OPT2='--enablerepo=*releases-optional*'
|
||||||
if grep -qs "release 6" /etc/redhat-release; then
|
if grep -qs "release 6" /etc/redhat-release; then
|
||||||
yum -y remove libevent-devel
|
yum -y remove libevent-devel
|
||||||
yum -y install libevent2-devel || exiterr2
|
yum "$OPT1" "$OPT2" -y install libevent2-devel fipscheck-devel || exiterr2
|
||||||
else
|
else
|
||||||
yum -y install libevent-devel systemd-devel || exiterr2
|
yum -y install systemd-devel || exiterr2
|
||||||
|
yum "$OPT1" "$OPT2" -y install libevent-devel fipscheck-devel || exiterr2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Compile and install Libreswan
|
# Compile and install Libreswan
|
||||||
swan_file="libreswan-$swan_ver.tar.gz"
|
swan_file="libreswan-$SWAN_VER.tar.gz"
|
||||||
swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz"
|
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
|
||||||
swan_url2="https://download.libreswan.org/$swan_file"
|
swan_url2="https://download.libreswan.org/$swan_file"
|
||||||
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
|
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
|
||||||
exiterr "Cannot download Libreswan source."
|
exiterr "Cannot download Libreswan source."
|
||||||
fi
|
fi
|
||||||
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
|
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||||
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
|
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
|
||||||
cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir."
|
cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir."
|
||||||
|
[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
|
||||||
cat > Makefile.inc.local <<'EOF'
|
cat > Makefile.inc.local <<'EOF'
|
||||||
WERROR_CFLAGS =
|
WERROR_CFLAGS =
|
||||||
USE_DNSSEC = false
|
USE_DNSSEC = false
|
||||||
EOF
|
EOF
|
||||||
make -s programs && make -s install
|
NPROCS="$(grep -c ^processor /proc/cpuinfo)"
|
||||||
|
[ -z "$NPROCS" ] && NPROCS=1
|
||||||
|
make "-j$((NPROCS+1))" -s base && make -s install-base
|
||||||
|
|
||||||
# Verify the install and clean up
|
# Verify the install and clean up
|
||||||
cd /opt/src || exiterr "Cannot enter /opt/src."
|
cd /opt/src || exiterr "Cannot enter /opt/src."
|
||||||
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
|
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||||
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then
|
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
||||||
exiterr "Libreswan $swan_ver failed to build."
|
exiterr "Libreswan $SWAN_VER failed to build."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Restore SELinux contexts
|
# Restore SELinux contexts
|
||||||
@ -160,7 +167,7 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
|
|||||||
# Update ipsec.conf for Libreswan 3.19 and newer
|
# Update ipsec.conf for Libreswan 3.19 and newer
|
||||||
IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
|
IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
|
||||||
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
|
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
|
||||||
sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \
|
sed -i".old-$(date +%F-%T)" \
|
||||||
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
|
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
|
||||||
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
|
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
|
||||||
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \
|
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \
|
||||||
@ -170,7 +177,12 @@ sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \
|
|||||||
service ipsec restart
|
service ipsec restart
|
||||||
|
|
||||||
echo
|
echo
|
||||||
echo "Libreswan $swan_ver was installed successfully! "
|
echo "Libreswan $SWAN_VER was installed successfully! "
|
||||||
echo
|
echo
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
## Defer setup until we have the complete script
|
||||||
|
vpnupgrade "$@"
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
169
vpnsetup.sh
169
vpnsetup.sh
@ -22,7 +22,7 @@
|
|||||||
# Define your own values for these variables
|
# Define your own values for these variables
|
||||||
# - IPsec pre-shared key, VPN username and password
|
# - IPsec pre-shared key, VPN username and password
|
||||||
# - All values MUST be placed inside 'single quotes'
|
# - All values MUST be placed inside 'single quotes'
|
||||||
# - DO NOT use these characters within values: \ " '
|
# - DO NOT use these special characters within values: \ " '
|
||||||
|
|
||||||
YOUR_IPSEC_PSK=''
|
YOUR_IPSEC_PSK=''
|
||||||
YOUR_USERNAME=''
|
YOUR_USERNAME=''
|
||||||
@ -34,71 +34,64 @@ YOUR_PASSWORD=''
|
|||||||
# =====================================================
|
# =====================================================
|
||||||
|
|
||||||
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||||
SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"; export SYS_DT
|
SYS_DT="$(date +%F-%T)"
|
||||||
|
|
||||||
exiterr() { echo "Error: $1" >&2; exit 1; }
|
exiterr() { echo "Error: $1" >&2; exit 1; }
|
||||||
exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; }
|
exiterr2() { exiterr "'apt-get install' failed."; }
|
||||||
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
|
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
|
||||||
bigecho() { echo; echo "## $1"; echo; }
|
bigecho() { echo; echo "## $1"; echo; }
|
||||||
|
|
||||||
check_ip() {
|
check_ip() {
|
||||||
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
|
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
|
||||||
printf %s "$1" | tr -d '\n' | grep -Eq "$IP_REGEX"
|
printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
vpnsetup() {
|
||||||
|
|
||||||
os_type="$(lsb_release -si 2>/dev/null)"
|
os_type="$(lsb_release -si 2>/dev/null)"
|
||||||
if [ -z "$os_type" ]; then
|
if [ -z "$os_type" ]; then
|
||||||
[ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")"
|
[ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")"
|
||||||
[ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")"
|
[ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")"
|
||||||
fi
|
fi
|
||||||
if ! printf %s "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then
|
if ! printf '%s' "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then
|
||||||
exiterr "This script only supports Ubuntu/Debian."
|
exiterr "This script only supports Ubuntu and Debian."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then
|
if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then
|
||||||
exiterr "This script does not support Debian 7 (Wheezy)."
|
exiterr "Debian 7 is not supported."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f /proc/user_beancounters ]; then
|
if [ -f /proc/user_beancounters ]; then
|
||||||
echo "Error: This script does not support OpenVZ VPS." >&2
|
exiterr "OpenVZ VPS is not supported. Try OpenVPN: github.com/Nyr/openvpn-install"
|
||||||
echo "Try OpenVPN: https://github.com/Nyr/openvpn-install" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$(id -u)" != 0 ]; then
|
if [ "$(id -u)" != 0 ]; then
|
||||||
exiterr "Script must be run as root. Try 'sudo sh $0'"
|
exiterr "Script must be run as root. Try 'sudo sh $0'"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
NET_IFACE=${VPN_NET_IFACE:-'eth0'}
|
net_iface=${VPN_NET_IFACE:-'eth0'}
|
||||||
DEF_IFACE="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
|
def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
|
||||||
[ -z "$DEF_IFACE" ] && DEF_IFACE="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
|
[ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
|
||||||
|
|
||||||
if_state1=$(cat "/sys/class/net/$DEF_IFACE/operstate" 2>/dev/null)
|
def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null)
|
||||||
if [ -z "$VPN_NET_IFACE" ] && [ -n "$if_state1" ] && [ "$if_state1" != "down" ]; then
|
if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then
|
||||||
if ! grep -qs raspbian /etc/os-release; then
|
if ! grep -qs raspbian /etc/os-release; then
|
||||||
case "$DEF_IFACE" in
|
case "$def_iface" in
|
||||||
wl*)
|
wl*)
|
||||||
cat 1>&2 <<EOF
|
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
|
||||||
Error: Default network interface '$DEF_IFACE' detected.
|
|
||||||
>> DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! <<
|
|
||||||
If you are certain that this script is running on a server, re-run it with:
|
|
||||||
sudo VPN_NET_IFACE="$DEF_IFACE" sh "$0"
|
|
||||||
EOF
|
|
||||||
exit 1
|
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
NET_IFACE="$DEF_IFACE"
|
net_iface="$def_iface"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if_state2=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null)
|
net_iface_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null)
|
||||||
if [ -z "$if_state2" ] || [ "$if_state2" = "down" ] || [ "$NET_IFACE" = "lo" ]; then
|
if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface" = "lo" ]; then
|
||||||
printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2
|
printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2
|
||||||
if [ -z "$VPN_NET_IFACE" ]; then
|
if [ -z "$VPN_NET_IFACE" ]; then
|
||||||
cat 1>&2 <<EOF
|
cat 1>&2 <<EOF
|
||||||
Unable to detect your server's default network interface.
|
Unable to detect the default network interface. Manually re-run this script with:
|
||||||
You may manually re-run this script with:
|
sudo VPN_NET_IFACE="your_default_interface_name" sh "$0"
|
||||||
sudo VPN_NET_IFACE="your_default_network_interface" sh "$0"
|
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
exit 1
|
exit 1
|
||||||
@ -119,13 +112,13 @@ if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
|
|||||||
exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
|
exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if printf %s "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
|
if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
|
||||||
exiterr "VPN credentials must not contain non-ASCII characters."
|
exiterr "VPN credentials must not contain non-ASCII characters."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
|
case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
|
||||||
*[\\\"\']*)
|
*[\\\"\']*)
|
||||||
exiterr "VPN credentials must not contain the following characters: \\ \" '"
|
exiterr "VPN credentials must not contain these special characters: \\ \" '"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -137,19 +130,28 @@ cd /opt/src || exiterr "Cannot enter /opt/src."
|
|||||||
|
|
||||||
bigecho "Populating apt-get cache..."
|
bigecho "Populating apt-get cache..."
|
||||||
|
|
||||||
|
# Wait up to 60s for apt/dpkg lock
|
||||||
|
count=0
|
||||||
|
while fuser /var/lib/apt/lists/lock /var/lib/dpkg/lock >/dev/null 2>&1; do
|
||||||
|
[ "$count" -ge "20" ] && exiterr "Cannot get apt/dpkg lock."
|
||||||
|
count=$((count+1))
|
||||||
|
printf '%s' '.'
|
||||||
|
sleep 3
|
||||||
|
done
|
||||||
|
|
||||||
export DEBIAN_FRONTEND=noninteractive
|
export DEBIAN_FRONTEND=noninteractive
|
||||||
apt-get -yq update || exiterr "'apt-get update' failed."
|
apt-get -yq update || exiterr "'apt-get update' failed."
|
||||||
|
|
||||||
bigecho "Installing packages required for setup..."
|
bigecho "Installing packages required for setup..."
|
||||||
|
|
||||||
apt-get -yq install wget dnsutils openssl || exiterr2
|
apt-get -yq install wget dnsutils openssl \
|
||||||
apt-get -yq install iproute gawk grep sed net-tools || exiterr2
|
iproute gawk grep sed net-tools || exiterr2
|
||||||
|
|
||||||
bigecho "Trying to auto discover IP of this server..."
|
bigecho "Trying to auto discover IP of this server..."
|
||||||
|
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
In case the script hangs here for more than a few minutes,
|
In case the script hangs here for more than a few minutes,
|
||||||
use Ctrl-C to interrupt. Then edit it and manually enter IP.
|
press Ctrl-C to abort. Then edit it and manually enter IP.
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# In case auto IP discovery fails, enter server's public IP here.
|
# In case auto IP discovery fails, enter server's public IP here.
|
||||||
@ -160,16 +162,14 @@ PUBLIC_IP=${VPN_PUBLIC_IP:-''}
|
|||||||
|
|
||||||
# Check IP for correct format
|
# Check IP for correct format
|
||||||
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
|
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
|
||||||
check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter it."
|
check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it."
|
||||||
|
|
||||||
bigecho "Installing packages required for the VPN..."
|
bigecho "Installing packages required for the VPN..."
|
||||||
|
|
||||||
apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
|
apt-get -yq install libnss3-dev libnspr4-dev pkg-config \
|
||||||
libcap-ng-dev libcap-ng-utils libselinux1-dev \
|
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
|
||||||
libcurl4-nss-dev flex bison gcc make \
|
libcurl4-nss-dev flex bison gcc make libnss3-tools \
|
||||||
libunbound-dev libnss3-tools libevent-dev || exiterr2
|
libevent-dev ppp xl2tpd || exiterr2
|
||||||
apt-get -yq --no-install-recommends install xmlto || exiterr2
|
|
||||||
apt-get -yq install ppp xl2tpd || exiterr2
|
|
||||||
|
|
||||||
bigecho "Installing Fail2Ban to protect SSH..."
|
bigecho "Installing Fail2Ban to protect SSH..."
|
||||||
|
|
||||||
@ -177,16 +177,21 @@ apt-get -yq install fail2ban || exiterr2
|
|||||||
|
|
||||||
bigecho "Compiling and installing Libreswan..."
|
bigecho "Compiling and installing Libreswan..."
|
||||||
|
|
||||||
swan_ver=3.21
|
if ! grep -qs raspbian /etc/os-release; then
|
||||||
swan_file="libreswan-$swan_ver.tar.gz"
|
SWAN_VER=3.22
|
||||||
swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz"
|
else
|
||||||
|
SWAN_VER=3.21
|
||||||
|
fi
|
||||||
|
swan_file="libreswan-$SWAN_VER.tar.gz"
|
||||||
|
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
|
||||||
swan_url2="https://download.libreswan.org/$swan_file"
|
swan_url2="https://download.libreswan.org/$swan_file"
|
||||||
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
|
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
|
||||||
exiterr "Cannot download Libreswan source."
|
exiterr "Cannot download Libreswan source."
|
||||||
fi
|
fi
|
||||||
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
|
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||||
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
|
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
|
||||||
cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir."
|
cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir."
|
||||||
|
[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
|
||||||
cat > Makefile.inc.local <<'EOF'
|
cat > Makefile.inc.local <<'EOF'
|
||||||
WERROR_CFLAGS =
|
WERROR_CFLAGS =
|
||||||
USE_DNSSEC = false
|
USE_DNSSEC = false
|
||||||
@ -194,13 +199,15 @@ EOF
|
|||||||
if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
|
if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
|
||||||
apt-get -yq install libsystemd-dev || exiterr2
|
apt-get -yq install libsystemd-dev || exiterr2
|
||||||
fi
|
fi
|
||||||
make -s programs && make -s install
|
NPROCS="$(grep -c ^processor /proc/cpuinfo)"
|
||||||
|
[ -z "$NPROCS" ] && NPROCS=1
|
||||||
|
make "-j$((NPROCS+1))" -s base && make -s install-base
|
||||||
|
|
||||||
# Verify the install and clean up
|
# Verify the install and clean up
|
||||||
cd /opt/src || exiterr "Cannot enter /opt/src."
|
cd /opt/src || exiterr "Cannot enter /opt/src."
|
||||||
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
|
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||||
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then
|
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
||||||
exiterr "Libreswan $swan_ver failed to build."
|
exiterr "Libreswan $SWAN_VER failed to build."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
bigecho "Creating VPN configuration..."
|
bigecho "Creating VPN configuration..."
|
||||||
@ -219,9 +226,8 @@ cat > /etc/ipsec.conf <<EOF
|
|||||||
version 2.0
|
version 2.0
|
||||||
|
|
||||||
config setup
|
config setup
|
||||||
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET
|
virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET
|
||||||
protostack=netkey
|
protostack=netkey
|
||||||
nhelpers=0
|
|
||||||
interfaces=%defaultroute
|
interfaces=%defaultroute
|
||||||
uniqueids=no
|
uniqueids=no
|
||||||
|
|
||||||
@ -273,6 +279,11 @@ if grep -qs 'Raspbian GNU/Linux 9' /etc/os-release; then
|
|||||||
check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf
|
check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Remove unsupported ESP algorithm on Raspbian
|
||||||
|
if grep -qs raspbian /etc/os-release; then
|
||||||
|
sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
|
||||||
|
fi
|
||||||
|
|
||||||
# Specify IPsec PSK
|
# Specify IPsec PSK
|
||||||
conf_bk "/etc/ipsec.secrets"
|
conf_bk "/etc/ipsec.secrets"
|
||||||
cat > /etc/ipsec.secrets <<EOF
|
cat > /etc/ipsec.secrets <<EOF
|
||||||
@ -317,8 +328,6 @@ EOF
|
|||||||
# Create VPN credentials
|
# Create VPN credentials
|
||||||
conf_bk "/etc/ppp/chap-secrets"
|
conf_bk "/etc/ppp/chap-secrets"
|
||||||
cat > /etc/ppp/chap-secrets <<EOF
|
cat > /etc/ppp/chap-secrets <<EOF
|
||||||
# Secrets for authentication using CHAP
|
|
||||||
# client server secret IP addresses
|
|
||||||
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
|
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
@ -332,30 +341,32 @@ bigecho "Updating sysctl settings..."
|
|||||||
|
|
||||||
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
|
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
|
||||||
conf_bk "/etc/sysctl.conf"
|
conf_bk "/etc/sysctl.conf"
|
||||||
|
if [ "$(getconf LONG_BIT)" = "64" ]; then
|
||||||
|
SHM_MAX=68719476736
|
||||||
|
SHM_ALL=4294967296
|
||||||
|
else
|
||||||
|
SHM_MAX=4294967295
|
||||||
|
SHM_ALL=268435456
|
||||||
|
fi
|
||||||
cat >> /etc/sysctl.conf <<EOF
|
cat >> /etc/sysctl.conf <<EOF
|
||||||
|
|
||||||
# Added by hwdsl2 VPN script
|
# Added by hwdsl2 VPN script
|
||||||
kernel.msgmnb = 65536
|
kernel.msgmnb = 65536
|
||||||
kernel.msgmax = 65536
|
kernel.msgmax = 65536
|
||||||
kernel.shmmax = 68719476736
|
kernel.shmmax = $SHM_MAX
|
||||||
kernel.shmall = 4294967296
|
kernel.shmall = $SHM_ALL
|
||||||
|
|
||||||
net.ipv4.ip_forward = 1
|
net.ipv4.ip_forward = 1
|
||||||
net.ipv4.tcp_syncookies = 1
|
|
||||||
net.ipv4.conf.all.accept_source_route = 0
|
net.ipv4.conf.all.accept_source_route = 0
|
||||||
net.ipv4.conf.default.accept_source_route = 0
|
|
||||||
net.ipv4.conf.all.accept_redirects = 0
|
net.ipv4.conf.all.accept_redirects = 0
|
||||||
net.ipv4.conf.default.accept_redirects = 0
|
|
||||||
net.ipv4.conf.all.send_redirects = 0
|
net.ipv4.conf.all.send_redirects = 0
|
||||||
net.ipv4.conf.default.send_redirects = 0
|
|
||||||
net.ipv4.conf.lo.send_redirects = 0
|
|
||||||
net.ipv4.conf.$NET_IFACE.send_redirects = 0
|
|
||||||
net.ipv4.conf.all.rp_filter = 0
|
net.ipv4.conf.all.rp_filter = 0
|
||||||
|
net.ipv4.conf.default.accept_source_route = 0
|
||||||
|
net.ipv4.conf.default.accept_redirects = 0
|
||||||
|
net.ipv4.conf.default.send_redirects = 0
|
||||||
net.ipv4.conf.default.rp_filter = 0
|
net.ipv4.conf.default.rp_filter = 0
|
||||||
net.ipv4.conf.lo.rp_filter = 0
|
net.ipv4.conf.$net_iface.send_redirects = 0
|
||||||
net.ipv4.conf.$NET_IFACE.rp_filter = 0
|
net.ipv4.conf.$net_iface.rp_filter = 0
|
||||||
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
|
||||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
|
||||||
|
|
||||||
net.core.wmem_max = 12582912
|
net.core.wmem_max = 12582912
|
||||||
net.core.rmem_max = 12582912
|
net.core.rmem_max = 12582912
|
||||||
@ -370,8 +381,8 @@ bigecho "Updating IPTables rules..."
|
|||||||
ipt_flag=0
|
ipt_flag=0
|
||||||
IPT_FILE="/etc/iptables.rules"
|
IPT_FILE="/etc/iptables.rules"
|
||||||
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \
|
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \
|
||||||
|| ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \
|
|| ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE 2>/dev/null \
|
||||||
|| ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
|
|| ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
|
||||||
ipt_flag=1
|
ipt_flag=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -386,17 +397,17 @@ if [ "$ipt_flag" = "1" ]; then
|
|||||||
iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
|
iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
|
||||||
iptables -I INPUT 6 -p udp --dport 1701 -j DROP
|
iptables -I INPUT 6 -p udp --dport 1701 -j DROP
|
||||||
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
|
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
|
||||||
iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
iptables -I FORWARD 2 -i "$net_iface" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT
|
iptables -I FORWARD 3 -i ppp+ -o "$net_iface" -j ACCEPT
|
||||||
iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT
|
iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT
|
||||||
iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
iptables -I FORWARD 5 -i "$net_iface" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
|
iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$net_iface" -j ACCEPT
|
||||||
# Uncomment if you wish to disallow traffic between VPN clients themselves
|
# Uncomment if you wish to disallow traffic between VPN clients themselves
|
||||||
# iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP
|
# iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP
|
||||||
# iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP
|
# iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP
|
||||||
iptables -A FORWARD -j DROP
|
iptables -A FORWARD -j DROP
|
||||||
iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
|
iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE
|
||||||
iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
|
iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE
|
||||||
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
|
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
|
||||||
iptables-save >> "$IPT_FILE"
|
iptables-save >> "$IPT_FILE"
|
||||||
|
|
||||||
@ -434,6 +445,7 @@ cat >> /etc/rc.local <<'EOF'
|
|||||||
(sleep 15
|
(sleep 15
|
||||||
service ipsec restart
|
service ipsec restart
|
||||||
service xl2tpd restart
|
service xl2tpd restart
|
||||||
|
[ -f "/usr/sbin/netplan" ] && iptables-restore < /etc/iptables.rules
|
||||||
echo 1 > /proc/sys/net/ipv4/ip_forward)&
|
echo 1 > /proc/sys/net/ipv4/ip_forward)&
|
||||||
exit 0
|
exit 0
|
||||||
EOF
|
EOF
|
||||||
@ -478,4 +490,9 @@ Setup VPN clients: https://git.io/vpnclients
|
|||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
## Defer setup until we have the complete script
|
||||||
|
vpnsetup "$@"
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
# Define your own values for these variables
|
# Define your own values for these variables
|
||||||
# - IPsec pre-shared key, VPN username and password
|
# - IPsec pre-shared key, VPN username and password
|
||||||
# - All values MUST be placed inside 'single quotes'
|
# - All values MUST be placed inside 'single quotes'
|
||||||
# - DO NOT use these characters within values: \ " '
|
# - DO NOT use these special characters within values: \ " '
|
||||||
|
|
||||||
YOUR_IPSEC_PSK=''
|
YOUR_IPSEC_PSK=''
|
||||||
YOUR_USERNAME=''
|
YOUR_USERNAME=''
|
||||||
@ -34,62 +34,55 @@ YOUR_PASSWORD=''
|
|||||||
# =====================================================
|
# =====================================================
|
||||||
|
|
||||||
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||||
SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"; export SYS_DT
|
SYS_DT="$(date +%F-%T)"
|
||||||
|
|
||||||
exiterr() { echo "Error: $1" >&2; exit 1; }
|
exiterr() { echo "Error: $1" >&2; exit 1; }
|
||||||
exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; }
|
exiterr2() { exiterr "'yum install' failed."; }
|
||||||
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
|
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
|
||||||
bigecho() { echo; echo "## $1"; echo; }
|
bigecho() { echo; echo "## $1"; echo; }
|
||||||
|
|
||||||
check_ip() {
|
check_ip() {
|
||||||
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
|
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
|
||||||
printf %s "$1" | tr -d '\n' | grep -Eq "$IP_REGEX"
|
printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
vpnsetup() {
|
||||||
|
|
||||||
if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then
|
if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then
|
||||||
exiterr "This script only supports CentOS/RHEL 6 and 7."
|
exiterr "This script only supports CentOS/RHEL 6 and 7."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f /proc/user_beancounters ]; then
|
if [ -f /proc/user_beancounters ]; then
|
||||||
echo "Error: This script does not support OpenVZ VPS." >&2
|
exiterr "OpenVZ VPS is not supported. Try OpenVPN: github.com/Nyr/openvpn-install"
|
||||||
echo "Try OpenVPN: https://github.com/Nyr/openvpn-install" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$(id -u)" != 0 ]; then
|
if [ "$(id -u)" != 0 ]; then
|
||||||
exiterr "Script must be run as root. Try 'sudo sh $0'"
|
exiterr "Script must be run as root. Try 'sudo sh $0'"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
NET_IFACE=${VPN_NET_IFACE:-'eth0'}
|
net_iface=${VPN_NET_IFACE:-'eth0'}
|
||||||
DEF_IFACE="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
|
def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
|
||||||
[ -z "$DEF_IFACE" ] && DEF_IFACE="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
|
[ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
|
||||||
|
|
||||||
if_state1=$(cat "/sys/class/net/$DEF_IFACE/operstate" 2>/dev/null)
|
def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null)
|
||||||
if [ -z "$VPN_NET_IFACE" ] && [ -n "$if_state1" ] && [ "$if_state1" != "down" ]; then
|
if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then
|
||||||
if ! grep -qs raspbian /etc/os-release; then
|
if ! grep -qs raspbian /etc/os-release; then
|
||||||
case "$DEF_IFACE" in
|
case "$def_iface" in
|
||||||
wl*)
|
wl*)
|
||||||
cat 1>&2 <<EOF
|
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
|
||||||
Error: Default network interface '$DEF_IFACE' detected.
|
|
||||||
>> DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! <<
|
|
||||||
If you are certain that this script is running on a server, re-run it with:
|
|
||||||
sudo VPN_NET_IFACE="$DEF_IFACE" sh "$0"
|
|
||||||
EOF
|
|
||||||
exit 1
|
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
NET_IFACE="$DEF_IFACE"
|
net_iface="$def_iface"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if_state2=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null)
|
net_iface_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null)
|
||||||
if [ -z "$if_state2" ] || [ "$if_state2" = "down" ] || [ "$NET_IFACE" = "lo" ]; then
|
if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface" = "lo" ]; then
|
||||||
printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2
|
printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2
|
||||||
if [ -z "$VPN_NET_IFACE" ]; then
|
if [ -z "$VPN_NET_IFACE" ]; then
|
||||||
cat 1>&2 <<EOF
|
cat 1>&2 <<EOF
|
||||||
Unable to detect your server's default network interface.
|
Unable to detect the default network interface. Manually re-run this script with:
|
||||||
You may manually re-run this script with:
|
sudo VPN_NET_IFACE="your_default_interface_name" sh "$0"
|
||||||
sudo VPN_NET_IFACE="your_default_network_interface" sh "$0"
|
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
exit 1
|
exit 1
|
||||||
@ -110,13 +103,13 @@ if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
|
|||||||
exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
|
exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if printf %s "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
|
if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
|
||||||
exiterr "VPN credentials must not contain non-ASCII characters."
|
exiterr "VPN credentials must not contain non-ASCII characters."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
|
case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
|
||||||
*[\\\"\']*)
|
*[\\\"\']*)
|
||||||
exiterr "VPN credentials must not contain the following characters: \\ \" '"
|
exiterr "VPN credentials must not contain these special characters: \\ \" '"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -128,14 +121,14 @@ cd /opt/src || exiterr "Cannot enter /opt/src."
|
|||||||
|
|
||||||
bigecho "Installing packages required for setup..."
|
bigecho "Installing packages required for setup..."
|
||||||
|
|
||||||
yum -y install wget bind-utils openssl || exiterr2
|
yum -y install wget bind-utils openssl \
|
||||||
yum -y install iproute gawk grep sed net-tools || exiterr2
|
iproute gawk grep sed net-tools || exiterr2
|
||||||
|
|
||||||
bigecho "Trying to auto discover IP of this server..."
|
bigecho "Trying to auto discover IP of this server..."
|
||||||
|
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
In case the script hangs here for more than a few minutes,
|
In case the script hangs here for more than a few minutes,
|
||||||
use Ctrl-C to interrupt. Then edit it and manually enter IP.
|
press Ctrl-C to abort. Then edit it and manually enter IP.
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# In case auto IP discovery fails, enter server's public IP here.
|
# In case auto IP discovery fails, enter server's public IP here.
|
||||||
@ -146,26 +139,27 @@ PUBLIC_IP=${VPN_PUBLIC_IP:-''}
|
|||||||
|
|
||||||
# Check IP for correct format
|
# Check IP for correct format
|
||||||
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
|
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
|
||||||
check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter it."
|
check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it."
|
||||||
|
|
||||||
bigecho "Adding the EPEL repository..."
|
bigecho "Adding the EPEL repository..."
|
||||||
|
|
||||||
yum -y install epel-release || exiterr2
|
epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm"
|
||||||
|
yum -y install epel-release || yum -y install "$epel_url" || exiterr2
|
||||||
|
|
||||||
bigecho "Installing packages required for the VPN..."
|
bigecho "Installing packages required for the VPN..."
|
||||||
|
|
||||||
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
|
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
|
||||||
libcap-ng-devel libselinux-devel \
|
libcap-ng-devel libselinux-devel curl-devel \
|
||||||
curl-devel flex bison gcc make \
|
flex bison gcc make ppp xl2tpd || exiterr2
|
||||||
fipscheck-devel unbound-devel xmlto || exiterr2
|
|
||||||
yum -y install ppp xl2tpd || exiterr2
|
|
||||||
|
|
||||||
|
OPT1='--enablerepo=*server-optional*'
|
||||||
|
OPT2='--enablerepo=*releases-optional*'
|
||||||
if grep -qs "release 6" /etc/redhat-release; then
|
if grep -qs "release 6" /etc/redhat-release; then
|
||||||
yum -y remove libevent-devel
|
yum -y remove libevent-devel
|
||||||
yum -y install libevent2-devel || exiterr2
|
yum "$OPT1" "$OPT2" -y install libevent2-devel fipscheck-devel || exiterr2
|
||||||
else
|
else
|
||||||
yum -y install libevent-devel systemd-devel || exiterr2
|
yum -y install systemd-devel iptables-services || exiterr2
|
||||||
yum -y install iptables-services || exiterr2
|
yum "$OPT1" "$OPT2" -y install libevent-devel fipscheck-devel || exiterr2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
bigecho "Installing Fail2Ban to protect SSH..."
|
bigecho "Installing Fail2Ban to protect SSH..."
|
||||||
@ -174,27 +168,30 @@ yum -y install fail2ban || exiterr2
|
|||||||
|
|
||||||
bigecho "Compiling and installing Libreswan..."
|
bigecho "Compiling and installing Libreswan..."
|
||||||
|
|
||||||
swan_ver=3.21
|
SWAN_VER=3.22
|
||||||
swan_file="libreswan-$swan_ver.tar.gz"
|
swan_file="libreswan-$SWAN_VER.tar.gz"
|
||||||
swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz"
|
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
|
||||||
swan_url2="https://download.libreswan.org/$swan_file"
|
swan_url2="https://download.libreswan.org/$swan_file"
|
||||||
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
|
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
|
||||||
exiterr "Cannot download Libreswan source."
|
exiterr "Cannot download Libreswan source."
|
||||||
fi
|
fi
|
||||||
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
|
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||||
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
|
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
|
||||||
cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir."
|
cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir."
|
||||||
|
[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
|
||||||
cat > Makefile.inc.local <<'EOF'
|
cat > Makefile.inc.local <<'EOF'
|
||||||
WERROR_CFLAGS =
|
WERROR_CFLAGS =
|
||||||
USE_DNSSEC = false
|
USE_DNSSEC = false
|
||||||
EOF
|
EOF
|
||||||
make -s programs && make -s install
|
NPROCS="$(grep -c ^processor /proc/cpuinfo)"
|
||||||
|
[ -z "$NPROCS" ] && NPROCS=1
|
||||||
|
make "-j$((NPROCS+1))" -s base && make -s install-base
|
||||||
|
|
||||||
# Verify the install and clean up
|
# Verify the install and clean up
|
||||||
cd /opt/src || exiterr "Cannot enter /opt/src."
|
cd /opt/src || exiterr "Cannot enter /opt/src."
|
||||||
/bin/rm -rf "/opt/src/libreswan-$swan_ver"
|
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||||
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then
|
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
||||||
exiterr "Libreswan $swan_ver failed to build."
|
exiterr "Libreswan $SWAN_VER failed to build."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
bigecho "Creating VPN configuration..."
|
bigecho "Creating VPN configuration..."
|
||||||
@ -213,9 +210,8 @@ cat > /etc/ipsec.conf <<EOF
|
|||||||
version 2.0
|
version 2.0
|
||||||
|
|
||||||
config setup
|
config setup
|
||||||
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET
|
virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET
|
||||||
protostack=netkey
|
protostack=netkey
|
||||||
nhelpers=0
|
|
||||||
interfaces=%defaultroute
|
interfaces=%defaultroute
|
||||||
uniqueids=no
|
uniqueids=no
|
||||||
|
|
||||||
@ -305,8 +301,6 @@ EOF
|
|||||||
# Create VPN credentials
|
# Create VPN credentials
|
||||||
conf_bk "/etc/ppp/chap-secrets"
|
conf_bk "/etc/ppp/chap-secrets"
|
||||||
cat > /etc/ppp/chap-secrets <<EOF
|
cat > /etc/ppp/chap-secrets <<EOF
|
||||||
# Secrets for authentication using CHAP
|
|
||||||
# client server secret IP addresses
|
|
||||||
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
|
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
@ -320,30 +314,32 @@ bigecho "Updating sysctl settings..."
|
|||||||
|
|
||||||
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
|
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
|
||||||
conf_bk "/etc/sysctl.conf"
|
conf_bk "/etc/sysctl.conf"
|
||||||
|
if [ "$(getconf LONG_BIT)" = "64" ]; then
|
||||||
|
SHM_MAX=68719476736
|
||||||
|
SHM_ALL=4294967296
|
||||||
|
else
|
||||||
|
SHM_MAX=4294967295
|
||||||
|
SHM_ALL=268435456
|
||||||
|
fi
|
||||||
cat >> /etc/sysctl.conf <<EOF
|
cat >> /etc/sysctl.conf <<EOF
|
||||||
|
|
||||||
# Added by hwdsl2 VPN script
|
# Added by hwdsl2 VPN script
|
||||||
kernel.msgmnb = 65536
|
kernel.msgmnb = 65536
|
||||||
kernel.msgmax = 65536
|
kernel.msgmax = 65536
|
||||||
kernel.shmmax = 68719476736
|
kernel.shmmax = $SHM_MAX
|
||||||
kernel.shmall = 4294967296
|
kernel.shmall = $SHM_ALL
|
||||||
|
|
||||||
net.ipv4.ip_forward = 1
|
net.ipv4.ip_forward = 1
|
||||||
net.ipv4.tcp_syncookies = 1
|
|
||||||
net.ipv4.conf.all.accept_source_route = 0
|
net.ipv4.conf.all.accept_source_route = 0
|
||||||
net.ipv4.conf.default.accept_source_route = 0
|
|
||||||
net.ipv4.conf.all.accept_redirects = 0
|
net.ipv4.conf.all.accept_redirects = 0
|
||||||
net.ipv4.conf.default.accept_redirects = 0
|
|
||||||
net.ipv4.conf.all.send_redirects = 0
|
net.ipv4.conf.all.send_redirects = 0
|
||||||
net.ipv4.conf.default.send_redirects = 0
|
|
||||||
net.ipv4.conf.lo.send_redirects = 0
|
|
||||||
net.ipv4.conf.$NET_IFACE.send_redirects = 0
|
|
||||||
net.ipv4.conf.all.rp_filter = 0
|
net.ipv4.conf.all.rp_filter = 0
|
||||||
|
net.ipv4.conf.default.accept_source_route = 0
|
||||||
|
net.ipv4.conf.default.accept_redirects = 0
|
||||||
|
net.ipv4.conf.default.send_redirects = 0
|
||||||
net.ipv4.conf.default.rp_filter = 0
|
net.ipv4.conf.default.rp_filter = 0
|
||||||
net.ipv4.conf.lo.rp_filter = 0
|
net.ipv4.conf.$net_iface.send_redirects = 0
|
||||||
net.ipv4.conf.$NET_IFACE.rp_filter = 0
|
net.ipv4.conf.$net_iface.rp_filter = 0
|
||||||
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
|
||||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
|
||||||
|
|
||||||
net.core.wmem_max = 12582912
|
net.core.wmem_max = 12582912
|
||||||
net.core.rmem_max = 12582912
|
net.core.rmem_max = 12582912
|
||||||
@ -358,8 +354,8 @@ bigecho "Updating IPTables rules..."
|
|||||||
ipt_flag=0
|
ipt_flag=0
|
||||||
IPT_FILE="/etc/sysconfig/iptables"
|
IPT_FILE="/etc/sysconfig/iptables"
|
||||||
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \
|
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \
|
||||||
|| ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \
|
|| ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE 2>/dev/null \
|
||||||
|| ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
|
|| ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
|
||||||
ipt_flag=1
|
ipt_flag=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -374,17 +370,17 @@ if [ "$ipt_flag" = "1" ]; then
|
|||||||
iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
|
iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
|
||||||
iptables -I INPUT 6 -p udp --dport 1701 -j DROP
|
iptables -I INPUT 6 -p udp --dport 1701 -j DROP
|
||||||
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
|
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
|
||||||
iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
iptables -I FORWARD 2 -i "$net_iface" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT
|
iptables -I FORWARD 3 -i ppp+ -o "$net_iface" -j ACCEPT
|
||||||
iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT
|
iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT
|
||||||
iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
iptables -I FORWARD 5 -i "$net_iface" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
|
iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$net_iface" -j ACCEPT
|
||||||
# Uncomment if you wish to disallow traffic between VPN clients themselves
|
# Uncomment if you wish to disallow traffic between VPN clients themselves
|
||||||
# iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP
|
# iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP
|
||||||
# iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP
|
# iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP
|
||||||
iptables -A FORWARD -j DROP
|
iptables -A FORWARD -j DROP
|
||||||
iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
|
iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE
|
||||||
iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
|
iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE
|
||||||
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
|
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
|
||||||
iptables-save >> "$IPT_FILE"
|
iptables-save >> "$IPT_FILE"
|
||||||
fi
|
fi
|
||||||
@ -444,11 +440,10 @@ chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
|||||||
# Apply new IPTables rules
|
# Apply new IPTables rules
|
||||||
iptables-restore < "$IPT_FILE"
|
iptables-restore < "$IPT_FILE"
|
||||||
|
|
||||||
# Fix xl2tpd on CentOS 7 for providers such as Linode,
|
# Fix xl2tpd on CentOS 7, if kernel module "l2tp_ppp" is unavailable
|
||||||
# where kernel module "l2tp_ppp" is unavailable
|
|
||||||
if grep -qs "release 7" /etc/redhat-release; then
|
if grep -qs "release 7" /etc/redhat-release; then
|
||||||
if ! modprobe -q l2tp_ppp; then
|
if ! modprobe -q l2tp_ppp; then
|
||||||
sed -i '/ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service
|
sed -i '/^ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service
|
||||||
systemctl daemon-reload
|
systemctl daemon-reload
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -481,4 +476,9 @@ Setup VPN clients: https://git.io/vpnclients
|
|||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
## Defer setup until we have the complete script
|
||||||
|
vpnsetup "$@"
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
Loading…
Reference in New Issue
Block a user