parent
5f4585f781
commit
c55bec7b7d
34
vpnsetup.sh
34
vpnsetup.sh
@ -22,7 +22,7 @@
|
|||||||
# Attribution required: please include my name in any derivative and let me
|
# Attribution required: please include my name in any derivative and let me
|
||||||
# know how you have improved it!
|
# know how you have improved it!
|
||||||
|
|
||||||
if [[ "`uname`" == "Darwin" ]]; then
|
if [[ "$(uname)" == "Darwin" ]]; then
|
||||||
echo "DO NOT run this script on your Mac! It should only be run on a newly-created EC2 instance"
|
echo "DO NOT run this script on your Mac! It should only be run on a newly-created EC2 instance"
|
||||||
echo "or other dedicated server / VPS, after you have modified it to set the three variables below."
|
echo "or other dedicated server / VPS, after you have modified it to set the three variables below."
|
||||||
echo "Please see detailed instructions at the URLs in the comments."
|
echo "Please see detailed instructions at the URLs in the comments."
|
||||||
@ -37,6 +37,12 @@ VPN_PASSWORD=your_very_secure_password
|
|||||||
# Note: If you need multiple VPN users with different credentials,
|
# Note: If you need multiple VPN users with different credentials,
|
||||||
# please see: https://gist.github.com/hwdsl2/123b886f29f4c689f531
|
# please see: https://gist.github.com/hwdsl2/123b886f29f4c689f531
|
||||||
|
|
||||||
|
# In Amazon EC2, those two variables will be found automatically.
|
||||||
|
# For all other servers, you MUST replace them with the actual IPs!
|
||||||
|
# If your server only has a public IP, use that IP on both lines.
|
||||||
|
PRIVATE_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4')
|
||||||
|
PUBLIC_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4')
|
||||||
|
|
||||||
# Install necessary packages
|
# Install necessary packages
|
||||||
apt-get update
|
apt-get update
|
||||||
apt-get install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
|
apt-get install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
|
||||||
@ -51,15 +57,11 @@ apt-get install xl2tpd -y
|
|||||||
# "service ipsec restart" and "service xl2tpd restart".
|
# "service ipsec restart" and "service xl2tpd restart".
|
||||||
mkdir -p /opt/src
|
mkdir -p /opt/src
|
||||||
cd /opt/src
|
cd /opt/src
|
||||||
wget -qO- https://download.libreswan.org/libreswan-3.11.tar.gz | tar xvz
|
wget -qO- https://download.libreswan.org/libreswan-3.12.tar.gz | tar xvz
|
||||||
cd libreswan-3.11
|
cd libreswan-3.12
|
||||||
make programs
|
make programs
|
||||||
make install
|
make install
|
||||||
|
|
||||||
# Those two variables will be found automatically
|
|
||||||
PRIVATE_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4'`
|
|
||||||
PUBLIC_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4'`
|
|
||||||
|
|
||||||
# Prepare various config files
|
# Prepare various config files
|
||||||
cat > /etc/ipsec.conf <<EOF
|
cat > /etc/ipsec.conf <<EOF
|
||||||
version 2.0
|
version 2.0
|
||||||
@ -147,7 +149,7 @@ cat > /etc/ppp/chap-secrets <<EOF
|
|||||||
$VPN_USER l2tpd $VPN_PASSWORD *
|
$VPN_USER l2tpd $VPN_PASSWORD *
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
/bin/cp -f /etc/sysctl.conf /etc/sysctl.conf.old
|
/bin/cp -f /etc/sysctl.conf /etc/sysctl.conf.old-$(date +%Y-%m-%d-%H:%M:%S)
|
||||||
cat > /etc/sysctl.conf <<EOF
|
cat > /etc/sysctl.conf <<EOF
|
||||||
kernel.sysrq = 0
|
kernel.sysrq = 0
|
||||||
kernel.core_uses_pid = 1
|
kernel.core_uses_pid = 1
|
||||||
@ -180,14 +182,13 @@ net.ipv4.tcp_rmem= 10240 87380 12582912
|
|||||||
net.ipv4.tcp_wmem= 10240 87380 12582912
|
net.ipv4.tcp_wmem= 10240 87380 12582912
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
/bin/cp -f /etc/iptables.rules /etc/iptables.rules.old
|
/bin/cp -f /etc/iptables.rules /etc/iptables.rules.old-$(date +%Y-%m-%d-%H:%M:%S)
|
||||||
cat > /etc/iptables.rules <<EOF
|
cat > /etc/iptables.rules <<EOF
|
||||||
*filter
|
*filter
|
||||||
:INPUT ACCEPT [0:0]
|
:INPUT ACCEPT [0:0]
|
||||||
:FORWARD ACCEPT [0:0]
|
:FORWARD ACCEPT [0:0]
|
||||||
:OUTPUT ACCEPT [0:0]
|
:OUTPUT ACCEPT [0:0]
|
||||||
:ICMPALL - [0:0]
|
:ICMPALL - [0:0]
|
||||||
:ZREJ - [0:0]
|
|
||||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
-A INPUT -i lo -j ACCEPT
|
-A INPUT -i lo -j ACCEPT
|
||||||
@ -197,26 +198,25 @@ cat > /etc/iptables.rules <<EOF
|
|||||||
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
|
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
|
||||||
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
|
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
|
||||||
-A INPUT -p udp --dport 1701 -j DROP
|
-A INPUT -p udp --dport 1701 -j DROP
|
||||||
-A INPUT -j ZREJ
|
-A INPUT -j DROP
|
||||||
|
-A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
-A FORWARD -i ppp+ -o eth+ -j ACCEPT
|
-A FORWARD -i ppp+ -o eth+ -j ACCEPT
|
||||||
-A FORWARD -j ZREJ
|
-A FORWARD -j DROP
|
||||||
-A ICMPALL -p icmp --fragment -j DROP
|
-A ICMPALL -p icmp -f -j DROP
|
||||||
-A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
|
-A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
|
||||||
-A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
|
-A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
|
||||||
-A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
|
-A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
|
||||||
-A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
|
-A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
|
||||||
-A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
|
-A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
|
||||||
-A ICMPALL -p icmp -j DROP
|
-A ICMPALL -p icmp -j DROP
|
||||||
-A ZREJ -p tcp -j REJECT --reject-with tcp-reset
|
|
||||||
-A ZREJ -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
||||||
-A ZREJ -j REJECT --reject-with icmp-proto-unreachable
|
|
||||||
COMMIT
|
COMMIT
|
||||||
*nat
|
*nat
|
||||||
:PREROUTING ACCEPT [0:0]
|
:PREROUTING ACCEPT [0:0]
|
||||||
:INPUT ACCEPT [0:0]
|
:INPUT ACCEPT [0:0]
|
||||||
:OUTPUT ACCEPT [0:0]
|
:OUTPUT ACCEPT [0:0]
|
||||||
:POSTROUTING ACCEPT [0:0]
|
:POSTROUTING ACCEPT [0:0]
|
||||||
|
-A POSTROUTING -s 192.168.42.0/24 -o eth+ -m policy --dir out --pol ipsec -j ACCEPT
|
||||||
-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source ${PRIVATE_IP}
|
-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source ${PRIVATE_IP}
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
@ -227,7 +227,7 @@ cat > /etc/network/if-pre-up.d/iptablesload <<EOF
|
|||||||
exit 0
|
exit 0
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
/bin/cp -f /etc/rc.local /etc/rc.local.old
|
/bin/cp -f /etc/rc.local /etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)
|
||||||
cat > /etc/rc.local <<EOF
|
cat > /etc/rc.local <<EOF
|
||||||
#!/bin/sh -e
|
#!/bin/sh -e
|
||||||
#
|
#
|
||||||
|
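Review bot: The two new metadata fetches in the `-37,6 +37,12` hunk assign whatever `wget` returns without checking it, even though the comment added just above says non-EC2 servers MUST override them; on such a host `wget` may block through its default retries and then leave `PRIVATE_IP` empty, so the `-j SNAT --to-source ${PRIVATE_IP}` line in the iptables heredoc is written with no address and iptables-restore will reject the ruleset, leaving the firewall unloaded (`PUBLIC_IP` presumably reaches the ipsec config the same way, which is outside these hunks). Bound the probe and fail fast on an empty value: `PRIVATE_IP=$(wget -q -T 5 -t 1 -O - 'http://169.254.169.254/latest/meta-data/local-ipv4')`, `PUBLIC_IP=$(wget -q -T 5 -t 1 -O - 'http://169.254.169.254/latest/meta-data/public-ipv4')`, `: "${PRIVATE_IP:?not on EC2 - set PRIVATE_IP and PUBLIC_IP manually}"`. The script does not run under `set -e`, so without an explicit check like this the empty value is silently carried into the generated config.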