Improve VPN setup

- Continue VPN setup (instead of exiting) if fail2ban fails to install.
2024-11-21 20:46:10 +03:00 · 2022-09-09 23:53:13 -05:00 · 2022-09-09 23:53:13 -05:00 · c5df950ea2
commit c5df950ea2
parent 098a6b4e5d
4 changed files with 49 additions and 50 deletions
--- a/vpnsetup_alpine.sh
+++ b/vpnsetup_alpine.sh
@ -194,7 +194,7 @@ install_fail2ban() {
  (
    set -x
    apk add -U -q fail2ban
-  ) || exiterr2
+  )
 }

 get_helper_scripts() {
@ -487,7 +487,7 @@ EOF
  chmod +x /etc/network/if-pre-up.d/iptablesload
  sed -i '1c\#!/sbin/openrc-run' /etc/init.d/ipsec
  for svc in fail2ban ipsec xl2tpd; do
-    rc-update add "$svc" default >/dev/null
+    rc-update add "$svc" default >/dev/null 2>&1
  done
 }

--- a/vpnsetup_amzn.sh
+++ b/vpnsetup_amzn.sh
@ -189,12 +189,26 @@ install_vpn_pkgs_2() {
  ) || exiterr2
 }

+create_f2b_config() {
+  F2B_FILE=/etc/fail2ban/jail.local
+  if [ ! -f "$F2B_FILE" ]; then
+    bigecho "Creating basic Fail2Ban rules..."
+cat > "$F2B_FILE" <<'EOF'
+[ssh-iptables]
+enabled = true
+filter = sshd
+logpath = /var/log/secure
+action = iptables[name=SSH, port=ssh, protocol=tcp]
+EOF
+  fi
+}
+
 install_fail2ban() {
  bigecho "Installing Fail2Ban to protect SSH..."
  (
    set -x
    yum --enablerepo=epel -y -q install fail2ban >/dev/null
-  ) || exiterr2
+  ) && create_f2b_config
 }

 get_helper_scripts() {
@ -410,20 +424,6 @@ $VPN_USER:$VPN_PASSWORD_ENC:xauth-psk
 EOF
 }

-create_f2b_config() {
-  F2B_FILE=/etc/fail2ban/jail.local
-  if [ ! -f "$F2B_FILE" ]; then
-    bigecho "Creating basic Fail2Ban rules..."
-cat > "$F2B_FILE" <<'EOF'
-[ssh-iptables]
-enabled = true
-filter = sshd
-logpath = /var/log/secure
-action = iptables[name=SSH, port=ssh, protocol=tcp]
-EOF
-  fi
-}
-
 update_sysctl() {
  bigecho "Updating sysctl settings..."
  if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
@ -490,7 +490,8 @@ update_iptables() {
 enable_on_boot() {
  bigecho "Enabling services on boot..."
  systemctl --now mask firewalld 2>/dev/null
-  systemctl enable iptables fail2ban 2>/dev/null
+  systemctl enable iptables 2>/dev/null
+  systemctl enable fail2ban 2>/dev/null
  if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
    if [ -f /etc/rc.local ]; then
      conf_bk "/etc/rc.local"
@ -606,7 +607,6 @@ vpnsetup() {
  get_libreswan
  install_libreswan
  create_vpn_config
-  create_f2b_config
  update_sysctl
  update_iptables
  enable_on_boot
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@ -279,12 +279,36 @@ install_vpn_pkgs_3() {
  fi
 }

+create_f2b_config() {
+  F2B_FILE=/etc/fail2ban/jail.local
+  if [ ! -f "$F2B_FILE" ]; then
+    bigecho "Creating basic Fail2Ban rules..."
+cat > "$F2B_FILE" <<'EOF'
+[ssh-iptables]
+enabled = true
+filter = sshd
+logpath = /var/log/secure
+EOF
+
+    if [ "$use_nft" = "1" ]; then
+cat >> "$F2B_FILE" <<'EOF'
+port = ssh
+banaction = nftables-multiport[blocktype=drop]
+EOF
+    else
+cat >> "$F2B_FILE" <<'EOF'
+action = iptables[name=SSH, port=ssh, protocol=tcp]
+EOF
+    fi
+  fi
+}
+
 install_fail2ban() {
  bigecho "Installing Fail2Ban to protect SSH..."
  (
    set -x
    yum "$rp1" -y -q install fail2ban >/dev/null
-  ) || exiterr2
+  ) && create_f2b_config
 }

 get_helper_scripts() {
@ -500,30 +524,6 @@ $VPN_USER:$VPN_PASSWORD_ENC:xauth-psk
 EOF
 }

-create_f2b_config() {
-  F2B_FILE=/etc/fail2ban/jail.local
-  if [ ! -f "$F2B_FILE" ]; then
-    bigecho "Creating basic Fail2Ban rules..."
-cat > "$F2B_FILE" <<'EOF'
-[ssh-iptables]
-enabled = true
-filter = sshd
-logpath = /var/log/secure
-EOF
-
-    if [ "$use_nft" = "1" ]; then
-cat >> "$F2B_FILE" <<'EOF'
-port = ssh
-banaction = nftables-multiport[blocktype=drop]
-EOF
-    else
-cat >> "$F2B_FILE" <<'EOF'
-action = iptables[name=SSH, port=ssh, protocol=tcp]
-EOF
-    fi
-  fi
-}
-
 update_sysctl() {
  bigecho "Updating sysctl settings..."
  if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
@ -650,9 +650,11 @@ enable_on_boot() {
  if [ "$os_type$os_ver" = "ol9" ]; then
    systemctl enable nftables 2>/dev/null
  elif [ "$use_nft" = "1" ]; then
-    systemctl enable nftables fail2ban 2>/dev/null
+    systemctl enable nftables 2>/dev/null
+    systemctl enable fail2ban 2>/dev/null
  else
-    systemctl enable iptables fail2ban 2>/dev/null
+    systemctl enable iptables 2>/dev/null
+    systemctl enable fail2ban 2>/dev/null
  fi
  if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
    if [ -f /etc/rc.local ]; then
@ -778,9 +780,6 @@ vpnsetup() {
  get_libreswan
  install_libreswan
  create_vpn_config
-  if [ "$os_type$os_ver" != "ol9" ]; then
-    create_f2b_config
-  fi
  update_sysctl
  update_iptables
  fix_nss_config
--- a/vpnsetup_ubuntu.sh
+++ b/vpnsetup_ubuntu.sh
@ -245,7 +245,7 @@ install_fail2ban() {
  (
    set -x
    apt-get -yqq install fail2ban >/dev/null
-  ) || exiterr2
+  )
 }

 get_helper_scripts() {