Cleanup
parent
32faed40d5
commit
cc99e18123
@ -65,16 +65,16 @@ EOF
|
|||||||
exiterr "VPN username must not contain these special characters: \\ \" '"
|
exiterr "VPN username must not contain these special characters: \\ \" '"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
if [ "$(grep -c "^\"$VPN_USER\" " /etc/ppp/chap-secrets)" = "0" ] \
|
if [ "$(grep -c "^\"$VPN_USER\" " /etc/ppp/chap-secrets)" = 0 ] \
|
||||||
|| [ "$(grep -c "^$VPN_USER:\\\$1\\\$" /etc/ipsec.d/passwd)" = "0" ]; then
|
|| [ "$(grep -c "^$VPN_USER:\\\$1\\\$" /etc/ipsec.d/passwd)" = 0 ]; then
|
||||||
cat 1>&2 <<'EOF'
|
cat 1>&2 <<'EOF'
|
||||||
Error: The specified VPN user does not exist in /etc/ppp/chap-secrets
|
Error: The specified VPN user does not exist in /etc/ppp/chap-secrets
|
||||||
and/or /etc/ipsec.d/passwd.
|
and/or /etc/ipsec.d/passwd.
|
||||||
EOF
|
EOF
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = "1" ] \
|
if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = 1 ] \
|
||||||
|| [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = "1" ]; then
|
|| [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = 1 ]; then
|
||||||
cat 1>&2 <<'EOF'
|
cat 1>&2 <<'EOF'
|
||||||
Error: Could not delete the only VPN user from /etc/ppp/chap-secrets
|
Error: Could not delete the only VPN user from /etc/ppp/chap-secrets
|
||||||
and/or /etc/ipsec.d/passwd.
|
and/or /etc/ipsec.d/passwd.
|
||||||
|
@ -108,7 +108,6 @@ get_server_address() {
|
|||||||
show_welcome() {
|
show_welcome() {
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
Welcome! Use this script to change this IKEv2 VPN server's address.
|
Welcome! Use this script to change this IKEv2 VPN server's address.
|
||||||
A new server certificate will be generated if necessary.
|
|
||||||
|
|
||||||
Current server address: $server_addr_old
|
Current server address: $server_addr_old
|
||||||
|
|
||||||
@ -124,10 +123,11 @@ get_default_ip() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
get_server_ip() {
|
get_server_ip() {
|
||||||
bigecho "Trying to auto discover IP of this server..."
|
use_default_ip=0
|
||||||
public_ip=${VPN_PUBLIC_IP:-''}
|
public_ip=${VPN_PUBLIC_IP:-''}
|
||||||
check_ip "$public_ip" || get_default_ip
|
check_ip "$public_ip" || get_default_ip
|
||||||
check_ip "$public_ip" && return 0
|
check_ip "$public_ip" && { use_default_ip=1; return 0; }
|
||||||
|
bigecho "Trying to auto discover IP of this server..."
|
||||||
check_ip "$public_ip" || public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
|
check_ip "$public_ip" || public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
|
||||||
check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ipv4.icanhazip.com)
|
check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ipv4.icanhazip.com)
|
||||||
check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ip1.dynupdate.no-ip.com)
|
check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ip1.dynupdate.no-ip.com)
|
||||||
@ -147,7 +147,7 @@ enter_server_address() {
|
|||||||
echo
|
echo
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
if [ "$use_dns_name" = "1" ]; then
|
if [ "$use_dns_name" = 1 ]; then
|
||||||
read -rp "Enter the DNS name of this VPN server: " server_addr
|
read -rp "Enter the DNS name of this VPN server: " server_addr
|
||||||
until check_dns_name "$server_addr"; do
|
until check_dns_name "$server_addr"; do
|
||||||
echo "Invalid DNS name. You must enter a fully qualified domain name (FQDN)."
|
echo "Invalid DNS name. You must enter a fully qualified domain name (FQDN)."
|
||||||
@ -155,7 +155,7 @@ enter_server_address() {
|
|||||||
done
|
done
|
||||||
else
|
else
|
||||||
get_server_ip
|
get_server_ip
|
||||||
echo
|
[ "$use_default_ip" = 0 ] && echo
|
||||||
read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr
|
read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr
|
||||||
[ -z "$server_addr" ] && server_addr="$public_ip"
|
[ -z "$server_addr" ] && server_addr="$public_ip"
|
||||||
until check_ip "$server_addr"; do
|
until check_ip "$server_addr"; do
|
||||||
@ -178,7 +178,11 @@ confirm_changes() {
|
|||||||
cat <<EOF
|
cat <<EOF
|
||||||
|
|
||||||
You are about to change this IKEv2 VPN server's address.
|
You are about to change this IKEv2 VPN server's address.
|
||||||
Read the important notes below before continuing.
|
|
||||||
|
*IMPORTANT* After running this script, you must manually update
|
||||||
|
the server address (and remote ID, if applicable) on any existing
|
||||||
|
IKEv2 client devices. For iOS clients, you'll need to export and
|
||||||
|
re-import client configuration using the IKEv2 helper script.
|
||||||
|
|
||||||
===========================================
|
===========================================
|
||||||
|
|
||||||
@ -187,12 +191,6 @@ New server address: $server_addr
|
|||||||
|
|
||||||
===========================================
|
===========================================
|
||||||
|
|
||||||
*IMPORTANT*
|
|
||||||
After running this script, you must manually update the server address
|
|
||||||
(and remote ID, if applicable) on any existing IKEv2 client devices.
|
|
||||||
For iOS clients, you'll need to export and re-import client configuration
|
|
||||||
using the IKEv2 helper script.
|
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
printf "Do you want to continue? [Y/n] "
|
printf "Do you want to continue? [Y/n] "
|
||||||
read -r response
|
read -r response
|
||||||
@ -211,7 +209,7 @@ create_server_cert() {
|
|||||||
bigecho "Server certificate '$server_addr' already exists, skipping..."
|
bigecho "Server certificate '$server_addr' already exists, skipping..."
|
||||||
else
|
else
|
||||||
bigecho "Generating server certificate..."
|
bigecho "Generating server certificate..."
|
||||||
if [ "$use_dns_name" = "1" ]; then
|
if [ "$use_dns_name" = 1 ]; then
|
||||||
certutil -z <(head -c 1024 /dev/urandom) \
|
certutil -z <(head -c 1024 /dev/urandom) \
|
||||||
-S -c "IKEv2 VPN CA" -n "$server_addr" \
|
-S -c "IKEv2 VPN CA" -n "$server_addr" \
|
||||||
-s "O=IKEv2 VPN,CN=$server_addr" \
|
-s "O=IKEv2 VPN,CN=$server_addr" \
|
||||||
@ -242,7 +240,7 @@ update_ikev2_conf() {
|
|||||||
sed -i".old-$SYS_DT" \
|
sed -i".old-$SYS_DT" \
|
||||||
-e "/^[[:space:]]\+leftcert=/d" \
|
-e "/^[[:space:]]\+leftcert=/d" \
|
||||||
-e "/^[[:space:]]\+leftid=/d" /etc/ipsec.d/ikev2.conf
|
-e "/^[[:space:]]\+leftid=/d" /etc/ipsec.d/ikev2.conf
|
||||||
if [ "$use_dns_name" = "1" ]; then
|
if [ "$use_dns_name" = 1 ]; then
|
||||||
sed -i "/conn ikev2-cp/a \ leftid=@$server_addr" /etc/ipsec.d/ikev2.conf
|
sed -i "/conn ikev2-cp/a \ leftid=@$server_addr" /etc/ipsec.d/ikev2.conf
|
||||||
else
|
else
|
||||||
sed -i "/conn ikev2-cp/a \ leftid=$server_addr" /etc/ipsec.d/ikev2.conf
|
sed -i "/conn ikev2-cp/a \ leftid=$server_addr" /etc/ipsec.d/ikev2.conf
|
||||||
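Review bot: `use_default_ip` in get_server_ip is set to 1 on every early return, including the case where `VPN_PUBLIC_IP` was already a valid address and `get_default_ip` never ran, so the name promises more than the flag records; what it actually means is "the auto-discover banner was not printed", which is all enter_server_address checks at `[ "$use_default_ip" = 0 ] && echo`. A comment at the assignment would keep the next reader from treating it as "default-route IP in use": `# 1 = address came from VPN_PUBLIC_IP or the default route and no discovery banner was printed; enter_server_address uses it to skip the spacer line`. The same change, with the same naming issue, is made in the next file's get_server_ip hunk (`@ -370,10 +370,11 @@`) and consumed in its enter_server_address hunk (`@ -434,8 +435,7 @@`). Separately, on the new side of this hunk the fallbacks fetch the public IP over DNS and plain http, so the discovered value can be altered on path; in this function it only becomes the prompt default that the operator confirms at the following `read -rp`, which limits the impact, but any non-interactive caller of get_server_ip would take the value unconfirmed — worth verifying.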
|
@ -211,7 +211,7 @@ check_cert_status() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
check_arguments() {
|
check_arguments() {
|
||||||
if [ "$use_defaults" = "1" ] && check_ikev2_exists; then
|
if [ "$use_defaults" = 1 ] && check_ikev2_exists; then
|
||||||
echo "Error: Invalid parameter '--auto'. IKEv2 is already set up on this server." >&2
|
echo "Error: Invalid parameter '--auto'. IKEv2 is already set up on this server." >&2
|
||||||
echo " To manage VPN clients, re-run this script without '--auto'." >&2
|
echo " To manage VPN clients, re-run this script without '--auto'." >&2
|
||||||
echo " To change IKEv2 server address, see https://vpnsetup.net/ikev2" >&2
|
echo " To change IKEv2 server address, see https://vpnsetup.net/ikev2" >&2
|
||||||
@ -220,37 +220,37 @@ check_arguments() {
|
|||||||
if [ "$((add_client + export_client + list_clients + revoke_client + delete_client))" -gt 1 ]; then
|
if [ "$((add_client + export_client + list_clients + revoke_client + delete_client))" -gt 1 ]; then
|
||||||
show_usage "Invalid parameters. Specify only one of '--addclient', '--exportclient', '--listclients', '--revokeclient' or '--deleteclient'."
|
show_usage "Invalid parameters. Specify only one of '--addclient', '--exportclient', '--listclients', '--revokeclient' or '--deleteclient'."
|
||||||
fi
|
fi
|
||||||
if [ "$remove_ikev2" = "1" ]; then
|
if [ "$remove_ikev2" = 1 ]; then
|
||||||
if [ "$((add_client + export_client + list_clients + revoke_client + delete_client + use_defaults))" -gt 0 ]; then
|
if [ "$((add_client + export_client + list_clients + revoke_client + delete_client + use_defaults))" -gt 0 ]; then
|
||||||
show_usage "Invalid parameters. '--removeikev2' cannot be specified with other parameters."
|
show_usage "Invalid parameters. '--removeikev2' cannot be specified with other parameters."
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if ! check_ikev2_exists; then
|
if ! check_ikev2_exists; then
|
||||||
[ "$add_client" = "1" ] && exiterr "You must first set up IKEv2 before adding a client."
|
[ "$add_client" = 1 ] && exiterr "You must first set up IKEv2 before adding a client."
|
||||||
[ "$export_client" = "1" ] && exiterr "You must first set up IKEv2 before exporting a client."
|
[ "$export_client" = 1 ] && exiterr "You must first set up IKEv2 before exporting a client."
|
||||||
[ "$list_clients" = "1" ] && exiterr "You must first set up IKEv2 before listing clients."
|
[ "$list_clients" = 1 ] && exiterr "You must first set up IKEv2 before listing clients."
|
||||||
[ "$revoke_client" = "1" ] && exiterr "You must first set up IKEv2 before revoking a client."
|
[ "$revoke_client" = 1 ] && exiterr "You must first set up IKEv2 before revoking a client."
|
||||||
[ "$delete_client" = "1" ] && exiterr "You must first set up IKEv2 before deleting a client."
|
[ "$delete_client" = 1 ] && exiterr "You must first set up IKEv2 before deleting a client."
|
||||||
[ "$remove_ikev2" = "1" ] && exiterr "Cannot remove IKEv2 because it has not been set up on this server."
|
[ "$remove_ikev2" = 1 ] && exiterr "Cannot remove IKEv2 because it has not been set up on this server."
|
||||||
fi
|
fi
|
||||||
if [ "$add_client" = "1" ]; then
|
if [ "$add_client" = 1 ]; then
|
||||||
if [ -z "$client_name" ] || ! check_client_name "$client_name"; then
|
if [ -z "$client_name" ] || ! check_client_name "$client_name"; then
|
||||||
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
|
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
|
||||||
elif check_cert_exists "$client_name"; then
|
elif check_cert_exists "$client_name"; then
|
||||||
exiterr "Invalid client name. Client '$client_name' already exists."
|
exiterr "Invalid client name. Client '$client_name' already exists."
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ "$export_client" = "1" ] || [ "$revoke_client" = "1" ] || [ "$delete_client" = "1" ]; then
|
if [ "$export_client" = 1 ] || [ "$revoke_client" = 1 ] || [ "$delete_client" = 1 ]; then
|
||||||
get_server_address
|
get_server_address
|
||||||
if [ -z "$client_name" ] || ! check_client_name "$client_name" \
|
if [ -z "$client_name" ] || ! check_client_name "$client_name" \
|
||||||
|| [ "$client_name" = "$CA_NAME" ] || [ "$client_name" = "$server_addr" ] \
|
|| [ "$client_name" = "$CA_NAME" ] || [ "$client_name" = "$server_addr" ] \
|
||||||
|| ! check_cert_exists "$client_name"; then
|
|| ! check_cert_exists "$client_name"; then
|
||||||
exiterr "Invalid client name, or client does not exist."
|
exiterr "Invalid client name, or client does not exist."
|
||||||
fi
|
fi
|
||||||
if [ "$delete_client" = "0" ] && ! check_cert_status "$client_name"; then
|
if [ "$delete_client" = 0 ] && ! check_cert_status "$client_name"; then
|
||||||
printf '%s' "Error: Certificate '$client_name' " >&2
|
printf '%s' "Error: Certificate '$client_name' " >&2
|
||||||
if printf '%s' "$cert_status" | grep -q "revoked"; then
|
if printf '%s' "$cert_status" | grep -q "revoked"; then
|
||||||
if [ "$revoke_client" = "1" ]; then
|
if [ "$revoke_client" = 1 ]; then
|
||||||
echo "has already been revoked." >&2
|
echo "has already been revoked." >&2
|
||||||
else
|
else
|
||||||
echo "has been revoked." >&2
|
echo "has been revoked." >&2
|
||||||
@ -370,10 +370,11 @@ get_default_ip() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
get_server_ip() {
|
get_server_ip() {
|
||||||
bigecho2 "Trying to auto discover IP of this server..."
|
use_default_ip=0
|
||||||
public_ip=${VPN_PUBLIC_IP:-''}
|
public_ip=${VPN_PUBLIC_IP:-''}
|
||||||
check_ip "$public_ip" || get_default_ip
|
check_ip "$public_ip" || get_default_ip
|
||||||
check_ip "$public_ip" && return 0
|
check_ip "$public_ip" && { use_default_ip=1; return 0; }
|
||||||
|
bigecho2 "Trying to auto discover IP of this server..."
|
||||||
check_ip "$public_ip" || public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
|
check_ip "$public_ip" || public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
|
||||||
check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ipv4.icanhazip.com)
|
check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ipv4.icanhazip.com)
|
||||||
check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ip1.dynupdate.no-ip.com)
|
check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ip1.dynupdate.no-ip.com)
|
||||||
@ -405,7 +406,7 @@ list_existing_clients() {
|
|||||||
fi
|
fi
|
||||||
client_count=$(printf '%s\n' "$client_names" | wc -l 2>/dev/null)
|
client_count=$(printf '%s\n' "$client_names" | wc -l 2>/dev/null)
|
||||||
[ -z "$client_names" ] && client_count=0
|
[ -z "$client_names" ] && client_count=0
|
||||||
if [ "$client_count" = "1" ]; then
|
if [ "$client_count" = 1 ]; then
|
||||||
printf '\n%s\n' "Total: 1 client"
|
printf '\n%s\n' "Total: 1 client"
|
||||||
elif [ -n "$client_count" ]; then
|
elif [ -n "$client_count" ]; then
|
||||||
printf '\n%s\n' "Total: $client_count clients"
|
printf '\n%s\n' "Total: $client_count clients"
|
||||||
@ -426,7 +427,7 @@ enter_server_address() {
|
|||||||
echo
|
echo
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
if [ "$use_dns_name" = "1" ]; then
|
if [ "$use_dns_name" = 1 ]; then
|
||||||
read -rp "Enter the DNS name of this VPN server: " server_addr
|
read -rp "Enter the DNS name of this VPN server: " server_addr
|
||||||
until check_dns_name "$server_addr"; do
|
until check_dns_name "$server_addr"; do
|
||||||
echo "Invalid DNS name. You must enter a fully qualified domain name (FQDN)."
|
echo "Invalid DNS name. You must enter a fully qualified domain name (FQDN)."
|
||||||
@ -434,8 +435,7 @@ enter_server_address() {
|
|||||||
done
|
done
|
||||||
else
|
else
|
||||||
get_server_ip
|
get_server_ip
|
||||||
echo
|
[ "$use_default_ip" = 0 ] && { echo; echo; }
|
||||||
echo
|
|
||||||
read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr
|
read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr
|
||||||
[ -z "$server_addr" ] && server_addr="$public_ip"
|
[ -z "$server_addr" ] && server_addr="$public_ip"
|
||||||
until check_ip "$server_addr"; do
|
until check_ip "$server_addr"; do
|
||||||
@ -476,7 +476,7 @@ enter_client_name() {
|
|||||||
enter_client_name_for() {
|
enter_client_name_for() {
|
||||||
echo
|
echo
|
||||||
list_existing_clients
|
list_existing_clients
|
||||||
if [ "$client_count" = "0" ]; then
|
if [ "$client_count" = 0 ]; then
|
||||||
echo
|
echo
|
||||||
echo "No IKEv2 clients in the IPsec database. Nothing to $1." >&2
|
echo "No IKEv2 clients in the IPsec database. Nothing to $1." >&2
|
||||||
exit 1
|
exit 1
|
||||||
@ -541,7 +541,7 @@ enter_custom_dns() {
|
|||||||
dns_servers="8.8.8.8 8.8.4.4"
|
dns_servers="8.8.8.8 8.8.4.4"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
if [ "$use_custom_dns" = "1" ]; then
|
if [ "$use_custom_dns" = 1 ]; then
|
||||||
read -rp "Enter primary DNS server: " dns_server_1
|
read -rp "Enter primary DNS server: " dns_server_1
|
||||||
until check_ip "$dns_server_1"; do
|
until check_ip "$dns_server_1"; do
|
||||||
echo "Invalid DNS server."
|
echo "Invalid DNS server."
|
||||||
@ -582,7 +582,7 @@ check_mobike_support() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
# Linux kernels on Ubuntu do not support MOBIKE
|
# Linux kernels on Ubuntu do not support MOBIKE
|
||||||
if [ "$in_container" = "0" ]; then
|
if [ "$in_container" = 0 ]; then
|
||||||
if [ "$os_type" = "ubuntu" ] || uname -v | grep -qi ubuntu; then
|
if [ "$os_type" = "ubuntu" ] || uname -v | grep -qi ubuntu; then
|
||||||
mobike_support=0
|
mobike_support=0
|
||||||
fi
|
fi
|
||||||
@ -597,7 +597,7 @@ check_mobike_support() {
|
|||||||
if uname -a | grep -qi synology; then
|
if uname -a | grep -qi synology; then
|
||||||
mobike_support=0
|
mobike_support=0
|
||||||
fi
|
fi
|
||||||
if [ "$mobike_support" = "1" ]; then
|
if [ "$mobike_support" = 1 ]; then
|
||||||
bigecho2 "Checking for MOBIKE support... available"
|
bigecho2 "Checking for MOBIKE support... available"
|
||||||
else
|
else
|
||||||
bigecho2 "Checking for MOBIKE support... not available"
|
bigecho2 "Checking for MOBIKE support... not available"
|
||||||
@ -607,7 +607,7 @@ check_mobike_support() {
|
|||||||
select_mobike() {
|
select_mobike() {
|
||||||
echo
|
echo
|
||||||
mobike_enable=0
|
mobike_enable=0
|
||||||
if [ "$mobike_support" = "1" ]; then
|
if [ "$mobike_support" = 1 ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
|
|
||||||
The MOBIKE IKEv2 extension allows VPN clients to change network attachment points,
|
The MOBIKE IKEv2 extension allows VPN clients to change network attachment points,
|
||||||
@ -642,7 +642,7 @@ check_config_password() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
select_config_password() {
|
select_config_password() {
|
||||||
if [ "$use_config_password" = "0" ]; then
|
if [ "$use_config_password" = 0 ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
|
|
||||||
IKEv2 client config files contain the client certificate, private key and CA certificate.
|
IKEv2 client config files contain the client certificate, private key and CA certificate.
|
||||||
@ -699,13 +699,13 @@ We are ready to set up IKEv2 now. Below are the setup options you selected.
|
|||||||
|
|
||||||
EOF
|
EOF
|
||||||
print_server_client_info
|
print_server_client_info
|
||||||
if [ "$client_validity" = "1" ]; then
|
if [ "$client_validity" = 1 ]; then
|
||||||
echo "Client cert valid for: 1 month"
|
echo "Client cert valid for: 1 month"
|
||||||
else
|
else
|
||||||
echo "Client cert valid for: $client_validity months"
|
echo "Client cert valid for: $client_validity months"
|
||||||
fi
|
fi
|
||||||
if [ "$mobike_support" = "1" ]; then
|
if [ "$mobike_support" = 1 ]; then
|
||||||
if [ "$mobike_enable" = "1" ]; then
|
if [ "$mobike_enable" = 1 ]; then
|
||||||
echo "MOBIKE support: Enable"
|
echo "MOBIKE support: Enable"
|
||||||
else
|
else
|
||||||
echo "MOBIKE support: Disable"
|
echo "MOBIKE support: Disable"
|
||||||
@ -713,7 +713,7 @@ EOF
|
|||||||
else
|
else
|
||||||
echo "MOBIKE support: Not available"
|
echo "MOBIKE support: Not available"
|
||||||
fi
|
fi
|
||||||
if [ "$use_config_password" = "1" ]; then
|
if [ "$use_config_password" = 1 ]; then
|
||||||
echo "Protect client config: Yes"
|
echo "Protect client config: Yes"
|
||||||
else
|
else
|
||||||
echo "Protect client config: No"
|
echo "Protect client config: No"
|
||||||
@ -754,7 +754,7 @@ create_p12_password() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
get_p12_password() {
|
get_p12_password() {
|
||||||
if [ "$use_config_password" = "0" ]; then
|
if [ "$use_config_password" = 0 ]; then
|
||||||
create_p12_password
|
create_p12_password
|
||||||
else
|
else
|
||||||
p12_password=$(grep -s '^IKEV2_CONFIG_PASSWORD=.\+' "$CONF_FILE" | tail -n 1 | cut -f2- -d= | sed -e "s/^'//" -e "s/'$//")
|
p12_password=$(grep -s '^IKEV2_CONFIG_PASSWORD=.\+' "$CONF_FILE" | tail -n 1 | cut -f2- -d= | sed -e "s/^'//" -e "s/'$//")
|
||||||
@ -788,7 +788,7 @@ export_p12_file() {
|
|||||||
/bin/rm -f "$client_key" "$client_crt" "$ca_crt"
|
/bin/rm -f "$client_key" "$client_crt" "$ca_crt"
|
||||||
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \
|
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \
|
||||||
-legacy -name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
|
-legacy -name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
|
||||||
if [ "$use_config_password" = "0" ]; then
|
if [ "$use_config_password" = 0 ]; then
|
||||||
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \
|
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \
|
||||||
-legacy -name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1
|
-legacy -name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1
|
||||||
fi
|
fi
|
||||||
@ -798,18 +798,18 @@ export_p12_file() {
|
|||||||
openssl pkcs12 -in "$p12_file_enc" -out "$pem_file" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
|
openssl pkcs12 -in "$p12_file_enc" -out "$pem_file" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
|
||||||
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \
|
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \
|
||||||
-name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
|
-name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
|
||||||
if [ "$use_config_password" = "0" ]; then
|
if [ "$use_config_password" = 0 ]; then
|
||||||
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \
|
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \
|
||||||
-name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1
|
-name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1
|
||||||
fi
|
fi
|
||||||
/bin/rm -f "$pem_file"
|
/bin/rm -f "$pem_file"
|
||||||
elif [ "$use_config_password" = "0" ]; then
|
elif [ "$use_config_password" = 0 ]; then
|
||||||
pk12util -W "" -d "$CERT_DB" -n "$client_name" -o "$p12_file" >/dev/null || exit 1
|
pk12util -W "" -d "$CERT_DB" -n "$client_name" -o "$p12_file" >/dev/null || exit 1
|
||||||
fi
|
fi
|
||||||
if [ "$use_config_password" = "1" ]; then
|
if [ "$use_config_password" = 1 ]; then
|
||||||
/bin/cp -f "$p12_file_enc" "$p12_file"
|
/bin/cp -f "$p12_file_enc" "$p12_file"
|
||||||
fi
|
fi
|
||||||
if [ "$export_to_home_dir" = "1" ]; then
|
if [ "$export_to_home_dir" = 1 ]; then
|
||||||
chown "$SUDO_USER:$SUDO_USER" "$p12_file"
|
chown "$SUDO_USER:$SUDO_USER" "$p12_file"
|
||||||
fi
|
fi
|
||||||
chmod 600 "$p12_file"
|
chmod 600 "$p12_file"
|
||||||
@ -950,7 +950,7 @@ cat > "$mc_file" <<EOF
|
|||||||
</dict>
|
</dict>
|
||||||
<dict>
|
<dict>
|
||||||
EOF
|
EOF
|
||||||
if [ "$use_config_password" = "0" ]; then
|
if [ "$use_config_password" = 0 ]; then
|
||||||
cat >> "$mc_file" <<EOF
|
cat >> "$mc_file" <<EOF
|
||||||
<key>Password</key>
|
<key>Password</key>
|
||||||
<string>$p12_password</string>
|
<string>$p12_password</string>
|
||||||
@ -1012,7 +1012,7 @@ $ca_base64
|
|||||||
</dict>
|
</dict>
|
||||||
</plist>
|
</plist>
|
||||||
EOF
|
EOF
|
||||||
if [ "$export_to_home_dir" = "1" ]; then
|
if [ "$export_to_home_dir" = 1 ]; then
|
||||||
chown "$SUDO_USER:$SUDO_USER" "$mc_file"
|
chown "$SUDO_USER:$SUDO_USER" "$mc_file"
|
||||||
fi
|
fi
|
||||||
chmod 600 "$mc_file"
|
chmod 600 "$mc_file"
|
||||||
@ -1041,7 +1041,7 @@ cat > "$sswan_file" <<EOF
|
|||||||
"esp-proposal": "aes128gcm16"
|
"esp-proposal": "aes128gcm16"
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
if [ "$export_to_home_dir" = "1" ]; then
|
if [ "$export_to_home_dir" = 1 ]; then
|
||||||
chown "$SUDO_USER:$SUDO_USER" "$sswan_file"
|
chown "$SUDO_USER:$SUDO_USER" "$sswan_file"
|
||||||
fi
|
fi
|
||||||
chmod 600 "$sswan_file"
|
chmod 600 "$sswan_file"
|
||||||
@ -1070,7 +1070,7 @@ y
|
|||||||
N
|
N
|
||||||
ANSWERS
|
ANSWERS
|
||||||
sleep 1
|
sleep 1
|
||||||
if [ "$use_dns_name" = "1" ]; then
|
if [ "$use_dns_name" = 1 ]; then
|
||||||
certutil -z <(head -c 1024 /dev/urandom) \
|
certutil -z <(head -c 1024 /dev/urandom) \
|
||||||
-S -c "$CA_NAME" -n "$server_addr" \
|
-S -c "$CA_NAME" -n "$server_addr" \
|
||||||
-s "O=IKEv2 VPN,CN=$server_addr" \
|
-s "O=IKEv2 VPN,CN=$server_addr" \
|
||||||
@ -1093,13 +1093,13 @@ ANSWERS
|
|||||||
|
|
||||||
create_config_readme() {
|
create_config_readme() {
|
||||||
readme_file="$export_dir$client_name-README.txt"
|
readme_file="$export_dir$client_name-README.txt"
|
||||||
if [ "$in_container" = "0" ] && [ "$use_config_password" = "0" ] \
|
if [ "$in_container" = 0 ] && [ "$use_config_password" = 0 ] \
|
||||||
&& [ "$use_defaults" = "1" ] && [ ! -t 1 ] && [ ! -f "$readme_file" ]; then
|
&& [ "$use_defaults" = 1 ] && [ ! -t 1 ] && [ ! -f "$readme_file" ]; then
|
||||||
cat > "$readme_file" <<'EOF'
|
cat > "$readme_file" <<'EOF'
|
||||||
These IKEv2 client config files were created during IPsec VPN setup.
|
These IKEv2 client config files were created during IPsec VPN setup.
|
||||||
To configure IKEv2 clients, see: https://vpnsetup.net/clients
|
To configure IKEv2 clients, see: https://vpnsetup.net/clients
|
||||||
EOF
|
EOF
|
||||||
if [ "$export_to_home_dir" = "1" ]; then
|
if [ "$export_to_home_dir" = 1 ]; then
|
||||||
chown "$SUDO_USER:$SUDO_USER" "$readme_file"
|
chown "$SUDO_USER:$SUDO_USER" "$readme_file"
|
||||||
fi
|
fi
|
||||||
chmod 600 "$readme_file"
|
chmod 600 "$readme_file"
|
||||||
@ -1140,7 +1140,7 @@ conn ikev2-cp
|
|||||||
salifetime=24h
|
salifetime=24h
|
||||||
encapsulation=yes
|
encapsulation=yes
|
||||||
EOF
|
EOF
|
||||||
if [ "$use_dns_name" = "1" ]; then
|
if [ "$use_dns_name" = 1 ]; then
|
||||||
cat >> "$IKEV2_CONF" <<EOF
|
cat >> "$IKEV2_CONF" <<EOF
|
||||||
leftid=@$server_addr
|
leftid=@$server_addr
|
||||||
EOF
|
EOF
|
||||||
@ -1158,7 +1158,7 @@ cat >> "$IKEV2_CONF" <<EOF
|
|||||||
modecfgdns=$dns_server_1
|
modecfgdns=$dns_server_1
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
if [ "$mobike_enable" = "1" ]; then
|
if [ "$mobike_enable" = 1 ]; then
|
||||||
echo " mobike=yes" >> "$IKEV2_CONF"
|
echo " mobike=yes" >> "$IKEV2_CONF"
|
||||||
else
|
else
|
||||||
echo " mobike=no" >> "$IKEV2_CONF"
|
echo " mobike=no" >> "$IKEV2_CONF"
|
||||||
@ -1189,7 +1189,7 @@ apply_ubuntu1804_nss_fix() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
restart_ipsec_service() {
|
restart_ipsec_service() {
|
||||||
if [ "$in_container" = "0" ] || { [ "$in_container" = "1" ] && service ipsec status >/dev/null 2>&1; }; then
|
if [ "$in_container" = 0 ] || { [ "$in_container" = 1 ] && service ipsec status >/dev/null 2>&1; }; then
|
||||||
bigecho2 "Restarting IPsec service..."
|
bigecho2 "Restarting IPsec service..."
|
||||||
mkdir -p /run/pluto
|
mkdir -p /run/pluto
|
||||||
service ipsec restart 2>/dev/null
|
service ipsec restart 2>/dev/null
|
||||||
@ -1281,7 +1281,7 @@ print_client_deleted() {
|
|||||||
|
|
||||||
print_setup_complete() {
|
print_setup_complete() {
|
||||||
printf '\e[2K\e[1A\e[2K\r'
|
printf '\e[2K\e[1A\e[2K\r'
|
||||||
[ "$use_defaults" = "1" ] && printf '\e[1A\e[2K\e[1A\e[2K\e[1A\e[2K\r'
|
[ "$use_defaults" = 1 ] && printf '\e[1A\e[2K\e[1A\e[2K\e[1A\e[2K\r'
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
================================================
|
================================================
|
||||||
|
|
||||||
@ -1292,7 +1292,7 @@ EOF
|
|||||||
}
|
}
|
||||||
|
|
||||||
print_client_info() {
|
print_client_info() {
|
||||||
if [ "$in_container" = "0" ]; then
|
if [ "$in_container" = 0 ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
Client configuration is available at:
|
Client configuration is available at:
|
||||||
EOF
|
EOF
|
||||||
@ -1307,7 +1307,7 @@ $export_dir$client_name.p12 (for Windows & Linux)
|
|||||||
$export_dir$client_name.sswan (for Android)
|
$export_dir$client_name.sswan (for Android)
|
||||||
$export_dir$client_name.mobileconfig (for iOS & macOS)
|
$export_dir$client_name.mobileconfig (for iOS & macOS)
|
||||||
EOF
|
EOF
|
||||||
if [ "$use_config_password" = "1" ]; then
|
if [ "$use_config_password" = 1 ]; then
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
|
|
||||||
*IMPORTANT* Password for client config files:
|
*IMPORTANT* Password for client config files:
|
||||||
@ -1491,7 +1491,7 @@ ikev2setup() {
|
|||||||
check_config_password
|
check_config_password
|
||||||
get_export_dir
|
get_export_dir
|
||||||
|
|
||||||
if [ "$add_client" = "1" ]; then
|
if [ "$add_client" = 1 ]; then
|
||||||
show_header
|
show_header
|
||||||
show_add_client
|
show_add_client
|
||||||
client_validity=120
|
client_validity=120
|
||||||
@ -1502,7 +1502,7 @@ ikev2setup() {
|
|||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$export_client" = "1" ]; then
|
if [ "$export_client" = 1 ]; then
|
||||||
show_header
|
show_header
|
||||||
show_export_client
|
show_export_client
|
||||||
export_client_config
|
export_client_config
|
||||||
@ -1511,14 +1511,14 @@ ikev2setup() {
|
|||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$list_clients" = "1" ]; then
|
if [ "$list_clients" = 1 ]; then
|
||||||
show_header
|
show_header
|
||||||
list_existing_clients
|
list_existing_clients
|
||||||
echo
|
echo
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$revoke_client" = "1" ]; then
|
if [ "$revoke_client" = 1 ]; then
|
||||||
show_header
|
show_header
|
||||||
confirm_revoke_cert
|
confirm_revoke_cert
|
||||||
create_crl
|
create_crl
|
||||||
@ -1529,7 +1529,7 @@ ikev2setup() {
|
|||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$delete_client" = "1" ]; then
|
if [ "$delete_client" = 1 ]; then
|
||||||
show_header
|
show_header
|
||||||
confirm_delete_cert
|
confirm_delete_cert
|
||||||
delete_client_cert
|
delete_client_cert
|
||||||
@ -1538,7 +1538,7 @@ ikev2setup() {
|
|||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$remove_ikev2" = "1" ]; then
|
if [ "$remove_ikev2" = 1 ]; then
|
||||||
check_ipsec_conf
|
check_ipsec_conf
|
||||||
show_header
|
show_header
|
||||||
confirm_remove_ikev2
|
confirm_remove_ikev2
|
||||||
@ -1623,7 +1623,7 @@ ikev2setup() {
|
|||||||
|
|
||||||
check_cert_exists_and_exit "$CA_NAME"
|
check_cert_exists_and_exit "$CA_NAME"
|
||||||
|
|
||||||
if [ "$use_defaults" = "0" ]; then
|
if [ "$use_defaults" = 0 ]; then
|
||||||
show_header
|
show_header
|
||||||
show_welcome
|
show_welcome
|
||||||
enter_server_address
|
enter_server_address
|
||||||
@ -1661,7 +1661,7 @@ ikev2setup() {
|
|||||||
fi
|
fi
|
||||||
print_setup_complete
|
print_setup_complete
|
||||||
print_client_info
|
print_client_info
|
||||||
if [ "$in_container" = "0" ]; then
|
if [ "$in_container" = 0 ]; then
|
||||||
check_swan_update
|
check_swan_update
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
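Review bot: The export_p12_file hunks at `@ -788,7 +788,7 @@` and `@ -798,18 +798,18 @@` only unquote the `use_config_password` tests, but the surrounding openssl calls still pass the PKCS#12 password as `-passin "pass:$p12_password" -passout "pass:$p12_password"`, which places the secret in the process argument list — typically readable by other local users through the process table for the duration of the call, and echoed verbatim by any `set -x` trace. openssl accepts `env:VAR` and `file:PATH` pass-phrase sources, so each call can become `P12_PASS="$p12_password" openssl pkcs12 ... -passin env:P12_PASS -passout env:P12_PASS` (keeping `-passout pass:` where an empty export password is intended), producing identical files. The same applies to the `-passin "pass:$p12_password"` on the `openssl pkcs12 -in "$p12_file_enc" -out "$pem_file"` line; export_p12_file starts before the first of these hunks and its full body is not visible here.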
|
@ -127,7 +127,7 @@ EOF
|
|||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
|
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
|
||||||
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then
|
if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
|
||||||
exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
|
exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -150,7 +150,7 @@ check_iface() {
|
|||||||
check_wl=1
|
check_wl=1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ "$check_wl" = "1" ]; then
|
if [ "$check_wl" = 1 ]; then
|
||||||
case $def_iface in
|
case $def_iface in
|
||||||
wl*)
|
wl*)
|
||||||
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
|
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
|
||||||
@ -208,8 +208,8 @@ wait_for_apt() {
|
|||||||
pkg_lk=/var/lib/dpkg/lock
|
pkg_lk=/var/lib/dpkg/lock
|
||||||
while fuser "$apt_lk" "$pkg_lk" >/dev/null 2>&1 \
|
while fuser "$apt_lk" "$pkg_lk" >/dev/null 2>&1 \
|
||||||
|| lsof "$apt_lk" >/dev/null 2>&1 || lsof "$pkg_lk" >/dev/null 2>&1; do
|
|| lsof "$apt_lk" >/dev/null 2>&1 || lsof "$pkg_lk" >/dev/null 2>&1; do
|
||||||
[ "$count" = "0" ] && echo "## Waiting for apt to be available..."
|
[ "$count" = 0 ] && echo "## Waiting for apt to be available..."
|
||||||
[ "$count" -ge "100" ] && exiterr "Could not get apt/dpkg lock."
|
[ "$count" -ge 100 ] && exiterr "Could not get apt/dpkg lock."
|
||||||
count=$((count+1))
|
count=$((count+1))
|
||||||
printf '%s' '.'
|
printf '%s' '.'
|
||||||
sleep 3
|
sleep 3
|
||||||
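Review bot: `count` is tested as a string on the first line of the loop body (`[ "$count" = 0 ]`) but arithmetically on the very next line (`[ "$count" -ge 100 ]`); since the commit is normalising these literals anyway, `[ "$count" -eq 0 ] && echo "## Waiting for apt to be available..."` would keep both tests in the same form. The same pair appears in the wait_for_apt hunks ending at L2838 and L3719. wait_for_apt begins outside the hunk.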
|
@ -99,7 +99,7 @@ check_iface() {
|
|||||||
else
|
else
|
||||||
check_wl=1
|
check_wl=1
|
||||||
fi
|
fi
|
||||||
if [ "$check_wl" = "1" ]; then
|
if [ "$check_wl" = 1 ]; then
|
||||||
case $def_iface in
|
case $def_iface in
|
||||||
wl*)
|
wl*)
|
||||||
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
|
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
|
||||||
@ -244,8 +244,8 @@ update_iptables_rules() {
|
|||||||
ipf='iptables -D FORWARD'
|
ipf='iptables -D FORWARD'
|
||||||
ipp='iptables -t nat -D POSTROUTING'
|
ipp='iptables -t nat -D POSTROUTING'
|
||||||
res='RELATED,ESTABLISHED'
|
res='RELATED,ESTABLISHED'
|
||||||
if [ "$ipt_flag" = "1" ]; then
|
if [ "$ipt_flag" = 1 ]; then
|
||||||
if [ "$use_nft" = "0" ]; then
|
if [ "$use_nft" = 0 ]; then
|
||||||
bigecho "Updating IPTables rules..."
|
bigecho "Updating IPTables rules..."
|
||||||
get_vpn_subnets
|
get_vpn_subnets
|
||||||
iptables-save > "$IPT_FILE.old-$SYS_DT"
|
iptables-save > "$IPT_FILE.old-$SYS_DT"
|
||||||
|
@ -95,7 +95,7 @@ EOF
|
|||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
|
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
|
||||||
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then
|
if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
|
||||||
exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
|
exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
@ -230,10 +230,10 @@ update_config() {
|
|||||||
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
|
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
|
||||||
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
|
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
|
||||||
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
|
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
|
||||||
if [ "$dns_state" = "1" ]; then
|
if [ "$dns_state" = 1 ]; then
|
||||||
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
|
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
|
||||||
-e "/modecfgdns2=/d" /etc/ipsec.conf
|
-e "/modecfgdns2=/d" /etc/ipsec.conf
|
||||||
elif [ "$dns_state" = "2" ]; then
|
elif [ "$dns_state" = 2 ]; then
|
||||||
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
|
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
|
||||||
fi
|
fi
|
||||||
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
||||||
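Review bot: `$DNS_SRV1` and `$DNS_SRV2` are expanded directly into the sed replacement text on the modecfgdns lines, so a value containing `/`, `&` or `\` would change the sed expression rather than be written literally; presumably they are validated as IP addresses before update_config runs, but nothing in the hunk records that. A comment above the `if [ "$dns_state" = 1 ]; then` line, e.g. `# DNS_SRV1/DNS_SRV2 are interpolated into a sed replacement and must already be validated as plain IPv4 addresses`, would make the assumption explicit for the next maintainer. The same block appears in the update_config hunks ending at L2426, L2554 and L2682. update_config starts before the hunk.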
@ -260,7 +260,7 @@ Libreswan $SWAN_VER has been successfully installed!
|
|||||||
================================================
|
================================================
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
if [ "$dns_state" = "3" ]; then
|
if [ "$dns_state" = 3 ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
IMPORTANT: You must edit /etc/ipsec.conf and replace
|
IMPORTANT: You must edit /etc/ipsec.conf and replace
|
||||||
all occurrences of these two lines:
|
all occurrences of these two lines:
|
||||||
|
@ -219,10 +219,10 @@ update_config() {
|
|||||||
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
|
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
|
||||||
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
|
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
|
||||||
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
|
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
|
||||||
if [ "$dns_state" = "1" ]; then
|
if [ "$dns_state" = 1 ]; then
|
||||||
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
|
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
|
||||||
-e "/modecfgdns2=/d" /etc/ipsec.conf
|
-e "/modecfgdns2=/d" /etc/ipsec.conf
|
||||||
elif [ "$dns_state" = "2" ]; then
|
elif [ "$dns_state" = 2 ]; then
|
||||||
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
|
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
|
||||||
fi
|
fi
|
||||||
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
||||||
@ -248,7 +248,7 @@ Libreswan $SWAN_VER has been successfully installed!
|
|||||||
================================================
|
================================================
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
if [ "$dns_state" = "3" ]; then
|
if [ "$dns_state" = 3 ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
IMPORTANT: You must edit /etc/ipsec.conf and replace
|
IMPORTANT: You must edit /etc/ipsec.conf and replace
|
||||||
all occurrences of these two lines:
|
all occurrences of these two lines:
|
||||||
|
@ -173,7 +173,7 @@ install_pkgs_2() {
|
|||||||
if [ "$os_type$os_ver" = "ol7" ]; then
|
if [ "$os_type$os_ver" = "ol7" ]; then
|
||||||
rp2="$erp=ol7_optional_latest"
|
rp2="$erp=ol7_optional_latest"
|
||||||
fi
|
fi
|
||||||
if [ "$os_ver" = "7" ]; then
|
if [ "$os_ver" = 7 ]; then
|
||||||
(
|
(
|
||||||
set -x
|
set -x
|
||||||
yum "$rp1" "$rp2" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
|
yum "$rp1" "$rp2" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
|
||||||
@ -271,10 +271,10 @@ update_config() {
|
|||||||
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
|
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
|
||||||
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
|
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
|
||||||
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
|
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
|
||||||
if [ "$dns_state" = "1" ]; then
|
if [ "$dns_state" = 1 ]; then
|
||||||
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
|
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
|
||||||
-e "/modecfgdns2=/d" /etc/ipsec.conf
|
-e "/modecfgdns2=/d" /etc/ipsec.conf
|
||||||
elif [ "$dns_state" = "2" ]; then
|
elif [ "$dns_state" = 2 ]; then
|
||||||
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
|
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
|
||||||
fi
|
fi
|
||||||
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
||||||
@ -300,7 +300,7 @@ Libreswan $SWAN_VER has been successfully installed!
|
|||||||
================================================
|
================================================
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
if [ "$dns_state" = "3" ]; then
|
if [ "$dns_state" = 3 ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
IMPORTANT: You must edit /etc/ipsec.conf and replace
|
IMPORTANT: You must edit /etc/ipsec.conf and replace
|
||||||
all occurrences of these two lines:
|
all occurrences of these two lines:
|
||||||
|
@ -57,7 +57,7 @@ check_os() {
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
|
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
|
||||||
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then
|
if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
|
||||||
exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
|
exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
@ -260,10 +260,10 @@ update_config() {
|
|||||||
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
|
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
|
||||||
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
|
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
|
||||||
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
|
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
|
||||||
if [ "$dns_state" = "1" ]; then
|
if [ "$dns_state" = 1 ]; then
|
||||||
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
|
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
|
||||||
-e "/modecfgdns2=/d" /etc/ipsec.conf
|
-e "/modecfgdns2=/d" /etc/ipsec.conf
|
||||||
elif [ "$dns_state" = "2" ]; then
|
elif [ "$dns_state" = 2 ]; then
|
||||||
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
|
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
|
||||||
fi
|
fi
|
||||||
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
||||||
@ -289,7 +289,7 @@ Libreswan $SWAN_VER has been successfully installed!
|
|||||||
================================================
|
================================================
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
if [ "$dns_state" = "3" ]; then
|
if [ "$dns_state" = 3 ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
IMPORTANT: You must edit /etc/ipsec.conf and replace
|
IMPORTANT: You must edit /etc/ipsec.conf and replace
|
||||||
all occurrences of these two lines:
|
all occurrences of these two lines:
|
||||||
|
@ -127,7 +127,7 @@ EOF
|
|||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
|
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
|
||||||
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then
|
if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
|
||||||
exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
|
exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -150,7 +150,7 @@ check_iface() {
|
|||||||
check_wl=1
|
check_wl=1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ "$check_wl" = "1" ]; then
|
if [ "$check_wl" = 1 ]; then
|
||||||
case $def_iface in
|
case $def_iface in
|
||||||
wl*)
|
wl*)
|
||||||
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
|
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
|
||||||
@ -208,8 +208,8 @@ wait_for_apt() {
|
|||||||
pkg_lk=/var/lib/dpkg/lock
|
pkg_lk=/var/lib/dpkg/lock
|
||||||
while fuser "$apt_lk" "$pkg_lk" >/dev/null 2>&1 \
|
while fuser "$apt_lk" "$pkg_lk" >/dev/null 2>&1 \
|
||||||
|| lsof "$apt_lk" >/dev/null 2>&1 || lsof "$pkg_lk" >/dev/null 2>&1; do
|
|| lsof "$apt_lk" >/dev/null 2>&1 || lsof "$pkg_lk" >/dev/null 2>&1; do
|
||||||
[ "$count" = "0" ] && echo "## Waiting for apt to be available..."
|
[ "$count" = 0 ] && echo "## Waiting for apt to be available..."
|
||||||
[ "$count" -ge "100" ] && exiterr "Could not get apt/dpkg lock."
|
[ "$count" -ge 100 ] && exiterr "Could not get apt/dpkg lock."
|
||||||
count=$((count+1))
|
count=$((count+1))
|
||||||
printf '%s' '.'
|
printf '%s' '.'
|
||||||
sleep 3
|
sleep 3
|
||||||
|
@ -261,7 +261,7 @@ check_libreswan() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
get_libreswan() {
|
get_libreswan() {
|
||||||
if [ "$check_result" = "0" ]; then
|
if [ "$check_result" = 0 ]; then
|
||||||
bigecho "Downloading Libreswan..."
|
bigecho "Downloading Libreswan..."
|
||||||
cd /opt/src || exit 1
|
cd /opt/src || exit 1
|
||||||
swan_file="libreswan-$SWAN_VER.tar.gz"
|
swan_file="libreswan-$SWAN_VER.tar.gz"
|
||||||
@ -279,7 +279,7 @@ get_libreswan() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
install_libreswan() {
|
install_libreswan() {
|
||||||
if [ "$check_result" = "0" ]; then
|
if [ "$check_result" = 0 ]; then
|
||||||
bigecho "Compiling and installing Libreswan, please wait..."
|
bigecho "Compiling and installing Libreswan, please wait..."
|
||||||
cd "libreswan-$SWAN_VER" || exit 1
|
cd "libreswan-$SWAN_VER" || exit 1
|
||||||
sed -i '28s/stdlib\.h/sys\/types.h/' include/fd.h
|
sed -i '28s/stdlib\.h/sys\/types.h/' include/fd.h
|
||||||
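Review bot: `sed -i '28s/stdlib\.h/sys\/types.h/' include/fd.h` patches a fixed line number of the downloaded Libreswan source, so a tarball in which that include has moved would leave the file unpatched without any error. Anchoring the substitution on the pattern rather than the line number, or following it with a check such as `grep -q 'sys/types.h' include/fd.h || exiterr "Failed to patch include/fd.h"` (assuming the file does not already include sys/types.h elsewhere), would make a silent no-op visible. install_libreswan continues outside the hunk.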
@ -463,7 +463,7 @@ update_iptables() {
|
|||||||
ipf='iptables -I FORWARD'
|
ipf='iptables -I FORWARD'
|
||||||
ipp='iptables -t nat -I POSTROUTING'
|
ipp='iptables -t nat -I POSTROUTING'
|
||||||
res='RELATED,ESTABLISHED'
|
res='RELATED,ESTABLISHED'
|
||||||
if [ "$ipt_flag" = "1" ]; then
|
if [ "$ipt_flag" = 1 ]; then
|
||||||
service fail2ban stop >/dev/null 2>&1
|
service fail2ban stop >/dev/null 2>&1
|
||||||
iptables-save > "$IPT_FILE.old-$SYS_DT"
|
iptables-save > "$IPT_FILE.old-$SYS_DT"
|
||||||
$ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
|
$ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
|
||||||
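Review bot: the `iptables-save > "$IPT_FILE.old-$SYS_DT"` backup is created with the process umask and not tightened afterwards, whereas the nft path in the update_iptables hunk ending at L3455 follows its `nft list ruleset > "$IPT_FILE.old-$SYS_DT"` with `chmod 600 "$IPT_FILE.old-$SYS_DT"`. For consistency, add `chmod 600 "$IPT_FILE.old-$SYS_DT"` directly after the iptables-save line here. The same pattern appears in the hunks ending at L3098 and L3829, and iptables-save is the last line of the hunk ending at L2243, where a chmod may follow outside the visible lines. update_iptables continues outside the hunk.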
@ -555,7 +555,7 @@ set_up_ikev2() {
|
|||||||
skip_ikev2=1
|
skip_ikev2=1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
if [ "$skip_ikev2" = "0" ]; then
|
if [ "$skip_ikev2" = 0 ]; then
|
||||||
sleep 1
|
sleep 1
|
||||||
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
|
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
|
||||||
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
|
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
|
||||||
|
@ -275,7 +275,7 @@ check_libreswan() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
get_libreswan() {
|
get_libreswan() {
|
||||||
if [ "$check_result" = "0" ]; then
|
if [ "$check_result" = 0 ]; then
|
||||||
bigecho "Downloading Libreswan..."
|
bigecho "Downloading Libreswan..."
|
||||||
cd /opt/src || exit 1
|
cd /opt/src || exit 1
|
||||||
swan_file="libreswan-$SWAN_VER.tar.gz"
|
swan_file="libreswan-$SWAN_VER.tar.gz"
|
||||||
@ -293,7 +293,7 @@ get_libreswan() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
install_libreswan() {
|
install_libreswan() {
|
||||||
if [ "$check_result" = "0" ]; then
|
if [ "$check_result" = 0 ]; then
|
||||||
bigecho "Compiling and installing Libreswan, please wait..."
|
bigecho "Compiling and installing Libreswan, please wait..."
|
||||||
cd "libreswan-$SWAN_VER" || exit 1
|
cd "libreswan-$SWAN_VER" || exit 1
|
||||||
cat > Makefile.inc.local <<'EOF'
|
cat > Makefile.inc.local <<'EOF'
|
||||||
@ -474,7 +474,7 @@ update_iptables() {
|
|||||||
ipf='iptables -I FORWARD'
|
ipf='iptables -I FORWARD'
|
||||||
ipp='iptables -t nat -I POSTROUTING'
|
ipp='iptables -t nat -I POSTROUTING'
|
||||||
res='RELATED,ESTABLISHED'
|
res='RELATED,ESTABLISHED'
|
||||||
if [ "$ipt_flag" = "1" ]; then
|
if [ "$ipt_flag" = 1 ]; then
|
||||||
service fail2ban stop >/dev/null 2>&1
|
service fail2ban stop >/dev/null 2>&1
|
||||||
iptables-save > "$IPT_FILE.old-$SYS_DT"
|
iptables-save > "$IPT_FILE.old-$SYS_DT"
|
||||||
$ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
|
$ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
|
||||||
@ -572,7 +572,7 @@ set_up_ikev2() {
|
|||||||
skip_ikev2=1
|
skip_ikev2=1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
if [ "$skip_ikev2" = "0" ]; then
|
if [ "$skip_ikev2" = 0 ]; then
|
||||||
sleep 1
|
sleep 1
|
||||||
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
|
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
|
||||||
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
|
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
|
||||||
|
@ -237,9 +237,9 @@ install_vpn_pkgs_1() {
|
|||||||
rp2="$erp=*server-*optional*"
|
rp2="$erp=*server-*optional*"
|
||||||
rp3="$erp=*releases-optional*"
|
rp3="$erp=*releases-optional*"
|
||||||
if [ "$os_type" = "ol" ]; then
|
if [ "$os_type" = "ol" ]; then
|
||||||
if [ "$os_ver" = "9" ]; then
|
if [ "$os_ver" = 9 ]; then
|
||||||
rp1="$erp=ol9_developer_EPEL"
|
rp1="$erp=ol9_developer_EPEL"
|
||||||
elif [ "$os_ver" = "8" ]; then
|
elif [ "$os_ver" = 8 ]; then
|
||||||
rp1="$erp=ol8_developer_EPEL"
|
rp1="$erp=ol8_developer_EPEL"
|
||||||
else
|
else
|
||||||
rp3="$erp=ol7_optional_latest"
|
rp3="$erp=ol7_optional_latest"
|
||||||
@ -266,7 +266,7 @@ install_vpn_pkgs_3() {
|
|||||||
p2=libevent-devel
|
p2=libevent-devel
|
||||||
p3=fipscheck-devel
|
p3=fipscheck-devel
|
||||||
p4=iptables-services
|
p4=iptables-services
|
||||||
if [ "$os_ver" = "7" ]; then
|
if [ "$os_ver" = 7 ]; then
|
||||||
(
|
(
|
||||||
set -x
|
set -x
|
||||||
yum "$rp2" "$rp3" -y -q install $p1 $p2 $p3 $p4 >/dev/null
|
yum "$rp2" "$rp3" -y -q install $p1 $p2 $p3 $p4 >/dev/null
|
||||||
@ -276,7 +276,7 @@ install_vpn_pkgs_3() {
|
|||||||
set -x
|
set -x
|
||||||
yum -y -q install $p1 $p2 >/dev/null
|
yum -y -q install $p1 $p2 >/dev/null
|
||||||
) || exiterr2
|
) || exiterr2
|
||||||
if [ "$os_ver" = "9" ] || [ "$os_ver" = "9s" ] \
|
if [ "$os_ver" = 9 ] || [ "$os_ver" = 9s ] \
|
||||||
|| systemctl is-active --quiet firewalld \
|
|| systemctl is-active --quiet firewalld \
|
||||||
|| systemctl is-active --quiet nftables \
|
|| systemctl is-active --quiet nftables \
|
||||||
|| grep -qs "hwdsl2 VPN script" /etc/sysconfig/nftables.conf; then
|
|| grep -qs "hwdsl2 VPN script" /etc/sysconfig/nftables.conf; then
|
||||||
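Review bot: `9s` on the `if [ "$os_ver" = 9 ] || [ "$os_ver" = 9s ] \` line is left unquoted although it is not a numeric literal, while other string values touched by this commit (`"jessiesid"`, `"ol7"`) keep their quotes. Writing it as `[ "$os_ver" = "9s" ]` keeps the cleanup's rule of unquoting only bare numbers consistent across the files. install_vpn_pkgs_3 starts outside the hunk.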
@ -301,7 +301,7 @@ filter = sshd
|
|||||||
logpath = /var/log/secure
|
logpath = /var/log/secure
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ "$use_nft" = "1" ]; then
|
if [ "$use_nft" = 1 ]; then
|
||||||
cat >> "$F2B_FILE" <<'EOF'
|
cat >> "$F2B_FILE" <<'EOF'
|
||||||
port = ssh
|
port = ssh
|
||||||
banaction = nftables-multiport[blocktype=drop]
|
banaction = nftables-multiport[blocktype=drop]
|
||||||
@ -375,7 +375,7 @@ check_libreswan() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
get_libreswan() {
|
get_libreswan() {
|
||||||
if [ "$check_result" = "0" ]; then
|
if [ "$check_result" = 0 ]; then
|
||||||
bigecho "Downloading Libreswan..."
|
bigecho "Downloading Libreswan..."
|
||||||
cd /opt/src || exit 1
|
cd /opt/src || exit 1
|
||||||
swan_file="libreswan-$SWAN_VER.tar.gz"
|
swan_file="libreswan-$SWAN_VER.tar.gz"
|
||||||
@ -393,7 +393,7 @@ get_libreswan() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
install_libreswan() {
|
install_libreswan() {
|
||||||
if [ "$check_result" = "0" ]; then
|
if [ "$check_result" = 0 ]; then
|
||||||
bigecho "Compiling and installing Libreswan, please wait..."
|
bigecho "Compiling and installing Libreswan, please wait..."
|
||||||
cd "libreswan-$SWAN_VER" || exit 1
|
cd "libreswan-$SWAN_VER" || exit 1
|
||||||
cat > Makefile.inc.local <<'EOF'
|
cat > Makefile.inc.local <<'EOF'
|
||||||
@ -573,7 +573,7 @@ EOF
|
|||||||
update_iptables() {
|
update_iptables() {
|
||||||
bigecho "Updating IPTables rules..."
|
bigecho "Updating IPTables rules..."
|
||||||
IPT_FILE=/etc/sysconfig/iptables
|
IPT_FILE=/etc/sysconfig/iptables
|
||||||
[ "$use_nft" = "1" ] && IPT_FILE=/etc/sysconfig/nftables.conf
|
[ "$use_nft" = 1 ] && IPT_FILE=/etc/sysconfig/nftables.conf
|
||||||
ipt_flag=0
|
ipt_flag=0
|
||||||
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
|
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
|
||||||
ipt_flag=1
|
ipt_flag=1
|
||||||
@ -584,9 +584,9 @@ update_iptables() {
|
|||||||
res='RELATED,ESTABLISHED'
|
res='RELATED,ESTABLISHED'
|
||||||
nff='nft insert rule inet firewalld'
|
nff='nft insert rule inet firewalld'
|
||||||
nfn='nft insert rule inet nftables_svc'
|
nfn='nft insert rule inet nftables_svc'
|
||||||
if [ "$ipt_flag" = "1" ]; then
|
if [ "$ipt_flag" = 1 ]; then
|
||||||
service fail2ban stop >/dev/null 2>&1
|
service fail2ban stop >/dev/null 2>&1
|
||||||
if [ "$use_nft" = "1" ]; then
|
if [ "$use_nft" = 1 ]; then
|
||||||
nft list ruleset > "$IPT_FILE.old-$SYS_DT"
|
nft list ruleset > "$IPT_FILE.old-$SYS_DT"
|
||||||
chmod 600 "$IPT_FILE.old-$SYS_DT"
|
chmod 600 "$IPT_FILE.old-$SYS_DT"
|
||||||
else
|
else
|
||||||
@ -605,13 +605,13 @@ update_iptables() {
|
|||||||
$ipf 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate "$res" -j ACCEPT
|
$ipf 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate "$res" -j ACCEPT
|
||||||
$ipf 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
|
$ipf 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
|
||||||
$ipf 7 -s "$XAUTH_NET" -o ppp+ -j ACCEPT
|
$ipf 7 -s "$XAUTH_NET" -o ppp+ -j ACCEPT
|
||||||
if [ "$use_nft" != "1" ]; then
|
if [ "$use_nft" != 1 ]; then
|
||||||
iptables -A FORWARD -j DROP
|
iptables -A FORWARD -j DROP
|
||||||
fi
|
fi
|
||||||
$ipp -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
|
$ipp -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
|
||||||
$ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
|
$ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
|
||||||
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
|
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
|
||||||
if [ "$use_nft" = "1" ]; then
|
if [ "$use_nft" = 1 ]; then
|
||||||
for vport in 500 4500 1701; do
|
for vport in 500 4500 1701; do
|
||||||
$nff filter_INPUT udp dport "$vport" accept 2>/dev/null
|
$nff filter_INPUT udp dport "$vport" accept 2>/dev/null
|
||||||
$nfn allow udp dport "$vport" accept 2>/dev/null
|
$nfn allow udp dport "$vport" accept 2>/dev/null
|
||||||
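Review bot: the two nft inserts at the end of the hunk (`$nff filter_INPUT udp dport "$vport" accept 2>/dev/null` and `$nfn allow udp dport "$vport" accept 2>/dev/null`) discard stderr, so if neither the firewalld nor the nftables_svc table exists the VPN ports are left closed with no diagnostic. If the intent is that exactly one of the two tables is present and the other insert is expected to fail, a comment such as `# only one of the firewalld / nftables_svc tables exists; the insert into the other is expected to fail` would make that explicit; otherwise consider reporting when both inserts fail for a port. update_iptables continues outside the hunk.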
@ -660,7 +660,7 @@ enable_on_boot() {
|
|||||||
systemctl --now mask firewalld 2>/dev/null
|
systemctl --now mask firewalld 2>/dev/null
|
||||||
if [ "$os_type$os_ver" = "ol9" ]; then
|
if [ "$os_type$os_ver" = "ol9" ]; then
|
||||||
systemctl enable nftables 2>/dev/null
|
systemctl enable nftables 2>/dev/null
|
||||||
elif [ "$use_nft" = "1" ]; then
|
elif [ "$use_nft" = 1 ]; then
|
||||||
systemctl enable nftables 2>/dev/null
|
systemctl enable nftables 2>/dev/null
|
||||||
systemctl enable fail2ban 2>/dev/null
|
systemctl enable fail2ban 2>/dev/null
|
||||||
else
|
else
|
||||||
@ -692,7 +692,7 @@ start_services() {
|
|||||||
restorecon /etc/ipsec.d/*db 2>/dev/null
|
restorecon /etc/ipsec.d/*db 2>/dev/null
|
||||||
restorecon /usr/local/sbin -Rv 2>/dev/null
|
restorecon /usr/local/sbin -Rv 2>/dev/null
|
||||||
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
|
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
|
||||||
if [ "$use_nft" = "1" ]; then
|
if [ "$use_nft" = 1 ]; then
|
||||||
nft -f "$IPT_FILE"
|
nft -f "$IPT_FILE"
|
||||||
else
|
else
|
||||||
iptables-restore < "$IPT_FILE"
|
iptables-restore < "$IPT_FILE"
|
||||||
@ -740,7 +740,7 @@ set_up_ikev2() {
|
|||||||
skip_ikev2=1
|
skip_ikev2=1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
if [ "$skip_ikev2" = "0" ]; then
|
if [ "$skip_ikev2" = 0 ]; then
|
||||||
sleep 1
|
sleep 1
|
||||||
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
|
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
|
||||||
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
|
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
|
||||||
|
@ -90,7 +90,7 @@ check_os() {
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
|
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
|
||||||
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then
|
if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
|
||||||
exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
|
exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
@ -194,8 +194,8 @@ wait_for_apt() {
|
|||||||
pkg_lk=/var/lib/dpkg/lock
|
pkg_lk=/var/lib/dpkg/lock
|
||||||
while fuser "$apt_lk" "$pkg_lk" >/dev/null 2>&1 \
|
while fuser "$apt_lk" "$pkg_lk" >/dev/null 2>&1 \
|
||||||
|| lsof "$apt_lk" >/dev/null 2>&1 || lsof "$pkg_lk" >/dev/null 2>&1; do
|
|| lsof "$apt_lk" >/dev/null 2>&1 || lsof "$pkg_lk" >/dev/null 2>&1; do
|
||||||
[ "$count" = "0" ] && echo "## Waiting for apt to be available..."
|
[ "$count" = 0 ] && echo "## Waiting for apt to be available..."
|
||||||
[ "$count" -ge "100" ] && exiterr "Could not get apt/dpkg lock."
|
[ "$count" -ge 100 ] && exiterr "Could not get apt/dpkg lock."
|
||||||
count=$((count+1))
|
count=$((count+1))
|
||||||
printf '%s' '.'
|
printf '%s' '.'
|
||||||
sleep 3
|
sleep 3
|
||||||
@ -312,7 +312,7 @@ check_libreswan() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
get_libreswan() {
|
get_libreswan() {
|
||||||
if [ "$check_result" = "0" ]; then
|
if [ "$check_result" = 0 ]; then
|
||||||
bigecho "Downloading Libreswan..."
|
bigecho "Downloading Libreswan..."
|
||||||
cd /opt/src || exit 1
|
cd /opt/src || exit 1
|
||||||
swan_file="libreswan-$SWAN_VER.tar.gz"
|
swan_file="libreswan-$SWAN_VER.tar.gz"
|
||||||
@ -330,7 +330,7 @@ get_libreswan() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
install_libreswan() {
|
install_libreswan() {
|
||||||
if [ "$check_result" = "0" ]; then
|
if [ "$check_result" = 0 ]; then
|
||||||
bigecho "Compiling and installing Libreswan, please wait..."
|
bigecho "Compiling and installing Libreswan, please wait..."
|
||||||
cd "libreswan-$SWAN_VER" || exit 1
|
cd "libreswan-$SWAN_VER" || exit 1
|
||||||
cat > Makefile.inc.local <<'EOF'
|
cat > Makefile.inc.local <<'EOF'
|
||||||
@ -532,7 +532,7 @@ update_iptables() {
|
|||||||
ipf='iptables -I FORWARD'
|
ipf='iptables -I FORWARD'
|
||||||
ipp='iptables -t nat -I POSTROUTING'
|
ipp='iptables -t nat -I POSTROUTING'
|
||||||
res='RELATED,ESTABLISHED'
|
res='RELATED,ESTABLISHED'
|
||||||
if [ "$ipt_flag" = "1" ]; then
|
if [ "$ipt_flag" = 1 ]; then
|
||||||
service fail2ban stop >/dev/null 2>&1
|
service fail2ban stop >/dev/null 2>&1
|
||||||
iptables-save > "$IPT_FILE.old-$SYS_DT"
|
iptables-save > "$IPT_FILE.old-$SYS_DT"
|
||||||
$ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
|
$ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
|
||||||
@ -583,7 +583,7 @@ enable_on_boot() {
|
|||||||
if [ -f "$IPT_FILE2" ] && { [ -f "$IPT_PST" ] || [ -f "$IPT_PST2" ]; }; then
|
if [ -f "$IPT_FILE2" ] && { [ -f "$IPT_PST" ] || [ -f "$IPT_PST2" ]; }; then
|
||||||
ipt_load=0
|
ipt_load=0
|
||||||
fi
|
fi
|
||||||
if [ "$ipt_load" = "1" ]; then
|
if [ "$ipt_load" = 1 ]; then
|
||||||
mkdir -p /etc/network/if-pre-up.d
|
mkdir -p /etc/network/if-pre-up.d
|
||||||
cat > /etc/network/if-pre-up.d/iptablesload <<'EOF'
|
cat > /etc/network/if-pre-up.d/iptablesload <<'EOF'
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
@ -688,7 +688,7 @@ set_up_ikev2() {
|
|||||||
skip_ikev2=1
|
skip_ikev2=1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
if [ "$skip_ikev2" = "0" ]; then
|
if [ "$skip_ikev2" = 0 ]; then
|
||||||
sleep 1
|
sleep 1
|
||||||
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
|
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
|
||||||
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
|
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
|
||||||
|