1
0
mirror of synced 2024-11-25 06:16:07 +03:00
This commit is contained in:
hwdsl2 2022-09-24 18:56:27 -05:00
parent 32faed40d5
commit cc99e18123
15 changed files with 128 additions and 130 deletions

View File

@ -65,16 +65,16 @@ EOF
exiterr "VPN username must not contain these special characters: \\ \" '" exiterr "VPN username must not contain these special characters: \\ \" '"
;; ;;
esac esac
if [ "$(grep -c "^\"$VPN_USER\" " /etc/ppp/chap-secrets)" = "0" ] \ if [ "$(grep -c "^\"$VPN_USER\" " /etc/ppp/chap-secrets)" = 0 ] \
|| [ "$(grep -c "^$VPN_USER:\\\$1\\\$" /etc/ipsec.d/passwd)" = "0" ]; then || [ "$(grep -c "^$VPN_USER:\\\$1\\\$" /etc/ipsec.d/passwd)" = 0 ]; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
Error: The specified VPN user does not exist in /etc/ppp/chap-secrets Error: The specified VPN user does not exist in /etc/ppp/chap-secrets
and/or /etc/ipsec.d/passwd. and/or /etc/ipsec.d/passwd.
EOF EOF
exit 1 exit 1
fi fi
if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = "1" ] \ if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = 1 ] \
|| [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = "1" ]; then || [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = 1 ]; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
Error: Could not delete the only VPN user from /etc/ppp/chap-secrets Error: Could not delete the only VPN user from /etc/ppp/chap-secrets
and/or /etc/ipsec.d/passwd. and/or /etc/ipsec.d/passwd.

View File

@ -108,7 +108,6 @@ get_server_address() {
show_welcome() { show_welcome() {
cat <<EOF cat <<EOF
Welcome! Use this script to change this IKEv2 VPN server's address. Welcome! Use this script to change this IKEv2 VPN server's address.
A new server certificate will be generated if necessary.
Current server address: $server_addr_old Current server address: $server_addr_old
@ -124,10 +123,11 @@ get_default_ip() {
} }
get_server_ip() { get_server_ip() {
bigecho "Trying to auto discover IP of this server..." use_default_ip=0
public_ip=${VPN_PUBLIC_IP:-''} public_ip=${VPN_PUBLIC_IP:-''}
check_ip "$public_ip" || get_default_ip check_ip "$public_ip" || get_default_ip
check_ip "$public_ip" && return 0 check_ip "$public_ip" && { use_default_ip=1; return 0; }
bigecho "Trying to auto discover IP of this server..."
check_ip "$public_ip" || public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) check_ip "$public_ip" || public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ipv4.icanhazip.com) check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ipv4.icanhazip.com)
check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ip1.dynupdate.no-ip.com) check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ip1.dynupdate.no-ip.com)
@ -147,7 +147,7 @@ enter_server_address() {
echo echo
;; ;;
esac esac
if [ "$use_dns_name" = "1" ]; then if [ "$use_dns_name" = 1 ]; then
read -rp "Enter the DNS name of this VPN server: " server_addr read -rp "Enter the DNS name of this VPN server: " server_addr
until check_dns_name "$server_addr"; do until check_dns_name "$server_addr"; do
echo "Invalid DNS name. You must enter a fully qualified domain name (FQDN)." echo "Invalid DNS name. You must enter a fully qualified domain name (FQDN)."
@ -155,7 +155,7 @@ enter_server_address() {
done done
else else
get_server_ip get_server_ip
echo [ "$use_default_ip" = 0 ] && echo
read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr
[ -z "$server_addr" ] && server_addr="$public_ip" [ -z "$server_addr" ] && server_addr="$public_ip"
until check_ip "$server_addr"; do until check_ip "$server_addr"; do
@ -178,7 +178,11 @@ confirm_changes() {
cat <<EOF cat <<EOF
You are about to change this IKEv2 VPN server's address. You are about to change this IKEv2 VPN server's address.
Read the important notes below before continuing.
*IMPORTANT* After running this script, you must manually update
the server address (and remote ID, if applicable) on any existing
IKEv2 client devices. For iOS clients, you'll need to export and
re-import client configuration using the IKEv2 helper script.
=========================================== ===========================================
@ -187,12 +191,6 @@ New server address: $server_addr
=========================================== ===========================================
*IMPORTANT*
After running this script, you must manually update the server address
(and remote ID, if applicable) on any existing IKEv2 client devices.
For iOS clients, you'll need to export and re-import client configuration
using the IKEv2 helper script.
EOF EOF
printf "Do you want to continue? [Y/n] " printf "Do you want to continue? [Y/n] "
read -r response read -r response
@ -211,7 +209,7 @@ create_server_cert() {
bigecho "Server certificate '$server_addr' already exists, skipping..." bigecho "Server certificate '$server_addr' already exists, skipping..."
else else
bigecho "Generating server certificate..." bigecho "Generating server certificate..."
if [ "$use_dns_name" = "1" ]; then if [ "$use_dns_name" = 1 ]; then
certutil -z <(head -c 1024 /dev/urandom) \ certutil -z <(head -c 1024 /dev/urandom) \
-S -c "IKEv2 VPN CA" -n "$server_addr" \ -S -c "IKEv2 VPN CA" -n "$server_addr" \
-s "O=IKEv2 VPN,CN=$server_addr" \ -s "O=IKEv2 VPN,CN=$server_addr" \
@ -242,7 +240,7 @@ update_ikev2_conf() {
sed -i".old-$SYS_DT" \ sed -i".old-$SYS_DT" \
-e "/^[[:space:]]\+leftcert=/d" \ -e "/^[[:space:]]\+leftcert=/d" \
-e "/^[[:space:]]\+leftid=/d" /etc/ipsec.d/ikev2.conf -e "/^[[:space:]]\+leftid=/d" /etc/ipsec.d/ikev2.conf
if [ "$use_dns_name" = "1" ]; then if [ "$use_dns_name" = 1 ]; then
sed -i "/conn ikev2-cp/a \ leftid=@$server_addr" /etc/ipsec.d/ikev2.conf sed -i "/conn ikev2-cp/a \ leftid=@$server_addr" /etc/ipsec.d/ikev2.conf
else else
sed -i "/conn ikev2-cp/a \ leftid=$server_addr" /etc/ipsec.d/ikev2.conf sed -i "/conn ikev2-cp/a \ leftid=$server_addr" /etc/ipsec.d/ikev2.conf

View File

@ -211,7 +211,7 @@ check_cert_status() {
} }
check_arguments() { check_arguments() {
if [ "$use_defaults" = "1" ] && check_ikev2_exists; then if [ "$use_defaults" = 1 ] && check_ikev2_exists; then
echo "Error: Invalid parameter '--auto'. IKEv2 is already set up on this server." >&2 echo "Error: Invalid parameter '--auto'. IKEv2 is already set up on this server." >&2
echo " To manage VPN clients, re-run this script without '--auto'." >&2 echo " To manage VPN clients, re-run this script without '--auto'." >&2
echo " To change IKEv2 server address, see https://vpnsetup.net/ikev2" >&2 echo " To change IKEv2 server address, see https://vpnsetup.net/ikev2" >&2
@ -220,37 +220,37 @@ check_arguments() {
if [ "$((add_client + export_client + list_clients + revoke_client + delete_client))" -gt 1 ]; then if [ "$((add_client + export_client + list_clients + revoke_client + delete_client))" -gt 1 ]; then
show_usage "Invalid parameters. Specify only one of '--addclient', '--exportclient', '--listclients', '--revokeclient' or '--deleteclient'." show_usage "Invalid parameters. Specify only one of '--addclient', '--exportclient', '--listclients', '--revokeclient' or '--deleteclient'."
fi fi
if [ "$remove_ikev2" = "1" ]; then if [ "$remove_ikev2" = 1 ]; then
if [ "$((add_client + export_client + list_clients + revoke_client + delete_client + use_defaults))" -gt 0 ]; then if [ "$((add_client + export_client + list_clients + revoke_client + delete_client + use_defaults))" -gt 0 ]; then
show_usage "Invalid parameters. '--removeikev2' cannot be specified with other parameters." show_usage "Invalid parameters. '--removeikev2' cannot be specified with other parameters."
fi fi
fi fi
if ! check_ikev2_exists; then if ! check_ikev2_exists; then
[ "$add_client" = "1" ] && exiterr "You must first set up IKEv2 before adding a client." [ "$add_client" = 1 ] && exiterr "You must first set up IKEv2 before adding a client."
[ "$export_client" = "1" ] && exiterr "You must first set up IKEv2 before exporting a client." [ "$export_client" = 1 ] && exiterr "You must first set up IKEv2 before exporting a client."
[ "$list_clients" = "1" ] && exiterr "You must first set up IKEv2 before listing clients." [ "$list_clients" = 1 ] && exiterr "You must first set up IKEv2 before listing clients."
[ "$revoke_client" = "1" ] && exiterr "You must first set up IKEv2 before revoking a client." [ "$revoke_client" = 1 ] && exiterr "You must first set up IKEv2 before revoking a client."
[ "$delete_client" = "1" ] && exiterr "You must first set up IKEv2 before deleting a client." [ "$delete_client" = 1 ] && exiterr "You must first set up IKEv2 before deleting a client."
[ "$remove_ikev2" = "1" ] && exiterr "Cannot remove IKEv2 because it has not been set up on this server." [ "$remove_ikev2" = 1 ] && exiterr "Cannot remove IKEv2 because it has not been set up on this server."
fi fi
if [ "$add_client" = "1" ]; then if [ "$add_client" = 1 ]; then
if [ -z "$client_name" ] || ! check_client_name "$client_name"; then if [ -z "$client_name" ] || ! check_client_name "$client_name"; then
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'." exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
elif check_cert_exists "$client_name"; then elif check_cert_exists "$client_name"; then
exiterr "Invalid client name. Client '$client_name' already exists." exiterr "Invalid client name. Client '$client_name' already exists."
fi fi
fi fi
if [ "$export_client" = "1" ] || [ "$revoke_client" = "1" ] || [ "$delete_client" = "1" ]; then if [ "$export_client" = 1 ] || [ "$revoke_client" = 1 ] || [ "$delete_client" = 1 ]; then
get_server_address get_server_address
if [ -z "$client_name" ] || ! check_client_name "$client_name" \ if [ -z "$client_name" ] || ! check_client_name "$client_name" \
|| [ "$client_name" = "$CA_NAME" ] || [ "$client_name" = "$server_addr" ] \ || [ "$client_name" = "$CA_NAME" ] || [ "$client_name" = "$server_addr" ] \
|| ! check_cert_exists "$client_name"; then || ! check_cert_exists "$client_name"; then
exiterr "Invalid client name, or client does not exist." exiterr "Invalid client name, or client does not exist."
fi fi
if [ "$delete_client" = "0" ] && ! check_cert_status "$client_name"; then if [ "$delete_client" = 0 ] && ! check_cert_status "$client_name"; then
printf '%s' "Error: Certificate '$client_name' " >&2 printf '%s' "Error: Certificate '$client_name' " >&2
if printf '%s' "$cert_status" | grep -q "revoked"; then if printf '%s' "$cert_status" | grep -q "revoked"; then
if [ "$revoke_client" = "1" ]; then if [ "$revoke_client" = 1 ]; then
echo "has already been revoked." >&2 echo "has already been revoked." >&2
else else
echo "has been revoked." >&2 echo "has been revoked." >&2
@ -370,10 +370,11 @@ get_default_ip() {
} }
get_server_ip() { get_server_ip() {
bigecho2 "Trying to auto discover IP of this server..." use_default_ip=0
public_ip=${VPN_PUBLIC_IP:-''} public_ip=${VPN_PUBLIC_IP:-''}
check_ip "$public_ip" || get_default_ip check_ip "$public_ip" || get_default_ip
check_ip "$public_ip" && return 0 check_ip "$public_ip" && { use_default_ip=1; return 0; }
bigecho2 "Trying to auto discover IP of this server..."
check_ip "$public_ip" || public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) check_ip "$public_ip" || public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ipv4.icanhazip.com) check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ipv4.icanhazip.com)
check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ip1.dynupdate.no-ip.com) check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ip1.dynupdate.no-ip.com)
@ -405,7 +406,7 @@ list_existing_clients() {
fi fi
client_count=$(printf '%s\n' "$client_names" | wc -l 2>/dev/null) client_count=$(printf '%s\n' "$client_names" | wc -l 2>/dev/null)
[ -z "$client_names" ] && client_count=0 [ -z "$client_names" ] && client_count=0
if [ "$client_count" = "1" ]; then if [ "$client_count" = 1 ]; then
printf '\n%s\n' "Total: 1 client" printf '\n%s\n' "Total: 1 client"
elif [ -n "$client_count" ]; then elif [ -n "$client_count" ]; then
printf '\n%s\n' "Total: $client_count clients" printf '\n%s\n' "Total: $client_count clients"
@ -426,7 +427,7 @@ enter_server_address() {
echo echo
;; ;;
esac esac
if [ "$use_dns_name" = "1" ]; then if [ "$use_dns_name" = 1 ]; then
read -rp "Enter the DNS name of this VPN server: " server_addr read -rp "Enter the DNS name of this VPN server: " server_addr
until check_dns_name "$server_addr"; do until check_dns_name "$server_addr"; do
echo "Invalid DNS name. You must enter a fully qualified domain name (FQDN)." echo "Invalid DNS name. You must enter a fully qualified domain name (FQDN)."
@ -434,8 +435,7 @@ enter_server_address() {
done done
else else
get_server_ip get_server_ip
echo [ "$use_default_ip" = 0 ] && { echo; echo; }
echo
read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr
[ -z "$server_addr" ] && server_addr="$public_ip" [ -z "$server_addr" ] && server_addr="$public_ip"
until check_ip "$server_addr"; do until check_ip "$server_addr"; do
@ -476,7 +476,7 @@ enter_client_name() {
enter_client_name_for() { enter_client_name_for() {
echo echo
list_existing_clients list_existing_clients
if [ "$client_count" = "0" ]; then if [ "$client_count" = 0 ]; then
echo echo
echo "No IKEv2 clients in the IPsec database. Nothing to $1." >&2 echo "No IKEv2 clients in the IPsec database. Nothing to $1." >&2
exit 1 exit 1
@ -541,7 +541,7 @@ enter_custom_dns() {
dns_servers="8.8.8.8 8.8.4.4" dns_servers="8.8.8.8 8.8.4.4"
;; ;;
esac esac
if [ "$use_custom_dns" = "1" ]; then if [ "$use_custom_dns" = 1 ]; then
read -rp "Enter primary DNS server: " dns_server_1 read -rp "Enter primary DNS server: " dns_server_1
until check_ip "$dns_server_1"; do until check_ip "$dns_server_1"; do
echo "Invalid DNS server." echo "Invalid DNS server."
@ -582,7 +582,7 @@ check_mobike_support() {
fi fi
fi fi
# Linux kernels on Ubuntu do not support MOBIKE # Linux kernels on Ubuntu do not support MOBIKE
if [ "$in_container" = "0" ]; then if [ "$in_container" = 0 ]; then
if [ "$os_type" = "ubuntu" ] || uname -v | grep -qi ubuntu; then if [ "$os_type" = "ubuntu" ] || uname -v | grep -qi ubuntu; then
mobike_support=0 mobike_support=0
fi fi
@ -597,7 +597,7 @@ check_mobike_support() {
if uname -a | grep -qi synology; then if uname -a | grep -qi synology; then
mobike_support=0 mobike_support=0
fi fi
if [ "$mobike_support" = "1" ]; then if [ "$mobike_support" = 1 ]; then
bigecho2 "Checking for MOBIKE support... available" bigecho2 "Checking for MOBIKE support... available"
else else
bigecho2 "Checking for MOBIKE support... not available" bigecho2 "Checking for MOBIKE support... not available"
@ -607,7 +607,7 @@ check_mobike_support() {
select_mobike() { select_mobike() {
echo echo
mobike_enable=0 mobike_enable=0
if [ "$mobike_support" = "1" ]; then if [ "$mobike_support" = 1 ]; then
cat <<'EOF' cat <<'EOF'
The MOBIKE IKEv2 extension allows VPN clients to change network attachment points, The MOBIKE IKEv2 extension allows VPN clients to change network attachment points,
@ -642,7 +642,7 @@ check_config_password() {
} }
select_config_password() { select_config_password() {
if [ "$use_config_password" = "0" ]; then if [ "$use_config_password" = 0 ]; then
cat <<'EOF' cat <<'EOF'
IKEv2 client config files contain the client certificate, private key and CA certificate. IKEv2 client config files contain the client certificate, private key and CA certificate.
@ -699,13 +699,13 @@ We are ready to set up IKEv2 now. Below are the setup options you selected.
EOF EOF
print_server_client_info print_server_client_info
if [ "$client_validity" = "1" ]; then if [ "$client_validity" = 1 ]; then
echo "Client cert valid for: 1 month" echo "Client cert valid for: 1 month"
else else
echo "Client cert valid for: $client_validity months" echo "Client cert valid for: $client_validity months"
fi fi
if [ "$mobike_support" = "1" ]; then if [ "$mobike_support" = 1 ]; then
if [ "$mobike_enable" = "1" ]; then if [ "$mobike_enable" = 1 ]; then
echo "MOBIKE support: Enable" echo "MOBIKE support: Enable"
else else
echo "MOBIKE support: Disable" echo "MOBIKE support: Disable"
@ -713,7 +713,7 @@ EOF
else else
echo "MOBIKE support: Not available" echo "MOBIKE support: Not available"
fi fi
if [ "$use_config_password" = "1" ]; then if [ "$use_config_password" = 1 ]; then
echo "Protect client config: Yes" echo "Protect client config: Yes"
else else
echo "Protect client config: No" echo "Protect client config: No"
@ -754,7 +754,7 @@ create_p12_password() {
} }
get_p12_password() { get_p12_password() {
if [ "$use_config_password" = "0" ]; then if [ "$use_config_password" = 0 ]; then
create_p12_password create_p12_password
else else
p12_password=$(grep -s '^IKEV2_CONFIG_PASSWORD=.\+' "$CONF_FILE" | tail -n 1 | cut -f2- -d= | sed -e "s/^'//" -e "s/'$//") p12_password=$(grep -s '^IKEV2_CONFIG_PASSWORD=.\+' "$CONF_FILE" | tail -n 1 | cut -f2- -d= | sed -e "s/^'//" -e "s/'$//")
@ -788,7 +788,7 @@ export_p12_file() {
/bin/rm -f "$client_key" "$client_crt" "$ca_crt" /bin/rm -f "$client_key" "$client_crt" "$ca_crt"
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \ openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \
-legacy -name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1 -legacy -name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
if [ "$use_config_password" = "0" ]; then if [ "$use_config_password" = 0 ]; then
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \ openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \
-legacy -name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1 -legacy -name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1
fi fi
@ -798,18 +798,18 @@ export_p12_file() {
openssl pkcs12 -in "$p12_file_enc" -out "$pem_file" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1 openssl pkcs12 -in "$p12_file_enc" -out "$pem_file" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \ openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \
-name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1 -name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
if [ "$use_config_password" = "0" ]; then if [ "$use_config_password" = 0 ]; then
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \ openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \
-name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1 -name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1
fi fi
/bin/rm -f "$pem_file" /bin/rm -f "$pem_file"
elif [ "$use_config_password" = "0" ]; then elif [ "$use_config_password" = 0 ]; then
pk12util -W "" -d "$CERT_DB" -n "$client_name" -o "$p12_file" >/dev/null || exit 1 pk12util -W "" -d "$CERT_DB" -n "$client_name" -o "$p12_file" >/dev/null || exit 1
fi fi
if [ "$use_config_password" = "1" ]; then if [ "$use_config_password" = 1 ]; then
/bin/cp -f "$p12_file_enc" "$p12_file" /bin/cp -f "$p12_file_enc" "$p12_file"
fi fi
if [ "$export_to_home_dir" = "1" ]; then if [ "$export_to_home_dir" = 1 ]; then
chown "$SUDO_USER:$SUDO_USER" "$p12_file" chown "$SUDO_USER:$SUDO_USER" "$p12_file"
fi fi
chmod 600 "$p12_file" chmod 600 "$p12_file"
@ -950,7 +950,7 @@ cat > "$mc_file" <<EOF
</dict> </dict>
<dict> <dict>
EOF EOF
if [ "$use_config_password" = "0" ]; then if [ "$use_config_password" = 0 ]; then
cat >> "$mc_file" <<EOF cat >> "$mc_file" <<EOF
<key>Password</key> <key>Password</key>
<string>$p12_password</string> <string>$p12_password</string>
@ -1012,7 +1012,7 @@ $ca_base64
</dict> </dict>
</plist> </plist>
EOF EOF
if [ "$export_to_home_dir" = "1" ]; then if [ "$export_to_home_dir" = 1 ]; then
chown "$SUDO_USER:$SUDO_USER" "$mc_file" chown "$SUDO_USER:$SUDO_USER" "$mc_file"
fi fi
chmod 600 "$mc_file" chmod 600 "$mc_file"
@ -1041,7 +1041,7 @@ cat > "$sswan_file" <<EOF
"esp-proposal": "aes128gcm16" "esp-proposal": "aes128gcm16"
} }
EOF EOF
if [ "$export_to_home_dir" = "1" ]; then if [ "$export_to_home_dir" = 1 ]; then
chown "$SUDO_USER:$SUDO_USER" "$sswan_file" chown "$SUDO_USER:$SUDO_USER" "$sswan_file"
fi fi
chmod 600 "$sswan_file" chmod 600 "$sswan_file"
@ -1070,7 +1070,7 @@ y
N N
ANSWERS ANSWERS
sleep 1 sleep 1
if [ "$use_dns_name" = "1" ]; then if [ "$use_dns_name" = 1 ]; then
certutil -z <(head -c 1024 /dev/urandom) \ certutil -z <(head -c 1024 /dev/urandom) \
-S -c "$CA_NAME" -n "$server_addr" \ -S -c "$CA_NAME" -n "$server_addr" \
-s "O=IKEv2 VPN,CN=$server_addr" \ -s "O=IKEv2 VPN,CN=$server_addr" \
@ -1093,13 +1093,13 @@ ANSWERS
create_config_readme() { create_config_readme() {
readme_file="$export_dir$client_name-README.txt" readme_file="$export_dir$client_name-README.txt"
if [ "$in_container" = "0" ] && [ "$use_config_password" = "0" ] \ if [ "$in_container" = 0 ] && [ "$use_config_password" = 0 ] \
&& [ "$use_defaults" = "1" ] && [ ! -t 1 ] && [ ! -f "$readme_file" ]; then && [ "$use_defaults" = 1 ] && [ ! -t 1 ] && [ ! -f "$readme_file" ]; then
cat > "$readme_file" <<'EOF' cat > "$readme_file" <<'EOF'
These IKEv2 client config files were created during IPsec VPN setup. These IKEv2 client config files were created during IPsec VPN setup.
To configure IKEv2 clients, see: https://vpnsetup.net/clients To configure IKEv2 clients, see: https://vpnsetup.net/clients
EOF EOF
if [ "$export_to_home_dir" = "1" ]; then if [ "$export_to_home_dir" = 1 ]; then
chown "$SUDO_USER:$SUDO_USER" "$readme_file" chown "$SUDO_USER:$SUDO_USER" "$readme_file"
fi fi
chmod 600 "$readme_file" chmod 600 "$readme_file"
@ -1140,7 +1140,7 @@ conn ikev2-cp
salifetime=24h salifetime=24h
encapsulation=yes encapsulation=yes
EOF EOF
if [ "$use_dns_name" = "1" ]; then if [ "$use_dns_name" = 1 ]; then
cat >> "$IKEV2_CONF" <<EOF cat >> "$IKEV2_CONF" <<EOF
leftid=@$server_addr leftid=@$server_addr
EOF EOF
@ -1158,7 +1158,7 @@ cat >> "$IKEV2_CONF" <<EOF
modecfgdns=$dns_server_1 modecfgdns=$dns_server_1
EOF EOF
fi fi
if [ "$mobike_enable" = "1" ]; then if [ "$mobike_enable" = 1 ]; then
echo " mobike=yes" >> "$IKEV2_CONF" echo " mobike=yes" >> "$IKEV2_CONF"
else else
echo " mobike=no" >> "$IKEV2_CONF" echo " mobike=no" >> "$IKEV2_CONF"
@ -1189,7 +1189,7 @@ apply_ubuntu1804_nss_fix() {
} }
restart_ipsec_service() { restart_ipsec_service() {
if [ "$in_container" = "0" ] || { [ "$in_container" = "1" ] && service ipsec status >/dev/null 2>&1; }; then if [ "$in_container" = 0 ] || { [ "$in_container" = 1 ] && service ipsec status >/dev/null 2>&1; }; then
bigecho2 "Restarting IPsec service..." bigecho2 "Restarting IPsec service..."
mkdir -p /run/pluto mkdir -p /run/pluto
service ipsec restart 2>/dev/null service ipsec restart 2>/dev/null
@ -1281,7 +1281,7 @@ print_client_deleted() {
print_setup_complete() { print_setup_complete() {
printf '\e[2K\e[1A\e[2K\r' printf '\e[2K\e[1A\e[2K\r'
[ "$use_defaults" = "1" ] && printf '\e[1A\e[2K\e[1A\e[2K\e[1A\e[2K\r' [ "$use_defaults" = 1 ] && printf '\e[1A\e[2K\e[1A\e[2K\e[1A\e[2K\r'
cat <<EOF cat <<EOF
================================================ ================================================
@ -1292,7 +1292,7 @@ EOF
} }
print_client_info() { print_client_info() {
if [ "$in_container" = "0" ]; then if [ "$in_container" = 0 ]; then
cat <<'EOF' cat <<'EOF'
Client configuration is available at: Client configuration is available at:
EOF EOF
@ -1307,7 +1307,7 @@ $export_dir$client_name.p12 (for Windows & Linux)
$export_dir$client_name.sswan (for Android) $export_dir$client_name.sswan (for Android)
$export_dir$client_name.mobileconfig (for iOS & macOS) $export_dir$client_name.mobileconfig (for iOS & macOS)
EOF EOF
if [ "$use_config_password" = "1" ]; then if [ "$use_config_password" = 1 ]; then
cat <<EOF cat <<EOF
*IMPORTANT* Password for client config files: *IMPORTANT* Password for client config files:
@ -1491,7 +1491,7 @@ ikev2setup() {
check_config_password check_config_password
get_export_dir get_export_dir
if [ "$add_client" = "1" ]; then if [ "$add_client" = 1 ]; then
show_header show_header
show_add_client show_add_client
client_validity=120 client_validity=120
@ -1502,7 +1502,7 @@ ikev2setup() {
exit 0 exit 0
fi fi
if [ "$export_client" = "1" ]; then if [ "$export_client" = 1 ]; then
show_header show_header
show_export_client show_export_client
export_client_config export_client_config
@ -1511,14 +1511,14 @@ ikev2setup() {
exit 0 exit 0
fi fi
if [ "$list_clients" = "1" ]; then if [ "$list_clients" = 1 ]; then
show_header show_header
list_existing_clients list_existing_clients
echo echo
exit 0 exit 0
fi fi
if [ "$revoke_client" = "1" ]; then if [ "$revoke_client" = 1 ]; then
show_header show_header
confirm_revoke_cert confirm_revoke_cert
create_crl create_crl
@ -1529,7 +1529,7 @@ ikev2setup() {
exit 0 exit 0
fi fi
if [ "$delete_client" = "1" ]; then if [ "$delete_client" = 1 ]; then
show_header show_header
confirm_delete_cert confirm_delete_cert
delete_client_cert delete_client_cert
@ -1538,7 +1538,7 @@ ikev2setup() {
exit 0 exit 0
fi fi
if [ "$remove_ikev2" = "1" ]; then if [ "$remove_ikev2" = 1 ]; then
check_ipsec_conf check_ipsec_conf
show_header show_header
confirm_remove_ikev2 confirm_remove_ikev2
@ -1623,7 +1623,7 @@ ikev2setup() {
check_cert_exists_and_exit "$CA_NAME" check_cert_exists_and_exit "$CA_NAME"
if [ "$use_defaults" = "0" ]; then if [ "$use_defaults" = 0 ]; then
show_header show_header
show_welcome show_welcome
enter_server_address enter_server_address
@ -1661,7 +1661,7 @@ ikev2setup() {
fi fi
print_setup_complete print_setup_complete
print_client_info print_client_info
if [ "$in_container" = "0" ]; then if [ "$in_container" = 0 ]; then
check_swan_update check_swan_update
fi fi
} }

View File

@ -127,7 +127,7 @@ EOF
fi fi
else else
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9') os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
exiterr "Debian 8 or Ubuntu < 16.04 is not supported." exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
fi fi
fi fi
@ -150,7 +150,7 @@ check_iface() {
check_wl=1 check_wl=1
fi fi
fi fi
if [ "$check_wl" = "1" ]; then if [ "$check_wl" = 1 ]; then
case $def_iface in case $def_iface in
wl*) wl*)
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!" exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
@ -208,8 +208,8 @@ wait_for_apt() {
pkg_lk=/var/lib/dpkg/lock pkg_lk=/var/lib/dpkg/lock
while fuser "$apt_lk" "$pkg_lk" >/dev/null 2>&1 \ while fuser "$apt_lk" "$pkg_lk" >/dev/null 2>&1 \
|| lsof "$apt_lk" >/dev/null 2>&1 || lsof "$pkg_lk" >/dev/null 2>&1; do || lsof "$apt_lk" >/dev/null 2>&1 || lsof "$pkg_lk" >/dev/null 2>&1; do
[ "$count" = "0" ] && echo "## Waiting for apt to be available..." [ "$count" = 0 ] && echo "## Waiting for apt to be available..."
[ "$count" -ge "100" ] && exiterr "Could not get apt/dpkg lock." [ "$count" -ge 100 ] && exiterr "Could not get apt/dpkg lock."
count=$((count+1)) count=$((count+1))
printf '%s' '.' printf '%s' '.'
sleep 3 sleep 3

View File

@ -99,7 +99,7 @@ check_iface() {
else else
check_wl=1 check_wl=1
fi fi
if [ "$check_wl" = "1" ]; then if [ "$check_wl" = 1 ]; then
case $def_iface in case $def_iface in
wl*) wl*)
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!" exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
@ -244,8 +244,8 @@ update_iptables_rules() {
ipf='iptables -D FORWARD' ipf='iptables -D FORWARD'
ipp='iptables -t nat -D POSTROUTING' ipp='iptables -t nat -D POSTROUTING'
res='RELATED,ESTABLISHED' res='RELATED,ESTABLISHED'
if [ "$ipt_flag" = "1" ]; then if [ "$ipt_flag" = 1 ]; then
if [ "$use_nft" = "0" ]; then if [ "$use_nft" = 0 ]; then
bigecho "Updating IPTables rules..." bigecho "Updating IPTables rules..."
get_vpn_subnets get_vpn_subnets
iptables-save > "$IPT_FILE.old-$SYS_DT" iptables-save > "$IPT_FILE.old-$SYS_DT"

View File

@ -95,7 +95,7 @@ EOF
fi fi
else else
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9') os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
exiterr "Debian 8 or Ubuntu < 16.04 is not supported." exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
fi fi
fi fi

View File

@ -230,10 +230,10 @@ update_config() {
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \ -e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \ -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then if [ "$dns_state" = 1 ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \ sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf -e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then elif [ "$dns_state" = 2 ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi fi
sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/ikev2=never/d" /etc/ipsec.conf
@ -260,7 +260,7 @@ Libreswan $SWAN_VER has been successfully installed!
================================================ ================================================
EOF EOF
if [ "$dns_state" = "3" ]; then if [ "$dns_state" = 3 ]; then
cat <<'EOF' cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace IMPORTANT: You must edit /etc/ipsec.conf and replace
all occurrences of these two lines: all occurrences of these two lines:

View File

@ -219,10 +219,10 @@ update_config() {
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \ -e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \ -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then if [ "$dns_state" = 1 ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \ sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf -e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then elif [ "$dns_state" = 2 ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi fi
sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/ikev2=never/d" /etc/ipsec.conf
@ -248,7 +248,7 @@ Libreswan $SWAN_VER has been successfully installed!
================================================ ================================================
EOF EOF
if [ "$dns_state" = "3" ]; then if [ "$dns_state" = 3 ]; then
cat <<'EOF' cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace IMPORTANT: You must edit /etc/ipsec.conf and replace
all occurrences of these two lines: all occurrences of these two lines:

View File

@ -173,7 +173,7 @@ install_pkgs_2() {
if [ "$os_type$os_ver" = "ol7" ]; then if [ "$os_type$os_ver" = "ol7" ]; then
rp2="$erp=ol7_optional_latest" rp2="$erp=ol7_optional_latest"
fi fi
if [ "$os_ver" = "7" ]; then if [ "$os_ver" = 7 ]; then
( (
set -x set -x
yum "$rp1" "$rp2" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null yum "$rp1" "$rp2" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
@ -271,10 +271,10 @@ update_config() {
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \ -e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \ -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then if [ "$dns_state" = 1 ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \ sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf -e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then elif [ "$dns_state" = 2 ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi fi
sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/ikev2=never/d" /etc/ipsec.conf
@ -300,7 +300,7 @@ Libreswan $SWAN_VER has been successfully installed!
================================================ ================================================
EOF EOF
if [ "$dns_state" = "3" ]; then if [ "$dns_state" = 3 ]; then
cat <<'EOF' cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace IMPORTANT: You must edit /etc/ipsec.conf and replace
all occurrences of these two lines: all occurrences of these two lines:

View File

@ -57,7 +57,7 @@ check_os() {
;; ;;
esac esac
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9') os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
exiterr "Debian 8 or Ubuntu < 16.04 is not supported." exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
fi fi
} }
@ -260,10 +260,10 @@ update_config() {
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \ -e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \ -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then if [ "$dns_state" = 1 ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \ sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf -e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then elif [ "$dns_state" = 2 ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi fi
sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/ikev2=never/d" /etc/ipsec.conf
@ -289,7 +289,7 @@ Libreswan $SWAN_VER has been successfully installed!
================================================ ================================================
EOF EOF
if [ "$dns_state" = "3" ]; then if [ "$dns_state" = 3 ]; then
cat <<'EOF' cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace IMPORTANT: You must edit /etc/ipsec.conf and replace
all occurrences of these two lines: all occurrences of these two lines:

View File

@ -127,7 +127,7 @@ EOF
fi fi
else else
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9') os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
exiterr "Debian 8 or Ubuntu < 16.04 is not supported." exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
fi fi
fi fi
@ -150,7 +150,7 @@ check_iface() {
check_wl=1 check_wl=1
fi fi
fi fi
if [ "$check_wl" = "1" ]; then if [ "$check_wl" = 1 ]; then
case $def_iface in case $def_iface in
wl*) wl*)
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!" exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
@ -208,8 +208,8 @@ wait_for_apt() {
pkg_lk=/var/lib/dpkg/lock pkg_lk=/var/lib/dpkg/lock
while fuser "$apt_lk" "$pkg_lk" >/dev/null 2>&1 \ while fuser "$apt_lk" "$pkg_lk" >/dev/null 2>&1 \
|| lsof "$apt_lk" >/dev/null 2>&1 || lsof "$pkg_lk" >/dev/null 2>&1; do || lsof "$apt_lk" >/dev/null 2>&1 || lsof "$pkg_lk" >/dev/null 2>&1; do
[ "$count" = "0" ] && echo "## Waiting for apt to be available..." [ "$count" = 0 ] && echo "## Waiting for apt to be available..."
[ "$count" -ge "100" ] && exiterr "Could not get apt/dpkg lock." [ "$count" -ge 100 ] && exiterr "Could not get apt/dpkg lock."
count=$((count+1)) count=$((count+1))
printf '%s' '.' printf '%s' '.'
sleep 3 sleep 3

View File

@ -261,7 +261,7 @@ check_libreswan() {
} }
get_libreswan() { get_libreswan() {
if [ "$check_result" = "0" ]; then if [ "$check_result" = 0 ]; then
bigecho "Downloading Libreswan..." bigecho "Downloading Libreswan..."
cd /opt/src || exit 1 cd /opt/src || exit 1
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
@ -279,7 +279,7 @@ get_libreswan() {
} }
install_libreswan() { install_libreswan() {
if [ "$check_result" = "0" ]; then if [ "$check_result" = 0 ]; then
bigecho "Compiling and installing Libreswan, please wait..." bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1 cd "libreswan-$SWAN_VER" || exit 1
sed -i '28s/stdlib\.h/sys\/types.h/' include/fd.h sed -i '28s/stdlib\.h/sys\/types.h/' include/fd.h
@ -463,7 +463,7 @@ update_iptables() {
ipf='iptables -I FORWARD' ipf='iptables -I FORWARD'
ipp='iptables -t nat -I POSTROUTING' ipp='iptables -t nat -I POSTROUTING'
res='RELATED,ESTABLISHED' res='RELATED,ESTABLISHED'
if [ "$ipt_flag" = "1" ]; then if [ "$ipt_flag" = 1 ]; then
service fail2ban stop >/dev/null 2>&1 service fail2ban stop >/dev/null 2>&1
iptables-save > "$IPT_FILE.old-$SYS_DT" iptables-save > "$IPT_FILE.old-$SYS_DT"
$ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP $ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
@ -555,7 +555,7 @@ set_up_ikev2() {
skip_ikev2=1 skip_ikev2=1
;; ;;
esac esac
if [ "$skip_ikev2" = "0" ]; then if [ "$skip_ikev2" = 0 ]; then
sleep 1 sleep 1
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \ VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \ VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \

View File

@ -275,7 +275,7 @@ check_libreswan() {
} }
get_libreswan() { get_libreswan() {
if [ "$check_result" = "0" ]; then if [ "$check_result" = 0 ]; then
bigecho "Downloading Libreswan..." bigecho "Downloading Libreswan..."
cd /opt/src || exit 1 cd /opt/src || exit 1
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
@ -293,7 +293,7 @@ get_libreswan() {
} }
install_libreswan() { install_libreswan() {
if [ "$check_result" = "0" ]; then if [ "$check_result" = 0 ]; then
bigecho "Compiling and installing Libreswan, please wait..." bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1 cd "libreswan-$SWAN_VER" || exit 1
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
@ -474,7 +474,7 @@ update_iptables() {
ipf='iptables -I FORWARD' ipf='iptables -I FORWARD'
ipp='iptables -t nat -I POSTROUTING' ipp='iptables -t nat -I POSTROUTING'
res='RELATED,ESTABLISHED' res='RELATED,ESTABLISHED'
if [ "$ipt_flag" = "1" ]; then if [ "$ipt_flag" = 1 ]; then
service fail2ban stop >/dev/null 2>&1 service fail2ban stop >/dev/null 2>&1
iptables-save > "$IPT_FILE.old-$SYS_DT" iptables-save > "$IPT_FILE.old-$SYS_DT"
$ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP $ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
@ -572,7 +572,7 @@ set_up_ikev2() {
skip_ikev2=1 skip_ikev2=1
;; ;;
esac esac
if [ "$skip_ikev2" = "0" ]; then if [ "$skip_ikev2" = 0 ]; then
sleep 1 sleep 1
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \ VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \ VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \

View File

@ -237,9 +237,9 @@ install_vpn_pkgs_1() {
rp2="$erp=*server-*optional*" rp2="$erp=*server-*optional*"
rp3="$erp=*releases-optional*" rp3="$erp=*releases-optional*"
if [ "$os_type" = "ol" ]; then if [ "$os_type" = "ol" ]; then
if [ "$os_ver" = "9" ]; then if [ "$os_ver" = 9 ]; then
rp1="$erp=ol9_developer_EPEL" rp1="$erp=ol9_developer_EPEL"
elif [ "$os_ver" = "8" ]; then elif [ "$os_ver" = 8 ]; then
rp1="$erp=ol8_developer_EPEL" rp1="$erp=ol8_developer_EPEL"
else else
rp3="$erp=ol7_optional_latest" rp3="$erp=ol7_optional_latest"
@ -266,7 +266,7 @@ install_vpn_pkgs_3() {
p2=libevent-devel p2=libevent-devel
p3=fipscheck-devel p3=fipscheck-devel
p4=iptables-services p4=iptables-services
if [ "$os_ver" = "7" ]; then if [ "$os_ver" = 7 ]; then
( (
set -x set -x
yum "$rp2" "$rp3" -y -q install $p1 $p2 $p3 $p4 >/dev/null yum "$rp2" "$rp3" -y -q install $p1 $p2 $p3 $p4 >/dev/null
@ -276,7 +276,7 @@ install_vpn_pkgs_3() {
set -x set -x
yum -y -q install $p1 $p2 >/dev/null yum -y -q install $p1 $p2 >/dev/null
) || exiterr2 ) || exiterr2
if [ "$os_ver" = "9" ] || [ "$os_ver" = "9s" ] \ if [ "$os_ver" = 9 ] || [ "$os_ver" = 9s ] \
|| systemctl is-active --quiet firewalld \ || systemctl is-active --quiet firewalld \
|| systemctl is-active --quiet nftables \ || systemctl is-active --quiet nftables \
|| grep -qs "hwdsl2 VPN script" /etc/sysconfig/nftables.conf; then || grep -qs "hwdsl2 VPN script" /etc/sysconfig/nftables.conf; then
@ -301,7 +301,7 @@ filter = sshd
logpath = /var/log/secure logpath = /var/log/secure
EOF EOF
if [ "$use_nft" = "1" ]; then if [ "$use_nft" = 1 ]; then
cat >> "$F2B_FILE" <<'EOF' cat >> "$F2B_FILE" <<'EOF'
port = ssh port = ssh
banaction = nftables-multiport[blocktype=drop] banaction = nftables-multiport[blocktype=drop]
@ -375,7 +375,7 @@ check_libreswan() {
} }
get_libreswan() { get_libreswan() {
if [ "$check_result" = "0" ]; then if [ "$check_result" = 0 ]; then
bigecho "Downloading Libreswan..." bigecho "Downloading Libreswan..."
cd /opt/src || exit 1 cd /opt/src || exit 1
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
@ -393,7 +393,7 @@ get_libreswan() {
} }
install_libreswan() { install_libreswan() {
if [ "$check_result" = "0" ]; then if [ "$check_result" = 0 ]; then
bigecho "Compiling and installing Libreswan, please wait..." bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1 cd "libreswan-$SWAN_VER" || exit 1
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
@ -573,7 +573,7 @@ EOF
update_iptables() { update_iptables() {
bigecho "Updating IPTables rules..." bigecho "Updating IPTables rules..."
IPT_FILE=/etc/sysconfig/iptables IPT_FILE=/etc/sysconfig/iptables
[ "$use_nft" = "1" ] && IPT_FILE=/etc/sysconfig/nftables.conf [ "$use_nft" = 1 ] && IPT_FILE=/etc/sysconfig/nftables.conf
ipt_flag=0 ipt_flag=0
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
ipt_flag=1 ipt_flag=1
@ -584,9 +584,9 @@ update_iptables() {
res='RELATED,ESTABLISHED' res='RELATED,ESTABLISHED'
nff='nft insert rule inet firewalld' nff='nft insert rule inet firewalld'
nfn='nft insert rule inet nftables_svc' nfn='nft insert rule inet nftables_svc'
if [ "$ipt_flag" = "1" ]; then if [ "$ipt_flag" = 1 ]; then
service fail2ban stop >/dev/null 2>&1 service fail2ban stop >/dev/null 2>&1
if [ "$use_nft" = "1" ]; then if [ "$use_nft" = 1 ]; then
nft list ruleset > "$IPT_FILE.old-$SYS_DT" nft list ruleset > "$IPT_FILE.old-$SYS_DT"
chmod 600 "$IPT_FILE.old-$SYS_DT" chmod 600 "$IPT_FILE.old-$SYS_DT"
else else
@ -605,13 +605,13 @@ update_iptables() {
$ipf 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate "$res" -j ACCEPT $ipf 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate "$res" -j ACCEPT
$ipf 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT $ipf 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
$ipf 7 -s "$XAUTH_NET" -o ppp+ -j ACCEPT $ipf 7 -s "$XAUTH_NET" -o ppp+ -j ACCEPT
if [ "$use_nft" != "1" ]; then if [ "$use_nft" != 1 ]; then
iptables -A FORWARD -j DROP iptables -A FORWARD -j DROP
fi fi
$ipp -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE $ipp -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
$ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE $ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
if [ "$use_nft" = "1" ]; then if [ "$use_nft" = 1 ]; then
for vport in 500 4500 1701; do for vport in 500 4500 1701; do
$nff filter_INPUT udp dport "$vport" accept 2>/dev/null $nff filter_INPUT udp dport "$vport" accept 2>/dev/null
$nfn allow udp dport "$vport" accept 2>/dev/null $nfn allow udp dport "$vport" accept 2>/dev/null
@ -660,7 +660,7 @@ enable_on_boot() {
systemctl --now mask firewalld 2>/dev/null systemctl --now mask firewalld 2>/dev/null
if [ "$os_type$os_ver" = "ol9" ]; then if [ "$os_type$os_ver" = "ol9" ]; then
systemctl enable nftables 2>/dev/null systemctl enable nftables 2>/dev/null
elif [ "$use_nft" = "1" ]; then elif [ "$use_nft" = 1 ]; then
systemctl enable nftables 2>/dev/null systemctl enable nftables 2>/dev/null
systemctl enable fail2ban 2>/dev/null systemctl enable fail2ban 2>/dev/null
else else
@ -692,7 +692,7 @@ start_services() {
restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
if [ "$use_nft" = "1" ]; then if [ "$use_nft" = 1 ]; then
nft -f "$IPT_FILE" nft -f "$IPT_FILE"
else else
iptables-restore < "$IPT_FILE" iptables-restore < "$IPT_FILE"
@ -740,7 +740,7 @@ set_up_ikev2() {
skip_ikev2=1 skip_ikev2=1
;; ;;
esac esac
if [ "$skip_ikev2" = "0" ]; then if [ "$skip_ikev2" = 0 ]; then
sleep 1 sleep 1
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \ VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \ VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \

View File

@ -90,7 +90,7 @@ check_os() {
;; ;;
esac esac
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9') os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
exiterr "Debian 8 or Ubuntu < 16.04 is not supported." exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
fi fi
} }
@ -194,8 +194,8 @@ wait_for_apt() {
pkg_lk=/var/lib/dpkg/lock pkg_lk=/var/lib/dpkg/lock
while fuser "$apt_lk" "$pkg_lk" >/dev/null 2>&1 \ while fuser "$apt_lk" "$pkg_lk" >/dev/null 2>&1 \
|| lsof "$apt_lk" >/dev/null 2>&1 || lsof "$pkg_lk" >/dev/null 2>&1; do || lsof "$apt_lk" >/dev/null 2>&1 || lsof "$pkg_lk" >/dev/null 2>&1; do
[ "$count" = "0" ] && echo "## Waiting for apt to be available..." [ "$count" = 0 ] && echo "## Waiting for apt to be available..."
[ "$count" -ge "100" ] && exiterr "Could not get apt/dpkg lock." [ "$count" -ge 100 ] && exiterr "Could not get apt/dpkg lock."
count=$((count+1)) count=$((count+1))
printf '%s' '.' printf '%s' '.'
sleep 3 sleep 3
@ -312,7 +312,7 @@ check_libreswan() {
} }
get_libreswan() { get_libreswan() {
if [ "$check_result" = "0" ]; then if [ "$check_result" = 0 ]; then
bigecho "Downloading Libreswan..." bigecho "Downloading Libreswan..."
cd /opt/src || exit 1 cd /opt/src || exit 1
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
@ -330,7 +330,7 @@ get_libreswan() {
} }
install_libreswan() { install_libreswan() {
if [ "$check_result" = "0" ]; then if [ "$check_result" = 0 ]; then
bigecho "Compiling and installing Libreswan, please wait..." bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1 cd "libreswan-$SWAN_VER" || exit 1
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
@ -532,7 +532,7 @@ update_iptables() {
ipf='iptables -I FORWARD' ipf='iptables -I FORWARD'
ipp='iptables -t nat -I POSTROUTING' ipp='iptables -t nat -I POSTROUTING'
res='RELATED,ESTABLISHED' res='RELATED,ESTABLISHED'
if [ "$ipt_flag" = "1" ]; then if [ "$ipt_flag" = 1 ]; then
service fail2ban stop >/dev/null 2>&1 service fail2ban stop >/dev/null 2>&1
iptables-save > "$IPT_FILE.old-$SYS_DT" iptables-save > "$IPT_FILE.old-$SYS_DT"
$ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP $ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
@ -583,7 +583,7 @@ enable_on_boot() {
if [ -f "$IPT_FILE2" ] && { [ -f "$IPT_PST" ] || [ -f "$IPT_PST2" ]; }; then if [ -f "$IPT_FILE2" ] && { [ -f "$IPT_PST" ] || [ -f "$IPT_PST2" ]; }; then
ipt_load=0 ipt_load=0
fi fi
if [ "$ipt_load" = "1" ]; then if [ "$ipt_load" = 1 ]; then
mkdir -p /etc/network/if-pre-up.d mkdir -p /etc/network/if-pre-up.d
cat > /etc/network/if-pre-up.d/iptablesload <<'EOF' cat > /etc/network/if-pre-up.d/iptablesload <<'EOF'
#!/bin/sh #!/bin/sh
@ -688,7 +688,7 @@ set_up_ikev2() {
skip_ikev2=1 skip_ikev2=1
;; ;;
esac esac
if [ "$skip_ikev2" = "0" ]; then if [ "$skip_ikev2" = 0 ]; then
sleep 1 sleep 1
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \ VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \ VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \