mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2024-11-22 04:56:03 +03:00
Code Issues Projects Releases Wiki Activity

Cleanup

Browse Source
This commit is contained in:
hwdsl2 2022-09-24 18:56:27 -05:00
parent 32faed40d5
commit cc99e18123
15 changed files with 128 additions and 130 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
extras/del_vpn_user.sh
View File

@ -65,16 +65,16 @@ EOF
exiterr "VPN username must not contain these special characters: \\ \" '"
;;
esac
if [ "$(grep -c "^\"$VPN_USER\" " /etc/ppp/chap-secrets)" = "0" ] \
|| [ "$(grep -c "^$VPN_USER:\\\$1\\\$" /etc/ipsec.d/passwd)" = "0" ]; then
if [ "$(grep -c "^\"$VPN_USER\" " /etc/ppp/chap-secrets)" = 0 ] \
|| [ "$(grep -c "^$VPN_USER:\\\$1\\\$" /etc/ipsec.d/passwd)" = 0 ]; then
cat 1>&2 <<'EOF'
Error: The specified VPN user does not exist in /etc/ppp/chap-secrets
and/or /etc/ipsec.d/passwd.
EOF
exit 1
fi
if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = "1" ] \
|| [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = "1" ]; then
if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = 1 ] \
|| [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = 1 ]; then
cat 1>&2 <<'EOF'
Error: Could not delete the only VPN user from /etc/ppp/chap-secrets
and/or /etc/ipsec.d/passwd.

26
extras/ikev2changeaddr.sh
View File

@ -108,7 +108,6 @@ get_server_address() {
show_welcome() {
cat <<EOF
Welcome! Use this script to change this IKEv2 VPN server's address.
A new server certificate will be generated if necessary.
Current server address: $server_addr_old
@ -124,10 +123,11 @@ get_default_ip() {
}
get_server_ip() {
bigecho "Trying to auto discover IP of this server..."
use_default_ip=0
public_ip=${VPN_PUBLIC_IP:-''}
check_ip "$public_ip" || get_default_ip
check_ip "$public_ip" && return 0
check_ip "$public_ip" && { use_default_ip=1; return 0; }
bigecho "Trying to auto discover IP of this server..."
check_ip "$public_ip" || public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ipv4.icanhazip.com)
check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ip1.dynupdate.no-ip.com)
@ -147,7 +147,7 @@ enter_server_address() {
echo
;;
esac
if [ "$use_dns_name" = "1" ]; then
if [ "$use_dns_name" = 1 ]; then
read -rp "Enter the DNS name of this VPN server: " server_addr
until check_dns_name "$server_addr"; do
echo "Invalid DNS name. You must enter a fully qualified domain name (FQDN)."
@ -155,7 +155,7 @@ enter_server_address() {
done
else
get_server_ip
echo
[ "$use_default_ip" = 0 ] && echo
read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr
[ -z "$server_addr" ] && server_addr="$public_ip"
until check_ip "$server_addr"; do
@ -178,7 +178,11 @@ confirm_changes() {
cat <<EOF
You are about to change this IKEv2 VPN server's address.
Read the important notes below before continuing.
*IMPORTANT* After running this script, you must manually update
the server address (and remote ID, if applicable) on any existing
IKEv2 client devices. For iOS clients, you'll need to export and
re-import client configuration using the IKEv2 helper script.
===========================================
@ -187,12 +191,6 @@ New server address: $server_addr
===========================================
*IMPORTANT*
After running this script, you must manually update the server address
(and remote ID, if applicable) on any existing IKEv2 client devices.
For iOS clients, you'll need to export and re-import client configuration
using the IKEv2 helper script.
EOF
printf "Do you want to continue? [Y/n] "
read -r response
@ -211,7 +209,7 @@ create_server_cert() {
bigecho "Server certificate '$server_addr' already exists, skipping..."
else
bigecho "Generating server certificate..."
if [ "$use_dns_name" = "1" ]; then
if [ "$use_dns_name" = 1 ]; then
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "IKEv2 VPN CA" -n "$server_addr" \
-s "O=IKEv2 VPN,CN=$server_addr" \
@ -242,7 +240,7 @@ update_ikev2_conf() {
sed -i".old-$SYS_DT" \
-e "/^[[:space:]]\+leftcert=/d" \
-e "/^[[:space:]]\+leftid=/d" /etc/ipsec.d/ikev2.conf
if [ "$use_dns_name" = "1" ]; then
if [ "$use_dns_name" = 1 ]; then
sed -i "/conn ikev2-cp/a \ leftid=@$server_addr" /etc/ipsec.d/ikev2.conf
else
sed -i "/conn ikev2-cp/a \ leftid=$server_addr" /etc/ipsec.d/ikev2.conf

110
extras/ikev2setup.sh
View File

@ -211,7 +211,7 @@ check_cert_status() {
}
check_arguments() {
if [ "$use_defaults" = "1" ] && check_ikev2_exists; then
if [ "$use_defaults" = 1 ] && check_ikev2_exists; then
echo "Error: Invalid parameter '--auto'. IKEv2 is already set up on this server." >&2
echo " To manage VPN clients, re-run this script without '--auto'." >&2
echo " To change IKEv2 server address, see https://vpnsetup.net/ikev2" >&2
@ -220,37 +220,37 @@ check_arguments() {
if [ "$((add_client + export_client + list_clients + revoke_client + delete_client))" -gt 1 ]; then
show_usage "Invalid parameters. Specify only one of '--addclient', '--exportclient', '--listclients', '--revokeclient' or '--deleteclient'."
fi
if [ "$remove_ikev2" = "1" ]; then
if [ "$remove_ikev2" = 1 ]; then
if [ "$((add_client + export_client + list_clients + revoke_client + delete_client + use_defaults))" -gt 0 ]; then
show_usage "Invalid parameters. '--removeikev2' cannot be specified with other parameters."
fi
fi
if ! check_ikev2_exists; then
[ "$add_client" = "1" ] && exiterr "You must first set up IKEv2 before adding a client."
[ "$export_client" = "1" ] && exiterr "You must first set up IKEv2 before exporting a client."
[ "$list_clients" = "1" ] && exiterr "You must first set up IKEv2 before listing clients."
[ "$revoke_client" = "1" ] && exiterr "You must first set up IKEv2 before revoking a client."
[ "$delete_client" = "1" ] && exiterr "You must first set up IKEv2 before deleting a client."
[ "$remove_ikev2" = "1" ] && exiterr "Cannot remove IKEv2 because it has not been set up on this server."
[ "$add_client" = 1 ] && exiterr "You must first set up IKEv2 before adding a client."
[ "$export_client" = 1 ] && exiterr "You must first set up IKEv2 before exporting a client."
[ "$list_clients" = 1 ] && exiterr "You must first set up IKEv2 before listing clients."
[ "$revoke_client" = 1 ] && exiterr "You must first set up IKEv2 before revoking a client."
[ "$delete_client" = 1 ] && exiterr "You must first set up IKEv2 before deleting a client."
[ "$remove_ikev2" = 1 ] && exiterr "Cannot remove IKEv2 because it has not been set up on this server."
fi
if [ "$add_client" = "1" ]; then
if [ "$add_client" = 1 ]; then
if [ -z "$client_name" ] || ! check_client_name "$client_name"; then
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
elif check_cert_exists "$client_name"; then
exiterr "Invalid client name. Client '$client_name' already exists."
fi
fi
if [ "$export_client" = "1" ] || [ "$revoke_client" = "1" ] || [ "$delete_client" = "1" ]; then
if [ "$export_client" = 1 ] || [ "$revoke_client" = 1 ] || [ "$delete_client" = 1 ]; then
get_server_address
if [ -z "$client_name" ] || ! check_client_name "$client_name" \
|| [ "$client_name" = "$CA_NAME" ] || [ "$client_name" = "$server_addr" ] \
|| ! check_cert_exists "$client_name"; then
exiterr "Invalid client name, or client does not exist."
fi
if [ "$delete_client" = "0" ] && ! check_cert_status "$client_name"; then
if [ "$delete_client" = 0 ] && ! check_cert_status "$client_name"; then
printf '%s' "Error: Certificate '$client_name' " >&2
if printf '%s' "$cert_status" | grep -q "revoked"; then
if [ "$revoke_client" = "1" ]; then
if [ "$revoke_client" = 1 ]; then
echo "has already been revoked." >&2
else
echo "has been revoked." >&2
@ -370,10 +370,11 @@ get_default_ip() {
}
get_server_ip() {
bigecho2 "Trying to auto discover IP of this server..."
use_default_ip=0
public_ip=${VPN_PUBLIC_IP:-''}
check_ip "$public_ip" || get_default_ip
check_ip "$public_ip" && return 0
check_ip "$public_ip" && { use_default_ip=1; return 0; }
bigecho2 "Trying to auto discover IP of this server..."
check_ip "$public_ip" || public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ipv4.icanhazip.com)
check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ip1.dynupdate.no-ip.com)
@ -405,7 +406,7 @@ list_existing_clients() {
fi
client_count=$(printf '%s\n' "$client_names" | wc -l 2>/dev/null)
[ -z "$client_names" ] && client_count=0
if [ "$client_count" = "1" ]; then
if [ "$client_count" = 1 ]; then
printf '\n%s\n' "Total: 1 client"
elif [ -n "$client_count" ]; then
printf '\n%s\n' "Total: $client_count clients"
@ -426,7 +427,7 @@ enter_server_address() {
echo
;;
esac
if [ "$use_dns_name" = "1" ]; then
if [ "$use_dns_name" = 1 ]; then
read -rp "Enter the DNS name of this VPN server: " server_addr
until check_dns_name "$server_addr"; do
echo "Invalid DNS name. You must enter a fully qualified domain name (FQDN)."
@ -434,8 +435,7 @@ enter_server_address() {
done
else
get_server_ip
echo
echo
[ "$use_default_ip" = 0 ] && { echo; echo; }
read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr
[ -z "$server_addr" ] && server_addr="$public_ip"
until check_ip "$server_addr"; do
@ -476,7 +476,7 @@ enter_client_name() {
enter_client_name_for() {
echo
list_existing_clients
if [ "$client_count" = "0" ]; then
if [ "$client_count" = 0 ]; then
echo
echo "No IKEv2 clients in the IPsec database. Nothing to $1." >&2
exit 1
@ -541,7 +541,7 @@ enter_custom_dns() {
dns_servers="8.8.8.8 8.8.4.4"
;;
esac
if [ "$use_custom_dns" = "1" ]; then
if [ "$use_custom_dns" = 1 ]; then
read -rp "Enter primary DNS server: " dns_server_1
until check_ip "$dns_server_1"; do
echo "Invalid DNS server."
@ -582,7 +582,7 @@ check_mobike_support() {
fi
fi
# Linux kernels on Ubuntu do not support MOBIKE
if [ "$in_container" = "0" ]; then
if [ "$in_container" = 0 ]; then
if [ "$os_type" = "ubuntu" ] || uname -v | grep -qi ubuntu; then
mobike_support=0
fi
@ -597,7 +597,7 @@ check_mobike_support() {
if uname -a | grep -qi synology; then
mobike_support=0
fi
if [ "$mobike_support" = "1" ]; then
if [ "$mobike_support" = 1 ]; then
bigecho2 "Checking for MOBIKE support... available"
else
bigecho2 "Checking for MOBIKE support... not available"
@ -607,7 +607,7 @@ check_mobike_support() {
select_mobike() {
echo
mobike_enable=0
if [ "$mobike_support" = "1" ]; then
if [ "$mobike_support" = 1 ]; then
cat <<'EOF'
The MOBIKE IKEv2 extension allows VPN clients to change network attachment points,
@ -642,7 +642,7 @@ check_config_password() {
}
select_config_password() {
if [ "$use_config_password" = "0" ]; then
if [ "$use_config_password" = 0 ]; then
cat <<'EOF'
IKEv2 client config files contain the client certificate, private key and CA certificate.
@ -699,13 +699,13 @@ We are ready to set up IKEv2 now. Below are the setup options you selected.
EOF
print_server_client_info
if [ "$client_validity" = "1" ]; then
if [ "$client_validity" = 1 ]; then
echo "Client cert valid for: 1 month"
else
echo "Client cert valid for: $client_validity months"
fi
if [ "$mobike_support" = "1" ]; then
if [ "$mobike_enable" = "1" ]; then
if [ "$mobike_support" = 1 ]; then
if [ "$mobike_enable" = 1 ]; then
echo "MOBIKE support: Enable"
else
echo "MOBIKE support: Disable"
@ -713,7 +713,7 @@ EOF
else
echo "MOBIKE support: Not available"
fi
if [ "$use_config_password" = "1" ]; then
if [ "$use_config_password" = 1 ]; then
echo "Protect client config: Yes"
else
echo "Protect client config: No"
@ -754,7 +754,7 @@ create_p12_password() {
}
get_p12_password() {
if [ "$use_config_password" = "0" ]; then
if [ "$use_config_password" = 0 ]; then
create_p12_password
else
p12_password=$(grep -s '^IKEV2_CONFIG_PASSWORD=.\+' "$CONF_FILE" | tail -n 1 | cut -f2- -d= | sed -e "s/^'//" -e "s/'$//")
@ -788,7 +788,7 @@ export_p12_file() {
/bin/rm -f "$client_key" "$client_crt" "$ca_crt"
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \
-legacy -name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
if [ "$use_config_password" = "0" ]; then
if [ "$use_config_password" = 0 ]; then
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \
-legacy -name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1
fi
@ -798,18 +798,18 @@ export_p12_file() {
openssl pkcs12 -in "$p12_file_enc" -out "$pem_file" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \
-name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
if [ "$use_config_password" = "0" ]; then
if [ "$use_config_password" = 0 ]; then
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \
-name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1
fi
/bin/rm -f "$pem_file"
elif [ "$use_config_password" = "0" ]; then
elif [ "$use_config_password" = 0 ]; then
pk12util -W "" -d "$CERT_DB" -n "$client_name" -o "$p12_file" >/dev/null || exit 1
fi
if [ "$use_config_password" = "1" ]; then
if [ "$use_config_password" = 1 ]; then
/bin/cp -f "$p12_file_enc" "$p12_file"
fi
if [ "$export_to_home_dir" = "1" ]; then
if [ "$export_to_home_dir" = 1 ]; then
chown "$SUDO_USER:$SUDO_USER" "$p12_file"
fi
chmod 600 "$p12_file"
@ -950,7 +950,7 @@ cat > "$mc_file" <<EOF
</dict>
<dict>
EOF
if [ "$use_config_password" = "0" ]; then
if [ "$use_config_password" = 0 ]; then
cat >> "$mc_file" <<EOF
<key>Password</key>
<string>$p12_password</string>
@ -1012,7 +1012,7 @@ $ca_base64
</dict>
</plist>
EOF
if [ "$export_to_home_dir" = "1" ]; then
if [ "$export_to_home_dir" = 1 ]; then
chown "$SUDO_USER:$SUDO_USER" "$mc_file"
fi
chmod 600 "$mc_file"
@ -1041,7 +1041,7 @@ cat > "$sswan_file" <<EOF
"esp-proposal": "aes128gcm16"
}
EOF
if [ "$export_to_home_dir" = "1" ]; then
if [ "$export_to_home_dir" = 1 ]; then
chown "$SUDO_USER:$SUDO_USER" "$sswan_file"
fi
chmod 600 "$sswan_file"
@ -1070,7 +1070,7 @@ y
N
ANSWERS
sleep 1
if [ "$use_dns_name" = "1" ]; then
if [ "$use_dns_name" = 1 ]; then
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "$CA_NAME" -n "$server_addr" \
-s "O=IKEv2 VPN,CN=$server_addr" \
@ -1093,13 +1093,13 @@ ANSWERS
create_config_readme() {
readme_file="$export_dir$client_name-README.txt"
if [ "$in_container" = "0" ] && [ "$use_config_password" = "0" ] \
&& [ "$use_defaults" = "1" ] && [ ! -t 1 ] && [ ! -f "$readme_file" ]; then
if [ "$in_container" = 0 ] && [ "$use_config_password" = 0 ] \
&& [ "$use_defaults" = 1 ] && [ ! -t 1 ] && [ ! -f "$readme_file" ]; then
cat > "$readme_file" <<'EOF'
These IKEv2 client config files were created during IPsec VPN setup.
To configure IKEv2 clients, see: https://vpnsetup.net/clients
EOF
if [ "$export_to_home_dir" = "1" ]; then
if [ "$export_to_home_dir" = 1 ]; then
chown "$SUDO_USER:$SUDO_USER" "$readme_file"
fi
chmod 600 "$readme_file"
@ -1140,7 +1140,7 @@ conn ikev2-cp
salifetime=24h
encapsulation=yes
EOF
if [ "$use_dns_name" = "1" ]; then
if [ "$use_dns_name" = 1 ]; then
cat >> "$IKEV2_CONF" <<EOF
leftid=@$server_addr
EOF
@ -1158,7 +1158,7 @@ cat >> "$IKEV2_CONF" <<EOF
modecfgdns=$dns_server_1
EOF
fi
if [ "$mobike_enable" = "1" ]; then
if [ "$mobike_enable" = 1 ]; then
echo " mobike=yes" >> "$IKEV2_CONF"
else
echo " mobike=no" >> "$IKEV2_CONF"
@ -1189,7 +1189,7 @@ apply_ubuntu1804_nss_fix() {
}
restart_ipsec_service() {
if [ "$in_container" = "0" ] || { [ "$in_container" = "1" ] && service ipsec status >/dev/null 2>&1; }; then
if [ "$in_container" = 0 ] || { [ "$in_container" = 1 ] && service ipsec status >/dev/null 2>&1; }; then
bigecho2 "Restarting IPsec service..."
mkdir -p /run/pluto
service ipsec restart 2>/dev/null
@ -1281,7 +1281,7 @@ print_client_deleted() {
print_setup_complete() {
printf '\e[2K\e[1A\e[2K\r'
[ "$use_defaults" = "1" ] && printf '\e[1A\e[2K\e[1A\e[2K\e[1A\e[2K\r'
[ "$use_defaults" = 1 ] && printf '\e[1A\e[2K\e[1A\e[2K\e[1A\e[2K\r'
cat <<EOF
================================================
@ -1292,7 +1292,7 @@ EOF
}
print_client_info() {
if [ "$in_container" = "0" ]; then
if [ "$in_container" = 0 ]; then
cat <<'EOF'
Client configuration is available at:
EOF
@ -1307,7 +1307,7 @@ $export_dir$client_name.p12 (for Windows & Linux)
$export_dir$client_name.sswan (for Android)
$export_dir$client_name.mobileconfig (for iOS & macOS)
EOF
if [ "$use_config_password" = "1" ]; then
if [ "$use_config_password" = 1 ]; then
cat <<EOF
*IMPORTANT* Password for client config files:
@ -1491,7 +1491,7 @@ ikev2setup() {
check_config_password
get_export_dir
if [ "$add_client" = "1" ]; then
if [ "$add_client" = 1 ]; then
show_header
show_add_client
client_validity=120
@ -1502,7 +1502,7 @@ ikev2setup() {
exit 0
fi
if [ "$export_client" = "1" ]; then
if [ "$export_client" = 1 ]; then
show_header
show_export_client
export_client_config
@ -1511,14 +1511,14 @@ ikev2setup() {
exit 0
fi
if [ "$list_clients" = "1" ]; then
if [ "$list_clients" = 1 ]; then
show_header
list_existing_clients
echo
exit 0
fi
if [ "$revoke_client" = "1" ]; then
if [ "$revoke_client" = 1 ]; then
show_header
confirm_revoke_cert
create_crl
@ -1529,7 +1529,7 @@ ikev2setup() {
exit 0
fi
if [ "$delete_client" = "1" ]; then
if [ "$delete_client" = 1 ]; then
show_header
confirm_delete_cert
delete_client_cert
@ -1538,7 +1538,7 @@ ikev2setup() {
exit 0
fi
if [ "$remove_ikev2" = "1" ]; then
if [ "$remove_ikev2" = 1 ]; then
check_ipsec_conf
show_header
confirm_remove_ikev2
@ -1623,7 +1623,7 @@ ikev2setup() {
check_cert_exists_and_exit "$CA_NAME"
if [ "$use_defaults" = "0" ]; then
if [ "$use_defaults" = 0 ]; then
show_header
show_welcome
enter_server_address
@ -1661,7 +1661,7 @@ ikev2setup() {
fi
print_setup_complete
print_client_info
if [ "$in_container" = "0" ]; then
if [ "$in_container" = 0 ]; then
check_swan_update
fi
}

8
extras/quickstart.sh
View File

@ -127,7 +127,7 @@ EOF
fi
else
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then
if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
fi
fi
@ -150,7 +150,7 @@ check_iface() {
check_wl=1
fi
fi
if [ "$check_wl" = "1" ]; then
if [ "$check_wl" = 1 ]; then
case $def_iface in
wl*)
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
@ -208,8 +208,8 @@ wait_for_apt() {
pkg_lk=/var/lib/dpkg/lock
while fuser "$apt_lk" "$pkg_lk" >/dev/null 2>&1 \
|| lsof "$apt_lk" >/dev/null 2>&1 || lsof "$pkg_lk" >/dev/null 2>&1; do
[ "$count" = "0" ] && echo "## Waiting for apt to be available..."
[ "$count" -ge "100" ] && exiterr "Could not get apt/dpkg lock."
[ "$count" = 0 ] && echo "## Waiting for apt to be available..."
[ "$count" -ge 100 ] && exiterr "Could not get apt/dpkg lock."
count=$((count+1))
printf '%s' '.'
sleep 3

6
extras/vpnuninstall.sh
View File

@ -99,7 +99,7 @@ check_iface() {
else
check_wl=1
fi
if [ "$check_wl" = "1" ]; then
if [ "$check_wl" = 1 ]; then
case $def_iface in
wl*)
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
@ -244,8 +244,8 @@ update_iptables_rules() {
ipf='iptables -D FORWARD'
ipp='iptables -t nat -D POSTROUTING'
res='RELATED,ESTABLISHED'
if [ "$ipt_flag" = "1" ]; then
if [ "$use_nft" = "0" ]; then
if [ "$ipt_flag" = 1 ]; then
if [ "$use_nft" = 0 ]; then
bigecho "Updating IPTables rules..."
get_vpn_subnets
iptables-save > "$IPT_FILE.old-$SYS_DT"

2
extras/vpnupgrade.sh
View File

@ -95,7 +95,7 @@ EOF
fi
else
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then
if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
fi
fi

6
extras/vpnupgrade_alpine.sh
View File

@ -230,10 +230,10 @@ update_config() {
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then
if [ "$dns_state" = 1 ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then
elif [ "$dns_state" = 2 ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi
sed -i "/ikev2=never/d" /etc/ipsec.conf
@ -260,7 +260,7 @@ Libreswan $SWAN_VER has been successfully installed!
================================================
EOF
if [ "$dns_state" = "3" ]; then
if [ "$dns_state" = 3 ]; then
cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace
all occurrences of these two lines:

6
extras/vpnupgrade_amzn.sh
View File

@ -219,10 +219,10 @@ update_config() {
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then
if [ "$dns_state" = 1 ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then
elif [ "$dns_state" = 2 ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi
sed -i "/ikev2=never/d" /etc/ipsec.conf
@ -248,7 +248,7 @@ Libreswan $SWAN_VER has been successfully installed!
================================================
EOF
if [ "$dns_state" = "3" ]; then
if [ "$dns_state" = 3 ]; then
cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace
all occurrences of these two lines:

8
extras/vpnupgrade_centos.sh
View File

@ -173,7 +173,7 @@ install_pkgs_2() {
if [ "$os_type$os_ver" = "ol7" ]; then
rp2="$erp=ol7_optional_latest"
fi
if [ "$os_ver" = "7" ]; then
if [ "$os_ver" = 7 ]; then
(
set -x
yum "$rp1" "$rp2" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
@ -271,10 +271,10 @@ update_config() {
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then
if [ "$dns_state" = 1 ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then
elif [ "$dns_state" = 2 ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi
sed -i "/ikev2=never/d" /etc/ipsec.conf
@ -300,7 +300,7 @@ Libreswan $SWAN_VER has been successfully installed!
================================================
EOF
if [ "$dns_state" = "3" ]; then
if [ "$dns_state" = 3 ]; then
cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace
all occurrences of these two lines:

8
extras/vpnupgrade_ubuntu.sh
View File

@ -57,7 +57,7 @@ check_os() {
;;
esac
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then
if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
fi
}
@ -260,10 +260,10 @@ update_config() {
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then
if [ "$dns_state" = 1 ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then
elif [ "$dns_state" = 2 ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi
sed -i "/ikev2=never/d" /etc/ipsec.conf
@ -289,7 +289,7 @@ Libreswan $SWAN_VER has been successfully installed!
================================================
EOF
if [ "$dns_state" = "3" ]; then
if [ "$dns_state" = 3 ]; then
cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace
all occurrences of these two lines:

8
vpnsetup.sh
View File

@ -127,7 +127,7 @@ EOF
fi
else
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then
if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
fi
fi
@ -150,7 +150,7 @@ check_iface() {
check_wl=1
fi
fi
if [ "$check_wl" = "1" ]; then
if [ "$check_wl" = 1 ]; then
case $def_iface in
wl*)
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
@ -208,8 +208,8 @@ wait_for_apt() {
pkg_lk=/var/lib/dpkg/lock
while fuser "$apt_lk" "$pkg_lk" >/dev/null 2>&1 \
|| lsof "$apt_lk" >/dev/null 2>&1 || lsof "$pkg_lk" >/dev/null 2>&1; do
[ "$count" = "0" ] && echo "## Waiting for apt to be available..."
[ "$count" -ge "100" ] && exiterr "Could not get apt/dpkg lock."
[ "$count" = 0 ] && echo "## Waiting for apt to be available..."
[ "$count" -ge 100 ] && exiterr "Could not get apt/dpkg lock."
count=$((count+1))
printf '%s' '.'
sleep 3

8
vpnsetup_alpine.sh
View File

@ -261,7 +261,7 @@ check_libreswan() {
}
get_libreswan() {
if [ "$check_result" = "0" ]; then
if [ "$check_result" = 0 ]; then
bigecho "Downloading Libreswan..."
cd /opt/src || exit 1
swan_file="libreswan-$SWAN_VER.tar.gz"
@ -279,7 +279,7 @@ get_libreswan() {
}
install_libreswan() {
if [ "$check_result" = "0" ]; then
if [ "$check_result" = 0 ]; then
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1
sed -i '28s/stdlib\.h/sys\/types.h/' include/fd.h
@ -463,7 +463,7 @@ update_iptables() {
ipf='iptables -I FORWARD'
ipp='iptables -t nat -I POSTROUTING'
res='RELATED,ESTABLISHED'
if [ "$ipt_flag" = "1" ]; then
if [ "$ipt_flag" = 1 ]; then
service fail2ban stop >/dev/null 2>&1
iptables-save > "$IPT_FILE.old-$SYS_DT"
$ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
@ -555,7 +555,7 @@ set_up_ikev2() {
skip_ikev2=1
;;
esac
if [ "$skip_ikev2" = "0" ]; then
if [ "$skip_ikev2" = 0 ]; then
sleep 1
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \

8
vpnsetup_amzn.sh
View File

@ -275,7 +275,7 @@ check_libreswan() {
}
get_libreswan() {
if [ "$check_result" = "0" ]; then
if [ "$check_result" = 0 ]; then
bigecho "Downloading Libreswan..."
cd /opt/src || exit 1
swan_file="libreswan-$SWAN_VER.tar.gz"
@ -293,7 +293,7 @@ get_libreswan() {
}
install_libreswan() {
if [ "$check_result" = "0" ]; then
if [ "$check_result" = 0 ]; then
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1
cat > Makefile.inc.local <<'EOF'
@ -474,7 +474,7 @@ update_iptables() {
ipf='iptables -I FORWARD'
ipp='iptables -t nat -I POSTROUTING'
res='RELATED,ESTABLISHED'
if [ "$ipt_flag" = "1" ]; then
if [ "$ipt_flag" = 1 ]; then
service fail2ban stop >/dev/null 2>&1
iptables-save > "$IPT_FILE.old-$SYS_DT"
$ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
@ -572,7 +572,7 @@ set_up_ikev2() {
skip_ikev2=1
;;
esac
if [ "$skip_ikev2" = "0" ]; then
if [ "$skip_ikev2" = 0 ]; then
sleep 1
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \

30
vpnsetup_centos.sh
View File

@ -237,9 +237,9 @@ install_vpn_pkgs_1() {
rp2="$erp=*server-*optional*"
rp3="$erp=*releases-optional*"
if [ "$os_type" = "ol" ]; then
if [ "$os_ver" = "9" ]; then
if [ "$os_ver" = 9 ]; then
rp1="$erp=ol9_developer_EPEL"
elif [ "$os_ver" = "8" ]; then
elif [ "$os_ver" = 8 ]; then
rp1="$erp=ol8_developer_EPEL"
else
rp3="$erp=ol7_optional_latest"
@ -266,7 +266,7 @@ install_vpn_pkgs_3() {
p2=libevent-devel
p3=fipscheck-devel
p4=iptables-services
if [ "$os_ver" = "7" ]; then
if [ "$os_ver" = 7 ]; then
(
set -x
yum "$rp2" "$rp3" -y -q install $p1 $p2 $p3 $p4 >/dev/null
@ -276,7 +276,7 @@ install_vpn_pkgs_3() {
set -x
yum -y -q install $p1 $p2 >/dev/null
) || exiterr2
if [ "$os_ver" = "9" ] || [ "$os_ver" = "9s" ] \
if [ "$os_ver" = 9 ] || [ "$os_ver" = 9s ] \
|| systemctl is-active --quiet firewalld \
|| systemctl is-active --quiet nftables \
|| grep -qs "hwdsl2 VPN script" /etc/sysconfig/nftables.conf; then
@ -301,7 +301,7 @@ filter = sshd
logpath = /var/log/secure
EOF
if [ "$use_nft" = "1" ]; then
if [ "$use_nft" = 1 ]; then
cat >> "$F2B_FILE" <<'EOF'
port = ssh
banaction = nftables-multiport[blocktype=drop]
@ -375,7 +375,7 @@ check_libreswan() {
}
get_libreswan() {
if [ "$check_result" = "0" ]; then
if [ "$check_result" = 0 ]; then
bigecho "Downloading Libreswan..."
cd /opt/src || exit 1
swan_file="libreswan-$SWAN_VER.tar.gz"
@ -393,7 +393,7 @@ get_libreswan() {
}
install_libreswan() {
if [ "$check_result" = "0" ]; then
if [ "$check_result" = 0 ]; then
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1
cat > Makefile.inc.local <<'EOF'
@ -573,7 +573,7 @@ EOF
update_iptables() {
bigecho "Updating IPTables rules..."
IPT_FILE=/etc/sysconfig/iptables
[ "$use_nft" = "1" ] && IPT_FILE=/etc/sysconfig/nftables.conf
[ "$use_nft" = 1 ] && IPT_FILE=/etc/sysconfig/nftables.conf
ipt_flag=0
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
ipt_flag=1
@ -584,9 +584,9 @@ update_iptables() {
res='RELATED,ESTABLISHED'
nff='nft insert rule inet firewalld'
nfn='nft insert rule inet nftables_svc'
if [ "$ipt_flag" = "1" ]; then
if [ "$ipt_flag" = 1 ]; then
service fail2ban stop >/dev/null 2>&1
if [ "$use_nft" = "1" ]; then
if [ "$use_nft" = 1 ]; then
nft list ruleset > "$IPT_FILE.old-$SYS_DT"
chmod 600 "$IPT_FILE.old-$SYS_DT"
else
@ -605,13 +605,13 @@ update_iptables() {
$ipf 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate "$res" -j ACCEPT
$ipf 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
$ipf 7 -s "$XAUTH_NET" -o ppp+ -j ACCEPT
if [ "$use_nft" != "1" ]; then
if [ "$use_nft" != 1 ]; then
iptables -A FORWARD -j DROP
fi
$ipp -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
$ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
if [ "$use_nft" = "1" ]; then
if [ "$use_nft" = 1 ]; then
for vport in 500 4500 1701; do
$nff filter_INPUT udp dport "$vport" accept 2>/dev/null
$nfn allow udp dport "$vport" accept 2>/dev/null
@ -660,7 +660,7 @@ enable_on_boot() {
systemctl --now mask firewalld 2>/dev/null
if [ "$os_type$os_ver" = "ol9" ]; then
systemctl enable nftables 2>/dev/null
elif [ "$use_nft" = "1" ]; then
elif [ "$use_nft" = 1 ]; then
systemctl enable nftables 2>/dev/null
systemctl enable fail2ban 2>/dev/null
else
@ -692,7 +692,7 @@ start_services() {
restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
if [ "$use_nft" = "1" ]; then
if [ "$use_nft" = 1 ]; then
nft -f "$IPT_FILE"
else
iptables-restore < "$IPT_FILE"
@ -740,7 +740,7 @@ set_up_ikev2() {
skip_ikev2=1
;;
esac
if [ "$skip_ikev2" = "0" ]; then
if [ "$skip_ikev2" = 0 ]; then
sleep 1
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \

16
vpnsetup_ubuntu.sh
View File

@ -90,7 +90,7 @@ check_os() {
;;
esac
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then
if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
fi
}
@ -194,8 +194,8 @@ wait_for_apt() {
pkg_lk=/var/lib/dpkg/lock
while fuser "$apt_lk" "$pkg_lk" >/dev/null 2>&1 \
|| lsof "$apt_lk" >/dev/null 2>&1 || lsof "$pkg_lk" >/dev/null 2>&1; do
[ "$count" = "0" ] && echo "## Waiting for apt to be available..."
[ "$count" -ge "100" ] && exiterr "Could not get apt/dpkg lock."
[ "$count" = 0 ] && echo "## Waiting for apt to be available..."
[ "$count" -ge 100 ] && exiterr "Could not get apt/dpkg lock."
count=$((count+1))
printf '%s' '.'
sleep 3
@ -312,7 +312,7 @@ check_libreswan() {
}
get_libreswan() {
if [ "$check_result" = "0" ]; then
if [ "$check_result" = 0 ]; then
bigecho "Downloading Libreswan..."
cd /opt/src || exit 1
swan_file="libreswan-$SWAN_VER.tar.gz"
@ -330,7 +330,7 @@ get_libreswan() {
}
install_libreswan() {
if [ "$check_result" = "0" ]; then
if [ "$check_result" = 0 ]; then
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1
cat > Makefile.inc.local <<'EOF'
@ -532,7 +532,7 @@ update_iptables() {
ipf='iptables -I FORWARD'
ipp='iptables -t nat -I POSTROUTING'
res='RELATED,ESTABLISHED'
if [ "$ipt_flag" = "1" ]; then
if [ "$ipt_flag" = 1 ]; then
service fail2ban stop >/dev/null 2>&1
iptables-save > "$IPT_FILE.old-$SYS_DT"
$ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
@ -583,7 +583,7 @@ enable_on_boot() {
if [ -f "$IPT_FILE2" ] && { [ -f "$IPT_PST" ] || [ -f "$IPT_PST2" ]; }; then
ipt_load=0
fi
if [ "$ipt_load" = "1" ]; then
if [ "$ipt_load" = 1 ]; then
mkdir -p /etc/network/if-pre-up.d
cat > /etc/network/if-pre-up.d/iptablesload <<'EOF'
#!/bin/sh
@ -688,7 +688,7 @@ set_up_ikev2() {
skip_ikev2=1
;;
esac
if [ "$skip_ikev2" = "0" ]; then
if [ "$skip_ikev2" = 0 ]; then
sleep 1
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \