mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2025-02-16 20:13:19 +03:00
Code Issues Projects Releases Wiki Activity

Update comments in the VPN scripts

Browse Source
This commit is contained in:
hwdsl2 2016-01-17 15:39:08 -06:00
parent be2695732d
commit d82d6d00b3
2 changed files with 64 additions and 116 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
vpnsetup.sh
View File

@ -26,41 +26,12 @@ fi
# Please define your own values for these variables # Please define your own values for these variables
# Escape *all* non-alphanumeric characters with a backslash (or 3 backslashes for \ and "). # Escape *all* non-alphanumeric characters with a backslash (or 3 backslashes for \ and ").
# Examples: \ --> \\\\, " --> \\\", ' --> \', $ --> \$, ` --> \`, [space] --> \[space] # Examples: \ --> \\\\, " --> \\\", ' --> \', $ --> \$, ` --> \`, [space] --> \[space]
IPSEC_PSK=your_very_secure_key IPSEC_PSK=your_very_secure_key
VPN_USER=your_username VPN_USER=your_username
VPN_PASSWORD=your_very_secure_password VPN_PASSWORD=your_very_secure_password
# ----------------- # IMPORTANT: Be sure to read important notes at the URL below:
# IMPORTANT NOTES # https://github.com/hwdsl2/setup-ipsec-vpn#important-notes
# -----------------
# To support multiple VPN users with different credentials, just edit a few lines below.
# See: https://gist.github.com/hwdsl2/123b886f29f4c689f531
# For **Windows users**, a one-time registry change is required if the VPN server
# and/or client is behind NAT (e.g. home router). Refer to "Error 809" on this page:
# https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
# **Android 6.0 users**: Edit /etc/ipsec.conf and append ",aes256-sha2_256" to the end of
# both "ike=" and "phase2alg=", then add a new line "sha2-truncbug=yes". Must start lines
# with two spaces. Finally, run "service ipsec restart".
# **iPhone/iOS users**: In iOS settings, choose L2TP (instead of IPSec) for the VPN type.
# In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
# "rightprotoport=17/%any" with "rightprotoport=17/0". Then restart "ipsec" service.
# Clients are configured to use "Google Public DNS" when the VPN connection is active.
# This setting is controlled by "ms-dns" in /etc/ppp/options.xl2tpd.
# If using Amazon EC2, these ports must be open in the instance's security group:
# UDP ports 500 & 4500 (for the VPN), and TCP port 22 (optional, for SSH).
# If your server uses a custom SSH port (not 22), or if you wish to allow other services
# through IPTables, be sure to edit the IPTables rules below before running this script.
# This script will backup your existing configuration files before overwriting them.
# Backups can be found in the same folder as the original, with .old-date/time suffix.
if [ "$(lsb_release -si)" != "Ubuntu" ] && [ "$(lsb_release -si)" != "Debian" ]; then if [ "$(lsb_release -si)" != "Ubuntu" ] && [ "$(lsb_release -si)" != "Debian" ]; then
echo "Looks like you aren't running this script on a Ubuntu or Debian system." echo "Looks like you aren't running this script on a Ubuntu or Debian system."
@ -79,9 +50,10 @@ if [ "$(id -u)" != 0 ]; then
fi fi
# Check for empty VPN variables # Check for empty VPN variables
[ -z "$IPSEC_PSK" ] && { echo "'IPSEC_PSK' cannot be empty. Please edit the VPN script."; exit 1; } if [ -z "$IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
[ -z "$VPN_USER" ] && { echo "'VPN_USER' cannot be empty. Please edit the VPN script."; exit 1; } echo "Sorry, the VPN credentials cannot be empty. Please re-edit the VPN script."
[ -z "$VPN_PASSWORD" ] && { echo "'VPN_PASSWORD' cannot be empty. Please edit the VPN script."; exit 1; } exit 1
fi
# Create and change to working dir # Create and change to working dir
mkdir -p /opt/src mkdir -p /opt/src
@ -93,29 +65,28 @@ apt-get -y update
apt-get -y install wget dnsutils sed nano apt-get -y install wget dnsutils sed nano
echo echo
echo 'Please wait... Trying to find Public IP and Private IP of this server.' echo 'Please wait... Trying to find Public/Private IP of this server.'
echo echo
echo 'If the script hangs here for more than a few minutes, press Ctrl-C to interrupt,' echo 'If the script hangs here for more than a few minutes, press Ctrl-C to interrupt,'
echo 'then edit it and comment out the next two lines PUBLIC_IP= and PRIVATE_IP= ,' echo 'then edit and comment out the next two lines PUBLIC_IP= and PRIVATE_IP=, or replace'
echo 'OR replace them with the actual IPs. If your server only has a public IP,' echo 'them with actual IPs. If your server only has a public IP, put it on both lines.'
echo 'put that public IP on both lines.'
echo echo
# In Amazon EC2, these two variables will be found automatically. # In Amazon EC2, these two variables will be found automatically.
# For all other servers, you may replace them with the actual IPs, # For all other servers, you may replace them with the actual IPs,
# or comment out and let the script auto-detect in the next section. # or comment out and let the script auto-detect in the next section.
# If your server only has a public IP, put that public IP on both lines. # If your server only has a public IP, put it on both lines.
PUBLIC_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4') PUBLIC_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4')
PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4') PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4')
# Attempt to find server IPs automatically for non-EC2 servers # Attempt to find server IPs for non-EC2 servers
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com) [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipecho.net/plain) [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipecho.net/plain)
[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') [ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') [ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
# Check public/private IPs for correct format # Check IPs for correct format
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
if printf %s "$PUBLIC_IP" | grep -vEq "$IP_REGEX"; then if printf %s "$PUBLIC_IP" | grep -vEq "$IP_REGEX"; then
echo "Could not find valid Public IP, please edit the VPN script manually." echo "Could not find valid Public IP, please edit the VPN script manually."
@ -149,6 +120,7 @@ cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source directory
make programs && make install make programs && make install
# Prepare various config files # Prepare various config files
# Create Libreswan configuration
/bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/ipsec.conf <<EOF cat > /etc/ipsec.conf <<EOF
version 2.0 version 2.0
@ -187,11 +159,13 @@ conn vpnpsk
dpdaction=clear dpdaction=clear
EOF EOF
# Specify IPsec PSK
/bin/cp -f /etc/ipsec.secrets "/etc/ipsec.secrets.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/ipsec.secrets "/etc/ipsec.secrets.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/ipsec.secrets <<EOF cat > /etc/ipsec.secrets <<EOF
$PUBLIC_IP %any : PSK "$IPSEC_PSK" $PUBLIC_IP %any : PSK "$IPSEC_PSK"
EOF EOF
# Create xl2tpd config
/bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/xl2tpd/xl2tpd.conf <<EOF cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global] [global]
@ -214,6 +188,7 @@ pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes length bit = yes
EOF EOF
# Specify xl2tpd options
/bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/ppp/options.xl2tpd <<EOF cat > /etc/ppp/options.xl2tpd <<EOF
ipcp-accept-local ipcp-accept-local
@ -232,16 +207,16 @@ lcp-echo-interval 60
connect-delay 5000 connect-delay 5000
EOF EOF
# Create VPN credentials
/bin/cp -f /etc/ppp/chap-secrets "/etc/ppp/chap-secrets.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/ppp/chap-secrets "/etc/ppp/chap-secrets.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/ppp/chap-secrets <<EOF cat > /etc/ppp/chap-secrets <<EOF
# Secrets for authentication using CHAP # Secrets for authentication using CHAP
# client server secret IP addresses # client server secret IP addresses
"$VPN_USER" l2tpd "$VPN_PASSWORD" * "$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF EOF
# Update sysctl settings for VPN and better performance
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
/bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat >> /etc/sysctl.conf <<EOF cat >> /etc/sysctl.conf <<EOF
@ -278,15 +253,15 @@ net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912 net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912 net.ipv4.tcp_wmem = 10240 87380 12582912
EOF EOF
fi fi
# Create basic IPTables rules. First, check if there are existing IPTables rules loaded.
# 1. If IPTables is "empty", write out the new set of rules below.
# 2. If *not* empty, insert new rules and save them together with existing ones.
if ! grep -qs "hwdsl2 VPN script" /etc/iptables.rules; then if ! grep -qs "hwdsl2 VPN script" /etc/iptables.rules; then
/bin/cp -f /etc/iptables.rules "/etc/iptables.rules.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/iptables.rules "/etc/iptables.rules.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
/usr/sbin/service fail2ban stop >/dev/null 2>&1 /usr/sbin/service fail2ban stop >/dev/null 2>&1
if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ]; then if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ]; then
cat > /etc/iptables.rules <<EOF cat > /etc/iptables.rules <<EOF
# Added by hwdsl2 VPN script # Added by hwdsl2 VPN script
*filter *filter
@ -333,24 +308,20 @@ else
iptables -I INPUT 1 -p udp -m multiport --dports 500,4500 -j ACCEPT iptables -I INPUT 1 -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -I INPUT 2 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT iptables -I INPUT 2 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I INPUT 3 -p udp --dport 1701 -j DROP iptables -I INPUT 3 -p udp --dport 1701 -j DROP
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
# If you wish to allow traffic between VPN clients themselves, uncomment this line:
# iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT # iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
iptables -A FORWARD -j DROP iptables -A FORWARD -j DROP
iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}" iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}"
/sbin/iptables-save > /etc/iptables.rules echo "# Modified by hwdsl2 VPN script" > /etc/iptables.rules
echo "# Modified by hwdsl2 VPN script" >> /etc/iptables.rules /sbin/iptables-save >> /etc/iptables.rules
fi fi
fi fi
# Create basic IP6Tables rules
if ! grep -qs "hwdsl2 VPN script" /etc/ip6tables.rules; then if ! grep -qs "hwdsl2 VPN script" /etc/ip6tables.rules; then
/bin/cp -f /etc/ip6tables.rules "/etc/ip6tables.rules.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/ip6tables.rules "/etc/ip6tables.rules.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/ip6tables.rules <<EOF cat > /etc/ip6tables.rules <<EOF
# Added by hwdsl2 VPN script # Added by hwdsl2 VPN script
@ -366,9 +337,9 @@ cat > /etc/ip6tables.rules <<EOF
-A INPUT -j DROP -A INPUT -j DROP
COMMIT COMMIT
EOF EOF
fi fi
# Load IPTables rules at system boot
cat > /etc/network/if-pre-up.d/iptablesload <<EOF cat > /etc/network/if-pre-up.d/iptablesload <<EOF
#!/bin/sh #!/bin/sh
/sbin/iptables-restore < /etc/iptables.rules /sbin/iptables-restore < /etc/iptables.rules
@ -381,8 +352,8 @@ cat > /etc/network/if-pre-up.d/ip6tablesload <<EOF
exit 0 exit 0
EOF EOF
# Update rc.local to start services at system boot
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
/bin/cp -f /etc/rc.local "/etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/rc.local "/etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
/bin/sed --follow-symlinks -i -e '/^exit 0/d' /etc/rc.local /bin/sed --follow-symlinks -i -e '/^exit 0/d' /etc/rc.local
cat >> /etc/rc.local <<EOF cat >> /etc/rc.local <<EOF
@ -394,28 +365,32 @@ cat >> /etc/rc.local <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
exit 0 exit 0
EOF EOF
fi fi
# Initialize Libreswan database
if [ ! -f /etc/ipsec.d/cert8.db ] ; then if [ ! -f /etc/ipsec.d/cert8.db ] ; then
echo > /var/tmp/libreswan-nss-pwd echo > /var/tmp/libreswan-nss-pwd
/usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d /usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
/bin/rm -f /var/tmp/libreswan-nss-pwd /bin/rm -f /var/tmp/libreswan-nss-pwd
fi fi
# Reload sysctl.conf settings
/sbin/sysctl -p /sbin/sysctl -p
# Update attributes of various files
/bin/chmod +x /etc/rc.local /bin/chmod +x /etc/rc.local
/bin/chmod +x /etc/network/if-pre-up.d/iptablesload /bin/chmod +x /etc/network/if-pre-up.d/iptablesload
/bin/chmod +x /etc/network/if-pre-up.d/ip6tablesload /bin/chmod +x /etc/network/if-pre-up.d/ip6tablesload
/bin/chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /bin/chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets*
# Apply new IPTables rules
/sbin/iptables-restore < /etc/iptables.rules /sbin/iptables-restore < /etc/iptables.rules
/sbin/ip6tables-restore < /etc/ip6tables.rules /sbin/ip6tables-restore < /etc/ip6tables.rules
# Restart services
/usr/sbin/service fail2ban stop >/dev/null 2>&1 /usr/sbin/service fail2ban stop >/dev/null 2>&1
/usr/sbin/service ipsec stop >/dev/null 2>&1 /usr/sbin/service ipsec stop >/dev/null 2>&1
/usr/sbin/service xl2tpd stop >/dev/null 2>&1 /usr/sbin/service xl2tpd stop >/dev/null 2>&1
/usr/sbin/service fail2ban start /usr/sbin/service fail2ban start
/usr/sbin/service ipsec start /usr/sbin/service ipsec start
/usr/sbin/service xl2tpd start /usr/sbin/service xl2tpd start

91
vpnsetup_centos.sh
View File

@ -25,41 +25,12 @@ fi
# Please define your own values for these variables # Please define your own values for these variables
# Escape *all* non-alphanumeric characters with a backslash (or 3 backslashes for \ and "). # Escape *all* non-alphanumeric characters with a backslash (or 3 backslashes for \ and ").
# Examples: \ --> \\\\, " --> \\\", ' --> \', $ --> \$, ` --> \`, [space] --> \[space] # Examples: \ --> \\\\, " --> \\\", ' --> \', $ --> \$, ` --> \`, [space] --> \[space]
IPSEC_PSK=your_very_secure_key IPSEC_PSK=your_very_secure_key
VPN_USER=your_username VPN_USER=your_username
VPN_PASSWORD=your_very_secure_password VPN_PASSWORD=your_very_secure_password
# ----------------- # IMPORTANT: Be sure to read important notes at the URL below:
# IMPORTANT NOTES # https://github.com/hwdsl2/setup-ipsec-vpn#important-notes
# -----------------
# To support multiple VPN users with different credentials, just edit a few lines below.
# See: https://gist.github.com/hwdsl2/123b886f29f4c689f531
# For **Windows users**, a one-time registry change is required if the VPN server
# and/or client is behind NAT (e.g. home router). Refer to "Error 809" on this page:
# https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
# **Android 6.0 users**: Edit /etc/ipsec.conf and append ",aes256-sha2_256" to the end of
# both "ike=" and "phase2alg=", then add a new line "sha2-truncbug=yes". Must start lines
# with two spaces. Finally, run "service ipsec restart".
# **iPhone/iOS users**: In iOS settings, choose L2TP (instead of IPSec) for the VPN type.
# In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
# "rightprotoport=17/%any" with "rightprotoport=17/0". Then restart "ipsec" service.
# Clients are configured to use "Google Public DNS" when the VPN connection is active.
# This setting is controlled by "ms-dns" in /etc/ppp/options.xl2tpd.
# If using Amazon EC2, these ports must be open in the instance's security group:
# UDP ports 500 & 4500 (for the VPN), and TCP port 22 (optional, for SSH).
# If your server uses a custom SSH port (not 22), or if you wish to allow other services
# through IPTables, be sure to edit the IPTables rules below before running this script.
# This script will backup your existing configuration files before overwriting them.
# Backups can be found in the same folder as the original, with .old-date/time suffix.
if [ ! -f /etc/redhat-release ]; then if [ ! -f /etc/redhat-release ]; then
echo "Looks like you aren't running this script on a CentOS/RHEL system." echo "Looks like you aren't running this script on a CentOS/RHEL system."
@ -88,9 +59,10 @@ if [ "$(id -u)" != 0 ]; then
fi fi
# Check for empty VPN variables # Check for empty VPN variables
[ -z "$IPSEC_PSK" ] && { echo "'IPSEC_PSK' cannot be empty. Please edit the VPN script."; exit 1; } if [ -z "$IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
[ -z "$VPN_USER" ] && { echo "'VPN_USER' cannot be empty. Please edit the VPN script."; exit 1; } echo "Sorry, the VPN credentials cannot be empty. Please re-edit the VPN script."
[ -z "$VPN_PASSWORD" ] && { echo "'VPN_PASSWORD' cannot be empty. Please edit the VPN script."; exit 1; } exit 1
fi
# Create and change to working dir # Create and change to working dir
mkdir -p /opt/src mkdir -p /opt/src
@ -100,29 +72,28 @@ cd /opt/src || { echo "Failed to change working directory to /opt/src. Aborting.
yum -y install wget bind-utils nano yum -y install wget bind-utils nano
echo echo
echo 'Please wait... Trying to find Public IP and Private IP of this server.' echo 'Please wait... Trying to find Public/Private IP of this server.'
echo echo
echo 'If the script hangs here for more than a few minutes, press Ctrl-C to interrupt,' echo 'If the script hangs here for more than a few minutes, press Ctrl-C to interrupt,'
echo 'then edit it and comment out the next two lines PUBLIC_IP= and PRIVATE_IP= ,' echo 'then edit and comment out the next two lines PUBLIC_IP= and PRIVATE_IP=, or replace'
echo 'OR replace them with the actual IPs. If your server only has a public IP,' echo 'them with actual IPs. If your server only has a public IP, put it on both lines.'
echo 'put that public IP on both lines.'
echo echo
# In Amazon EC2, these two variables will be found automatically. # In Amazon EC2, these two variables will be found automatically.
# For all other servers, you may replace them with the actual IPs, # For all other servers, you may replace them with the actual IPs,
# or comment out and let the script auto-detect in the next section. # or comment out and let the script auto-detect in the next section.
# If your server only has a public IP, put that public IP on both lines. # If your server only has a public IP, put it on both lines.
PUBLIC_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4') PUBLIC_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4')
PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4') PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4')
# Attempt to find server IPs automatically for non-EC2 servers # Attempt to find server IPs for non-EC2 servers
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com) [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipecho.net/plain) [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipecho.net/plain)
[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') [ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') [ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
# Check public/private IPs for correct format # Check IPs for correct format
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
if printf %s "$PUBLIC_IP" | grep -vEq "$IP_REGEX"; then if printf %s "$PUBLIC_IP" | grep -vEq "$IP_REGEX"; then
echo "Could not find valid Public IP, please edit the VPN script manually." echo "Could not find valid Public IP, please edit the VPN script manually."
@ -188,6 +159,7 @@ cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source directory
make programs && make install make programs && make install
# Prepare various config files # Prepare various config files
# Create Libreswan configuration
/bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/ipsec.conf <<EOF cat > /etc/ipsec.conf <<EOF
version 2.0 version 2.0
@ -226,11 +198,13 @@ conn vpnpsk
dpdaction=clear dpdaction=clear
EOF EOF
# Specify IPsec PSK
/bin/cp -f /etc/ipsec.secrets "/etc/ipsec.secrets.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/ipsec.secrets "/etc/ipsec.secrets.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/ipsec.secrets <<EOF cat > /etc/ipsec.secrets <<EOF
$PUBLIC_IP %any : PSK "$IPSEC_PSK" $PUBLIC_IP %any : PSK "$IPSEC_PSK"
EOF EOF
# Create xl2tpd config
/bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/xl2tpd/xl2tpd.conf <<EOF cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global] [global]
@ -253,6 +227,7 @@ pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes length bit = yes
EOF EOF
# Specify xl2tpd options
/bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/ppp/options.xl2tpd <<EOF cat > /etc/ppp/options.xl2tpd <<EOF
ipcp-accept-local ipcp-accept-local
@ -271,16 +246,16 @@ lcp-echo-interval 60
connect-delay 5000 connect-delay 5000
EOF EOF
# Create VPN credentials
/bin/cp -f /etc/ppp/chap-secrets "/etc/ppp/chap-secrets.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/ppp/chap-secrets "/etc/ppp/chap-secrets.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/ppp/chap-secrets <<EOF cat > /etc/ppp/chap-secrets <<EOF
# Secrets for authentication using CHAP # Secrets for authentication using CHAP
# client server secret IP addresses # client server secret IP addresses
"$VPN_USER" l2tpd "$VPN_PASSWORD" * "$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF EOF
# Update sysctl settings for VPN and better performance
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
/bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat >> /etc/sysctl.conf <<EOF cat >> /etc/sysctl.conf <<EOF
@ -317,15 +292,15 @@ net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912 net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912 net.ipv4.tcp_wmem = 10240 87380 12582912
EOF EOF
fi fi
# Create basic IPTables rules. First, check if there are existing IPTables rules loaded.
# 1. If IPTables is "empty", write out the new set of rules below.
# 2. If *not* empty, insert new rules and save them together with existing ones.
if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/iptables; then if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/iptables; then
/bin/cp -f /etc/sysconfig/iptables "/etc/sysconfig/iptables.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/sysconfig/iptables "/etc/sysconfig/iptables.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
/sbin/service fail2ban stop >/dev/null 2>&1 /sbin/service fail2ban stop >/dev/null 2>&1
if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ]; then if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ]; then
cat > /etc/sysconfig/iptables <<EOF cat > /etc/sysconfig/iptables <<EOF
# Added by hwdsl2 VPN script # Added by hwdsl2 VPN script
*filter *filter
@ -371,24 +346,20 @@ else
iptables -I INPUT 1 -p udp -m multiport --dports 500,4500 -j ACCEPT iptables -I INPUT 1 -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -I INPUT 2 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT iptables -I INPUT 2 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I INPUT 3 -p udp --dport 1701 -j DROP iptables -I INPUT 3 -p udp --dport 1701 -j DROP
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
# If you wish to allow traffic between VPN clients themselves, uncomment this line:
# iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT # iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
iptables -A FORWARD -j DROP iptables -A FORWARD -j DROP
iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}" iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}"
/sbin/iptables-save > /etc/sysconfig/iptables echo "# Modified by hwdsl2 VPN script" > /etc/sysconfig/iptables
echo "# Modified by hwdsl2 VPN script" >> /etc/sysconfig/iptables /sbin/iptables-save >> /etc/sysconfig/iptables
fi fi
fi fi
# Create basic IP6Tables rules
if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/ip6tables; then if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/ip6tables; then
/bin/cp -f /etc/sysconfig/ip6tables "/etc/sysconfig/ip6tables.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/sysconfig/ip6tables "/etc/sysconfig/ip6tables.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/sysconfig/ip6tables <<EOF cat > /etc/sysconfig/ip6tables <<EOF
# Added by hwdsl2 VPN script # Added by hwdsl2 VPN script
@ -404,11 +375,10 @@ cat > /etc/sysconfig/ip6tables <<EOF
-A INPUT -j DROP -A INPUT -j DROP
COMMIT COMMIT
EOF EOF
fi fi
# Create basic Fail2Ban rules if not already exist
if [ ! -f /etc/fail2ban/jail.local ] ; then if [ ! -f /etc/fail2ban/jail.local ] ; then
cat > /etc/fail2ban/jail.local <<EOF cat > /etc/fail2ban/jail.local <<EOF
[DEFAULT] [DEFAULT]
ignoreip = 127.0.0.1/8 ignoreip = 127.0.0.1/8
@ -423,11 +393,10 @@ filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp] action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure logpath = /var/log/secure
EOF EOF
fi fi
# Update rc.local to start services at system boot
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
/bin/cp -f /etc/rc.local "/etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/rc.local "/etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat >> /etc/rc.local <<EOF cat >> /etc/rc.local <<EOF
@ -439,9 +408,9 @@ cat >> /etc/rc.local <<EOF
/sbin/service xl2tpd start /sbin/service xl2tpd start
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
EOF EOF
fi fi
# Initialize Libreswan database
if [ ! -f /etc/ipsec.d/cert8.db ] ; then if [ ! -f /etc/ipsec.d/cert8.db ] ; then
echo > /var/tmp/libreswan-nss-pwd echo > /var/tmp/libreswan-nss-pwd
/usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d /usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
@ -453,17 +422,21 @@ restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Reload sysctl.conf settings
/sbin/sysctl -p /sbin/sysctl -p
# Update attributes of various files
/bin/chmod +x /etc/rc.local /bin/chmod +x /etc/rc.local
/bin/chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /bin/chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets*
# Apply new IPTables rules
/sbin/iptables-restore < /etc/sysconfig/iptables /sbin/iptables-restore < /etc/sysconfig/iptables
/sbin/ip6tables-restore < /etc/sysconfig/ip6tables /sbin/ip6tables-restore < /etc/sysconfig/ip6tables
# Restart services
/sbin/service fail2ban stop >/dev/null 2>&1 /sbin/service fail2ban stop >/dev/null 2>&1
/sbin/service ipsec stop >/dev/null 2>&1 /sbin/service ipsec stop >/dev/null 2>&1
/sbin/service xl2tpd stop >/dev/null 2>&1 /sbin/service xl2tpd stop >/dev/null 2>&1
/sbin/service fail2ban start /sbin/service fail2ban start
/sbin/service ipsec start /sbin/service ipsec start
/sbin/service xl2tpd start /sbin/service xl2tpd start