mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2024-11-21 20:46:10 +03:00
Code Issues Projects Releases Wiki Activity

Update VPN scripts for better security and usability

Browse Source 
- Install Fail2Ban to protect SSH server from web attacks
- Check public/private IPs against regex for the correct format
- Use printf instead of "read -r -p" for better POSIX compliance
- Other small code enhancements to the scripts
- Update README.md to add "OS update" to Installation
This commit is contained in:
hwdsl2 2016-01-12 18:28:34 -06:00
parent 7a49f9a236
commit dec1b44091
5 changed files with 159 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
README.md
View File

@ -10,7 +10,7 @@ Scripts for automatic configuration of IPsec/L2TP VPN server on Ubuntu 14.04 & 1
We will use <a href="https://libreswan.org/" target="_blank">Libreswan</a> as the IPsec server, and <a href="https://www.xelerance.com/services/software/xl2tpd/" target="_blank">xl2tpd</a> as the L2TP provider.
#### <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/" target="_blank">Link to my VPN tutorial with detailed usage instructions</a>
### <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/" target="_blank">My VPN tutorial with detailed usage instructions</a>
## Features
@ -25,7 +25,7 @@ We will use <a href="https://libreswan.org/" target="_blank">Libreswan</a> as th
## Requirements
A newly created Amazon EC2 instance, using these AMIs: (See the link above for usage instructions)
- <a href="http://cloud-images.ubuntu.com/releases/trusty/release/" target="_blank">Ubuntu 14.04 (Trusty)</a> or <a href="http://cloud-images.ubuntu.com/releases/precise/release/" target="_blank">12.04 (Precise)</a>
- <a href="http://cloud-images.ubuntu.com/trusty/current/" target="_blank">Ubuntu 14.04 (Trusty)</a> or <a href="http://cloud-images.ubuntu.com/precise/current/" target="_blank">12.04 (Precise)</a>
- <a href="https://wiki.debian.org/Cloud/AmazonEC2Image/Jessie" target="_blank">Debian 8 (Jessie) EC2 Images</a>
- <a href="https://aws.amazon.com/marketplace/pp/B00O7WM7QW" target="_blank">CentOS 7 (x86_64) with Updates HVM</a>
- <a href="https://aws.amazon.com/marketplace/pp/B00NQAYLWO" target="_blank">CentOS 6 (x86_64) with Updates HVM</a> - Does NOT have cloud-init. Run script manually via SSH.
@ -48,6 +48,8 @@ OpenVZ VPS users should instead use <a href="https://github.com/Nyr/openvpn-inst
### For Ubuntu and Debian:
First, update your system with `apt-get update && apt-get dist-upgrade` and reboot. This is optional but recommended.
```bash
wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup.sh -O vpnsetup.sh
nano -w vpnsetup.sh
@ -64,6 +66,8 @@ wget https://gist.github.com/hwdsl2/5a769b2c4436cdf02a90/raw -O vpnsetup-workaro
### For CentOS and RHEL:
First, update your system with `yum update` and reboot. This is optional but recommended.
```bash
yum -y install wget nano
wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup_centos.sh -O vpnsetup_centos.sh
@ -84,12 +88,14 @@ To support multiple VPN users with different credentials, just <a href="https://
Clients are configured to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN connection is active. This setting is controlled by `ms-dns` in `/etc/ppp/options.xl2tpd`.
If using Amazon EC2, these ports must be open in the instance's security group: **UDP ports 500 & 4500**, and **TCP port 22** (optional, for SSH).
If using Amazon EC2, these ports must be open in the instance's security group: **UDP ports 500 & 4500** (for the VPN), and **TCP port 22** (optional, for SSH).
If your server uses a custom SSH port (not 22), or if you wish to allow other services through IPTables, be sure to edit the IPTables rules in the scripts before using.
The scripts will backup files `/etc/rc.local`, `/etc/sysctl.conf`, `/etc/iptables.rules` and `/etc/sysconfig/iptables` before overwriting them. Backups can be found under the same folder with `.old` suffix.
iPhone/iOS users: If unable to connect, try replacing `rightprotoport=17/%any` in `ipsec.conf` with `rightprotoport=17/0`.
## Copyright and license
Copyright (C) 2014&nbsp;Lin Song&nbsp;&nbsp;&nbsp;<a href="https://www.linkedin.com/in/linsongui" target="_blank"><img src="https://static.licdn.com/scds/common/u/img/webpromo/btn_profile_bluetxt_80x15.png" width="80" height="15" border="0" alt="View my profile on LinkedIn"></a>

64
vpnsetup.sh
View File

@ -40,15 +40,19 @@ VPN_PASSWORD=your_very_secure_password
# IMPORTANT NOTES:
# If you need multiple VPN users with different credentials,
# please see: https://gist.github.com/hwdsl2/123b886f29f4c689f531
# For Windows users, a one-time registry change is required in order to
# connect to a VPN server behind NAT (e.g. in Amazon EC2). Please see:
# For **Windows users**, a one-time registry change is required for connections
# to a VPN server behind NAT (e.g. Amazon EC2). Please see:
# https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
# If using Amazon EC2, these ports must be open in the security group of
# your VPN server: UDP ports 500 & 4500, and TCP port 22 (optional, for SSH).
# To support multiple VPN users with different credentials, see:
# https://gist.github.com/hwdsl2/123b886f29f4c689f531
# Clients are configured to use Google Public DNS when the VPN connection is active.
# This setting is controlled by "ms-dns" in /etc/ppp/options.xl2tpd.
# https://developers.google.com/speed/public-dns/
# If using Amazon EC2, these ports must be open in the instance's security group:
# UDP ports 500 & 4500 (for the VPN), and TCP port 22 (optional, for SSH).
# If your server uses a custom SSH port (not 22), or if you wish to allow other services
# through IPTables, be sure to edit the IPTables rules below before running this script.
@ -56,7 +60,7 @@ VPN_PASSWORD=your_very_secure_password
# This script will backup /etc/rc.local, /etc/sysctl.conf and /etc/iptables.rules
# before overwriting them. Backups can be found under the same folder with .old suffix.
# iPhone/iOS users may need to replace this line in ipsec.conf:
# iPhone/iOS users: In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
# "rightprotoport=17/%any" with "rightprotoport=17/0".
# Create and change to working dir
@ -91,6 +95,17 @@ PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/la
[ "$PRIVATE_IP" = "" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
[ "$PRIVATE_IP" = "" ] && { echo "Could not find Private IP, please edit the VPN script manually."; exit 1; }
# Check public/private IPs for correct format
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
if printf %s "$PUBLIC_IP" | grep -vEq "$IP_REGEX"; then
echo "Could not find valid Public IP, please edit the VPN script manually."
exit 1
fi
if printf %s "$PRIVATE_IP" | grep -vEq "$IP_REGEX"; then
echo "Could not find valid Private IP, please edit the VPN script manually."
exit 1
fi
# Install necessary packages
apt-get -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
libcap-ng-dev libcap-ng-utils libselinux1-dev \
@ -99,15 +114,18 @@ apt-get -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
apt-get -y --no-install-recommends install xmlto
apt-get -y install xl2tpd
# Install Fail2Ban to protect SSH server
apt-get -y install fail2ban
# Compile and install Libreswan (https://libreswan.org/)
# To upgrade Libreswan when a newer version is available, just re-run
# these commands with the new "SWAN_VER", and then restart services with
# "service ipsec restart" and "service xl2tpd restart".
SWAN_VER=3.16
SWAN_URL=https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz
wget -t 3 -T 30 -qO- $SWAN_URL | tar xvz
[ ! -d libreswan-${SWAN_VER} ] && { echo "Could not retrieve Libreswan source files. Aborting."; exit 1; }
cd libreswan-${SWAN_VER}
SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
SWAN_URL="https://download.libreswan.org/${SWAN_FILE}"
wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
[ ! -f "$SWAN_FILE" ] && { echo "Could not retrieve Libreswan source file. Aborting."; exit 1; }
/bin/rm -rf "/opt/src/libreswan-${SWAN_VER}"
tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source directory. Aborting."; exit 1; }
make programs && make install
# Prepare various config files
@ -290,8 +308,10 @@ cat > /etc/rc.local <<EOF
# bits.
#
# By default this script does nothing.
/usr/sbin/service ipsec restart
/usr/sbin/service xl2tpd restart
/usr/sbin/service fail2ban restart || /bin/true
/usr/sbin/service ipsec start
/usr/sbin/service xl2tpd start
echo 1 > /proc/sys/net/ipv4/ip_forward
exit 0
EOF
@ -303,9 +323,15 @@ if [ ! -f /etc/ipsec.d/cert8.db ] ; then
fi
/sbin/sysctl -p
/bin/chmod +x /etc/rc.local
/bin/chmod +x /etc/network/if-pre-up.d/iptablesload
/bin/chmod 600 /etc/ipsec.secrets /etc/ppp/chap-secrets
/sbin/iptables-restore < /etc/iptables.rules
/usr/sbin/service ipsec restart
/usr/sbin/service xl2tpd restart
/usr/sbin/service fail2ban stop >/dev/null 2>&1
/usr/sbin/service ipsec stop >/dev/null 2>&1
/usr/sbin/service xl2tpd stop >/dev/null 2>&1
/usr/sbin/service fail2ban start
/usr/sbin/service ipsec start
/usr/sbin/service xl2tpd start

97
vpnsetup_centos.sh
View File

@ -51,15 +51,19 @@ VPN_PASSWORD=your_very_secure_password
# IMPORTANT NOTES:
# If you need multiple VPN users with different credentials,
# please see: https://gist.github.com/hwdsl2/123b886f29f4c689f531
# For Windows users, a one-time registry change is required in order to
# connect to a VPN server behind NAT (e.g. in Amazon EC2). Please see:
# For **Windows users**, a one-time registry change is required for connections
# to a VPN server behind NAT (e.g. Amazon EC2). Please see:
# https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
# If using Amazon EC2, these ports must be open in the security group of
# your VPN server: UDP ports 500 & 4500, and TCP port 22 (optional, for SSH).
# To support multiple VPN users with different credentials, see:
# https://gist.github.com/hwdsl2/123b886f29f4c689f531
# Clients are configured to use Google Public DNS when the VPN connection is active.
# This setting is controlled by "ms-dns" in /etc/ppp/options.xl2tpd.
# https://developers.google.com/speed/public-dns/
# If using Amazon EC2, these ports must be open in the instance's security group:
# UDP ports 500 & 4500 (for the VPN), and TCP port 22 (optional, for SSH).
# If your server uses a custom SSH port (not 22), or if you wish to allow other services
# through IPTables, be sure to edit the IPTables rules below before running this script.
@ -67,7 +71,7 @@ VPN_PASSWORD=your_very_secure_password
# This script will backup /etc/rc.local, /etc/sysctl.conf and /etc/sysconfig/iptables
# before overwriting them. Backups can be found under the same folder with .old suffix.
# iPhone/iOS users may need to replace this line in ipsec.conf:
# iPhone/iOS users: In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
# "rightprotoport=17/%any" with "rightprotoport=17/0".
# Create and change to working dir
@ -100,6 +104,17 @@ PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/la
[ "$PRIVATE_IP" = "" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
[ "$PRIVATE_IP" = "" ] && { echo "Could not find Private IP, please edit the VPN script manually."; exit 1; }
# Check public/private IPs for correct format
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
if printf %s "$PUBLIC_IP" | grep -vEq "$IP_REGEX"; then
echo "Could not find valid Public IP, please edit the VPN script manually."
exit 1
fi
if printf %s "$PRIVATE_IP" | grep -vEq "$IP_REGEX"; then
echo "Could not find valid Private IP, please edit the VPN script manually."
exit 1
fi
# Add the EPEL repository
if grep -qs "release 6" /etc/redhat-release; then
EPEL_RPM="epel-release-6-8.noarch.rpm"
@ -111,9 +126,9 @@ else
echo "Sorry, this script only supports versions 6 and 7 of CentOS/RHEL."
exit 1
fi
wget -t 3 -T 30 -nv -O $EPEL_RPM $EPEL_URL
[ ! -f $EPEL_RPM ] && { echo "Could not retrieve EPEL repository RPM file. Aborting."; exit 1; }
rpm -ivh --force $EPEL_RPM && /bin/rm -f $EPEL_RPM
wget -t 3 -T 30 -nv -O "$EPEL_RPM" "$EPEL_URL"
[ ! -f "$EPEL_RPM" ] && { echo "Could not retrieve EPEL repository RPM file. Aborting."; exit 1; }
rpm -ivh --force "$EPEL_RPM" && /bin/rm -f "$EPEL_RPM"
# Install necessary packages
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
@ -122,29 +137,31 @@ yum -y install nss-devel nspr-devel pkgconfig pam-devel \
fipscheck-devel unbound-devel gmp gmp-devel xmlto
yum -y install ppp xl2tpd
# Install Fail2Ban to protect SSH server
yum -y install fail2ban
# Installed Libevent 2. Use backported version for CentOS 6.
if grep -qs "release 6" /etc/redhat-release; then
LE2_URL="https://people.redhat.com/pwouters/libreswan-rhel6"
RPM1="libevent2-2.0.21-1.el6.x86_64.rpm"
RPM2="libevent2-devel-2.0.21-1.el6.x86_64.rpm"
wget -t 3 -T 30 -nv -O $RPM1 $LE2_URL/$RPM1
wget -t 3 -T 30 -nv -O $RPM2 $LE2_URL/$RPM2
[ ! -f $RPM1 ] || [ ! -f $RPM2 ] && { echo "Could not retrieve Libevent2 RPM file(s). Aborting."; exit 1; }
rpm -ivh --force $RPM1 $RPM2 && /bin/rm -f $RPM1 $RPM2
wget -t 3 -T 30 -nv -O "$RPM1" "$LE2_URL/$RPM1"
wget -t 3 -T 30 -nv -O "$RPM2" "$LE2_URL/$RPM2"
[ ! -f "$RPM1" ] || [ ! -f "$RPM2" ] && { echo "Could not retrieve Libevent2 RPM file(s). Aborting."; exit 1; }
rpm -ivh --force "$RPM1" "$RPM2" && /bin/rm -f "$RPM1" "$RPM2"
elif grep -qs "release 7" /etc/redhat-release; then
yum -y install libevent-devel
fi
# Compile and install Libreswan (https://libreswan.org/)
# To upgrade Libreswan when a newer version is available, just re-run these
# commands with the new "SWAN_VER", then restore SELinux contexts using
# the commands at the end of this script, and finally restart services with
# "service ipsec restart" and "service xl2tpd restart".
SWAN_VER=3.16
SWAN_URL=https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz
wget -t 3 -T 30 -qO- $SWAN_URL | tar xvz
[ ! -d libreswan-${SWAN_VER} ] && { echo "Could not retrieve Libreswan source files. Aborting."; exit 1; }
cd libreswan-${SWAN_VER}
SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
SWAN_URL="https://download.libreswan.org/${SWAN_FILE}"
wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
[ ! -f "$SWAN_FILE" ] && { echo "Could not retrieve Libreswan source file. Aborting."; exit 1; }
/bin/rm -rf "/opt/src/libreswan-${SWAN_VER}"
tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source directory. Aborting."; exit 1; }
make programs && make install
# Prepare various config files
@ -306,6 +323,25 @@ COMMIT
COMMIT
EOF
if [ ! -f /etc/fail2ban/jail.local ] ; then
cat > /etc/fail2ban/jail.local <<EOF
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 600
maxretry = 5
backend = auto
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
EOF
fi
/bin/cp -f /etc/rc.local "/etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/rc.local <<EOF
#!/bin/sh
@ -316,8 +352,9 @@ cat > /etc/rc.local <<EOF
touch /var/lock/subsys/local
/sbin/iptables-restore < /etc/sysconfig/iptables
/sbin/service ipsec restart
/sbin/service xl2tpd restart
/sbin/service fail2ban restart
/sbin/service ipsec start
/sbin/service xl2tpd start
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
@ -333,8 +370,14 @@ restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
/sbin/sysctl -p
/bin/chmod +x /etc/rc.local
/bin/chmod 600 /etc/ipsec.secrets /etc/ppp/chap-secrets
/sbin/iptables-restore < /etc/sysconfig/iptables
/sbin/service ipsec restart
/sbin/service xl2tpd restart
/sbin/service fail2ban stop >/dev/null 2>&1
/sbin/service ipsec stop >/dev/null 2>&1
/sbin/service xl2tpd stop >/dev/null 2>&1
/sbin/service fail2ban start
/sbin/service ipsec start
/sbin/service xl2tpd start

21
vpnupgrade_Libreswan.sh
View File

@ -10,6 +10,7 @@
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
# Check https://libreswan.org and update version number if necessary
SWAN_VER=3.16
if [ "$(lsb_release -si)" != "Ubuntu" ] && [ "$(lsb_release -si)" != "Debian" ]; then
@ -34,11 +35,14 @@ if [ "$?" != "0" ]; then
exit 1
fi
clear
ipsec --version 2>/dev/null | grep -qs "Libreswan ${SWAN_VER}"
if [ "$?" = "0" ]; then
echo "You already have Libreswan ${SWAN_VER} installed! "
echo
read -r -p "Do you wish to continue anyway? [y/N] " response
printf "Do you wish to continue anyway? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
@ -55,7 +59,8 @@ echo "This is intended for use on VPN servers with an older version of Libreswan
echo "Your existing VPN configuration files will NOT be modified."
echo
read -r -p "Do you wish to continue? [y/N] " response
printf "Do you wish to continue? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
@ -86,14 +91,16 @@ apt-get -y --no-install-recommends install xmlto
apt-get -y install xl2tpd
# Compile and install Libreswan (https://libreswan.org/)
SWAN_URL=https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz
SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
SWAN_URL="https://download.libreswan.org/${SWAN_FILE}"
wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
[ ! -f "$SWAN_FILE" ] && { echo "Could not retrieve Libreswan source file. Aborting."; exit 1; }
/bin/rm -rf "/opt/src/libreswan-${SWAN_VER}"
wget -t 3 -T 30 -qO- $SWAN_URL | tar xvz
[ ! -d libreswan-${SWAN_VER} ] && { echo "Could not retrieve Libreswan source files. Aborting."; exit 1; }
cd libreswan-${SWAN_VER}
tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source directory. Aborting."; exit 1; }
make programs && make install
ipsec --version 2>/dev/null | grep -qs "Libreswan ${SWAN_VER}"
ipsec --version 2>/dev/null | grep -qs "${SWAN_VER}"
if [ "$?" != "0" ]; then
echo
echo "Sorry, something went wrong."

35
vpnupgrade_Libreswan_centos.sh
View File

@ -10,6 +10,7 @@
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
# Check https://libreswan.org and update version number if necessary
SWAN_VER=3.16
if [ ! -f /etc/redhat-release ]; then
@ -39,11 +40,14 @@ if [ "$?" != "0" ]; then
exit 1
fi
clear
ipsec --version 2>/dev/null | grep -qs "Libreswan ${SWAN_VER}"
if [ "$?" = "0" ]; then
echo "You already have Libreswan ${SWAN_VER} installed! "
echo
read -r -p "Do you wish to continue anyway? [y/N] " response
printf "Do you wish to continue anyway? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
@ -60,7 +64,8 @@ echo "This is intended for use on VPN servers with an older version of Libreswan
echo "Your existing VPN configuration files will NOT be modified."
echo
read -r -p "Do you wish to continue? [y/N] " response
printf "Do you wish to continue? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
@ -91,9 +96,9 @@ else
echo "Sorry, this script only supports versions 6 and 7 of CentOS/RHEL."
exit 1
fi
wget -t 3 -T 30 -nv -O $EPEL_RPM $EPEL_URL
[ ! -f $EPEL_RPM ] && { echo "Could not retrieve EPEL repository RPM file. Aborting."; exit 1; }
rpm -ivh --force $EPEL_RPM && /bin/rm -f $EPEL_RPM
wget -t 3 -T 30 -nv -O "$EPEL_RPM" "$EPEL_URL"
[ ! -f "$EPEL_RPM" ] && { echo "Could not retrieve EPEL repository RPM file. Aborting."; exit 1; }
rpm -ivh --force "$EPEL_RPM" && /bin/rm -f "$EPEL_RPM"
# Install necessary packages
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
@ -107,23 +112,25 @@ if grep -qs "release 6" /etc/redhat-release; then
LE2_URL="https://people.redhat.com/pwouters/libreswan-rhel6"
RPM1="libevent2-2.0.21-1.el6.x86_64.rpm"
RPM2="libevent2-devel-2.0.21-1.el6.x86_64.rpm"
wget -t 3 -T 30 -nv -O $RPM1 $LE2_URL/$RPM1
wget -t 3 -T 30 -nv -O $RPM2 $LE2_URL/$RPM2
[ ! -f $RPM1 ] || [ ! -f $RPM2 ] && { echo "Could not retrieve Libevent2 RPM file(s). Aborting."; exit 1; }
rpm -ivh --force $RPM1 $RPM2 && /bin/rm -f $RPM1 $RPM2
wget -t 3 -T 30 -nv -O "$RPM1" "$LE2_URL/$RPM1"
wget -t 3 -T 30 -nv -O "$RPM2" "$LE2_URL/$RPM2"
[ ! -f "$RPM1" ] || [ ! -f "$RPM2" ] && { echo "Could not retrieve Libevent2 RPM file(s). Aborting."; exit 1; }
rpm -ivh --force "$RPM1" "$RPM2" && /bin/rm -f "$RPM1" "$RPM2"
elif grep -qs "release 7" /etc/redhat-release; then
yum -y install libevent-devel
fi
# Compile and install Libreswan (https://libreswan.org/)
SWAN_URL=https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz
SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
SWAN_URL="https://download.libreswan.org/${SWAN_FILE}"
wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
[ ! -f "$SWAN_FILE" ] && { echo "Could not retrieve Libreswan source file. Aborting."; exit 1; }
/bin/rm -rf "/opt/src/libreswan-${SWAN_VER}"
wget -t 3 -T 30 -qO- $SWAN_URL | tar xvz
[ ! -d libreswan-${SWAN_VER} ] && { echo "Could not retrieve Libreswan source files. Aborting."; exit 1; }
cd libreswan-${SWAN_VER}
tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source directory. Aborting."; exit 1; }
make programs && make install
ipsec --version 2>/dev/null | grep -qs "Libreswan ${SWAN_VER}"
ipsec --version 2>/dev/null | grep -qs "${SWAN_VER}"
if [ "$?" != "0" ]; then
echo
echo "Sorry, something went wrong."