diff --git a/README.md b/README.md
index 0b927fd..c96abf7 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ Scripts for automatic configuration of IPsec/L2TP VPN server on Ubuntu 14.04 & 1
We will use Libreswan as the IPsec server, and xl2tpd as the L2TP provider.
-#### Link to my VPN tutorial with detailed usage instructions
+### My VPN tutorial with detailed usage instructions
## Features
@@ -25,7 +25,7 @@ We will use Libreswan as th
## Requirements
A newly created Amazon EC2 instance, using these AMIs: (See the link above for usage instructions)
-- Ubuntu 14.04 (Trusty) or 12.04 (Precise)
+- Ubuntu 14.04 (Trusty) or 12.04 (Precise)
- Debian 8 (Jessie) EC2 Images
- CentOS 7 (x86_64) with Updates HVM
- CentOS 6 (x86_64) with Updates HVM - Does NOT have cloud-init. Run script manually via SSH.
@@ -48,6 +48,8 @@ OpenVZ VPS users should instead use Google Public DNS when the VPN connection is active. This setting is controlled by `ms-dns` in `/etc/ppp/options.xl2tpd`.
-If using Amazon EC2, these ports must be open in the instance's security group: **UDP ports 500 & 4500**, and **TCP port 22** (optional, for SSH).
+If using Amazon EC2, these ports must be open in the instance's security group: **UDP ports 500 & 4500** (for the VPN), and **TCP port 22** (optional, for SSH).
If your server uses a custom SSH port (not 22), or if you wish to allow other services through IPTables, be sure to edit the IPTables rules in the scripts before using.
The scripts will backup files `/etc/rc.local`, `/etc/sysctl.conf`, `/etc/iptables.rules` and `/etc/sysconfig/iptables` before overwriting them. Backups can be found under the same folder with `.old` suffix.
+iPhone/iOS users: If unable to connect, try replacing `rightprotoport=17/%any` in `ipsec.conf` with `rightprotoport=17/0`.
+
## Copyright and license
Copyright (C) 2014 Lin Song
diff --git a/vpnsetup.sh b/vpnsetup.sh
index ea19e02..17b9e35 100644
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -40,15 +40,19 @@ VPN_PASSWORD=your_very_secure_password
# IMPORTANT NOTES:
-# If you need multiple VPN users with different credentials,
-# please see: https://gist.github.com/hwdsl2/123b886f29f4c689f531
-
-# For Windows users, a one-time registry change is required in order to
-# connect to a VPN server behind NAT (e.g. in Amazon EC2). Please see:
+# For **Windows users**, a one-time registry change is required for connections
+# to a VPN server behind NAT (e.g. Amazon EC2). Please see:
# https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
-# If using Amazon EC2, these ports must be open in the security group of
-# your VPN server: UDP ports 500 & 4500, and TCP port 22 (optional, for SSH).
+# To support multiple VPN users with different credentials, see:
+# https://gist.github.com/hwdsl2/123b886f29f4c689f531
+
+# Clients are configured to use Google Public DNS when the VPN connection is active.
+# This setting is controlled by "ms-dns" in /etc/ppp/options.xl2tpd.
+# https://developers.google.com/speed/public-dns/
+
+# If using Amazon EC2, these ports must be open in the instance's security group:
+# UDP ports 500 & 4500 (for the VPN), and TCP port 22 (optional, for SSH).
# If your server uses a custom SSH port (not 22), or if you wish to allow other services
# through IPTables, be sure to edit the IPTables rules below before running this script.
@@ -56,7 +60,7 @@ VPN_PASSWORD=your_very_secure_password
# This script will backup /etc/rc.local, /etc/sysctl.conf and /etc/iptables.rules
# before overwriting them. Backups can be found under the same folder with .old suffix.
-# iPhone/iOS users may need to replace this line in ipsec.conf:
+# iPhone/iOS users: In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
# "rightprotoport=17/%any" with "rightprotoport=17/0".
# Create and change to working dir
@@ -91,6 +95,17 @@ PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/la
[ "$PRIVATE_IP" = "" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
[ "$PRIVATE_IP" = "" ] && { echo "Could not find Private IP, please edit the VPN script manually."; exit 1; }
+# Check public/private IPs for correct format
+IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
+if printf %s "$PUBLIC_IP" | grep -vEq "$IP_REGEX"; then
+ echo "Could not find valid Public IP, please edit the VPN script manually."
+ exit 1
+fi
+if printf %s "$PRIVATE_IP" | grep -vEq "$IP_REGEX"; then
+ echo "Could not find valid Private IP, please edit the VPN script manually."
+ exit 1
+fi
+
# Install necessary packages
apt-get -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
libcap-ng-dev libcap-ng-utils libselinux1-dev \
@@ -99,15 +114,18 @@ apt-get -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
apt-get -y --no-install-recommends install xmlto
apt-get -y install xl2tpd
+# Install Fail2Ban to protect SSH server
+apt-get -y install fail2ban
+
# Compile and install Libreswan (https://libreswan.org/)
-# To upgrade Libreswan when a newer version is available, just re-run
-# these commands with the new "SWAN_VER", and then restart services with
-# "service ipsec restart" and "service xl2tpd restart".
SWAN_VER=3.16
-SWAN_URL=https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz
-wget -t 3 -T 30 -qO- $SWAN_URL | tar xvz
-[ ! -d libreswan-${SWAN_VER} ] && { echo "Could not retrieve Libreswan source files. Aborting."; exit 1; }
-cd libreswan-${SWAN_VER}
+SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
+SWAN_URL="https://download.libreswan.org/${SWAN_FILE}"
+wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
+[ ! -f "$SWAN_FILE" ] && { echo "Could not retrieve Libreswan source file. Aborting."; exit 1; }
+/bin/rm -rf "/opt/src/libreswan-${SWAN_VER}"
+tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
+cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source directory. Aborting."; exit 1; }
make programs && make install
# Prepare various config files
@@ -290,8 +308,10 @@ cat > /etc/rc.local < /proc/sys/net/ipv4/ip_forward
exit 0
EOF
@@ -303,9 +323,15 @@ if [ ! -f /etc/ipsec.d/cert8.db ] ; then
fi
/sbin/sysctl -p
+/bin/chmod +x /etc/rc.local
/bin/chmod +x /etc/network/if-pre-up.d/iptablesload
/bin/chmod 600 /etc/ipsec.secrets /etc/ppp/chap-secrets
/sbin/iptables-restore < /etc/iptables.rules
-/usr/sbin/service ipsec restart
-/usr/sbin/service xl2tpd restart
+/usr/sbin/service fail2ban stop >/dev/null 2>&1
+/usr/sbin/service ipsec stop >/dev/null 2>&1
+/usr/sbin/service xl2tpd stop >/dev/null 2>&1
+
+/usr/sbin/service fail2ban start
+/usr/sbin/service ipsec start
+/usr/sbin/service xl2tpd start
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index f6cd82a..fbd0e9c 100644
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -51,15 +51,19 @@ VPN_PASSWORD=your_very_secure_password
# IMPORTANT NOTES:
-# If you need multiple VPN users with different credentials,
-# please see: https://gist.github.com/hwdsl2/123b886f29f4c689f531
-
-# For Windows users, a one-time registry change is required in order to
-# connect to a VPN server behind NAT (e.g. in Amazon EC2). Please see:
+# For **Windows users**, a one-time registry change is required for connections
+# to a VPN server behind NAT (e.g. Amazon EC2). Please see:
# https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
-# If using Amazon EC2, these ports must be open in the security group of
-# your VPN server: UDP ports 500 & 4500, and TCP port 22 (optional, for SSH).
+# To support multiple VPN users with different credentials, see:
+# https://gist.github.com/hwdsl2/123b886f29f4c689f531
+
+# Clients are configured to use Google Public DNS when the VPN connection is active.
+# This setting is controlled by "ms-dns" in /etc/ppp/options.xl2tpd.
+# https://developers.google.com/speed/public-dns/
+
+# If using Amazon EC2, these ports must be open in the instance's security group:
+# UDP ports 500 & 4500 (for the VPN), and TCP port 22 (optional, for SSH).
# If your server uses a custom SSH port (not 22), or if you wish to allow other services
# through IPTables, be sure to edit the IPTables rules below before running this script.
@@ -67,7 +71,7 @@ VPN_PASSWORD=your_very_secure_password
# This script will backup /etc/rc.local, /etc/sysctl.conf and /etc/sysconfig/iptables
# before overwriting them. Backups can be found under the same folder with .old suffix.
-# iPhone/iOS users may need to replace this line in ipsec.conf:
+# iPhone/iOS users: In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
# "rightprotoport=17/%any" with "rightprotoport=17/0".
# Create and change to working dir
@@ -100,6 +104,17 @@ PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/la
[ "$PRIVATE_IP" = "" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
[ "$PRIVATE_IP" = "" ] && { echo "Could not find Private IP, please edit the VPN script manually."; exit 1; }
+# Check public/private IPs for correct format
+IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
+if printf %s "$PUBLIC_IP" | grep -vEq "$IP_REGEX"; then
+ echo "Could not find valid Public IP, please edit the VPN script manually."
+ exit 1
+fi
+if printf %s "$PRIVATE_IP" | grep -vEq "$IP_REGEX"; then
+ echo "Could not find valid Private IP, please edit the VPN script manually."
+ exit 1
+fi
+
# Add the EPEL repository
if grep -qs "release 6" /etc/redhat-release; then
EPEL_RPM="epel-release-6-8.noarch.rpm"
@@ -111,9 +126,9 @@ else
echo "Sorry, this script only supports versions 6 and 7 of CentOS/RHEL."
exit 1
fi
-wget -t 3 -T 30 -nv -O $EPEL_RPM $EPEL_URL
-[ ! -f $EPEL_RPM ] && { echo "Could not retrieve EPEL repository RPM file. Aborting."; exit 1; }
-rpm -ivh --force $EPEL_RPM && /bin/rm -f $EPEL_RPM
+wget -t 3 -T 30 -nv -O "$EPEL_RPM" "$EPEL_URL"
+[ ! -f "$EPEL_RPM" ] && { echo "Could not retrieve EPEL repository RPM file. Aborting."; exit 1; }
+rpm -ivh --force "$EPEL_RPM" && /bin/rm -f "$EPEL_RPM"
# Install necessary packages
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
@@ -122,29 +137,31 @@ yum -y install nss-devel nspr-devel pkgconfig pam-devel \
fipscheck-devel unbound-devel gmp gmp-devel xmlto
yum -y install ppp xl2tpd
+# Install Fail2Ban to protect SSH server
+yum -y install fail2ban
+
# Installed Libevent 2. Use backported version for CentOS 6.
if grep -qs "release 6" /etc/redhat-release; then
LE2_URL="https://people.redhat.com/pwouters/libreswan-rhel6"
RPM1="libevent2-2.0.21-1.el6.x86_64.rpm"
RPM2="libevent2-devel-2.0.21-1.el6.x86_64.rpm"
- wget -t 3 -T 30 -nv -O $RPM1 $LE2_URL/$RPM1
- wget -t 3 -T 30 -nv -O $RPM2 $LE2_URL/$RPM2
- [ ! -f $RPM1 ] || [ ! -f $RPM2 ] && { echo "Could not retrieve Libevent2 RPM file(s). Aborting."; exit 1; }
- rpm -ivh --force $RPM1 $RPM2 && /bin/rm -f $RPM1 $RPM2
+ wget -t 3 -T 30 -nv -O "$RPM1" "$LE2_URL/$RPM1"
+ wget -t 3 -T 30 -nv -O "$RPM2" "$LE2_URL/$RPM2"
+ [ ! -f "$RPM1" ] || [ ! -f "$RPM2" ] && { echo "Could not retrieve Libevent2 RPM file(s). Aborting."; exit 1; }
+ rpm -ivh --force "$RPM1" "$RPM2" && /bin/rm -f "$RPM1" "$RPM2"
elif grep -qs "release 7" /etc/redhat-release; then
yum -y install libevent-devel
fi
# Compile and install Libreswan (https://libreswan.org/)
-# To upgrade Libreswan when a newer version is available, just re-run these
-# commands with the new "SWAN_VER", then restore SELinux contexts using
-# the commands at the end of this script, and finally restart services with
-# "service ipsec restart" and "service xl2tpd restart".
SWAN_VER=3.16
-SWAN_URL=https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz
-wget -t 3 -T 30 -qO- $SWAN_URL | tar xvz
-[ ! -d libreswan-${SWAN_VER} ] && { echo "Could not retrieve Libreswan source files. Aborting."; exit 1; }
-cd libreswan-${SWAN_VER}
+SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
+SWAN_URL="https://download.libreswan.org/${SWAN_FILE}"
+wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
+[ ! -f "$SWAN_FILE" ] && { echo "Could not retrieve Libreswan source file. Aborting."; exit 1; }
+/bin/rm -rf "/opt/src/libreswan-${SWAN_VER}"
+tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
+cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source directory. Aborting."; exit 1; }
make programs && make install
# Prepare various config files
@@ -306,6 +323,25 @@ COMMIT
COMMIT
EOF
+if [ ! -f /etc/fail2ban/jail.local ] ; then
+
+cat > /etc/fail2ban/jail.local </dev/null
cat > /etc/rc.local < /etc/rc.local < /proc/sys/net/ipv4/ip_forward
EOF
@@ -333,8 +370,14 @@ restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
/sbin/sysctl -p
+/bin/chmod +x /etc/rc.local
/bin/chmod 600 /etc/ipsec.secrets /etc/ppp/chap-secrets
/sbin/iptables-restore < /etc/sysconfig/iptables
-/sbin/service ipsec restart
-/sbin/service xl2tpd restart
+/sbin/service fail2ban stop >/dev/null 2>&1
+/sbin/service ipsec stop >/dev/null 2>&1
+/sbin/service xl2tpd stop >/dev/null 2>&1
+
+/sbin/service fail2ban start
+/sbin/service ipsec start
+/sbin/service xl2tpd start
diff --git a/vpnupgrade_Libreswan.sh b/vpnupgrade_Libreswan.sh
index 925ebea..512fa30 100644
--- a/vpnupgrade_Libreswan.sh
+++ b/vpnupgrade_Libreswan.sh
@@ -10,6 +10,7 @@
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
+# Check https://libreswan.org and update version number if necessary
SWAN_VER=3.16
if [ "$(lsb_release -si)" != "Ubuntu" ] && [ "$(lsb_release -si)" != "Debian" ]; then
@@ -34,11 +35,14 @@ if [ "$?" != "0" ]; then
exit 1
fi
+clear
+
ipsec --version 2>/dev/null | grep -qs "Libreswan ${SWAN_VER}"
if [ "$?" = "0" ]; then
echo "You already have Libreswan ${SWAN_VER} installed! "
echo
- read -r -p "Do you wish to continue anyway? [y/N] " response
+ printf "Do you wish to continue anyway? [y/N] "
+ read -r response
case $response in
[yY][eE][sS]|[yY])
echo
@@ -55,7 +59,8 @@ echo "This is intended for use on VPN servers with an older version of Libreswan
echo "Your existing VPN configuration files will NOT be modified."
echo
-read -r -p "Do you wish to continue? [y/N] " response
+printf "Do you wish to continue? [y/N] "
+read -r response
case $response in
[yY][eE][sS]|[yY])
echo
@@ -86,14 +91,16 @@ apt-get -y --no-install-recommends install xmlto
apt-get -y install xl2tpd
# Compile and install Libreswan (https://libreswan.org/)
-SWAN_URL=https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz
+SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
+SWAN_URL="https://download.libreswan.org/${SWAN_FILE}"
+wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
+[ ! -f "$SWAN_FILE" ] && { echo "Could not retrieve Libreswan source file. Aborting."; exit 1; }
/bin/rm -rf "/opt/src/libreswan-${SWAN_VER}"
-wget -t 3 -T 30 -qO- $SWAN_URL | tar xvz
-[ ! -d libreswan-${SWAN_VER} ] && { echo "Could not retrieve Libreswan source files. Aborting."; exit 1; }
-cd libreswan-${SWAN_VER}
+tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
+cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source directory. Aborting."; exit 1; }
make programs && make install
-ipsec --version 2>/dev/null | grep -qs "Libreswan ${SWAN_VER}"
+ipsec --version 2>/dev/null | grep -qs "${SWAN_VER}"
if [ "$?" != "0" ]; then
echo
echo "Sorry, something went wrong."
diff --git a/vpnupgrade_Libreswan_centos.sh b/vpnupgrade_Libreswan_centos.sh
index 891d766..0d7225c 100644
--- a/vpnupgrade_Libreswan_centos.sh
+++ b/vpnupgrade_Libreswan_centos.sh
@@ -10,6 +10,7 @@
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
+# Check https://libreswan.org and update version number if necessary
SWAN_VER=3.16
if [ ! -f /etc/redhat-release ]; then
@@ -39,11 +40,14 @@ if [ "$?" != "0" ]; then
exit 1
fi
+clear
+
ipsec --version 2>/dev/null | grep -qs "Libreswan ${SWAN_VER}"
if [ "$?" = "0" ]; then
echo "You already have Libreswan ${SWAN_VER} installed! "
echo
- read -r -p "Do you wish to continue anyway? [y/N] " response
+ printf "Do you wish to continue anyway? [y/N] "
+ read -r response
case $response in
[yY][eE][sS]|[yY])
echo
@@ -60,7 +64,8 @@ echo "This is intended for use on VPN servers with an older version of Libreswan
echo "Your existing VPN configuration files will NOT be modified."
echo
-read -r -p "Do you wish to continue? [y/N] " response
+printf "Do you wish to continue? [y/N] "
+read -r response
case $response in
[yY][eE][sS]|[yY])
echo
@@ -91,9 +96,9 @@ else
echo "Sorry, this script only supports versions 6 and 7 of CentOS/RHEL."
exit 1
fi
-wget -t 3 -T 30 -nv -O $EPEL_RPM $EPEL_URL
-[ ! -f $EPEL_RPM ] && { echo "Could not retrieve EPEL repository RPM file. Aborting."; exit 1; }
-rpm -ivh --force $EPEL_RPM && /bin/rm -f $EPEL_RPM
+wget -t 3 -T 30 -nv -O "$EPEL_RPM" "$EPEL_URL"
+[ ! -f "$EPEL_RPM" ] && { echo "Could not retrieve EPEL repository RPM file. Aborting."; exit 1; }
+rpm -ivh --force "$EPEL_RPM" && /bin/rm -f "$EPEL_RPM"
# Install necessary packages
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
@@ -107,23 +112,25 @@ if grep -qs "release 6" /etc/redhat-release; then
LE2_URL="https://people.redhat.com/pwouters/libreswan-rhel6"
RPM1="libevent2-2.0.21-1.el6.x86_64.rpm"
RPM2="libevent2-devel-2.0.21-1.el6.x86_64.rpm"
- wget -t 3 -T 30 -nv -O $RPM1 $LE2_URL/$RPM1
- wget -t 3 -T 30 -nv -O $RPM2 $LE2_URL/$RPM2
- [ ! -f $RPM1 ] || [ ! -f $RPM2 ] && { echo "Could not retrieve Libevent2 RPM file(s). Aborting."; exit 1; }
- rpm -ivh --force $RPM1 $RPM2 && /bin/rm -f $RPM1 $RPM2
+ wget -t 3 -T 30 -nv -O "$RPM1" "$LE2_URL/$RPM1"
+ wget -t 3 -T 30 -nv -O "$RPM2" "$LE2_URL/$RPM2"
+ [ ! -f "$RPM1" ] || [ ! -f "$RPM2" ] && { echo "Could not retrieve Libevent2 RPM file(s). Aborting."; exit 1; }
+ rpm -ivh --force "$RPM1" "$RPM2" && /bin/rm -f "$RPM1" "$RPM2"
elif grep -qs "release 7" /etc/redhat-release; then
yum -y install libevent-devel
fi
# Compile and install Libreswan (https://libreswan.org/)
-SWAN_URL=https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz
+SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
+SWAN_URL="https://download.libreswan.org/${SWAN_FILE}"
+wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
+[ ! -f "$SWAN_FILE" ] && { echo "Could not retrieve Libreswan source file. Aborting."; exit 1; }
/bin/rm -rf "/opt/src/libreswan-${SWAN_VER}"
-wget -t 3 -T 30 -qO- $SWAN_URL | tar xvz
-[ ! -d libreswan-${SWAN_VER} ] && { echo "Could not retrieve Libreswan source files. Aborting."; exit 1; }
-cd libreswan-${SWAN_VER}
+tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
+cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source directory. Aborting."; exit 1; }
make programs && make install
-ipsec --version 2>/dev/null | grep -qs "Libreswan ${SWAN_VER}"
+ipsec --version 2>/dev/null | grep -qs "${SWAN_VER}"
if [ "$?" != "0" ]; then
echo
echo "Sorry, something went wrong."