mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2024-11-22 04:56:03 +03:00
Code Issues Projects Releases Wiki Activity

Update VPN scripts for better security and usability

Browse Source 
- Install Fail2Ban to protect SSH server from web attacks
- Check public/private IPs against regex for the correct format
- Use printf instead of "read -r -p" for better POSIX compliance
- Other small code enhancements to the scripts
- Update README.md to add "OS update" to Installation
This commit is contained in:
hwdsl2 2016-01-12 18:28:34 -06:00
parent 7a49f9a236
commit dec1b44091
5 changed files with 159 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
README.md
View File

@ -10,7 +10,7 @@ Scripts for automatic configuration of IPsec/L2TP VPN server on Ubuntu 14.04 & 1
We will use <a href="https://libreswan.org/" target="_blank">Libreswan</a> as the IPsec server, and <a href="https://www.xelerance.com/services/software/xl2tpd/" target="_blank">xl2tpd</a> as the L2TP provider. We will use <a href="https://libreswan.org/" target="_blank">Libreswan</a> as the IPsec server, and <a href="https://www.xelerance.com/services/software/xl2tpd/" target="_blank">xl2tpd</a> as the L2TP provider.
#### <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/" target="_blank">Link to my VPN tutorial with detailed usage instructions</a> ### <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/" target="_blank">My VPN tutorial with detailed usage instructions</a>
## Features ## Features
@ -25,7 +25,7 @@ We will use <a href="https://libreswan.org/" target="_blank">Libreswan</a> as th
## Requirements ## Requirements
A newly created Amazon EC2 instance, using these AMIs: (See the link above for usage instructions) A newly created Amazon EC2 instance, using these AMIs: (See the link above for usage instructions)
- <a href="http://cloud-images.ubuntu.com/releases/trusty/release/" target="_blank">Ubuntu 14.04 (Trusty)</a> or <a href="http://cloud-images.ubuntu.com/releases/precise/release/" target="_blank">12.04 (Precise)</a> - <a href="http://cloud-images.ubuntu.com/trusty/current/" target="_blank">Ubuntu 14.04 (Trusty)</a> or <a href="http://cloud-images.ubuntu.com/precise/current/" target="_blank">12.04 (Precise)</a>
- <a href="https://wiki.debian.org/Cloud/AmazonEC2Image/Jessie" target="_blank">Debian 8 (Jessie) EC2 Images</a> - <a href="https://wiki.debian.org/Cloud/AmazonEC2Image/Jessie" target="_blank">Debian 8 (Jessie) EC2 Images</a>
- <a href="https://aws.amazon.com/marketplace/pp/B00O7WM7QW" target="_blank">CentOS 7 (x86_64) with Updates HVM</a> - <a href="https://aws.amazon.com/marketplace/pp/B00O7WM7QW" target="_blank">CentOS 7 (x86_64) with Updates HVM</a>
- <a href="https://aws.amazon.com/marketplace/pp/B00NQAYLWO" target="_blank">CentOS 6 (x86_64) with Updates HVM</a> - Does NOT have cloud-init. Run script manually via SSH. - <a href="https://aws.amazon.com/marketplace/pp/B00NQAYLWO" target="_blank">CentOS 6 (x86_64) with Updates HVM</a> - Does NOT have cloud-init. Run script manually via SSH.
@ -48,6 +48,8 @@ OpenVZ VPS users should instead use <a href="https://github.com/Nyr/openvpn-inst
### For Ubuntu and Debian: ### For Ubuntu and Debian:
First, update your system with `apt-get update && apt-get dist-upgrade` and reboot. This is optional but recommended.
```bash ```bash
wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup.sh -O vpnsetup.sh wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup.sh -O vpnsetup.sh
nano -w vpnsetup.sh nano -w vpnsetup.sh
@ -64,6 +66,8 @@ wget https://gist.github.com/hwdsl2/5a769b2c4436cdf02a90/raw -O vpnsetup-workaro
### For CentOS and RHEL: ### For CentOS and RHEL:
First, update your system with `yum update` and reboot. This is optional but recommended.
```bash ```bash
yum -y install wget nano yum -y install wget nano
wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup_centos.sh -O vpnsetup_centos.sh wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup_centos.sh -O vpnsetup_centos.sh
@ -84,12 +88,14 @@ To support multiple VPN users with different credentials, just <a href="https://
Clients are configured to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN connection is active. This setting is controlled by `ms-dns` in `/etc/ppp/options.xl2tpd`. Clients are configured to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN connection is active. This setting is controlled by `ms-dns` in `/etc/ppp/options.xl2tpd`.
If using Amazon EC2, these ports must be open in the instance's security group: **UDP ports 500 & 4500**, and **TCP port 22** (optional, for SSH). If using Amazon EC2, these ports must be open in the instance's security group: **UDP ports 500 & 4500** (for the VPN), and **TCP port 22** (optional, for SSH).
If your server uses a custom SSH port (not 22), or if you wish to allow other services through IPTables, be sure to edit the IPTables rules in the scripts before using. If your server uses a custom SSH port (not 22), or if you wish to allow other services through IPTables, be sure to edit the IPTables rules in the scripts before using.
The scripts will backup files `/etc/rc.local`, `/etc/sysctl.conf`, `/etc/iptables.rules` and `/etc/sysconfig/iptables` before overwriting them. Backups can be found under the same folder with `.old` suffix. The scripts will backup files `/etc/rc.local`, `/etc/sysctl.conf`, `/etc/iptables.rules` and `/etc/sysconfig/iptables` before overwriting them. Backups can be found under the same folder with `.old` suffix.
iPhone/iOS users: If unable to connect, try replacing `rightprotoport=17/%any` in `ipsec.conf` with `rightprotoport=17/0`.
## Copyright and license ## Copyright and license
Copyright (C) 2014&nbsp;Lin Song&nbsp;&nbsp;&nbsp;<a href="https://www.linkedin.com/in/linsongui" target="_blank"><img src="https://static.licdn.com/scds/common/u/img/webpromo/btn_profile_bluetxt_80x15.png" width="80" height="15" border="0" alt="View my profile on LinkedIn"></a> Copyright (C) 2014&nbsp;Lin Song&nbsp;&nbsp;&nbsp;<a href="https://www.linkedin.com/in/linsongui" target="_blank"><img src="https://static.licdn.com/scds/common/u/img/webpromo/btn_profile_bluetxt_80x15.png" width="80" height="15" border="0" alt="View my profile on LinkedIn"></a>

64
vpnsetup.sh
View File

@ -40,15 +40,19 @@ VPN_PASSWORD=your_very_secure_password
# IMPORTANT NOTES: # IMPORTANT NOTES:
# If you need multiple VPN users with different credentials, # For **Windows users**, a one-time registry change is required for connections
# please see: https://gist.github.com/hwdsl2/123b886f29f4c689f531 # to a VPN server behind NAT (e.g. Amazon EC2). Please see:
# For Windows users, a one-time registry change is required in order to
# connect to a VPN server behind NAT (e.g. in Amazon EC2). Please see:
# https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809 # https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
# If using Amazon EC2, these ports must be open in the security group of # To support multiple VPN users with different credentials, see:
# your VPN server: UDP ports 500 & 4500, and TCP port 22 (optional, for SSH). # https://gist.github.com/hwdsl2/123b886f29f4c689f531
# Clients are configured to use Google Public DNS when the VPN connection is active.
# This setting is controlled by "ms-dns" in /etc/ppp/options.xl2tpd.
# https://developers.google.com/speed/public-dns/
# If using Amazon EC2, these ports must be open in the instance's security group:
# UDP ports 500 & 4500 (for the VPN), and TCP port 22 (optional, for SSH).
# If your server uses a custom SSH port (not 22), or if you wish to allow other services # If your server uses a custom SSH port (not 22), or if you wish to allow other services
# through IPTables, be sure to edit the IPTables rules below before running this script. # through IPTables, be sure to edit the IPTables rules below before running this script.
@ -56,7 +60,7 @@ VPN_PASSWORD=your_very_secure_password
# This script will backup /etc/rc.local, /etc/sysctl.conf and /etc/iptables.rules # This script will backup /etc/rc.local, /etc/sysctl.conf and /etc/iptables.rules
# before overwriting them. Backups can be found under the same folder with .old suffix. # before overwriting them. Backups can be found under the same folder with .old suffix.
# iPhone/iOS users may need to replace this line in ipsec.conf: # iPhone/iOS users: In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
# "rightprotoport=17/%any" with "rightprotoport=17/0". # "rightprotoport=17/%any" with "rightprotoport=17/0".
# Create and change to working dir # Create and change to working dir
@ -91,6 +95,17 @@ PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/la
[ "$PRIVATE_IP" = "" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') [ "$PRIVATE_IP" = "" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
[ "$PRIVATE_IP" = "" ] && { echo "Could not find Private IP, please edit the VPN script manually."; exit 1; } [ "$PRIVATE_IP" = "" ] && { echo "Could not find Private IP, please edit the VPN script manually."; exit 1; }
# Check public/private IPs for correct format
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
if printf %s "$PUBLIC_IP" | grep -vEq "$IP_REGEX"; then
echo "Could not find valid Public IP, please edit the VPN script manually."
exit 1
fi
if printf %s "$PRIVATE_IP" | grep -vEq "$IP_REGEX"; then
echo "Could not find valid Private IP, please edit the VPN script manually."
exit 1
fi
# Install necessary packages # Install necessary packages
apt-get -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ apt-get -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
libcap-ng-dev libcap-ng-utils libselinux1-dev \ libcap-ng-dev libcap-ng-utils libselinux1-dev \
@ -99,15 +114,18 @@ apt-get -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
apt-get -y --no-install-recommends install xmlto apt-get -y --no-install-recommends install xmlto
apt-get -y install xl2tpd apt-get -y install xl2tpd
# Install Fail2Ban to protect SSH server
apt-get -y install fail2ban
# Compile and install Libreswan (https://libreswan.org/) # Compile and install Libreswan (https://libreswan.org/)
# To upgrade Libreswan when a newer version is available, just re-run
# these commands with the new "SWAN_VER", and then restart services with
# "service ipsec restart" and "service xl2tpd restart".
SWAN_VER=3.16 SWAN_VER=3.16
SWAN_URL=https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
wget -t 3 -T 30 -qO- $SWAN_URL | tar xvz SWAN_URL="https://download.libreswan.org/${SWAN_FILE}"
[ ! -d libreswan-${SWAN_VER} ] && { echo "Could not retrieve Libreswan source files. Aborting."; exit 1; } wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
cd libreswan-${SWAN_VER} [ ! -f "$SWAN_FILE" ] && { echo "Could not retrieve Libreswan source file. Aborting."; exit 1; }
/bin/rm -rf "/opt/src/libreswan-${SWAN_VER}"
tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source directory. Aborting."; exit 1; }
make programs && make install make programs && make install
# Prepare various config files # Prepare various config files
@ -290,8 +308,10 @@ cat > /etc/rc.local <<EOF
# bits. # bits.
# #
# By default this script does nothing. # By default this script does nothing.
/usr/sbin/service ipsec restart
/usr/sbin/service xl2tpd restart /usr/sbin/service fail2ban restart || /bin/true
/usr/sbin/service ipsec start
/usr/sbin/service xl2tpd start
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
exit 0 exit 0
EOF EOF
@ -303,9 +323,15 @@ if [ ! -f /etc/ipsec.d/cert8.db ] ; then
fi fi
/sbin/sysctl -p /sbin/sysctl -p
/bin/chmod +x /etc/rc.local
/bin/chmod +x /etc/network/if-pre-up.d/iptablesload /bin/chmod +x /etc/network/if-pre-up.d/iptablesload
/bin/chmod 600 /etc/ipsec.secrets /etc/ppp/chap-secrets /bin/chmod 600 /etc/ipsec.secrets /etc/ppp/chap-secrets
/sbin/iptables-restore < /etc/iptables.rules /sbin/iptables-restore < /etc/iptables.rules
/usr/sbin/service ipsec restart /usr/sbin/service fail2ban stop >/dev/null 2>&1
/usr/sbin/service xl2tpd restart /usr/sbin/service ipsec stop >/dev/null 2>&1
/usr/sbin/service xl2tpd stop >/dev/null 2>&1
/usr/sbin/service fail2ban start
/usr/sbin/service ipsec start
/usr/sbin/service xl2tpd start

97
vpnsetup_centos.sh
View File

@ -51,15 +51,19 @@ VPN_PASSWORD=your_very_secure_password
# IMPORTANT NOTES: # IMPORTANT NOTES:
# If you need multiple VPN users with different credentials, # For **Windows users**, a one-time registry change is required for connections
# please see: https://gist.github.com/hwdsl2/123b886f29f4c689f531 # to a VPN server behind NAT (e.g. Amazon EC2). Please see:
# For Windows users, a one-time registry change is required in order to
# connect to a VPN server behind NAT (e.g. in Amazon EC2). Please see:
# https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809 # https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
# If using Amazon EC2, these ports must be open in the security group of # To support multiple VPN users with different credentials, see:
# your VPN server: UDP ports 500 & 4500, and TCP port 22 (optional, for SSH). # https://gist.github.com/hwdsl2/123b886f29f4c689f531
# Clients are configured to use Google Public DNS when the VPN connection is active.
# This setting is controlled by "ms-dns" in /etc/ppp/options.xl2tpd.
# https://developers.google.com/speed/public-dns/
# If using Amazon EC2, these ports must be open in the instance's security group:
# UDP ports 500 & 4500 (for the VPN), and TCP port 22 (optional, for SSH).
# If your server uses a custom SSH port (not 22), or if you wish to allow other services # If your server uses a custom SSH port (not 22), or if you wish to allow other services
# through IPTables, be sure to edit the IPTables rules below before running this script. # through IPTables, be sure to edit the IPTables rules below before running this script.
@ -67,7 +71,7 @@ VPN_PASSWORD=your_very_secure_password
# This script will backup /etc/rc.local, /etc/sysctl.conf and /etc/sysconfig/iptables # This script will backup /etc/rc.local, /etc/sysctl.conf and /etc/sysconfig/iptables
# before overwriting them. Backups can be found under the same folder with .old suffix. # before overwriting them. Backups can be found under the same folder with .old suffix.
# iPhone/iOS users may need to replace this line in ipsec.conf: # iPhone/iOS users: In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
# "rightprotoport=17/%any" with "rightprotoport=17/0". # "rightprotoport=17/%any" with "rightprotoport=17/0".
# Create and change to working dir # Create and change to working dir
@ -100,6 +104,17 @@ PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/la
[ "$PRIVATE_IP" = "" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') [ "$PRIVATE_IP" = "" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
[ "$PRIVATE_IP" = "" ] && { echo "Could not find Private IP, please edit the VPN script manually."; exit 1; } [ "$PRIVATE_IP" = "" ] && { echo "Could not find Private IP, please edit the VPN script manually."; exit 1; }
# Check public/private IPs for correct format
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
if printf %s "$PUBLIC_IP" | grep -vEq "$IP_REGEX"; then
echo "Could not find valid Public IP, please edit the VPN script manually."
exit 1
fi
if printf %s "$PRIVATE_IP" | grep -vEq "$IP_REGEX"; then
echo "Could not find valid Private IP, please edit the VPN script manually."
exit 1
fi
# Add the EPEL repository # Add the EPEL repository
if grep -qs "release 6" /etc/redhat-release; then if grep -qs "release 6" /etc/redhat-release; then
EPEL_RPM="epel-release-6-8.noarch.rpm" EPEL_RPM="epel-release-6-8.noarch.rpm"
@ -111,9 +126,9 @@ else
echo "Sorry, this script only supports versions 6 and 7 of CentOS/RHEL." echo "Sorry, this script only supports versions 6 and 7 of CentOS/RHEL."
exit 1 exit 1
fi fi
wget -t 3 -T 30 -nv -O $EPEL_RPM $EPEL_URL wget -t 3 -T 30 -nv -O "$EPEL_RPM" "$EPEL_URL"
[ ! -f $EPEL_RPM ] && { echo "Could not retrieve EPEL repository RPM file. Aborting."; exit 1; } [ ! -f "$EPEL_RPM" ] && { echo "Could not retrieve EPEL repository RPM file. Aborting."; exit 1; }
rpm -ivh --force $EPEL_RPM && /bin/rm -f $EPEL_RPM rpm -ivh --force "$EPEL_RPM" && /bin/rm -f "$EPEL_RPM"
# Install necessary packages # Install necessary packages
yum -y install nss-devel nspr-devel pkgconfig pam-devel \ yum -y install nss-devel nspr-devel pkgconfig pam-devel \
@ -122,29 +137,31 @@ yum -y install nss-devel nspr-devel pkgconfig pam-devel \
fipscheck-devel unbound-devel gmp gmp-devel xmlto fipscheck-devel unbound-devel gmp gmp-devel xmlto
yum -y install ppp xl2tpd yum -y install ppp xl2tpd
# Install Fail2Ban to protect SSH server
yum -y install fail2ban
# Installed Libevent 2. Use backported version for CentOS 6. # Installed Libevent 2. Use backported version for CentOS 6.
if grep -qs "release 6" /etc/redhat-release; then if grep -qs "release 6" /etc/redhat-release; then
LE2_URL="https://people.redhat.com/pwouters/libreswan-rhel6" LE2_URL="https://people.redhat.com/pwouters/libreswan-rhel6"
RPM1="libevent2-2.0.21-1.el6.x86_64.rpm" RPM1="libevent2-2.0.21-1.el6.x86_64.rpm"
RPM2="libevent2-devel-2.0.21-1.el6.x86_64.rpm" RPM2="libevent2-devel-2.0.21-1.el6.x86_64.rpm"
wget -t 3 -T 30 -nv -O $RPM1 $LE2_URL/$RPM1 wget -t 3 -T 30 -nv -O "$RPM1" "$LE2_URL/$RPM1"
wget -t 3 -T 30 -nv -O $RPM2 $LE2_URL/$RPM2 wget -t 3 -T 30 -nv -O "$RPM2" "$LE2_URL/$RPM2"
[ ! -f $RPM1 ] || [ ! -f $RPM2 ] && { echo "Could not retrieve Libevent2 RPM file(s). Aborting."; exit 1; } [ ! -f "$RPM1" ] || [ ! -f "$RPM2" ] && { echo "Could not retrieve Libevent2 RPM file(s). Aborting."; exit 1; }
rpm -ivh --force $RPM1 $RPM2 && /bin/rm -f $RPM1 $RPM2 rpm -ivh --force "$RPM1" "$RPM2" && /bin/rm -f "$RPM1" "$RPM2"
elif grep -qs "release 7" /etc/redhat-release; then elif grep -qs "release 7" /etc/redhat-release; then
yum -y install libevent-devel yum -y install libevent-devel
fi fi
# Compile and install Libreswan (https://libreswan.org/) # Compile and install Libreswan (https://libreswan.org/)
# To upgrade Libreswan when a newer version is available, just re-run these
# commands with the new "SWAN_VER", then restore SELinux contexts using
# the commands at the end of this script, and finally restart services with
# "service ipsec restart" and "service xl2tpd restart".
SWAN_VER=3.16 SWAN_VER=3.16
SWAN_URL=https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
wget -t 3 -T 30 -qO- $SWAN_URL | tar xvz SWAN_URL="https://download.libreswan.org/${SWAN_FILE}"
[ ! -d libreswan-${SWAN_VER} ] && { echo "Could not retrieve Libreswan source files. Aborting."; exit 1; } wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
cd libreswan-${SWAN_VER} [ ! -f "$SWAN_FILE" ] && { echo "Could not retrieve Libreswan source file. Aborting."; exit 1; }
/bin/rm -rf "/opt/src/libreswan-${SWAN_VER}"
tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source directory. Aborting."; exit 1; }
make programs && make install make programs && make install
# Prepare various config files # Prepare various config files
@ -306,6 +323,25 @@ COMMIT
COMMIT COMMIT
EOF EOF
if [ ! -f /etc/fail2ban/jail.local ] ; then
cat > /etc/fail2ban/jail.local <<EOF
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 600
maxretry = 5
backend = auto
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
EOF
fi
/bin/cp -f /etc/rc.local "/etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null /bin/cp -f /etc/rc.local "/etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
cat > /etc/rc.local <<EOF cat > /etc/rc.local <<EOF
#!/bin/sh #!/bin/sh
@ -316,8 +352,9 @@ cat > /etc/rc.local <<EOF
touch /var/lock/subsys/local touch /var/lock/subsys/local
/sbin/iptables-restore < /etc/sysconfig/iptables /sbin/iptables-restore < /etc/sysconfig/iptables
/sbin/service ipsec restart /sbin/service fail2ban restart
/sbin/service xl2tpd restart /sbin/service ipsec start
/sbin/service xl2tpd start
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
EOF EOF
@ -333,8 +370,14 @@ restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
/sbin/sysctl -p /sbin/sysctl -p
/bin/chmod +x /etc/rc.local
/bin/chmod 600 /etc/ipsec.secrets /etc/ppp/chap-secrets /bin/chmod 600 /etc/ipsec.secrets /etc/ppp/chap-secrets
/sbin/iptables-restore < /etc/sysconfig/iptables /sbin/iptables-restore < /etc/sysconfig/iptables
/sbin/service ipsec restart /sbin/service fail2ban stop >/dev/null 2>&1
/sbin/service xl2tpd restart /sbin/service ipsec stop >/dev/null 2>&1
/sbin/service xl2tpd stop >/dev/null 2>&1
/sbin/service fail2ban start
/sbin/service ipsec start
/sbin/service xl2tpd start

21
vpnupgrade_Libreswan.sh
View File

@ -10,6 +10,7 @@
# Attribution required: please include my name in any derivative and let me # Attribution required: please include my name in any derivative and let me
# know how you have improved it! # know how you have improved it!
# Check https://libreswan.org and update version number if necessary
SWAN_VER=3.16 SWAN_VER=3.16
if [ "$(lsb_release -si)" != "Ubuntu" ] && [ "$(lsb_release -si)" != "Debian" ]; then if [ "$(lsb_release -si)" != "Ubuntu" ] && [ "$(lsb_release -si)" != "Debian" ]; then
@ -34,11 +35,14 @@ if [ "$?" != "0" ]; then
exit 1 exit 1
fi fi
clear
ipsec --version 2>/dev/null | grep -qs "Libreswan ${SWAN_VER}" ipsec --version 2>/dev/null | grep -qs "Libreswan ${SWAN_VER}"
if [ "$?" = "0" ]; then if [ "$?" = "0" ]; then
echo "You already have Libreswan ${SWAN_VER} installed! " echo "You already have Libreswan ${SWAN_VER} installed! "
echo echo
read -r -p "Do you wish to continue anyway? [y/N] " response printf "Do you wish to continue anyway? [y/N] "
read -r response
case $response in case $response in
[yY][eE][sS]|[yY]) [yY][eE][sS]|[yY])
echo echo
@ -55,7 +59,8 @@ echo "This is intended for use on VPN servers with an older version of Libreswan
echo "Your existing VPN configuration files will NOT be modified." echo "Your existing VPN configuration files will NOT be modified."
echo echo
read -r -p "Do you wish to continue? [y/N] " response printf "Do you wish to continue? [y/N] "
read -r response
case $response in case $response in
[yY][eE][sS]|[yY]) [yY][eE][sS]|[yY])
echo echo
@ -86,14 +91,16 @@ apt-get -y --no-install-recommends install xmlto
apt-get -y install xl2tpd apt-get -y install xl2tpd
# Compile and install Libreswan (https://libreswan.org/) # Compile and install Libreswan (https://libreswan.org/)
SWAN_URL=https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
SWAN_URL="https://download.libreswan.org/${SWAN_FILE}"
wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
[ ! -f "$SWAN_FILE" ] && { echo "Could not retrieve Libreswan source file. Aborting."; exit 1; }
/bin/rm -rf "/opt/src/libreswan-${SWAN_VER}" /bin/rm -rf "/opt/src/libreswan-${SWAN_VER}"
wget -t 3 -T 30 -qO- $SWAN_URL | tar xvz tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
[ ! -d libreswan-${SWAN_VER} ] && { echo "Could not retrieve Libreswan source files. Aborting."; exit 1; } cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source directory. Aborting."; exit 1; }
cd libreswan-${SWAN_VER}
make programs && make install make programs && make install
ipsec --version 2>/dev/null | grep -qs "Libreswan ${SWAN_VER}" ipsec --version 2>/dev/null | grep -qs "${SWAN_VER}"
if [ "$?" != "0" ]; then if [ "$?" != "0" ]; then
echo echo
echo "Sorry, something went wrong." echo "Sorry, something went wrong."

35
vpnupgrade_Libreswan_centos.sh
View File

@ -10,6 +10,7 @@
# Attribution required: please include my name in any derivative and let me # Attribution required: please include my name in any derivative and let me
# know how you have improved it! # know how you have improved it!
# Check https://libreswan.org and update version number if necessary
SWAN_VER=3.16 SWAN_VER=3.16
if [ ! -f /etc/redhat-release ]; then if [ ! -f /etc/redhat-release ]; then
@ -39,11 +40,14 @@ if [ "$?" != "0" ]; then
exit 1 exit 1
fi fi
clear
ipsec --version 2>/dev/null | grep -qs "Libreswan ${SWAN_VER}" ipsec --version 2>/dev/null | grep -qs "Libreswan ${SWAN_VER}"
if [ "$?" = "0" ]; then if [ "$?" = "0" ]; then
echo "You already have Libreswan ${SWAN_VER} installed! " echo "You already have Libreswan ${SWAN_VER} installed! "
echo echo
read -r -p "Do you wish to continue anyway? [y/N] " response printf "Do you wish to continue anyway? [y/N] "
read -r response
case $response in case $response in
[yY][eE][sS]|[yY]) [yY][eE][sS]|[yY])
echo echo
@ -60,7 +64,8 @@ echo "This is intended for use on VPN servers with an older version of Libreswan
echo "Your existing VPN configuration files will NOT be modified." echo "Your existing VPN configuration files will NOT be modified."
echo echo
read -r -p "Do you wish to continue? [y/N] " response printf "Do you wish to continue? [y/N] "
read -r response
case $response in case $response in
[yY][eE][sS]|[yY]) [yY][eE][sS]|[yY])
echo echo
@ -91,9 +96,9 @@ else
echo "Sorry, this script only supports versions 6 and 7 of CentOS/RHEL." echo "Sorry, this script only supports versions 6 and 7 of CentOS/RHEL."
exit 1 exit 1
fi fi
wget -t 3 -T 30 -nv -O $EPEL_RPM $EPEL_URL wget -t 3 -T 30 -nv -O "$EPEL_RPM" "$EPEL_URL"
[ ! -f $EPEL_RPM ] && { echo "Could not retrieve EPEL repository RPM file. Aborting."; exit 1; } [ ! -f "$EPEL_RPM" ] && { echo "Could not retrieve EPEL repository RPM file. Aborting."; exit 1; }
rpm -ivh --force $EPEL_RPM && /bin/rm -f $EPEL_RPM rpm -ivh --force "$EPEL_RPM" && /bin/rm -f "$EPEL_RPM"
# Install necessary packages # Install necessary packages
yum -y install nss-devel nspr-devel pkgconfig pam-devel \ yum -y install nss-devel nspr-devel pkgconfig pam-devel \
@ -107,23 +112,25 @@ if grep -qs "release 6" /etc/redhat-release; then
LE2_URL="https://people.redhat.com/pwouters/libreswan-rhel6" LE2_URL="https://people.redhat.com/pwouters/libreswan-rhel6"
RPM1="libevent2-2.0.21-1.el6.x86_64.rpm" RPM1="libevent2-2.0.21-1.el6.x86_64.rpm"
RPM2="libevent2-devel-2.0.21-1.el6.x86_64.rpm" RPM2="libevent2-devel-2.0.21-1.el6.x86_64.rpm"
wget -t 3 -T 30 -nv -O $RPM1 $LE2_URL/$RPM1 wget -t 3 -T 30 -nv -O "$RPM1" "$LE2_URL/$RPM1"
wget -t 3 -T 30 -nv -O $RPM2 $LE2_URL/$RPM2 wget -t 3 -T 30 -nv -O "$RPM2" "$LE2_URL/$RPM2"
[ ! -f $RPM1 ] || [ ! -f $RPM2 ] && { echo "Could not retrieve Libevent2 RPM file(s). Aborting."; exit 1; } [ ! -f "$RPM1" ] || [ ! -f "$RPM2" ] && { echo "Could not retrieve Libevent2 RPM file(s). Aborting."; exit 1; }
rpm -ivh --force $RPM1 $RPM2 && /bin/rm -f $RPM1 $RPM2 rpm -ivh --force "$RPM1" "$RPM2" && /bin/rm -f "$RPM1" "$RPM2"
elif grep -qs "release 7" /etc/redhat-release; then elif grep -qs "release 7" /etc/redhat-release; then
yum -y install libevent-devel yum -y install libevent-devel
fi fi
# Compile and install Libreswan (https://libreswan.org/) # Compile and install Libreswan (https://libreswan.org/)
SWAN_URL=https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
SWAN_URL="https://download.libreswan.org/${SWAN_FILE}"
wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
[ ! -f "$SWAN_FILE" ] && { echo "Could not retrieve Libreswan source file. Aborting."; exit 1; }
/bin/rm -rf "/opt/src/libreswan-${SWAN_VER}" /bin/rm -rf "/opt/src/libreswan-${SWAN_VER}"
wget -t 3 -T 30 -qO- $SWAN_URL | tar xvz tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
[ ! -d libreswan-${SWAN_VER} ] && { echo "Could not retrieve Libreswan source files. Aborting."; exit 1; } cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source directory. Aborting."; exit 1; }
cd libreswan-${SWAN_VER}
make programs && make install make programs && make install
ipsec --version 2>/dev/null | grep -qs "Libreswan ${SWAN_VER}" ipsec --version 2>/dev/null | grep -qs "${SWAN_VER}"
if [ "$?" != "0" ]; then if [ "$?" != "0" ]; then
echo echo
echo "Sorry, something went wrong." echo "Sorry, something went wrong."