Reduce output verbosity and clean up
This commit is contained in:
parent
1190f608d4
commit
f38f8a7a36
@ -19,7 +19,7 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
|
||||
os_type="$(lsb_release -si 2>/dev/null)"
|
||||
if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ]; then
|
||||
echo "This script only supports Ubuntu or Debian systems."
|
||||
echo "This script only supports Ubuntu/Debian."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
@ -92,15 +92,15 @@ cd /opt/src || exit 1
|
||||
|
||||
# Update package index and install Wget
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get -y update
|
||||
apt-get -y install wget
|
||||
apt-get -yqq update
|
||||
apt-get -yqq install wget
|
||||
|
||||
# Install necessary packages
|
||||
apt-get -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
|
||||
apt-get -yqq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
|
||||
libcap-ng-dev libcap-ng-utils libselinux1-dev \
|
||||
libcurl4-nss-dev flex bison gcc make \
|
||||
libunbound-dev libnss3-tools libevent-dev
|
||||
apt-get -y --no-install-recommends install xmlto
|
||||
apt-get -yqq --no-install-recommends install xmlto
|
||||
|
||||
# Compile and install Libreswan
|
||||
SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
|
||||
@ -108,18 +108,18 @@ SWAN_URL="https://download.libreswan.org/$SWAN_FILE"
|
||||
wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
|
||||
[ "$?" != "0" ] && { echo "Cannot download Libreswan source. Aborting."; exit 1; }
|
||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||
tar xvzf "$SWAN_FILE" && /bin/rm -f "$SWAN_FILE"
|
||||
tar xzf "$SWAN_FILE" && /bin/rm -f "$SWAN_FILE"
|
||||
cd "libreswan-$SWAN_VER" || { echo "Cannot enter Libreswan source dir. Aborting."; exit 1; }
|
||||
# Workaround for Libreswan compile issues
|
||||
cat > Makefile.inc.local <<EOF
|
||||
WERROR_CFLAGS =
|
||||
EOF
|
||||
make programs && make install
|
||||
make -s programs && make -s install
|
||||
|
||||
# Restart IPsec service
|
||||
service ipsec restart
|
||||
|
||||
# Check if Libreswan install was successful
|
||||
# Verify the install
|
||||
/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER"
|
||||
[ "$?" != "0" ] && { echo; echo "Libreswan $SWAN_VER failed to build. Aborting."; exit 1; }
|
||||
|
||||
|
@ -18,7 +18,7 @@ SWAN_VER=3.17
|
||||
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
|
||||
if [ ! -f /etc/redhat-release ]; then
|
||||
echo "This script only supports CentOS or RHEL systems."
|
||||
echo "This script only supports CentOS/RHEL."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
@ -106,7 +106,7 @@ yum -y install nss-devel nspr-devel pkgconfig pam-devel \
|
||||
curl-devel flex bison gcc make \
|
||||
fipscheck-devel unbound-devel xmlto
|
||||
|
||||
# Installed Libevent2. Use backported version for CentOS 6.
|
||||
# Installed Libevent2
|
||||
if grep -qs "release 6" /etc/redhat-release; then
|
||||
LE2_URL=https://download.libreswan.org/binaries/rhel/6/x86_64
|
||||
RPM1=libevent2-2.0.22-1.el6.x86_64.rpm
|
||||
@ -126,13 +126,13 @@ SWAN_URL="https://download.libreswan.org/$SWAN_FILE"
|
||||
wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
|
||||
[ "$?" != "0" ] && { echo "Cannot download Libreswan source. Aborting."; exit 1; }
|
||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||
tar xvzf "$SWAN_FILE" && /bin/rm -f "$SWAN_FILE"
|
||||
tar xzf "$SWAN_FILE" && /bin/rm -f "$SWAN_FILE"
|
||||
cd "libreswan-$SWAN_VER" || { echo "Cannot enter Libreswan source dir. Aborting."; exit 1; }
|
||||
# Workaround for Libreswan compile issues
|
||||
cat > Makefile.inc.local <<EOF
|
||||
WERROR_CFLAGS =
|
||||
EOF
|
||||
make programs && make install
|
||||
make -s programs && make -s install
|
||||
|
||||
# Restore SELinux contexts
|
||||
restorecon /etc/ipsec.d/*db 2>/dev/null
|
||||
@ -142,7 +142,7 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
|
||||
# Restart IPsec service
|
||||
service ipsec restart
|
||||
|
||||
# Check if Libreswan install was successful
|
||||
# Verify the install
|
||||
/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER"
|
||||
[ "$?" != "0" ] && { echo; echo "Libreswan $SWAN_VER failed to build. Aborting."; exit 1; }
|
||||
|
||||
|
66
vpnsetup.sh
66
vpnsetup.sh
@ -40,13 +40,13 @@ fi
|
||||
|
||||
os_type="$(lsb_release -si 2>/dev/null)"
|
||||
if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ]; then
|
||||
echo "This script only supports Ubuntu or Debian systems."
|
||||
echo "This script only supports Ubuntu/Debian."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -f /proc/user_beancounters ]; then
|
||||
echo "This script does NOT support OpenVZ VPS."
|
||||
echo "Try alternative: https://github.com/Nyr/openvpn-install"
|
||||
echo "Try: https://github.com/Nyr/openvpn-install"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
@ -57,6 +57,9 @@ fi
|
||||
|
||||
if [ ! -f /sys/class/net/eth0/operstate ]; then
|
||||
echo "Network interface 'eth0' is not available. Aborting."
|
||||
echo
|
||||
echo "Run 'cat /proc/net/dev' to find the name of the active network interface,"
|
||||
echo "then search and replace ALL 'eth0' and 'eth+' in this script with that name."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
@ -67,21 +70,23 @@ if [ -z "$IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
|
||||
fi
|
||||
|
||||
if [ -z "$IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
|
||||
echo "VPN credentials cannot be empty. Edit the script and re-enter."
|
||||
echo "VPN credentials cannot be empty. Edit the script and re-enter them."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "VPN setup in progress... Please be patient."
|
||||
|
||||
# Create and change to working dir
|
||||
mkdir -p /opt/src
|
||||
cd /opt/src || exit 1
|
||||
|
||||
# Update package index
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get -y update
|
||||
apt-get -yqq update
|
||||
|
||||
# Make sure basic commands exist
|
||||
apt-get -y install wget dnsutils openssl
|
||||
apt-get -y install iproute gawk grep sed net-tools
|
||||
apt-get -yqq install wget dnsutils openssl
|
||||
apt-get -yqq install iproute gawk grep sed net-tools
|
||||
|
||||
if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then
|
||||
echo
|
||||
@ -101,7 +106,7 @@ echo 'use Ctrl-C to interrupt. Then edit it and manually enter IPs.'
|
||||
echo
|
||||
|
||||
# In Amazon EC2, these two variables will be retrieved from metadata.
|
||||
# For all other servers, replace them with actual IPs (or comment out).
|
||||
# For all other servers, replace them with actual IPs or comment out.
|
||||
# If your server only has a public IP, put that IP on both lines.
|
||||
PUBLIC_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4')
|
||||
PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4')
|
||||
@ -109,31 +114,30 @@ PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/la
|
||||
# Try to find IPs for non-EC2 servers
|
||||
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
|
||||
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
|
||||
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipecho.net/plain)
|
||||
[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
|
||||
[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
|
||||
|
||||
# Check IPs for correct format
|
||||
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
|
||||
if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then
|
||||
echo "Cannot find valid public IP. Edit the script and manually enter."
|
||||
echo "Cannot find valid public IP. Edit the script and manually enter IPs."
|
||||
exit 1
|
||||
fi
|
||||
if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then
|
||||
echo "Cannot find valid private IP. Edit the script and manually enter."
|
||||
echo "Cannot find valid private IP. Edit the script and manually enter IPs."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Install necessary packages
|
||||
apt-get -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
|
||||
apt-get -yqq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
|
||||
libcap-ng-dev libcap-ng-utils libselinux1-dev \
|
||||
libcurl4-nss-dev flex bison gcc make \
|
||||
libunbound-dev libnss3-tools libevent-dev
|
||||
apt-get -y --no-install-recommends install xmlto
|
||||
apt-get -y install xl2tpd
|
||||
apt-get -yqq --no-install-recommends install xmlto
|
||||
apt-get -yqq install xl2tpd
|
||||
|
||||
# Install Fail2Ban to protect SSH
|
||||
apt-get -y install fail2ban
|
||||
apt-get -yqq install fail2ban
|
||||
|
||||
# Compile and install Libreswan
|
||||
SWAN_VER=3.17
|
||||
@ -142,19 +146,18 @@ SWAN_URL="https://download.libreswan.org/$SWAN_FILE"
|
||||
wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
|
||||
[ "$?" != "0" ] && { echo "Cannot download Libreswan source. Aborting."; exit 1; }
|
||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||
tar xvzf "$SWAN_FILE" && /bin/rm -f "$SWAN_FILE"
|
||||
tar xzf "$SWAN_FILE" && /bin/rm -f "$SWAN_FILE"
|
||||
cd "libreswan-$SWAN_VER" || { echo "Cannot enter Libreswan source dir. Aborting."; exit 1; }
|
||||
# Workaround for Libreswan compile issues
|
||||
cat > Makefile.inc.local <<EOF
|
||||
WERROR_CFLAGS =
|
||||
EOF
|
||||
make programs && make install
|
||||
make -s programs && make -s install
|
||||
|
||||
# Check if Libreswan install was successful
|
||||
# Verify the install
|
||||
/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER"
|
||||
[ "$?" != "0" ] && { echo; echo "Libreswan $SWAN_VER failed to build. Aborting."; exit 1; }
|
||||
|
||||
# Prepare various config files
|
||||
# Create IPsec (Libreswan) config
|
||||
SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"
|
||||
/bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$SYS_DT" 2>/dev/null
|
||||
@ -235,7 +238,7 @@ pppoptfile = /etc/ppp/options.xl2tpd
|
||||
length bit = yes
|
||||
EOF
|
||||
|
||||
# Specify xl2tpd options
|
||||
# Set xl2tpd options
|
||||
/bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$SYS_DT" 2>/dev/null
|
||||
cat > /etc/ppp/options.xl2tpd <<EOF
|
||||
ipcp-accept-local
|
||||
@ -266,7 +269,7 @@ EOF
|
||||
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
|
||||
echo "${VPN_USER}:${VPN_PASSWORD_ENC}:xauth-psk" > /etc/ipsec.d/passwd
|
||||
|
||||
# Update sysctl settings for VPN and performance
|
||||
# Update sysctl settings
|
||||
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
|
||||
/bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$SYS_DT" 2>/dev/null
|
||||
cat >> /etc/sysctl.conf <<EOF
|
||||
@ -301,9 +304,9 @@ net.ipv4.tcp_wmem = 10240 87380 12582912
|
||||
EOF
|
||||
fi
|
||||
|
||||
# Create basic IPTables rules. First check if there are existing rules.
|
||||
# 1. If IPTables is "empty", write out the new set of rules.
|
||||
# 2. If *not* empty, insert new rules and save them together with existing ones.
|
||||
# Create basic IPTables rules. First check for existing rules.
|
||||
# - If IPTables is "empty", simply write out the new rules.
|
||||
# - If *not* empty, insert new rules and save them with existing ones.
|
||||
if ! grep -qs "hwdsl2 VPN script" /etc/iptables.rules; then
|
||||
/bin/cp -f /etc/iptables.rules "/etc/iptables.rules.old-$SYS_DT" 2>/dev/null
|
||||
service fail2ban stop >/dev/null 2>&1
|
||||
@ -330,7 +333,7 @@ cat > /etc/iptables.rules <<EOF
|
||||
-A FORWARD -i ppp+ -o eth+ -j ACCEPT
|
||||
-A FORWARD -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
-A FORWARD -s 192.168.43.0/24 -o eth+ -j ACCEPT
|
||||
# If you wish to allow traffic between VPN clients themselves, uncomment these lines:
|
||||
# To allow traffic between VPN clients themselves, uncomment these lines:
|
||||
# -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
|
||||
# -A FORWARD -s 192.168.43.0/24 -d 192.168.43.0/24 -j ACCEPT
|
||||
-A FORWARD -j DROP
|
||||
@ -371,7 +374,7 @@ if [ -f /etc/iptables/rules.v4 ]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
# Create basic IP6Tables (IPv6) rules
|
||||
# Create basic IPv6 rules
|
||||
if ! grep -qs "hwdsl2 VPN script" /etc/ip6tables.rules; then
|
||||
/bin/cp -f /etc/ip6tables.rules "/etc/ip6tables.rules.old-$SYS_DT" 2>/dev/null
|
||||
cat > /etc/ip6tables.rules <<EOF
|
||||
@ -407,7 +410,7 @@ ip6tables-restore < /etc/ip6tables.rules
|
||||
exit 0
|
||||
EOF
|
||||
|
||||
# Update rc.local to start services at boot
|
||||
# Start services at boot
|
||||
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
|
||||
/bin/cp -f /etc/rc.local "/etc/rc.local.old-$SYS_DT" 2>/dev/null
|
||||
sed --follow-symlinks -i -e '/^exit 0/d' /etc/rc.local
|
||||
@ -430,7 +433,7 @@ if [ ! -f /etc/ipsec.d/cert8.db ] ; then
|
||||
fi
|
||||
|
||||
# Reload sysctl.conf
|
||||
sysctl -p
|
||||
sysctl -q -p
|
||||
|
||||
# Update file attributes
|
||||
chmod +x /etc/rc.local
|
||||
@ -443,12 +446,9 @@ iptables-restore < /etc/iptables.rules
|
||||
ip6tables-restore < /etc/ip6tables.rules >/dev/null 2>&1
|
||||
|
||||
# Restart services
|
||||
service fail2ban stop >/dev/null 2>&1
|
||||
service ipsec stop >/dev/null 2>&1
|
||||
service xl2tpd stop >/dev/null 2>&1
|
||||
service fail2ban start
|
||||
service ipsec start
|
||||
service xl2tpd start
|
||||
service fail2ban restart
|
||||
service ipsec restart
|
||||
service xl2tpd restart
|
||||
|
||||
echo
|
||||
echo '================================================'
|
||||
|
@ -39,7 +39,7 @@ if [ "$(uname)" = "Darwin" ]; then
|
||||
fi
|
||||
|
||||
if [ ! -f /etc/redhat-release ]; then
|
||||
echo "This script only supports CentOS or RHEL systems."
|
||||
echo "This script only supports CentOS/RHEL."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
@ -55,7 +55,7 @@ fi
|
||||
|
||||
if [ -f /proc/user_beancounters ]; then
|
||||
echo "This script does NOT support OpenVZ VPS."
|
||||
echo "Try alternative: https://github.com/Nyr/openvpn-install"
|
||||
echo "Try: https://github.com/Nyr/openvpn-install"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
@ -67,8 +67,8 @@ fi
|
||||
if [ ! -f /sys/class/net/eth0/operstate ]; then
|
||||
echo "Network interface 'eth0' is not available. Aborting."
|
||||
echo
|
||||
echo "CentOS 7 users should change interfaces to use old naming convention"
|
||||
echo "before running this script. See: https://wiki.centos.org/FAQ/CentOS7"
|
||||
echo "Run 'cat /proc/net/dev' to find the name of the active network interface,"
|
||||
echo "then search and replace ALL 'eth0' and 'eth+' in this script with that name."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
@ -79,10 +79,12 @@ if [ -z "$IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
|
||||
fi
|
||||
|
||||
if [ -z "$IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
|
||||
echo "VPN credentials cannot be empty. Edit the script and re-enter."
|
||||
echo "VPN credentials cannot be empty. Edit the script and re-enter them."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "VPN setup in progress... Please be patient."
|
||||
|
||||
# Create and change to working dir
|
||||
mkdir -p /opt/src
|
||||
cd /opt/src || exit 1
|
||||
@ -99,7 +101,7 @@ echo 'use Ctrl-C to interrupt. Then edit it and manually enter IPs.'
|
||||
echo
|
||||
|
||||
# In Amazon EC2, these two variables will be retrieved from metadata.
|
||||
# For all other servers, replace them with actual IPs (or comment out).
|
||||
# For all other servers, replace them with actual IPs or comment out.
|
||||
# If your server only has a public IP, put that IP on both lines.
|
||||
PUBLIC_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4')
|
||||
PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4')
|
||||
@ -107,18 +109,17 @@ PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/la
|
||||
# Try to find IPs for non-EC2 servers
|
||||
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
|
||||
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
|
||||
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipecho.net/plain)
|
||||
[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
|
||||
[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
|
||||
|
||||
# Check IPs for correct format
|
||||
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
|
||||
if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then
|
||||
echo "Cannot find valid public IP. Edit the script and manually enter."
|
||||
echo "Cannot find valid public IP. Edit the script and manually enter IPs."
|
||||
exit 1
|
||||
fi
|
||||
if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then
|
||||
echo "Cannot find valid private IP. Edit the script and manually enter."
|
||||
echo "Cannot find valid private IP. Edit the script and manually enter IPs."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
@ -137,12 +138,12 @@ yum -y install ppp xl2tpd
|
||||
# Install Fail2Ban to protect SSH
|
||||
yum -y install fail2ban
|
||||
|
||||
# Install IP6Tables for CentOS/RHEL 6
|
||||
# Install IP6Tables
|
||||
if grep -qs "release 6" /etc/redhat-release; then
|
||||
yum -y install iptables-ipv6
|
||||
fi
|
||||
|
||||
# Installed Libevent2. Use backported version for CentOS 6.
|
||||
# Installed Libevent2
|
||||
if grep -qs "release 6" /etc/redhat-release; then
|
||||
LE2_URL=https://download.libreswan.org/binaries/rhel/6/x86_64
|
||||
RPM1=libevent2-2.0.22-1.el6.x86_64.rpm
|
||||
@ -163,19 +164,18 @@ SWAN_URL="https://download.libreswan.org/$SWAN_FILE"
|
||||
wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
|
||||
[ "$?" != "0" ] && { echo "Cannot download Libreswan source. Aborting."; exit 1; }
|
||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||
tar xvzf "$SWAN_FILE" && /bin/rm -f "$SWAN_FILE"
|
||||
tar xzf "$SWAN_FILE" && /bin/rm -f "$SWAN_FILE"
|
||||
cd "libreswan-$SWAN_VER" || { echo "Cannot enter Libreswan source dir. Aborting."; exit 1; }
|
||||
# Workaround for Libreswan compile issues
|
||||
cat > Makefile.inc.local <<EOF
|
||||
WERROR_CFLAGS =
|
||||
EOF
|
||||
make programs && make install
|
||||
make -s programs && make -s install
|
||||
|
||||
# Check if Libreswan install was successful
|
||||
# Verify the install
|
||||
/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER"
|
||||
[ "$?" != "0" ] && { echo; echo "Libreswan $SWAN_VER failed to build. Aborting."; exit 1; }
|
||||
|
||||
# Prepare various config files
|
||||
# Create IPsec (Libreswan) config
|
||||
SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"
|
||||
/bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$SYS_DT" 2>/dev/null
|
||||
@ -256,7 +256,7 @@ pppoptfile = /etc/ppp/options.xl2tpd
|
||||
length bit = yes
|
||||
EOF
|
||||
|
||||
# Specify xl2tpd options
|
||||
# Set xl2tpd options
|
||||
/bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$SYS_DT" 2>/dev/null
|
||||
cat > /etc/ppp/options.xl2tpd <<EOF
|
||||
ipcp-accept-local
|
||||
@ -287,7 +287,7 @@ EOF
|
||||
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
|
||||
echo "${VPN_USER}:${VPN_PASSWORD_ENC}:xauth-psk" > /etc/ipsec.d/passwd
|
||||
|
||||
# Update sysctl settings for VPN and performance
|
||||
# Update sysctl settings
|
||||
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
|
||||
/bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$SYS_DT" 2>/dev/null
|
||||
cat >> /etc/sysctl.conf <<EOF
|
||||
@ -322,9 +322,9 @@ net.ipv4.tcp_wmem = 10240 87380 12582912
|
||||
EOF
|
||||
fi
|
||||
|
||||
# Create basic IPTables rules. First check if there are existing rules.
|
||||
# 1. If IPTables is "empty", write out the new set of rules.
|
||||
# 2. If *not* empty, insert new rules and save them together with existing ones.
|
||||
# Create basic IPTables rules. First check for existing rules.
|
||||
# - If IPTables is "empty", simply write out the new rules.
|
||||
# - If *not* empty, insert new rules and save them with existing ones.
|
||||
if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/iptables; then
|
||||
/bin/cp -f /etc/sysconfig/iptables "/etc/sysconfig/iptables.old-$SYS_DT" 2>/dev/null
|
||||
service fail2ban stop >/dev/null 2>&1
|
||||
@ -351,7 +351,7 @@ cat > /etc/sysconfig/iptables <<EOF
|
||||
-A FORWARD -i ppp+ -o eth+ -j ACCEPT
|
||||
-A FORWARD -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
-A FORWARD -s 192.168.43.0/24 -o eth+ -j ACCEPT
|
||||
# If you wish to allow traffic between VPN clients themselves, uncomment these lines:
|
||||
# To allow traffic between VPN clients themselves, uncomment these lines:
|
||||
# -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
|
||||
# -A FORWARD -s 192.168.43.0/24 -d 192.168.43.0/24 -j ACCEPT
|
||||
-A FORWARD -j DROP
|
||||
@ -386,7 +386,7 @@ iptables-save >> /etc/sysconfig/iptables
|
||||
fi
|
||||
fi
|
||||
|
||||
# Create basic IP6Tables (IPv6) rules
|
||||
# Create basic IPv6 rules
|
||||
if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/ip6tables; then
|
||||
/bin/cp -f /etc/sysconfig/ip6tables "/etc/sysconfig/ip6tables.old-$SYS_DT" 2>/dev/null
|
||||
cat > /etc/sysconfig/ip6tables <<EOF
|
||||
@ -405,7 +405,7 @@ COMMIT
|
||||
EOF
|
||||
fi
|
||||
|
||||
# Create basic Fail2Ban rules if not present
|
||||
# Create basic Fail2Ban rules
|
||||
if [ ! -f /etc/fail2ban/jail.local ] ; then
|
||||
cat > /etc/fail2ban/jail.local <<EOF
|
||||
[DEFAULT]
|
||||
@ -423,7 +423,7 @@ logpath = /var/log/secure
|
||||
EOF
|
||||
fi
|
||||
|
||||
# Update rc.local to start services at boot
|
||||
# Start services at boot
|
||||
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
|
||||
/bin/cp -f /etc/rc.local "/etc/rc.local.old-$SYS_DT" 2>/dev/null
|
||||
cat >> /etc/rc.local <<EOF
|
||||
@ -451,7 +451,7 @@ restorecon /usr/local/sbin -Rv 2>/dev/null
|
||||
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
|
||||
|
||||
# Reload sysctl.conf
|
||||
sysctl -p
|
||||
sysctl -q -p
|
||||
|
||||
# Update file attributes
|
||||
chmod +x /etc/rc.local
|
||||
@ -462,12 +462,9 @@ iptables-restore < /etc/sysconfig/iptables
|
||||
ip6tables-restore < /etc/sysconfig/ip6tables >/dev/null 2>&1
|
||||
|
||||
# Restart services
|
||||
service fail2ban stop >/dev/null 2>&1
|
||||
service ipsec stop >/dev/null 2>&1
|
||||
service xl2tpd stop >/dev/null 2>&1
|
||||
service fail2ban start
|
||||
service ipsec start
|
||||
service xl2tpd start
|
||||
service fail2ban restart
|
||||
service ipsec restart
|
||||
service xl2tpd restart
|
||||
|
||||
echo
|
||||
echo '================================================'
|
||||
|
Loading…
x
Reference in New Issue
Block a user