mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2024-11-24 05:46:09 +03:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: mirror:0d4934c4397fa32faad89e46475660f159a212f3
Branches Tags
mirror:master
...
compare: mirror:24bc89149a1dcc11c1671a9034bdd5f7f3c1fc6b
Branches Tags
mirror:master

2 Commits
0d4934c439 ... 24bc89149a

Author SHA1 Message Date
hwdsl2
24bc89149a Update docs 2022-10-16 00:50:54 -05:00
hwdsl2
3dc675ba37 Add client validity option 
- For IKEv2 mode, add a new variable VPN_CLIENT_VALIDITY for specifying
  the client certificate validity period (in months). Must be an integer
  between 1 and 120. Default value is 120. Users can define it as an
  environment variable when setting up IKEv2 in auto mode, or when
  adding a new IKEv2 client using "--addclient".
 2022-10-16 00:45:45 -05:00
9 changed files with 46 additions and 14 deletions
Show Stats Expand all files Collapse all files

5
README-zh.md
View File

@ -239,14 +239,15 @@ sudo ikev2.sh
|客户端的 DNS 服务器 |Google Public DNS | VPN_DNS_SRV1, VPN_DNS_SRV2 | ✅ | |客户端的 DNS 服务器 |Google Public DNS | VPN_DNS_SRV1, VPN_DNS_SRV2 | ✅ |
|保护客户端配置文件 |no | VPN_PROTECT_CONFIG=yes | ✅ | |保护客户端配置文件 |no | VPN_PROTECT_CONFIG=yes | ✅ |
|启用/禁用 MOBIKE |如果系统支持则启用 | ❌ | ✅ | |启用/禁用 MOBIKE |如果系统支持则启用 | ❌ | ✅ |
|客户端证书有效期 | 10 年120 个月)| | ✅ | |客户端证书有效期 | 10 年120 个月)| VPN_CLIENT_VALIDITY\*\*\*\* | ✅ |
| CA 和服务器证书有效期 | 10 年120 个月)| ❌ | ❌ | | CA 和服务器证书有效期 | 10 年120 个月)| ❌ | ❌ |
| CA 证书名称 | IKEv2 VPN CA | ❌ | ❌ | | CA 证书名称 | IKEv2 VPN CA | ❌ | ❌ |
|证书密钥长度 | 3072 bits | ❌ | ❌ | |证书密钥长度 | 3072 bits | ❌ | ❌ |
\* 这些 IKEv2 参数适用于 IKEv2 模式。 \* 这些 IKEv2 参数适用于 IKEv2 模式。
\*\* 在运行 vpn(setup).sh 时,或者在自动模式下配置 IKEv2 时 (`sudo ikev2.sh --auto`) 将这些定义为环境变量。 \*\* 在运行 vpn(setup).sh 时,或者在自动模式下配置 IKEv2 时 (`sudo ikev2.sh --auto`) 将这些定义为环境变量。
\*\*\* 可以在交互式配置 IKEv2 期间自定义 (`sudo ikev2.sh`)。参见上面的选项 2。 \*\*\* 可以在交互式配置 IKEv2 期间自定义 (`sudo ikev2.sh`)。参见上面的选项 2。
\*\*\*\* 使用 `VPN_CLIENT_VALIDITY` 定义客户端证书的有效期(单位:月)。它必须是 1 到 120 之间的整数。
除了这些参数,高级用户还可以在安装时 [自定义 VPN 子网](docs/advanced-usage-zh.md#自定义-vpn-子网)。 除了这些参数,高级用户还可以在安装时 [自定义 VPN 子网](docs/advanced-usage-zh.md#自定义-vpn-子网)。
</details> </details>

5
README.md
View File

@ -239,14 +239,15 @@ For reference: List of IKEv1 and IKEv2 parameters.
| DNS servers for clients | Google Public DNS | VPN_DNS_SRV1, VPN_DNS_SRV2 | ✅ | | DNS servers for clients | Google Public DNS | VPN_DNS_SRV1, VPN_DNS_SRV2 | ✅ |
| Protect client config files | no | VPN_PROTECT_CONFIG=yes | ✅ | | Protect client config files | no | VPN_PROTECT_CONFIG=yes | ✅ |
| Enable/Disable MOBIKE | Enable if supported | ❌ | ✅ | | Enable/Disable MOBIKE | Enable if supported | ❌ | ✅ |
| Client cert validity | 10 years (120 months) | | ✅ | | Client cert validity | 10 years (120 months) | VPN_CLIENT_VALIDITY\*\*\*\* | ✅ |
| CA & server cert validity | 10 years (120 months) | ❌ | ❌ | | CA & server cert validity | 10 years (120 months) | ❌ | ❌ |
| CA certificate name | IKEv2 VPN CA | ❌ | ❌ | | CA certificate name | IKEv2 VPN CA | ❌ | ❌ |
| Certificate key size | 3072 bits | ❌ | ❌ | | Certificate key size | 3072 bits | ❌ | ❌ |
\* These IKEv2 parameters are for IKEv2 mode. \* These IKEv2 parameters are for IKEv2 mode.
\*\* Define these as environment variables when running vpn(setup).sh, or when setting up IKEv2 in auto mode (`sudo ikev2.sh --auto`). \*\* Define these as environment variables when running vpn(setup).sh, or when setting up IKEv2 in auto mode (`sudo ikev2.sh --auto`).
\*\*\* Can be customized during interactive IKEv2 setup (`sudo ikev2.sh`). Refer to option 2 above. \*\*\* Can be customized during interactive IKEv2 setup (`sudo ikev2.sh`). Refer to option 2 above.
\*\*\*\* Use `VPN_CLIENT_VALIDITY` to specify the client cert validity period in months. Must be an integer between 1 and 120.
In addition to these parameters, advanced users can also [customize VPN subnets](docs/advanced-usage.md#customize-vpn-subnets) during VPN setup. In addition to these parameters, advanced users can also [customize VPN subnets](docs/advanced-usage.md#customize-vpn-subnets) during VPN setup.
</details> </details>

44
extras/ikev2setup.sh
View File

@ -157,7 +157,7 @@ confirm_or_abort() {
show_header() { show_header() {
cat <<'EOF' cat <<'EOF'
IKEv2 Script Copyright (c) 2020-2022 Lin Song 24 Sept 2022 IKEv2 Script Copyright (c) 2020-2022 Lin Song 16 Oct 2022
EOF EOF
} }
@ -278,6 +278,11 @@ check_custom_dns() {
fi fi
} }
check_client_validity() {
! { printf '%s' "$1" | LC_ALL=C grep -q '[^0-9]\+' || [ "$1" -lt "1" ] \
|| [ "$1" -gt "120" ] || [ "$1" != "$((10#$1))" ]; }
}
check_and_set_client_name() { check_and_set_client_name() {
if [ -n "$VPN_CLIENT_NAME" ]; then if [ -n "$VPN_CLIENT_NAME" ]; then
client_name="$VPN_CLIENT_NAME" client_name="$VPN_CLIENT_NAME"
@ -289,6 +294,22 @@ check_and_set_client_name() {
check_cert_exists "$client_name" && exiterr "Client '$client_name' already exists." check_cert_exists "$client_name" && exiterr "Client '$client_name' already exists."
} }
check_and_set_client_validity() {
if [ -n "$VPN_CLIENT_VALIDITY" ]; then
client_validity="$VPN_CLIENT_VALIDITY"
if ! check_client_validity "$client_validity"; then
cat <<EOF
WARNING: Invalid client cert validity period. Must be an integer between 1 and 120.
Falling back to default validity (120 months).
EOF
VPN_CLIENT_VALIDITY=""
client_validity=120
fi
else
client_validity=120
fi
}
set_server_address() { set_server_address() {
if [ -n "$VPN_DNS_NAME" ]; then if [ -n "$VPN_DNS_NAME" ]; then
use_dns_name=1 use_dns_name=1
@ -331,14 +352,19 @@ EOF
show_start_setup() { show_start_setup() {
op_text=default op_text=default
if [ -n "$VPN_DNS_NAME" ] || [ -n "$VPN_CLIENT_NAME" ] \ if [ -n "$VPN_DNS_NAME" ] || [ -n "$VPN_CLIENT_NAME" ] \
|| [ -n "$VPN_DNS_SRV1" ] || [ -n "$VPN_PROTECT_CONFIG" ]; then || [ -n "$VPN_DNS_SRV1" ] || [ -n "$VPN_PROTECT_CONFIG" ] \
|| [ -n "$VPN_CLIENT_VALIDITY" ]; then
op_text=custom op_text=custom
fi fi
bigecho "Starting IKEv2 setup in auto mode, using $op_text options." bigecho "Starting IKEv2 setup in auto mode, using $op_text options."
} }
show_add_client() { show_add_client() {
bigecho "Adding a new IKEv2 client '$client_name', using default options." op_text=default
if [ -n "$VPN_CLIENT_VALIDITY" ]; then
op_text=custom
fi
bigecho "Adding a new IKEv2 client '$client_name', using $op_text options."
} }
show_export_client() { show_export_client() {
@ -514,13 +540,11 @@ enter_client_name_for() {
enter_client_validity() { enter_client_validity() {
echo echo
echo "Specify the validity period (in months) for this client certificate." echo "Specify the validity period (in months) for this client certificate."
read -rp "Enter a number between 1 and 120: [120] " client_validity read -rp "Enter an integer between 1 and 120: [120] " client_validity
[ -z "$client_validity" ] && client_validity=120 [ -z "$client_validity" ] && client_validity=120
while printf '%s' "$client_validity" | LC_ALL=C grep -q '[^0-9]\+' \ while ! check_client_validity "$client_validity"; do
|| [ "$client_validity" -lt "1" ] || [ "$client_validity" -gt "120" ] \
|| [ "$client_validity" != "$((10#$client_validity))" ]; do
echo "Invalid validity period." echo "Invalid validity period."
read -rp "Enter a number between 1 and 120: [120] " client_validity read -rp "Enter an integer between 1 and 120: [120] " client_validity
[ -z "$client_validity" ] && client_validity=120 [ -z "$client_validity" ] && client_validity=120
done done
} }
@ -1492,9 +1516,9 @@ ikev2setup() {
get_export_dir get_export_dir
if [ "$add_client" = 1 ]; then if [ "$add_client" = 1 ]; then
check_and_set_client_validity
show_header show_header
show_add_client show_add_client
client_validity=120
create_client_cert create_client_cert
export_client_config export_client_config
print_client_added print_client_added
@ -1639,7 +1663,7 @@ ikev2setup() {
check_server_dns_name check_server_dns_name
check_custom_dns check_custom_dns
check_and_set_client_name check_and_set_client_name
client_validity=120 check_and_set_client_validity
show_header show_header
show_start_setup show_start_setup
set_server_address set_server_address

1
extras/quickstart.sh
View File

@ -274,6 +274,7 @@ run_setup() {
VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \ VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_CLIENT_NAME="$VPN_CLIENT_NAME" \ VPN_DNS_NAME="$VPN_DNS_NAME" VPN_CLIENT_NAME="$VPN_CLIENT_NAME" \
VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \ VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \
VPN_CLIENT_VALIDITY="$VPN_CLIENT_VALIDITY" \
VPN_SKIP_IKEV2="$VPN_SKIP_IKEV2" \ VPN_SKIP_IKEV2="$VPN_SKIP_IKEV2" \
/bin/bash "$tmpdir/vpn.sh" || status=1 /bin/bash "$tmpdir/vpn.sh" || status=1
else else

1
vpnsetup.sh
View File

@ -274,6 +274,7 @@ run_setup() {
VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \ VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_CLIENT_NAME="$VPN_CLIENT_NAME" \ VPN_DNS_NAME="$VPN_DNS_NAME" VPN_CLIENT_NAME="$VPN_CLIENT_NAME" \
VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \ VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \
VPN_CLIENT_VALIDITY="$VPN_CLIENT_VALIDITY" \
VPN_SKIP_IKEV2="$VPN_SKIP_IKEV2" \ VPN_SKIP_IKEV2="$VPN_SKIP_IKEV2" \
/bin/bash "$tmpdir/vpn.sh" || status=1 /bin/bash "$tmpdir/vpn.sh" || status=1
else else

1
vpnsetup_alpine.sh
View File

@ -557,6 +557,7 @@ set_up_ikev2() {
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \ VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \ VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \
VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \ VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \
VPN_CLIENT_VALIDITY="$VPN_CLIENT_VALIDITY" \
/bin/bash /opt/src/ikev2.sh --auto || status=1 /bin/bash /opt/src/ikev2.sh --auto || status=1
fi fi
elif [ -s /opt/src/ikev2.sh ]; then elif [ -s /opt/src/ikev2.sh ]; then

1
vpnsetup_amzn.sh
View File

@ -575,6 +575,7 @@ set_up_ikev2() {
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \ VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \ VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \
VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \ VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \
VPN_CLIENT_VALIDITY="$VPN_CLIENT_VALIDITY" \
/bin/bash /opt/src/ikev2.sh --auto || status=1 /bin/bash /opt/src/ikev2.sh --auto || status=1
fi fi
elif [ -s /opt/src/ikev2.sh ]; then elif [ -s /opt/src/ikev2.sh ]; then

1
vpnsetup_centos.sh
View File

@ -749,6 +749,7 @@ set_up_ikev2() {
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \ VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \ VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \
VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \ VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \
VPN_CLIENT_VALIDITY="$VPN_CLIENT_VALIDITY" \
/bin/bash /opt/src/ikev2.sh --auto || status=1 /bin/bash /opt/src/ikev2.sh --auto || status=1
fi fi
elif [ -s /opt/src/ikev2.sh ]; then elif [ -s /opt/src/ikev2.sh ]; then

1
vpnsetup_ubuntu.sh
View File

@ -692,6 +692,7 @@ set_up_ikev2() {
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \ VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \ VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \
VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \ VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \
VPN_CLIENT_VALIDITY="$VPN_CLIENT_VALIDITY" \
/bin/bash /opt/src/ikev2.sh --auto || status=1 /bin/bash /opt/src/ikev2.sh --auto || status=1
fi fi
elif [ -s /opt/src/ikev2.sh ]; then elif [ -s /opt/src/ikev2.sh ]; then