mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2024-11-23 21:36:09 +03:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: mirror:1c91ac2c3aca6f6709c7a42b8730e037ff945902
Branches Tags
mirror:master
...
compare: mirror:b48021c5e625586c844d11691a39ffbaa0be0a15
Branches Tags
mirror:master

3 Commits
1c91ac2c3a ... b48021c5e6

Author SHA1 Message Date
hwdsl2
b48021c5e6 Update tests 2022-04-27 00:35:48 -05:00
hwdsl2
b2626dc921 Cleanup 2022-04-27 00:05:45 -05:00
hwdsl2
39f1e272a0 Update docs 2022-04-26 23:49:01 -05:00
18 changed files with 216 additions and 386 deletions
Show Stats Expand all files Collapse all files

4
.github/workflows/check_urls.yml vendored
View File

@ -32,6 +32,7 @@ jobs:
wg="wget -t 3 -T 30 -nv -O" wg="wget -t 3 -T 30 -nv -O"
gh="https://github.com/hwdsl2/setup-ipsec-vpn/raw/master" gh="https://github.com/hwdsl2/setup-ipsec-vpn/raw/master"
gl="https://gitlab.com/hwdsl2/setup-ipsec-vpn/-/raw/master"
gi="https://git.io" gi="https://git.io"
$wg vpnsetup.sh "$gi/vpnsetup" $wg vpnsetup.sh "$gi/vpnsetup"
@ -50,6 +51,7 @@ jobs:
$wg vpnuninstall.sh "$gi/vpnuninstall" $wg vpnuninstall.sh "$gi/vpnuninstall"
$wg vpnsetup2.sh "$gh/vpnsetup.sh" $wg vpnsetup2.sh "$gh/vpnsetup.sh"
$wg vpnsetup3.sh "$gl/vpnsetup.sh"
$wg vpnsetup_centos2.sh "$gh/vpnsetup_centos.sh" $wg vpnsetup_centos2.sh "$gh/vpnsetup_centos.sh"
$wg vpnsetup_amzn2.sh "$gh/vpnsetup_amzn.sh" $wg vpnsetup_amzn2.sh "$gh/vpnsetup_amzn.sh"
$wg vpnsetup_ubuntu2.sh "$gh/vpnsetup_ubuntu.sh" $wg vpnsetup_ubuntu2.sh "$gh/vpnsetup_ubuntu.sh"
@ -79,6 +81,7 @@ jobs:
diff vpnuninstall.sh ../extras/vpnuninstall.sh diff vpnuninstall.sh ../extras/vpnuninstall.sh
diff vpnsetup2.sh ../vpnsetup.sh diff vpnsetup2.sh ../vpnsetup.sh
diff vpnsetup3.sh ../vpnsetup.sh
diff vpnsetup_centos2.sh ../vpnsetup_centos.sh diff vpnsetup_centos2.sh ../vpnsetup_centos.sh
diff vpnsetup_amzn2.sh ../vpnsetup_amzn.sh diff vpnsetup_amzn2.sh ../vpnsetup_amzn.sh
diff vpnsetup_ubuntu2.sh ../vpnsetup_ubuntu.sh diff vpnsetup_ubuntu2.sh ../vpnsetup_ubuntu.sh
@ -107,3 +110,4 @@ jobs:
curl -fsSI "$bl/delvpnuser" | grep -q 'del_vpn_user.sh' curl -fsSI "$bl/delvpnuser" | grep -q 'del_vpn_user.sh'
curl -fsSI "$bl/updatevpnusers" | grep -q 'update_vpn_users.sh' curl -fsSI "$bl/updatevpnusers" | grep -q 'update_vpn_users.sh'
curl -fsSI "$bl/ikev2onlymode" | grep -q 'ikev2onlymode.sh' curl -fsSI "$bl/ikev2onlymode" | grep -q 'ikev2onlymode.sh'
curl -fsSI "$bl/ikev2changeaddr" | grep -q 'ikev2changeaddr.sh'

2
README-zh.md
View File

@ -274,7 +274,7 @@ wget https://gitlab.com/hwdsl2/setup-ipsec-vpn/-/raw/master/extras/vpnupgrade.sh
## 问题和反馈 ## 问题和反馈
- 如果你有意见或建议,请 [发送反馈](https://bit.ly/vpn-feedback) 或提交一个 [改进建议](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose),或者欢迎提交 [Pull request](https://github.com/hwdsl2/setup-ipsec-vpn/pulls)。 - 如果你有对本项目的建议,请提交一个 [改进建议](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose),或者欢迎提交 [Pull request](https://github.com/hwdsl2/setup-ipsec-vpn/pulls)。
- 如果你发现了一个可重复的程序漏洞,请为 [IPsec VPN](https://github.com/libreswan/libreswan/issues?q=is%3Aissue) 或者 [VPN 脚本](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose) 提交一个错误报告。 - 如果你发现了一个可重复的程序漏洞,请为 [IPsec VPN](https://github.com/libreswan/libreswan/issues?q=is%3Aissue) 或者 [VPN 脚本](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose) 提交一个错误报告。
- 有问题需要提问?请先搜索 [已有的 issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) 以及在 [这个 Gist](https://gist.github.com/hwdsl2/9030462#comments) 和 [我的博客](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread) 上已有的留言。 - 有问题需要提问?请先搜索 [已有的 issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) 以及在 [这个 Gist](https://gist.github.com/hwdsl2/9030462#comments) 和 [我的博客](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread) 上已有的留言。
- VPN 的相关问题可在 [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) 或 [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) 邮件列表提问,或者参考这些网站:[[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup)。 - VPN 的相关问题可在 [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) 或 [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) 邮件列表提问,或者参考这些网站:[[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup)。

2
README.md
View File

@ -274,7 +274,7 @@ See [Uninstall the VPN](docs/uninstall.md).
## Feedback & Questions ## Feedback & Questions
- Have a comment or suggestion? [Send feedback](https://bit.ly/vpn-feedback) or open an [Enhancement request](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose). [Pull requests](https://github.com/hwdsl2/setup-ipsec-vpn/pulls) are also welcome. - Have a suggestion for this project? Open an [Enhancement request](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose). [Pull requests](https://github.com/hwdsl2/setup-ipsec-vpn/pulls) are also welcome.
- If you found a reproducible bug, open a bug report for the [IPsec VPN](https://github.com/libreswan/libreswan/issues?q=is%3Aissue) or for the [VPN scripts](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose). - If you found a reproducible bug, open a bug report for the [IPsec VPN](https://github.com/libreswan/libreswan/issues?q=is%3Aissue) or for the [VPN scripts](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose).
- Got a question? Please first search [existing issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) and comments [in this Gist](https://gist.github.com/hwdsl2/9030462#comments) and [on my blog](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread). - Got a question? Please first search [existing issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) and comments [in this Gist](https://gist.github.com/hwdsl2/9030462#comments) and [on my blog](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread).
- Ask VPN related questions on the [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) or [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) mailing list, or read these wikis: [[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup). - Ask VPN related questions on the [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) or [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) mailing list, or read these wikis: [[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup).

79
extras/add_vpn_user.sh
View File

@ -28,35 +28,29 @@ EOF
} }
add_vpn_user() { add_vpn_user() {
if [ "$(id -u)" != 0 ]; then
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo bash $0'" exiterr "Script must be run as root. Try 'sudo bash $0'"
fi fi
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
|| [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then || [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
Error: Your must first set up the IPsec VPN server before adding VPN users. Error: Your must first set up the IPsec VPN server before adding VPN users.
See: https://github.com/hwdsl2/setup-ipsec-vpn See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF EOF
exit 1 exit 1
fi fi
command -v openssl >/dev/null 2>&1 || exiterr "'openssl' not found. Abort."
command -v openssl >/dev/null 2>&1 || exiterr "'openssl' not found. Abort." if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
cat 1>&2 <<EOF cat 1>&2 <<EOF
Usage: sudo bash $0 'username_to_add' 'password' Usage: sudo bash $0 'username_to_add' 'password'
sudo bash $0 'username_to_update' 'new_password' sudo bash $0 'username_to_update' 'new_password'
You may also run this script interactively without arguments. You may also run this script interactively without arguments.
EOF EOF
exit 1 exit 1
fi fi
VPN_USER=$1
VPN_USER=$1 VPN_PASSWORD=$2
VPN_PASSWORD=$2 if [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
if [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
show_intro show_intro
echo echo
echo "List of existing VPN usernames:" echo "List of existing VPN usernames:"
@ -73,22 +67,18 @@ if [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
echo "Abort. No changes were made." >&2 echo "Abort. No changes were made." >&2
exit 1 exit 1
fi fi
fi fi
if printf '%s' "$VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
if printf '%s' "$VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN credentials must not contain non-ASCII characters." exiterr "VPN credentials must not contain non-ASCII characters."
fi fi
case "$VPN_USER $VPN_PASSWORD" in
case "$VPN_USER $VPN_PASSWORD" in
*[\\\"\']*) *[\\\"\']*)
exiterr "VPN credentials must not contain these special characters: \\ \" '" exiterr "VPN credentials must not contain these special characters: \\ \" '"
;; ;;
esac esac
if [ -n "$1" ] && [ -n "$2" ]; then
if [ -n "$1" ] && [ -n "$2" ]; then
show_intro show_intro
fi fi
cat <<EOF cat <<EOF
================================================ ================================================
@ -106,10 +96,9 @@ Setup VPN clients: https://git.io/vpnclients
================================================ ================================================
EOF EOF
printf "Do you want to continue? [Y/n] "
printf "Do you want to continue? [Y/n] " read -r response
read -r response case $response in
case $response in
[yY][eE][sS]|[yY]|'') [yY][eE][sS]|[yY]|'')
echo echo
echo "Adding or updating VPN user..." echo "Adding or updating VPN user..."
@ -119,28 +108,23 @@ case $response in
echo "Abort. No changes were made." echo "Abort. No changes were made."
exit 1 exit 1
;; ;;
esac esac
# Backup config files
# Backup config files conf_bk "/etc/ppp/chap-secrets"
conf_bk "/etc/ppp/chap-secrets" conf_bk "/etc/ipsec.d/passwd"
conf_bk "/etc/ipsec.d/passwd" # Add or update VPN user
sed -i "/^\"$VPN_USER\" /d" /etc/ppp/chap-secrets
# Add or update VPN user
sed -i "/^\"$VPN_USER\" /d" /etc/ppp/chap-secrets
cat >> /etc/ppp/chap-secrets <<EOF cat >> /etc/ppp/chap-secrets <<EOF
"$VPN_USER" l2tpd "$VPN_PASSWORD" * "$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF EOF
# shellcheck disable=SC2016
# shellcheck disable=SC2016 sed -i '/^'"$VPN_USER"':\$1\$/d' /etc/ipsec.d/passwd
sed -i '/^'"$VPN_USER"':\$1\$/d' /etc/ipsec.d/passwd VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
cat >> /etc/ipsec.d/passwd <<EOF cat >> /etc/ipsec.d/passwd <<EOF
$VPN_USER:$VPN_PASSWORD_ENC:xauth-psk $VPN_USER:$VPN_PASSWORD_ENC:xauth-psk
EOF EOF
# Update file attributes
# Update file attributes chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
cat <<'EOF' cat <<'EOF'
Done! Done!
@ -148,7 +132,6 @@ Note: All VPN users will share the same IPsec PSK.
If you forgot the PSK, check /etc/ipsec.secrets. If you forgot the PSK, check /etc/ipsec.secrets.
EOF EOF
} }
## Defer until we have the complete script ## Defer until we have the complete script

79
extras/del_vpn_user.sh
View File

@ -25,31 +25,26 @@ EOF
} }
del_vpn_user() { del_vpn_user() {
if [ "$(id -u)" != 0 ]; then
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo bash $0'" exiterr "Script must be run as root. Try 'sudo bash $0'"
fi fi
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
|| [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then || [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
Error: Your must first set up the IPsec VPN server before deleting VPN users. Error: Your must first set up the IPsec VPN server before deleting VPN users.
See: https://github.com/hwdsl2/setup-ipsec-vpn See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF EOF
exit 1 exit 1
fi fi
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
cat 1>&2 <<EOF cat 1>&2 <<EOF
Usage: sudo bash $0 'username_to_delete' Usage: sudo bash $0 'username_to_delete'
You may also run this script interactively without arguments. You may also run this script interactively without arguments.
EOF EOF
exit 1 exit 1
fi fi
VPN_USER=$1
VPN_USER=$1 if [ -z "$VPN_USER" ]; then
if [ -z "$VPN_USER" ]; then
show_intro show_intro
echo echo
echo "List of existing VPN usernames:" echo "List of existing VPN usernames:"
@ -61,38 +56,32 @@ if [ -z "$VPN_USER" ]; then
echo "Abort. No changes were made." >&2 echo "Abort. No changes were made." >&2
exit 1 exit 1
fi fi
fi fi
if printf '%s' "$VPN_USER" | LC_ALL=C grep -q '[^ -~]\+'; then
if printf '%s' "$VPN_USER" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN username must not contain non-ASCII characters." exiterr "VPN username must not contain non-ASCII characters."
fi fi
case "$VPN_USER" in
case "$VPN_USER" in
*[\\\"\']*) *[\\\"\']*)
exiterr "VPN username must not contain these special characters: \\ \" '" exiterr "VPN username must not contain these special characters: \\ \" '"
;; ;;
esac esac
if [ "$(grep -c "^\"$VPN_USER\" " /etc/ppp/chap-secrets)" = "0" ] \
if [ "$(grep -c "^\"$VPN_USER\" " /etc/ppp/chap-secrets)" = "0" ] \
|| [ "$(grep -c "^$VPN_USER:\\\$1\\\$" /etc/ipsec.d/passwd)" = "0" ]; then || [ "$(grep -c "^$VPN_USER:\\\$1\\\$" /etc/ipsec.d/passwd)" = "0" ]; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
Error: The specified VPN user does not exist in /etc/ppp/chap-secrets Error: The specified VPN user does not exist in /etc/ppp/chap-secrets
and/or /etc/ipsec.d/passwd. and/or /etc/ipsec.d/passwd.
EOF EOF
exit 1 exit 1
fi fi
if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = "1" ] \
if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = "1" ] \
|| [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = "1" ]; then || [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = "1" ]; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
Error: Could not delete the only VPN user from /etc/ppp/chap-secrets Error: Could not delete the only VPN user from /etc/ppp/chap-secrets
and/or /etc/ipsec.d/passwd. and/or /etc/ipsec.d/passwd.
EOF EOF
exit 1 exit 1
fi fi
[ -n "$1" ] && show_intro
[ -n "$1" ] && show_intro
cat <<EOF cat <<EOF
================================================ ================================================
@ -104,10 +93,9 @@ Username: $VPN_USER
================================================ ================================================
EOF EOF
printf "Do you want to continue? [Y/n] "
printf "Do you want to continue? [Y/n] " read -r response
read -r response case $response in
case $response in
[yY][eE][sS]|[yY]|'') [yY][eE][sS]|[yY]|'')
echo echo
echo "Deleting VPN user..." echo "Deleting VPN user..."
@ -117,25 +105,20 @@ case $response in
echo "Abort. No changes were made." echo "Abort. No changes were made."
exit 1 exit 1
;; ;;
esac esac
# Backup config files
# Backup config files conf_bk "/etc/ppp/chap-secrets"
conf_bk "/etc/ppp/chap-secrets" conf_bk "/etc/ipsec.d/passwd"
conf_bk "/etc/ipsec.d/passwd" # Delete VPN user
sed -i "/^\"$VPN_USER\" /d" /etc/ppp/chap-secrets
# Delete VPN user # shellcheck disable=SC2016
sed -i "/^\"$VPN_USER\" /d" /etc/ppp/chap-secrets sed -i '/^'"$VPN_USER"':\$1\$/d' /etc/ipsec.d/passwd
# shellcheck disable=SC2016 # Update file attributes
sed -i '/^'"$VPN_USER"':\$1\$/d' /etc/ipsec.d/passwd chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
# Update file attributes
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
cat <<'EOF' cat <<'EOF'
Done! Done!
EOF EOF
} }
## Defer until we have the complete script ## Defer until we have the complete script

9
extras/ikev2setup.sh
View File

@ -151,14 +151,14 @@ confirm_or_abort() {
show_header() { show_header() {
cat <<'EOF' cat <<'EOF'
IKEv2 Script Copyright (c) 2020-2022 Lin Song 7 Apr 2022 IKEv2 Script Copyright (c) 2020-2022 Lin Song 27 Apr 2022
EOF EOF
} }
show_usage() { show_usage() {
if [ -n "$1" ]; then if [ -n "$1" ]; then
echo "Error: $1" >&2; echo "Error: $1" >&2
fi fi
show_header show_header
cat 1>&2 <<EOF cat 1>&2 <<EOF
@ -186,7 +186,7 @@ check_ikev2_exists() {
check_client_name() { check_client_name() {
! { [ "${#1}" -gt "64" ] || printf '%s' "$1" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ ! { [ "${#1}" -gt "64" ] || printf '%s' "$1" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $1 in -*) true;; *) false;; esac; } || case $1 in -*) true ;; *) false ;; esac; }
} }
check_cert_exists() { check_cert_exists() {
@ -1271,8 +1271,7 @@ EOF
cat <<'EOF' cat <<'EOF'
Next steps: Configure IKEv2 clients. See: Next steps: Configure IKEv2 clients. See:
https://git.io/ikev2clients https://git.io/ikev2clients
Feedback: https://bit.ly/vpn-feedback
================================================ ================================================

13
extras/quickstart.sh
View File

@ -1,8 +1,7 @@
#!/bin/sh #!/bin/sh
# #
# Quick start script to set up an IPsec VPN server on Ubuntu, Debian, CentOS/RHEL, # Script for automatic setup of an IPsec VPN server on Ubuntu, Debian, CentOS/RHEL,
# Rocky Linux, AlmaLinux, Oracle Linux, Amazon Linux 2 and Alpine Linux # Rocky Linux, AlmaLinux, Oracle Linux, Amazon Linux 2 and Alpine Linux
# Works on any dedicated server or virtual private server (VPS)
# #
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
# #
@ -159,19 +158,15 @@ check_creds() {
[ -n "$YOUR_IPSEC_PSK" ] && VPN_IPSEC_PSK="$YOUR_IPSEC_PSK" [ -n "$YOUR_IPSEC_PSK" ] && VPN_IPSEC_PSK="$YOUR_IPSEC_PSK"
[ -n "$YOUR_USERNAME" ] && VPN_USER="$YOUR_USERNAME" [ -n "$YOUR_USERNAME" ] && VPN_USER="$YOUR_USERNAME"
[ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD" [ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD"
if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
return 0 return 0
fi fi
if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
exiterr "All VPN credentials must be specified. Edit the script and re-enter them." exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
fi fi
if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN credentials must not contain non-ASCII characters." exiterr "VPN credentials must not contain non-ASCII characters."
fi fi
case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
*[\\\"\']*) *[\\\"\']*)
exiterr "VPN credentials must not contain these special characters: \\ \" '" exiterr "VPN credentials must not contain these special characters: \\ \" '"
@ -196,7 +191,7 @@ check_client_name() {
if [ -n "$VPN_CLIENT_NAME" ]; then if [ -n "$VPN_CLIENT_NAME" ]; then
name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)" name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)"
if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then || case $VPN_CLIENT_NAME in -*) true ;; *) false ;; esac; then
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'." exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
fi fi
fi fi
@ -293,7 +288,7 @@ run_setup() {
fi fi
} }
quickstart() { vpnsetup() {
check_root check_root
check_vz check_vz
check_lxc check_lxc
@ -310,6 +305,6 @@ quickstart() {
} }
## Defer setup until we have the complete script ## Defer setup until we have the complete script
quickstart "$@" vpnsetup "$@"
exit "$status" exit "$status"

107
extras/update_vpn_users.sh
View File

@ -39,57 +39,46 @@ noquotes() { printf '%s' "$1" | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/";
noquotes2() { printf '%s' "$1" | sed -e 's/" "/ /g' -e "s/' '/ /g"; } noquotes2() { printf '%s' "$1" | sed -e 's/" "/ /g' -e "s/' '/ /g"; }
update_vpn_users() { update_vpn_users() {
if [ "$(id -u)" != 0 ]; then
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo bash $0'" exiterr "Script must be run as root. Try 'sudo bash $0'"
fi fi
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
|| [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then || [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
Error: Your must first set up the IPsec VPN server before updating VPN users. Error: Your must first set up the IPsec VPN server before updating VPN users.
See: https://github.com/hwdsl2/setup-ipsec-vpn See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF EOF
exit 1 exit 1
fi fi
command -v openssl >/dev/null 2>&1 || exiterr "'openssl' not found. Abort."
command -v openssl >/dev/null 2>&1 || exiterr "'openssl' not found. Abort." if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
For usage information, visit https://git.io/vpnnotes, then click on Manage VPN Users. For usage information, visit https://git.io/vpnnotes, then click on Manage VPN Users.
EOF EOF
exit 1 exit 1
fi fi
[ -n "$YOUR_USERNAMES" ] && VPN_USERS="$YOUR_USERNAMES"
[ -n "$YOUR_USERNAMES" ] && VPN_USERS="$YOUR_USERNAMES" [ -n "$YOUR_PASSWORDS" ] && VPN_PASSWORDS="$YOUR_PASSWORDS"
[ -n "$YOUR_PASSWORDS" ] && VPN_PASSWORDS="$YOUR_PASSWORDS" VPN_USERS=$(noquotes "$VPN_USERS")
VPN_USERS=$(onespace "$VPN_USERS")
VPN_USERS=$(noquotes "$VPN_USERS") VPN_USERS=$(noquotes2 "$VPN_USERS")
VPN_USERS=$(onespace "$VPN_USERS") VPN_PASSWORDS=$(noquotes "$VPN_PASSWORDS")
VPN_USERS=$(noquotes2 "$VPN_USERS") VPN_PASSWORDS=$(onespace "$VPN_PASSWORDS")
VPN_PASSWORDS=$(noquotes "$VPN_PASSWORDS") VPN_PASSWORDS=$(noquotes2 "$VPN_PASSWORDS")
VPN_PASSWORDS=$(onespace "$VPN_PASSWORDS") if [ -z "$VPN_USERS" ] || [ -z "$VPN_PASSWORDS" ]; then
VPN_PASSWORDS=$(noquotes2 "$VPN_PASSWORDS")
if [ -z "$VPN_USERS" ] || [ -z "$VPN_PASSWORDS" ]; then
exiterr "All VPN credentials must be specified. Edit the script and re-enter them." exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
fi fi
if printf '%s' "$VPN_USERS $VPN_PASSWORDS" | LC_ALL=C grep -q '[^ -~]\+'; then
if printf '%s' "$VPN_USERS $VPN_PASSWORDS" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN credentials must not contain non-ASCII characters." exiterr "VPN credentials must not contain non-ASCII characters."
fi fi
case "$VPN_USERS $VPN_PASSWORDS" in
case "$VPN_USERS $VPN_PASSWORDS" in
*[\\\"\']*) *[\\\"\']*)
exiterr "VPN credentials must not contain these special characters: \\ \" '" exiterr "VPN credentials must not contain these special characters: \\ \" '"
;; ;;
esac esac
if printf '%s' "$VPN_USERS" | tr ' ' '\n' | sort | uniq -c | grep -qv '^ *1 '; then
if printf '%s' "$VPN_USERS" | tr ' ' '\n' | sort | uniq -c | grep -qv '^ *1 '; then
exiterr "VPN usernames must not contain duplicates." exiterr "VPN usernames must not contain duplicates."
fi fi
cat <<'EOF' cat <<'EOF'
Welcome! Use this script to update VPN user accounts for both Welcome! Use this script to update VPN user accounts for both
@ -103,19 +92,17 @@ WARNING: *ALL* existing VPN users will be removed and replaced
Updated list of VPN users (username | password): Updated list of VPN users (username | password):
EOF EOF
count=1
count=1 vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1)
vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1) vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -d ' ' -f 1)
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -d ' ' -f 1) while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]; do
while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]; do
cat <<EOF cat <<EOF
$vpn_user | $vpn_password $vpn_user | $vpn_password
EOF EOF
count=$((count+1)) count=$((count+1))
vpn_user=$(printf '%s' "$VPN_USERS" | cut -s -d ' ' -f "$count") vpn_user=$(printf '%s' "$VPN_USERS" | cut -s -d ' ' -f "$count")
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -s -d ' ' -f "$count") vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -s -d ' ' -f "$count")
done done
cat <<'EOF' cat <<'EOF'
Write these down. You'll need them to connect! Write these down. You'll need them to connect!
@ -126,10 +113,9 @@ Setup VPN clients: https://git.io/vpnclients
================================================== ==================================================
EOF EOF
printf "Do you want to continue? [Y/n] "
printf "Do you want to continue? [Y/n] " read -r response
read -r response case $response in
case $response in
[yY][eE][sS]|[yY]|'') [yY][eE][sS]|[yY]|'')
echo echo
echo "Updating VPN users..." echo "Updating VPN users..."
@ -139,18 +125,16 @@ case $response in
echo "Abort. No changes were made." echo "Abort. No changes were made."
exit 1 exit 1
;; ;;
esac esac
# Backup and remove config files
# Backup and remove config files conf_bk "/etc/ppp/chap-secrets"
conf_bk "/etc/ppp/chap-secrets" conf_bk "/etc/ipsec.d/passwd"
conf_bk "/etc/ipsec.d/passwd" /bin/rm -f /etc/ppp/chap-secrets /etc/ipsec.d/passwd
/bin/rm -f /etc/ppp/chap-secrets /etc/ipsec.d/passwd # Update VPN users
count=1
# Update VPN users vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1)
count=1 vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -d ' ' -f 1)
vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1) while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]; do
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -d ' ' -f 1)
while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]; do
vpn_password_enc=$(openssl passwd -1 "$vpn_password") vpn_password_enc=$(openssl passwd -1 "$vpn_password")
cat >> /etc/ppp/chap-secrets <<EOF cat >> /etc/ppp/chap-secrets <<EOF
"$vpn_user" l2tpd "$vpn_password" * "$vpn_user" l2tpd "$vpn_password" *
@ -161,11 +145,9 @@ EOF
count=$((count+1)) count=$((count+1))
vpn_user=$(printf '%s' "$VPN_USERS" | cut -s -d ' ' -f "$count") vpn_user=$(printf '%s' "$VPN_USERS" | cut -s -d ' ' -f "$count")
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -s -d ' ' -f "$count") vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -s -d ' ' -f "$count")
done done
# Update file attributes
# Update file attributes chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
cat <<'EOF' cat <<'EOF'
Done! Done!
@ -173,7 +155,6 @@ Note: All VPN users will share the same IPsec PSK.
If you forgot the PSK, check /etc/ipsec.secrets. If you forgot the PSK, check /etc/ipsec.secrets.
EOF EOF
} }
## Defer until we have the complete script ## Defer until we have the complete script

2
extras/vpnuninstall.sh
View File

@ -234,7 +234,6 @@ update_iptables_rules() {
if grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then if grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
ipt_flag=1 ipt_flag=1
fi fi
ipi='iptables -D INPUT' ipi='iptables -D INPUT'
ipf='iptables -D FORWARD' ipf='iptables -D FORWARD'
ipp='iptables -t nat -D POSTROUTING' ipp='iptables -t nat -D POSTROUTING'
@ -261,7 +260,6 @@ update_iptables_rules() {
$ipp -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE $ipp -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
$ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE $ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
iptables-save > "$IPT_FILE" iptables-save > "$IPT_FILE"
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
if [ -f "$IPT_FILE2" ]; then if [ -f "$IPT_FILE2" ]; then
conf_bk "$IPT_FILE2" conf_bk "$IPT_FILE2"

11
extras/vpnupgrade_alpine.sh
View File

@ -106,7 +106,6 @@ Note: This script will make the following changes to your VPN configuration:
Your other VPN config files will not be modified. Your other VPN config files will not be modified.
EOF EOF
if [ "$SWAN_VER" != "$swan_ver_cur" ]; then if [ "$SWAN_VER" != "$swan_ver_cur" ]; then
cat <<'EOF' cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities. WARNING: Older versions of Libreswan could contain known security vulnerabilities.
@ -115,7 +114,6 @@ WARNING: Older versions of Libreswan could contain known security vulnerabilitie
EOF EOF
fi fi
if [ "$swan_ver_old" = "$SWAN_VER" ]; then if [ "$swan_ver_old" = "$SWAN_VER" ]; then
cat <<EOF cat <<EOF
Note: You already have Libreswan version $SWAN_VER installed! Note: You already have Libreswan version $SWAN_VER installed!
@ -123,7 +121,6 @@ Note: You already have Libreswan version $SWAN_VER installed!
EOF EOF
fi fi
printf "Do you want to continue? [Y/n] " printf "Do you want to continue? [Y/n] "
read -r response read -r response
case $response in case $response in
@ -186,7 +183,6 @@ EOF
set -x set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
) )
cd /opt/src || exit 1 cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
@ -215,20 +211,17 @@ update_config() {
bigecho "Updating VPN configuration..." bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
if uname -m | grep -qi '^arm'; then if uname -m | grep -qi '^arm'; then
if ! modprobe -q sha512; then if ! modprobe -q sha512; then
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2" PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2"
fi fi
fi fi
dns_state=0 dns_state=0
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2 [ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3 [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
sed -i".old-$SYS_DT" \ sed -i".old-$SYS_DT" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \ -e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
@ -237,17 +230,14 @@ update_config() {
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \ -e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \ -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then if [ "$dns_state" = "1" ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \ sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf -e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then elif [ "$dns_state" = "2" ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi fi
sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi fi
@ -270,7 +260,6 @@ Libreswan $SWAN_VER has been successfully installed!
================================================ ================================================
EOF EOF
if [ "$dns_state" = "3" ]; then if [ "$dns_state" = "3" ]; then
cat <<'EOF' cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace IMPORTANT: You must edit /etc/ipsec.conf and replace

10
extras/vpnupgrade_amzn.sh
View File

@ -90,7 +90,6 @@ Note: This script will make the following changes to your VPN configuration:
Your other VPN config files will not be modified. Your other VPN config files will not be modified.
EOF EOF
if [ "$SWAN_VER" != "$swan_ver_cur" ]; then if [ "$SWAN_VER" != "$swan_ver_cur" ]; then
cat <<'EOF' cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities. WARNING: Older versions of Libreswan could contain known security vulnerabilities.
@ -99,7 +98,6 @@ WARNING: Older versions of Libreswan could contain known security vulnerabilitie
EOF EOF
fi fi
if [ "$swan_ver_old" = "$SWAN_VER" ]; then if [ "$swan_ver_old" = "$SWAN_VER" ]; then
cat <<EOF cat <<EOF
Note: You already have Libreswan version $SWAN_VER installed! Note: You already have Libreswan version $SWAN_VER installed!
@ -107,7 +105,6 @@ Note: You already have Libreswan version $SWAN_VER installed!
EOF EOF
fi fi
printf "Do you want to continue? [Y/n] " printf "Do you want to continue? [Y/n] "
read -r response read -r response
case $response in case $response in
@ -174,7 +171,6 @@ EOF
set -x set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
) )
cd /opt/src || exit 1 cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
@ -209,14 +205,12 @@ update_config() {
bigecho "Updating VPN configuration..." bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
dns_state=0 dns_state=0
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2 [ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3 [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
sed -i".old-$SYS_DT" \ sed -i".old-$SYS_DT" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \ -e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
@ -225,17 +219,14 @@ update_config() {
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \ -e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \ -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then if [ "$dns_state" = "1" ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \ sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf -e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then elif [ "$dns_state" = "2" ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi fi
sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi fi
@ -257,7 +248,6 @@ Libreswan $SWAN_VER has been successfully installed!
================================================ ================================================
EOF EOF
if [ "$dns_state" = "3" ]; then if [ "$dns_state" = "3" ]; then
cat <<'EOF' cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace IMPORTANT: You must edit /etc/ipsec.conf and replace

10
extras/vpnupgrade_centos.sh
View File

@ -116,7 +116,6 @@ Note: This script will make the following changes to your VPN configuration:
Your other VPN config files will not be modified. Your other VPN config files will not be modified.
EOF EOF
if [ "$SWAN_VER" != "$swan_ver_cur" ]; then if [ "$SWAN_VER" != "$swan_ver_cur" ]; then
cat <<'EOF' cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities. WARNING: Older versions of Libreswan could contain known security vulnerabilities.
@ -125,7 +124,6 @@ WARNING: Older versions of Libreswan could contain known security vulnerabilitie
EOF EOF
fi fi
if [ "$swan_ver_old" = "$SWAN_VER" ]; then if [ "$swan_ver_old" = "$SWAN_VER" ]; then
cat <<EOF cat <<EOF
Note: You already have Libreswan version $SWAN_VER installed! Note: You already have Libreswan version $SWAN_VER installed!
@ -133,7 +131,6 @@ Note: You already have Libreswan version $SWAN_VER installed!
EOF EOF
fi fi
printf "Do you want to continue? [Y/n] " printf "Do you want to continue? [Y/n] "
read -r response read -r response
case $response in case $response in
@ -224,7 +221,6 @@ EOF
set -x set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
) )
cd /opt/src || exit 1 cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
@ -259,14 +255,12 @@ update_config() {
bigecho "Updating VPN configuration..." bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
dns_state=0 dns_state=0
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2 [ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3 [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
sed -i".old-$SYS_DT" \ sed -i".old-$SYS_DT" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \ -e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
@ -275,17 +269,14 @@ update_config() {
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \ -e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \ -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then if [ "$dns_state" = "1" ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \ sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf -e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then elif [ "$dns_state" = "2" ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi fi
sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi fi
@ -307,7 +298,6 @@ Libreswan $SWAN_VER has been successfully installed!
================================================ ================================================
EOF EOF
if [ "$dns_state" = "3" ]; then if [ "$dns_state" = "3" ]; then
cat <<'EOF' cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace IMPORTANT: You must edit /etc/ipsec.conf and replace

12
extras/vpnupgrade_ubuntu.sh
View File

@ -89,7 +89,6 @@ check_swan_ver() {
if [ "$SWAN_VER" = "3.32" ] && [ "$os_ver" = "11" ]; then if [ "$SWAN_VER" = "3.32" ] && [ "$os_ver" = "11" ]; then
exiterr "Libreswan 3.32 is not supported on Debian 11." exiterr "Libreswan 3.32 is not supported on Debian 11."
fi fi
if [ "$SWAN_VER" != "3.32" ] \ if [ "$SWAN_VER" != "3.32" ] \
&& { ! printf '%s\n%s' "4.1" "$SWAN_VER" | sort -C -V \ && { ! printf '%s\n%s' "4.1" "$SWAN_VER" | sort -C -V \
|| ! printf '%s\n%s' "$SWAN_VER" "$swan_ver_cur" | sort -C -V; }; then || ! printf '%s\n%s' "$SWAN_VER" "$swan_ver_cur" | sort -C -V; }; then
@ -117,7 +116,6 @@ Note: This script will make the following changes to your VPN configuration:
Your other VPN config files will not be modified. Your other VPN config files will not be modified.
EOF EOF
if [ "$SWAN_VER" != "$swan_ver_cur" ]; then if [ "$SWAN_VER" != "$swan_ver_cur" ]; then
cat <<'EOF' cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities. WARNING: Older versions of Libreswan could contain known security vulnerabilities.
@ -126,7 +124,6 @@ WARNING: Older versions of Libreswan could contain known security vulnerabilitie
EOF EOF
fi fi
if [ "$swan_ver_old" = "$SWAN_VER" ]; then if [ "$swan_ver_old" = "$SWAN_VER" ]; then
cat <<EOF cat <<EOF
Note: You already have Libreswan version $SWAN_VER installed! Note: You already have Libreswan version $SWAN_VER installed!
@ -134,7 +131,6 @@ Note: You already have Libreswan version $SWAN_VER installed!
EOF EOF
fi fi
printf "Do you want to continue? [Y/n] " printf "Do you want to continue? [Y/n] "
read -r response read -r response
case $response in case $response in
@ -217,7 +213,6 @@ EOF
set -x set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
) )
cd /opt/src || exit 1 cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
@ -246,20 +241,17 @@ update_config() {
bigecho "Updating VPN configuration..." bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
if uname -m | grep -qi '^arm'; then if uname -m | grep -qi '^arm'; then
if ! modprobe -q sha512; then if ! modprobe -q sha512; then
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2" PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2"
fi fi
fi fi
dns_state=0 dns_state=0
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2 [ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3 [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
sed -i".old-$SYS_DT" \ sed -i".old-$SYS_DT" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \ -e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
@ -268,17 +260,14 @@ update_config() {
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \ -e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \ -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then if [ "$dns_state" = "1" ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \ sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf -e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then elif [ "$dns_state" = "2" ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi fi
sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi fi
@ -300,7 +289,6 @@ Libreswan $SWAN_VER has been successfully installed!
================================================ ================================================
EOF EOF
if [ "$dns_state" = "3" ]; then if [ "$dns_state" = "3" ]; then
cat <<'EOF' cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace IMPORTANT: You must edit /etc/ipsec.conf and replace

7
vpnsetup.sh
View File

@ -2,7 +2,6 @@
# #
# Script for automatic setup of an IPsec VPN server on Ubuntu, Debian, CentOS/RHEL, # Script for automatic setup of an IPsec VPN server on Ubuntu, Debian, CentOS/RHEL,
# Rocky Linux, AlmaLinux, Oracle Linux, Amazon Linux 2 and Alpine Linux # Rocky Linux, AlmaLinux, Oracle Linux, Amazon Linux 2 and Alpine Linux
# Works on any dedicated server or virtual private server (VPS)
# #
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
# #
@ -159,19 +158,15 @@ check_creds() {
[ -n "$YOUR_IPSEC_PSK" ] && VPN_IPSEC_PSK="$YOUR_IPSEC_PSK" [ -n "$YOUR_IPSEC_PSK" ] && VPN_IPSEC_PSK="$YOUR_IPSEC_PSK"
[ -n "$YOUR_USERNAME" ] && VPN_USER="$YOUR_USERNAME" [ -n "$YOUR_USERNAME" ] && VPN_USER="$YOUR_USERNAME"
[ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD" [ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD"
if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
return 0 return 0
fi fi
if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
exiterr "All VPN credentials must be specified. Edit the script and re-enter them." exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
fi fi
if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN credentials must not contain non-ASCII characters." exiterr "VPN credentials must not contain non-ASCII characters."
fi fi
case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
*[\\\"\']*) *[\\\"\']*)
exiterr "VPN credentials must not contain these special characters: \\ \" '" exiterr "VPN credentials must not contain these special characters: \\ \" '"
@ -196,7 +191,7 @@ check_client_name() {
if [ -n "$VPN_CLIENT_NAME" ]; then if [ -n "$VPN_CLIENT_NAME" ]; then
name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)" name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)"
if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then || case $VPN_CLIENT_NAME in -*) true ;; *) false ;; esac; then
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'." exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
fi fi
fi fi

17
vpnsetup_alpine.sh
View File

@ -1,7 +1,6 @@
#!/bin/bash #!/bin/bash
# #
# Script for automatic setup of an IPsec VPN server on Alpine Linux # Script for automatic setup of an IPsec VPN server on Alpine Linux
# Works on any dedicated server or virtual private server (VPS)
# #
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
# #
@ -141,7 +140,7 @@ check_client_name() {
if [ -n "$VPN_CLIENT_NAME" ]; then if [ -n "$VPN_CLIENT_NAME" ]; then
name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)" name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)"
if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then || case $VPN_CLIENT_NAME in -*) true ;; *) false ;; esac; then
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'." exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
fi fi
fi fi
@ -285,7 +284,6 @@ EOF
create_vpn_config() { create_vpn_config() {
bigecho "Creating VPN configuration..." bigecho "Creating VPN configuration..."
L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'} L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'}
L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'} L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'}
L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'} L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'}
@ -295,7 +293,6 @@ create_vpn_config() {
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'} DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\"" DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1" [ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
# Create IPsec config # Create IPsec config
conf_bk "/etc/ipsec.conf" conf_bk "/etc/ipsec.conf"
cat > /etc/ipsec.conf <<EOF cat > /etc/ipsec.conf <<EOF
@ -346,19 +343,16 @@ conn xauth-psk
include /etc/ipsec.d/*.conf include /etc/ipsec.d/*.conf
EOF EOF
if uname -m | grep -qi '^arm'; then if uname -m | grep -qi '^arm'; then
if ! modprobe -q sha512; then if ! modprobe -q sha512; then
sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
fi fi
fi fi
# Specify IPsec PSK # Specify IPsec PSK
conf_bk "/etc/ipsec.secrets" conf_bk "/etc/ipsec.secrets"
cat > /etc/ipsec.secrets <<EOF cat > /etc/ipsec.secrets <<EOF
%any %any : PSK "$VPN_IPSEC_PSK" %any %any : PSK "$VPN_IPSEC_PSK"
EOF EOF
# Create xl2tpd config # Create xl2tpd config
conf_bk "/etc/xl2tpd/xl2tpd.conf" conf_bk "/etc/xl2tpd/xl2tpd.conf"
cat > /etc/xl2tpd/xl2tpd.conf <<EOF cat > /etc/xl2tpd/xl2tpd.conf <<EOF
@ -375,7 +369,6 @@ name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes length bit = yes
EOF EOF
# Set xl2tpd options # Set xl2tpd options
conf_bk "/etc/ppp/options.xl2tpd" conf_bk "/etc/ppp/options.xl2tpd"
cat > /etc/ppp/options.xl2tpd <<EOF cat > /etc/ppp/options.xl2tpd <<EOF
@ -392,19 +385,16 @@ lcp-echo-interval 30
connect-delay 5000 connect-delay 5000
ms-dns $DNS_SRV1 ms-dns $DNS_SRV1
EOF EOF
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
cat >> /etc/ppp/options.xl2tpd <<EOF cat >> /etc/ppp/options.xl2tpd <<EOF
ms-dns $DNS_SRV2 ms-dns $DNS_SRV2
EOF EOF
fi fi
# Create VPN credentials # Create VPN credentials
conf_bk "/etc/ppp/chap-secrets" conf_bk "/etc/ppp/chap-secrets"
cat > /etc/ppp/chap-secrets <<EOF cat > /etc/ppp/chap-secrets <<EOF
"$VPN_USER" l2tpd "$VPN_PASSWORD" * "$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF EOF
conf_bk "/etc/ipsec.d/passwd" conf_bk "/etc/ipsec.d/passwd"
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD") VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
cat > /etc/ipsec.d/passwd <<EOF cat > /etc/ipsec.d/passwd <<EOF
@ -447,7 +437,6 @@ update_iptables() {
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
ipt_flag=1 ipt_flag=1
fi fi
ipi='iptables -I INPUT' ipi='iptables -I INPUT'
ipf='iptables -I FORWARD' ipf='iptables -I FORWARD'
ipp='iptables -t nat -I POSTROUTING' ipp='iptables -t nat -I POSTROUTING'
@ -485,7 +474,6 @@ iptables-restore < /etc/iptables.rules
exit 0 exit 0
EOF EOF
chmod +x /etc/network/if-pre-up.d/iptablesload chmod +x /etc/network/if-pre-up.d/iptablesload
sed -i '1c\#!/sbin/openrc-run' /etc/init.d/ipsec sed -i '1c\#!/sbin/openrc-run' /etc/init.d/ipsec
for svc in fail2ban ipsec xl2tpd; do for svc in fail2ban ipsec xl2tpd; do
rc-update add "$svc" default >/dev/null rc-update add "$svc" default >/dev/null
@ -495,14 +483,11 @@ EOF
start_services() { start_services() {
bigecho "Starting services..." bigecho "Starting services..."
sysctl -e -q -p sysctl -e -q -p
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
mkdir -p /run/pluto mkdir -p /run/pluto
service fail2ban restart >/dev/null 2>&1 service fail2ban restart >/dev/null 2>&1
service ipsec restart >/dev/null 2>&1 service ipsec restart >/dev/null 2>&1
service xl2tpd restart >/dev/null 2>&1 service xl2tpd restart >/dev/null 2>&1
mkdir -p /etc/crontabs mkdir -p /etc/crontabs
cron_cmd="rc-service -c ipsec zap start" cron_cmd="rc-service -c ipsec zap start"
if ! grep -qs "$cron_cmd" /etc/crontabs/root; then if ! grep -qs "$cron_cmd" /etc/crontabs/root; then

18
vpnsetup_amzn.sh
View File

@ -1,7 +1,6 @@
#!/bin/bash #!/bin/bash
# #
# Script for automatic setup of an IPsec VPN server on Amazon Linux 2 # Script for automatic setup of an IPsec VPN server on Amazon Linux 2
# Works on any dedicated server or virtual private server (VPS)
# #
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
# #
@ -123,7 +122,7 @@ check_client_name() {
if [ -n "$VPN_CLIENT_NAME" ]; then if [ -n "$VPN_CLIENT_NAME" ]; then
name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)" name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)"
if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then || case $VPN_CLIENT_NAME in -*) true ;; *) false ;; esac; then
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'." exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
fi fi
fi fi
@ -287,7 +286,6 @@ EOF
create_vpn_config() { create_vpn_config() {
bigecho "Creating VPN configuration..." bigecho "Creating VPN configuration..."
L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'} L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'}
L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'} L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'}
L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'} L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'}
@ -297,7 +295,6 @@ create_vpn_config() {
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'} DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\"" DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1" [ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
# Create IPsec config # Create IPsec config
conf_bk "/etc/ipsec.conf" conf_bk "/etc/ipsec.conf"
cat > /etc/ipsec.conf <<EOF cat > /etc/ipsec.conf <<EOF
@ -348,13 +345,11 @@ conn xauth-psk
include /etc/ipsec.d/*.conf include /etc/ipsec.d/*.conf
EOF EOF
# Specify IPsec PSK # Specify IPsec PSK
conf_bk "/etc/ipsec.secrets" conf_bk "/etc/ipsec.secrets"
cat > /etc/ipsec.secrets <<EOF cat > /etc/ipsec.secrets <<EOF
%any %any : PSK "$VPN_IPSEC_PSK" %any %any : PSK "$VPN_IPSEC_PSK"
EOF EOF
# Create xl2tpd config # Create xl2tpd config
conf_bk "/etc/xl2tpd/xl2tpd.conf" conf_bk "/etc/xl2tpd/xl2tpd.conf"
cat > /etc/xl2tpd/xl2tpd.conf <<EOF cat > /etc/xl2tpd/xl2tpd.conf <<EOF
@ -371,7 +366,6 @@ name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes length bit = yes
EOF EOF
# Set xl2tpd options # Set xl2tpd options
conf_bk "/etc/ppp/options.xl2tpd" conf_bk "/etc/ppp/options.xl2tpd"
cat > /etc/ppp/options.xl2tpd <<EOF cat > /etc/ppp/options.xl2tpd <<EOF
@ -388,19 +382,16 @@ lcp-echo-interval 30
connect-delay 5000 connect-delay 5000
ms-dns $DNS_SRV1 ms-dns $DNS_SRV1
EOF EOF
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
cat >> /etc/ppp/options.xl2tpd <<EOF cat >> /etc/ppp/options.xl2tpd <<EOF
ms-dns $DNS_SRV2 ms-dns $DNS_SRV2
EOF EOF
fi fi
# Create VPN credentials # Create VPN credentials
conf_bk "/etc/ppp/chap-secrets" conf_bk "/etc/ppp/chap-secrets"
cat > /etc/ppp/chap-secrets <<EOF cat > /etc/ppp/chap-secrets <<EOF
"$VPN_USER" l2tpd "$VPN_PASSWORD" * "$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF EOF
conf_bk "/etc/ipsec.d/passwd" conf_bk "/etc/ipsec.d/passwd"
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD") VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
cat > /etc/ipsec.d/passwd <<EOF cat > /etc/ipsec.d/passwd <<EOF
@ -457,7 +448,6 @@ update_iptables() {
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
ipt_flag=1 ipt_flag=1
fi fi
ipi='iptables -I INPUT' ipi='iptables -I INPUT'
ipf='iptables -I FORWARD' ipf='iptables -I FORWARD'
ipp='iptables -t nat -I POSTROUTING' ipp='iptables -t nat -I POSTROUTING'
@ -490,7 +480,6 @@ enable_on_boot() {
bigecho "Enabling services on boot..." bigecho "Enabling services on boot..."
systemctl --now mask firewalld 2>/dev/null systemctl --now mask firewalld 2>/dev/null
systemctl enable iptables fail2ban 2>/dev/null systemctl enable iptables fail2ban 2>/dev/null
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
if [ -f /etc/rc.local ]; then if [ -f /etc/rc.local ]; then
conf_bk "/etc/rc.local" conf_bk "/etc/rc.local"
@ -511,22 +500,17 @@ EOF
start_services() { start_services() {
bigecho "Starting services..." bigecho "Starting services..."
sysctl -e -q -p sysctl -e -q -p
chmod +x /etc/rc.local chmod +x /etc/rc.local
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
iptables-restore < "$IPT_FILE" iptables-restore < "$IPT_FILE"
# Fix xl2tpd if l2tp_ppp is unavailable # Fix xl2tpd if l2tp_ppp is unavailable
if ! modprobe -q l2tp_ppp; then if ! modprobe -q l2tp_ppp; then
sed -i '/^ExecStartPre=\//s/=/=-/' /usr/lib/systemd/system/xl2tpd.service sed -i '/^ExecStartPre=\//s/=/=-/' /usr/lib/systemd/system/xl2tpd.service
systemctl daemon-reload systemctl daemon-reload
fi fi
mkdir -p /run/pluto mkdir -p /run/pluto
service fail2ban restart 2>/dev/null service fail2ban restart 2>/dev/null
service ipsec restart 2>/dev/null service ipsec restart 2>/dev/null

18
vpnsetup_centos.sh
View File

@ -2,7 +2,6 @@
# #
# Script for automatic setup of an IPsec VPN server on CentOS/RHEL, Rocky Linux, # Script for automatic setup of an IPsec VPN server on CentOS/RHEL, Rocky Linux,
# AlmaLinux and Oracle Linux # AlmaLinux and Oracle Linux
# Works on any dedicated server or virtual private server (VPS)
# #
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
# #
@ -151,7 +150,7 @@ check_client_name() {
if [ -n "$VPN_CLIENT_NAME" ]; then if [ -n "$VPN_CLIENT_NAME" ]; then
name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)" name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)"
if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then || case $VPN_CLIENT_NAME in -*) true ;; *) false ;; esac; then
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'." exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
fi fi
fi fi
@ -358,7 +357,6 @@ EOF
create_vpn_config() { create_vpn_config() {
bigecho "Creating VPN configuration..." bigecho "Creating VPN configuration..."
L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'} L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'}
L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'} L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'}
L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'} L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'}
@ -368,7 +366,6 @@ create_vpn_config() {
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'} DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\"" DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1" [ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
# Create IPsec config # Create IPsec config
conf_bk "/etc/ipsec.conf" conf_bk "/etc/ipsec.conf"
cat > /etc/ipsec.conf <<EOF cat > /etc/ipsec.conf <<EOF
@ -419,13 +416,11 @@ conn xauth-psk
include /etc/ipsec.d/*.conf include /etc/ipsec.d/*.conf
EOF EOF
# Specify IPsec PSK # Specify IPsec PSK
conf_bk "/etc/ipsec.secrets" conf_bk "/etc/ipsec.secrets"
cat > /etc/ipsec.secrets <<EOF cat > /etc/ipsec.secrets <<EOF
%any %any : PSK "$VPN_IPSEC_PSK" %any %any : PSK "$VPN_IPSEC_PSK"
EOF EOF
# Create xl2tpd config # Create xl2tpd config
conf_bk "/etc/xl2tpd/xl2tpd.conf" conf_bk "/etc/xl2tpd/xl2tpd.conf"
cat > /etc/xl2tpd/xl2tpd.conf <<EOF cat > /etc/xl2tpd/xl2tpd.conf <<EOF
@ -442,7 +437,6 @@ name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes length bit = yes
EOF EOF
# Set xl2tpd options # Set xl2tpd options
conf_bk "/etc/ppp/options.xl2tpd" conf_bk "/etc/ppp/options.xl2tpd"
cat > /etc/ppp/options.xl2tpd <<EOF cat > /etc/ppp/options.xl2tpd <<EOF
@ -459,19 +453,16 @@ lcp-echo-interval 30
connect-delay 5000 connect-delay 5000
ms-dns $DNS_SRV1 ms-dns $DNS_SRV1
EOF EOF
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
cat >> /etc/ppp/options.xl2tpd <<EOF cat >> /etc/ppp/options.xl2tpd <<EOF
ms-dns $DNS_SRV2 ms-dns $DNS_SRV2
EOF EOF
fi fi
# Create VPN credentials # Create VPN credentials
conf_bk "/etc/ppp/chap-secrets" conf_bk "/etc/ppp/chap-secrets"
cat > /etc/ppp/chap-secrets <<EOF cat > /etc/ppp/chap-secrets <<EOF
"$VPN_USER" l2tpd "$VPN_PASSWORD" * "$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF EOF
conf_bk "/etc/ipsec.d/passwd" conf_bk "/etc/ipsec.d/passwd"
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD") VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
cat > /etc/ipsec.d/passwd <<EOF cat > /etc/ipsec.d/passwd <<EOF
@ -539,7 +530,6 @@ update_iptables() {
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
ipt_flag=1 ipt_flag=1
fi fi
ipi='iptables -I INPUT' ipi='iptables -I INPUT'
ipf='iptables -I FORWARD' ipf='iptables -I FORWARD'
ipp='iptables -t nat -I POSTROUTING' ipp='iptables -t nat -I POSTROUTING'
@ -613,7 +603,6 @@ enable_on_boot() {
else else
systemctl enable iptables fail2ban 2>/dev/null systemctl enable iptables fail2ban 2>/dev/null
fi fi
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
if [ -f /etc/rc.local ]; then if [ -f /etc/rc.local ]; then
conf_bk "/etc/rc.local" conf_bk "/etc/rc.local"
@ -634,26 +623,21 @@ EOF
start_services() { start_services() {
bigecho "Starting services..." bigecho "Starting services..."
sysctl -e -q -p sysctl -e -q -p
chmod +x /etc/rc.local chmod +x /etc/rc.local
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
if [ "$use_nft" = "1" ]; then if [ "$use_nft" = "1" ]; then
nft -f "$IPT_FILE" nft -f "$IPT_FILE"
else else
iptables-restore < "$IPT_FILE" iptables-restore < "$IPT_FILE"
fi fi
# Fix xl2tpd if l2tp_ppp is unavailable # Fix xl2tpd if l2tp_ppp is unavailable
if ! modprobe -q l2tp_ppp; then if ! modprobe -q l2tp_ppp; then
sed -i '/^ExecStartPre=\//s/=/=-/' /usr/lib/systemd/system/xl2tpd.service sed -i '/^ExecStartPre=\//s/=/=-/' /usr/lib/systemd/system/xl2tpd.service
systemctl daemon-reload systemctl daemon-reload
fi fi
mkdir -p /run/pluto mkdir -p /run/pluto
service fail2ban restart 2>/dev/null service fail2ban restart 2>/dev/null
service ipsec restart 2>/dev/null service ipsec restart 2>/dev/null

20
vpnsetup_ubuntu.sh
View File

@ -1,7 +1,6 @@
#!/bin/bash #!/bin/bash
# #
# Script for automatic setup of an IPsec VPN server on Ubuntu and Debian # Script for automatic setup of an IPsec VPN server on Ubuntu and Debian
# Works on any dedicated server or virtual private server (VPS)
# #
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
# #
@ -149,7 +148,7 @@ check_client_name() {
if [ -n "$VPN_CLIENT_NAME" ]; then if [ -n "$VPN_CLIENT_NAME" ]; then
name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)" name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)"
if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then || case $VPN_CLIENT_NAME in -*) true ;; *) false ;; esac; then
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'." exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
fi fi
fi fi
@ -335,7 +334,6 @@ EOF
create_vpn_config() { create_vpn_config() {
bigecho "Creating VPN configuration..." bigecho "Creating VPN configuration..."
L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'} L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'}
L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'} L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'}
L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'} L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'}
@ -345,7 +343,6 @@ create_vpn_config() {
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'} DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\"" DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1" [ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
# Create IPsec config # Create IPsec config
conf_bk "/etc/ipsec.conf" conf_bk "/etc/ipsec.conf"
cat > /etc/ipsec.conf <<EOF cat > /etc/ipsec.conf <<EOF
@ -396,19 +393,16 @@ conn xauth-psk
include /etc/ipsec.d/*.conf include /etc/ipsec.d/*.conf
EOF EOF
if uname -m | grep -qi '^arm'; then if uname -m | grep -qi '^arm'; then
if ! modprobe -q sha512; then if ! modprobe -q sha512; then
sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
fi fi
fi fi
# Specify IPsec PSK # Specify IPsec PSK
conf_bk "/etc/ipsec.secrets" conf_bk "/etc/ipsec.secrets"
cat > /etc/ipsec.secrets <<EOF cat > /etc/ipsec.secrets <<EOF
%any %any : PSK "$VPN_IPSEC_PSK" %any %any : PSK "$VPN_IPSEC_PSK"
EOF EOF
# Create xl2tpd config # Create xl2tpd config
conf_bk "/etc/xl2tpd/xl2tpd.conf" conf_bk "/etc/xl2tpd/xl2tpd.conf"
cat > /etc/xl2tpd/xl2tpd.conf <<EOF cat > /etc/xl2tpd/xl2tpd.conf <<EOF
@ -425,7 +419,6 @@ name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes length bit = yes
EOF EOF
# Set xl2tpd options # Set xl2tpd options
conf_bk "/etc/ppp/options.xl2tpd" conf_bk "/etc/ppp/options.xl2tpd"
cat > /etc/ppp/options.xl2tpd <<EOF cat > /etc/ppp/options.xl2tpd <<EOF
@ -442,19 +435,16 @@ lcp-echo-interval 30
connect-delay 5000 connect-delay 5000
ms-dns $DNS_SRV1 ms-dns $DNS_SRV1
EOF EOF
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
cat >> /etc/ppp/options.xl2tpd <<EOF cat >> /etc/ppp/options.xl2tpd <<EOF
ms-dns $DNS_SRV2 ms-dns $DNS_SRV2
EOF EOF
fi fi
# Create VPN credentials # Create VPN credentials
conf_bk "/etc/ppp/chap-secrets" conf_bk "/etc/ppp/chap-secrets"
cat > /etc/ppp/chap-secrets <<EOF cat > /etc/ppp/chap-secrets <<EOF
"$VPN_USER" l2tpd "$VPN_PASSWORD" * "$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF EOF
conf_bk "/etc/ipsec.d/passwd" conf_bk "/etc/ipsec.d/passwd"
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD") VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
cat > /etc/ipsec.d/passwd <<EOF cat > /etc/ipsec.d/passwd <<EOF
@ -498,7 +488,6 @@ update_iptables() {
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
ipt_flag=1 ipt_flag=1
fi fi
ipi='iptables -I INPUT' ipi='iptables -I INPUT'
ipf='iptables -I FORWARD' ipf='iptables -I FORWARD'
ipp='iptables -t nat -I POSTROUTING' ipp='iptables -t nat -I POSTROUTING'
@ -524,7 +513,6 @@ update_iptables() {
$ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE $ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
iptables-save >> "$IPT_FILE" iptables-save >> "$IPT_FILE"
if [ -f "$IPT_FILE2" ]; then if [ -f "$IPT_FILE2" ]; then
conf_bk "$IPT_FILE2" conf_bk "$IPT_FILE2"
/bin/cp -f "$IPT_FILE" "$IPT_FILE2" /bin/cp -f "$IPT_FILE" "$IPT_FILE2"
@ -555,7 +543,6 @@ enable_on_boot() {
if [ -f "$IPT_FILE2" ] && { [ -f "$IPT_PST" ] || [ -f "$IPT_PST2" ]; }; then if [ -f "$IPT_FILE2" ] && { [ -f "$IPT_PST" ] || [ -f "$IPT_PST2" ]; }; then
ipt_load=0 ipt_load=0
fi fi
if [ "$ipt_load" = "1" ]; then if [ "$ipt_load" = "1" ]; then
mkdir -p /etc/network/if-pre-up.d mkdir -p /etc/network/if-pre-up.d
cat > /etc/network/if-pre-up.d/iptablesload <<'EOF' cat > /etc/network/if-pre-up.d/iptablesload <<'EOF'
@ -564,7 +551,6 @@ iptables-restore < /etc/iptables.rules
exit 0 exit 0
EOF EOF
chmod +x /etc/network/if-pre-up.d/iptablesload chmod +x /etc/network/if-pre-up.d/iptablesload
if [ -f /usr/sbin/netplan ]; then if [ -f /usr/sbin/netplan ]; then
mkdir -p /etc/systemd/system mkdir -p /etc/systemd/system
cat > /etc/systemd/system/load-iptables-rules.service <<'EOF' cat > /etc/systemd/system/load-iptables-rules.service <<'EOF'
@ -588,12 +574,10 @@ EOF
systemctl enable load-iptables-rules 2>/dev/null systemctl enable load-iptables-rules 2>/dev/null
fi fi
fi fi
for svc in fail2ban ipsec xl2tpd; do for svc in fail2ban ipsec xl2tpd; do
update-rc.d "$svc" enable >/dev/null 2>&1 update-rc.d "$svc" enable >/dev/null 2>&1
systemctl enable "$svc" 2>/dev/null systemctl enable "$svc" 2>/dev/null
done done
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
if [ -f /etc/rc.local ]; then if [ -f /etc/rc.local ]; then
conf_bk "/etc/rc.local" conf_bk "/etc/rc.local"
@ -616,10 +600,8 @@ EOF
start_services() { start_services() {
bigecho "Starting services..." bigecho "Starting services..."
sysctl -e -q -p sysctl -e -q -p
chmod +x /etc/rc.local chmod +x /etc/rc.local
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
mkdir -p /run/pluto mkdir -p /run/pluto
service fail2ban restart 2>/dev/null service fail2ban restart 2>/dev/null
service ipsec restart 2>/dev/null service ipsec restart 2>/dev/null