mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2024-11-23 21:36:09 +03:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: mirror:b48021c5e625586c844d11691a39ffbaa0be0a15
Branches Tags
mirror:master
..
compare: mirror:1c91ac2c3aca6f6709c7a42b8730e037ff945902
Branches Tags
mirror:master

No commits in common. "b48021c5e625586c844d11691a39ffbaa0be0a15" and "1c91ac2c3aca6f6709c7a42b8730e037ff945902" have entirely different histories.
b48021c5e6 ... 1c91ac2c3a

18 changed files with 386 additions and 216 deletions
Show Stats Expand all files Collapse all files

12
.github/workflows/check_urls.yml vendored
View File

@ -32,7 +32,6 @@ jobs:
wg="wget -t 3 -T 30 -nv -O"
gh="https://github.com/hwdsl2/setup-ipsec-vpn/raw/master"
gl="https://gitlab.com/hwdsl2/setup-ipsec-vpn/-/raw/master"
gi="https://git.io"
$wg vpnsetup.sh "$gi/vpnsetup"
@ -51,7 +50,6 @@ jobs:
$wg vpnuninstall.sh "$gi/vpnuninstall"
$wg vpnsetup2.sh "$gh/vpnsetup.sh"
$wg vpnsetup3.sh "$gl/vpnsetup.sh"
$wg vpnsetup_centos2.sh "$gh/vpnsetup_centos.sh"
$wg vpnsetup_amzn2.sh "$gh/vpnsetup_amzn.sh"
$wg vpnsetup_ubuntu2.sh "$gh/vpnsetup_ubuntu.sh"
@ -81,7 +79,6 @@ jobs:
diff vpnuninstall.sh ../extras/vpnuninstall.sh
diff vpnsetup2.sh ../vpnsetup.sh
diff vpnsetup3.sh ../vpnsetup.sh
diff vpnsetup_centos2.sh ../vpnsetup_centos.sh
diff vpnsetup_amzn2.sh ../vpnsetup_amzn.sh
diff vpnsetup_ubuntu2.sh ../vpnsetup_ubuntu.sh
@ -106,8 +103,7 @@ jobs:
$wg 3.deb "$url2/$deb3"
bl="https://bit.ly"
curl -fsSI "$bl/addvpnuser" | grep -q 'add_vpn_user.sh'
curl -fsSI "$bl/delvpnuser" | grep -q 'del_vpn_user.sh'
curl -fsSI "$bl/updatevpnusers" | grep -q 'update_vpn_users.sh'
curl -fsSI "$bl/ikev2onlymode" | grep -q 'ikev2onlymode.sh'
curl -fsSI "$bl/ikev2changeaddr" | grep -q 'ikev2changeaddr.sh'
curl -fsSI "$bl/addvpnuser" | grep -q 'add_vpn_user.sh'
curl -fsSI "$bl/delvpnuser" | grep -q 'del_vpn_user.sh'
curl -fsSI "$bl/updatevpnusers" | grep -q 'update_vpn_users.sh'
curl -fsSI "$bl/ikev2onlymode" | grep -q 'ikev2onlymode.sh'

2
README-zh.md
View File

@ -274,7 +274,7 @@ wget https://gitlab.com/hwdsl2/setup-ipsec-vpn/-/raw/master/extras/vpnupgrade.sh
## 问题和反馈
- 如果你有对本项目的建议,请提交一个 [改进建议](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose),或者欢迎提交 [Pull request](https://github.com/hwdsl2/setup-ipsec-vpn/pulls)。
- 如果你有意见或建议,请 [发送反馈](https://bit.ly/vpn-feedback) 或提交一个 [改进建议](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose),或者欢迎提交 [Pull request](https://github.com/hwdsl2/setup-ipsec-vpn/pulls)。
- 如果你发现了一个可重复的程序漏洞,请为 [IPsec VPN](https://github.com/libreswan/libreswan/issues?q=is%3Aissue) 或者 [VPN 脚本](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose) 提交一个错误报告。
- 有问题需要提问?请先搜索 [已有的 issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) 以及在 [这个 Gist](https://gist.github.com/hwdsl2/9030462#comments) 和 [我的博客](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread) 上已有的留言。
- VPN 的相关问题可在 [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) 或 [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) 邮件列表提问,或者参考这些网站:[[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup)。

2
README.md
View File

@ -274,7 +274,7 @@ See [Uninstall the VPN](docs/uninstall.md).
## Feedback & Questions
- Have a suggestion for this project? Open an [Enhancement request](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose). [Pull requests](https://github.com/hwdsl2/setup-ipsec-vpn/pulls) are also welcome.
- Have a comment or suggestion? [Send feedback](https://bit.ly/vpn-feedback) or open an [Enhancement request](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose). [Pull requests](https://github.com/hwdsl2/setup-ipsec-vpn/pulls) are also welcome.
- If you found a reproducible bug, open a bug report for the [IPsec VPN](https://github.com/libreswan/libreswan/issues?q=is%3Aissue) or for the [VPN scripts](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose).
- Got a question? Please first search [existing issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) and comments [in this Gist](https://gist.github.com/hwdsl2/9030462#comments) and [on my blog](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread).
- Ask VPN related questions on the [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) or [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) mailing list, or read these wikis: [[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup).

141
extras/add_vpn_user.sh
View File

@ -28,57 +28,67 @@ EOF
}
add_vpn_user() {
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo bash $0'"
fi
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
|| [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo bash $0'"
fi
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
|| [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then
cat 1>&2 <<'EOF'
Error: Your must first set up the IPsec VPN server before adding VPN users.
See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi
command -v openssl >/dev/null 2>&1 || exiterr "'openssl' not found. Abort."
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
exit 1
fi
command -v openssl >/dev/null 2>&1 || exiterr "'openssl' not found. Abort."
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
cat 1>&2 <<EOF
Usage: sudo bash $0 'username_to_add' 'password'
sudo bash $0 'username_to_update' 'new_password'
You may also run this script interactively without arguments.
EOF
exit 1
fi
VPN_USER=$1
VPN_PASSWORD=$2
if [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
show_intro
echo
echo "List of existing VPN usernames:"
cut -f1 -d : /etc/ipsec.d/passwd | LC_ALL=C sort
echo
echo "Enter the VPN username you want to add or update."
read -rp "Username: " VPN_USER
if [ -z "$VPN_USER" ]; then
echo "Abort. No changes were made." >&2
exit 1
fi
VPN_USER=$1
VPN_PASSWORD=$2
if [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
show_intro
echo
echo "List of existing VPN usernames:"
cut -f1 -d : /etc/ipsec.d/passwd | LC_ALL=C sort
echo
echo "Enter the VPN username you want to add or update."
read -rp "Username: " VPN_USER
if [ -z "$VPN_USER" ]; then
echo "Abort. No changes were made." >&2
exit 1
fi
read -rp "Password: " VPN_PASSWORD
if [ -z "$VPN_PASSWORD" ]; then
echo "Abort. No changes were made." >&2
exit 1
fi
fi
if printf '%s' "$VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN credentials must not contain non-ASCII characters."
fi
case "$VPN_USER $VPN_PASSWORD" in
*[\\\"\']*)
exiterr "VPN credentials must not contain these special characters: \\ \" '"
;;
esac
if [ -n "$1" ] && [ -n "$2" ]; then
show_intro
read -rp "Password: " VPN_PASSWORD
if [ -z "$VPN_PASSWORD" ]; then
echo "Abort. No changes were made." >&2
exit 1
fi
fi
if printf '%s' "$VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN credentials must not contain non-ASCII characters."
fi
case "$VPN_USER $VPN_PASSWORD" in
*[\\\"\']*)
exiterr "VPN credentials must not contain these special characters: \\ \" '"
;;
esac
if [ -n "$1" ] && [ -n "$2" ]; then
show_intro
fi
cat <<EOF
================================================
@ -96,35 +106,41 @@ Setup VPN clients: https://git.io/vpnclients
================================================
EOF
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
[yY][eE][sS]|[yY]|'')
echo
echo "Adding or updating VPN user..."
echo
;;
*)
echo "Abort. No changes were made."
exit 1
;;
esac
# Backup config files
conf_bk "/etc/ppp/chap-secrets"
conf_bk "/etc/ipsec.d/passwd"
# Add or update VPN user
sed -i "/^\"$VPN_USER\" /d" /etc/ppp/chap-secrets
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
[yY][eE][sS]|[yY]|'')
echo
echo "Adding or updating VPN user..."
echo
;;
*)
echo "Abort. No changes were made."
exit 1
;;
esac
# Backup config files
conf_bk "/etc/ppp/chap-secrets"
conf_bk "/etc/ipsec.d/passwd"
# Add or update VPN user
sed -i "/^\"$VPN_USER\" /d" /etc/ppp/chap-secrets
cat >> /etc/ppp/chap-secrets <<EOF
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF
# shellcheck disable=SC2016
sed -i '/^'"$VPN_USER"':\$1\$/d' /etc/ipsec.d/passwd
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
# shellcheck disable=SC2016
sed -i '/^'"$VPN_USER"':\$1\$/d' /etc/ipsec.d/passwd
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
cat >> /etc/ipsec.d/passwd <<EOF
$VPN_USER:$VPN_PASSWORD_ENC:xauth-psk
EOF
# Update file attributes
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
# Update file attributes
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
cat <<'EOF'
Done!
@ -132,6 +148,7 @@ Note: All VPN users will share the same IPsec PSK.
If you forgot the PSK, check /etc/ipsec.secrets.
EOF
}
## Defer until we have the complete script

139
extras/del_vpn_user.sh
View File

@ -25,63 +25,74 @@ EOF
}
del_vpn_user() {
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo bash $0'"
fi
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
|| [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo bash $0'"
fi
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
|| [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then
cat 1>&2 <<'EOF'
Error: Your must first set up the IPsec VPN server before deleting VPN users.
See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
exit 1
fi
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
cat 1>&2 <<EOF
Usage: sudo bash $0 'username_to_delete'
You may also run this script interactively without arguments.
EOF
exit 1
fi
VPN_USER=$1
if [ -z "$VPN_USER" ]; then
show_intro
echo
echo "List of existing VPN usernames:"
cut -f1 -d : /etc/ipsec.d/passwd | LC_ALL=C sort
echo
echo "Enter the VPN username you want to delete."
read -rp "Username: " VPN_USER
if [ -z "$VPN_USER" ]; then
echo "Abort. No changes were made." >&2
exit 1
fi
VPN_USER=$1
if [ -z "$VPN_USER" ]; then
show_intro
echo
echo "List of existing VPN usernames:"
cut -f1 -d : /etc/ipsec.d/passwd | LC_ALL=C sort
echo
echo "Enter the VPN username you want to delete."
read -rp "Username: " VPN_USER
if [ -z "$VPN_USER" ]; then
echo "Abort. No changes were made." >&2
exit 1
fi
fi
if printf '%s' "$VPN_USER" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN username must not contain non-ASCII characters."
fi
case "$VPN_USER" in
*[\\\"\']*)
exiterr "VPN username must not contain these special characters: \\ \" '"
;;
esac
if [ "$(grep -c "^\"$VPN_USER\" " /etc/ppp/chap-secrets)" = "0" ] \
|| [ "$(grep -c "^$VPN_USER:\\\$1\\\$" /etc/ipsec.d/passwd)" = "0" ]; then
fi
if printf '%s' "$VPN_USER" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN username must not contain non-ASCII characters."
fi
case "$VPN_USER" in
*[\\\"\']*)
exiterr "VPN username must not contain these special characters: \\ \" '"
;;
esac
if [ "$(grep -c "^\"$VPN_USER\" " /etc/ppp/chap-secrets)" = "0" ] \
|| [ "$(grep -c "^$VPN_USER:\\\$1\\\$" /etc/ipsec.d/passwd)" = "0" ]; then
cat 1>&2 <<'EOF'
Error: The specified VPN user does not exist in /etc/ppp/chap-secrets
and/or /etc/ipsec.d/passwd.
EOF
exit 1
fi
if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = "1" ] \
|| [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = "1" ]; then
exit 1
fi
if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = "1" ] \
|| [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = "1" ]; then
cat 1>&2 <<'EOF'
Error: Could not delete the only VPN user from /etc/ppp/chap-secrets
and/or /etc/ipsec.d/passwd.
EOF
exit 1
fi
[ -n "$1" ] && show_intro
exit 1
fi
[ -n "$1" ] && show_intro
cat <<EOF
================================================
@ -93,32 +104,38 @@ Username: $VPN_USER
================================================
EOF
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
[yY][eE][sS]|[yY]|'')
echo
echo "Deleting VPN user..."
echo
;;
*)
echo "Abort. No changes were made."
exit 1
;;
esac
# Backup config files
conf_bk "/etc/ppp/chap-secrets"
conf_bk "/etc/ipsec.d/passwd"
# Delete VPN user
sed -i "/^\"$VPN_USER\" /d" /etc/ppp/chap-secrets
# shellcheck disable=SC2016
sed -i '/^'"$VPN_USER"':\$1\$/d' /etc/ipsec.d/passwd
# Update file attributes
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
[yY][eE][sS]|[yY]|'')
echo
echo "Deleting VPN user..."
echo
;;
*)
echo "Abort. No changes were made."
exit 1
;;
esac
# Backup config files
conf_bk "/etc/ppp/chap-secrets"
conf_bk "/etc/ipsec.d/passwd"
# Delete VPN user
sed -i "/^\"$VPN_USER\" /d" /etc/ppp/chap-secrets
# shellcheck disable=SC2016
sed -i '/^'"$VPN_USER"':\$1\$/d' /etc/ipsec.d/passwd
# Update file attributes
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
cat <<'EOF'
Done!
EOF
}
## Defer until we have the complete script

9
extras/ikev2setup.sh
View File

@ -151,14 +151,14 @@ confirm_or_abort() {
show_header() {
cat <<'EOF'
IKEv2 Script Copyright (c) 2020-2022 Lin Song 27 Apr 2022
IKEv2 Script Copyright (c) 2020-2022 Lin Song 7 Apr 2022
EOF
}
show_usage() {
if [ -n "$1" ]; then
echo "Error: $1" >&2
echo "Error: $1" >&2;
fi
show_header
cat 1>&2 <<EOF
@ -186,7 +186,7 @@ check_ikev2_exists() {
check_client_name() {
! { [ "${#1}" -gt "64" ] || printf '%s' "$1" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $1 in -*) true ;; *) false ;; esac; }
|| case $1 in -*) true;; *) false;; esac; }
}
check_cert_exists() {
@ -1271,7 +1271,8 @@ EOF
cat <<'EOF'
Next steps: Configure IKEv2 clients. See:
https://git.io/ikev2clients
https://git.io/ikev2clients
Feedback: https://bit.ly/vpn-feedback
================================================

13
extras/quickstart.sh
View File

@ -1,7 +1,8 @@
#!/bin/sh
#
# Script for automatic setup of an IPsec VPN server on Ubuntu, Debian, CentOS/RHEL,
# Quick start script to set up an IPsec VPN server on Ubuntu, Debian, CentOS/RHEL,
# Rocky Linux, AlmaLinux, Oracle Linux, Amazon Linux 2 and Alpine Linux
# Works on any dedicated server or virtual private server (VPS)
#
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
#
@ -158,15 +159,19 @@ check_creds() {
[ -n "$YOUR_IPSEC_PSK" ] && VPN_IPSEC_PSK="$YOUR_IPSEC_PSK"
[ -n "$YOUR_USERNAME" ] && VPN_USER="$YOUR_USERNAME"
[ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD"
if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
return 0
fi
if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
fi
if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN credentials must not contain non-ASCII characters."
fi
case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
*[\\\"\']*)
exiterr "VPN credentials must not contain these special characters: \\ \" '"
@ -191,7 +196,7 @@ check_client_name() {
if [ -n "$VPN_CLIENT_NAME" ]; then
name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)"
if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $VPN_CLIENT_NAME in -*) true ;; *) false ;; esac; then
|| case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
fi
fi
@ -288,7 +293,7 @@ run_setup() {
fi
}
vpnsetup() {
quickstart() {
check_root
check_vz
check_lxc
@ -305,6 +310,6 @@ vpnsetup() {
}
## Defer setup until we have the complete script
vpnsetup "$@"
quickstart "$@"
exit "$status"

159
extras/update_vpn_users.sh
View File

@ -39,46 +39,57 @@ noquotes() { printf '%s' "$1" | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/";
noquotes2() { printf '%s' "$1" | sed -e 's/" "/ /g' -e "s/' '/ /g"; }
update_vpn_users() {
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo bash $0'"
fi
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
|| [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo bash $0'"
fi
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
|| [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then
cat 1>&2 <<'EOF'
Error: Your must first set up the IPsec VPN server before updating VPN users.
See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi
command -v openssl >/dev/null 2>&1 || exiterr "'openssl' not found. Abort."
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
exit 1
fi
command -v openssl >/dev/null 2>&1 || exiterr "'openssl' not found. Abort."
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
cat 1>&2 <<'EOF'
For usage information, visit https://git.io/vpnnotes, then click on Manage VPN Users.
EOF
exit 1
fi
[ -n "$YOUR_USERNAMES" ] && VPN_USERS="$YOUR_USERNAMES"
[ -n "$YOUR_PASSWORDS" ] && VPN_PASSWORDS="$YOUR_PASSWORDS"
VPN_USERS=$(noquotes "$VPN_USERS")
VPN_USERS=$(onespace "$VPN_USERS")
VPN_USERS=$(noquotes2 "$VPN_USERS")
VPN_PASSWORDS=$(noquotes "$VPN_PASSWORDS")
VPN_PASSWORDS=$(onespace "$VPN_PASSWORDS")
VPN_PASSWORDS=$(noquotes2 "$VPN_PASSWORDS")
if [ -z "$VPN_USERS" ] || [ -z "$VPN_PASSWORDS" ]; then
exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
fi
if printf '%s' "$VPN_USERS $VPN_PASSWORDS" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN credentials must not contain non-ASCII characters."
fi
case "$VPN_USERS $VPN_PASSWORDS" in
*[\\\"\']*)
exiterr "VPN credentials must not contain these special characters: \\ \" '"
;;
esac
if printf '%s' "$VPN_USERS" | tr ' ' '\n' | sort | uniq -c | grep -qv '^ *1 '; then
exiterr "VPN usernames must not contain duplicates."
fi
exit 1
fi
[ -n "$YOUR_USERNAMES" ] && VPN_USERS="$YOUR_USERNAMES"
[ -n "$YOUR_PASSWORDS" ] && VPN_PASSWORDS="$YOUR_PASSWORDS"
VPN_USERS=$(noquotes "$VPN_USERS")
VPN_USERS=$(onespace "$VPN_USERS")
VPN_USERS=$(noquotes2 "$VPN_USERS")
VPN_PASSWORDS=$(noquotes "$VPN_PASSWORDS")
VPN_PASSWORDS=$(onespace "$VPN_PASSWORDS")
VPN_PASSWORDS=$(noquotes2 "$VPN_PASSWORDS")
if [ -z "$VPN_USERS" ] || [ -z "$VPN_PASSWORDS" ]; then
exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
fi
if printf '%s' "$VPN_USERS $VPN_PASSWORDS" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN credentials must not contain non-ASCII characters."
fi
case "$VPN_USERS $VPN_PASSWORDS" in
*[\\\"\']*)
exiterr "VPN credentials must not contain these special characters: \\ \" '"
;;
esac
if printf '%s' "$VPN_USERS" | tr ' ' '\n' | sort | uniq -c | grep -qv '^ *1 '; then
exiterr "VPN usernames must not contain duplicates."
fi
cat <<'EOF'
Welcome! Use this script to update VPN user accounts for both
@ -92,17 +103,19 @@ WARNING: *ALL* existing VPN users will be removed and replaced
Updated list of VPN users (username | password):
EOF
count=1
vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1)
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -d ' ' -f 1)
while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]; do
count=1
vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1)
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -d ' ' -f 1)
while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]; do
cat <<EOF
$vpn_user | $vpn_password
EOF
count=$((count+1))
vpn_user=$(printf '%s' "$VPN_USERS" | cut -s -d ' ' -f "$count")
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -s -d ' ' -f "$count")
done
count=$((count+1))
vpn_user=$(printf '%s' "$VPN_USERS" | cut -s -d ' ' -f "$count")
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -s -d ' ' -f "$count")
done
cat <<'EOF'
Write these down. You'll need them to connect!
@ -113,41 +126,46 @@ Setup VPN clients: https://git.io/vpnclients
==================================================
EOF
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
[yY][eE][sS]|[yY]|'')
echo
echo "Updating VPN users..."
echo
;;
*)
echo "Abort. No changes were made."
exit 1
;;
esac
# Backup and remove config files
conf_bk "/etc/ppp/chap-secrets"
conf_bk "/etc/ipsec.d/passwd"
/bin/rm -f /etc/ppp/chap-secrets /etc/ipsec.d/passwd
# Update VPN users
count=1
vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1)
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -d ' ' -f 1)
while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]; do
vpn_password_enc=$(openssl passwd -1 "$vpn_password")
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
[yY][eE][sS]|[yY]|'')
echo
echo "Updating VPN users..."
echo
;;
*)
echo "Abort. No changes were made."
exit 1
;;
esac
# Backup and remove config files
conf_bk "/etc/ppp/chap-secrets"
conf_bk "/etc/ipsec.d/passwd"
/bin/rm -f /etc/ppp/chap-secrets /etc/ipsec.d/passwd
# Update VPN users
count=1
vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1)
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -d ' ' -f 1)
while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]; do
vpn_password_enc=$(openssl passwd -1 "$vpn_password")
cat >> /etc/ppp/chap-secrets <<EOF
"$vpn_user" l2tpd "$vpn_password" *
EOF
cat >> /etc/ipsec.d/passwd <<EOF
$vpn_user:$vpn_password_enc:xauth-psk
EOF
count=$((count+1))
vpn_user=$(printf '%s' "$VPN_USERS" | cut -s -d ' ' -f "$count")
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -s -d ' ' -f "$count")
done
# Update file attributes
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
count=$((count+1))
vpn_user=$(printf '%s' "$VPN_USERS" | cut -s -d ' ' -f "$count")
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -s -d ' ' -f "$count")
done
# Update file attributes
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
cat <<'EOF'
Done!
@ -155,6 +173,7 @@ Note: All VPN users will share the same IPsec PSK.
If you forgot the PSK, check /etc/ipsec.secrets.
EOF
}
## Defer until we have the complete script

2
extras/vpnuninstall.sh
View File

@ -234,6 +234,7 @@ update_iptables_rules() {
if grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
ipt_flag=1
fi
ipi='iptables -D INPUT'
ipf='iptables -D FORWARD'
ipp='iptables -t nat -D POSTROUTING'
@ -260,6 +261,7 @@ update_iptables_rules() {
$ipp -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
$ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
iptables-save > "$IPT_FILE"
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
if [ -f "$IPT_FILE2" ]; then
conf_bk "$IPT_FILE2"

11
extras/vpnupgrade_alpine.sh
View File

@ -106,6 +106,7 @@ Note: This script will make the following changes to your VPN configuration:
Your other VPN config files will not be modified.
EOF
if [ "$SWAN_VER" != "$swan_ver_cur" ]; then
cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
@ -114,6 +115,7 @@ WARNING: Older versions of Libreswan could contain known security vulnerabilitie
EOF
fi
if [ "$swan_ver_old" = "$SWAN_VER" ]; then
cat <<EOF
Note: You already have Libreswan version $SWAN_VER installed!
@ -121,6 +123,7 @@ Note: You already have Libreswan version $SWAN_VER installed!
EOF
fi
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
@ -183,6 +186,7 @@ EOF
set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
)
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
@ -211,17 +215,20 @@ update_config() {
bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
if uname -m | grep -qi '^arm'; then
if ! modprobe -q sha512; then
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2"
fi
fi
dns_state=0
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
sed -i".old-$SYS_DT" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
@ -230,14 +237,17 @@ update_config() {
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi
sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi
@ -260,6 +270,7 @@ Libreswan $SWAN_VER has been successfully installed!
================================================
EOF
if [ "$dns_state" = "3" ]; then
cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace

10
extras/vpnupgrade_amzn.sh
View File

@ -90,6 +90,7 @@ Note: This script will make the following changes to your VPN configuration:
Your other VPN config files will not be modified.
EOF
if [ "$SWAN_VER" != "$swan_ver_cur" ]; then
cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
@ -98,6 +99,7 @@ WARNING: Older versions of Libreswan could contain known security vulnerabilitie
EOF
fi
if [ "$swan_ver_old" = "$SWAN_VER" ]; then
cat <<EOF
Note: You already have Libreswan version $SWAN_VER installed!
@ -105,6 +107,7 @@ Note: You already have Libreswan version $SWAN_VER installed!
EOF
fi
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
@ -171,6 +174,7 @@ EOF
set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
)
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
@ -205,12 +209,14 @@ update_config() {
bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
dns_state=0
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
sed -i".old-$SYS_DT" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
@ -219,14 +225,17 @@ update_config() {
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi
sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi
@ -248,6 +257,7 @@ Libreswan $SWAN_VER has been successfully installed!
================================================
EOF
if [ "$dns_state" = "3" ]; then
cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace

10
extras/vpnupgrade_centos.sh
View File

@ -116,6 +116,7 @@ Note: This script will make the following changes to your VPN configuration:
Your other VPN config files will not be modified.
EOF
if [ "$SWAN_VER" != "$swan_ver_cur" ]; then
cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
@ -124,6 +125,7 @@ WARNING: Older versions of Libreswan could contain known security vulnerabilitie
EOF
fi
if [ "$swan_ver_old" = "$SWAN_VER" ]; then
cat <<EOF
Note: You already have Libreswan version $SWAN_VER installed!
@ -131,6 +133,7 @@ Note: You already have Libreswan version $SWAN_VER installed!
EOF
fi
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
@ -221,6 +224,7 @@ EOF
set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
)
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
@ -255,12 +259,14 @@ update_config() {
bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
dns_state=0
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
sed -i".old-$SYS_DT" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
@ -269,14 +275,17 @@ update_config() {
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi
sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi
@ -298,6 +307,7 @@ Libreswan $SWAN_VER has been successfully installed!
================================================
EOF
if [ "$dns_state" = "3" ]; then
cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace

12
extras/vpnupgrade_ubuntu.sh
View File

@ -89,6 +89,7 @@ check_swan_ver() {
if [ "$SWAN_VER" = "3.32" ] && [ "$os_ver" = "11" ]; then
exiterr "Libreswan 3.32 is not supported on Debian 11."
fi
if [ "$SWAN_VER" != "3.32" ] \
&& { ! printf '%s\n%s' "4.1" "$SWAN_VER" | sort -C -V \
|| ! printf '%s\n%s' "$SWAN_VER" "$swan_ver_cur" | sort -C -V; }; then
@ -116,6 +117,7 @@ Note: This script will make the following changes to your VPN configuration:
Your other VPN config files will not be modified.
EOF
if [ "$SWAN_VER" != "$swan_ver_cur" ]; then
cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
@ -124,6 +126,7 @@ WARNING: Older versions of Libreswan could contain known security vulnerabilitie
EOF
fi
if [ "$swan_ver_old" = "$SWAN_VER" ]; then
cat <<EOF
Note: You already have Libreswan version $SWAN_VER installed!
@ -131,6 +134,7 @@ Note: You already have Libreswan version $SWAN_VER installed!
EOF
fi
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
@ -213,6 +217,7 @@ EOF
set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
)
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
@ -241,17 +246,20 @@ update_config() {
bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
if uname -m | grep -qi '^arm'; then
if ! modprobe -q sha512; then
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2"
fi
fi
dns_state=0
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
sed -i".old-$SYS_DT" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
@ -260,14 +268,17 @@ update_config() {
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2=/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi
sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi
@ -289,6 +300,7 @@ Libreswan $SWAN_VER has been successfully installed!
================================================
EOF
if [ "$dns_state" = "3" ]; then
cat <<'EOF'
IMPORTANT: You must edit /etc/ipsec.conf and replace

7
vpnsetup.sh
View File

@ -2,6 +2,7 @@
#
# Script for automatic setup of an IPsec VPN server on Ubuntu, Debian, CentOS/RHEL,
# Rocky Linux, AlmaLinux, Oracle Linux, Amazon Linux 2 and Alpine Linux
# Works on any dedicated server or virtual private server (VPS)
#
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
#
@ -158,15 +159,19 @@ check_creds() {
[ -n "$YOUR_IPSEC_PSK" ] && VPN_IPSEC_PSK="$YOUR_IPSEC_PSK"
[ -n "$YOUR_USERNAME" ] && VPN_USER="$YOUR_USERNAME"
[ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD"
if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
return 0
fi
if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
fi
if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN credentials must not contain non-ASCII characters."
fi
case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
*[\\\"\']*)
exiterr "VPN credentials must not contain these special characters: \\ \" '"
@ -191,7 +196,7 @@ check_client_name() {
if [ -n "$VPN_CLIENT_NAME" ]; then
name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)"
if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $VPN_CLIENT_NAME in -*) true ;; *) false ;; esac; then
|| case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
fi
fi

17
vpnsetup_alpine.sh
View File

@ -1,6 +1,7 @@
#!/bin/bash
#
# Script for automatic setup of an IPsec VPN server on Alpine Linux
# Works on any dedicated server or virtual private server (VPS)
#
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
#
@ -140,7 +141,7 @@ check_client_name() {
if [ -n "$VPN_CLIENT_NAME" ]; then
name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)"
if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $VPN_CLIENT_NAME in -*) true ;; *) false ;; esac; then
|| case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
fi
fi
@ -284,6 +285,7 @@ EOF
create_vpn_config() {
bigecho "Creating VPN configuration..."
L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'}
L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'}
L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'}
@ -293,6 +295,7 @@ create_vpn_config() {
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
# Create IPsec config
conf_bk "/etc/ipsec.conf"
cat > /etc/ipsec.conf <<EOF
@ -343,16 +346,19 @@ conn xauth-psk
include /etc/ipsec.d/*.conf
EOF
if uname -m | grep -qi '^arm'; then
if ! modprobe -q sha512; then
sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
fi
fi
# Specify IPsec PSK
conf_bk "/etc/ipsec.secrets"
cat > /etc/ipsec.secrets <<EOF
%any %any : PSK "$VPN_IPSEC_PSK"
EOF
# Create xl2tpd config
conf_bk "/etc/xl2tpd/xl2tpd.conf"
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
@ -369,6 +375,7 @@ name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
# Set xl2tpd options
conf_bk "/etc/ppp/options.xl2tpd"
cat > /etc/ppp/options.xl2tpd <<EOF
@ -385,16 +392,19 @@ lcp-echo-interval 30
connect-delay 5000
ms-dns $DNS_SRV1
EOF
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
cat >> /etc/ppp/options.xl2tpd <<EOF
ms-dns $DNS_SRV2
EOF
fi
# Create VPN credentials
conf_bk "/etc/ppp/chap-secrets"
cat > /etc/ppp/chap-secrets <<EOF
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF
conf_bk "/etc/ipsec.d/passwd"
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
cat > /etc/ipsec.d/passwd <<EOF
@ -437,6 +447,7 @@ update_iptables() {
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
ipt_flag=1
fi
ipi='iptables -I INPUT'
ipf='iptables -I FORWARD'
ipp='iptables -t nat -I POSTROUTING'
@ -474,6 +485,7 @@ iptables-restore < /etc/iptables.rules
exit 0
EOF
chmod +x /etc/network/if-pre-up.d/iptablesload
sed -i '1c\#!/sbin/openrc-run' /etc/init.d/ipsec
for svc in fail2ban ipsec xl2tpd; do
rc-update add "$svc" default >/dev/null
@ -483,11 +495,14 @@ EOF
start_services() {
bigecho "Starting services..."
sysctl -e -q -p
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
mkdir -p /run/pluto
service fail2ban restart >/dev/null 2>&1
service ipsec restart >/dev/null 2>&1
service xl2tpd restart >/dev/null 2>&1
mkdir -p /etc/crontabs
cron_cmd="rc-service -c ipsec zap start"
if ! grep -qs "$cron_cmd" /etc/crontabs/root; then

18
vpnsetup_amzn.sh
View File

@ -1,6 +1,7 @@
#!/bin/bash
#
# Script for automatic setup of an IPsec VPN server on Amazon Linux 2
# Works on any dedicated server or virtual private server (VPS)
#
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
#
@ -122,7 +123,7 @@ check_client_name() {
if [ -n "$VPN_CLIENT_NAME" ]; then
name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)"
if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $VPN_CLIENT_NAME in -*) true ;; *) false ;; esac; then
|| case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
fi
fi
@ -286,6 +287,7 @@ EOF
create_vpn_config() {
bigecho "Creating VPN configuration..."
L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'}
L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'}
L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'}
@ -295,6 +297,7 @@ create_vpn_config() {
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
# Create IPsec config
conf_bk "/etc/ipsec.conf"
cat > /etc/ipsec.conf <<EOF
@ -345,11 +348,13 @@ conn xauth-psk
include /etc/ipsec.d/*.conf
EOF
# Specify IPsec PSK
conf_bk "/etc/ipsec.secrets"
cat > /etc/ipsec.secrets <<EOF
%any %any : PSK "$VPN_IPSEC_PSK"
EOF
# Create xl2tpd config
conf_bk "/etc/xl2tpd/xl2tpd.conf"
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
@ -366,6 +371,7 @@ name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
# Set xl2tpd options
conf_bk "/etc/ppp/options.xl2tpd"
cat > /etc/ppp/options.xl2tpd <<EOF
@ -382,16 +388,19 @@ lcp-echo-interval 30
connect-delay 5000
ms-dns $DNS_SRV1
EOF
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
cat >> /etc/ppp/options.xl2tpd <<EOF
ms-dns $DNS_SRV2
EOF
fi
# Create VPN credentials
conf_bk "/etc/ppp/chap-secrets"
cat > /etc/ppp/chap-secrets <<EOF
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF
conf_bk "/etc/ipsec.d/passwd"
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
cat > /etc/ipsec.d/passwd <<EOF
@ -448,6 +457,7 @@ update_iptables() {
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
ipt_flag=1
fi
ipi='iptables -I INPUT'
ipf='iptables -I FORWARD'
ipp='iptables -t nat -I POSTROUTING'
@ -480,6 +490,7 @@ enable_on_boot() {
bigecho "Enabling services on boot..."
systemctl --now mask firewalld 2>/dev/null
systemctl enable iptables fail2ban 2>/dev/null
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
if [ -f /etc/rc.local ]; then
conf_bk "/etc/rc.local"
@ -500,17 +511,22 @@ EOF
start_services() {
bigecho "Starting services..."
sysctl -e -q -p
chmod +x /etc/rc.local
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
iptables-restore < "$IPT_FILE"
# Fix xl2tpd if l2tp_ppp is unavailable
if ! modprobe -q l2tp_ppp; then
sed -i '/^ExecStartPre=\//s/=/=-/' /usr/lib/systemd/system/xl2tpd.service
systemctl daemon-reload
fi
mkdir -p /run/pluto
service fail2ban restart 2>/dev/null
service ipsec restart 2>/dev/null

18
vpnsetup_centos.sh
View File

@ -2,6 +2,7 @@
#
# Script for automatic setup of an IPsec VPN server on CentOS/RHEL, Rocky Linux,
# AlmaLinux and Oracle Linux
# Works on any dedicated server or virtual private server (VPS)
#
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
#
@ -150,7 +151,7 @@ check_client_name() {
if [ -n "$VPN_CLIENT_NAME" ]; then
name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)"
if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $VPN_CLIENT_NAME in -*) true ;; *) false ;; esac; then
|| case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
fi
fi
@ -357,6 +358,7 @@ EOF
create_vpn_config() {
bigecho "Creating VPN configuration..."
L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'}
L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'}
L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'}
@ -366,6 +368,7 @@ create_vpn_config() {
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
# Create IPsec config
conf_bk "/etc/ipsec.conf"
cat > /etc/ipsec.conf <<EOF
@ -416,11 +419,13 @@ conn xauth-psk
include /etc/ipsec.d/*.conf
EOF
# Specify IPsec PSK
conf_bk "/etc/ipsec.secrets"
cat > /etc/ipsec.secrets <<EOF
%any %any : PSK "$VPN_IPSEC_PSK"
EOF
# Create xl2tpd config
conf_bk "/etc/xl2tpd/xl2tpd.conf"
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
@ -437,6 +442,7 @@ name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
# Set xl2tpd options
conf_bk "/etc/ppp/options.xl2tpd"
cat > /etc/ppp/options.xl2tpd <<EOF
@ -453,16 +459,19 @@ lcp-echo-interval 30
connect-delay 5000
ms-dns $DNS_SRV1
EOF
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
cat >> /etc/ppp/options.xl2tpd <<EOF
ms-dns $DNS_SRV2
EOF
fi
# Create VPN credentials
conf_bk "/etc/ppp/chap-secrets"
cat > /etc/ppp/chap-secrets <<EOF
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF
conf_bk "/etc/ipsec.d/passwd"
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
cat > /etc/ipsec.d/passwd <<EOF
@ -530,6 +539,7 @@ update_iptables() {
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
ipt_flag=1
fi
ipi='iptables -I INPUT'
ipf='iptables -I FORWARD'
ipp='iptables -t nat -I POSTROUTING'
@ -603,6 +613,7 @@ enable_on_boot() {
else
systemctl enable iptables fail2ban 2>/dev/null
fi
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
if [ -f /etc/rc.local ]; then
conf_bk "/etc/rc.local"
@ -623,21 +634,26 @@ EOF
start_services() {
bigecho "Starting services..."
sysctl -e -q -p
chmod +x /etc/rc.local
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
if [ "$use_nft" = "1" ]; then
nft -f "$IPT_FILE"
else
iptables-restore < "$IPT_FILE"
fi
# Fix xl2tpd if l2tp_ppp is unavailable
if ! modprobe -q l2tp_ppp; then
sed -i '/^ExecStartPre=\//s/=/=-/' /usr/lib/systemd/system/xl2tpd.service
systemctl daemon-reload
fi
mkdir -p /run/pluto
service fail2ban restart 2>/dev/null
service ipsec restart 2>/dev/null

20
vpnsetup_ubuntu.sh
View File

@ -1,6 +1,7 @@
#!/bin/bash
#
# Script for automatic setup of an IPsec VPN server on Ubuntu and Debian
# Works on any dedicated server or virtual private server (VPS)
#
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
#
@ -148,7 +149,7 @@ check_client_name() {
if [ -n "$VPN_CLIENT_NAME" ]; then
name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)"
if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $VPN_CLIENT_NAME in -*) true ;; *) false ;; esac; then
|| case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
fi
fi
@ -334,6 +335,7 @@ EOF
create_vpn_config() {
bigecho "Creating VPN configuration..."
L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'}
L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'}
L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'}
@ -343,6 +345,7 @@ create_vpn_config() {
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
# Create IPsec config
conf_bk "/etc/ipsec.conf"
cat > /etc/ipsec.conf <<EOF
@ -393,16 +396,19 @@ conn xauth-psk
include /etc/ipsec.d/*.conf
EOF
if uname -m | grep -qi '^arm'; then
if ! modprobe -q sha512; then
sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
fi
fi
# Specify IPsec PSK
conf_bk "/etc/ipsec.secrets"
cat > /etc/ipsec.secrets <<EOF
%any %any : PSK "$VPN_IPSEC_PSK"
EOF
# Create xl2tpd config
conf_bk "/etc/xl2tpd/xl2tpd.conf"
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
@ -419,6 +425,7 @@ name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
# Set xl2tpd options
conf_bk "/etc/ppp/options.xl2tpd"
cat > /etc/ppp/options.xl2tpd <<EOF
@ -435,16 +442,19 @@ lcp-echo-interval 30
connect-delay 5000
ms-dns $DNS_SRV1
EOF
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
cat >> /etc/ppp/options.xl2tpd <<EOF
ms-dns $DNS_SRV2
EOF
fi
# Create VPN credentials
conf_bk "/etc/ppp/chap-secrets"
cat > /etc/ppp/chap-secrets <<EOF
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF
conf_bk "/etc/ipsec.d/passwd"
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
cat > /etc/ipsec.d/passwd <<EOF
@ -488,6 +498,7 @@ update_iptables() {
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
ipt_flag=1
fi
ipi='iptables -I INPUT'
ipf='iptables -I FORWARD'
ipp='iptables -t nat -I POSTROUTING'
@ -513,6 +524,7 @@ update_iptables() {
$ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
iptables-save >> "$IPT_FILE"
if [ -f "$IPT_FILE2" ]; then
conf_bk "$IPT_FILE2"
/bin/cp -f "$IPT_FILE" "$IPT_FILE2"
@ -543,6 +555,7 @@ enable_on_boot() {
if [ -f "$IPT_FILE2" ] && { [ -f "$IPT_PST" ] || [ -f "$IPT_PST2" ]; }; then
ipt_load=0
fi
if [ "$ipt_load" = "1" ]; then
mkdir -p /etc/network/if-pre-up.d
cat > /etc/network/if-pre-up.d/iptablesload <<'EOF'
@ -551,6 +564,7 @@ iptables-restore < /etc/iptables.rules
exit 0
EOF
chmod +x /etc/network/if-pre-up.d/iptablesload
if [ -f /usr/sbin/netplan ]; then
mkdir -p /etc/systemd/system
cat > /etc/systemd/system/load-iptables-rules.service <<'EOF'
@ -574,10 +588,12 @@ EOF
systemctl enable load-iptables-rules 2>/dev/null
fi
fi
for svc in fail2ban ipsec xl2tpd; do
update-rc.d "$svc" enable >/dev/null 2>&1
systemctl enable "$svc" 2>/dev/null
done
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
if [ -f /etc/rc.local ]; then
conf_bk "/etc/rc.local"
@ -600,8 +616,10 @@ EOF
start_services() {
bigecho "Starting services..."
sysctl -e -q -p
chmod +x /etc/rc.local
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
mkdir -p /run/pluto
service fail2ban restart 2>/dev/null
service ipsec restart 2>/dev/null