No commits in common. "b48021c5e625586c844d11691a39ffbaa0be0a15" and "1c91ac2c3aca6f6709c7a42b8730e037ff945902" have entirely different histories.
b48021c5e6
...
1c91ac2c3a
4
.github/workflows/check_urls.yml
@ -32,7 +32,6 @@ jobs:
|
|||||||
|
|
||||||
wg="wget -t 3 -T 30 -nv -O"
|
wg="wget -t 3 -T 30 -nv -O"
|
||||||
gh="https://github.com/hwdsl2/setup-ipsec-vpn/raw/master"
|
gh="https://github.com/hwdsl2/setup-ipsec-vpn/raw/master"
|
||||||
gl="https://gitlab.com/hwdsl2/setup-ipsec-vpn/-/raw/master"
|
|
||||||
gi="https://git.io"
|
gi="https://git.io"
|
||||||
|
|
||||||
$wg vpnsetup.sh "$gi/vpnsetup"
|
$wg vpnsetup.sh "$gi/vpnsetup"
|
||||||
@ -51,7 +50,6 @@ jobs:
|
|||||||
$wg vpnuninstall.sh "$gi/vpnuninstall"
|
$wg vpnuninstall.sh "$gi/vpnuninstall"
|
||||||
|
|
||||||
$wg vpnsetup2.sh "$gh/vpnsetup.sh"
|
$wg vpnsetup2.sh "$gh/vpnsetup.sh"
|
||||||
$wg vpnsetup3.sh "$gl/vpnsetup.sh"
|
|
||||||
$wg vpnsetup_centos2.sh "$gh/vpnsetup_centos.sh"
|
$wg vpnsetup_centos2.sh "$gh/vpnsetup_centos.sh"
|
||||||
$wg vpnsetup_amzn2.sh "$gh/vpnsetup_amzn.sh"
|
$wg vpnsetup_amzn2.sh "$gh/vpnsetup_amzn.sh"
|
||||||
$wg vpnsetup_ubuntu2.sh "$gh/vpnsetup_ubuntu.sh"
|
$wg vpnsetup_ubuntu2.sh "$gh/vpnsetup_ubuntu.sh"
|
||||||
@ -81,7 +79,6 @@ jobs:
|
|||||||
diff vpnuninstall.sh ../extras/vpnuninstall.sh
|
diff vpnuninstall.sh ../extras/vpnuninstall.sh
|
||||||
|
|
||||||
diff vpnsetup2.sh ../vpnsetup.sh
|
diff vpnsetup2.sh ../vpnsetup.sh
|
||||||
diff vpnsetup3.sh ../vpnsetup.sh
|
|
||||||
diff vpnsetup_centos2.sh ../vpnsetup_centos.sh
|
diff vpnsetup_centos2.sh ../vpnsetup_centos.sh
|
||||||
diff vpnsetup_amzn2.sh ../vpnsetup_amzn.sh
|
diff vpnsetup_amzn2.sh ../vpnsetup_amzn.sh
|
||||||
diff vpnsetup_ubuntu2.sh ../vpnsetup_ubuntu.sh
|
diff vpnsetup_ubuntu2.sh ../vpnsetup_ubuntu.sh
|
||||||
@ -110,4 +107,3 @@ jobs:
|
|||||||
curl -fsSI "$bl/delvpnuser" | grep -q 'del_vpn_user.sh'
|
curl -fsSI "$bl/delvpnuser" | grep -q 'del_vpn_user.sh'
|
||||||
curl -fsSI "$bl/updatevpnusers" | grep -q 'update_vpn_users.sh'
|
curl -fsSI "$bl/updatevpnusers" | grep -q 'update_vpn_users.sh'
|
||||||
curl -fsSI "$bl/ikev2onlymode" | grep -q 'ikev2onlymode.sh'
|
curl -fsSI "$bl/ikev2onlymode" | grep -q 'ikev2onlymode.sh'
|
||||||
curl -fsSI "$bl/ikev2changeaddr" | grep -q 'ikev2changeaddr.sh'
|
|
||||||
|
@ -274,7 +274,7 @@ wget https://gitlab.com/hwdsl2/setup-ipsec-vpn/-/raw/master/extras/vpnupgrade.sh
|
|||||||
|
|
||||||
## 问题和反馈
|
## 问题和反馈
|
||||||
|
|
||||||
- 如果你有对本项目的建议,请提交一个 [改进建议](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose),或者欢迎提交 [Pull request](https://github.com/hwdsl2/setup-ipsec-vpn/pulls)。
|
- 如果你有意见或建议,请 [发送反馈](https://bit.ly/vpn-feedback) 或提交一个 [改进建议](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose),或者欢迎提交 [Pull request](https://github.com/hwdsl2/setup-ipsec-vpn/pulls)。
|
||||||
- 如果你发现了一个可重复的程序漏洞,请为 [IPsec VPN](https://github.com/libreswan/libreswan/issues?q=is%3Aissue) 或者 [VPN 脚本](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose) 提交一个错误报告。
|
- 如果你发现了一个可重复的程序漏洞,请为 [IPsec VPN](https://github.com/libreswan/libreswan/issues?q=is%3Aissue) 或者 [VPN 脚本](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose) 提交一个错误报告。
|
||||||
- 有问题需要提问?请先搜索 [已有的 issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) 以及在 [这个 Gist](https://gist.github.com/hwdsl2/9030462#comments) 和 [我的博客](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread) 上已有的留言。
|
- 有问题需要提问?请先搜索 [已有的 issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) 以及在 [这个 Gist](https://gist.github.com/hwdsl2/9030462#comments) 和 [我的博客](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread) 上已有的留言。
|
||||||
- VPN 的相关问题可在 [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) 或 [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) 邮件列表提问,或者参考这些网站:[[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup)。
|
- VPN 的相关问题可在 [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) 或 [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) 邮件列表提问,或者参考这些网站:[[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup)。
|
||||||
|
@ -274,7 +274,7 @@ See [Uninstall the VPN](docs/uninstall.md).
|
|||||||
|
|
||||||
## Feedback & Questions
|
## Feedback & Questions
|
||||||
|
|
||||||
- Have a suggestion for this project? Open an [Enhancement request](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose). [Pull requests](https://github.com/hwdsl2/setup-ipsec-vpn/pulls) are also welcome.
|
- Have a comment or suggestion? [Send feedback](https://bit.ly/vpn-feedback) or open an [Enhancement request](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose). [Pull requests](https://github.com/hwdsl2/setup-ipsec-vpn/pulls) are also welcome.
|
||||||
- If you found a reproducible bug, open a bug report for the [IPsec VPN](https://github.com/libreswan/libreswan/issues?q=is%3Aissue) or for the [VPN scripts](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose).
|
- If you found a reproducible bug, open a bug report for the [IPsec VPN](https://github.com/libreswan/libreswan/issues?q=is%3Aissue) or for the [VPN scripts](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose).
|
||||||
- Got a question? Please first search [existing issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) and comments [in this Gist](https://gist.github.com/hwdsl2/9030462#comments) and [on my blog](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread).
|
- Got a question? Please first search [existing issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) and comments [in this Gist](https://gist.github.com/hwdsl2/9030462#comments) and [on my blog](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread).
|
||||||
- Ask VPN related questions on the [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) or [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) mailing list, or read these wikis: [[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup).
|
- Ask VPN related questions on the [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) or [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) mailing list, or read these wikis: [[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup).
|
||||||
|
@ -28,9 +28,11 @@ EOF
|
|||||||
}
|
}
|
||||||
|
|
||||||
add_vpn_user() {
|
add_vpn_user() {
|
||||||
|
|
||||||
if [ "$(id -u)" != 0 ]; then
|
if [ "$(id -u)" != 0 ]; then
|
||||||
exiterr "Script must be run as root. Try 'sudo bash $0'"
|
exiterr "Script must be run as root. Try 'sudo bash $0'"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
|
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
|
||||||
|| [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then
|
|| [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then
|
||||||
cat 1>&2 <<'EOF'
|
cat 1>&2 <<'EOF'
|
||||||
@ -39,7 +41,9 @@ Error: Your must first set up the IPsec VPN server before adding VPN users.
|
|||||||
EOF
|
EOF
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
command -v openssl >/dev/null 2>&1 || exiterr "'openssl' not found. Abort."
|
command -v openssl >/dev/null 2>&1 || exiterr "'openssl' not found. Abort."
|
||||||
|
|
||||||
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
|
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
|
||||||
cat 1>&2 <<EOF
|
cat 1>&2 <<EOF
|
||||||
Usage: sudo bash $0 'username_to_add' 'password'
|
Usage: sudo bash $0 'username_to_add' 'password'
|
||||||
@ -48,8 +52,10 @@ You may also run this script interactively without arguments.
|
|||||||
EOF
|
EOF
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
VPN_USER=$1
|
VPN_USER=$1
|
||||||
VPN_PASSWORD=$2
|
VPN_PASSWORD=$2
|
||||||
|
|
||||||
if [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
|
if [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
|
||||||
show_intro
|
show_intro
|
||||||
echo
|
echo
|
||||||
@ -68,17 +74,21 @@ EOF
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if printf '%s' "$VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
|
if printf '%s' "$VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
|
||||||
exiterr "VPN credentials must not contain non-ASCII characters."
|
exiterr "VPN credentials must not contain non-ASCII characters."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
case "$VPN_USER $VPN_PASSWORD" in
|
case "$VPN_USER $VPN_PASSWORD" in
|
||||||
*[\\\"\']*)
|
*[\\\"\']*)
|
||||||
exiterr "VPN credentials must not contain these special characters: \\ \" '"
|
exiterr "VPN credentials must not contain these special characters: \\ \" '"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
if [ -n "$1" ] && [ -n "$2" ]; then
|
if [ -n "$1" ] && [ -n "$2" ]; then
|
||||||
show_intro
|
show_intro
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
|
|
||||||
================================================
|
================================================
|
||||||
@ -96,6 +106,7 @@ Setup VPN clients: https://git.io/vpnclients
|
|||||||
================================================
|
================================================
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
printf "Do you want to continue? [Y/n] "
|
printf "Do you want to continue? [Y/n] "
|
||||||
read -r response
|
read -r response
|
||||||
case $response in
|
case $response in
|
||||||
@ -109,22 +120,27 @@ EOF
|
|||||||
exit 1
|
exit 1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# Backup config files
|
# Backup config files
|
||||||
conf_bk "/etc/ppp/chap-secrets"
|
conf_bk "/etc/ppp/chap-secrets"
|
||||||
conf_bk "/etc/ipsec.d/passwd"
|
conf_bk "/etc/ipsec.d/passwd"
|
||||||
|
|
||||||
# Add or update VPN user
|
# Add or update VPN user
|
||||||
sed -i "/^\"$VPN_USER\" /d" /etc/ppp/chap-secrets
|
sed -i "/^\"$VPN_USER\" /d" /etc/ppp/chap-secrets
|
||||||
cat >> /etc/ppp/chap-secrets <<EOF
|
cat >> /etc/ppp/chap-secrets <<EOF
|
||||||
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
|
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# shellcheck disable=SC2016
|
# shellcheck disable=SC2016
|
||||||
sed -i '/^'"$VPN_USER"':\$1\$/d' /etc/ipsec.d/passwd
|
sed -i '/^'"$VPN_USER"':\$1\$/d' /etc/ipsec.d/passwd
|
||||||
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
|
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
|
||||||
cat >> /etc/ipsec.d/passwd <<EOF
|
cat >> /etc/ipsec.d/passwd <<EOF
|
||||||
$VPN_USER:$VPN_PASSWORD_ENC:xauth-psk
|
$VPN_USER:$VPN_PASSWORD_ENC:xauth-psk
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Update file attributes
|
# Update file attributes
|
||||||
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
||||||
|
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
Done!
|
Done!
|
||||||
|
|
||||||
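Review bot: `$VPN_USER` is interpolated unescaped into two sed regexes, `sed -i "/^\"$VPN_USER\" /d" /etc/ppp/chap-secrets` and `sed -i '/^'"$VPN_USER"':\$1\$/d' /etc/ipsec.d/passwd`, while the `case` check earlier in the function rejects only `\`, `"` and `'`, so a name containing `.`, `*` or `[` widens the match and can delete other users' entries, `/` breaks the sed expression, and `:` corrupts the `$VPN_USER:$VPN_PASSWORD_ENC:xauth-psk` record written just below. Escaping the name before use keeps existing names working, e.g. `user_re=$(printf '%s' "$VPN_USER" | sed 's|[].[^$*/]|\\&|g')` followed by `sed -i "/^\"$user_re\" /d" /etc/ppp/chap-secrets`, with `:` added to the rejected set in the `case` pattern; the same unescaped interpolation appears in the `del_vpn_user` function's `grep -c "^\"$VPN_USER\" "` and `sed -i "/^\"$VPN_USER\" /d"` lines. Separately, `VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")` passes the clear-text password as a command-line argument, where it is visible in the process list for the duration of the call; `printf '%s\n' "$VPN_PASSWORD" | openssl passwd -1 -stdin` avoids that. The `add_vpn_user` function this hunk belongs to starts and ends outside the hunk.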
@ -132,6 +148,7 @@ Note: All VPN users will share the same IPsec PSK.
|
|||||||
If you forgot the PSK, check /etc/ipsec.secrets.
|
If you forgot the PSK, check /etc/ipsec.secrets.
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
## Defer until we have the complete script
|
## Defer until we have the complete script
|
||||||
|
@ -25,9 +25,11 @@ EOF
|
|||||||
}
|
}
|
||||||
|
|
||||||
del_vpn_user() {
|
del_vpn_user() {
|
||||||
|
|
||||||
if [ "$(id -u)" != 0 ]; then
|
if [ "$(id -u)" != 0 ]; then
|
||||||
exiterr "Script must be run as root. Try 'sudo bash $0'"
|
exiterr "Script must be run as root. Try 'sudo bash $0'"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
|
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
|
||||||
|| [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then
|
|| [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then
|
||||||
cat 1>&2 <<'EOF'
|
cat 1>&2 <<'EOF'
|
||||||
@ -36,6 +38,7 @@ Error: Your must first set up the IPsec VPN server before deleting VPN users.
|
|||||||
EOF
|
EOF
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
|
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
|
||||||
cat 1>&2 <<EOF
|
cat 1>&2 <<EOF
|
||||||
Usage: sudo bash $0 'username_to_delete'
|
Usage: sudo bash $0 'username_to_delete'
|
||||||
@ -43,7 +46,9 @@ You may also run this script interactively without arguments.
|
|||||||
EOF
|
EOF
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
VPN_USER=$1
|
VPN_USER=$1
|
||||||
|
|
||||||
if [ -z "$VPN_USER" ]; then
|
if [ -z "$VPN_USER" ]; then
|
||||||
show_intro
|
show_intro
|
||||||
echo
|
echo
|
||||||
@ -57,14 +62,17 @@ EOF
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if printf '%s' "$VPN_USER" | LC_ALL=C grep -q '[^ -~]\+'; then
|
if printf '%s' "$VPN_USER" | LC_ALL=C grep -q '[^ -~]\+'; then
|
||||||
exiterr "VPN username must not contain non-ASCII characters."
|
exiterr "VPN username must not contain non-ASCII characters."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
case "$VPN_USER" in
|
case "$VPN_USER" in
|
||||||
*[\\\"\']*)
|
*[\\\"\']*)
|
||||||
exiterr "VPN username must not contain these special characters: \\ \" '"
|
exiterr "VPN username must not contain these special characters: \\ \" '"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
if [ "$(grep -c "^\"$VPN_USER\" " /etc/ppp/chap-secrets)" = "0" ] \
|
if [ "$(grep -c "^\"$VPN_USER\" " /etc/ppp/chap-secrets)" = "0" ] \
|
||||||
|| [ "$(grep -c "^$VPN_USER:\\\$1\\\$" /etc/ipsec.d/passwd)" = "0" ]; then
|
|| [ "$(grep -c "^$VPN_USER:\\\$1\\\$" /etc/ipsec.d/passwd)" = "0" ]; then
|
||||||
cat 1>&2 <<'EOF'
|
cat 1>&2 <<'EOF'
|
||||||
@ -73,6 +81,7 @@ Error: The specified VPN user does not exist in /etc/ppp/chap-secrets
|
|||||||
EOF
|
EOF
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = "1" ] \
|
if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = "1" ] \
|
||||||
|| [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = "1" ]; then
|
|| [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = "1" ]; then
|
||||||
cat 1>&2 <<'EOF'
|
cat 1>&2 <<'EOF'
|
||||||
@ -81,7 +90,9 @@ Error: Could not delete the only VPN user from /etc/ppp/chap-secrets
|
|||||||
EOF
|
EOF
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$1" ] && show_intro
|
[ -n "$1" ] && show_intro
|
||||||
|
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
|
|
||||||
================================================
|
================================================
|
||||||
@ -93,6 +104,7 @@ Username: $VPN_USER
|
|||||||
================================================
|
================================================
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
printf "Do you want to continue? [Y/n] "
|
printf "Do you want to continue? [Y/n] "
|
||||||
read -r response
|
read -r response
|
||||||
case $response in
|
case $response in
|
||||||
@ -106,19 +118,24 @@ EOF
|
|||||||
exit 1
|
exit 1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# Backup config files
|
# Backup config files
|
||||||
conf_bk "/etc/ppp/chap-secrets"
|
conf_bk "/etc/ppp/chap-secrets"
|
||||||
conf_bk "/etc/ipsec.d/passwd"
|
conf_bk "/etc/ipsec.d/passwd"
|
||||||
|
|
||||||
# Delete VPN user
|
# Delete VPN user
|
||||||
sed -i "/^\"$VPN_USER\" /d" /etc/ppp/chap-secrets
|
sed -i "/^\"$VPN_USER\" /d" /etc/ppp/chap-secrets
|
||||||
# shellcheck disable=SC2016
|
# shellcheck disable=SC2016
|
||||||
sed -i '/^'"$VPN_USER"':\$1\$/d' /etc/ipsec.d/passwd
|
sed -i '/^'"$VPN_USER"':\$1\$/d' /etc/ipsec.d/passwd
|
||||||
|
|
||||||
# Update file attributes
|
# Update file attributes
|
||||||
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
||||||
|
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
Done!
|
Done!
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
## Defer until we have the complete script
|
## Defer until we have the complete script
|
||||||
|
@ -151,14 +151,14 @@ confirm_or_abort() {
|
|||||||
show_header() {
|
show_header() {
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
|
|
||||||
IKEv2 Script Copyright (c) 2020-2022 Lin Song 27 Apr 2022
|
IKEv2 Script Copyright (c) 2020-2022 Lin Song 7 Apr 2022
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
show_usage() {
|
show_usage() {
|
||||||
if [ -n "$1" ]; then
|
if [ -n "$1" ]; then
|
||||||
echo "Error: $1" >&2
|
echo "Error: $1" >&2;
|
||||||
fi
|
fi
|
||||||
show_header
|
show_header
|
||||||
cat 1>&2 <<EOF
|
cat 1>&2 <<EOF
|
||||||
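Review bot: `echo "Error: $1" >&2;` in `show_usage` carries a trailing semicolon that does nothing and is inconsistent with the rest of the function; it should read `echo "Error: $1" >&2`, or `printf 'Error: %s\n' "$1" >&2` so a message beginning with `-n` or `-e` is never taken as an echo option. The page does not mark which copy of the pair is the new side, so this applies to whichever one survives. `show_usage` continues past the end of the hunk (the `cat 1>&2 <<EOF` heredoc is cut off).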
@ -1272,6 +1272,7 @@ cat <<'EOF'
|
|||||||
|
|
||||||
Next steps: Configure IKEv2 clients. See:
|
Next steps: Configure IKEv2 clients. See:
|
||||||
https://git.io/ikev2clients
|
https://git.io/ikev2clients
|
||||||
|
Feedback: https://bit.ly/vpn-feedback
|
||||||
|
|
||||||
================================================
|
================================================
|
||||||
|
|
||||||
|
@ -1,7 +1,8 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
#
|
#
|
||||||
# Script for automatic setup of an IPsec VPN server on Ubuntu, Debian, CentOS/RHEL,
|
# Quick start script to set up an IPsec VPN server on Ubuntu, Debian, CentOS/RHEL,
|
||||||
# Rocky Linux, AlmaLinux, Oracle Linux, Amazon Linux 2 and Alpine Linux
|
# Rocky Linux, AlmaLinux, Oracle Linux, Amazon Linux 2 and Alpine Linux
|
||||||
|
# Works on any dedicated server or virtual private server (VPS)
|
||||||
#
|
#
|
||||||
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
|
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
|
||||||
#
|
#
|
||||||
@ -158,15 +159,19 @@ check_creds() {
|
|||||||
[ -n "$YOUR_IPSEC_PSK" ] && VPN_IPSEC_PSK="$YOUR_IPSEC_PSK"
|
[ -n "$YOUR_IPSEC_PSK" ] && VPN_IPSEC_PSK="$YOUR_IPSEC_PSK"
|
||||||
[ -n "$YOUR_USERNAME" ] && VPN_USER="$YOUR_USERNAME"
|
[ -n "$YOUR_USERNAME" ] && VPN_USER="$YOUR_USERNAME"
|
||||||
[ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD"
|
[ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD"
|
||||||
|
|
||||||
if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
|
if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
|
if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
|
||||||
exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
|
exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
|
if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
|
||||||
exiterr "VPN credentials must not contain non-ASCII characters."
|
exiterr "VPN credentials must not contain non-ASCII characters."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
|
case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
|
||||||
*[\\\"\']*)
|
*[\\\"\']*)
|
||||||
exiterr "VPN credentials must not contain these special characters: \\ \" '"
|
exiterr "VPN credentials must not contain these special characters: \\ \" '"
|
||||||
@ -288,7 +293,7 @@ run_setup() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
vpnsetup() {
|
quickstart() {
|
||||||
check_root
|
check_root
|
||||||
check_vz
|
check_vz
|
||||||
check_lxc
|
check_lxc
|
||||||
@ -305,6 +310,6 @@ vpnsetup() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
## Defer setup until we have the complete script
|
## Defer setup until we have the complete script
|
||||||
vpnsetup "$@"
|
quickstart "$@"
|
||||||
|
|
||||||
exit "$status"
|
exit "$status"
|
||||||
|
@ -39,9 +39,11 @@ noquotes() { printf '%s' "$1" | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/";
|
|||||||
noquotes2() { printf '%s' "$1" | sed -e 's/" "/ /g' -e "s/' '/ /g"; }
|
noquotes2() { printf '%s' "$1" | sed -e 's/" "/ /g' -e "s/' '/ /g"; }
|
||||||
|
|
||||||
update_vpn_users() {
|
update_vpn_users() {
|
||||||
|
|
||||||
if [ "$(id -u)" != 0 ]; then
|
if [ "$(id -u)" != 0 ]; then
|
||||||
exiterr "Script must be run as root. Try 'sudo bash $0'"
|
exiterr "Script must be run as root. Try 'sudo bash $0'"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
|
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
|
||||||
|| [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then
|
|| [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then
|
||||||
cat 1>&2 <<'EOF'
|
cat 1>&2 <<'EOF'
|
||||||
@ -50,35 +52,44 @@ Error: Your must first set up the IPsec VPN server before updating VPN users.
|
|||||||
EOF
|
EOF
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
command -v openssl >/dev/null 2>&1 || exiterr "'openssl' not found. Abort."
|
command -v openssl >/dev/null 2>&1 || exiterr "'openssl' not found. Abort."
|
||||||
|
|
||||||
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
|
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
|
||||||
cat 1>&2 <<'EOF'
|
cat 1>&2 <<'EOF'
|
||||||
For usage information, visit https://git.io/vpnnotes, then click on Manage VPN Users.
|
For usage information, visit https://git.io/vpnnotes, then click on Manage VPN Users.
|
||||||
EOF
|
EOF
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$YOUR_USERNAMES" ] && VPN_USERS="$YOUR_USERNAMES"
|
[ -n "$YOUR_USERNAMES" ] && VPN_USERS="$YOUR_USERNAMES"
|
||||||
[ -n "$YOUR_PASSWORDS" ] && VPN_PASSWORDS="$YOUR_PASSWORDS"
|
[ -n "$YOUR_PASSWORDS" ] && VPN_PASSWORDS="$YOUR_PASSWORDS"
|
||||||
|
|
||||||
VPN_USERS=$(noquotes "$VPN_USERS")
|
VPN_USERS=$(noquotes "$VPN_USERS")
|
||||||
VPN_USERS=$(onespace "$VPN_USERS")
|
VPN_USERS=$(onespace "$VPN_USERS")
|
||||||
VPN_USERS=$(noquotes2 "$VPN_USERS")
|
VPN_USERS=$(noquotes2 "$VPN_USERS")
|
||||||
VPN_PASSWORDS=$(noquotes "$VPN_PASSWORDS")
|
VPN_PASSWORDS=$(noquotes "$VPN_PASSWORDS")
|
||||||
VPN_PASSWORDS=$(onespace "$VPN_PASSWORDS")
|
VPN_PASSWORDS=$(onespace "$VPN_PASSWORDS")
|
||||||
VPN_PASSWORDS=$(noquotes2 "$VPN_PASSWORDS")
|
VPN_PASSWORDS=$(noquotes2 "$VPN_PASSWORDS")
|
||||||
|
|
||||||
if [ -z "$VPN_USERS" ] || [ -z "$VPN_PASSWORDS" ]; then
|
if [ -z "$VPN_USERS" ] || [ -z "$VPN_PASSWORDS" ]; then
|
||||||
exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
|
exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if printf '%s' "$VPN_USERS $VPN_PASSWORDS" | LC_ALL=C grep -q '[^ -~]\+'; then
|
if printf '%s' "$VPN_USERS $VPN_PASSWORDS" | LC_ALL=C grep -q '[^ -~]\+'; then
|
||||||
exiterr "VPN credentials must not contain non-ASCII characters."
|
exiterr "VPN credentials must not contain non-ASCII characters."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
case "$VPN_USERS $VPN_PASSWORDS" in
|
case "$VPN_USERS $VPN_PASSWORDS" in
|
||||||
*[\\\"\']*)
|
*[\\\"\']*)
|
||||||
exiterr "VPN credentials must not contain these special characters: \\ \" '"
|
exiterr "VPN credentials must not contain these special characters: \\ \" '"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
if printf '%s' "$VPN_USERS" | tr ' ' '\n' | sort | uniq -c | grep -qv '^ *1 '; then
|
if printf '%s' "$VPN_USERS" | tr ' ' '\n' | sort | uniq -c | grep -qv '^ *1 '; then
|
||||||
exiterr "VPN usernames must not contain duplicates."
|
exiterr "VPN usernames must not contain duplicates."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
|
|
||||||
Welcome! Use this script to update VPN user accounts for both
|
Welcome! Use this script to update VPN user accounts for both
|
||||||
@ -92,6 +103,7 @@ WARNING: *ALL* existing VPN users will be removed and replaced
|
|||||||
Updated list of VPN users (username | password):
|
Updated list of VPN users (username | password):
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
count=1
|
count=1
|
||||||
vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1)
|
vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1)
|
||||||
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -d ' ' -f 1)
|
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -d ' ' -f 1)
|
||||||
@ -103,6 +115,7 @@ EOF
|
|||||||
vpn_user=$(printf '%s' "$VPN_USERS" | cut -s -d ' ' -f "$count")
|
vpn_user=$(printf '%s' "$VPN_USERS" | cut -s -d ' ' -f "$count")
|
||||||
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -s -d ' ' -f "$count")
|
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -s -d ' ' -f "$count")
|
||||||
done
|
done
|
||||||
|
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
|
|
||||||
Write these down. You'll need them to connect!
|
Write these down. You'll need them to connect!
|
||||||
@ -113,6 +126,7 @@ Setup VPN clients: https://git.io/vpnclients
|
|||||||
==================================================
|
==================================================
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
printf "Do you want to continue? [Y/n] "
|
printf "Do you want to continue? [Y/n] "
|
||||||
read -r response
|
read -r response
|
||||||
case $response in
|
case $response in
|
||||||
@ -126,10 +140,12 @@ EOF
|
|||||||
exit 1
|
exit 1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# Backup and remove config files
|
# Backup and remove config files
|
||||||
conf_bk "/etc/ppp/chap-secrets"
|
conf_bk "/etc/ppp/chap-secrets"
|
||||||
conf_bk "/etc/ipsec.d/passwd"
|
conf_bk "/etc/ipsec.d/passwd"
|
||||||
/bin/rm -f /etc/ppp/chap-secrets /etc/ipsec.d/passwd
|
/bin/rm -f /etc/ppp/chap-secrets /etc/ipsec.d/passwd
|
||||||
|
|
||||||
# Update VPN users
|
# Update VPN users
|
||||||
count=1
|
count=1
|
||||||
vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1)
|
vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1)
|
||||||
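Review bot: `/bin/rm -f /etc/ppp/chap-secrets /etc/ipsec.d/passwd` removes both credential files, and the `chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*` in the following hunk only runs after the rewrite loop, so the recreated files carry the root umask's default mode (commonly 644) while password entries are being appended. Recreating them with a restrictive mode before the loop closes that window, e.g. `( umask 077; : > /etc/ppp/chap-secrets; : > /etc/ipsec.d/passwd )`; the loop itself lies between the two hunks, so I am assuming it creates the files with `cat >>` as the `add_vpn_user` function does. `update_vpn_users` starts and ends outside this hunk.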
@ -146,8 +162,10 @@ EOF
|
|||||||
vpn_user=$(printf '%s' "$VPN_USERS" | cut -s -d ' ' -f "$count")
|
vpn_user=$(printf '%s' "$VPN_USERS" | cut -s -d ' ' -f "$count")
|
||||||
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -s -d ' ' -f "$count")
|
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -s -d ' ' -f "$count")
|
||||||
done
|
done
|
||||||
|
|
||||||
# Update file attributes
|
# Update file attributes
|
||||||
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
||||||
|
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
Done!
|
Done!
|
||||||
|
|
||||||
@ -155,6 +173,7 @@ Note: All VPN users will share the same IPsec PSK.
|
|||||||
If you forgot the PSK, check /etc/ipsec.secrets.
|
If you forgot the PSK, check /etc/ipsec.secrets.
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
## Defer until we have the complete script
|
## Defer until we have the complete script
|
||||||
|
@ -234,6 +234,7 @@ update_iptables_rules() {
|
|||||||
if grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
|
if grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
|
||||||
ipt_flag=1
|
ipt_flag=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ipi='iptables -D INPUT'
|
ipi='iptables -D INPUT'
|
||||||
ipf='iptables -D FORWARD'
|
ipf='iptables -D FORWARD'
|
||||||
ipp='iptables -t nat -D POSTROUTING'
|
ipp='iptables -t nat -D POSTROUTING'
|
||||||
@ -260,6 +261,7 @@ update_iptables_rules() {
|
|||||||
$ipp -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
|
$ipp -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
|
||||||
$ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
|
$ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
|
||||||
iptables-save > "$IPT_FILE"
|
iptables-save > "$IPT_FILE"
|
||||||
|
|
||||||
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
|
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
|
||||||
if [ -f "$IPT_FILE2" ]; then
|
if [ -f "$IPT_FILE2" ]; then
|
||||||
conf_bk "$IPT_FILE2"
|
conf_bk "$IPT_FILE2"
|
||||||
|
@ -106,6 +106,7 @@ Note: This script will make the following changes to your VPN configuration:
|
|||||||
Your other VPN config files will not be modified.
|
Your other VPN config files will not be modified.
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ "$SWAN_VER" != "$swan_ver_cur" ]; then
|
if [ "$SWAN_VER" != "$swan_ver_cur" ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
|
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
|
||||||
@ -114,6 +115,7 @@ WARNING: Older versions of Libreswan could contain known security vulnerabilitie
|
|||||||
|
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$swan_ver_old" = "$SWAN_VER" ]; then
|
if [ "$swan_ver_old" = "$SWAN_VER" ]; then
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
Note: You already have Libreswan version $SWAN_VER installed!
|
Note: You already have Libreswan version $SWAN_VER installed!
|
||||||
@ -121,6 +123,7 @@ Note: You already have Libreswan version $SWAN_VER installed!
|
|||||||
|
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
printf "Do you want to continue? [Y/n] "
|
printf "Do you want to continue? [Y/n] "
|
||||||
read -r response
|
read -r response
|
||||||
case $response in
|
case $response in
|
||||||
@ -183,6 +186,7 @@ EOF
|
|||||||
set -x
|
set -x
|
||||||
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
|
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
|
||||||
)
|
)
|
||||||
|
|
||||||
cd /opt/src || exit 1
|
cd /opt/src || exit 1
|
||||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||||
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
||||||
@ -211,17 +215,20 @@ update_config() {
|
|||||||
bigecho "Updating VPN configuration..."
|
bigecho "Updating VPN configuration..."
|
||||||
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
||||||
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
||||||
|
|
||||||
if uname -m | grep -qi '^arm'; then
|
if uname -m | grep -qi '^arm'; then
|
||||||
if ! modprobe -q sha512; then
|
if ! modprobe -q sha512; then
|
||||||
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2"
|
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
dns_state=0
|
dns_state=0
|
||||||
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||||
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||||
[ -n "$DNS_SRV1" ] && dns_state=2
|
[ -n "$DNS_SRV1" ] && dns_state=2
|
||||||
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
|
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
|
||||||
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
|
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
|
||||||
|
|
||||||
sed -i".old-$SYS_DT" \
|
sed -i".old-$SYS_DT" \
|
||||||
-e "s/^[[:space:]]\+auth=/ phase2=/" \
|
-e "s/^[[:space:]]\+auth=/ phase2=/" \
|
||||||
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
|
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
|
||||||
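Review bot: `DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | …)`, the `DNS_SRV2` line and the `grep -c "modecfgdns1="` count are unanchored, while the `sed` migration that follows only rewrites lines matching `^[[:space:]]\+modecfgdns1=`; a commented-out `#modecfgdns1=` line therefore feeds `dns_state` (and can push it to 3) without ever being rewritten, so what the script believes about the config and what it edits disagree. Anchoring the greps the same way as the sed keeps them consistent: `grep '^[[:space:]]\+modecfgdns1=' /etc/ipsec.conf`. `cut -d '=' -f 2` also drops anything after a second `=`, which is probably harmless for an address but deserves a one-line comment. update_config() continues past the hunk, and the same lines recur in the `@@ -205,12 +209,14 @@`, `@@ -255,12 +259,14 @@` and `@@ -241,17 +246,20 @@` hunks.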
@ -230,14 +237,17 @@ update_config() {
|
|||||||
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
|
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
|
||||||
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
|
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
|
||||||
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
|
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
|
||||||
|
|
||||||
if [ "$dns_state" = "1" ]; then
|
if [ "$dns_state" = "1" ]; then
|
||||||
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
|
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
|
||||||
-e "/modecfgdns2=/d" /etc/ipsec.conf
|
-e "/modecfgdns2=/d" /etc/ipsec.conf
|
||||||
elif [ "$dns_state" = "2" ]; then
|
elif [ "$dns_state" = "2" ]; then
|
||||||
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
|
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
|
||||||
fi
|
fi
|
||||||
|
|
||||||
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
||||||
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
|
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
|
||||||
|
|
||||||
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
|
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
|
||||||
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
|
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
|
||||||
fi
|
fi
|
||||||
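Review bot: `DNS_SRV1`/`DNS_SRV2`, read back from /etc/ipsec.conf in the previous hunk, are spliced unescaped into the `sed` replacement (`modecfgdns=$DNS_SRV1` and `modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"`), and none of the `sed -i` calls here has its exit status checked. A value containing `/` makes sed reject the expression, `&` or `\` silently alter the replacement, and because the first `sed -i".old-$SYS_DT"` has already rewritten `ike=`/`phase2alg=` by then, the file is left half-migrated with nothing reported. A cheap guard before the rewrite is `case "$DNS_SRV1$DNS_SRV2" in *[!0-9.]*) exiterr "Unexpected modecfgdns value in /etc/ipsec.conf";; esac` (IPv4 only; widen it if IPv6 resolvers are supported), or at minimum `|| exiterr "Failed to update /etc/ipsec.conf"` on each sed, exiterr being the helper these scripts use elsewhere. update_config() continues outside this hunk, and the same lines recur in the `@@ -219,14 +225,17 @@`, `@@ -269,14 +275,17 @@` and `@@ -260,14 +268,17 @@` hunks.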
@ -260,6 +270,7 @@ Libreswan $SWAN_VER has been successfully installed!
|
|||||||
================================================
|
================================================
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ "$dns_state" = "3" ]; then
|
if [ "$dns_state" = "3" ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
IMPORTANT: You must edit /etc/ipsec.conf and replace
|
IMPORTANT: You must edit /etc/ipsec.conf and replace
|
||||||
|
@ -90,6 +90,7 @@ Note: This script will make the following changes to your VPN configuration:
|
|||||||
Your other VPN config files will not be modified.
|
Your other VPN config files will not be modified.
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ "$SWAN_VER" != "$swan_ver_cur" ]; then
|
if [ "$SWAN_VER" != "$swan_ver_cur" ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
|
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
|
||||||
@ -98,6 +99,7 @@ WARNING: Older versions of Libreswan could contain known security vulnerabilitie
|
|||||||
|
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$swan_ver_old" = "$SWAN_VER" ]; then
|
if [ "$swan_ver_old" = "$SWAN_VER" ]; then
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
Note: You already have Libreswan version $SWAN_VER installed!
|
Note: You already have Libreswan version $SWAN_VER installed!
|
||||||
@ -105,6 +107,7 @@ Note: You already have Libreswan version $SWAN_VER installed!
|
|||||||
|
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
printf "Do you want to continue? [Y/n] "
|
printf "Do you want to continue? [Y/n] "
|
||||||
read -r response
|
read -r response
|
||||||
case $response in
|
case $response in
|
||||||
@ -171,6 +174,7 @@ EOF
|
|||||||
set -x
|
set -x
|
||||||
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
|
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
|
||||||
)
|
)
|
||||||
|
|
||||||
cd /opt/src || exit 1
|
cd /opt/src || exit 1
|
||||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||||
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
||||||
@ -205,12 +209,14 @@ update_config() {
|
|||||||
bigecho "Updating VPN configuration..."
|
bigecho "Updating VPN configuration..."
|
||||||
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
||||||
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
||||||
|
|
||||||
dns_state=0
|
dns_state=0
|
||||||
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||||
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||||
[ -n "$DNS_SRV1" ] && dns_state=2
|
[ -n "$DNS_SRV1" ] && dns_state=2
|
||||||
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
|
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
|
||||||
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
|
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
|
||||||
|
|
||||||
sed -i".old-$SYS_DT" \
|
sed -i".old-$SYS_DT" \
|
||||||
-e "s/^[[:space:]]\+auth=/ phase2=/" \
|
-e "s/^[[:space:]]\+auth=/ phase2=/" \
|
||||||
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
|
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
|
||||||
@ -219,14 +225,17 @@ update_config() {
|
|||||||
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
|
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
|
||||||
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
|
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
|
||||||
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
|
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
|
||||||
|
|
||||||
if [ "$dns_state" = "1" ]; then
|
if [ "$dns_state" = "1" ]; then
|
||||||
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
|
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
|
||||||
-e "/modecfgdns2=/d" /etc/ipsec.conf
|
-e "/modecfgdns2=/d" /etc/ipsec.conf
|
||||||
elif [ "$dns_state" = "2" ]; then
|
elif [ "$dns_state" = "2" ]; then
|
||||||
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
|
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
|
||||||
fi
|
fi
|
||||||
|
|
||||||
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
||||||
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
|
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
|
||||||
|
|
||||||
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
|
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
|
||||||
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
|
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
|
||||||
fi
|
fi
|
||||||
@ -248,6 +257,7 @@ Libreswan $SWAN_VER has been successfully installed!
|
|||||||
================================================
|
================================================
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ "$dns_state" = "3" ]; then
|
if [ "$dns_state" = "3" ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
IMPORTANT: You must edit /etc/ipsec.conf and replace
|
IMPORTANT: You must edit /etc/ipsec.conf and replace
|
||||||
|
@ -116,6 +116,7 @@ Note: This script will make the following changes to your VPN configuration:
|
|||||||
Your other VPN config files will not be modified.
|
Your other VPN config files will not be modified.
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ "$SWAN_VER" != "$swan_ver_cur" ]; then
|
if [ "$SWAN_VER" != "$swan_ver_cur" ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
|
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
|
||||||
@ -124,6 +125,7 @@ WARNING: Older versions of Libreswan could contain known security vulnerabilitie
|
|||||||
|
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$swan_ver_old" = "$SWAN_VER" ]; then
|
if [ "$swan_ver_old" = "$SWAN_VER" ]; then
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
Note: You already have Libreswan version $SWAN_VER installed!
|
Note: You already have Libreswan version $SWAN_VER installed!
|
||||||
@ -131,6 +133,7 @@ Note: You already have Libreswan version $SWAN_VER installed!
|
|||||||
|
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
printf "Do you want to continue? [Y/n] "
|
printf "Do you want to continue? [Y/n] "
|
||||||
read -r response
|
read -r response
|
||||||
case $response in
|
case $response in
|
||||||
@ -221,6 +224,7 @@ EOF
|
|||||||
set -x
|
set -x
|
||||||
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
|
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
|
||||||
)
|
)
|
||||||
|
|
||||||
cd /opt/src || exit 1
|
cd /opt/src || exit 1
|
||||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||||
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
||||||
@ -255,12 +259,14 @@ update_config() {
|
|||||||
bigecho "Updating VPN configuration..."
|
bigecho "Updating VPN configuration..."
|
||||||
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
||||||
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
||||||
|
|
||||||
dns_state=0
|
dns_state=0
|
||||||
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||||
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||||
[ -n "$DNS_SRV1" ] && dns_state=2
|
[ -n "$DNS_SRV1" ] && dns_state=2
|
||||||
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
|
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
|
||||||
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
|
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
|
||||||
|
|
||||||
sed -i".old-$SYS_DT" \
|
sed -i".old-$SYS_DT" \
|
||||||
-e "s/^[[:space:]]\+auth=/ phase2=/" \
|
-e "s/^[[:space:]]\+auth=/ phase2=/" \
|
||||||
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
|
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
|
||||||
@ -269,14 +275,17 @@ update_config() {
|
|||||||
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
|
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
|
||||||
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
|
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
|
||||||
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
|
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
|
||||||
|
|
||||||
if [ "$dns_state" = "1" ]; then
|
if [ "$dns_state" = "1" ]; then
|
||||||
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
|
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
|
||||||
-e "/modecfgdns2=/d" /etc/ipsec.conf
|
-e "/modecfgdns2=/d" /etc/ipsec.conf
|
||||||
elif [ "$dns_state" = "2" ]; then
|
elif [ "$dns_state" = "2" ]; then
|
||||||
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
|
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
|
||||||
fi
|
fi
|
||||||
|
|
||||||
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
||||||
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
|
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
|
||||||
|
|
||||||
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
|
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
|
||||||
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
|
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
|
||||||
fi
|
fi
|
||||||
@ -298,6 +307,7 @@ Libreswan $SWAN_VER has been successfully installed!
|
|||||||
================================================
|
================================================
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ "$dns_state" = "3" ]; then
|
if [ "$dns_state" = "3" ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
IMPORTANT: You must edit /etc/ipsec.conf and replace
|
IMPORTANT: You must edit /etc/ipsec.conf and replace
|
||||||
|
@ -89,6 +89,7 @@ check_swan_ver() {
|
|||||||
if [ "$SWAN_VER" = "3.32" ] && [ "$os_ver" = "11" ]; then
|
if [ "$SWAN_VER" = "3.32" ] && [ "$os_ver" = "11" ]; then
|
||||||
exiterr "Libreswan 3.32 is not supported on Debian 11."
|
exiterr "Libreswan 3.32 is not supported on Debian 11."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$SWAN_VER" != "3.32" ] \
|
if [ "$SWAN_VER" != "3.32" ] \
|
||||||
&& { ! printf '%s\n%s' "4.1" "$SWAN_VER" | sort -C -V \
|
&& { ! printf '%s\n%s' "4.1" "$SWAN_VER" | sort -C -V \
|
||||||
|| ! printf '%s\n%s' "$SWAN_VER" "$swan_ver_cur" | sort -C -V; }; then
|
|| ! printf '%s\n%s' "$SWAN_VER" "$swan_ver_cur" | sort -C -V; }; then
|
||||||
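Review bot: the range test `printf '%s\n%s' "4.1" "$SWAN_VER" | sort -C -V` only establishes ordering; `sort -V` orders arbitrary strings, so a `SWAN_VER` such as `4.9x` (constructed example) or one containing `/` or `..` passes the check and is later used to build a filesystem path (`/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"`) and, presumably, the source download URL. Unless it is validated earlier in the script (not visible here), a shape check ahead of the comparison is cheap: `case "$SWAN_VER" in *[!0-9.]*) exiterr "Invalid Libreswan version: $SWAN_VER";; esac`. check_swan_ver() continues outside the hunk.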
@ -116,6 +117,7 @@ Note: This script will make the following changes to your VPN configuration:
|
|||||||
Your other VPN config files will not be modified.
|
Your other VPN config files will not be modified.
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ "$SWAN_VER" != "$swan_ver_cur" ]; then
|
if [ "$SWAN_VER" != "$swan_ver_cur" ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
|
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
|
||||||
@ -124,6 +126,7 @@ WARNING: Older versions of Libreswan could contain known security vulnerabilitie
|
|||||||
|
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$swan_ver_old" = "$SWAN_VER" ]; then
|
if [ "$swan_ver_old" = "$SWAN_VER" ]; then
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
Note: You already have Libreswan version $SWAN_VER installed!
|
Note: You already have Libreswan version $SWAN_VER installed!
|
||||||
@ -131,6 +134,7 @@ Note: You already have Libreswan version $SWAN_VER installed!
|
|||||||
|
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
printf "Do you want to continue? [Y/n] "
|
printf "Do you want to continue? [Y/n] "
|
||||||
read -r response
|
read -r response
|
||||||
case $response in
|
case $response in
|
||||||
@ -213,6 +217,7 @@ EOF
|
|||||||
set -x
|
set -x
|
||||||
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
|
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
|
||||||
)
|
)
|
||||||
|
|
||||||
cd /opt/src || exit 1
|
cd /opt/src || exit 1
|
||||||
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
|
||||||
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
||||||
@ -241,17 +246,20 @@ update_config() {
|
|||||||
bigecho "Updating VPN configuration..."
|
bigecho "Updating VPN configuration..."
|
||||||
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
||||||
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
||||||
|
|
||||||
if uname -m | grep -qi '^arm'; then
|
if uname -m | grep -qi '^arm'; then
|
||||||
if ! modprobe -q sha512; then
|
if ! modprobe -q sha512; then
|
||||||
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2"
|
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
dns_state=0
|
dns_state=0
|
||||||
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||||
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||||
[ -n "$DNS_SRV1" ] && dns_state=2
|
[ -n "$DNS_SRV1" ] && dns_state=2
|
||||||
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
|
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
|
||||||
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
|
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
|
||||||
|
|
||||||
sed -i".old-$SYS_DT" \
|
sed -i".old-$SYS_DT" \
|
||||||
-e "s/^[[:space:]]\+auth=/ phase2=/" \
|
-e "s/^[[:space:]]\+auth=/ phase2=/" \
|
||||||
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
|
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
|
||||||
@ -260,14 +268,17 @@ update_config() {
|
|||||||
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
|
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
|
||||||
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
|
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
|
||||||
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
|
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
|
||||||
|
|
||||||
if [ "$dns_state" = "1" ]; then
|
if [ "$dns_state" = "1" ]; then
|
||||||
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
|
sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
|
||||||
-e "/modecfgdns2=/d" /etc/ipsec.conf
|
-e "/modecfgdns2=/d" /etc/ipsec.conf
|
||||||
elif [ "$dns_state" = "2" ]; then
|
elif [ "$dns_state" = "2" ]; then
|
||||||
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
|
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
|
||||||
fi
|
fi
|
||||||
|
|
||||||
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
||||||
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
|
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
|
||||||
|
|
||||||
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
|
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
|
||||||
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
|
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
|
||||||
fi
|
fi
|
||||||
@ -289,6 +300,7 @@ Libreswan $SWAN_VER has been successfully installed!
|
|||||||
================================================
|
================================================
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ "$dns_state" = "3" ]; then
|
if [ "$dns_state" = "3" ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
IMPORTANT: You must edit /etc/ipsec.conf and replace
|
IMPORTANT: You must edit /etc/ipsec.conf and replace
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
#
|
#
|
||||||
# Script for automatic setup of an IPsec VPN server on Ubuntu, Debian, CentOS/RHEL,
|
# Script for automatic setup of an IPsec VPN server on Ubuntu, Debian, CentOS/RHEL,
|
||||||
# Rocky Linux, AlmaLinux, Oracle Linux, Amazon Linux 2 and Alpine Linux
|
# Rocky Linux, AlmaLinux, Oracle Linux, Amazon Linux 2 and Alpine Linux
|
||||||
|
# Works on any dedicated server or virtual private server (VPS)
|
||||||
#
|
#
|
||||||
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
|
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
|
||||||
#
|
#
|
||||||
@ -158,15 +159,19 @@ check_creds() {
|
|||||||
[ -n "$YOUR_IPSEC_PSK" ] && VPN_IPSEC_PSK="$YOUR_IPSEC_PSK"
|
[ -n "$YOUR_IPSEC_PSK" ] && VPN_IPSEC_PSK="$YOUR_IPSEC_PSK"
|
||||||
[ -n "$YOUR_USERNAME" ] && VPN_USER="$YOUR_USERNAME"
|
[ -n "$YOUR_USERNAME" ] && VPN_USER="$YOUR_USERNAME"
|
||||||
[ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD"
|
[ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD"
|
||||||
|
|
||||||
if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
|
if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
|
if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
|
||||||
exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
|
exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
|
if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
|
||||||
exiterr "VPN credentials must not contain non-ASCII characters."
|
exiterr "VPN credentials must not contain non-ASCII characters."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
|
case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
|
||||||
*[\\\"\']*)
|
*[\\\"\']*)
|
||||||
exiterr "VPN credentials must not contain these special characters: \\ \" '"
|
exiterr "VPN credentials must not contain these special characters: \\ \" '"
|
||||||
|
@ -1,6 +1,7 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
#
|
#
|
||||||
# Script for automatic setup of an IPsec VPN server on Alpine Linux
|
# Script for automatic setup of an IPsec VPN server on Alpine Linux
|
||||||
|
# Works on any dedicated server or virtual private server (VPS)
|
||||||
#
|
#
|
||||||
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
|
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
|
||||||
#
|
#
|
||||||
@ -284,6 +285,7 @@ EOF
|
|||||||
|
|
||||||
create_vpn_config() {
|
create_vpn_config() {
|
||||||
bigecho "Creating VPN configuration..."
|
bigecho "Creating VPN configuration..."
|
||||||
|
|
||||||
L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'}
|
L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'}
|
||||||
L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'}
|
L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'}
|
||||||
L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'}
|
L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'}
|
||||||
@ -293,6 +295,7 @@ create_vpn_config() {
|
|||||||
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
|
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
|
||||||
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
|
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
|
||||||
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
|
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
|
||||||
|
|
||||||
# Create IPsec config
|
# Create IPsec config
|
||||||
conf_bk "/etc/ipsec.conf"
|
conf_bk "/etc/ipsec.conf"
|
||||||
cat > /etc/ipsec.conf <<EOF
|
cat > /etc/ipsec.conf <<EOF
|
||||||
@ -343,16 +346,19 @@ conn xauth-psk
|
|||||||
|
|
||||||
include /etc/ipsec.d/*.conf
|
include /etc/ipsec.d/*.conf
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if uname -m | grep -qi '^arm'; then
|
if uname -m | grep -qi '^arm'; then
|
||||||
if ! modprobe -q sha512; then
|
if ! modprobe -q sha512; then
|
||||||
sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
|
sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Specify IPsec PSK
|
# Specify IPsec PSK
|
||||||
conf_bk "/etc/ipsec.secrets"
|
conf_bk "/etc/ipsec.secrets"
|
||||||
cat > /etc/ipsec.secrets <<EOF
|
cat > /etc/ipsec.secrets <<EOF
|
||||||
%any %any : PSK "$VPN_IPSEC_PSK"
|
%any %any : PSK "$VPN_IPSEC_PSK"
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Create xl2tpd config
|
# Create xl2tpd config
|
||||||
conf_bk "/etc/xl2tpd/xl2tpd.conf"
|
conf_bk "/etc/xl2tpd/xl2tpd.conf"
|
||||||
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
|
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
|
||||||
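Review bot: `cat > /etc/ipsec.secrets <<EOF` writes the PSK through the default umask; the `chmod 600 /etc/ipsec.secrets* …` that tightens it lives in start_services(), so if the file does not already exist with restrictive permissions there is a window in which the secret is readable by other local users. The same applies to /etc/ppp/chap-secrets and /etc/ipsec.d/passwd in the next hunk, and to the `@@ -345,11 +348,13 @@` and `@@ -382,16 +388,19 @@` hunks of the Amazon Linux script. Writing each secrets file under a tight umask, e.g. `(umask 077; cat > /etc/ipsec.secrets <<EOF … EOF)`, closes the window without relying on the later chmod; a blanket `umask 077` at the top of create_vpn_config() also works if the non-secret config files do not need to stay world-readable. create_vpn_config() begins and ends outside this hunk.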
@ -369,6 +375,7 @@ name = l2tpd
|
|||||||
pppoptfile = /etc/ppp/options.xl2tpd
|
pppoptfile = /etc/ppp/options.xl2tpd
|
||||||
length bit = yes
|
length bit = yes
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Set xl2tpd options
|
# Set xl2tpd options
|
||||||
conf_bk "/etc/ppp/options.xl2tpd"
|
conf_bk "/etc/ppp/options.xl2tpd"
|
||||||
cat > /etc/ppp/options.xl2tpd <<EOF
|
cat > /etc/ppp/options.xl2tpd <<EOF
|
||||||
@ -385,16 +392,19 @@ lcp-echo-interval 30
|
|||||||
connect-delay 5000
|
connect-delay 5000
|
||||||
ms-dns $DNS_SRV1
|
ms-dns $DNS_SRV1
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
|
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
|
||||||
cat >> /etc/ppp/options.xl2tpd <<EOF
|
cat >> /etc/ppp/options.xl2tpd <<EOF
|
||||||
ms-dns $DNS_SRV2
|
ms-dns $DNS_SRV2
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Create VPN credentials
|
# Create VPN credentials
|
||||||
conf_bk "/etc/ppp/chap-secrets"
|
conf_bk "/etc/ppp/chap-secrets"
|
||||||
cat > /etc/ppp/chap-secrets <<EOF
|
cat > /etc/ppp/chap-secrets <<EOF
|
||||||
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
|
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
conf_bk "/etc/ipsec.d/passwd"
|
conf_bk "/etc/ipsec.d/passwd"
|
||||||
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
|
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
|
||||||
cat > /etc/ipsec.d/passwd <<EOF
|
cat > /etc/ipsec.d/passwd <<EOF
|
||||||
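Review bot: `VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")` puts the clear-text password on openssl's command line, where it is visible in `ps` and `/proc/*/cmdline` to every local user for the duration of the call. Feeding it on stdin avoids that: `VPN_PASSWORD_ENC=$(printf '%s\n' "$VPN_PASSWORD" | openssl passwd -1 -stdin)`. `-1` is MD5-crypt; if the XAUTH backend's crypt() accepts it (not visible here), `-6` (SHA-512 crypt) would be the stronger hash for /etc/ipsec.d/passwd. The same line is in the `@@ -382,16 +388,19 @@` hunk of the Amazon Linux script; create_vpn_config() continues outside this hunk.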
@ -437,6 +447,7 @@ update_iptables() {
|
|||||||
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
|
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
|
||||||
ipt_flag=1
|
ipt_flag=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ipi='iptables -I INPUT'
|
ipi='iptables -I INPUT'
|
||||||
ipf='iptables -I FORWARD'
|
ipf='iptables -I FORWARD'
|
||||||
ipp='iptables -t nat -I POSTROUTING'
|
ipp='iptables -t nat -I POSTROUTING'
|
||||||
@ -474,6 +485,7 @@ iptables-restore < /etc/iptables.rules
|
|||||||
exit 0
|
exit 0
|
||||||
EOF
|
EOF
|
||||||
chmod +x /etc/network/if-pre-up.d/iptablesload
|
chmod +x /etc/network/if-pre-up.d/iptablesload
|
||||||
|
|
||||||
sed -i '1c\#!/sbin/openrc-run' /etc/init.d/ipsec
|
sed -i '1c\#!/sbin/openrc-run' /etc/init.d/ipsec
|
||||||
for svc in fail2ban ipsec xl2tpd; do
|
for svc in fail2ban ipsec xl2tpd; do
|
||||||
rc-update add "$svc" default >/dev/null
|
rc-update add "$svc" default >/dev/null
|
||||||
@ -483,11 +495,14 @@ EOF
|
|||||||
start_services() {
|
start_services() {
|
||||||
bigecho "Starting services..."
|
bigecho "Starting services..."
|
||||||
sysctl -e -q -p
|
sysctl -e -q -p
|
||||||
|
|
||||||
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
||||||
|
|
||||||
mkdir -p /run/pluto
|
mkdir -p /run/pluto
|
||||||
service fail2ban restart >/dev/null 2>&1
|
service fail2ban restart >/dev/null 2>&1
|
||||||
service ipsec restart >/dev/null 2>&1
|
service ipsec restart >/dev/null 2>&1
|
||||||
service xl2tpd restart >/dev/null 2>&1
|
service xl2tpd restart >/dev/null 2>&1
|
||||||
|
|
||||||
mkdir -p /etc/crontabs
|
mkdir -p /etc/crontabs
|
||||||
cron_cmd="rc-service -c ipsec zap start"
|
cron_cmd="rc-service -c ipsec zap start"
|
||||||
if ! grep -qs "$cron_cmd" /etc/crontabs/root; then
|
if ! grep -qs "$cron_cmd" /etc/crontabs/root; then
|
||||||
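Review bot: `service ipsec restart >/dev/null 2>&1` and `service xl2tpd restart >/dev/null 2>&1` discard both output and exit status, so a daemon that fails to start (for instance because the freshly written /etc/ipsec.conf is rejected) goes unreported and the script presumably carries on to its success message. Checking at least the two VPN daemons is a one-line change each, e.g. `service ipsec restart >/dev/null 2>&1 || exiterr "Failed to start the IPsec service."`; leaving fail2ban best-effort is reasonable if it is optional. The `chmod 600` with `*` globs deserves a short comment so the intent survives, e.g. `# also covers the backup copies of the secrets files`. start_services() continues outside the hunk.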
|
@ -1,6 +1,7 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
#
|
#
|
||||||
# Script for automatic setup of an IPsec VPN server on Amazon Linux 2
|
# Script for automatic setup of an IPsec VPN server on Amazon Linux 2
|
||||||
|
# Works on any dedicated server or virtual private server (VPS)
|
||||||
#
|
#
|
||||||
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
|
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
|
||||||
#
|
#
|
||||||
@ -286,6 +287,7 @@ EOF
|
|||||||
|
|
||||||
create_vpn_config() {
|
create_vpn_config() {
|
||||||
bigecho "Creating VPN configuration..."
|
bigecho "Creating VPN configuration..."
|
||||||
|
|
||||||
L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'}
|
L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'}
|
||||||
L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'}
|
L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'}
|
||||||
L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'}
|
L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'}
|
||||||
@ -295,6 +297,7 @@ create_vpn_config() {
|
|||||||
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
|
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
|
||||||
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
|
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
|
||||||
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
|
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
|
||||||
|
|
||||||
# Create IPsec config
|
# Create IPsec config
|
||||||
conf_bk "/etc/ipsec.conf"
|
conf_bk "/etc/ipsec.conf"
|
||||||
cat > /etc/ipsec.conf <<EOF
|
cat > /etc/ipsec.conf <<EOF
|
||||||
@ -345,11 +348,13 @@ conn xauth-psk
|
|||||||
|
|
||||||
include /etc/ipsec.d/*.conf
|
include /etc/ipsec.d/*.conf
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Specify IPsec PSK
|
# Specify IPsec PSK
|
||||||
conf_bk "/etc/ipsec.secrets"
|
conf_bk "/etc/ipsec.secrets"
|
||||||
cat > /etc/ipsec.secrets <<EOF
|
cat > /etc/ipsec.secrets <<EOF
|
||||||
%any %any : PSK "$VPN_IPSEC_PSK"
|
%any %any : PSK "$VPN_IPSEC_PSK"
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Create xl2tpd config
|
# Create xl2tpd config
|
||||||
conf_bk "/etc/xl2tpd/xl2tpd.conf"
|
conf_bk "/etc/xl2tpd/xl2tpd.conf"
|
||||||
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
|
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
|
||||||
@ -366,6 +371,7 @@ name = l2tpd
|
|||||||
pppoptfile = /etc/ppp/options.xl2tpd
|
pppoptfile = /etc/ppp/options.xl2tpd
|
||||||
length bit = yes
|
length bit = yes
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Set xl2tpd options
|
# Set xl2tpd options
|
||||||
conf_bk "/etc/ppp/options.xl2tpd"
|
conf_bk "/etc/ppp/options.xl2tpd"
|
||||||
cat > /etc/ppp/options.xl2tpd <<EOF
|
cat > /etc/ppp/options.xl2tpd <<EOF
|
||||||
@ -382,16 +388,19 @@ lcp-echo-interval 30
|
|||||||
connect-delay 5000
|
connect-delay 5000
|
||||||
ms-dns $DNS_SRV1
|
ms-dns $DNS_SRV1
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
|
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
|
||||||
cat >> /etc/ppp/options.xl2tpd <<EOF
|
cat >> /etc/ppp/options.xl2tpd <<EOF
|
||||||
ms-dns $DNS_SRV2
|
ms-dns $DNS_SRV2
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Create VPN credentials
|
# Create VPN credentials
|
||||||
conf_bk "/etc/ppp/chap-secrets"
|
conf_bk "/etc/ppp/chap-secrets"
|
||||||
cat > /etc/ppp/chap-secrets <<EOF
|
cat > /etc/ppp/chap-secrets <<EOF
|
||||||
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
|
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
conf_bk "/etc/ipsec.d/passwd"
|
conf_bk "/etc/ipsec.d/passwd"
|
||||||
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
|
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
|
||||||
cat > /etc/ipsec.d/passwd <<EOF
|
cat > /etc/ipsec.d/passwd <<EOF
|
||||||
@ -448,6 +457,7 @@ update_iptables() {
|
|||||||
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
|
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
|
||||||
ipt_flag=1
|
ipt_flag=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ipi='iptables -I INPUT'
|
ipi='iptables -I INPUT'
|
||||||
ipf='iptables -I FORWARD'
|
ipf='iptables -I FORWARD'
|
||||||
ipp='iptables -t nat -I POSTROUTING'
|
ipp='iptables -t nat -I POSTROUTING'
|
||||||
@ -480,6 +490,7 @@ enable_on_boot() {
|
|||||||
bigecho "Enabling services on boot..."
|
bigecho "Enabling services on boot..."
|
||||||
systemctl --now mask firewalld 2>/dev/null
|
systemctl --now mask firewalld 2>/dev/null
|
||||||
systemctl enable iptables fail2ban 2>/dev/null
|
systemctl enable iptables fail2ban 2>/dev/null
|
||||||
|
|
||||||
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
|
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
|
||||||
if [ -f /etc/rc.local ]; then
|
if [ -f /etc/rc.local ]; then
|
||||||
conf_bk "/etc/rc.local"
|
conf_bk "/etc/rc.local"
|
||||||
@ -500,17 +511,22 @@ EOF
|
|||||||
start_services() {
|
start_services() {
|
||||||
bigecho "Starting services..."
|
bigecho "Starting services..."
|
||||||
sysctl -e -q -p
|
sysctl -e -q -p
|
||||||
|
|
||||||
chmod +x /etc/rc.local
|
chmod +x /etc/rc.local
|
||||||
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
||||||
|
|
||||||
restorecon /etc/ipsec.d/*db 2>/dev/null
|
restorecon /etc/ipsec.d/*db 2>/dev/null
|
||||||
restorecon /usr/local/sbin -Rv 2>/dev/null
|
restorecon /usr/local/sbin -Rv 2>/dev/null
|
||||||
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
|
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
|
||||||
|
|
||||||
iptables-restore < "$IPT_FILE"
|
iptables-restore < "$IPT_FILE"
|
||||||
|
|
||||||
# Fix xl2tpd if l2tp_ppp is unavailable
|
# Fix xl2tpd if l2tp_ppp is unavailable
|
||||||
if ! modprobe -q l2tp_ppp; then
|
if ! modprobe -q l2tp_ppp; then
|
||||||
sed -i '/^ExecStartPre=\//s/=/=-/' /usr/lib/systemd/system/xl2tpd.service
|
sed -i '/^ExecStartPre=\//s/=/=-/' /usr/lib/systemd/system/xl2tpd.service
|
||||||
systemctl daemon-reload
|
systemctl daemon-reload
|
||||||
fi
|
fi
|
||||||
|
|
||||||
mkdir -p /run/pluto
|
mkdir -p /run/pluto
|
||||||
service fail2ban restart 2>/dev/null
|
service fail2ban restart 2>/dev/null
|
||||||
service ipsec restart 2>/dev/null
|
service ipsec restart 2>/dev/null
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
#
|
#
|
||||||
# Script for automatic setup of an IPsec VPN server on CentOS/RHEL, Rocky Linux,
|
# Script for automatic setup of an IPsec VPN server on CentOS/RHEL, Rocky Linux,
|
||||||
# AlmaLinux and Oracle Linux
|
# AlmaLinux and Oracle Linux
|
||||||
|
# Works on any dedicated server or virtual private server (VPS)
|
||||||
#
|
#
|
||||||
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
|
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
|
||||||
#
|
#
|
||||||
@ -357,6 +358,7 @@ EOF
|
|||||||
|
|
||||||
create_vpn_config() {
|
create_vpn_config() {
|
||||||
bigecho "Creating VPN configuration..."
|
bigecho "Creating VPN configuration..."
|
||||||
|
|
||||||
L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'}
|
L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'}
|
||||||
L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'}
|
L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'}
|
||||||
L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'}
|
L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'}
|
||||||
@ -366,6 +368,7 @@ create_vpn_config() {
|
|||||||
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
|
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
|
||||||
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
|
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
|
||||||
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
|
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
|
||||||
|
|
||||||
# Create IPsec config
|
# Create IPsec config
|
||||||
conf_bk "/etc/ipsec.conf"
|
conf_bk "/etc/ipsec.conf"
|
||||||
cat > /etc/ipsec.conf <<EOF
|
cat > /etc/ipsec.conf <<EOF
|
||||||
@ -416,11 +419,13 @@ conn xauth-psk
|
|||||||
|
|
||||||
include /etc/ipsec.d/*.conf
|
include /etc/ipsec.d/*.conf
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Specify IPsec PSK
|
# Specify IPsec PSK
|
||||||
conf_bk "/etc/ipsec.secrets"
|
conf_bk "/etc/ipsec.secrets"
|
||||||
cat > /etc/ipsec.secrets <<EOF
|
cat > /etc/ipsec.secrets <<EOF
|
||||||
%any %any : PSK "$VPN_IPSEC_PSK"
|
%any %any : PSK "$VPN_IPSEC_PSK"
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Create xl2tpd config
|
# Create xl2tpd config
|
||||||
conf_bk "/etc/xl2tpd/xl2tpd.conf"
|
conf_bk "/etc/xl2tpd/xl2tpd.conf"
|
||||||
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
|
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
|
||||||
@ -437,6 +442,7 @@ name = l2tpd
|
|||||||
pppoptfile = /etc/ppp/options.xl2tpd
|
pppoptfile = /etc/ppp/options.xl2tpd
|
||||||
length bit = yes
|
length bit = yes
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Set xl2tpd options
|
# Set xl2tpd options
|
||||||
conf_bk "/etc/ppp/options.xl2tpd"
|
conf_bk "/etc/ppp/options.xl2tpd"
|
||||||
cat > /etc/ppp/options.xl2tpd <<EOF
|
cat > /etc/ppp/options.xl2tpd <<EOF
|
||||||
@ -453,16 +459,19 @@ lcp-echo-interval 30
|
|||||||
connect-delay 5000
|
connect-delay 5000
|
||||||
ms-dns $DNS_SRV1
|
ms-dns $DNS_SRV1
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
|
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
|
||||||
cat >> /etc/ppp/options.xl2tpd <<EOF
|
cat >> /etc/ppp/options.xl2tpd <<EOF
|
||||||
ms-dns $DNS_SRV2
|
ms-dns $DNS_SRV2
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Create VPN credentials
|
# Create VPN credentials
|
||||||
conf_bk "/etc/ppp/chap-secrets"
|
conf_bk "/etc/ppp/chap-secrets"
|
||||||
cat > /etc/ppp/chap-secrets <<EOF
|
cat > /etc/ppp/chap-secrets <<EOF
|
||||||
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
|
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
conf_bk "/etc/ipsec.d/passwd"
|
conf_bk "/etc/ipsec.d/passwd"
|
||||||
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
|
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
|
||||||
cat > /etc/ipsec.d/passwd <<EOF
|
cat > /etc/ipsec.d/passwd <<EOF
|
||||||
@ -530,6 +539,7 @@ update_iptables() {
|
|||||||
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
|
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
|
||||||
ipt_flag=1
|
ipt_flag=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ipi='iptables -I INPUT'
|
ipi='iptables -I INPUT'
|
||||||
ipf='iptables -I FORWARD'
|
ipf='iptables -I FORWARD'
|
||||||
ipp='iptables -t nat -I POSTROUTING'
|
ipp='iptables -t nat -I POSTROUTING'
|
||||||
@ -603,6 +613,7 @@ enable_on_boot() {
|
|||||||
else
|
else
|
||||||
systemctl enable iptables fail2ban 2>/dev/null
|
systemctl enable iptables fail2ban 2>/dev/null
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
|
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
|
||||||
if [ -f /etc/rc.local ]; then
|
if [ -f /etc/rc.local ]; then
|
||||||
conf_bk "/etc/rc.local"
|
conf_bk "/etc/rc.local"
|
||||||
@ -623,21 +634,26 @@ EOF
|
|||||||
start_services() {
|
start_services() {
|
||||||
bigecho "Starting services..."
|
bigecho "Starting services..."
|
||||||
sysctl -e -q -p
|
sysctl -e -q -p
|
||||||
|
|
||||||
chmod +x /etc/rc.local
|
chmod +x /etc/rc.local
|
||||||
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
||||||
|
|
||||||
restorecon /etc/ipsec.d/*db 2>/dev/null
|
restorecon /etc/ipsec.d/*db 2>/dev/null
|
||||||
restorecon /usr/local/sbin -Rv 2>/dev/null
|
restorecon /usr/local/sbin -Rv 2>/dev/null
|
||||||
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
|
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
|
||||||
|
|
||||||
if [ "$use_nft" = "1" ]; then
|
if [ "$use_nft" = "1" ]; then
|
||||||
nft -f "$IPT_FILE"
|
nft -f "$IPT_FILE"
|
||||||
else
|
else
|
||||||
iptables-restore < "$IPT_FILE"
|
iptables-restore < "$IPT_FILE"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Fix xl2tpd if l2tp_ppp is unavailable
|
# Fix xl2tpd if l2tp_ppp is unavailable
|
||||||
if ! modprobe -q l2tp_ppp; then
|
if ! modprobe -q l2tp_ppp; then
|
||||||
sed -i '/^ExecStartPre=\//s/=/=-/' /usr/lib/systemd/system/xl2tpd.service
|
sed -i '/^ExecStartPre=\//s/=/=-/' /usr/lib/systemd/system/xl2tpd.service
|
||||||
systemctl daemon-reload
|
systemctl daemon-reload
|
||||||
fi
|
fi
|
||||||
|
|
||||||
mkdir -p /run/pluto
|
mkdir -p /run/pluto
|
||||||
service fail2ban restart 2>/dev/null
|
service fail2ban restart 2>/dev/null
|
||||||
service ipsec restart 2>/dev/null
|
service ipsec restart 2>/dev/null
|
||||||
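Review bot: In create_vpn_config, /etc/ipsec.secrets, /etc/ppp/chap-secrets and /etc/ipsec.d/passwd are written with `cat > …` under the caller's umask, and only tightened to 0600 much later in start_services, so with a typical 022 umask the IPsec PSK and the plaintext VPN password are world-readable between those two points (and stay so if the script aborts in between). Adding `umask 077` at the start of create_vpn_config, or creating each file with `install -m 600 /dev/null /etc/ipsec.secrets` before its heredoc, closes that window; the later chmod can remain as a belt-and-braces step. This appears to predate the commit, which seems to add only the header comment and blank lines. create_vpn_config continues past the last hunk (the /etc/ipsec.d/passwd heredoc is cut off).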
|
@ -1,6 +1,7 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
#
|
#
|
||||||
# Script for automatic setup of an IPsec VPN server on Ubuntu and Debian
|
# Script for automatic setup of an IPsec VPN server on Ubuntu and Debian
|
||||||
|
# Works on any dedicated server or virtual private server (VPS)
|
||||||
#
|
#
|
||||||
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
|
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
|
||||||
#
|
#
|
||||||
@ -334,6 +335,7 @@ EOF
|
|||||||
|
|
||||||
create_vpn_config() {
|
create_vpn_config() {
|
||||||
bigecho "Creating VPN configuration..."
|
bigecho "Creating VPN configuration..."
|
||||||
|
|
||||||
L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'}
|
L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'}
|
||||||
L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'}
|
L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'}
|
||||||
L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'}
|
L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'}
|
||||||
@ -343,6 +345,7 @@ create_vpn_config() {
|
|||||||
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
|
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
|
||||||
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
|
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
|
||||||
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
|
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
|
||||||
|
|
||||||
# Create IPsec config
|
# Create IPsec config
|
||||||
conf_bk "/etc/ipsec.conf"
|
conf_bk "/etc/ipsec.conf"
|
||||||
cat > /etc/ipsec.conf <<EOF
|
cat > /etc/ipsec.conf <<EOF
|
||||||
@ -393,16 +396,19 @@ conn xauth-psk
|
|||||||
|
|
||||||
include /etc/ipsec.d/*.conf
|
include /etc/ipsec.d/*.conf
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if uname -m | grep -qi '^arm'; then
|
if uname -m | grep -qi '^arm'; then
|
||||||
if ! modprobe -q sha512; then
|
if ! modprobe -q sha512; then
|
||||||
sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
|
sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Specify IPsec PSK
|
# Specify IPsec PSK
|
||||||
conf_bk "/etc/ipsec.secrets"
|
conf_bk "/etc/ipsec.secrets"
|
||||||
cat > /etc/ipsec.secrets <<EOF
|
cat > /etc/ipsec.secrets <<EOF
|
||||||
%any %any : PSK "$VPN_IPSEC_PSK"
|
%any %any : PSK "$VPN_IPSEC_PSK"
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Create xl2tpd config
|
# Create xl2tpd config
|
||||||
conf_bk "/etc/xl2tpd/xl2tpd.conf"
|
conf_bk "/etc/xl2tpd/xl2tpd.conf"
|
||||||
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
|
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
|
||||||
@ -419,6 +425,7 @@ name = l2tpd
|
|||||||
pppoptfile = /etc/ppp/options.xl2tpd
|
pppoptfile = /etc/ppp/options.xl2tpd
|
||||||
length bit = yes
|
length bit = yes
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Set xl2tpd options
|
# Set xl2tpd options
|
||||||
conf_bk "/etc/ppp/options.xl2tpd"
|
conf_bk "/etc/ppp/options.xl2tpd"
|
||||||
cat > /etc/ppp/options.xl2tpd <<EOF
|
cat > /etc/ppp/options.xl2tpd <<EOF
|
||||||
@ -435,16 +442,19 @@ lcp-echo-interval 30
|
|||||||
connect-delay 5000
|
connect-delay 5000
|
||||||
ms-dns $DNS_SRV1
|
ms-dns $DNS_SRV1
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
|
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
|
||||||
cat >> /etc/ppp/options.xl2tpd <<EOF
|
cat >> /etc/ppp/options.xl2tpd <<EOF
|
||||||
ms-dns $DNS_SRV2
|
ms-dns $DNS_SRV2
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Create VPN credentials
|
# Create VPN credentials
|
||||||
conf_bk "/etc/ppp/chap-secrets"
|
conf_bk "/etc/ppp/chap-secrets"
|
||||||
cat > /etc/ppp/chap-secrets <<EOF
|
cat > /etc/ppp/chap-secrets <<EOF
|
||||||
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
|
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
conf_bk "/etc/ipsec.d/passwd"
|
conf_bk "/etc/ipsec.d/passwd"
|
||||||
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
|
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
|
||||||
cat > /etc/ipsec.d/passwd <<EOF
|
cat > /etc/ipsec.d/passwd <<EOF
|
||||||
@ -488,6 +498,7 @@ update_iptables() {
|
|||||||
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
|
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
|
||||||
ipt_flag=1
|
ipt_flag=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ipi='iptables -I INPUT'
|
ipi='iptables -I INPUT'
|
||||||
ipf='iptables -I FORWARD'
|
ipf='iptables -I FORWARD'
|
||||||
ipp='iptables -t nat -I POSTROUTING'
|
ipp='iptables -t nat -I POSTROUTING'
|
||||||
@ -513,6 +524,7 @@ update_iptables() {
|
|||||||
$ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
|
$ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
|
||||||
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
|
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
|
||||||
iptables-save >> "$IPT_FILE"
|
iptables-save >> "$IPT_FILE"
|
||||||
|
|
||||||
if [ -f "$IPT_FILE2" ]; then
|
if [ -f "$IPT_FILE2" ]; then
|
||||||
conf_bk "$IPT_FILE2"
|
conf_bk "$IPT_FILE2"
|
||||||
/bin/cp -f "$IPT_FILE" "$IPT_FILE2"
|
/bin/cp -f "$IPT_FILE" "$IPT_FILE2"
|
||||||
@ -543,6 +555,7 @@ enable_on_boot() {
|
|||||||
if [ -f "$IPT_FILE2" ] && { [ -f "$IPT_PST" ] || [ -f "$IPT_PST2" ]; }; then
|
if [ -f "$IPT_FILE2" ] && { [ -f "$IPT_PST" ] || [ -f "$IPT_PST2" ]; }; then
|
||||||
ipt_load=0
|
ipt_load=0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$ipt_load" = "1" ]; then
|
if [ "$ipt_load" = "1" ]; then
|
||||||
mkdir -p /etc/network/if-pre-up.d
|
mkdir -p /etc/network/if-pre-up.d
|
||||||
cat > /etc/network/if-pre-up.d/iptablesload <<'EOF'
|
cat > /etc/network/if-pre-up.d/iptablesload <<'EOF'
|
||||||
@ -551,6 +564,7 @@ iptables-restore < /etc/iptables.rules
|
|||||||
exit 0
|
exit 0
|
||||||
EOF
|
EOF
|
||||||
chmod +x /etc/network/if-pre-up.d/iptablesload
|
chmod +x /etc/network/if-pre-up.d/iptablesload
|
||||||
|
|
||||||
if [ -f /usr/sbin/netplan ]; then
|
if [ -f /usr/sbin/netplan ]; then
|
||||||
mkdir -p /etc/systemd/system
|
mkdir -p /etc/systemd/system
|
||||||
cat > /etc/systemd/system/load-iptables-rules.service <<'EOF'
|
cat > /etc/systemd/system/load-iptables-rules.service <<'EOF'
|
||||||
@ -574,10 +588,12 @@ EOF
|
|||||||
systemctl enable load-iptables-rules 2>/dev/null
|
systemctl enable load-iptables-rules 2>/dev/null
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
for svc in fail2ban ipsec xl2tpd; do
|
for svc in fail2ban ipsec xl2tpd; do
|
||||||
update-rc.d "$svc" enable >/dev/null 2>&1
|
update-rc.d "$svc" enable >/dev/null 2>&1
|
||||||
systemctl enable "$svc" 2>/dev/null
|
systemctl enable "$svc" 2>/dev/null
|
||||||
done
|
done
|
||||||
|
|
||||||
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
|
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
|
||||||
if [ -f /etc/rc.local ]; then
|
if [ -f /etc/rc.local ]; then
|
||||||
conf_bk "/etc/rc.local"
|
conf_bk "/etc/rc.local"
|
||||||
@ -600,8 +616,10 @@ EOF
|
|||||||
start_services() {
|
start_services() {
|
||||||
bigecho "Starting services..."
|
bigecho "Starting services..."
|
||||||
sysctl -e -q -p
|
sysctl -e -q -p
|
||||||
|
|
||||||
chmod +x /etc/rc.local
|
chmod +x /etc/rc.local
|
||||||
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
||||||
|
|
||||||
mkdir -p /run/pluto
|
mkdir -p /run/pluto
|
||||||
service fail2ban restart 2>/dev/null
|
service fail2ban restart 2>/dev/null
|
||||||
service ipsec restart 2>/dev/null
|
service ipsec restart 2>/dev/null
|
||||||
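Review bot: `VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")` hashes the XAUTH password for /etc/ipsec.d/passwd with MD5-crypt, a fast and long-deprecated scheme; the same line is present in the CentOS and Amazon Linux scripts in this compare. If the libreswan builds on the supported releases accept crypt(3) SHA-512 strings (glibc does; worth confirming on the oldest target), `openssl passwd -6` is a drop-in replacement. The password is also passed as a command-line argument, so it is briefly visible in `ps`/`/proc` on a shared host; `VPN_PASSWORD_ENC=$(printf '%s\n' "$VPN_PASSWORD" | openssl passwd -6 -stdin)` avoids both issues. create_vpn_config continues past the hunk, so the heredoc that consumes this value is not visible here.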
|