1
0
mirror of synced 2024-11-30 08:36:04 +03:00
setup-ipsec-vpn/.github/workflows/main.yml
2021-01-19 01:42:13 -06:00

450 lines
13 KiB
YAML

name: vpn test
on:
push:
branches: [master]
paths:
- '**.sh'
- '.github/workflows/main.yml'
schedule:
- cron: '25 2 * * 0,4'
jobs:
shellcheck:
runs-on: ubuntu-20.04
if: github.repository_owner == 'hwdsl2' && github.event_name == 'push'
steps:
- uses: actions/checkout@v2
with:
persist-credentials: false
- name: Check
if: success()
run: |
if [ ! -x /usr/bin/shellcheck ]; then
export DEBIAN_FRONTEND=noninteractive
sudo apt-get -yq update
sudo apt-get -yq install shellcheck
fi
cd "$GITHUB_WORKSPACE"
pwd
ls -ld vpnsetup.sh
export SHELLCHECK_OPTS="-e SC1091,SC1117"
shellcheck --version
shopt -s globstar
ls -ld -- **/*.sh
shellcheck **/*.sh
test_set_1:
runs-on: ubuntu-20.04
if: github.repository_owner == 'hwdsl2'
strategy:
matrix:
os_version: ["centos:8", "centos:7", "amazonlinux:2", "ubuntu:16.04"]
fail-fast: false
env:
OS_VERSION: ${{ matrix.os_version }}
EVENT_NAME: ${{ github.event_name }}
steps:
- name: Build
run: |
if [ "$EVENT_NAME" = "push" ]; then
echo "Waiting 60 seconds..."
sleep 60
fi
mkdir -p "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}"
cd "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}"
cat > run.sh <<'EOF'
#!/bin/bash
set -e
trap 'catch $? $LINENO' ERR
catch() {
echo "Error $1 occurred on line $2."
cat -n -- "$0" | tail -n+"$(($2 - 3))" | head -n7
exit 1
}
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
yum -y update
yum -y -q install wget rsyslog
systemctl start rsyslog
if [ "$1" = "centos" ]; then
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-centos
else
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-amzn
fi
else
export DEBIAN_FRONTEND=noninteractive
apt-get -yq update
apt-get -yq dist-upgrade
apt-get -yq install wget rsyslog
service rsyslog start
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup
fi
sed -i '/swan_ver_url/s/^/#/' vpnsetup.sh
sh vpnsetup.sh
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
systemctl start ipsec
systemctl start xl2tpd
sleep 5
systemctl restart fail2ban
else
sleep 5
service fail2ban restart
fi
sleep 5
netstat -anpu | grep pluto
netstat -anpu | grep xl2tpd
iptables -nL
iptables -nL | grep -q '192\.168\.42\.0/24'
iptables -nL -t nat
iptables -nL -t nat | grep -q '192\.168\.43\.0/24'
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
grep pluto /var/log/secure
grep xl2tpd /var/log/messages
else
grep pluto /var/log/auth.log
grep xl2tpd /var/log/syslog
fi
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
cat /var/log/fail2ban.log
grep -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log
VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
VPN_USER='your_vpn_username' \
VPN_PASSWORD='your_vpn_password' \
sh vpnsetup.sh
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
systemctl restart ipsec
fi
sleep 10
grep "your_ipsec_pre_shared_key" /etc/ipsec.secrets
grep "your_vpn_username" /etc/ppp/chap-secrets
grep "your_vpn_password" /etc/ppp/chap-secrets
grep "your_vpn_username" /etc/ipsec.d/passwd
wget -t 3 -T 30 -nv -O ikev2.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/ikev2setup.sh # hwdsl2
sed -i '/swan_ver_latest=/s/^/#/' ikev2.sh
bash ikev2.sh <<ANSWERS
y
ANSWERS
ls -ld /etc/ipsec.d/vpnclient-*.mobileconfig
ls -ld /etc/ipsec.d/vpnclient-*.p12
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
systemctl restart ipsec
sleep 10
grep pluto /var/log/secure | tail -n 20
else
sleep 10
grep pluto /var/log/auth.log | tail -n 20
fi
ipsec status
ipsec status | grep -q ikev2-cp
bash ikev2.sh <<ANSWERS
1
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2-*.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2-*.p12
rm -f /etc/ipsec.d/vpnclient2-*
bash ikev2.sh <<ANSWERS
2
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2-*.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2-*.p12
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
sed -i '/pluto/d' /var/log/secure
pkill -HUP rsyslog
if [ "$1" = "centos" ]; then
wget -t 3 -T 30 -nv -O vpnupgrade.sh https://git.io/vpnupgrade-centos
else
wget -t 3 -T 30 -nv -O vpnupgrade.sh https://git.io/vpnupgrade-amzn
fi
else
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
wget -t 3 -T 30 -nv -O vpnupgrade.sh https://git.io/vpnupgrade
fi
sed -i '/swan_ver_url/s/^/#/' vpnupgrade.sh
sed -i '/^SWAN_VER=/s/4.1/3.32/' vpnupgrade.sh
sh vpnupgrade.sh <<ANSWERS
y
ANSWERS
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
systemctl restart ipsec
sleep 10
grep pluto /var/log/secure
else
sleep 10
grep pluto /var/log/auth.log
fi
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
sed -i '/pluto/d' /var/log/secure
pkill -HUP rsyslog
else
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
fi
sed -i '/^SWAN_VER=/s/3.32/4.1/' vpnupgrade.sh
sh vpnupgrade.sh <<ANSWERS
y
ANSWERS
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
systemctl restart ipsec
sleep 10
grep pluto /var/log/secure
else
sleep 10
grep pluto /var/log/auth.log
fi
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
bash ikev2.sh <<ANSWERS
3
y
ANSWERS
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
systemctl restart ipsec
fi
sleep 10
! ls -ld /etc/ipsec.d/ikev2.conf
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
! ipsec status | grep -q ikev2-cp
certutil -L -d sql:/etc/ipsec.d
ls -ld vpnsetup.sh
ls -ld ikev2.sh
ls -ld vpnupgrade.sh
exit 0
EOF
cat > Dockerfile <<EOF
FROM $OS_VERSION
EOF
cat >> Dockerfile <<'EOF'
ENV container docker
WORKDIR /opt/src
RUN if command -v amazon-linux-extras; then amazon-linux-extras install -y kernel-ng; fi
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ "$i" = \
systemd-tmpfiles-setup.service ] || rm -f "$i"; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*; \
rm -f /etc/systemd/system/*.wants/*; \
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*; \
rm -f /lib/systemd/system/anaconda.target.wants/*;
COPY ./run.sh /opt/src/run.sh
RUN chmod 755 /opt/src/run.sh
VOLUME [ "/sys/fs/cgroup" ]
CMD ["/sbin/init"]
EOF
cat Dockerfile
cat run.sh
docker build -t "${OS_VERSION//:}-test" .
- name: Test
if: success()
run: |
docker run -d --name "${OS_VERSION//:}-test-1" -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
--privileged "${OS_VERSION//:}-test"
sleep 10
docker exec "${OS_VERSION//:}-test-1" /opt/src/run.sh "${OS_VERSION::6}"
- name: Clear
if: always()
run: |
rm -rf "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}"
docker rm -f "${OS_VERSION//:}-test-1" || true
docker rmi "${OS_VERSION//:}-test" || true
test_set_2:
runs-on: ubuntu-20.04
if: github.repository_owner == 'hwdsl2'
strategy:
matrix:
os_version: ["ubuntu:20.04", "ubuntu:18.04", "debian:10", "debian:9"]
fail-fast: false
container:
image: ${{ matrix.os_version }}
env:
EVENT_NAME: ${{ github.event_name }}
options: --privileged -v /lib/modules:/lib/modules:ro
steps:
- name: Test
run: |
if [ "$EVENT_NAME" = "push" ]; then
echo "Waiting 60 seconds..."
sleep 60
fi
mkdir -p /opt/src
cd /opt/src
echo "# hwdsl2" > run.sh
export DEBIAN_FRONTEND=noninteractive
apt-get -yq update
apt-get -yq dist-upgrade
apt-get -yq install wget rsyslog
service rsyslog start
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup
sed -i '/swan_ver_url/s/^/#/' vpnsetup.sh
sh vpnsetup.sh
sleep 5
service fail2ban restart
sleep 5
netstat -anpu | grep pluto
netstat -anpu | grep xl2tpd
iptables -nL
iptables -nL | grep -q '192\.168\.42\.0/24'
iptables -nL -t nat
iptables -nL -t nat | grep -q '192\.168\.43\.0/24'
grep pluto /var/log/auth.log
grep xl2tpd /var/log/syslog
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
cat /var/log/fail2ban.log
grep -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log
VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
VPN_USER='your_vpn_username' \
VPN_PASSWORD='your_vpn_password' \
sh vpnsetup.sh
sleep 10
grep "your_ipsec_pre_shared_key" /etc/ipsec.secrets
grep "your_vpn_username" /etc/ppp/chap-secrets
grep "your_vpn_password" /etc/ppp/chap-secrets
grep "your_vpn_username" /etc/ipsec.d/passwd
wget -t 3 -T 30 -nv -O ikev2.sh https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/extras/ikev2setup.sh
sed -i '/swan_ver_latest=/s/^/#/' ikev2.sh
bash ikev2.sh --auto
ls -ld /etc/ipsec.d/vpnclient-*.mobileconfig
ls -ld /etc/ipsec.d/vpnclient-*.p12
sleep 10
grep pluto /var/log/auth.log | tail -n 20
ipsec status
ipsec status | grep -q ikev2-cp
bash ikev2.sh <<ANSWERS
1
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2-*.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2-*.p12
rm -f /etc/ipsec.d/vpnclient2-*
bash ikev2.sh <<ANSWERS
2
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2-*.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2-*.p12
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
wget -t 3 -T 30 -nv -O vpnupgrade.sh https://git.io/vpnupgrade
sed -i '/swan_ver_url/s/^/#/' vpnupgrade.sh
sed -i '/^SWAN_VER=/s/4.1/3.32/' vpnupgrade.sh
sh vpnupgrade.sh <<ANSWERS
y
ANSWERS
sleep 10
grep pluto /var/log/auth.log
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
sed -i '/^SWAN_VER=/s/3.32/4.1/' vpnupgrade.sh
sh vpnupgrade.sh <<ANSWERS
y
ANSWERS
sleep 10
grep pluto /var/log/auth.log
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
bash ikev2.sh <<ANSWERS
3
y
ANSWERS
! ls -ld /etc/ipsec.d/ikev2.conf
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
! ipsec status | grep -q ikev2-cp
certutil -L -d sql:/etc/ipsec.d
ls -ld vpnsetup.sh
ls -ld ikev2.sh
ls -ld vpnupgrade.sh