1
0
mirror of synced 2024-11-22 21:16:02 +03:00
setup-ipsec-vpn/.github/workflows/cron.yml
2021-04-26 00:08:16 -05:00

665 lines
20 KiB
YAML

#
# Copyright (C) 2020-2021 Lin Song <linsongui@gmail.com>
#
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
#
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
name: vpn test cron
on:
schedule:
- cron: '25 2 * * 0,4'
jobs:
test_set_1:
runs-on: ubuntu-20.04
if: github.repository_owner == 'hwdsl2'
strategy:
matrix:
os_version: ["centos:8", "centos:8s", "centos:7", "amazonlinux:2"]
fail-fast: false
env:
OS_VERSION: ${{ matrix.os_version }}
steps:
- name: Build
run: |
mkdir -p "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}"
cd "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}"
cat > run.sh <<'EOF'
#!/bin/bash
set -e
trap 'catch $? $LINENO' ERR
catch() {
echo "Error $1 occurred on line $2."
cat -n -- "$0" | tail -n+"$(($2 - 3))" | head -n7
exit 1
}
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
yum -y update
yum -y -q install wget rsyslog
systemctl start rsyslog
if [ "$1" = "centos" ]; then
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-centos
else
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-amzn
fi
else
export DEBIAN_FRONTEND=noninteractive
apt-get -yq update
apt-get -yq dist-upgrade
apt-get -yq install wget rsyslog
service rsyslog start
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup
fi
sed -i '/swan_ver_url/s/^/#/' vpnsetup.sh
sh vpnsetup.sh
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
systemctl start ipsec
systemctl start xl2tpd
sleep 5
systemctl restart fail2ban
else
sleep 5
service fail2ban restart
fi
sleep 5
netstat -anpu | grep pluto
netstat -anpu | grep xl2tpd
iptables -nL
iptables -nL | grep -q '192\.168\.42\.0/24'
iptables -nL -t nat
iptables -nL -t nat | grep -q '192\.168\.43\.0/24'
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
grep pluto /var/log/secure
grep xl2tpd /var/log/messages
else
grep pluto /var/log/auth.log
grep xl2tpd /var/log/syslog
fi
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
cat /var/log/fail2ban.log
grep -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log
VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
VPN_USER='your_vpn_username' \
VPN_PASSWORD='your_vpn_password' \
VPN_DNS_SRV1='1.1.1.1' \
VPN_DNS_SRV2='1.0.0.1' \
sh vpnsetup.sh
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
systemctl restart ipsec
fi
sleep 10
grep -q "your_ipsec_pre_shared_key" /etc/ipsec.secrets
grep -q "your_vpn_username" /etc/ppp/chap-secrets
grep -q "your_vpn_password" /etc/ppp/chap-secrets
grep -q "your_vpn_username" /etc/ipsec.d/passwd
grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.conf
grep -q 'ms-dns 1.1.1.1' /etc/ppp/options.xl2tpd
grep -q 'ms-dns 1.0.0.1' /etc/ppp/options.xl2tpd
wget -t 3 -T 30 -nv -O ikev2.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/ikev2setup.sh # hwdsl2
sed -i '/swan_ver_latest=/s/^/#/' ikev2.sh
bash ikev2.sh <<ANSWERS
y
ANSWERS
ls -ld /etc/ipsec.d/vpnclient.mobileconfig
ls -ld /etc/ipsec.d/vpnclient.sswan
ls -ld /etc/ipsec.d/vpnclient.p12
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
systemctl restart ipsec
sleep 10
grep pluto /var/log/secure | tail -n 20
else
sleep 10
grep pluto /var/log/auth.log | tail -n 20
fi
ipsec status
ipsec status | grep -q ikev2-cp
bash ikev2.sh <<ANSWERS
1
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
rm -f /etc/ipsec.d/vpnclient2*
bash ikev2.sh <<ANSWERS
2
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
bash ikev2.sh <<ANSWERS
4
y
ANSWERS
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
systemctl restart ipsec
fi
sleep 10
ls -ld /etc/ipsec.d/ikev2.conf && exit 1
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp && exit 1
certutil -L -d sql:/etc/ipsec.d
rm -f /etc/ipsec.d/vpnclient*
VPN_CLIENT_NAME=vpnclient1 \
VPN_DNS_NAME=vpn.example.com \
VPN_DNS_SRV1=1.1.1.1 \
VPN_DNS_SRV2=1.0.0.1 \
bash ikev2.sh --auto
grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf
grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.d/ikev2.conf
ls -ld /etc/ipsec.d/vpnclient1.mobileconfig
ls -ld /etc/ipsec.d/vpnclient1.sswan
ls -ld /etc/ipsec.d/vpnclient1.p12
grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.mobileconfig
grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.sswan
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
systemctl restart ipsec
sleep 10
grep pluto /var/log/secure | tail -n 20
else
sleep 10
grep pluto /var/log/auth.log | tail -n 20
fi
ipsec status
ipsec status | grep -q ikev2-cp
bash ikev2.sh --addclient vpnclient2
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
rm -f /etc/ipsec.d/vpnclient2*
bash ikev2.sh --exportclient vpnclient2
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
sed -i '/pluto/d' /var/log/secure
pkill -HUP rsyslog
if [ "$1" = "centos" ]; then
wget -t 3 -T 30 -nv -O vpnup.sh https://git.io/vpnupgrade-centos
else
wget -t 3 -T 30 -nv -O vpnup.sh https://git.io/vpnupgrade-amzn
fi
else
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
wget -t 3 -T 30 -nv -O vpnup.sh https://git.io/vpnupgrade
fi
sed -i '/swan_ver_url/s/^/#/' vpnup.sh
sed -i 's/^SWAN_VER=.*/SWAN_VER=3.32/' vpnup.sh
sh vpnup.sh <<ANSWERS
y
ANSWERS
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
systemctl restart ipsec
sleep 10
grep pluto /var/log/secure
else
sleep 10
grep pluto /var/log/auth.log
fi
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
sed -i '/pluto/d' /var/log/secure
pkill -HUP rsyslog
else
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
fi
sed -i 's/^SWAN_VER=.*/SWAN_VER=4.1/' vpnup.sh
sh vpnup.sh <<ANSWERS
y
ANSWERS
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
systemctl restart ipsec
sleep 10
grep pluto /var/log/secure
else
sleep 10
grep pluto /var/log/auth.log
fi
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
sed -i '/pluto/d' /var/log/secure
pkill -HUP rsyslog
else
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
fi
sed -i 's/^SWAN_VER=.*/SWAN_VER=4.2/' vpnup.sh
sh vpnup.sh <<ANSWERS
y
ANSWERS
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
systemctl restart ipsec
sleep 10
grep pluto /var/log/secure
else
sleep 10
grep pluto /var/log/auth.log
fi
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
sed -i '/pluto/d' /var/log/secure
pkill -HUP rsyslog
else
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
fi
sed -i 's/^SWAN_VER=.*/SWAN_VER=4.3/' vpnup.sh
sh vpnup.sh <<ANSWERS
y
ANSWERS
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
systemctl restart ipsec
sleep 10
grep pluto /var/log/secure
else
sleep 10
grep pluto /var/log/auth.log
fi
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
sed -i '/pluto/d' /var/log/secure
pkill -HUP rsyslog
else
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
fi
sed -i 's/^SWAN_VER=.*/SWAN_VER=4.4/' vpnup.sh
sh vpnup.sh <<ANSWERS
y
ANSWERS
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
systemctl restart ipsec
sleep 10
grep pluto /var/log/secure
else
sleep 10
grep pluto /var/log/auth.log
fi
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
bash ikev2.sh --removeikev2 <<ANSWERS
y
ANSWERS
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
systemctl restart ipsec
fi
sleep 10
ls -ld /etc/ipsec.d/ikev2.conf && exit 1
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp && exit 1
certutil -L -d sql:/etc/ipsec.d
ls -ld vpnsetup.sh
ls -ld ikev2.sh
ls -ld vpnup.sh
exit 0
EOF
if [ "$OS_VERSION" = "centos:8s" ]; then
echo "FROM quay.io/centos/centos:stream8" > Dockerfile
else
echo "FROM $OS_VERSION" > Dockerfile
fi
cat >> Dockerfile <<'EOF'
ENV container docker
WORKDIR /opt/src
RUN if command -v amazon-linux-extras; then amazon-linux-extras install -y kernel-ng; fi
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ "$i" = \
systemd-tmpfiles-setup.service ] || rm -f "$i"; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*; \
rm -f /etc/systemd/system/*.wants/*; \
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*; \
rm -f /lib/systemd/system/anaconda.target.wants/*;
COPY ./run.sh /opt/src/run.sh
RUN chmod 755 /opt/src/run.sh
VOLUME [ "/sys/fs/cgroup" ]
CMD ["/sbin/init"]
EOF
cat Dockerfile
cat run.sh
docker build -t "${OS_VERSION//:}-test" .
- name: Test
if: success()
run: |
docker run -d --name "${OS_VERSION//:}-test-1" -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
--privileged "${OS_VERSION//:}-test"
sleep 10
docker exec "${OS_VERSION//:}-test-1" /opt/src/run.sh "${OS_VERSION::6}"
- name: Clear
if: always()
run: |
rm -rf "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}"
docker rm -f "${OS_VERSION//:}-test-1" || true
docker rmi "${OS_VERSION//:}-test" || true
test_set_2:
runs-on: ubuntu-20.04
if: github.repository_owner == 'hwdsl2'
strategy:
matrix:
os_version: ["ubuntu:20.04", "ubuntu:18.04", "debian:10", "debian:9"]
fail-fast: false
container:
image: ${{ matrix.os_version }}
options: --privileged -v /lib/modules:/lib/modules:ro
steps:
- name: Test
run: |
mkdir -p /opt/src
cd /opt/src
echo "# hwdsl2" > run.sh
export DEBIAN_FRONTEND=noninteractive
apt-get -yq update
apt-get -yq dist-upgrade
apt-get -yq install wget rsyslog
service rsyslog start
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup
sed -i '/swan_ver_url/s/^/#/' vpnsetup.sh
sh vpnsetup.sh
sleep 5
service fail2ban restart
sleep 5
netstat -anpu | grep pluto
netstat -anpu | grep xl2tpd
iptables -nL
iptables -nL | grep -q '192\.168\.42\.0/24'
iptables -nL -t nat
iptables -nL -t nat | grep -q '192\.168\.43\.0/24'
grep pluto /var/log/auth.log
grep xl2tpd /var/log/syslog
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
cat /var/log/fail2ban.log
grep -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log
VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
VPN_USER='your_vpn_username' \
VPN_PASSWORD='your_vpn_password' \
VPN_DNS_SRV1='1.1.1.1' \
VPN_DNS_SRV2='1.0.0.1' \
sh vpnsetup.sh
sleep 10
grep -q "your_ipsec_pre_shared_key" /etc/ipsec.secrets
grep -q "your_vpn_username" /etc/ppp/chap-secrets
grep -q "your_vpn_password" /etc/ppp/chap-secrets
grep -q "your_vpn_username" /etc/ipsec.d/passwd
grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.conf
grep -q 'ms-dns 1.1.1.1' /etc/ppp/options.xl2tpd
grep -q 'ms-dns 1.0.0.1' /etc/ppp/options.xl2tpd
wget -t 3 -T 30 -nv -O ikev2.sh https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/extras/ikev2setup.sh
sed -i '/swan_ver_latest=/s/^/#/' ikev2.sh
bash ikev2.sh <<ANSWERS
y
ANSWERS
ls -ld /etc/ipsec.d/vpnclient.mobileconfig
ls -ld /etc/ipsec.d/vpnclient.sswan
ls -ld /etc/ipsec.d/vpnclient.p12
sleep 10
grep pluto /var/log/auth.log | tail -n 20
ipsec status
ipsec status | grep -q ikev2-cp
bash ikev2.sh <<ANSWERS
1
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
rm -f /etc/ipsec.d/vpnclient2*
bash ikev2.sh <<ANSWERS
2
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
bash ikev2.sh <<ANSWERS
4
y
ANSWERS
sleep 10
ls -ld /etc/ipsec.d/ikev2.conf && exit 1
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp && exit 1
certutil -L -d sql:/etc/ipsec.d
rm -f /etc/ipsec.d/vpnclient*
VPN_CLIENT_NAME=vpnclient1 \
VPN_DNS_NAME=vpn.example.com \
VPN_DNS_SRV1=1.1.1.1 \
VPN_DNS_SRV2=1.0.0.1 \
bash ikev2.sh --auto
grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf
grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.d/ikev2.conf
ls -ld /etc/ipsec.d/vpnclient1.mobileconfig
ls -ld /etc/ipsec.d/vpnclient1.sswan
ls -ld /etc/ipsec.d/vpnclient1.p12
grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.mobileconfig
grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.sswan
sleep 10
grep pluto /var/log/auth.log | tail -n 20
ipsec status
ipsec status | grep -q ikev2-cp
bash ikev2.sh --addclient vpnclient2
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
rm -f /etc/ipsec.d/vpnclient2*
bash ikev2.sh --exportclient vpnclient2
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
wget -t 3 -T 30 -nv -O vpnup.sh https://git.io/vpnupgrade
sed -i '/swan_ver_url/s/^/#/' vpnup.sh
sed -i 's/^SWAN_VER=.*/SWAN_VER=3.32/' vpnup.sh
sh vpnup.sh <<ANSWERS
y
ANSWERS
sleep 10
grep pluto /var/log/auth.log
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
sed -i 's/^SWAN_VER=.*/SWAN_VER=4.1/' vpnup.sh
sh vpnup.sh <<ANSWERS
y
ANSWERS
sleep 10
grep pluto /var/log/auth.log
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
sed -i 's/^SWAN_VER=.*/SWAN_VER=4.2/' vpnup.sh
sh vpnup.sh <<ANSWERS
y
ANSWERS
sleep 10
grep pluto /var/log/auth.log
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
sed -i 's/^SWAN_VER=.*/SWAN_VER=4.3/' vpnup.sh
sh vpnup.sh <<ANSWERS
y
ANSWERS
sleep 10
grep pluto /var/log/auth.log
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
sed -i 's/^SWAN_VER=.*/SWAN_VER=4.4/' vpnup.sh
sh vpnup.sh <<ANSWERS
y
ANSWERS
sleep 10
grep pluto /var/log/auth.log
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
bash ikev2.sh --removeikev2 <<ANSWERS
y
ANSWERS
sleep 10
ls -ld /etc/ipsec.d/ikev2.conf && exit 1
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp && exit 1
certutil -L -d sql:/etc/ipsec.d
ls -ld vpnsetup.sh
ls -ld ikev2.sh
ls -ld vpnup.sh