diff --git a/ipsec/adduser.sh b/ipsec/adduser.sh
index 5eefe55..7f20c35 100755
--- a/ipsec/adduser.sh
+++ b/ipsec/adduser.sh
@@ -8,40 +8,94 @@ if [[ ! -e $CHAPSECRETS ]] || [[ ! -r $CHAPSECRETS ]] || [[ ! -w $CHAPSECRETS ]] exit 1 fi -if [[ $# -gt 0 ]]; then - LOGIN="$1" -fi +ADDUSER="no" +ANSUSER="yes" -while [[ -z "$LOGIN" ]]; +while [ "$ANSUSER" != "$ADDUSER" ]; do - read -p "Enter name: " LOGIN -done -unset PASSWORD - -while [[ -z "$PASSWORD" ]]; -do - read -p "Enter password: " PASSWORD - echo -done - -$DIR/checkuser.sh $LOGIN - -if [[ $? -eq 0 ]]; then - NOTREM="no" - read -p "User '$LOGIN' already exists. Do you want to remove existing user? [no] " ANSREM - : ${ANSREM:=$NOTREM} - - if [ "$NOTREM" == "$ANSREM" ]; then - exit 1 - else - $DIR/deluser.sh $LOGIN - # to avoid dublicate message - echo -e "$LOGIN\t *\t $PASSWORD\t *" >> $CHAPSECRETS - exit 0 + if [[ $# -gt 0 ]]; then + LOGIN="$1" fi -fi -echo -e "$LOGIN\t *\t $PASSWORD\t *" >> $CHAPSECRETS + while [[ -z "$LOGIN" ]]; + do + read -p "Enter name: " LOGIN + done -echo "$CHAPSECRETS updated!" + unset PASSWORD + + while [[ -z "$PASSWORD" ]]; + do + read -p "Enter password: " PASSWORD + echo + done + + DELETED=0 + + $DIR/checkuser.sh $LOGIN + + if [[ $? -eq 0 ]]; then + NOTREM="no" + read -p "User '$LOGIN' already exists. Do you want to remove existing user? [no] " ANSREM + : ${ANSREM:=$NOTREM} + + if [ "$NOTREM" == "$ANSREM" ]; then + exit 1 + else + $DIR/deluser.sh $LOGIN + DELETED=1 + fi + fi + + echo -e "$LOGIN\t *\t $PASSWORD\t *" >> $CHAPSECRETS + + if [ $DELETED -eq 0 ]; then + echo "$CHAPSECRETS updated!" 
+ fi
+
+ PSK=$(sed -n "s/^[^#]\+[[:space:]]\+PSK[[:space:]]\+\"\(.\+\)\"/\1/p" $SECRETSFILE)
+
+ STARTDIR=$(pwd)
+
+ mkdir "$STARTDIR/$LOGIN"
+ DISTFILE=$STARTDIR/$LOGIN/setup.sh
+ cp -rf setup.sh.dist "$DISTFILE"
+ sed -i -e "s@_PSK_@$PSK@g" "$DISTFILE"
+ sed -i -e "s@_SERVERLOCALIP_@$LOCALPREFIX.0.1@g" "$DISTFILE"
+
+ DISTFILE=$STARTDIR/$LOGIN/ipsec.conf
+ cp -rf ipsec.conf.dist "$DISTFILE"
+ sed -i -e "s@LEFTIP@%any@g" "$DISTFILE"
+ sed -i -e "s@LEFTPORT@%any@g" "$DISTFILE"
+ sed -i -e "s@RIGHTIP@$IP@g" "$DISTFILE"
+ sed -i -e "s@RIGHTPORT@1701@g" "$DISTFILE"
+
+ DISTFILE=$STARTDIR/$LOGIN/xl2tpd.conf
+ cp -rf client-xl2tpd.conf.dist "$DISTFILE"
+ sed -i -e "s@REMOTEIP@$IP@g" "$DISTFILE"
+
+ DISTFILE=$STARTDIR/$LOGIN/options.xl2tpd
+ cp -rf client-options.xl2tpd.dist "$DISTFILE"
+ sed -i -e "s@_LOGIN_@$LOGIN@g" "$DISTFILE"
+ sed -i -e "s@_PASSWORD_@$PASSWORD@g" "$DISTFILE"
+
+ cp -rf connect.sh.dist "$STARTDIR/$LOGIN/connect.sh"
+ cp -rf disconnect.sh.dist "$STARTDIR/$LOGIN/disconnect.sh"
+
+ chmod +x "$STARTDIR/$LOGIN/setup.sh" "$STARTDIR/$LOGIN/connect.sh" "$STARTDIR/$LOGIN/disconnect.sh"
+
+ USERNAME=${SUDO_USER:-$USER}
+ chown -R $USERNAME:$USERNAME $STARTDIR/$LOGIN/
+ echo
+ echo "Created directory $STARTDIR/$LOGIN with client-side installation file."
+
+
+ if [[ $# -eq 0 ]]; then
+ echo
+ read -p "Would you want add another user? [no] " ANSUSER
+ : ${ANSUSER:=$ADDUSER}
+ else
+ ANSUSER=$ADDUSER
+ fi
+done
diff --git a/ipsec/client-options.xl2tpd.dist b/ipsec/client-options.xl2tpd.dist
new file mode 100644
index 0000000..1724221
--- /dev/null
+++ b/ipsec/client-options.xl2tpd.dist
@@ -0,0 +1,17 @@
+ipcp-accept-local
+ipcp-accept-remote
+refuse-eap
+require-mschap-v2
+noccp
+noauth
+idle 1800
+mtu 1410
+mru 1410
+defaultroute
+replacedefaultroute
+usepeerdns
+debug
+lock
+connect-delay 5000
+name "_LOGIN_"
+password "_PASSWORD_"
diff --git a/ipsec/client-xl2tpd.conf.dist b/ipsec/client-xl2tpd.conf.dist
new file mode 100644
index 0000000..932ecc3
--- /dev/null
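Review bot: `$PASSWORD`, `$PSK` and `$LOGIN` are spliced unescaped into sed expressions (`sed -i -e "s@_PASSWORD_@$PASSWORD@g" "$DISTFILE"` and the neighbouring lines), so a value containing `@`, `&` or `\` changes the meaning of the replacement or makes sed fail, and `$LOGIN` is additionally used as a path component in `mkdir "$STARTDIR/$LOGIN"` with no validation at all. Restrict the login inside the name loop, e.g. `[[ "$LOGIN" =~ ^[A-Za-z0-9._-]+$ ]] || unset LOGIN` so it re-prompts, and escape the sed-special characters before substitution, e.g. `PW_ESC=$(printf '%s' "$PASSWORD" | sed 's/[@&\\]/\\&/g')` (same for `$PSK`). The generated directory holds the PSK and the PPP password in cleartext, yet it is created with the default umask and then handed to `$SUDO_USER`; `mkdir -m 700 -- "$STARTDIR/$LOGIN"` keeps it private to that user. The `read -p "Enter password: " PASSWORD` prompt also echoes the password to the terminal; `read -r -s -p` would avoid that.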
+++ b/ipsec/client-xl2tpd.conf.dist @@ -0,0 +1,5 @@ +[lac L2TP-PSK-NAT] +lns = REMOTEIP +ppp debug = no +pppoptfile = /etc/ppp/options.xl2tpd +length bit = yes diff --git a/ipsec/connect.sh.dist b/ipsec/connect.sh.dist new file mode 100644 index 0000000..d0cbd6d --- /dev/null +++ b/ipsec/connect.sh.dist @@ -0,0 +1,14 @@ +#!/usr/bin/env bash + +set -e + + +if [[ "$EUID" -ne 0 ]]; then + echo "Sorry, you need to run this as root" + exit 1 +fi + +ipsec up L2TP-PSK-NAT +sleep 2 +echo "c L2TP-PSK-NAT" > /var/run/xl2tpd/l2tp-control +sleep 2 diff --git a/ipsec/disconnect.sh.dist b/ipsec/disconnect.sh.dist new file mode 100644 index 0000000..b4ae449 --- /dev/null +++ b/ipsec/disconnect.sh.dist @@ -0,0 +1,14 @@ +#!/usr/bin/env bash + +set -e + + +if [[ "$EUID" -ne 0 ]]; then + echo "Sorry, you need to run this as root" + exit 1 +fi + +echo "d L2TP-PSK-NAT" > /var/run/xl2tpd/l2tp-control +sleep 2 +ipsec down L2TP-PSK-NAT +sleep 2 diff --git a/ipsec/install.sh b/ipsec/install.sh index 6d19bc3..da34381 100755 --- a/ipsec/install.sh +++ b/ipsec/install.sh @@ -12,23 +12,6 @@ echo echo "Installing strongSwan and xl2tp server..." apt-get install strongswan xl2tpd cron iptables procps -ADDUSER="no" -ANSUSER="yes" - -echo -echo "Configuring VPN users..." -while [ "$ANSUSER" != "$ADDUSER" ]; -do - $DIR/adduser.sh - - read -p "Would you want add another user? [no] " ANSUSER - : ${ANSUSER:=$ADDUSER} -done - -echo -echo "Configuring PSK..." -$DIR/psk.sh - echo echo "Configuring routing..." $DIR/sysctl.sh @@ -52,6 +35,14 @@ echo echo "Configuring DNS parameters..." $DIR/dns.sh +echo +echo "Configuring PSK..." +$DIR/psk.sh + +echo +echo "Configuring VPN users..." +$DIR/adduser.sh + echo echo "Adding cron jobs..." yes | cp -rf $DIR/checkserver.sh $CHECKSERVER diff --git a/ipsec/ipsec.conf.dist b/ipsec/ipsec.conf.dist index 25fc480..697dd52 100644 --- a/ipsec/ipsec.conf.dist +++ b/ipsec/ipsec.conf.dist 
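Review bot: `echo "c L2TP-PSK-NAT" > /var/run/xl2tpd/l2tp-control` succeeds under `set -e` even when xl2tpd is not running, because the redirect simply creates a regular file where the control FIFO should be, so the script exits 0 and the tunnel never comes up; the `d` command in disconnect.sh.dist has the same weakness. Check the pipe first, e.g. `[[ -p /var/run/xl2tpd/l2tp-control ]] || { echo "xl2tpd control pipe missing, is xl2tpd running?" >&2; exit 1; }`. The two fixed `sleep 2` delays are a guess at the IKE/SA setup time; a short poll on `ipsec status L2TP-PSK-NAT` would be more robust, though I can't tell from the hunk how long the server side needs.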
@@ -7,15 +7,14 @@ conn L2TP-PSK-NAT
 rekey=no
 ikelifetime=8h
 keylife=1h
- ike=aes256-sha1,aes128-sha1,3des-sha1
- esp=aes256-sha1-modp2048
- keylife=1h
 type=transport
- left=PUBLICIP
- leftprotoport=17/1701
- right=%any
- rightprotoport=17/%any
+ left=LEFTIP
+ leftprotoport=17/LEFTPORT
+ right=RIGHTIP
+ rightprotoport=17/RIGHTPORT
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear
-
+ keyexchange=ikev2
+ ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
+ esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
diff --git a/ipsec/iptables-setup.sh b/ipsec/iptables-setup.sh
index ddf3883..200ec95 100755
--- a/ipsec/iptables-setup.sh
+++ b/ipsec/iptables-setup.sh
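Review bot: the new `ike=` and `esp=` proposal lists still admit weak suites (`3des-sha1-modp1024!`, `3des-sha1!` and several `*-modp1024` entries), and the trailing `!` only makes the list strict, so a peer may still negotiate 3DES or a 1024-bit DH group. Both ends of this tunnel come from this repository (adduser.sh ships this file as the client's `ipsec.conf` and setup.sh.dist installs it), so the lists can be cut to strong entries they already contain, e.g. `ike=aes256-sha256-modp2048!` and `esp=aes256-sha256-modp2048!`; if third-party L2TP/IPsec clients are expected, keep the long list but state that trade-off in a comment above it. The `conn L2TP-PSK-NAT` section begins above the hunk.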
@@ -39,11 +39,17 @@ read -p "Your external IP is $IP. Is this IP static? [yes] " ANSIP if [ "$STATIC" == "$ANSIP" ]; then # SNAT - sed -i -e "s@PUBLICIP@$IP@g" $IPSECCONFIG + sed -i -e "s@LEFTIP@$IP@g" $IPSECCONFIG + sed -i -e "s@LEFTPORT@1701@g" $IPSECCONFIG + sed -i -e "s@RIGHTIP@%any@g" $IPSECCONFIG + sed -i -e "s@RIGHTPORT@%any@g" $IPSECCONFIG eval iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP $COMMENT else # MASQUERADE - sed -i -e "s@PUBLICIP@%$GATE@g" $IPSECCONFIG + sed -i -e "s@LEFTIP@%$GATE@g" $IPSECCONFIG + sed -i -e "s@LEFTPORT@1701@g" $IPSECCONFIG + sed -i -e "s@RIGHTIP@%any@g" $IPSECCONFIG + sed -i -e "s@RIGHTPORT@%any@g" $IPSECCONFIG eval iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE $COMMENT fi diff --git a/ipsec/psk.sh b/ipsec/psk.sh index 1444e98..8405d8a 100755 --- a/ipsec/psk.sh +++ b/ipsec/psk.sh @@ -19,6 +19,6 @@ done # comment existing PSK sed -i -e "/[[:space:]]\+PSK[[:space:]]\+/s/^/# /" $SECRETSFILE -echo "%any %any : PSK \"$PSK\"" >> $SECRETSFILE +echo -e "\n%any %any : PSK \"$PSK\"" >> $SECRETSFILE echo "$SECRETSFILE updated!" diff --git a/ipsec/setup.sh.dist b/ipsec/setup.sh.dist new file mode 100644 index 0000000..750c9bf --- /dev/null +++ b/ipsec/setup.sh.dist 
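Review bot: three of the four new `sed -i` lines are identical in both branches (the `LEFTPORT`, `RIGHTIP` and `RIGHTPORT` substitutions); only the `LEFTIP` replacement depends on whether the address is static, so the three shared lines belong before the `if`, leaving a single `sed -i -e "s@LEFTIP@$IP@g" "$IPSECCONFIG"` and `sed -i -e "s@LEFTIP@%$GATE@g" "$IPSECCONFIG"` in the respective branches. `$IPSECCONFIG` is unquoted in every new call; `"$IPSECCONFIG"` is the safe form.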
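Review bot: switching to `echo -e` makes bash interpret backslash sequences inside `$PSK` as well as the leading `\n`, so a PSK containing `\n`, `\t` or `\\` is stored in `$SECRETSFILE` in altered form, and the `echo -e "\n$SERVERLOCALIP %any : PSK \"$PSK\""` line in setup.sh.dist may alter it a second time on the client. `printf '\n%%any %%any : PSK "%s"\n' "$PSK" >> "$SECRETSFILE"` adds the separating newline without touching the key, and the same form fits setup.sh.dist. Every run now also appends a blank line before the entry; harmless for strongSwan, but it accumulates. The loop that reads the PSK (`done` in the hunk header) lies above the hunk.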
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+PSK=_PSK_
+SERVERLOCALIP=_SERVERLOCALIP_
+
+XL2TPDFILE=/etc/xl2tpd/xl2tpd.conf
+IPSECFILE=/etc/ipsec.conf
+OPTIONSXL2TPD=/etc/ppp/options.xl2tpd
+IPSECRETS=/etc/ipsec.secrets
+
+set -e
+
+if [[ "$EUID" -ne 0 ]]; then
+ echo "Sorry, you need to run this as root"
+ exit 1
+fi
+
+DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+
+echo
+echo "Installing necessary packets..."
+
+apt-get install strongswan xl2tpd
+
+echo
+echo "Installing configuration files..."
+yes | cp -rf $DIR/ipsec.conf $IPSECFILE
+yes | cp -rf $DIR/xl2tpd.conf $XL2TPDFILE
+yes | cp -rf $DIR/options.xl2tpd $OPTIONSXL2TPD
+
+echo -e "\n$SERVERLOCALIP %any : PSK \"$PSK\"" >> $IPSECRETS
+
+echo "$IPSECRETS updated!"
+
+service strongswan restart
+service xl2tpd restart
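Review bot: the files copied to `$OPTIONSXL2TPD` and `$IPSECRETS` carry the PPP password (`password "..."` in options.xl2tpd) and the PSK, but `cp -rf` derives the new mode from the source file and umask and nothing restricts it afterwards, so they are likely readable by every local user. Add `chmod 600 "$OPTIONSXL2TPD" "$IPSECRETS"` after the copies (ipsec.conf holds no secret). `PSK=_PSK_` and `SERVERLOCALIP=_SERVERLOCALIP_` are unquoted assignments, so a PSK containing whitespace or shell metacharacters breaks the script once adduser.sh has substituted it; `PSK="_PSK_"` is the minimum, and a value containing `"`, `$` or a backtick would still need escaping on the generating side. `apt-get install strongswan xl2tpd` runs interactively (no `-y`), which is fine for a hand-run installer but worth stating in a comment next to it.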