LiittleCookie/vpn-install
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

ipsec client files generating; config fixes

Browse Source
This commit is contained in:
bedefaced 2017-08-18 18:47:41 +03:00 committed by bedefaced
parent 12f998e0b6
commit 1b484cf3c4
10 changed files with 195 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

116
ipsec/adduser.sh
View File

@ -8,40 +8,94 @@ if [[ ! -e $CHAPSECRETS ]] || [[ ! -r $CHAPSECRETS ]] || [[ ! -w $CHAPSECRETS ]]
exit 1 exit 1
fi fi
if [[ $# -gt 0 ]]; then ADDUSER="no"
LOGIN="$1" ANSUSER="yes"
fi
while [[ -z "$LOGIN" ]]; while [ "$ANSUSER" != "$ADDUSER" ];
do do
read -p "Enter name: " LOGIN
done
unset PASSWORD if [[ $# -gt 0 ]]; then
LOGIN="$1"
while [[ -z "$PASSWORD" ]];
do
read -p "Enter password: " PASSWORD
echo
done
$DIR/checkuser.sh $LOGIN
if [[ $? -eq 0 ]]; then
NOTREM="no"
read -p "User '$LOGIN' already exists. Do you want to remove existing user? [no] " ANSREM
: ${ANSREM:=$NOTREM}
if [ "$NOTREM" == "$ANSREM" ]; then
exit 1
else
$DIR/deluser.sh $LOGIN
# to avoid dublicate message
echo -e "$LOGIN\t *\t $PASSWORD\t *" >> $CHAPSECRETS
exit 0
fi fi
fi
echo -e "$LOGIN\t *\t $PASSWORD\t *" >> $CHAPSECRETS while [[ -z "$LOGIN" ]];
do
read -p "Enter name: " LOGIN
done
echo "$CHAPSECRETS updated!" unset PASSWORD
while [[ -z "$PASSWORD" ]];
do
read -p "Enter password: " PASSWORD
echo
done
DELETED=0
$DIR/checkuser.sh $LOGIN
if [[ $? -eq 0 ]]; then
NOTREM="no"
read -p "User '$LOGIN' already exists. Do you want to remove existing user? [no] " ANSREM
: ${ANSREM:=$NOTREM}
if [ "$NOTREM" == "$ANSREM" ]; then
exit 1
else
$DIR/deluser.sh $LOGIN
DELETED=1
fi
fi
echo -e "$LOGIN\t *\t $PASSWORD\t *" >> $CHAPSECRETS
if [ $DELETED -eq 0 ]; then
echo "$CHAPSECRETS updated!"
fi
PSK=$(sed -n "s/^[^#]\+[[:space:]]\+PSK[[:space:]]\+\"\(.\+\)\"/\1/p" $SECRETSFILE)
STARTDIR=$(pwd)
mkdir "$STARTDIR/$LOGIN"
DISTFILE=$STARTDIR/$LOGIN/setup.sh
cp -rf setup.sh.dist "$DISTFILE"
sed -i -e "s@_PSK_@$PSK@g" "$DISTFILE"
sed -i -e "s@_SERVERLOCALIP_@$LOCALPREFIX.0.1@g" "$DISTFILE"
DISTFILE=$STARTDIR/$LOGIN/ipsec.conf
cp -rf ipsec.conf.dist "$DISTFILE"
sed -i -e "s@LEFTIP@%any@g" "$DISTFILE"
sed -i -e "s@LEFTPORT@%any@g" "$DISTFILE"
sed -i -e "s@RIGHTIP@$IP@g" "$DISTFILE"
sed -i -e "s@RIGHTPORT@1701@g" "$DISTFILE"
DISTFILE=$STARTDIR/$LOGIN/xl2tpd.conf
cp -rf client-xl2tpd.conf.dist "$DISTFILE"
sed -i -e "s@REMOTEIP@$IP@g" "$DISTFILE"
DISTFILE=$STARTDIR/$LOGIN/options.xl2tpd
cp -rf client-options.xl2tpd.dist "$DISTFILE"
sed -i -e "s@_LOGIN_@$LOGIN@g" "$DISTFILE"
sed -i -e "s@_PASSWORD_@$PASSWORD@g" "$DISTFILE"
cp -rf connect.sh.dist "$STARTDIR/$LOGIN/connect.sh"
cp -rf disconnect.sh.dist "$STARTDIR/$LOGIN/disconnect.sh"
chmod +x "$STARTDIR/$LOGIN/setup.sh" "$STARTDIR/$LOGIN/connect.sh" "$STARTDIR/$LOGIN/disconnect.sh"
USERNAME=${SUDO_USER:-$USER}
chown -R $USERNAME:$USERNAME $STARTDIR/$LOGIN/
echo
echo "Created directory $STARTDIR/$LOGIN with client-side installation file."
if [[ $# -eq 0 ]]; then
echo
read -p "Would you want add another user? [no] " ANSUSER
: ${ANSUSER:=$ADDUSER}
else
ANSUSER=$ADDUSER
fi
done

17
ipsec/client-options.xl2tpd.dist Normal file
View File

@ -0,0 +1,17 @@
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
replacedefaultroute
usepeerdns
debug
lock
connect-delay 5000
name "_LOGIN_"
password "_PASSWORD_"

5
ipsec/client-xl2tpd.conf.dist Normal file
View File

@ -0,0 +1,5 @@
[lac L2TP-PSK-NAT]
lns = REMOTEIP
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

14
ipsec/connect.sh.dist Normal file
View File

@ -0,0 +1,14 @@
#!/usr/bin/env bash
set -e
if [[ "$EUID" -ne 0 ]]; then
echo "Sorry, you need to run this as root"
exit 1
fi
ipsec up L2TP-PSK-NAT
sleep 2
echo "c L2TP-PSK-NAT" > /var/run/xl2tpd/l2tp-control
sleep 2

14
ipsec/disconnect.sh.dist Normal file
View File

@ -0,0 +1,14 @@
#!/usr/bin/env bash
set -e
if [[ "$EUID" -ne 0 ]]; then
echo "Sorry, you need to run this as root"
exit 1
fi
echo "d L2TP-PSK-NAT" > /var/run/xl2tpd/l2tp-control
sleep 2
ipsec down L2TP-PSK-NAT
sleep 2

25
ipsec/install.sh
View File

@ -12,23 +12,6 @@ echo
echo "Installing strongSwan and xl2tp server..." echo "Installing strongSwan and xl2tp server..."
apt-get install strongswan xl2tpd cron iptables procps apt-get install strongswan xl2tpd cron iptables procps
ADDUSER="no"
ANSUSER="yes"
echo
echo "Configuring VPN users..."
while [ "$ANSUSER" != "$ADDUSER" ];
do
$DIR/adduser.sh
read -p "Would you want add another user? [no] " ANSUSER
: ${ANSUSER:=$ADDUSER}
done
echo
echo "Configuring PSK..."
$DIR/psk.sh
echo echo
echo "Configuring routing..." echo "Configuring routing..."
$DIR/sysctl.sh $DIR/sysctl.sh
@ -52,6 +35,14 @@ echo
echo "Configuring DNS parameters..." echo "Configuring DNS parameters..."
$DIR/dns.sh $DIR/dns.sh
echo
echo "Configuring PSK..."
$DIR/psk.sh
echo
echo "Configuring VPN users..."
$DIR/adduser.sh
echo echo
echo "Adding cron jobs..." echo "Adding cron jobs..."
yes | cp -rf $DIR/checkserver.sh $CHECKSERVER yes | cp -rf $DIR/checkserver.sh $CHECKSERVER

15
ipsec/ipsec.conf.dist
View File

@ -7,15 +7,14 @@ conn L2TP-PSK-NAT
rekey=no rekey=no
ikelifetime=8h ikelifetime=8h
keylife=1h keylife=1h
ike=aes256-sha1,aes128-sha1,3des-sha1
esp=aes256-sha1-modp2048
keylife=1h
type=transport type=transport
left=PUBLICIP left=LEFTIP
leftprotoport=17/1701 leftprotoport=17/LEFTPORT
right=%any right=RIGHTIP
rightprotoport=17/%any rightprotoport=17/RIGHTPORT
dpddelay=30 dpddelay=30
dpdtimeout=120 dpdtimeout=120
dpdaction=clear dpdaction=clear
keyexchange=ikev2
ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!

10
ipsec/iptables-setup.sh
View File

@ -39,11 +39,17 @@ read -p "Your external IP is $IP. Is this IP static? [yes] " ANSIP
if [ "$STATIC" == "$ANSIP" ]; then if [ "$STATIC" == "$ANSIP" ]; then
# SNAT # SNAT
sed -i -e "s@PUBLICIP@$IP@g" $IPSECCONFIG sed -i -e "s@LEFTIP@$IP@g" $IPSECCONFIG
sed -i -e "s@LEFTPORT@1701@g" $IPSECCONFIG
sed -i -e "s@RIGHTIP@%any@g" $IPSECCONFIG
sed -i -e "s@RIGHTPORT@%any@g" $IPSECCONFIG
eval iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP $COMMENT eval iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP $COMMENT
else else
# MASQUERADE # MASQUERADE
sed -i -e "s@PUBLICIP@%$GATE@g" $IPSECCONFIG sed -i -e "s@LEFTIP@%$GATE@g" $IPSECCONFIG
sed -i -e "s@LEFTPORT@1701@g" $IPSECCONFIG
sed -i -e "s@RIGHTIP@%any@g" $IPSECCONFIG
sed -i -e "s@RIGHTPORT@%any@g" $IPSECCONFIG
eval iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE $COMMENT eval iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE $COMMENT
fi fi

2
ipsec/psk.sh
View File

@ -19,6 +19,6 @@ done
# comment existing PSK # comment existing PSK
sed -i -e "/[[:space:]]\+PSK[[:space:]]\+/s/^/# /" $SECRETSFILE sed -i -e "/[[:space:]]\+PSK[[:space:]]\+/s/^/# /" $SECRETSFILE
echo "%any %any : PSK \"$PSK\"" >> $SECRETSFILE echo -e "\n%any %any : PSK \"$PSK\"" >> $SECRETSFILE
echo "$SECRETSFILE updated!" echo "$SECRETSFILE updated!"

36
ipsec/setup.sh.dist Normal file
View File

@ -0,0 +1,36 @@
#!/usr/bin/env bash
PSK=_PSK_
SERVERLOCALIP=_SERVERLOCALIP_
XL2TPDFILE=/etc/xl2tpd/xl2tpd.conf
IPSECFILE=/etc/ipsec.conf
OPTIONSXL2TPD=/etc/ppp/options.xl2tpd
IPSECRETS=/etc/ipsec.secrets
set -e
if [[ "$EUID" -ne 0 ]]; then
echo "Sorry, you need to run this as root"
exit 1
fi
DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
echo
echo "Installing necessary packets..."
apt-get install strongswan xl2tpd
echo
echo "Installing configuration files..."
yes | cp -rf $DIR/ipsec.conf $IPSECFILE
yes | cp -rf $DIR/xl2tpd.conf $XL2TPDFILE
yes | cp -rf $DIR/options.xl2tpd $OPTIONSXL2TPD
echo -e "\n$SERVERLOCALIP %any : PSK \"$PSK\"" >> $IPSECRETS
echo "$IPSECRETS updated!"
service strongswan restart
service xl2tpd restart