
  1. #!/bin/bash
  2. # Debian 9 & 10 64bit
  3. # Ubuntu 18.04 & 20.04 64bit
  4. # Centos 7 & 8 64bit
  5. # By daorakle
  6. # ==================================================
  7. VPN_IPSEC_PSK='myvpn'
  8. NET_IFACE=$(ip -o $NET_IFACE -4 route show to default | awk '{print $5}');
  9. export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
  10. source /etc/os-release
  11. OS=$ID
  12. ver=$VERSION_ID
#######################################
# Print a progress banner: a blank line, "## <message>", a blank line.
# Arguments: $1 - message text
# Outputs:   banner on stdout
#######################################
bigecho() {
  printf '\n## %s\n\n' "$1"
}
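#######################################
# Abort the install with a message on stderr.
# The original script called exiterr without ever defining it, so the
# "failed to build" check below printed "command not found" and carried on.
# Arguments: $1 - message
#######################################
exiterr() { printf 'Error: %s\n' "$1" >&2; exit 1; }

bigecho "VPN setup in progress... Please be patient."
# Create and change to working dir. The Libreswan tarball is extracted
# relative to the cwd, so a failed cd must abort instead of being ignored.
mkdir -p /opt/src
cd /opt/src || exiterr "cannot cd to /opt/src"
bigecho "Trying to auto discover IP of this server..."
# leftid= in ipsec.conf is built from this value and an empty one yields a
# broken config, so fail here. A PUBLIC_IP already in the environment wins;
# retries/timeouts mirror the wget calls used for the Libreswan download.
PUBLIC_IP=${PUBLIC_IP:-$(wget -t 3 -T 30 -qO- icanhazip.com)}
[ -n "$PUBLIC_IP" ] || exiterr "cannot detect this server's public IP; export PUBLIC_IP and re-run"
bigecho "Installing packages required for the VPN..."
if [[ ${OS} == "centos" ]]; then
  epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm"
  yum -y install epel-release || yum -y install "$epel_url"
  REPO1='--enablerepo=epel'
  REPO2='--enablerepo=*server-*optional*'
  REPO3='--enablerepo=*releases-optional*'
  REPO4='--enablerepo=PowerTools'
  yum -y install nss-devel nspr-devel pkgconfig pam-devel \
    libcap-ng-devel libselinux-devel curl-devel nss-tools \
    flex bison gcc make ppp
  yum "$REPO1" -y install xl2tpd
  if [[ $ver == '7' ]]; then
    yum -y install systemd-devel iptables-services
    yum "$REPO2" "$REPO3" -y install libevent-devel fipscheck-devel
  elif [[ $ver == '8' ]]; then
    yum "$REPO4" -y install systemd-devel libevent-devel fipscheck-devel
  fi
  # NOTE(review): pptpd is only installed in the apt branch, yet pptpd is
  # configured and enabled below on every distro — confirm what CentOS needs.
else
  apt install openssl iptables iptables-persistent -y
  apt-get -y install libnss3-dev libnspr4-dev pkg-config \
    libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
    libcurl4-nss-dev flex bison gcc make libnss3-tools \
    libevent-dev ppp xl2tpd pptpd
fi
bigecho "Compiling and installing Libreswan..."
SWAN_VER=3.32
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
# NOTE(review): the archive is fetched over HTTPS but never compared against a
# known digest or signature before being built and installed as root.
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
  exiterr "cannot download Libreswan $SWAN_VER"
fi
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$SWAN_VER" || exiterr "Libreswan source directory not found after extraction"
# USE_DH2 keeps DH group 2 (modp1024) in the build; the ike= line written to
# ipsec.conf below still offers it, so dropping it would break those clients.
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS = -w
USE_DNSSEC = false
USE_DH2 = true
USE_DH31 = false
USE_NSS_AVA_COPY = true
USE_NSS_IPSEC_PROFILE = false
USE_GLIBC_KERN_FLIP_HEADERS = true
EOF
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
  echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local
fi
# Debian and Ubuntu had two identical branches here; one condition suffices.
if [[ ${OS} == "debian" || ${OS} == "ubuntu" ]]; then
  if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
    apt-get -y install libsystemd-dev
  fi
fi
# grep -c prints "0" rather than nothing, so the old -z test never fired;
# accept only a positive count and fall back to 1 otherwise.
NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ "${NPROCS:-0}" -gt 0 ] 2>/dev/null || NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base
cd /opt/src || exiterr "cannot cd to /opt/src"
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
  exiterr "Libreswan $SWAN_VER failed to build."
fi
bigecho "Creating VPN configuration..."
L2TP_NET=192.168.42.0/24
L2TP_LOCAL=192.168.42.1
L2TP_POOL=192.168.42.10-192.168.42.250
XAUTH_NET=192.168.43.0/24
XAUTH_POOL=192.168.43.10-192.168.43.250
# DNS servers pushed to clients. VPN_DNS_SRV1/2 were tested below but never
# actually used before; they now override the defaults when set.
DNS_SRV1=${VPN_DNS_SRV1:-8.8.8.8}
DNS_SRV2=${VPN_DNS_SRV2:-8.8.4.4}
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
# A single custom server means a single modecfgdns entry (the xl2tpd options
# block below follows the same rule).
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
# Create IPsec config. IKEv1 only (ikev2=never); the ike=/phase2alg= lists
# still offer SHA-1 and modp1024 entries for legacy clients — these are the
# weakest proposals on offer and are left unchanged here because existing
# clients negotiate against them.
cat > /etc/ipsec.conf <<EOF
version 2.0
config setup
virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET
protostack=netkey
interfaces=%defaultroute
uniqueids=no
conn shared
left=%defaultroute
leftid=$PUBLIC_IP
right=%any
encapsulation=yes
authby=secret
pfs=no
rekey=no
keyingtries=5
dpddelay=30
dpdtimeout=120
dpdaction=clear
ikev2=never
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
sha2-truncbug=no
conn l2tp-psk
auto=add
leftprotoport=17/1701
rightprotoport=17/%any
type=transport
phase2=esp
also=shared
conn xauth-psk
auto=add
leftsubnet=0.0.0.0/0
rightaddresspool=$XAUTH_POOL
modecfgdns=$DNS_SRVS
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
xauthby=file
ike-frag=yes
cisco-unity=yes
also=shared
include /etc/ipsec.d/*.conf
EOF
# Some ARM kernels lack the sha512 module; drop the proposal that needs it.
if uname -m | grep -qi '^arm'; then
  if ! modprobe -q sha512; then
    sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
  fi
fi
# Specify IPsec PSK (shared by every client; see VPN_IPSEC_PSK at the top).
cat > /etc/ipsec.secrets <<EOF
%any %any : PSK "$VPN_IPSEC_PSK"
EOF
# Create xl2tpd config
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global]
port = 1701
[lns default]
ip range = $L2TP_POOL
local ip = $L2TP_LOCAL
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
# Set xl2tpd options
cat > /etc/ppp/options.xl2tpd <<EOF
+mschap-v2
ipcp-accept-local
ipcp-accept-remote
noccp
auth
mtu 1280
mru 1280
proxyarp
lcp-echo-failure 4
lcp-echo-interval 30
connect-delay 5000
ms-dns $DNS_SRV1
EOF
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
cat >> /etc/ppp/options.xl2tpd <<EOF
ms-dns $DNS_SRV2
EOF
fi
# Create VPN credentials. Previously, with VPN_USER/VPN_PASSWORD unset, an
# entry with an empty user name and empty password was written to both
# files; now the files are only created empty in that case (presumably the
# add-l2tp / add-pptp helpers fetched below populate them later — verify).
if [ -n "$VPN_USER" ] && [ -n "$VPN_PASSWORD" ]; then
cat > /etc/ppp/chap-secrets <<EOF
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF
  # -1 is MD5-crypt; kept because the OpenSSL shipped with the older listed
  # distros lacks newer schemes. The password goes in via stdin so it does
  # not appear in the process list as an argument.
  VPN_PASSWORD_ENC=$(printf '%s\n' "$VPN_PASSWORD" | openssl passwd -1 -stdin)
cat > /etc/ipsec.d/passwd <<EOF
$VPN_USER:$VPN_PASSWORD_ENC:xauth-psk
EOF
else
  printf 'Warning: VPN_USER/VPN_PASSWORD not set; no initial VPN user created.\n' >&2
  : > /etc/ppp/chap-secrets
  : > /etc/ipsec.d/passwd
fi
# Create PPTP config. PPTP with MS-CHAPv2/MPPE is a legacy protocol with
# well-documented weaknesses; it is kept only because the add-pptp /
# renew-pptp helpers below depend on it.
cat >/etc/pptpd.conf <<END
option /etc/ppp/options.pptpd
logwtmp
localip 192.168.41.1
remoteip 192.168.41.10-100
END
cat >/etc/ppp/options.pptpd <<END
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
END
bigecho "Updating IPTables rules..."
service fail2ban stop >/dev/null 2>&1
# Same three rules as before (each -I goes to the top, so the final order is
# 41, 42, 43). NOTE(review): only NAT is configured; nothing in this script
# sets net.ipv4.ip_forward, so confirm forwarding is enabled elsewhere.
for vpn_net in 192.168.43.0/24 192.168.42.0/24 192.168.41.0/24; do
  iptables -t nat -I POSTROUTING -s "$vpn_net" -o "$NET_IFACE" -j MASQUERADE
done
if [[ ${OS} == "centos" ]]; then
  service iptables save
  iptables-restore < /etc/sysconfig/iptables
else
  iptables-save > /etc/iptables.up.rules
  iptables-restore -t < /etc/iptables.up.rules
  netfilter-persistent save
  netfilter-persistent reload
fi
bigecho "Enabling services on boot..."
# One loop instead of three bare systemctl calls followed by a partial loop.
for svc in fail2ban ipsec xl2tpd pptpd; do
  update-rc.d "$svc" enable >/dev/null 2>&1
  systemctl enable "$svc" 2>/dev/null
done
bigecho "Starting services..."
sysctl -e -q -p
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
mkdir -p /run/pluto
service fail2ban restart 2>/dev/null
service ipsec restart 2>/dev/null
service xl2tpd restart 2>/dev/null
# pptpd was enabled on boot but never started in the original run.
service pptpd restart 2>/dev/null
# Management helpers. They come from a mutable branch with no integrity
# check, so whatever is published there at run time lands in /usr/bin as an
# executable owned by root. NOTE(review): pin a commit and verify a digest
# before reusing this. A failed download no longer leaves an empty file behind.
helper_base="https://raw.githubusercontent.com/senowahyu62/freesc/main"
for tool in add-l2tp del-l2tp add-pptp del-pptp renew-pptp renew-l2tp; do
  if wget -O "/usr/bin/$tool" "$helper_base/$tool.sh"; then
    chmod +x "/usr/bin/$tool"
  else
    rm -f -- "/usr/bin/$tool"
  fi
done
# touch fails if the directory does not exist yet.
mkdir -p /var/lib/premium-script
touch /var/lib/premium-script/data-user-l2tp
touch /var/lib/premium-script/data-user-pptp
rm -f /root/ipsec.sh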