  1. #!/bin/sh
  2. # Setup Simple IPSec/L2TP VPN server for Ubuntu and Debian
  3. #
  4. # Copyright (C) 2014-2015 Phil Plückthun <phil@plckthn.me>
  5. # Copyright (C) 2015 Edwin Ang <edwin@theroyalstudent.com> for hotfixes
  6. # Based on the work of Lin Song (Copyright 2014)
  7. # Based on the work of Viljo Viitanen (Setup Simple PPTP VPN server for Ubuntu and Debian)
  8. # Based on the work of Thomas Sarlandie (Copyright 2012)
  9. #
  10. # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
  11. # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
  12.  
  13. if [ `id -u` -ne 0 ]
  14. then
  15. echo "Please start this script with root privileges!"
  16. echo "Try again with sudo."
  17. exit 0
  18. fi
  19.  
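# Warn when this is not the release the script was written against.
# `grep -q` yields the status directly; the original compared $? against the
# literal "1", which is fragile, and its read loop spun forever on EOF.
if ! lsb_release -c 2>/dev/null | grep -q trusty; then
  echo "This script was designed to run on Ubuntu 14.04 Trusty!"
  echo "Do you wish to continue anyway?"
  while true; do
    read -r yn || { echo "No input received, aborting." >&2; exit 1; }
    case $yn in
      [Yy]*) break ;;
      [Nn]*) exit 0 ;;
      *) echo "Please answer with Yes or No [y|n]." ;;
    esac
  done
  echo ""
fi
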
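echo "This script will install an IPSec/L2TP VPN Server"
echo "Do you wish to continue?"

# `read -r` keeps backslashes literal; EOF on stdin (closed pipe, no tty)
# used to loop forever on the "Please answer" message, so abort instead.
while true; do
  read -r yn || { echo "No input received, aborting." >&2; exit 1; }
  case $yn in
    [Yy]*) break ;;
    [Nn]*) exit 0 ;;
    *) echo "Please answer with Yes or No [y|n]." ;;
  esac
done

echo ""
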
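# Generate a random pre-shared key into the global IPSEC_PSK.
# Arguments: $1 - key length in characters (default 12, matching the
#                 original four 3-character chunks)
# The alphabet deliberately omits 0/O, 1/l/I so the key can be typed into
# client settings without ambiguity.  Entropy comes from /dev/urandom; a
# single tr|head replaces the four backticked `cat /dev/urandom` pipelines.
generateKey () {
  key_len=${1:-12}
  IPSEC_PSK=$(tr -cd 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789' </dev/urandom | head -c "$key_len")
}
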
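echo "The VPN needs a private PSK key."
echo "Do you wish to set it yourself?"
echo "(Otherwise a random key is generated)"
IPSEC_PSK=""
while true; do
  read -r yn || { echo "No input received, aborting." >&2; exit 1; }
  case $yn in
    [Yy]*)
      echo ""
      # An empty answer used to be written verbatim into /etc/ipsec.secrets
      # as PSK ""; insist on a non-empty key.
      until [ -n "$IPSEC_PSK" ]; do
        echo "Enter your preferred key:"
        read -r IPSEC_PSK || { echo "No input received, aborting." >&2; exit 1; }
        [ -n "$IPSEC_PSK" ] || echo "The key must not be empty." >&2
      done
      break ;;
    [Nn]*) generateKey; break ;;
    *) echo "Please answer with Yes or No [y|n]." ;;
  esac
done

echo ""
echo "The key you chose is: '$IPSEC_PSK'."
echo "Please save it, because you'll need it to connect!"
echo ""
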
  76. read -p "Please enter your preferred username [vpn]: " VPN_USER
  77.  
  78. if [ "$VPN_USER" = "" ]
  79. then
  80. VPN_USER="vpn"
  81. fi
  82.  
  83. echo ""
  84.  
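# Read the password without echoing it.  /bin/sh has no `read -s`, so echo is
# toggled with stty.  Previously an interrupt (Ctrl-C) at the prompt left the
# terminal with echo disabled, and a non-tty stdin made stty fail; the trap
# restores the terminal and the toggle is skipped when stdin is not a tty.
if [ -t 0 ]; then
  stty_orig=$(stty -g)
else
  stty_orig=""
fi
restore_tty() {
  if [ -n "$stty_orig" ]; then
    stty "$stty_orig"
  fi
}
trap 'restore_tty; exit 130' INT TERM
while true; do
  [ -n "$stty_orig" ] && stty -echo
  printf '%s' "Please enter your preferred password: "
  if ! read -r VPN_PASSWORD; then
    restore_tty
    echo "No input received, aborting." >&2
    exit 1
  fi
  restore_tty
  echo ""
  if [ -z "$VPN_PASSWORD" ]; then
    echo "Please enter a valid password!"
  else
    break
  fi
done
trap - INT TERM

echo ""
echo ""
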
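echo "Making sure that apt-get is updated and wget is installed..."
echo ""

apt-get update > /dev/null

# `dpkg-query -l | grep wget` matched any package whose description mentions
# "wget"; what the script needs is the wget binary itself.  `sudo` is also
# pointless here because the script already refuses to run as non-root.
if ! command -v wget >/dev/null 2>&1; then
  apt-get install wget -y > /dev/null || { echo "Installing wget failed!" >&2; exit 1; }
fi
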
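# Check that a string looks like an IP address before it is interpolated into
# /etc/ipsec.conf and /etc/ipsec.secrets.  The value comes from an
# unauthenticated plain-HTTP lookup (or from the user), so only dotted-quad
# or hex/colon syntax is accepted.
# Arguments: $1 - candidate address
# Returns:   0 when plausible, 1 otherwise
is_plausible_ip() {
  case $1 in
    "" | *[!0-9A-Fa-f:.]*) return 1 ;;
    *:*) return 0 ;;   # IPv6-looking: hex groups separated by colons
  esac
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

echo "What type of connection will you be using this VPN server on?"
echo "Enter the corresponding number for:"
echo "4) IPv4"
echo "6) IPv6"

while true; do
  read -r yn || { echo "No input received, aborting." >&2; exit 1; }
  case $yn in
    # NOTE: these lookups are plain HTTP to a third party, so the answer is
    # not authenticated; it is validated below before being used.  The
    # ipsec.conf written later sets connaddrfamily=ipv4, so an IPv6 answer is
    # unlikely to yield a working tunnel.
    [4]*) PUBLICIP=$(wget -q -O - http://ipv4.wtfismyip.com/text); break ;;
    [6]*) PUBLICIP=$(wget -q -O - http://ipv6.wtfismyip.com/text); break ;;
    *) echo "Please answer with 4 or 6 [4|6]." ;;
  esac
done

PUBLICIP=$(printf '%s' "$PUBLICIP" | tr -d '[:space:]')
if is_plausible_ip "$PUBLICIP"; then
  echo "Detected your server's external IP address: $PUBLICIP"
else
  echo "Your server's external IP address could not be detected!"
  PUBLICIP=""
  until is_plausible_ip "$PUBLICIP"; do
    echo "Please enter the IP yourself:"
    read -r PUBLICIP || { echo "No input received, aborting." >&2; exit 1; }
    is_plausible_ip "$PUBLICIP" || echo "That does not look like an IP address." >&2
  done
fi
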
  133. PRIVATEIP=$(ip addr | awk '/inet/ && /eth0/{sub(/\/.*$/,"",$2); print $2}')
  134. IPADDRESS=$PUBLICIP
  135.  
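echo ""
echo "Are you on Amazon EC2?"
echo "If you answer no to this and you are on EC2, clients will be unable to connect to your VPN."
echo "This is needed because EC2 puts your instance behind one-to-one NAT, and using the public IP in the config causes incoming connections to fail with auth failures."
while true; do
  read -r yn || { echo "No input received, aborting." >&2; exit 1; }
  case $yn in
    [Yy]*)
      # Behind 1:1 NAT the instance's own address goes into the config.  If it
      # could not be read from the interface, ask for it rather than silently
      # writing an empty left= into ipsec.conf.
      until [ -n "$PRIVATEIP" ]; do
        echo "The server's private IP could not be detected, please enter it:"
        read -r PRIVATEIP || { echo "No input received, aborting." >&2; exit 1; }
      done
      IPADDRESS=$PRIVATEIP
      break ;;
    [Nn]*) break ;;
    *) echo "Please answer with Yes or No [y|n]." ;;
  esac
done

echo "The IP address that will be used in the config is $IPADDRESS"
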
  151. echo ""
  152. echo "============================================================"
  153. echo ""
  154.  
  155. echo "Installing necessary dependencies..."
  156.  
  157. apt-get install libnss3-dev libnspr4-dev pkg-config libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make libunbound-dev libnss3-tools libevent-dev xmlto -y > /dev/null
  158.  
  159. if [ "$?" = "1" ]
  160. then
  161. echo "An unexpected error occured!"
  162. exit 0
  163. fi
  164.  
  165. echo "Installing XL2TPD..."
  166. apt-get install xl2tpd -y > /dev/null
  167.  
  168. if [ "$?" = "1" ]
  169. then
  170. echo "An unexpected error occured!"
  171. exit 0
  172. fi
  173.  
  174. # Compile and install Libreswan
  175. mkdir -p /opt/src
  176. cd /opt/src
  177. echo "Downloading LibreSwan's source..."
  178. wget -qO- https://download.libreswan.org/libreswan-3.15.tar.gz | tar xvz > /dev/null
  179. cd libreswan-3.15
  180. echo "Compiling LibreSwan..."
  181. make programs > /dev/null
  182. echo "Installing LibreSwan..."
  183. make install > /dev/null
  184.  
  185. echo "Preparing various configuration files..."
  186.  
  187. echo "/etc/ipsec.conf"
  188.  
  189. cat > /etc/ipsec.conf <<EOF
  190. version 2.0
  191. config setup
  192. dumpdir=/var/run/pluto/
  193. nat_traversal=yes
  194. virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
  195. oe=off
  196. protostack=netkey
  197. nhelpers=0
  198. interfaces=%defaultroute
  199. conn vpnpsk
  200. connaddrfamily=ipv4
  201. auto=add
  202. left=$IPADDRESS
  203. leftid=$IPADDRESS
  204. leftsubnet=$IPADDRESS/32
  205. leftnexthop=%defaultroute
  206. leftprotoport=17/1701
  207. rightprotoport=17/%any
  208. right=%any
  209. rightsubnetwithin=0.0.0.0/0
  210. forceencaps=yes
  211. authby=secret
  212. pfs=no
  213. type=transport
  214. auth=esp
  215. ike=3des-sha1,aes-sha1
  216. phase2alg=3des-sha1,aes-sha1
  217. rekey=no
  218. keyingtries=5
  219. dpddelay=30
  220. dpdtimeout=120
  221. dpdaction=clear
  222. EOF
  223.  
  224. echo "/etc/ipsec.secrets"
  225.  
  226. if [ -f /etc/ipsec.secrets ];
  227. then
  228. cp -f /etc/ipsec.secrets /etc/ipsec.secrets.old
  229. echo "Backup /etc/ipsec.secrets -> /etc/ipsec.secrets.old"
  230. fi
  231.  
  232. cat > /etc/ipsec.secrets <<EOF
  233. $IPADDRESS %any : PSK "$IPSEC_PSK"
  234. EOF
  235.  
  236. echo "/etc/xl2tpd/xl2tpd.conf"
  237.  
  238. cat > /etc/xl2tpd/xl2tpd.conf <<EOF
  239. [global]
  240. port = 1701
  241. ;debug avp = yes
  242. ;debug network = yes
  243. ;debug state = yes
  244. ;debug tunnel = yes
  245. [lns default]
  246. ip range = 10.10.10.2-10.10.10.254
  247. local ip = 10.10.10.1
  248. require chap = yes
  249. refuse pap = yes
  250. require authentication = yes
  251. name = l2tpd
  252. ;ppp debug = yes
  253. pppoptfile = /etc/ppp/options.xl2tpd
  254. length bit = yes
  255. EOF
  256.  
  257. echo "/etc/ppp/options.xl2tpd"
  258.  
  259. cat > /etc/ppp/options.xl2tpd <<EOF
  260. ipcp-accept-local
  261. ipcp-accept-remote
  262. ms-dns 8.8.8.8
  263. ms-dns 8.8.4.4
  264. noccp
  265. auth
  266. crtscts
  267. idle 1800
  268. mtu 1280
  269. mru 1280
  270. lock
  271. lcp-echo-failure 10
  272. lcp-echo-interval 60
  273. connect-delay 5000
  274. EOF
  275.  
  276. echo "/etc/ppp/chap-secrets"
  277.  
  278. if [ -f /etc/ppp/chap-secrets ];
  279. then
  280. cp -f /etc/ppp/chap-secrets /etc/ppp/chap-secrets.old
  281. echo "Backup /etc/ppp/chap-secrets -> /etc/ppp/chap-secrets.old"
  282. fi
  283.  
  284. cat > /etc/ppp/chap-secrets <<EOF
  285. # Secrets for authentication using CHAP
  286. # client server secret IP addresses
  287. "$VPN_USER" "*" "$VPN_PASSWORD" "*"
  288. EOF
  289.  
  290. echo "/etc/init.d/ipsec-assist"
  291.  
  292. cat > /etc/init.d/ipsec-assist <<'EOF'
  293. #!/bin/sh
  294. ### BEGIN INIT INFO
  295. # Provides:
  296. # Required-Start: $remote_fs $syslog
  297. # Required-Stop: $remote_fs $syslog
  298. # Default-Start: 2 3 4 5
  299. # Default-Stop: 0 1 6
  300. # Short-Description: Service that starts up XL2TPD and IPSEC
  301. # Description: Service that starts up XL2TPD and IPSEC
  302. ### END INIT INFO
  303. # Author: Phil Plückthun <phil@plckthn.me>
  304.  
  305. # Copyright (C) 2014-2015 Phil Plückthun <phil@plckthn.me>
  306. # Built upon https://help.ubuntu.com/community/L2TPServer
  307.  
  308. case "$1" in
  309. start)
  310. echo "Starting up the goodness of IPSec and XL2TPD"
  311. iptables --table nat --append POSTROUTING --jump MASQUERADE
  312. echo 1 > /proc/sys/net/ipv4/ip_forward
  313. for each in /proc/sys/net/ipv4/conf/*
  314. do
  315. echo 0 > $each/accept_redirects
  316. echo 0 > $each/send_redirects
  317. done
  318. /usr/sbin/service ipsec start
  319. /usr/sbin/service xl2tpd start
  320. ;;
  321. stop)
  322. echo "Stopping IPSec and XL2TPD"
  323. iptables --table nat --flush
  324. echo 0 > /proc/sys/net/ipv4/ip_forward
  325. /usr/sbin/service ipsec stop
  326. /usr/sbin/service xl2tpd stop
  327. ;;
  328. restart)
  329. echo "Restarting IPSec and XL2TPD"
  330. iptables --table nat --append POSTROUTING --jump MASQUERADE
  331. echo 1 > /proc/sys/net/ipv4/ip_forward
  332. for each in /proc/sys/net/ipv4/conf/*
  333. do
  334. echo 0 > $each/accept_redirects
  335. echo 0 > $each/send_redirects
  336. done
  337. /usr/sbin/service ipsec restart
  338. /usr/sbin/service xl2tpd restart
  339. ;;
  340. esac
  341.  
  342. exit 0
  343. EOF
  344.  
  345. chmod 755 /etc/init.d/ipsec-assist
  346.  
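echo "Applying settings..."

# Initialise Libreswan's NSS database (empty password) on first install.
# The password file used to be a fixed name under /var/tmp, which another
# local user could pre-create or symlink; mktemp avoids that.
if [ ! -f /etc/ipsec.d/cert8.db ]; then
  nss_pwd_file=$(mktemp) || { echo "mktemp failed!" >&2; exit 1; }
  echo > "$nss_pwd_file"
  /usr/bin/certutil -N -f "$nss_pwd_file" -d /etc/ipsec.d > /dev/null
  rm -f "$nss_pwd_file"
fi

/sbin/sysctl -p > /dev/null

echo "Disabling the IPSec and XL2TP auto start..."

# Both daemons are started by ipsec-assist (which sets ip_forward and the NAT
# rule first), so their own rc links are removed.
/usr/sbin/service ipsec stop
/usr/sbin/service xl2tpd stop

update-rc.d -f xl2tpd remove
update-rc.d -f ipsec remove

echo "Adding the new auto start..."

update-rc.d ipsec-assist defaults

echo "Starting up the VPN..."

/usr/sbin/service ipsec-assist start

echo "Done."
echo ""
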
  376. echo "============================================================"
  377. echo "Host: $PUBLICIP (Or a domain pointing to your server)"
  378. echo "IPSec PSK Key: $IPSEC_PSK"
  379. echo "Username: $VPN_USER"
  380. echo "Password: ********"
  381. echo "============================================================"
  382.  
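echo "Your VPN server password is hidden. Would you like to reveal it?"
# Setup is complete at this point, so EOF on stdin is treated like "no".
while true; do
  read -r yn || exit 0
  case $yn in
    [Yy]*) clear; break ;;
    [Nn]*) exit 0 ;;
    *) echo "Please answer with Yes or No [y|n]." ;;
  esac
done
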
  393. echo "============================================================"
  394. echo "Host: $PUBLICIP (Or a domain pointing to your server)"
  395. echo "IPSec PSK Key: $IPSEC_PSK"
  396. echo "Username: $VPN_USER"
  397. echo "Password: $VPN_PASSWORD"
  398. echo "============================================================"
  399.  
  400. echo "Note:"
  401. echo "* Before connecting with a Windows client, please see: http://support.microsoft.com/kb/926179"
  402. echo "* Ports 1701, 500 and 4500 must be opened for the VPN to work!"
  403. echo "* If you plan to keep the VPN server generated with this script on the internet for a long time (a day or more), consider securing it to possible attacks!"
  404.  
  405. sleep 1
  406. exit 0