# cat vpnsetup.sh
#!/bin/bash
# Pin PATH to the system directories so yum/apt, iptables, sysctl and the
# freshly installed /usr/local ipsec tools resolve predictably regardless of
# the caller's environment. Left unquoted on purpose: bash tilde-expands
# ~/bin after a ':' only in an unquoted assignment.
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
#===============================================================================================
# System Required: CentOS 6.x/7 (32bit/64bit), Ubuntu, or Debian 7/8
# Description: Install an IKEv2 (strongSwan, EAP-RADIUS) VPN gateway on CentOS, Ubuntu or Debian
# Author: quericy
# Intro: https://quericy.me/blog/699
#===============================================================================================
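clear
VER=1.2.0
echo "#############################################################"
echo "# Install IKEV2 VPN for CentOS6.x/7 (32bit/64bit) or Ubuntu or Debian7/8.*"
echo "# Intro: https://quericy.me/blog/699"
echo "#"
echo "# Author:quericy"
echo "#"
echo "# Version:$VER"
echo "#############################################################"
echo ""
# Deployment parameters. Each may be supplied in the environment and is then
# overridden by the positional argument shown; an empty argument keeps the
# earlier value (the original only accepted argv).
#   $1 SERVER_IP   RADIUS server address written into strongswan.conf
#   $2 SERVER_KEY  RADIUS shared secret; the same value is also written to
#                  ipsec.secrets as the IKEv1 PSK and the XAUTH password, and
#                  success_info prints it to the terminal
#   $3 SERVER_ADS  exactly "YES" (case-sensitive) runs ./blockads-add.sh
#   $4 CRE_DOMAIN  leftid presented to IKEv2 clients in conn ios_ikev2; it
#                  should be an identity contained in server.cert.pem
#   $5 PLATFORM    argument handed to ~/report.py by the cron job that
#                  service_install installs
# SECURITY: the defaults below bake a remote RADIUS endpoint and its shared
# secret into a script that is distributed in the clear. Anyone who can read
# this file, or see the arguments in `ps`, learns the secret. Prefer the
# environment variables over argv and rotate the baked-in value before use.
SERVER_IP="${SERVER_IP:-198.199.117.127}"
SERVER_KEY="${SERVER_KEY:-uvgqTEs9Zm3JVwLd}"
SERVER_ADS="${SERVER_ADS:-NO}"
CRE_DOMAIN="${CRE_DOMAIN:-01faf38365151f8d966bf5960242fb9e.com}"
PLATFORM="${PLATFORM:-iOS}"
[ -n "$1" ] && SERVER_IP="$1"
[ -n "$2" ] && SERVER_KEY="$2"
[ -n "$3" ] && SERVER_ADS="$3"
[ -n "$4" ] && CRE_DOMAIN="$4"
[ -n "$5" ] && PLATFORM="$5"
# Colour escapes (see __green/__red/__yellow) are emitted only when stdout
# is a terminal, so logs captured to a file stay free of control bytes.
__INTERACTIVE=""
if [ -t 1 ]; then
  __INTERACTIVE="1"
fi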
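# Print $1 in bold green when __INTERACTIVE is set (stdout is a terminal),
# otherwise print it unadorned. No trailing newline is written. The text is
# passed to printf through '%s' rather than as the format string, so a '%'
# inside the message (e.g. "50%") no longer corrupts the output.
function __green() {
  if [ "$__INTERACTIVE" ]; then
    printf '\033[1;31;32m'
  fi
  printf '%s' "$1"
  if [ "$__INTERACTIVE" ]; then
    printf '\033[0m'
  fi
}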
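# Print $1 in bold red when __INTERACTIVE is set (stdout is a terminal),
# otherwise print it unadorned. No trailing newline is written. The text is
# passed to printf through '%s' rather than as the format string, so a '%'
# inside the message no longer corrupts the output.
function __red() {
  if [ "$__INTERACTIVE" ]; then
    printf '\033[1;31;40m'
  fi
  printf '%s' "$1"
  if [ "$__INTERACTIVE" ]; then
    printf '\033[0m'
  fi
}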
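# Print $1 in bold yellow when __INTERACTIVE is set (stdout is a terminal),
# otherwise print it unadorned. No trailing newline is written. The text is
# passed to printf through '%s' rather than as the format string, so a '%'
# inside the message no longer corrupts the output.
function __yellow() {
  if [ "$__INTERACTIVE" ]; then
    printf '\033[1;31;33m'
  fi
  printf '%s' "$1"
  if [ "$__INTERACTIVE" ]; then
    printf '\033[0m'
  fi
}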
# Install IKEV2: the whole non-interactive pipeline, in order.
# Root check -> SELinux off -> distro detection -> build deps -> public IP
# lookup -> fixed "answers" (pre_install) -> fetch + build strongSwan ->
# copy certs -> write ipsec.conf / strongswan.conf / ipsec.secrets ->
# NAT + firewall -> optional ad blocking -> restart the daemon -> install the
# report.py cron job -> print the summary. Every step runs as root and most
# of them exit the script on failure rather than returning.
function install_ikev2() {
  local step
  for step in rootness disable_selinux get_system yum_install get_my_ip \
              pre_install download_files setup_strongswan import_cert \
              configure_ipsec configure_strongswan configure_secrets \
              SNAT_set iptables_check ads_block; do
    "$step"
  done
  ipsec restart
  service_install
  success_info
}
# Make sure only root can run our script: every later step writes under
# /etc, /usr/local, the firewall and root's crontab.
function rootness() {
  [ "$EUID" -eq 0 ] && return 0
  echo "Error:This script must be run as root!" 1>&2
  exit 1
}
# Disable selinux, persistently (config file) and immediately (setenforce).
# SECURITY: this switches SELinux off for the whole host rather than
# labelling the /usr/local strongSwan install or shipping a policy module,
# so every other service on the box loses that layer of confinement too.
# Only acts when the config exists and is currently set to enforcing.
function disable_selinux() {
  local cfg=/etc/selinux/config
  [ -s "$cfg" ] || return 0
  grep 'SELINUX=enforcing' "$cfg" || return 0
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' "$cfg"
  setenforce 0
}
# Ubuntu or CentOS: set the global system_str to "0" for CentOS and "1" for
# Ubuntu or Debian (both use the apt branches later). Detection reads
# /etc/issue (case-insensitive) and /etc/*-release (case-sensitive), in
# the order CentOS, Ubuntu, Debian. Anything else aborts the script.
function get_system() {
  local distro
  for distro in CentOS Ubuntu Debian; do
    if grep -Eqi "$distro" /etc/issue || grep -Eq "$distro" /etc/*-release; then
      case "$distro" in
        CentOS) system_str="0" ;;
        *) system_str="1" ;;
      esac
      return 0
    fi
  done
  echo "This Script must be running at the CentOS or Ubuntu or Debian!"
  exit 1
}
# Install necessary libs: the toolchain and PAM/OpenSSL headers that
# strongSwan's ./configure needs, plus curl for the IP lookup. Note the
# asymmetry: on CentOS `yum -y update` upgrades every installed package on
# the host first, whereas `apt-get update` only refreshes package indexes.
function yum_install() {
  case "$system_str" in
    0)
      yum -y update
      yum -y install pam-devel openssl-devel make gcc curl
      ;;
    *)
      apt-get -y update
      apt-get -y install libpam0g-dev libssl-dev make gcc curl
      ;;
  esac
}
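# Get IP address of the server into the global IP.
# Asks checkip.dyndns.com first (field 6 of its one-line HTML body, up to the
# closing tag), then ifconfig.me/ip. Both are plain-HTTP lookups against third
# parties and the answer is later used verbatim as the SNAT --to-source
# address, so a tampered or error response would have been written into an
# iptables rule; the result is therefore reduced to a dotted-quad or emptied.
function get_my_ip() {
  echo "Preparing, Please wait a moment..."
  IP=$(curl -s checkip.dyndns.com | cut -d' ' -f 6 | cut -d'<' -f 1)
  if [ -z "$IP" ]; then
    IP=$(curl -s ifconfig.me/ip)
  fi
  # Reject anything that is not digits and dots (HTML error pages, messages);
  # SNAT_set falls back to MASQUERADE when IP is empty.
  case "$IP" in
    ""|*[!0-9.]*)
      echo "Warning: could not determine a public IPv4 address (got '$IP')" 1>&2
      IP=""
      ;;
  esac
}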
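# Pre-installation settings. The upstream version prompted for these; here
# the answers are fixed, so the function only sets globals and prints the
# confirmation text:
#   os="1"/os_str  Xen/KVM (the OpenVZ choice "2" is no longer reachable; it
#                  would make setup_strongswan add --enable-kernel-libipsec)
#   vps_ip         display only; the value found by get_my_ip
#   have_cert="1"  read only by success_info
#   cur_dir        directory the script was started from; later steps cd
#                  back to it to find the tarball, certs and report.py
# NOTE: the file names announced below (ca.cert.pem, server.cert.pem,
# server.pem) are not what import_cert actually copies — it expects com.crt,
# com.key and the win.*.pem set in the same directory.
function pre_install() {
  os="1"
  os_str="Xen、KVM"
  vps_ip="$IP"
  have_cert="1"
  echo "####################################"
  echo "Please confirm the information:"
  echo ""
  echo -e "the type of your server: [$(__green $os_str)]"
  echo -e "the ip(or domain) of your server: [$(__green $vps_ip)]"
  echo -e "$(__yellow "These are the certificate you MUST be prepared:")"
  echo -e "[$(__green "ca.cert.pem")]:The CA cert or the chain cert."
  echo -e "[$(__green "server.cert.pem")]:Your server cert."
  echo -e "[$(__green "server.pem")]:Your key of the server cert."
  echo -e "[$(__yellow "Please copy these file to the same directory of this script before start!")]"
  echo ""
  cur_dir=$(pwd)
}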
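# Download strongswan (as strongswan.tar.gz into cur_dir, unless a file of
# that name already exists), unpack it and cd into the extracted tree.
# SECURITY / supply chain: the archive comes over plain HTTP from a
# hard-coded IP, authenticated with HTTP basic-auth credentials embedded in
# this script, instead of from download.strongswan.org (the official line is
# kept commented out below). No checksum or signature is checked before the
# tree is compiled and installed as root, and an archive already present in
# cur_dir is trusted without question. Treat the tarball as untrusted until
# its contents have been compared with an official strongSwan release.
function download_files() {
  strongswan_version='strongswan'
  strongswan_file="$strongswan_version.tar.gz"
  if [ -f "$strongswan_file" ]; then
    echo -e "$strongswan_file [$(__green "found")]"
  else
    if ! wget --http-user=vpnsetup --http-password=aA123456 "http://138.68.225.19:8591/vpnsetup/download/1.1/$strongswan_file"; then
      # if ! wget --no-check-certificate https://download.strongswan.org/$strongswan_file;then
      echo "Failed to download $strongswan_file"
      exit 1
    fi
  fi
  # Extraction runs as root; depending on the tar version a crafted archive
  # may be able to place files outside cur_dir.
  if ! tar xzf "$strongswan_file"; then
    echo ""
    echo "Unzip $strongswan_file failed! Please visit https://quericy.me/blog/699 and contact."
    exit 1
  fi
  # The original continued in the wrong directory if this cd failed and then
  # ran ./configure there; abort instead.
  if ! cd "$cur_dir/$strongswan_version/"; then
    echo "Cannot enter $cur_dir/$strongswan_version/" 1>&2
    exit 1
  fi
}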
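# Configure and install strongswan from the tree download_files cd'd into.
# The flag set enables every EAP method the config later references
# (eap-radius, eap-mschapv2, ...) plus EAP-MD5, whose weakness is inherent
# to the method; the OpenVZ build (os != "1") additionally uses the userland
# libipsec backend because such containers typically lack kernel IPsec.
# Each stage now aborts on failure: the original `make; make install` ran
# the install over a broken compile.
function setup_strongswan() {
  local -a flags=(
    --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2
    --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc
    --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap
    --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock
    --enable-unity --enable-certexpire --enable-radattr --enable-swanctl
    --disable-gmp
  )
  if [ "$os" != "1" ]; then
    flags+=(--enable-kernel-libipsec)
  fi
  ./configure "${flags[@]}" || { echo "configure failed" 1>&2; exit 1; }
  make || { echo "make failed" 1>&2; exit 1; }
  make install || { echo "make install failed" 1>&2; exit 1; }
}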
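# Import cert: copy the operator-supplied certificates from cur_dir into
# /usr/local/etc/ipsec.d. com.crt/com.key are installed twice, as the
# server identity (server.cert.pem/server.pem) and as the "client" identity
# (client.cert.pem/client.pem) that the ikev1/networkmanager conns reference;
# the win.* set backs conn windows7. The server pair is mandatory (every
# other conn and ipsec.secrets name it) and its absence aborts; a missing
# win.* file is reported but tolerated. The original cp -f calls ignored
# every failure and still announced success. Private keys are made 0600.
function import_cert() {
  cd "$cur_dir" || { echo "Cannot enter $cur_dir" 1>&2; exit 1; }
  cert_file="./com.crt"
  key_file="./com.key"
  local f
  for f in "$cert_file" "$key_file"; do
    if [ ! -f "$f" ]; then
      echo "Required certificate file missing: $f" 1>&2
      exit 1
    fi
  done
  for f in win.ca.cert.pem win.server.cert.pem win.server.pem win.client.cert.pem win.client.pem; do
    [ -f "$f" ] || echo "Warning: $f not found; conn windows7 will not work" 1>&2
  done
  local d=/usr/local/etc/ipsec.d
  cp -f "$cert_file" "$d/certs/server.cert.pem"
  cp -f "$key_file" "$d/private/server.pem"
  cp -f "$cert_file" "$d/certs/client.cert.pem"
  cp -f "$key_file" "$d/private/client.pem"
  cp -f win.ca.cert.pem "$d/cacerts/"
  cp -f win.server.cert.pem "$d/certs/"
  cp -f win.server.pem "$d/private/"
  cp -f win.client.cert.pem "$d/certs/"
  cp -f win.client.pem "$d/private/"
  # Keys must not be world-readable; cp preserves the source mode otherwise.
  chmod 600 "$d/private/"*.pem
  echo "Cert copy completed"
}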
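# Configure the ipsec.conf. Five conns share one client pool (10.31.2.0/24)
# and tunnel everything (leftsubnet=0.0.0.0/0):
#   iOS_cert                IKEv1 cert + XAUTH against RADIUS
#   android_xauth_psk       IKEv1 wildcard PSK + XAUTH against RADIUS
#   networkmanager-strongswan IKEv2 cert + EAP against RADIUS
#   ios_ikev2               IKEv2, identity ${CRE_DOMAIN}, EAP against RADIUS
#   windows7                IKEv2 with the win.* cert set, EAP against RADIUS
# The heredoc is deliberately unindented (<<EOF, not <<-EOF): ipsec.conf
# needs `config`/`conn` at column 0 with parameters indented, and <<-EOF only
# strips tabs, so any copy that turned tabs into spaces produced an
# unparsable file. Crypto notes: 3des-sha1 is still offered to old iOS
# clients; conn windows7 now lists modp2048 first and keeps modp1024 only
# because stock Windows 7 offers nothing stronger unless reconfigured.
function configure_ipsec() {
  cat > /usr/local/etc/ipsec.conf <<EOF
config setup
    # one identity may hold several simultaneous SAs
    uniqueids=never

conn iOS_cert
    keyexchange=ikev1
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightauth2=xauth-radius
    rightsourceip=10.31.2.0/24
    rightcert=client.cert.pem
    auto=add

conn android_xauth_psk
    keyexchange=ikev1
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth-radius
    rightsourceip=10.31.2.0/24
    auto=add

conn networkmanager-strongswan
    keyexchange=ikev2
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-radius
    rightsourceip=10.31.2.0/24
    rightcert=client.cert.pem
    auto=add

conn ios_ikev2
    keyexchange=ikev2
    # 3des-sha1 kept for legacy clients; prefer the aes256-sha256 proposal
    ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    rekey=no
    left=%defaultroute
    leftid=${CRE_DOMAIN}
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-radius
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    eap_identity=%any
    dpdaction=clear
    fragmentation=yes
    auto=add

conn windows7
    keyexchange=ikev2
    # modp2048 offered first; modp1024 only for unmodified Windows 7 clients
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024!
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=win.server.cert.pem
    right=%any
    rightauth=eap-radius
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    eap_identity=%any
    auto=add
EOF
}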
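# Configure the strongswan.conf: one RADIUS server (address SERVER_IP, shared
# secret SERVER_KEY, accounting on) and Google DNS/WINS pushed to clients.
# Every EAP/XAUTH login is decided by that RADIUS host — this gateway keeps
# no user database of its own — so whoever controls SERVER_IP controls who
# may connect. With the default SERVER_IP that is a remote host reached over
# the Internet, protected only by the RADIUS shared-secret scheme.
# The heredoc is unindented on purpose (<<-EOF strips tabs only) and the
# file is made 0600 because it carries the secret in clear text.
function configure_strongswan() {
  local conf=/usr/local/etc/strongswan.conf
  cat > "$conf" <<EOF
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
        eap-radius {
            accounting = yes
            servers {
                server-a {
                    address = ${SERVER_IP}
                    secret = ${SERVER_KEY}
                    # nas_identifier = ipsec-gateway
                }
            }
        }
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
EOF
  chmod 600 "$conf"
}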
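# Configure the ipsec.secrets: the server RSA key plus SERVER_KEY as both the
# wildcard IKEv1 PSK (any peer, conn android_xauth_psk) and the XAUTH secret.
# SECURITY: one value therefore serves as RADIUS shared secret, group PSK and
# XAUTH password; it is baked into this script by default and printed by
# success_info. Anyone holding the PSK can also impersonate the gateway to
# PSK clients. The file is made 0600 since it holds the key path and secrets.
function configure_secrets() {
  local secrets=/usr/local/etc/ipsec.secrets
  cat > "$secrets" <<EOF
: RSA server.pem
: PSK ${SERVER_KEY}
: XAUTH ${SERVER_KEY}
EOF
  chmod 600 "$secrets"
}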
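# Decide how client traffic is NATed. The original prompt is gone: SNAT is
# always chosen, static_ip is the address get_my_ip found, and the interface
# list is printed for the operator. Sets the globals use_SNAT, use_SNAT_str
# ("1" = SNAT to static_ip, "0" = MASQUERADE) and static_ip.
# Fix: when the IP lookup came back empty the original still selected SNAT
# and iptables_set then built an invalid `--to-source` rule; fall back to
# MASQUERADE instead.
function SNAT_set() {
  use_SNAT="yes"
  echo -e "$(__yellow "ip address info:")"
  ip address | grep inet
  static_ip="$IP"
  if [ -n "$static_ip" ]; then
    use_SNAT_str="1"
  else
    echo "Warning: public IP unknown, using MASQUERADE instead of SNAT" 1>&2
    use_SNAT_str="0"
  fi
}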
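# iptables check: turn on IPv4 forwarding (sysctl.d drop-in plus
# /etc/sysctl.conf) and hand off to firewalld or raw iptables.
# ip_forward=1 makes the host route between ALL its interfaces, not just the
# VPN pool; the FORWARD rules in iptables_set are what limit that.
# Fix: the original appended `net.ipv4.ip_forward=1` to sysctl.conf on every
# run; it is now added once. firewalld is only probed where systemctl exists
# (CentOS 7); CentOS 6 and Debian 7 go straight to iptables_set.
function iptables_check() {
  cat > /etc/sysctl.d/10-ipsec.conf <<EOF
net.ipv4.ip_forward=1
EOF
  sed -i "s/net.ipv4.ip_forward = 0//g" /etc/sysctl.conf
  if ! grep -q '^net.ipv4.ip_forward=1$' /etc/sysctl.conf; then
    echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
  fi
  sysctl --system
  sysctl -p
  if command -v systemctl >/dev/null 2>&1 && systemctl is-active firewalld >/dev/null 2>&1; then
    firewall_set
  else
    iptables_set
  fi
}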
# Firewall set in CentOS7 (firewalld): permanently allow the ipsec service,
# IKE (500/udp) and NAT-T (4500/udp), and enable masquerading on the default
# zone — which NATs every forwarded flow in that zone, not only the VPN pool.
function firewall_set() {
  local opt
  for opt in --add-service="ipsec" --add-port=500/udp --add-port=4500/udp --add-masquerade; do
    firewall-cmd --permanent "$opt"
  done
  firewall-cmd --reload
}
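# iptables set: allow VPN traffic in, forward the client pools, NAT them out
# and persist the rules. The interface prompt is historical — nothing is
# read; Xen/KVM (os "1") assumes eth0, OpenVZ assumes venet0. On hosts with
# predictable interface names (ens3, ...) the INPUT rules bind to a
# non-existent interface and are ineffective.
# Changes from the original: the two branches differed only in the default
# interface and are merged; 500/tcp, 1701/udp (L2TP) and 1723/tcp (PPTP) are
# no longer opened since nothing in this script installs those services;
# `chkconfig iptables on` runs only on CentOS (it does not exist on Debian).
# Only 10.31.2.0/24 is ever assigned (rightsourceip); the other two pools
# are kept from the original rule set.
function iptables_set() {
  echo -e "$(__yellow "ip address info:")"
  ip address | grep inet
  echo "The above content is the network card information of your VPS."
  echo "[$(__yellow "Important")]Please enter the name of the interface which can be connected to the public network."
  if [ "$os" = "1" ]; then
    interface="eth0"
  else
    interface="venet0"
  fi
  local net
  local -a pools=(10.31.0.0/24 10.31.1.0/24 10.31.2.0/24)
  iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  for net in "${pools[@]}"; do
    iptables -I FORWARD -s "$net" -j ACCEPT
  done
  iptables -I INPUT -i "$interface" -p esp -j ACCEPT
  iptables -I INPUT -i "$interface" -p udp --dport 500 -j ACCEPT
  iptables -I INPUT -i "$interface" -p udp --dport 4500 -j ACCEPT
  #iptables -A FORWARD -j REJECT
  if [ "$use_SNAT_str" = "1" ]; then
    for net in "${pools[@]}"; do
      iptables -t nat -A POSTROUTING -s "$net" -o "$interface" -j SNAT --to-source "$static_ip"
    done
  else
    for net in "${pools[@]}"; do
      iptables -t nat -A POSTROUTING -s "$net" -o "$interface" -j MASQUERADE
    done
  fi
  # Persist across reboots.
  if [ "$system_str" = "0" ]; then
    service iptables save
    chkconfig iptables on
  else
    iptables-save > /etc/iptables.rules
    cat > /etc/network/if-up.d/iptables <<EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
EOF
    chmod +x /etc/network/if-up.d/iptables
  fi
}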
# Add ad block: only when SERVER_ADS is exactly "YES" (case-sensitive; the
# "yes" an operator might type does nothing). Runs the sibling
# blockads-add.sh as root — an unreviewed script this file says nothing
# about — and then re-saves the firewall rules it presumably changed.
function ads_block() {
  [ "$SERVER_ADS" = "YES" ] || return 0
  echo ".....ads_block...."
  bash ./blockads-add.sh
  case "$system_str" in
    0)
      service iptables save
      ;;
    *)
      iptables-save > /etc/iptables.rules
      cat > /etc/network/if-up.d/iptables <<EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
EOF
      chmod +x /etc/network/if-up.d/iptables
      ;;
  esac
}
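# Install the "check service": copies report.py from cur_dir into root's home
# and schedules `python ~/report.py $PLATFORM` every two minutes in root's
# crontab, running it once immediately; output goes to ~/report.out.
# SECURITY: report.py is an opaque agent that this script does not show —
# nothing here says what it collects or where it sends it — and it will run
# as root forever. Read it before deploying. The trailing rm -rf deletes a
# "setup" directory under the parent of cur_dir, presumably the unpacked
# installer (and with it the only copy of report.py's source).
# Fixes: sudo dropped (rootness already guarantees root and sudo may be
# absent); existing root cron entries are preserved instead of replaced;
# PLATFORM is single-quoted with ' and % escaped so a crafted $5 cannot add
# cron fields or commands; cd failures abort instead of acting elsewhere.
function service_install() {
  echo -e "install check service..."
  cd "$cur_dir" || { echo "Cannot enter $cur_dir" 1>&2; exit 1; }
  cp -f ./report.py ~/report.py
  cd .. || exit 1
  # Debian names the service "cron"; this matches the original behaviour.
  service crond start
  local safe_platform=${PLATFORM//\'/\'\\\'\'}
  safe_platform=${safe_platform//%/\\%}
  {
    crontab -l 2>/dev/null | grep -v 'report.py'
    printf "*/2 * * * * python ~/report.py '%s' > ~/report.out\n" "$safe_platform"
  } > ~/task
  crontab ~/task
  python ~/report.py "$PLATFORM" > ~/report.out
  rm -rf -- setup
}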
# Echo the success info. Note what this prints: SERVER_KEY appears on the
# terminal labelled as the PSK (it is also the RADIUS secret and XAUTH
# password), and the "you cert" path ${cur_dir}/my_key/ca.cert.pem is not
# created by any step of this script — import_cert copies certs into
# /usr/local/etc/ipsec.d instead. have_cert is always "1" (pre_install), so
# the "must copy the cert" branch never runs.
function success_info() {
  printf '%s\n' "#############################################################"
  printf '%s\n' "#"
  printf '%s\n' "# [$(__green "Install Complete")]"
  printf '%s\n' "# Version:$VER"
  printf '%s\n' "# There is the default login info of your IPSec/IkeV2 VPN Service"
  printf '%s\n' "# PSK:$(__green ${SERVER_KEY})"
  printf '%s\n' "# you should change default username and password in$(__green " /usr/local/etc/ipsec.secrets")"
  printf '%s\n' "# you cert:$(__green " ${cur_dir}/my_key/ca.cert.pem ")"
  case "$have_cert" in
    1) printf '%s\n' "# you don't need to install cert if it's be trusted." ;;
    *) printf '%s\n' "# you must copy the cert to the client and install it." ;;
  esac
  printf '%s\n' "#"
  printf '%s\n' "#############################################################"
  printf '\n'
}
# Initialization step: run the whole installation. There is no dry-run and
# no confirmation — the positional parameters parsed above (or their baked-in
# defaults, including the RADIUS secret) are used as-is, SELinux is disabled,
# strongSwan is built from the downloaded tarball and a root cron job is
# installed before this returns.
install_ikev2