  1. # cat vpnsetup.sh
  2. #! /bin/bash
  3. PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
  4. export PATH
  5. #===============================================================================================
  6. # System Required: CentOS6.x/7 (32bit/64bit) or Ubuntu
  7. # Description: Install IKEV2 VPN for CentOS and Ubuntu
  8. # Author: quericy
  9. # Intro: https://quericy.me/blog/699
  10. #===============================================================================================
  11.  
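clear
VER=1.2.0
cat <<EOF
#############################################################
# Install IKEV2 VPN for CentOS6.x/7 (32bit/64bit) or Ubuntu or Debian7/8.*
# Intro: https://quericy.me/blog/699
#
# Author:quericy
#
# Version:$VER
#############################################################

EOF

# Deployment parameters. Each positional argument ($1..$5) overrides the
# matching default; a non-empty environment variable of the same name is
# honoured before the built-in default, so SERVER_KEY can be supplied
# without putting it on a command line (where ps/shell history would see it).
#   $1 SERVER_IP   RADIUS server address written to strongswan.conf
#   $2 SERVER_KEY  one secret used three ways: RADIUS shared secret,
#                  IKEv1 PSK and XAUTH secret (configure_secrets)
#   $3 SERVER_ADS  "YES" runs ads_block
#   $4 CRE_DOMAIN  IKEv2 leftid written to ipsec.conf
#   $5 PLATFORM    argument handed to report.py by service_install
# NOTE(review): the defaults below embed a specific RADIUS host and its
# secret in the script itself; anyone holding this file holds that secret,
# and every installation that keeps the defaults shares it.
SERVER_IP=${1:-${SERVER_IP:-198.199.117.127}}
SERVER_KEY=${2:-${SERVER_KEY:-uvgqTEs9Zm3JVwLd}}
SERVER_ADS=${3:-${SERVER_ADS:-NO}}
CRE_DOMAIN=${4:-${CRE_DOMAIN:-01faf38365151f8d966bf5960242fb9e.com}}
PLATFORM=${5:-${PLATFORM:-iOS}}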
  49.  
  50.  
# Colour escape sequences (__green/__red/__yellow) are emitted only when
# stdout is a terminal; "" means plain output.
__INTERACTIVE=""
[ -t 1 ] && __INTERACTIVE="1"
  55.  
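#######################################
# Print $1 in green when stdout is a terminal, plain otherwise.
# Globals:   __INTERACTIVE (read)
# Arguments: $1 - text to print; treated as data, never as a printf format
# Outputs:   the text on stdout, no trailing newline
# Returns:   0
#######################################
__green(){
  local text=$1
  # SGR 1;31;32 = bold, red, then green; the last colour parameter wins.
  [ "$__INTERACTIVE" ] && printf '\033[1;31;32m'
  # '%s' keeps '%' and '\' in the argument literal (the previous
  # printf -- "$1" interpreted them, e.g. for a SERVER_KEY containing '%').
  printf '%s' "$text"
  [ "$__INTERACTIVE" ] && printf '\033[0m'
  return 0
}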
  65.  
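#######################################
# Print $1 in red (on black) when stdout is a terminal, plain otherwise.
# Globals:   __INTERACTIVE (read)
# Arguments: $1 - text to print; treated as data, never as a printf format
# Outputs:   the text on stdout, no trailing newline
# Returns:   0
#######################################
__red(){
  local text=$1
  # SGR 1;31;40 = bold, red foreground, black background.
  [ "$__INTERACTIVE" ] && printf '\033[1;31;40m'
  # '%s' keeps '%' and '\' in the argument literal.
  printf '%s' "$text"
  [ "$__INTERACTIVE" ] && printf '\033[0m'
  return 0
}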
  75.  
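#######################################
# Print $1 in yellow when stdout is a terminal, plain otherwise.
# Globals:   __INTERACTIVE (read)
# Arguments: $1 - text to print; treated as data, never as a printf format
# Outputs:   the text on stdout, no trailing newline
# Returns:   0
#######################################
__yellow(){
  local text=$1
  # SGR 1;31;33 = bold, red, then yellow; the last colour parameter wins.
  [ "$__INTERACTIVE" ] && printf '\033[1;31;33m'
  # '%s' keeps '%' and '\' in the argument literal.
  printf '%s' "$text"
  [ "$__INTERACTIVE" ] && printf '\033[0m'
  return 0
}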
  85.  
# Install IKEV2: run every installation step in order. Each step is a
# function defined below; they communicate through globals (system_str, os,
# IP, cur_dir, use_SNAT_str, ...) rather than arguments.
# The sequence ends with service_install, which installs a cron job, and
# the summary banner.
function install_ikev2(){
  local step
  # Everything up to the daemon restart: checks, packages, build, config.
  for step in rootness disable_selinux get_system yum_install get_my_ip \
      pre_install download_files setup_strongswan import_cert configure_ipsec \
      configure_strongswan configure_secrets SNAT_set iptables_check ads_block; do
    "$step"
  done
  ipsec restart
  service_install
  success_info
}
  107.  
# Abort unless running as root (EUID 0); every later step writes under
# /etc and /usr/local and manipulates the firewall.
# Outputs:  an error line on stderr when not root
# Returns:  exits with 1 when not root, otherwise 0
function rootness(){
  if (( EUID != 0 )); then
    printf '%s\n' "Error:This script must be run as root!" >&2
    exit 1
  fi
}
  115.  
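# Disable selinux
# Side effects: rewrites /etc/selinux/config (enforcing -> disabled, persists
#   across reboots) and switches to permissive mode immediately.
# NOTE(review): this turns SELinux off for the whole host, removing a
# confinement layer from every service, not only from strongswan.
function disable_selinux(){
  local cfg=/etc/selinux/config
  # -q: only the exit status matters; without it the matching line was
  # printed to stdout as noise.
  if [ -s "$cfg" ] && grep -q 'SELINUX=enforcing' "$cfg"; then
    sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' "$cfg"
    setenforce 0
  fi
}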
  123.  
# Detect the distribution family from /etc/issue and /etc/*-release.
# Globals:  system_str (written): "0" for CentOS (yum path),
#           "1" for Ubuntu and Debian (apt path)
# Returns:  exits with 1 when none of the three is recognised
function get_system(){
  local distro
  # Order matters: the first match wins. /etc/issue is matched
  # case-insensitively, the release files case-sensitively, as before.
  for distro in CentOS Ubuntu Debian; do
    if grep -Eqi "$distro" /etc/issue || grep -Eq "$distro" /etc/*-release; then
      if [ "$distro" = "CentOS" ]; then
        system_str="0"
      else
        system_str="1"
      fi
      return 0
    fi
  done
  echo "This Script must be running at the CentOS or Ubuntu or Debian!"
  exit 1
}
  137.  
# Install the build prerequisites (PAM and OpenSSL headers, make, gcc, curl)
# with the package manager selected by get_system.
# Globals:  system_str (read)
# Side effects: runs a full package update first.
function yum_install(){
  case "$system_str" in
    0)
      yum -y update
      yum -y install pam-devel openssl-devel make gcc curl
      ;;
    *)
      apt-get -y update
      apt-get -y install libpam0g-dev libssl-dev make gcc curl
      ;;
  esac
}
  148.  
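# Get IP address of the server
# Globals:   IP (written; "" when neither lookup returned an IPv4 literal)
# Outputs:   a progress line on stdout
# NOTE(review): the address comes from two third-party web services over
# plain HTTP and is later used verbatim as the SNAT source address
# (iptables_set) and shown as the VPN endpoint. The response is therefore
# checked against a dotted-quad pattern before it is accepted; the old
# `[ -z $IP ]` only caught an empty reply, not an error page.
function get_my_ip(){
  echo "Preparing, Please wait a moment..."
  # Field 6 of the dyndns page, up to the next '<' — assumes the
  # "Current IP Address: x.x.x.x</body>" layout; confirm if it changes.
  IP=$(curl -s checkip.dyndns.com | cut -d' ' -f 6 | cut -d'<' -f 1)
  if ! _looks_like_ipv4 "$IP"; then
    IP=$(curl -s ifconfig.me/ip)
  fi
  if ! _looks_like_ipv4 "$IP"; then
    IP=""
  fi
}

# True when $1 is four dot-separated decimal fields (loose IPv4 shape check).
_looks_like_ipv4(){
  local re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  [[ "$1" =~ $re ]]
}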
  157.  
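# Pre-installation settings
# Globals:   IP (read); os, os_str, os_choice, vps_ip, have_cert, cur_dir (written)
# Outputs:   a confirmation summary on stdout
# The interactive prompts of the upstream script are replaced by fixed
# answers (Xen/KVM, the detected IP, "cert already present"), so the run is
# unattended; the former prompts are noted where the fixed value is set.
function pre_install(){
  # Formerly: read -p "your choice(1 or 2):" os_choice
  os_choice="1"
  case "$os_choice" in
    1) os="1"; os_str="Xen、KVM" ;;
    2) os="2"; os_str="OpenVZ" ;;
    *) echo "wrong choice!"; exit 1 ;;
  esac

  # Formerly: read -p "ip or domain(default_value:${IP}):" vps_ip
  vps_ip=""
  if [ -z "$vps_ip" ]; then
    vps_ip=$IP
  fi

  # Formerly: read -p "yes or no?(default_value:no):" have_cert
  have_cert="1"

  echo "####################################"
  echo "Please confirm the information:"
  echo ""
  # Quoted: vps_ip comes from a web lookup and is not guaranteed to be one word.
  echo -e "the type of your server: [$(__green "$os_str")]"
  echo -e "the ip(or domain) of your server: [$(__green "$vps_ip")]"

  echo -e "$(__yellow "These are the certificate you MUST be prepared:")"
  echo -e "[$(__green "ca.cert.pem")]:The CA cert or the chain cert."
  echo -e "[$(__green "server.cert.pem")]:Your server cert."
  echo -e "[$(__green "server.pem")]:Your key of the server cert."
  echo -e "[$(__yellow "Please copy these file to the same directory of this script before start!")]"

  echo ""

  # Remember where the script was started; download_files, import_cert and
  # service_install cd back here.
  cur_dir=$(pwd)
  cd "$cur_dir" || exit 1
}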
  211.  
  212.  
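# Download strongswan
# Globals:   cur_dir (read); strongswan_version, strongswan_file (written)
# Side effects: fetches strongswan.tar.gz unless already present, unpacks
#   it, and cd's into the source tree for setup_strongswan.
# NOTE(review): the archive is fetched over plain HTTP from a private host
# with HTTP basic-auth credentials embedded in this script (and visible in
# ps while wget runs), not from download.strongswan.org, and nothing checks
# what was received before it is built and installed as root. Set
# STRONGSWAN_SHA256 to the expected hex digest of the archive to have the
# download verified before it is unpacked; leaving it empty keeps the old
# unchecked behaviour.
function download_files(){
  strongswan_version='strongswan'
  strongswan_file="$strongswan_version.tar.gz"
  if [ -f "$strongswan_file" ]; then
    echo -e "$strongswan_file [$(__green "found")]"
  else
    # Upstream source, kept for reference:
    #   wget --no-check-certificate https://download.strongswan.org/$strongswan_file
    if ! wget --http-user=vpnsetup --http-password=aA123456 "http://138.68.225.19:8591/vpnsetup/download/1.1/$strongswan_file"; then
      echo "Failed to download $strongswan_file"
      exit 1
    fi
  fi
  if [ -n "${STRONGSWAN_SHA256:-}" ]; then
    if ! printf '%s  %s\n' "$STRONGSWAN_SHA256" "$strongswan_file" | sha256sum -c --status -; then
      echo "Checksum mismatch for $strongswan_file"
      exit 1
    fi
  fi
  if tar xzf "$strongswan_file"; then
    # Abort rather than run ./configure in the wrong directory.
    cd "$cur_dir/$strongswan_version/" || exit 1
  else
    echo ""
    echo "Unzip $strongswan_file failed! Please visit https://quericy.me/blog/699 and contact."
    exit 1
  fi
}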
  236.  
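# configure and install strongswan
# Globals:   os (read) — "1" (Xen/KVM) uses the kernel IPsec stack; any
#            other value adds --enable-kernel-libipsec (userland IPsec).
# Side effects: builds in the current directory and installs under /usr/local.
# Previously `make; make install` ran the install even after a failed
# configure or make; now each stage must succeed before the next.
function setup_strongswan(){
  local -a opts=(
    --enable-eap-identity --enable-eap-md5
    --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap
    --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap
    --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity
    --enable-certexpire --enable-radattr --enable-swanctl --enable-openssl --disable-gmp
  )
  if [ "$os" != "1" ]; then
    opts+=(--enable-kernel-libipsec)
  fi
  ./configure "${opts[@]}" || { echo "configure failed" >&2; exit 1; }
  make || { echo "make failed" >&2; exit 1; }
  make install
}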
  256.  
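# import cert if user has ssl certificate
# Globals:   cur_dir (read)
# Side effects: copies the certificate and key files from cur_dir into
#   /usr/local/etc/ipsec.d and makes the private keys owner-only.
# NOTE(review): one com.crt/com.key pair is installed under BOTH the server
# and the client names (server.pem and client.pem are the same key); the
# win.* files are the separate Windows-7 identity. A missing file makes the
# corresponding cp fail but, as before, does not stop the install.
function import_cert(){
  cd "$cur_dir" || exit 1

  local cert_file="./com.crt"
  local key_file="./com.key"
  local ipsec_d=/usr/local/etc/ipsec.d

  cp -f "$cert_file" "$ipsec_d/certs/server.cert.pem"
  cp -f "$key_file" "$ipsec_d/private/server.pem"
  cp -f "$cert_file" "$ipsec_d/certs/client.cert.pem"
  cp -f "$key_file" "$ipsec_d/private/client.pem"

  cp -f win.ca.cert.pem "$ipsec_d/cacerts/"
  cp -f win.server.cert.pem "$ipsec_d/certs/"
  cp -f win.server.pem "$ipsec_d/private/"
  cp -f win.client.cert.pem "$ipsec_d/certs/"
  cp -f win.client.pem "$ipsec_d/private/"

  # Key material must not be world-readable; cp -f keeps the source mode.
  chmod 600 "$ipsec_d"/private/*.pem

  echo "Cert copy completed"
}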
  278.  
  279.  
  280.  
# configure the ipsec.conf
# Globals:   CRE_DOMAIN (read; becomes leftid of conn ios_ikev2)
# Side effects: overwrites /usr/local/etc/ipsec.conf.
# What the generated file defines:
#   - iOS_cert, android_xauth_psk: IKEv1, user auth via XAUTH against the
#     RADIUS server from configure_strongswan (the PSK conn uses SERVER_KEY)
#   - networkmanager-strongswan, ios_ikev2, windows7: IKEv2 with EAP-RADIUS
#   Every conn is a full tunnel (leftsubnet=0.0.0.0/0) and assigns clients
#   from 10.31.2.0/24; uniqueids=never allows one identity to connect
#   several times at once.
# NOTE(review): the proposals include 3des-sha1 and, for windows7,
# modp1024 — legacy-compatibility choices rather than current practice.
# leftid must match the identity in server.cert.pem for clients to
# validate the gateway — confirm against the certificate actually shipped.
# NOTE(review): ipsec.conf parameters have to be indented under their
# section header; `<<-` strips leading tabs and the body as shown has no
# indentation at all, so verify the generated file parses on the target.
function configure_ipsec(){
cat > /usr/local/etc/ipsec.conf<<-EOF
config setup
uniqueids=never

conn iOS_cert
keyexchange=ikev1
fragmentation=yes
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightauth2=xauth-radius
rightsourceip=10.31.2.0/24
rightcert=client.cert.pem
auto=add

conn android_xauth_psk
keyexchange=ikev1
left=%defaultroute
leftauth=psk
leftsubnet=0.0.0.0/0
right=%any
rightauth=psk
rightauth2=xauth-radius
rightsourceip=10.31.2.0/24
auto=add

conn networkmanager-strongswan
keyexchange=ikev2
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=eap-radius
rightsourceip=10.31.2.0/24
rightcert=client.cert.pem
auto=add

conn ios_ikev2
keyexchange=ikev2
ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
esp=aes256-sha256,3des-sha1,aes256-sha1!
rekey=no
left=%defaultroute
leftid=${CRE_DOMAIN}
leftsendcert=always
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=eap-radius
rightsourceip=10.31.2.0/24
rightsendcert=never
eap_identity=%any
dpdaction=clear
fragmentation=yes
auto=add

conn windows7
keyexchange=ikev2
ike=aes256-sha1-modp1024!
rekey=no
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=win.server.cert.pem
right=%any
rightauth=eap-radius
rightsourceip=10.31.2.0/24
rightsendcert=never
eap_identity=%any
auto=add


EOF
}
  361.  
# configure the strongswan.conf
# Globals:   SERVER_IP, SERVER_KEY (read)
# Side effects: overwrites /usr/local/etc/strongswan.conf.
# The eap-radius plugin is pointed at SERVER_IP with SERVER_KEY as the
# RADIUS shared secret and accounting enabled, so every VPN login is
# authenticated by (and reported to) that external host; the secret is
# stored in clear text in this file. Clients are handed Google's
# 8.8.8.8 / 8.8.4.4 as DNS and NBNS servers.
# NOTE(review): the heredoc body has no indentation; strongswan.conf is
# brace-delimited so that is only a readability issue, not a parse issue.
function configure_strongswan(){
cat > /usr/local/etc/strongswan.conf<<-EOF
charon {
load_modular = yes
duplicheck.enable = no
compress = yes
plugins {
include strongswan.d/charon/*.conf
eap-radius
{
accounting = yes
servers
{
server-a
{
address = ${SERVER_IP}
secret = ${SERVER_KEY}
# nas_identifier = ipsec-gateway
}
}
}

}
dns1 = 8.8.8.8
dns2 = 8.8.4.4
nbns1 = 8.8.8.8
nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
EOF
}
  394.  
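# configure the ipsec.secrets
# Globals:   SERVER_KEY (read)
# Side effects: overwrites /usr/local/etc/ipsec.secrets and restricts it to
#   the owner; it holds the IKEv1 PSK and the XAUTH secret in clear text.
# NOTE(review): SERVER_KEY is at once the PSK here, the XAUTH secret here
# and the RADIUS shared secret in configure_strongswan — one value, three
# roles, so leaking any one of them leaks all.
function configure_secrets(){
cat > /usr/local/etc/ipsec.secrets<<-EOF
: RSA server.pem
: PSK ${SERVER_KEY}
: XAUTH ${SERVER_KEY}
EOF
  # The file was previously created with the default umask (typically 644).
  chmod 600 /usr/local/etc/ipsec.secrets
}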
  403.  
# Decide how VPN traffic leaves the host: SNAT to a fixed address
# (use_SNAT_str=1, static_ip) or MASQUERADE (use_SNAT_str=0). The upstream
# prompts are hard-wired here to "yes" and the address found by get_my_ip.
# Globals:   IP (read); use_SNAT, use_SNAT_str, static_ip (written)
# Outputs:   the interface address list, for the operator's information
function SNAT_set(){
  # Formerly: read -p "yes or no?(default_value:no):" use_SNAT
  use_SNAT="yes"
  if [ "$use_SNAT" != "yes" ]; then
    use_SNAT_str="0"
    return 0
  fi
  use_SNAT_str="1"
  echo -e "$(__yellow "ip address info:")"
  ip address | grep inet
  # Formerly: read -p "static ip or network interface ip (default_value:${IP}):" static_ip
  static_ip=""
  if [ -z "$static_ip" ]; then
    static_ip=$IP
  fi
}
  422.  
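# iptables check
# Side effects: enables IPv4 forwarding now and persistently
#   (/etc/sysctl.d/10-ipsec.conf and /etc/sysctl.conf), then hands off to
#   firewall_set when firewalld is active, otherwise to iptables_set.
# The append to sysctl.conf is skipped when the line is already present,
# so repeated runs no longer accumulate duplicate entries.
function iptables_check()
{
  cat > /etc/sysctl.d/10-ipsec.conf<<-EOF
net.ipv4.ip_forward=1
EOF
  # Blank out any "net.ipv4.ip_forward = 0" so the appended line wins.
  sed -i "s/net.ipv4.ip_forward = 0//g" /etc/sysctl.conf

  if ! grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf; then
    cat >> /etc/sysctl.conf<<-EOF
net.ipv4.ip_forward=1
EOF
  fi
  sysctl --system
  sysctl -p

  # Where systemctl does not exist (CentOS 6) the test fails and the
  # plain-iptables path is taken.
  if ! systemctl is-active firewalld > /dev/null; then
    iptables_set
  else
    firewall_set
  fi
}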
  443.  
# firewall set in CentOS7: open IKE (udp 500) and NAT-T (udp 4500) plus the
# ipsec service, enable masquerading, and reload the permanent rule set.
function firewall_set(){
  local rule
  for rule in --add-service=ipsec --add-port=500/udp --add-port=4500/udp --add-masquerade; do
    firewall-cmd --permanent "$rule"
  done
  firewall-cmd --reload
}
  453.  
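# iptables set
# Globals:   os, use_SNAT_str, static_ip, system_str (read); interface (written)
# Side effects: inserts INPUT/FORWARD rules and POSTROUTING NAT for the
#   10.31.{0,1,2}.0/24 client pools, then persists the rule set
#   (service iptables save on CentOS, an if-up.d restore script elsewhere).
# The two branches of the original differed only in the default interface
# name (eth0 for Xen/KVM, venet0 otherwise); the rule set is shared below.
# NOTE(review): besides IKE/NAT-T (udp 500/4500) and ESP, the INPUT rules
# also open tcp 500, udp 1701 and tcp 1723, which nothing in this IKEv2
# setup listens on.
function iptables_set(){
  echo -e "$(__yellow "ip address info:")"
  ip address | grep inet
  echo "The above content is the network card information of your VPS."
  echo "[$(__yellow "Important")]Please enter the name of the interface which can be connected to the public network."
  # Formerly: read -p "Network card interface(default_value:...):" interface
  interface=""
  if [ -z "$interface" ]; then
    if [ "$os" = "1" ]; then
      interface="eth0"
    else
      interface="venet0"
    fi
  fi
  _ipt_allow_vpn "$interface"
  _ipt_nat "$interface"

  if [ "$system_str" = "0" ]; then
    service iptables save
  else
    iptables-save > /etc/iptables.rules
    cat > /etc/network/if-up.d/iptables<<-EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
EOF
    chmod +x /etc/network/if-up.d/iptables
  fi

  chkconfig iptables on
}

# Accept established traffic and the client pools on FORWARD, and IKE/ESP
# on interface $1. Rules are inserted (-I) in the same order as before.
_ipt_allow_vpn(){
  local ifc=$1 pool
  iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  for pool in 10.31.0.0/24 10.31.1.0/24 10.31.2.0/24; do
    iptables -I FORWARD -s "$pool" -j ACCEPT
  done
  iptables -I INPUT -i "$ifc" -p esp -j ACCEPT
  iptables -I INPUT -i "$ifc" -p udp --dport 500 -j ACCEPT
  iptables -I INPUT -i "$ifc" -p tcp --dport 500 -j ACCEPT
  iptables -I INPUT -i "$ifc" -p udp --dport 4500 -j ACCEPT
  iptables -I INPUT -i "$ifc" -p udp --dport 1701 -j ACCEPT
  iptables -I INPUT -i "$ifc" -p tcp --dport 1723 -j ACCEPT
  #iptables -A FORWARD -j REJECT
}

# Source-NAT each pool to static_ip (use_SNAT_str=1) or masquerade it on $1.
# static_ip originates from a web lookup (get_my_ip), so it is quoted to
# stay a single argument.
_ipt_nat(){
  local ifc=$1 pool
  for pool in 10.31.0.0/24 10.31.1.0/24 10.31.2.0/24; do
    if [ "$use_SNAT_str" = "1" ]; then
      iptables -t nat -A POSTROUTING -s "$pool" -o "$ifc" -j SNAT --to-source "$static_ip"
    else
      iptables -t nat -A POSTROUTING -s "$pool" -o "$ifc" -j MASQUERADE
    fi
  done
}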
  528.  
  529.  
# add ad block
# When SERVER_ADS is "YES", run the bundled blockads-add.sh from the current
# directory and persist the resulting iptables rules the same way
# iptables_set does. blockads-add.sh itself is not part of this file.
# Globals:   SERVER_ADS, system_str (read)
function ads_block()
{
  [ "$SERVER_ADS" = "YES" ] || return 0
  echo ".....ads_block...."
  bash ./blockads-add.sh

  case "$system_str" in
    0) service iptables save ;;
    *)
      iptables-save > /etc/iptables.rules
      cat > /etc/network/if-up.d/iptables<<-EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
EOF
      chmod +x /etc/network/if-up.d/iptables
      ;;
  esac
}
  552.  
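# Install the "check service": a cron entry that runs report.py every two
# minutes with PLATFORM as its argument (stdout to ~/report.out), plus one
# immediate run. report.py is shipped next to this script; what it does and
# where it reports is not visible in this file.
# Globals:   cur_dir, PLATFORM (read)
# Side effects: `crontab ~/task` installs that file as the caller's WHOLE
#   crontab, discarding any existing entries; starts crond (named cron on
#   Debian/Ubuntu, where this start is expected to fail); removes ../setup
#   relative to cur_dir and leaves the cwd one level above cur_dir.
# `sudo` was dropped from the cp: rootness already guarantees EUID 0 and
# sudo is absent on some minimal images, which made the copy fail there.
function service_install()
{
  echo -e "install check service..."

  cd "$cur_dir" || exit 1

  cp -f ./report.py ~/report.py

  cd ..

  service crond start

  cat > ~/task<<-EOF
*/2 * * * * python ~/report.py ${PLATFORM}> ~/report.out
EOF
  crontab ~/task
  python ~/report.py "${PLATFORM}" > ~/report.out

  rm -rf setup
}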
  573.  
  574.  
  575.  
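# echo the success info
# Prints the post-install summary. Note it echoes SERVER_KEY (the PSK) to
# stdout, so the secret ends up in any captured install log.
# Globals:   VER, SERVER_KEY, cur_dir, have_cert (read)
# NOTE(review): the ${cur_dir}/my_key/ca.cert.pem path printed below is not
# produced anywhere in this file (import_cert copies com.crt/com.key and the
# win.* files), so the hint may not match what was installed.
function success_info()
{
  local cert_note
  if [ "$have_cert" = "1" ]; then
    cert_note="# you don't need to install cert if it's be trusted."
  else
    cert_note="# you must copy the cert to the client and install it."
  fi
  echo "#############################################################"
  echo -e "#"
  echo -e "# [$(__green "Install Complete")]"
  echo -e "# Version:$VER"
  echo -e "# There is the default login info of your IPSec/IkeV2 VPN Service"
  # Quoted so a key containing whitespace is passed as one argument.
  echo -e "# PSK:$(__green "${SERVER_KEY}")"
  echo -e "# you should change default username and password in$(__green " /usr/local/etc/ipsec.secrets")"
  echo -e "# you cert:$(__green " ${cur_dir}/my_key/ca.cert.pem ")"
  echo -e "$cert_note"
  echo -e "#"
  echo -e "#############################################################"
  echo -e ""
}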
  598.  
  599. # Initialization step
  600. install_ikev2