  1. #!/bin/sh
  2. #------------------------------------------------------------
  3. # Please define your own values for these variables
  4. # - All values MUST be quoted using 'single quotes'
  5. # - DO NOT use these characters inside values:  \ " '
  6.  
  7. IPSEC_PSK='your_ipsec_pre_shared_key'
  8. VPN_USER='your_vpn_username'
  9. VPN_PASSWORD='your_very_secure_password'
  10.  
  11. # ------------------------------------------------------------
  12.  
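# Pre-flight checks. This script rewrites system-wide configuration
# (ipsec, xl2tpd, ppp, sysctl, iptables, rc.local), so refuse to run
# anywhere other than a dedicated CentOS/RHEL 6/7 x86_64 host, as root.
if [ "$(uname)" = "Darwin" ]; then
  echo 'DO NOT run this script on your Mac! It should only be run on a dedicated server / VPS'
  echo 'or a newly-created EC2 instance, after you have modified it to set the variables above.'
  exit 1
fi

if [ ! -f /etc/redhat-release ]; then
  echo "Looks like you aren't running this script on a CentOS/RHEL system."
  exit 1
fi

if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then
  echo "This script only supports versions 6 and 7 of CentOS/RHEL."
  exit 1
fi

if [ "$(uname -m)" != "x86_64" ]; then
  echo "This script only supports 64-bit CentOS/RHEL."
  exit 1
fi

# OpenVZ containers expose /proc/user_beancounters; they share the host
# kernel and cannot provide the IPsec (netkey) stack used below.
if [ -f "/proc/user_beancounters" ]; then
  echo "This script does NOT support OpenVZ VPS."
  echo "Try Nyr's OpenVPN script: https://github.com/Nyr/openvpn-install"
  exit 1
fi

if [ "$(id -u)" != 0 ]; then
  echo "Sorry, you need to run this script as root."
  exit 1
fi

# The sysctl keys and iptables rules written later are hard-wired to eth0/eth+.
if [ ! -f /sys/class/net/eth0/operstate ]; then
  echo "Network interface 'eth0' is not available. Aborting."
  echo
  echo "CentOS 7 users should change interfaces to use old naming convention"
  echo "before running this script. See: https://wiki.centos.org/FAQ/CentOS7"
  exit 1
fi

if [ -z "$IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
  echo "VPN credentials cannot be empty, please edit the VPN script."
  exit 1
fi

# The placeholder values shipped at the top of the script would otherwise be
# accepted and deployed as the live PSK and login, leaving the VPN usable by
# anyone who has read this script.
if [ "$IPSEC_PSK" = "your_ipsec_pre_shared_key" ] \
  || [ "$VPN_USER" = "your_vpn_username" ] \
  || [ "$VPN_PASSWORD" = "your_very_secure_password" ]; then
  echo "VPN credentials must be changed from the default placeholder values, please edit the VPN script."
  exit 1
fi

# Enforce the character restriction stated in the header: these three
# characters are written unescaped into ipsec.secrets and chap-secrets and
# would corrupt the quoting in those files.
case "$IPSEC_PSK$VPN_USER$VPN_PASSWORD" in
  *\\*|*\"*|*\'*)
    echo "VPN credentials must not contain backslash, double-quote or single-quote characters."
    exit 1
    ;;
esac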
  57.  
  58. # Create and change to working dir
  59. mkdir -p /opt/src
  60. cd /opt/src || { echo "Failed to change working directory to /opt/src. Aborting."; exit 1; }
  61.  
  62. # Install Wget and dig (bind-utils)
  63. yum -y install wget bind-utils
  64.  
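echo
echo 'Please wait... Trying to find Public/Private IP of this server.'
echo
echo 'If the script hangs here for more than a few minutes, press Ctrl-C to interrupt,'
echo 'then edit and comment out the next two lines PUBLIC_IP= and PRIVATE_IP=, or replace'
echo 'them with actual IPs. If your server only has a public IP, put it on both lines.'
echo

# In Amazon EC2, these two variables will be found automatically.
# For all other servers, you may replace them with the actual IPs,
# or comment out and let the script auto-detect in the next section.
# If your server only has a public IP, put it on both lines.
# (The link-local metadata address only answers inside EC2; elsewhere the
# requests fail after the retries/timeouts below and leave the variables empty.)
PUBLIC_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4')
PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4')

# Attempt to find server IPs for non-EC2 servers
# The public address is asked of third-party services, two of them over
# plain HTTP, so whatever comes back is untrusted input and is validated
# below before use. Each fallback only runs if the previous one returned nothing.
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipecho.net/plain)
# Source address of the default route = last field of the first output line.
# NOTE(review): newer iproute2 releases append "uid N" to that line, which
# would make this yield "0"; fine on CentOS 6/7 but confirm if ported.
[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')

# Check IPs for correct format
# This is the trust boundary for the values fetched above: PUBLIC_IP and
# PRIVATE_IP are interpolated verbatim into ipsec.conf, ipsec.secrets and
# the iptables SNAT rule below, so anything that is not exactly one IPv4
# address must abort here rather than end up in those files.
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
NEWLINE='
'
# is_valid_ipv4 VALUE -> 0 if VALUE is a single dotted-quad IPv4 address.
# grep matches line by line, so a multi-line answer (an HTML error page or a
# multi-record dig reply) containing one IP-looking line would have passed a
# bare grep; reject any value that contains a newline first.
is_valid_ipv4() {
  case $1 in
    *"$NEWLINE"*) return 1 ;;
  esac
  printf %s "$1" | grep -Eq "$IP_REGEX"
}
if ! is_valid_ipv4 "$PUBLIC_IP"; then
  echo "Cannot find valid Public IP, please edit the VPN script manually."
  exit 1
fi
if ! is_valid_ipv4 "$PRIVATE_IP"; then
  echo "Cannot find valid Private IP, please edit the VPN script manually."
  exit 1
fi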
  97.  
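# Add the EPEL repository (xl2tpd and fail2ban are installed from it below).
# Prefer the distribution's own signed 'epel-release' package (CentOS ships
# it in the 'extras' repository, verified by the already-trusted CentOS key);
# only fall back to downloading the RPM directly when that is unavailable
# (e.g. RHEL). The directly fetched RPM is installed without a signature
# check, so at least request it over HTTPS rather than plain HTTP.
yum -y install epel-release >/dev/null 2>&1
if [ ! -f /etc/yum.repos.d/epel.repo ]; then
  if grep -qs "release 6" /etc/redhat-release; then
    EPEL_RPM="epel-release-6-8.noarch.rpm"
    EPEL_URL="https://download.fedoraproject.org/pub/epel/6/x86_64/$EPEL_RPM"
  elif grep -qs "release 7" /etc/redhat-release; then
    EPEL_RPM="epel-release-7-5.noarch.rpm"
    EPEL_URL="https://download.fedoraproject.org/pub/epel/7/x86_64/e/$EPEL_RPM"
  fi
  # NOTE: the release numbers are pinned; when EPEL publishes a newer
  # epel-release build the old file disappears from the mirrors and this
  # download fails.
  wget -t 3 -T 30 -nv -O "$EPEL_RPM" "$EPEL_URL"
  # wget -O creates the output file before the transfer starts, so a failed
  # download leaves a 0-byte file behind: test for non-empty (-s), not -f.
  [ ! -s "$EPEL_RPM" ] && { /bin/rm -f "$EPEL_RPM"; echo "Cannot retrieve EPEL repo RPM file. Aborting."; exit 1; }
  rpm -ivh --force "$EPEL_RPM" && /bin/rm -f "$EPEL_RPM"
fi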
  109.  
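# Install necessary packages: build dependencies for Libreswan (compiled from
# source below) plus the L2TP and PPP daemons.
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
    libcap-ng-devel libselinux-devel \
    curl-devel gmp gmp-devel flex bison gcc make \
    fipscheck-devel unbound-devel xmlto
yum -y install ppp xl2tpd
# NOTE(review): /usr/bin/certutil is invoked near the end of this script to
# initialise the NSS database; on CentOS it is shipped in nss-tools, which
# is not listed here. Confirm it is present on a minimal install.

# Install Fail2Ban to protect SSH server (the iptables rules below open
# port 22 to the world, so this is the only brute-force defence for SSH).
yum -y install fail2ban

# Install IP6Tables for CentOS/RHEL 6
if grep -qs "release 6" /etc/redhat-release; then
  yum -y install iptables-ipv6
fi

# Install Libevent2. Use backported version for CentOS 6.
# These RPMs are fetched over HTTPS from the Libreswan project, but no GPG
# key for them is imported, so rpm can only warn (NOKEY) rather than reject
# a tampered package; the TLS transport is the effective integrity check.
if grep -qs "release 6" /etc/redhat-release; then
  LE2_URL="https://download.libreswan.org/binaries/rhel/6/x86_64"
  RPM1="libevent2-2.0.22-1.el6.x86_64.rpm"
  RPM2="libevent2-devel-2.0.22-1.el6.x86_64.rpm"
  wget -t 3 -T 30 -nv -O "$RPM1" "$LE2_URL/$RPM1"
  wget -t 3 -T 30 -nv -O "$RPM2" "$LE2_URL/$RPM2"
  # wget -O creates the output file even when the download fails, so an
  # existence test (-f) passes on a 0-byte file; require non-empty (-s).
  if [ ! -s "$RPM1" ] || [ ! -s "$RPM2" ]; then
    /bin/rm -f "$RPM1" "$RPM2"
    echo "Cannot retrieve Libevent2 RPM file(s). Aborting."
    exit 1
  fi
  rpm -ivh --force "$RPM1" "$RPM2" && /bin/rm -f "$RPM1" "$RPM2"
elif grep -qs "release 7" /etc/redhat-release; then
  yum -y install libevent-devel
fi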
  137.  
  138. # Compile and install Libreswan
  139. SWAN_VER=3.16
  140. SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
  141. SWAN_URL="https://download.libreswan.org/${SWAN_FILE}"
  142. wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
  143. [ ! -f "$SWAN_FILE" ] && { echo "Cannot retrieve Libreswan source file. Aborting."; exit 1; }
  144. /bin/rm -rf "/opt/src/libreswan-${SWAN_VER}"
  145. tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
  146. cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; }
  147. make programs && make install
  148.  
  149. # Check if the install was successful
  150. /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "${SWAN_VER}"
  151. [ "$?" != "0" ] && { echo "Sorry, Libreswan ${SWAN_VER} failed to compile or install. Aborting."; exit 1; }
  152.  
  153. # Prepare various config files
  154. # Create IPsec (Libreswan) configuration
  155. SYS_DT="$(/bin/date +%Y-%m-%d-%H:%M:%S)"
  156. /bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-${SYS_DT}" 2>/dev/null
  157. cat > /etc/ipsec.conf <<EOF
  158. version 2.0
  159. config setup
  160.   dumpdir=/var/run/pluto/
  161.   nat_traversal=yes
  162.   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
  163.   oe=off
  164.   protostack=netkey
  165.   nhelpers=0
  166.   interfaces=%defaultroute
  167. conn vpnpsk
  168.   connaddrfamily=ipv4
  169.   auto=add
  170.   left=$PRIVATE_IP
  171.   leftid=$PUBLIC_IP
  172.   leftsubnet=$PRIVATE_IP/32
  173.   leftnexthop=%defaultroute
  174.   leftprotoport=17/1701
  175.   rightprotoport=17/%any
  176.   right=%any
  177.   rightsubnetwithin=0.0.0.0/0
  178.   forceencaps=yes
  179.   authby=secret
  180.   pfs=no
  181.   type=transport
  182.   auth=esp
  183.   ike=3des-sha1,aes-sha1
  184.   phase2alg=3des-sha1,aes-sha1
  185.   rekey=no
  186.   keyingtries=5
  187.   dpddelay=30
  188.   dpdtimeout=120
  189.   dpdaction=clear
  190. EOF
  191.  
  192. # Specify IPsec PSK
  193. /bin/cp -f /etc/ipsec.secrets "/etc/ipsec.secrets.old-${SYS_DT}" 2>/dev/null
  194. cat > /etc/ipsec.secrets <<EOF
  195. $PUBLIC_IP  %any  : PSK "$IPSEC_PSK"
  196. EOF
  197.  
  198. # Create xl2tpd config
  199. /bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-${SYS_DT}" 2>/dev/null
  200. cat > /etc/xl2tpd/xl2tpd.conf <<EOF
  201. [global]
  202. port = 1701
  203. ;debug avp = yes
  204. ;debug network = yes
  205. ;debug state = yes
  206. ;debug tunnel = yes
  207. [lns default]
  208. ip range = 192.168.42.10-192.168.42.250
  209. local ip = 192.168.42.1
  210. require chap = yes
  211. refuse pap = yes
  212. require authentication = yes
  213. name = l2tpd
  214. ;ppp debug = yes
  215. pppoptfile = /etc/ppp/options.xl2tpd
  216. length bit = yes
  217. EOF
  218.  
  219. # Specify xl2tpd options
  220. /bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-${SYS_DT}" 2>/dev/null
  221. cat > /etc/ppp/options.xl2tpd <<EOF
  222. ipcp-accept-local
  223. ipcp-accept-remote
  224. ms-dns 8.8.8.8
  225. ms-dns 8.8.4.4
  226. noccp
  227. auth
  228. crtscts
  229. idle 1800
  230. mtu 1280
  231. mru 1280
  232. lock
  233. lcp-echo-failure 10
  234. lcp-echo-interval 60
  235. connect-delay 5000
  236. EOF
  237.  
  238. # Create VPN credentials
  239. /bin/cp -f /etc/ppp/chap-secrets "/etc/ppp/chap-secrets.old-${SYS_DT}" 2>/dev/null
  240. cat > /etc/ppp/chap-secrets <<EOF
  241. # Secrets for authentication using CHAP
  242. # client  server  secret  IP addresses
  243. "$VPN_USER" l2tpd "$VPN_PASSWORD" *
  244. EOF
  245.  
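# Update sysctl settings for VPN and performance
# The guard looks for the marker "hwdsl2 VPN script", but the original
# heredoc never contained that text, so every rerun appended another copy
# of these settings. The first comment line written below now carries the
# marker, which makes this block idempotent.
# Security-relevant keys:
# - ip_forward=1 is required to route VPN clients to the internet.
# - accept_source_route / accept_redirects / send_redirects = 0 are standard
#   hardening for a router.
# - rp_filter=0 switches off reverse-path (anti-spoofing) filtering on every
#   interface. NOTE(review): presumably needed for the ppp/eth asymmetric
#   paths; the loose mode (2) may be sufficient - test before tightening.
# The kernel.* and net.core/tcp_* keys are throughput tuning only.
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
/bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-${SYS_DT}" 2>/dev/null
cat >> /etc/sysctl.conf <<EOF
# Added by hwdsl2 VPN script
# Modify Kernel variables for stability
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
EOF
fi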
  277.  
# Create basic IPTables rules. First check if there are existing IPTables rules loaded.
# 1. If IPTables is "empty", write out the new set of rules below.
# 2. If *not* empty, insert new rules and save them together with existing ones.
# "VPN_RULES" in the saved file is the marker that prevents this block from
# running twice. fail2ban is stopped first, presumably so that its own
# chains neither make the ruleset look non-empty nor get persisted by the
# iptables-save in the second branch.
# What the fresh ruleset does:
# - INPUT: accept loopback, established/related flows, DHCP (67:68/udp,
#   unconditionally), SSH on 22/tcp from anywhere (fail2ban is the only
#   brute-force defence), IKE 500/4500/udp, and L2TP 1701/udp ONLY when the
#   packet arrived inside IPsec (-m policy --pol ipsec); any other 1701 and
#   everything else is dropped.
# - FORWARD: VPN clients (ppp+) may reach the outside (eth+); the reverse
#   direction is limited to established/related flows; client-to-client
#   traffic stays disabled unless the commented rule is enabled.
# - ICMPALL: fragments dropped, only echo/unreachable/quench/time-exceeded
#   allowed.
# - nat: the 192.168.42.0/24 pool is SNATed to PRIVATE_IP (not MASQUERADE).
# The "${PRIVATE_IP}" quotes end up literally in the saved file; presumably
# iptables-restore's tokenizer accepts them, as the script relies on it.
if ! grep -qs "VPN_RULES" /etc/sysconfig/iptables; then
/bin/cp -f /etc/sysconfig/iptables "/etc/sysconfig/iptables.old-${SYS_DT}" 2>/dev/null
/sbin/service fail2ban stop >/dev/null 2>&1
# A ruleset is "empty" when iptables-save prints no rule lines (lines starting with '-').
if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ]; then
cat > /etc/sysconfig/iptables <<EOF
# VPN_RULES
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ICMPALL - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -p icmp --icmp-type 255 -j ICMPALL
-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth+ -j ACCEPT
# If you wish to allow traffic between VPN clients themselves, uncomment this line:
# -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
-A FORWARD -j DROP
-A ICMPALL -p icmp -f -j DROP
-A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
-A ICMPALL -p icmp -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}"
COMMIT
EOF

else

# Existing rules are kept: the VPN rules are inserted at the top of INPUT and
# FORWARD so they take effect before whatever is already there, the FORWARD
# default-drop is appended last, and the combined live ruleset is then saved.
iptables -I INPUT 1 -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -I INPUT 2 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I INPUT 3 -p udp --dport 1701 -j DROP
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
# iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}"

# The header line carries the VPN_RULES marker for the rerun guard above.
echo "# Modified by VPN_RULES_SCRIPT" > /etc/sysconfig/iptables
/sbin/iptables-save >> /etc/sysconfig/iptables
fi
fi
  341.  
# Create basic IP6Tables (IPv6) rules
# The VPN itself is IPv4-only (connaddrfamily=ipv4 above); this just locks
# down the host's IPv6 side: loopback, established flows, link-local
# sources (fe80::/10, presumably to keep neighbour discovery working) and
# all ICMPv6 are accepted, type-0 routing headers are dropped, everything
# else inbound is dropped, and nothing is forwarded (FORWARD policy DROP).
# NOTE(review): accepting every protocol from fe80::/10 is broader than
# needed; limiting it to ICMPv6 would be tighter.
# "VPN_RULES" is the marker that prevents this block from running twice.
if ! grep -qs "VPN_RULES" /etc/sysconfig/ip6tables; then
/bin/cp -f /etc/sysconfig/ip6tables "/etc/sysconfig/ip6tables.old-${SYS_DT}" 2>/dev/null
cat > /etc/sysconfig/ip6tables <<EOF
# Added by VPN_RULES
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
fi
  360.  
# Create basic Fail2Ban rules if not already exist
# Only written when no jail.local exists, so an administrator's own jail
# configuration is never overwritten. The jail bans an address for 600 s
# after 5 failed SSH logins within 600 s, reading /var/log/secure; only
# loopback is exempt. NOTE(review): this is the 0.8-style jail with an
# explicit iptables action; newer fail2ban releases in EPEL ship their own
# [sshd] jail - confirm this definition is still honoured on the installed
# version.
if [ ! -f /etc/fail2ban/jail.local ] ; then
cat > /etc/fail2ban/jail.local <<EOF
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
findtime  = 600
maxretry = 5
backend = auto
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/secure
EOF
fi
  377.  
# Update rc.local to start services at boot
# None of the services are enabled with chkconfig/systemctl; the firewall
# rules and the three daemons are brought up from rc.local instead, which
# CentOS 7 only runs when the file is executable (hence the chmod +x later
# in this script). The ip_forward echo duplicates the sysctl setting as a
# belt-and-braces measure. "VPN_RULES" is the marker for the rerun guard.
if ! grep -qs "VPN_RULES" /etc/rc.local; then
/bin/cp -f /etc/rc.local "/etc/rc.local.old-${SYS_DT}" 2>/dev/null
cat >> /etc/rc.local <<EOF
# Added by VPN_RULES_SCRIPT
/sbin/iptables-restore < /etc/sysconfig/iptables
/sbin/ip6tables-restore < /etc/sysconfig/ip6tables
/sbin/service fail2ban restart
/sbin/service ipsec start
/sbin/service xl2tpd start
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
fi
  391.  
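# Initialize Libreswan DB
# Pluto needs an NSS database in /etc/ipsec.d; it is created once, with an
# empty password (certutil reads the password from a file, so it is handed a
# file containing just a newline).
# The password file is created with mktemp: the original fixed name
# /var/tmp/libreswan-nss-pwd lives in a world-writable directory, where a
# local user could pre-create it or plant a symlink that the root 'echo >'
# would follow and truncate. mktemp creates the file atomically, mode 0600.
if [ ! -f /etc/ipsec.d/cert8.db ] ; then
   NSS_PWD_FILE=$(mktemp) || { echo "Cannot create temporary file for NSS password. Aborting."; exit 1; }
   echo > "$NSS_PWD_FILE"
   /usr/bin/certutil -N -f "$NSS_PWD_FILE" -d /etc/ipsec.d
   /bin/rm -f "$NSS_PWD_FILE"
fi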
  398.  
  399. # Restore SELinux contexts
  400. /sbin/restorecon /etc/ipsec.d/*db 2>/dev/null
  401. /sbin/restorecon /usr/local/sbin -Rv 2>/dev/null
  402. /sbin/restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
  403.  
  404. # Reload sysctl.conf
  405. /sbin/sysctl -p
  406.  
  407. # Update file attributes
  408. /bin/chmod +x /etc/rc.local
  409. /bin/chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets*
  410.  
  411. # Apply new IPTables rules
  412. /sbin/iptables-restore < /etc/sysconfig/iptables
  413. /sbin/ip6tables-restore < /etc/sysconfig/ip6tables
  414.  
  415. # Restart services
  416. /sbin/service fail2ban stop >/dev/null 2>&1
  417. /sbin/service ipsec stop >/dev/null 2>&1
  418. /sbin/service xl2tpd stop >/dev/null 2>&1
  419. /sbin/service fail2ban start
  420. /sbin/service ipsec start
  421. /sbin/service xl2tpd start