  1. #!/bin/sh
  2. #------------------------------------------------------------
  3. # Please define your own values for these variables
  4. # - All values MUST be quoted using 'single quotes'
  5. # - DO NOT use these characters inside values:  \ " '
  6.  
  7. IPSEC_PSK='your_ipsec_pre_shared_key'
  8. VPN_USER='your_vpn_username'
  9. VPN_PASSWORD='your_very_secure_password'
  10.  
  11. # Be sure to read *important notes* at the URL below:
  12. # https://github.com/hwdsl2/setup-ipsec-vpn#important-notes
  13.  
  14. # ------------------------------------------------------------
  15.  
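# Pre-flight checks. Each one aborts with a short explanation; the script
# rewrites system-wide config, so it refuses to run anywhere unexpected.
if [ "$(uname)" = "Darwin" ]; then
  echo 'DO NOT run this script on your Mac! It should only be run on a dedicated server / VPS'
  echo 'or a newly-created EC2 instance, after you have modified it to set the variables above.'
  exit 1
fi

if [ ! -f /etc/redhat-release ]; then
  echo "Looks like you aren't running this script on a CentOS/RHEL system."
  exit 1
fi

if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then
  echo "This script only supports versions 6 and 7 of CentOS/RHEL."
  exit 1
fi

if [ "$(uname -m)" != "x86_64" ]; then
  echo "This script only supports 64-bit CentOS/RHEL."
  exit 1
fi

# /proc/user_beancounters only exists inside an OpenVZ container
if [ -f "/proc/user_beancounters" ]; then
  echo "This script does NOT support OpenVZ VPS."
  echo "Try Nyr's OpenVPN script: https://github.com/Nyr/openvpn-install"
  exit 1
fi

if [ "$(id -u)" != 0 ]; then
  echo "Sorry, you need to run this script as root."
  exit 1
fi

# Later sysctl and iptables settings reference "eth0" by name
if [ ! -f /sys/class/net/eth0/operstate ]; then
  echo "Network interface 'eth0' is not available. Aborting."
  echo
  echo "CentOS 7 users should change interfaces to use old naming convention"
  echo "before running this script. See: https://wiki.centos.org/FAQ/CentOS7"
  exit 1
fi

if [ -z "$IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
  echo "VPN credentials cannot be empty, please edit the VPN script."
  exit 1
fi

# The header forbids  \ " '  in the credentials but nothing enforced it.
# Any of these characters would corrupt the quoted entries written to
# ipsec.secrets and chap-secrets below, so reject them up front.
case "$IPSEC_PSK$VPN_USER$VPN_PASSWORD" in
  *'\'*|*'"'*|*"'"*)
    echo "VPN credentials must not contain backslash, double-quote or single-quote characters."
    exit 1
    ;;
esac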
  60.  
  61. # Create and change to working dir
  62. mkdir -p /opt/src
  63. cd /opt/src || { echo "Failed to change working directory to /opt/src. Aborting."; exit 1; }
  64.  
  65. # Install Wget and dig (bind-utils)
  66. yum -y install wget bind-utils
  67.  
  68. echo
  69. echo 'Please wait... Trying to find Public/Private IP of this server.'
  70. echo
  71. echo 'If the script hangs here for more than a few minutes, press Ctrl-C to interrupt,'
  72. echo 'then edit and comment out the next two lines PUBLIC_IP= and PRIVATE_IP=, or replace'
  73. echo 'them with actual IPs. If your server only has a public IP, put it on both lines.'
  74. echo
  75.  
  76. # In Amazon EC2, these two variables will be found automatically.
  77. # For all other servers, you may replace them with the actual IPs,
  78. # or comment out and let the script auto-detect in the next section.
  79. # If your server only has a public IP, put it on both lines.
  80. PUBLIC_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4')
  81. PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4')
  82.  
  83. # Attempt to find server IPs for non-EC2 servers
  84. [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
  85. [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
  86. [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipecho.net/plain)
  87. [ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
  88. [ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
  89.  
  90. # Check IPs for correct format
  91. IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
# Refuse to continue unless both addresses are bare dotted-quads; they are
# interpolated into ipsec.conf, ipsec.secrets and the iptables rules below.
printf '%s' "$PUBLIC_IP" | grep -Eq "$IP_REGEX" || {
  echo "Cannot find valid Public IP, please edit the VPN script manually."
  exit 1
}
printf '%s' "$PRIVATE_IP" | grep -Eq "$IP_REGEX" || {
  echo "Cannot find valid Private IP, please edit the VPN script manually."
  exit 1
}
  100.  
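# Add the EPEL repository
# NOTE(review): the RPM is fetched over plain HTTP and installed with
# --force; nothing on this host verifies its signature at this point, so
# treat this as an unauthenticated download.
if grep -qs "release 6" /etc/redhat-release; then
  EPEL_RPM="epel-release-6-8.noarch.rpm"
  EPEL_URL="http://download.fedoraproject.org/pub/epel/6/x86_64/$EPEL_RPM"
elif grep -qs "release 7" /etc/redhat-release; then
  EPEL_RPM="epel-release-7-5.noarch.rpm"
  EPEL_URL="http://download.fedoraproject.org/pub/epel/7/x86_64/e/$EPEL_RPM"
else
  echo "Unsupported CentOS/RHEL release, cannot select an EPEL RPM. Aborting."
  exit 1
fi
# "wget -O" creates the output file before the transfer starts, so a failed
# download still leaves a (possibly empty) file behind and an existence test
# would pass. Require a successful exit status and a non-empty file instead.
if ! wget -t 3 -T 30 -nv -O "$EPEL_RPM" "$EPEL_URL" || [ ! -s "$EPEL_RPM" ]; then
  /bin/rm -f "$EPEL_RPM"
  echo "Cannot retrieve EPEL repo RPM file. Aborting."
  exit 1
fi
rpm -ivh --force "$EPEL_RPM" && /bin/rm -f "$EPEL_RPM"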
  112.  
# Install necessary packages: Libreswan build dependencies first, then the
# L2TP daemon and pppd from the distro repositories.
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
    libcap-ng-devel libselinux-devel \
    curl-devel gmp-devel flex bison gcc make \
    fipscheck-devel unbound-devel gmp gmp-devel xmlto
yum -y install ppp xl2tpd

# Fail2Ban: brute-force protection for the SSH server (its jail is written further down)
yum -y install fail2ban

# CentOS/RHEL 6 ships IPv6 packet filtering as a separate package
grep -qs "release 6" /etc/redhat-release && yum -y install iptables-ipv6
  127.  
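# Install Libevent2. Use backported version for CentOS 6.
if grep -qs "release 6" /etc/redhat-release; then
  LE2_URL="https://download.libreswan.org/binaries/rhel/6/x86_64"
  RPM1="libevent2-2.0.22-1.el6.x86_64.rpm"
  RPM2="libevent2-devel-2.0.22-1.el6.x86_64.rpm"
  # "wget -O" creates the target before the transfer, so [ -f ] cannot detect
  # a failed download; require a successful exit status and a non-empty file
  # for both RPMs. (TLS is the only integrity check on these binaries.)
  if ! wget -t 3 -T 30 -nv -O "$RPM1" "$LE2_URL/$RPM1" || [ ! -s "$RPM1" ] \
     || ! wget -t 3 -T 30 -nv -O "$RPM2" "$LE2_URL/$RPM2" || [ ! -s "$RPM2" ]; then
    /bin/rm -f "$RPM1" "$RPM2"
    echo "Cannot retrieve Libevent2 RPM file(s). Aborting."
    exit 1
  fi
  rpm -ivh --force "$RPM1" "$RPM2" && /bin/rm -f "$RPM1" "$RPM2"
elif grep -qs "release 7" /etc/redhat-release; then
  yum -y install libevent-devel
fi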
  140.  
  141. # Compile and install Libreswan
  142. SWAN_VER=3.16
  143. SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
  144. SWAN_URL="https://download.libreswan.org/${SWAN_FILE}"
  145. wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
  146. [ ! -f "$SWAN_FILE" ] && { echo "Cannot retrieve Libreswan source file. Aborting."; exit 1; }
  147. /bin/rm -rf "/opt/src/libreswan-${SWAN_VER}"
  148. tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
  149. cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; }
  150. make programs && make install
  151.  
  152. # Check if the install was successful
  153. /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "${SWAN_VER}"
  154. [ "$?" != "0" ] && { echo "Sorry, Libreswan ${SWAN_VER} failed to compile or install. Aborting."; exit 1; }
  155.  
  156. # Prepare various config files
  157. # Create IPsec (Libreswan) configuration
  158. SYS_DT="$(/bin/date +%Y-%m-%d-%H:%M:%S)"
  159. /bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-${SYS_DT}" 2>/dev/null
  160. cat > /etc/ipsec.conf <<EOF
  161. version 2.0
  162. config setup
  163.   dumpdir=/var/run/pluto/
  164.   nat_traversal=yes
  165.   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
  166.   oe=off
  167.   protostack=netkey
  168.   nhelpers=0
  169.   interfaces=%defaultroute
  170. conn vpnpsk
  171.   connaddrfamily=ipv4
  172.   auto=add
  173.   left=$PRIVATE_IP
  174.   leftid=$PUBLIC_IP
  175.   leftsubnet=$PRIVATE_IP/32
  176.   leftnexthop=%defaultroute
  177.   leftprotoport=17/1701
  178.   rightprotoport=17/%any
  179.   right=%any
  180.   rightsubnetwithin=0.0.0.0/0
  181.   forceencaps=yes
  182.   authby=secret
  183.   pfs=no
  184.   type=transport
  185.   auth=esp
  186.   ike=3des-sha1,aes-sha1
  187.   phase2alg=3des-sha1,aes-sha1
  188.   rekey=no
  189.   keyingtries=5
  190.   dpddelay=30
  191.   dpdtimeout=120
  192.   dpdaction=clear
  193. EOF
  194.  
  195. # Specify IPsec PSK
  196. /bin/cp -f /etc/ipsec.secrets "/etc/ipsec.secrets.old-${SYS_DT}" 2>/dev/null
  197. cat > /etc/ipsec.secrets <<EOF
  198. $PUBLIC_IP  %any  : PSK "$IPSEC_PSK"
  199. EOF
  200.  
  201. # Create xl2tpd config
  202. /bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-${SYS_DT}" 2>/dev/null
  203. cat > /etc/xl2tpd/xl2tpd.conf <<EOF
  204. [global]
  205. port = 1701
  206. ;debug avp = yes
  207. ;debug network = yes
  208. ;debug state = yes
  209. ;debug tunnel = yes
  210. [lns default]
  211. ip range = 192.168.42.10-192.168.42.250
  212. local ip = 192.168.42.1
  213. require chap = yes
  214. refuse pap = yes
  215. require authentication = yes
  216. name = l2tpd
  217. ;ppp debug = yes
  218. pppoptfile = /etc/ppp/options.xl2tpd
  219. length bit = yes
  220. EOF
  221.  
  222. # Specify xl2tpd options
  223. /bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-${SYS_DT}" 2>/dev/null
  224. cat > /etc/ppp/options.xl2tpd <<EOF
  225. ipcp-accept-local
  226. ipcp-accept-remote
  227. ms-dns 8.8.8.8
  228. ms-dns 8.8.4.4
  229. noccp
  230. auth
  231. crtscts
  232. idle 1800
  233. mtu 1280
  234. mru 1280
  235. lock
  236. lcp-echo-failure 10
  237. lcp-echo-interval 60
  238. connect-delay 5000
  239. EOF
  240.  
  241. # Create VPN credentials
  242. /bin/cp -f /etc/ppp/chap-secrets "/etc/ppp/chap-secrets.old-${SYS_DT}" 2>/dev/null
  243. cat > /etc/ppp/chap-secrets <<EOF
  244. # Secrets for authentication using CHAP
  245. # client  server  secret  IP addresses
  246. "$VPN_USER" l2tpd "$VPN_PASSWORD" *
  247. EOF
  248.  
# Update sysctl settings for VPN and performance
# The "hwdsl2 VPN script" marker keeps this append idempotent across re-runs.
# net.ipv4.ip_forward=1 is what lets client traffic be routed out of the box.
# NOTE(review): rp_filter is set to 0 on all/default/lo/eth0, presumably for
# the VPN's routing; reverse-path filtering is an anti-spoofing control, so
# do not copy this setting to hosts that are not VPN gateways.
# Source-route and ICMP-redirect acceptance are disabled, syncookies enabled.
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
/bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-${SYS_DT}" 2>/dev/null
cat >> /etc/sysctl.conf <<EOF
# Modify Kernel variables for stability
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
EOF
fi
  280.  
# Create basic IPTables rules. First check if there are existing IPTables rules loaded.
# 1. If IPTables is "empty", write out the new set of rules below.
# 2. If *not* empty, insert new rules and save them together with existing ones.
# The "VPN_RULES" marker in the saved file makes this step idempotent.
if ! grep -qs "VPN_RULES" /etc/sysconfig/iptables; then
/bin/cp -f /etc/sysconfig/iptables "/etc/sysconfig/iptables.old-${SYS_DT}" 2>/dev/null
# Stop fail2ban first so its dynamic chains are not captured by iptables-save below.
/sbin/service fail2ban stop >/dev/null 2>&1
# "Empty" means iptables-save prints no rule lines (lines beginning with "-").
if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ]; then
# Fresh ruleset. INPUT accepts: established/related, loopback, DHCP (udp 67-68),
# SSH on tcp/22 from anywhere, IKE/NAT-T on udp/500,4500, and L2TP (udp/1701)
# only when it arrives inside an IPsec policy - bare 1701 is dropped, as is
# everything else. FORWARD only allows ppp+ <-> eth+ traffic. The nat table
# SNATs the client pool to ${PRIVATE_IP}, which is expanded in this heredoc
# (hence the earlier IP_REGEX validation).
cat > /etc/sysconfig/iptables <<EOF
# VPN_RULES
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ICMPALL - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -p icmp --icmp-type 255 -j ICMPALL
-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth+ -j ACCEPT
# If you wish to allow traffic between VPN clients themselves, uncomment this line:
# -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
-A FORWARD -j DROP
-A ICMPALL -p icmp -f -j DROP
-A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
-A ICMPALL -p icmp -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}"
COMMIT
EOF

else

# Existing rules are kept. The VPN rules are inserted at the top of INPUT and
# FORWARD (positions 1-3) so they take precedence over whatever is already
# there; only the final FORWARD drop is appended. Then the live ruleset is
# persisted so it survives a reboot via rc.local.
iptables -I INPUT 1 -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -I INPUT 2 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I INPUT 3 -p udp --dport 1701 -j DROP
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
# iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}"

# The header line doubles as the "VPN_RULES" idempotency marker checked above.
echo "# Modified by VPN_RULES_SCRIPT" > /etc/sysconfig/iptables
/sbin/iptables-save >> /etc/sysconfig/iptables
fi
fi
  344.  
# Create basic IP6Tables (IPv6) rules
# Inbound IPv6: loopback, established/related, link-local sources (fe80::/10)
# and ICMPv6 are accepted; routing-header type 0 and everything else is
# dropped. FORWARD policy is DROP, so no IPv6 is routed for VPN clients.
# Idempotent via the "VPN_RULES" marker.
if ! grep -qs "VPN_RULES" /etc/sysconfig/ip6tables; then
/bin/cp -f /etc/sysconfig/ip6tables "/etc/sysconfig/ip6tables.old-${SYS_DT}" 2>/dev/null
cat > /etc/sysconfig/ip6tables <<EOF
# Added by VPN_RULES
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
fi
  363.  
# Create a baseline Fail2Ban jail for sshd (5 failures within 600 s -> 600 s ban),
# but only if the admin has not already written their own jail.local.
[ -f /etc/fail2ban/jail.local ] || cat > /etc/fail2ban/jail.local <<EOF
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
findtime  = 600
maxretry = 5
backend = auto
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/secure
EOF
  380.  
# Update rc.local to start services at boot
# Restores both firewall rulesets, restarts fail2ban, starts ipsec and xl2tpd,
# and re-enables forwarding. The "VPN_RULES" marker keeps the append idempotent;
# rc.local is made executable near the end of the script.
if ! grep -qs "VPN_RULES" /etc/rc.local; then
/bin/cp -f /etc/rc.local "/etc/rc.local.old-${SYS_DT}" 2>/dev/null
cat >> /etc/rc.local <<EOF
# Added by VPN_RULES_SCRIPT
/sbin/iptables-restore < /etc/sysconfig/iptables
/sbin/ip6tables-restore < /etc/sysconfig/ip6tables
/sbin/service fail2ban restart
/sbin/service ipsec start
/sbin/service xl2tpd start
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
fi
  394.  
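# Initialize Libreswan NSS DB (with an empty password) on first install
if [ ! -f /etc/ipsec.d/cert8.db ] ; then
   # The password file used to be a fixed name in /var/tmp, a world-writable
   # directory: "echo >" simply opens whatever already exists at that path.
   # mktemp creates a fresh file with an unpredictable name and mode 0600 instead.
   NSS_PWD_FILE=$(mktemp /var/tmp/libreswan-nss-pwd.XXXXXX) || { echo "Cannot create temporary file. Aborting."; exit 1; }
   echo > "$NSS_PWD_FILE"
   /usr/bin/certutil -N -f "$NSS_PWD_FILE" -d /etc/ipsec.d
   /bin/rm -f "$NSS_PWD_FILE"
fi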
  401.  
  402. # Restore SELinux contexts
  403. /sbin/restorecon /etc/ipsec.d/*db 2>/dev/null
  404. /sbin/restorecon /usr/local/sbin -Rv 2>/dev/null
  405. /sbin/restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
  406.  
  407. # Reload sysctl.conf
  408. /sbin/sysctl -p
  409.  
  410. # Update file attributes
  411. /bin/chmod +x /etc/rc.local
  412. /bin/chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets*
  413.  
  414. # Apply new IPTables rules
  415. /sbin/iptables-restore < /etc/sysconfig/iptables
  416. /sbin/ip6tables-restore < /etc/sysconfig/ip6tables
  417.  
  418. # Restart services
  419. /sbin/service fail2ban stop >/dev/null 2>&1
  420. /sbin/service ipsec stop >/dev/null 2>&1
  421. /sbin/service xl2tpd stop >/dev/null 2>&1
  422. /sbin/service fail2ban start
  423. /sbin/service ipsec start
  424. /sbin/service xl2tpd start