API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Feb 16th, 2016
202
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 13.78 KB | None | 0 0
raw download clone embed print report
  1. #!/bin/sh
  2. #
  3. # Script for automatic configuration of IPsec/L2TP VPN server on Ubuntu 14.04/12.04 and Debian 8.
  4. # Works on dedicated servers and any KVM- or Xen-based Virtual Private Server (VPS).
  5. # It can also be used as Amazon EC2 "user-data" with the official Ubuntu or Debian AMIs.
  6. #
  7. # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN
  8. # ON YOUR DEDICATED SERVER OR VPS!
  9. #
  10. # Copyright (C) 2014-2016 Lin Song
  11. # Based on the work of Thomas Sarlandie (Copyright 2012)
  12. #
  13. # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
  14. # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
  15. #
  16. # Attribution required: please include my name in any derivative and let me
  17. # know how you have improved it!
  18.  
  19. # ------------------------------------------------------------
  20.  
  21. # Please define your own values for these variables
  22. # - All values MUST be quoted using 'single quotes'
  23. # - DO NOT use these characters inside values: \ " '
  24.  
  25. IPSEC_PSK='your_ipsec_pre_shared_key'
  26. VPN_USER='your_vpn_username'
  27. VPN_PASSWORD='your_very_secure_password'
  28.  
  29. # Be sure to read *important notes* at the URL below:
  30. # https://github.com/hwdsl2/setup-ipsec-vpn#important-notes
  31.  
  32. # ------------------------------------------------------------
  33.  
  34. if [ "$(uname)" = "Darwin" ]; then
  35. echo 'DO NOT run this script on your Mac! It should only be run on a dedicated server / VPS'
  36. echo 'or a newly-created EC2 instance, after you have modified it to set the variables above.'
  37. exit 1
  38. fi
  39.  
  40. if [ "$(lsb_release -si 2>/dev/null)" != "Ubuntu" ] && [ "$(lsb_release -si 2>/dev/null)" != "Debian" ]; then
  41. echo "Looks like you aren't running this script on a Ubuntu or Debian system."
  42. exit 1
  43. fi
  44.  
  45. if [ -f /proc/user_beancounters ]; then
  46. echo "This script does NOT support OpenVZ VPS."
  47. echo "Try Nyr's OpenVPN script: https://github.com/Nyr/openvpn-install"
  48. exit 1
  49. fi
  50.  
  51. if [ "$(id -u)" != 0 ]; then
  52. echo "Sorry, you need to run this script as root."
  53. exit 1
  54. fi
  55.  
  56. if [ ! -f /sys/class/net/eth0/operstate ]; then
  57. echo "Network interface 'eth0' is not available. Aborting."
  58. exit 1
  59. fi
  60.  
  61. if [ -z "$IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
  62. echo "VPN credentials cannot be empty. Edit the script and re-enter."
  63. exit 1
  64. fi
  65.  
  66. # Create and change to working dir
  67. mkdir -p /opt/src
  68. cd /opt/src || { echo "Failed to change working dir to /opt/src. Aborting."; exit 1; }
  69.  
  70. # Update package index and install Wget and dig (dnsutils)
  71. export DEBIAN_FRONTEND=noninteractive
  72. apt-get -y update
  73. apt-get -y install wget dnsutils
  74.  
  75. echo
  76. echo 'Trying to determine Public/Private IP of this server...'
  77. echo
  78. echo 'In case the script hangs here for more than a few minutes, press Ctrl-C to interrupt.'
  79. echo 'Then edit the script and follow instructions to manually enter server IPs.'
  80. echo
  81.  
  82. # In Amazon EC2, these two variables will be retrieved from metadata.
  83. # For all other servers, you may replace them with actual IPs,
  84. # or comment them out to use auto-detection in the next section.
  85. # If your server only has a public IP, put that IP on both lines.
  86. PUBLIC_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4')
  87. PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4')
  88.  
  89. # Try to determine IPs for non-EC2 servers
  90. [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
  91. [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
  92. [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipecho.net/plain)
  93. [ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
  94. [ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
  95.  
  96. # Check IPs for correct format
  97. IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
  98. if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then
  99. echo "Cannot find valid public IP, please edit the script and manually enter."
  100. exit 1
  101. fi
  102. if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then
  103. echo "Cannot find valid private IP, please edit the script and manually enter."
  104. exit 1
  105. fi
  106.  
  107. # Install necessary packages
  108. apt-get -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
  109. libcap-ng-dev libcap-ng-utils libselinux1-dev \
  110. libcurl4-nss-dev libgmp3-dev flex bison gcc make \
  111. libunbound-dev libnss3-tools libevent-dev
  112. apt-get -y --no-install-recommends install xmlto
  113. apt-get -y install xl2tpd
  114.  
  115. # Install Fail2Ban to protect SSH
  116. apt-get -y install fail2ban
  117.  
  118. # Compile and install Libreswan
  119. SWAN_VER=3.16
  120. SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
  121. SWAN_URL="https://download.libreswan.org/$SWAN_FILE"
  122. wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
  123. [ ! -f "$SWAN_FILE" ] && { echo "Cannot retrieve Libreswan source file. Aborting."; exit 1; }
  124. /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
  125. tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
  126. cd "libreswan-$SWAN_VER" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; }
  127. make programs && make install
  128.  
  129. # Check if Libreswan install was successful
  130. /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER"
  131. [ "$?" != "0" ] && { echo "Sorry, Libreswan $SWAN_VER failed to build. Aborting."; exit 1; }
  132.  
  133. # Prepare various config files
  134. # Create IPsec (Libreswan) config
  135. SYS_DT="$(/bin/date +%Y-%m-%d-%H:%M:%S)"
  136. /bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$SYS_DT" 2>/dev/null
  137. cat > /etc/ipsec.conf <<EOF
  138. version 2.0
  139. config setup
  140. dumpdir=/var/run/pluto/
  141. nat_traversal=yes
  142. virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
  143. oe=off
  144. protostack=netkey
  145. nhelpers=0
  146. interfaces=%defaultroute
  147. conn vpnpsk
  148. connaddrfamily=ipv4
  149. auto=add
  150. left=$PRIVATE_IP
  151. leftid=$PUBLIC_IP
  152. leftsubnet=$PRIVATE_IP/32
  153. leftnexthop=%defaultroute
  154. leftprotoport=17/1701
  155. rightprotoport=17/%any
  156. right=%any
  157. rightsubnetwithin=0.0.0.0/0
  158. forceencaps=yes
  159. authby=secret
  160. pfs=no
  161. type=transport
  162. auth=esp
  163. ike=3des-sha1,aes-sha1
  164. phase2alg=3des-sha1,aes-sha1
  165. rekey=no
  166. keyingtries=5
  167. dpddelay=30
  168. dpdtimeout=120
  169. dpdaction=clear
  170. EOF
  171.  
  172. # Specify IPsec PSK
  173. /bin/cp -f /etc/ipsec.secrets "/etc/ipsec.secrets.old-$SYS_DT" 2>/dev/null
  174. cat > /etc/ipsec.secrets <<EOF
  175. $PUBLIC_IP %any : PSK "$IPSEC_PSK"
  176. EOF
  177.  
  178. # Create xl2tpd config
  179. /bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-$SYS_DT" 2>/dev/null
  180. cat > /etc/xl2tpd/xl2tpd.conf <<EOF
  181. [global]
  182. port = 1701
  183. ;debug avp = yes
  184. ;debug network = yes
  185. ;debug state = yes
  186. ;debug tunnel = yes
  187. [lns default]
  188. ip range = 192.168.42.10-192.168.42.250
  189. local ip = 192.168.42.1
  190. require chap = yes
  191. refuse pap = yes
  192. require authentication = yes
  193. name = l2tpd
  194. ;ppp debug = yes
  195. pppoptfile = /etc/ppp/options.xl2tpd
  196. length bit = yes
  197. EOF
  198.  
  199. # Specify xl2tpd options
  200. /bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$SYS_DT" 2>/dev/null
  201. cat > /etc/ppp/options.xl2tpd <<EOF
  202. ipcp-accept-local
  203. ipcp-accept-remote
  204. ms-dns 8.8.8.8
  205. ms-dns 8.8.4.4
  206. noccp
  207. auth
  208. crtscts
  209. idle 1800
  210. mtu 1280
  211. mru 1280
  212. lock
  213. lcp-echo-failure 10
  214. lcp-echo-interval 60
  215. connect-delay 5000
  216. EOF
  217.  
  218. # Create VPN credentials
  219. /bin/cp -f /etc/ppp/chap-secrets "/etc/ppp/chap-secrets.old-$SYS_DT" 2>/dev/null
  220. cat > /etc/ppp/chap-secrets <<EOF
  221. # Secrets for authentication using CHAP
  222. # client server secret IP addresses
  223. "$VPN_USER" l2tpd "$VPN_PASSWORD" *
  224. EOF
  225.  
  226. # Update sysctl settings for VPN and performance
  227. if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
  228. /bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$SYS_DT" 2>/dev/null
  229. cat >> /etc/sysctl.conf <<EOF
  230. # Added by hwdsl2 VPN script
  231. kernel.msgmnb = 65536
  232. kernel.msgmax = 65536
  233. kernel.shmmax = 68719476736
  234. kernel.shmall = 4294967296
  235. net.ipv4.ip_forward = 1
  236. net.ipv4.tcp_syncookies = 1
  237. net.ipv4.conf.all.accept_source_route = 0
  238. net.ipv4.conf.default.accept_source_route = 0
  239. net.ipv4.conf.all.accept_redirects = 0
  240. net.ipv4.conf.default.accept_redirects = 0
  241. net.ipv4.conf.all.send_redirects = 0
  242. net.ipv4.conf.default.send_redirects = 0
  243. net.ipv4.conf.lo.send_redirects = 0
  244. net.ipv4.conf.eth0.send_redirects = 0
  245. net.ipv4.conf.all.rp_filter = 0
  246. net.ipv4.conf.default.rp_filter = 0
  247. net.ipv4.conf.lo.rp_filter = 0
  248. net.ipv4.conf.eth0.rp_filter = 0
  249. net.ipv4.icmp_echo_ignore_broadcasts = 1
  250. net.ipv4.icmp_ignore_bogus_error_responses = 1
  251. net.core.wmem_max = 12582912
  252. net.core.rmem_max = 12582912
  253. net.ipv4.tcp_rmem = 10240 87380 12582912
  254. net.ipv4.tcp_wmem = 10240 87380 12582912
  255. EOF
  256. fi
  257.  
  258. # Create basic IPTables rules. First check if there are existing rules.
  259. # 1. If IPTables is "empty", write out the new set of rules.
  260. # 2. If *not* empty, insert new rules and save them together with existing ones.
  261. if ! grep -qs "hwdsl2 VPN script" /etc/iptables.rules; then
  262. /bin/cp -f /etc/iptables.rules "/etc/iptables.rules.old-$SYS_DT" 2>/dev/null
  263. /usr/sbin/service fail2ban stop >/dev/null 2>&1
  264. if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ]; then
  265. cat > /etc/iptables.rules <<EOF
  266. # Added by hwdsl2 VPN script
  267. *filter
  268. :INPUT ACCEPT [0:0]
  269. :FORWARD ACCEPT [0:0]
  270. :OUTPUT ACCEPT [0:0]
  271. :ICMPALL - [0:0]
  272. -A INPUT -m conntrack --ctstate INVALID -j DROP
  273. -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  274. -A INPUT -i lo -j ACCEPT
  275. -A INPUT -d 127.0.0.0/8 -j REJECT
  276. -A INPUT -p icmp --icmp-type 255 -j ICMPALL
  277. -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
  278. -A INPUT -p tcp --dport 22 -j ACCEPT
  279. -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
  280. -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
  281. -A INPUT -p udp --dport 1701 -j DROP
  282. -A INPUT -j DROP
  283. -A FORWARD -m conntrack --ctstate INVALID -j DROP
  284. -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  285. -A FORWARD -i ppp+ -o eth+ -j ACCEPT
  286. # If you wish to allow traffic between VPN clients themselves, uncomment this line:
  287. # -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
  288. -A FORWARD -j DROP
  289. -A ICMPALL -p icmp -f -j DROP
  290. -A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
  291. -A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
  292. -A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
  293. -A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
  294. -A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
  295. -A ICMPALL -p icmp -j DROP
  296. COMMIT
  297. *nat
  298. :PREROUTING ACCEPT [0:0]
  299. :INPUT ACCEPT [0:0]
  300. :OUTPUT ACCEPT [0:0]
  301. :POSTROUTING ACCEPT [0:0]
  302. -A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP"
  303. COMMIT
  304. EOF
  305.  
  306. else
  307.  
  308. iptables -I INPUT 1 -p udp -m multiport --dports 500,4500 -j ACCEPT
  309. iptables -I INPUT 2 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
  310. iptables -I INPUT 3 -p udp --dport 1701 -j DROP
  311. iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
  312. iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  313. iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
  314. # iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
  315. iptables -A FORWARD -j DROP
  316. iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP"
  317.  
  318. echo "# Modified by hwdsl2 VPN script" > /etc/iptables.rules
  319. /sbin/iptables-save >> /etc/iptables.rules
  320. fi
  321. # Update rules for iptables-persistent
  322. if [ -f /etc/iptables/rules.v4 ]; then
  323. /bin/cp -f /etc/iptables/rules.v4 "/etc/iptables/rules.v4.old-$SYS_DT"
  324. /bin/cp -f /etc/iptables.rules /etc/iptables/rules.v4
  325. fi
  326. fi
  327.  
  328. # Create basic IP6Tables (IPv6) rules
  329. if ! grep -qs "hwdsl2 VPN script" /etc/ip6tables.rules; then
  330. /bin/cp -f /etc/ip6tables.rules "/etc/ip6tables.rules.old-$SYS_DT" 2>/dev/null
  331. cat > /etc/ip6tables.rules <<EOF
  332. # Added by hwdsl2 VPN script
  333. *filter
  334. :INPUT ACCEPT [0:0]
  335. :FORWARD DROP [0:0]
  336. :OUTPUT ACCEPT [0:0]
  337. -A INPUT -i lo -j ACCEPT
  338. -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  339. -A INPUT -m rt --rt-type 0 -j DROP
  340. -A INPUT -s fe80::/10 -j ACCEPT
  341. -A INPUT -p ipv6-icmp -j ACCEPT
  342. -A INPUT -j DROP
  343. COMMIT
  344. EOF
  345. if [ -f /etc/iptables/rules.v6 ]; then
  346. /bin/cp -f /etc/iptables/rules.v6 "/etc/iptables/rules.v6.old-$SYS_DT"
  347. /bin/cp -f /etc/ip6tables.rules /etc/iptables/rules.v6
  348. fi
  349. fi
  350.  
  351. # Load IPTables rules at system boot
  352. cat > /etc/network/if-pre-up.d/iptablesload <<EOF
  353. #!/bin/sh
  354. /sbin/iptables-restore < /etc/iptables.rules
  355. exit 0
  356. EOF
  357.  
  358. cat > /etc/network/if-pre-up.d/ip6tablesload <<EOF
  359. #!/bin/sh
  360. /sbin/ip6tables-restore < /etc/ip6tables.rules
  361. exit 0
  362. EOF
  363.  
  364. # Update rc.local to start services at boot
  365. if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
  366. /bin/cp -f /etc/rc.local "/etc/rc.local.old-$SYS_DT" 2>/dev/null
  367. /bin/sed --follow-symlinks -i -e '/^exit 0/d' /etc/rc.local
  368. cat >> /etc/rc.local <<EOF
  369. # Added by hwdsl2 VPN script
  370. /usr/sbin/service fail2ban restart || /bin/true
  371. /usr/sbin/service ipsec start
  372. /usr/sbin/service xl2tpd start
  373. echo 1 > /proc/sys/net/ipv4/ip_forward
  374. exit 0
  375. EOF
  376. fi
  377.  
  378. # Initialize Libreswan DB
  379. if [ ! -f /etc/ipsec.d/cert8.db ] ; then
  380. echo > /var/tmp/libreswan-nss-pwd
  381. /usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
  382. /bin/rm -f /var/tmp/libreswan-nss-pwd
  383. fi
  384.  
  385. # Reload sysctl.conf
  386. /sbin/sysctl -p
  387.  
  388. # Update file attributes
  389. /bin/chmod +x /etc/rc.local
  390. /bin/chmod +x /etc/network/if-pre-up.d/iptablesload
  391. /bin/chmod +x /etc/network/if-pre-up.d/ip6tablesload
  392. /bin/chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets*
  393.  
  394. # Apply new IPTables rules
  395. /sbin/iptables-restore < /etc/iptables.rules
  396. /sbin/ip6tables-restore < /etc/ip6tables.rules >/dev/null 2>&1
  397.  
  398. # Restart services
  399. /usr/sbin/service fail2ban stop >/dev/null 2>&1
  400. /usr/sbin/service ipsec stop >/dev/null 2>&1
  401. /usr/sbin/service xl2tpd stop >/dev/null 2>&1
  402. /usr/sbin/service fail2ban start
  403. /usr/sbin/service ipsec start
  404. /usr/sbin/service xl2tpd start
  405.  
  406. echo
  407. echo 'Congratulations! IPsec/L2TP VPN server setup is complete!'
  408. exit 0
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!