
Set up IPSEC VPN Server with IKEv1/IKEv2/L2TP Automatically


#! /bin/bash
#
# Automatically install and configure several programs needed by
# VPN Server. For example, xl2tpd, ppp, strongswan...
# And make them work well.
#
# Created by Beyan Zhang 24-9-2016.
# Copyleft (c) 2016 Beyan. All left reserved.
# Welcome banner.
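# Welcome banner and interactive credential prompts.
# Everything typed here is written to ipsec.secrets / chap-secrets later
# and echoed back at the end of the run, so the terminal must be trusted.
# NOTE(review): the defaults ("username", "password", "psk", "xauth") are
# placeholders; a server reachable from the Internet needs real values for
# all four. 'read -r' keeps backslashes in the typed values literal.
echo -e "\npress any key to start, \c"
echo -en "or \\033[31mCTRL-C\\033[0m abort."
read -r _                         # value unused; we only wait for Enter
echo -e "\nPlease type \033[31mUSERNAME\033[0m, \c"
echo -e "or use default [username]:\c"
read -r username
username=${username:-username}
echo -e "Please type \033[31mPASSWORD\033[0m, \c"
echo -e "or use default [password]:\c"
read -r password
password=${password:-password}
echo -e "Please type \033[31mPSK\033[0m, \c"
echo -e "or default [PSK]:\c"
read -r psk
psk=${psk:-psk}
echo -e "Please type \033[31mXAUTH\033[0m, \c"
echo -e "or default [xauth]:\c"
read -r xauth
xauth=${xauth:-xauth}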

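# work place: downloads, build trees and the generated keys/certificates
# all live under $HOME/vpn_install.
home="$HOME/vpn_install"
mkdir -p -- "$home" 2>/dev/null
# Abort rather than silently continue in $HOME: later steps write private
# keys relative to the current directory. rlog/shell_abort are defined
# further down, so they cannot be used yet.
cd -- "$home" || { echo "cannot enter $home" >&2; exit 1; }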
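# function to write log.
# usage: rlog $? [action name]
#   rlog           -> truncate the log file
#   rlog 0  NAME   -> "[Success]" entry for NAME
#   rlog N  NAME   -> "[failed]" entry for NAME (N > 0)
#   rlog -1 TEXT   -> "[info]" entry with TEXT
# Globals: reads $home; sets $log_file (read later by shell_abort).
# The second argument passes through 'echo -e', so backslash sequences in
# it are interpreted.
function rlog()
{
  log_file="$home/install.log"
  local log_date log_user
  log_date=$(date "+%b %d %H:%M:%S")
  log_user=$(whoami)
  if [[ -z $1 ]]; then
    : > "$log_file"
    return
  fi
  if [ "$1" -eq 0 ]; then
    echo -e "$log_date $log_user execute \"$2\" \033[32m[Success]\033[0m." >> "$log_file"
  elif [ "$1" -gt 0 ]; then
    echo -e "$log_date $log_user execute \"$2\" \033[41;37m[failed]\033[0m!" >> "$log_file"
  else
    echo -e "$log_date $log_user [info] \033[33m$2\033[0m" >> "$log_file"
  fi
}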
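# function to judge whether the typed answer is 'yes' or 'no'.
# Reads one line from stdin; an empty line (or EOF) counts as 'yes'.
# Globals: sets $answer.
# Returns: 0 for 'yes', 1 for 'no'.
function yes_or_no()
{
  read -r answer
  until [[ -z $answer || $answer == [YyNn] ]]; do
    echo -e "Please type 'Y/y' or 'N/n' [default: Yes]:\c"
    read -r answer
  done
  case $answer in
    n|N) return 1 ;;
    *)   return 0 ;;
  esac
}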
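# function used when the install must abort.
# Usage: shell_abort [action]
# Globals: reads $log_file (set by rlog).
# Exits with status 1. The original bare 'exit' inherited the status of
# the preceding rlog call, so an aborted install reported success.
function shell_abort()
{
  echo -e "\n\033[31m$1 failed, installing abort!\033[0m"
  echo -e "\033[31mFor more information, please check the log file \033[4m'$log_file'\033[0m!\033[0m"
  rlog 1 "$1"
  exit 1
}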
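# clear log file
rlog
# This script is only tested on Debian 7 i386.
# Debian 8 x64 and Debian 7 x86 may also work.
# Set check_os to anything but 'yes' to skip the check if you know what you
# are doing: the apt sources and the strongswan build below assume Debian.
check_os=yes # yes or other
if [ "$check_os" = 'yes' ]; then
  echo -e "\nCheck OS release..."
  if grep -qi debian /proc/version 2>/dev/null; then
    os_release="Debian $(cat /etc/debian_version)"
    echo "OS Release: $os_release"
  else
    rlog -1 "May be '/proc/version' or '/etc/debian_version' is missing!"
    shell_abort "Check OS release"
  fi
else
  echo "OS check ignore."
fi
rlog 0 "os Check"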
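# network card type and ip addr.
# NOTE(review): both detections below parse legacy net-tools 'ifconfig'
# output (the "Ethernet" line and "inet addr:A.B.C.D"); on releases whose
# ifconfig prints the newer format nothing is detected and the manual
# prompt is used instead.
netcard=$(ifconfig | grep -i ethernet | awk '{print $1}')
# 'echo "" | wc -l' is 1, which made the "No netcard detected" branch
# below unreachable; count 0 when nothing was found.
if [[ -z $netcard ]]; then
  num_of_netcard=0
else
  num_of_netcard=$(printf '%s\n' "$netcard" | wc -l)
fi
if [ "$num_of_netcard" -eq 1 ]; then
  echo -e "\nFind one netcard \033[31m$netcard\033[0m, make it default? [Yes/no]:\c"
  if ! yes_or_no; then
    echo -e "Type your own:\c"
    read -r netcard
  fi
  echo -e "Network card: $netcard"
  echo -e "Please confirm: [Yes/no]\c"
  if ! yes_or_no; then
    echo -e "\033[31mPlease type again:\033[0m\c"
    read -r netcard
    echo -e "Network card: $netcard"
    echo -e "Please confirm: [Yes/no]\c"
    if ! yes_or_no; then
      echo -e "\033[31mInstalling abort.\033[0m"
      exit 2
    fi
  fi
elif [ "$num_of_netcard" -gt 1 ]; then
  echo -e "\nMore than \033[31m1\033[0m Network card detected:"
  for ((i = 1; i <= num_of_netcard; i++)); do
    echo -e "$i \c"
    sed -n "${i}p" <<<"$netcard"
  done
  echo -e "Please make a choice \033[31m[default: 1]\033[0m:\c"
  read -r which_netcard
  count=1
  # Accept an empty answer (default 1) or an integer in 1..num_of_netcard.
  # The digit test keeps a stray letter from becoming an arithmetic error
  # inside [[ -le ]]. Five wrong answers abort.
  until [[ -z $which_netcard || ( $which_netcard =~ ^[0-9]+$ && $which_netcard -le $num_of_netcard && $which_netcard -gt 0 ) ]]; do
    echo -e "Input error, repeat:\c"
    read -r which_netcard
    count=$((count + 1))
    if [ "$count" -ge 5 ]; then
      shell_abort "Network card detect"
    fi
  done
  which_netcard=${which_netcard:-1}
  netcard=$(sed -n "${which_netcard}p" <<<"$netcard")
  echo -e "\nNetwork card: $netcard"
  echo -e "Please confirm: [Yes/no]\c"
  if ! yes_or_no; then
    shell_abort "Network card detect"
  fi
else
  echo -e "\nNo netcard detected, type manual:\c"
  read -r netcard
  echo -e "Network card: $netcard"
  echo -e "Please confirm: [Yes/no]\c"
  if ! yes_or_no; then
    echo -e "\033[31mPlease type again:\033[0m\c"
    read -r netcard
    echo -e "Network card: $netcard"
    echo -e "Please confirm: [Yes/no]\c"
    yes_or_no || shell_abort "Network card detect"
  fi
fi
# The original also tested $? here, but after an assignment that is only
# the last awk's status; the emptiness test is what detects a missing
# address (wrong interface name, or an ifconfig without "inet addr").
ip_addr=$(ifconfig "$netcard" | grep "inet addr" | awk '{print $2}' | awk -F ":" '{print $2}')
[[ -z $ip_addr ]] && shell_abort "IP addr configure"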
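# Network test: choose the apt mirror with the lower average ping RTT.
codename=$(lsb_release -c | awk '{print $2}')
# An empty codename would produce unusable "deb http://... main" lines.
[[ -z $codename ]] && shell_abort "Detect Debian codename (lsb_release)"
echo -e "\nNetwork analysis..."
# The rtt line is "rtt min/avg/max/mdev = a/b/c/d ms"; keep the integer part
# of the average. A host that does not answer yields an empty string, which
# the original fed to '-ge' (a test error, so the else branch won); it is
# treated as very slow instead.
ping_time_debian=$(ping www.debian.org -c 3 -W 0.5 | grep rtt | awk -F '=' '{print $2}' | awk -F '/' '{print $2}' | awk -F '.' '{print $1}')
ping_time_163=$(ping www.163.com -c 3 -W 0.5 | grep rtt | awk -F '=' '{print $2}' | awk -F '/' '{print $2}' | awk -F '.' '{print $1}')
ping_time_debian=${ping_time_debian:-999999}
ping_time_163=${ping_time_163:-999999}
# Package integrity does not depend on the mirror: apt verifies the signed
# Release files either way. Note that the 163 list also enables
# $codename-proposed-updates, which the official list below does not.
if [ "$ping_time_debian" -ge "$ping_time_163" ]; then
  echo -e "163 open source mirror is recommended,\c"
  echo -e " is this what you expected [Yes/no]?\c"
  if yes_or_no; then
    cp /etc/apt/sources.list /etc/apt/sources.list.bak 2>/dev/null
    cat > /etc/apt/sources.list <<EOF
deb http://mirrors.163.com/debian/ $codename main contrib non-free
deb-src http://mirrors.163.com/debian $codename main contrib non-free
deb http://mirrors.163.com/debian/ $codename-proposed-updates main contrib non-free
deb-src http://mirrors.163.com/debian/ $codename-proposed-updates main contrib non-free
deb http://mirrors.163.com/debian/ $codename-updates main contrib non-free
deb-src http://mirrors.163.com/debian/ $codename-updates main contrib non-free
deb http://mirrors.163.com/debian-security/ $codename/updates main contrib non-free
deb-src http://mirrors.163.com/debian-security/ $codename/updates main contrib non-free
EOF
  fi
else
  echo -e "Debian official mirror is recommended, \c"
  echo -e "is this what you expected [Yes/no]?\c"
  if yes_or_no; then
    cp /etc/apt/sources.list /etc/apt/sources.list.bak 2>/dev/null
    cat > /etc/apt/sources.list <<EOF
# deb http://http.us.debian.org/debian/ $codename main
deb http://http.us.debian.org/debian/ $codename main
deb-src http://http.us.debian.org/debian/ $codename main
deb http://security.debian.org/ $codename/updates main
deb-src http://security.debian.org/ $codename/updates main
# $codename-updates, previously known as 'volatile'
deb http://http.us.debian.org/debian/ $codename-updates main
deb-src http://http.us.debian.org/debian/ $codename-updates main
deb http://http.debian.net/debian $codename-backports main
EOF
  fi
fi
# install necessary programs and library
echo -e "\nApt sources changed, updating system..."
apt-get update 1>/dev/null 2>&1 || shell_abort "apt-get update"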
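apt-get install libpam0g-dev libssl-dev \
  make gcc ppp xl2tpd -y 1>/dev/null 2>&1 || shell_abort "apt-get install"
# download VPN-test tools: virt-what is used to recognise an OpenVZ
# container, for which the author builds strongswan with kernel-libipsec.
# NOTE(review): fetched over plain http and built/installed as root with no
# checksum or signature verification; pin a verified copy before reusing
# this script.
virt_what_tarball=virt-what-1.15.tar.gz
wget "http://people.redhat.com/~rjones/virt-what/files/$virt_what_tarball" 1>/dev/null 2>&1 \
  || shell_abort "Download VPN-test tools"
# Name the extracted directory explicitly: once the tarball sits next to
# it, 'cd virt-*' expands to both names and cd rejects two arguments.
# A failed build is deliberately not fatal -- the user confirms the
# detected type below and can answer manually.
{ tar -xf "$virt_what_tarball" \
    && cd "${virt_what_tarball%.tar.gz}" \
    && ./configure \
    && make \
    && make install; } 1>/dev/null 2>&1
# Back to the work directory so the strongswan tarball lands there
# regardless of whether the virt-what build (and its cd) succeeded.
cd "$home" || shell_abort "Enter work directory"
vps_type=$(virt-what 2>/dev/null)
echo -e "\nVPS type: $vps_type"
echo -e "Please confirm: [Yes/no]\c"
if ! yes_or_no; then
  echo -e "\nIs your VPS type OpenVZ? [Yes/no]:\c"
  yes_or_no && vps_type=openvz
fi
# Quoted so an empty vps_type (virt-what missing or silent) is a plain
# mismatch instead of a '[' syntax error. The original initialised a
# misspelt 'config_prrameter' and left config_parameter unset.
config_parameter=''
[ "$vps_type" = "openvz" ] && config_parameter="--enable-kernel-libipsec"
# download strongswan
# NOTE(review): the original passed --no-check-certificate, disabling TLS
# verification for a tarball that is then compiled and installed as root.
# The flag is dropped; if the download fails because of an outdated CA
# bundle, update ca-certificates rather than disabling the check. 5.2.2 is
# the release the author tested with; newer releases exist.
echo -e "\nDownload and install strongswan..."
strongswan_tarball=strongswan-5.2.2.tar.gz
wget "https://download.strongswan.org/$strongswan_tarball" 1>/dev/null 2>&1 \
  || shell_abort "Download strongswan"
tar -xf "$strongswan_tarball" 1>/dev/null 2>&1 || shell_abort "Extract strongswan"
# Same glob problem as above: 'cd strongswan-*' would also match the tarball.
cd "${strongswan_tarball%.tar.gz}" || shell_abort "Enter strongswan source tree"
echo -e "\nConfigure strongswan..."
# shellcheck disable=SC2086 -- config_parameter is empty or exactly one flag.
./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 \
  --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
  --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius \
  --enable-xauth-eap --enable-xauth-pam --enable-dhcp \
  --enable-openssl --enable-addrblock --enable-unity \
  --enable-certexpire --enable-radattr --enable-tools \
  --disable-gmp $config_parameter 1>/dev/null 2>&1 \
  || shell_abort "Configure Strongswan"
echo -e "\nCompile strongswan..."
if ! { make && make install; } 1>/dev/null 2>&1; then
  shell_abort "Compile strongswan"
fi
ipsec --version 1>/dev/null 2>&1 || shell_abort "Strongswan install"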
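# certificate configuration
echo -e "\nCertificate configure..."
cd "$home" || shell_abort "Enter work directory"
# Private keys and the .p12 bundle are created with mode 0600: this work
# directory is where the user is later told to fetch client.cert.p12 from.
# The previous umask is restored afterwards so the config files written
# later keep their usual mode.
old_umask=$(umask)
umask 077
# generate the private key of the CA certificate
ipsec pki --gen --outform pem > ca.pem || shell_abort "Generate CA key"
# sign CA certificate with the private key
ipsec pki --self --in ca.pem --dn "C=com, O=myvpn, CN=$ip_addr VPN CA" --ca --outform pem > ca.cert.pem || shell_abort "Generate CA certificate"
# generate the private key needed by server certificate
ipsec pki --gen --outform pem > server.pem || shell_abort "Generate server key"
# sign server certificate with the CA certificate
# be sure the value of 'C' and 'O' is the same as the above
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=com, O=myvpn, CN=$ip_addr" --san="$ip_addr" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem || shell_abort "Issue server certificate"
# generate the private key needed by client certificate
ipsec pki --gen --outform pem > client.pem || shell_abort "Generate client key"
# sign client certificate with the CA certificate
# keep the value of 'C' and 'O' the same as the above
# NOTE(review): every client shares this one certificate and key, so a lost
# device means reissuing for everyone.
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=com, O=myvpn, CN=$ip_addr VPN Client" --outform pem > client.cert.pem || shell_abort "Issue client certificate"
# generate pkcs12 certificate
echo -e "You need a password for pkcs12."
# make sure the value of 'caname' is the same as the one in 'ca.cert.pem'
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "$ip_addr VPN CA" -out client.cert.p12 || shell_abort "Export pkcs12"
umask "$old_umask"
# define configuration directory of each program
config_dir=/usr/local/etc
# copy certificate to configuration directory
# (trailing slashes: a missing target directory fails instead of creating a
# file of that name)
echo -e "\nCopy certificate..."
cp ca.cert.pem "$config_dir/ipsec.d/cacerts/" || shell_abort "Copy certificate"
cp server.cert.pem "$config_dir/ipsec.d/certs/" || shell_abort "Copy certificate"
cp server.pem "$config_dir/ipsec.d/private/" || shell_abort "Copy certificate"
cp client.cert.pem "$config_dir/ipsec.d/certs/" || shell_abort "Copy certificate"
# NOTE(review): the client's private key is not referenced by the ipsec.conf
# written below (only rightcert=client.cert.pem is); kept as the author had
# it, but it does not appear to be needed on the server.
cp client.pem "$config_dir/ipsec.d/private/" || shell_abort "Copy certificate"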
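echo -e "\nConfig ipsec, please wait."
cp -av "$config_dir/ipsec.conf" "$config_dir/ipsec.conf.bak" 1>/dev/null 2>&1
# ipsec.conf requires the parameters of a section to be indented, so the
# leading whitespace inside this here-doc is significant. The quoted
# delimiter keeps the content literal (it contains no shell variables).
#
# Security notes on the connection set (kept as the author shipped it):
#  - windows7: 'ike=aes256-sha1-modp1024!' pins DH group 2 (1024-bit), weak
#    by current standards; prefer a larger group where clients allow it.
#  - iOS_cert / networkmanager-strongswan: 'rightcert=client.cert.pem' means
#    every client presents the same certificate and key.
#  - android_xauth_psk and L2TP-PSK-*: the single PSK in ipsec.secrets is
#    shared by all clients.
cat > "$config_dir/ipsec.conf" <<'EOF'
config setup
    uniqueids=never

conn iOS_cert
    keyexchange=ikev1
    # strongswan version >= 5.0.2, compatible with iOS 6.0,6.0.1
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightauth2=xauth
    rightsourceip=10.31.2.0/24
    rightcert=client.cert.pem
    auto=add

conn android_xauth_psk
    keyexchange=ikev1
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth
    rightsourceip=10.31.2.0/24
    auto=add

conn networkmanager-strongswan
    keyexchange=ikev2
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightsourceip=10.31.2.0/24
    rightcert=client.cert.pem
    auto=add

conn windows7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    eap_identity=%any
    auto=add

# compatible with xl2tp
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    #pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
EOF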
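echo -e "\nConfigure Strongswan..."
cp -av "$config_dir/strongswan.conf" \
  "$config_dir/strongswan.conf.bak" 1>/dev/null 2>&1
cat > "$config_dir/strongswan.conf" <<'EOF'
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
EOF
echo -e "\nConfigure ipsec secrets..."
# The original redirected to '/dev/nul' (sic), creating a stray file.
cp -av "$config_dir/ipsec.secrets" \
  "$config_dir/ipsec.secrets.bak" 1>/dev/null 2>&1
# Unquoted delimiter on purpose: the credentials are interpolated here.
# NOTE(review): a value containing '"' or '$' breaks the quoting of this
# file; nothing in the prompts above rejects such input. The file replaces
# any existing secrets rather than appending to them.
cat > "$config_dir/ipsec.secrets" <<EOF
: RSA server.pem
: PSK "$psk"
: XAUTH "$xauth"
$username %any: EAP "$password"
EOF
# Secrets are read by root only; 'cat >' would otherwise leave a new file
# at the umask default.
chmod 600 "$config_dir/ipsec.secrets"
echo -e "\nAdd PPP user..."
cp -av /etc/ppp/chap-secrets \
  /etc/ppp/chap-secrets.bak 1>/dev/null 2>&1
cat > /etc/ppp/chap-secrets <<EOF
$username * "$password" *
EOF
chmod 600 /etc/ppp/chap-secrets
echo -e "\nConfigure xl2tpd..."
# The original copied xl2tpd.conf onto itself; back it up to .bak.
cp -av /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.bak 1>/dev/null 2>&1
cat > /etc/xl2tpd/xl2tpd.conf <<'EOF'
[global]
ipsec saref = yes

[lns default]
ip range = 192.168.1.2-192.168.1.254
local ip = 192.168.1.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
echo -e "\nConfigure PPP..."
cp -av /etc/ppp/options.xl2tpd \
  /etc/ppp/options.xl2tpd.bak 1>/dev/null 2>&1
# 'debug' here and 'ppp debug = yes' above make pppd verbose in syslog;
# 'hide-password' keeps the CHAP secret out of that log.
cat > /etc/ppp/options.xl2tpd <<'EOF'
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
EOF
echo -e "\nConfigure ip forward..."
echo 1 > /proc/sys/net/ipv4/ip_forward
# NOTE(review): stock Debian rc.local ends with 'exit 0'; lines appended
# after it never run. Check the order in /etc/rc.local after this script,
# or move these two settings to sysctl.d and the init system.
echo "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/rc.local
echo "ipsec start" >> /etc/rc.local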
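echo -e "\nConfigure iptables..."
# NOTE(review): rules are appended (-A) to whatever is already loaded, so
# running this script twice duplicates them. The INPUT ACCEPT rules only
# have an effect if the chain's policy is DROP, which this script does not
# set.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# VPN address pools: 192.168.1.0/24 is the xl2tpd range and 10.31.2.0/24
# the rightsourceip pool; 10.31.0.0/24 and 10.31.1.0/24 are not handed out
# by any configuration written above.
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.2.0/24 -j ACCEPT
# IKE (udp/500), NAT-T (udp/4500), ESP and L2TP (udp/1701). The original
# also opened tcp/500 and tcp/1723: IKE does not use TCP, and 1723 is PPTP,
# which this script does not install, so both are dropped.
iptables -A INPUT -i "$netcard" -p esp -j ACCEPT
iptables -A INPUT -i "$netcard" -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i "$netcard" -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i "$netcard" -p udp --dport 1701 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o "$netcard" -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o "$netcard" -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o "$netcard" -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o "$netcard" -j MASQUERADE
# Interface-independent copies of the IKE rules, as in the original.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# The original ended with an unrestricted 'POSTROUTING -j MASQUERADE' (no
# source, no interface). The per-pool rules above already cover every
# client address, so that catch-all is not repeated here.
iptables-save > /etc/iptables.rules
# Re-apply the saved rules whenever an interface comes up.
cat > /etc/network/if-up.d/iptables <<'EOF'
#! /bin/bash
iptables-restore < /etc/iptables.rules
EOF
chmod +x /etc/network/if-up.d/iptables 1>/dev/null 2>&1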
# Summary for the operator. Credentials are shown in clear text here, as
# the author intended, so the terminal (and its scrollback) holds them.
show_value() {
  # $1: label (may contain \n/\t escapes), $2: value highlighted in red.
  echo -e "$1\033[31m$2\033[0m"
}
echo -e "\nInstalling finished."
show_value "\nIP:\t\t" "$ip_addr"
show_value "USERNAME:\t" "$username"
show_value "PASSWORD:\t" "$password"
show_value "PSK:\t\t" "$psk"
show_value "XAUTH:\t\t" "$xauth"
show_value "\nCertificate directory: " "$home"
echo -e "IOS 9+, please install '\033[31mca.cert.pem\033[0m' and '\033[31mclient.cert.p12\033[0m', then add VPN use IPSec."
echo -e "Other OS, please search the internet."
echo -e "\nEnjoy youself!"
Download.
