Set up IPSEC VPN Server with IKEv1/IKEv2/L2TP Automatically
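#!/bin/bash
# Automatically install and configure several programs needed by
# VPN Server. For example, xl2tpd, ppp, strongswan...
# And make them work well.
# Created by Beyan Zhang 24-9-2016.
# Copyleft (c) 2016 Beyan. All left reserved.

# Welcome banner and credential prompts.
# Each value falls back to a fixed placeholder when the operator just presses
# Enter. The placeholders are echoed again in the final summary and end up in
# ipsec.secrets / chap-secrets, so they must be replaced before the server is
# reachable from the internet.
echo -e "\npress any key to start, \c"
echo -en "or \\033[31mCTRL-C\\033[0m abort."
read -r this_is_not_used

echo -e "\nPlease type \033[31mUSERNAME\033[0m, \c"
echo -e "or use default [username]:\c"
read -r username
[ -z "$username" ] && username=username

# -s keeps the secrets off the terminal (and out of any session recording).
echo -e "Please type \033[31mPASSWORD\033[0m, \c"
echo -e "or use default [password]:\c"
read -rs password
echo
[ -z "$password" ] && password=password

echo -e "Please type \033[31mPSK\033[0m, \c"
echo -e "or default [PSK]:\c"
read -rs psk
echo
[ -z "$psk" ] && psk=psk

echo -e "Please type \033[31mXAUTH\033[0m, \c"
echo -e "or default [xauth]:\c"
read -rs xauth
echo
[ -z "$xauth" ] && xauth=xauth

if [ "$password" = password ] || [ "$psk" = psk ] || [ "$xauth" = xauth ]; then
    echo -e "\033[33mDefault credentials are in use; change them before exposing this server.\033[0m" >&2
fi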
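# Work place: everything the installer downloads or generates (tarballs,
# certificates and keys, install.log) lives under $HOME/vpn_install.
cd "$HOME" || exit 1
home="$HOME/vpn_install"
mkdir -p -- "$home" 2>/dev/null
# Later steps write private keys relative to the working directory, so do not
# continue if we could not enter it (the log helper is not defined yet here).
cd "$home" || { echo "Cannot enter '$home', installing abort!" >&2; exit 1; }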
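#######################################
# Append one line to the install log, or truncate it when called bare.
# Usage:   rlog $? [action name]
# Globals: home (read), log_file (written; shell_abort prints it)
# Arguments:
#   $1 - exit status of the action: 0 → [Success], >0 → [failed],
#        <0 → free-form [info] message; omitted → truncate the log
#   $2 - action name or info text
#######################################
function rlog() {
    local log_date log_user
    log_file=$home/install.log
    log_date=$(date "+%b %d %H:%M:%S")
    log_user=$(whoami)
    if [[ -z $1 ]]; then
        : > "$log_file"
        return
    fi
    if [ "$1" -eq 0 ]; then
        echo -e "$log_date $log_user execute \"$2\" \033[32m[Success]\033[0m." >> "$log_file"
    elif [ "$1" -gt 0 ]; then
        echo -e "$log_date $log_user execute \"$2\" \033[41;37m[failed]\033[0m!" >> "$log_file"
    else
        echo -e "$log_date $log_user [info] \033[33m$2\033[0m" >> "$log_file"
    fi
}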
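#######################################
# Read a yes/no answer from stdin; empty input counts as yes.
# Re-prompts until the answer is one of Y/y/N/n or empty.
# Returns: 0 for yes, 1 for no
#######################################
function yes_or_no() {
    local answer
    read -r answer
    until [[ -z $answer || $answer == [YyNn] ]]; do
        echo -e "Please type 'Y/y' or 'N/n' [default: Yes]:\c"
        read -r answer
    done
    [[ -z $answer || $answer == [Yy] ]]
}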
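#######################################
# Report a failed step, log it, and terminate the installer.
# Usage:   shell_abort [action]
# Globals: log_file (read; set by rlog)
# Exits with status 1 so a caller or wrapper sees the failure
# (a bare `exit` would report success).
#######################################
function shell_abort() {
    echo -e "\n\033[31m$1 failed, installing abort!\033[0m"
    echo -e "\033[31mFor more information, please check the log file \033[4m'$log_file'\033[0m!\033[0m"
    rlog 1 "$1"
    exit 1
}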
# clear log file: rlog with no status argument truncates it
rlog
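# This script is only tested on Debian 7 i386.
# Maybe Debian 8 x64, Debian 7 x86 also work well.
# Turn off this item if you know what you are doing.
check_os=yes   # yes or other
if [ "$check_os" = 'yes' ]; then
    echo -e "\nCheck OS release..."
    # grep -q on the file directly replaces the unquoted command-substitution test
    if grep -qi debian /proc/version 2>/dev/null; then
        os_release="Debian $(cat /etc/debian_version 2>/dev/null)"
        [[ -n $os_release ]] && echo "OS Release: $os_release"
    else
        rlog -1 "May be '/proc/version' or '/etc/debian_version' is missing!"
        shell_abort "Check OS release"
    fi
else
    echo "OS check ignore."
fi
rlog 0 "os Check"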
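# Network card type and ip addr.
# The listing relies on the classic net-tools ifconfig layout
# ("eth0  Link encap:Ethernet ..."); a newer ifconfig prints a different first
# line and may yield no match, in which case the manual prompt below is used.
netcard=$(ifconfig | grep -i ethernet | awk '{print $1}')
# grep -c . counts non-empty lines, so an empty listing gives 0.
# (wc -l reports 1 for the empty string and would hide the "no card" case.)
num_of_netcard=$(printf '%s\n' "$netcard" | grep -c .)

#######################################
# Show the chosen card, ask for confirmation, allow one retyped name.
# Arguments: $1 - what to do if the retry is rejected too: "exit" (status 2)
#                 or anything else (shell_abort)
# Globals:   netcard (read and possibly rewritten)
#######################################
function confirm_netcard() {
    echo -e "Network card: $netcard"
    echo -e "Please confirm: [Yes/no]\c"
    yes_or_no && return 0
    echo -e "\033[31mPlease type again:\033[0m\c"
    read -r netcard
    echo -e "Network card: $netcard"
    echo -e "Please confirm: [Yes/no]\c"
    yes_or_no && return 0
    if [ "$1" = exit ]; then
        echo -e "\033[31mInstalling abort.\033[0m"
        exit 2
    fi
    shell_abort "Network card detect"
}

if [ "$num_of_netcard" -eq 1 ]; then
    echo -e "\nFind one netcard \033[31m$netcard\033[0m, make it default? [Yes/no]:\c"
    if ! yes_or_no; then
        echo -e "Type your own:\c"
        read -r netcard
    fi
    confirm_netcard exit
elif [ "$num_of_netcard" -gt 1 ]; then
    echo -e "\nMore than \033[31m1\033[0m Network card detected:"
    i=0
    while IFS= read -r card; do
        i=$((i + 1))
        echo "$i $card"
    done <<<"$netcard"
    echo -e "Please make a choice \033[31m[default: 1]\033[0m:\c"
    read -r which_netcard
    count=1
    # Accept empty (default) or an integer in 1..num_of_netcard; the regex keeps
    # non-numeric input from reaching the arithmetic tests. Give up after 5 tries.
    until [[ -z $which_netcard || ( $which_netcard =~ ^[0-9]+$ && $which_netcard -le $num_of_netcard && $which_netcard -gt 0 ) ]]; do
        echo -e "Input error, repeat:\c"
        read -r which_netcard
        count=$((count + 1))
        if [ "$count" -ge 5 ]; then
            shell_abort "Network card detect"
        fi
    done
    [ -z "$which_netcard" ] && which_netcard=1
    netcard=$(printf '%s\n' "$netcard" | sed -n "${which_netcard}p")
    echo -e "\nNetwork card: $netcard"
    echo -e "Please confirm: [Yes/no]\c"
    yes_or_no || shell_abort "Network card detect"
else
    echo -e "\nNo netcard detected, type manual:\c"
    read -r netcard
    confirm_netcard abort
fi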
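# IPv4 address bound to the chosen card. The awk pattern accepts both the
# classic "inet addr:1.2.3.4" and the newer "inet 1.2.3.4" ifconfig layouts and
# keeps only the first match. Only emptiness is tested: a pipeline's $? is awk's
# status, not ifconfig's, so it says nothing about a missing interface.
ip_addr=$(ifconfig "$netcard" 2>/dev/null | awk '/inet / { sub(/^addr:/, "", $2); print $2; exit }')
[[ -z $ip_addr ]] && shell_abort "IP addr configure"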
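# Network test: offer the apt mirror with the lower round-trip time.
codename=$(lsb_release -c 2>/dev/null | awk '{print $2}')
# An empty codename would write an unusable sources.list below.
[ -z "$codename" ] && shell_abort "Detect Debian codename"

#######################################
# Average round-trip time to a host in whole milliseconds.
# Prints 9999 when the host does not answer so the comparison below still
# has two integers instead of failing on an empty operand.
# Arguments: $1 - host name
#######################################
function avg_rtt_ms() {
    local rtt
    rtt=$(ping "$1" -c 3 -W 0.5 2>/dev/null | grep rtt | awk -F '=' '{print $2}' | awk -F '/' '{print $2}' | awk -F '.' '{print $1}')
    printf '%s\n' "${rtt:-9999}"
}

echo -e "\nNetwork analysis..."
ping_time_debian=$(avg_rtt_ms www.debian.org)
ping_time_163=$(avg_rtt_ms www.163.com)
# Plain http mirrors are acceptable: apt verifies the signed Release files.
if [ "$ping_time_debian" -ge "$ping_time_163" ]; then
    echo -e "163 open source mirror is recommended,\c"
    echo -e " is this what you expected [Yes/no]?\c"
    if yes_or_no; then
        cp /etc/apt/sources.list /etc/apt/sources.list.bak 2>/dev/null
        cat > /etc/apt/sources.list << EOF
deb http://mirrors.163.com/debian/ $codename main contrib non-free
deb-src http://mirrors.163.com/debian $codename main contrib non-free
deb http://mirrors.163.com/debian/ $codename-proposed-updates main contrib non-free
deb-src http://mirrors.163.com/debian/ $codename-proposed-updates main contrib non-free
deb http://mirrors.163.com/debian/ $codename-updates main contrib non-free
deb-src http://mirrors.163.com/debian/ $codename-updates main contrib non-free
deb http://mirrors.163.com/debian-security/ $codename/updates main contrib non-free
deb-src http://mirrors.163.com/debian-security/ $codename/updates main contrib non-free
EOF
    fi
else
    echo -e "Debian official mirror is recommended, \c"
    echo -e "is this what you expected [Yes/no]?\c"
    if yes_or_no; then
        cp /etc/apt/sources.list /etc/apt/sources.list.bak 2>/dev/null
        cat > /etc/apt/sources.list << EOF
deb http://http.us.debian.org/debian/ $codename main
deb-src http://http.us.debian.org/debian/ $codename main
deb http://security.debian.org/ $codename/updates main
deb-src http://security.debian.org/ $codename/updates main
# $codename-updates, previously known as 'volatile'
deb http://http.us.debian.org/debian/ $codename-updates main
deb-src http://http.us.debian.org/debian/ $codename-updates main
deb http://http.debian.net/debian $codename-backports main
EOF
    fi
fi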
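# install necessary programs and library
echo -e "\nApt sources changed, updating system..."
apt-get update 1>/dev/null 2>&1 || shell_abort "apt-get update"
# build dependencies for virt-what and strongswan, plus the L2TP daemon and PPP
apt-get install -y libpam0g-dev libssl-dev make gcc ppp xl2tpd 1>/dev/null 2>&1 \
    || shell_abort "apt-get install"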
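# download VPN-test tools (virt-what reports the virtualization type)
# NOTE(review): this tarball is fetched over plain http and is neither checksum-
# nor signature-verified before being compiled and installed as root. Pin a
# digest verified out of band before using this on a production host.
wget http://people.redhat.com/~rjones/virt-what/files/virt-what-1.15.tar.gz 1>/dev/null 2>&1 \
    || shell_abort "Download VPN-test tools"
# Best effort: if the build fails the operator is asked about OpenVZ below,
# so only log the failure instead of aborting.
tar -xf virt-what-1.15.tar.gz 1>/dev/null 2>&1 \
    && cd virt-what-1.15 2>/dev/null \
    && ./configure 1>/dev/null 2>&1 \
    && make 1>/dev/null 2>&1 \
    && make install 1>/dev/null 2>&1 \
    || rlog 1 "Install VPN-test tools"
# back to the work place so later downloads do not land inside the source tree
cd "$home" || shell_abort "Enter work place"

vps_type=$(virt-what 2>/dev/null)
echo -e "\nVPS type: $vps_type"
echo -e "Please confirm: [Yes/no]\c"
if ! yes_or_no; then
    echo -e "\nIs your VPS type OpenVZ? [Yes/no]:\c"
    yes_or_no && vps_type=openvz
fi
# On OpenVZ the author builds strongswan with its userland IPsec backend.
config_parameter=''
[ "$vps_type" = "openvz" ] && config_parameter="--enable-kernel-libipsec"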
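# download strongswan
echo -e "\nDownload and install strongswan..."
# TLS verification is left on: with certificate checks disabled, anyone on the
# network path could swap the tarball that is compiled and installed as root
# below. Verifying the project's published release signature before building
# is the stronger check. 5.2.2 is an old pinned release; review the version
# before deploying.
wget https://download.strongswan.org/strongswan-5.2.2.tar.gz 1>/dev/null 2>&1 \
    || shell_abort "Download strongswan"
tar -xf strongswan-5.2.2.tar.gz 1>/dev/null 2>&1 || shell_abort "Unpack strongswan"
cd strongswan-5.2.2 2>/dev/null || shell_abort "Unpack strongswan"
echo -e "\nConfigure strongswan..."
# $config_parameter is intentionally unquoted: it is empty or a single flag,
# and an empty quoted argument would be passed to configure.
# shellcheck disable=SC2086
./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 \
    --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
    --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius \
    --enable-xauth-eap --enable-xauth-pam --enable-dhcp \
    --enable-openssl --enable-addrblock --enable-unity \
    --enable-certexpire --enable-radattr --enable-tools \
    --disable-gmp $config_parameter 1>/dev/null 2>&1 \
    || shell_abort "Configure Strongswan"
echo -e "\nCompile strongswan..."
make 1>/dev/null 2>&1 && make install 1>/dev/null 2>&1 || shell_abort "Compile strongswan"
ipsec --version 1>/dev/null 2>&1 || shell_abort "Strongswan install"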
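# certificate configuration
echo -e "\nCertificate configure..."
cd "$home" || shell_abort "Enter work place"
# Private keys are written to the work place; make them owner-only whatever
# umask the operator's shell inherited. Restored at the end of this section.
old_umask=$(umask)
umask 077

# generate the private key of the CA certificate
ipsec pki --gen --outform pem > ca.pem || shell_abort "Generate CA key"
# sign CA certificate with the private key
ipsec pki --self --in ca.pem --dn "C=com, O=myvpn, CN=$ip_addr VPN CA" --ca --outform pem > ca.cert.pem \
    || shell_abort "Generate CA certificate"

# generate the private key needed by server certificate
ipsec pki --gen --outform pem > server.pem || shell_abort "Generate server key"
# sign server certificate with the CA certificate
# be sure the value of 'C' and 'O' is the same as the above
ipsec pki --pub --in server.pem \
    | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=com, O=myvpn, CN=$ip_addr" --san="$ip_addr" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem \
    || shell_abort "Generate server certificate"

# generate the private key needed by client certificate
ipsec pki --gen --outform pem > client.pem || shell_abort "Generate client key"
# sign client certificate with the CA certificate
# keep the value of 'C' and 'O' the same as the above
ipsec pki --pub --in client.pem \
    | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=com, O=myvpn, CN=$ip_addr VPN Client" --outform pem > client.cert.pem \
    || shell_abort "Generate client certificate"

# generate pkcs12 certificate; the export password protects the bundled client key
echo -e "You need a password for pkcs12."
# make sure the value of 'caname' is the same as the one in 'ca.cert.pem'
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "$ip_addr VPN CA" -out client.cert.p12 \
    || shell_abort "Generate pkcs12 certificate"

umask "$old_umask"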
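# define configuration directory of each program
# (strongswan built from source installs its configuration under /usr/local)
config_dir=/usr/local/etc

# copy certificate to configuration directory
echo -e "\nCopy certificate..."
cp ca.cert.pem "$config_dir/ipsec.d/cacerts/" || shell_abort "Copy CA certificate"
cp server.cert.pem "$config_dir/ipsec.d/certs/" || shell_abort "Copy server certificate"
cp server.pem "$config_dir/ipsec.d/private/" || shell_abort "Copy server key"
# The client certificate is needed on the server because the pubkey connections
# below pin the peer with rightcert=. The client's private key is not: it stays
# in $home for the pkcs12 bundle and is deliberately not installed here.
cp client.cert.pem "$config_dir/ipsec.d/certs/" || shell_abort "Copy client certificate"

echo -e "\nConfig ipsec, please wait."
cp -av "$config_dir/ipsec.conf" "$config_dir/ipsec.conf.bak" 1>/dev/null 2>&1
# Notes on the connections written below:
# - every pubkey connection uses the single shared client certificate
#   (rightcert=), so all users present the same identity and a single user
#   cannot be revoked on its own;
# - conn windows7 pins ike=aes256-sha1-modp1024!, a 1024-bit DH group kept for
#   client compatibility; prefer a larger group where clients allow it;
# - uniqueids=never lets several clients use one identity at the same time.
cat > "$config_dir/ipsec.conf" << EOF
config setup
    uniqueids=never

conn iOS_cert
    keyexchange=ikev1
    # strongswan version >= 5.0.2, compatible with iOS 6.0,6.0.1
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightauth2=xauth
    rightsourceip=10.31.2.0/24
    rightcert=client.cert.pem
    auto=add

conn android_xauth_psk
    keyexchange=ikev1
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth
    rightsourceip=10.31.2.0/24
    auto=add

conn networkmanager-strongswan
    keyexchange=ikev2
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightsourceip=10.31.2.0/24
    rightcert=client.cert.pem
    auto=add

conn windows7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    eap_identity=%any
    auto=add

# compatible with xl2tp
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    #pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
EOF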
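echo -e "\nConfigure Strongswan..."
cp -av "$config_dir/strongswan.conf" "$config_dir/strongswan.conf.bak" 1>/dev/null 2>&1
# The delimiter is quoted: nothing in this file should be shell-expanded.
# dns1/dns2 and nbns1/nbns2 are the resolvers pushed to connecting clients.
cat > "$config_dir/strongswan.conf" << 'EOF'
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
EOF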
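echo -e "\nConfigure ipsec secrets..."
# redirect to /dev/null (not the typo /dev/nul, which creates a stray file)
cp -av "$config_dir/ipsec.secrets" "$config_dir/ipsec.secrets.bak" 1>/dev/null 2>&1
# A double quote inside $psk, $xauth or $password would break the quoted fields.
cat > "$config_dir/ipsec.secrets" << EOF
: RSA server.pem
: PSK "$psk"
: XAUTH "$xauth"
$username %any: EAP "$password"
EOF
# The file and its backup hold the PSK and passwords in clear text.
chmod 600 "$config_dir/ipsec.secrets" "$config_dir/ipsec.secrets.bak" 2>/dev/null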
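echo -e "\nAdd PPP user..."
cp -av /etc/ppp/chap-secrets /etc/ppp/chap-secrets.bak 1>/dev/null 2>&1
# Replaces any existing PPP accounts with the single one entered above.
# A double quote inside $password would break the quoted secret field.
cat > /etc/ppp/chap-secrets << EOF
$username * "$password" *
EOF
# clear-text PPP secret: keep the file and its backup owner-only
chmod 600 /etc/ppp/chap-secrets /etc/ppp/chap-secrets.bak 2>/dev/null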
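echo -e "\nConfigure xl2tpd..."
# back up to a distinct name (copying the file onto itself leaves no backup)
cp -av /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.bak 1>/dev/null 2>&1
# Literal content, so the delimiter is quoted. The 192.168.1.0/24 pool here
# must match the FORWARD/MASQUERADE rules written later.
cat > /etc/xl2tpd/xl2tpd.conf << 'EOF'
[global]
ipsec saref = yes
[lns default]
ip range = 192.168.1.2-192.168.1.254
local ip = 192.168.1.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF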
echo -e "\nConfigure PPP..."
cp -av /etc/ppp/options.xl2tpd /etc/ppp/options.xl2tpd.bak 1>/dev/null 2>&1
# pppd options for the xl2tpd tunnel; no shell expansion wanted, so the
# delimiter is quoted. MS-CHAPv2 is required; DNS servers are pushed to clients.
cat > /etc/ppp/options.xl2tpd << 'EOF'
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
EOF
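echo -e "\nConfigure ip forward..."
echo 1 > /proc/sys/net/ipv4/ip_forward

#######################################
# Persist a command in /etc/rc.local exactly once.
# Debian's stock rc.local ends with `exit 0`; a line appended after it never
# runs, so the command is inserted ahead of that exit when it is present.
# Arguments: $1 - the command line to add
#######################################
function rc_local_add() {
    grep -qxF -- "$1" /etc/rc.local 2>/dev/null && return 0
    if grep -qx 'exit 0' /etc/rc.local 2>/dev/null; then
        # cat > keeps rc.local's mode (it must stay executable)
        awk -v cmd="$1" '/^exit 0$/ && !done { print cmd; done = 1 } { print }' /etc/rc.local > /etc/rc.local.tmp \
            && cat /etc/rc.local.tmp > /etc/rc.local
        rm -f /etc/rc.local.tmp
    else
        printf '%s\n' "$1" >> /etc/rc.local
    fi
}

rc_local_add "echo 1 > /proc/sys/net/ipv4/ip_forward"
rc_local_add "ipsec start"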
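echo -e "\nConfigure iptables..."
# Address pools handed out above: 192.168.1.0/24 by xl2tpd and 10.31.2.0/24 by
# the strongswan rightsourceip= connections. Only those ranges are forwarded and
# masqueraded; forwarding unused ranges or adding a source-less MASQUERADE would
# make the host a NAT gateway for traffic it never issued addresses for.
# NOTE: rules are appended, so re-running the installer stacks duplicates —
# flush or review the chains before a second run.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.2.0/24 -j ACCEPT
# IKE (udp/500), NAT-T (udp/4500), L2TP (udp/1701) and ESP on the public card.
# This setup speaks IKE over UDP only and installs no PPTP daemon, so tcp/500
# and tcp/1723 stay closed.
iptables -A INPUT -i "$netcard" -p esp -j ACCEPT
iptables -A INPUT -i "$netcard" -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i "$netcard" -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i "$netcard" -p udp --dport 1701 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o "$netcard" -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o "$netcard" -j MASQUERADE
iptables-save > /etc/iptables.rules
# Reload the saved rules whenever an interface comes up.
cat > /etc/network/if-up.d/iptables << 'EOF'
#! /bin/bash
iptables-restore < /etc/iptables.rules
EOF
chmod +x /etc/network/if-up.d/iptables 1>/dev/null 2>&1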
# Final summary: the credentials are shown once here in clear text; the same
# values were written to ipsec.secrets and chap-secrets above.
printf '\nInstalling finished.\n'
printf '\nIP:\t\t\033[31m%s\033[0m\n' "$ip_addr"
printf 'USERNAME:\t\033[31m%s\033[0m\n' "$username"
printf 'PASSWORD:\t\033[31m%s\033[0m\n' "$password"
printf 'PSK:\t\t\033[31m%s\033[0m\n' "$psk"
printf 'XAUTH:\t\t\033[31m%s\033[0m\n' "$xauth"
printf '\nCertificate directory: \033[31m%s\033[0m\n' "$home"
printf "IOS 9+, please install '\033[31mca.cert.pem\033[0m' "
printf "and '\033[31mclient.cert.p12\033[0m', "
printf 'then add VPN use IPSec.\n'
printf 'Other OS, please search the internet.\n'
printf '\nEnjoy youself!\n'