#!/bin/bash
# Pin a predictable search path for every command the installer runs (system
# directories first, ~/bin last) and hand it down to child processes.
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
#=======================================================================#
# System Required: CentOS/RedHat 6+ / Debian 7+ / Ubuntu 12+ #
# Description: Auto Install L2TP VPN #
# Author: Teddysun <i@teddysun.com> #
# Intro: https://teddysun.com/448.html #
#=======================================================================#
# Directory the script was started from; downloads and the build tree go
# under "${cur_dir}/l2tp".
cur_dir=$(pwd)
# Pinned artifact names that download_file fetches from its mirror.
# The libevent2 RPMs are only pulled in on the CentOS 6 build path; libreswan
# is compiled from the matching tarball ("${libreswan_filename}.tar.gz").
libreswan_filename='libreswan-3.17'
libevent2_rpm_filename='libevent2-2.0.22-1.el6.x86_64.rpm'
libevent2_devel_rpm_filename='libevent2-devel-2.0.22-1.el6.x86_64.rpm'
rootness(){
  # Abort unless the effective user is root: every later step writes under
  # /etc and manipulates services and firewall rules.
  if (( EUID != 0 )); then
    printf '%s\n' "Error:This script must be run as root!" >&2
    exit 1
  fi
}
tunavailable(){
  # The TUN/TAP device node must exist (kernel module loaded, or exposed into
  # the container) before ppp/xl2tpd can bring up tunnels.
  [[ -e /dev/net/tun ]] && return
  printf '%s\n' "Error:TUN/TAP is not available!" >&2
  exit 1
}
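disable_selinux(){
  # Switch SELinux off, persistently (config file) and for the running kernel.
  # Only acts when the config currently says "enforcing"; "permissive" is left
  # as is. NOTE(review): this removes a host-wide hardening layer for the whole
  # box rather than adding a policy for ipsec/xl2tpd; the narrower fix would be
  # a policy module that keeps enforcement on.
  # grep -q: the old call printed the matched line to stdout as a side effect.
  if [ -s /etc/selinux/config ] && grep -q 'SELINUX=enforcing' /etc/selinux/config; then
    sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
    # setenforce is absent when the SELinux userland is not installed; the
    # config edit above still takes effect at next boot.
    if command -v setenforce >/dev/null 2>&1; then
      setenforce 0
    fi
  fi
}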
get_opsy(){
  # Print a human-readable OS name from the first release file that exists,
  # probing /etc/os-release, then /etc/lsb-release, then /etc/redhat-release.
  # Returns non-zero when none of them is present.
  if [[ -f /etc/os-release ]] && awk -F'[= "]' '/PRETTY_NAME/{print $3,$4,$5}' /etc/os-release; then
    return
  elif [[ -f /etc/lsb-release ]] && awk -F'[="]+' '/DESCRIPTION/{print $2}' /etc/lsb-release; then
    return
  elif [[ -f /etc/redhat-release ]] && awk '{print ($1,$3~/^[0-9]/?$3:$4)}' /etc/redhat-release; then
    return
  fi
  return 1
}
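get_os_info(){
  # Fill the global IP with the server's public IPv4 address and print a
  # hardware/OS summary. IP is later written into ipsec.conf, xl2tpd.conf and
  # the SNAT rule, so it must be the address clients will actually reach.
  # First choice: the first non-private, non-link-local address configured on
  # any interface (a host behind NAT has none); fallback: an external lookup.
  # Fixes vs. the previous version: only "inet" addresses are considered (the
  # old pattern could also pick up broadcast/netmask fields), 172.32.x is no
  # longer treated as private (RFC 1918 stops at 172.31), 169.254.x is skipped,
  # and the empty-IP test is quoted instead of relying on `[ -z ]` by accident.
  IP=$( ip -4 addr | grep -oE 'inet [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{print $2}' | grep -vE "^192\.168|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[01]\.|^10\.|^127\.|^169\.254\.|^255\.|^0\." | head -n 1 )
  if [ -z "${IP}" ]; then
    # Plain-HTTP lookup with a short timeout. A wrong answer here only yields a
    # wrong listen/left address in the generated configs; the summary printed
    # below is the operator's chance to notice.
    IP=$( wget -qO- -t1 -T2 ipv4.icanhazip.com )
  fi

  local cname cores freq tram swap up opsy arch lbit host kern
  cname=$( awk -F: '/model name/ {name=$2} END {print name}' /proc/cpuinfo | sed 's/^[ \t]*//;s/[ \t]*$//' )
  cores=$( awk -F: '/model name/ {core++} END {print core}' /proc/cpuinfo )
  freq=$( awk -F: '/cpu MHz/ {freq=$2} END {print freq}' /proc/cpuinfo | sed 's/^[ \t]*//;s/[ \t]*$//' )
  tram=$( free -m | awk '/Mem/ {print $2}' )
  swap=$( free -m | awk '/Swap/ {print $2}' )
  # /proc/uptime field 1 is seconds since boot; split into days, h:m:s.
  up=$( awk '{a=$1/86400;b=($1%86400)/3600;c=($1%3600)/60;d=$1%60} {printf("%ddays, %d:%d:%d\n",a,b,c,d)}' /proc/uptime )
  opsy=$( get_opsy )
  arch=$( uname -m )
  lbit=$( getconf LONG_BIT )
  host=$( hostname )
  kern=$( uname -r )

  echo "########## System Information ##########"
  echo ""
  echo "CPU model : ${cname}"
  echo "Number of cores : ${cores}"
  echo "CPU frequency : ${freq} MHz"
  echo "Total amount of ram : ${tram} MB"
  echo "Total amount of swap : ${swap} MB"
  echo "System uptime : ${up}"
  echo "OS : ${opsy}"
  echo "Arch : ${arch} (${lbit} Bit)"
  echo "Kernel : ${kern}"
  echo "Hostname : ${host}"
  echo "IPv4 address : ${IP}"
  echo ""
  echo "########################################"
}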
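check_sys(){
  # Answer a yes/no question about the host.
  #   check_sys sysRelease     <centos|debian|ubuntu>
  #   check_sys packageManager <yum|apt>
  # Returns 0 when the value matches what was detected, 1 otherwise. An unknown
  # checkType now returns 1 (it used to fall out of the if/elif with status 0).
  # Detection order is unchanged: /etc/redhat-release wins outright, then
  # /etc/issue and /proc/version are searched for debian, ubuntu, then the
  # Red Hat family. Missing files are skipped silently instead of letting
  # cat(1) print an error.
  local checkType=$1
  local value=$2
  local release='' systemPackage=''
  local src hint

  if [[ -f /etc/redhat-release ]]; then
    release="centos"
    systemPackage="yum"
  else
    for src in /etc/issue /proc/version; do
      [[ -r "$src" ]] || continue
      hint=$(<"$src")
      if grep -q -E -i "debian" <<<"$hint"; then
        release="debian"; systemPackage="apt"; break
      elif grep -q -E -i "ubuntu" <<<"$hint"; then
        release="ubuntu"; systemPackage="apt"; break
      elif grep -q -E -i "centos|red hat|redhat" <<<"$hint"; then
        release="centos"; systemPackage="yum"; break
      fi
    done
  fi

  case "${checkType}" in
    sysRelease)     [[ "$value" == "$release" ]] ;;
    packageManager) [[ "$value" == "$systemPackage" ]] ;;
    *)              return 1 ;;
  esac
}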
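rand(){
  # Print a 10-character random string drawn from [A-Za-z0-9] (same alphabet
  # and length as before). It becomes the default VPN password, so it is read
  # from the kernel CSPRNG instead of bash's $RANDOM, which is a 15-bit,
  # time/pid-seeded generator. Everything is local: the old version leaked the
  # globals index, str and arr into the caller.
  local str
  str=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 10)
  printf '%s\n' "${str}"
}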
is_64bit(){
  # True on an LP64 userland (32-bit int, 64-bit long), i.e. x86_64/aarch64
  # style systems; used to pick the amd64 vs i386 package set.
  local word_bits long_bits
  word_bits=$(getconf WORD_BIT)
  long_bits=$(getconf LONG_BIT)
  [[ "${word_bits}" == '32' && "${long_bits}" == '64' ]]
}
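download_file(){
  # Fetch "$1" from download_root_url into the current directory unless a
  # non-empty copy is already there. If "$2" is given it is the expected
  # SHA-256 of the file and is checked afterwards (also for a pre-existing
  # copy); a mismatch aborts. Exits 1 on a missing name, download failure or
  # checksum mismatch. Globals read: cur_dir (in the failure message only).
  # Without the optional checksum the archive is installed as root exactly as
  # received over plain HTTP from the mirror.
  local download_root_url="http://lamp.teddysun.com/files"
  local filename=$1
  local expected_sha256=${2:-}
  local actual_sha256

  if [ -z "${filename}" ]; then
    echo "download_file: no filename given" >&2
    exit 1
  fi

  if [ -s "${filename}" ]; then
    echo "${filename} [found]"
  else
    echo "${filename} not found!!!download now..."
    if ! wget -c -t3 -T60 "${download_root_url}/${filename}"; then
      echo "Failed to download ${filename}, please download it to ${cur_dir} directory manually and try again."
      exit 1
    fi
  fi

  if [ -n "${expected_sha256}" ]; then
    actual_sha256=$(sha256sum -- "${filename}" | awk '{print $1}')
    if [ "${actual_sha256}" != "${expected_sha256}" ]; then
      echo "Checksum mismatch for ${filename}: expected ${expected_sha256}, got ${actual_sha256}." >&2
      exit 1
    fi
  fi
}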
versionget(){
  # Print every dotted-number token from the release banner: /etc/redhat-release
  # when present and non-empty, otherwise /etc/issue. Exit status is grep's
  # (non-zero when nothing numeric was found).
  local src=/etc/issue
  [[ -s /etc/redhat-release ]] && src=/etc/redhat-release
  grep -oE "[0-9.]+" "${src}"
}
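centosversion(){
  # Return 0 when the host is CentOS and its major version equals "$1"
  # (e.g. `centosversion 7`); 1 otherwise, including on non-CentOS hosts.
  # Quoted comparisons: the old unquoted `[ ${main_ver} == ${code} ]` was a
  # syntax error whenever either side was empty.
  local code=${1:-}
  local version main_ver
  check_sys sysRelease centos || return 1
  # versionget may print several tokens (one per line); the first carries the
  # release, and its leading number is the major version.
  version=$(versionget | head -n 1)
  main_ver=${version%%.*}
  [ -n "${main_ver}" ] && [ "${main_ver}" = "${code}" ]
}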
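debianversion(){
  # Return 0 when the host is Debian and the digits of its PRETTY_NAME (as
  # printed by get_opsy) equal "$1", e.g. `debianversion 7`; 1 otherwise.
  # Quoted comparisons: the old unquoted test broke when main_ver was empty.
  local code=${1:-}
  local version main_ver
  check_sys sysRelease debian || return 1
  version=$(get_opsy)
  main_ver=$(printf '%s' "${version}" | sed 's/[^0-9]//g')
  [ -n "${main_ver}" ] && [ "${main_ver}" = "${code}" ]
}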
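version_check(){
  # Pre-flight check: refuse CentOS 5 on yum hosts. The diagnostic goes to
  # stderr like the other pre-flight errors (rootness, tunavailable).
  if check_sys packageManager yum && centosversion 5; then
    echo "Error:Not support CentOS 5, Please change your OS and try again." >&2
    exit 1
  fi
}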
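preinstall_l2tp(){
  # Interactively collect the VPN parameters into the globals the config
  # writers use: iprange, mypsk, username, password (IP must already be set by
  # get_os_info). Every answer ends up inside a config file (xl2tpd.conf,
  # ipsec.secrets, chap-secrets, iptables rules), so inputs are shape-checked:
  #   iprange  - three dotted numbers (the /24 prefix), default 192.168.18
  #   mypsk    - no whitespace or double quotes (it is written inside "...")
  #   username / password - no whitespace (chap-secrets is space-delimited)
  # The PSK default is now a fresh random value from rand() instead of a fixed
  # string that everyone running this script would share; the password default
  # was already random.
  local tmppsk tmppassword

  echo
  echo "Please input IP-Range:"
  while :; do
    read -r -p "(Default Range: 192.168.18):" iprange
    [ -z "${iprange}" ] && iprange="192.168.18"
    if [[ "${iprange}" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
      break
    fi
    echo "Invalid IP-Range (${iprange}), expected three dotted numbers such as 192.168.18"
  done

  mypsk=$(rand)
  echo "Please input PSK:"
  while :; do
    read -r -p "(Default PSK: ${mypsk}):" tmppsk
    if [ -z "${tmppsk}" ]; then
      break
    elif [[ "${tmppsk}" =~ [[:space:]\"] ]]; then
      echo "PSK can not contain whitespace or double quotes"
    else
      mypsk=${tmppsk}
      break
    fi
  done

  echo "Please input Username:"
  while :; do
    read -r -p "(Default Username: teddysun):" username
    [ -z "${username}" ] && username="teddysun"
    if [[ "${username}" =~ [[:space:]] ]]; then
      echo "Username can not contain whitespace"
    else
      break
    fi
  done

  password=$(rand)
  echo "Please input ${username}'s password:"
  while :; do
    read -r -p "(Default Password: ${password}):" tmppassword
    if [ -z "${tmppassword}" ]; then
      break
    elif [[ "${tmppassword}" =~ [[:space:]] ]]; then
      echo "Password can not contain whitespace"
    else
      password=${tmppassword}
      break
    fi
  done

  # Read one keypress from the controlling terminal (Ctrl+C aborts through the
  # terminal). Defined here, as before, which makes it global once this runs.
  get_char(){
    local savedstty
    savedstty=$(stty -g)
    stty -echo
    stty cbreak
    dd if=/dev/tty bs=1 count=1 2> /dev/null
    stty -raw
    stty echo
    stty "${savedstty}"
  }

  echo
  echo "ServerIP:${IP}"
  echo "Server Local IP:${iprange}.1"
  echo "Client Remote IP Range:${iprange}.2-${iprange}.254"
  echo "PSK:${mypsk}"
  echo
  echo "Press any key to start...or Press Ctrl+c to cancel"
  char=$(get_char)
}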
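install_l2tp(){
  # Install the L2TP/IPsec stack for the detected distro family.
  #   apt (Debian/Ubuntu): build dependencies from apt, xl2tpd, then libreswan
  #       from source via compile_install. Debian 7 additionally gets pinned
  #       NSS/NSPR .debs from the mirror first (presumably newer than its
  #       archive offers - confirm before changing the versions).
  #   yum: CentOS 7 uses the EPEL libreswan package and yum_install; CentOS 6
  #       installs build dependencies and uses compile_install.
  # Globals read: cur_dir.
  local deb_arch pkg
  local -a libnspr4_debs libnss3_debs

  # mknod failed noisily when the node already existed; only create it if
  # missing (some minimal images lack it - TODO confirm which).
  [ -e /dev/random ] || mknod /dev/random c 1 9

  if check_sys packageManager apt; then
    apt-get -y update
    if debianversion 7; then
      if is_64bit; then
        deb_arch="amd64"
      else
        deb_arch="i386"
      fi
      libnspr4_debs=(
        "libnspr4_4.10.7-1_${deb_arch}.deb"
        "libnspr4-0d_4.10.7-1_${deb_arch}.deb"
        "libnspr4-dev_4.10.7-1_${deb_arch}.deb"
        "libnspr4-dbg_4.10.7-1_${deb_arch}.deb"
      )
      libnss3_debs=(
        "libnss3_3.17.2-1.1_${deb_arch}.deb"
        "libnss3-1d_3.17.2-1.1_${deb_arch}.deb"
        "libnss3-tools_3.17.2-1.1_${deb_arch}.deb"
        "libnss3-dev_3.17.2-1.1_${deb_arch}.deb"
        "libnss3-dbg_3.17.2-1.1_${deb_arch}.deb"
      )
      # The old `[ ! -d dir ] && mkdir dir && cd dir` chain skipped the cd
      # whenever the directory already existed, leaving the .debs in cur_dir.
      mkdir -p "${cur_dir}/l2tp"
      cd "${cur_dir}/l2tp" || exit 1
      for pkg in "${libnspr4_debs[@]}" "${libnss3_debs[@]}"; do
        download_file "${pkg}"
      done
      dpkg -i "${libnspr4_debs[@]}"
      dpkg -i "${libnss3_debs[@]}"
      apt-get -y install wget gcc ppp flex bison make pkg-config libpam0g-dev libcap-ng-dev libcap-ng-utils libunbound-dev libevent-dev libcurl4-nss-dev
    else
      apt-get -y install wget gcc ppp flex bison make python libnss3-dev libnspr4-dev pkg-config libpam0g-dev libcap-ng-dev libcap-ng-utils libunbound-dev libnss3-tools libevent-dev libcurl4-nss-dev
    fi
    apt-get -y --no-install-recommends install xmlto
    apt-get -y install xl2tpd
    compile_install
  elif check_sys packageManager yum; then
    if centosversion 7; then
      yum -y install epel-release
      yum -y install ppp libreswan xl2tpd
      yum_install
    elif centosversion 6; then
      yum -y install epel-release
      yum -y install gcc gcc-c++ ppp iptables make gmp-devel xmlto bison flex libpcap-devel lsof
      yum -y install xl2tpd curl-devel nss-devel nspr-devel pkgconfig pam-devel unbound-devel libcap-ng-devel
      compile_install
    fi
  fi
}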
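# Emit the iptables-restore ruleset used when the host has no rules yet:
# keep established traffic, ICMP, loopback and SSH on 22, open the IKE/NAT-T/
# L2TP UDP ports, and forward + SNAT the VPN client subnet.
# Globals read: iprange, IP.
_l2tp_iptables_rules(){
  cat <<EOF
# Added by L2TP VPN script
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500,1701 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s ${iprange}.0/24 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${iprange}.0/24 -j SNAT --to-source ${IP}
COMMIT
EOF
}

# Insert the VPN rules into a ruleset the host already had.
# Globals read: iprange, IP.
_l2tp_iptables_live_rules(){
  iptables -I INPUT -p udp -m multiport --dports 500,4500,1701 -j ACCEPT
  iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -I FORWARD -s "${iprange}.0/24" -j ACCEPT
  iptables -t nat -A POSTROUTING -s "${iprange}.0/24" -j SNAT --to-source "${IP}"
}

# Create libreswan's NSS database with an empty password if it is missing.
# The password file is a private mktemp file instead of a fixed name under
# the world-writable /var/tmp.
_l2tp_init_nss_db(){
  local pwfile
  if [ ! -f /etc/ipsec.d/cert9.db ]; then
    pwfile=$(mktemp) || exit 1
    echo > "${pwfile}"
    certutil -N -f "${pwfile}" -d /etc/ipsec.d
    rm -f -- "${pwfile}"
  fi
}

# Enable IPv4 forwarding and, on every IPv4 interface, turn off source
# routing, ICMP redirects and reverse-path filtering; persisted in
# /etc/sysctl.conf (backup kept as sysctl.conf.bak).
# NOTE(review): rp_filter=0 is what the script always set - presumably for
# asymmetric routing of VPN client traffic; it weakens anti-spoofing on the
# host, so confirm it is required for a given deployment.
_l2tp_sysctl_setup(){
  local each
  cp -pf /etc/sysctl.conf /etc/sysctl.conf.bak
  sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
  # Files without an "ip_forward = 0" line got nothing from the sed above;
  # later lines win in sysctl.conf, so appending is enough.
  grep -qE '^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
  # Glob instead of parsing ls output.
  for each in /proc/sys/net/ipv4/conf/*; do
    each=${each##*/}
    echo "net.ipv4.conf.${each}.accept_source_route=0" >> /etc/sysctl.conf
    echo "net.ipv4.conf.${each}.accept_redirects=0" >> /etc/sysctl.conf
    echo "net.ipv4.conf.${each}.send_redirects=0" >> /etc/sysctl.conf
    echo "net.ipv4.conf.${each}.rp_filter=0" >> /etc/sysctl.conf
  done
  sysctl -p
}

compile_install(){
  # Build libreswan from the pinned tarball, write the IPsec/xl2tpd/ppp
  # configuration, open the firewall and enable the services. Used on
  # CentOS 6 and Debian/Ubuntu (CentOS 7 takes the yum_install path).
  # Globals read: cur_dir, libreswan_filename, libevent2_rpm_filename,
  # libevent2_devel_rpm_filename, IP, mypsk, iprange, username, password.
  # Exits 1 when the build tree cannot be entered or ipsec does not run
  # after `make install`.
  mkdir -p "${cur_dir}/l2tp"
  cd "${cur_dir}/l2tp" || exit 1
  download_file "${libreswan_filename}.tar.gz"
  tar -zxf "${libreswan_filename}.tar.gz"

  if centosversion 6; then
    download_file "${libevent2_rpm_filename}"
    download_file "${libevent2_devel_rpm_filename}"
    rpm -ivh --force "${libevent2_rpm_filename}" "${libevent2_devel_rpm_filename}"
  fi

  cd "${cur_dir}/l2tp/${libreswan_filename}" || exit 1
  # Empty WERROR_CFLAGS: presumably keeps compiler warnings from failing the
  # 3.17 build on newer toolchains - confirm against the libreswan Makefile.
  echo "WERROR_CFLAGS =" > Makefile.inc.local
  make programs && make install

  if ! /usr/local/sbin/ipsec --version >/dev/null 2>&1; then
    echo "${libreswan_filename} install failed."
    exit 1
  fi

  # ipsec.conf: parameter lines inside a section must be indented; a line
  # starting in column 0 begins a new section.
  cat > /etc/ipsec.conf<<EOF
config setup
    nat_traversal=yes
    protostack=netkey
    oe=off
    interfaces="%defaultroute"
    dumpdir=/var/run/pluto/
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=${IP}
    leftid=${IP}
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
EOF

  # The PSK and the CHAP secrets are credentials: restrict both files to root
  # (cat > creates them with the default umask, typically world-readable).
  cat > /etc/ipsec.secrets<<EOF
${IP} %any: PSK "${mypsk}"
EOF
  chmod 600 /etc/ipsec.secrets

  cat > /etc/xl2tpd/xl2tpd.conf<<EOF
[global]
listen-addr = ${IP}
[lns default]
ip range = ${iprange}.2-${iprange}.254
local ip = ${iprange}.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF

  cat > /etc/ppp/options.xl2tpd<<EOF
ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
auth
crtscts
hide-password
idle 1800
mtu 1410
mru 1410
nodefaultroute
name l2tpd
debug
lock
proxyarp
connect-delay 5000
EOF

  cat > /etc/ppp/chap-secrets<<EOF
# Secrets for authentication using CHAP
# client server secret IP addresses
${username} l2tpd ${password} *
EOF
  chmod 600 /etc/ppp/chap-secrets

  _l2tp_sysctl_setup

  if centosversion 6; then
    [ -f /etc/sysconfig/iptables ] && cp -pf /etc/sysconfig/iptables "/etc/sysconfig/iptables.old.$(date +%Y%m%d)"

    # No rule lines in the live table: install a complete ruleset; otherwise
    # splice the VPN rules into what is there.
    if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ]; then
      _l2tp_iptables_rules > /etc/sysconfig/iptables
    else
      _l2tp_iptables_live_rules
      /etc/init.d/iptables save
    fi

    _l2tp_init_nss_db

    chkconfig --add iptables
    chkconfig iptables on
    chkconfig --add ipsec
    chkconfig ipsec on
    chkconfig --add xl2tpd
    chkconfig xl2tpd on

    /etc/init.d/iptables restart
    /etc/init.d/ipsec start
    /etc/init.d/xl2tpd start
  else
    [ -f /etc/iptables.rules ] && cp -pf /etc/iptables.rules "/etc/iptables.rules.old.$(date +%Y%m%d)"

    if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ]; then
      _l2tp_iptables_rules > /etc/iptables.rules
    else
      _l2tp_iptables_live_rules
      /sbin/iptables-save > /etc/iptables.rules
    fi

    # Reload the saved rules whenever an interface comes up.
    cat > /etc/network/if-up.d/iptables <<EOF
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.rules
EOF
    chmod +x /etc/network/if-up.d/iptables

    _l2tp_init_nss_db

    update-rc.d xl2tpd defaults
    # Append to rc.local, keeping "exit 0" last. A host without rc.local gets
    # a minimal executable one instead of a shebang-less, non-executable file.
    if [ -f /etc/rc.local ]; then
      cp -f /etc/rc.local "/etc/rc.local.old.$(date +%Y%m%d)"
      sed --follow-symlinks -i -e '/^exit 0/d' /etc/rc.local
    else
      printf '#!/bin/sh\n' > /etc/rc.local
      chmod +x /etc/rc.local
    fi
    cat >> /etc/rc.local <<EOF

# Added by L2TP VPN script
/usr/sbin/service ipsec start
echo 1 > /proc/sys/net/ipv4/ip_forward
exit 0
EOF
    echo 1 > /proc/sys/net/ipv4/ip_forward

    /sbin/iptables-restore < /etc/iptables.rules
    /usr/sbin/service ipsec start
    /usr/sbin/service xl2tpd restart
  fi
}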
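# Open the VPN services in firewalld persistently and reload it.
_l2tp_firewalld_open(){
  firewall-cmd --permanent --add-service=ipsec
  firewall-cmd --permanent --add-service=xl2tpd
  firewall-cmd --permanent --add-masquerade
  firewall-cmd --reload
}

yum_install(){
  # CentOS 7 path (packaged libreswan): write the IPsec/xl2tpd/ppp
  # configuration, tune sysctl, open firewalld and enable the systemd units.
  # Globals read: IP, mypsk, iprange, username, password.
  # The old `rm -f` before each `cat >` was redundant (the redirect truncates)
  # and has been dropped; the secret-bearing files are chmod 600 afterwards.
  local each

  # ipsec.conf: parameter lines inside a section must be indented; a line
  # starting in column 0 begins a new section.
  cat > /etc/ipsec.conf<<EOF
config setup
    nat_traversal=yes
    protostack=netkey
    oe=off
    interfaces="%defaultroute"
    dumpdir=/var/run/pluto/
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=${IP}
    leftid=${IP}
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
EOF

  cat > /etc/ipsec.secrets<<EOF
${IP} %any: PSK "${mypsk}"
EOF
  chmod 600 /etc/ipsec.secrets

  cat > /etc/xl2tpd/xl2tpd.conf<<EOF
[global]
listen-addr = ${IP}
[lns default]
ip range = ${iprange}.2-${iprange}.254
local ip = ${iprange}.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF

  cat > /etc/ppp/options.xl2tpd<<EOF
ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
auth
crtscts
hide-password
idle 1800
mtu 1410
mru 1410
nodefaultroute
name l2tpd
debug
lock
proxyarp
connect-delay 5000
EOF

  cat > /etc/ppp/chap-secrets<<EOF
# Secrets for authentication using CHAP
# client server secret IP addresses
${username} l2tpd ${password} *
EOF
  chmod 600 /etc/ppp/chap-secrets

  cp -pf /etc/sysctl.conf /etc/sysctl.conf.bak

  # Append the sysctl block once; re-running the installer used to append a
  # duplicate copy every time. rp_filter=0 is what the script always set -
  # presumably for asymmetric routing of VPN client traffic; it weakens
  # anti-spoofing on the host, so confirm it is required.
  if ! grep -q '^# Added by L2TP VPN$' /etc/sysctl.conf; then
    echo "# Added by L2TP VPN" >> /etc/sysctl.conf
    echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
    echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.conf
    echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> /etc/sysctl.conf
    # Glob instead of parsing ls output.
    for each in /proc/sys/net/ipv4/conf/*; do
      each=${each##*/}
      echo "net.ipv4.conf.${each}.accept_source_route=0" >> /etc/sysctl.conf
      echo "net.ipv4.conf.${each}.accept_redirects=0" >> /etc/sysctl.conf
      echo "net.ipv4.conf.${each}.send_redirects=0" >> /etc/sysctl.conf
      echo "net.ipv4.conf.${each}.rp_filter=0" >> /etc/sysctl.conf
    done
  fi
  sysctl -p

  # firewalld service definition for xl2tpd (ipsec is a stock service).
  # NOTE: /usr/lib/firewalld/services is the package-owned tree; locally
  # defined services normally belong in /etc/firewalld/services.
  cat > /usr/lib/firewalld/services/xl2tpd.xml<<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>xl2tpd</short>
<description>L2TP IPSec</description>
<port protocol="udp" port="4500"/>
<port protocol="udp" port="1701"/>
</service>
EOF

  if systemctl status firewalld > /dev/null 2>&1; then
    _l2tp_firewalld_open
  else
    echo "Firewalld looks like not running, try to start..."
    if systemctl start firewalld; then
      echo "Firewalld start success..."
      _l2tp_firewalld_open
    else
      echo "Try to start firewalld failed. please enable port 500 4500 manually if necessary."
    fi
  fi

  systemctl enable ipsec
  systemctl enable xl2tpd
  systemctl restart ipsec
  systemctl restart xl2tpd
  echo "confirm ipsec status..."
  systemctl -a | grep ipsec
  echo "confirm xl2tpd status..."
  systemctl -a | grep xl2tpd
}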
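finally(){
  # Remove the build tree, let libreswan self-check, then print the connection
  # summary. Globals read: cur_dir, IP, mypsk, username, password.
  # The summary contains the PSK and password; in the install path stdout is
  # also tee'd into /root/l2tp.log, so that file holds credentials too.
  cd "${cur_dir}" || echo "Warning: cannot cd to ${cur_dir}" >&2
  # Quoted and guarded: the old unquoted `rm -fr ${cur_dir}/l2tp` would split
  # a path containing spaces, and ${cur_dir:?} refuses to run on an empty
  # value (which would have meant "rm -fr /l2tp").
  rm -rf -- "${cur_dir:?}/l2tp"

  echo "Please wait a moment..."
  sleep 5
  ipsec verify
  echo
  echo "###############################################################"
  echo "# Auto Install L2TP VPN for your Server #"
  echo "# System Required: CentOS/RadHat 6+ / Debian 7+ / Ubuntu 12+ #"
  echo "# Intro: https://teddysun.com/448.html #"
  echo "# Author: Teddysun <i@teddysun.com> #"
  echo "###############################################################"
  echo "If there are no [FAILED] above, then you can connect to your"
  echo "L2TP VPN Server with the default Username/Password is below:"
  echo
  echo "ServerIP:${IP}"
  echo "PSK:${mypsk}"
  echo "Username:${username}"
  echo "Password:${password}"
  echo
  echo "If you want to add users, please modify"
  echo "/etc/ppp/chap-secrets and add it."
  echo "Welcome to visit https://teddysun.com/448.html"
  echo "Enjoy it!"
  echo
}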
l2tp(){
  # Full install flow: banner, pre-flight checks, system summary, interactive
  # parameters, package/config install, final summary. Order matters: the
  # checks exit early, get_os_info sets IP, preinstall_l2tp sets the rest.
  clear
  echo
  cat <<'EOF'
###############################################################
# Auto Install L2TP VPN for your Server #
# System Required: CentOS/RadHat 6+ / Debian 7+ / Ubuntu 12+ #
# Intro: https://teddysun.com/448.html #
# Author: Teddysun <i@teddysun.com> #
###############################################################
EOF
  echo
  rootness
  tunavailable
  disable_selinux
  version_check
  get_os_info
  preinstall_l2tp
  install_l2tp
  finally
}
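list_users(){
  # Print the username (first column) of every non-comment, non-empty line of
  # the CHAP secrets file. "$1" optionally overrides the file path (default
  # /etc/ppp/chap-secrets), which keeps the existing no-argument call intact.
  # Exits 1 when the file is missing. Blank lines used to be printed as empty
  # usernames; they are skipped now.
  local secrets=${1:-/etc/ppp/chap-secrets}
  if [ ! -f "${secrets}" ]; then
    echo "Error: ${secrets} file not found." >&2
    exit 1
  fi
  echo "========== Users List =========="
  awk '!/^[[:space:]]*#/ && NF { print $1 }' "${secrets}"
  echo "================================"
}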
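add_user(){
  # Interactively append a CHAP user to the secrets file. "$1" optionally
  # overrides the file path (default /etc/ppp/chap-secrets).
  # Existence is checked on the first column only: the old `grep -w` matched
  # the name anywhere on a line, so a name equal to someone's password (or to
  # "l2tpd") was rejected as "already exists". Names and passwords may not
  # contain whitespace because the file is whitespace-delimited.
  local secrets=${1:-/etc/ppp/chap-secrets}
  local user pass tmppass

  while :; do
    read -r -p "Please input your Username:" user
    if [ -z "${user}" ]; then
      echo "Username can not be empty"
    elif [[ "${user}" =~ [[:space:]] ]]; then
      echo "Username can not contain whitespace"
    elif awk -v u="${user}" '!/^[[:space:]]*#/ && $1 == u { found = 1; exit } END { exit !found }' "${secrets}" 2>/dev/null; then
      echo "Username (${user}) already exists. Please re-enter your username."
    else
      break
    fi
  done

  pass=$(rand)
  echo "Please input ${user}'s password:"
  while :; do
    read -r -p "(Default Password: ${pass}):" tmppass
    if [ -z "${tmppass}" ]; then
      break
    elif [[ "${tmppass}" =~ [[:space:]] ]]; then
      echo "Password can not contain whitespace"
    else
      pass=${tmppass}
      break
    fi
  done

  echo "${user} l2tpd ${pass} *" >> "${secrets}"
  echo "Username (${user}) add completed."
}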
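del_user(){
  # Interactively remove a CHAP user from the secrets file. "$1" optionally
  # overrides the file path (default /etc/ppp/chap-secrets).
  # Matching is an exact comparison of the first column: the old `grep -w`
  # found the name anywhere on a line (e.g. in the password column), and the
  # old sed expression interpreted the name as a regex, so a name containing
  # "/" broke the command. The name is passed to awk via -v and never parsed.
  local secrets=${1:-/etc/ppp/chap-secrets}
  local user tmp

  while :; do
    read -r -p "Please input Username you want to delete it:" user
    if [ -z "${user}" ]; then
      echo "Username can not be empty"
    elif awk -v u="${user}" '!/^[[:space:]]*#/ && $1 == u { found = 1; exit } END { exit !found }' "${secrets}" 2>/dev/null; then
      break
    else
      echo "Username (${user}) is not exists. Please re-enter your username."
    fi
  done

  # Rewrite in place via a temp file so the secrets file keeps its owner/mode.
  tmp=$(mktemp) || exit 1
  if awk -v u="${user}" '!(!/^[[:space:]]*#/ && $1 == u)' "${secrets}" > "${tmp}"; then
    cat "${tmp}" > "${secrets}"
  fi
  rm -f -- "${tmp}"
  echo "Username (${user}) delete completed."
}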
# Main process
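# Dispatch on the first argument; no argument means a full install.
action=${1:-install}
prog=$(basename -- "$0")

case "${action}" in
  install)
    # The log captures everything l2tp prints, including the final PSK /
    # username / password summary: create it root-only before tee appends.
    rm -f /root/l2tp.log
    ( umask 077 && : > /root/l2tp.log )
    l2tp 2>&1 | tee -a /root/l2tp.log
    ;;
  -l|--list)
    list_users
    ;;
  -a|--add)
    add_user
    ;;
  -d|--del)
    del_user
    ;;
  -h|--help)
    printf 'Usage: %s Install L2TP VPN Server\n' "${prog}"
    printf ' %s -l,--list List all users\n' "${prog}"
    printf ' %s -a,--add Add a user\n' "${prog}"
    printf ' %s -d,--del Delete a user\n' "${prog}"
    printf ' %s -h,--help Print this help information\n' "${prog}"
    ;;
  *)
    # Usage errors go to stderr with a non-zero status (previously exit 0).
    printf 'Usage: %s [-l,--list|-a,--add|-d,--del|-h,--help]\n' "${prog}" >&2
    exit 1
    ;;
esac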