Remove CentOS 6

- CentOS 6 was EOL as of Nov. 30, 2020, and the default yum repos are
  no longer available for installing new packages
  Ref: https://wiki.centos.org/About/Product
hwdsl2 2020-12-02 23:40:54 -06:00
parent 26d5b30434
commit 41142ee915
5 changed files with 41 additions and 100 deletions


@ -249,12 +249,11 @@ jobs:
if: github.repository_owner == 'hwdsl2'
strategy:
matrix:
os_version: ["ubuntu:20.04", "ubuntu:18.04", "debian:10", "debian:9", "centos:6"]
os_version: ["ubuntu:20.04", "ubuntu:18.04", "debian:10", "debian:9"]
fail-fast: false
container:
image: ${{ matrix.os_version }}
env:
OS_VERSION: ${{ matrix.os_version }}
EVENT_NAME: ${{ github.event_name }}
options: --privileged -v /lib/modules:/lib/modules:ro
steps:
@ -269,28 +268,16 @@ jobs:
cd /opt/src
echo "# hwdsl2" > run.sh
OS_NAME=$(echo "$OS_VERSION" | head -c6)
if [ "$OS_NAME" = "centos" ]; then
yum -y update
yum -y -q install wget rsyslog
service rsyslog start
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-centos
else
export DEBIAN_FRONTEND=noninteractive
apt-get -yq update
apt-get -yq dist-upgrade
apt-get -yq install wget rsyslog
service rsyslog start
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup
fi
export DEBIAN_FRONTEND=noninteractive
apt-get -yq update
apt-get -yq dist-upgrade
apt-get -yq install wget rsyslog
service rsyslog start
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup
sh vpnsetup.sh
sleep 5
if [ "$OS_NAME" = "centos" ]; then
sed -i '/^logtarget/d' /etc/fail2ban/fail2ban.conf
echo "logtarget = /var/log/fail2ban.log" >> /etc/fail2ban/fail2ban.conf
fi
service fail2ban restart
sleep 5
netstat -anpu | grep pluto
@ -299,17 +286,10 @@ jobs:
iptables -nL | grep -q '192\.168\.42\.0/24'
iptables -nL -t nat
iptables -nL -t nat | grep -q '192\.168\.43\.0/24'
if [ "$OS_NAME" = "centos" ]; then
grep pluto /var/log/secure
grep pluto /var/log/secure | grep -q 'added IKEv1 connection "l2tp-psk"'
grep pluto /var/log/secure | grep -q 'added IKEv1 connection "xauth-psk"'
grep xl2tpd /var/log/messages
else
grep pluto /var/log/auth.log
grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "l2tp-psk"'
grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "xauth-psk"'
grep xl2tpd /var/log/syslog
fi
grep pluto /var/log/auth.log
grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "l2tp-psk"'
grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "xauth-psk"'
grep xl2tpd /var/log/syslog
cat /var/log/fail2ban.log
grep -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log
@ -339,13 +319,8 @@ jobs:
ls -ld /etc/ipsec.d/ikev2vpnca*.cer
ls -ld /etc/ipsec.d/vpnclient*.p12
sleep 10
if [ "$OS_NAME" = "centos" ]; then
grep pluto /var/log/secure | tail -n 20
grep pluto /var/log/secure | grep -q 'added IKEv2 connection "ikev2-cp"'
else
grep pluto /var/log/auth.log | tail -n 20
grep pluto /var/log/auth.log | grep -q 'added IKEv2 connection "ikev2-cp"'
fi
grep pluto /var/log/auth.log | tail -n 20
grep pluto /var/log/auth.log | grep -q 'added IKEv2 connection "ikev2-cp"'
bash ikev2.sh <<ANSWERS
y
@ -356,32 +331,19 @@ jobs:
ls -ld /etc/ipsec.d/vpnclient2*.p12
if [ "$OS_NAME" = "centos" ]; then
sed -i '/pluto/d' /var/log/secure
pkill -HUP rsyslog
wget -t 3 -T 30 -nv -O vpnupgrade.sh https://git.io/vpnupgrade-centos
else
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
wget -t 3 -T 30 -nv -O vpnupgrade.sh https://git.io/vpnupgrade
fi
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
wget -t 3 -T 30 -nv -O vpnupgrade.sh https://git.io/vpnupgrade
sh vpnupgrade.sh <<ANSWERS
y
y
ANSWERS
sleep 10
if [ "$OS_NAME" = "centos" ]; then
grep pluto /var/log/secure
grep pluto /var/log/secure | grep -q 'added IKEv1 connection "l2tp-psk"'
grep pluto /var/log/secure | grep -q 'added IKEv1 connection "xauth-psk"'
grep pluto /var/log/secure | grep -q 'added IKEv2 connection "ikev2-cp"'
else
grep pluto /var/log/auth.log
grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "l2tp-psk"'
grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "xauth-psk"'
grep pluto /var/log/auth.log | grep -q 'added IKEv2 connection "ikev2-cp"'
fi
grep pluto /var/log/auth.log
grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "l2tp-psk"'
grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "xauth-psk"'
grep pluto /var/log/auth.log | grep -q 'added IKEv2 connection "ikev2-cp"'
ls -ld vpnsetup.sh
ls -ld ikev2.sh
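Review bot: The new-side `wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup` followed by `sh vpnsetup.sh` (and the same pattern for `vpnupgrade.sh` in the `-356,32 +331,19` hunk) executes whatever the short link resolves to at job time, with no integrity check, inside a container started with `--privileged`. If the job is meant to validate the commit being pushed, running the script from the checked-out tree, or fetching it by commit SHA and verifying a checksum before `sh`, would be both safer and a more accurate test. Separately, with every `[ "$OS_NAME" = "centos" ]` branch gone, `OS_NAME=$(echo "$OS_VERSION" | head -c6)` has no reader left in the visible hunks and can be dropped if nothing outside them uses it. The step body starts and ends outside these hunks.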


@ -53,17 +53,15 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
- 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持
- 可直接作为 Amazon EC2 实例创建时的用户数据使用
- 包含 `sysctl.conf` 优化设置,以达到更佳的传输性能
- 已测试: Ubuntu 20.04/18.04/16.04, Debian 10/9 和 CentOS 8/7/6
- 已测试: Ubuntu 20.04/18.04/16.04, Debian 10/9 和 CentOS 8/7
## 系统要求
一个新创建的 <a href="https://aws.amazon.com/ec2/" target="_blank">Amazon EC2</a> 实例,使用这些映像之一:
- <a href="https://cloud-images.ubuntu.com/locator/" target="_blank">Ubuntu 20.04 (Focal), 18.04 (Bionic) 或者 16.04 (Xenial)</a>
- <a href="https://wiki.debian.org/Cloud/AmazonEC2Image" target="_blank">Debian 10 (Buster)</a>[\*](#debian-10-note)<a href="https://wiki.debian.org/Cloud/AmazonEC2Image" target="_blank"> 或者 9 (Stretch)</a>
- <a href="https://wiki.centos.org/Cloud/AWS" target="_blank">CentOS 8 (x86_64)</a>
- <a href="https://aws.amazon.com/marketplace/pp/B00O7WM7QW" target="_blank">CentOS 7 (x86_64) with Updates</a>
- <a href="https://aws.amazon.com/marketplace/pp/B00NQAYLWO" target="_blank">CentOS 6 (x86_64) with Updates</a>
- <a href="https://aws.amazon.com/partners/redhat/faqs/" target="_blank">Red Hat Enterprise Linux (RHEL) 8, 7 或者 6</a>
- <a href="https://wiki.centos.org/Cloud/AWS" target="_blank">CentOS 8 或者 7</a>
- <a href="https://aws.amazon.com/partners/redhat/faqs/" target="_blank">Red Hat Enterprise Linux (RHEL) 8 或者 7</a>
请参见 <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#vpnsetup" target="_blank">详细步骤</a> 以及 <a href="https://aws.amazon.com/cn/ec2/pricing/" target="_blank">EC2 定价细节</a>。另外,你也可以使用 <a href="aws/README-zh.md" target="_blank">CloudFormation</a> 来快速部署。
@ -77,7 +75,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
<a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#gettingavps" target="_blank">**&raquo; 我想建立并使用自己的 VPN ,但是没有可用的服务器**</a>
高级用户可以在一个 $35 的 <a href="https://www.raspberrypi.org" target="_blank">Raspberry Pi</a> 上搭建 VPN 服务器。参见 <a href="https://blog.elasticbyte.net/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/" target="_blank">[1]</a> <a href="https://www.stewright.me/2018/07/create-a-raspberry-pi-vpn-server-using-l2tpipsec/" target="_blank">[2]</a>
高级用户可以在一个 $35 的 <a href="https://www.raspberrypi.org" target="_blank">Raspberry Pi</a> 上搭建 VPN 服务器。参见 <a href="https://elasticbyte.net/posts/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/" target="_blank">[1]</a> <a href="https://www.stewright.me/2018/07/create-a-raspberry-pi-vpn-server-using-l2tpipsec/" target="_blank">[2]</a>
<a name="debian-10-note"></a>
\* Debian 10 用户需要使用标准的 Linux 内核(而不是 "cloud" 版本)。更多信息请看 <a href="docs/clients-zh.md#debian-10-内核" target="_blank">这里</a>
@ -159,7 +157,7 @@ sh vpnsetup.sh
在 VPN 已连接时,客户端配置为使用 <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a>。如果偏好其它的域名解析服务,编辑 `/etc/ppp/options.xl2tpd``/etc/ipsec.conf` 并替换 `8.8.8.8``8.8.4.4`,然后重启服务器。高级用户可以在运行 VPN 脚本时定义 `VPN_DNS_SRV1``VPN_DNS_SRV2`(可选)。
使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 16.04-20.04, Debian 9-10 和 CentOS 6-8. Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`),然后运行 `service xl2tpd restart`
使用内核支持有助于提高 IPsec/L2TP 性能。它在[所有受支持的系统](#系统要求)上可用。Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`软件包,然后运行 `service xl2tpd restart`
如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。


@ -53,17 +53,15 @@ For other installation options and how to set up VPN clients, read the sections
- Encapsulates all VPN traffic in UDP - does not need ESP protocol
- Can be directly used as "user-data" for a new Amazon EC2 instance
- Includes `sysctl.conf` optimizations for improved performance
- Tested with Ubuntu 20.04/18.04/16.04, Debian 10/9 and CentOS 8/7/6
- Tested with Ubuntu 20.04/18.04/16.04, Debian 10/9 and CentOS 8/7
## Requirements
A newly created <a href="https://aws.amazon.com/ec2/" target="_blank">Amazon EC2</a> instance, from one of these images:
- <a href="https://cloud-images.ubuntu.com/locator/" target="_blank">Ubuntu 20.04 (Focal), 18.04 (Bionic) or 16.04 (Xenial)</a>
- <a href="https://wiki.debian.org/Cloud/AmazonEC2Image" target="_blank">Debian 10 (Buster)</a>[\*](#debian-10-note)<a href="https://wiki.debian.org/Cloud/AmazonEC2Image" target="_blank"> or 9 (Stretch)</a>
- <a href="https://wiki.centos.org/Cloud/AWS" target="_blank">CentOS 8 (x86_64)</a>
- <a href="https://aws.amazon.com/marketplace/pp/B00O7WM7QW" target="_blank">CentOS 7 (x86_64) with Updates</a>
- <a href="https://aws.amazon.com/marketplace/pp/B00NQAYLWO" target="_blank">CentOS 6 (x86_64) with Updates</a>
- <a href="https://aws.amazon.com/partners/redhat/faqs/" target="_blank">Red Hat Enterprise Linux (RHEL) 8, 7 or 6</a>
- <a href="https://wiki.centos.org/Cloud/AWS" target="_blank">CentOS 8 or 7</a>
- <a href="https://aws.amazon.com/partners/redhat/faqs/" target="_blank">Red Hat Enterprise Linux (RHEL) 8 or 7</a>
See <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#vpnsetup" target="_blank">detailed instructions</a> and <a href="https://aws.amazon.com/ec2/pricing/" target="_blank">EC2 pricing</a>. Alternatively, you can deploy rapidly using <a href="aws/README.md" target="_blank">CloudFormation</a>.
@ -77,7 +75,7 @@ This also includes Linux VMs in public clouds, such as <a href="https://blog.ls2
<a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#gettingavps" target="_blank">**&raquo; I want to run my own VPN but don't have a server for that**</a>
Advanced users can set up the VPN server on a $35 <a href="https://www.raspberrypi.org" target="_blank">Raspberry Pi</a>. See <a href="https://blog.elasticbyte.net/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/" target="_blank">[1]</a> <a href="https://www.stewright.me/2018/07/create-a-raspberry-pi-vpn-server-using-l2tpipsec/" target="_blank">[2]</a>.
Advanced users can set up the VPN server on a $35 <a href="https://www.raspberrypi.org" target="_blank">Raspberry Pi</a>. See <a href="https://elasticbyte.net/posts/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/" target="_blank">[1]</a> <a href="https://www.stewright.me/2018/07/create-a-raspberry-pi-vpn-server-using-l2tpipsec/" target="_blank">[2]</a>.
<a name="debian-10-note"></a>
\* Debian 10 users should use the standard Linux kernel (not the "cloud" version). Read more <a href="docs/clients.md#debian-10-kernel" target="_blank">here</a>.
@ -159,7 +157,7 @@ For servers with an external firewall (e.g. <a href="https://docs.aws.amazon.com
Clients are set to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`, then reboot your server. Advanced users can define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2` when running the VPN setup script.
Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 16.04-20.04, Debian 9-10 and CentOS 6-8. Ubuntu users: Install `linux-modules-extra-$(uname -r)` (or `linux-image-extra`), then run `service xl2tpd restart`.
Using kernel support could improve IPsec/L2TP performance. It is available on [all supported OS versions](#requirements). Ubuntu users should install the `linux-modules-extra-$(uname -r)` (or `linux-image-extra`) package, then run `service xl2tpd restart`.
To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server.


@ -22,8 +22,8 @@ exiterr2() { exiterr "'yum install' failed."; }
vpnupgrade() {
if ! grep -qs -e "release 6" -e "release 7" -e "release 8" /etc/redhat-release; then
echo "Error: This script only supports CentOS/RHEL 6, 7 and 8." >&2
if ! grep -qs -e "release 7" -e "release 8" /etc/redhat-release; then
echo "Error: This script only supports CentOS/RHEL 7 and 8." >&2
echo "For Ubuntu/Debian, use https://git.io/vpnupgrade" >&2
exit 1
fi
@ -146,10 +146,7 @@ REPO1='--enablerepo=*server-*optional*'
REPO2='--enablerepo=*releases-optional*'
REPO3='--enablerepo=PowerTools'
if grep -qs "release 6" /etc/redhat-release; then
yum -y remove libevent-devel
yum "$REPO1" "$REPO2" -y install libevent2-devel fipscheck-devel || exiterr2
elif grep -qs "release 7" /etc/redhat-release; then
if grep -qs "release 7" /etc/redhat-release; then
yum -y install systemd-devel || exiterr2
yum "$REPO1" "$REPO2" -y install libevent-devel fipscheck-devel || exiterr2
else
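Review bot: With the `release 6` arm removed, the `else` that closes this hunk is the implicit CentOS/RHEL 8 path, and it is only correct because the `release 7`/`release 8` guard in the first hunk has already rejected every other release. A one-line comment on that arm, such as `# CentOS/RHEL 8 (other releases are rejected by the check at the top)`, would keep that dependency visible the next time the guard changes. The same applies to the matching `if`/`else` in the setup script's `-156,16 +156,10` hunk. The `else` body lies outside the hunk.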


@ -1,6 +1,6 @@
#!/bin/sh
#
# Script for automatic setup of an IPsec VPN server on CentOS/RHEL 6-8.
# Script for automatic setup of an IPsec VPN server on CentOS/RHEL 7 and 8.
# Works on any dedicated server or virtual private server (VPS) except OpenVZ.
#
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
@ -49,8 +49,8 @@ check_ip() {
vpnsetup() {
if ! grep -qs -e "release 6" -e "release 7" -e "release 8" /etc/redhat-release; then
echo "Error: This script only supports CentOS/RHEL 6-8." >&2
if ! grep -qs -e "release 7" -e "release 8" /etc/redhat-release; then
echo "Error: This script only supports CentOS/RHEL 7 and 8." >&2
echo "For Ubuntu/Debian, use https://git.io/vpnsetup" >&2
exit 1
fi
@ -156,16 +156,10 @@ yum -y install nss-devel nspr-devel pkgconfig pam-devel \
yum "$REPO1" -y install xl2tpd || exiterr2
use_nft=0
if grep -qs "release 6" /etc/redhat-release; then
os_ver=6
yum -y remove libevent-devel
yum "$REPO2" "$REPO3" -y install libevent2-devel fipscheck-devel || exiterr2
elif grep -qs "release 7" /etc/redhat-release; then
os_ver=7
if grep -qs "release 7" /etc/redhat-release; then
yum -y install systemd-devel iptables-services || exiterr2
yum "$REPO2" "$REPO3" -y install libevent-devel fipscheck-devel || exiterr2
else
os_ver=8
if grep -qs "Red Hat" /etc/redhat-release; then
REPO4='--enablerepo=codeready-builder-for-rhel-8-*'
fi
@ -447,13 +441,7 @@ fi
bigecho "Enabling services on boot..."
if [ "$os_ver" = "6" ]; then
chkconfig iptables on
chkconfig fail2ban on
else
systemctl --now mask firewalld 2>/dev/null
fi
systemctl --now mask firewalld 2>/dev/null
if [ "$use_nft" = "1" ]; then
systemctl enable nftables fail2ban 2>/dev/null
else
@ -495,11 +483,9 @@ else
fi
# Fix xl2tpd if l2tp_ppp is unavailable
if [ "$os_ver" != "6" ]; then
if ! modprobe -q l2tp_ppp; then
sed -i '/^ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service
systemctl daemon-reload
fi
if ! modprobe -q l2tp_ppp; then
sed -i '/^ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service
systemctl daemon-reload
fi
mkdir -p /run/pluto
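Review bot: The now-unconditional `sed -i '/^ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service` edits a package-owned unit file, which a later update of the xl2tpd package would presumably overwrite, bringing back the `ExecStartPre` step on hosts where `modprobe -q l2tp_ppp` fails. A drop-in survives package updates: `mkdir -p /etc/systemd/system/xl2tpd.service.d` followed by `printf '[Service]\nExecStartPre=\n' > /etc/systemd/system/xl2tpd.service.d/override.conf` (the file name is illustrative), then the existing `systemctl daemon-reload`. If the in-place edit is kept, a comment noting that it must be re-applied after package updates would help. The enclosing block continues outside this hunk.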