Improve output

- Improve output for the VPN setup and upgrade scripts. The outputs
  of the scripts are now significantly reduced and only include the
  most useful information for users.
- Other minor cleanup
hwdsl2 2021-02-05 21:49:35 -06:00
parent 89eaacc0b8
commit 5779b2e6c8
7 changed files with 283 additions and 162 deletions


@ -263,17 +263,14 @@ EOF
show_start_message() {
bigecho "Starting IKEv2 setup in auto mode, using default options."
echo
}
show_add_client_message() {
bigecho "Adding a new IKEv2 client '$client_name', using default options."
echo
}
show_export_client_message() {
bigecho "Exporting existing IKEv2 client '$client_name', using default options."
echo
}
get_export_dir() {
@ -293,7 +290,7 @@ get_export_dir() {
}
get_server_ip() {
echo "Trying to auto discover IP of this server..."
bigecho "Trying to auto discover IP of this server..."
public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
check_ip "$public_ip" || public_ip=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
}
@ -453,6 +450,7 @@ enter_custom_dns() {
else
echo "Using Google Public DNS (8.8.8.8, 8.8.4.4)."
fi
echo
}
check_mobike_support() {
@ -492,8 +490,7 @@ check_mobike_support() {
fi
fi
echo
echo -n "Checking for MOBIKE support... "
echo -n "## Checking for MOBIKE support... "
if [ "$mobike_support" = "1" ]; then
echo "available"
else
@ -652,13 +649,38 @@ EOF
install_base64_uuidgen() {
if ! command -v base64 >/dev/null 2>&1 || ! command -v uuidgen >/dev/null 2>&1; then
bigecho "Installing required packages..."
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
export DEBIAN_FRONTEND=noninteractive
apt-get -yqq update || exiterr "'apt-get update' failed."
apt-get -yqq install coreutils uuid-runtime >/dev/null || exiterr "'apt-get install' failed."
(
set -x
apt-get -yqq update
) || exiterr "'apt-get update' failed."
fi
fi
if ! command -v base64 >/dev/null 2>&1; then
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
(
set -x
apt-get -yqq install coreutils >/dev/null
) || exiterr "'apt-get install' failed."
else
yum -yq install coreutils util-linux || exiterr "'yum install' failed."
(
set -x
yum -y -q install coreutils >/dev/null
) || exiterr "'yum install' failed."
fi
fi
if ! command -v uuidgen >/dev/null 2>&1; then
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
(
set -x
apt-get -yqq install uuid-runtime >/dev/null
) || exiterr "'apt-get install' failed."
else
(
set -x
yum -y -q install util-linux >/dev/null
) || exiterr "'yum install' failed."
fi
fi
}
@ -989,20 +1011,21 @@ EOF
apply_ubuntu1804_nss_fix() {
if [ "$os_type" = "ubuntu" ] && [ "$os_ver" = "bustersid" ] && [ "$os_arch" = "x86_64" ]; then
bigecho "Applying fix for NSS bug on Ubuntu 18.04..."
nss_url1="https://mirrors.kernel.org/ubuntu/pool/main/n/nss"
nss_url2="https://mirrors.kernel.org/ubuntu/pool/universe/n/nss"
nss_deb1="libnss3_3.49.1-1ubuntu1.5_amd64.deb"
nss_deb2="libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb"
nss_deb3="libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb"
if wget -t 3 -T 30 -nv -O "/tmp/$nss_deb1" "$nss_url1/$nss_deb1" \
&& wget -t 3 -T 30 -nv -O "/tmp/$nss_deb2" "$nss_url1/$nss_deb2" \
&& wget -t 3 -T 30 -nv -O "/tmp/$nss_deb3" "$nss_url2/$nss_deb3"; then
export DEBIAN_FRONTEND=noninteractive
export DEBIAN_FRONTEND=noninteractive
set -x
if wget -t 3 -T 30 -q -O "/tmp/libnss3.deb" "$nss_url1/$nss_deb1" \
&& wget -t 3 -T 30 -q -O "/tmp/libnss3-dev.deb" "$nss_url1/$nss_deb2" \
&& wget -t 3 -T 30 -q -O "/tmp/libnss3-tools.deb" "$nss_url2/$nss_deb3"; then
apt-get -yqq update
apt-get -yqq install "/tmp/$nss_deb1" "/tmp/$nss_deb2" "/tmp/$nss_deb3"
apt-get -yqq install "/tmp/libnss3.deb" "/tmp/libnss3-dev.deb" "/tmp/libnss3-tools.deb" >/dev/null
/bin/rm -f "/tmp/libnss3.deb" "/tmp/libnss3-dev.deb" "/tmp/libnss3-tools.deb"
fi
/bin/rm -f "/tmp/$nss_deb1" "/tmp/$nss_deb2" "/tmp/$nss_deb3"
{ set +x; } 2>&-
fi
}
@ -1010,7 +1033,7 @@ restart_ipsec_service() {
bigecho "Restarting IPsec service..."
mkdir -p /run/pluto
service ipsec restart
service ipsec restart 2>/dev/null
}
print_client_added_message() {
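Review bot: The NSS fix in `apply_ubuntu1804_nss_fix` downloads as root to fixed names in a world-writable directory (`wget ... -O "/tmp/libnss3.deb"` and its two siblings) and then hands those paths to `apt-get install`; a local user who pre-creates those files can influence what root writes to or installs, and swapping `/tmp/$nss_deb1` for a constant name does not change that. The `apt-get install` result is now also invisible, since its output goes to `/dev/null` and the status is not checked, so a failed fix is silent. I would download into a `mktemp -d` directory, keep a status check, and remove the directory on both paths. The function is shown whole in this hunk; sketch below.
```shell
export DEBIAN_FRONTEND=noninteractive
nss_tmp=$(mktemp -d) || exiterr "mktemp failed."
set -x
if wget -t 3 -T 30 -q -O "$nss_tmp/libnss3.deb" "$nss_url1/$nss_deb1" \
  && wget -t 3 -T 30 -q -O "$nss_tmp/libnss3-dev.deb" "$nss_url1/$nss_deb2" \
  && wget -t 3 -T 30 -q -O "$nss_tmp/libnss3-tools.deb" "$nss_url2/$nss_deb3"; then
  apt-get -yqq update
  apt-get -yqq install "$nss_tmp/libnss3.deb" "$nss_tmp/libnss3-dev.deb" "$nss_tmp/libnss3-tools.deb" >/dev/null \
    || echo "Warning: NSS fix could not be installed." >&2
fi
/bin/rm -rf "$nss_tmp"
{ set +x; } 2>&-
```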


@ -22,6 +22,7 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'apt-get install' failed."; }
bigecho() { echo "## $1"; }
vpnupgrade() {
@ -129,7 +130,6 @@ clear
cat <<EOF
Welcome! This script will build and install Libreswan on your server.
Additional packages required for compilation will also be installed.
It is intended for upgrading servers to a newer Libreswan version.
Current version: $ipsec_ver_short
@ -141,7 +141,6 @@ cat <<'EOF'
Note: This script will make the following changes to your VPN configuration:
- Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers
Your other VPN config files will not be modified.
EOF
@ -160,8 +159,7 @@ read -r response
case $response in
[yY][eE][sS]|[yY])
echo
echo "Please be patient. Setup is continuing..."
echo
bigecho "Please be patient. Setup is continuing..."
;;
*)
echo "Abort. No changes were made."
@ -173,25 +171,35 @@ esac
mkdir -p /opt/src
cd /opt/src || exit 1
# Update package index
bigecho "Installing required packages..."
export DEBIAN_FRONTEND=noninteractive
apt-get -yq update || exiterr "'apt-get update' failed."
(
set -x
apt-get -yqq update
) || exiterr "'apt-get update' failed."
(
set -x
apt-get -yqq install libnss3-dev libnspr4-dev pkg-config \
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev libnss3-tools libevent-dev libsystemd-dev \
flex bison gcc make wget sed >/dev/null
) || exiterr2
# Install necessary packages
apt-get -yq install libnss3-dev libnspr4-dev pkg-config \
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev libnss3-tools libevent-dev libsystemd-dev \
flex bison gcc make wget sed || exiterr2
bigecho "Downloading Libreswan..."
# Compile and install Libreswan
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
exit 1
fi
(
set -x
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF'
@ -216,16 +224,19 @@ if [ "$SWAN_VER" != "3.32" ]; then
fi
NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base
(
set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
)
# Verify the install and clean up
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build."
fi
# Update IPsec config
bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
@ -265,13 +276,13 @@ if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi
# Restart IPsec service
bigecho "Restarting IPsec service..."
mkdir -p /run/pluto
service ipsec restart
service ipsec restart 2>/dev/null
cat <<EOF
================================================
Libreswan $SWAN_VER has been successfully installed!
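Review bot: Switching the Libreswan download to `wget -q` makes the failure path mute: `-nv` used to print wget's own error, and the new `( set -x; wget ... || wget ... ) || exit 1` only echoes the command before exiting, so the user sees `## Downloading Libreswan...` followed by a bare exit with no reason. Use the script's own helper so the failure is named: `) || exiterr "Failed to download Libreswan $SWAN_VER."`. Worth keeping in mind on the same lines, though it predates this commit: the tarball is extracted and installed as root without any checksum or signature check, so the two HTTPS connections are the only integrity control.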


@ -22,6 +22,7 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'yum install' failed."; }
bigecho() { echo "## $1"; }
vpnupgrade() {
@ -108,7 +109,6 @@ clear
cat <<EOF
Welcome! This script will build and install Libreswan on your server.
Additional packages required for compilation will also be installed.
It is intended for upgrading servers to a newer Libreswan version.
Current version: $ipsec_ver_short
@ -120,7 +120,6 @@ cat <<'EOF'
Note: This script will make the following changes to your VPN configuration:
- Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers
Your other VPN config files will not be modified.
EOF
@ -139,8 +138,7 @@ read -r response
case $response in
[yY][eE][sS]|[yY])
echo
echo "Please be patient. Setup is continuing..."
echo
bigecho "Please be patient. Setup is continuing..."
;;
*)
echo "Abort. No changes were made."
@ -152,24 +150,37 @@ esac
mkdir -p /opt/src
cd /opt/src || exit 1
# Add the EPEL repository
amazon-linux-extras install epel -y || exiterr2
bigecho "Adding the EPEL repository..."
# Install necessary packages
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel nss-tools \
flex bison gcc make wget sed tar \
systemd-devel libevent-devel fipscheck-devel || exiterr2
(
set -x
amazon-linux-extras install epel -y >/dev/null
) || exiterr2
bigecho "Installing required packages..."
(
set -x
yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel nss-tools \
flex bison gcc make wget sed tar \
systemd-devel libevent-devel fipscheck-devel >/dev/null
) || exiterr2
bigecho "Downloading Libreswan..."
# Compile and install Libreswan
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
exit 1
fi
(
set -x
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF'
@ -186,9 +197,11 @@ if [ "$SWAN_VER" != "3.32" ]; then
fi
NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base
(
set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
)
# Verify the install and clean up
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
@ -200,7 +213,8 @@ restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Update IPsec config
bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
@ -234,13 +248,13 @@ if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi
# Restart IPsec service
bigecho "Restarting IPsec service..."
mkdir -p /run/pluto
service ipsec restart
service ipsec restart 2>/dev/null
cat <<EOF
================================================
Libreswan $SWAN_VER has been successfully installed!
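Review bot: The rewritten download at `wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget ... "$swan_url2"` feeds whatever arrives straight into `tar xzf` and `make install-base` as root with no integrity check, so the only protection is the TLS session to whichever of the two hosts answers. Because `$SWAN_VER` is pinned by the script, a digest can be pinned next to it and checked before extraction, e.g. `swan_sha256="<digest of libreswan-$SWAN_VER.tar.gz>"` followed by `echo "$swan_sha256  $swan_file" | sha256sum -c - >/dev/null || exiterr "Checksum mismatch for $swan_file."`. The two URLs likely serve different archives (a GitHub-generated source archive versus the upstream release tarball), so a single digest will match only one of them; the fallback then needs its own digest or should be dropped. This is inherited rather than introduced here, but the lines were rewritten in this commit.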


@ -22,6 +22,7 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'yum install' failed."; }
bigecho() { echo "## $1"; }
vpnupgrade() {
@ -120,7 +121,6 @@ clear
cat <<EOF
Welcome! This script will build and install Libreswan on your server.
Additional packages required for compilation will also be installed.
It is intended for upgrading servers to a newer Libreswan version.
Current version: $ipsec_ver_short
@ -132,7 +132,6 @@ cat <<'EOF'
Note: This script will make the following changes to your VPN configuration:
- Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers
Your other VPN config files will not be modified.
EOF
@ -151,8 +150,7 @@ read -r response
case $response in
[yY][eE][sS]|[yY])
echo
echo "Please be patient. Setup is continuing..."
echo
bigecho "Please be patient. Setup is continuing..."
;;
*)
echo "Abort. No changes were made."
@ -164,14 +162,22 @@ esac
mkdir -p /opt/src
cd /opt/src || exit 1
# Add the EPEL repository
epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm"
yum -y install epel-release || yum -y install "$epel_url" || exiterr2
bigecho "Adding the EPEL repository..."
# Install necessary packages
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel nss-tools \
flex bison gcc make wget sed tar || exiterr2
epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm"
(
set -x
yum -y -q install epel-release >/dev/null || yum -y -q install "$epel_url" >/dev/null
) || exiterr2
bigecho "Installing required packages..."
(
set -x
yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel nss-tools \
flex bison gcc make wget sed tar >/dev/null
) || exiterr2
REPO1='--enablerepo=*server-*optional*'
REPO2='--enablerepo=*releases-optional*'
@ -179,21 +185,35 @@ REPO3='--enablerepo=[Pp]ower[Tt]ools'
[ "$os_type" = "rhel" ] && REPO3='--enablerepo=codeready-builder-for-rhel-8-*'
if [ "$os_ver" = "7" ]; then
yum -y install systemd-devel || exiterr2
yum "$REPO1" "$REPO2" -y install libevent-devel fipscheck-devel || exiterr2
(
set -x
yum -y -q install systemd-devel >/dev/null
) || exiterr2
(
set -x
yum "$REPO1" "$REPO2" -y -q install libevent-devel fipscheck-devel >/dev/null
) || exiterr2
else
yum "$REPO3" -y install systemd-devel libevent-devel fipscheck-devel || exiterr2
(
set -x
yum "$REPO3" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
) || exiterr2
fi
# Compile and install Libreswan
bigecho "Downloading Libreswan..."
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
exit 1
fi
(
set -x
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF'
@ -210,9 +230,11 @@ if [ "$SWAN_VER" != "3.32" ]; then
fi
NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base
(
set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
)
# Verify the install and clean up
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
@ -224,7 +246,8 @@ restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Update IPsec config
bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
@ -258,13 +281,13 @@ if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi
# Restart IPsec service
bigecho "Restarting IPsec service..."
mkdir -p /run/pluto
service ipsec restart
service ipsec restart 2>/dev/null
cat <<EOF
================================================
Libreswan $SWAN_VER has been successfully installed!
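Review bot: The rewritten EPEL step `yum -y -q install epel-release >/dev/null || yum -y -q install "$epel_url" >/dev/null` falls back to installing an RPM directly from a URL; as far as I recall yum and dnf do not GPG-check a package given as a path or URL unless `localpkg_gpgcheck` is enabled, so on hosts where the first branch fails the fallback relies on TLS to the mirror alone, and the new `>/dev/null` hides whatever yum reports about it. If the fallback stays, import the EPEL signing key with `rpm --import` first and run the fallback with `--setopt=localpkg_gpgcheck=1`, and consider giving the two branches distinct error text instead of one shared `exiterr2`. Behaviour is unchanged from before the commit, but the line was rewritten here.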


@ -40,7 +40,7 @@ SYS_DT=$(date +%F-%T | tr ':' '_')
exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'apt-get install' failed."; }
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
bigecho() { echo; echo "## $1"; echo; }
bigecho() { echo "## $1"; }
check_ip() {
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
@ -157,53 +157,59 @@ while fuser "$APT_LK" "$PKG_LK" >/dev/null 2>&1 \
sleep 3
done
bigecho "Populating apt-get cache..."
export DEBIAN_FRONTEND=noninteractive
apt-get -yq update || exiterr "'apt-get update' failed."
bigecho "Installing packages required for setup..."
apt-get -yq install wget dnsutils openssl \
iptables iproute2 gawk grep sed net-tools || exiterr2
export DEBIAN_FRONTEND=noninteractive
(
set -x
apt-get -yqq update
) || exiterr "'apt-get update' failed."
(
set -x
apt-get -yqq install wget dnsutils openssl \
iptables iproute2 gawk grep sed net-tools >/dev/null
) || exiterr2
bigecho "Trying to auto discover IP of this server..."
cat <<'EOF'
In case the script hangs here for more than a few minutes,
press Ctrl-C to abort. Then edit it and manually enter IP.
EOF
# In case auto IP discovery fails, enter server's public IP here.
PUBLIC_IP=${VPN_PUBLIC_IP:-''}
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it."
bigecho "Installing packages required for the VPN..."
apt-get -yq install libnss3-dev libnspr4-dev pkg-config \
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev flex bison gcc make libnss3-tools \
libevent-dev libsystemd-dev ppp xl2tpd || exiterr2
(
set -x
apt-get -yqq install libnss3-dev libnspr4-dev pkg-config \
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev flex bison gcc make libnss3-tools \
libevent-dev libsystemd-dev ppp xl2tpd >/dev/null
) || exiterr2
bigecho "Installing Fail2Ban to protect SSH..."
apt-get -yq install fail2ban || exiterr2
(
set -x
apt-get -yqq install fail2ban >/dev/null
) || exiterr2
bigecho "Compiling and installing Libreswan..."
bigecho "Downloading Libreswan..."
SWAN_VER=4.2
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
exit 1
fi
(
set -x
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w
@ -225,7 +231,10 @@ if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
fi
NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base
(
set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
)
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
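Review bot: The build subshell `( set -x; make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null )` has no `|| exiterr`, so a failed compile falls straight through to `/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"`, deleting the tree needed to diagnose it, and execution continues into whatever follows this hunk (a version check like the one in the upgrade scripts is not visible here). Every other rewritten step in this file uses `) || exiterr...`; match it with `) || exiterr "Libreswan $SWAN_VER failed to build."`. Only stdout is redirected, so compiler errors on stderr still reach the terminal; it is the source tree and the early stop that are lost.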


@ -39,7 +39,7 @@ SYS_DT=$(date +%F-%T | tr ':' '_')
exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'yum install' failed."; }
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
bigecho() { echo; echo "## $1"; echo; }
bigecho() { echo "## $1"; }
check_ip() {
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
@ -116,55 +116,64 @@ cd /opt/src || exit 1
bigecho "Installing packages required for setup..."
yum -y install wget bind-utils openssl tar \
iptables iproute gawk grep sed net-tools || exiterr2
(
set -x
yum -y -q install wget bind-utils openssl tar \
iptables iproute gawk grep sed net-tools >/dev/null
) || exiterr2
bigecho "Trying to auto discover IP of this server..."
cat <<'EOF'
In case the script hangs here for more than a few minutes,
press Ctrl-C to abort. Then edit it and manually enter IP.
EOF
# In case auto IP discovery fails, enter server's public IP here.
PUBLIC_IP=${VPN_PUBLIC_IP:-''}
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it."
bigecho "Adding the EPEL repository..."
amazon-linux-extras install epel -y || exiterr2
(
set -x
amazon-linux-extras install epel -y >/dev/null
) || exiterr2
bigecho "Installing packages required for the VPN..."
REPO1='--enablerepo=epel'
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel nss-tools \
flex bison gcc make ppp \
systemd-devel iptables-services \
libevent-devel fipscheck-devel || exiterr2
yum "$REPO1" -y install xl2tpd || exiterr2
(
set -x
yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel nss-tools \
flex bison gcc make ppp \
systemd-devel iptables-services \
libevent-devel fipscheck-devel >/dev/null
) || exiterr2
(
set -x
yum --enablerepo=epel -y -q install xl2tpd >/dev/null 2>&1
) || exiterr2
bigecho "Installing Fail2Ban to protect SSH..."
yum "$REPO1" -y install fail2ban || exiterr2
(
set -x
yum --enablerepo=epel -y -q install fail2ban >/dev/null
) || exiterr2
bigecho "Compiling and installing Libreswan..."
bigecho "Downloading Libreswan..."
SWAN_VER=4.2
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
exit 1
fi
(
set -x
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w
@ -178,7 +187,10 @@ if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
fi
NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base
(
set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
)
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
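Review bot: `REPO1='--enablerepo=epel'` (kept as context above the rewritten block) is now dead code: the new xl2tpd and fail2ban lines spell `--enablerepo=epel` literally instead of `"$REPO1"`, unlike the CentOS sibling in this commit which still uses the variable; either drop the assignment or keep using it. Separately, the xl2tpd line discards stderr (`yum --enablerepo=epel -y -q install xl2tpd >/dev/null 2>&1`) while the fail2ban line directly below keeps it, so when the EPEL install of xl2tpd fails the user gets only `'yum install' failed.` with no reason; drop the `2>&1` unless a specific warning is being silenced, in which case a comment should say which.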


@ -40,7 +40,7 @@ SYS_DT=$(date +%F-%T | tr ':' '_')
exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'yum install' failed."; }
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
bigecho() { echo; echo "## $1"; echo; }
bigecho() { echo "## $1"; }
check_ip() {
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
@ -129,28 +129,27 @@ cd /opt/src || exit 1
bigecho "Installing packages required for setup..."
yum -y install wget bind-utils openssl tar \
iptables iproute gawk grep sed net-tools || exiterr2
(
set -x
yum -y -q install wget bind-utils openssl tar \
iptables iproute gawk grep sed net-tools >/dev/null
) || exiterr2
bigecho "Trying to auto discover IP of this server..."
cat <<'EOF'
In case the script hangs here for more than a few minutes,
press Ctrl-C to abort. Then edit it and manually enter IP.
EOF
# In case auto IP discovery fails, enter server's public IP here.
PUBLIC_IP=${VPN_PUBLIC_IP:-''}
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it."
bigecho "Adding the EPEL repository..."
epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm"
yum -y install epel-release || yum -y install "$epel_url" || exiterr2
(
set -x
yum -y -q install epel-release >/dev/null || yum -y -q install "$epel_url" >/dev/null
) || exiterr2
bigecho "Installing packages required for the VPN..."
@ -160,42 +159,69 @@ REPO3='--enablerepo=*releases-optional*'
REPO4='--enablerepo=[Pp]ower[Tt]ools'
[ "$os_type" = "rhel" ] && REPO4='--enablerepo=codeready-builder-for-rhel-8-*'
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel nss-tools \
flex bison gcc make ppp || exiterr2
yum "$REPO1" -y install xl2tpd || exiterr2
(
set -x
yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel nss-tools \
flex bison gcc make ppp >/dev/null
) || exiterr2
(
set -x
yum "$REPO1" -y -q install xl2tpd >/dev/null 2>&1
) || exiterr2
use_nft=0
if [ "$os_ver" = "7" ]; then
yum -y install systemd-devel iptables-services || exiterr2
yum "$REPO2" "$REPO3" -y install libevent-devel fipscheck-devel || exiterr2
(
set -x
yum -y -q install systemd-devel iptables-services >/dev/null
) || exiterr2
(
set -x
yum "$REPO2" "$REPO3" -y -q install libevent-devel fipscheck-devel >/dev/null
) || exiterr2
else
yum "$REPO4" -y install systemd-devel libevent-devel fipscheck-devel || exiterr2
(
set -x
yum "$REPO4" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
) || exiterr2
if systemctl is-active --quiet firewalld.service \
|| grep -qs "hwdsl2 VPN script" /etc/sysconfig/nftables.conf; then
use_nft=1
yum -y install nftables || exiterr2
(
set -x
yum -y -q install nftables >/dev/null
) || exiterr2
else
yum -y install iptables-services || exiterr2
(
set -x
yum -y -q install iptables-services >/dev/null
) || exiterr2
fi
fi
bigecho "Installing Fail2Ban to protect SSH..."
yum "$REPO1" -y install fail2ban || exiterr2
(
set -x
yum "$REPO1" -y -q install fail2ban >/dev/null
) || exiterr2
bigecho "Compiling and installing Libreswan..."
bigecho "Downloading Libreswan..."
SWAN_VER=4.2
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
exit 1
fi
(
set -x
wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w
@ -209,7 +235,10 @@ if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
fi
NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base
(
set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
)
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
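Review bot: The download block `( set -x; wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget ... "$swan_url2" ) || exit 1` now exits without saying why: `-q` suppresses wget's own error that `-nv` used to print, and the subshell only echoes the command, so after `## Downloading Libreswan...` the script just stops. Use the helper the rest of the file already relies on: `) || exiterr "Failed to download Libreswan $SWAN_VER."`. The same `>/dev/null 2>&1` on the xl2tpd line earlier in this section also swallows yum's reason while the fail2ban line beside it keeps stderr, which is inconsistent for the same failure mode.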