Improve output

- Improve output for the VPN setup and upgrade scripts. The outputs
  of the scripts are now significantly reduced and only include the
  most useful information for users.
- Other minor cleanup
hwdsl2 2021-02-05 21:49:35 -06:00
parent 89eaacc0b8
commit 5779b2e6c8
7 changed files with 283 additions and 162 deletions


@ -263,17 +263,14 @@ EOF
show_start_message() { show_start_message() {
bigecho "Starting IKEv2 setup in auto mode, using default options." bigecho "Starting IKEv2 setup in auto mode, using default options."
echo
} }
show_add_client_message() { show_add_client_message() {
bigecho "Adding a new IKEv2 client '$client_name', using default options." bigecho "Adding a new IKEv2 client '$client_name', using default options."
echo
} }
show_export_client_message() { show_export_client_message() {
bigecho "Exporting existing IKEv2 client '$client_name', using default options." bigecho "Exporting existing IKEv2 client '$client_name', using default options."
echo
} }
get_export_dir() { get_export_dir() {
@ -293,7 +290,7 @@ get_export_dir() {
} }
get_server_ip() { get_server_ip() {
echo "Trying to auto discover IP of this server..." bigecho "Trying to auto discover IP of this server..."
public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
check_ip "$public_ip" || public_ip=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) check_ip "$public_ip" || public_ip=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
} }
@ -453,6 +450,7 @@ enter_custom_dns() {
else else
echo "Using Google Public DNS (8.8.8.8, 8.8.4.4)." echo "Using Google Public DNS (8.8.8.8, 8.8.4.4)."
fi fi
echo
} }
check_mobike_support() { check_mobike_support() {
@ -492,8 +490,7 @@ check_mobike_support() {
fi fi
fi fi
echo echo -n "## Checking for MOBIKE support... "
echo -n "Checking for MOBIKE support... "
if [ "$mobike_support" = "1" ]; then if [ "$mobike_support" = "1" ]; then
echo "available" echo "available"
else else
@ -652,13 +649,38 @@ EOF
install_base64_uuidgen() { install_base64_uuidgen() {
if ! command -v base64 >/dev/null 2>&1 || ! command -v uuidgen >/dev/null 2>&1; then if ! command -v base64 >/dev/null 2>&1 || ! command -v uuidgen >/dev/null 2>&1; then
bigecho "Installing required packages..." bigecho "Installing required packages..."
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
apt-get -yqq update || exiterr "'apt-get update' failed." (
apt-get -yqq install coreutils uuid-runtime >/dev/null || exiterr "'apt-get install' failed." set -x
apt-get -yqq update
) || exiterr "'apt-get update' failed."
fi
fi
if ! command -v base64 >/dev/null 2>&1; then
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
(
set -x
apt-get -yqq install coreutils >/dev/null
) || exiterr "'apt-get install' failed."
else else
yum -yq install coreutils util-linux || exiterr "'yum install' failed." (
set -x
yum -y -q install coreutils >/dev/null
) || exiterr "'yum install' failed."
fi
fi
if ! command -v uuidgen >/dev/null 2>&1; then
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
(
set -x
apt-get -yqq install uuid-runtime >/dev/null
) || exiterr "'apt-get install' failed."
else
(
set -x
yum -y -q install util-linux >/dev/null
) || exiterr "'yum install' failed."
fi fi
fi fi
} }
@ -989,20 +1011,21 @@ EOF
apply_ubuntu1804_nss_fix() { apply_ubuntu1804_nss_fix() {
if [ "$os_type" = "ubuntu" ] && [ "$os_ver" = "bustersid" ] && [ "$os_arch" = "x86_64" ]; then if [ "$os_type" = "ubuntu" ] && [ "$os_ver" = "bustersid" ] && [ "$os_arch" = "x86_64" ]; then
bigecho "Applying fix for NSS bug on Ubuntu 18.04..." bigecho "Applying fix for NSS bug on Ubuntu 18.04..."
nss_url1="https://mirrors.kernel.org/ubuntu/pool/main/n/nss" nss_url1="https://mirrors.kernel.org/ubuntu/pool/main/n/nss"
nss_url2="https://mirrors.kernel.org/ubuntu/pool/universe/n/nss" nss_url2="https://mirrors.kernel.org/ubuntu/pool/universe/n/nss"
nss_deb1="libnss3_3.49.1-1ubuntu1.5_amd64.deb" nss_deb1="libnss3_3.49.1-1ubuntu1.5_amd64.deb"
nss_deb2="libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb" nss_deb2="libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb"
nss_deb3="libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb" nss_deb3="libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb"
if wget -t 3 -T 30 -nv -O "/tmp/$nss_deb1" "$nss_url1/$nss_deb1" \ export DEBIAN_FRONTEND=noninteractive
&& wget -t 3 -T 30 -nv -O "/tmp/$nss_deb2" "$nss_url1/$nss_deb2" \ set -x
&& wget -t 3 -T 30 -nv -O "/tmp/$nss_deb3" "$nss_url2/$nss_deb3"; then if wget -t 3 -T 30 -q -O "/tmp/libnss3.deb" "$nss_url1/$nss_deb1" \
export DEBIAN_FRONTEND=noninteractive && wget -t 3 -T 30 -q -O "/tmp/libnss3-dev.deb" "$nss_url1/$nss_deb2" \
&& wget -t 3 -T 30 -q -O "/tmp/libnss3-tools.deb" "$nss_url2/$nss_deb3"; then
apt-get -yqq update apt-get -yqq update
apt-get -yqq install "/tmp/$nss_deb1" "/tmp/$nss_deb2" "/tmp/$nss_deb3" apt-get -yqq install "/tmp/libnss3.deb" "/tmp/libnss3-dev.deb" "/tmp/libnss3-tools.deb" >/dev/null
/bin/rm -f "/tmp/libnss3.deb" "/tmp/libnss3-dev.deb" "/tmp/libnss3-tools.deb"
fi fi
/bin/rm -f "/tmp/$nss_deb1" "/tmp/$nss_deb2" "/tmp/$nss_deb3" { set +x; } 2>&-
fi fi
} }
@ -1010,7 +1033,7 @@ restart_ipsec_service() {
bigecho "Restarting IPsec service..." bigecho "Restarting IPsec service..."
mkdir -p /run/pluto mkdir -p /run/pluto
service ipsec restart service ipsec restart 2>/dev/null
} }
print_client_added_message() { print_client_added_message() {
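Review bot: In apply_ubuntu1804_nss_fix the three packages are now written to fixed names under /tmp (`/tmp/libnss3.deb` and its siblings) and then installed with apt-get, and the `/bin/rm -f` appears to have moved inside the success branch, so a failed or partial download leaves the files behind. Predictable names in a world-writable directory let another local user pre-create or symlink those paths before the script, which presumably runs as root, writes and installs them. Installing local .deb files also bypasses the repository signature check, so the HTTPS fetch is the only protection on these packages. I would download into a `mktemp -d` directory and remove it on every path, as below; the function's opening lines stay as they are.

```shell
    # … unchanged: bigecho and the nss_url1/nss_url2/nss_deb1..3 assignments …
    nss_tmp=$(mktemp -d) || exiterr "Failed to create temporary directory."
    export DEBIAN_FRONTEND=noninteractive
    set -x
    if wget -t 3 -T 30 -q -O "$nss_tmp/libnss3.deb" "$nss_url1/$nss_deb1" \
      && wget -t 3 -T 30 -q -O "$nss_tmp/libnss3-dev.deb" "$nss_url1/$nss_deb2" \
      && wget -t 3 -T 30 -q -O "$nss_tmp/libnss3-tools.deb" "$nss_url2/$nss_deb3"; then
      apt-get -yqq update
      apt-get -yqq install "$nss_tmp/libnss3.deb" "$nss_tmp/libnss3-dev.deb" "$nss_tmp/libnss3-tools.deb" >/dev/null
    fi
    # cleanup runs whether or not the downloads succeeded
    /bin/rm -rf "${nss_tmp:?}"
    { set +x; } 2>&-
```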


@ -22,6 +22,7 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'apt-get install' failed."; } exiterr2() { exiterr "'apt-get install' failed."; }
bigecho() { echo "## $1"; }
vpnupgrade() { vpnupgrade() {
@ -129,7 +130,6 @@ clear
cat <<EOF cat <<EOF
Welcome! This script will build and install Libreswan on your server. Welcome! This script will build and install Libreswan on your server.
Additional packages required for compilation will also be installed. Additional packages required for compilation will also be installed.
It is intended for upgrading servers to a newer Libreswan version. It is intended for upgrading servers to a newer Libreswan version.
Current version: $ipsec_ver_short Current version: $ipsec_ver_short
@ -141,7 +141,6 @@ cat <<'EOF'
Note: This script will make the following changes to your VPN configuration: Note: This script will make the following changes to your VPN configuration:
- Fix obsolete ipsec.conf and/or ikev2.conf options - Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers - Optimize VPN ciphers
Your other VPN config files will not be modified. Your other VPN config files will not be modified.
EOF EOF
@ -160,8 +159,7 @@ read -r response
case $response in case $response in
[yY][eE][sS]|[yY]) [yY][eE][sS]|[yY])
echo echo
echo "Please be patient. Setup is continuing..." bigecho "Please be patient. Setup is continuing..."
echo
;; ;;
*) *)
echo "Abort. No changes were made." echo "Abort. No changes were made."
@ -173,25 +171,35 @@ esac
mkdir -p /opt/src mkdir -p /opt/src
cd /opt/src || exit 1 cd /opt/src || exit 1
# Update package index bigecho "Installing required packages..."
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
apt-get -yq update || exiterr "'apt-get update' failed." (
set -x
apt-get -yqq update
) || exiterr "'apt-get update' failed."
(
set -x
apt-get -yqq install libnss3-dev libnspr4-dev pkg-config \
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev libnss3-tools libevent-dev libsystemd-dev \
flex bison gcc make wget sed >/dev/null
) || exiterr2
# Install necessary packages bigecho "Downloading Libreswan..."
apt-get -yq install libnss3-dev libnspr4-dev pkg-config \
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev libnss3-tools libevent-dev libsystemd-dev \
flex bison gcc make wget sed || exiterr2
# Compile and install Libreswan
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then (
exit 1 set -x
fi wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file" tar xzf "$swan_file" && /bin/rm -f "$swan_file"
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1 cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in [ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
@ -216,16 +224,19 @@ if [ "$SWAN_VER" != "3.32" ]; then
fi fi
NPROCS=$(grep -c ^processor /proc/cpuinfo) NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1 [ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base (
set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
)
# Verify the install and clean up
cd /opt/src || exit 1 cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build." exiterr "Libreswan $SWAN_VER failed to build."
fi fi
# Update IPsec config bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
@ -265,13 +276,13 @@ if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi fi
# Restart IPsec service bigecho "Restarting IPsec service..."
mkdir -p /run/pluto mkdir -p /run/pluto
service ipsec restart service ipsec restart 2>/dev/null
cat <<EOF cat <<EOF
================================================ ================================================
Libreswan $SWAN_VER has been successfully installed! Libreswan $SWAN_VER has been successfully installed!
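Review bot: The reworked download block still unpacks and builds `$swan_file` without any integrity check between the wget subshell and `tar xzf`. The archive is compiled and installed into /usr/local/sbin by this script, so a pinned digest or signature check belongs there, for example `echo "<expected-sha256>  $swan_file" | sha256sum -c --status || exiterr "Checksum mismatch for $swan_file."`. The two URLs may not serve byte-identical archives, so one digest per source may be needed. The same download block appears in the other upgrade and setup scripts touched by this commit.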


@ -22,6 +22,7 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'yum install' failed."; } exiterr2() { exiterr "'yum install' failed."; }
bigecho() { echo "## $1"; }
vpnupgrade() { vpnupgrade() {
@ -108,7 +109,6 @@ clear
cat <<EOF cat <<EOF
Welcome! This script will build and install Libreswan on your server. Welcome! This script will build and install Libreswan on your server.
Additional packages required for compilation will also be installed. Additional packages required for compilation will also be installed.
It is intended for upgrading servers to a newer Libreswan version. It is intended for upgrading servers to a newer Libreswan version.
Current version: $ipsec_ver_short Current version: $ipsec_ver_short
@ -120,7 +120,6 @@ cat <<'EOF'
Note: This script will make the following changes to your VPN configuration: Note: This script will make the following changes to your VPN configuration:
- Fix obsolete ipsec.conf and/or ikev2.conf options - Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers - Optimize VPN ciphers
Your other VPN config files will not be modified. Your other VPN config files will not be modified.
EOF EOF
@ -139,8 +138,7 @@ read -r response
case $response in case $response in
[yY][eE][sS]|[yY]) [yY][eE][sS]|[yY])
echo echo
echo "Please be patient. Setup is continuing..." bigecho "Please be patient. Setup is continuing..."
echo
;; ;;
*) *)
echo "Abort. No changes were made." echo "Abort. No changes were made."
@ -152,24 +150,37 @@ esac
mkdir -p /opt/src mkdir -p /opt/src
cd /opt/src || exit 1 cd /opt/src || exit 1
# Add the EPEL repository bigecho "Adding the EPEL repository..."
amazon-linux-extras install epel -y || exiterr2
# Install necessary packages (
yum -y install nss-devel nspr-devel pkgconfig pam-devel \ set -x
libcap-ng-devel libselinux-devel curl-devel nss-tools \ amazon-linux-extras install epel -y >/dev/null
flex bison gcc make wget sed tar \ ) || exiterr2
systemd-devel libevent-devel fipscheck-devel || exiterr2
bigecho "Installing required packages..."
(
set -x
yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel nss-tools \
flex bison gcc make wget sed tar \
systemd-devel libevent-devel fipscheck-devel >/dev/null
) || exiterr2
bigecho "Downloading Libreswan..."
# Compile and install Libreswan
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then (
exit 1 set -x
fi wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file" tar xzf "$swan_file" && /bin/rm -f "$swan_file"
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1 cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in [ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
@ -186,9 +197,11 @@ if [ "$SWAN_VER" != "3.32" ]; then
fi fi
NPROCS=$(grep -c ^processor /proc/cpuinfo) NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1 [ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base (
set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
)
# Verify the install and clean up
cd /opt/src || exit 1 cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
@ -200,7 +213,8 @@ restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Update IPsec config bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
@ -234,13 +248,13 @@ if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi fi
# Restart IPsec service bigecho "Restarting IPsec service..."
mkdir -p /run/pluto mkdir -p /run/pluto
service ipsec restart service ipsec restart 2>/dev/null
cat <<EOF cat <<EOF
================================================ ================================================
Libreswan $SWAN_VER has been successfully installed! Libreswan $SWAN_VER has been successfully installed!
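Review bot: `service ipsec restart 2>/dev/null` now discards the restart's error output and its exit status is not checked, yet the banner that follows reports that Libreswan has been successfully installed. After an upgrade that rewrites ipsec.conf options, a failed restart would leave the VPN down while the script claims success. I would hide stderr only if the status is tested, e.g. `service ipsec restart 2>/dev/null || exiterr "IPsec service failed to restart."`. The same line is changed in the other two upgrade scripts and in restart_ipsec_service.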


@ -22,6 +22,7 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'yum install' failed."; } exiterr2() { exiterr "'yum install' failed."; }
bigecho() { echo "## $1"; }
vpnupgrade() { vpnupgrade() {
@ -120,7 +121,6 @@ clear
cat <<EOF cat <<EOF
Welcome! This script will build and install Libreswan on your server. Welcome! This script will build and install Libreswan on your server.
Additional packages required for compilation will also be installed. Additional packages required for compilation will also be installed.
It is intended for upgrading servers to a newer Libreswan version. It is intended for upgrading servers to a newer Libreswan version.
Current version: $ipsec_ver_short Current version: $ipsec_ver_short
@ -132,7 +132,6 @@ cat <<'EOF'
Note: This script will make the following changes to your VPN configuration: Note: This script will make the following changes to your VPN configuration:
- Fix obsolete ipsec.conf and/or ikev2.conf options - Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers - Optimize VPN ciphers
Your other VPN config files will not be modified. Your other VPN config files will not be modified.
EOF EOF
@ -151,8 +150,7 @@ read -r response
case $response in case $response in
[yY][eE][sS]|[yY]) [yY][eE][sS]|[yY])
echo echo
echo "Please be patient. Setup is continuing..." bigecho "Please be patient. Setup is continuing..."
echo
;; ;;
*) *)
echo "Abort. No changes were made." echo "Abort. No changes were made."
@ -164,14 +162,22 @@ esac
mkdir -p /opt/src mkdir -p /opt/src
cd /opt/src || exit 1 cd /opt/src || exit 1
# Add the EPEL repository bigecho "Adding the EPEL repository..."
epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm"
yum -y install epel-release || yum -y install "$epel_url" || exiterr2
# Install necessary packages epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm"
yum -y install nss-devel nspr-devel pkgconfig pam-devel \ (
libcap-ng-devel libselinux-devel curl-devel nss-tools \ set -x
flex bison gcc make wget sed tar || exiterr2 yum -y -q install epel-release >/dev/null || yum -y -q install "$epel_url" >/dev/null
) || exiterr2
bigecho "Installing required packages..."
(
set -x
yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel nss-tools \
flex bison gcc make wget sed tar >/dev/null
) || exiterr2
REPO1='--enablerepo=*server-*optional*' REPO1='--enablerepo=*server-*optional*'
REPO2='--enablerepo=*releases-optional*' REPO2='--enablerepo=*releases-optional*'
@ -179,21 +185,35 @@ REPO3='--enablerepo=[Pp]ower[Tt]ools'
[ "$os_type" = "rhel" ] && REPO3='--enablerepo=codeready-builder-for-rhel-8-*' [ "$os_type" = "rhel" ] && REPO3='--enablerepo=codeready-builder-for-rhel-8-*'
if [ "$os_ver" = "7" ]; then if [ "$os_ver" = "7" ]; then
yum -y install systemd-devel || exiterr2 (
yum "$REPO1" "$REPO2" -y install libevent-devel fipscheck-devel || exiterr2 set -x
yum -y -q install systemd-devel >/dev/null
) || exiterr2
(
set -x
yum "$REPO1" "$REPO2" -y -q install libevent-devel fipscheck-devel >/dev/null
) || exiterr2
else else
yum "$REPO3" -y install systemd-devel libevent-devel fipscheck-devel || exiterr2 (
set -x
yum "$REPO3" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
) || exiterr2
fi fi
# Compile and install Libreswan bigecho "Downloading Libreswan..."
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then (
exit 1 set -x
fi wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file" tar xzf "$swan_file" && /bin/rm -f "$swan_file"
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1 cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in [ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
@ -210,9 +230,11 @@ if [ "$SWAN_VER" != "3.32" ]; then
fi fi
NPROCS=$(grep -c ^processor /proc/cpuinfo) NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1 [ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base (
set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
)
# Verify the install and clean up
cd /opt/src || exit 1 cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
@ -224,7 +246,8 @@ restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Update IPsec config bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
@ -258,13 +281,13 @@ if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi fi
# Restart IPsec service bigecho "Restarting IPsec service..."
mkdir -p /run/pluto mkdir -p /run/pluto
service ipsec restart service ipsec restart 2>/dev/null
cat <<EOF cat <<EOF
================================================ ================================================
Libreswan $SWAN_VER has been successfully installed! Libreswan $SWAN_VER has been successfully installed!
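Review bot: The new subshell around `make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null` has no `|| exiterr`, unlike the other subshells added in this file, so a build failure is only caught indirectly by the later `ipsec --version | grep -qF "$SWAN_VER"` test. That test would also pass if a previously installed binary already reports a matching version string, in which case a failed rebuild could be reported as success. I suggest closing the subshell with `) || exiterr "Libreswan $SWAN_VER failed to build."`. The make hunks in the other upgrade and setup scripts have the same shape.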


@ -40,7 +40,7 @@ SYS_DT=$(date +%F-%T | tr ':' '_')
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'apt-get install' failed."; } exiterr2() { exiterr "'apt-get install' failed."; }
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
bigecho() { echo; echo "## $1"; echo; } bigecho() { echo "## $1"; }
check_ip() { check_ip() {
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
@ -157,53 +157,59 @@ while fuser "$APT_LK" "$PKG_LK" >/dev/null 2>&1 \
sleep 3 sleep 3
done done
bigecho "Populating apt-get cache..."
export DEBIAN_FRONTEND=noninteractive
apt-get -yq update || exiterr "'apt-get update' failed."
bigecho "Installing packages required for setup..." bigecho "Installing packages required for setup..."
apt-get -yq install wget dnsutils openssl \ export DEBIAN_FRONTEND=noninteractive
iptables iproute2 gawk grep sed net-tools || exiterr2 (
set -x
apt-get -yqq update
) || exiterr "'apt-get update' failed."
(
set -x
apt-get -yqq install wget dnsutils openssl \
iptables iproute2 gawk grep sed net-tools >/dev/null
) || exiterr2
bigecho "Trying to auto discover IP of this server..." bigecho "Trying to auto discover IP of this server..."
cat <<'EOF'
In case the script hangs here for more than a few minutes,
press Ctrl-C to abort. Then edit it and manually enter IP.
EOF
# In case auto IP discovery fails, enter server's public IP here. # In case auto IP discovery fails, enter server's public IP here.
PUBLIC_IP=${VPN_PUBLIC_IP:-''} PUBLIC_IP=${VPN_PUBLIC_IP:-''}
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it." check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it."
bigecho "Installing packages required for the VPN..." bigecho "Installing packages required for the VPN..."
apt-get -yq install libnss3-dev libnspr4-dev pkg-config \ (
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \ set -x
libcurl4-nss-dev flex bison gcc make libnss3-tools \ apt-get -yqq install libnss3-dev libnspr4-dev pkg-config \
libevent-dev libsystemd-dev ppp xl2tpd || exiterr2 libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev flex bison gcc make libnss3-tools \
libevent-dev libsystemd-dev ppp xl2tpd >/dev/null
) || exiterr2
bigecho "Installing Fail2Ban to protect SSH..." bigecho "Installing Fail2Ban to protect SSH..."
apt-get -yq install fail2ban || exiterr2 (
set -x
apt-get -yqq install fail2ban >/dev/null
) || exiterr2
bigecho "Compiling and installing Libreswan..." bigecho "Downloading Libreswan..."
SWAN_VER=4.2 SWAN_VER=4.2
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then (
exit 1 set -x
fi wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file" tar xzf "$swan_file" && /bin/rm -f "$swan_file"
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1 cd "libreswan-$SWAN_VER" || exit 1
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w WERROR_CFLAGS=-w
@ -225,7 +231,10 @@ if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
fi fi
NPROCS=$(grep -c ^processor /proc/cpuinfo) NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1 [ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base (
set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
)
cd /opt/src || exit 1 cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
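Review bot: The IP discovery block kept by this hunk falls back to `wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com` over cleartext HTTP, and check_ip only validates the format of whatever comes back. Anything on the network path can therefore choose the address that the setup presumably goes on to use as the server's public IP. Fetching `https://ipv4.icanhazip.com` instead would at least authenticate the responder; the dig lookup is unauthenticated in the same way and is worth a line in the comment above `PUBLIC_IP`. With the "script hangs here" hint removed, a short message telling users they can preset `VPN_PUBLIC_IP` would also help. get_server_ip and the other setup scripts carry the same fallback.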


@ -39,7 +39,7 @@ SYS_DT=$(date +%F-%T | tr ':' '_')
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'yum install' failed."; } exiterr2() { exiterr "'yum install' failed."; }
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
bigecho() { echo; echo "## $1"; echo; } bigecho() { echo "## $1"; }
check_ip() { check_ip() {
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
@ -116,55 +116,64 @@ cd /opt/src || exit 1
bigecho "Installing packages required for setup..." bigecho "Installing packages required for setup..."
yum -y install wget bind-utils openssl tar \ (
iptables iproute gawk grep sed net-tools || exiterr2 set -x
yum -y -q install wget bind-utils openssl tar \
iptables iproute gawk grep sed net-tools >/dev/null
) || exiterr2
bigecho "Trying to auto discover IP of this server..." bigecho "Trying to auto discover IP of this server..."
cat <<'EOF'
In case the script hangs here for more than a few minutes,
press Ctrl-C to abort. Then edit it and manually enter IP.
EOF
# In case auto IP discovery fails, enter server's public IP here. # In case auto IP discovery fails, enter server's public IP here.
PUBLIC_IP=${VPN_PUBLIC_IP:-''} PUBLIC_IP=${VPN_PUBLIC_IP:-''}
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it." check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it."
bigecho "Adding the EPEL repository..." bigecho "Adding the EPEL repository..."
amazon-linux-extras install epel -y || exiterr2 (
set -x
amazon-linux-extras install epel -y >/dev/null
) || exiterr2
bigecho "Installing packages required for the VPN..." bigecho "Installing packages required for the VPN..."
REPO1='--enablerepo=epel' (
set -x
yum -y install nss-devel nspr-devel pkgconfig pam-devel \ yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel nss-tools \ libcap-ng-devel libselinux-devel curl-devel nss-tools \
flex bison gcc make ppp \ flex bison gcc make ppp \
systemd-devel iptables-services \ systemd-devel iptables-services \
libevent-devel fipscheck-devel || exiterr2 libevent-devel fipscheck-devel >/dev/null
) || exiterr2
yum "$REPO1" -y install xl2tpd || exiterr2 (
set -x
yum --enablerepo=epel -y -q install xl2tpd >/dev/null 2>&1
) || exiterr2
bigecho "Installing Fail2Ban to protect SSH..." bigecho "Installing Fail2Ban to protect SSH..."
yum "$REPO1" -y install fail2ban || exiterr2 (
set -x
yum --enablerepo=epel -y -q install fail2ban >/dev/null
) || exiterr2
bigecho "Compiling and installing Libreswan..." bigecho "Downloading Libreswan..."
SWAN_VER=4.2 SWAN_VER=4.2
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then (
exit 1 set -x
fi wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file" tar xzf "$swan_file" && /bin/rm -f "$swan_file"
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1 cd "libreswan-$SWAN_VER" || exit 1
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w WERROR_CFLAGS=-w
@ -178,7 +187,10 @@ if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
fi fi
NPROCS=$(grep -c ^processor /proc/cpuinfo) NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1 [ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base (
set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
)
cd /opt/src || exit 1 cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"


@ -40,7 +40,7 @@ SYS_DT=$(date +%F-%T | tr ':' '_')
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'yum install' failed."; } exiterr2() { exiterr "'yum install' failed."; }
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
bigecho() { echo; echo "## $1"; echo; } bigecho() { echo "## $1"; }
check_ip() { check_ip() {
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
@ -129,28 +129,27 @@ cd /opt/src || exit 1
bigecho "Installing packages required for setup..." bigecho "Installing packages required for setup..."
yum -y install wget bind-utils openssl tar \ (
iptables iproute gawk grep sed net-tools || exiterr2 set -x
yum -y -q install wget bind-utils openssl tar \
iptables iproute gawk grep sed net-tools >/dev/null
) || exiterr2
bigecho "Trying to auto discover IP of this server..." bigecho "Trying to auto discover IP of this server..."
cat <<'EOF'
In case the script hangs here for more than a few minutes,
press Ctrl-C to abort. Then edit it and manually enter IP.
EOF
# In case auto IP discovery fails, enter server's public IP here. # In case auto IP discovery fails, enter server's public IP here.
PUBLIC_IP=${VPN_PUBLIC_IP:-''} PUBLIC_IP=${VPN_PUBLIC_IP:-''}
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it." check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it."
bigecho "Adding the EPEL repository..." bigecho "Adding the EPEL repository..."
epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm" epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm"
yum -y install epel-release || yum -y install "$epel_url" || exiterr2 (
set -x
yum -y -q install epel-release >/dev/null || yum -y -q install "$epel_url" >/dev/null
) || exiterr2
bigecho "Installing packages required for the VPN..." bigecho "Installing packages required for the VPN..."
@ -160,42 +159,69 @@ REPO3='--enablerepo=*releases-optional*'
REPO4='--enablerepo=[Pp]ower[Tt]ools' REPO4='--enablerepo=[Pp]ower[Tt]ools'
[ "$os_type" = "rhel" ] && REPO4='--enablerepo=codeready-builder-for-rhel-8-*' [ "$os_type" = "rhel" ] && REPO4='--enablerepo=codeready-builder-for-rhel-8-*'
yum -y install nss-devel nspr-devel pkgconfig pam-devel \ (
libcap-ng-devel libselinux-devel curl-devel nss-tools \ set -x
flex bison gcc make ppp || exiterr2 yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel nss-tools \
yum "$REPO1" -y install xl2tpd || exiterr2 flex bison gcc make ppp >/dev/null
) || exiterr2
(
set -x
yum "$REPO1" -y -q install xl2tpd >/dev/null 2>&1
) || exiterr2
use_nft=0 use_nft=0
if [ "$os_ver" = "7" ]; then if [ "$os_ver" = "7" ]; then
yum -y install systemd-devel iptables-services || exiterr2 (
yum "$REPO2" "$REPO3" -y install libevent-devel fipscheck-devel || exiterr2 set -x
yum -y -q install systemd-devel iptables-services >/dev/null
) || exiterr2
(
set -x
yum "$REPO2" "$REPO3" -y -q install libevent-devel fipscheck-devel >/dev/null
) || exiterr2
else else
yum "$REPO4" -y install systemd-devel libevent-devel fipscheck-devel || exiterr2 (
set -x
yum "$REPO4" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
) || exiterr2
if systemctl is-active --quiet firewalld.service \ if systemctl is-active --quiet firewalld.service \
|| grep -qs "hwdsl2 VPN script" /etc/sysconfig/nftables.conf; then || grep -qs "hwdsl2 VPN script" /etc/sysconfig/nftables.conf; then
use_nft=1 use_nft=1
yum -y install nftables || exiterr2 (
set -x
yum -y -q install nftables >/dev/null
) || exiterr2
else else
yum -y install iptables-services || exiterr2 (
set -x
yum -y -q install iptables-services >/dev/null
) || exiterr2
fi fi
fi fi
bigecho "Installing Fail2Ban to protect SSH..." bigecho "Installing Fail2Ban to protect SSH..."
yum "$REPO1" -y install fail2ban || exiterr2 (
set -x
yum "$REPO1" -y -q install fail2ban >/dev/null
) || exiterr2
bigecho "Compiling and installing Libreswan..." bigecho "Downloading Libreswan..."
SWAN_VER=4.2 SWAN_VER=4.2
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then (
exit 1 set -x
fi wget -t 3 -T 30 -q -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -q -O "$swan_file" "$swan_url2"
) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file" tar xzf "$swan_file" && /bin/rm -f "$swan_file"
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1 cd "libreswan-$SWAN_VER" || exit 1
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w WERROR_CFLAGS=-w
@ -209,7 +235,10 @@ if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
fi fi
NPROCS=$(grep -c ^processor /proc/cpuinfo) NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1 [ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base (
set -x
make "-j$((NPROCS+1))" -s base >/dev/null && make -s install-base >/dev/null
)
cd /opt/src || exit 1 cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
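Review bot: The Libreswan tarball fetched by the two `wget` calls in the "Downloading Libreswan..." step is unpacked with `tar xzf "$swan_file"` and then compiled and installed without any integrity check, so the script trusts whatever either URL returns. Because `SWAN_VER` is pinned, an expected digest can be pinned next to it and checked before extraction, e.g. `echo "<EXPECTED_SHA256>  $swan_file" | sha256sum -c - >/dev/null || exiterr "Libreswan tarball checksum mismatch."`, where the hash is a placeholder to be filled in per release. The GitHub archive and the download.libreswan.org file are probably not byte-identical, so each URL would likely need its own expected value. The same unchecked download step appears in the preceding file's section on this page.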