From b2626dc921f80ddb457e27df72ed18d7a093fad4 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Wed, 27 Apr 2022 00:05:45 -0500
Subject: [PATCH] Cleanup
---
 extras/add_vpn_user.sh | 141 ++++++++++++++------------------
 extras/del_vpn_user.sh | 139 ++++++++++++++-----------------
 extras/ikev2setup.sh | 9 +-
 extras/quickstart.sh | 13 +--
 extras/update_vpn_users.sh | 159 ++++++++++++++++--------------------
 extras/vpnuninstall.sh | 2 -
 extras/vpnupgrade_alpine.sh | 11 ---
 extras/vpnupgrade_amzn.sh | 10 ---
 extras/vpnupgrade_centos.sh | 10 ---
 extras/vpnupgrade_ubuntu.sh | 12 ---
 vpnsetup.sh | 7 +-
 vpnsetup_alpine.sh | 17 +---
 vpnsetup_amzn.sh | 18 +---
 vpnsetup_centos.sh | 18 +---
 vpnsetup_ubuntu.sh | 20 +----
 15 files changed, 206 insertions(+), 380 deletions(-)
diff --git a/extras/add_vpn_user.sh b/extras/add_vpn_user.sh
index 5606f7a..0c142eb 100755
--- a/extras/add_vpn_user.sh
+++ b/extras/add_vpn_user.sh
@@ -28,67 +28,57 @@ EOF } add_vpn_user() { - -if [ "$(id -u)" != 0 ]; then - exiterr "Script must be run as root. Try 'sudo bash $0'" -fi - -if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \ - || [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then + if [ "$(id -u)" != 0 ]; then + exiterr "Script must be run as root. Try 'sudo bash $0'" + fi + if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \ + || [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then cat 1>&2 <<'EOF' Error: Your must first set up the IPsec VPN server before adding VPN users. See: https://github.com/hwdsl2/setup-ipsec-vpn EOF - exit 1 -fi - -command -v openssl >/dev/null 2>&1 || exiterr "'openssl' not found. Abort." - -if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then + exit 1 + fi + command -v openssl >/dev/null 2>&1 || exiterr "'openssl' not found. Abort." + if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then cat 1>&2 <&2 exit 1 fi - read -rp "Password: " VPN_PASSWORD - if [ -z "$VPN_PASSWORD" ]; then - echo "Abort. No changes were made." >&2 - exit 1 + VPN_USER=$1 + VPN_PASSWORD=$2 + if [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then + show_intro + echo + echo "List of existing VPN usernames:" + cut -f1 -d : /etc/ipsec.d/passwd | LC_ALL=C sort + echo + echo "Enter the VPN username you want to add or update." + read -rp "Username: " VPN_USER + if [ -z "$VPN_USER" ]; then + echo "Abort. No changes were made." >&2 + exit 1 + fi + read -rp "Password: " VPN_PASSWORD + if [ -z "$VPN_PASSWORD" ]; then + echo "Abort. No changes were made." >&2 + exit 1 + fi + fi + if printf '%s' "$VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then + exiterr "VPN credentials must not contain non-ASCII characters." 
+ fi + case "$VPN_USER $VPN_PASSWORD" in + *[\\\"\']*) + exiterr "VPN credentials must not contain these special characters: \\ \" '" + ;; + esac + if [ -n "$1" ] && [ -n "$2" ]; then + show_intro fi -fi - -if printf '%s' "$VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then - exiterr "VPN credentials must not contain non-ASCII characters." -fi - -case "$VPN_USER $VPN_PASSWORD" in - *[\\\"\']*) - exiterr "VPN credentials must not contain these special characters: \\ \" '" - ;; -esac - -if [ -n "$1" ] && [ -n "$2" ]; then - show_intro -fi - cat <> /etc/ppp/chap-secrets <> /etc/ipsec.d/passwd <&2 <<'EOF' Error: Your must first set up the IPsec VPN server before deleting VPN users. See: https://github.com/hwdsl2/setup-ipsec-vpn EOF - exit 1 -fi - -if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then + exit 1 + fi + if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then cat 1>&2 <&2 exit 1 fi -fi - -if printf '%s' "$VPN_USER" | LC_ALL=C grep -q '[^ -~]\+'; then - exiterr "VPN username must not contain non-ASCII characters." -fi - -case "$VPN_USER" in - *[\\\"\']*) - exiterr "VPN username must not contain these special characters: \\ \" '" - ;; -esac - -if [ "$(grep -c "^\"$VPN_USER\" " /etc/ppp/chap-secrets)" = "0" ] \ - || [ "$(grep -c "^$VPN_USER:\\\$1\\\$" /etc/ipsec.d/passwd)" = "0" ]; then + VPN_USER=$1 + if [ -z "$VPN_USER" ]; then + show_intro + echo + echo "List of existing VPN usernames:" + cut -f1 -d : /etc/ipsec.d/passwd | LC_ALL=C sort + echo + echo "Enter the VPN username you want to delete." + read -rp "Username: " VPN_USER + if [ -z "$VPN_USER" ]; then + echo "Abort. No changes were made." >&2 + exit 1 + fi + fi + if printf '%s' "$VPN_USER" | LC_ALL=C grep -q '[^ -~]\+'; then + exiterr "VPN username must not contain non-ASCII characters." 
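Review bot: The prompt `read -rp "Password: " VPN_PASSWORD` in the interactive branch of add_vpn_user echoes the password to the terminal, where it stays in scrollback and in any session log; `read -rsp "Password: " VPN_PASSWORD; echo` keeps the same prompt without the echo, and since the script is run under bash (`sudo bash $0`) the builtin's -s option is available. The credential filter on the following lines rejects only `\ " '` and non-ASCII bytes, while usernames are listed by splitting on `:` (`cut -f1 -d : /etc/ipsec.d/passwd`), so a `:` inside VPN_USER would presumably no longer be read back as one field; a one-line `case "$VPN_USER" in *:*) exiterr "VPN username must not contain ':'" ;; esac` next to the existing case closes that. Accepting the password as `$2` is pre-existing, but worth a sentence in the usage text since argv is visible in process listings. The heredocs that append to /etc/ppp/chap-secrets and /etc/ipsec.d/passwd and the end of add_vpn_user are not readable in this rendering.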
+ fi + case "$VPN_USER" in + *[\\\"\']*) + exiterr "VPN username must not contain these special characters: \\ \" '" + ;; + esac + if [ "$(grep -c "^\"$VPN_USER\" " /etc/ppp/chap-secrets)" = "0" ] \ + || [ "$(grep -c "^$VPN_USER:\\\$1\\\$" /etc/ipsec.d/passwd)" = "0" ]; then cat 1>&2 <<'EOF' Error: The specified VPN user does not exist in /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd. EOF - exit 1 -fi - -if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = "1" ] \ - || [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = "1" ]; then + exit 1 + fi + if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = "1" ] \ + || [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = "1" ]; then cat 1>&2 <<'EOF' Error: Could not delete the only VPN user from /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd. EOF - exit 1 -fi - -[ -n "$1" ] && show_intro - + exit 1 + fi + [ -n "$1" ] && show_intro cat <&2; + echo "Error: $1" >&2 fi show_header cat 1>&2 <&2 <<'EOF' Error: Your must first set up the IPsec VPN server before updating VPN users. See: https://github.com/hwdsl2/setup-ipsec-vpn EOF - exit 1 -fi - -command -v openssl >/dev/null 2>&1 || exiterr "'openssl' not found. Abort." - -if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then + exit 1 + fi + command -v openssl >/dev/null 2>&1 || exiterr "'openssl' not found. Abort." + if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then cat 1>&2 <<'EOF' For usage information, visit https://git.io/vpnnotes, then click on Manage VPN Users. 
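Review bot: The existence check `grep -c "^$VPN_USER:\\\$1\\\$" /etc/ipsec.d/passwd` (and the chap-secrets grep on the line before it) interpolates the username unescaped into a basic regular expression, while the filter above rejects only `\ " '` and non-ASCII, so a name such as `a.b` or `a*` is accepted and can match a record other than the one typed; the sed that removes the entries presumably builds its pattern the same way. An exact field comparison avoids treating the name as a pattern, e.g. `awk -F: -v u="$VPN_USER" '$1 == u' /etc/ipsec.d/passwd | grep -q .` for the passwd file, or alternatively the same allow-list the setup scripts in this commit apply to VPN_CLIENT_NAME (`LC_ALL=C grep -q '[^A-Za-z0-9_-]\+'`) could be applied to VPN_USER before the greps. The header of this hunk and the deletion step at its end are not readable in this rendering, so the removal itself could not be reviewed.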
EOF - exit 1 -fi - -[ -n "$YOUR_USERNAMES" ] && VPN_USERS="$YOUR_USERNAMES" -[ -n "$YOUR_PASSWORDS" ] && VPN_PASSWORDS="$YOUR_PASSWORDS" - -VPN_USERS=$(noquotes "$VPN_USERS") -VPN_USERS=$(onespace "$VPN_USERS") -VPN_USERS=$(noquotes2 "$VPN_USERS") -VPN_PASSWORDS=$(noquotes "$VPN_PASSWORDS") -VPN_PASSWORDS=$(onespace "$VPN_PASSWORDS") -VPN_PASSWORDS=$(noquotes2 "$VPN_PASSWORDS") - -if [ -z "$VPN_USERS" ] || [ -z "$VPN_PASSWORDS" ]; then - exiterr "All VPN credentials must be specified. Edit the script and re-enter them." -fi - -if printf '%s' "$VPN_USERS $VPN_PASSWORDS" | LC_ALL=C grep -q '[^ -~]\+'; then - exiterr "VPN credentials must not contain non-ASCII characters." -fi - -case "$VPN_USERS $VPN_PASSWORDS" in - *[\\\"\']*) - exiterr "VPN credentials must not contain these special characters: \\ \" '" - ;; -esac - -if printf '%s' "$VPN_USERS" | tr ' ' '\n' | sort | uniq -c | grep -qv '^ *1 '; then - exiterr "VPN usernames must not contain duplicates." -fi - + exit 1 + fi + [ -n "$YOUR_USERNAMES" ] && VPN_USERS="$YOUR_USERNAMES" + [ -n "$YOUR_PASSWORDS" ] && VPN_PASSWORDS="$YOUR_PASSWORDS" + VPN_USERS=$(noquotes "$VPN_USERS") + VPN_USERS=$(onespace "$VPN_USERS") + VPN_USERS=$(noquotes2 "$VPN_USERS") + VPN_PASSWORDS=$(noquotes "$VPN_PASSWORDS") + VPN_PASSWORDS=$(onespace "$VPN_PASSWORDS") + VPN_PASSWORDS=$(noquotes2 "$VPN_PASSWORDS") + if [ -z "$VPN_USERS" ] || [ -z "$VPN_PASSWORDS" ]; then + exiterr "All VPN credentials must be specified. Edit the script and re-enter them." + fi + if printf '%s' "$VPN_USERS $VPN_PASSWORDS" | LC_ALL=C grep -q '[^ -~]\+'; then + exiterr "VPN credentials must not contain non-ASCII characters." + fi + case "$VPN_USERS $VPN_PASSWORDS" in + *[\\\"\']*) + exiterr "VPN credentials must not contain these special characters: \\ \" '" + ;; + esac + if printf '%s' "$VPN_USERS" | tr ' ' '\n' | sort | uniq -c | grep -qv '^ *1 '; then + exiterr "VPN usernames must not contain duplicates." + fi cat <<'EOF' Welcome! 
Use this script to update VPN user accounts for both @@ -103,19 +92,17 @@ WARNING: *ALL* existing VPN users will be removed and replaced Updated list of VPN users (username | password): EOF - -count=1 -vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1) -vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -d ' ' -f 1) -while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]; do + count=1 + vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1) + vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -d ' ' -f 1) + while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]; do cat <> /etc/ppp/chap-secrets <> /etc/ipsec.d/passwd < "$IPT_FILE" - if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then if [ -f "$IPT_FILE2" ]; then conf_bk "$IPT_FILE2" diff --git a/extras/vpnupgrade_alpine.sh b/extras/vpnupgrade_alpine.sh index e26b203..a352a9a 100755 --- a/extras/vpnupgrade_alpine.sh +++ b/extras/vpnupgrade_alpine.sh @@ -106,7 +106,6 @@ Note: This script will make the following changes to your VPN configuration: Your other VPN config files will not be modified. EOF - if [ "$SWAN_VER" != "$swan_ver_cur" ]; then cat <<'EOF' WARNING: Older versions of Libreswan could contain known security vulnerabilities. @@ -115,7 +114,6 @@ WARNING: Older versions of Libreswan could contain known security vulnerabilitie EOF fi - if [ "$swan_ver_old" = "$SWAN_VER" ]; then cat </dev/null && make -s install-base >/dev/null ) - cd /opt/src || exit 1 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then 
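Review bot: The loop `while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]; do` in update_vpn_users stops at the shorter of the two lists, so when VPN_USERS and VPN_PASSWORDS contain a different number of words the trailing entries are dropped silently, and since the WARNING above states that all existing users are replaced, those accounts are simply lost. The earlier validation catches empty lists, forbidden characters and duplicate usernames but not this mismatch; a count check before the loop, `[ "$(printf '%s' "$VPN_USERS" | wc -w)" = "$(printf '%s' "$VPN_PASSWORDS" | wc -w)" ] || exiterr "Number of VPN usernames and passwords must match."`, would abort before anything is written. The loop body and the heredocs that write the user records are not readable in this rendering, and the ikev2setup.sh, quickstart.sh and vpnuninstall.sh hunks sharing this line are too garbled to review.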
@@ -215,20 +211,17 @@ update_config() { bigecho "Updating VPN configuration..." IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" - if uname -m | grep -qi '^arm'; then if ! modprobe -q sha512; then PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2" fi fi - dns_state=0 DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) [ -n "$DNS_SRV1" ] && dns_state=2 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3 - sed -i".old-$SYS_DT" \ -e "s/^[[:space:]]\+auth=/ phase2=/" \ -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ @@ -237,17 +230,14 @@ update_config() { -e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \ -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \ -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf - if [ "$dns_state" = "1" ]; then sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \ -e "/modecfgdns2=/d" /etc/ipsec.conf elif [ "$dns_state" = "2" ]; then sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf fi - sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf - if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf fi @@ -270,7 +260,6 @@ Libreswan $SWAN_VER has been successfully installed! ================================================ EOF - if [ "$dns_state" = "3" ]; then cat <<'EOF' IMPORTANT: You must edit /etc/ipsec.conf and replace diff --git a/extras/vpnupgrade_amzn.sh b/extras/vpnupgrade_amzn.sh index 69ee61c..e08df01 100755 --- a/extras/vpnupgrade_amzn.sh +++ b/extras/vpnupgrade_amzn.sh 
@@ -90,7 +90,6 @@ Note: This script will make the following changes to your VPN configuration: Your other VPN config files will not be modified. EOF - if [ "$SWAN_VER" != "$swan_ver_cur" ]; then cat <<'EOF' WARNING: Older versions of Libreswan could contain known security vulnerabilities. @@ -99,7 +98,6 @@ WARNING: Older versions of Libreswan could contain known security vulnerabilitie EOF fi - if [ "$swan_ver_old" = "$SWAN_VER" ]; then cat </dev/null && make -s install-base >/dev/null ) - cd /opt/src || exit 1 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then @@ -209,14 +205,12 @@ update_config() { bigecho "Updating VPN configuration..." IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" - dns_state=0 DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) [ -n "$DNS_SRV1" ] && dns_state=2 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3 - sed -i".old-$SYS_DT" \ -e "s/^[[:space:]]\+auth=/ phase2=/" \ -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ 
@@ -225,17 +219,14 @@ update_config() { -e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \ -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \ -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf - if [ "$dns_state" = "1" ]; then sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \ -e "/modecfgdns2=/d" /etc/ipsec.conf elif [ "$dns_state" = "2" ]; then sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf fi - sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf - if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf fi @@ -257,7 +248,6 @@ Libreswan $SWAN_VER has been successfully installed! ================================================ EOF - if [ "$dns_state" = "3" ]; then cat <<'EOF' IMPORTANT: You must edit /etc/ipsec.conf and replace diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 7f3c3a0..3432758 100755 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -116,7 +116,6 @@ Note: This script will make the following changes to your VPN configuration: Your other VPN config files will not be modified. EOF - if [ "$SWAN_VER" != "$swan_ver_cur" ]; then cat <<'EOF' WARNING: Older versions of Libreswan could contain known security vulnerabilities. @@ -125,7 +124,6 @@ WARNING: Older versions of Libreswan could contain known security vulnerabilitie EOF fi - if [ "$swan_ver_old" = "$SWAN_VER" ]; then cat </dev/null && make -s install-base >/dev/null ) - cd /opt/src || exit 1 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then 
@@ -259,14 +255,12 @@ update_config() { bigecho "Updating VPN configuration..." IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" - dns_state=0 DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) [ -n "$DNS_SRV1" ] && dns_state=2 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3 - sed -i".old-$SYS_DT" \ -e "s/^[[:space:]]\+auth=/ phase2=/" \ -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ @@ -275,17 +269,14 @@ update_config() { -e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \ -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \ -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf - if [ "$dns_state" = "1" ]; then sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \ -e "/modecfgdns2=/d" /etc/ipsec.conf elif [ "$dns_state" = "2" ]; then sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf fi - sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf - if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf fi @@ -307,7 +298,6 @@ Libreswan $SWAN_VER has been successfully installed! ================================================ EOF - if [ "$dns_state" = "3" ]; then cat <<'EOF' IMPORTANT: You must edit /etc/ipsec.conf and replace diff --git a/extras/vpnupgrade_ubuntu.sh b/extras/vpnupgrade_ubuntu.sh index f27d7a0..3474865 100755 --- a/extras/vpnupgrade_ubuntu.sh +++ b/extras/vpnupgrade_ubuntu.sh 
@@ -89,7 +89,6 @@ check_swan_ver() { if [ "$SWAN_VER" = "3.32" ] && [ "$os_ver" = "11" ]; then exiterr "Libreswan 3.32 is not supported on Debian 11." fi - if [ "$SWAN_VER" != "3.32" ] \ && { ! printf '%s\n%s' "4.1" "$SWAN_VER" | sort -C -V \ || ! printf '%s\n%s' "$SWAN_VER" "$swan_ver_cur" | sort -C -V; }; then @@ -117,7 +116,6 @@ Note: This script will make the following changes to your VPN configuration: Your other VPN config files will not be modified. EOF - if [ "$SWAN_VER" != "$swan_ver_cur" ]; then cat <<'EOF' WARNING: Older versions of Libreswan could contain known security vulnerabilities. @@ -126,7 +124,6 @@ WARNING: Older versions of Libreswan could contain known security vulnerabilitie EOF fi - if [ "$swan_ver_old" = "$SWAN_VER" ]; then cat </dev/null && make -s install-base >/dev/null ) - cd /opt/src || exit 1 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then @@ -246,20 +241,17 @@ update_config() { bigecho "Updating VPN configuration..." IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" - if uname -m | grep -qi '^arm'; then if ! modprobe -q sha512; then PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2" fi fi - dns_state=0 DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) [ -n "$DNS_SRV1" ] && dns_state=2 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3 - sed -i".old-$SYS_DT" \ -e "s/^[[:space:]]\+auth=/ phase2=/" \ -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ 
@@ -268,17 +260,14 @@ update_config() { -e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \ -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \ -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf - if [ "$dns_state" = "1" ]; then sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \ -e "/modecfgdns2=/d" /etc/ipsec.conf elif [ "$dns_state" = "2" ]; then sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf fi - sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf - if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf fi @@ -300,7 +289,6 @@ Libreswan $SWAN_VER has been successfully installed! ================================================ EOF - if [ "$dns_state" = "3" ]; then cat <<'EOF' IMPORTANT: You must edit /etc/ipsec.conf and replace diff --git a/vpnsetup.sh b/vpnsetup.sh index 5f3d165..7097714 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -2,7 +2,6 @@ # # Script for automatic setup of an IPsec VPN server on Ubuntu, Debian, CentOS/RHEL, # Rocky Linux, AlmaLinux, Oracle Linux, Amazon Linux 2 and Alpine Linux -# Works on any dedicated server or virtual private server (VPS) # # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! # 
@@ -159,19 +158,15 @@ check_creds() {
 [ -n "$YOUR_IPSEC_PSK" ] && VPN_IPSEC_PSK="$YOUR_IPSEC_PSK"
 [ -n "$YOUR_USERNAME" ] && VPN_USER="$YOUR_USERNAME"
 [ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD"
-
 if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
 return 0
 fi
-
 if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
 exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
 fi
-
 if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
 exiterr "VPN credentials must not contain non-ASCII characters."
 fi
-
 case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
 *[\\\"\']*)
 exiterr "VPN credentials must not contain these special characters: \\ \" '"
@@ -196,7 +191,7 @@ check_client_name() {
 if [ -n "$VPN_CLIENT_NAME" ]; then
 name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)"
 if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
- || case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then
+ || case $VPN_CLIENT_NAME in -*) true ;; *) false ;; esac; then
 exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
 fi
 fi
diff --git a/vpnsetup_alpine.sh b/vpnsetup_alpine.sh
index c7ce791..19f7d4f 100755
--- a/vpnsetup_alpine.sh
+++ b/vpnsetup_alpine.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 #
 # Script for automatic setup of an IPsec VPN server on Alpine Linux
-# Works on any dedicated server or virtual private server (VPS)
 #
 # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
 #
@@ -141,7 +140,7 @@ check_client_name() { if [ -n "$VPN_CLIENT_NAME" ]; then name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)" if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ - || case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then + || case $VPN_CLIENT_NAME in -*) true ;; *) false ;; esac; then exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'." fi fi @@ -285,7 +284,6 @@ EOF create_vpn_config() { bigecho "Creating VPN configuration..." - L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'} L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'} L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'} @@ -295,7 +293,6 @@ create_vpn_config() { DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'} DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\"" [ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1" - # Create IPsec config conf_bk "/etc/ipsec.conf" cat > /etc/ipsec.conf < /etc/ipsec.secrets < /etc/xl2tpd/xl2tpd.conf < /etc/ppp/options.xl2tpd <> /etc/ppp/options.xl2tpd < /etc/ppp/chap-secrets < /etc/ipsec.d/passwd </dev/null @@ -495,14 +483,11 @@ EOF start_services() { bigecho "Starting services..." sysctl -e -q -p - chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* - mkdir -p /run/pluto service fail2ban restart >/dev/null 2>&1 service ipsec restart >/dev/null 2>&1 service xl2tpd restart >/dev/null 2>&1 - mkdir -p /etc/crontabs cron_cmd="rc-service -c ipsec zap start" if ! grep -qs "$cron_cmd" /etc/crontabs/root; then diff --git a/vpnsetup_amzn.sh b/vpnsetup_amzn.sh index 749fcee..73a2381 100755 --- a/vpnsetup_amzn.sh +++ b/vpnsetup_amzn.sh @@ -1,7 +1,6 @@ #!/bin/bash # # Script for automatic setup of an IPsec VPN server on Amazon Linux 2 -# Works on any dedicated server or virtual private server (VPS) # # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! # 
@@ -123,7 +122,7 @@ check_client_name() { if [ -n "$VPN_CLIENT_NAME" ]; then name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)" if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ - || case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then + || case $VPN_CLIENT_NAME in -*) true ;; *) false ;; esac; then exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'." fi fi @@ -287,7 +286,6 @@ EOF create_vpn_config() { bigecho "Creating VPN configuration..." - L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'} L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'} L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'} @@ -297,7 +295,6 @@ create_vpn_config() { DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'} DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\"" [ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1" - # Create IPsec config conf_bk "/etc/ipsec.conf" cat > /etc/ipsec.conf < /etc/ipsec.secrets < /etc/xl2tpd/xl2tpd.conf < /etc/ppp/options.xl2tpd <> /etc/ppp/options.xl2tpd < /etc/ppp/chap-secrets < /etc/ipsec.d/passwd </dev/null systemctl enable iptables fail2ban 2>/dev/null - if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if [ -f /etc/rc.local ]; then conf_bk "/etc/rc.local" @@ -511,22 +500,17 @@ EOF start_services() { bigecho "Starting services..." sysctl -e -q -p - chmod +x /etc/rc.local chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* - restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null - iptables-restore < "$IPT_FILE" - # Fix xl2tpd if l2tp_ppp is unavailable if ! modprobe -q l2tp_ppp; then sed -i '/^ExecStartPre=\//s/=/=-/' /usr/lib/systemd/system/xl2tpd.service systemctl daemon-reload fi - mkdir -p /run/pluto service fail2ban restart 2>/dev/null service ipsec restart 2>/dev/null diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index afecddb..e3d6ed1 100755 
--- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -2,7 +2,6 @@ # # Script for automatic setup of an IPsec VPN server on CentOS/RHEL, Rocky Linux, # AlmaLinux and Oracle Linux -# Works on any dedicated server or virtual private server (VPS) # # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! # @@ -151,7 +150,7 @@ check_client_name() { if [ -n "$VPN_CLIENT_NAME" ]; then name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)" if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ - || case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then + || case $VPN_CLIENT_NAME in -*) true ;; *) false ;; esac; then exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'." fi fi @@ -358,7 +357,6 @@ EOF create_vpn_config() { bigecho "Creating VPN configuration..." - L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'} L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'} L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'} @@ -368,7 +366,6 @@ create_vpn_config() { DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'} DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\"" [ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1" - # Create IPsec config conf_bk "/etc/ipsec.conf" cat > /etc/ipsec.conf < /etc/ipsec.secrets < /etc/xl2tpd/xl2tpd.conf < /etc/ppp/options.xl2tpd <> /etc/ppp/options.xl2tpd < /etc/ppp/chap-secrets < /etc/ipsec.d/passwd </dev/null fi - if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if [ -f /etc/rc.local ]; then conf_bk "/etc/rc.local" 
@@ -634,26 +623,21 @@ EOF start_services() { bigecho "Starting services..." sysctl -e -q -p - chmod +x /etc/rc.local chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* - restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null - if [ "$use_nft" = "1" ]; then nft -f "$IPT_FILE" else iptables-restore < "$IPT_FILE" fi - # Fix xl2tpd if l2tp_ppp is unavailable if ! modprobe -q l2tp_ppp; then sed -i '/^ExecStartPre=\//s/=/=-/' /usr/lib/systemd/system/xl2tpd.service systemctl daemon-reload fi - mkdir -p /run/pluto service fail2ban restart 2>/dev/null service ipsec restart 2>/dev/null diff --git a/vpnsetup_ubuntu.sh b/vpnsetup_ubuntu.sh index 64fd26f..8cda816 100755 --- a/vpnsetup_ubuntu.sh +++ b/vpnsetup_ubuntu.sh @@ -1,7 +1,6 @@ #!/bin/bash # # Script for automatic setup of an IPsec VPN server on Ubuntu and Debian -# Works on any dedicated server or virtual private server (VPS) # # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! # @@ -149,7 +148,7 @@ check_client_name() { if [ -n "$VPN_CLIENT_NAME" ]; then name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)" if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ - || case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then + || case $VPN_CLIENT_NAME in -*) true ;; *) false ;; esac; then exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'." fi fi @@ -335,7 +334,6 @@ EOF create_vpn_config() { bigecho "Creating VPN configuration..." - L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'} L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'} L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'} 
@@ -345,7 +343,6 @@ create_vpn_config() { DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'} DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\"" [ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1" - # Create IPsec config conf_bk "/etc/ipsec.conf" cat > /etc/ipsec.conf < /etc/ipsec.secrets < /etc/xl2tpd/xl2tpd.conf < /etc/ppp/options.xl2tpd <> /etc/ppp/options.xl2tpd < /etc/ppp/chap-secrets < /etc/ipsec.d/passwd < "$IPT_FILE" iptables-save >> "$IPT_FILE" - if [ -f "$IPT_FILE2" ]; then conf_bk "$IPT_FILE2" /bin/cp -f "$IPT_FILE" "$IPT_FILE2" @@ -555,7 +543,6 @@ enable_on_boot() { if [ -f "$IPT_FILE2" ] && { [ -f "$IPT_PST" ] || [ -f "$IPT_PST2" ]; }; then ipt_load=0 fi - if [ "$ipt_load" = "1" ]; then mkdir -p /etc/network/if-pre-up.d cat > /etc/network/if-pre-up.d/iptablesload <<'EOF' @@ -564,7 +551,6 @@ iptables-restore < /etc/iptables.rules exit 0 EOF chmod +x /etc/network/if-pre-up.d/iptablesload - if [ -f /usr/sbin/netplan ]; then mkdir -p /etc/systemd/system cat > /etc/systemd/system/load-iptables-rules.service <<'EOF' @@ -588,12 +574,10 @@ EOF systemctl enable load-iptables-rules 2>/dev/null fi fi - for svc in fail2ban ipsec xl2tpd; do update-rc.d "$svc" enable >/dev/null 2>&1 systemctl enable "$svc" 2>/dev/null done - if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if [ -f /etc/rc.local ]; then conf_bk "/etc/rc.local" @@ -616,10 +600,8 @@ EOF start_services() { bigecho "Starting services..." sysctl -e -q -p - chmod +x /etc/rc.local chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* - mkdir -p /run/pluto service fail2ban restart 2>/dev/null service ipsec restart 2>/dev/null