From cc99e1812393b659621cfc10e60eec2c3c9747af Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Sat, 24 Sep 2022 18:56:27 -0500
Subject: [PATCH] Cleanup
---
 extras/del_vpn_user.sh | 8 +--
 extras/ikev2changeaddr.sh | 26 ++++-----
 extras/ikev2setup.sh | 110 ++++++++++++++++++------------------
 extras/quickstart.sh | 8 +--
 extras/vpnuninstall.sh | 6 +-
 extras/vpnupgrade.sh | 2 +-
 extras/vpnupgrade_alpine.sh | 6 +-
 extras/vpnupgrade_amzn.sh | 6 +-
 extras/vpnupgrade_centos.sh | 8 +--
 extras/vpnupgrade_ubuntu.sh | 8 +--
 vpnsetup.sh | 8 +--
 vpnsetup_alpine.sh | 8 +--
 vpnsetup_amzn.sh | 8 +--
 vpnsetup_centos.sh | 30 +++++-----
 vpnsetup_ubuntu.sh | 16 +++---
 15 files changed, 128 insertions(+), 130 deletions(-)
diff --git a/extras/del_vpn_user.sh b/extras/del_vpn_user.sh
index b9624b1..199d06a 100755
--- a/extras/del_vpn_user.sh
+++ b/extras/del_vpn_user.sh
@@ -65,16 +65,16 @@ EOF
 exiterr "VPN username must not contain these special characters: \\ \" '"
 ;;
 esac
- if [ "$(grep -c "^\"$VPN_USER\" " /etc/ppp/chap-secrets)" = "0" ] \
- || [ "$(grep -c "^$VPN_USER:\\\$1\\\$" /etc/ipsec.d/passwd)" = "0" ]; then
+ if [ "$(grep -c "^\"$VPN_USER\" " /etc/ppp/chap-secrets)" = 0 ] \
+ || [ "$(grep -c "^$VPN_USER:\\\$1\\\$" /etc/ipsec.d/passwd)" = 0 ]; then
 cat 1>&2 <<'EOF'
 Error: The specified VPN user does not exist in /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd.
 EOF
 exit 1
 fi
- if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = "1" ] \
- || [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = "1" ]; then
+ if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = 1 ] \
+ || [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = 1 ]; then
 cat 1>&2 <<'EOF'
 Error: Could not delete the only VPN user from /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd.
diff --git a/extras/ikev2changeaddr.sh b/extras/ikev2changeaddr.sh
index 25f13a1..6a27ed3 100755
--- a/extras/ikev2changeaddr.sh
+++ b/extras/ikev2changeaddr.sh
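Review bot: `$VPN_USER` is spliced into a grep basic regex on both `+` lines of the first `if`, so a name containing `.` or `*` matches more than the literal entry; the `case` arm just above only rejects `\ " '`, and any stricter character-set validation would be outside this hunk. The second pattern also only recognises `$1$` (MD5-crypt) hashes in /etc/ipsec.d/passwd, so a user whose entry was stored with any other hash prefix is reported as non-existent. A comment on the first `+` line would make both assumptions explicit, e.g. `# VPN_USER is used as a regex here and must already be restricted to [A-Za-z0-9_-]; passwd entries are expected to be $1$ (MD5-crypt)`. The enclosing block starts before this hunk.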
@@ -108,7 +108,6 @@ get_server_address() { show_welcome() { cat <&2 echo " To manage VPN clients, re-run this script without '--auto'." >&2 echo " To change IKEv2 server address, see https://vpnsetup.net/ikev2" >&2 
@@ -220,37 +220,37 @@ check_arguments() {
 if [ "$((add_client + export_client + list_clients + revoke_client + delete_client))" -gt 1 ]; then
 show_usage "Invalid parameters. Specify only one of '--addclient', '--exportclient', '--listclients', '--revokeclient' or '--deleteclient'."
 fi
- if [ "$remove_ikev2" = "1" ]; then
+ if [ "$remove_ikev2" = 1 ]; then
 if [ "$((add_client + export_client + list_clients + revoke_client + delete_client + use_defaults))" -gt 0 ]; then
 show_usage "Invalid parameters. '--removeikev2' cannot be specified with other parameters."
 fi
 fi
 if ! check_ikev2_exists; then
- [ "$add_client" = "1" ] && exiterr "You must first set up IKEv2 before adding a client."
- [ "$export_client" = "1" ] && exiterr "You must first set up IKEv2 before exporting a client."
- [ "$list_clients" = "1" ] && exiterr "You must first set up IKEv2 before listing clients."
- [ "$revoke_client" = "1" ] && exiterr "You must first set up IKEv2 before revoking a client."
- [ "$delete_client" = "1" ] && exiterr "You must first set up IKEv2 before deleting a client."
- [ "$remove_ikev2" = "1" ] && exiterr "Cannot remove IKEv2 because it has not been set up on this server."
+ [ "$add_client" = 1 ] && exiterr "You must first set up IKEv2 before adding a client."
+ [ "$export_client" = 1 ] && exiterr "You must first set up IKEv2 before exporting a client."
+ [ "$list_clients" = 1 ] && exiterr "You must first set up IKEv2 before listing clients."
+ [ "$revoke_client" = 1 ] && exiterr "You must first set up IKEv2 before revoking a client."
+ [ "$delete_client" = 1 ] && exiterr "You must first set up IKEv2 before deleting a client."
+ [ "$remove_ikev2" = 1 ] && exiterr "Cannot remove IKEv2 because it has not been set up on this server."
 fi
- if [ "$add_client" = "1" ]; then
+ if [ "$add_client" = 1 ]; then
 if [ -z "$client_name" ] || ! check_client_name "$client_name"; then
 exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
 elif check_cert_exists "$client_name"; then
 exiterr "Invalid client name. Client '$client_name' already exists."
 fi
 fi
- if [ "$export_client" = "1" ] || [ "$revoke_client" = "1" ] || [ "$delete_client" = "1" ]; then
+ if [ "$export_client" = 1 ] || [ "$revoke_client" = 1 ] || [ "$delete_client" = 1 ]; then
 get_server_address
 if [ -z "$client_name" ] || ! check_client_name "$client_name" \
 || [ "$client_name" = "$CA_NAME" ] || [ "$client_name" = "$server_addr" ] \
 || ! check_cert_exists "$client_name"; then
 exiterr "Invalid client name, or client does not exist."
 fi
- if [ "$delete_client" = "0" ] && ! check_cert_status "$client_name"; then
+ if [ "$delete_client" = 0 ] && ! check_cert_status "$client_name"; then
 printf '%s' "Error: Certificate '$client_name' " >&2
 if printf '%s' "$cert_status" | grep -q "revoked"; then
- if [ "$revoke_client" = "1" ]; then
+ if [ "$revoke_client" = 1 ]; then
 echo "has already been revoked." >&2
 else
 echo "has been revoked." >&2
@@ -370,10 +370,11 @@ get_default_ip() {
 }
 get_server_ip() {
- bigecho2 "Trying to auto discover IP of this server..."
+ use_default_ip=0
 public_ip=${VPN_PUBLIC_IP:-''}
 check_ip "$public_ip" || get_default_ip
- check_ip "$public_ip" && return 0
+ check_ip "$public_ip" && { use_default_ip=1; return 0; }
+ bigecho2 "Trying to auto discover IP of this server..."
 check_ip "$public_ip" || public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
 check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ipv4.icanhazip.com)
 check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ip1.dynupdate.no-ip.com)
@@ -405,7 +406,7 @@ list_existing_clients() {
 fi
 client_count=$(printf '%s\n' "$client_names" | wc -l 2>/dev/null)
 [ -z "$client_names" ] && client_count=0
- if [ "$client_count" = "1" ]; then
+ if [ "$client_count" = 1 ]; then
 printf '\n%s\n' "Total: 1 client"
 elif [ -n "$client_count" ]; then
 printf '\n%s\n' "Total: $client_count clients"
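Review bot: In get_server_ip, `use_default_ip=1` is set whenever `check_ip` accepts the address before any lookup, which includes the case where it came from `VPN_PUBLIC_IP` rather than `get_default_ip`, so the flag's name understates what it records (no network auto-discovery was performed) and enter_server_address depends on exactly that meaning. A comment on the new `+` line would pin it down: `# 1 = address came from VPN_PUBLIC_IP or the default route; no online lookup was needed`. The fallbacks that follow query third parties over plain DNS and HTTP and are accepted only through `check_ip`, which is already the case on the visible lines but is worth stating in the same comment so the validation is not dropped later. get_server_ip continues past the end of the hunk.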
@@ -426,7 +427,7 @@ enter_server_address() {
 echo
 ;;
 esac
- if [ "$use_dns_name" = "1" ]; then
+ if [ "$use_dns_name" = 1 ]; then
 read -rp "Enter the DNS name of this VPN server: " server_addr
 until check_dns_name "$server_addr"; do
 echo "Invalid DNS name. You must enter a fully qualified domain name (FQDN)."
@@ -434,8 +435,7 @@ enter_server_address() {
 done
 else
 get_server_ip
- echo
- echo
+ [ "$use_default_ip" = 0 ] && { echo; echo; }
 read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr
 [ -z "$server_addr" ] && server_addr="$public_ip"
 until check_ip "$server_addr"; do
@@ -476,7 +476,7 @@ enter_client_name() {
 enter_client_name_for() {
 echo
 list_existing_clients
- if [ "$client_count" = "0" ]; then
+ if [ "$client_count" = 0 ]; then
 echo
 echo "No IKEv2 clients in the IPsec database. Nothing to $1." >&2
 exit 1
@@ -541,7 +541,7 @@ enter_custom_dns() {
 dns_servers="8.8.8.8 8.8.4.4"
 ;;
 esac
- if [ "$use_custom_dns" = "1" ]; then
+ if [ "$use_custom_dns" = 1 ]; then
 read -rp "Enter primary DNS server: " dns_server_1
 until check_ip "$dns_server_1"; do
 echo "Invalid DNS server."
@@ -582,7 +582,7 @@ check_mobike_support() {
 fi
 fi
 # Linux kernels on Ubuntu do not support MOBIKE
- if [ "$in_container" = "0" ]; then
+ if [ "$in_container" = 0 ]; then
 if [ "$os_type" = "ubuntu" ] || uname -v | grep -qi ubuntu; then
 mobike_support=0
 fi
@@ -597,7 +597,7 @@ check_mobike_support() {
 if uname -a | grep -qi synology; then
 mobike_support=0
 fi
- if [ "$mobike_support" = "1" ]; then
+ if [ "$mobike_support" = 1 ]; then
 bigecho2 "Checking for MOBIKE support... available"
 else
 bigecho2 "Checking for MOBIKE support... not available"
@@ -607,7 +607,7 @@ check_mobike_support() {
 select_mobike() {
 echo
 mobike_enable=0
- if [ "$mobike_support" = "1" ]; then
+ if [ "$mobike_support" = 1 ]; then
 cat <<'EOF'
 The MOBIKE IKEv2 extension allows VPN clients to change network attachment points,
@@ -642,7 +642,7 @@ check_config_password() {
 }
 select_config_password() {
- if [ "$use_config_password" = "0" ]; then
+ if [ "$use_config_password" = 0 ]; then
 cat <<'EOF'
 IKEv2 client config files contain the client certificate, private key and CA certificate.
@@ -699,13 +699,13 @@ We are ready to set up IKEv2 now. Below are the setup options you selected.
 EOF
 print_server_client_info
- if [ "$client_validity" = "1" ]; then
+ if [ "$client_validity" = 1 ]; then
 echo "Client cert valid for: 1 month"
 else
 echo "Client cert valid for: $client_validity months"
 fi
- if [ "$mobike_support" = "1" ]; then
- if [ "$mobike_enable" = "1" ]; then
+ if [ "$mobike_support" = 1 ]; then
+ if [ "$mobike_enable" = 1 ]; then
 echo "MOBIKE support: Enable"
 else
 echo "MOBIKE support: Disable"
@@ -713,7 +713,7 @@ EOF
 else
 echo "MOBIKE support: Not available"
 fi
- if [ "$use_config_password" = "1" ]; then
+ if [ "$use_config_password" = 1 ]; then
 echo "Protect client config: Yes"
 else
 echo "Protect client config: No"
@@ -754,7 +754,7 @@ create_p12_password() {
 }
 get_p12_password() {
- if [ "$use_config_password" = "0" ]; then
+ if [ "$use_config_password" = 0 ]; then
 create_p12_password
 else
 p12_password=$(grep -s '^IKEV2_CONFIG_PASSWORD=.\+' "$CONF_FILE" | tail -n 1 | cut -f2- -d= | sed -e "s/^'//" -e "s/'$//")
@@ -788,7 +788,7 @@ export_p12_file() {
 /bin/rm -f "$client_key" "$client_crt" "$ca_crt"
 openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \
 -legacy -name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
- if [ "$use_config_password" = "0" ]; then
+ if [ "$use_config_password" = 0 ]; then
 openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \
 -legacy -name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1
 fi
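Review bot: On the `openssl pkcs12` lines of the -788 hunk (and the matching -798 hunk in export_p12_file) the client password is handed over as `-passin "pass:$p12_password"` and `-passout "pass:$p12_password"`, so for the lifetime of each openssl process it is visible in the argument list to any local user; `-passin env:P12_PASS -passout env:P12_PASS`, with the variable exported only for that command, or a `file:` source with mode 600, keeps it out of `ps`. The `PBE-SHA1-3DES`/`-legacy` settings are presumably retained for client compatibility; a one-line comment saying so would stop the next maintainer from removing them without checking which clients still need them. export_p12_file starts before this hunk.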
@@ -798,18 +798,18 @@ export_p12_file() { openssl pkcs12 -in "$p12_file_enc" -out "$pem_file" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1 openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \ -name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1 - if [ "$use_config_password" = "0" ]; then + if [ "$use_config_password" = 0 ]; then openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \ -name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1 fi /bin/rm -f "$pem_file" - elif [ "$use_config_password" = "0" ]; then + elif [ "$use_config_password" = 0 ]; then pk12util -W "" -d "$CERT_DB" -n "$client_name" -o "$p12_file" >/dev/null || exit 1 fi - if [ "$use_config_password" = "1" ]; then + if [ "$use_config_password" = 1 ]; then /bin/cp -f "$p12_file_enc" "$p12_file" fi - if [ "$export_to_home_dir" = "1" ]; then + if [ "$export_to_home_dir" = 1 ]; then chown "$SUDO_USER:$SUDO_USER" "$p12_file" fi chmod 600 "$p12_file" @@ -950,7 +950,7 @@ cat > "$mc_file" < EOF - if [ "$use_config_password" = "0" ]; then + if [ "$use_config_password" = 0 ]; then cat >> "$mc_file" <Password $p12_password @@ -1012,7 +1012,7 @@ $ca_base64 EOF - if [ "$export_to_home_dir" = "1" ]; then + if [ "$export_to_home_dir" = 1 ]; then chown "$SUDO_USER:$SUDO_USER" "$mc_file" fi chmod 600 "$mc_file" @@ -1041,7 +1041,7 @@ cat > "$sswan_file" < "$readme_file" <<'EOF' These IKEv2 client config files were created during IPsec VPN setup. To configure IKEv2 clients, see: https://vpnsetup.net/clients EOF - if [ "$export_to_home_dir" = "1" ]; then + if [ "$export_to_home_dir" = 1 ]; then chown "$SUDO_USER:$SUDO_USER" "$readme_file" fi chmod 600 "$readme_file" 
@@ -1140,7 +1140,7 @@ conn ikev2-cp salifetime=24h encapsulation=yes EOF - if [ "$use_dns_name" = "1" ]; then + if [ "$use_dns_name" = 1 ]; then cat >> "$IKEV2_CONF" <> "$IKEV2_CONF" <> "$IKEV2_CONF" else echo " mobike=no" >> "$IKEV2_CONF" @@ -1189,7 +1189,7 @@ apply_ubuntu1804_nss_fix() { } restart_ipsec_service() { - if [ "$in_container" = "0" ] || { [ "$in_container" = "1" ] && service ipsec status >/dev/null 2>&1; }; then + if [ "$in_container" = 0 ] || { [ "$in_container" = 1 ] && service ipsec status >/dev/null 2>&1; }; then bigecho2 "Restarting IPsec service..." mkdir -p /run/pluto service ipsec restart 2>/dev/null @@ -1281,7 +1281,7 @@ print_client_deleted() { print_setup_complete() { printf '\e[2K\e[1A\e[2K\r' - [ "$use_defaults" = "1" ] && printf '\e[1A\e[2K\e[1A\e[2K\e[1A\e[2K\r' + [ "$use_defaults" = 1 ] && printf '\e[1A\e[2K\e[1A\e[2K\e[1A\e[2K\r' cat </dev/null 2>&1 \ || lsof "$apt_lk" >/dev/null 2>&1 || lsof "$pkg_lk" >/dev/null 2>&1; do - [ "$count" = "0" ] && echo "## Waiting for apt to be available..." - [ "$count" -ge "100" ] && exiterr "Could not get apt/dpkg lock." + [ "$count" = 0 ] && echo "## Waiting for apt to be available..." + [ "$count" -ge 100 ] && exiterr "Could not get apt/dpkg lock." count=$((count+1)) printf '%s' '.' sleep 3 diff --git a/extras/vpnuninstall.sh b/extras/vpnuninstall.sh index cddfb66..ae3f75b 100755 --- a/extras/vpnuninstall.sh +++ b/extras/vpnuninstall.sh @@ -99,7 +99,7 @@ check_iface() { else check_wl=1 fi - if [ "$check_wl" = "1" ]; then + if [ "$check_wl" = 1 ]; then case $def_iface in wl*) exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!" 
@@ -244,8 +244,8 @@ update_iptables_rules() {
 ipf='iptables -D FORWARD'
 ipp='iptables -t nat -D POSTROUTING'
 res='RELATED,ESTABLISHED'
- if [ "$ipt_flag" = "1" ]; then
- if [ "$use_nft" = "0" ]; then
+ if [ "$ipt_flag" = 1 ]; then
+ if [ "$use_nft" = 0 ]; then
 bigecho "Updating IPTables rules..."
 get_vpn_subnets
 iptables-save > "$IPT_FILE.old-$SYS_DT"
diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index 5370300..fa14360 100755
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -95,7 +95,7 @@ EOF
 fi
 else
 os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
- if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then
+ if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
 exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
 fi
 fi
diff --git a/extras/vpnupgrade_alpine.sh b/extras/vpnupgrade_alpine.sh
index bbbae23..05bf56b 100755
--- a/extras/vpnupgrade_alpine.sh
+++ b/extras/vpnupgrade_alpine.sh
@@ -230,10 +230,10 @@ update_config() {
 -e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
 -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
 -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
- if [ "$dns_state" = "1" ]; then
+ if [ "$dns_state" = 1 ]; then
 sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
 -e "/modecfgdns2=/d" /etc/ipsec.conf
- elif [ "$dns_state" = "2" ]; then
+ elif [ "$dns_state" = 2 ]; then
 sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
 fi
 sed -i "/ikev2=never/d" /etc/ipsec.conf
@@ -260,7 +260,7 @@ Libreswan $SWAN_VER has been successfully installed!
 ================================================
 EOF
- if [ "$dns_state" = "3" ]; then
+ if [ "$dns_state" = 3 ]; then
 cat <<'EOF'
 IMPORTANT: You must edit /etc/ipsec.conf and replace all occurrences of these two lines:
diff --git a/extras/vpnupgrade_amzn.sh b/extras/vpnupgrade_amzn.sh
index 8f99280..19f1d7a 100755
--- a/extras/vpnupgrade_amzn.sh
+++ b/extras/vpnupgrade_amzn.sh
@@ -219,10 +219,10 @@ update_config() {
 -e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
 -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
 -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
- if [ "$dns_state" = "1" ]; then
+ if [ "$dns_state" = 1 ]; then
 sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
 -e "/modecfgdns2=/d" /etc/ipsec.conf
- elif [ "$dns_state" = "2" ]; then
+ elif [ "$dns_state" = 2 ]; then
 sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
 fi
 sed -i "/ikev2=never/d" /etc/ipsec.conf
@@ -248,7 +248,7 @@ Libreswan $SWAN_VER has been successfully installed!
 ================================================
 EOF
- if [ "$dns_state" = "3" ]; then
+ if [ "$dns_state" = 3 ]; then
 cat <<'EOF'
 IMPORTANT: You must edit /etc/ipsec.conf and replace all occurrences of these two lines:
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index e335de5..e511b75 100755
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
@@ -173,7 +173,7 @@ install_pkgs_2() {
 if [ "$os_type$os_ver" = "ol7" ]; then
 rp2="$erp=ol7_optional_latest"
 fi
- if [ "$os_ver" = "7" ]; then
+ if [ "$os_ver" = 7 ]; then
 (
 set -x
 yum "$rp1" "$rp2" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
@@ -271,10 +271,10 @@ update_config() {
 -e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
 -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
 -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
- if [ "$dns_state" = "1" ]; then
+ if [ "$dns_state" = 1 ]; then
 sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
 -e "/modecfgdns2=/d" /etc/ipsec.conf
- elif [ "$dns_state" = "2" ]; then
+ elif [ "$dns_state" = 2 ]; then
 sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
 fi
 sed -i "/ikev2=never/d" /etc/ipsec.conf
@@ -300,7 +300,7 @@ Libreswan $SWAN_VER has been successfully installed!
 ================================================
 EOF
- if [ "$dns_state" = "3" ]; then
+ if [ "$dns_state" = 3 ]; then
 cat <<'EOF'
 IMPORTANT: You must edit /etc/ipsec.conf and replace all occurrences of these two lines:
diff --git a/extras/vpnupgrade_ubuntu.sh b/extras/vpnupgrade_ubuntu.sh
index 3cf0504..97a87d8 100755
--- a/extras/vpnupgrade_ubuntu.sh
+++ b/extras/vpnupgrade_ubuntu.sh
@@ -57,7 +57,7 @@ check_os() {
 ;;
 esac
 os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
- if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then
+ if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
 exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
 fi
 }
@@ -260,10 +260,10 @@ update_config() {
 -e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
 -e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
 -e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
- if [ "$dns_state" = "1" ]; then
+ if [ "$dns_state" = 1 ]; then
 sed -i -e "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
 -e "/modecfgdns2=/d" /etc/ipsec.conf
- elif [ "$dns_state" = "2" ]; then
+ elif [ "$dns_state" = 2 ]; then
 sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
 fi
 sed -i "/ikev2=never/d" /etc/ipsec.conf
@@ -289,7 +289,7 @@ Libreswan $SWAN_VER has been successfully installed!
 ================================================
 EOF
- if [ "$dns_state" = "3" ]; then
+ if [ "$dns_state" = 3 ]; then
 cat <<'EOF'
 IMPORTANT: You must edit /etc/ipsec.conf and replace all occurrences of these two lines:
diff --git a/vpnsetup.sh b/vpnsetup.sh
index e76b303..4254810 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -127,7 +127,7 @@ EOF
 fi
 else
 os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
- if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then
+ if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
 exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
 fi
 fi
@@ -150,7 +150,7 @@ check_iface() {
 check_wl=1
 fi
 fi
- if [ "$check_wl" = "1" ]; then
+ if [ "$check_wl" = 1 ]; then
 case $def_iface in
 wl*)
 exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
@@ -208,8 +208,8 @@ wait_for_apt() {
 pkg_lk=/var/lib/dpkg/lock
 while fuser "$apt_lk" "$pkg_lk" >/dev/null 2>&1 \
 || lsof "$apt_lk" >/dev/null 2>&1 || lsof "$pkg_lk" >/dev/null 2>&1; do
- [ "$count" = "0" ] && echo "## Waiting for apt to be available..."
- [ "$count" -ge "100" ] && exiterr "Could not get apt/dpkg lock."
+ [ "$count" = 0 ] && echo "## Waiting for apt to be available..."
+ [ "$count" -ge 100 ] && exiterr "Could not get apt/dpkg lock."
 count=$((count+1))
 printf '%s' '.'
 sleep 3
diff --git a/vpnsetup_alpine.sh b/vpnsetup_alpine.sh
index 95ffd47..2030e2f 100755
--- a/vpnsetup_alpine.sh
+++ b/vpnsetup_alpine.sh
@@ -261,7 +261,7 @@ check_libreswan() {
 }
 get_libreswan() {
- if [ "$check_result" = "0" ]; then
+ if [ "$check_result" = 0 ]; then
 bigecho "Downloading Libreswan..."
 cd /opt/src || exit 1
 swan_file="libreswan-$SWAN_VER.tar.gz"
@@ -279,7 +279,7 @@ get_libreswan() {
 }
 install_libreswan() {
- if [ "$check_result" = "0" ]; then
+ if [ "$check_result" = 0 ]; then
 bigecho "Compiling and installing Libreswan, please wait..."
 cd "libreswan-$SWAN_VER" || exit 1
 sed -i '28s/stdlib\.h/sys\/types.h/' include/fd.h
@@ -463,7 +463,7 @@ update_iptables() {
 ipf='iptables -I FORWARD'
 ipp='iptables -t nat -I POSTROUTING'
 res='RELATED,ESTABLISHED'
- if [ "$ipt_flag" = "1" ]; then
+ if [ "$ipt_flag" = 1 ]; then
 service fail2ban stop >/dev/null 2>&1
 iptables-save > "$IPT_FILE.old-$SYS_DT"
 $ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
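Review bot: In the wait_for_apt hunk (-208) the two new lines test the same integer counter in two styles, `[ "$count" = 0 ]` (string) and `[ "$count" -ge 100 ]` (arithmetic); `[ "$count" -eq 0 ] && echo "## Waiting for apt to be available..."` keeps both tests arithmetic and avoids a silent miss if the counter were ever initialised as `00` or with surrounding whitespace. The same pair appears in the wait_for_apt hunks of extras/quickstart.sh and vpnsetup_ubuntu.sh (-194). wait_for_apt starts before this hunk.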
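Review bot: In the vpnsetup_alpine.sh update_iptables hunk (-463) the line after the new `if`, `iptables-save > "$IPT_FILE.old-$SYS_DT"`, creates the rules backup with whatever the current umask allows, while the equivalent nft backup in vpnsetup_centos.sh follows its save with `chmod 600 "$IPT_FILE.old-$SYS_DT"`; adding the same `chmod 600 "$IPT_FILE.old-$SYS_DT"` here keeps the VPN subnet and interface layout out of world-readable files. The same save-without-chmod sequence is in vpnsetup_amzn.sh (-474) and vpnsetup_ubuntu.sh (-532); whether a chmod already follows further down is not visible in these hunks. update_iptables continues past the hunk.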
@@ -555,7 +555,7 @@ set_up_ikev2() {
 skip_ikev2=1
 ;;
 esac
- if [ "$skip_ikev2" = "0" ]; then
+ if [ "$skip_ikev2" = 0 ]; then
 sleep 1
 VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
 VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
diff --git a/vpnsetup_amzn.sh b/vpnsetup_amzn.sh
index 7625b62..81d71bb 100755
--- a/vpnsetup_amzn.sh
+++ b/vpnsetup_amzn.sh
@@ -275,7 +275,7 @@ check_libreswan() {
 }
 get_libreswan() {
- if [ "$check_result" = "0" ]; then
+ if [ "$check_result" = 0 ]; then
 bigecho "Downloading Libreswan..."
 cd /opt/src || exit 1
 swan_file="libreswan-$SWAN_VER.tar.gz"
@@ -293,7 +293,7 @@ get_libreswan() {
 }
 install_libreswan() {
- if [ "$check_result" = "0" ]; then
+ if [ "$check_result" = 0 ]; then
 bigecho "Compiling and installing Libreswan, please wait..."
 cd "libreswan-$SWAN_VER" || exit 1
 cat > Makefile.inc.local <<'EOF'
@@ -474,7 +474,7 @@ update_iptables() {
 ipf='iptables -I FORWARD'
 ipp='iptables -t nat -I POSTROUTING'
 res='RELATED,ESTABLISHED'
- if [ "$ipt_flag" = "1" ]; then
+ if [ "$ipt_flag" = 1 ]; then
 service fail2ban stop >/dev/null 2>&1
 iptables-save > "$IPT_FILE.old-$SYS_DT"
 $ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
@@ -572,7 +572,7 @@ set_up_ikev2() {
 skip_ikev2=1
 ;;
 esac
- if [ "$skip_ikev2" = "0" ]; then
+ if [ "$skip_ikev2" = 0 ]; then
 sleep 1
 VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
 VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index f8f58c9..cfe1e4d 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -237,9 +237,9 @@ install_vpn_pkgs_1() {
 rp2="$erp=*server-*optional*"
 rp3="$erp=*releases-optional*"
 if [ "$os_type" = "ol" ]; then
- if [ "$os_ver" = "9" ]; then
+ if [ "$os_ver" = 9 ]; then
 rp1="$erp=ol9_developer_EPEL"
- elif [ "$os_ver" = "8" ]; then
+ elif [ "$os_ver" = 8 ]; then
 rp1="$erp=ol8_developer_EPEL"
 else
 rp3="$erp=ol7_optional_latest"
@@ -266,7 +266,7 @@ install_vpn_pkgs_3() {
 p2=libevent-devel
 p3=fipscheck-devel
 p4=iptables-services
- if [ "$os_ver" = "7" ]; then
+ if [ "$os_ver" = 7 ]; then
 (
 set -x
 yum "$rp2" "$rp3" -y -q install $p1 $p2 $p3 $p4 >/dev/null
@@ -276,7 +276,7 @@ install_vpn_pkgs_3() {
 set -x
 yum -y -q install $p1 $p2 >/dev/null
 ) || exiterr2
- if [ "$os_ver" = "9" ] || [ "$os_ver" = "9s" ] \
+ if [ "$os_ver" = 9 ] || [ "$os_ver" = 9s ] \
 || systemctl is-active --quiet firewalld \
 || systemctl is-active --quiet nftables \
 || grep -qs "hwdsl2 VPN script" /etc/sysconfig/nftables.conf; then
@@ -301,7 +301,7 @@ filter = sshd
 logpath = /var/log/secure
 EOF
- if [ "$use_nft" = "1" ]; then
+ if [ "$use_nft" = 1 ]; then
 cat >> "$F2B_FILE" <<'EOF'
 port = ssh
 banaction = nftables-multiport[blocktype=drop]
@@ -375,7 +375,7 @@ check_libreswan() {
 }
 get_libreswan() {
- if [ "$check_result" = "0" ]; then
+ if [ "$check_result" = 0 ]; then
 bigecho "Downloading Libreswan..."
 cd /opt/src || exit 1
 swan_file="libreswan-$SWAN_VER.tar.gz"
@@ -393,7 +393,7 @@ get_libreswan() {
 }
 install_libreswan() {
- if [ "$check_result" = "0" ]; then
+ if [ "$check_result" = 0 ]; then
 bigecho "Compiling and installing Libreswan, please wait..."
 cd "libreswan-$SWAN_VER" || exit 1
 cat > Makefile.inc.local <<'EOF'
@@ -573,7 +573,7 @@ EOF
 update_iptables() {
 bigecho "Updating IPTables rules..."
 IPT_FILE=/etc/sysconfig/iptables
- [ "$use_nft" = "1" ] && IPT_FILE=/etc/sysconfig/nftables.conf
+ [ "$use_nft" = 1 ] && IPT_FILE=/etc/sysconfig/nftables.conf
 ipt_flag=0
 if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
 ipt_flag=1
@@ -584,9 +584,9 @@ update_iptables() {
 res='RELATED,ESTABLISHED'
 nff='nft insert rule inet firewalld'
 nfn='nft insert rule inet nftables_svc'
- if [ "$ipt_flag" = "1" ]; then
+ if [ "$ipt_flag" = 1 ]; then
 service fail2ban stop >/dev/null 2>&1
- if [ "$use_nft" = "1" ]; then
+ if [ "$use_nft" = 1 ]; then
 nft list ruleset > "$IPT_FILE.old-$SYS_DT"
 chmod 600 "$IPT_FILE.old-$SYS_DT"
 else
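Review bot: In the -276 hunk the new line drops the quotes around `9s`, a non-numeric literal; that is harmless to the shell, but it departs from the rule the rest of this commit applies (only bare digits lose their quotes, while `"jessiesid"`, `"ol7"` and `"ol9"` stay quoted), so `[ "$os_ver" = 9 ] || [ "$os_ver" = "9s" ] \` would read consistently. install_vpn_pkgs_3 continues beyond the hunk.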
@@ -605,13 +605,13 @@ update_iptables() {
 $ipf 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate "$res" -j ACCEPT
 $ipf 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
 $ipf 7 -s "$XAUTH_NET" -o ppp+ -j ACCEPT
- if [ "$use_nft" != "1" ]; then
+ if [ "$use_nft" != 1 ]; then
 iptables -A FORWARD -j DROP
 fi
 $ipp -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
 $ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
 echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
- if [ "$use_nft" = "1" ]; then
+ if [ "$use_nft" = 1 ]; then
 for vport in 500 4500 1701; do
 $nff filter_INPUT udp dport "$vport" accept 2>/dev/null
 $nfn allow udp dport "$vport" accept 2>/dev/null
@@ -660,7 +660,7 @@ enable_on_boot() {
 systemctl --now mask firewalld 2>/dev/null
 if [ "$os_type$os_ver" = "ol9" ]; then
 systemctl enable nftables 2>/dev/null
- elif [ "$use_nft" = "1" ]; then
+ elif [ "$use_nft" = 1 ]; then
 systemctl enable nftables 2>/dev/null
 systemctl enable fail2ban 2>/dev/null
 else
@@ -692,7 +692,7 @@ start_services() {
 restorecon /etc/ipsec.d/*db 2>/dev/null
 restorecon /usr/local/sbin -Rv 2>/dev/null
 restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
- if [ "$use_nft" = "1" ]; then
+ if [ "$use_nft" = 1 ]; then
 nft -f "$IPT_FILE"
 else
 iptables-restore < "$IPT_FILE"
@@ -740,7 +740,7 @@ set_up_ikev2() {
 skip_ikev2=1
 ;;
 esac
- if [ "$skip_ikev2" = "0" ]; then
+ if [ "$skip_ikev2" = 0 ]; then
 sleep 1
 VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
 VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
diff --git a/vpnsetup_ubuntu.sh b/vpnsetup_ubuntu.sh
index 3671bdb..8d07010 100755
--- a/vpnsetup_ubuntu.sh
+++ b/vpnsetup_ubuntu.sh
@@ -90,7 +90,7 @@ check_os() {
 ;;
 esac
 os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
- if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then
+ if [ "$os_ver" = 8 ] || [ "$os_ver" = "jessiesid" ]; then
 exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
 fi
 }
@@ -194,8 +194,8 @@ wait_for_apt() {
 pkg_lk=/var/lib/dpkg/lock
 while fuser "$apt_lk" "$pkg_lk" >/dev/null 2>&1 \
 || lsof "$apt_lk" >/dev/null 2>&1 || lsof "$pkg_lk" >/dev/null 2>&1; do
- [ "$count" = "0" ] && echo "## Waiting for apt to be available..."
- [ "$count" -ge "100" ] && exiterr "Could not get apt/dpkg lock."
+ [ "$count" = 0 ] && echo "## Waiting for apt to be available..."
+ [ "$count" -ge 100 ] && exiterr "Could not get apt/dpkg lock."
 count=$((count+1))
 printf '%s' '.'
 sleep 3
@@ -312,7 +312,7 @@ check_libreswan() {
 }
 get_libreswan() {
- if [ "$check_result" = "0" ]; then
+ if [ "$check_result" = 0 ]; then
 bigecho "Downloading Libreswan..."
 cd /opt/src || exit 1
 swan_file="libreswan-$SWAN_VER.tar.gz"
@@ -330,7 +330,7 @@ get_libreswan() {
 }
 install_libreswan() {
- if [ "$check_result" = "0" ]; then
+ if [ "$check_result" = 0 ]; then
 bigecho "Compiling and installing Libreswan, please wait..."
 cd "libreswan-$SWAN_VER" || exit 1
 cat > Makefile.inc.local <<'EOF'
@@ -532,7 +532,7 @@ update_iptables() {
 ipf='iptables -I FORWARD'
 ipp='iptables -t nat -I POSTROUTING'
 res='RELATED,ESTABLISHED'
- if [ "$ipt_flag" = "1" ]; then
+ if [ "$ipt_flag" = 1 ]; then
 service fail2ban stop >/dev/null 2>&1
 iptables-save > "$IPT_FILE.old-$SYS_DT"
 $ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
@@ -583,7 +583,7 @@ enable_on_boot() {
 if [ -f "$IPT_FILE2" ] && { [ -f "$IPT_PST" ] || [ -f "$IPT_PST2" ]; }; then
 ipt_load=0
 fi
- if [ "$ipt_load" = "1" ]; then
+ if [ "$ipt_load" = 1 ]; then
 mkdir -p /etc/network/if-pre-up.d
 cat > /etc/network/if-pre-up.d/iptablesload <<'EOF'
 #!/bin/sh
@@ -688,7 +688,7 @@ set_up_ikev2() {
 skip_ikev2=1
 ;;
 esac
- if [ "$skip_ikev2" = "0" ]; then
+ if [ "$skip_ikev2" = 0 ]; then
 sleep 1
 VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
 VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \