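#
# Copyright (C) 2020-2021 Lin Song
#
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
#
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
#
# Workflow purpose (as visible in this file): a scheduled smoke test that
# (1) checks that the published git.io / bit.ly short links still resolve to
# the scripts kept in this repository and (2) installs the VPN scripts inside
# throw-away containers for several distributions and verifies the resulting
# configuration.
#
# NOTE(review): the copy reviewed here was recovered from a collapsed
# extraction. In the test_set_1 "Build" step the heredoc redirections
# (`<<ANSWERS`), the closing `EOF` of run.sh and the first branch of the
# Dockerfile `if` appear to be missing, and the file is cut off at the end of
# the test_set_2 "Test" step. Reconcile against the upstream workflow before
# relying on the scripts below.

name: vpn test cron

# The schedule is the only trigger and no job writes back to the repository,
# so scope the GITHUB_TOKEN to read-only explicitly instead of relying on the
# repository's default token permissions.
permissions:
  contents: read

on:
  # 02:25 UTC on Sundays and Thursdays.
  schedule:
    - cron: '25 2 * * 0,4'

jobs:
  # Guard job: every download path the documentation advertises must still
  # hand out exactly the script committed here. The later test jobs depend on
  # it, so a drifted or tampered short link stops the whole run.
  check_urls:
    runs-on: ubuntu-20.04
    # Only run in the canonical repository; forks inheriting the schedule skip.
    if: github.repository_owner == 'hwdsl2'
    steps:
      # persist-credentials: false keeps the workflow token out of the
      # checked-out .git config; the job only needs the working tree to diff
      # against. `@v2` is a mutable tag — pinning to a full commit SHA would
      # additionally protect against the tag being moved.
      - uses: actions/checkout@v2
        with:
          persist-credentials: false
      # Fetches each short link and the raw GitHub URL of the same script into
      # workdir/, then diffs every download against the checked-out copy. A
      # non-empty diff or an unresolvable link fails the job (set -e / -x are
      # on). The curl -fsSI lines only read response headers and check that
      # the redirect target names the expected script.
      - name: Check
        run: |
          cd "$GITHUB_WORKSPACE"
          mkdir workdir
          cd workdir
          set -ex
          export DEBIAN_FRONTEND=noninteractive
          sudo apt-get -yqq update
          sudo apt-get -yqq install wget curl
          wget_c="wget -t 3 -T 30 -nv -O"
          gh_url="https://github.com/hwdsl2/setup-ipsec-vpn/raw/master"
          $wget_c vpnsetup.sh https://git.io/vpnsetup
          $wget_c vpnsetup_centos.sh https://git.io/vpnsetup-centos
          $wget_c vpnsetup_amzn.sh https://git.io/vpnsetup-amzn
          $wget_c vpnsetup_ubuntu.sh https://git.io/vpnsetup-ubuntu
          $wget_c quickstart.sh https://git.io/vpnquickstart
          $wget_c ikev2setup.sh https://git.io/ikev2setup
          $wget_c vpnupgrade.sh https://git.io/vpnupgrade
          $wget_c vpnupgrade_centos.sh https://git.io/vpnupgrade-centos
          $wget_c vpnupgrade_amzn.sh https://git.io/vpnupgrade-amzn
          $wget_c vpnupgrade_ubuntu.sh https://git.io/vpnupgrade-ubuntu
          $wget_c vpnsetup2.sh "$gh_url/vpnsetup.sh"
          $wget_c vpnsetup_centos2.sh "$gh_url/vpnsetup_centos.sh"
          $wget_c vpnsetup_amzn2.sh "$gh_url/vpnsetup_amzn.sh"
          $wget_c vpnsetup_ubuntu2.sh "$gh_url/vpnsetup_ubuntu.sh"
          $wget_c quickstart2.sh "$gh_url/extras/quickstart.sh"
          $wget_c ikev2setup2.sh "$gh_url/extras/ikev2setup.sh"
          $wget_c vpnupgrade2.sh "$gh_url/extras/vpnupgrade.sh"
          $wget_c vpnupgrade_centos2.sh "$gh_url/extras/vpnupgrade_centos.sh"
          $wget_c vpnupgrade_amzn2.sh "$gh_url/extras/vpnupgrade_amzn.sh"
          $wget_c vpnupgrade_ubuntu2.sh "$gh_url/extras/vpnupgrade_ubuntu.sh"
          curl -fsSI https://bit.ly/addvpnuser | grep -q 'add_vpn_user.sh'
          curl -fsSI https://bit.ly/delvpnuser | grep -q 'del_vpn_user.sh'
          curl -fsSI https://bit.ly/updatevpnusers | grep -q 'update_vpn_users.sh'
          diff vpnsetup.sh ../vpnsetup.sh
          diff vpnsetup_centos.sh ../vpnsetup_centos.sh
          diff vpnsetup_amzn.sh ../vpnsetup_amzn.sh
          diff vpnsetup_ubuntu.sh ../vpnsetup_ubuntu.sh
          diff quickstart.sh ../extras/quickstart.sh
          diff ikev2setup.sh ../extras/ikev2setup.sh
          diff vpnupgrade.sh ../extras/vpnupgrade.sh
          diff vpnupgrade_centos.sh ../extras/vpnupgrade_centos.sh
          diff vpnupgrade_amzn.sh ../extras/vpnupgrade_amzn.sh
          diff vpnupgrade_ubuntu.sh ../extras/vpnupgrade_ubuntu.sh
          diff vpnsetup2.sh ../vpnsetup.sh
          diff vpnsetup_centos2.sh ../vpnsetup_centos.sh
          diff vpnsetup_amzn2.sh ../vpnsetup_amzn.sh
          diff vpnsetup_ubuntu2.sh ../vpnsetup_ubuntu.sh
          diff quickstart2.sh ../extras/quickstart.sh
          diff ikev2setup2.sh ../extras/ikev2setup.sh
          diff vpnupgrade2.sh ../extras/vpnupgrade.sh
          diff vpnupgrade_centos2.sh ../extras/vpnupgrade_centos.sh
          diff vpnupgrade_amzn2.sh ../extras/vpnupgrade_amzn.sh
          diff vpnupgrade_ubuntu2.sh ../extras/vpnupgrade_ubuntu.sh

  # RPM-based distributions. Each matrix entry builds a systemd-capable image,
  # runs the install scripts inside it and checks the produced configuration.
  test_set_1:
    needs: check_urls
    runs-on: ubuntu-20.04
    if: github.repository_owner == 'hwdsl2'
    strategy:
      matrix:
        os_version: ["centos:8", "centos:8s", "centos:7", "rockylinux:8", "almalinux:8", "amazonlinux:2"]
      # Report every distribution instead of stopping at the first failure.
      fail-fast: false
    env:
      # Comes from the matrix, not from external input, so it is safe to
      # expand in shell; the `${OS_VERSION//:}` form below strips the colon
      # for use in directory and image names.
      OS_VERSION: ${{ matrix.os_version }}
    steps:
      # Writes run.sh (the in-container test script, see the heredoc) and a
      # Dockerfile that boots systemd (`CMD ["/sbin/init"]`), then builds the
      # image. The `sed` that comments out `swan_ver_latest=` presumably keeps
      # the test on the Libreswan version the script pins rather than querying
      # for the latest one — confirm against vpnsetup.sh. The VPN_* values are
      # test placeholders, not real credentials.
      #
      # NOTE(review): the heredoc operators (`<<ANSWERS`), the `EOF` that
      # closes run.sh and the first `if` branch that writes the Dockerfile are
      # not present in the reviewed copy; the lines are kept as recovered.
      - name: Build
        run: |
          mkdir -p "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}"
          cd "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}"
          cat > run.sh <<'EOF'
          #!/bin/bash
          set -eEx
          log1=/var/log/secure
          log2=/var/log/messages
          trap 'catch $? $LINENO' ERR
          catch() {
            echo "Error $1 occurred on line $2."
            cat -n -- "$0" | tail -n+"$(($2 - 3))" | head -n7
            exit 1
          }
          restart_ipsec() {
            if ! command -v amazon-linux-extras; then
              systemctl restart ipsec
            fi
            echo "Waiting for IPsec to restart."
            count=0
            while ! grep -q "pluto\[$(cat /var/run/pluto/pluto.pid)\]: listening for IKE messages" "$log1"; do
              [ "$count" -ge "30" ] && { echo "IPsec failed to start."; exit 1; }
              count=$((count+1))
              printf '%s' '.'
              sleep 0.5
            done
            echo
          }
          restart_fail2ban() {
            rm -f /var/log/fail2ban.log
            systemctl restart fail2ban
            echo "Waiting for Fail2ban to restart."
            count=0
            while ! grep -qs -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log; do
              [ "$count" -ge "30" ] && { echo "Fail2ban failed to start."; exit 1; }
              count=$((count+1))
              printf '%s' '.'
              sleep 0.5
            done
            echo
          }
          yum -y -q update
          yum -y -q install wget rsyslog
          systemctl start rsyslog
          if [ "$1" != "amazon" ]; then
            wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-centos
          else
            wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-amzn
          fi
          sed -i '/swan_ver_latest=/s/^/#/' vpnsetup.sh
          sh vpnsetup.sh
          systemctl start xl2tpd
          restart_ipsec
          restart_fail2ban
          cat /var/log/fail2ban.log
          netstat -anpu | grep pluto
          netstat -anpu | grep xl2tpd
          iptables -nvL
          iptables -nvL | grep -q 'ppp+'
          iptables -nvL | grep -q '192\.168\.43\.0/24'
          iptables -nvL -t nat
          iptables -nvL -t nat | grep -q '192\.168\.42\.0/24'
          iptables -nvL -t nat | grep -q '192\.168\.43\.0/24'
          grep pluto "$log1"
          grep xl2tpd "$log2"
          ipsec status
          ipsec status | grep -q l2tp-psk
          ipsec status | grep -q xauth-psk
          ls -l /usr/bin/ikev2.sh
          ls -l /opt/src/ikev2.sh
          VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
          VPN_USER='your_vpn_username' \
          VPN_PASSWORD='your_vpn_password' \
          VPN_DNS_SRV1='1.1.1.1' \
          VPN_DNS_SRV2='1.0.0.1' \
          bash vpnsetup.sh
          restart_ipsec
          grep -q "your_ipsec_pre_shared_key" /etc/ipsec.secrets
          grep -q "your_vpn_username" /etc/ppp/chap-secrets
          grep -q "your_vpn_password" /etc/ppp/chap-secrets
          grep -q "your_vpn_username" /etc/ipsec.d/passwd
          grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.conf
          grep -q 'ms-dns 1.1.1.1' /etc/ppp/options.xl2tpd
          grep -q 'ms-dns 1.0.0.1' /etc/ppp/options.xl2tpd
          wget -t 3 -T 30 -nv -O ikev2.sh https://git.io/ikev2setup
          # hwdsl2
          sed -i '/swan_ver_latest=/s/^/#/' ikev2.sh
          bash ikev2.sh <&1 | grep -i "abort"
          4
          vpnclient2
          ANSWERS
          bash ikev2.sh <&1 | grep -i "abort"
          2
          vpnclient2
          ANSWERS
          bash ikev2.sh <&1 | grep -i "abort"
          5
          ANSWERS
          bash ikev2.sh <&1 | grep -i "invalid"
          sed -i '/^include /d' /etc/ipsec.conf
          VPN_CLIENT_NAME=vpnclient1 \
          VPN_DNS_NAME=vpn.example.com \
          VPN_DNS_SRV1=1.1.1.1 \
          VPN_DNS_SRV2=1.0.0.1 \
          bash ikev2.sh --auto
          grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf
          grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.d/ikev2.conf
          ls -ld /etc/ipsec.d/vpnclient1.mobileconfig
          ls -ld /etc/ipsec.d/vpnclient1.sswan
          ls -ld /etc/ipsec.d/vpnclient1.p12
          grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.mobileconfig
          grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.sswan
          restart_ipsec
          ipsec status | grep -q ikev2-cp
          bash ikev2.sh --auto --addclient invalidclient: 2>&1 | grep -i "warning"
          bash ikev2.sh --addclient invalidclient: 2>&1 | grep -i "invalid"
          bash ikev2.sh --addclient vpnclient1 2>&1 | grep -i "already exists"
          bash ikev2.sh --addclient vpnclient2
          ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
          ls -ld /etc/ipsec.d/vpnclient2.sswan
          ls -ld /etc/ipsec.d/vpnclient2.p12
          bash ikev2.sh --exportclient nonexistclient 2>&1 | grep -i "does not exist"
          rm -f /etc/ipsec.d/vpnclient2*
          bash ikev2.sh --exportclient vpnclient2
          ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
          ls -ld /etc/ipsec.d/vpnclient2.sswan
          ls -ld /etc/ipsec.d/vpnclient2.p12
          bash ikev2.sh --addclient vpnclient2 --exportclient vpnclient2 2>&1 | grep -i "invalid"
          bash ikev2.sh --listclients | grep "vpnclient1"
          bash ikev2.sh --listclients | grep "vpnclient2"
          bash ikev2.sh --revokeclient nonexistclient 2>&1 | grep -i "does not exist"
          bash ikev2.sh --revokeclient vpnclient2 <&1 | grep -i "already been revoked"
          bash ikev2.sh --exportclient vpnclient2 2>&1 | grep -i "revoked"
          bash ikev2.sh -h 2>&1 | grep -i "usage:"
          bash ikev2.sh --invalidoption 2>&1 | grep -i "usage:"
          bash ikev2.sh --removeikev2 --exportclient vpnclient1 2>&1 | grep -i "invalid"
          bash ikev2.sh --removeikev2 < Dockerfile
          elif [ "$OS_VERSION" = "rockylinux:8" ]; then
            echo "FROM rockylinux/rockylinux:8" > Dockerfile
          else
            echo "FROM $OS_VERSION" > Dockerfile
          fi
          cat >> Dockerfile <<'EOF'
          ENV container docker
          WORKDIR /opt/src
          RUN if command -v amazon-linux-extras; then amazon-linux-extras install -y kernel-ng; fi
          RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ "$i" = \
              systemd-tmpfiles-setup.service ] || rm -f "$i"; done); \
              rm -f /lib/systemd/system/multi-user.target.wants/*; \
              rm -f /etc/systemd/system/*.wants/*; \
              rm -f /lib/systemd/system/local-fs.target.wants/*; \
              rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
              rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
              rm -f /lib/systemd/system/basic.target.wants/*; \
              rm -f /lib/systemd/system/anaconda.target.wants/*;
          COPY ./run.sh /opt/src/run.sh
          RUN chmod 755 /opt/src/run.sh
          VOLUME [ "/sys/fs/cgroup" ]
          CMD ["/sbin/init"]
          EOF
          cat Dockerfile
          cat run.sh
          docker build -t "${OS_VERSION//:}-test" .
      # Running systemd inside the container requires --privileged and the
      # read-only cgroup mount. That is acceptable on an ephemeral hosted
      # runner; it should not be copied to a shared or long-lived host.
      # `${OS_VERSION::6}` passes the first six characters of the image name
      # (e.g. "amazon") so run.sh can pick the Amazon Linux download.
      - name: Test
        run: |
          docker run -d --name "${OS_VERSION//:}-test-1" -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
            --privileged "${OS_VERSION//:}-test"
          sleep 5
          docker exec "${OS_VERSION//:}-test-1" /opt/src/run.sh "${OS_VERSION::6}"
      # Runs even after a failed Test step so containers and images do not
      # accumulate on the runner; errors here are deliberately ignored.
      - name: Clear
        if: always()
        run: |
          rm -rf "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}"
          docker rm -f "${OS_VERSION//:}-test-1" || true
          docker rmi "${OS_VERSION//:}-test" || true

  # Debian-based distributions. The job itself runs inside the distro
  # container, so no Dockerfile or systemd boot is needed.
  test_set_2:
    needs: check_urls
    runs-on: ubuntu-20.04
    if: github.repository_owner == 'hwdsl2'
    strategy:
      matrix:
        os_version: ["ubuntu:20.04", "ubuntu:18.04", "debian:bullseye", "debian:10", "debian:9"]
      fail-fast: false
    container:
      image: ${{ matrix.os_version }}
      # Only NET_ADMIN and the ppp device are granted — presumably what the
      # IPsec/L2TP setup needs — which is considerably narrower than the
      # --privileged run used in test_set_1.
      options: --cap-add=NET_ADMIN --device=/dev/ppp
    steps:
      # Same checks as run.sh in test_set_1, executed inline with `service`
      # instead of systemctl and with the Debian/Ubuntu log paths. The
      # `echo "# hwdsl2" > run.sh` line creates the marker file that the
      # test_set_1 heredoc contains as a comment line.
      #
      # NOTE(review): the reviewed copy ends at the final
      # `bash ikev2.sh --removeikev2 <` line; whatever follows upstream is
      # not visible here.
      - name: Test
        run: |
          set -ex
          log1=/var/log/auth.log
          log2=/var/log/syslog
          restart_ipsec() {
            echo "Waiting for IPsec to restart."
            count=0
            while ! grep -q "pluto\[$(cat /var/run/pluto/pluto.pid)\]: listening for IKE messages" "$log1"; do
              [ "$count" -ge "30" ] && { echo "IPsec failed to start."; exit 1; }
              count=$((count+1))
              printf '%s' '.'
              sleep 0.5
            done
            echo
          }
          restart_fail2ban() {
            rm -f /var/log/fail2ban.log
            service fail2ban restart
            echo "Waiting for Fail2ban to restart."
            count=0
            while ! grep -qs -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log; do
              [ "$count" -ge "30" ] && { echo "Fail2ban failed to start."; exit 1; }
              count=$((count+1))
              printf '%s' '.'
              sleep 0.5
            done
            echo
          }
          mkdir -p /opt/src
          cd /opt/src
          echo "# hwdsl2" > run.sh
          export DEBIAN_FRONTEND=noninteractive
          apt-get -yqq update
          apt-get -yqq dist-upgrade
          apt-get -yqq install wget rsyslog
          service rsyslog start
          wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-ubuntu
          sed -i '/swan_ver_latest=/s/^/#/' vpnsetup.sh
          sh vpnsetup.sh
          restart_ipsec
          restart_fail2ban
          cat /var/log/fail2ban.log
          netstat -anpu | grep pluto
          netstat -anpu | grep xl2tpd
          iptables -nvL
          iptables -nvL | grep -q 'ppp+'
          iptables -nvL | grep -q '192\.168\.43\.0/24'
          iptables -nvL -t nat
          iptables -nvL -t nat | grep -q '192\.168\.42\.0/24'
          iptables -nvL -t nat | grep -q '192\.168\.43\.0/24'
          grep pluto "$log1"
          grep xl2tpd "$log2"
          ipsec status
          ipsec status | grep -q l2tp-psk
          ipsec status | grep -q xauth-psk
          ls -l /usr/bin/ikev2.sh
          ls -l /opt/src/ikev2.sh
          VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
          VPN_USER='your_vpn_username' \
          VPN_PASSWORD='your_vpn_password' \
          VPN_DNS_SRV1='1.1.1.1' \
          VPN_DNS_SRV2='1.0.0.1' \
          bash vpnsetup.sh
          restart_ipsec
          grep -q "your_ipsec_pre_shared_key" /etc/ipsec.secrets
          grep -q "your_vpn_username" /etc/ppp/chap-secrets
          grep -q "your_vpn_password" /etc/ppp/chap-secrets
          grep -q "your_vpn_username" /etc/ipsec.d/passwd
          grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.conf
          grep -q 'ms-dns 1.1.1.1' /etc/ppp/options.xl2tpd
          grep -q 'ms-dns 1.0.0.1' /etc/ppp/options.xl2tpd
          wget -t 3 -T 30 -nv -O ikev2.sh https://git.io/ikev2setup
          sed -i '/swan_ver_latest=/s/^/#/' ikev2.sh
          bash ikev2.sh <&1 | grep -i "abort"
          4
          vpnclient2
          ANSWERS
          bash ikev2.sh <&1 | grep -i "abort"
          2
          vpnclient2
          ANSWERS
          bash ikev2.sh <&1 | grep -i "abort"
          5
          ANSWERS
          bash ikev2.sh <&1 | grep -i "invalid"
          apt-get -yqq remove uuid-runtime
          sed -i '/^include /d' /etc/ipsec.conf
          VPN_CLIENT_NAME=vpnclient1 \
          VPN_DNS_NAME=vpn.example.com \
          VPN_DNS_SRV1=1.1.1.1 \
          VPN_DNS_SRV2=1.0.0.1 \
          bash ikev2.sh --auto
          grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf
          grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.d/ikev2.conf
          ls -ld /etc/ipsec.d/vpnclient1.mobileconfig
          ls -ld /etc/ipsec.d/vpnclient1.sswan
          ls -ld /etc/ipsec.d/vpnclient1.p12
          grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.mobileconfig
          grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.sswan
          restart_ipsec
          ipsec status | grep -q ikev2-cp
          bash ikev2.sh --auto --addclient invalidclient: 2>&1 | grep -i "warning"
          bash ikev2.sh --addclient invalidclient: 2>&1 | grep -i "invalid"
          bash ikev2.sh --addclient vpnclient1 2>&1 | grep -i "already exists"
          bash ikev2.sh --addclient vpnclient2
          ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
          ls -ld /etc/ipsec.d/vpnclient2.sswan
          ls -ld /etc/ipsec.d/vpnclient2.p12
          bash ikev2.sh --exportclient nonexistclient 2>&1 | grep -i "does not exist"
          rm -f /etc/ipsec.d/vpnclient2*
          bash ikev2.sh --exportclient vpnclient2
          ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
          ls -ld /etc/ipsec.d/vpnclient2.sswan
          ls -ld /etc/ipsec.d/vpnclient2.p12
          bash ikev2.sh --addclient vpnclient2 --exportclient vpnclient2 2>&1 | grep -i "invalid"
          bash ikev2.sh --listclients | grep "vpnclient1"
          bash ikev2.sh --listclients | grep "vpnclient2"
          bash ikev2.sh --revokeclient nonexistclient 2>&1 | grep -i "does not exist"
          bash ikev2.sh --revokeclient vpnclient2 <&1 | grep -i "already been revoked"
          bash ikev2.sh --exportclient vpnclient2 2>&1 | grep -i "revoked"
          bash ikev2.sh -h 2>&1 | grep -i "usage:"
          bash ikev2.sh --invalidoption 2>&1 | grep -i "usage:"
          bash ikev2.sh --removeikev2 --exportclient vpnclient1 2>&1 | grep -i "invalid"
          bash ikev2.sh --removeikev2 <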