
Set up an IPsec VPN Server with IKEv1/IKEv2/L2TP Automatically

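#! /bin/bash
#
# Automatically install and configure several programs needed by
# VPN Server. For example, xl2tpd, ppp, strongswan...
# And make them work well.
#
# Created by Beyan Zhang 24-9-2016.
# Copyleft (c) 2016 Beyan. All left reserved.
#
# Security notes for this section:
#   * The script rewrites /etc and /usr/local/etc, builds and installs
#     software and loads firewall rules, so it refuses to run unless it is
#     root instead of failing half-way through.
#   * Secrets (PASSWORD, PSK, XAUTH) are read with 'read -s' so they are
#     not echoed, and an empty answer produces a random value instead of
#     the guessable literals "password", "psk" and "xauth". The values
#     actually used are still printed in the summary at the end.
#   * The secrets are later embedded in double-quoted entries of
#     ipsec.secrets and chap-secrets, so a value containing '"' or '\'
#     is rejected here rather than silently corrupting those files.

# Refuse to run unprivileged: apt-get, make install, /etc/* and iptables
# below all need root.
if [ "$(id -u)" -ne 0 ]; then
  echo -e "\033[31mThis script must be run as root.\033[0m" >&2
  exit 1
fi

# Print a random [A-Za-z0-9] string of $1 characters (default 16).
# Used for the secrets the user leaves empty.
function random_secret() {
  local length=${1:-16}
  tr -dc 'A-Za-z0-9' </dev/urandom 2>/dev/null | head -c "$length"
  echo
}

# Abort when a value contains a character that would break the quoted
# "..." entries written to ipsec.secrets and chap-secrets later.
# usage: check_secret_chars NAME VALUE
function check_secret_chars() {
  case $2 in
    *\"*|*\\*)
      echo -e "\033[31m$1 must not contain '\"' or '\\\\'.\033[0m" >&2
      exit 1
      ;;
  esac
}

# Welcome banner.
echo -e "\npress any key to start, \c"
echo -en "or \\033[31mCTRL-C\\033[0m abort."
read -r this_is_not_used

echo -e "\nPlease type \033[31mUSERNAME\033[0m, \c"
echo -e "or use default [username]:\c"
read -r username
[ -z "$username" ] && username=username
check_secret_chars USERNAME "$username"

# 'read -s' swallows the newline the user types; print one so the
# following prompt starts on its own line.
echo -e "Please type \033[31mPASSWORD\033[0m, \c"
echo -e "or leave empty for a random one:\c"
read -rs password
echo
[ -z "$password" ] && password=$(random_secret 16)
check_secret_chars PASSWORD "$password"

echo -e "Please type \033[31mPSK\033[0m, \c"
echo -e "or leave empty for a random one:\c"
read -rs psk
echo
[ -z "$psk" ] && psk=$(random_secret 24)
check_secret_chars PSK "$psk"

echo -e "Please type \033[31mXAUTH\033[0m, \c"
echo -e "or leave empty for a random one:\c"
read -rs xauth
echo
[ -z "$xauth" ] && xauth=$(random_secret 16)
check_secret_chars XAUTH "$xauth"

# work place.
cd "$HOME" || exit 1
home="$HOME/vpn_install"
mkdir -p "$home"
# Private keys and the client .p12 bundle are generated in here later;
# keep the directory private to root.
chmod 700 "$home"
cd "$home" || exit 1

# function to write log.
# usage: rlog $? [action name]
#   rlog              truncate the log file
#   rlog 0  ACTION    record ACTION as [Success]
#   rlog N  ACTION    record ACTION as [failed]  (N > 0)
#   rlog -1 TEXT      record TEXT as an [info] line
# Sets the global $log_file, which shell_abort() prints for the user.
function rlog() {
  local status=$1 stamp user
  log_file=$home/install.log
  if [[ -z $status ]]; then
    : >"$log_file"
    return
  fi
  stamp=$(date "+%b %d %H:%M:%S")
  user=$(whoami)
  if [ "$status" -eq 0 ]; then
    echo -e "$stamp $user execute \"$2\" \033[32m[Success]\033[0m." >>"$log_file"
  elif [ "$status" -gt 0 ]; then
    echo -e "$stamp $user execute \"$2\" \033[41;37m[failed]\033[0m!" >>"$log_file"
  else
    echo -e "$stamp $user [info] \033[33m$2\033[0m" >>"$log_file"
  fi
}

# function to judge whether the answer is 'yes' or 'no'.
# Reads one line from stdin; re-asks until it is Y/y/N/n or empty.
# return '0' for 'yes' (or empty = default yes), '1' for 'no'.
function yes_or_no() {
  local answer
  read -r answer
  while [[ -n $answer && $answer != [YyNn] ]]; do
    echo -e "Please type 'Y/y' or 'N/n' [default: Yes]:\c"
    read -r answer
  done
  [[ -z $answer || $answer == [Yy] ]]
}

# function used when shell abort.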
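# Usage: shell_abort [action]
# Report a failed step, log it and stop. Exits with status 1 — the
# original's bare 'exit' returned the status of the preceding echo/rlog
# (0), so a failed installation looked successful to any caller.
function shell_abort() {
  echo -e "\n\033[31m$1 failed, installing abort!\033[0m"
  echo -e "\033[31mFor more information, please check the log file \033[4m'$log_file'\033[0m!\033[0m"
  rlog 1 "$1"
  exit 1
}

# Ask the user to confirm the current $netcard. One retry with manual
# input is allowed; a second refusal aborts the installation.
function confirm_netcard() {
  echo -e "Network card: $netcard"
  echo -e "Please confirm: [Yes/no]\c"
  yes_or_no && return
  echo -e "\033[31mPlease type again:\033[0m\c"
  read -r netcard
  echo -e "Network card: $netcard"
  echo -e "Please confirm: [Yes/no]\c"
  yes_or_no || shell_abort "Network card detect"
}

# Average round-trip time to $1 in whole milliseconds. Prints 9999 when
# the host is unreachable or ping printed no 'rtt' line, so the numeric
# comparison below never sees an empty operand.
function avg_rtt_ms() {
  local rtt
  rtt=$(ping "$1" -c 3 -W 1 2>/dev/null | grep rtt | awk -F '=' '{print $2}' | awk -F '/' '{print $2}' | awk -F '.' '{print $1}')
  echo "${rtt:-9999}"
}

# clear log file
rlog

# This Script is on only tested on Debian 7 i386.
# Maybe Debian 8 x64, Debian 7 x86 also work well,
# Turn off this item if you know what you are doing.
check_os=yes # yes or other
if [ "$check_os" = 'yes' ]; then
  echo -e "\nCheck OS release..."
  if grep -qi debian /proc/version 2>/dev/null; then
    os_release="Debian $(cat /etc/debian_version 2>/dev/null)"
    [ -n "$os_release" ] && echo "OS Release: $os_release"
  else
    rlog -1 "May be '/proc/version' or '/etc/debian_version' is missing!"
    shell_abort "Check OS release"
  fi
else
  echo "OS check ignore."
fi
rlog 0 "os Check"

# network card type and ip addr.
# NOTE(review): this parses the legacy net-tools 'ifconfig' layout
# ("eth0  Link encap:Ethernet ..."); newer ifconfig prints "eth0: flags="
# and the grep finds nothing, in which case the manual prompt is used.
netcard=$(ifconfig | grep -i ethernet | awk '{print $1}')
# An empty result must count as zero cards: 'echo "" | wc -l' is 1, which
# in the original made the "no netcard" branch unreachable.
if [ -z "$netcard" ]; then
  num_of_netcard=0
else
  num_of_netcard=$(printf '%s\n' "$netcard" | wc -l)
fi

if [ "$num_of_netcard" -eq 1 ]; then
  echo -e "\nFind one netcard \033[31m$netcard\033[0m, make it default? [Yes/no]:\c"
  if ! yes_or_no; then
    echo -e "Type your own:\c"
    read -r netcard
  fi
  confirm_netcard
elif [ "$num_of_netcard" -gt 1 ]; then
  echo -e "\nMore than \033[31m1\033[0m Network card detected:"
  for ((i = 1; i <= num_of_netcard; i++)); do
    echo -e "$i \c"
    sed -n "${i}p" <<<"$netcard"
  done
  echo -e "Please make a choice \033[31m[default: 1]\033[0m:\c"
  read -r which_netcard
  count=1
  # Accept an empty answer (default 1) or an index within range; a
  # non-numeric answer is rejected instead of raising a [[ ]] error.
  until [[ -z $which_netcard ]] ||
        { [[ $which_netcard =~ ^[0-9]+$ ]] && ((which_netcard >= 1 && which_netcard <= num_of_netcard)); }; do
    echo -e "Input error, repeat:\c"
    read -r which_netcard
    count=$((count + 1))
    [ "$count" -ge 5 ] && shell_abort "Network card detect"
  done
  [ -z "$which_netcard" ] && which_netcard=1
  netcard=$(sed -n "${which_netcard}p" <<<"$netcard")
  echo
  confirm_netcard
else
  echo -e "\nNo netcard detected, type manual:\c"
  read -r netcard
  confirm_netcard
fi

# IPv4 address of the chosen card. Prefer iproute2 (stable output); fall
# back to the legacy "inet addr:" layout of net-tools.
ip_addr=$(ip -4 -o addr show dev "$netcard" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n1)
[ -z "$ip_addr" ] && ip_addr=$(ifconfig "$netcard" 2>/dev/null | grep "inet addr" | awk '{print $2}' | awk -F ":" '{print $2}' | head -n1)
[ -z "$ip_addr" ] && shell_abort "IP addr configure"
# NOTE(review): this is the address configured on the card, not
# necessarily the public one. Behind NAT the certificate CN/SAN generated
# later from $ip_addr will not match the address clients connect to.

# Network test
# The Debian codename goes into sources.list; abort before touching that
# file when it cannot be determined (lsb-release is not always installed).
codename=$(lsb_release -c 2>/dev/null | awk '{print $2}')
if [ -z "$codename" ] && [ -r /etc/os-release ]; then
  codename=$(. /etc/os-release 2>/dev/null; echo "$VERSION_CODENAME")
fi
[ -z "$codename" ] && shell_abort "Detect Debian codename"

echo -e "\nNetwork analysis..."
ping_time_debian=$(avg_rtt_ms www.debian.org)
ping_time_163=$(avg_rtt_ms www.163.com)
# apt verifies the archive's Release signature whichever mirror is used,
# so this choice is about latency, not trust; the user is asked anyway.
if [ "$ping_time_debian" -ge "$ping_time_163" ]; then
  echo -e "163 open source mirror is recommended,\c"
  echo -e " is this what you expected [Yes/no]?\c"
  if yes_or_no; then
    cp /etc/apt/sources.list /etc/apt/sources.list.bak 2>/dev/null
    cat >/etc/apt/sources.list <<EOF
deb http://mirrors.163.com/debian/ $codename main contrib non-free
deb-src http://mirrors.163.com/debian $codename main contrib non-free
deb http://mirrors.163.com/debian/ $codename-proposed-updates main contrib non-free
deb-src http://mirrors.163.com/debian/ $codename-proposed-updates main contrib non-free
deb http://mirrors.163.com/debian/ $codename-updates main contrib non-free
deb-src http://mirrors.163.com/debian/ $codename-updates main contrib non-free
deb http://mirrors.163.com/debian-security/ $codename/updates main contrib non-free
deb-src http://mirrors.163.com/debian-security/ $codename/updates main contrib non-free
EOF
  fi
else
  echo -e "Debian official mirror is recommended, \c"
  echo -e "is this what you expected [Yes/no]?\c"
  if yes_or_no; then
    cp /etc/apt/sources.list /etc/apt/sources.list.bak 2>/dev/null
    cat >/etc/apt/sources.list <<EOF
# deb http://http.us.debian.org/debian/ $codename main
deb http://http.us.debian.org/debian/ $codename main
deb-src http://http.us.debian.org/debian/ $codename main
deb http://security.debian.org/ $codename/updates main
deb-src http://security.debian.org/ $codename/updates main
# $codename-updates, previously known as 'volatile'
deb http://http.us.debian.org/debian/ $codename-updates main
deb-src http://http.us.debian.org/debian/ $codename-updates main
deb http://http.debian.net/debian $codename-backports main
EOF
  fi
fi

# install necessary programs and library
# Output now goes to the install log instead of /dev/null, so the
# "check the log file" hint from shell_abort actually has something to show.
# ca-certificates lets wget verify download.strongswan.org below;
# virt-what comes from the signed Debian archive instead of an
# unauthenticated http tarball that was built and installed from source.
echo -e "\nApt sources changed, updating system..."
apt-get update >>"$log_file" 2>&1 || shell_abort "apt-get update"
apt-get install -y libpam0g-dev libssl-dev make gcc ppp xl2tpd \
  wget ca-certificates virt-what >>"$log_file" 2>&1 || shell_abort "apt-get install"

# VPS type (used to pick the strongSwan kernel backend)
vps_type=$(virt-what 2>/dev/null)
echo -e "\nVPS type: $vps_type"
echo -e "Please confirm: [Yes/no]\c"
if ! yes_or_no; then
  echo -e "\nIs your VPS type OpenVZ? [Yes/no]:\c"
  yes_or_no && vps_type=openvz
fi
# On OpenVZ the userland kernel-libipsec backend is enabled (presumably
# because the container cannot use the host kernel's IPsec stack).
# virt-what may print several lines, hence the pattern match.
config_parameter=''
case $vps_type in
  *openvz*) config_parameter="--enable-kernel-libipsec" ;;
esac

# download strongswan
# The version is pinned and overridable via STRONGSWAN_VERSION; 5.2.2 is
# a 2015 release, so review it before use. TLS verification is left ON:
# the original passed --no-check-certificate, which lets anyone on the
# path substitute a tarball that is then compiled and installed as root.
# If verification fails on an old system, update ca-certificates rather
# than disabling the check.
# NOTE(review): strongSwan publishes a detached signature (.tar.gz.sig)
# next to the tarball; checking it against the project's release key
# would add a CA-independent second check. Not done here because that
# key would have to be obtained and trusted first.
strongswan_version=${STRONGSWAN_VERSION:-5.2.2}
strongswan_tarball="strongswan-${strongswan_version}.tar.gz"
echo -e "\nDownload and install strongswan..."
wget -nv "https://download.strongswan.org/${strongswan_tarball}" >>"$log_file" 2>&1 \
  || shell_abort "Download strongswan"
tar -xzf "$strongswan_tarball" >>"$log_file" 2>&1 || shell_abort "Unpack strongswan"
cd "strongswan-${strongswan_version}" || shell_abort "Unpack strongswan"

echo -e "\nConfigure strongswan..."
# NOTE(review): --enable-eap-md5 builds a weak method that none of the
# conns written to ipsec.conf later actually use.
# shellcheck disable=SC2086 -- $config_parameter is empty or exactly one flag
./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 \
  --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
  --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius \
  --enable-xauth-eap --enable-xauth-pam --enable-dhcp \
  --enable-openssl --enable-addrblock --enable-unity \
  --enable-certexpire --enable-radattr --enable-tools \
  --disable-gmp $config_parameter >>"$log_file" 2>&1 \
  || shell_abort "Configure Strongswan"
echo -e "\nCompile strongswan..."
{ make && make install; } >>"$log_file" 2>&1 || shell_abort "Compile strongswan"
ipsec --version >>"$log_file" 2>&1 || shell_abort "Strongswan install"

# certificate configuration
echo -e "\nCertificate configure..."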
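cd "$home" || shell_abort "Certificate configure"

# Keys are generated under a private umask so ca.pem / server.pem /
# client.pem and the .p12 bundle are never group/world-readable; the
# previous umask is restored afterwards. Every pki step is checked —
# the original redirected into the files unconditionally, so a failed
# step left empty key files behind and carried on.
old_umask=$(umask)
umask 077

# generate the private key of the CA certificate
ipsec pki --gen --outform pem >ca.pem || shell_abort "Generate CA key"
# sign CA certificate with the private key
ipsec pki --self --in ca.pem --dn "C=com, O=myvpn, CN=$ip_addr VPN CA" --ca --outform pem >ca.cert.pem \
  || shell_abort "Generate CA certificate"

# generate the private key needed by server certificate
ipsec pki --gen --outform pem >server.pem || shell_abort "Generate server key"
# sign server certificate with the CA certificate
# be sure the value of 'C' and 'O' is the same as the above
# The SAN must equal the address clients dial; $ip_addr is the card's
# address, which behind NAT is not the public one.
ipsec pki --pub --in server.pem \
  | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem \
      --dn "C=com, O=myvpn, CN=$ip_addr" --san="$ip_addr" \
      --flag serverAuth --flag ikeIntermediate --outform pem >server.cert.pem \
  || shell_abort "Generate server certificate"

# generate the private key needed by client certificate
ipsec pki --gen --outform pem >client.pem || shell_abort "Generate client key"
# sign client certificate with the CA certificate
# keep the value of 'C' and 'O' the same as the above
# NOTE(review): one client certificate is shared by every device, so it
# cannot be revoked for a single user; issue one per device for real use.
ipsec pki --pub --in client.pem \
  | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem \
      --dn "C=com, O=myvpn, CN=$ip_addr VPN Client" --outform pem >client.cert.pem \
  || shell_abort "Generate client certificate"

# generate pkcs12 certificate (openssl prompts for the export password)
echo -e "You need a password for pkcs12."
# make sure the value of 'caname' is the same as the one in 'ca.cert.pem'
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" \
  -certfile ca.cert.pem -caname "$ip_addr VPN CA" -out client.cert.p12 \
  || shell_abort "Generate pkcs12"
umask "$old_umask"

# define configuration directory of each program
config_dir=/usr/local/etc

# copy certificate to configuration directory
# ca.pem (the CA private key) is deliberately not copied: charon does not
# need it, and it should be moved offline once client certs are issued.
# client.pem is not copied either — the server only needs the client's
# certificate (rightcert=) to match the peer, never its private key.
echo -e "\nCopy certificate..."
cp ca.cert.pem "$config_dir/ipsec.d/cacerts/" \
  && cp server.cert.pem "$config_dir/ipsec.d/certs/" \
  && cp server.pem "$config_dir/ipsec.d/private/" \
  && cp client.cert.pem "$config_dir/ipsec.d/certs/" \
  || shell_abort "Copy certificate"
chmod 600 "$config_dir/ipsec.d/private/server.pem"
echo -e "\nConfig ipsec, please wait."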
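cp -av "$config_dir/ipsec.conf" "$config_dir/ipsec.conf.bak" >/dev/null 2>&1
# The heredoc delimiter is quoted: nothing in ipsec.conf is meant to be
# expanded by the shell.
cat >"$config_dir/ipsec.conf" <<'EOF' || shell_abort "Config ipsec"
config setup
    # One SA per identity is NOT enforced: the same user or certificate may
    # be connected from several devices at once, and a stale SA from a
    # dropped connection is not replaced by the new one.
    uniqueids=never

# iOS (IKEv1, certificate + XAUTH)
conn iOS_cert
    keyexchange=ikev1
    # strongswan version >= 5.0.2, compatible with iOS 6.0,6.0.1
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightauth2=xauth
    rightsourceip=10.31.2.0/24
    rightcert=client.cert.pem
    auto=add

# Android (IKEv1, PSK + XAUTH). The PSK is shared by every client.
conn android_xauth_psk
    keyexchange=ikev1
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth
    rightsourceip=10.31.2.0/24
    auto=add

# Linux NetworkManager (IKEv2, certificates both ways)
conn networkmanager-strongswan
    keyexchange=ikev2
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightsourceip=10.31.2.0/24
    rightcert=client.cert.pem
    auto=add

# Windows 7 (IKEv2, EAP-MSCHAPv2)
conn windows7
    keyexchange=ikev2
    # aes256-sha1-modp1024 is what a stock Windows 7 client proposes; the
    # 1024-bit DH group is weak by today's standards. Windows can be made
    # to offer modp2048 (registry value NegotiateDH2048_AES256), after which
    # this line should be tightened. The trailing '!' makes the list strict.
    ike=aes256-sha1-modp1024!
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    eap_identity=%any
    auto=add

# compatible with xl2tp
conn L2TP-PSK-NAT
    # NOTE(review): 'vhost:%priv' is Openswan/Libreswan syntax; verify that
    # this strongSwan build accepts it rather than warning and ignoring it.
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    #pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
EOF

echo -e "\nConfigure Strongswan..."
cp -av "$config_dir/strongswan.conf" "$config_dir/strongswan.conf.bak" >/dev/null 2>&1
cat >"$config_dir/strongswan.conf" <<'EOF' || shell_abort "Configure Strongswan"
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    # Resolvers pushed to IKE clients (Google public DNS); replace with
    # your own if client DNS traffic should not leave your network.
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
EOF
echo -e "\nConfigure ipsec secrets..."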
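# (the original redirected to '/dev/nul', creating a stray file in /dev)
cp -av "$config_dir/ipsec.secrets" "$config_dir/ipsec.secrets.bak" >/dev/null 2>&1
# ": PSK" with no identity applies to every peer, and the XAUTH line has
# no identity either, so it appears to accept that secret for any XAUTH
# username — prefix it with "$username :" if that is not intended.
# The file holds clear-text secrets and is made readable by root only.
cat >"$config_dir/ipsec.secrets" <<EOF || shell_abort "Configure ipsec secrets"
: RSA server.pem
: PSK "$psk"
: XAUTH "$xauth"
$username %any: EAP "$password"
EOF
chmod 600 "$config_dir/ipsec.secrets"

echo -e "\nAdd PPP user..."
cp -av /etc/ppp/chap-secrets /etc/ppp/chap-secrets.bak >/dev/null 2>&1
# This REPLACES chap-secrets (existing PPP users survive only in the
# backup). Clear-text password inside, so root-only permissions.
cat >/etc/ppp/chap-secrets <<EOF || shell_abort "Add PPP user"
$username * "$password" *
EOF
chmod 600 /etc/ppp/chap-secrets

echo -e "\nConfigure xl2tpd..."
# (the original copied xl2tpd.conf onto itself, so no backup was made)
cp -av /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.bak >/dev/null 2>&1
cat >/etc/xl2tpd/xl2tpd.conf <<'EOF' || shell_abort "Configure xl2tpd"
[global]
; NOTE(review): 'ipsec saref = yes' requires SAref support in the kernel;
; confirm it on this kernel/strongSwan combination.
ipsec saref = yes

[lns default]
; L2TP clients get 192.168.1.x, a range that collides with many home
; LANs; change it (and the matching iptables rules) if clients lose
; access to their local network while connected.
ip range = 192.168.1.2-192.168.1.254
local ip = 192.168.1.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF

echo -e "\nConfigure PPP..."
cp -av /etc/ppp/options.xl2tpd /etc/ppp/options.xl2tpd.bak >/dev/null 2>&1
cat >/etc/ppp/options.xl2tpd <<'EOF' || shell_abort "Configure PPP"
# only MS-CHAPv2 is accepted for L2TP/PPP authentication
require-mschap-v2
# resolvers pushed to L2TP clients (Google public DNS; change to taste)
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
# keep the password out of the pppd debug log
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
EOF

echo -e "\nConfigure ip forward..."
echo 1 >/proc/sys/net/ipv4/ip_forward
# Persist via sysctl.d rather than rc.local: Debian's rc.local ends with
# 'exit 0', so the lines the original appended after it never ran at boot.
cat >/etc/sysctl.d/99-vpn-forward.conf <<'EOF'
net.ipv4.ip_forward = 1
EOF
# Start strongSwan at boot: insert 'ipsec start' before the final 'exit 0'
# (append when there is none) and do not add it twice on a re-run.
# NOTE(review): on systemd hosts rc.local only runs if rc-local.service
# is enabled; a proper unit for the /usr/local build would be better.
if [ ! -f /etc/rc.local ]; then
  printf '#!/bin/sh -e\nexit 0\n' >/etc/rc.local
  chmod +x /etc/rc.local
fi
if ! grep -qxF 'ipsec start' /etc/rc.local; then
  if grep -qx 'exit 0' /etc/rc.local; then
    sed -i '0,/^exit 0$/s//ipsec start\nexit 0/' /etc/rc.local
  else
    echo "ipsec start" >>/etc/rc.local
  fi
fi
echo -e "\nConfigure iptables..."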
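# Append a rule only when an identical one is not already present, so
# re-running the script does not stack duplicates (the original used
# plain -A everywhere).
# usage: add_rule TABLE CHAIN RULE...
function add_rule() {
  local table=$1 chain=$2
  shift 2
  iptables -t "$table" -C "$chain" "$@" 2>/dev/null || iptables -t "$table" -A "$chain" "$@"
}

# Only the address pools actually handed out are forwarded and NATed:
# 192.168.1.0/24 (L2TP, xl2tpd.conf) and 10.31.2.0/24 (IKE rightsourceip).
# The original also listed 10.31.0.0/24 and 10.31.1.0/24, which nothing
# assigns, and ended with an unrestricted MASQUERADE for every source and
# interface, which is wider than the VPN needs.
vpn_pools="192.168.1.0/24 10.31.2.0/24"

add_rule filter FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# shellcheck disable=SC2086 -- intentional word split of the pool list
for pool in $vpn_pools; do
  add_rule filter FORWARD -s "$pool" -j ACCEPT
done

# IKE (udp/500, NAT-T udp/4500), ESP and L2TP (udp/1701) on the chosen
# card. The original also opened tcp/500 and tcp/1723 (PPTP), which
# nothing installed by this script listens on, and duplicated the udp
# 500/4500 rules without an interface. The INPUT policy is left as found:
# these ACCEPTs only take effect once a DROP policy or other rules exist.
# NOTE(review): udp/1701 is reachable without IPsec; on hosts with kernel
# IPsec (not the OpenVZ/libipsec case) it can be limited to
# IPsec-protected traffic with '-m policy --dir in --pol ipsec'.
add_rule filter INPUT -i "$netcard" -p esp -j ACCEPT
add_rule filter INPUT -i "$netcard" -p udp --dport 500 -j ACCEPT
add_rule filter INPUT -i "$netcard" -p udp --dport 4500 -j ACCEPT
add_rule filter INPUT -i "$netcard" -p udp --dport 1701 -j ACCEPT
add_rule filter FORWARD -j REJECT
# shellcheck disable=SC2086
for pool in $vpn_pools; do
  add_rule nat POSTROUTING -s "$pool" -o "$netcard" -j MASQUERADE
done

# Persist the rules; they are reloaded whenever an interface comes up.
iptables-save >/etc/iptables.rules || shell_abort "Save iptables rules"
cat >/etc/network/if-up.d/iptables <<'EOF'
#! /bin/bash
iptables-restore < /etc/iptables.rules
EOF
chmod +x /etc/network/if-up.d/iptables

echo -e "\nInstalling finished."
echo -e "\nIP:\t\t\033[31m$ip_addr\033[0m"
echo -e "USERNAME:\t\033[31m$username\033[0m"
echo -e "PASSWORD:\t\033[31m$password\033[0m"
echo -e "PSK:\t\t\033[31m$psk\033[0m"
echo -e "XAUTH:\t\t\033[31m$xauth\033[0m"
echo -e "\nCertificate directory: \033[31m$home\033[0m"
echo -e "IOS 9+, please install '\033[31mca.cert.pem\033[0m' \c"
echo -e "and '\033[31mclient.cert.p12\033[0m', \c"
echo -e "then add VPN use IPSec."
echo -e "Other OS, please search the internet."
# Nothing above starts the daemons against the new configuration.
echo -e "\nServices were not started: reboot, or run 'ipsec start' and 'service xl2tpd restart'."
echo -e "\nEnjoy youself!"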
