Setup Strongswan IKEv2 VPN server on Debian 10 with Let's Encrypt
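#!/usr/bin/env bash
# Set up a strongSwan IKEv2 "road-warrior" VPN on Debian 10 with a Let's
# Encrypt server certificate and EAP-MSCHAPv2 username/password client auth.
#
# Run as root on a host whose DNS name already resolves to its public IP:
# certbot's standalone mode binds TCP/80 to answer the HTTP-01 challenge.
#
# Prompts for: VPN host name, client address pool (CIDR), VPN user, password.
# Writes:      /etc/ipsec.conf, /etc/ipsec.secrets, /etc/ipsec.d/{certs,cacerts,private},
#              /etc/sysctl.d/ipsec.conf, /etc/iptables/rules.v4 and a certbot
#              deploy hook that re-installs the certificate on every renewal.
#
# Changes from the earlier revision of this script:
#   * no `chmod 755 -R /etc/letsencrypt` (it made the private key world-readable);
#   * the certificate is copied by a deploy hook instead of hard-linked, because
#     certbot writes a new file on renewal and a hard link would keep the old one;
#   * the password is read without echo and never given a default;
#   * /etc/ipsec.secrets is forced to mode 0600;
#   * iptables rules are added only if not already present (re-runs don't stack);
#   * `route`/net-tools replaced by `ip`; the stale R3 intermediate download is
#     gone since chain.pem from certbot already carries the issuing intermediate.
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

[[ "$(id -u)" -eq 0 ]] || die "run as root"

export DEBIAN_FRONTEND=noninteractive
apt-get update && apt-get upgrade -y
apt-get install -y strongswan strongswan-pki libcharon-extra-plugins certbot iptables-persistent

# ---- operator input -------------------------------------------------------
read -r -e -i "vpn.example.com" -p "VPN host name: " HOST_NAME
read -r -e -i "172.19.240.0/20" -p "Address pool handed to VPN clients (CIDR): " LOCAL_SUBNET
read -r -e -i "VPN" -p "VPN user name: " VPN_USER
# -s: no echo, so the secret does not land in scrollback or a terminal log.
read -r -s -p "VPN password: " VPN_PASS
echo

# These values are interpolated into ipsec.conf / ipsec.secrets and a shell
# hook, so constrain them to characters those files can hold literally.
host_re='^[A-Za-z0-9.-]+$'
cidr_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'
user_re='^[^[:space:]":]+$'
[[ "$HOST_NAME" =~ $host_re ]]     || die "invalid host name: $HOST_NAME"
[[ "$LOCAL_SUBNET" =~ $cidr_re ]]  || die "invalid CIDR: $LOCAL_SUBNET"
[[ "$VPN_USER" =~ $user_re ]]      || die "user name must not contain whitespace, quotes or ':'"
[[ -n "$VPN_PASS" ]]               || die "password must not be empty"
[[ "$VPN_PASS" != *'"'* ]]         || die "password must not contain a double quote (ipsec.secrets delimiter)"

# ---- egress interface / address used for SNAT -----------------------------
default_route="$(ip -o route get to 1.1.1.1)"
DEFAULT_IFACE="$(sed -n 's/.* dev \([^ ]\+\).*/\1/p' <<<"$default_route")"
DEFAULT_IP="$(sed -n 's/.* src \([0-9.]\+\).*/\1/p' <<<"$default_route")"
[[ -n "$DEFAULT_IFACE" && -n "$DEFAULT_IP" ]] || die "could not determine default interface/address"

# ---- certificate ----------------------------------------------------------
# NOTE: --register-unsafely-without-email means no expiry notices; renewal is
# left to the certbot systemd timer plus the deploy hook written below.
certbot certonly --standalone -d "$HOST_NAME" --rsa-key-size 2048 \
  --agree-tos --register-unsafely-without-email --non-interactive

# Deploy hook: certbot runs it after every successful renewal (RENEWED_LINEAGE
# set); the setup script also runs it once now.  It installs copies with tight
# modes into strongSwan's directories; chain.pem's first certificate is the
# issuing intermediate, which is what leftsendcert=always needs in cacerts.
hook=/etc/letsencrypt/renewal-hooks/deploy/strongswan.sh
mkdir -p "$(dirname "$hook")" /etc/ipsec.d/certs /etc/ipsec.d/cacerts /etc/ipsec.d/private
cat > "$hook" <<EOF
#!/bin/bash
# certbot deploy hook: copy the current lineage into strongSwan's directories
# and make charon reload it.  Copies, not hard links: certbot writes a new
# file on every renewal and a link would keep pointing at the expired one.
set -euo pipefail
lineage="\${RENEWED_LINEAGE:-/etc/letsencrypt/live/${HOST_NAME}}"
install -m 0644 "\${lineage}/cert.pem"    /etc/ipsec.d/certs/cert.pem
install -m 0644 "\${lineage}/chain.pem"   /etc/ipsec.d/cacerts/chain.pem
install -m 0600 "\${lineage}/privkey.pem" /etc/ipsec.d/private/privkey.pem
# Only poke charon if it is already running; the setup script restarts it.
if ipsec status >/dev/null 2>&1; then
  ipsec rereadall
  ipsec reload
fi
EOF
chmod 0755 "$hook"
"$hook"

# ---- secrets --------------------------------------------------------------
# Holds the VPN password in clear text: create/overwrite with a restrictive
# umask and pin the mode explicitly.
(
  umask 077
  cat > /etc/ipsec.secrets <<EOF
${HOST_NAME} : RSA privkey.pem
${VPN_USER} %any : EAP "${VPN_PASS}"
EOF
)
chmod 0600 /etc/ipsec.secrets

# ---- connection definition ------------------------------------------------
cat > /etc/ipsec.conf <<EOF
config setup
    # allow the same EAP identity to hold several concurrent tunnels
    uniqueids=never
    strictcrlpolicy=no

conn vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@${HOST_NAME}
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    # clients authenticate with username/password only, no client certificate
    rightauth=eap-mschapv2
    rightdns=1.1.1.1,8.8.8.8
    rightsourceip=${LOCAL_SUBNET}
    rightsendcert=never
    eap_identity=%identity
EOF

# ---- kernel forwarding ----------------------------------------------------
cat > /etc/sysctl.d/ipsec.conf <<'EOF'
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.ip_no_pmtu_disc=1
net.ipv4.conf.all.rp_filter=1
EOF
sysctl -p /etc/sysctl.d/ipsec.conf

# ---- firewall / NAT -------------------------------------------------------
# Append a rule only if an identical one is not already present, so re-running
# the script does not stack duplicates.  $1 is the table.
ipt_add() {
  local table=$1
  shift
  iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}
ipt_add filter FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ipt_add filter FORWARD -s "$LOCAL_SUBNET" -j ACCEPT
# IKE (UDP/500), NAT-T/ESP-in-UDP (UDP/4500) and raw ESP must reach charon;
# harmless if the INPUT policy is already ACCEPT, required if it is DROP.
ipt_add filter INPUT -i "$DEFAULT_IFACE" -p udp --dport 500 -j ACCEPT
ipt_add filter INPUT -i "$DEFAULT_IFACE" -p udp --dport 4500 -j ACCEPT
ipt_add filter INPUT -i "$DEFAULT_IFACE" -p esp -j ACCEPT
ipt_add nat POSTROUTING -s "$LOCAL_SUBNET" -o "$DEFAULT_IFACE" -j SNAT --to-source "$DEFAULT_IP"
iptables-save > /etc/iptables/rules.v4

ipsec restart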