├── README.md
├── install-ikev2-radius-apt.sh
└── install-ikev2-radius-ldap.sh
/README.md:
--------------------------------------------------------------------------------
1 | # ikev2-radius-ldap
2 | You need a RADIUS server that reads user information from an LDAP server for login. Tested with Synology DSM Directory Server and RADIUS Server.
3 | 你需要准备radius服务器用来认证用户名密码。此脚本已经使用群晖dsm的directory server和radius server测试通过
4 | Adapted from: https://quericy.me/blog/699/
5 | 改写自https://quericy.me/blog/699/
6 | thanks to quericy
7 | 感谢quericy
8 | More info: https://www.willnet.net/index.php/archives/100/
9 | 更多详情访问https://www.willnet.net/index.php/archives/100/
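# ---- install-ikev2-radius-apt.sh ----
#! /bin/bash
# Install a strongSwan IKEv2 VPN on Ubuntu/Debian (apt) whose users are
# authenticated by an external RADIUS server (rightauth=eap-radius).
# Must run as root. Expects ca.cert.pem, server.cert.pem and server.pem in
# the directory the script is started from; the RADIUS address, shared secret
# and DNS servers are prompted for interactively.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
clear
VER=1.1.0
# Address pool handed to VPN clients; used in ipsec.conf and the NAT rules.
readonly VPN_POOL="10.31.0.0/24"
echo "#############################################################"
echo "# Install IKEV2 VPN for Ubuntu"
echo "# Intro: https://willnet.net"
echo "# Version:$VER"
echo "#############################################################"
echo ""

# Colour escapes are only emitted when stdout is a terminal.
__INTERACTIVE=""
if [ -t 1 ] ; then
  __INTERACTIVE="1"
fi

#######################################
# Print $2 wrapped in ANSI colour code $1 when interactive, plain otherwise.
# The text is printed with '%s' rather than as a printf format: the original
# helpers used the text as the format, so a value such as "Xen\KVM\ESXI"
# (see pre_install) had its "\E" turned into an escape byte.
#######################################
__colour(){
  local code=$1
  local text=$2
  if [ "$__INTERACTIVE" ] ; then
    printf '\033[%sm' "$code"
  fi
  printf '%s' "$text"
  if [ "$__INTERACTIVE" ] ; then
    printf '\033[0m'
  fi
}

__green(){
  __colour '1;31;32' "$1"
}

__red(){
  __colour '1;31;40' "$1"
}

__yellow(){
  __colour '1;31;33' "$1"
}

#######################################
# Return 0 when $1 is a dotted-quad IPv4 literal, 1 otherwise.
# Used to reject HTML/error pages returned by the public-IP lookup services.
#######################################
is_ipv4(){
  [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]
}

#######################################
# Wait for a single keypress on /dev/tty without echoing it.
# Terminal settings are saved and restored around the read. Defined once here
# instead of being re-defined inside pre_install and get_key.
#######################################
get_char(){
  local saved_stty
  saved_stty=$(stty -g)
  stty -echo
  stty cbreak
  dd if=/dev/tty bs=1 count=1 2> /dev/null
  stty -raw
  stty echo
  stty "$saved_stty"
}

#######################################
# Append an iptables rule only if an identical one is not already present,
# so re-running the installer does not pile up duplicate rules.
# Arguments: $1 - table (filter|nat), rest - chain and rule spec
#######################################
ipt_add(){
  local table=$1
  shift
  iptables -t "$table" -C "$@" 2> /dev/null || iptables -t "$table" -A "$@"
}

# Install IKEV2: the ordered list of installation steps.
install_ikev2(){
  rootness
  install_lib
  get_public_ip
  pre_install
  install_strongswan
  get_key
  configure_ipsec
  configure_strongswan
  configure_secrets
  configure_radius_server
  enable_ip_forward
  get_interface
  iptables_set
  service strongswan restart
  success_info
}

# Make sure only root can run our script
rootness(){
  if [[ $EUID -ne 0 ]]; then
    echo "Error:This script must be run as root!" 1>&2
    exit 1
  fi
}

# Install the tools the later steps need (curl for the public-IP lookup).
install_lib(){
  apt-get -y update
  apt-get -y install curl || { echo "Error:failed to install curl" 1>&2; exit 1; }
}

#######################################
# Determine the server's public IP into $publicIP (empty if both lookups fail).
# The original tested the never-assigned $IP here, so the first lookup was
# always thrown away; the result is now validated as an IPv4 literal instead.
#######################################
get_public_ip(){
  echo "Getting public IP, Please wait a moment..."
  publicIP=$(curl -s checkip.dyndns.com | cut -d' ' -f 6 | cut -d'<' -f 1)
  if ! is_ipv4 "$publicIP"; then
    publicIP=$(curl -s https://ifconfig.me/ip)
  fi
  if ! is_ipv4 "$publicIP"; then
    publicIP=""
  fi
}

#######################################
# Interactive pre-installation questions.
# Sets: os, os_str, domain, radius_server, radius_secret, dns_1, dns_2, cur_dir
# The RADIUS shared secret is read without echo and never printed back.
#######################################
pre_install(){
  echo ""
  echo "please choose the type of your server(Xen\KVM\ESXI\BareMetal: 1 , OpenVZ: 2):"
  read -r -p "your choice(1 or 2):" os_choice
  case "$os_choice" in
    1)
      os="1"
      os_str="Xen\KVM\ESXI\BareMetal"
      ;;
    2)
      os="2"
      os_str="OpenVZ"
      ;;
    *)
      echo "wrong choice!"
      exit 1
      ;;
  esac
  echo "please input the domain of your VPS:"
  read -r -p "domain or IP(default_value:${publicIP}):" domain
  if [ "$domain" = "" ]; then
    domain=$publicIP
  fi
  # leftid must not be empty; the default can be empty when the lookups failed.
  if [ "$domain" = "" ]; then
    echo "you must enter a domain or ip address!"
    exit 1
  fi
  echo "please enter radius server ip address:"
  read -r -p "radius server ip:" radius_server
  if [ "$radius_server" = "" ]; then
    echo "you must enter an ip address!"
    exit 1
  fi
  echo "please enter radius server secret:"
  read -r -s -p "radius server secret:" radius_secret
  echo ""
  if [ "$radius_secret" = "" ]; then
    echo "you must enter the radius shared secret!"
    exit 1
  fi
  echo "please input the dns server 1 ip address(default is 8.8.8.8):"
  read -r -p "dns server 1:" dns_1
  if [ "$dns_1" = "" ]; then
    dns_1=8.8.8.8
  fi
  echo "please input the dns server 2 ip address(default is 8.8.4.4):"
  read -r -p "dns server 2:" dns_2
  if [ "$dns_2" = "" ]; then
    dns_2=8.8.4.4
  fi
  echo "####################################"
  echo "Please confirm the information:"
  echo ""
  echo "the type of your server: [$(__green "$os_str")]"
  echo "the domain or IP of your server: [$(__green "$domain")]"
  echo "the radius server: [$(__green "$radius_server")]"
  echo "the radius server secret: [$(__green "(hidden, ${#radius_secret} characters)")]"
  echo "the dns server 1: [$(__green "$dns_1")]"
  echo "the dns server 2: [$(__green "$dns_2")]"
  __yellow "These are the certificate you MUST be prepared:"
  echo ""
  echo "[$(__green "ca.cert.pem")]:The CA cert or the chain cert."
  echo "[$(__green "server.cert.pem")]:Your server cert."
  echo "[$(__green "server.pem")]:Your key of the server cert."
  echo "[$(__yellow "Please copy these file to the same directory of this script before start!")]"

  echo ""
  echo "Press any key to start...or Press Ctrl+C to cancel"
  get_char > /dev/null
  # Directory the certificates live in; later steps cd around and come back.
  cur_dir=$(pwd)
}

install_strongswan(){
  apt-get -y install strongswan libstrongswan-extra-plugins \
    || { echo "Error:failed to install strongswan" 1>&2; exit 1; }
}

#######################################
# Stage the certificates under my_key/ and copy them into /etc/ipsec.d.
# import_cert leaves the shell inside my_key/, which is where the copies
# below are taken from. Private keys are made root-only afterwards.
#######################################
get_key(){
  cd "$cur_dir" || exit 1
  mkdir -p my_key
  import_cert

  echo "####################################"
  cp -f ca.cert.pem /etc/ipsec.d/cacerts/
  cp -f server.cert.pem /etc/ipsec.d/certs/
  cp -f server.pem /etc/ipsec.d/private/
  cp -f client.cert.pem /etc/ipsec.d/certs/
  cp -f client.pem /etc/ipsec.d/private/
  chmod 600 /etc/ipsec.d/private/server.pem /etc/ipsec.d/private/client.pem
  echo "Cert copy completed"
}

#######################################
# Copy the user-supplied certificate files into my_key/ and cd into it.
# client.cert.pem/client.pem are byte copies of the server cert and key
# (so the "client" bundle holds the server's private key); this script's
# ipsec.conf does not reference them. Missing files now exit non-zero
# instead of the original bare `exit` (status 0).
#######################################
import_cert(){
  cd "$cur_dir" || exit 1
  if [ -f ca.cert.pem ];then
    cp -f ca.cert.pem my_key/ca.cert.pem
    echo "ca.cert.pem [$(__green "found")]"
  else
    echo "ca.cert.pem [$(__red "Not found!")]"
    exit 1
  fi
  if [ -f server.cert.pem ];then
    cp -f server.cert.pem my_key/server.cert.pem
    cp -f server.cert.pem my_key/client.cert.pem
    echo "server.cert.pem [$(__green "found")]"
    echo "client.cert.pem [$(__green "auto create")]"
  else
    echo "server.cert.pem [$(__red "Not found!")]"
    exit 1
  fi
  if [ -f server.pem ];then
    cp -f server.pem my_key/server.pem
    cp -f server.pem my_key/client.pem
    echo "server.pem [$(__green "found")]"
    echo "client.pem [$(__green "auto create")]"
  else
    echo "server.pem [$(__red "Not found!")]"
    exit 1
  fi
  cd my_key || exit 1
}

#######################################
# Write /etc/ipsec.conf. Parameter lines are indented, as ipsec.conf requires.
# The 3des-sha1 / aes256-sha1 proposals are legacy entries kept for old
# clients; drop them once no such clients remain.
#######################################
configure_ipsec(){
  cat > /etc/ipsec.conf<<EOF
config setup
    uniqueids=never
conn ikev2
    keyexchange=ikev2
    ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    rekey=no
    left=%defaultroute
    leftid=${domain}
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-radius
    #rightauth=eap-mschapv2
    rightsourceip=${VPN_POOL}
    rightsendcert=never
    eap_identity=%identity
    dpdaction=clear
    fragmentation=yes
    auto=add
EOF
}

# Write /etc/strongswan.conf (DNS servers pushed to clients).
configure_strongswan(){
  cat > /etc/strongswan.conf<<EOF
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = ${dns_1}
    dns2 = ${dns_2}
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
EOF
}

#######################################
# Write /etc/ipsec.secrets. User authentication is delegated to RADIUS, so
# the original live `username : EAP "password"` entry is left commented out
# (as the sibling ldap script already does) and the file is root-only.
#######################################
configure_secrets(){
  cat > /etc/ipsec.secrets<<EOF
: RSA server.pem
#: PSK "myPSKkey"
#: XAUTH "myXAUTHPass"
#username : EAP "password"
EOF
  chmod 600 /etc/ipsec.secrets
}

# Write the eap-radius plugin config; it holds the shared secret, so root-only.
configure_radius_server(){
  cat > /etc/strongswan.d/charon/eap-radius.conf<<EOF
eap-radius {
    load = yes
    dae {
    }
    forward {
    }
    servers {
        server_a {
            address = ${radius_server}
            secret = ${radius_secret}
        }
    }
    xauth {
    }
}
EOF
  chmod 600 /etc/strongswan.d/charon/eap-radius.conf
}

#######################################
# Ask whether to SNAT to a fixed address instead of MASQUERADE.
# Sets: use_SNAT_str ("1"/"0"), static_ip (defaults to $local_ip)
#######################################
SNAT_set(){
  echo "Use SNAT could improve the speed,but your server MUST have static ip address."
  read -r -p "yes or no?(default_value:no):" use_SNAT
  if [ "$use_SNAT" = "yes" ]; then
    use_SNAT_str="1"
    __yellow "ip address info:"
    echo ""
    ip address | grep inet
    echo "Some servers has elastic IP (AWS) or mapping IP.In this case,you should input the IP address which is binding in network interface."
    read -r -p "static ip or network interface ip (default_value:${local_ip}):" static_ip
    if [ "$static_ip" = "" ]; then
      static_ip=$local_ip
    fi
  else
    use_SNAT_str="0"
  fi
}

#######################################
# Detect the default-route interface ($interface) and its first global IPv4
# address ($local_ip). Only the first default route is used, so a host with
# several does not yield a multi-line value as the original grep/awk did.
#######################################
get_interface(){
  interface=$(ip -4 route show default | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") {print $(i + 1); exit}}')
  local_ip=$(ip -4 -o addr show dev "$interface" scope global 2> /dev/null | awk '{split($4, a, "/"); print a[1]; exit}')
}

# Enable IPv4 forwarding persistently and apply it now.
enable_ip_forward(){
  cat > /etc/sysctl.d/10-ipsec.conf<<EOF
net.ipv4.ip_forward=1
EOF
  sysctl --system
}

#######################################
# Install the firewall/NAT rules for the VPN pool and make them persistent.
# The Xen/KVM and OpenVZ branches of the original differed only in the
# interface default, so they are merged; rules are added idempotently.
#######################################
iptables_set(){
  local default_if
  SNAT_set
  echo "[$(__yellow "Important")]Please enter the name of the interface which can be connected to the public network."
  if [ "$os" = "1" ]; then
    default_if=$interface
  else
    default_if="venet0"
  fi
  read -r -p "Network card interface(default_value:${default_if}):" input_interface
  if [ "$input_interface" = "" ]; then
    input_interface=$default_if
  fi
  ipt_add filter FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  ipt_add filter FORWARD -s "$VPN_POOL" -j ACCEPT
  ipt_add filter INPUT -i "$input_interface" -p esp -j ACCEPT
  ipt_add filter INPUT -i "$input_interface" -p udp --dport 500 -j ACCEPT
  ipt_add filter INPUT -i "$input_interface" -p udp --dport 4500 -j ACCEPT
  #iptables -A FORWARD -j REJECT
  if [ "$use_SNAT_str" = "1" ]; then
    ipt_add nat POSTROUTING -s "$VPN_POOL" -o "$input_interface" -j SNAT --to-source "$static_ip"
  else
    ipt_add nat POSTROUTING -s "$VPN_POOL" -o "$input_interface" -j MASQUERADE
  fi
  iptables-save > /etc/iptables.rules
  cat > /etc/network/if-up.d/iptables<<EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
EOF
  chmod +x /etc/network/if-up.d/iptables
  # systemd-networkd hosts do not run if-up.d; install the same hook there too.
  mkdir -p /etc/networkd-dispatcher/routable.d
  cp /etc/network/if-up.d/iptables /etc/networkd-dispatcher/routable.d/iptables
}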
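# echo the success info
success_info(){
  echo "#############################################################"
  echo "# [$(__green "Install Complete")]"
  echo "#############################################################"
  echo ""
}

# Initialization step
install_ikev2

# ---- install-ikev2-radius-ldap.sh ----
#! /bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
#===============================================================================================
# System Required: CentOS6.x/7 (32bit/64bit) or Ubuntu 16.04
# Description: Install IKEV2 VPN for CentOS and Ubuntu
# Author: trepwq
# Intro: https://willnet.net
#===============================================================================================
# Builds strongSwan from source into /usr/local and configures IKEv2 with
# EAP-RADIUS user authentication (plus cert/xauth/psk conns for older
# clients). Must run as root. Certificates are either imported from the
# current directory or generated with `ipsec pki`.

clear
VER=1.0.0
# Pool handed to clients by every conn, and all pools allowed through NAT.
readonly VPN_POOL="10.31.2.0/24"
readonly -a VPN_POOLS=("10.31.0.0/24" "10.31.1.0/24" "10.31.2.0/24")
echo "#############################################################"
echo "# Install IKEV2 VPN for CentOS6.x/7 (32bit/64bit) or Ubuntu 16.04 or Debian7/8.*"
echo "# Intro: https://willnet.net"
echo "#"
echo "# Author:trepwq"
echo "#"
echo "# Version:$VER"
echo "#############################################################"
echo ""

# Colour escapes are only emitted when stdout is a terminal.
__INTERACTIVE=""
if [ -t 1 ] ; then
  __INTERACTIVE="1"
fi

#######################################
# Print $2 wrapped in ANSI colour code $1 when interactive, plain otherwise.
# The text is printed with '%s', not as the printf format (the original used
# the text as the format, so "\E" or "%" in a value corrupted the output).
#######################################
__colour(){
  local code=$1
  local text=$2
  if [ "$__INTERACTIVE" ] ; then
    printf '\033[%sm' "$code"
  fi
  printf '%s' "$text"
  if [ "$__INTERACTIVE" ] ; then
    printf '\033[0m'
  fi
}

__green(){
  __colour '1;31;32' "$1"
}

__red(){
  __colour '1;31;40' "$1"
}

__yellow(){
  __colour '1;31;33' "$1"
}

#######################################
# Return 0 when $1 is a dotted-quad IPv4 literal, 1 otherwise.
#######################################
is_ipv4(){
  [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]
}

#######################################
# Wait for a single keypress on /dev/tty without echoing it; tty settings
# are restored afterwards. Defined once instead of inside pre_install/get_key.
#######################################
get_char(){
  local saved_stty
  saved_stty=$(stty -g)
  stty -echo
  stty cbreak
  dd if=/dev/tty bs=1 count=1 2> /dev/null
  stty -raw
  stty echo
  stty "$saved_stty"
}

#######################################
# Append an iptables rule only if an identical one is not already present.
# Arguments: $1 - table (filter|nat), rest - chain and rule spec
#######################################
ipt_add(){
  local table=$1
  shift
  iptables -t "$table" -C "$@" 2> /dev/null || iptables -t "$table" -A "$@"
}

# Install IKEV2: the ordered list of installation steps.
install_ikev2(){
  rootness
  disable_selinux
  get_system
  yum_install
  get_my_ip
  pre_install
  download_files
  setup_strongswan
  get_key
  configure_ipsec
  configure_strongswan
  configure_secrets
  configure_radius_server
  SNAT_set
  iptables_check
  ipsec restart
  success_info
}

# Make sure only root can run our script
rootness(){
  if [[ $EUID -ne 0 ]]; then
    echo "Error:This script must be run as root!" 1>&2
    exit 1
  fi
}

#######################################
# Disable SELinux (persistently and immediately) when it is enforcing.
# NOTE(review): this removes a system-wide control for the sake of one
# daemon; SELINUX=permissive, or a policy for /usr/local strongSwan, is the
# narrower option. Kept as the author wrote it.
#######################################
disable_selinux(){
  if [ -s /etc/selinux/config ] && grep -q 'SELINUX=enforcing' /etc/selinux/config; then
    sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
    setenforce 0
  fi
}

# Ubuntu or CentOS: sets system_str to "0" for CentOS, "1" for Ubuntu/Debian.
get_system(){
  if grep -Eqi "CentOS" /etc/issue || grep -Eq "CentOS" /etc/*-release; then
    system_str="0"
  elif grep -Eqi "Ubuntu" /etc/issue || grep -Eq "Ubuntu" /etc/*-release; then
    system_str="1"
  elif grep -Eqi "Debian" /etc/issue || grep -Eq "Debian" /etc/*-release; then
    system_str="1"
  else
    echo "This Script must be running at the CentOS or Ubuntu or Debian!"
    exit 1
  fi
}

#######################################
# Install build dependencies. wget is added because download_files uses it
# and the original never installed it.
#######################################
yum_install(){
  if [ "$system_str" = "0" ]; then
    yum -y update
    yum -y install pam-devel openssl-devel make gcc curl wget \
      || { echo "Error:failed to install build dependencies" 1>&2; exit 1; }
  else
    apt-get -y update
    apt-get -y install libpam0g-dev libssl-dev make gcc curl wget \
      || { echo "Error:failed to install build dependencies" 1>&2; exit 1; }
  fi
}

#######################################
# Determine the server's public IP into $IP (empty if both lookups fail).
# Results are validated as IPv4 literals so an HTML error page is not used.
#######################################
get_my_ip(){
  echo "Preparing, Please wait a moment..."
  IP=$(curl -s checkip.dyndns.com | cut -d' ' -f 6 | cut -d'<' -f 1)
  if ! is_ipv4 "$IP"; then
    IP=$(curl -s https://ifconfig.me/ip)
  fi
  if ! is_ipv4 "$IP"; then
    IP=""
  fi
}

#######################################
# Interactive pre-installation questions.
# Sets: os, os_str, vps_ip, radius_server, radius_secret, dns_1, dns_2,
#       have_cert, my_cert_c/o/cn (when generating), cur_dir
# The RADIUS shared secret is read without echo and never printed back.
#######################################
pre_install(){
  echo "#############################################################"
  echo "# Install IKEV2 VPN for CentOS6.x/7 (32bit/64bit) or Ubuntu 16.04 or Debian7/8.*"
  echo "# Intro: https://willnet.net"
  echo "#"
  echo "# Author:trepwq"
  echo "#"
  echo "# Version:$VER"
  echo "#############################################################"
  echo "please choose the type of your VPS(Xen、KVM: 1 , OpenVZ: 2):"
  read -r -p "your choice(1 or 2):" os_choice
  case "$os_choice" in
    1)
      os="1"
      os_str="Xen、KVM"
      ;;
    2)
      os="2"
      os_str="OpenVZ"
      ;;
    *)
      echo "wrong choice!"
      exit 1
      ;;
  esac
  echo "please input the ip (or domain) of your VPS:"
  read -r -p "ip or domain(default_value:${IP}):" vps_ip
  if [ "$vps_ip" = "" ]; then
    vps_ip=$IP
  fi
  # vps_ip becomes leftid and the server cert CN/SAN; it must not be empty.
  if [ "$vps_ip" = "" ]; then
    echo "you must enter an ip address or domain!"
    exit 1
  fi
  echo "please enter radius server ip address:"
  read -r -p "radius server ip:" radius_server
  if [ "$radius_server" = "" ]; then
    echo "you must enter an ip address!"
    exit 1
  fi
  echo "please enter radius server secret:"
  read -r -s -p "radius server secret:" radius_secret
  echo ""
  if [ "$radius_secret" = "" ]; then
    echo "you must enter the radius shared secret!"
    exit 1
  fi
  echo "please input the dns server 1 ip address(default is 8.8.8.8):"
  read -r -p "dns server 1:" dns_1
  if [ "$dns_1" = "" ]; then
    dns_1=8.8.8.8
  fi
  echo "please input the dns server 2 ip address(default is 8.8.4.4):"
  read -r -p "dns server 2:" dns_2
  if [ "$dns_2" = "" ]; then
    dns_2=8.8.4.4
  fi

  echo "Would you want to import existing cert? You NEED copy your cert file to the same directory of this script"
  read -r -p "yes or no?(default_value:no):" have_cert
  if [ "$have_cert" = "yes" ]; then
    have_cert="1"
  else
    have_cert="0"
    echo "please input the cert country(C):"
    read -r -p "C(default value:com):" my_cert_c
    if [ "$my_cert_c" = "" ]; then
      my_cert_c="com"
    fi
    echo "please input the cert organization(O):"
    read -r -p "O(default value:myvpn):" my_cert_o
    if [ "$my_cert_o" = "" ]; then
      my_cert_o="myvpn"
    fi
    echo "please input the cert common name(CN):"
    read -r -p "CN(default value:VPN CA):" my_cert_cn
    if [ "$my_cert_cn" = "" ]; then
      my_cert_cn="VPN CA"
    fi
  fi

  echo "####################################"
  echo "Please confirm the information:"
  echo ""
  echo "the type of your server: [$(__green "$os_str")]"
  echo "the ip(or domain) of your server: [$(__green "$vps_ip")]"
  echo "the radius server: [$(__green "$radius_server")]"
  echo "the radius server secret: [$(__green "(hidden, ${#radius_secret} characters)")]"
  echo "the dns server 1: [$(__green "$dns_1")]"
  echo "the dns server 2: [$(__green "$dns_2")]"
  if [ "$have_cert" = "1" ]; then
    __yellow "These are the certificate you MUST be prepared:"
    echo ""
    echo "[$(__green "ca.cert.pem")]:The CA cert or the chain cert."
    echo "[$(__green "server.cert.pem")]:Your server cert."
    echo "[$(__green "server.pem")]:Your key of the server cert."
    echo "[$(__yellow "Please copy these file to the same directory of this script before start!")]"
  else
    echo "the cert_info:[$(__green "C=${my_cert_c}, O=${my_cert_o}")]"
  fi
  echo ""
  echo "Press any key to start...or Press Ctrl+C to cancel"
  get_char > /dev/null
  # Directory the certificates live in; later steps cd around and come back.
  cur_dir=$(pwd)
}

#######################################
# Fetch and unpack the pinned strongSwan tarball, then cd into the source tree.
# TLS verification is left enabled (the original passed --no-check-certificate
# to fetch code that is compiled and installed as root). Verifying the
# release signature as well would close the remaining supply-chain gap.
#######################################
download_files(){
  strongswan_version='strongswan-5.6.3'
  strongswan_file="$strongswan_version.tar.gz"
  if [ -f "$strongswan_file" ];then
    echo "$strongswan_file [$(__green "found")]"
  else
    if ! wget "https://download.strongswan.org/$strongswan_file";then
      echo "Failed to download $strongswan_file"
      exit 1
    fi
  fi
  if tar xzf "$strongswan_file";then
    cd "$cur_dir/$strongswan_version/" || exit 1
  else
    echo ""
    echo "Unzip $strongswan_file failed! Please visit https://quericy.me/blog/699 and contact."
    exit 1
  fi
}

#######################################
# Configure, build and install strongSwan. Both server types share one flag
# list; the non-Xen/KVM (OpenVZ) case additionally enables kernel-libipsec,
# presumably because such containers lack the kernel IPsec stack. Each step
# now aborts on failure instead of `make; make install` continuing blindly.
#######################################
setup_strongswan(){
  local -a configure_flags=(
    --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls
    --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic
    --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp
    --enable-openssl --enable-addrblock --enable-unity --enable-certexpire
    --enable-radattr --enable-swanctl --disable-gmp
  )
  if [ "$os" != "1" ]; then
    configure_flags+=(--enable-kernel-libipsec)
  fi
  ./configure "${configure_flags[@]}" || { echo "Error:configure failed" 1>&2; exit 1; }
  make || { echo "Error:make failed" 1>&2; exit 1; }
  make install || { echo "Error:make install failed" 1>&2; exit 1; }
}

#######################################
# Stage the certificates under my_key/ (imported or generated) and copy them
# into /usr/local/etc/ipsec.d. Both helpers leave the shell inside my_key/.
# Private keys are made root-only afterwards.
#######################################
get_key(){
  cd "$cur_dir" || exit 1
  mkdir -p my_key
  if [ "$have_cert" = "1" ]; then
    import_cert
  else
    create_cert
  fi

  echo "####################################"
  cp -f ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
  cp -f server.cert.pem /usr/local/etc/ipsec.d/certs/
  cp -f server.pem /usr/local/etc/ipsec.d/private/
  cp -f client.cert.pem /usr/local/etc/ipsec.d/certs/
  cp -f client.pem /usr/local/etc/ipsec.d/private/
  chmod 600 /usr/local/etc/ipsec.d/private/server.pem /usr/local/etc/ipsec.d/private/client.pem
  echo "Cert copy completed"
}

#######################################
# Copy the user-supplied certificate files into my_key/ and cd into it.
# client.cert.pem/client.pem are byte copies of the server cert and key, and
# the iOS_cert / networkmanager-strongswan conns reference that client cert:
# anyone holding the "client" bundle then holds the server's private key.
# Generate a separate client key instead when using those conns.
# Missing files exit non-zero (the original bare `exit` returned 0).
#######################################
import_cert(){
  cd "$cur_dir" || exit 1
  if [ -f ca.cert.pem ];then
    cp -f ca.cert.pem my_key/ca.cert.pem
    echo "ca.cert.pem [$(__green "found")]"
  else
    echo "ca.cert.pem [$(__red "Not found!")]"
    exit 1
  fi
  if [ -f server.cert.pem ];then
    cp -f server.cert.pem my_key/server.cert.pem
    cp -f server.cert.pem my_key/client.cert.pem
    echo "server.cert.pem [$(__green "found")]"
    echo "client.cert.pem [$(__green "auto create")]"
  else
    echo "server.cert.pem [$(__red "Not found!")]"
    exit 1
  fi
  if [ -f server.pem ];then
    cp -f server.pem my_key/server.pem
    cp -f server.pem my_key/client.pem
    echo "server.pem [$(__green "found")]"
    echo "client.pem [$(__green "auto create")]"
  else
    echo "server.pem [$(__red "Not found!")]"
    exit 1
  fi
  cd my_key || exit 1
}

#######################################
# Generate a CA, a server cert (CN/SAN = vps_ip) and a client cert in my_key/,
# then export the client identity as a PKCS#12 bundle. Generated private keys
# are made root-only; the p12 export password is prompted for by openssl.
#######################################
create_cert(){
  cd "$cur_dir/my_key" || exit 1
  ipsec pki --gen --outform pem > ca.pem
  ipsec pki --self --in ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${my_cert_cn}" --ca --outform pem > ca.cert.pem
  ipsec pki --gen --outform pem > server.pem
  ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem \
    --cakey ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${vps_ip}" \
    --san="${vps_ip}" --flag serverAuth --flag ikeIntermediate \
    --outform pem > server.cert.pem
  ipsec pki --gen --outform pem > client.pem
  ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem \
    --dn "C=${my_cert_c}, O=${my_cert_o}, CN=VPN Client" --outform pem > client.cert.pem
  chmod 600 ca.pem server.pem client.pem
  echo "configure the pkcs12 cert password(Can be empty):"
  openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "${my_cert_cn}" -out client.cert.p12
  chmod 600 client.cert.p12
}

#######################################
# Write /usr/local/etc/ipsec.conf. Parameter lines are indented, as ipsec.conf
# requires. Legacy notes: the 3des-sha1 / aes256-sha1 proposals and the
# 1024-bit DH group in conn windows7 are weak and kept only for old clients;
# conn android_xauth_psk needs a PSK that configure_secrets leaves commented out.
#######################################
configure_ipsec(){
  cat > /usr/local/etc/ipsec.conf<<EOF
config setup
    uniqueids=never
conn iOS_cert
    keyexchange=ikev1
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightauth2=xauth
    rightsourceip=${VPN_POOL}
    rightcert=client.cert.pem
    auto=add
conn android_xauth_psk
    keyexchange=ikev1
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth
    rightsourceip=${VPN_POOL}
    auto=add
conn networkmanager-strongswan
    keyexchange=ikev2
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightsourceip=${VPN_POOL}
    rightcert=client.cert.pem
    auto=add
conn ios_ikev2
    keyexchange=ikev2
    # 3des-sha1 / aes256-sha1 are legacy proposals; drop when no old clients remain.
    ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    rekey=no
    left=%defaultroute
    leftid=${vps_ip}
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-radius
    rightsourceip=${VPN_POOL}
    rightsendcert=never
    eap_identity=%identity
    dpdaction=clear
    fragmentation=yes
    auto=add
conn windows7
    keyexchange=ikev2
    # modp1024 (1024-bit DH) is below current recommendations; kept for old Windows clients.
    ike=aes256-sha1-modp1024!
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=${VPN_POOL}
    rightsendcert=never
    eap_identity=%any
    auto=add
EOF
}

# Write /usr/local/etc/strongswan.conf (DNS servers pushed to clients).
configure_strongswan(){
  cat > /usr/local/etc/strongswan.conf<<EOF
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = ${dns_1}
    dns2 = ${dns_2}
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
EOF
}

#######################################
# Write /usr/local/etc/ipsec.secrets (server key only; PSK/XAUTH/EAP entries
# stay commented out because users authenticate via RADIUS). Root-only file.
#######################################
configure_secrets(){
  cat > /usr/local/etc/ipsec.secrets<<EOF
: RSA server.pem
#: PSK "myPSKkey"
#: XAUTH "myXAUTHPass"
#myUserName %any : EAP "myUserPass"
EOF
  chmod 600 /usr/local/etc/ipsec.secrets
}

# Write the eap-radius plugin config; it holds the shared secret, so root-only.
configure_radius_server(){
  cat > /usr/local/etc/strongswan.d/charon/eap-radius.conf<<EOF
eap-radius {
    load = yes
    dae {
    }
    forward {
    }
    servers {
        server_a {
            address = ${radius_server}
            secret = ${radius_secret}
        }
    }
    xauth {
    }
}
EOF
  chmod 600 /usr/local/etc/strongswan.d/charon/eap-radius.conf
}

#######################################
# Ask whether to SNAT to a fixed address instead of MASQUERADE.
# Sets: use_SNAT_str ("1"/"0"), static_ip (defaults to $IP)
#######################################
SNAT_set(){
  echo "Use SNAT could improve the speed,but your server MUST have static ip address."
  read -r -p "yes or no?(default_value:no):" use_SNAT
  if [ "$use_SNAT" = "yes" ]; then
    use_SNAT_str="1"
    __yellow "ip address info:"
    echo ""
    ip address | grep inet
    echo "Some servers has elastic IP (AWS) or mapping IP.In this case,you should input the IP address which is binding in network interface."
    read -r -p "static ip or network interface ip (default_value:${IP}):" static_ip
    if [ "$static_ip" = "" ]; then
      static_ip=$IP
    fi
  else
    use_SNAT_str="0"
  fi
}

# Enable IP forwarding, then pick firewalld (CentOS7) or raw iptables rules.
iptables_check(){
  cat > /etc/sysctl.d/10-ipsec.conf<<EOF
net.ipv4.ip_forward=1
EOF
  sysctl --system
  echo "Do you use firewall in CentOS7 instead of iptables?"
  read -r -p "yes or no?(default_value:no):" use_firewall
  if [ "$use_firewall" = "yes" ]; then
    firewall_set
  else
    iptables_set
  fi
}

# firewall set in CentOS7
firewall_set(){
  if ! systemctl is-active firewalld > /dev/null; then
    systemctl start firewalld
  fi
  firewall-cmd --permanent --add-service="ipsec"
  firewall-cmd --permanent --add-port=500/udp
  firewall-cmd --permanent --add-port=4500/udp
  firewall-cmd --permanent --add-masquerade
  firewall-cmd --reload
}

#######################################
# Install the firewall/NAT rules for every VPN pool and make them persistent.
# The two original branches differed only in the interface default, so they
# are merged; rules are added idempotently via ipt_add.
#######################################
iptables_set(){
  local default_if pool
  __yellow "ip address info:"
  echo ""
  ip address | grep inet
  echo "The above content is the network card information of your VPS."
  echo "[$(__yellow "Important")]Please enter the name of the interface which can be connected to the public network."
  if [ "$os" = "1" ]; then
    default_if="eth0"
  else
    default_if="venet0"
  fi
  read -r -p "Network card interface(default_value:${default_if}):" interface
  if [ "$interface" = "" ]; then
    interface=$default_if
  fi
  ipt_add filter FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  for pool in "${VPN_POOLS[@]}"; do
    ipt_add filter FORWARD -s "$pool" -j ACCEPT
  done
  ipt_add filter INPUT -i "$interface" -p esp -j ACCEPT
  ipt_add filter INPUT -i "$interface" -p udp --dport 500 -j ACCEPT
  ipt_add filter INPUT -i "$interface" -p tcp --dport 500 -j ACCEPT
  ipt_add filter INPUT -i "$interface" -p udp --dport 4500 -j ACCEPT
  # 1701/udp (L2TP) and 1723/tcp (PPTP) are opened although nothing this
  # script installs listens on them; remove these two if only IKEv2 is used.
  ipt_add filter INPUT -i "$interface" -p udp --dport 1701 -j ACCEPT
  ipt_add filter INPUT -i "$interface" -p tcp --dport 1723 -j ACCEPT
  #iptables -A FORWARD -j REJECT
  for pool in "${VPN_POOLS[@]}"; do
    if [ "$use_SNAT_str" = "1" ]; then
      ipt_add nat POSTROUTING -s "$pool" -o "$interface" -j SNAT --to-source "$static_ip"
    else
      ipt_add nat POSTROUTING -s "$pool" -o "$interface" -j MASQUERADE
    fi
  done
  if [ "$system_str" = "0" ]; then
    service iptables save
  else
    iptables-save > /etc/iptables.rules
    cat > /etc/network/if-up.d/iptables<<EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
EOF
    chmod +x /etc/network/if-up.d/iptables
  fi
}

#######################################
# Print the completion banner. The original listed "myUserName/myUserPass/
# myPSKkey" as default logins although configure_secrets writes them
# commented out; the banner now states where authentication really happens.
#######################################
success_info(){
  echo "#############################################################"
  echo "#"
  echo "# [$(__green "Install Complete")]"
  echo "# Version:$VER"
  echo "# Users authenticate against the RADIUS server:$(__green " ${radius_server}")"
  echo "# PSK/XAUTH/EAP entries are commented out in$(__green " /usr/local/etc/ipsec.secrets")"
  echo "# you cert:$(__green " ${cur_dir}/my_key/ca.cert.pem ")"
  if [ "$have_cert" = "1" ]; then
    echo "# you don't need to install cert if it's be trusted."
  else
    echo "# you must copy the cert to the client and install it."
  fi
  echo "#"
  echo "#############################################################"
  echo ""
}

# Initialization step
install_ikev2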