2017年4月6日 星期四

Shell script 安裝、設定 L2TP VPN

另一篇 Shell script 安裝、設定 PPTP VPN

很久以前在網路上看到一篇用 Shell script 一次完成 L2TP/IPsec VPN 安裝與設定的文章,這裡稍微修改以符合自己的需求。腳本需以 root 執行,只支援 CentOS 6/7,會從原始碼編譯 openswan,並從 EPEL 下載 xl2tpd 套件;執行結束時會把 PSK、帳號與密碼直接印在終端機上。

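#!/bin/bash
# Author:  yeho <lj2007331 AT gmail.com>
#
# Installs and configures an L2TP/IPsec VPN (openswan built from source + the EPEL
# xl2tpd package) on CentOS 6/7. Must be run as root: it installs packages, writes
# files under /etc, changes sysctl settings and inserts iptables rules.

# Everything below modifies system state, so refuse to continue unless we are uid 0.
# The message goes to stderr so it is not mixed into captured stdout.
if [[ "$(id -u)" -ne 0 ]]; then
  echo "Error: You must be root to run this script" >&2
  exit 1
fi

# Pin a known PATH so the sbin tools (iptables, sysctl, service, chkconfig) resolve
# even when the caller's environment (sudo, cron) does not include them.
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
clear

printf "
#######################################################################
#                        For CentOS/RedHat 6+                         #
#######################################################################
"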

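# True when $1 has the form a.b.c and is the first three octets of an RFC1918
# network: 10/8, 192.168/16 or 172.16/12. The original check accepted any
# 172.x.y prefix, but only 172.16-172.31 is private, and the ipsec.conf written
# below lists virtual_private=%v4:172.16.0.0/12, so the two must agree.
valid_private_range() {
  local range=$1 a b c
  [[ "$range" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  a=${BASH_REMATCH[1]}
  b=${BASH_REMATCH[2]}
  c=${BASH_REMATCH[3]}
  # 10# forces decimal so "08" is not parsed as an invalid octal literal.
  (( 10#$b <= 255 && 10#$c <= 255 )) || return 1
  case "$a" in
    10)  return 0 ;;
    192) [[ "$b" == 168 ]] ;;
    172) (( 10#$b >= 16 && 10#$b <= 31 )) ;;
    *)   return 1 ;;
  esac
}

# Ask for the client pool prefix (the last octet is assigned later: .1 for the
# server, .2-.254 for clients). Empty input keeps the 192.168.50 default.
while :; do
  echo
  read -r -p "Please input private IP-Range(Default Range: 192.168.50): " iprange
  [[ -z "$iprange" ]] && iprange="192.168.50"
  if valid_private_range "$iprange"; then
    break
  fi
  echo -e "\033[31minput error! Input format: xxx.xxx.xxx\033[0m"
done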

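# Pre-shared key for the IPsec layer. The original fell back to the literal
# string "psk", which is guessable and shared by every install of this script;
# an empty answer now generates a random 20-character alphanumeric key instead.
# The value is printed in the summary at the end and stored in /etc/ipsec.secrets.
echo
read -r -p "Please input PSK(leave empty to generate a random 20-char PSK): " MYPSK
if [[ -z "$MYPSK" ]]; then
  # LC_ALL=C keeps the tr ranges byte-based regardless of the caller's locale.
  MYPSK=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 20)
fi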

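# Prompt until a non-empty value is typed and store it in the variable named by $1.
# Unlike the bare `while read` loops this replaces, it aborts when stdin is closed
# (EOF) instead of spinning forever on an empty answer.
read_required() {
  local target=$1 prompt=$2 value
  while :; do
    echo
    if ! read -r -p "$prompt" value; then
      echo "Error: no input available (stdin closed)" >&2
      exit 1
    fi
    [[ -n "$value" ]] && break
  done
  printf -v "$target" '%s' "$value"
}

# True when $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  local octet
  [[ "$1" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    (( 10#$octet <= 255 )) || return 1
  done
}

read_required Username "Please input username: "
# The password is typed in the clear and printed again in the final summary, as in
# the original flow; it is stored in /etc/ppp/chap-secrets.
read_required Password "Please input password: "

# The address is written verbatim into ipsec.conf (left=), ipsec.secrets and
# xl2tpd.conf (listen-addr), all of which need a literal IPv4 address, so reject
# anything else here rather than when the services fail to start.
while :; do
  read_required public_IP "Please input public ip: "
  is_ipv4 "$public_IP" && break
  echo -e "\033[31minput error! Input format: xxx.xxx.xxx.xxx\033[0m"
done
clear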

# Read one keypress from the controlling terminal without echoing it, then put the
# tty back the way it was. Used only for the "Press any key to start..." pause.
get_char() {
  local saved_tty
  saved_tty=$(stty -g)
  stty -echo
  stty cbreak
  dd if=/dev/tty bs=1 count=1 2>/dev/null
  stty -raw
  stty echo
  stty "$saved_tty"
}

# Show what is about to be configured and wait for a keypress before touching the
# system. The PSK is displayed here on purpose; it is also printed in the final summary.
cat <<EOF

ServerIP:$public_IP

Server Local IP:$iprange.1

Client Remote IP Range:$iprange.2-$iprange.254

PSK:$MYPSK

Press any key to start...
EOF
char=$(get_char)
clear

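# Detect the supported release and install the build/runtime dependencies. Anything
# else aborts: the rest of the script assumes yum, SysV-style service names and the
# iptables/sysconfig layout. CentOS_REL is kept for the later OS-specific branches.
if grep -q 'CentOS Linux release 7' /etc/redhat-release 2>/dev/null; then
  CentOS_REL=7
  packages=(wget net-tools ppp iptables iptables-services make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced)
elif grep -q 'CentOS release 6' /etc/redhat-release 2>/dev/null; then
  CentOS_REL=6
  packages=(wget net-tools ppp iptables make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced)
else
  echo -e "\033[31mDoes not support this OS, Please contact the author! \033[0m"
  exit 1
fi

# Abort on the first failed install: the toolchain is needed for the openswan build
# below and the original loop silently carried on without it.
for pkg in "${packages[@]}"; do
  yum -y install "$pkg" || { echo "Error: failed to install $pkg" >&2; exit 1; }
done

# Enable IPv4 forwarding persistently and idempotently: rewrite an existing
# (uncommented) net.ipv4.ip_forward line, otherwise append one. The original
# appended a duplicate on every run on CentOS 7 and did nothing on CentOS 6 if the
# key was missing.
if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
  sed -i 's@^net.ipv4.ip_forward.*@net.ipv4.ip_forward = 1@' /etc/sysctl.conf
else
  echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
fi
sysctl -p

# Only create /dev/random when it is missing (some container templates lack it);
# on a normal system the unconditional mknod just failed with "File exists".
# NOTE(review): char 1,9 is the *urandom* device node; /dev/random proper is 1,8.
# Kept as the original had it, presumably so the IPsec daemon never blocks on entropy.
[[ -e /dev/random ]] || mknod /dev/random c 1 9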

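# Build openswan from the Fedora lookaside tarball. The lookaside path embeds the
# tarball's md5, so verify the download against it before unpacking: this is an
# integrity check against a corrupted or swapped download, not authentication of
# upstream. Fetched over https so the transport is not trivially tamperable either.
# NOTE(review): 2.6.38 is a 2012 release; check for a newer openswan/libreswan
# before deploying this on anything internet-facing.
OPENSWAN_VER=2.6.38
OPENSWAN_TGZ="openswan-$OPENSWAN_VER.tar.gz"
OPENSWAN_MD5=13073eb5314b83a31be88e4117e8bbcd
wget "https://pkgs.fedoraproject.org/repo/pkgs/openswan/$OPENSWAN_TGZ/$OPENSWAN_MD5/$OPENSWAN_TGZ" \
  || { echo "Error: download of $OPENSWAN_TGZ failed" >&2; exit 1; }
echo "$OPENSWAN_MD5  $OPENSWAN_TGZ" | md5sum -c - \
  || { echo "Error: checksum mismatch for $OPENSWAN_TGZ" >&2; exit 1; }
tar -xzf "$OPENSWAN_TGZ" || { echo "Error: cannot unpack $OPENSWAN_TGZ" >&2; exit 1; }
cd "openswan-$OPENSWAN_VER" || exit 1
# Every later step depends on /usr/sbin/ipsec etc. existing, so a failed build is fatal.
make programs install || { echo "Error: openswan build/install failed" >&2; exit 1; }
cd ..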

# openswan configuration. Unquoted heredoc: $public_IP is expanded into left=.
# - nat_traversal=yes: clients behind NAT negotiate over UDP 4500 (opened below).
# - virtual_private: RFC1918 ranges a NATed client may present as its inner address;
#   must stay consistent with the private prefix accepted for $iprange.
# - The two conns share everything via also=; L2TP-PSK-NAT only adds
#   rightsubnet=vhost:%priv for NATed peers.
# - authby=secret: PSK from /etc/ipsec.secrets, written right after this file.
# - right=%any + rightsubnetwithin=0.0.0.0/0: any client address is accepted.
# - NOTE(review): pfs=no and rekey=no weaken the IPsec layer; no ike=/phase2alg=
#   is set, so this openswan version's default proposals apply. Client
#   compatibility (Windows/iOS L2TP) is presumably why — confirm before tightening.
# - Dead peer detection every 30s, cleared after 120s without a reply.
# - plutostderrlog: daemon log lands in /var/log/ipsec.log.
cat >/etc/ipsec.conf<<EOF
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
    plutostderrlog=/var/log/ipsec.log

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    type=tunnel
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    left=$public_IP
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnetwithin=0.0.0.0/0
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
EOF

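# /etc/ipsec.secrets holds the PSK in clear text: create it with no group/other
# permissions (umask in a subshell so the rest of the script is unaffected) and
# fix up the mode in case the file already existed from an earlier run.
# NOTE(review): a PSK containing a double quote is not escaped and would break the line.
(
  umask 077
  cat >/etc/ipsec.secrets<<EOF
$public_IP %any: PSK "$MYPSK"
EOF
)
chmod 600 /etc/ipsec.secrets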

# Helper script with the kernel knobs the NETKEY stack wants (and that `ipsec verify`,
# run at the end, is known to complain about): no ICMP redirects and no reverse-path
# filtering on any interface. Kept as a file so it can be re-run from rc.local.
# Quoted heredoc: the body is copied literally, $each is expanded when the helper runs.
# NOTE(review): rp_filter=0 on every interface disables source-address validation
# host-wide, not just for the VPN interfaces.
cat > /usr/bin/zl2tpset <<'EOF'
#!/bin/bash
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
echo 0 > $each/rp_filter
done
EOF

chmod +x /usr/bin/zl2tpset
/usr/bin/zl2tpset

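# Re-apply the sysctl tweaks at boot (idempotent: only add the line once).
grep -q zl2tpset /etc/rc.local || echo '/usr/bin/zl2tpset' >> /etc/rc.local
# On CentOS 7 /etc/rc.d/rc.local ships without the executable bit and is then
# ignored at boot, so the helper would never run; make sure it is executable.
if [[ -f /etc/rc.d/rc.local && ! -x /etc/rc.d/rc.local ]]; then
  chmod +x /etc/rc.d/rc.local
fi
service ipsec restart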
#wget http://pkgs.fedoraproject.org/repo/pkgs/xl2tpd/xl2tpd-1.3.8.tar.gz/d244fdcd88f64601b64b7302870afca8/xl2tpd-1.3.8.tar.gz
#tar xzf xl2tpd-1.3.8.tar.gz
#cd xl2tpd-1.3.8
#make install
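# Install xl2tpd from the EPEL binary package for the detected release.
# NOTE(review): `rpm -Uvh` only verifies the package signature if the EPEL signing
# key is already imported; otherwise it just warns. Installing epel-release and
# running `yum -y install xl2tpd` would give signature checking for free.
if grep -q 'CentOS Linux release 7' /etc/redhat-release 2>/dev/null; then
  CentOS_REL=7
  XL2TPD_RPM=xl2tpd-1.3.8-2.el7.x86_64.rpm
  XL2TPD_URL="https://dl.fedoraproject.org/pub/epel/7/x86_64/x/$XL2TPD_RPM"
elif grep -q 'CentOS release 6' /etc/redhat-release 2>/dev/null; then
  CentOS_REL=6
  XL2TPD_RPM=xl2tpd-1.3.8-1.el6.x86_64.rpm
  XL2TPD_URL="https://dl.fedoraproject.org/pub/epel/6/x86_64/$XL2TPD_RPM"
else
  echo -e "\033[31mDoes not support this OS, Please contact the author! \033[0m"
  exit 1
fi

# Skip the install when xl2tpd is already present so a re-run does not abort on
# rpm's "already installed" error; a failed download or install is fatal because
# the configuration below is useless without the daemon.
if ! rpm -q xl2tpd >/dev/null 2>&1; then
  wget "$XL2TPD_URL" || { echo "Error: download of $XL2TPD_RPM failed" >&2; exit 1; }
  rpm -Uvh "$XL2TPD_RPM" || { echo "Error: xl2tpd install failed" >&2; exit 1; }
fi

# Runtime and config directories; -p makes this safe on re-runs.
mkdir -p /var/run/xl2tpd /etc/xl2tpd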
#cd ..

# xl2tpd configuration. Unquoted heredoc: $public_IP and $iprange are expanded.
# - listen-addr/port: L2TP on UDP 1701 bound to the public address.
# - ipsec saref = yes: use IPsec SA references (needed to tell NATed clients apart).
#   NOTE(review): this does not by itself reject L2TP sessions that arrive outside
#   IPsec; that relies on the firewall rules.
# - auth file: credentials come from /etc/ppp/chap-secrets, written further down.
# - ip range / local ip: client pool $iprange.2-.254, server side $iprange.1.
# - refuse chap/pap + require authentication, together with require-mschap-v2 in
#   options.xl2tpd, leave MS-CHAPv2 as the only accepted PPP authentication.
# - ppp debug = yes: verbose pppd logging (see logfile in options.xl2tpd).
cat >/etc/xl2tpd/xl2tpd.conf<<EOF
[global]
listen-addr = $public_IP
ipsec saref = yes
auth file = /etc/ppp/chap-secrets
port = 1701

[lns default]
ip range = $iprange.2-$iprange.254
local ip = $iprange.1
assign ip = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
name = L2TPVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF

# pppd options used for every L2TP session (no variables are expanded here).
# - require-mschap-v2: MS-CHAPv2 is the only PPP authentication accepted.
#   NOTE(review): MS-CHAPv2 on its own is weak; it is relied upon here only
#   because the session runs inside the IPsec tunnel.
# - ms-dns 8.8.8.8 / 8.8.4.4: clients are handed Google's public resolvers;
#   change these if DNS should stay internal.
# - noccp: no compression control, so no MPPE — confidentiality comes from IPsec.
# - hide-password: keep the password out of the (debug-level) log.
# - name l2tpd: the server name that must match the second field in chap-secrets.
# - proxyarp / nodefaultroute: answer ARP for client addresses on the LAN side,
#   never install a default route from the peer.
# - lcp-echo 30s x 4 and idle 1800: drop dead peers and idle sessions (30 min).
# - mtu/mru 1410: leave headroom for the L2TP/IPsec encapsulation overhead.
# - debug + logfile: session log in /var/log/l2tpd.log.
cat >/etc/ppp/options.xl2tpd<<EOF
ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
idle 1800
mtu 1410
mru 1410
nodefaultroute
connect-delay 5000
logfd 2
logfile /var/log/l2tpd.log
EOF

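# pppd credentials: "<client> <server> <secret> <allowed IPs>". The server field must
# match `name l2tpd` in /etc/ppp/options.xl2tpd. The password is stored in clear
# text, so the file is created with no group/other permissions (and fixed up if it
# already existed). The user and secret fields are double-quoted so a value with
# spaces still parses; an embedded '"' is still not escaped.
(
  umask 077
  cat > /etc/ppp/chap-secrets<<EOF
"$Username" l2tpd "$Password" *
EOF
)
chmod 600 /etc/ppp/chap-secrets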

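# Firewall: open IKE (500), NAT-T (4500) and L2TP (1701), NAT the client pool out of
# the default-route interface, and allow forwarding for the pool. The two release
# branches only differ in how the default interface is found.
if grep -q 'CentOS Linux release 7' /etc/redhat-release 2>/dev/null; then
  CentOS_REL=7
  NETWORK_INT=$(ip route | awk '/^default/ {print $5; exit}')
elif grep -q 'CentOS release 6' /etc/redhat-release 2>/dev/null; then
  CentOS_REL=6
  NETWORK_INT=$(route | awk '/^default/ {print $NF; exit}')
else
  echo -e "\033[31mDoes not support this OS, Please contact the author! \033[0m"
  exit 1
fi
# An empty interface name would silently produce a MASQUERADE rule that never matches.
if [[ -z "$NETWORK_INT" ]]; then
  echo "Error: could not determine the default-route interface" >&2
  exit 1
fi

# The original hard-coded 192.168.50.0/24 here even though the pool is $iprange,
# so NAT (and hence client internet access) broke for any other prefix.
VPN_SUBNET="$iprange.0/24"

# L2TP is only accepted when it arrives inside an IPsec SA. Without the policy
# match anyone on the internet could speak L2TP/PPP to this host in the clear and
# run MS-CHAPv2 against the credentials in chap-secrets.
iptables -I INPUT -p udp -m policy --dir in --pol ipsec --dport 1701 -j ACCEPT
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$NETWORK_INT" -j MASQUERADE

# Forwarding rules for VPN. New flows are only forwarded when they come from the
# client pool; the original accepted NEW from anywhere, which with ip_forward=1
# turned the box into an open router between all its interfaces.
iptables -A FORWARD -s "$VPN_SUBNET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# NOTE(review): these rules are not persisted (`service iptables save` on CentOS 6;
# on CentOS 7 an active firewalld may also override rules inserted this way).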

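# Bring both daemons up with the new configuration and enable them at boot.
service ipsec restart
service xl2tpd restart
chkconfig ipsec on
chkconfig xl2tpd on
clear
# openswan's self-check (kernel settings, rp_filter, NAT-T support, ...).
ipsec verify

# Final summary. User-supplied values are passed through %s instead of being spliced
# into the printf format string, where a '%' in the password or PSK would have been
# interpreted as a conversion.
# NOTE(review): this prints the PSK and password to the terminal (and scrollback);
# the same values are in /etc/ipsec.secrets and /etc/ppp/chap-secrets if needed later.
printf '\nServerip:%s\nPSK:%s\nusername:%s\npassword:%s\n' \
  "$public_IP" "$MYPSK" "$Username" "$Password"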



