部署脚本

#!/bin/bash
# Pin the search path so the installer resolves tools predictably no matter
# what the invoking environment looks like.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
#===============================================================================================
# System Required: CentOS6.x/7 (32bit/64bit) or Ubuntu
# Description: Install IKEV2 VPN for CentOS and Ubuntu
# Author: quericy
# Intro: https://quericy.me/blog/699
#===============================================================================================
clear
VER=1.2.0

# Opening banner (same text is repeated by pre_install before the prompts).
cat <<EOF
#############################################################
# Install IKEV2 VPN for CentOS6.x/7 (32bit/64bit) or Ubuntu or Debian7/8.*
# Intro: https://quericy.me/blog/699
#
# Author:quericy
#
# Version:$VER
#############################################################

EOF

# __INTERACTIVE is "1" only when stdout is a terminal; the colour helpers
# below consult it so ANSI escapes never end up in captured/logged output.
__INTERACTIVE=""
[ -t 1 ] && __INTERACTIVE="1"
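# Print $1 in green when stdout is a terminal (see __INTERACTIVE), else
# verbatim. The text is passed as a printf *argument* rather than as the
# format string, so '%' or backslashes inside user-supplied values (cert
# subject fields, the IP/domain prompt) are printed literally instead of
# being interpreted as printf directives.
__green(){
  if [ -n "$__INTERACTIVE" ]; then
    printf '\033[1;31;32m'
  fi
  printf -- '%s' "$1"
  if [ -n "$__INTERACTIVE" ]; then
    printf '\033[0m'
  fi
}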
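# Print $1 in red (on black) when stdout is a terminal, else verbatim.
# As with __green, $1 is a printf argument, not the format string, so
# '%' and backslashes in the text are emitted unchanged.
__red(){
  if [ -n "$__INTERACTIVE" ]; then
    printf '\033[1;31;40m'
  fi
  printf -- '%s' "$1"
  if [ -n "$__INTERACTIVE" ]; then
    printf '\033[0m'
  fi
}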
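# Print $1 in yellow when stdout is a terminal, else verbatim.
# $1 is passed as a printf argument (not the format string) so that
# '%' and backslashes in the message are printed literally.
__yellow(){
  if [ -n "$__INTERACTIVE" ]; then
    printf '\033[1;31;33m'
  fi
  printf -- '%s' "$1"
  if [ -n "$__INTERACTIVE" ]; then
    printf '\033[0m'
  fi
}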
# Install IKEV2
# Top-level driver: runs every installation phase in order. The phases
# communicate through script globals (system_str, os, IP, vps_ip, cur_dir,
# have_cert, use_SNAT_str, static_ip, ...) rather than arguments, so the
# sequence below is load-bearing and must not be reordered.
function install_ikev2(){
  rootness              # exit 1 unless EUID is 0
  disable_selinux       # flips SELINUX=enforcing to disabled and setenforce 0
  get_system            # sets system_str: "0" CentOS, "1" Ubuntu/Debian/Raspbian
  yum_install           # build deps via yum (system_str "0") or apt-get
  get_my_ip             # sets IP from an external lookup (default for prompts)
  pre_install           # interactive prompts: os, vps_ip, have_cert, cert fields, cur_dir
  download_files        # fetch + unpack strongswan, cd into the source tree
  setup_strongswan      # ./configure, make, make install
  get_key               # import or generate certs, copy them into ipsec.d/
  configure_ipsec       # writes /usr/local/etc/ipsec.conf
  configure_strongswan  # writes /usr/local/etc/strongswan.conf
  configure_secrets     # writes /usr/local/etc/ipsec.secrets (fixed default credentials)
  SNAT_set              # asks about SNAT; sets use_SNAT_str and static_ip
  iptables_check        # enables ip_forward, then firewalld or iptables rules
  ipsec restart         # NOTE: exit status is not checked; a failed restart is silent
  success_info
}
# Make sure only root can run our script
# Exit with status 1 (message on stderr) unless the effective uid is 0.
function rootness(){
  if (( EUID != 0 )); then
    printf '%s\n' "Error:This script must be run as root!" >&2
    exit 1
  fi
}
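# Disable selinux
# If the SELinux config (optional $1, default /etc/selinux/config) is
# non-empty and sets SELINUX=enforcing, rewrite it to SELINUX=disabled
# (persistent across reboots) and switch the running kernel to permissive.
# grep -q is used so the matched line no longer leaks onto stdout.
# NOTE(review): this removes mandatory access control for the whole host,
# not only for strongSwan; the script offers no narrower alternative.
function disable_selinux(){
  local cfg=${1:-/etc/selinux/config}
  if [ -s "$cfg" ] && grep -q 'SELINUX=enforcing' "$cfg"; then
    sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' "$cfg"
    setenforce 0
  fi
}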
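# Ubuntu or CentOS
# Detect the distribution family from /etc/issue and /etc/*-release and set
# the global system_str: "0" for CentOS, "1" for Ubuntu, Debian or Raspbian
# (all apt based). Exits 1 with a message on stderr when nothing matches.
# Both files are now matched case-insensitively; the original matched
# /etc/*-release case-sensitively, which was the only inconsistency.
function get_system(){
  local name
  for name in CentOS Ubuntu Debian Raspbian; do
    if grep -Eqi "$name" /etc/issue 2>/dev/null || grep -Eqi "$name" /etc/*-release 2>/dev/null; then
      if [ "$name" = "CentOS" ]; then
        system_str="0"
      else
        system_str="1"
      fi
      return 0
    fi
  done
  echo "This Script must be running at the CentOS or Ubuntu or Debian!" >&2
  exit 1
}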
#install necessary lib
# Install the toolchain and libraries the strongSwan build needs: yum on
# CentOS (system_str = "0"), apt-get on every other detected system.
function yum_install(){
  case "$system_str" in
    0)
      yum -y update
      yum -y install pam-devel openssl-devel make gcc curl
      ;;
    *)
      apt-get -y update
      apt-get -y install libpam0g-dev libssl-dev make gcc curl
      ;;
  esac
}
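# Get IP address of the server
# Look up the host's public IPv4 address and store it in the global IP.
# Two unauthenticated lookup services are tried in turn; the result is only
# a default that pre_install asks the user to confirm. A response is accepted
# only if it looks like a dotted quad, so a garbled or tampered reply cannot
# reach the iptables/cert arguments that later use IP. IP is left empty when
# neither lookup yields a plausible address.
function get_my_ip(){
  local candidate
  echo "Preparing, Please wait a moment..."
  candidate=$(curl -s checkip.dyndns.com | cut -d' ' -f 6 | cut -d'<' -f 1)
  if ! _looks_like_ipv4 "$candidate"; then
    candidate=$(curl -s ifconfig.me/ip)
    _looks_like_ipv4 "$candidate" || candidate=""
  fi
  IP=$candidate
}

# Helper for get_my_ip: succeed iff $1 is four dot-separated groups of 1-3 digits.
_looks_like_ipv4(){
  [[ "$1" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]
}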
# Pre-installation settings
# Interactive questionnaire. Sets the globals the later phases read:
#   os / os_str      "1" = Xen/KVM, "2" = OpenVZ (selects build flags and the
#                    default interface name in iptables_set)
#   vps_ip           server IP or domain; defaults to IP from get_my_ip
#   have_cert        "1" = user supplies ca.cert.pem/server.cert.pem/server.pem,
#                    "0" = certificates are generated (asks for C, O, CN)
#   my_cert_c/o/cn   subject fields create_cert uses when have_cert is "0"
#   cur_dir          directory the script was started from
# Exits 1 on an invalid VPS-type answer. Waits for a keypress before returning.
function pre_install(){
  echo "#############################################################"
  echo "# Install IKEV2 VPN for CentOS6.x/7 (32bit/64bit) or Ubuntu or Debian7/8.*"
  echo "# Intro: https://quericy.me/blog/699"
  echo "#"
  echo "# Author:quericy"
  echo "#"
  echo "# Version:$VER"
  echo "#############################################################"
  echo "please choose the type of your VPS(Xen、KVM: 1 , OpenVZ: 2):"
  read -p "your choice(1 or 2):" os_choice
  if [ "$os_choice" = "1" ]; then
    os="1"
    os_str="Xen、KVM"
  else
    if [ "$os_choice" = "2" ]; then
      os="2"
      os_str="OpenVZ"
    else
      echo "wrong choice!"
      exit 1
    fi
  fi
  echo "please input the ip (or domain) of your VPS:"
  read -p "ip or domain(default_value:${IP}):" vps_ip
  # Empty answer keeps the auto-detected address.
  if [ "$vps_ip" = "" ]; then
    vps_ip=$IP
  fi
  echo "Would you want to import existing cert? You NEED copy your cert file to the same directory of this script"
  read -p "yes or no?(default_value:no):" have_cert
  # Anything other than a literal "yes" means "generate certificates".
  if [ "$have_cert" = "yes" ]; then
    have_cert="1"
  else
    have_cert="0"
    echo "please input the cert country(C):"
    read -p "C(default value:com):" my_cert_c
    if [ "$my_cert_c" = "" ]; then
      my_cert_c="com"
    fi
    echo "please input the cert organization(O):"
    read -p "O(default value:myvpn):" my_cert_o
    if [ "$my_cert_o" = "" ]; then
      my_cert_o="myvpn"
    fi
    echo "please input the cert common name(CN):"
    read -p "CN(default value:VPN CA):" my_cert_cn
    if [ "$my_cert_cn" = "" ]; then
      my_cert_cn="VPN CA"
    fi
  fi
  echo "####################################"
  # get_char: read one raw keystroke from the controlling tty without echo and
  # restore the saved terminal settings afterwards. It is (re)defined here at
  # call time; an identical, unused copy also lives in get_key.
  # NOTE: SAVEDSTTY is expanded unquoted, which relies on `stty -g` output
  # containing no whitespace.
  get_char(){
    SAVEDSTTY=`stty -g`
    stty -echo
    stty cbreak
    dd if=/dev/tty bs=1 count=1 2> /dev/null
    stty -raw
    stty echo
    stty $SAVEDSTTY
  }
  echo "Please confirm the information:"
  echo ""
  # $os_str and $vps_ip are passed to __green unquoted; this only works
  # because neither is expected to contain whitespace or glob characters.
  echo -e "the type of your server: [$(__green $os_str)]"
  echo -e "the ip(or domain) of your server: [$(__green $vps_ip)]"
  if [ "$have_cert" = "1" ]; then
    echo -e "$(__yellow "These are the certificate you MUST be prepared:")"
    echo -e "[$(__green "ca.cert.pem")]:The CA cert or the chain cert."
    echo -e "[$(__green "server.cert.pem")]:Your server cert."
    echo -e "[$(__green "server.pem")]:Your key of the server cert."
    echo -e "[$(__yellow "Please copy these file to the same directory of this script before start!")]"
  else
    echo -e "the cert_info:[$(__green "C=${my_cert_c}, O=${my_cert_o}")]"
  fi
  echo ""
  echo "Press any key to start...or Press Ctrl+C to cancel"
  # Block until any key is pressed; the key itself is discarded.
  char=`get_char`
  #Current folder
  # cur_dir is what download_files/get_key/import_cert/create_cert return to;
  # the cd into the directory we are already in is a no-op.
  cur_dir=`pwd`
  cd $cur_dir
}
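# Download strongswan
# Fetch the strongSwan tarball (unless it is already present in the cwd),
# optionally verify it, unpack it and cd into the source tree under cur_dir.
# Globals: cur_dir (read); strongswan_version, strongswan_file (set).
# If STRONGSWAN_SHA256 is set in the environment it must match the tarball's
# sha256sum, otherwise the install aborts.
# TLS certificate verification is left on for wget on purpose: this archive
# is compiled and installed as root, so an unverifiable download is exactly
# the case that has to fail. If wget fails on an old host with a stale CA
# bundle, update ca-certificates rather than disabling the check.
function download_files(){
  strongswan_version='strongswan-5.9.0'
  strongswan_file="$strongswan_version.tar.gz"
  if [ -f "$strongswan_file" ]; then
    echo -e "$strongswan_file [$(__green "found")]"
  elif ! wget "https://download.strongswan.org/$strongswan_file"; then
    echo "Failed to download $strongswan_file" >&2
    exit 1
  fi
  if [ -n "${STRONGSWAN_SHA256:-}" ]; then
    if ! printf '%s  %s\n' "$STRONGSWAN_SHA256" "$strongswan_file" | sha256sum -c --quiet -; then
      echo "Checksum mismatch for $strongswan_file" >&2
      exit 1
    fi
  fi
  if ! tar xzf "$strongswan_file"; then
    echo ""
    echo "Unzip $strongswan_file failed! Please visit https://quericy.me/blog/699 and contact."
    exit 1
  fi
  cd "$cur_dir/$strongswan_version/" || exit 1
}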
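# configure and install strongswan
# Configure, build and install strongSwan from the current directory (the
# source tree download_files left us in). Both VPS types share one feature
# set; OpenVZ (os != "1") additionally enables kernel-libipsec, presumably
# because such guests cannot use the host kernel's IPsec stack. A failed
# configure or make now aborts the install instead of continuing to a
# missing ipsec binary.
# Globals: os (read).
function setup_strongswan(){
  local -a flags=(
    --enable-eap-identity --enable-eap-md5
    --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap
    --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap
    --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity
    --enable-certexpire --enable-radattr --enable-swanctl --disable-gmp
  )
  if [ "$os" != "1" ]; then
    flags+=(--enable-kernel-libipsec)
  fi
  ./configure "${flags[@]}" || { echo "strongswan configure failed" >&2; exit 1; }
  make || { echo "strongswan build failed" >&2; exit 1; }
  make install || { echo "strongswan install failed" >&2; exit 1; }
}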
  237. # configure cert and key
  238. function get_key(){
  239. cd $cur_dir
  240. if [ ! -d my_key ];then
  241. mkdir my_key
  242. fi
  243. if [ "$have_cert" = "1" ]; then
  244. import_cert
  245. else
  246. create_cert
  247. fi
  248. echo "####################################"
  249. get_char(){
  250. SAVEDSTTY=`stty -g`
  251. stty -echo
  252. stty cbreak
  253. dd if=/dev/tty bs=1 count=1 2> /dev/null
  254. stty -raw
  255. stty echo
  256. stty $SAVEDSTTY
  257. }
  258. cp -f ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
  259. cp -f server.cert.pem /usr/local/etc/ipsec.d/certs/
  260. cp -f server.pem /usr/local/etc/ipsec.d/private/
  261. cp -f client.cert.pem /usr/local/etc/ipsec.d/certs/
  262. cp -f client.pem /usr/local/etc/ipsec.d/private/
  263. echo "Cert copy completed"
  264. }
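# import cert if user has ssl certificate
# Copy the user-supplied CA cert, server cert and server key from cur_dir into
# cur_dir/my_key, then leave the cwd in my_key for get_key.
#   ca.cert.pem      required; missing -> exit 1
#   server.cert.pem  optional; if absent one is issued from ca.cert.pem, which
#                    also needs the CA private key ca.pem in cur_dir (the
#                    prompts never ask for it, so expect that path to fail
#                    unless the user placed ca.pem there deliberately)
#   server.pem       required; missing -> exit 1
# The "client" cert and key written to my_key are plain copies of the
# server's (the certificate-based conns in ipsec.conf reference
# client.cert.pem), so every client that gets them holds the server's private
# key. Copied private keys are chmod 600. Missing inputs now exit with status
# 1; the original used a bare `exit`, which returned the status of the
# preceding echo, i.e. 0.
# Globals: cur_dir, my_cert_c, my_cert_o, vps_ip (read).
function import_cert(){
  cd "$cur_dir" || exit 1
  if [ -f ca.cert.pem ]; then
    cp -f ca.cert.pem my_key/ca.cert.pem
    echo -e "ca.cert.pem [$(__green "found")]"
  else
    echo -e "ca.cert.pem [$(__red "Not found!")]"
    exit 1
  fi
  if [ -f server.cert.pem ]; then
    echo -e "server.cert.pem [$(__green "found")]"
  else
    echo -e "server.cert.pem [$(__red "Not found!,auto creating...")]"
    _issue_server_cert || exit 1
    echo -e "server.cert.pem [$(__green "created")]"
  fi
  cp -f server.cert.pem my_key/server.cert.pem
  cp -f server.cert.pem my_key/client.cert.pem
  echo -e "client.cert.pem [$(__green "auto create")]"
  if [ -f server.pem ]; then
    cp -f server.pem my_key/server.pem
    cp -f server.pem my_key/client.pem
    chmod 600 my_key/server.pem my_key/client.pem
    echo -e "server.pem [$(__green "found")]"
    echo -e "client.pem [$(__green "auto create")]"
  else
    echo -e "server.pem [$(__red "Not found!")]"
    exit 1
  fi
  cd my_key || exit 1
}

# Helper for import_cert: generate server.pem in the cwd (under umask 077 so
# the key is never world-readable) and issue server.cert.pem for vps_ip from
# ca.cert.pem/ca.pem. Returns non-zero if either pki step fails.
_issue_server_cert(){
  ( umask 077; ipsec pki --gen --outform pem > server.pem ) || return 1
  ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem \
    --cakey ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${vps_ip}" \
    --san="${vps_ip}" --flag serverAuth --flag ikeIntermediate \
    --outform pem > server.cert.pem
}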
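# auto create certificate
# Generate a self-signed CA plus server and client key pairs in
# cur_dir/my_key and bundle the client identity as client.cert.p12 (openssl
# prompts for the export password, which may be empty). Private keys
# (ca.pem, server.pem, client.pem) and the .p12 are created under umask 077
# so they are never world-readable; certificates are made 0644 afterwards.
# Any failed pki step aborts. Leaves the cwd in my_key for get_key.
# Globals: cur_dir, my_cert_c, my_cert_o, my_cert_cn, vps_ip (read).
function create_cert(){
  local subject="C=${my_cert_c}, O=${my_cert_o}"
  cd "$cur_dir/my_key" || exit 1
  (
    umask 077
    ipsec pki --gen --outform pem > ca.pem &&
    ipsec pki --self --in ca.pem --dn "${subject}, CN=${my_cert_cn}" --ca --outform pem > ca.cert.pem &&
    ipsec pki --gen --outform pem > server.pem &&
    ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem \
      --cakey ca.pem --dn "${subject}, CN=${vps_ip}" \
      --san="${vps_ip}" --flag serverAuth --flag ikeIntermediate \
      --outform pem > server.cert.pem &&
    ipsec pki --gen --outform pem > client.pem &&
    ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "${subject}, CN=VPN Client" --outform pem > client.cert.pem
  ) || { echo "certificate generation failed" >&2; exit 1; }
  chmod 644 ca.cert.pem server.cert.pem client.cert.pem
  echo "configure the pkcs12 cert password(Can be empty):"
  ( umask 077; openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "${my_cert_cn}" -out client.cert.p12 )
}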
# configure the ipsec.conf
# Write /usr/local/etc/ipsec.conf with five connection profiles:
#   iOS_cert                  IKEv1, certificate + XAUTH
#   android_xauth_psk         IKEv1, PSK + XAUTH
#   networkmanager-strongswan IKEv2, certificates on both sides
#   ios_ikev2                 IKEv2, server cert + EAP-MSCHAPv2, leftid=${vps_ip}
#   windows7                  IKEv2, server cert + EAP-MSCHAPv2
# Every profile hands out client addresses from 10.31.2.0/24 (iptables_set
# also opens 10.31.0.0/24 and 10.31.1.0/24, which nothing here uses).
# Globals: vps_ip (read; interpolated into leftid).
# NOTE(review): <<- strips leading tabs only; as seen here the parameter lines
# carry no indentation at all, so confirm the generated file is accepted by
# the installed strongSwan's ipsec.conf parser.
# NOTE(review): the explicit proposals keep 3des-sha1 (ios_ikev2) and
# aes256-sha1-modp1024 (windows7) for client compatibility; both are below
# current recommendations. uniqueids=never lets one identity hold several
# concurrent sessions, and rekey=no leaves rekeying to the client.
function configure_ipsec(){
  cat > /usr/local/etc/ipsec.conf<<-EOF
config setup
uniqueids=never
conn iOS_cert
keyexchange=ikev1
fragmentation=yes
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightauth2=xauth
rightsourceip=10.31.2.0/24
rightcert=client.cert.pem
auto=add
conn android_xauth_psk
keyexchange=ikev1
left=%defaultroute
leftauth=psk
leftsubnet=0.0.0.0/0
right=%any
rightauth=psk
rightauth2=xauth
rightsourceip=10.31.2.0/24
auto=add
conn networkmanager-strongswan
keyexchange=ikev2
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightsourceip=10.31.2.0/24
rightcert=client.cert.pem
auto=add
conn ios_ikev2
keyexchange=ikev2
ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
esp=aes256-sha256,3des-sha1,aes256-sha1!
rekey=no
left=%defaultroute
leftid=${vps_ip}
leftsendcert=always
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=eap-mschapv2
rightsourceip=10.31.2.0/24
rightsendcert=never
eap_identity=%any
dpdaction=clear
fragmentation=yes
auto=add
conn windows7
keyexchange=ikev2
ike=aes256-sha1-modp1024!
rekey=no
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=eap-mschapv2
rightsourceip=10.31.2.0/24
rightsendcert=never
eap_identity=%any
auto=add
EOF
}
# configure the strongswan.conf
# Write /usr/local/etc/strongswan.conf for charon: modular plugin config
# (strongswan.d/charon/*.conf), duplicheck disabled, compress = yes, and
# Google's public resolvers (8.8.8.8 / 8.8.4.4) pushed to clients as both
# DNS and NBNS servers. No globals are interpolated.
# NOTE(review): <<- strips leading tabs only; the brace-delimited syntax of
# strongswan.conf does not depend on indentation, so the unindented lines
# seen here are fine.
function configure_strongswan(){
  cat > /usr/local/etc/strongswan.conf<<-EOF
charon {
load_modular = yes
duplicheck {
enable = no
}
compress = yes
plugins {
include strongswan.d/charon/*.conf
}
dns1 = 8.8.8.8
dns2 = 8.8.4.4
nbns1 = 8.8.8.8
nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
EOF
}
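# configure the ipsec.secrets
# Write strongSwan's secrets file. Optional $1 overrides the destination
# (default /usr/local/etc/ipsec.secrets). The PSK, XAUTH password and EAP
# user/password default to the historical fixed values but can be supplied
# through VPN_PSK, VPN_XAUTH_PASS, VPN_USER and VPN_USER_PASS so a deployment
# need not ship with credentials shared by every install of this script.
# Values are written verbatim (no escaping), so avoid double quotes in them.
# The file is created mode 0600: it holds every credential in clear text.
# success_info prints the historical defaults, so an operator who overrides
# them already knows the real values.
function configure_secrets(){
  local secrets_file=${1:-/usr/local/etc/ipsec.secrets}
  local psk=${VPN_PSK:-myPSKkey}
  local xauth_pass=${VPN_XAUTH_PASS:-myXAUTHPass}
  local user=${VPN_USER:-myUserName}
  local user_pass=${VPN_USER_PASS:-myUserPass}
  (
    umask 077
    printf ': RSA server.pem\n: PSK "%s"\n: XAUTH "%s"\n%s %%any : EAP "%s"\n' \
      "$psk" "$xauth_pass" "$user" "$user_pass" > "$secrets_file"
  ) || exit 1
  # chmod covers the case where the file already existed with a wider mode.
  chmod 600 "$secrets_file"
}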
# Ask whether outbound VPN traffic should be SNATed to a fixed address
# (faster than MASQUERADE, but requires a static IP). Sets use_SNAT_str to
# "1" or "0"; when "1", also sets static_ip (defaulting to the detected IP).
# Globals: IP (read); use_SNAT, use_SNAT_str, static_ip (set).
function SNAT_set(){
  echo "Use SNAT could implove the speed,but your server MUST have static ip address."
  read -p "yes or no?(default_value:no):" use_SNAT
  case "$use_SNAT" in
    yes)
      use_SNAT_str="1"
      echo -e "$(__yellow "ip address info:")"
      ip address | grep inet
      echo "Some servers has elastic IP (AWS) or mapping IP.In this case,you should input the IP address which is binding in network interface."
      read -p "static ip or network interface ip (default_value:${IP}):" static_ip
      static_ip=${static_ip:-$IP}
      ;;
    *)
      use_SNAT_str="0"
      ;;
  esac
}
# iptables check
# Enable IPv4 forwarding persistently (sysctl.d drop-in, applied at once with
# sysctl --system), then delegate to firewalld or raw iptables rules
# depending on the answer. Globals: use_firewall (set).
function iptables_check(){
  printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/10-ipsec.conf
  sysctl --system
  echo "Do you use firewall in CentOS7 instead of iptables?"
  read -p "yes or no?(default_value:no):" use_firewall
  case "$use_firewall" in
    yes) firewall_set ;;
    *)   iptables_set ;;
  esac
}
# firewall set in CentOS7
# Open IPsec (the ipsec service plus 500/udp and 4500/udp) and enable
# masquerading in firewalld's permanent configuration, starting the daemon
# first if it is not active, then reload so the rules take effect.
function firewall_set(){
  local rule
  systemctl is-active firewalld > /dev/null || systemctl start firewalld
  for rule in --add-service="ipsec" --add-port=500/udp --add-port=4500/udp --add-masquerade; do
    firewall-cmd --permanent "$rule"
  done
  firewall-cmd --reload
}
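# iptables set
# Install the VPN firewall rules with iptables. Asks for the public interface
# (default eth0 on Xen/KVM, venet0 on OpenVZ), accepts IPsec traffic on it,
# allows forwarding from the client pools, and NATs the pools out of that
# interface (SNAT to static_ip when use_SNAT_str is "1", else MASQUERADE).
# Rules are persisted with `service iptables save` on CentOS, elsewhere via
# /etc/iptables.rules restored from an if-up.d hook.
# Globals: os, use_SNAT_str, static_ip, system_str (read); interface (set).
# The rule set is identical for both VPS types; only the default interface
# name differs (the original duplicated the whole block per type).
# NOTE(review): 500/tcp, 1701/udp and 1723/tcp belong to L2TP/PPTP, not to
# the IKEv2 setup configure_ipsec writes, and only 10.31.2.0/24 is handed out
# as a client pool; the extra opens are kept for compatibility. FORWARD gets
# no REJECT tail (the commented rule), so the chain's default policy decides
# what else may be forwarded.
function iptables_set(){
  local default_if pool
  local -a pools=(10.31.0.0/24 10.31.1.0/24 10.31.2.0/24)
  echo -e "$(__yellow "ip address info:")"
  ip address | grep inet
  echo "The above content is the network card information of your VPS."
  echo "[$(__yellow "Important")]Please enter the name of the interface which can be connected to the public network."
  if [ "$os" = "1" ]; then
    default_if=eth0
  else
    default_if=venet0
  fi
  read -p "Network card interface(default_value:${default_if}):" interface
  interface=${interface:-$default_if}
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  for pool in "${pools[@]}"; do
    iptables -A FORWARD -s "$pool" -j ACCEPT
  done
  iptables -A INPUT -i "$interface" -p esp -j ACCEPT
  iptables -A INPUT -i "$interface" -p udp --dport 500 -j ACCEPT
  iptables -A INPUT -i "$interface" -p tcp --dport 500 -j ACCEPT
  iptables -A INPUT -i "$interface" -p udp --dport 4500 -j ACCEPT
  iptables -A INPUT -i "$interface" -p udp --dport 1701 -j ACCEPT
  iptables -A INPUT -i "$interface" -p tcp --dport 1723 -j ACCEPT
  #iptables -A FORWARD -j REJECT
  for pool in "${pools[@]}"; do
    if [ "$use_SNAT_str" = "1" ]; then
      iptables -t nat -A POSTROUTING -s "$pool" -o "$interface" -j SNAT --to-source "$static_ip"
    else
      iptables -t nat -A POSTROUTING -s "$pool" -o "$interface" -j MASQUERADE
    fi
  done
  if [ "$system_str" = "0" ]; then
    service iptables save
  else
    iptables-save > /etc/iptables.rules
    printf '#!/bin/sh\niptables-restore < /etc/iptables.rules\n' > /etc/network/if-up.d/iptables
    chmod +x /etc/network/if-up.d/iptables
  fi
}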
# echo the success info
# Print the closing banner: the default credentials written to
# ipsec.secrets, where to change them, and where the CA certificate lives.
# Globals: VER, cur_dir, have_cert (read).
function success_info(){
  local cert_hint
  if [ "$have_cert" = "1" ]; then
    cert_hint="# you don't need to install cert if it's be trusted."
  else
    cert_hint="# you must copy the cert to the client and install it."
  fi
  cat <<EOF
#############################################################
#
# [$(__green "Install Complete")]
# Version:$VER
# There is the default login info of your IPSec/IkeV2 VPN Service
# UserName:$(__green " myUserName")
# PassWord:$(__green " myUserPass")
# PSK:$(__green " myPSKkey")
# you should change default username and password in$(__green " /usr/local/etc/ipsec.secrets")
# you cert:$(__green " ${cur_dir}/my_key/ca.cert.pem ")
${cert_hint}
#
#############################################################

EOF
}
  551. # Initialization step
  552. install_ikev2