部署脚本
#! /bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
#===============================================================================================
# System Required: CentOS6.x/7 (32bit/64bit) or Ubuntu
# Description: Install IKEV2 VPN for CentOS and Ubuntu
# Author: quericy
# Intro: https://quericy.me/blog/699
#===============================================================================================
clear
VER=1.2.0
echo "#############################################################"
echo "# Install IKEV2 VPN for CentOS6.x/7 (32bit/64bit) or Ubuntu or Debian7/8.*"
echo "# Intro: https://quericy.me/blog/699"
echo "#"
echo "# Author:quericy"
echo "#"
echo "# Version:$VER"
echo "#############################################################"
echo ""
__INTERACTIVE=""
if [ -t 1 ] ; then
__INTERACTIVE="1"
fi
__green(){
if [ "$__INTERACTIVE" ] ; then
printf '\033[1;31;32m'
fi
printf -- "$1"
if [ "$__INTERACTIVE" ] ; then
printf '\033[0m'
fi
}
__red(){
if [ "$__INTERACTIVE" ] ; then
printf '\033[1;31;40m'
fi
printf -- "$1"
if [ "$__INTERACTIVE" ] ; then
printf '\033[0m'
fi
}
__yellow(){
if [ "$__INTERACTIVE" ] ; then
printf '\033[1;31;33m'
fi
printf -- "$1"
if [ "$__INTERACTIVE" ] ; then
printf '\033[0m'
fi
}
# Install IKEV2
function install_ikev2(){
rootness
disable_selinux
get_system
yum_install
get_my_ip
pre_install
download_files
setup_strongswan
get_key
configure_ipsec
configure_strongswan
configure_secrets
SNAT_set
iptables_check
ipsec restart
success_info
}
# Make sure only root can run our script
function rootness(){
if [[ $EUID -ne 0 ]]; then
echo "Error:This script must be run as root!" 1>&2
exit 1
fi
}
# Disable selinux
function disable_selinux(){
if [ -s /etc/selinux/config ] && grep 'SELINUX=enforcing' /etc/selinux/config; then
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
fi
}
# Ubuntu or CentOS
function get_system(){
if grep -Eqi "CentOS" /etc/issue || grep -Eq "CentOS" /etc/*-release; then
system_str="0"
elif grep -Eqi "Ubuntu" /etc/issue || grep -Eq "Ubuntu" /etc/*-release; then
system_str="1"
elif grep -Eqi "Debian" /etc/issue || grep -Eq "Debian" /etc/*-release; then
system_str="1"
elif grep -Eqi "Raspbian" /etc/issue || grep -Eq "Raspbian" /etc/*-release; then
system_str="1"
else
echo "This Script must be running at the CentOS or Ubuntu or Debian!"
exit 1
fi
}
#install necessary lib
function yum_install(){
if [ "$system_str" = "0" ]; then
yum -y update
yum -y install pam-devel openssl-devel make gcc curl
else
apt-get -y update
apt-get -y install libpam0g-dev libssl-dev make gcc curl
fi
}
# Get IP address of the server
function get_my_ip(){
echo "Preparing, Please wait a moment..."
IP=`curl -s checkip.dyndns.com | cut -d' ' -f 6 | cut -d'<' -f 1`
if [ -z $IP ]; then
IP=`curl -s ifconfig.me/ip`
fi
}
# Pre-installation settings
function pre_install(){
echo "#############################################################"
echo "# Install IKEV2 VPN for CentOS6.x/7 (32bit/64bit) or Ubuntu or Debian7/8.*"
echo "# Intro: https://quericy.me/blog/699"
echo "#"
echo "# Author:quericy"
echo "#"
echo "# Version:$VER"
echo "#############################################################"
echo "please choose the type of your VPS(Xen、KVM: 1 , OpenVZ: 2):"
read -p "your choice(1 or 2):" os_choice
if [ "$os_choice" = "1" ]; then
os="1"
os_str="Xen、KVM"
else
if [ "$os_choice" = "2" ]; then
os="2"
os_str="OpenVZ"
else
echo "wrong choice!"
exit 1
fi
fi
echo "please input the ip (or domain) of your VPS:"
read -p "ip or domain(default_value:${IP}):" vps_ip
if [ "$vps_ip" = "" ]; then
vps_ip=$IP
fi
echo "Would you want to import existing cert? You NEED copy your cert file to the same directory of this script"
read -p "yes or no?(default_value:no):" have_cert
if [ "$have_cert" = "yes" ]; then
have_cert="1"
else
have_cert="0"
echo "please input the cert country(C):"
read -p "C(default value:com):" my_cert_c
if [ "$my_cert_c" = "" ]; then
my_cert_c="com"
fi
echo "please input the cert organization(O):"
read -p "O(default value:myvpn):" my_cert_o
if [ "$my_cert_o" = "" ]; then
my_cert_o="myvpn"
fi
echo "please input the cert common name(CN):"
read -p "CN(default value:VPN CA):" my_cert_cn
if [ "$my_cert_cn" = "" ]; then
my_cert_cn="VPN CA"
fi
fi
echo "####################################"
get_char(){
SAVEDSTTY=`stty -g`
stty -echo
stty cbreak
dd if=/dev/tty bs=1 count=1 2> /dev/null
stty -raw
stty echo
stty $SAVEDSTTY
}
echo "Please confirm the information:"
echo ""
echo -e "the type of your server: [$(__green $os_str)]"
echo -e "the ip(or domain) of your server: [$(__green $vps_ip)]"
if [ "$have_cert" = "1" ]; then
echo -e "$(__yellow "These are the certificate you MUST be prepared:")"
echo -e "[$(__green "ca.cert.pem")]:The CA cert or the chain cert."
echo -e "[$(__green "server.cert.pem")]:Your server cert."
echo -e "[$(__green "server.pem")]:Your key of the server cert."
echo -e "[$(__yellow "Please copy these file to the same directory of this script before start!")]"
else
echo -e "the cert_info:[$(__green "C=${my_cert_c}, O=${my_cert_o}")]"
fi
echo ""
echo "Press any key to start...or Press Ctrl+C to cancel"
char=`get_char`
#Current folder
cur_dir=`pwd`
cd $cur_dir
}
# Download strongswan
function download_files(){
strongswan_version='strongswan-5.9.0'
strongswan_file="$strongswan_version.tar.gz"
if [ -f $strongswan_file ];then
echo -e "$strongswan_file [$(__green "found")]"
else
if ! wget --no-check-certificate https://download.strongswan.org/$strongswan_file;then
echo "Failed to download $strongswan_file"
exit 1
fi
fi
tar xzf $strongswan_file
if [ $? -eq 0 ];then
cd $cur_dir/$strongswan_version/
else
echo ""
echo "Unzip $strongswan_file failed! Please visit https://quericy.me/blog/699 and contact."
exit 1
fi
}
# configure and install strongswan
function setup_strongswan(){
if [ "$os" = "1" ]; then
./configure --enable-eap-identity --enable-eap-md5 \
--enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
--enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
--enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
--enable-certexpire --enable-radattr --enable-swanctl --enable-openssl --disable-gmp
else
./configure --enable-eap-identity --enable-eap-md5 \
--enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
--enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
--enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
--enable-certexpire --enable-radattr --enable-swanctl --enable-openssl --disable-gmp --enable-kernel-libipsec
fi
make; make install
}
# configure cert and key
function get_key(){
cd $cur_dir
if [ ! -d my_key ];then
mkdir my_key
fi
if [ "$have_cert" = "1" ]; then
import_cert
else
create_cert
fi
echo "####################################"
get_char(){
SAVEDSTTY=`stty -g`
stty -echo
stty cbreak
dd if=/dev/tty bs=1 count=1 2> /dev/null
stty -raw
stty echo
stty $SAVEDSTTY
}
cp -f ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
cp -f server.cert.pem /usr/local/etc/ipsec.d/certs/
cp -f server.pem /usr/local/etc/ipsec.d/private/
cp -f client.cert.pem /usr/local/etc/ipsec.d/certs/
cp -f client.pem /usr/local/etc/ipsec.d/private/
echo "Cert copy completed"
}
# import cert if user has ssl certificate
function import_cert(){
cd $cur_dir
if [ -f ca.cert.pem ];then
cp -f ca.cert.pem my_key/ca.cert.pem
echo -e "ca.cert.pem [$(__green "found")]"
else
echo -e "ca.cert.pem [$(__red "Not found!")]"
exit
fi
if [ -f server.cert.pem ];then
cp -f server.cert.pem my_key/server.cert.pem
cp -f server.cert.pem my_key/client.cert.pem
echo -e "server.cert.pem [$(__green "found")]"
echo -e "client.cert.pem [$(__green "auto create")]"
else
echo -e "server.cert.pem [$(__red "Not found!,auto creating...")]"
ipsec pki --gen --outform pem > server.pem
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem \
--cakey ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${vps_ip}" \
--san="${vps_ip}" --flag serverAuth --flag ikeIntermediate \
--outform pem > server.cert.pem
cp -f server.cert.pem my_key/server.cert.pem
cp -f server.cert.pem my_key/client.cert.pem
echo -e "server.cert.pem [$(__green "created")]"
echo -e "client.cert.pem [$(__green "auto create")]"
fi
if [ -f server.pem ];then
cp -f server.pem my_key/server.pem
cp -f server.pem my_key/client.pem
echo -e "server.pem [$(__green "found")]"
echo -e "client.pem [$(__green "auto create")]"
else
echo -e "server.pem [$(__red "Not found!")]"
exit
fi
cd my_key
}
# auto create certificate
function create_cert(){
cd $cur_dir
cd my_key
ipsec pki --gen --outform pem > ca.pem
ipsec pki --self --in ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${my_cert_cn}" --ca --outform pem >ca.cert.pem
ipsec pki --gen --outform pem > server.pem
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem \
--cakey ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${vps_ip}" \
--san="${vps_ip}" --flag serverAuth --flag ikeIntermediate \
--outform pem > server.cert.pem
ipsec pki --gen --outform pem > client.pem
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=VPN Client" --outform pem > client.cert.pem
echo "configure the pkcs12 cert password(Can be empty):"
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "${my_cert_cn}" -out client.cert.p12
}
# configure the ipsec.conf
function configure_ipsec(){
cat > /usr/local/etc/ipsec.conf<<-EOF
config setup
uniqueids=never
conn iOS_cert
keyexchange=ikev1
fragmentation=yes
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightauth2=xauth
rightsourceip=10.31.2.0/24
rightcert=client.cert.pem
auto=add
conn android_xauth_psk
keyexchange=ikev1
left=%defaultroute
leftauth=psk
leftsubnet=0.0.0.0/0
right=%any
rightauth=psk
rightauth2=xauth
rightsourceip=10.31.2.0/24
auto=add
conn networkmanager-strongswan
keyexchange=ikev2
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightsourceip=10.31.2.0/24
rightcert=client.cert.pem
auto=add
conn ios_ikev2
keyexchange=ikev2
ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
esp=aes256-sha256,3des-sha1,aes256-sha1!
rekey=no
left=%defaultroute
leftid=${vps_ip}
leftsendcert=always
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=eap-mschapv2
rightsourceip=10.31.2.0/24
rightsendcert=never
eap_identity=%any
dpdaction=clear
fragmentation=yes
auto=add
conn windows7
keyexchange=ikev2
ike=aes256-sha1-modp1024!
rekey=no
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=eap-mschapv2
rightsourceip=10.31.2.0/24
rightsendcert=never
eap_identity=%any
auto=add
EOF
}
# configure the strongswan.conf
function configure_strongswan(){
cat > /usr/local/etc/strongswan.conf<<-EOF
charon {
load_modular = yes
duplicheck {
enable = no
}
compress = yes
plugins {
include strongswan.d/charon/*.conf
}
dns1 = 8.8.8.8
dns2 = 8.8.4.4
nbns1 = 8.8.8.8
nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
EOF
}
# configure the ipsec.secrets
function configure_secrets(){
cat > /usr/local/etc/ipsec.secrets<<-EOF
: RSA server.pem
: PSK "myPSKkey"
: XAUTH "myXAUTHPass"
myUserName %any : EAP "myUserPass"
EOF
}
function SNAT_set(){
echo "Use SNAT could implove the speed,but your server MUST have static ip address."
read -p "yes or no?(default_value:no):" use_SNAT
if [ "$use_SNAT" = "yes" ]; then
use_SNAT_str="1"
echo -e "$(__yellow "ip address info:")"
ip address | grep inet
echo "Some servers has elastic IP (AWS) or mapping IP.In this case,you should input the IP address which is binding in network interface."
read -p "static ip or network interface ip (default_value:${IP}):" static_ip
if [ "$static_ip" = "" ]; then
static_ip=$IP
fi
else
use_SNAT_str="0"
fi
}
# iptables check
function iptables_check(){
cat > /etc/sysctl.d/10-ipsec.conf<<-EOF
net.ipv4.ip_forward=1
EOF
sysctl --system
echo "Do you use firewall in CentOS7 instead of iptables?"
read -p "yes or no?(default_value:no):" use_firewall
if [ "$use_firewall" = "yes" ]; then
firewall_set
else
iptables_set
fi
}
# firewall set in CentOS7
function firewall_set(){
if ! systemctl is-active firewalld > /dev/null; then
systemctl start firewalld
fi
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --permanent --add-port=500/udp
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
}
# iptables set
function iptables_set(){
echo -e "$(__yellow "ip address info:")"
ip address | grep inet
echo "The above content is the network card information of your VPS."
echo "[$(__yellow "Important")]Please enter the name of the interface which can be connected to the public network."
if [ "$os" = "1" ]; then
read -p "Network card interface(default_value:eth0):" interface
if [ "$interface" = "" ]; then
interface="eth0"
fi
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.31.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.2.0/24 -j ACCEPT
iptables -A INPUT -i $interface -p esp -j ACCEPT
iptables -A INPUT -i $interface -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $interface -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i $interface -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $interface -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i $interface -p tcp --dport 1723 -j ACCEPT
#iptables -A FORWARD -j REJECT
if [ "$use_SNAT_str" = "1" ]; then
iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o $interface -j SNAT --to-source $static_ip
iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o $interface -j SNAT --to-source $static_ip
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o $interface -j SNAT --to-source $static_ip
else
iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o $interface -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o $interface -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o $interface -j MASQUERADE
fi
else
read -p "Network card interface(default_value:venet0):" interface
if [ "$interface" = "" ]; then
interface="venet0"
fi
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.31.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.2.0/24 -j ACCEPT
iptables -A INPUT -i $interface -p esp -j ACCEPT
iptables -A INPUT -i $interface -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $interface -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i $interface -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $interface -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i $interface -p tcp --dport 1723 -j ACCEPT
#iptables -A FORWARD -j REJECT
if [ "$use_SNAT_str" = "1" ]; then
iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o $interface -j SNAT --to-source $static_ip
iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o $interface -j SNAT --to-source $static_ip
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o $interface -j SNAT --to-source $static_ip
else
iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o $interface -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o $interface -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o $interface -j MASQUERADE
fi
fi
if [ "$system_str" = "0" ]; then
service iptables save
else
iptables-save > /etc/iptables.rules
cat > /etc/network/if-up.d/iptables<<-EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
EOF
chmod +x /etc/network/if-up.d/iptables
fi
}
# echo the success info
function success_info(){
echo "#############################################################"
echo -e "#"
echo -e "# [$(__green "Install Complete")]"
echo -e "# Version:$VER"
echo -e "# There is the default login info of your IPSec/IkeV2 VPN Service"
echo -e "# UserName:$(__green " myUserName")"
echo -e "# PassWord:$(__green " myUserPass")"
echo -e "# PSK:$(__green " myPSKkey")"
echo -e "# you should change default username and password in$(__green " /usr/local/etc/ipsec.secrets")"
echo -e "# you cert:$(__green " ${cur_dir}/my_key/ca.cert.pem ")"
if [ "$have_cert" = "1" ]; then
echo -e "# you don't need to install cert if it's be trusted."
else
echo -e "# you must copy the cert to the client and install it."
fi
echo -e "#"
echo -e "#############################################################"
echo -e ""
}
# Initialization step
install_ikev2