IPsec/L2TP-IT
Altre Pagine: · Home Page · Documentazione · Downloads · Screenshots · Contatti
Indice
Introduzione
- A partire dalla versione 15.04 di PoliArch è stato introdotto uno script per la configurazione automatica di un server VPN (IPsec/L2TP)
Utilizzo
- Per avviare la procedura guidata eseguire:
$ setup_l2tp_vpn_server.sh
Script
Integrato a partire dalla versione 15.04
File: setup_l2tp_vpn_server.sh |
#!/bin/sh # Setup Simple IPSec/L2TP VPN server for PoliArch Linux # # Copyright (C) 2015 Dennis Anfossi <danfossi@itfor.it> # Based on the work of Phil Plückthun (https://github.com/philplckthun/setup-simple-ipsec-l2tp-vpn) # Based on the work of Lin Song (Copyright 2014) # Based on the work of Viljo Viitanen (Setup Simple PPTP VPN server for Ubuntu and Debian) # Based on the work of Thomas Sarlandie (Copyright 2012) # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ if [ `id -u` -ne 0 ] then echo "Please start this script with root privileges!" echo "Try again with sudo." exit 0 fi if [[ ! -e /etc/arch-release ]]; then echo "This script was designed to run on PoliArch Linux" echo "Do you wish to continue anyway? [y|n] " while true; do read -p "" yn case $yn in [Yy]* ) break;; [Nn]* ) exit 0;; * ) echo "Please answer with Yes or No [y|n].";; esac done echo "" fi echo "This script will configure an IPSec/L2TP VPN Server" echo "Do you wish to continue? [y|n] " while true; do read -p "" yn case $yn in [Yy]* ) break;; [Nn]* ) exit 0;; * ) echo "Please answer with Yes or No [y|n].";; esac done echo "" # Generate a random key generateKey () { P1=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c 3` P2=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c 3` P3=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c 3` IPSEC_PSK="$P1$P2$P3" } echo "The VPN needs a private PSK key." echo "Do you wish to set it yourself? [y|n] " echo "(Otherwise a random key is generated)" while true; do read -p "" yn case $yn in [Yy]* ) echo ""; echo "Enter your preferred key: "; read -p "" IPSEC_PSK; break;; [Nn]* ) generateKey; break;; * ) echo "Please answer with Yes or No [y|n].";; esac done echo "" echo "The key you chose is: '$IPSEC_PSK'." echo "Please save it, because you'll need it to connect!" echo "" read -p "Please enter your preferred username [vpn]: " VPN_USER if [ "$VPN_USER" = "" ] then VPN_USER="vpn" fi echo "" while true; do stty_orig=`stty -g` stty -echo read -p "Please enter your preferred password: " VPN_PASSWORD if [ "x$VPN_PASSWORD" = "x" ] then echo "Please enter a valid password!" else stty $stty_orig break fi done echo "" echo "" PUBLICIP=`wget -q -O - http://wtfismyip.com/text` if [ "x$PUBLICIP" = "x" ] then echo "Your server's external IP address could not be detected!" echo "Please enter the IP yourself: " read -p "" PUBLICIP else echo "Detected your server's external IP address: $PUBLICIP" fi PRIVATEIP=$(ip addr | awk '/inet/ && /eth0/{sub(/\/.*$/,"",$2); print $2}') IPADDRESS=$PUBLICIP echo "" echo "Are you behind a NAT-T (eg. Amazon EC2) ? [y|n]" echo "If you answer no to this and you are behind, clients will be unable to connect to your VPN." echo "This is needed because using the public IP in the config causes incoming connections to fail with auth failures." while true; do read -p "" yn case $yn in [Yy]* ) IPADDRESS=$PRIVATEIP; break;; [Nn]* ) break;; * ) echo "Please answer with Yes or No [y|n].";; esac done echo "The IP address that will be used in the config is $IPADDRESS" echo "" echo "=================================================================" echo "" echo "Preparing various configuration files..." cat > /etc/ipsec.conf <<EOF version 2.0 config setup dumpdir=/var/run/pluto/ nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.10.0/24,%v4:!192.168.42.0/24 oe=off protostack=netkey nhelpers=0 interfaces=%defaultroute conn vpnpsk connaddrfamily=ipv4 auto=add left=$IPADDRESS leftid=$IPADDRESS leftsubnet=$IPADDRESS/32 leftnexthop=%defaultroute leftprotoport=17/1701 rightprotoport=17/%any right=%any rightsubnetwithin=0.0.0.0/0 forceencaps=yes authby=secret pfs=no type=transport auth=esp ike=3des-sha1,aes-sha1 phase2alg=3des-sha1,aes-sha1 rekey=no keyingtries=5 dpddelay=30 dpdtimeout=120 dpdaction=clear EOF cat > /etc/ipsec.secrets <<EOF $IPADDRESS %any : PSK "$IPSEC_PSK" EOF cat > /etc/xl2tpd/xl2tpd.conf <<EOF [global] port = 1701 ;debug avp = yes ;debug network = yes ;debug state = yes ;debug tunnel = yes [lns default] ip range = 172.16.10.2-172.16.10.250 local ip = 172.16.10.1 require chap = yes refuse pap = yes require authentication = yes name = l2tpd ;ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes EOF cat > /etc/ppp/options.xl2tpd <<EOF ipcp-accept-local ipcp-accept-remote ms-dns 8.8.8.8 ms-dns 8.8.4.4 noccp auth crtscts idle 1800 mtu 1280 mru 1280 lock lcp-echo-failure 10 lcp-echo-interval 60 connect-delay 5000 EOF cat > /etc/ppp/chap-secrets <<EOF # Secrets for authentication using CHAP # client server secret IP addresses $VPN_USER l2tpd $VPN_PASSWORD * EOF echo "Applying changes..." iptables --table nat --append POSTROUTING --jump MASQUERADE > /dev/null echo 1 > /proc/sys/net/ipv4/ip_forward for each in /proc/sys/net/ipv4/conf/* do echo 0 > $each/accept_redirects echo 0 > $each/send_redirects done if [ ! -f /etc/ipsec.d/cert8.db ] ; then echo > /var/tmp/libreswan-nss-pwd /usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d > /dev/null /bin/rm -f /var/tmp/libreswan-nss-pwd fi /sbin/sysctl --system > /dev/null 2>&1 echo "Starting IPSec and XL2TP services..." systemctl enable ipsec.service systemctl enable xl2tpd.service systemctl restart ipsec.service systemctl restart xl2tpd.service echo "Done!" echo "" clear echo "==============================================================" echo "Host: $PUBLICIP (Or a domain pointing to your server)" echo "IPSec PSK Key: $IPSEC_PSK" echo "Username: $VPN_USER" echo "Password: ********" echo "==============================================================" echo "Your VPN server password is hidden. Would you like to reveal it? [y|n] " while true; do read -p "" yn case $yn in [Yy]* ) clear; break;; [Nn]* ) exit 0;; * ) echo "Please answer with Yes or No [y|n].";; esac done echo "==============================================================" echo "Host: $PUBLICIP (Or a domain pointing to your server)" echo "IPSec PSK Key: $IPSEC_PSK" echo "Username: $VPN_USER" echo "Password: $VPN_PASSWORD" echo "==============================================================" echo "" echo "Note:" echo "* Before connect with windows client see: http://support.microsoft.com/kb/926179" echo "* Ports 1701, 500 and 4500 must be opened for the VPN to work!" sleep 1 exit 0 |
Note
- Prima di connettere con un client Microsoft Windows consultare la pagina: Configurazione IPsec / L2TP su Windows
- Le porte 1701, 500 e 4500 devono essere aperte affinchè la VPN funzioni!
Altre Pagine: · Home Page · Documentazione · Downloads · Screenshots · Contatti