From 4fb5ab5d63ba7735ddd34506b46dd45d7797a288 Mon Sep 17 00:00:00 2001 From: bedefaced Date: Thu, 13 Apr 2017 16:57:31 +0300 Subject: [PATCH] ipsec --- ipsec/adduser.sh | 47 ++++++++++++++++++++++++ ipsec/checkuser.sh | 22 ++++++++++++ ipsec/deluser.sh | 22 ++++++++++++ ipsec/dns.sh | 25 +++++++++++++ ipsec/env.sh | 16 +++++++++ ipsec/install.sh | 76 +++++++++++++++++++++++++++++++++++++++ ipsec/ipsec.conf.dist | 28 +++++++++++++++ ipsec/iptables-setup.sh | 72 +++++++++++++++++++++++++++++++++++++ ipsec/options.xl2tpd.dist | 40 +++++++++++++++++++++ ipsec/psk.sh | 24 +++++++++++++ ipsec/sysctl.sh | 33 +++++++++++++++++ ipsec/xl2tpd.conf.dist | 11 ++++++ 12 files changed, 416 insertions(+) create mode 100755 ipsec/adduser.sh create mode 100755 ipsec/checkuser.sh create mode 100755 ipsec/deluser.sh create mode 100755 ipsec/dns.sh create mode 100755 ipsec/env.sh create mode 100755 ipsec/install.sh create mode 100644 ipsec/ipsec.conf.dist create mode 100755 ipsec/iptables-setup.sh create mode 100644 ipsec/options.xl2tpd.dist create mode 100755 ipsec/psk.sh create mode 100755 ipsec/sysctl.sh create mode 100644 ipsec/xl2tpd.conf.dist
diff --git a/ipsec/adduser.sh b/ipsec/adduser.sh
new file mode 100755
index 0000000..0f831b7
--- /dev/null
+++ b/ipsec/adduser.sh
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source $DIR/env.sh
+
+if [[ ! -e $CHAPSECRETS ]] || [[ ! -r $CHAPSECRETS ]] || [[ ! -w $CHAPSECRETS ]]; then
+ echo "$CHAPSECRETS is not exist or not accessible (are you root?)"
+ exit 1
+fi
+
+if [[ $# -gt 0 ]]; then
+ LOGIN="$1"
+fi
+
+while [[ -z "$LOGIN" ]];
+do
+ read -p "Enter name: " LOGIN
+done
+
+unset PASSWORD
+
+while [[ -z "$PASSWORD" ]];
+do
+ read -p "Enter password: " PASSWORD
+ echo
+done
+
+$DIR/checkuser.sh $LOGIN
+
+if [[ $? -eq 0 ]]; then
+ NOTREM="no"
+ read -p "User '$LOGIN' already exists. Do you want to remove existing user? [no] " ANSREM
+ : ${ANSREM:=$NOTREM}
+
+ if [ "$NOTREM" == "$ANSREM" ]; then
+ exit 1
+ else
+ $DIR/deluser.sh $LOGIN
+ # to avoid dublicate message
+ echo -e "$LOGIN\t *\t $PASSWORD\t *" >> $CHAPSECRETS
+ exit 0
+ fi
+fi
+
+echo -e "$LOGIN\t *\t $PASSWORD\t *" >> $CHAPSECRETS
+
+echo "$CHAPSECRETS updated!"
diff --git a/ipsec/checkuser.sh b/ipsec/checkuser.sh
new file mode 100755
index 0000000..2178ce8
--- /dev/null
+++ b/ipsec/checkuser.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source $DIR/env.sh
+
+if [[ ! -e $CHAPSECRETS ]] || [[ ! -r $CHAPSECRETS ]]; then
+ echo "$CHAPSECRETS is not exist or not accessible (are you root?)"
+ exit 1
+fi
+
+if [[ $# -gt 0 ]]; then
+ LOGIN="$1"
+fi
+
+while [[ -z "$LOGIN" ]];
+do
+ read -p "Enter name: " LOGIN
+done
+
+RET=$(grep -P "^$LOGIN\s+" $CHAPSECRETS)
+
+exit $?
diff --git a/ipsec/deluser.sh b/ipsec/deluser.sh
new file mode 100755
index 0000000..107851c
--- /dev/null
+++ b/ipsec/deluser.sh
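Review bot: `read -p "Enter password: " PASSWORD` echoes the password to the terminal and into any session recording; the bare `echo` after it looks like it was written for a silent prompt, so use `read -r -s -p "Enter password: " PASSWORD` (the psk.sh hunk has the same un-hidden prompt for the pre-shared key). Both values are then written with `echo -e`, which interprets backslash sequences inside `$LOGIN` and `$PASSWORD`, so a password containing `\t` or `\n` is stored mangled; `printf '%s\t *\t %s\t *\n' "$LOGIN" "$PASSWORD" >> "$CHAPSECRETS"` stores them verbatim. `$LOGIN` is also passed unquoted to `checkuser.sh` and `deluser.sh` and `$CHAPSECRETS` is unquoted throughout, so a name with whitespace splits into several arguments; the same unquoted expansions recur in the checkuser.sh, deluser.sh, dns.sh, psk.sh and sysctl.sh hunks.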
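Review bot: `grep -P "^$LOGIN\s+"` interpolates the user-supplied name into a regex, so a name such as `.*` matches every entry while an unbalanced `(` makes grep exit 2; because adduser.sh treats any non-zero status as "user absent", the latter ends with a duplicate line appended to chap-secrets. Comparing the first field literally avoids both, e.g. `awk -v u="$LOGIN" '$1 == u { found = 1 } END { exit !found }' "$CHAPSECRETS"`. `RET` is never read, so the substitution exists only for its exit status; `grep -q` (or the awk above) says that directly, and dropping `-P` also removes the dependency on a PCRE-enabled grep. The `sed` address in the deluser.sh hunk has the same unescaped-name problem.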
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source $DIR/env.sh
+
+if [[ ! -e $CHAPSECRETS ]] || [[ ! -r $CHAPSECRETS ]] || [[ ! -w $CHAPSECRETS ]]; then
+ echo "$CHAPSECRETS is not exist or not accessible (are you root?)"
+ exit 1
+fi
+
+if [[ $# -gt 0 ]]; then
+ LOGIN="$1"
+fi
+
+while [[ -z "$LOGIN" ]];
+do
+ read -p "Enter name: " LOGIN
+done
+
+sed -i -e "/^$LOGIN[[:space:]]/d" $CHAPSECRETS
+
+echo "$CHAPSECRETS updated!"
diff --git a/ipsec/dns.sh b/ipsec/dns.sh
new file mode 100755
index 0000000..dbc765a
--- /dev/null
+++ b/ipsec/dns.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source $DIR/env.sh
+
+if [[ ! -e $PPPCONFIG ]] || [[ ! -r $PPPCONFIG ]] || [[ ! -w $PPPCONFIG ]]; then
+ echo "$PPPCONFIG is not exist or not accessible (are you root?)"
+ exit 1
+fi
+
+DEFAULTDNS1="8.8.8.8"
+DEFAULTDNS2="8.8.4.4"
+
+read -p "Preffered DNS resolver #1: " -e -i $DEFAULTDNS1 DNS1
+: ${DNS1:=$DEFAULTDNS1}
+
+read -p "Preffered DNS resolver #2: " -e -i $DEFAULTDNS2 DNS2
+: ${DNS2:=$DEFAULTDNS2}
+
+sed -i -e "/ms-dns/d" $PPPCONFIG
+
+echo "ms-dns $DNS1" >> $PPPCONFIG
+echo "ms-dns $DNS2" >> $PPPCONFIG
+
+echo "$PPPCONFIG updated!"
diff --git a/ipsec/env.sh b/ipsec/env.sh
new file mode 100755
index 0000000..df153ef
--- /dev/null
+++ b/ipsec/env.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+SYSCTLCONFIG=/etc/sysctl.conf
+IPSECCONFIG=/etc/ipsec.conf
+XL2TPDCONFIG=/etc/xl2tpd/xl2tpd.conf
+PPPCONFIG=/etc/ppp/options.xl2tpd
+CHAPSECRETS=/etc/ppp/chap-secrets
+IPTABLES=/etc/iptables.rules
+RCLOCAL=/etc/rc.local
+SECRETSFILE=/etc/ipsec.secrets
+
+LOCALPREFIX="172.18"
+LOCALIP="$LOCALPREFIX.0.0"
+LOCALMASK="/24"
+
+LOCALIPMASK="$LOCALIP$LOCALMASK"
diff --git a/ipsec/install.sh b/ipsec/install.sh
new file mode 100755
index 0000000..acda683
--- /dev/null
+++ b/ipsec/install.sh
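Review bot: The script prints `$CHAPSECRETS updated!` whatever `sed -i` returned, so a failure (for instance a name containing `/`, which terminates the sed address early) is reported as success; `sed -i -e "/^$LOGIN[[:space:]]/d" -- "$CHAPSECRETS" || exit 1` makes the result honest. Validating the name before it reaches the address, `[[ "$LOGIN" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "invalid user name" >&2; exit 1; }`, is the simplest way to keep regex metacharacters out of the pattern, and the same check would serve checkuser.sh.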
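Review bot: `DNS1` and `DNS2` are appended to the pppd options file without any check that they are addresses, so a mistyped value (or anything else entered at the prompt) becomes a live option line in `$PPPCONFIG` for every client. A guard before the `sed -i`, such as `[[ "$DNS1" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "invalid resolver: $DNS1" >&2; exit 1; }` (and the same for `DNS2`), keeps the file well-formed. `sed -i -e "/ms-dns/d"` also drops commented-out `ms-dns` lines, which is probably intended but deserves a comment saying so. `Preffered` in both prompts should read `Preferred`.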
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source $DIR/env.sh
+
+if [[ "$EUID" -ne 0 ]]; then
+ echo "Sorry, you need to run this as root"
+ exit 1
+fi
+
+echo
+echo "Installing strongSwan and xl2tp server..."
+apt-get install strongswan xl2tpd
+
+ADDUSER="no"
+ANSUSER="yes"
+
+echo
+echo "Configuring VPN users..."
+while [ "$ANSUSER" != "$ADDUSER" ];
+do
+ $DIR/adduser.sh
+
+ read -p "Would you want add another user? [no] " ANSUSER
+ : ${ANSUSER:=$ADDUSER}
+done
+
+echo
+echo "Configuring PSK..."
+$DIR/psk.sh
+
+echo
+echo "Configuring routing..."
+$DIR/sysctl.sh
+
+echo
+echo "Installing configuration files..."
+yes | cp -rf $DIR/options.xl2tpd.dist $PPPCONFIG
+yes | cp -rf $DIR/xl2tpd.conf.dist $XL2TPDCONFIG
+yes | cp -rf $DIR/ipsec.conf.dist $IPSECCONFIG
+
+sed -i -e "s@PPPCONFIG@$PPPCONFIG@g" $XL2TPDCONFIG
+sed -i -e "s@LOCALPREFIX@$LOCALPREFIX@g" $XL2TPDCONFIG
+
+sed -i -e "s@LOCALIPMASK@$LOCALIPMASK@g" $IPSECCONFIG
+
+echo
+echo "Configuring iptables firewall..."
+$DIR/iptables-setup.sh
+
+echo
+echo "Configuring DNS parameters..."
+$DIR/dns.sh
+
+echo
+echo "Starting strongSwan and xl2tp..."
+systemctl enable xl2tpd
+systemctl enable strongswan
+service xl2tpd restart
+service strongswan restart
+
+IPTABLESRESTOR=$(which iptables-restore)
+RESTORPRESENTS=$(grep iptables-restore $RCLOCAL)
+if [ $? -ne 0 ]; then
+ if [[ ! -z $IPTABLESRESTOR ]]; then
+ sed -i -e "/exit 0/d" $RCLOCAL
+ echo "$IPTABLESRESTOR < $IPTABLES" >> $RCLOCAL
+ echo "exit 0" >> $RCLOCAL
+ else
+ echo "Cannot save iptables-restore from $IPTABLES to $RCLOCAL."
+ fi
+fi
+
+echo
+echo "Installation script completed!"
+
diff --git a/ipsec/ipsec.conf.dist b/ipsec/ipsec.conf.dist
new file mode 100644
index 0000000..e1e768f
--- /dev/null
+++ b/ipsec/ipsec.conf.dist
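Review bot: `apt-get install strongswan xl2tpd` is not checked, so when the install fails or is declined at its prompt the script still overwrites `$PPPCONFIG`, `$XL2TPDCONFIG` and `$IPSECCONFIG`, then enables and restarts services that may not exist; `apt-get install strongswan xl2tpd || exit 1` (or `set -e` at the top) stops it there. `sed -i -e "/exit 0/d" $RCLOCAL` deletes every line that merely contains `exit 0`, comments included, rather than the final statement, which can mangle a hand-edited rc.local; anchoring it as `/^exit 0$/d` is safer. `RESTORPRESENTS` is assigned only for its `$?`, so `grep -q iptables-restore -- "$RCLOCAL"` reads better, and `which iptables-restore` should be `command -v iptables-restore`. `yes | cp -rf` adds nothing, since `-f` already overwrites without prompting and shell aliases do not apply inside a script.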
@@ -0,0 +1,28 @@
+version 2
+config setup
+ nat_traversal=yes
+ protostack=netkey
+ virtual_private=%v4:!LOCALIPMASK
+ force_keepalive=yes
+ keep_alive=60
+
+conn L2TP-PSK-NAT
+ authby=secret
+ pfs=yes
+ auto=add
+ keyingtries=3
+ rekey=no
+ ikelifetime=8h
+ keylife=1h
+ ike=aes256-sha1,aes128-sha1,3des-sha1
+ phase2alg=aes256-sha1,aes128-sha1,3des-sha1
+ keylife=1h
+ type=transport
+ left=PUBLICIP
+ leftprotoport=17/1701
+ right=%any
+ rightprotoport=17/%any
+ dpddelay=30
+ dpdtimeout=120
+ dpdaction=clear
+
diff --git a/ipsec/iptables-setup.sh b/ipsec/iptables-setup.sh
new file mode 100755
index 0000000..5862f6d
--- /dev/null
+++ b/ipsec/iptables-setup.sh
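Review bot: `keylife=1h` is set twice in `conn L2TP-PSK-NAT`, and both `ike=` and `phase2alg=` end with `3des-sha1`, which any client may pick; removing the duplicate line and the `3des-sha1` entries keeps the proposals to AES. No DH group is given in `ike=`, so the group negotiated depends on the installed strongSwan's defaults; naming it, e.g. `ike=aes256-sha1-modp2048,aes128-sha1-modp2048`, makes the policy reviewable. The `config setup` keys `nat_traversal`, `protostack`, `virtual_private`, `force_keepalive` and `keep_alive`, and `pfs`/`phase2alg` in the conn, look like Openswan/Libreswan keywords; since install.sh installs strongSwan, please confirm they are honoured rather than ignored, and consider strongSwan's `esp=` for the phase-2 proposal. A header comment stating which IPsec stack the file targets would prevent the same confusion later.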
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source $DIR/env.sh
+
+if [[ ! -e $IPTABLES ]]; then
+ touch $IPTABLES
+fi
+
+if [[ ! -e $IPTABLES ]] || [[ ! -r $IPTABLES ]] || [[ ! -w $IPTABLES ]]; then
+ echo "$IPTABLES is not exist or not accessible (are you root?)"
+ exit 1
+fi
+
+IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
+if [[ "$IP" = "" ]]; then
+ IP=$(wget -4qO- "http://whatismyip.akamai.com/")
+fi
+
+# backup and remove rules with $LOCALIP
+iptables-save > $IPTABLES.backup
+
+IFS=$'\n'
+
+iptablesclear=$(iptables -S -t nat | sed -n -e '/$LOCALPREFIX/p' | sed -e 's/-A/-D/g')
+for line in $iptablesclear
+do
+ cmd="iptables -t nat $line"
+ eval $cmd
+done
+
+# detect default gateway interface
+echo "Found next network interfaces:"
+ifconfig -a | sed 's/[ \t].*//;/^\(lo\|\)$/d'
+echo
+GATE=$(route | grep '^default' | grep -o '[^ ]*$')
+read -p "Enter your external network interface: " -i $GATE -e GATE
+
+STATIC="yes"
+read -p "Your external IP is $IP. Is this IP static? [yes] " ANSIP
+: ${ANSIP:=$STATIC}
+
+if [ "$STATIC" == "$ANSIP" ]; then
+ # SNAT
+ sed -i -e "s@PUBLICIP@$IP@g" $IPSECCONFIG
+ iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP
+else
+ # MASQUERADE
+ sed -i -e "s@PUBLICIP@%$GATE@g" $IPSECCONFIG
+ iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE
+fi
+
+DROP="yes"
+read -p "Would you want to disable client-to-client routing? 
[yes] " ANSDROP
+: ${ANSDROP:=$DROP}
+
+if [ "$DROP" == "$ANSDROP" ]; then
+ # disable forwarding
+ iptables -I FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP
+fi
+
+# MSS Clamping
+iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+# PPP
+iptables -A INPUT -i ppp+ -j ACCEPT
+iptables -A OUTPUT -o ppp+ -j ACCEPT
+
+# XL2TPD
+iptables -A INPUT -p tcp --dport 1701 -j ACCEPT
+
+iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES
diff --git a/ipsec/options.xl2tpd.dist b/ipsec/options.xl2tpd.dist
new file mode 100644
index 0000000..52ad05d
--- /dev/null
+++ b/ipsec/options.xl2tpd.dist
@@ -0,0 +1,40 @@
+# The name of the local system for authentication purposes
+name l2tpd
+
+# Refuse EAP, PAP, CHAP or MS-CHAP connections
+# Accept ONLY MS-CHAPv2 or MPPE with 128-bit encryption
+refuse-eap
+refuse-pap
+refuse-chap
+refuse-mschap
+require-mschap-v2
+
+# Require authorization
+auth
+
+# Add entry to the ARP system table
+proxyarp
+
+# For the serial device to ensure exclusive access to the device
+lock
+
+# Disable BSD-Compress and Van Jacobson TCP/IP header compression
+nobsdcomp
+novj
+novjccomp
+
+# Disable logging
+nolog
+nologfd
+
+# LCP echo-requests options
+lcp-echo-interval 30
+lcp-echo-failure 5
+
+# MTU MRU options
+mtu 1200
+mru 1200
+
+# DNS options for Windows clients
+ms-dns 8.8.8.8
+ms-dns 8.8.4.4
diff --git a/ipsec/psk.sh b/ipsec/psk.sh
new file mode 100755
index 0000000..9d55d6b
--- /dev/null
+++ b/ipsec/psk.sh
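Review bot: `sed -n -e '/$LOCALPREFIX/p'` is single-quoted, so `$LOCALPREFIX` is never expanded and the filter searches for the literal text `$LOCALPREFIX`; the "remove rules with $LOCALIP" cleanup therefore matches nothing, and each re-run appends another POSTROUTING rule. Use double quotes, `sed -n -e "/$LOCALPREFIX/p"`, and drop the `eval`: the loop body can run `iptables -t nat $line` directly, so no rule text passes through `eval`. The XL2TPD rule opens `-p tcp --dport 1701`, but L2TP runs over UDP (this commit's ipsec.conf.dist uses `leftprotoport=17/1701`), so the intended rule is `iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT`, which also restricts L2TP to traffic that arrived inside the IPsec SA. The fallback `wget -4qO- "http://whatismyip.akamai.com/"` fetches the address over plain HTTP and writes it unvalidated into `$IPSECCONFIG` and the SNAT rule; at least check the reply against an IPv4 pattern before use. `ifconfig` and `route` belong to net-tools, which recent Debian/Ubuntu no longer install by default; `ip -o link show` and `ip route show default` are the iproute2 equivalents.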
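Review bot: The comment `# Accept ONLY MS-CHAPv2 or MPPE with 128-bit encryption` does not match the options under it: only `require-mschap-v2` is set and there is no `require-mppe-128`, so MPPE is neither required nor configured. Because the PPP session is carried inside the IPsec transport SA set up by ipsec.conf.dist, MPPE would be redundant there, so the comment should say what is actually enforced, e.g. `# Accept ONLY MS-CHAPv2; confidentiality comes from the outer IPsec SA`, or `require-mppe-128` should be added if that was the intent. `nolog` and `nologfd` silence pppd completely, which hides failed authentication attempts from syslog; consider keeping pppd logging so that repeated failures remain visible to monitoring.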
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source $DIR/env.sh
+
+if [[ ! -e $SECRETSFILE ]] || [[ ! -r $SECRETSFILE ]] || [[ ! -w $SECRETSFILE ]]; then
+ echo "$SECRETSFILE is not exist or not accessible (are you root?)"
+ exit 1
+fi
+
+unset PSK
+
+while [[ -z "$PSK" ]];
+do
+ read -p "Enter preferred IPsec pre-shared key (PSK) : " PSK
+ echo
+done
+
+# comment existing PSK
+sed -i -e "/[[:space:]]\+PSK[[:space:]]\+/s/^/# /" $SECRETSFILE
+
+echo "%any %any : PSK \"$PSK\"" >> $SECRETSFILE
+
+echo "$SECRETSFILE updated!"
diff --git a/ipsec/sysctl.sh b/ipsec/sysctl.sh
new file mode 100755
index 0000000..2c7b237
--- /dev/null
+++ b/ipsec/sysctl.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source $DIR/env.sh
+
+if [[ ! -e $SYSCTLCONFIG ]] || [[ ! -r $SYSCTLCONFIG ]] || [[ ! -w $SYSCTLCONFIG ]]; then
+ echo "$SYSCTLCONFIG is not exist or not accessible (are you root?)"
+ exit 1
+fi
+
+sed -i -e "/net.ipv4.ip_forward/d" $SYSCTLCONFIG
+echo "net.ipv4.ip_forward=1" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.all.accept_redirects/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.all.accept_redirects=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.all.send_redirects/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.all.send_redirects=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.default.rp_filter/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.default.rp_filter=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.default.accept_source_route/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.default.accept_source_route=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.default.send_redirects/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.default.send_redirects=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.icmp_ignore_bogus_error_responses/d" $SYSCTLCONFIG
+echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> $SYSCTLCONFIG
+
+sysctl -p
+service procps restart
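Review bot: The key is written as `"%any %any : PSK \"$PSK\""` with no escaping, so a key containing `"` produces a malformed `ipsec.secrets` line that strongSwan will reject or misread. Either reject such characters before writing, `[[ "$PSK" == *\"* || "$PSK" == *\\* ]] && { echo "PSK must not contain quotes or backslashes" >&2; exit 1; }`, or offer a generated key (e.g. from `openssl rand -base64 32`) as the default. `read -p ... PSK` also lacks `-r`, so backslashes typed into the key are consumed before it is stored. The `%any %any` selector is what a road-warrior L2TP/IPsec server needs, but a one-line comment saying so would stop a later maintainer from "tightening" it by mistake.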
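Review bot: The seven `sed -i … ; echo … >> $SYSCTLCONFIG` pairs are the same two lines repeated with a different key, which invites copy-paste drift — `accept_redirects` is set only under `conf.all.*` while `rp_filter` and `accept_source_route` are only under `conf.default.*` — and a small helper taking key and value makes the list reviewable at a glance. The unescaped key in the sed address also matches any line merely containing it, so `net.ipv4.ip_forward` would remove a `net.ipv4.ip_forward_use_pmtu` line if one is present; requiring `=` after the key avoids that. `conf.default.*` only applies to interfaces created later, and for `rp_filter` the kernel uses the stricter of `conf.all` and the per-interface value, so `default.rp_filter=0` may have no effect while `all.rp_filter=1` is in force — please confirm which setting is wanted. Neither `sysctl -p` nor `service procps restart` is checked, so a rejected key goes unnoticed.
```shell
# Replace any existing setting for KEY in $SYSCTLCONFIG and append KEY=VALUE.
set_sysctl() {
  local key=$1 value=$2
  # escape the dots so the sed address matches the key literally
  local pat=${key//./\\.}
  sed -i -e "/${pat}[[:space:]]*=/d" -- "$SYSCTLCONFIG" || return 1
  printf '%s=%s\n' "$key" "$value" >> "$SYSCTLCONFIG"
}

set_sysctl net.ipv4.ip_forward 1
set_sysctl net.ipv4.conf.all.accept_redirects 0
set_sysctl net.ipv4.conf.all.send_redirects 0
set_sysctl net.ipv4.conf.default.rp_filter 0
set_sysctl net.ipv4.conf.default.accept_source_route 0
set_sysctl net.ipv4.conf.default.send_redirects 0
set_sysctl net.ipv4.icmp_ignore_bogus_error_responses 1

# … unchanged: sysctl -p / service procps restart …
```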
diff --git a/ipsec/xl2tpd.conf.dist b/ipsec/xl2tpd.conf.dist
new file mode 100644
index 0000000..f322637
--- /dev/null
+++ b/ipsec/xl2tpd.conf.dist
@@ -0,0 +1,11 @@
+[lns default]
+ip range = LOCALPREFIX.0.10-LOCALPREFIX.0.100
+local ip = LOCALPREFIX.0.1
+refuse pap = yes
+refuse chap = yes
+require authentication = yes
+pppoptfile = PPPCONFIG
+length bit = yes
+exclusive = yes
+ppp debug = no
+assign ip = yes