pptp

pptp/adduser.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source $DIR/env.sh
+
+if [[ ! -e $CHAPSECRETS ]] || [[ ! -r $CHAPSECRETS ]] || [[ ! -w $CHAPSECRETS ]]; then
+    echo "$CHAPSECRETS is not exist or not accessible (are you root?)"
+    exit 1
+fi
+
+if [[ $# -gt 0 ]]; then
+    LOGIN="$1"
+fi
+
+while [[ -z "$LOGIN" ]];
+do
+    read -p "Enter name: " LOGIN
+done
+
+unset PASSWORD
+
+while [[ -z "$PASSWORD" ]];
+do
+    read -p "Enter password: " PASSWORD
+    echo
+done
+
+$DIR/checkuser.sh $LOGIN
+
+if [[ $? -eq 0 ]]; then
+	NOTREM="no"
+	read -p "User '$LOGIN' already exists. Do you want to remove existing user? [no] " ANSREM
+	: ${ANSREM:=$NOTREM}
+	
+	if [ "$NOTREM" == "$ANSREM" ]; then
+		exit 1
+	else
+		$DIR/deluser.sh $LOGIN
+		# to avoid dublicate message
+		echo -e "$LOGIN\t    *\t    $PASSWORD\t    *" >> $CHAPSECRETS
+		exit 0
+	fi
+fi
+
+echo -e "$LOGIN\t    *\t    $PASSWORD\t    *" >> $CHAPSECRETS
+
+echo "$CHAPSECRETS updated!"

pptp/checkuser.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source $DIR/env.sh
+
+if [[ ! -e $CHAPSECRETS ]] || [[ ! -r $CHAPSECRETS ]]; then
+    echo "$CHAPSECRETS is not exist or not accessible (are you root?)"
+    exit 1
+fi
+
+if [[ $# -gt 0 ]]; then
+    LOGIN="$1"
+fi
+
+while [[ -z "$LOGIN" ]];
+do
+    read -p "Enter name: " LOGIN
+done
+
+RET=$(grep -P "^$LOGIN\s+" $CHAPSECRETS)
+
+exit $?

pptp/deluser.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source $DIR/env.sh
+
+if [[ ! -e $CHAPSECRETS ]] || [[ ! -r $CHAPSECRETS ]] || [[ ! -w $CHAPSECRETS ]]; then
+    echo "$CHAPSECRETS is not exist or not accessible (are you root?)"
+    exit 1
+fi
+
+if [[ $# -gt 0 ]]; then
+    LOGIN="$1"
+fi
+
+while [[ -z "$LOGIN" ]];
+do
+    read -p "Enter name: " LOGIN
+done
+
+sed -i -e "/^$LOGIN[[:space:]]/d" $CHAPSECRETS
+
+echo "$CHAPSECRETS updated!"

pptp/dns.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source $DIR/env.sh
+
+if [[ ! -e $PPTPOPTIONS ]] || [[ ! -r $PPTPOPTIONS ]] || [[ ! -w $PPTPOPTIONS ]]; then
+    echo "$PPTPOPTIONS is not exist or not accessible (are you root?)"
+    exit 1
+fi
+
+DEFAULTDNS1="8.8.8.8"
+DEFAULTDNS2="8.8.4.4"
+
+read -p "Preffered DNS resolver #1: " -e -i $DEFAULTDNS1 DNS1
+: ${DNS1:=$DEFAULTDNS1}
+
+read -p "Preffered DNS resolver #2: " -e -i $DEFAULTDNS2 DNS2
+: ${DNS2:=$DEFAULTDNS2}
+
+sed -i -e "/ms-dns/d" $PPTPOPTIONS
+
+echo "ms-dns $DNS1" >> $PPTPOPTIONS
+echo "ms-dns $DNS2" >> $PPTPOPTIONS
+
+echo "$PPTPOPTIONS updated!"

pptp/env.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+SYSCTLCONFIG=/etc/sysctl.conf
+PPTPDCONFIG=/etc/pptpd.conf
+PPTPOPTIONS=/etc/ppp/options.pptp
+CHAPSECRETS=/etc/ppp/chap-secrets
+IPTABLES=/etc/iptables.rules
+RCLOCAL=/etc/rc.local
+
+LOCALPREFIX="172.16"
+LOCALIP="$LOCALPREFIX.0.0"
+LOCALMASK="/24"
+
+LOCALIPMASK="$LOCALIP$LOCALMASK"

pptp/install.sh

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source $DIR/env.sh
+
+if [[ "$EUID" -ne 0 ]]; then
+	echo "Sorry, you need to run this as root"
+	exit 1
+fi
+
+echo
+echo "Installing PPTP server..."
+apt-get install pptpd
+
+ADDUSER="no"
+ANSUSER="yes"
+
+echo
+echo "Configuring VPN users..."
+while [ "$ANSUSER" != "$ADDUSER" ]; 
+do
+	$DIR/adduser.sh
+
+	read -p "Would you want add another user? [no] " ANSUSER
+	: ${ANSUSER:=$ADDUSER}
+done
+
+echo
+echo "Configuring iptables firewall..."
+$DIR/iptables-setup.sh
+
+echo
+echo "Configuring routing..."
+$DIR/sysctl.sh
+
+echo
+echo "Installing configuration files for PPTP..."
+yes | cp -rf $DIR/options.pptp.dist $PPTPOPTIONS
+yes | cp -rf $DIR/pptpd.conf.dist $PPTPDCONFIG
+
+sed -i -e "s@PPTPOPTIONS@$PPTPOPTIONS@g" $PPTPDCONFIG
+sed -i -e "s@LOCALPREFIX@$LOCALPREFIX@g" $PPTPDCONFIG
+
+echo
+echo "Configuring DNS parameters..."
+$DIR/dns.sh
+
+echo
+echo "Starting pptpd..."
+service pptpd restart
+systemctl enable pptpd
+
+IPTABLESRESTOR=$(which iptables-restore)
+if [[ ! -z $IPTABLESRESTOR ]]; then
+	sed -i -e "/exit 0/d" $RCLOCAL
+	echo "$IPTABLESRESTOR < $IPTABLES" >> $RCLOCAL
+	echo "exit 0" >> $RCLOCAL
+else
+	echo "Cannot save iptables-restore from $IPTABLES to $RCLOCAL."
+fi
+
+echo
+echo "Installation script completed!"
+

pptp/iptables-setup.sh

@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source $DIR/env.sh
+
+if [[ ! -e $IPTABLES ]]; then
+	touch $IPTABLES
+fi
+
+if [[ ! -e $IPTABLES ]] || [[ ! -r $IPTABLES ]] || [[ ! -w $IPTABLES ]]; then
+    echo "$IPTABLES is not exist or not accessible (are you root?)"
+    exit 1
+fi
+
+IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
+if [[ "$IP" = "" ]]; then
+	IP=$(wget -4qO- "http://whatismyip.akamai.com/")
+fi
+
+# backup and remove rules with $LOCALIP
+iptables-save | uniq -u > $IPTABLES.backup
+
+IFS=$'\n'
+
+iptablesclear=$(iptables -S -t nat | sed -n -e '/$LOCALPREFIX/p' | sed -e 's/-A/-D/g')
+for line in $iptablesclear
+do
+    cmd="iptables -t nat $line"
+    eval $cmd
+done
+
+# detect default gateway interface
+echo "Found next network interfaces:"
+ifconfig -a | sed 's/[ \t].*//;/^\(lo\|\)$/d'
+echo
+GATE=$(route | grep '^default' | grep -o '[^ ]*$')
+read -p "Enter your external network interface: " -i $GATE -e GATE
+
+STATIC="yes"
+read -p "Your external IP is $IP. Is this IP static? [yes] " ANSIP
+: ${ANSIP:=$STATIC}
+
+if [ "$STATIC" == "$ANSIP" ]; then
+    # SNAT
+    iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP
+else
+    # MASQUERADE
+    iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE
+fi
+
+DROP="yes"
+read -p "Would you want to disable client-to-client routing? [yes] " ANSDROP
+: ${ANSDROP:=$DROP}
+
+if [ "$DROP" == "$ANSDROP" ]; then
+    # disable forwarding
+    iptables -I FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP
+fi
+
+# PPP
+iptables -A INPUT -i ppp+ -j ACCEPT
+iptables -A OUTPUT -o ppp+ -j ACCEPT
+
+# PPTP
+iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
+
+# GRE
+iptables -A INPUT -p 47 -j ACCEPT
+iptables -A OUTPUT -p 47 -j ACCEPT
+
+iptables-save > $IPTABLES

pptp/options.pptp.dist

@@ -0,0 +1,34 @@
+# The name of the local system for authentication purposes
+name pptpd
+
+# Refuse EAP, PAP, CHAP or MS-CHAP connections
+# Accept ONLY MS-CHAPv2 or MPPE with 128-bit encryption
+refuse-eap
+refuse-pap
+refuse-chap
+refuse-mschap
+require-mschap-v2
+require-mppe
+require-mppe-128
+
+# Require authorization
+auth
+
+# Add entry to the ARP system table
+proxyarp
+
+# For the serial device to ensure exclusive access to the device
+lock
+
+# Disable BSD-Compress and Van Jacobson TCP/IP header compression
+nobsdcomp
+novj
+novjccomp
+
+# Disable logging
+nolog
+nologfd
+
+# DNS options for Windows clients
+ms-dns 8.8.8.8
+ms-dns 8.8.4.4

pptp/pptpd.conf.dist

@@ -0,0 +1,3 @@
+option      PPTPOPTIONS
+localip     LOCALPREFIX.0.1
+remoteip    LOCALPREFIX.0.10-100

pptp/sysctl.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source $DIR/env.sh
+
+if [[ ! -e $SYSCTLCONFIG ]] || [[ ! -r $SYSCTLCONFIG ]] || [[ ! -w $SYSCTLCONFIG ]]; then
+    echo "$SYSCTLCONFIG is not exist or not accessible (are you root?)"
+    exit 1
+fi
+
+sed -i -e "/net.ipv4.ip_forward/d" $SYSCTLCONFIG
+echo "net.ipv4.ip_forward=1" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.all.accept_redirects/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.all.accept_redirects=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.all.send_redirects/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.all.send_redirects=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.default.rp_filter/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.default.rp_filter=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.default.accept_source_route/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.default.accept_source_route=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.default.send_redirects/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.default.send_redirects=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.icmp_ignore_bogus_error_responses/d" $SYSCTLCONFIG
+echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> $SYSCTLCONFIG
+
+sysctl -p
+service procps restart