#!/bin/sh | |
### LICENSE (BSD 2-Clause) // ### | |
# | |
# Copyright (c) 2014, Daniel Plominski (Plominski IT Consulting) | |
# All rights reserved. | |
# | |
# Redistribution and use in source and binary forms, with or without modification, | |
# are permitted provided that the following conditions are met: | |
# | |
# * Redistributions of source code must retain the above copyright notice, this | |
# list of conditions and the following disclaimer. | |
# | |
# * Redistributions in binary form must reproduce the above copyright notice, this | |
# list of conditions and the following disclaimer in the documentation and/or | |
# other materials provided with the distribution. | |
# | |
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND | |
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | |
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR | |
# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | |
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON | |
# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | |
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
# | |
### // LICENSE (BSD 2-Clause) ### | |
### ### ### PLITC ### ### ### | |
### stage0 // ### | |
# Host kernel name (selects the per-platform branch below: Darwin / FreeBSD / Linux)
# and the login name of the invoking user (each branch refuses to run unless it is "root").
UNAME="$(uname)"
MYNAME="$(whoami)"
### // stage0 ### | |
### stage1 // ### | |
case $UNAME in | |
Darwin) | |
### MacOS ### | |
BREW=$(/usr/bin/which brew) | |
MDIALOG=$(/usr/bin/which dialog) | |
LASTUSER=$(/usr/bin/last | head -n 1 | awk '{print $1}') | |
LASTGROUP=$(/usr/bin/id "$LASTUSER" | grep -o 'gid=[^(]*[^)]*)' | sed 's/[0-9]//g' | sed 's/gid=(//g' | sed 's/)//g') | |
# NOTE(review): LASTUSER is the first field of the first line of `last` (the most recent login record, not the user
# running this script); it is later given recursive ownership of /usr/local (chown -R) and commands are run under
# sudo -u as it. The Homebrew bootstrap below also pipes an unpinned remote script straight into ruby as root.
# Verify both before running this on a shared machine.
### ### ### ### ### ### ### ### ### | |
if [ "$MYNAME" = root ]; then | |
echo "" # dummy | |
else | |
echo "<--- --- --->" | |
echo "" | |
echo "ERROR: You must be root to run this script" | |
exit 1 | |
fi | |
if [ -z "$BREW" ]; then | |
echo "<--- --- --->" | |
echo "need homebrew" | |
echo "<--- --- --->" | |
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" | |
echo "<--- --- --->" | |
else | |
echo "" # dummy | |
fi | |
if [ -z "$MDIALOG" ]; then | |
echo "<--- --- --->" | |
echo "need dialog" | |
echo "<--- --- --->" | |
/usr/sbin/chown -R "$LASTUSER:$LASTGROUP" /usr/local | |
sudo -u "$LASTUSER" -s "/usr/local/bin/brew install dialog" | |
echo "<--- --- --->" | |
else | |
echo "" # dummy | |
fi | |
( | |
# clean up — NOTE(review): every scratch file in this script is a predictable /tmp name created with touch (and only
# then chmod'ed) and removed with rm -rf as root; use mktemp so a pre-existing file or symlink at that path cannot be followed.
/bin/rm -rf /tmp/easy_ipsec*.txt | |
) | |
#/ function: say clean up | |
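#######################################
# KILLSAY — stop any running `say` (macOS text-to-speech) so the next spoken
# prompt does not overlap the previous one.
# Globals:   none
# Arguments: none
# Outputs:   nothing (pkill output is discarded)
# Returns:   0 always; "nothing to kill" is not an error for the callers,
#            which ignore the status anyway.
#
# -x limits the match to processes whose name is exactly "say". The original
# `pgrep "say"` was a substring match (any process with "say" in its name)
# and this runs as root, so the wider match mattered. The default TERM signal
# is sent instead of KILL; `say` exits on TERM, so -9 as first resort was not
# needed.
#######################################
KILLSAY(){
pkill -x say > /dev/null 2>&1 || :
}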
### stage2 // ### | |
GIF1=50 | |
( | |
while test $GIF1 != 150 | |
do | |
echo $GIF1 | |
echo "XXX" | |
echo "create gif interface: ($GIF1 percent)" | |
echo "XXX" | |
# | |
### run // | |
/sbin/ifconfig gif0 create > /dev/null 2>&1 | |
/sbin/ifconfig gif0 up | |
### // run | |
# | |
GIF1=$((GIF1 + 50)) | |
sleep 1 | |
done | |
) | dialog --title "generic tunnel interface" --gauge "create gif interface" 20 70 0 | |
EASYIPSECCLIENTIP="/tmp/easy_ipsec_client_ip.txt" | |
touch $EASYIPSECCLIENTIP | |
KILLSAY > /dev/null 2>&1 | |
say "Enter your Roadwarrior Client IP: for example 10.0.0.1" > /dev/null 2>&1 & | |
dialog --inputbox "Enter your Roadwarrior Client IP: (for example 10.0.0.1)" 8 40 2>$EASYIPSECCLIENTIP | |
EASYIPSECDESTNET="/tmp/easy_ipsec_destination_net.txt" | |
touch $EASYIPSECDESTNET | |
KILLSAY > /dev/null 2>&1 | |
say "Enter your VPN destination network: for example 172.31.254.0" > /dev/null 2>&1 & | |
dialog --inputbox "Enter your VPN destination network: (for example 172.31.254.0)" 8 40 2>$EASYIPSECDESTNET | |
EASYIPSECCLIENTIPVALUE=$(sed 's/#//g' $EASYIPSECCLIENTIP | sed 's/%//g') | |
EASYIPSECDESTNETVALUE=$(sed 's/#//g' $EASYIPSECDESTNET | sed 's/%//g') | |
GIF2=50 | |
( | |
while test $GIF2 != 150 | |
do | |
echo $GIF2 | |
echo "XXX" | |
echo "set gif options: ($GIF2 percent)" | |
echo "XXX" | |
# | |
### run // | |
/sbin/ifconfig gif0 "$EASYIPSECCLIENTIPVALUE" "$EASYIPSECDESTNETVALUE" | |
/sbin/route add -net "$EASYIPSECDESTNETVALUE"/24 -interface gif0 > /dev/null 2>&1 | |
### // run | |
# | |
GIF2=$((GIF2 + 50)) | |
sleep 1 | |
done | |
) | dialog --title "generic tunnel interface" --gauge "set gif options" 20 70 0 | |
EASYIPSECSERVERIP="/tmp/easy_ipsec_server_ip.txt" | |
touch $EASYIPSECSERVERIP | |
KILLSAY > /dev/null 2>&1 | |
say "Enter your VPN IP security Server IP:" > /dev/null 2>&1 & | |
dialog --inputbox "Enter your VPN IPsec Server IP:" 8 40 2>$EASYIPSECSERVERIP | |
EASYIPSECLOCALGATEWAY="/tmp/easy_ipsec_local_gateway.txt" | |
touch $EASYIPSECLOCALGATEWAY | |
KILLSAY > /dev/null 2>&1 | |
say "Enter your local gateway IP:" > /dev/null 2>&1 & | |
dialog --inputbox "Enter your local gateway IP:" 8 40 2>$EASYIPSECLOCALGATEWAY | |
EASYIPSECSERVERIPVALUE=$(sed 's/#//g' $EASYIPSECSERVERIP | sed 's/%//g') | |
EASYIPSECLOCALGATEWAYVALUE=$(sed 's/#//g' $EASYIPSECLOCALGATEWAY | sed 's/%//g') | |
GIF3=50 | |
( | |
while test $GIF3 != 150 | |
do | |
echo $GIF3 | |
echo "XXX" | |
echo "set direct vpn server route: ($GIF3 percent)" | |
echo "XXX" | |
# | |
### run // | |
# clean up double entries — NOTE(review): the grep pattern is the raw server IP, so each '.' is a regex wildcard and
# 10.0.0.1 also matches 10.0.0.10/10.0.0.100; use `grep -Fw` so only routes for this exact host feed the delete.
/usr/sbin/netstat -rn -f inet | grep "$EASYIPSECSERVERIPVALUE" | awk '{print $2}' | xargs -L1 route delete -host "$EASYIPSECSERVERIPVALUE" > /dev/null 2>&1 | |
# | |
/sbin/route delete -host "$EASYIPSECSERVERIPVALUE" > /dev/null 2>&1 | |
/sbin/route add -host "$EASYIPSECSERVERIPVALUE" "$EASYIPSECLOCALGATEWAYVALUE" > /dev/null 2>&1 | |
### // run | |
# | |
GIF3=$((GIF3 + 50)) | |
sleep 1 | |
done | |
) | dialog --title "generic tunnel interface" --gauge "set direct vpn server route" 20 70 0 | |
### check vpn server // | |
# | |
/bin/echo "" | |
#( | |
/sbin/ping -q -c5 "$EASYIPSECSERVERIPVALUE" > /dev/null | |
if [ $? -eq 0 ] | |
then | |
/bin/echo "" | |
KILLSAY > /dev/null 2>&1 | |
say "well, server is responsive" > /dev/null 2>&1 & | |
/bin/echo "server is responsive" | |
sleep 3 | |
# exit 0 | |
else | |
/bin/echo "" | |
KILLSAY > /dev/null 2>&1 | |
say "excuse me if have got an error: IP security server isn't responsive" > /dev/null 2>&1 & | |
/bin/echo "ERROR: IPsec server isn't responsive" | |
exit 1 | |
fi | |
#) | |
# | |
### // check vpn server | |
/bin/mkdir -p /etc/racoon | |
/bin/mkdir -p /etc/racoon/certs | |
/bin/chmod 0700 /etc/racoon/certs | |
### modify /etc/racoon/setkey.conf // | |
# NOTE(review): EASYIPSECGETIFIP is the inet address of whatever interface netstat lists for routes matching the
# server IP (unanchored grep, column 6); if more than one route matches, the value becomes multi-line and the
# generated setkey.conf is malformed — confirm exactly one local address is produced before trusting this.
#( | |
EASYIPSECGETIFIP=$(/usr/sbin/netstat -rn -f inet | grep "$EASYIPSECSERVERIPVALUE" | awk '{print $6}' | xargs -L1 ifconfig | grep -w "inet" | awk '{print $2}') | |
/bin/cat <<SETKEY > /etc/racoon/setkey.conf | |
### ### ### PLITC // ### ### ### | |
# | |
flush; | |
spdflush; | |
spdadd $EASYIPSECCLIENTIPVALUE/32 $EASYIPSECDESTNETVALUE/24 any -P out ipsec | |
esp/tunnel/$EASYIPSECGETIFIP-$EASYIPSECSERVERIPVALUE/require; | |
spdadd $EASYIPSECDESTNETVALUE/24 $EASYIPSECCLIENTIPVALUE/32 any -P in ipsec | |
esp/tunnel/$EASYIPSECSERVERIPVALUE-$EASYIPSECGETIFIP/require; | |
# | |
### ### ### // PLITC ### ### ### | |
# EOF | |
SETKEY | |
#) | |
# | |
/bin/chmod 0600 /etc/racoon/setkey.conf | |
# | |
### // modify /etc/racoon/setkey.conf | |
### modify /etc/racoon/psk.txt // | |
# NOTE(review): the pre-shared key passes through a predictable /tmp file (touch first, chmod 0600 only afterwards)
# and is written into psk.txt with just '#' and '%' stripped. psk.txt is whitespace-delimited, so a PSK containing
# spaces silently becomes a different key; create the scratch file with mktemp under umask 077 and reject whitespace.
#( | |
EASYIPSECSERVERPSK="/tmp/easy_ipsec_server_psk.txt" | |
touch $EASYIPSECSERVERPSK | |
/bin/chmod 0600 $EASYIPSECSERVERPSK | |
KILLSAY > /dev/null 2>&1 | |
say "Enter your VPN IP security Server Pre-shared key: without spaces and pound" > /dev/null 2>&1 & | |
dialog --inputbox "Enter your VPN IPsec Server Pre-shared key: (without spaces and pound)" 8 85 2>$EASYIPSECSERVERPSK | |
EASYIPSECSERVERPSKVALUE=$(sed 's/#//g' $EASYIPSECSERVERPSK | sed 's/%//g') | |
echo "" # dummy | |
/bin/cat <<PSK > /etc/racoon/psk.txt | |
### ### ### PLITC ### ### ### | |
# IPv4/v6 addresses | |
# 10.160.94.3 asecretkeygoeshere | |
# 172.16.1.133 asecretkeygoeshere | |
# 3ffe:501:410:ffff:200:86ff:fe05:80fa asecretkeygoeshere | |
# 3ffe:501:410:ffff:210:4bff:fea2:8baa asecretkeygoeshere | |
# USER_FQDN | |
# macuser@localhost somethingsecret | |
# FQDN | |
# kame hoge | |
### ### ### ##### ### ### ### | |
# | |
$EASYIPSECSERVERIPVALUE $EASYIPSECSERVERPSKVALUE | |
# | |
### ### ### PLITC ### ### ### | |
# EOF | |
PSK | |
if [ $? -eq 0 ] | |
then | |
: # dummy | |
else | |
KILLSAY > /dev/null 2>&1 | |
say "Warning, the racoon/psk.txt file probably has a write-protection or immutable flag!" > /dev/null 2>&1 & | |
sleep 2 | |
fi | |
/bin/chmod 0600 /etc/racoon/psk.txt | |
/bin/rm $EASYIPSECSERVERPSK | |
#) | |
# | |
### // modify /etc/racoon/psk.txt | |
### modify /etc/racoon/racoon.conf // | |
# NOTE(review): the generated racoon.conf keeps `log debug` (verbose IKE negotiation detail into syslog — drop to
# notify once the tunnel works, as the FreeBSD branch's own comment says) and `weak_phase1_check on`, which relaxes
# one of racoon's phase-1 checks (see racoon.conf(5)); `verify_cert off` is moot with pre_shared_key authentication.
EASYIPSECGETIFIPCONF=$(/usr/sbin/netstat -rn -f inet | grep "$EASYIPSECSERVERIPVALUE" | awk '{print $6}' | xargs -L1 ifconfig | grep -w "inet" | awk '{print $2}') | |
# | |
#( | |
/bin/cat <<CONF > /etc/racoon/racoon.conf | |
### ### ### PLITC ### ### ### | |
# | |
path include "/etc/racoon" ; | |
path pre_shared_key "/etc/racoon/psk.txt" ; | |
path certificate "/etc/cert" ; | |
log debug; | |
# | |
### ### ### ##### ### ### ### | |
padding # options are not to be changed | |
{ | |
maximum_length 20; | |
randomize off; | |
strict_check off; | |
exclusive_tail off; | |
} | |
timer # timing options. change as needed | |
{ | |
counter 5; | |
interval 20 sec; | |
persend 1; | |
natt_keepalive 20 sec; | |
phase1 120 sec; | |
phase2 60 sec; | |
} | |
listen # address [port] that racoon will listening on | |
{ | |
# | |
### CHANGEME // ### | |
isakmp $EASYIPSECGETIFIPCONF [500]; | |
isakmp_natt $EASYIPSECGETIFIPCONF [4500]; | |
### // CHANGEME ### | |
# | |
} | |
remote $EASYIPSECSERVERIPVALUE | |
{ | |
# ph1id 1; | |
exchange_mode main; | |
doi ipsec_doi; | |
situation identity_only; | |
peers_identifier address $EASYIPSECSERVERIPVALUE; | |
verify_identifier on; | |
verify_cert off; | |
weak_phase1_check on; | |
passive off; | |
proposal_check strict; | |
ike_frag on; | |
nonce_size 16; | |
support_proxy on; | |
generate_policy off; | |
nat_traversal force; | |
dpd_delay 30; | |
dpd_retry 10; | |
dpd_maxfail 10; | |
proposal { | |
dh_group 16; | |
lifetime time 600 sec; | |
encryption_algorithm aes 256; | |
hash_algorithm sha512; | |
authentication_method pre_shared_key; | |
} | |
} | |
sainfo (address $EASYIPSECCLIENTIPVALUE/32 any address $EASYIPSECDESTNETVALUE/24 any) | |
{ | |
# remoteid 1; | |
pfs_group 16; | |
lifetime time 300 sec; | |
encryption_algorithm aes 256; | |
authentication_algorithm hmac_sha512; | |
compression_algorithm deflate; | |
} | |
# | |
### ### ### ### ### ### ### ### ### | |
# EOF | |
CONF | |
#) | |
# | |
/bin/chmod 0600 /etc/racoon/racoon.conf | |
# | |
### // modify /etc/racoon/racoon.conf | |
### start ipsec // | |
# NOTE(review): the "Delete all System-Logs" prompt runs `aslmanager -size 1` against the whole ASL store, not just
# racoon's messages, so unrelated audit/forensic history is lost; the `syslog -k Sender racoon` filter used further
# down is enough to read the racoon log without purging anything.
#( | |
KILLSAY > /dev/null 2>&1 | |
say "syslog can be very slow, do you want delete all system logs before ?" > /dev/null 2>&1 & | |
dialog --title "Delete all System-Logs" --backtitle "Delete all System-Logs" --yesno "syslog can be very slow, do you want delete all system logs before ?" 7 60 | |
response=$? | |
case $response in | |
0) | |
#/bin/rm -rf /private/var/log/asl/*.asl | |
/usr/sbin/aslmanager -size 1 | |
/bin/echo "" | |
/bin/echo "System-Logs deleted!" | |
;; | |
1) | |
/bin/echo "" | |
/bin/echo "System-Logs not deleted." | |
;; | |
255) | |
/bin/echo "" | |
/bin/echo "[ESC] key pressed." | |
;; | |
esac | |
# | |
#/ /bin/launchctl stop com.apple.syslog | |
#/ /bin/launchctl start com.apple.syslog | |
# | |
#/ | |
#/ launchctl unload /System/Library/LaunchDaemons/com.apple.racoon.plist | |
#/ sleep 1 | |
#/ launchctl load /System/Library/LaunchDaemons/com.apple.racoon.plist | |
# | |
#) | |
# | |
#( | |
/bin/echo "" | |
KILLSAY > /dev/null 2>&1 | |
say "Starting IP security" > /dev/null 2>&1 & | |
/bin/echo "Starting IPsec" | |
/usr/sbin/setkey -f /etc/racoon/setkey.conf | |
sleep 1 | |
/bin/launchctl stop com.apple.racoon | |
/bin/launchctl stop com.apple.ipsec | |
sleep 1 | |
/bin/launchctl start com.apple.ipsec | |
/bin/launchctl start com.apple.racoon | |
sleep 1 | |
/bin/echo "" | |
KILLSAY > /dev/null 2>&1 | |
say "wait a minute please" > /dev/null 2>&1 & | |
/bin/echo "prepare racoon log ... wait a minute" | |
/bin/echo "" | |
sleep 15 | |
#) | |
# | |
/usr/bin/syslog -k Facility -k Sender racoon | tail -n 100 | grep "established" > /tmp/easy_ipsec_racoon_log.txt | |
# | |
RACOONLOG="/tmp/easy_ipsec_racoon_log.txt" | |
# | |
#( | |
KILLSAY > /dev/null 2>&1 | |
say "VPN Logfile" > /dev/null 2>&1 & | |
dialog --textbox "$RACOONLOG" 0 0 | |
#) | |
# | |
### // start ipsec | |
### ipsec test // | |
# | |
#( | |
EASYIPSECSERVERTEST="/tmp/easy_ipsec_server_test.txt" | |
touch $EASYIPSECSERVERTEST | |
/bin/chmod 0600 $EASYIPSECSERVERTEST | |
KILLSAY > /dev/null 2>&1 | |
say "Enter your VPN IP security Server forwarding interface IP: for example 172.31.254.254" > /dev/null 2>&1 & | |
dialog --inputbox "Enter your VPN IPsec Server forwarding interface IP: (for example 172.31.254.254)" 8 85 2>$EASYIPSECSERVERTEST | |
EASYIPSECSERVERTESTVALUE=$(sed 's/#//g' $EASYIPSECSERVERTEST | sed 's/%//g') | |
/sbin/ping -q -c5 "$EASYIPSECSERVERTESTVALUE" > /dev/null | |
if [ $? -eq 0 ] | |
then | |
KILLSAY > /dev/null 2>&1 | |
say "It works!" > /dev/null 2>&1 & | |
dialog --title "VPN IPsec Gateway Test" --backtitle "VPN IPsec Gateway Test" --msgbox "It works!" 0 0 | |
# exit 0 | |
else | |
dialog --title "VPN IPsec Gateway Test" --backtitle "VPN IPsec Gateway Test" --msgbox "ERROR: can't ping!" 0 0 | |
/bin/echo "" | |
KILLSAY > /dev/null 2>&1 | |
say "excuse me if have got an error: IP security server isn't responsive" > /dev/null 2>&1 & | |
/bin/echo "ERROR: IPsec server isn't responsive" | |
exit 1 | |
fi | |
#) | |
/bin/rm -rf "$EASYIPSECSERVERTEST" | |
# | |
### // ipsec test | |
### // stage2 ### | |
### stage3 // ### | |
### ipsec/openvpn relay setup // ### | |
# | |
#( | |
KILLSAY > /dev/null 2>&1 | |
say "if you have an IP security/OpenVPN Relay Server-Setup, Go ahead" > /dev/null 2>&1 & | |
dialog --title "IPsec/OpenVPN Relay Network" --backtitle "IPsec/OpenVPN Relay Network" --yesno "if you have an IPsec/OpenVPN Relay Server-Setup Go ahead!" 7 70 | |
OPENVPN=$? | |
case $OPENVPN in | |
0) | |
/bin/echo "" | |
;; | |
1) | |
/bin/echo "" | |
#/bin/echo "no thanks!" | |
KILLSAY > /dev/null 2>&1 | |
say "Have a nice day with IP security, good bye" > /dev/null 2>&1 & | |
/bin/echo "Have a nice day with IPsec" | |
### | |
# clean up | |
/bin/rm -rf /tmp/easy_ipsec*.txt | |
### | |
exit 1 | |
;; | |
255) | |
/bin/echo "" | |
/bin/echo "[ESC] key pressed." | |
;; | |
esac | |
#) | |
# | |
#( | |
KILLSAY > /dev/null 2>&1 | |
say "its time now to establish, manually a successful connection" > /dev/null 2>&1 & | |
dialog --title "IPsec/OpenVPN Relay Network" --backtitle "IPsec/OpenVPN Relay Network" --msgbox "its time now to establish a successful connection! ... than press OK" 8 80 | |
#) | |
# | |
### // ipsec/openvpn relay setup ### | |
### openvpn server // ### | |
# | |
EASYIPSECSERVEROVPNTEST="/tmp/easy_ipsec_server_openvpn_test.txt" | |
touch $EASYIPSECSERVEROVPNTEST | |
/bin/chmod 0600 $EASYIPSECSERVEROVPNTEST | |
KILLSAY > /dev/null 2>&1 | |
say "Enter your VPN, OpenVPN Server forwarding interface IP: for example 172.31.253.1" > /dev/null 2>&1 & | |
dialog --inputbox "Enter your VPN OpenVPN Server forwarding interface IP: (for example 172.31.253.1)" 8 85 2>$EASYIPSECSERVEROVPNTEST | |
EASYIPSECSERVEROVPNTESTVALUE=$(sed 's/#//g' $EASYIPSECSERVEROVPNTEST | sed 's/%//g') | |
#( | |
/sbin/ping -q -c5 "$EASYIPSECSERVEROVPNTESTVALUE" > /dev/null | |
if [ $? -eq 0 ] | |
then | |
KILLSAY > /dev/null 2>&1 | |
say "It works!" > /dev/null 2>&1 & | |
dialog --title "VPN OpenVPN Gateway Test" --backtitle "VPN OpenVPN Gateway Test" --msgbox "It works!" 0 0 | |
# exit 0 | |
else | |
dialog --title "VPN OpenVPN Gateway Test" --backtitle "VPN OpenVPN Gateway Test" --msgbox "ERROR: can't ping!" 0 0 | |
/bin/echo "" | |
KILLSAY > /dev/null 2>&1 | |
say "excuse me if have got an error: OpenVPN server isn't responsive" > /dev/null 2>&1 & | |
/bin/echo "ERROR: OpenVPN server isn't responsive" | |
exit 1 | |
fi | |
#) | |
##/bin/rm -rf "$EASYIPSECSERVEROVPNTEST" | |
# | |
### // openvpn server ### | |
### new default gateway // ### | |
# | |
EASYIPSECNETSTATOVPN1="/tmp/easy_ipsec_server_openvpn_netstat1.txt" | |
touch $EASYIPSECNETSTATOVPN1 | |
/bin/chmod 0600 $EASYIPSECNETSTATOVPN1 | |
EASYIPSECNETSTATOVPN2="/tmp/easy_ipsec_server_openvpn_netstat2.txt" | |
touch $EASYIPSECNETSTATOVPN2 | |
/bin/chmod 0600 $EASYIPSECNETSTATOVPN2 | |
# | |
KILLSAY > /dev/null 2>&1 | |
say "it seems to work, lets change the default gateway!" > /dev/null 2>&1 & | |
dialog --title "IPsec/OpenVPN Relay Network" --backtitle "IPsec/OpenVPN Relay Network" --msgbox "it seems to work, lets change the default gateway!" 8 70 | |
# | |
/sbin/route delete default > /dev/null 2>&1 | |
/sbin/route delete 128.0.0.0/1 > /dev/null 2>&1 | |
/sbin/route delete 0.0.0.0/1 > /dev/null 2>&1 | |
# | |
/sbin/route add -net 128.0.0.0/1 "$EASYIPSECSERVEROVPNTESTVALUE" > /dev/null 2>&1 | |
/sbin/route add -net 0.0.0.0/1 "$EASYIPSECSERVEROVPNTESTVALUE" > /dev/null 2>&1 | |
# | |
### | |
/usr/sbin/netstat -rn -f inet > "$EASYIPSECNETSTATOVPN1" | |
### | |
# | |
KILLSAY > /dev/null 2>&1 | |
say "your default gateway is now $EASYIPSECSERVEROVPNTESTVALUE" > /dev/null 2>&1 & | |
dialog --textbox "$EASYIPSECNETSTATOVPN1" 0 0 | |
# | |
### | |
/bin/echo "" | |
KILLSAY > /dev/null 2>&1 | |
say "Have a nice day with IP security and OpenVPN, good bye" > /dev/null 2>&1 & | |
/bin/echo "Have a nice day with IPsec and OpenVPN" | |
### | |
# | |
/bin/rm -rf "$EASYIPSECNETSTATOVPN1" | |
# | |
### // new default gateway ### | |
### // stage3 ### | |
### stage4 // ### | |
# | |
( | |
# clean up | |
/bin/rm -rf /tmp/easy_ipsec*.txt | |
) | |
# | |
### // stage4 ### | |
### ### ### ### ### ### ### ### ### | |
;; | |
FreeBSD) | |
### FreeBSD ### | |
# | |
FRACOON=$(/usr/bin/which racoon) | |
FOPENVPN=$(/usr/bin/which openvpn) | |
# | |
### ### ### ### ### ### ### ### ### | |
if [ "$MYNAME" = root ]; then | |
echo "" # dummy | |
else | |
echo "<--- --- --->" | |
echo "" | |
echo "ERROR: You must be root to run this script" | |
exit 1 | |
fi | |
if [ -z "$FRACOON" ]; then | |
echo "<--- --- --->" | |
echo "need racoon/ipsec-tools" | |
echo "<--- --- --->" | |
# ( | |
cd /usr/ports/security/ipsec-tools/ && make install clean | |
# ) | |
echo "<--- --- --->" | |
### break // ### NOTE(review): `read -r "Press [Enter] key to continue..."` passes the prompt as a variable NAME, which is
### not a valid identifier, so read errors out and does not pause; use `printf '%s' "Press [Enter] key to continue..."; read -r _`
### (same issue at the openvpn install step below).
echo "" | |
read -r "Press [Enter] key to continue..." | |
### // break ### | |
else | |
echo "" # dummy | |
fi | |
if [ -z "$FOPENVPN" ]; then | |
echo "<--- --- --->" | |
echo "need openvpn" | |
echo "<--- --- --->" | |
# ( | |
cd /usr/ports/security/openvpn/ && make install clean | |
# ) | |
echo "<--- --- --->" | |
### break // ### | |
echo "" | |
read -r "Press [Enter] key to continue..." | |
### // break ### | |
else | |
echo "" # dummy | |
fi | |
( | |
# clean up | |
/bin/rm -rf /tmp/easy_ipsec*.txt | |
) | |
### stage2 // ### | |
GIF1=50 | |
( | |
while test $GIF1 != 150 | |
do | |
echo $GIF1 | |
echo "XXX" | |
echo "create gif interface: ($GIF1 percent)" | |
echo "XXX" | |
# | |
### run // | |
/sbin/ifconfig gif0 create > /dev/null 2>&1 | |
/sbin/ifconfig gif0 up | |
### // run | |
# | |
GIF1=$((GIF1 + 50)) | |
sleep 1 | |
done | |
) | dialog --title "generic tunnel interface" --gauge "create gif interface" 20 70 0 | |
EASYIPSECCLIENTIP="/tmp/easy_ipsec_client_ip.txt" | |
touch $EASYIPSECCLIENTIP | |
dialog --inputbox "Enter your Roadwarrior Client IP: (for example 10.0.0.1)" 8 40 2>$EASYIPSECCLIENTIP | |
EASYIPSECDESTNET="/tmp/easy_ipsec_destination_net.txt" | |
touch $EASYIPSECDESTNET | |
dialog --inputbox "Enter your VPN destination network: (for example 172.31.254.0)" 8 40 2>$EASYIPSECDESTNET | |
EASYIPSECCLIENTIPVALUE=$(sed 's/#//g' $EASYIPSECCLIENTIP | sed 's/%//g') | |
EASYIPSECDESTNETVALUE=$(sed 's/#//g' $EASYIPSECDESTNET | sed 's/%//g') | |
GIF2=50 | |
( | |
while test $GIF2 != 150 | |
do | |
echo $GIF2 | |
echo "XXX" | |
echo "set gif options: ($GIF2 percent)" | |
echo "XXX" | |
# | |
### run // | |
/sbin/ifconfig gif0 "$EASYIPSECCLIENTIPVALUE" "$EASYIPSECDESTNETVALUE" | |
/sbin/route add -net "$EASYIPSECDESTNETVALUE"/24 -interface gif0 > /dev/null 2>&1 | |
### // run | |
# | |
GIF2=$((GIF2 + 50)) | |
sleep 1 | |
done | |
) | dialog --title "generic tunnel interface" --gauge "set gif options" 20 70 0 | |
EASYIPSECSERVERIP="/tmp/easy_ipsec_server_ip.txt" | |
touch $EASYIPSECSERVERIP | |
dialog --inputbox "Enter your VPN IPsec Server IP:" 8 40 2>$EASYIPSECSERVERIP | |
EASYIPSECLOCALGATEWAY="/tmp/easy_ipsec_local_gateway.txt" | |
touch $EASYIPSECLOCALGATEWAY | |
dialog --inputbox "Enter your local gateway IP:" 8 40 2>$EASYIPSECLOCALGATEWAY | |
EASYIPSECSERVERIPVALUE=$(sed 's/#//g' $EASYIPSECSERVERIP | sed 's/%//g') | |
EASYIPSECLOCALGATEWAYVALUE=$(sed 's/#//g' $EASYIPSECLOCALGATEWAY | sed 's/%//g') | |
GIF3=50 | |
( | |
while test $GIF3 != 150 | |
do | |
echo $GIF3 | |
echo "XXX" | |
echo "set direct vpn server route: ($GIF3 percent)" | |
echo "XXX" | |
# | |
### run // | |
# clean up double entries on (RADIX_MPATH) equal-cost multi-path routing (ecmp) systems | |
/usr/bin/netstat -rn -f inet | grep "$EASYIPSECSERVERIPVALUE" | awk '{print $2}' | xargs -L1 route del -host "$EASYIPSECSERVERIPVALUE" > /dev/null 2>&1 | |
# | |
/sbin/route del -host "$EASYIPSECSERVERIPVALUE" "$EASYIPSECLOCALGATEWAYVALUE" > /dev/null 2>&1 | |
/sbin/route add -host "$EASYIPSECSERVERIPVALUE" "$EASYIPSECLOCALGATEWAYVALUE" > /dev/null 2>&1 | |
### // run | |
# | |
GIF3=$((GIF3 + 50)) | |
sleep 1 | |
done | |
) | dialog --title "generic tunnel interface" --gauge "set direct vpn server route" 20 70 0 | |
### check vpn server // NOTE(review): unlike the Darwin branch, this check runs inside a ( ) subshell, so its `exit 1`
### only ends the subshell — the script goes on to write the racoon config and start IPsec even when the server is unreachable.
# | |
/bin/echo "" | |
( | |
/sbin/ping -q -c5 "$EASYIPSECSERVERIPVALUE" > /dev/null | |
if [ $? -eq 0 ] | |
then | |
/bin/echo "" | |
/bin/echo "server is responsive" | |
sleep 3 | |
exit 0 | |
else | |
/bin/echo "" | |
/bin/echo "ERROR: server isn't responsive" | |
exit 1 | |
fi | |
) | |
# | |
### // check vpn server | |
/bin/mkdir -p /usr/local/etc/racoon | |
/bin/mkdir -p /usr/local/etc/racoon/certs | |
/bin/chmod 0700 /usr/local/etc/racoon/certs | |
### modify /usr/local/etc/racoon/setkey.conf // | |
# | |
( | |
EASYIPSECGETIFIP=$(/usr/bin/netstat -rnW -f inet | grep "$EASYIPSECSERVERIPVALUE" | awk '{print $7}' | xargs -L1 ifconfig | grep -w "inet" | awk '{print $2}') | |
/bin/cat <<SETKEY > /usr/local/etc/racoon/setkey.conf | |
### ### ### PLITC // ### ### ### | |
# | |
flush; | |
spdflush; | |
spdadd $EASYIPSECCLIENTIPVALUE/32 $EASYIPSECDESTNETVALUE/24 any -P out ipsec | |
esp/tunnel/$EASYIPSECGETIFIP-$EASYIPSECSERVERIPVALUE/require; | |
spdadd $EASYIPSECDESTNETVALUE/24 $EASYIPSECCLIENTIPVALUE/32 any -P in ipsec | |
esp/tunnel/$EASYIPSECSERVERIPVALUE-$EASYIPSECGETIFIP/require; | |
# | |
### ### ### // PLITC ### ### ### | |
# EOF | |
SETKEY | |
) | |
# | |
/bin/chmod 0600 /usr/local/etc/racoon/setkey.conf | |
# | |
### // modify /usr/local/etc/racoon/setkey.conf | |
### modify /usr/local/etc/racoon/psk.txt // | |
# | |
( | |
EASYIPSECSERVERPSK="/tmp/easy_ipsec_server_psk.txt" | |
touch $EASYIPSECSERVERPSK | |
/bin/chmod 0600 $EASYIPSECSERVERPSK | |
dialog --inputbox "Enter your VPN IPsec Server Pre-shared key: (without spaces and pound)" 8 85 2>$EASYIPSECSERVERPSK | |
EASYIPSECSERVERPSKVALUE=$(sed 's/#//g' $EASYIPSECSERVERPSK | sed 's/%//g') | |
/bin/cat <<PSK > /usr/local/etc/racoon/psk.txt | |
### ### ### PLITC ### ### ### | |
# | |
$EASYIPSECSERVERIPVALUE $EASYIPSECSERVERPSKVALUE | |
# | |
### ### ### PLITC ### ### ### | |
# EOF | |
PSK | |
/bin/chmod 0600 /usr/local/etc/racoon/psk.txt | |
/bin/rm $EASYIPSECSERVERPSK | |
) | |
# | |
### // modify /usr/local/etc/racoon/psk.txt | |
### modify /usr/local/etc/racoon/racoon.conf // | |
# | |
EASYIPSECGETIFIPCONF=$(/usr/bin/netstat -rnW -f inet | grep "$EASYIPSECSERVERIPVALUE" | awk '{print $7}' | xargs -L1 ifconfig | grep -w "inet" | awk '{print $2}') | |
# | |
( | |
/bin/cat <<CONF > /usr/local/etc/racoon/racoon.conf | |
### ### ### PLITC ### ### ### | |
# | |
path include "/usr/local/etc/racoon"; | |
path certificate "/usr/local/etc/racoon/certs"; #location of cert files | |
path pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file | |
log debug; #log verbosity setting: set to 'notify' when testing and debugging is complete | |
# | |
### ### ### ##### ### ### ### | |
padding # options are not to be changed | |
{ | |
maximum_length 20; | |
randomize off; | |
strict_check off; | |
exclusive_tail off; | |
} | |
timer # timing options. change as needed | |
{ | |
counter 5; | |
interval 20 sec; | |
persend 1; | |
natt_keepalive 20 sec; | |
phase1 120 sec; | |
phase2 60 sec; | |
} | |
listen # address [port] that racoon will listening on | |
{ | |
# | |
### CHANGEME // ### | |
isakmp $EASYIPSECGETIFIPCONF [500]; | |
isakmp_natt $EASYIPSECGETIFIPCONF [4500]; | |
### // CHANGEME ### | |
# | |
} | |
remote $EASYIPSECSERVERIPVALUE | |
{ | |
# ph1id 1; | |
exchange_mode main; | |
doi ipsec_doi; | |
situation identity_only; | |
peers_identifier address $EASYIPSECSERVERIPVALUE; | |
verify_identifier on; | |
verify_cert off; | |
weak_phase1_check on; | |
passive off; | |
proposal_check strict; | |
ike_frag on; | |
nonce_size 16; | |
support_proxy on; | |
generate_policy off; | |
nat_traversal force; | |
dpd_delay 30; | |
dpd_retry 10; | |
dpd_maxfail 10; | |
proposal { | |
dh_group 16; | |
lifetime time 600 sec; | |
encryption_algorithm aes 256; | |
hash_algorithm sha512; | |
authentication_method pre_shared_key; | |
} | |
} | |
sainfo (address $EASYIPSECCLIENTIPVALUE/32 any address $EASYIPSECDESTNETVALUE/24 any) | |
{ | |
# remoteid 1; | |
pfs_group 16; | |
lifetime time 300 sec; | |
encryption_algorithm aes 256; | |
authentication_algorithm hmac_sha512; | |
compression_algorithm deflate; | |
} | |
# | |
### ### ### ### ### ### ### ### ### | |
# EOF | |
CONF | |
) | |
# | |
/bin/chmod 0600 /usr/local/etc/racoon/racoon.conf | |
# | |
### // modify /usr/local/etc/racoon/racoon.conf | |
### start ipsec // | |
# | |
( | |
dialog --title "Delete Racoon-Logs" --backtitle "Delete Racoon-Logs" --yesno "syslog can be very slow, do you want delete racoon logs before ?" 7 60 | |
response=$? | |
case $response in | |
0) | |
/bin/echo "" > /var/log/racoon.log | |
/bin/echo "" | |
/bin/echo "System-Logs deleted!" | |
;; | |
1) | |
/bin/echo "" | |
/bin/echo "System-Logs not deleted." | |
;; | |
255) | |
/bin/echo "" | |
/bin/echo "[ESC] key pressed." | |
;; | |
esac | |
# | |
) | |
# | |
( | |
/bin/echo "" | |
/bin/echo "Starting IPsec" | |
sleep 1 | |
/bin/echo "" | |
/usr/sbin/service racoon stop | |
/usr/sbin/service ipsec stop | |
sleep 1 | |
/bin/echo "" | |
/usr/sbin/service ipsec start | |
/usr/sbin/service racoon start | |
sleep 1 | |
/bin/echo "" | |
) | |
# | |
### ipsec test // | |
# NOTE(review): this test is NOT in a subshell (the opening "(" is commented out), so the `exit 0` on a successful ping
# terminates the whole script before the racoon log is shown and before the OpenVPN relay stage; the Darwin branch
# has that exit commented out.
#( | |
EASYIPSECSERVERTEST="/tmp/easy_ipsec_server_test.txt" | |
touch $EASYIPSECSERVERTEST | |
/bin/chmod 0600 $EASYIPSECSERVERTEST | |
dialog --inputbox "Enter your VPN IPsec Server forwarding interface IP: (for example 172.31.254.254)" 8 85 2>$EASYIPSECSERVERTEST | |
EASYIPSECSERVERTESTVALUE=$(sed 's/#//g' $EASYIPSECSERVERTEST | sed 's/%//g') | |
/sbin/ping -q -c5 "$EASYIPSECSERVERTESTVALUE" > /dev/null | |
if [ $? -eq 0 ] | |
then | |
dialog --title "VPN IPsec Gateway Test" --backtitle "VPN IPsec Gateway Test" --msgbox "It works!" 0 0 | |
exit 0 | |
else | |
dialog --title "VPN IPsec Gateway Test" --backtitle "VPN IPsec Gateway Test" --msgbox "ERROR: can't ping!" 0 0 | |
/bin/echo "" | |
/bin/echo "ERROR: server isn't responsive" | |
exit 1 | |
fi | |
#) | |
# | |
### // ipsec test | |
/bin/echo "" | |
/bin/echo "prepare racoon log ... wait a minute" | |
/bin/echo "" | |
sleep 15 | |
egrep "established|WARNING" /var/log/racoon.log | tail -n 10 > /tmp/easy_ipsec_racoon_log.txt | |
# | |
RACOONLOG="/tmp/easy_ipsec_racoon_log.txt" | |
# | |
( | |
dialog --textbox "$RACOONLOG" 0 0 | |
) | |
# | |
/bin/rm -rf "$EASYIPSECSERVERTEST" | |
# | |
### // start ipsec | |
### // stage2 ### | |
### stage3 // ### | |
### ipsec/openvpn relay setup // ### | |
# | |
#( | |
dialog --title "IPsec/OpenVPN Relay Network" --backtitle "IPsec/OpenVPN Relay Network" --yesno "if you have an IPsec/OpenVPN Relay Server-Setup Go ahead!" 7 70 | |
OPENVPN=$? | |
case $OPENVPN in | |
0) | |
/bin/echo "" | |
;; | |
1) | |
/bin/echo "" | |
#/bin/echo "no thanks!" | |
/bin/echo "Have a nice day with IPsec" | |
### | |
# clean up | |
/bin/rm -rf /tmp/easy_ipsec*.txt | |
### | |
exit 1 | |
;; | |
255) | |
/bin/echo "" | |
/bin/echo "[ESC] key pressed." | |
;; | |
esac | |
#) | |
# | |
( | |
dialog --title "IPsec/OpenVPN Relay Network" --backtitle "IPsec/OpenVPN Relay Network" --msgbox "its time now to establish a successful connection! ... than press OK" 8 80 | |
) | |
# | |
### // ipsec/openvpn relay setup ### | |
### openvpn server // ### | |
# | |
EASYIPSECSERVEROVPNTEST="/tmp/easy_ipsec_server_openvpn_test.txt" | |
touch $EASYIPSECSERVEROVPNTEST | |
/bin/chmod 0600 $EASYIPSECSERVEROVPNTEST | |
dialog --inputbox "Enter your VPN OpenVPN Server forwarding interface IP: (for example 172.31.253.1)" 8 85 2>$EASYIPSECSERVEROVPNTEST | |
EASYIPSECSERVEROVPNTESTVALUE=$(sed 's/#//g' $EASYIPSECSERVEROVPNTEST | sed 's/%//g') | |
( | |
/sbin/ping -q -c5 "$EASYIPSECSERVEROVPNTESTVALUE" > /dev/null | |
if [ $? -eq 0 ] | |
then | |
dialog --title "VPN OpenVPN Gateway Test" --backtitle "VPN OpenVPN Gateway Test" --msgbox "It works!" 0 0 | |
exit 0 | |
else | |
dialog --title "VPN OpenVPN Gateway Test" --backtitle "VPN OpenVPN Gateway Test" --msgbox "ERROR: can't ping!" 0 0 | |
/bin/echo "" | |
/bin/echo "ERROR: server isn't responsive" | |
exit 1 | |
fi | |
) | |
##/bin/rm -rf $EASYIPSECSERVEROVPNTEST | |
# | |
### // openvpn server ### | |
### new default gateway // ### NOTE(review): the OpenVPN ping test above runs in a ( ) subshell, so its `exit 1` does not
### stop the script — the default route is replaced with 0.0.0.0/1 and 128.0.0.0/1 via the entered address even when
### that address failed the reachability check, and the previous default route is deleted without being recorded for rollback.
# | |
EASYIPSECNETSTATOVPN="/tmp/easy_ipsec_server_openvpn_netstat.txt" | |
touch $EASYIPSECNETSTATOVPN | |
/bin/chmod 0600 $EASYIPSECNETSTATOVPN | |
# | |
dialog --title "IPsec/OpenVPN Relay Network" --backtitle "IPsec/OpenVPN Relay Network" --msgbox "it seems to work, lets change the default gateway!" 8 70 | |
# | |
/sbin/route delete default > /dev/null 2>&1 | |
/sbin/route delete 128.0.0.0/1 > /dev/null 2>&1 | |
/sbin/route delete 0.0.0.0/1 > /dev/null 2>&1 | |
# | |
/sbin/route add -net 128.0.0.0/1 "$EASYIPSECSERVEROVPNTESTVALUE" > /dev/null 2>&1 | |
/sbin/route add -net 0.0.0.0/1 "$EASYIPSECSERVEROVPNTESTVALUE" > /dev/null 2>&1 | |
# | |
### | |
/usr/bin/netstat -rn -f inet > "$EASYIPSECNETSTATOVPN" | |
### | |
# | |
dialog --textbox "$EASYIPSECNETSTATOVPN" 0 0 | |
# | |
### | |
/bin/echo "" | |
/bin/echo "Have a nice day with IPsec and OpenVPN" | |
### | |
# | |
/bin/rm -rf $EASYIPSECNETSTATOVPN | |
# | |
### // new default gateway ### | |
### // stage3 ### | |
### stage4 // ### | |
# | |
( | |
# clean up | |
/bin/rm -rf /tmp/easy_ipsec*.txt | |
) | |
# | |
### // stage4 ### | |
### ### ### ### ### ### ### ### ### | |
;; | |
Linux) | |
### Linux ### | |
# | |
DEBIAN=$(grep "ID" /etc/os-release | egrep -v "VERSION" | sed 's/ID=//g') | |
DEBVERSION=$(grep "VERSION_ID" /etc/os-release | sed 's/VERSION_ID=//g' | sed 's/"//g') | |
# | |
case $DEBIAN in | |
debian) | |
### stage2 // ### | |
# | |
DEBPING=$(/usr/bin/dpkg -l | grep "iputils-ping" | awk '{print $2}') | |
DEBDIALOG=$(/usr/bin/which dialog) | |
DEBSTRONGSWAN=$(/usr/bin/dpkg -l | grep "strongswan-ikev1" | awk '{print $2}') | |
DEBOPENVPN=$(/usr/bin/dpkg -l | grep "openvpn" | awk '{print $2}') | |
DEBSPEAK1=$(/usr/bin/dpkg -l | grep "espeak" | awk '{print $2}') | |
DEBSPEAK2=$(/usr/bin/dpkg -l | grep "mbrola" | awk '{print $2}') | |
# | |
#/ spinner | |
spinner() | |
{ | |
local pid=$1 | |
local delay=0.01 | |
local spinstr='|/-\' | |
while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do | |
local temp=${spinstr#?} | |
printf " [%c] " "$spinstr" | |
local spinstr=$temp${spinstr%"$temp"} | |
sleep $delay | |
printf "\b\b\b\b\b\b" | |
done | |
printf " \b\b\b\b" | |
} | |
# | |
### ### ### ### ### ### ### ### ### | |
if [ "$MYNAME" = root ]; then | |
echo "" # dummy | |
else | |
echo "<--- --- --->" | |
echo "" | |
echo "ERROR: You must be root to run this script" | |
exit 1 | |
fi | |
if [ "$DEBVERSION" = "8" ]; then | |
: # dummy | |
else | |
if [ "$DEBVERSION" = "9" ]; then | |
: # dummy | |
else | |
echo "<--- --- --->" | |
echo "" | |
echo "ERROR: You need Debian 8 (Jessie) or 9 (Stretch) Version" | |
exit 1 | |
fi | |
fi | |
if [ -z "$DEBPING" ]; then | |
echo "<--- --- --->" | |
echo "need iputils-ping" | |
echo "<--- --- --->" | |
# ( | |
apt-get update | |
apt-get -y install iputils-ping | |
# ) | |
echo "<--- --- --->" | |
### break // ### | |
#/ echo "" | |
#/ read "Press [Enter] key to continue..." | |
### // break ### | |
else | |
: # dummy | |
fi | |
if [ -z "$DEBDIALOG" ]; then | |
echo "<--- --- --->" | |
echo "need dialog" | |
echo "<--- --- --->" | |
# ( | |
apt-get update | |
apt-get -y install dialog | |
# ) | |
echo "<--- --- --->" | |
### break // ### | |
#/ echo "" | |
#/ read "Press [Enter] key to continue..." | |
### // break ### | |
else | |
: # dummy | |
fi | |
if [ -z "$DEBSTRONGSWAN" ]; then | |
echo "<--- --- --->" | |
echo "need strongswan-ikev1" | |
echo "<--- --- --->" | |
# ( | |
apt-get update | |
apt-get -y install strongswan libstrongswan libstrongswan-standard-plugins libstrongswan-extra-plugins strongswan-charon strongswan-ike strongswan-ikev1 strongswan-ikev2 | |
# ) | |
echo "<--- --- --->" | |
### break // ### | |
#/ echo "" | |
#/ read "Press [Enter] key to continue..." | |
### // break ### | |
else | |
: # dummy | |
fi | |
if [ -z "$DEBOPENVPN" ]; then | |
echo "<--- --- --->" | |
echo "need openvpn" | |
echo "<--- --- --->" | |
# ( | |
apt-get update | |
apt-get -y install openvpn | |
# ) | |
echo "<--- --- --->" | |
### break // ### | |
#/ echo "" | |
#/ read "Press [Enter] key to continue..." | |
### // break ### | |
else | |
: # dummy | |
fi | |
if [ -z "$DEBSPEAK1" ]; then | |
echo "<--- --- --->" | |
echo "need espeak" | |
echo "<--- --- --->" | |
# ( | |
apt-get update | |
apt-get -y install espeak | |
# ) | |
echo "<--- --- --->" | |
### break // ### | |
#/ echo "" | |
#/ read "Press [Enter] key to continue..." | |
### // break ### | |
else | |
: # dummy | |
fi | |
if [ -z "$DEBSPEAK2" ]; then | |
echo "<--- --- --->" | |
echo "need mbrola" | |
echo "<--- --- --->" | |
# ( | |
apt-get update | |
apt-get -y install mbrola mbrola-us1 mbrola-us2 mbrola-us3 | |
# ) | |
echo "<--- --- --->" | |
### break // ### | |
#/ echo "" | |
#/ read "Press [Enter] key to continue..." | |
### // break ### | |
else | |
: # dummy | |
fi | |
( | |
# clean up | |
/bin/rm -rf /tmp/easy_ipsec*.txt | |
) | |
(
### clean up - openvpn iptable rules // ##
#
# Tear down a rule set left by an earlier run. EASYIPSEC is the marker chain
# this script creates with "iptables -N EASYIPSEC" when it installs its own
# rules, so a count of exactly 1 in "iptables -S" is taken as "our rules are
# present". NOTE(review): only the IPv4 table is consulted, and a count other
# than 1 (e.g. a second reference to the chain) skips the whole cleanup.
CHECKIPSECIPTABLERULES0=$(iptables -S | grep -c "EASYIPSEC")
if [ "$CHECKIPSECIPTABLERULES0" = "1" ]
then
### ACCEPT // ###
# Policies are set to ACCEPT before flushing so the host does not become
# unreachable; until the new rule set is applied later, the host is unfiltered.
###/ v4
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
##/ v6
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
### // ACCEPT ###
### flush // ###
##/ v4
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
##/ v6
ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -F OUTPUT
ip6tables -t nat -F PREROUTING
ip6tables -t nat -F POSTROUTING
### // flush ###
### info // ###
# Delete the (now empty) marker chains; errors are ignored if they do not exist.
iptables -X EASYIPSEC > /dev/null 2>&1
ip6tables -X EASYIPSEC > /dev/null 2>&1
###
# INPUT/OUTPUT were already flushed above, so the two -D calls are
# belt-and-braces; -F and -X are what actually remove the ICMPv6 user chain.
ip6tables -F ICMPv6 > /dev/null 2>&1
ip6tables -D INPUT -p ipv6-icmp -j ICMPv6 > /dev/null 2>&1
ip6tables -D OUTPUT -p ipv6-icmp -j ACCEPT > /dev/null 2>&1
ip6tables -X ICMPv6 > /dev/null 2>&1
### // info ###
else
: # dummy
fi
#
### // clean up - openvpn iptable rules ###
)
### stage2 // ### | |
EASYIPSECINTERFACE="/tmp/easy_ipsec_interface.txt" | |
touch $EASYIPSECINTERFACE | |
/bin/su -m pulse -c 'espeak -v mb-us1 "choose your public transport interface: (for example wlan0)"' > /dev/null 2>&1 & | |
dialog --inputbox "choose your public transport interface: (for example wlan0)" 8 70 2>$EASYIPSECINTERFACE | |
EASYIPSECINTERFACEVALUE=$(sed 's/#//g' $EASYIPSECINTERFACE | sed 's/%//g') | |
CHECKINTERFACE=$(ip a | egrep "UP" | awk '{print $2}' | sed 's/://' | egrep -v "lo" | tr '\n' ' ' | grep -Fc "$EASYIPSECINTERFACEVALUE") | |
if [ "$CHECKINTERFACE" = "1" ]; then | |
: # dummy | |
else | |
echo "" # dummy | |
echo "" # dummy | |
echo "[ERROR] interface not usable!" | |
exit 1 | |
fi | |
EASYIPSECCLIENTIP="/tmp/easy_ipsec_client_ip.txt" | |
touch $EASYIPSECCLIENTIP | |
/bin/su -m pulse -c 'espeak -v mb-us1 "Enter your Roadwarrior Client IP: (for example 10.0.0.1)"' > /dev/null 2>&1 & | |
dialog --inputbox "Enter your Roadwarrior Client IP: (for example 10.0.0.1)" 8 40 2>$EASYIPSECCLIENTIP | |
EASYIPSECDESTNET="/tmp/easy_ipsec_destination_net.txt" | |
touch $EASYIPSECDESTNET | |
/bin/su -m pulse -c 'espeak -v mb-us1 "Enter your VPN destination network: (for example 172.31.254.0)"' > /dev/null 2>&1 & | |
dialog --inputbox "Enter your VPN destination network: (for example 172.31.254.0)" 8 40 2>$EASYIPSECDESTNET | |
EASYIPSECCLIENTIPVALUE=$(sed 's/#//g' $EASYIPSECCLIENTIP | sed 's/%//g') | |
EASYIPSECDESTNETVALUE=$(sed 's/#//g' $EASYIPSECDESTNET | sed 's/%//g') | |
OLDINTERFACE=$(/bin/ip a | grep "$EASYIPSECCLIENTIPVALUE" | awk '{print $5}') | |
GIF2=50 | |
( | |
while test $GIF2 != 150 | |
do | |
echo $GIF2 | |
echo "XXX" | |
echo "set ipsec local subnet address: ($GIF2 percent)" | |
echo "XXX" | |
# | |
### run // | |
/bin/ip addr del "$EASYIPSECCLIENTIPVALUE" dev "$OLDINTERFACE" > /dev/null 2>&1 | |
/bin/ip addr add "$EASYIPSECCLIENTIPVALUE"/32 dev "$EASYIPSECINTERFACEVALUE" > /dev/null 2>&1 | |
### // run | |
# | |
GIF2=$((GIF2 + 50)) | |
sleep 1 | |
done | |
) | dialog --title "set ipsec local subnet address" --gauge "set ipsec local subnet address" 20 70 0 | |
EASYIPSECSERVERIP="/tmp/easy_ipsec_server_ip.txt" | |
touch $EASYIPSECSERVERIP | |
/bin/su -m pulse -c 'espeak -v mb-us1 "Enter your VPN IPsec Server IP:"' > /dev/null 2>&1 & | |
dialog --inputbox "Enter your VPN IPsec Server IP:" 8 40 2>$EASYIPSECSERVERIP | |
EASYIPSECLOCALGATEWAY="/tmp/easy_ipsec_local_gateway.txt" | |
touch $EASYIPSECLOCALGATEWAY | |
/bin/su -m pulse -c 'espeak -v mb-us1 "Enter your local gateway IP:"' > /dev/null 2>&1 & | |
dialog --inputbox "Enter your local gateway IP:" 8 40 2>$EASYIPSECLOCALGATEWAY | |
EASYIPSECSERVERIPVALUE=$(sed 's/#//g' $EASYIPSECSERVERIP | sed 's/%//g') | |
EASYIPSECLOCALGATEWAYVALUE=$(sed 's/#//g' $EASYIPSECLOCALGATEWAY | sed 's/%//g') | |
GIF3=50 | |
( | |
while test $GIF3 != 150 | |
do | |
echo $GIF3 | |
echo "XXX" | |
echo "set direct vpn server route: ($GIF3 percent)" | |
echo "XXX" | |
# | |
### run // | |
/bin/netstat -rn4 | grep "$EASYIPSECSERVERIPVALUE" | awk '{print $2}' | xargs -L1 route del -host "$EASYIPSECSERVERIPVALUE" > /dev/null 2>&1 | |
/sbin/route del -host "$EASYIPSECSERVERIPVALUE" > /dev/null 2>&1 | |
/sbin/route add -host "$EASYIPSECSERVERIPVALUE" gw "$EASYIPSECLOCALGATEWAYVALUE" dev "$EASYIPSECINTERFACEVALUE" > /dev/null 2>&1 | |
### // run | |
# | |
GIF3=$((GIF3 + 50)) | |
sleep 1 | |
done | |
) | dialog --title "generic tunnel interface" --gauge "set direct vpn server route" 20 70 0 | |
### check vpn server // | |
# | |
/bin/echo "" | |
### initial "routed" connection // ### | |
( | |
/bin/ping -q -c4 "$EASYIPSECSERVERIPVALUE" > /dev/null | |
) | |
### // initial "routed" connection ### | |
/bin/ping -q -c5 "$EASYIPSECSERVERIPVALUE" > /dev/null | |
if [ $? -eq 0 ] | |
then | |
/bin/echo "" | |
#/ /bin/echo "server is responsive" | |
/bin/su -m pulse -c 'espeak -v mb-us1 "server is responsive"' > /dev/null 2>&1 & | |
printf "\033[1;32m[OK]\033[0m server is responsive \n" | |
sleep 3 | |
else | |
/bin/echo "" | |
#/ /bin/echo "ERROR: server isn't responsive" | |
/bin/su -m pulse -c 'espeak -v mb-us1 "server is not responsive"' > /dev/null 2>&1 & | |
printf "\033[1;33m[WARNING]\033[0m server isn't responsive \n" | |
exit 1 | |
fi | |
# | |
### // check vpn server | |
### modify /etc/ipsec.conf // | |
# | |
(
# Generate /etc/ipsec.conf for a single IKEv1 / pre-shared-key roadwarrior
# tunnel from the values collected above: the client IP (forced to /32), the
# IPsec server IP and the destination network (forced to /24).
# EASYIPSECGETIFIP is derived from the routing table and ifconfig but is not
# referenced anywhere in the heredoc below; presumably a leftover.
EASYIPSECGETIFIP=$(/bin/netstat -rnW4 | grep "$EASYIPSECSERVERIPVALUE" | awk '{print $8}' | xargs -L1 ifconfig | grep -w "inet" | awk '{print $2}' | sed 's/Adresse://g')
# Unquoted heredoc: the $EASYIPSEC*VALUE variables are expanded, the
# strongSwan '%' keywords (%default, %any) are literal. Every line up to the
# IPSECCONF delimiter, including the '#' lines, is written to the file
# verbatim, so shell comments belong outside the heredoc.
/bin/cat <<IPSECCONF > /etc/ipsec.conf
### ### ### PLITC ### ### ###
config setup
strictcrlpolicy=yes
conn %default
ikelifetime=10m
keylife=5m
rekeymargin=1m
keyingtries=1
keyexchange=ikev1
conn roadwarrior
left=%any
leftsubnet=$EASYIPSECCLIENTIPVALUE/32
leftauth=psk
leftsendcert=never
leftfirewall=yes
type=tunnel
right=$EASYIPSECSERVERIPVALUE
rightsubnet=$EASYIPSECDESTNETVALUE/24
rightauth=psk
auto=route
forceencaps=yes
compress=no
dpddelay=30
dpdtimeout=10
dpdaction=clear
ike=aes256-sha512-modp4096!
esp=aes256-sha512-modp4096!
leftikeport=4500
rightikeport=4500
### ### ### PLITC ### ### ###
# EOF
IPSECCONF
)
# | |
/bin/chmod 0600 /etc/ipsec.conf | |
# | |
### // modify /etc/ipsec.conf | |
### modify /etc/ipsec.secrets // | |
# | |
(
# Ask for the server's pre-shared key and write it to /etc/ipsec.secrets.
# The dialog inputbox writes the answer to stderr, which is redirected into a
# /tmp file; the file is created with touch and then chmod 0600.
# NOTE(review): the path is fixed in world-writable /tmp and touch runs before
# chmod, so the file briefly carries umask permissions; creating it with
# mktemp (mode 0600 from the start) would close that window.
EASYIPSECSERVERPSK="/tmp/easy_ipsec_server_psk.txt"
touch $EASYIPSECSERVERPSK
/bin/chmod 0600 $EASYIPSECSERVERPSK
/bin/su -m pulse -c 'espeak -v mb-us1 "Enter your VPN IPsec Server Pre-shared key: (without spaces and pound)"' > /dev/null 2>&1 &
dialog --inputbox "Enter your VPN IPsec Server Pre-shared key: (without spaces and pound)" 8 85 2>$EASYIPSECSERVERPSK
# '#' and '%' are stripped from the answer; nothing else is validated.
EASYIPSECSERVERPSKVALUE=$(sed 's/#//g' $EASYIPSECSERVERPSK | sed 's/%//g')
# Unquoted heredoc: server IP and PSK are expanded as-is. A PSK containing a
# double quote, '$' or backslash would change the syntax of the written line.
/bin/cat <<PSK > /etc/ipsec.secrets
### ### ### PLITC ### ### ###
#
$EASYIPSECSERVERIPVALUE : PSK "$EASYIPSECSERVERPSKVALUE"
#
### ### ### PLITC ### ### ###
# EOF
PSK
# Restrict the secrets file to root; if chmod fails, check whether an
# immutable attribute (lsattr flag field containing 'i') is the cause and warn.
/bin/chmod 0600 /etc/ipsec.secrets > /dev/null 2>&1
if [ $? -eq 0 ]
then
: # dummy
else
CHECKATTRIPSECSECRETS=$(lsattr /etc/ipsec.secrets | awk '{print $1}' | grep -c "i")
if [ "$CHECKATTRIPSECSECRETS" = "1" ]; then
echo "" # dummy
/bin/su -m pulse -c 'espeak -v mb-us1 "WARNING your ipsec.secrets file has an immutable flag!"' > /dev/null 2>&1 &
printf "\033[1;31m[WARNING] /etc/ipsec.secrets has immutable flag!\033[0m\n"
echo "" # dummy
sleep 4
fi
fi
# remove the plaintext copy of the PSK from /tmp
/bin/rm $EASYIPSECSERVERPSK
)
# | |
### // modify /etc/ipsec.secrets | |
### start ipsec // | |
# | |
( | |
/bin/echo "" | |
/bin/echo "Starting IPsec" | |
sleep 1 | |
/bin/echo "" | |
/bin/systemctl restart strongswan | |
sleep 1 | |
/bin/echo "" | |
/bin/systemctl status strongswan | |
sleep 1 | |
/bin/echo "" | |
/usr/sbin/ipsec statusall | |
sleep 5 | |
/bin/echo "" | |
) | |
# | |
### ipsec test // | |
# | |
#( | |
EASYIPSECSERVERTEST="/tmp/easy_ipsec_server_test.txt" | |
touch $EASYIPSECSERVERTEST | |
/bin/chmod 0600 $EASYIPSECSERVERTEST | |
/bin/su -m pulse -c 'espeak -v mb-us1 "Enter your VPN IPsec Server forwarding interface IP: (for example 172.31.254.254)"' > /dev/null 2>&1 & | |
dialog --inputbox "Enter your VPN IPsec Server forwarding interface IP: (for example 172.31.254.254)" 8 85 2>$EASYIPSECSERVERTEST | |
EASYIPSECSERVERTESTVALUE=$(sed 's/#//g' $EASYIPSECSERVERTEST | sed 's/%//g') | |
/bin/ping -q -c5 "$EASYIPSECSERVERTESTVALUE" > /dev/null | |
if [ $? -eq 0 ] | |
then | |
#/ dialog --title "VPN IPsec Gateway Test" --backtitle "VPN IPsec Gateway Test" --msgbox "It works!" 0 0 | |
echo "" # dummy | |
echo "" # dummy | |
/bin/su -m pulse -c 'espeak -v mb-us1 "server is responsive"' > /dev/null 2>&1 & | |
printf "\033[1;32m[OK]\033[0m server is responsive \n" | |
sleep 2 | |
else | |
#/ dialog --title "VPN IPsec Gateway Test" --backtitle "VPN IPsec Gateway Test" --msgbox "ERROR: can't ping!" 0 0 | |
echo "" # dummy | |
echo "" # dummy | |
/bin/su -m pulse -c 'espeak -v mb-us1 "server is not responsive"' > /dev/null 2>&1 & | |
printf "\033[1;33m[WARNING]\033[0m server isn't responsive \n" | |
exit 1 | |
fi | |
#) | |
# | |
### // ipsec test | |
systemctl status strongswan > /tmp/easy_ipsec_racoon_log.txt | |
# | |
RACOONLOG="/tmp/easy_ipsec_racoon_log.txt" | |
# | |
( | |
dialog --textbox "$RACOONLOG" 0 0 | |
) | |
# | |
/bin/rm -rf "$EASYIPSECSERVERTEST" | |
# | |
### // start ipsec | |
### // stage2 ### | |
### ipsec iptable rules // ### | |
# | |
#( | |
/bin/su -m pulse -c 'espeak -v mb-us1 "do you want allow (ipv4) ipsec only traffic?"' > /dev/null 2>&1 & | |
dialog --title "IPsec restrictive Firewall Rules" --backtitle "IPsec restrictive Firewall Rules" --yesno "do you want allow (ipv4) ipsec only traffic?" 7 70 | |
IPSECFIREWALL=$? | |
case $IPSECFIREWALL in | |
0) | |
#/ ### | |
#/ #/ clean up | |
#/ /bin/rm -rf /tmp/easy_ipsec*.txt | |
#/ ### | |
# | |
sleep 2 | |
# | |
### ACCEPT // ### | |
###/ v4 | |
iptables -P INPUT ACCEPT | |
iptables -P FORWARD ACCEPT | |
iptables -P OUTPUT ACCEPT | |
##/ v6 | |
ip6tables -P INPUT ACCEPT | |
ip6tables -P FORWARD ACCEPT | |
ip6tables -P OUTPUT ACCEPT | |
### // ACCEPT ### | |
### flush // ### | |
##/ v4 | |
iptables -F INPUT | |
iptables -F FORWARD | |
iptables -F OUTPUT | |
iptables -t nat -F PREROUTING | |
iptables -t nat -F POSTROUTING | |
##/ v6 | |
ip6tables -F INPUT | |
ip6tables -F FORWARD | |
ip6tables -F OUTPUT | |
ip6tables -t nat -F PREROUTING | |
ip6tables -t nat -F POSTROUTING | |
### // flush ### | |
### ALLOW: loopback interface // ### | |
##/ v4 | |
iptables -A INPUT -i lo -j ACCEPT | |
iptables -A OUTPUT -o lo -j ACCEPT | |
##/ v6 | |
ip6tables -A INPUT -i lo -j ACCEPT | |
ip6tables -A OUTPUT -o lo -j ACCEPT | |
### // ALLOW: loopback interface ### | |
### ALLOW: from any to me DHCP // ### | |
iptables -A INPUT -i "$EASYIPSECINTERFACEVALUE" -p udp --dport 67:68 --sport 67:68 -j ACCEPT | |
iptables -A OUTPUT -o "$EASYIPSECINTERFACEVALUE" -p udp --dport 67:68 --sport 67:68 -j ACCEPT | |
### // ALLOW: from any to me DHCP ### | |
### ALLOW: Internet Protocol v6 ICMP // ### | |
ip6tables -N ICMPv6 | |
ip6tables -A INPUT -i "$EASYIPSECINTERFACEVALUE" -p icmpv6 -j ICMPv6 | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type echo-request -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type redirect -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 141 -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 142 -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 148 -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 149 -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 151 -s fe80::/10 -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 152 -s fe80::/10 -j ACCEPT | |
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 153 -s fe80::/10 -j ACCEPT | |
ip6tables -A ICMPv6 -j RETURN | |
ip6tables -A OUTPUT -o "$EASYIPSECINTERFACEVALUE" -p icmpv6 -j ACCEPT | |
### // ALLOW: Internet Protocol v6 ICMP ### | |
### ALLOW: from me to any SSH // ### | |
##/ v4 | |
iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
##/ v6 | |
ip6tables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
ip6tables -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
### // ALLOW: from me to any SSH ### | |
### ALLOW: from me to any SMB/CIFS // ### | |
##/ v4 | |
iptables -A INPUT -p tcp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
iptables -A OUTPUT -p tcp --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
##/ v6 | |
ip6tables -A INPUT -p tcp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
ip6tables -A OUTPUT -p tcp --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
### // ALLOW: from me to any SMB/CIFS ### | |
### ALLOW: from any to any ICMP // ### | |
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
iptables -A OUTPUT -p icmp --icmp-type 0 -s 0/0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
iptables -A OUTPUT -p icmp --icmp-type 8 -s 0/0 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
if [ $? -eq 0 ] | |
then | |
: # dummy | |
else | |
iptables -A OUTPUT -p icmp --icmp-type 8 -s 0/0 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
fi | |
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP | |
### // ALLOW: from any to any ICMP ### | |
### ALLOW: ipsec encapsulation // ### | |
##/ v4 | |
##/ IKE negotiations | |
iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT | |
iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT | |
##/ IKE negotiations over nat | |
iptables -A INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT | |
iptables -A OUTPUT -p udp --sport 4500 --dport 4500 -j ACCEPT | |
##/ ESP encryption and authentication
iptables -A INPUT -p 50 -j ACCEPT | |
iptables -A OUTPUT -p 50 -j ACCEPT | |
##/ uncomment for AH authentication header | |
#/ iptables -A INPUT -p 51 -j ACCEPT | |
#/ iptables -A OUTPUT -p 51 -j ACCEPT | |
##/ v6 | |
##/ IKE negotiations | |
ip6tables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT | |
ip6tables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT | |
##/ IKE negotiations over nat | |
#/ iptables -A INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT | |
#/ iptables -A OUTPUT -p udp --sport 4500 --dport 4500 -j ACCEPT | |
##/ ESP encryption and authentication
ip6tables -A INPUT -p 50 -j ACCEPT | |
ip6tables -A OUTPUT -p 50 -j ACCEPT | |
##/ uncomment for AH authentication header | |
#/ iptables -A INPUT -p 51 -j ACCEPT | |
#/ iptables -A OUTPUT -p 51 -j ACCEPT | |
### // ALLOW: ipsec encapsulation ### | |
### ALLOW: ipsec policy // ### | |
iptables -A FORWARD -s "$EASYIPSECDESTNETVALUE"/24 -d "$EASYIPSECCLIENTIPVALUE"/32 -i "$EASYIPSECINTERFACEVALUE" -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT | |
iptables -A FORWARD -s "$EASYIPSECCLIENTIPVALUE"/32 -d "$EASYIPSECDESTNETVALUE"/24 -o "$EASYIPSECINTERFACEVALUE" -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT | |
### // ALLOW: ipsec policy ### | |
### ALLOW: through ipsec // ### | |
iptables -A INPUT -m policy --pol ipsec --dir in -j ACCEPT | |
iptables -A OUTPUT -m policy --pol ipsec --dir out -j ACCEPT | |
### // ALLOW: through ipsec ### | |
### info // ### | |
iptables -N EASYIPSEC > /dev/null 2>&1 | |
ip6tables -N EASYIPSEC > /dev/null 2>&1 | |
### // info ### | |
### DROP: igmp // ### | |
##/ v4 | |
iptables -A INPUT -p igmp -j DROP | |
iptables -A OUTPUT -p igmp -j DROP | |
##/ v6 | |
ip6tables -A INPUT -p igmp -j DROP | |
ip6tables -A OUTPUT -p igmp -j DROP | |
### // DROP: igmp ### | |
### DROP: broadcast/multicast // ### | |
##/ v4 | |
iptables -A INPUT -s 224.0.0.0/4 -j DROP | |
iptables -A INPUT -d 224.0.0.0/4 -j DROP | |
iptables -A INPUT -s 240.0.0.0/5 -j DROP | |
iptables -A INPUT -m pkttype --pkt-type multicast -j DROP | |
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP | |
iptables -A OUTPUT -s 224.0.0.0/4 -j DROP | |
iptables -A OUTPUT -d 224.0.0.0/4 -j DROP | |
iptables -A OUTPUT -s 240.0.0.0/5 -j DROP | |
iptables -A OUTPUT -m pkttype --pkt-type multicast -j DROP | |
iptables -A OUTPUT -m pkttype --pkt-type broadcast -j DROP | |
##/ v6 | |
ip6tables -A INPUT -m pkttype --pkt-type multicast -j DROP | |
ip6tables -A OUTPUT -m pkttype --pkt-type multicast -j DROP | |
### // DROP: broadcast/multicast ### | |
### DROP // ### | |
##/ v4 | |
iptables -P INPUT DROP | |
iptables -P FORWARD DROP | |
iptables -P OUTPUT DROP | |
##/ v6 | |
ip6tables -P INPUT DROP | |
ip6tables -P FORWARD DROP | |
ip6tables -P OUTPUT DROP | |
### // DROP ### | |
# | |
;; | |
1) | |
/bin/echo "" # dummy | |
printf "\033[1;31mIPsec finished\033[0m\n" | |
### | |
#/ clean up | |
/bin/rm -rf /tmp/easy_ipsec*.txt | |
### | |
;; | |
255) | |
/bin/echo "" # dummy | |
/bin/echo "[ESC] key pressed." | |
/bin/echo "" # dummy | |
printf "\033[1;31mIPsec finished\033[0m\n" | |
### | |
#/ clean up | |
/bin/rm -rf /tmp/easy_ipsec*.txt | |
### | |
;; | |
esac | |
#) | |
# | |
### // ipsec iptable rules ### | |
### stage3 // ### | |
### ipsec/openvpn relay setup // ### | |
# | |
#( | |
/bin/su -m pulse -c 'espeak -v mb-us1 "if you have an IPsec/OpenVPN Relay Server-Setup Go ahead!"' > /dev/null 2>&1 & | |
dialog --title "IPsec/OpenVPN Relay Network" --backtitle "IPsec/OpenVPN Relay Network" --yesno "if you have an IPsec/OpenVPN Relay Server-Setup Go ahead!" 7 70 | |
OPENVPN=$? | |
case $OPENVPN in | |
0) | |
/bin/echo "" # dummy | |
/bin/echo "" # dummy | |
;; | |
1) | |
/bin/echo "" # dummy | |
/bin/echo "" # dummy | |
printf "\033[1;31mHave a nice day with IPsec\033[0m\n" | |
### | |
#/ clean up | |
/bin/rm -rf /tmp/easy_ipsec*.txt | |
### | |
exit 0 | |
;; | |
255) | |
/bin/echo "" # dummy | |
/bin/echo "" # dummy | |
/bin/echo "[ESC] key pressed." | |
;; | |
esac | |
#) | |
# | |
( | |
/bin/su -m pulse -c 'espeak -v mb-us1 "its time now to establish a successful connection! ... than press OK"' > /dev/null 2>&1 & | |
dialog --title "IPsec/OpenVPN Relay Network" --backtitle "IPsec/OpenVPN Relay Network" --msgbox "its time now to establish a successful connection! ... than press OK" 8 80 | |
) | |
# | |
### // ipsec/openvpn relay setup ### | |
### openvpn connection // ### | |
# | |
EASYIPSECOVPNCONFIG1="/tmp/easy_ipsec_server_openvpn_config1.txt" | |
EASYIPSECOVPNCONFIG2="/tmp/easy_ipsec_server_openvpn_config2.txt" | |
EASYIPSECOVPNCONFIG3="/tmp/easy_ipsec_server_openvpn_config3.txt" | |
EASYIPSECOVPNCONFIG4="/tmp/easy_ipsec_server_openvpn_config4.txt" | |
EASYIPSECOVPNCONFIG5="/tmp/easy_ipsec_server_openvpn_config5.txt" | |
( | |
# clean up - systemctl | |
systemctl reset-failed | |
sleep 1 | |
systemctl daemon-reload | |
sleep 1 | |
) | |
systemctl --all | grep openvpn | awk '{print $1}' | egrep -v "system" > "$EASYIPSECOVPNCONFIG1" | |
nl "$EASYIPSECOVPNCONFIG1" | sed 's/ //g' > "$EASYIPSECOVPNCONFIG2" | |
/bin/sed 's/$/ off/' "$EASYIPSECOVPNCONFIG2" > "$EASYIPSECOVPNCONFIG3" | |
/bin/su -m pulse -c 'espeak -v mb-us1 "Choose one OpenVPN Service:"' > /dev/null 2>&1 & | |
dialog --radiolist "Choose one OpenVPN Service:" 45 80 60 --file "$EASYIPSECOVPNCONFIG3" 2>"$EASYIPSECOVPNCONFIG4" | |
list1=$? | |
case $list1 in | |
0) | |
echo "" # dummy | |
echo "" # dummy | |
awk 'NR==FNR {h[$1] = $2; next} {print $1,$2,h[$1]}' "$EASYIPSECOVPNCONFIG3" "$EASYIPSECOVPNCONFIG4" | awk '{print $2}' | sed 's/"//g' > "$EASYIPSECOVPNCONFIG5" | |
GETSERVICE=$(cat "$EASYIPSECOVPNCONFIG5") | |
systemctl restart "$GETSERVICE" | |
(echo "systemctl restart $GETSERVICE"; sleep 10) & spinner $! | |
: # dummy | |
;; | |
1) | |
echo "" # dummy | |
echo "" # dummy | |
exit 0 | |
;; | |
255) | |
echo "" # dummy | |
echo "" # dummy | |
echo "[ESC] key pressed." | |
exit 0 | |
;; | |
esac | |
# | |
### // openvpn connection ### | |
### openvpn server // ### | |
# | |
EASYIPSECSERVEROVPNTEST="/tmp/easy_ipsec_server_openvpn_test.txt" | |
touch $EASYIPSECSERVEROVPNTEST | |
/bin/chmod 0600 $EASYIPSECSERVEROVPNTEST | |
/bin/su -m pulse -c 'espeak -v mb-us1 "Enter your VPN OpenVPN Server forwarding interface IP: (for example 172.31.253.1)"' > /dev/null 2>&1 & | |
dialog --inputbox "Enter your VPN OpenVPN Server forwarding interface IP: (for example 172.31.253.1)" 8 85 2>$EASYIPSECSERVEROVPNTEST | |
EASYIPSECSERVEROVPNTESTVALUE=$(sed 's/#//g' $EASYIPSECSERVEROVPNTEST | sed 's/%//g') | |
/bin/ping -q -c5 "$EASYIPSECSERVEROVPNTESTVALUE" > /dev/null | |
if [ $? -eq 0 ] | |
then | |
#/ dialog --title "VPN OpenVPN Gateway Test" --backtitle "VPN OpenVPN Gateway Test" --msgbox "It works!" 0 0 | |
echo "" # dummy | |
echo "" # dummy | |
/bin/su -m pulse -c 'espeak -v mb-us1 "server is responsive"' > /dev/null 2>&1 & | |
printf "\033[1;32m[OK]\033[0m server is responsive \n" | |
sleep 2 | |
else | |
#/ dialog --title "VPN OpenVPN Gateway Test" --backtitle "VPN OpenVPN Gateway Test" --msgbox "ERROR: can't ping!" 0 0 | |
echo "" # dummy | |
echo "" # dummy | |
/bin/su -m pulse -c 'espeak -v mb-us1 "server is not responsive"' > /dev/null 2>&1 & | |
printf "\033[1;33m[WARNING]\033[0m server isn't responsive \n" | |
exit 1 | |
fi | |
##/bin/rm -rf $EASYIPSECSERVEROVPNTEST | |
# | |
### // openvpn server ### | |
### new default gateway // ### | |
# | |
EASYIPSECNETSTATOVPN1="/tmp/easy_ipsec_server_openvpn_netstat1.txt" | |
touch $EASYIPSECNETSTATOVPN1 | |
/bin/chmod 0600 $EASYIPSECNETSTATOVPN1 | |
EASYIPSECNETSTATOVPN2="/tmp/easy_ipsec_server_openvpn_netstat2.txt" | |
touch $EASYIPSECNETSTATOVPN2 | |
/bin/chmod 0600 $EASYIPSECNETSTATOVPN2 | |
# | |
/bin/su -m pulse -c 'espeak -v mb-us1 "it seems to work, lets change the default gateway!"' > /dev/null 2>&1 & | |
dialog --title "IPsec/OpenVPN Relay Network" --backtitle "IPsec/OpenVPN Relay Network" --msgbox "it seems to work, lets change the default gateway!" 8 70 | |
# | |
#/ /sbin/route del default > /dev/null 2>&1 | |
/sbin/route del -net 128.0.0.0/1 > /dev/null 2>&1 | |
/sbin/route del -net 0.0.0.0/1 > /dev/null 2>&1 | |
# | |
#/ EASYIPSECOVPNSUBNET=$(echo "$EASYIPSECSERVEROVPNTESTVALUE" | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.' | sed 's/$/0/') | |
EASYIPSECOVPNSUBNETSMALL=$(echo "$EASYIPSECSERVEROVPNTESTVALUE" | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') | |
EASYIPSECOVPNINTERFACE=$(netstat -rn4 | grep "$EASYIPSECOVPNSUBNETSMALL" | head -n1 | awk '{print $8}') | |
/bin/ip r a "$EASYIPSECSERVEROVPNTESTVALUE"/32 dev "$EASYIPSECOVPNINTERFACE" | |
/bin/ip r a 0.0.0.0/1 via "$EASYIPSECSERVEROVPNTESTVALUE" > /dev/null 2>&1 | |
/bin/ip r a 128.0.0/1 via "$EASYIPSECSERVEROVPNTESTVALUE" > /dev/null 2>&1 | |
# | |
### openvpn iptable rules // ## | |
# | |
CHECKIPSECIPTABLERULES=$(iptables -S | grep -c "EASYIPSEC") | |
if [ "$CHECKIPSECIPTABLERULES" = "1" ] | |
then | |
##/ v4 | |
iptables -A INPUT -i "$EASYIPSECOVPNINTERFACE" -j ACCEPT | |
iptables -A OUTPUT -o "$EASYIPSECOVPNINTERFACE" -j ACCEPT | |
##/ v6 | |
ip6tables -A INPUT -i "$EASYIPSECOVPNINTERFACE" -j ACCEPT | |
ip6tables -A OUTPUT -o "$EASYIPSECOVPNINTERFACE" -j ACCEPT | |
#/ check minidlna | |
CHECKIPSECOVPNMINIDLNA=$(dpkg -l | grep -c "minidlna") | |
if [ "$CHECKIPSECOVPNMINIDLNA" = "1" ] | |
then | |
CHECKIPSECOVPNMINIDLNASERVICE=$(systemctl status minidlna | grep -c "running") | |
if [ "$CHECKIPSECOVPNMINIDLNASERVICE" = "1" ] | |
then | |
iptables -A INPUT -i "$EASYIPSECINTERFACEVALUE" -p udp --dport 1900 -j ACCEPT | |
iptables -A OUTPUT -o "$EASYIPSECINTERFACEVALUE" -p udp --sport 1900 -j ACCEPT | |
iptables -A INPUT -i "$EASYIPSECINTERFACEVALUE" -p tcp --dport 8200 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
iptables -A OUTPUT -o "$EASYIPSECINTERFACEVALUE" -p tcp --sport 8200 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
ip6tables -A INPUT -i "$EASYIPSECINTERFACEVALUE" -p udp --dport 1900 -j ACCEPT | |
ip6tables -A OUTPUT -o "$EASYIPSECINTERFACEVALUE" -p udp --sport 1900 -j ACCEPT | |
ip6tables -A INPUT -i "$EASYIPSECINTERFACEVALUE" -p tcp --dport 8200 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
ip6tables -A OUTPUT -o "$EASYIPSECINTERFACEVALUE" -p tcp --sport 8200 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
##/ v4 | |
iptables -D INPUT -s 224.0.0.0/4 -j DROP | |
iptables -D INPUT -d 224.0.0.0/4 -j DROP | |
iptables -D INPUT -s 240.0.0.0/5 -j DROP | |
iptables -D INPUT -m pkttype --pkt-type multicast -j DROP | |
iptables -D INPUT -m pkttype --pkt-type broadcast -j DROP | |
iptables -D OUTPUT -s 224.0.0.0/4 -j DROP | |
iptables -D OUTPUT -d 224.0.0.0/4 -j DROP | |
iptables -D OUTPUT -s 240.0.0.0/5 -j DROP | |
iptables -D OUTPUT -m pkttype --pkt-type multicast -j DROP | |
iptables -D OUTPUT -m pkttype --pkt-type broadcast -j DROP | |
##/ v6 | |
ip6tables -D INPUT -m pkttype --pkt-type multicast -j DROP | |
ip6tables -D OUTPUT -m pkttype --pkt-type multicast -j DROP | |
fi | |
fi | |
#/ check local unbound | |
CHECKIPSECOVPNUNBOUND=$(dpkg -l | grep -c "unbound") | |
if [ "$CHECKIPSECOVPNUNBOUND" = "1" ] | |
then | |
CHECKIPSECOVPNUNBOUNDSERVICE=$(systemctl status unbound | grep -c "running") | |
if [ "$CHECKIPSECOVPNUNBOUNDSERVICE" = "1" ] | |
then | |
#/ systemctl restart unbound | |
systemctl stop unbound | |
sleep 2 | |
systemctl start unbound | |
fi | |
fi | |
#/ static ARP | |
GETIPSECSERVERGATEWAYFORMAT=$(echo "$EASYIPSECSERVERIPVALUE" | grep -cEo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') | |
if [ "$GETIPSECSERVERGATEWAYFORMAT" = "0" ] | |
then | |
#/ fqdn | |
GETIPSECGATEWAYFQDN=$(netstat -r4 | awk '{print $1,$2}' | grep "$(echo "$EASYIPSECSERVERIPVALUE" | cut -c 1,2,3,4,5,6)" | awk '{print $2}') | |
GETIPSECGATEWAYFQDNMAC=$(arp -n | grep "$GETIPSECGATEWAYFQDN" | awk '{print $3}') | |
arp -s "$GETIPSECGATEWAYFQDN" "$GETIPSECGATEWAYFQDNMAC" | |
else | |
#/ ip address | |
GETIPSECGATEWAY=$(netstat -rn4 | grep "$EASYIPSECSERVERIPVALUE" | awk '{print $2}') | |
GETIPSECGATEWAYMAC=$(arp -n | grep "$GETIPSECGATEWAY" | awk '{print $3}') | |
arp -s "$GETIPSECGATEWAY" "$GETIPSECGATEWAYMAC" | |
fi | |
else | |
: # dummy | |
fi | |
# | |
### // openvpn iptable rules ### | |
### | |
/bin/netstat -rn4 > "$EASYIPSECNETSTATOVPN1" | |
/bin/netstat -rn6 > "$EASYIPSECNETSTATOVPN2" | |
### | |
# | |
dialog --textbox "$EASYIPSECNETSTATOVPN1" 0 0 | |
dialog --textbox "$EASYIPSECNETSTATOVPN2" 0 0 | |
# | |
### | |
/bin/echo "" # dummy | |
/bin/echo "" # dummy | |
/bin/su -m pulse -c 'espeak -v mb-us1 "Have a nice day with Internet Protocol Security and OpenVPN"' > /dev/null 2>&1 & | |
printf "\033[1;31mHave a nice day with IPsec and OpenVPN\033[0m\n" | |
### | |
# | |
#HUHU /bin/rm -rf "$EASYIPSECNETSTATOVPN1" | |
# | |
### // new default gateway ### | |
### // stage3 ### | |
### stage4 // ### | |
# | |
( | |
# clean up | |
/bin/rm -rf /tmp/easy_ipsec*.txt | |
) | |
# | |
### // stage4 ### | |
### ### ### ### ### ### ### ### ### | |
;; | |
*) | |
# error 1 | |
echo "<--- --- --->" | |
echo "" | |
echo "ERROR: Plattform = unknown" | |
exit 1 | |
;; | |
esac | |
### ### ### ### ### ### ### ### ### | |
;; | |
*) | |
# error 1 | |
echo "<--- --- --->" | |
echo "" | |
echo "ERROR: Plattform = unknown" | |
exit 1 | |
;; | |
esac | |
# | |
### // stage1 ### | |
### ### ### PLITC ### ### ### | |
# EOF |