ipsec VPN setup script for Ubuntu >= 12.04
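#!/bin/sh
#
# DO NOT RUN THIS SCRIPT ON YOUR COMPUTER
#
# This script installs a VPN on server with Ubuntu >= 12.04
#
# Based on voodoo-vpn.sh
# Copyright Thomas Sarlandie 2012
# See http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
#
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
#
# What it does: installs openswan and xl2tpd, writes the IPsec / L2TP / PPP
# configuration, enables IPv4 forwarding and NAT for the L2TP client pool, and
# persists the iptables rules so they are reloaded before an interface comes up.
# Runs as root. Environment: VPN_IFACE (optional) overrides the outbound
# interface used for masquerading.

# Stop on the first failing command or unset variable so that a half-written
# configuration is never handed to a service restart.
set -eu

# Edit these values
# The PSK and the user password are placeholders and must be replaced with
# values generated for this server before the script is run.
IPSEC_PSK=correcthorsebatterystaple
VPN_USER=orange
VPN_PASSWORD=pineapple
PUBLIC_IP=198.199.124.112
# Behind 1:1 NAT (e.g. a cloud instance) this is the address of the local interface.
PRIVATE_IP=$PUBLIC_IP
# Interface facing the internet; defaults to the original hard-coded eth0.
VPN_IFACE=${VPN_IFACE:-eth0}
###########################

export DEBIAN_FRONTEND=noninteractive
apt-get install -y openswan xl2tpd

# ipsec.conf parameters must be indented under their section header; a line at
# column 0 is read by the parser as the start of a new section.
# ike/phase2alg stay at 3des-sha1 for compatibility with the L2TP clients of
# the time; it is a legacy cipher suite and should be reviewed against what the
# intended clients support today.
cat > /etc/ipsec.conf <<EOF
version 2.0

config setup
  dumpdir=/var/run/pluto/
  nat_traversal=yes
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
  oe=off
  protostack=netkey
  nhelpers=0
  interfaces=%defaultroute

conn vpnpsk
  auto=add
  left=$PRIVATE_IP
  leftid=$PUBLIC_IP
  leftsubnet=$PRIVATE_IP/32
  leftnexthop=%defaultroute
  leftprotoport=17/1701
  rightprotoport=17/%any
  right=%any
  rightsubnetwithin=0.0.0.0/0
  forceencaps=yes
  authby=secret
  pfs=no
  type=transport
  auth=esp
  ike=3des-sha1
  phase2alg=3des-sha1
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
EOF

# Holds the PSK in clear text: root-only.
cat > /etc/ipsec.secrets <<EOF
$PUBLIC_IP %any : PSK "$IPSEC_PSK"
EOF
chmod 600 /etc/ipsec.secrets

cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global]
port = 1701
;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes

[lns default]
ip range = 192.168.42.10-192.168.42.250
local ip = 192.168.42.1
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF

cat > /etc/ppp/options.xl2tpd <<EOF
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
auth
crtscts
idle 1800
mtu 1280
mru 1280
lock
connect-delay 5000
EOF

# Holds the CHAP password in clear text: root-only.
cat > /etc/ppp/chap-secrets <<EOF
# Secrets for authentication using CHAP
# client server secret IP addresses
$VPN_USER l2tpd "$VPN_PASSWORD" *
EOF
chmod 600 /etc/ppp/chap-secrets

# NAT the client pool out of the public interface. The -C check keeps the rule
# from being appended a second time when the script is re-run.
iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$VPN_IFACE" -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o "$VPN_IFACE" -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward

#######################################
# Append a sysctl line to /etc/sysctl.conf unless that exact line is already
# there, so re-running the script does not duplicate entries.
# Arguments: $1 - the "key = value" line to persist
#######################################
add_sysctl() {
  grep -qxF -- "$1" /etc/sysctl.conf 2>/dev/null || echo "$1" >> /etc/sysctl.conf
}

add_sysctl "net.ipv4.ip_forward = 1"
add_sysctl "net.ipv4.conf.all.accept_redirects = 0"
add_sysctl "net.ipv4.conf.all.send_redirects = 0"

# Apply the redirect settings to every interface that already exists; the
# "all" entries above only cover interfaces created afterwards.
for vpn in /proc/sys/net/ipv4/conf/*; do
  echo 0 > "$vpn/accept_redirects"
  echo 0 > "$vpn/send_redirects"
done
sysctl -p

iptables-save > /etc/iptables.rules

# Quoted delimiter: nothing in the hook is meant to expand at install time.
# run-parts only runs executable hooks, so the chmod is what makes the rules
# actually come back after a reboot.
cat > /etc/network/if-pre-up.d/iptablesload <<'EOF'
#!/bin/sh
iptables-restore < /etc/iptables.rules
echo 1 > /proc/sys/net/ipv4/ip_forward
exit 0
EOF
chmod 755 /etc/network/if-pre-up.d/iptablesload

/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart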