duan-li/initial_l2tpd.sh

## initial_l2tpd.sh
#!/bin/bash
# ref https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_14.04.html
echo "Type a VPN Username:"
read VPN_USER
echo "Type a VPN Password:"
read VPN_PASSWORD

echo "Type a Pre-Shared key(As long as possible)"
read IPSEC_PSK

PUBLIC_IP=$(curl http://ip.mtak.nl)
# IPSEC_PSK=$(openssl rand -hex 30)
apt-get update && \
apt-get upgrade -y && \
apt-get autoclean && \
apt-get autoremove && \
apt-get clean

sudo apt-get install xl2tpd openswan ppp lsof git -y

iptables -t nat -A POSTROUTING -j SNAT --to-source $PUBLIC_IP -o eth+

echo "net.ipv4.ip_forward = 1" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" |  tee -a /etc/sysctl.conf


for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done

sysctl -p

cat > /etc/ipsec.conf <<EOF
version 2 # conforms to second version of ipsec.conf specification
config setup
    dumpdir=/var/run/pluto/
    #in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
    nat_traversal=yes
    #whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
    protostack=netkey
    #decide which protocol stack is going to be used.
	force_keepalive=yes
    keep_alive=60

#conn L2TP-PSK-NAT
#    rightsubnet=vhost:%priv
#    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    #shared secret. Use rsasig for certificates.
    pfs=no
    #Disable pfs
    auto=add
    #start at boot
    keyingtries=3
    #Only negotiate a conn. 3 times.
    ikelifetime=8h
    keylife=1h
    ike=aes256-sha1,aes128-sha1,3des-sha1
    phase2alg=aes256-sha1,aes128-sha1,3des-sha1
    type=transport
    #because we use l2tp as tunnel protocol
    left=$PUBLIC_IP
    #fill in server IP above
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
EOF

cat > /etc/ipsec.secrets <<EOF
$PUBLIC_IP  %any  : PSK "$IPSEC_PSK"
EOF


cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global]
ipsec saref = yes
saref refinfo = 30

[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
unix authentication = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF

cat > /etc/ppp/options.xl2tpd <<EOF
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
login
EOF

cat > /etc/pam.d/ppp <<EOF
#%PAM-1.0
# Information for the PPPD process with the 'login' option.
auth	required	pam_nologin.so
auth    required        pam_unix.so
account required        pam_unix.so
session required        pam_unix.so
@include common-auth
@include common-account
@include common-session
EOF


cat > /etc/ppp/chap-secrets <<EOF
# Secrets for authentication using CHAP
# client  server  secret  IP addresses

$VPN_USER	l2tpd	$VPN_PASSWORD	*
test	l2ptd	test	*
EOF


service ipsec restart
service xl2tpd restart
	#!/bin/bash
	# ref https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_14.04.html
	echo "Type a VPN Username:"
	read VPN_USER
	echo "Type a VPN Password:"
	read VPN_PASSWORD

	echo "Type a Pre-Shared key(As long as possible)"
	read IPSEC_PSK

	PUBLIC_IP=$(curl http://ip.mtak.nl)
	# IPSEC_PSK=$(openssl rand -hex 30)
	apt-get update && \
	apt-get upgrade -y && \
	apt-get autoclean && \
	apt-get autoremove && \
	apt-get clean

	sudo apt-get install xl2tpd openswan ppp lsof git -y

	iptables -t nat -A POSTROUTING -j SNAT --to-source $PUBLIC_IP -o eth+

	echo "net.ipv4.ip_forward = 1" \| tee -a /etc/sysctl.conf
	echo "net.ipv4.conf.all.accept_redirects = 0" \| tee -a /etc/sysctl.conf
	echo "net.ipv4.conf.all.send_redirects = 0" \| tee -a /etc/sysctl.conf
	echo "net.ipv4.conf.default.rp_filter = 0" \| tee -a /etc/sysctl.conf
	echo "net.ipv4.conf.default.accept_source_route = 0" \| tee -a /etc/sysctl.conf
	echo "net.ipv4.conf.default.send_redirects = 0" \| tee -a /etc/sysctl.conf
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" \| tee -a /etc/sysctl.conf


	for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done

	sysctl -p

	cat > /etc/ipsec.conf <<EOF
	version 2 # conforms to second version of ipsec.conf specification
	config setup
	dumpdir=/var/run/pluto/
	#in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
	nat_traversal=yes
	#whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
	#contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
	protostack=netkey
	#decide which protocol stack is going to be used.
	force_keepalive=yes
	keep_alive=60

	#conn L2TP-PSK-NAT
	# rightsubnet=vhost:%priv
	# also=L2TP-PSK-noNAT

	conn L2TP-PSK-noNAT
	authby=secret
	#shared secret. Use rsasig for certificates.
	pfs=no
	#Disable pfs
	auto=add
	#start at boot
	keyingtries=3
	#Only negotiate a conn. 3 times.
	ikelifetime=8h
	keylife=1h
	ike=aes256-sha1,aes128-sha1,3des-sha1
	phase2alg=aes256-sha1,aes128-sha1,3des-sha1
	type=transport
	#because we use l2tp as tunnel protocol
	left=$PUBLIC_IP
	#fill in server IP above
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any
	dpddelay=10
	dpdtimeout=20
	dpdaction=clear
	EOF

	cat > /etc/ipsec.secrets <<EOF
	$PUBLIC_IP %any : PSK "$IPSEC_PSK"
	EOF



	cat > /etc/xl2tpd/xl2tpd.conf <<EOF
	[global]
	ipsec saref = yes
	saref refinfo = 30

	[lns default]
	ip range = 172.16.1.30-172.16.1.100
	local ip = 172.16.1.1
	unix authentication = yes
	require authentication = yes
	;ppp debug = yes
	pppoptfile = /etc/ppp/options.xl2tpd
	length bit = yes
	EOF

	cat > /etc/ppp/options.xl2tpd <<EOF
	require-mschap-v2
	ms-dns 8.8.8.8
	ms-dns 8.8.4.4
	auth
	mtu 1200
	mru 1000
	crtscts
	hide-password
	modem
	name l2tpd
	proxyarp
	lcp-echo-interval 30
	lcp-echo-failure 4
	login
	EOF

	cat > /etc/pam.d/ppp <<EOF
	#%PAM-1.0
	# Information for the PPPD process with the 'login' option.
	auth required pam_nologin.so
	auth required pam_unix.so
	account required pam_unix.so
	session required pam_unix.so
	@include common-auth
	@include common-account
	@include common-session
	EOF


	cat > /etc/ppp/chap-secrets <<EOF
	# Secrets for authentication using CHAP
	# client server secret IP addresses

	$VPN_USER l2tpd $VPN_PASSWORD *
	test l2ptd test *
	EOF


	service ipsec restart
	service xl2tpd restart