ubuntu 14.04 LTS ipsec & l2tpd server setup
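#!/bin/bash
# Ubuntu 14.04 LTS IPsec (openswan) + L2TP (xl2tpd) server setup.
# ref https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_14.04.html
#
# Must run as root. Prompts for a VPN user name, password and IPsec
# pre-shared key, then writes:
#   /etc/ipsec.conf, /etc/ipsec.secrets, /etc/xl2tpd/xl2tpd.conf,
#   /etc/ppp/options.xl2tpd, /etc/pam.d/ppp, /etc/ppp/chap-secrets
# enables IPv4 forwarding + SNAT, and restarts ipsec and xl2tpd.
#
# Optional environment overrides:
#   PUBLIC_IP  public IPv4 address of this host; when unset it is looked up
#              over plain HTTP (see below).
#   IPSEC_PSK  pre-shared key; when unset and left empty at the prompt a
#              random one is generated and printed once at the end.
set -euo pipefail

if [ "$(id -u)" -ne 0 ]; then
    echo "This script must run as root." >&2
    exit 1
fi

echo "Type a VPN Username:"
read -r VPN_USER
echo "Type a VPN Password:"
# -s: do not echo the secret to the terminal (or into scrollback / screen logs).
read -r -s VPN_PASSWORD
echo
echo "Type a Pre-Shared key (as long as possible; leave empty to generate one)"
read -r -s IPSEC_PSK_INPUT
echo
IPSEC_PSK="${IPSEC_PSK_INPUT:-${IPSEC_PSK:-}}"

GENERATED_PSK=0
if [ -z "$IPSEC_PSK" ]; then
    # 30 random bytes as hex; every client shares this key, so make it strong.
    IPSEC_PSK=$(openssl rand -hex 30)
    GENERATED_PSK=1
fi

if [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
    echo "Username and password must not be empty." >&2
    exit 1
fi
# All three values are written inside double quotes in ipsec.secrets and
# chap-secrets; a '"' or '\' would break or alter those files, so refuse them.
case "$VPN_USER$VPN_PASSWORD$IPSEC_PSK" in
    *'"'*|*'\'*)
        echo "Username, password and PSK must not contain '\"' or '\\'." >&2
        exit 1
        ;;
esac

if [ -z "${PUBLIC_IP:-}" ]; then
    # Unauthenticated plain-HTTP lookup: anything on the path could answer.
    # The value only becomes our own listen/SNAT address, but it is still
    # validated below so a failed or spoofed reply cannot land in the configs.
    PUBLIC_IP=$(curl -fsS --max-time 10 http://ip.mtak.nl) || PUBLIC_IP=""
fi
if ! [[ "$PUBLIC_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    echo "Could not determine a valid public IPv4 address (got '$PUBLIC_IP'); set PUBLIC_IP and rerun." >&2
    exit 1
fi

export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get upgrade -y
apt-get autoclean
apt-get autoremove -y
apt-get clean
apt-get install -y xl2tpd openswan ppp lsof git

# SNAT VPN client traffic leaving any eth* interface to our public address.
# -C first so a rerun does not append a duplicate rule.
# NOTE: this rule is not persisted across reboots; use iptables-persistent
# (or an equivalent) if the server is expected to survive a restart.
iptables -t nat -C POSTROUTING -o eth+ -j SNAT --to-source "$PUBLIC_IP" 2>/dev/null \
    || iptables -t nat -A POSTROUTING -o eth+ -j SNAT --to-source "$PUBLIC_IP"

# set_sysctl KEY VALUE: replace (or append) KEY in /etc/sysctl.conf so reruns
# do not pile up duplicate lines.
set_sysctl() {
    sed -i "/^[[:space:]]*$1[[:space:]]*=/d" /etc/sysctl.conf
    echo "$1 = $2" >> /etc/sysctl.conf
}
set_sysctl net.ipv4.ip_forward 1
set_sysctl net.ipv4.conf.all.accept_redirects 0
set_sysctl net.ipv4.conf.all.send_redirects 0
# rp_filter=0 kept from the reference tutorial so traffic to/from ppp
# interfaces is not dropped by reverse-path checks.
set_sysctl net.ipv4.conf.default.rp_filter 0
set_sysctl net.ipv4.conf.default.accept_source_route 0
set_sysctl net.ipv4.conf.default.send_redirects 0
set_sysctl net.ipv4.icmp_ignore_bogus_error_responses 1
# Apply the redirect settings to interfaces that already exist.
for vpn in /proc/sys/net/ipv4/conf/*; do
    echo 0 > "$vpn/accept_redirects"
    echo 0 > "$vpn/send_redirects"
done
sysctl -p

cat > /etc/ipsec.conf <<EOF
# conforms to second version of ipsec.conf specification
version 2

config setup
    # directory in which things started by setup (notably pluto) may dump core
    dumpdir=/var/run/pluto/
    # accept/offer the NAT-Traversal workaround (clients behind NAPT)
    nat_traversal=yes
    # address ranges that may live behind a NAT router through which a client connects
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    # kernel IPsec stack to use
    protostack=netkey
    force_keepalive=yes
    keep_alive=60

#conn L2TP-PSK-NAT
#    rightsubnet=vhost:%priv
#    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    # shared secret; use rsasig for certificates
    authby=secret
    # pfs=no and the 3des-sha1 entries below are kept from the reference
    # configuration for client compatibility; drop 3des-sha1 and consider
    # pfs=yes once every client in use supports it.
    pfs=no
    # load at boot, wait for the client to initiate
    auto=add
    # only negotiate a conn 3 times
    keyingtries=3
    ikelifetime=8h
    keylife=1h
    ike=aes256-sha1,aes128-sha1,3des-sha1
    phase2alg=aes256-sha1,aes128-sha1,3des-sha1
    # transport mode because L2TP is the tunnelling protocol
    type=transport
    # server public IP
    left=$PUBLIC_IP
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
EOF

cat > /etc/ipsec.secrets <<EOF
$PUBLIC_IP %any : PSK "$IPSEC_PSK"
EOF

cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global]
ipsec saref = yes
saref refinfo = 30

[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
unix authentication = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF

# NOTE(review): require-mschap-v2 makes chap-secrets the effective credential
# store; 'login' / 'unix authentication' are kept from the reference setup but
# only apply to PAP - confirm which backend is intended before relying on PAM.
cat > /etc/ppp/options.xl2tpd <<EOF
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
login
EOF

cat > /etc/pam.d/ppp <<EOF
#%PAM-1.0
# Information for the PPPD process with the 'login' option.
auth required pam_nologin.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
@include common-auth
@include common-account
@include common-session
EOF

# The server column must match 'name l2tpd' in options.xl2tpd or the entry
# is never consulted. Only the account given at the prompt is created; add
# further users as extra lines here, never a default/test account.
cat > /etc/ppp/chap-secrets <<EOF
# Secrets for authentication using CHAP
# client server secret IP addresses
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF

# Both files hold plaintext credentials; keep them readable by root only.
chmod 600 /etc/ipsec.secrets /etc/ppp/chap-secrets

service ipsec restart
service xl2tpd restart

if [ "$GENERATED_PSK" -eq 1 ]; then
    echo "Generated IPsec pre-shared key (configure this on every client):"
    echo "$IPSEC_PSK"
fi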