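#!/bin/bash
#
# Build ocserv (OpenConnect VPN server) from source on Ubuntu 16.04, generate a
# private CA plus a server certificate, write /etc/ocserv/ocserv.conf and an
# AnyConnect client profile, and set up NAT for the VPN subnet.
#
# Must be run as root. The script is interactive: it asks the operator to
# confirm the detected public address and optionally creates a first account.
# Original author: Ehsan Alem.
#
# SECURITY NOTE(review): the ocserv tarball and the start-stop-daemon clone are
# fetched with no integrity check and built/installed as root. Pin a digest and
# a commit (see the build steps) before using this on a host you care about.

## ocserv version ftp://ftp.infradead.org/pub/ocserv/
# Versions of the optional from-source dependencies. Only ocserv_version is
# used by live code; the others belong to the commented-out build steps.
nettle_version="3.3"
libtasn1_version="4.9"
libunistring_version="0.9.7"
gnutls_version="3.5.8"
bison_version="3.0"
flex_version="2.6.0"
libnl_version="3.2.25"
ocserv_version="0.11.6"
pam_version="1.4.0"
talloc_version="2.1.8"
freeradius_version="3.0.12"
scriptdir=$(pwd)

## config used in ocserv
# VPN client subnet. ipv4prefix and ipv4netmask describe the same network and
# must be kept in sync: the route commands use the prefix form, ocserv.conf the
# dotted mask. The original hard-coded "/24" next to the netmask variable.
ipv4network="192.168.43.0"
ipv4netmask="255.255.255.0"
ipv4prefix="24"
tun_dev="vpns"
route_add_cmd="ip route add ${ipv4network}/${ipv4prefix} dev ${tun_dev}"
route_del_cmd="ip route del ${ipv4network}/${ipv4prefix} dev ${tun_dev}"
# Address given to $tun_dev; the VPN side of the server.
gateway="192.168.43.1"
dns="8.8.8.8"
tcp_port="443"
udp_port="443"
max_client="30"
max_same_clients="1"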
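# Preconditions: root, an apt-based system, and exactly Ubuntu 16.04 (the
# package names further down are xenial's). Diagnostics go to stderr.
if [[ "$(id -u)" != "0" ]]; then
  echo "Error: must be run as root" >&2
  exit 1
fi
if ! command -v apt-get >/dev/null 2>&1; then
  echo "Error: Support ubuntu only" >&2
  exit 1
fi
echo "Install lsb_release..."
# The Debian package is "lsb-release" (the command is lsb_release). The
# original asked apt for "lsb_release", which does not exist, and hid the
# failure; the release check below then failed whenever the tool was missing.
apt-get install -y lsb-release >/dev/null 2>&1
if [[ "$(lsb_release -sr 2>/dev/null)" != "16.04" ]]; then
  echo "Error: Support Ubuntu 16.04 only" >&2
  exit 1
fi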
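# get public ip info
# Pick the interface and address of the first global-scope IPv4 address and let
# the operator confirm or override them. Both values are later interpolated
# into ocserv.conf, profile.xml and an iptables rule, so anything that is not a
# plain address/hostname or interface name is rejected.
# (The original piped `ip -o` through `echo $(...)`, which joined all lines
# into one and made `head -n 1` a no-op; awk still happened to read the first
# entry.)
devname=""
address=""
if command -v ip >/dev/null 2>&1; then
  first_addr=$(ip -4 -o addr show scope global 2>/dev/null | head -n 1)
  devname=$(awk '{print $2}' <<<"$first_addr")
  address=$(awk '{print $4}' <<<"$first_addr" | cut -d'/' -f1)
fi
if [[ -z "$devname" || -z "$address" ]]; then
  read -r -p "can't get ip address, input the public ip address and device name:" address devname
else
  read -r -p "ip address and devname are $address, $devname, is that right?:[Yn]:" ipinfo
  case "$ipinfo" in
    [yY])
      echo "continue..."
      ;;
    [nN])
      read -r -p "input ip address and device name manually:" address devname
      ;;
    *)
      echo "continue..."
      ;;
  esac
fi
if [[ ! "$address" =~ ^[A-Za-z0-9.:-]+$ || ! "$devname" =~ ^[A-Za-z0-9._-]+$ ]]; then
  echo "Error: invalid address '$address' or device name '$devname', abort." >&2
  exit 1
fi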
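# install prerequisites, build dependencies and the optional ocserv features
# in ONE non-interactive apt-get run. The original issued several prompting
# calls that repeated packages and also asked for "libgnutls28", which is not
# a 16.04 package name (libgnutls28-dev pulls in the runtime library); with -y
# a single unknown name would abort the whole command, so it is dropped.
# The "development" set that was only ever commented out stays out.
apt-get install -y \
  build-essential m4 nano python libssl-dev iptables git \
  libev-dev libgnutls28-dev gnutls-bin \
  libwrap0-dev libpam0g-dev liblz4-dev libseccomp-dev libreadline-dev \
  libnl-route-3-dev libkrb5-dev liboath-dev libradcli-dev \
  libprotobuf-c-dev libpcl1-dev libopts25-dev autogen libhttp-parser-dev \
  libdbus-1-dev uml-utilities \
  || { echo "Error: package installation failed, abort." >&2; exit 1; }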
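# prepare tun device
# Create the tun device named in ocserv.conf ("device =") and give it the
# gateway address; route-add-cmd in the config points the VPN route at it.
if ! ip link show "$tun_dev" >/dev/null 2>&1; then
  echo "tun device $tun_dev not exists,creating..."
  if ! tunctl -t "$tun_dev"; then
    echo "Error can't create tun device, abort." >&2
    exit 1
  fi
fi
# Match the exact address: the original unanchored grep for 192.168.43.1 would
# also have been satisfied by 192.168.43.10 and skipped the assignment.
if ! ip -4 -o addr show "$tun_dev" | grep -qwF -- "inet $gateway"; then
  if ! ip addr add "$gateway" dev "$tun_dev"; then
    echo "Error: can't add $gateway to $tun_dev, abort." >&2
    exit 1
  fi
fi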
# build and install ocserv | |
#cd /usr/src | |
#wget https://ftp.gnu.org/gnu/nettle/nettle-${nettle_version}.tar.gz | |
#tar xvf nettle-${nettle_version}.tar.gz && cd nettle-${nettle_version} | |
#./configure && make && make install | |
#cd /usr/src | |
#wget https://ftp.gnu.org/gnu/libtasn1/libtasn1-${libtasn1_version}.tar.gz | |
#tar xvf libtasn1-${libtasn1_version}.tar.gz && cd libtasn1-${libtasn1_version} | |
#./configure && make && make install | |
#cd /usr/src | |
#wget http://ftp.gnu.org/gnu/libunistring/libunistring-${libunistring_version}.tar.xz | |
#unxz libunistring-${libunistring_version}.tar.xz && tar xvf libunistring-${libunistring_version}.tar && cd libunistring-${libunistring_version} | |
#./configure && make && make install | |
# TODO: v3.5 | |
#cd /usr/src | |
#wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-${gnutls_version}.tar.xz | |
#unxz gnutls-${gnutls_version}.tar.xz && tar xvf gnutls-${gnutls_version}.tar && cd gnutls-${gnutls_version} | |
#./configure && make && make install | |
#cd /usr/src | |
#wget https://ftp.gnu.org/gnu/bison/bison-${bison_version}.tar.xz | |
#unxz bison-${bison_version}.tar.xz && tar xvf bison-${bison_version}.tar && cd bison-${bison_version} | |
#./configure && make && make install | |
#cd /usr/src | |
#wget https://kent.dl.sourceforge.net/project/flex/flex-${flex_version}.tar.bz2 | |
#tar xjvf flex-${flex_version}.tar.bz2 && cd flex-${flex_version} | |
#./configure && make && make install | |
#cd /usr/src | |
#wget https://www.infradead.org/~tgr/libnl/files/libnl-${libnl_version}.tar.gz | |
#tar xvf libnl-${libnl_version}.tar.gz && cd libnl-${libnl_version} | |
#./configure && make && make install | |
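# Fetch, build and install ocserv under /usr/local (configure's default prefix).
# SECURITY: the tarball comes over plain FTP with nothing authenticating it and
# is built and installed as root. Set ocserv_sha256 to the digest published
# with the release (or verify the release's detached signature with gpg)
# before trusting this on a real host. When empty, the download is trusted
# as-is, matching the original behaviour.
: "${ocserv_sha256:=}"
cd /usr/src || exit 1
wget -O "ocserv-${ocserv_version}.tar.xz" \
  "ftp://ftp.infradead.org/pub/ocserv/ocserv-${ocserv_version}.tar.xz" || exit 1
if [[ -n "$ocserv_sha256" ]]; then
  echo "${ocserv_sha256}  ocserv-${ocserv_version}.tar.xz" | sha256sum -c - \
    || { echo "Error: ocserv tarball checksum mismatch, abort." >&2; exit 1; }
fi
# tar handles .xz directly; the original unxz step failed on re-runs when the
# .tar already existed.
tar xJvf "ocserv-${ocserv_version}.tar.xz" || exit 1
cd "ocserv-${ocserv_version}" || exit 1
./configure && make && make install || { echo "Error: ocserv build failed, abort." >&2; exit 1; }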
#cd /usr/src | |
#wget ftp://ftp.freeradius.org/pub/radius/pam_radius-${pam_version}.tar.gz | |
#tar -xvf pam_radius-${pam_version}.tar.gz && cd pam_radius-${pam_version} | |
#./configure && make | |
#mkdir /lib/security/ | |
#cp pam_radius_auth.so /lib/security/ | |
#mkdir /etc/raddb/ | |
#cp pam_radius_auth.conf /etc/raddb/server | |
#nano /etc/raddb/server | |
#cd /usr/src | |
#wget https://www.samba.org/ftp/talloc/talloc-${talloc_version}.tar.gz | |
#tar -xvf talloc-${talloc_version}.tar.gz && cd talloc-${talloc_version} | |
#./configure && make && make install | |
#cd /usr/src | |
#wget ftp://62.210.29.29/pub/freeradius/freeradius-server-${freeradius_version}.tar.gz | |
#tar -xvf freeradius-server-${freeradius_version}.tar.gz && cd freeradius-server-${freeradius_version} | |
#./configure && make && make install | |
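# Build a standalone start-stop-daemon for the init script.
# SECURITY: this clones an unpinned third-party repository and installs
# whatever its HEAD is, as root, into /usr/local/bin. Set
# start_stop_daemon_ref to a known commit to pin it; empty keeps the original
# HEAD behaviour. (Ubuntu's dpkg already ships /sbin/start-stop-daemon, so
# this copy may not be needed at all.)
: "${start_stop_daemon_ref:=}"
cd /usr/src || exit 1
# A previous run leaves the checkout behind, which makes `git clone` fail.
if [[ ! -d start-stop-daemon ]]; then
  git clone https://github.com/daleobrien/start-stop-daemon.git || exit 1
fi
cd start-stop-daemon || exit 1
if [[ -n "$start_stop_daemon_ref" ]]; then
  git checkout -q "$start_stop_daemon_ref" || exit 1
fi
gcc start-stop-daemon.c -o start-stop-daemon || exit 1
mv start-stop-daemon /usr/local/bin/start-stop-daemon || exit 1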
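# Write the AnyConnect client profile that ocserv.conf hands out via
# user-profile. $address is substituted into HostAddress; it is not escaped, so
# it must be a plain address/hostname.
# NOTE(review): StrictCertificateTrust=false lets clients accept the
# self-signed server certificate generated below without having the CA
# installed; switch it to true once ca-cert.pem is distributed to clients.
mkdir -p /etc/ocserv || exit 1
cat > /etc/ocserv/profile.xml <<EOF || exit 1
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<AutoUpdate>true</AutoUpdate>
<BypassDownloader>true</BypassDownloader>
<UseStartBeforeLogon>false</UseStartBeforeLogon>
<StrictCertificateTrust>false</StrictCertificateTrust>
<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
<RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
<CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
<CertificateMatch>
<KeyUsage>
<MatchKey>Digital_Signature</MatchKey>
</KeyUsage>
<ExtendedKeyUsage>
<ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
</ExtendedKeyUsage>
</CertificateMatch>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>PCRider</HostName>
<HostAddress> $address </HostAddress>
</HostEntry>
</ServerList>
</AnyConnectProfile>
EOF
chmod 644 /etc/ocserv/profile.xml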
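# Generate a private CA and a server certificate issued by it.
# Fixes vs. the original:
#  - the CA template was written to "ca.tmp1" but certtool was pointed at
#    "ca.tmpl", so CA generation never had its template;
#  - the server certificate used --generate-self-signed, which ignores the
#    --load-ca-* options; --generate-certificate actually signs it with the CA;
#  - private keys are now root-only (0600) in a 0700 directory.
cd /usr/src || exit 1
mkdir -p /etc/ocserv/ssl || exit 1
chmod 700 /etc/ocserv/ssl
cat > ca.tmpl <<EOF
cn = "CA"
organization = "PCRider Corp"
serial = 02
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
certtool --generate-privkey --outfile /etc/ocserv/ssl/ca-key.pem --bits 2048 || exit 1
chmod 600 /etc/ocserv/ssl/ca-key.pem
certtool --generate-self-signed --load-privkey /etc/ocserv/ssl/ca-key.pem --template ./ca.tmpl --outfile /etc/ocserv/ssl/ca-cert.pem || exit 1
cat > cert.tmpl <<EOF
organization = "PCRider"
unit = "VPN"
state = "Holland"
country = "Netherland"
cn = "www.pcrider.com"
serial = 01
expiration_days = 3650
email = "admin@pcrider.com"
signing_key
encryption_key
tls_www_server
EOF
certtool --generate-privkey --outfile /etc/ocserv/ssl/server-key.pem --bits 2048 || exit 1
chmod 600 /etc/ocserv/ssl/server-key.pem
certtool --generate-certificate --load-privkey /etc/ocserv/ssl/server-key.pem --load-ca-certificate /etc/ocserv/ssl/ca-cert.pem --load-ca-privkey /etc/ocserv/ssl/ca-key.pem --template ./cert.tmpl --outfile /etc/ocserv/ssl/server-cert.pem || exit 1
chmod 644 /etc/ocserv/ssl/ca-cert.pem /etc/ocserv/ssl/server-cert.pem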
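# Write the server configuration.
# Fix vs. the original: max-clients referenced $max_clients, but the variable
# defined at the top is max_client, so the value was written out empty.
# "device" now uses $tun_dev, the same name the tun-device setup created.
# NOTE(review): tls-priorities starts from NORMAL, which in the GnuTLS this
# targets still permits TLS 1.0/1.1; append -VERS-TLS1.0:-VERS-TLS1.1 if no
# legacy clients need them. listen-clear-file accepts non-TLS connections on a
# local unix socket, presumably for a local proxy; drop it if nothing uses it.
cat > /etc/ocserv/ocserv.conf <<EOF || exit 1
auth = "plain[/etc/ocserv/ocpasswd]"
isolate-workers = true
max-clients = $max_client
max-same-clients = $max_same_clients
listen-host = $address
tcp-port = $tcp_port
udp-port = $udp_port
listen-clear-file = /var/run/ocserv-conn.socket
rate-limit-ms = 0
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = false
server-cert = /etc/ocserv/ssl/server-cert.pem
server-key = /etc/ocserv/ssl/server-key.pem
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 30
mobile-idle-timeout = 2400
min-reauth-time = 120
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
run-as-user = nobody
run-as-group = daemon
device = $tun_dev
predictable-ips = true
default-domain = pcrider.com
ipv4-network = $ipv4network
ipv4-netmask = $ipv4netmask
dns = $dns
ping-leases = false
route-add-cmd = $route_add_cmd
route-del-cmd = $route_del_cmd
user-profile = /etc/ocserv/profile.xml
cisco-client-compat = true
custom-header = "X-DTLS-MTU: 1200"
custom-header = "X-CSTP-MTU: 1200"
EOF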
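# Enable IPv4 forwarding persistently: the MASQUERADE rule below only carries
# VPN traffic if the kernel forwards it. The original opened /etc/sysctl.conf
# in nano and left the edit to the operator, which cannot run unattended.
if ! grep -qE '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' /etc/sysctl.conf 2>/dev/null; then
  echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
fi
sysctl -p

cd "/usr/src/ocserv-${ocserv_version}" || exit 1
# D-Bus policy shipped with the source (ocserv.conf sets use-occtl = true).
if [[ -d /etc/dbus-1/system.d ]]; then
  cp doc/dbus/org.infradead.ocserv.conf /etc/dbus-1/system.d/
fi
# Nothing in this script writes /etc/init.d/ocserv; the original chmod'ed it
# unconditionally and failed quietly when absent. Say so instead.
if [[ -f /etc/init.d/ocserv ]]; then
  chmod 755 /etc/init.d/ocserv
  update-rc.d ocserv defaults
else
  echo "Warning: /etc/init.d/ocserv not found; ocserv will not be started at boot" >&2
fi

# configure iptable rules
# NAT only the VPN subnet out of the public interface — the original
# masqueraded everything leaving $devname — and do not append a duplicate
# rule on re-runs (-C checks for an existing identical rule first).
# iptables-save only prints the ruleset; nothing here persists it across
# reboot, so re-run the script or install a persistence mechanism.
modprobe iptable_nat
nat_rule=(-s "${ipv4network}/${ipv4netmask}" -o "$devname" -j MASQUERADE)
if ! iptables -t nat -C POSTROUTING "${nat_rule[@]}" 2>/dev/null; then
  if ! iptables -t nat -A POSTROUTING "${nat_rule[@]}"; then
    echo "Error: iptables rule not add,abort" >&2
    exit 1
  fi
fi
iptables-save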
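# create account?
# Optionally create a first VPN account in the file ocserv.conf actually reads
# (auth = "plain[/etc/ocserv/ocpasswd]"). The original wrote to ./passwd in
# the build directory, so the account it reported as "added" was never usable,
# and it defaulted the password to "1234567". An empty password now gets a
# random one, printed once; the password prompt no longer echoes.
read -r -p "Should I create an default account for you?[Yn]:" createaccount
case "$createaccount" in
  [Yy])
    read -r -p "username(default PCRider):" username
    read -r -s -p "password(empty = generate a random one):" password
    echo
    [[ -z "$username" ]] && username="PCRider"
    if [[ ! "$username" =~ ^[A-Za-z0-9._-]+$ ]]; then
      echo "failed to add account" >&2
      echo "Error: invalid username '$username'" >&2
      exit 1
    fi
    generated=""
    if [[ -z "$password" ]]; then
      password=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)
      generated="yes"
    fi
    ocpasswd_file="/etc/ocserv/ocpasswd"
    # As in the original, the password is supplied twice on stdin; printf
    # avoids `echo -e` interpreting backslashes inside the password.
    printf '%s\n%s\n' "$password" "$password" | ocpasswd -c "$ocpasswd_file" "$username"
    # Exact match on the user field (the original grep matched any substring
    # of the whole file).
    if cut -d: -f1 "$ocpasswd_file" 2>/dev/null | grep -qxF -- "$username"; then
      echo "account added"
      [[ -n "$generated" ]] && echo "generated password for $username: $password"
    else
      echo "failed to add account" >&2
    fi
    ;;
  *)
    echo ""
    ;;
esac
# `make install` ran with configure's default prefix, so the binaries are
# under /usr/local (the original message claimed /opt/ocserv).
echo "ocserv installed under /usr/local"
echo "now you can add account with \`ocpasswd -c /etc/ocserv/ocpasswd pcrider\`"
echo "start ocserv server with \`ocserv -c /etc/ocserv/ocserv.conf\`"
echo "change config as you wish in \`/etc/ocserv/ocserv.conf\`"
cat <<EOF
 _________________
< Ehsan Alem >
 -----------------
EOF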