jhenkens/Raspberry Pi L2TP VPN Setup Scripts.md

## commands.in
ServerPasswordSet ADMINPASSWORD
HubCreate VPN /PASSWORD:
hubdelete default
Hub VPN
UserCreate USERNAME /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet USERNAME /PASSWORD:TESTPASS
OpenVPNEnable no /PORTS:1194
sstpenable no
SecureNatDisable
natdisable
dhcpdisable
bridgecreate VPN /DEVICE:soft /TAP:yes
ipsecenable /L2TP:yes /L2TPRAW:no /ETHERIP:no /PSK:TESTSECRET /DEFAULTHUB:VPN
keepdisable
vpnovericmpdnsenable /ICMP:no /DNS:no
listenerdelete 1194
listenerdelete 5555
listenerdelete 992
ServerCipherset AES256-SHA
flush
exit

## interfaces
auto lo

iface lo inet loopback

auto br0
iface br0 inet dhcp
	bridge_ports eth0
	bridge_stp off
	bridge_waitport 0
	bridge_maxwait 0
	bridge_fd 0
	post-up ip link set br0 address MACADDRESS

allow-hotplug eth0
iface eth0 inet manual

## iptables.sh
#!/bin/bash
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo "net.ipv4.ip_forward = 1" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" |  tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
sysctl -p


echo "

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > \$vpn/accept_redirects; echo 0 > \$vpn/send_redirects; done
iptables -A FORWARD -i br0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i br0 -o br0 -j ACCEPT" >> /etc/rc.local

## l2tpvpn
[L2TPVPN]
title=Johan's L2TP
description=Dis is a VPN
ports=500,1701,4500/udp|1701,1723/tcp

## Raspberry Pi L2TP VPN Setup Scripts.md

      
    Raw
  

              Raspberry Pi L2TP VPN Setup Scripts.md
            
          
    Install raspbian, set up your users however you would like, so long as you have
sudo access on the user you are running this with. You probably want to resize
the image so it fills the SD card as well.


Copy this entire gist to your raspberry pi


Do chmod +x step1.sh step2.sh iptables.sh in the gist folder (so that


Run step1.sh
a) This script does a few things - it first updates your raspberry pi, then
it installs a few needed utilities, then it upgrades the firmware on your
raspberry pi
b) Next, it sets up a few iptables rules in /etc/rc.local. Please verify
that there is not an 'exit 0' statement before those rules are run, as the
'exit 0' will obviously prevent them from being loaded
c) It downloads softether for raspberry pi, extracts it to
/usr/local/vpnserver, agrees to the license terms, and then "makes" it.
d) It changes the permissions as necessary on the /usr/local/vpnserevr files
e) It adds the ufw profile for l2tpvpn's and allows it (But it doesn't enable
ufw if it isn't already enabled)
f) It adds the init.d script to start up the vpn server on startup
A) Please enable ufw if you would like your pi to be more secure. The
IPTables and ufw rules should allow you to simple type 'sudo ufw enable' and
everything should work
B) Please check /etc/rc.local to ensure that 'exit 0' does not come before
the iptables commands
C) Unless you are confident in managing the services manually, please reboot
your pi to make sure everything is working nicely.


Run step2.sh
a) This script sets up the softether VPN config for an L2TP/IPSec vpn
b) It will ask you various things in order and then stream-edit them into
a copy of the 'commands.in' file, which it will then use to configure the
softether server with.
c) This script only works with a clean-install of softether - if you have
already placed a password on softether, it will not work
d) The soft-ether admin password is used only to administer the server
using the vpncmd program or the softether gui for Windows
e) The IPSec secret is the shared secret for all the IPSec connection
f) The User/Pass are for one specific account, and do not have to match your
unix account
g) The script also grabs the mac address of the Raspberry Pi's 'eth0'
interface, and then sets up the /etc/network/interfaces to use a bridge with
that mac address rather than the ethernet adapter direction
1) This is because we have softether binding to a TAP, which we then
need to bridge together, so that we can access the raspberry pi via the
vpn. If we did a local bridge directly onto eth0, we would be able to
access everything but the raspberry pi when connected via VPN
A) Please check /etc/network/interfaces to make sure things look good! You
shouldn't see MACADDRESS in the file, and you should see it making a bridge,
and that eth0 is set to manual with no additional settings


Lastly, which you must do on your own,
Set up a dhcp reservation for your Raspberry Pi in your router (essentially a
DHCP assigned static IP). If you cannot do this, you may want to mess around
with the bridge settings and assign the pi a static IP that way. Then, you need
to forward ports 1701tcp, 4500udp, and 500udp from your router to your Raspberry Pi
That should be it! Feel free to message me if you have issues, but only if you
are using a raspberrypi and raspbian. I may or may not be able to get back to
you. If you make modifications to these scripts to work for other OS's, it might
be nice if you shared them with us. If you have any tips on how I should improve
my PI's, let me know!

  
## step1.sh
#! /bin/bash
DOWNLOADURL="http://www.softether-download.com/files/softether/v4.08-9449-rtm-2014.06.08-tree/Linux/SoftEther%20VPN%20Server/32bit%20-%20ARM%20EABI/softether-vpnserver-v4.08-9449-rtm-2014.06.08-linux-arm_eabi-32bit.tar.gz"
sudo apt-get update
sudo apt-get dist-upgrade -y
sudo apt-get install vim git-core ufw moreutils lsof rpi-update build-essential curl bridge-utils -y
sudo rpi-update

sudo ./iptables.sh
curl $DOWNLOADURL -s | sudo tar xzvf - -C /usr/local/
pushd .
cd /usr/local/vpnserver
echo "1
1
1
1
" | sudo make
popd
sudo chmod 755 /usr/local/vpnserver
sudo chmod 600 /usr/local/vpnserver/*
sudo chmod 700 /usr/local/vpnserver/vpncmd
sudo chmod 700 /usr/local/vpnserver/vpnserver

sudo cp l2tpvpn /etc/ufw/applications.d/
sudo chmod 644 /etc/ufw/applications.d/l2tpvpn
sudo ufw allow L2TPVPN
sudo ufw allow ssh

sudo cp vpnserver /etc/init.d/
sudo chmod 755 /etc/init.d/vpnserver
sudo update-rc.d vpnserver defaults

echo "Please enable UFW if you would like to be more secure (sudo ufw enable)"
echo "Please check /etc/rc.local. If 'exit 0' occurs before the iptables rules,
please edit so that 'exit 0' is after."

echo "ATTENTION: Please restart before next step to ensure new raspberry pi
firmware is loaded and vpn server starts"


## step2.sh
#!/bin/bash

HOSTNAME=`hostname`
CONFIGBASEFILENAME=commands.in
NETWORKBASEFILENAME=interfaces
mkdir .vpnsetuptemp
cp $CONFIGBASEFILENAME $NETWORKBASEFILENAME .vpnsetuptemp/
CONFIG=.vpnsetuptemp/$CONFIGBASEFILENAME
CONFIG2=.vpnsetuptemp/$NETWORKBASEFILENAME
echo "Please enter your softether admin password: "
read softadmin
echo "Please enter your IPSEC Secret: "
read secret
echo "Please enter your l2tp username: "
read username
echo "Please enter your l2tp password: "
read pass
sed -i "s/ADMINPASSWORD/$softadmin/g" $CONFIG
sed -i "s/USERNAME/$username/g" $CONFIG
sed -i "s/TESTPASS/$pass/g" $CONFIG
sed -i "s/TESTSECRET/$secret/g" $CONFIG

sed -i "s/MACADDRESS/`cat /sys/class/net/eth0/address`/g" $CONFIG2

sudo /usr/local/vpnserver/vpncmd localhost:443 /SERVER /IN:$CONFIG

sudo cp /etc/network/interfaces /etc/network/interfaces.orig.bak
sudo cp $CONFIG2 /etc/network/interfaces


sudo rm -r .vpnsetuptemp

echo "You need to reboot for settings to take effect. PLEASE CHECK
/etc/network/interfaces TO make sure things look right! If they do
not, please edit accordingly, especially if working remotely!!!!"

## vpnserver
#!/bin/bash

### BEGIN INIT INFO
# Provides:          vpnserver
# Required-Start:    $network $syslog $remote_fs
# Required-Stop:     $network $syslog $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start firewall
### END INIT INFO

# chkconfig: 2345 99 01
# description: SoftEther VPN Server
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/vpnserver
test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
TIMEOUTCOUNTER=0
MAXTIMEOUT=50
SLEEPINTERVAL=0.5
until ifconfig tap_soft 1>/dev/null 2>&1; do
    TIMEOUTCOUNTER=$((TIMEOUTCOUNTER + 1))
    sleep $SLEEPINTERVAL
    if (( $TIMEOUTCOUNTER > $MAXTIMEOUT )); then
        echo "Time out waiting for device to come online. Could not add to bridge" 1>&2
        exit 1
    fi
done
brctl addif br0 tap_soft
;;
stop)
$DAEMON stop
rm $LOCK
;;
restart)
$DAEMON stop
sleep 3
$DAEMON start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0
	ServerPasswordSet ADMINPASSWORD
	HubCreate VPN /PASSWORD:
	hubdelete default
	Hub VPN
	UserCreate USERNAME /GROUP:none /REALNAME:none /NOTE:none
	UserPasswordSet USERNAME /PASSWORD:TESTPASS
	OpenVPNEnable no /PORTS:1194
	sstpenable no
	SecureNatDisable
	natdisable
	dhcpdisable
	bridgecreate VPN /DEVICE:soft /TAP:yes
	ipsecenable /L2TP:yes /L2TPRAW:no /ETHERIP:no /PSK:TESTSECRET /DEFAULTHUB:VPN
	keepdisable
	vpnovericmpdnsenable /ICMP:no /DNS:no
	listenerdelete 1194
	listenerdelete 5555
	listenerdelete 992
	ServerCipherset AES256-SHA
	flush
	exit
	auto lo

	iface lo inet loopback

	auto br0
	iface br0 inet dhcp
	bridge_ports eth0
	bridge_stp off
	bridge_waitport 0
	bridge_maxwait 0
	bridge_fd 0
	post-up ip link set br0 address MACADDRESS

	allow-hotplug eth0
	iface eth0 inet manual
	#!/bin/bash
	iptables --table nat --append POSTROUTING --jump MASQUERADE
	echo "net.ipv4.ip_forward = 1" \| tee -a /etc/sysctl.conf
	echo "net.ipv4.conf.all.accept_redirects = 0" \| tee -a /etc/sysctl.conf
	echo "net.ipv4.conf.all.send_redirects = 0" \| tee -a /etc/sysctl.conf
	for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
	sysctl -p


	echo "

	for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > \$vpn/accept_redirects; echo 0 > \$vpn/send_redirects; done
	iptables -A FORWARD -i br0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
	iptables -A FORWARD -i br0 -o br0 -j ACCEPT" >> /etc/rc.local
	[L2TPVPN]
	title=Johan's L2TP
	description=Dis is a VPN
	ports=500,1701,4500/udp\|1701,1723/tcp
	#! /bin/bash
	DOWNLOADURL="http://www.softether-download.com/files/softether/v4.08-9449-rtm-2014.06.08-tree/Linux/SoftEther%20VPN%20Server/32bit%20-%20ARM%20EABI/softether-vpnserver-v4.08-9449-rtm-2014.06.08-linux-arm_eabi-32bit.tar.gz"
	sudo apt-get update
	sudo apt-get dist-upgrade -y
	sudo apt-get install vim git-core ufw moreutils lsof rpi-update build-essential curl bridge-utils -y
	sudo rpi-update

	sudo ./iptables.sh
	curl $DOWNLOADURL -s \| sudo tar xzvf - -C /usr/local/
	pushd .
	cd /usr/local/vpnserver
	echo "1
	1
	1
	1
	" \| sudo make
	popd
	sudo chmod 755 /usr/local/vpnserver
	sudo chmod 600 /usr/local/vpnserver/*
	sudo chmod 700 /usr/local/vpnserver/vpncmd
	sudo chmod 700 /usr/local/vpnserver/vpnserver

	sudo cp l2tpvpn /etc/ufw/applications.d/
	sudo chmod 644 /etc/ufw/applications.d/l2tpvpn
	sudo ufw allow L2TPVPN
	sudo ufw allow ssh

	sudo cp vpnserver /etc/init.d/
	sudo chmod 755 /etc/init.d/vpnserver
	sudo update-rc.d vpnserver defaults

	echo "Please enable UFW if you would like to be more secure (sudo ufw enable)"
	echo "Please check /etc/rc.local. If 'exit 0' occurs before the iptables rules,
	please edit so that 'exit 0' is after."

	echo "ATTENTION: Please restart before next step to ensure new raspberry pi
	firmware is loaded and vpn server starts"
	#!/bin/bash

	HOSTNAME=`hostname`
	CONFIGBASEFILENAME=commands.in
	NETWORKBASEFILENAME=interfaces
	mkdir .vpnsetuptemp
	cp $CONFIGBASEFILENAME $NETWORKBASEFILENAME .vpnsetuptemp/
	CONFIG=.vpnsetuptemp/$CONFIGBASEFILENAME
	CONFIG2=.vpnsetuptemp/$NETWORKBASEFILENAME
	echo "Please enter your softether admin password: "
	read softadmin
	echo "Please enter your IPSEC Secret: "
	read secret
	echo "Please enter your l2tp username: "
	read username
	echo "Please enter your l2tp password: "
	read pass
	sed -i "s/ADMINPASSWORD/$softadmin/g" $CONFIG
	sed -i "s/USERNAME/$username/g" $CONFIG
	sed -i "s/TESTPASS/$pass/g" $CONFIG
	sed -i "s/TESTSECRET/$secret/g" $CONFIG

	sed -i "s/MACADDRESS/`cat /sys/class/net/eth0/address`/g" $CONFIG2

	sudo /usr/local/vpnserver/vpncmd localhost:443 /SERVER /IN:$CONFIG

	sudo cp /etc/network/interfaces /etc/network/interfaces.orig.bak
	sudo cp $CONFIG2 /etc/network/interfaces


	sudo rm -r .vpnsetuptemp

	echo "You need to reboot for settings to take effect. PLEASE CHECK
	/etc/network/interfaces TO make sure things look right! If they do
	not, please edit accordingly, especially if working remotely!!!!"
	#!/bin/bash

	### BEGIN INIT INFO
	# Provides: vpnserver
	# Required-Start: $network $syslog $remote_fs
	# Required-Stop: $network $syslog $remote_fs
	# Default-Start: 2 3 4 5
	# Default-Stop: 0 1 6
	# Short-Description: start firewall
	### END INIT INFO

	# chkconfig: 2345 99 01
	# description: SoftEther VPN Server
	DAEMON=/usr/local/vpnserver/vpnserver
	LOCK=/var/lock/vpnserver
	test -x $DAEMON \|\| exit 0
	case "$1" in
	start)
	$DAEMON start
	touch $LOCK
	TIMEOUTCOUNTER=0
	MAXTIMEOUT=50
	SLEEPINTERVAL=0.5
	until ifconfig tap_soft 1>/dev/null 2>&1; do
	TIMEOUTCOUNTER=$((TIMEOUTCOUNTER + 1))
	sleep $SLEEPINTERVAL
	if (( $TIMEOUTCOUNTER > $MAXTIMEOUT )); then
	echo "Time out waiting for device to come online. Could not add to bridge" 1>&2
	exit 1
	fi
	done
	brctl addif br0 tap_soft
	;;
	stop)
	$DAEMON stop
	rm $LOCK
	;;
	restart)
	$DAEMON stop
	sleep 3
	$DAEMON start
	;;
	*)
	echo "Usage: $0 {start\|stop\|restart}"
	exit 1
	esac
	exit 0