IPsec/L2TP VPN
# docker-compose definition for the hwdsl2 IPsec/L2TP VPN server.
# No image tag is given, so `latest` is pulled on every fresh deploy;
# pin a tag or digest to make the deployment reproducible and reviewable.
version: "3.2"
services:
  vpn:
    image: hwdsl2/ipsec-vpn-server
    # privileged grants the container every capability and all host devices,
    # i.e. it is effectively root on the host (presumably needed here for
    # kernel modules / network stack changes). Run nothing else you would not
    # trust with host root on this machine.
    privileged: true
    volumes:
      # vpn.env carries the IPsec PSK and the user credentials; it is mounted
      # read-only, but also keep it 0600 on the host - it is the VPN's secret.
      - ./vpn.env:/opt/src/vpn.env:ro
    ports:
      # IKE (500), IPsec NAT-T (4500) and L2TP (1701), bound on every host
      # interface because no host address is given before the port.
      - 500:500/udp
      - 4500:4500/udp
      - 1701:1701/udp
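#!/bin/bash
#### your vpn info ####
# Connection settings. Each one may now be supplied from the environment
# (e.g. `PSK=... NAME=... PASSWORD=... ./vpn.sh up`); the literal defaults
# are kept so existing invocations behave exactly as before.
#
# SECURITY: the default credentials below are committed to a public gist
# and must be treated as compromised - rotate them on the server side
# (vpn.env) and here. Prefer passing NAME/PASSWORD/PSK via the environment
# or a root-only (0600) file rather than keeping them in this script.
IFACE=${IFACE:-wlp4s0}                # uplink interface the tunnel leaves through
VPN_SERVER=${VPN_SERVER:-lomy.club}   # hostname or IP of the IPsec/L2TP server
NAME=${NAME:-liugang}                 # L2TP/PPP username
PASSWORD=${PASSWORD:-liugang}         # L2TP/PPP password
PSK=${PSK:-xiangzhi.123}              # IPsec pre-shared key
#### your vpn info #####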
# Write all arguments as one message to stderr. When stderr is a terminal
# the text is bold red; otherwise it is prefixed with "<3>" (the syslog/
# journald "err" priority tag, presumably for runs under systemd).
report_error() {
  local before after
  if [[ -t 2 ]]; then
    before=$(tput bold; tput setaf 1)
    after=$(tput sgr0)
  else
    before="<3>"
    after=""
  fi
  printf '%s%s%s\n' "$before" "$*" "$after" >&2
}
# Report the message via report_error, then terminate the whole script
# with exit status 1.
exit_error() {
  report_error "$@"; exit 1
}
## Exit if we are not effectively root
# $1 (optional): program name for the error message; defaults to $0.
ensure_root() {
  if (( EUID != 0 )); then
    exit_error "${1-$0} needs root privileges"
  fi
}
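ensure_root "$(basename "$0")"

# help info: exactly one argument is required AND it must be one of the
# documented actions. The dispatcher at the bottom of the script runs the
# argument as a command, so without this whitelist any word passed on the
# command line would be executed as root.
if [[ $# -ne 1 || ! $1 =~ ^(init|start|stop|up)$ ]]; then
  echo "Usage: $(basename "$0") {init|start|stop|up}"
  exit 1
fi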
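# Print the IPv4 address(es) configured on interface $1, one per line,
# with the prefix length stripped. Prints nothing when the interface has
# no IPv4 address or does not exist (`ip` errors go to stderr).
# $1 is now quoted so an empty or odd interface name is passed intact.
function getIP(){
  ip addr show "$1" | grep "inet " | awk '{print $2}' | sed 's:/.*::'
}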
# Print the next hop of the last default route in the main table, or
# nothing if there is no default route.
function getGateWay(){
  local routes
  routes=$(ip route show default)
  awk '/default/ {print $3}' <<<"$routes" | tail -n1
}
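# Print the next hop ("via" field) of the first route whose line contains
# the resolved VPN server address $VPN_ADDR (set by initGlobalVar).
# The address is matched as a fixed string: as a plain grep pattern the
# dots of an IPv4 literal are wildcards and could pick an unrelated route.
# Not called anywhere else in this script at present.
function getVPNGateWay(){
  ip route | grep -m 1 -F -- "$VPN_ADDR" | awk '{print $3}'
}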
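# Resolve $1 with `host` and print the last "has address" (IPv4) result.
# Falls back to printing $1 unchanged when no address is found - e.g. $1
# is already an IP literal, or the lookup fails.
# Fixes: `addr` is now local (it used to leak as a global) and $1 is quoted.
function getADDR() {
  local addr
  addr=$(host "$1" | grep "has address" | sed 's/.*has address//g' | tail -n1)
  if [[ $addr ]]; then
    # sed leaves the separating space in front of the address; drop it.
    printf '%s\n' "${addr//[[:space:]]/}"
  else
    printf '%s\n' "$1"
  fi
}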
# Fill the globals the other commands depend on and echo them:
#   VPN_ADDR   - VPN server resolved to an address literal (getADDR)
#   GW_ADDR    - current default gateway (getGateWay)
#   LOCAL_ADDR - IPv4 address on $IFACE (getIP)
function initGlobalVar() {
  VPN_ADDR=$(getADDR "$VPN_SERVER")
  GW_ADDR=$(getGateWay)
  LOCAL_ADDR=$(getIP "$IFACE")
  printf '\n==global variables info\n'
  printf 'VPN_ADDR=%s, GW_ADDR=%s, LOCAL_ADDR=%s\n\n' "$VPN_ADDR" "$GW_ADDR" "$LOCAL_ADDR"
}
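# Write the client-side configuration for strongSwan (IKEv1 + PSK, transport
# mode to UDP/1701), xl2tpd and pppd from the variables at the top of the
# file. Everything is written under /etc, hence the root check earlier.
#
# Changes versus the original:
#  * the password and PSK are no longer echoed to stdout (terminal scrollback
#    and logs); only whether they are set is shown;
#  * /etc/ipsec.secrets and /etc/ppp/options.server, which hold the PSK and
#    the plaintext PPP password, are created 0600 - before they inherited the
#    default umask and were typically world-readable.
function init(){
  echo
  echo "== your conf info"
  echo "Iface: $IFACE"
  echo "VPN Server: $VPN_SERVER"
  echo "Username: $NAME"
  echo "Password: $(_present "$PASSWORD")"
  echo "IPsec PSK: $(_present "$PSK")"
  echo
  _write_ipsec_conf
  _write_ipsec_secrets
  _write_xl2tpd_conf
  _write_ppp_options
}

# Print "(set)" or "(empty)" for $1 without revealing its value.
function _present(){
  if [[ -n $1 ]]; then echo "(set)"; else echo "(empty)"; fi
}

# Truncate/create $1 and make it owner-only before any secret is written.
function _create_private_file(){
  : > "$1"
  chmod 600 "$1"
}

# strongSwan connection definition. Section parameters are indented, which
# is the layout the ipsec.conf parser expects. The cipher lists still carry
# legacy 3DES/SHA1/MD5 proposals - presumably for interoperability with the
# server (see the linked NetworkManager-l2tp note); once the server is known
# to accept the AES/SHA-256 proposals, drop the legacy entries.
function _write_ipsec_conf(){
  cat > /etc/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file
# https://wiki.strongswan.org/projects/strongswan/wiki/Connsection

# basic configuration
config setup
  # strictcrlpolicy=yes
  # uniqueids = no

# Add connections here.
# Sample VPN connections
conn %default
  authby=secret
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  # https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Known-Issues#querying-vpn-server-for-supported-ipsec-ikev1-ciphers
  ike=aes128-sha256-modp3072,aes128-sha1-modp2048,3des-sha1-modp1024
  esp=aes128-sha256,aes128-sha1,3des-sha1,3des-md5
  # ike=aes128-sha1-modp2048!
  # esp=aes128-sha1-modp2048!

conn myvpn
  left=%defaultroute
  auto=add
  authby=secret
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=$VPN_ADDR
EOF
}

# PSK valid for any peer (": PSK"). NOTE: a PSK containing a double quote
# would break this one-line format.
function _write_ipsec_secrets(){
  _create_private_file /etc/ipsec.secrets
  printf ': PSK "%s"\n' "$PSK" > /etc/ipsec.secrets
}

# xl2tpd LAC pointing at the VPN server; pppd options come from the file
# written by _write_ppp_options.
function _write_xl2tpd_conf(){
  cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global]
; no need for listen-addr

[lac myvpn]
; DNS name or VPN server IP
lns = $VPN_ADDR
ppp debug = no
pppoptfile = /etc/ppp/options.server
EOF
}

# pppd options for the L2TP session. Contains the plaintext username and
# password, so the file is created owner-only. Per pppd(8), `noauth` means
# this client does not demand that the server authenticate itself; the
# reduced mtu/mru presumably leave room for the L2TP+IPsec encapsulation.
function _write_ppp_options(){
  _create_private_file /etc/ppp/options.server
  cat > /etc/ppp/options.server <<EOF
# logfd 2
# logfile /var/log/l2tpd.log
ipcp-accept-local
ipcp-accept-remote
ms-dns 114.114.114.114
refuse-eap
require-mschap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1200
mru 1200
defaultroute
noipdefault
usepeerdns
# debug
proxyarp
connect-delay 5000
name $NAME
password $PASSWORD
EOF
}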
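# Bring the tunnel up: restart strongSwan and xl2tpd, initiate the IPsec SA,
# tell xl2tpd to connect the "myvpn" LAC, then move the default route onto
# ppp0 while keeping the VPN server reachable via the physical gateway.
# Finally asks cip.cc which public address the world now sees.
# Returns 1 (after an error message) if ppp0 never obtained an address;
# previously that case produced a broken `ip route add default via  dev ppp0`
# whose failure was silenced.
function start(){
  echo
  echo "==start"
  echo ">>start service"
  systemctl restart strongswan-starter
  sleep 2
  systemctl restart xl2tpd
  sleep 2
  echo ">>start ipsec"
  ipsec stroke loglevel ike 2
  ipsec up myvpn
  echo
  echo ">>connect vpn"
  echo "c myvpn" > /var/run/xl2tpd/l2tp-control
  sleep 6   # fixed grace period for PPP negotiation; there is no readiness check
  echo ">>route"
  # Host routes via the original gateway. Failures (e.g. "File exists" on a
  # re-run) are non-fatal and therefore suppressed, as in the original.
  # NOTE(review): the route for $LOCAL_ADDR (this host's own address) is kept
  # from the original; its purpose is unclear - confirm it is intended.
  ip route add "$LOCAL_ADDR" via "$GW_ADDR" dev "$IFACE" >/dev/null 2>&1
  ip route add "$VPN_ADDR" via "$GW_ADDR" dev "$IFACE" >/dev/null 2>&1
  local ip_ppp0
  ip_ppp0=$(getIP ppp0 2>/dev/null | head -n1)
  if [[ -z $ip_ppp0 ]]; then
    report_error "ppp0 has no IPv4 address - the L2TP/PPP session did not come up (check xl2tpd/pppd logs)"
    return 1
  fi
  ip route add default via "$ip_ppp0" dev ppp0 >/dev/null 2>&1
  echo "test.."
  # Plain-HTTP query to a third-party echo service: it only shows which
  # address the outside sees, it is not an integrity check of the tunnel.
  local vpn_ip
  vpn_ip=$(curl -s --connect-timeout 1 -m 2 cip.cc | tail -1 | sed 's/.*cip.cc\///g')
  echo "current ip is $vpn_ip"
  # Quoted right-hand side: compare literally rather than as a glob pattern.
  if [[ "$vpn_ip" == "$VPN_ADDR" ]]; then
    echo "enjoy it"
  else
    echo "failed"
  fi
}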
# Tear the tunnel down in reverse order: close the IPsec SA, disconnect the
# L2TP LAC, stop both daemons, and delete the two host routes that start()
# added. The default route is not touched here (the commented-out lines
# show the author considered restoring it).
function stop(){
  printf '\n==stop\n'
  printf '>>stop ipsec\n'
  ipsec down myvpn
  printf '>>disconnect vpn\n'
  printf 'd myvpn\n' > /var/run/xl2tpd/l2tp-control
  printf '>>stop service\n'
  systemctl stop xl2tpd
  systemctl stop strongswan-starter
  printf '>>route\n'
  local host_route
  for host_route in "$LOCAL_ADDR" "$VPN_ADDR"; do
    ip route del $host_route via $GW_ADDR dev $IFACE
  done
  # ip route del default via $(getIP ppp0) dev ppp0
  # ip route del default
  # ip route add default via $GW_ADDR
  printf 'stoped\n\n'
}
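initGlobalVar

# Dispatch on the sub-command. Only the four documented actions can be
# invoked: the original `$1` ran the argument verbatim as a command, so any
# other word (e.g. `./vpn.sh "rm -rf /"`) would have been executed as root.
case "${1-}" in
  up)
    stop && init && start
    ;;
  init|start|stop)
    "$1"
    ;;
  *)
    echo "Usage: $(basename "$0") {init|start|stop|up}"
    exit 1
    ;;
esac
exit 0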
VPN_IPSEC_PSK=xiangzhi.123 | |
VPN_USER=liugang | |
VPN_PASSWORD=liugang |