Forked from jhenkens/Raspberry Pi L2TP VPN Setup Scripts.md
Created
July 2, 2014 21:51
-
-
Save martakus/343b83406e545523ed8d to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ServerPasswordSet ADMINPASSWORD | |
HubCreate VPN /PASSWORD: | |
hubdelete default | |
Hub VPN | |
UserCreate USERNAME /GROUP:none /REALNAME:none /NOTE:none | |
UserPasswordSet USERNAME /PASSWORD:TESTPASS | |
OpenVPNEnable no /PORTS:1194 | |
sstpenable no | |
SecureNatDisable | |
natdisable | |
dhcpdisable | |
bridgecreate VPN /DEVICE:soft /TAP:yes | |
ipsecenable /L2TP:yes /L2TPRAW:no /ETHERIP:no /PSK:TESTSECRET /DEFAULTHUB:VPN | |
keepdisable | |
vpnovericmpdnsenable /ICMP:no /DNS:no | |
listenerdelete 1194 | |
listenerdelete 5555 | |
listenerdelete 992 | |
ServerCipherset AES256-SHA | |
flush | |
exit |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
auto lo | |
iface lo inet loopback | |
auto br0 | |
iface br0 inet dhcp | |
bridge_ports eth0 | |
bridge_stp off | |
bridge_waitport 0 | |
bridge_maxwait 0 | |
bridge_fd 0 | |
post-up ip link set br0 address MACADDRESS | |
allow-hotplug eth0 | |
iface eth0 inet manual |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
iptables --table nat --append POSTROUTING --jump MASQUERADE | |
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf | |
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf | |
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf | |
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done | |
sysctl -p | |
echo " | |
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > \$vpn/accept_redirects; echo 0 > \$vpn/send_redirects; done | |
iptables -A FORWARD -i br0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT | |
iptables -A FORWARD -i br0 -o br0 -j ACCEPT" >> /etc/rc.local |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[L2TPVPN] | |
title=Johan's L2TP | |
description=Dis is a VPN | |
ports=500,1701,4500/udp|1701,1723/tcp |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Install raspbian, set up your users however you would like, so long as you have | |
sudo access on the user you are running this with. You probably want to resize | |
the image so it fills the SD card as well. | |
1) Copy this entire gist to your raspberry pi | |
2) Run step1.sh | |
a) This script does a few things - it first updates your raspberry pi, then | |
it installs a few needed utilities, then it upgrades the firmware on your | |
raspberry pi | |
b) Next, it sets up a few iptables rules in /etc/rc.local. Please verify | |
that there is not an 'exit 0' statement before those rules are run, as the | |
'exit 0' will obviously prevent them from being loaded | |
c) It downloads softether for raspberry pi, extracts it to | |
/usr/local/vpnserver, agrees to the license terms, and then "makes" it. | |
d) It changes the permissions as necessary on the /usr/local/vpnserevr files | |
e) It adds the ufw profile for l2tpvpn's and allows it (But it doesn't enable | |
ufw if it isn't already enabled) | |
f) It adds the init.d script to start up the vpn server on startup | |
A) Please enable ufw if you would like your pi to be more secure. The | |
IPTables and ufw rules should allow you to simple type 'sudo ufw enable' and | |
everything should work | |
B) Please check /etc/rc.local to ensure that 'exit 0' does not come before | |
the iptables commands | |
C) Unless you are confident in managing the services manually, please reboot | |
your pi to make sure everything is working nicely. | |
2) Run step2.sh | |
a) This script sets up the softether VPN config for an L2TP/IPSec vpn | |
b) It will ask you various things in order and then stream-edit them into | |
a copy of the 'commands.in' file, which it will then use to configure the | |
softether server with. | |
c) This script only works with a clean-install of softether - if you have | |
already placed a password on softether, it will not work | |
d) The soft-ether admin password is used only to administer the server | |
using the vpncmd program or the softether gui for Windows | |
e) The IPSec secret is the shared secret for all the IPSec connection | |
f) The User/Pass are for one specific account, and do not have to match your | |
unix account | |
g) The script also grabs the mac address of the Raspberry Pi's 'eth0' | |
interface, and then sets up the /etc/network/interfaces to use a bridge with | |
that mac address rather than the ethernet adapter direction | |
1) This is because we have softether binding to a TAP, which we then | |
need to bridge together, so that we can access the raspberry pi via the | |
vpn. If we did a local bridge directly onto eth0, we would be able to | |
access everything but the raspberry pi when connected via VPN | |
A) Please check /etc/network/interfaces to make sure things look good! You | |
shouldn't see MACADDRESS in the file, and you should see it making a bridge, | |
and that eth0 is set to manual with no additional settings | |
Lastly, which you must do on your own, | |
Set up a dhcp reservation for your Raspberry Pi in your router (essentially a | |
DHCP assigned static IP). If you cannot do this, you may want to mess around | |
with the bridge settings and assign the pi a static IP that way. Then, you need | |
to forward ports 1701tcp, 4500udp, and 500udp from your router to your Raspberry Pi | |
That should be it! Feel free to message me if you have issues, but only if you | |
are using a raspberrypi and raspbian. I may or may not be able to get back to | |
you. If you make modifications to these scripts to work for other OS's, it might | |
be nice if you shared them with us. If you have any tips on how I should improve | |
my PI's, let me know! |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#! /bin/bash | |
DOWNLOADURL="http://www.softether-download.com/files/softether/v4.08-9449-rtm-2014.06.08-tree/Linux/SoftEther%20VPN%20Server/32bit%20-%20ARM%20EABI/softether-vpnserver-v4.08-9449-rtm-2014.06.08-linux-arm_eabi-32bit.tar.gz" | |
sudo apt-get update | |
sudo apt-get dist-upgrade -y | |
sudo apt-get install vim git-core ufw moreutils lsof rpi-update build-essential curl bridge-utils -y | |
sudo rpi-update | |
sudo ./iptables.sh | |
curl $DOWNLOADURL -s | sudo tar xzvf - -C /usr/local/ | |
pushd . | |
cd /usr/local/vpnserver | |
echo "1 | |
1 | |
1 | |
1 | |
" | sudo make | |
popd | |
sudo chmod 755 /usr/local/vpnserver | |
sudo chmod 600 /usr/local/vpnserver/* | |
sudo chmod 700 /usr/local/vpnserver/vpncmd | |
sudo chmod 700 /usr/local/vpnserver/vpnserver | |
sudo cp l2tpvpn /etc/ufw/applications.d/ | |
sudo chmod 644 /etc/ufw/applications.d/l2tpvpn | |
sudo ufw allow L2TPVPN | |
sudo ufw allow ssh | |
sudo cp vpnserver /etc/init.d/ | |
sudo chmod 755 /etc/init.d/vpnserver | |
sudo update-rc.d vpnserver defaults | |
echo "Please enable UFW if you would like to be more secure (sudo ufw enable)" | |
echo "Please check /etc/rc.local. If 'exit 0' occurs before the iptables rules, | |
please edit so that 'exit 0' is after." | |
echo "ATTENTION: Please restart before next step to ensure new raspberry pi | |
firmware is loaded and vpn server starts" | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
HOSTNAME=`hostname` | |
CONFIGBASEFILENAME=commands.in | |
NETWORKBASEFILENAME=interfaces | |
mkdir .vpnsetuptemp | |
cp $CONFIGBASEFILENAME $NETWORKBASEFILENAME .vpnsetuptemp/ | |
CONFIG=.vpnsetuptemp/$CONFIGBASEFILENAME | |
CONFIG2=.vpnsetuptemp/$NETWORKBASEFILENAME | |
echo "Please enter your softether admin password: " | |
read softadmin | |
echo "Please enter your IPSEC Secret: " | |
read secret | |
echo "Please enter your l2tp username: " | |
read username | |
echo "Please enter your l2tp password: " | |
read pass | |
sed -i "s/ADMINPASSWORD/$softadmin/g" $CONFIG | |
sed -i "s/USERNAME/$username/g" $CONFIG | |
sed -i "s/TESTPASS/$pass/g" $CONFIG | |
sed -i "s/TESTSECRET/$secret/g" $CONFIG | |
sed -i "s/MACADDRESS/`cat /sys/class/net/eth0/address`/g" $CONFIG2 | |
sudo /usr/local/vpnserver/vpncmd localhost:443 /SERVER /IN:$CONFIG | |
sudo cp /etc/network/interfaces /etc/network/interfaces.orig.bak | |
sudo cp $CONFIG2 /etc/network/interfaces | |
sudo rm -r .vpnsetuptemp | |
echo "You need to reboot for settings to take effect. PLEASE CHECK | |
/etc/network/interfaces TO make sure things look right! If they do | |
not, please edit accordingly, especially if working remotely!!!!" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
### BEGIN INIT INFO | |
# Provides: vpnserver | |
# Required-Start: $network $syslog $remote_fs | |
# Required-Stop: $network $syslog $remote_fs | |
# Default-Start: 2 3 4 5 | |
# Default-Stop: 0 1 6 | |
# Short-Description: start firewall | |
### END INIT INFO | |
# chkconfig: 2345 99 01 | |
# description: SoftEther VPN Server | |
DAEMON=/usr/local/vpnserver/vpnserver | |
LOCK=/var/lock/vpnserver | |
test -x $DAEMON || exit 0 | |
case "$1" in | |
start) | |
$DAEMON start | |
touch $LOCK | |
TIMEOUTCOUNTER=0 | |
MAXTIMEOUT=50 | |
SLEEPINTERVAL=0.5 | |
until ifconfig tap_soft 1>/dev/null 2>&1; do | |
TIMEOUTCOUNTER=$((TIMEOUTCOUNTER + 1)) | |
sleep $SLEEPINTERVAL | |
if (( $TIMEOUTCOUNTER > $MAXTIMEOUT )); then | |
echo "Time out waiting for device to come online. Could not add to bridge" 1>&2 | |
exit 1 | |
fi | |
done | |
brctl addif br0 tap_soft | |
;; | |
stop) | |
$DAEMON stop | |
rm $LOCK | |
;; | |
restart) | |
$DAEMON stop | |
sleep 3 | |
$DAEMON start | |
;; | |
*) | |
echo "Usage: $0 {start|stop|restart}" | |
exit 1 | |
esac | |
exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment