L2TP/IPsecゲートウェイチンポソイヤ
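#!/usr/bin/env bash
# Bring up the NetworkManager L2TP/IPsec connection named "vpn" and make this
# host a NAT gateway for it: LAN hosts that point a static route at this box's
# bridge-side address get their traffic masqueraded out over the tunnel.
#
# Environment (optional overrides):
#   VPN_IF       tunnel interface to masquerade out of (default: ppp0)
#   NETPLAN_CFG  netplan file whose `set-name:` names the uplink NIC
#                (default: /etc/netplan/50-cloud-init.yaml)
#
# Must run as root (nmcli, iptables). Tracing stays on as in the original
# (`bash -x`); this script handles no secrets, so the trace is safe to log.
# Note that `-x` in a shebang is lost when run as `bash script.sh`, hence `set`.
set -x

VPN_IF="${VPN_IF:-ppp0}"
NETPLAN_CFG="${NETPLAN_CFG:-/etc/netplan/50-cloud-init.yaml}"

nmcli connection up vpn

# Uplink NIC: the first `set-name:` value in the cloud-init netplan file.
# This is a text match, not a YAML parse; it assumes a single set-name entry.
NAT_NIC="$(awk '/set-name/ { print $2; exit }' "${NETPLAN_CFG}")"
# An empty NAT_NIC would make the exclusion below match every link, leaving
# BRIDGE_NIC empty and the iptables rules malformed — fail early instead.
: "${NAT_NIC:?could not read set-name from ${NETPLAN_CFG}}"

# LAN-facing NIC: the first link in state UP whose name is not the uplink
# (exact name match; `ip -o link` prints the name in field 2 with a trailing colon).
BRIDGE_NIC="$(ip -o link | awk -v skip="${NAT_NIC}" '/state UP/ { sub(/:$/, "", $2); if ($2 != skip) { print $2; exit } }')"
: "${BRIDGE_NIC:?no UP interface other than ${NAT_NIC} found}"

# First IPv4 address on the LAN NIC — the next hop LAN hosts should route via.
IP_ADDR="$(ip addr show dev "${BRIDGE_NIC}" | grep 'inet\b' | awk '{print $2}' | cut -d/ -f1 | head -n1)"

#######################################
# Append an iptables rule only if it is not already present, so re-running
# after a reconnect does not stack duplicates (`-A` alone never dedups).
# Arguments: $1 - table (nat|filter); rest - chain and match/target spec
#######################################
ensure_rule() {
  local table=$1
  shift
  iptables -t "${table}" -C "$@" 2>/dev/null || iptables -t "${table}" -A "$@"
}

# Source-NAT everything leaving over the tunnel to the tunnel's own address.
ensure_rule nat POSTROUTING -o "${VPN_IF}" -j MASQUERADE
# LAN -> tunnel: the direction LAN hosts initiate; MASQUERADE only ever sees
# LAN-originated flows, so NEW must be accepted here.
ensure_rule filter FORWARD -i "${BRIDGE_NIC}" -o "${VPN_IF}" -j ACCEPT
# Tunnel -> LAN: only replies to flows the LAN opened. The original had these
# two directions swapped (RELATED,ESTABLISHED on LAN->tunnel, unconditional
# ACCEPT on tunnel->LAN), which let the VPN side open connections into the LAN
# while new LAN-originated flows matched nothing. Both ACCEPT rules only
# restrict anything if the FORWARD chain's policy is DROP, which this script
# does not set.
ensure_rule filter FORWARD -i "${VPN_IF}" -o "${BRIDGE_NIC}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Report only when a connection named exactly "vpn" is active (the original
# prefix-matched `^vpn`, which would also accept e.g. "vpn2").
if nmcli -g NAME connection show --active | grep -qx 'vpn'; then
  cat <<EOS
##################################################
VPN connected.
Please set static route to ${IP_ADDR}
##################################################
EOS
fi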
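#!/usr/bin/env bash
# Provision an Ubuntu host as an L2TP/IPsec client gateway.
#
# Steps, in order: point apt at the JP mirror and install strongSwan, xl2tpd
# and NetworkManager-l2tp; write the NM connection "vpn" from environment
# variables; switch netplan's renderer to NetworkManager (disabling
# systemd-networkd); import the connection and store its password in the
# keyfile; enable IPv4 forwarding and disable ICMP redirects.
#
# Inputs come from an env file (ENV_FILE, default /tmp/.env) that defines
# VPN_ADDRESS, VPN_USERNAME, VPN_PASSWORD, VPN_PSK and VPN_GATEWAY_ID.
# Optional: IMPORT_RETRIES (default 120) bounds the wait for NetworkManager to
# accept the import. Must run as root. Re-runs are safe: the PSK line and the
# keyfile password are only appended once.

ENV_FILE="${ENV_FILE:-/tmp/.env}"
IMPORT_RETRIES="${IMPORT_RETRIES:-120}"
VPN_CONF=/root/vpn.conf
NM_KEYFILE=/etc/NetworkManager/system-connections/vpn

die() { printf '%s\n' "$*" >&2; exit 1; }

# The env file is executed by this root shell, so whoever can write it gets
# root. /tmp is world-writable (anyone can pre-create /tmp/.env), so refuse
# symlinks and anything not owned by root or writable by group/other.
# Prefer a path under /root and pass it via ENV_FILE.
[[ -L "${ENV_FILE}" ]] && die "refusing to source symlink ${ENV_FILE}"
[[ -f "${ENV_FILE}" ]] || die "env file ${ENV_FILE} not found"
[[ "$(stat -c '%u' -- "${ENV_FILE}")" == "0" ]] || die "${ENV_FILE} must be owned by root"
(( 8#$(stat -c '%a' -- "${ENV_FILE}") & 8#022 )) && die "${ENV_FILE} must not be group/world-writable"

# shellcheck disable=SC1090
source "${ENV_FILE}"
: "${VPN_ADDRESS:?VPN_ADDRESS unset in ${ENV_FILE}}"
: "${VPN_USERNAME:?VPN_USERNAME unset in ${ENV_FILE}}"
: "${VPN_PASSWORD:?VPN_PASSWORD unset in ${ENV_FILE}}"
: "${VPN_PSK:?VPN_PSK unset in ${ENV_FILE}}"
# VPN_GATEWAY_ID is passed through as-is; the original did not require it.

# The original ran under `bash -x` from the shebang, which traced the env file
# (every secret assignment) and the echo lines writing the PSK and password
# into stderr and therefore any log collector. Tracing is enabled only here,
# after the secrets are loaded, and paused around the secret writes below.
set -x

export DEBIAN_FRONTEND=noninteractive

## Install
sed -i.bak -e 's|http://archive.ubuntu.com|http://jp.archive.ubuntu.com|g' /etc/apt/sources.list
apt-get update
apt-get install -y strongswan xl2tpd network-manager network-manager-l2tp

## Connection definition for `nmcli connection import`; normally needs no edits.
# It holds the PSK, so create it 0600 (umask in a subshell keeps the change local).
# NOTE(review): ipsec-ike=3des-sha1-modp1024 / ipsec-esp=aes128-sha1 are legacy
# proposals (3DES, SHA-1, 1024-bit DH). They have to match what the gateway
# offers, so they are left as in the original; raise them (e.g. AES-256,
# SHA-256, modp2048 or stronger) if the gateway allows it.
(
  umask 077
  cat <<EOS > "${VPN_CONF}"
[connection]
id=vpn
[vpn]
gateway=${VPN_ADDRESS}
user=${VPN_USERNAME}
refuse-eap=true
refuse-pap=true
refuse-chap=false
refuse-mschap=true
refuse-mschapv2=true
lcp-echo-failure=5
lcp-echo-interval=30
mru=1200
mtu=1200
ipsec-enabled=true
ipsec-gateway-id=${VPN_GATEWAY_ID}
ipsec-psk=${VPN_PSK}
ipsec-ike=3des-sha1-modp1024
ipsec-esp=aes128-sha1
[ip4]
method=auto
ignore-auto-routes=false
ignore-auto-dns=false
dhcp-send-hostname=true
never-default=false
EOS
)

# strongSwan reads the PSK from ipsec.secrets; keep it root-only (a fresh file
# under the default umask would otherwise be world-readable). Written with
# tracing off so the PSK is not echoed, and only once so re-runs do not
# duplicate the line.
set +x
( umask 077; touch /etc/ipsec.secrets )
chmod 600 /etc/ipsec.secrets
psk_line="${VPN_ADDRESS} : PSK \"${VPN_PSK}\""
grep -qxF -- "${psk_line}" /etc/ipsec.secrets || printf '%s\n' "${psk_line}" >> /etc/ipsec.secrets
set -x

## Switch netplan to NetworkManager
systemctl enable --now NetworkManager
systemctl disable --now systemd-networkd
cat <<EOS > /etc/netplan/99-networkmanager.yaml
network:
  version: 2
  renderer: NetworkManager
EOS
netplan apply

## Import, then force the password into the keyfile
# NetworkManager may not accept the import right after the renderer switch;
# retry once a second, bounded so a broken setup fails instead of spinning forever.
imported=0
for (( attempt = 0; attempt < IMPORT_RETRIES; attempt++ )); do
  if nmcli connection import type l2tp file "${VPN_CONF}"; then
    imported=1
    break
  fi
  sleep 1
done
(( imported )) || die "nmcli import of ${VPN_CONF} failed after ${IMPORT_RETRIES} attempts"

# Newer NetworkManager releases write keyfiles with a .nmconnection suffix.
[[ -f "${NM_KEYFILE}.nmconnection" ]] && NM_KEYFILE="${NM_KEYFILE}.nmconnection"
[[ -f "${NM_KEYFILE}" ]] || die "keyfile ${NM_KEYFILE} was not created by the import"

# password-flags=0 tells NM the password lives in the keyfile itself.
# No .bak copy is left behind: NM scans this directory and a stale copy of the
# profile is not wanted there.
grep -q '^password-flags=0' "${NM_KEYFILE}" \
  || sed -i -e 's|\[vpn\]|\[vpn\]\npassword-flags=0|' "${NM_KEYFILE}"
set +x
if ! grep -q '^password=' "${NM_KEYFILE}"; then
  printf '[vpn-secrets]\npassword=%s\n' "${VPN_PASSWORD}" >> "${NM_KEYFILE}"
fi
set -x

# A plain `systemctl restart` did not pick up the edited keyfile; stop/start does.
systemctl stop NetworkManager
systemctl start NetworkManager
netplan apply

## Router: forward IPv4, and neither send nor honour ICMP redirects.
# `eth0` is hard-coded from the original; on a host without that interface,
# sysctl --system presumably logs the missing keys and continues, and the
# all/default entries still apply — confirm on the target.
cat <<EOS > /etc/sysctl.d/99-vpn.conf
net.ipv4.ip_forward=1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
EOS
sysctl --system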