#!/usr/bin/env bash
# Provision a strongSwan IKEv2 server: Let's Encrypt certificates, ipsec.conf /
# ipsec.secrets and the NAT/firewall rules. Dispatched by the case statement at
# the bottom of the file (cert | init | iptables).
# See https://hub.zhovner.com/geek/universal-ikev2-server-configuration
# stek29 2018.11

# -e abort on error, -u unset variables are errors, -x trace every command to
# stderr, pipefail: a pipeline fails if any of its stages fails.
set -euxo pipefail

# Site-specific settings -- edit these before running.
DOMAIN="tunnel.example.com"                 # hostname on the Let's Encrypt cert
IPv4_PUBLIC="115.116.101.107"               # address client traffic is SNAT'ed to
IPv4_NET="10.1.1.0/24"                      # IPv4 pool handed out to clients
IPv6_NET="2a01:cafe:babe:feed:face::/112"   # IPv6 pool handed out to clients
DNSv4="1.1.1.1"                             # resolvers pushed to clients
DNSv6="2606:4700:4700::1111"
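#######################################
# One-time provisioning: obtain the Let's Encrypt certificate for DOMAIN and
# install strongSwan with the charon plugins needed for EAP/IKEv2.
# Globals:   DOMAIN (read)
# Arguments: none
# Returns:   non-zero (via set -e) if certbot or the package install fails
#######################################
initstuff() {
  # --standalone makes certbot bind port 80 itself, so nothing else may be
  # listening there while this runs.
  certbot certonly --standalone -d "${DOMAIN}"
  # apt-get -y instead of plain "apt install": apt's CLI is not meant for
  # scripts and without -y the install prompts, which aborts when stdin is
  # not a terminal.
  apt-get install -y strongswan libcharon-standard-plugins libcharon-extra-plugins
}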
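#######################################
# Convert the Let's Encrypt PEM files into the DER files strongSwan expects
# under /etc/ipsec.d and install the private key with restrictive permissions.
# Globals:   DOMAIN (read)
# Arguments: none
# Outputs:   /etc/ipsec.d/cacerts/intermediate1.crt, /etc/ipsec.d/cacerts/ca.crt,
#            /etc/ipsec.d/certs/${DOMAIN}.crt, /etc/ipsec.d/private/${DOMAIN}.pem
# Returns:   1 if the issuing CA is not in the system trust store; otherwise
#            non-zero (via set -e) if any openssl/install step fails
#######################################
certstuff() {
  local -r live="/etc/letsencrypt/live/${DOMAIN}"
  local -r interm="${live}/chain.pem"
  local ca_src

  # Intermediate cert. "openssl x509" reads only the first certificate in
  # chain.pem, i.e. the intermediate that signed the server certificate.
  openssl x509 -outform der \
    -in "$interm" \
    -out /etc/ipsec.d/cacerts/intermediate1.crt

  # CA for the intermediate: looked up in the system trust store by the
  # issuer's subject hash (".0" is the first file for that hash). Fail with a
  # clear message instead of an opaque openssl error if it is not there.
  ca_src="/etc/ssl/certs/$(openssl x509 -in "$interm" -noout -issuer_hash).0"
  if [[ ! -r "$ca_src" ]]; then
    printf 'certstuff: issuing CA not found in trust store: %s\n' "$ca_src" >&2
    return 1
  fi
  openssl x509 -outform der \
    -in "$ca_src" \
    -out /etc/ipsec.d/cacerts/ca.crt

  # Server cert
  openssl x509 -outform der \
    -in "${live}/cert.pem" \
    -out "/etc/ipsec.d/certs/${DOMAIN}.crt"

  # Server key: copy and set mode 0600 in a single step so the key is never
  # readable by group/other, not even between the copy and the chmod, and
  # regardless of umask or the source file's mode (the earlier cp + chmod
  # o-r/g-r only cleared the read bits and left write bits alone).
  install -m 0600 -- "${live}/privkey.pem" "/etc/ipsec.d/private/${DOMAIN}.pem"
}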
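#######################################
# Write /etc/ipsec.conf and /etc/ipsec.secrets from the settings at the top of
# the file. Both files are overwritten.
# Globals:   DOMAIN, IPv4_NET, IPv6_NET, DNSv4, DNSv6 (read)
#            EAP_USER, EAP_PASS (read, optional): the EAP login written to
#            ipsec.secrets. They default to the original testuser/testpass so
#            existing invocations keep working, but a well-known default login
#            on an internet-facing VPN must be overridden before the server is
#            exposed (set them in the environment when running "init").
# Arguments: none
# Outputs:   /etc/ipsec.conf, /etc/ipsec.secrets (mode forced to 0600)
# Notes:     the ike= proposal below still offers modp1024 (1024-bit DH); it is
#            kept because the author relies on it for broad client support.
#            Drop it once all clients handle modp2048.
#            EAP_PASS is written inside double quotes, so it must not contain
#            a double quote.
#######################################
confstuff() {
  # ipsec.conf is indentation-sensitive: a line without leading whitespace
  # starts a new section, indented lines are parameters of the current one,
  # so the parameter lines below must stay indented.
  cat > /etc/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
# Add connections here.
conn %default
    # Most universal cypher list for all platforms
    # Comment this line if connection fails
    ike=aes256-sha256-modp1024,aes256-sha256-modp2048
    # Dead peer detection will ping clients and terminate sessions after timeout
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=2000s
    keyexchange=ikev2
    auto=add
    rekey=no
    reauth=no
    fragmentation=yes
    #compress=yes
    # left - local (server) side
    leftcert=${DOMAIN}.crt # Filename of certificate located at /etc/ipsec.d/certs/
    leftsendcert=always
    # Routes pushed to clients. If you don't have ipv6 then remove ::/0
    leftsubnet=0.0.0.0/0,2000::/0
    # right - remote (client) side
    eap_identity=%identity
    # ipv4 and ipv6 subnets that assigns to clients. If you don't have ipv6 then remove it
    rightsourceip=${IPv4_NET},${IPv6_NET}
    rightdns=${DNSv4},${DNSv6}
# Windows and BlackBerry clients usually goes here
conn ikev2-mschapv2
    rightauth=eap-mschapv2
# Apple clients usually goes here
conn ikev2-mschapv2-apple
    rightauth=eap-mschapv2
    leftid=${DOMAIN}
EOF

  # Create/truncate the secrets file with mode 0600 *before* any secret is
  # written: a plain "cat >" would create it with the umask default, leaving
  # the EAP password readable by every local user.
  install -m 0600 /dev/null /etc/ipsec.secrets
  cat > /etc/ipsec.secrets <<EOF
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: RSA ${DOMAIN}.pem
${EAP_USER:-testuser} : EAP "${EAP_PASS:-testpass}"
EOF
}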
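#######################################
# Append an iptables rule unless an identical one is already present, so
# re-running the script does not pile up duplicate rules.
# Arguments: $1 - table (nat, filter, ...), $2 - chain, $3.. - rule spec
# Returns:   iptables' exit status of the append; 0 if the rule already existed
#######################################
_iptables_add_rule() {
  local -r table=$1 chain=$2
  shift 2
  # -C reports "Bad rule" on stderr when the rule is absent; that is the
  # expected path, so its stderr is suppressed.
  iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
    || iptables -t "$table" -A "$chain" "$@"
}

#######################################
# Firewall/NAT rules for the VPN: SNAT client IPv4 traffic leaving the pool to
# the public address and accept IKE (500/udp) and NAT-T (4500/udp).
# Globals:   IPv4_NET, IPv4_PUBLIC (read)
# Arguments: none
# Notes:     rules are added to the running ruleset only; they are not
#            persisted across reboots.
#######################################
iptablesstuff() {
  # Variables are quoted (the original left them unquoted, SC2086).
  _iptables_add_rule nat POSTROUTING -s "${IPv4_NET}" ! -d "${IPv4_NET}" \
    -j SNAT --to-source "${IPv4_PUBLIC}"
  _iptables_add_rule filter INPUT -p udp --dport 500 -j ACCEPT
  _iptables_add_rule filter INPUT -p udp --dport 4500 -j ACCEPT
}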
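# Command dispatch, one sub-command per invocation:
#   cert     - convert the Let's Encrypt files into /etc/ipsec.d and restart
#              strongSwan (re-run after every certificate renewal)
#   init     - install packages, obtain the certificate, write the config and
#              restart strongSwan. Note that init does not call certstuff, so
#              "cert" must be run afterwards before clients can connect.
#   iptables - add the NAT/firewall rules

# Print usage to stderr and exit 1 (the original printed it to stdout).
usage() {
  printf 'Need %s cert/init/iptables\n' "$0" >&2
  exit 1
}

case "${1:-}" in
  cert)
    certstuff
    systemctl restart strongswan
    ;;
  init)
    initstuff
    confstuff
    systemctl restart strongswan
    ;;
  iptables)
    iptablesstuff
    ;;
  *)
    usage
    ;;
esac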