touzi/vpnserver.sh

## vpnserver.sh
#!/usr/bin/env bash
echo 'deb http://shadowsocks.org/debian wheezy main' >> /etc/apt/sources.list
# Pre-requisites


sudo apt-get -y update
sudo apt-get -y install pptpd
sudo apt-get -y install fail2ban
sudo apt-get -y install shadowsocks-libev

cat >/etc/shadowsocks-libev/config.json <<END
{
    "server":"0.0.0.0",
    "server_port":8088,
    "local_address": "127.0.0.1",
    "local_port":1080,
    "password":"test",
    "timeout":300,
    "method":"aes-256-cfb",
    "fast_open": true
}
END

cat >/etc/sysctl.d/local.conf <<END
fs.file-max = 51200

net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.rmem_default = 65536
net.core.wmem_default = 65536
net.core.netdev_max_backlog = 4096
net.core.somaxconn = 4096

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1

# for high-latency network
net.ipv4.tcp_congestion_control = hybla

# for low-latency network, use cubic instead
# net.ipv4.tcp_congestion_control = cubic
END

sysctl --system


cat >/etc/ppp/options.pptpd <<END
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
END

cat >/etc/pptpd.conf <<END
option /etc/ppp/options.pptpd
logwtmp
localip 172.7.0.1
remoteip 172.7.0.10-100
END

cat >> /etc/sysctl.conf <<END
net.ipv4.ip_forward=1
END
sysctl -p

wget -O iptables.sh https://gist.githubusercontent.com/kevinzhow/984f55af8b6c901814b1/raw/5529f291da2410e6285d24f5203a5eb47fedbb0c/gistfile1.sh
sh iptables.sh

iptables-save > /etc/firewall.rules


cat >/etc/network/if-pre-up.d/firewall <<END
#!/bin/sh
/sbin/iptables-restore < /etc/firewall.rules
END

chmod +x /etc/network/if-pre-up.d/firewall

cat >/etc/ppp/chap-secrets <<END
test pptpd test *
END

service pptpd restart

#IPSec IKev1

sudo apt-get -y install strongswan strongswan-plugin-xauth-generic strongswan-plugin-eap-mschapv2

cat > /etc/ipsec.secrets <<END
: RSA serverKey.pem
: PSK "test"

test %any : EAP "test"
test %any : XAUTH "test"
END

cat > /etc/ipsec.conf <<END
config setup
    cachecrls=yes
    strictcrlpolicy=yes
    uniqueids=never

conn %default
    keyexchange=ikev1
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    #rightsubnet=10.7.0.0/24
    rightsourceip=10.7.0.0/24
    rightdns=8.8.8.8,8.8.4.4
    auto=add
    fragmentation=yes

conn iOS
    leftauth=pubkey
    rightauth2=xauth
    aggressive=yes
    rightauth=pubkey
    leftid=test

conn android
    aggressive=no
    leftauth=psk
    rightauth2=xauth
    rightauth=psk

conn xauth_psk
    leftid=test
    aggressive=yes
    leftauth=psk
    rightauth2=xauth
    rightauth=psk

conn ios_ikev2
    keyexchange=ikev2
    leftsendcert=always
    leftid=@*.domain.com
    leftcert=serverCert.pem
    rightauth=eap-mschapv2
    eap_identity=%any
    rightsendcert=never
    rightid="test"
    closeaction=clear
    #dpddelay = 1s
    auto=add

conn ios_ikev2_psk
    keyexchange=ikev2
    eap_identity = %any
    rightsendcert=never
    rightid="test"
    reauth=no
    #rekey=no
    closeaction=clear
    #dpddelay = 1s
    auto=add
    leftauth=psk
    #rightauth2=xauth
    rightauth = eap-mschapv2
    aggressive=yes
    #rightauth=psk

END

cat > /etc/strongswan.d/charon.conf <<END
charon {
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
    load_modular = yes
    duplicheck.enable = no
    crypto_test {

    }

    host_resolver {


    }

    leak_detective {


    }

    processor {


        priority_threads {

        }

    }

    tls {


    }

    x509 {


    }

}
END

service strongswan restart
	#!/usr/bin/env bash
	echo 'deb http://shadowsocks.org/debian wheezy main' >> /etc/apt/sources.list
	# Pre-requisites


	sudo apt-get -y update
	sudo apt-get -y install pptpd
	sudo apt-get -y install fail2ban
	sudo apt-get -y install shadowsocks-libev

	cat >/etc/shadowsocks-libev/config.json <<END
	{
	"server":"0.0.0.0",
	"server_port":8088,
	"local_address": "127.0.0.1",
	"local_port":1080,
	"password":"test",
	"timeout":300,
	"method":"aes-256-cfb",
	"fast_open": true
	}
	END

	cat >/etc/sysctl.d/local.conf <<END
	fs.file-max = 51200

	net.core.rmem_max = 67108864
	net.core.wmem_max = 67108864
	net.core.rmem_default = 65536
	net.core.wmem_default = 65536
	net.core.netdev_max_backlog = 4096
	net.core.somaxconn = 4096

	net.ipv4.tcp_syncookies = 1
	net.ipv4.tcp_tw_reuse = 1
	net.ipv4.tcp_tw_recycle = 0
	net.ipv4.tcp_fin_timeout = 30
	net.ipv4.tcp_keepalive_time = 1200
	net.ipv4.ip_local_port_range = 10000 65000
	net.ipv4.tcp_max_syn_backlog = 4096
	net.ipv4.tcp_max_tw_buckets = 5000
	net.ipv4.tcp_fastopen = 3
	net.ipv4.tcp_rmem = 4096 87380 67108864
	net.ipv4.tcp_wmem = 4096 65536 67108864
	net.ipv4.tcp_mtu_probing = 1

	# for high-latency network
	net.ipv4.tcp_congestion_control = hybla

	# for low-latency network, use cubic instead
	# net.ipv4.tcp_congestion_control = cubic
	END

	sysctl --system


	cat >/etc/ppp/options.pptpd <<END
	name pptpd
	refuse-pap
	refuse-chap
	refuse-mschap
	require-mschap-v2
	require-mppe-128
	ms-dns 8.8.8.8
	ms-dns 8.8.4.4
	proxyarp
	lock
	nobsdcomp
	novj
	novjccomp
	nologfd
	END

	cat >/etc/pptpd.conf <<END
	option /etc/ppp/options.pptpd
	logwtmp
	localip 172.7.0.1
	remoteip 172.7.0.10-100
	END

	cat >> /etc/sysctl.conf <<END
	net.ipv4.ip_forward=1
	END
	sysctl -p

	wget -O iptables.sh https://gist.githubusercontent.com/kevinzhow/984f55af8b6c901814b1/raw/5529f291da2410e6285d24f5203a5eb47fedbb0c/gistfile1.sh
	sh iptables.sh

	iptables-save > /etc/firewall.rules


	cat >/etc/network/if-pre-up.d/firewall <<END
	#!/bin/sh
	/sbin/iptables-restore < /etc/firewall.rules
	END

	chmod +x /etc/network/if-pre-up.d/firewall

	cat >/etc/ppp/chap-secrets <<END
	test pptpd test *
	END

	service pptpd restart

	#IPSec IKev1

	sudo apt-get -y install strongswan strongswan-plugin-xauth-generic strongswan-plugin-eap-mschapv2

	cat > /etc/ipsec.secrets <<END
	: RSA serverKey.pem
	: PSK "test"

	test %any : EAP "test"
	test %any : XAUTH "test"
	END

	cat > /etc/ipsec.conf <<END
	config setup
	cachecrls=yes
	strictcrlpolicy=yes
	uniqueids=never

	conn %default
	keyexchange=ikev1
	left=%defaultroute
	leftsubnet=0.0.0.0/0
	right=%any
	#rightsubnet=10.7.0.0/24
	rightsourceip=10.7.0.0/24
	rightdns=8.8.8.8,8.8.4.4
	auto=add
	fragmentation=yes

	conn iOS
	leftauth=pubkey
	rightauth2=xauth
	aggressive=yes
	rightauth=pubkey
	leftid=test

	conn android
	aggressive=no
	leftauth=psk
	rightauth2=xauth
	rightauth=psk

	conn xauth_psk
	leftid=test
	aggressive=yes
	leftauth=psk
	rightauth2=xauth
	rightauth=psk

	conn ios_ikev2
	keyexchange=ikev2
	leftsendcert=always
	leftid=@*.domain.com
	leftcert=serverCert.pem
	rightauth=eap-mschapv2
	eap_identity=%any
	rightsendcert=never
	rightid="test"
	closeaction=clear
	#dpddelay = 1s
	auto=add

	conn ios_ikev2_psk
	keyexchange=ikev2
	eap_identity = %any
	rightsendcert=never
	rightid="test"
	reauth=no
	#rekey=no
	closeaction=clear
	#dpddelay = 1s
	auto=add
	leftauth=psk
	#rightauth2=xauth
	rightauth = eap-mschapv2
	aggressive=yes
	#rightauth=psk

	END

	cat > /etc/strongswan.d/charon.conf <<END
	charon {
	i_dont_care_about_security_and_use_aggressive_mode_psk = yes
	load_modular = yes
	duplicheck.enable = no
	crypto_test {

	}

	host_resolver {


	}

	leak_detective {


	}

	processor {


	priority_threads {

	}

	}

	tls {



	}

	x509 {


	}

	}
	END

	service strongswan restart