Last active
February 15, 2023 12:20
-
-
Save vi/5628320 to your computer and use it in GitHub Desktop.
simplevpn: Simple IPsec and ipip[6] tunnel configuration for Linux using SSH for key exchange
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Setup encrypted IPv4 tunnel over IPv4 or IPv6 on two Linux nodes using SSH for tunnel setup. | |
| # Requires only ipsec-tools, iproute2, ssh and necessry kernel modules locally and remotely. | |
| # Warning: it flushes IPsec settings both locally and remotely. | |
| # Don't use with other IPsec tunnnels. | |
| # Sample usage: | |
| # simplevpn -6 fc::1 fc::2 ssh -T root@fc::2 | |
| # fc::1 is your IPv6 address | |
| # fc::2 is other peer's IPv6 address | |
| # after successful run it should create tunnel named "simplevpn" locally and remotely | |
| # and set up addresses 192.168.77.1 and 192.168.77.2 locally and remotely respectively | |
| # Note: tested only once in my configuration. This is not a serious production-ready VPN solution. | |
| # Implemented by Vitaly "_Vi" Shukela in 2013, License=MIT | |
| MODE="ipip" | |
| PROT="-4" | |
| if [ "$1" == "-6" ]; then | |
| shift; | |
| MODE=ipip6 | |
| PROT="-6" | |
| fi | |
| SRC="$1"; shift | |
| DST="$1"; shift | |
| if [ -z "$1" ]; then | |
| echo Usage: simplevpn [-6] source_ip destination_ip ssh_command_line | |
| exit 1; | |
| fi | |
| set -e | |
| KEY1=0x`dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64` | |
| KEY2=0x`dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64` | |
| true ${LOCALIP:="192.168.77.1"} | |
| true ${REMOTEIP:="192.168.77.2"} | |
| true ${DEVNAME:="simplevpn"} | |
| # 4 is encapsulated IPv4 both in IPv4 an IPv6 | |
| setkey -c << EOF | |
| flush; | |
| spdflush; | |
| spdadd $SRC $DST 4 -P out ipsec esp/transport//require ah/transport//require; | |
| spdadd $DST $SRC 4 -P in ipsec esp/transport//require ah/transport//require; | |
| add $SRC $DST esp 0x4444 -E rijndael-cbc $KEY1 ; | |
| add $DST $SRC esp 0x4444 -E rijndael-cbc $KEY1 ; | |
| add $SRC $DST ah 0x4445 -A hmac-sha256 $KEY2 ; | |
| add $DST $SRC ah 0x4445 -A hmac-sha256 $KEY2 ; | |
| EOF | |
| modprobe ip6_tunnel | |
| ip $PROT tunnel del $DEVNAME || true | |
| ip $PROT tunnel add $DEVNAME mode $MODE local $SRC remote $DST | |
| ip link set $DEVNAME up | |
| ip -4 addr add $LOCALIP/32 dev $DEVNAME | |
| ip -4 route add $REMOTEIP/32 dev $DEVNAME | |
| "$@" << EOF | |
| set -e | |
| # the same as above, but "in" and "out" swapped | |
| setkey -c << EOF2 | |
| flush; | |
| spdflush; | |
| spdadd $SRC $DST 4 -P in ipsec esp/transport//require ah/transport//require; | |
| spdadd $DST $SRC 4 -P out ipsec esp/transport//require ah/transport//require; | |
| add $SRC $DST esp 0x4444 -E rijndael-cbc $KEY1 ; | |
| add $DST $SRC esp 0x4444 -E rijndael-cbc $KEY1 ; | |
| add $SRC $DST ah 0x4445 -A hmac-sha256 $KEY2 ; | |
| add $DST $SRC ah 0x4445 -A hmac-sha256 $KEY2 ; | |
| EOF2 | |
| modprobe ip6_tunnel | |
| ip $PROT tunnel del $DEVNAME || true | |
| ip $PROT tunnel add $DEVNAME mode $MODE remote $SRC local $DST | |
| ip link set $DEVNAME up | |
| ip -4 addr add $REMOTEIP/32 dev $DEVNAME | |
| ip -4 route add $LOCALIP/32 dev $DEVNAME | |
| EOF |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment