Libreswan VPN setup script.
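#!/bin/bash
#
# Libreswan L2TP/IPsec (PSK) VPN gateway setup for an EC2-style host.
#
# Required environment:
#   IPSEC_PSK       pre-shared key written to /etc/ipsec.d/vpnpsk.secrets
#   VPN_NETWORK     VPN client pool in CIDR form; excluded from virtual_private
#                   and SNATed on the way out
#   VPN_DHCP_RANGE  xl2tpd "ip range" handed to clients
#   VPN_LOCAL_IP    xl2tpd "local ip" (server side of the ppp link)
#   RS_ATTACH_DIR   directory holding the vpn_users chap-secrets file
#
# Writes: /etc/ipsec.conf, /etc/ipsec.d/vpnpsk.conf, /etc/ipsec.d/vpnpsk.secrets,
#         /etc/xl2tpd/xl2tpd.conf, /etc/ppp/options.xl2tpd, /etc/ppp/chap-secrets,
#         /etc/sysctl.conf, /etc/sysconfig/iptables, /etc/rc.local
# Must run as root. Options live in `set` rather than the shebang so they
# survive being run as `bash script.sh`.

set -euo pipefail

# Fail early on missing inputs. These checks run BEFORE xtrace is enabled so
# the expanded PSK is never echoed into the trace output or a build log.
: "${IPSEC_PSK:?IPSEC_PSK must be set}"
: "${VPN_NETWORK:?VPN_NETWORK must be set (CIDR)}"
: "${VPN_DHCP_RANGE:?VPN_DHCP_RANGE must be set}"
: "${VPN_LOCAL_IP:?VPN_LOCAL_IP must be set}"
: "${RS_ATTACH_DIR:?RS_ATTACH_DIR must be set}"
[[ -r "${RS_ATTACH_DIR}/vpn_users" ]] || {
  printf 'missing or unreadable %s/vpn_users\n' "$RS_ATTACH_DIR" >&2
  exit 1
}

# Trace from here on (the original ran with -x).
set -x

# Instance addresses from the EC2 metadata service (IMDSv1; an IMDSv2-only
# instance needs a session token). -f turns an HTTP error into a non-zero
# exit, so a failed lookup aborts under set -e instead of writing an error
# body into ipsec.conf.
PRIVATE_IP=$(curl -sSf --max-time 5 http://169.254.169.254/latest/meta-data/local-ipv4)
PUBLIC_IP=$(curl -sSf --max-time 5 http://169.254.169.254/latest/meta-data/public-ipv4)
# First nameserver only: ppp's ms-dns takes one address per line, and the
# original grep|awk emitted one line per nameserver, which corrupted the
# options.xl2tpd heredoc whenever resolv.conf listed more than one.
VPN_DNSHOST=$(awk '/^nameserver/ { print $2; exit }' /etc/resolv.conf)
[[ -n "$PRIVATE_IP" && -n "$PUBLIC_IP" && -n "$VPN_DNSHOST" ]] || {
  printf 'could not determine PRIVATE_IP / PUBLIC_IP / VPN_DNSHOST\n' >&2
  exit 1
}

yum install -y libreswan ppp xl2tpd

# ---- IPsec ------------------------------------------------------------------
# virtual_private lists the private/CGN ranges clients may sit behind (NAT-T).
# The VPN pool itself is excluded with "%v4:!" so it is never treated as a
# remote virtual address; the original wrote "%4:!", which is not valid
# virtual_private syntax, so the exclusion silently did not apply.
cat > /etc/ipsec.conf <<EOF
config setup
protostack=netkey
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10,%v4:!${VPN_NETWORK}
include /etc/ipsec.d/*.conf
EOF

# L2TP over IPsec in transport mode with PSK auth, UDP/1701 only.
# 3des-sha1 and pfs=no are kept solely for legacy L2TP clients; 3DES is weak
# and should be dropped from ike/phase2alg once no such clients remain.
cat > /etc/ipsec.d/vpnpsk.conf <<EOF
conn vpnpsk
connaddrfamily=ipv4
auto=add
left=${PRIVATE_IP}
leftid=${PUBLIC_IP}
leftsubnet=${PRIVATE_IP}/32
leftnexthop=%defaultroute
leftprotoport=17/1701
rightprotoport=17/%any
right=%any
rightsubnetwithin=0.0.0.0/0
forceencaps=yes
authby=secret
pfs=no
type=transport
auth=esp
ike=3des-sha1,aes-sha1
phase2alg=3des-sha1,aes-sha1
rekey=no
keyingtries=5
dpddelay=30
dpdtimeout=120
dpdaction=clear
EOF

# Pre-shared key. Written under umask 077 so a newly created file is never
# readable by other users between the write and the chmod (the original
# created it with the default umask and only then tightened it). The chmod
# still covers the case where the file already existed with a looser mode.
(
  umask 077
  cat > /etc/ipsec.d/vpnpsk.secrets <<EOF
${PUBLIC_IP} %any : PSK "${IPSEC_PSK}"
EOF
)
chmod 600 /etc/ipsec.d/vpnpsk.secrets

# ---- xl2tpd / ppp -----------------------------------------------------------
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global]
port = 1701
[lns default]
ip range = ${VPN_DHCP_RANGE}
local ip = ${VPN_LOCAL_IP}
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF

# ms-dns pushes the host's first resolver to clients; nodefaultroute keeps the
# server's own routing table untouched when a ppp link comes up.
cat > /etc/ppp/options.xl2tpd <<EOF
ipcp-accept-local
ipcp-accept-remote
ms-dns ${VPN_DNSHOST}
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
logfile /var/log/ppp.log
EOF

# PPP user accounts. install applies the 0600 mode as part of the copy, so the
# credential file is not exposed under the default umask before a later chmod.
install -m 600 -- "${RS_ATTACH_DIR}/vpn_users" /etc/ppp/chap-secrets

# ---- kernel -----------------------------------------------------------------
# ip_forward is required to route client traffic; rp_filter is disabled so
# replies to VPN clients are not dropped by reverse-path checks on the
# ppp/eth pair. No expansions are needed here, hence the quoted delimiter.
cat > /etc/sysctl.conf <<'EOF'
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
kernel.printk = 8 4 1 7
kernel.printk_ratelimit_burst = 10
kernel.printk_ratelimit = 5
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
kernel.randomize_va_space = 1
net.core.wmem_max=12582912
net.core.rmem_max=12582912
net.ipv4.tcp_rmem= 10240 87380 12582912
net.ipv4.tcp_wmem= 10240 87380 12582912
EOF

# ---- firewall ---------------------------------------------------------------
# Inbound: IKE/NAT-T (500/4500) open; L2TP (1701) accepted only when it arrives
# inside an IPsec policy, otherwise dropped; SSH (22) is open to any source and
# should be narrowed to a management range where possible. Forwarding is
# allowed only between ppp+ and eth+, and client traffic is SNATed to the
# instance's private address.
cat > /etc/sysconfig/iptables <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ICMPALL - [0:0]
:ZREJ - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type 255 -j ICMPALL
-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP
-A INPUT -j ZREJ
-A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth+ -j ACCEPT
-A FORWARD -j ZREJ
-A ICMPALL -p icmp --fragment -j DROP
-A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
-A ICMPALL -p icmp -j DROP
-A ZREJ -p tcp -j REJECT --reject-with tcp-reset
-A ZREJ -p udp -j REJECT --reject-with icmp-port-unreachable
-A ZREJ -j REJECT --reject-with icmp-proto-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${VPN_NETWORK} -o eth+ -j SNAT --to-source ${PRIVATE_IP}
COMMIT
EOF

# ---- boot-time restart ------------------------------------------------------
# Literal content (quoted delimiter): nothing here needs shell expansion.
cat > /etc/rc.local <<'EOF'
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
/sbin/service ipsec restart
/sbin/service xl2tpd restart
echo 1 > /proc/sys/net/ipv4/ip_forward
exit 0
EOF

# ---- fire everything up -----------------------------------------------------
# Apply kernel settings
sysctl -p
# Load the firewall rules
service iptables restart
# Enable at boot and start now
chkconfig xl2tpd on
chkconfig ipsec on
service ipsec start
service xl2tpd start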