#!/bin/bash
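# --- Kernel and firewall setup -------------------------------------------
# Everything in this section needs CAP_NET_ADMIN (run the container with
# --cap-add NET_ADMIN or --privileged). Failures are reported on stderr but
# are not fatal, so the daemons still come up; without these settings the
# tunnel will not forward traffic, which is easier to diagnose with a log
# line than with a silent no-op.

# Loose reverse-path filtering (2): strict mode would drop decapsulated
# tunnel packets whose return route does not leave via the ingress interface.
sysctl -w net.ipv4.conf.all.rp_filter=2 || echo "WARNING: could not set rp_filter" >&2

# Source-NAT everything the container forwards so VPN clients can reach the
# outside. The rule is not limited to an outgoing interface (-o); tighten it
# if the container has more than one interface.
iptables --table nat --append POSTROUTING --jump MASQUERADE \
  || echo "WARNING: could not add MASQUERADE rule" >&2

# Open IKE (500), NAT-T (4500) and L2TP (1701) over UDP. -I puts each rule at
# the head of INPUT, so the final order is 1701, 500, 4500, all ahead of any
# pre-existing DROP rules. Note that 1701 is accepted from anywhere, not only
# from inside the IPsec tunnel; if xl2tpd is not itself configured to require
# IPsec, consider restricting that rule with `-m policy --dir in --pol ipsec`.
for port in 4500 500 1701; do
  iptables -I INPUT -p UDP --dport "$port" -j ACCEPT \
    || echo "WARNING: could not open udp/$port" >&2
done

# Act as a router between the tunnel and the outside.
echo 1 > /proc/sys/net/ipv4/ip_forward || echo "WARNING: could not enable ip_forward" >&2

# Neither accept nor emit ICMP redirects on any interface: a NAT router must
# not let peers rewrite its routes, nor hint clients at the real topology.
for conf in /proc/sys/net/ipv4/conf/*; do
  echo 0 > "$conf/accept_redirects"
  echo 0 > "$conf/send_redirects"
done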
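# --- Credentials ----------------------------------------------------------
# VPN_PASSWORD and VPN_PSK come from the environment. An empty value, or the
# placeholder "password", is treated as "not set" and replaced by a random
# secret so the image never starts with a guessable default.

# gen_secret: print 9 characters drawn from /dev/urandom, restricted to an
# unambiguous alphabet (no 0/O, 1/l/I). 57^9 is roughly 2^52 of entropy:
# adequate against online guessing, not a substitute for operator-chosen
# secrets on anything beyond a throwaway instance.
# Returns non-zero (printing nothing) if fewer than 9 characters could be
# produced, so the caller never ends up with an empty secret.
gen_secret() {
  local s
  s=$(LC_ALL=C tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 < /dev/urandom | head -c 9)
  [ "${#s}" -eq 9 ] || return 1
  printf '%s' "$s"
}

if [ "${VPN_PASSWORD:-}" = "password" ] || [ -z "${VPN_PASSWORD:-}" ]; then
  VPN_PASSWORD=$(gen_secret) || { echo "ERROR: could not generate a random password" >&2; exit 1; }
  # Printed on purpose: it is the only way the operator learns the value.
  # It therefore lands in `docker logs`; rotate it, or pass VPN_PASSWORD
  # explicitly, on anything that is not a test deployment.
  echo "No VPN_PASSWORD set! Generated a random password: $VPN_PASSWORD"
fi
if [ "${VPN_PSK:-}" = "password" ] || [ -z "${VPN_PSK:-}" ]; then
  VPN_PSK=$(gen_secret) || { echo "ERROR: could not generate a random PSK" >&2; exit 1; }
  echo "No VPN_PSK set! Generated a random PSK key: $VPN_PSK"
fi
# The PSK is shared by every client; the password is per account. Using one
# value for both means any client already holding the PSK also holds the
# account credential. Warning only, to stay compatible with existing setups.
if [ "$VPN_PASSWORD" = "$VPN_PSK" ]; then
  echo "It is not recommended to use the same secret as password and PSK key!" >&2
fi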
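# --- Secrets files --------------------------------------------------------
# Each file is created with mode 0600 rather than the umask default (0644):
# nothing else in the container, e.g. a compromised non-root service, should
# be able to read the PSK or the account password.
# Caveat: the values are placed between double quotes verbatim. A secret that
# itself contains a double quote or backslash may be mis-parsed by pppd or
# strongSwan (their escaping rules differ and are not handled here).
if [ -z "${VPN_USER:-}" ]; then
  echo "WARNING: VPN_USER is not set; the generated secrets files will not contain a usable account" >&2
fi

# write_secret FILE: write stdin to FILE with mode 0600. The file is
# truncated and chmod'ed first because `cat >` keeps the mode of a file that
# already exists (e.g. one baked into the image). The umask change is
# confined to the subshell. Exits the script if the file cannot be written:
# starting the daemons with stale or missing secrets is worse than stopping.
write_secret() {
  ( umask 077 && : > "$1" && chmod 600 "$1" && cat > "$1" ) || {
    echo "ERROR: could not write $1" >&2
    exit 1
  }
}

write_secret /etc/ppp/chap-secrets <<EOF
# Secrets for authentication using CHAP
# client server secret IP addresses
$VPN_USER * "$VPN_PASSWORD" *
EOF
write_secret /etc/ppp/l2tp-secrets <<EOF
# This file holds secrets for L2TP authentication.
# Username Server Secret Hosts
"$VPN_USER" "*" "$VPN_PASSWORD" "*"
EOF
# The bare ": PSK" line has no peer selector, so every client shares one PSK;
# the EAP and XAUTH lines reuse the account password for the IKEv2 and
# IKEv1-XAuth client types respectively.
write_secret /etc/ipsec.secrets <<EOF
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
: PSK "$VPN_PSK"
$VPN_USER : EAP "$VPN_PASSWORD"
$VPN_USER : XAUTH "$VPN_PASSWORD"
EOF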
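# --- Operator overrides ---------------------------------------------------
# Files dropped into /etc/ipsec.d (typically a mounted volume) replace the
# generated defaults. Secrets files are forced to 0600 after the copy: cp
# keeps the destination's existing mode, or uses the source's mode when the
# destination is new, and a bind-mounted source is frequently world-readable.

# install_override SRC DST [secret]
#   Copies SRC over DST if SRC exists; with the literal third argument
#   "secret" the result is also chmod'ed to 0600. A failed copy is fatal:
#   silently running with the generated defaults instead of the operator's
#   configuration (e.g. a stricter ipsec.conf) is not acceptable.
install_override() {
  [ -f "$1" ] || return 0
  echo "Overwriting standard $2 with $1"
  cp -f -- "$1" "$2" || { echo "ERROR: could not copy $1 to $2" >&2; exit 1; }
  if [ "${3:-}" = "secret" ]; then
    chmod 600 -- "$2" || { echo "ERROR: could not set mode on $2" >&2; exit 1; }
  fi
}

install_override /etc/ipsec.d/chap-secrets    /etc/ppp/chap-secrets    secret
install_override /etc/ipsec.d/l2tp-secrets    /etc/ppp/l2tp-secrets    secret
install_override /etc/ipsec.d/ipsec.secrets   /etc/ipsec.secrets       secret
install_override /etc/ipsec.d/ipsec.conf      /etc/ipsec.conf
install_override /etc/ipsec.d/strongswan.conf /etc/strongswan.conf
install_override /etc/ipsec.d/xl2tpd.conf     /etc/xl2tpd/xl2tpd.conf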
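# --- DNS ------------------------------------------------------------------
# VPN_DNS replaces the default 8.8.8.8 (and drops the 8.8.4.4 fallback) in
# both the pppd options and strongswan.conf. The value is spliced into sed
# replacement strings, so it is restricted to IP-address characters first:
# a "/" or "&" would otherwise corrupt both files without any error.
# The edits only take effect if the files still contain the default strings;
# an operator-supplied strongswan.conf or options.xl2tpd that does not is
# left untouched.
if [ -n "${VPN_DNS:-}" ]; then
  case "$VPN_DNS" in
    *[!0-9A-Fa-f.:]*)
      echo "ERROR: VPN_DNS must be a single IP address, got: $VPN_DNS" >&2
      exit 1
      ;;
  esac
  sed -i "s/ms-dns 8.8.8.8/ms-dns $VPN_DNS/g" /etc/ppp/options.xl2tpd
  sed -i "/ms-dns 8.8.4.4/d" /etc/ppp/options.xl2tpd
  sed -i "s/dns = 8.8.8.8, 8.8.4.4/dns = $VPN_DNS/g" /etc/strongswan.conf
fi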
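# --- Client address pool --------------------------------------------------
# VPN_IP_RANGE names a /24 as "A.B.C.x": .1 becomes the server-side address,
# .2-.254 the pool handed to L2TP clients. Only the xl2tpd pool is changed
# here; whatever pool strongSwan itself uses is configured in ipsec.conf.
# The shape is validated explicitly: the previous ".x" substring test and
# "s|.x|.1|g" substitution treated "." as any character and replaced every
# match, so values like "10.0.x" produced a broken address without warning.
if [ -n "${VPN_IP_RANGE:-}" ]; then
  if [[ "$VPN_IP_RANGE" =~ ^([0-9]{1,3}\.){3}x$ ]]; then
    prefix=${VPN_IP_RANGE%.x}
    local_ip="$prefix.1"
    start_ip="$prefix.2"
    finish_ip="$prefix.254"
    sed -i "s/ip range = 10.1.0.2-10.1.0.254/ip range = $start_ip-$finish_ip/g" /etc/xl2tpd/xl2tpd.conf
    sed -i "s/local ip = 10.1.0.1/local ip = $local_ip/g" /etc/xl2tpd/xl2tpd.conf
  else
    # Non-fatal: a malformed value is reported and the defaults baked into
    # xl2tpd.conf (10.1.0.x) stay in effect.
    echo "WARNING: VPN_IP_RANGE must look like 192.168.1.x; ignoring '$VPN_IP_RANGE'" >&2
  fi
fi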
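# Runtime directory for xl2tpd (presumably its control file; /var/run is
# normally a tmpfs, so it has to be recreated on every start). Previously a
# failure here was ignored and only surfaced as xl2tpd crash-looping under
# supervisord; abort instead so the cause is visible in the container log.
mkdir -p -- /var/run/xl2tpd || { echo "ERROR: could not create /var/run/xl2tpd" >&2; exit 1; }

# Replace this shell with supervisord (the service definitions live in
# /supervisord.conf, not shown here) so it becomes PID 1 and receives the
# container's signals directly.
exec /usr/bin/supervisord -c /supervisord.conf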