CentOS一键安装IPSEC/IKEV2 VPN服务器


CentOS一键安装IPSEC/IKEV2 VPN服务器(转)

用法很简单:
总结成一句话就是:除了类型要选对以外,其他的一路回车就好了23333

具体如下:
1.下载脚本:

wget https://raw.githubusercontent.com/quericy/one-key-ikev2-vpn/master/one-key-ikev2.sh

2.运行(如果有需要使用自己已有的根证书,请将私钥命名为ca.cert,将根证书命名为ca.cert.pem,放到脚本的相同目录下再运行该脚本,没有证书的话将自动生成自签名证书咯):

chmod +x one-key-ikev2.sh
bash one-key-ikev2.sh

3.等待自动配置部分内容后,选择vps类型(OpenVZ还是Xen、KVM),选错将无法成功连接,请务必核实服务器的类型。输入服务器ip或者绑定的域名(连接vpn时服务器地址将需要与此保持一致),以及证书的相关信息(C,O,CN),使用自己的根证书的话,C,O,CN的值需要与根证书一致,为空将使用默认值(default value),确认无误后按任意键继续

4.输入两次pkcs12证书的密码(可以为空)

5.看到install success字样即表示安装成功。默认用户名密码将以黄字显示,可根据提示自行修改文件中的用户名密码。(WindowsPhone8.1的用户请将用户名myUserName修改为%any ,否则可能会由于域的问题无法连接,具体参见这篇文章中的说明)

6.将提示信息中的证书文件ca.cert.pem拷贝到客户端,修改后缀名为.cer后导入。ios设备使用Ikev1无需导入证书,而是需要在连接时输入共享密钥,共享密钥即是提示信息中的黄字PSK.

PS:

服务器重启后默认ipsec不会自启动,请自行添加,或使用命令手动开启:

ipsec start

连上服务器后无法链接外网:

vim /etc/sysctl.conf

修改net.ipv4.ip_forward=1后保存并关闭文件 然后使用以下指令刷新sysctl:

sysctl -p

如遇报错信息,请重新打开/etc/sysctl.conf并将报错的那些行用#号注释,保存后再刷新sysctl直至不会报错为止。

PS2:

脚本代码可访问github查看和下载:
GitHub

如需Debian系统的IKEV2一键安装脚本,可参考magic282童鞋的一键脚本:
https://github.com/magic282/One-Key-L2TP-IKEV2-Setup

 

另附:

bash脚本源码(点击展开)

#! /bin/bash
# Prepend the usual system and user binary directories so that ipsec, iptables
# and the build tools resolve regardless of the caller's environment.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
#===============================================================================================
#   System Required:  CentOS6.x (32bit/64bit) or Ubuntu
#   Description:  Install IKEV2 VPN for CentOS and Ubuntu
#   Author: quericy
#   Intro:  http://quericy.me/blog/699
#===============================================================================================

# Clear the terminal and print the banner.  The here-document emits exactly the
# lines the original printed with one echo each (including the trailing blank).
clear
cat <<'BANNER'
#############################################################
# Install IKEV2 VPN for CentOS6.x (32bit/64bit) or Ubuntu
# Intro: http://quericy.me/blog/699
#
# Author:quericy
#
#############################################################

BANNER
20
21 # Install IKEV2
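# Install IKEV2
# Top-level driver: runs the installation steps in order.  Every step is a
# function defined later in this file; all of them must run as root and share
# the globals IP, system_str, os, os_str, vps_ip, my_cert_c/o/cn and cur_dir.
# Exits 1 if strongSwan fails to start instead of reporting success.
function install_ikev2(){
    rootness
    disable_selinux
    get_my_ip
    get_system
    yum_install
    pre_install
    download_files
    setup_strongswan
    get_key
    configure_ipsec
    configure_strongswan
    configure_secrets
    iptables_set
    # Bug fix: the exit status of `ipsec start` was ignored, so the banner
    # claimed success even when the daemon never came up.
    if ! ipsec start; then
        echo "Error: ipsec failed to start, check the strongSwan log." 1>&2
        exit 1
    fi
    success_info
}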
39
40 # Make sure only root can run our script
# Make sure only root can run our script
# Returns 0 when the effective UID is 0; otherwise prints an error on stderr
# and exits the whole script with status 1.
function rootness(){
    (( EUID == 0 )) && return 0
    echo "Error:This script must be run as root!" 1>&2
    exit 1
}
47
48 # Disable selinux
# Disable selinux
# If /etc/selinux/config exists and is set to enforcing, rewrite it to
# "disabled" (persistent) and drop the running kernel to permissive.
# NOTE(review): this switches SELinux off for the whole host, not just for
# strongSwan; a hardened deployment would keep enforcing and add a policy for
# charon instead.  Behaviour is kept as in the original installer.
function disable_selinux(){
    local cfg=/etc/selinux/config
    # grep is intentionally not -q: the original echoed the matching line.
    if [[ -s "$cfg" ]] && grep 'SELINUX=enforcing' "$cfg"; then
        sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' "$cfg"
        setenforce 0
    fi
}
55
56 # Get IP address of the server
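# Get IP address of the server
# Sets the global IP from an external "what is my IP" service and falls back to
# a second service when the first returns nothing.  If both fail IP stays
# empty, which pre_install then shows as the (empty) default.
# Fixes: `[ -z $IP ]` was unquoted (an empty IP collapsed to `[ -z ]`), and curl
# had no timeout, so an unreachable service hung the installer indefinitely.
# NOTE(review): both lookups are plain HTTP to third parties; the value is only
# a default that the operator confirms interactively in pre_install.
function get_my_ip(){
    echo "Preparing, Please wait a moment..."
    IP=$(curl -s --max-time 10 checkip.dyndns.com | cut -d' ' -f 6 | cut -d'<' -f 1)
    if [[ -z "$IP" ]]; then
        IP=$(curl -s --max-time 10 ifconfig.me/ip)
    fi
}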
64
65
66 # Ubuntu or CentOS
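# Ubuntu or CentOS
# Sets the global system_str to "0" for CentOS or "1" for Ubuntu and exits 1
# for anything else.
# Arguments: $1 - optional release file to inspect (default /etc/issue).
# When no override is given and /etc/os-release is readable it is consulted as
# well, because newer releases ship an /etc/issue that names no distribution.
# The original read /etc/issue only and word-split the unquoted `cat` output.
function get_system(){
    local issue_file=${1:-/etc/issue}
    local release_text=""
    if [[ -r "$issue_file" ]]; then
        release_text=$(cat -- "$issue_file")
    fi
    if [[ -z "$1" && -r /etc/os-release ]]; then
        release_text+=$'\n'$(cat /etc/os-release)
    fi
    # CentOS is tested first, as in the original grep chain.
    case "$release_text" in
        *CentOS*) system_str="0" ;;
        *Ubuntu*) system_str="1" ;;
        *)
            echo "This Script must be running at the CentOS or Ubuntu!"
            exit 1
            ;;
    esac
}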
85
86 # Pre-installation settings
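# Pre-installation settings
# Interactively collects the install parameters and stores them in globals
# read by the later steps:
#   os         "1" for Xen/KVM, "2" for OpenVZ (selects kernel IPsec vs.
#              libipsec and the WAN interface name)
#   os_str     human-readable form of os
#   vps_ip     address or domain clients will connect to (default: $IP)
#   my_cert_c / my_cert_o / my_cert_cn   certificate subject fields; the "com"
#              default for C is not an ISO country code but is the documented
#              default and is kept
#   cur_dir    directory the script was started from (used for my_key/ and the
#              strongswan source tree)
# Exits 1 on an invalid VPS type; waits for a key press before returning.
# Fixes: the key press was stored in an unused variable, `cd $cur_dir` was a
# no-op, several expansions were unquoted, and a prompt misspelled "value".
function pre_install(){
    echo "#############################################################"
    echo "# Install IKEV2 VPN for CentOS6.x (32bit/64bit) or Ubuntu"
    echo "# Intro: http://quericy.me/blog/699"
    echo "#"
    echo "# Author:quericy"
    echo "#"
    echo "#############################################################"
    echo ""
    echo "please choose the type of your VPS(Xen、KVM: 1 , OpenVZ: 2):"
    read -p "your choice(1 or 2):" os_choice
    case "$os_choice" in
        1)
            os="1"
            os_str="Xen、KVM"
            ;;
        2)
            os="2"
            os_str="OpenVZ"
            ;;
        *)
            echo "wrong choice!"
            exit 1
            ;;
    esac
    echo "please input the ip (or domain) of your VPS:"
    read -p "ip or domain(default value:${IP}):" vps_ip
    vps_ip=${vps_ip:-$IP}
    echo "please input the cert country(C):"
    read -p "C(default value:com):" my_cert_c
    my_cert_c=${my_cert_c:-com}
    echo "please input the cert organization(O):"
    read -p "O(default value:myvpn):" my_cert_o
    my_cert_o=${my_cert_o:-myvpn}
    echo "please input the cert common name(CN):"
    read -p "CN(default value:VPN CA):" my_cert_cn
    my_cert_cn=${my_cert_cn:-VPN CA}
    echo "####################################"
    # Read one key press from the controlling terminal without echoing it,
    # restoring the saved tty settings afterwards.
    get_char(){
        local saved_stty
        saved_stty=$(stty -g)
        stty -echo
        stty cbreak
        dd if=/dev/tty bs=1 count=1 2> /dev/null
        stty -raw
        stty echo
        stty "$saved_stty"
    }
    echo "Please confirm the information:"
    echo ""
    echo -e "the type of your server: [\033[32;1m$os_str\033[0m]"
    echo -e "the ip(or domain) of your server: [\033[32;1m$vps_ip\033[0m]"
    echo -e "the cert_info:[\033[32;1mC=${my_cert_c}, O=${my_cert_o}, CN=${my_cert_cn}\033[0m]"
    echo ""
    echo "Press any key to start...or Press Ctrl+C to cancel"
    get_char >/dev/null
    # Remember the starting directory; download_files, get_key and
    # success_info all refer back to it.
    cur_dir=$(pwd)
}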
152
153 #install necessary lib
#install necessary lib
# Installs the build prerequisites for strongSwan.  system_str "0" selects
# yum (CentOS); any other value selects apt-get (Ubuntu).  Note that the
# CentOS branch runs a full `yum -y update` first, upgrading every installed
# package, which is the original behaviour and can take a while.
function yum_install(){
    case "$system_str" in
        0)
            yum -y update
            yum -y install pam-devel openssl-devel make gcc
            ;;
        *)
            apt-get -y update
            apt-get -y install libpam0g-dev libssl-dev make gcc
            ;;
    esac
}
163
164 # Download strongswan
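# Download strongswan
# Fetches strongswan.tar.gz into the current directory unless it is already
# present, unpacks it and changes into the extracted source tree.  Exits 1 on
# download, extraction or cd failure.  Depends on the global cur_dir.
# Fixes: the extraction result was checked via $? after the fact, and the glob
# `cd $cur_dir/strongswan-*/` was unquoted with its failure ignored.
# NOTE(review): the tarball is fetched over plain HTTP and is never checked
# against the upstream signature or a pinned checksum, yet it is compiled and
# installed as root; verify it (the project publishes a .sig next to the
# archive) before trusting the result.
function download_files(){
    if [[ -f strongswan.tar.gz ]]; then
        echo -e "strongswan.tar.gz [\033[32;1mfound\033[0m]"
    elif ! wget http://download.strongswan.org/strongswan.tar.gz; then
        echo "Failed to download strongswan.tar.gz"
        exit 1
    fi
    if ! tar xzf strongswan.tar.gz; then
        echo ""
        echo "Unzip strongswan.tar.gz failed! Please visit http://quericy.me/blog/699 and contact."
        exit 1
    fi
    # The archive unpacks into one versioned directory; take the first match
    # and fail loudly rather than building in the wrong place.
    local src_dir
    for src_dir in "$cur_dir"/strongswan-*/; do break; done
    if ! cd "$src_dir" 2>/dev/null; then
        echo "Could not find the extracted strongswan source directory" 1>&2
        exit 1
    fi
}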
183
184 # configure and install strongswan
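# configure and install strongswan
# Runs ./configure, make and make install in the extracted source tree
# (download_files has already cd'ed there).  When os is not "1" (OpenVZ),
# --enable-kernel-libipsec is added because such containers have no kernel
# IPsec stack.  Exits 1 if configure, make or make install fails.
# Fixes: `make; make install` ran the install even after a failed build, and
# --enable-openssl was listed twice in both option sets.
function setup_strongswan(){
    local -a configure_opts=(
        --enable-eap-identity --enable-eap-md5
        --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap
        --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap
        --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity
        --enable-certexpire --enable-radattr --enable-tools --disable-gmp
    )
    if [[ "$os" != "1" ]]; then
        configure_opts+=(--enable-kernel-libipsec)
    fi
    if ! ./configure "${configure_opts[@]}"; then
        echo "strongswan ./configure failed" 1>&2
        exit 1
    fi
    if ! make || ! make install; then
        echo "strongswan build/install failed" 1>&2
        exit 1
    fi
}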
203
204 # configure cert and key
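# configure cert and key
# Creates (or reuses) the CA key pair, issues a server and a client certificate
# signed by it, exports the client identity as PKCS#12 and copies everything
# into /usr/local/etc/ipsec.d/.  Inputs are the globals cur_dir, vps_ip,
# my_cert_c, my_cert_o and my_cert_cn.  Exits 1 if a cd fails.
# Files: ca.pem / ca.cert.pem next to the script are reused when present,
# otherwise a self-signed CA is generated; both are moved into
# $cur_dir/my_key/, where server.pem, server.cert.pem, client.pem,
# client.cert.pem and client.cert.p12 are then created.
# Fixes: unchecked `cd`, `cp -r` on regular files, an unused duplicate
# get_char definition and unquoted paths.
# NOTE(review): my_key/ keeps the CA private key and the client private key in
# the working directory; restrict or remove it once the certificates have been
# distributed.
function get_key(){
    cd "$cur_dir" || { echo "cannot cd to ${cur_dir}" 1>&2; exit 1; }
    if [[ -f ca.pem ]]; then
        echo -e "ca.pem [\033[32;1mfound\033[0m]"
    else
        echo -e "ca.pem [\033[33;1mnot found\033[0m]"
        echo "auto create ca.pem ..."
        ipsec pki --gen --outform pem > ca.pem
    fi

    if [[ -f ca.cert.pem ]]; then
        echo -e "ca.cert.pem [\033[32;1mfound\033[0m]"
    else
        echo -e "ca.cert.pem [\033[33;1mnot found\033[0m]"
        echo "auto create ca.cert.pem ..."
        ipsec pki --self --in ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${my_cert_cn}" --ca --outform pem >ca.cert.pem
    fi
    mkdir -p my_key
    mv ca.pem my_key/ca.pem
    mv ca.cert.pem my_key/ca.cert.pem
    cd my_key || { echo "cannot cd to ${cur_dir}/my_key" 1>&2; exit 1; }
    ipsec pki --gen --outform pem > server.pem
    # The server certificate carries vps_ip as both CN and SAN so clients can
    # match it against the address they connect to.
    ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem \
        --cakey ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${vps_ip}" \
        --san="${vps_ip}" --flag serverAuth --flag ikeIntermediate \
        --outform pem > server.cert.pem
    ipsec pki --gen --outform pem > client.pem
    ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem \
        --cakey ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=VPN Client" \
        --outform pem > client.cert.pem
    echo "configure the pkcs12 cert password(Can be empty):"
    # openssl prompts for the export password on the terminal.
    openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" \
        -certfile ca.cert.pem -caname "${my_cert_cn}" -out client.cert.p12
    echo "####################################"
    # The original printed this prompt without waiting for a key; kept so the
    # installer still runs through without a second key press.
    echo "Press any key to install ikev2 VPN cert"
    cp ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
    cp server.cert.pem /usr/local/etc/ipsec.d/certs/
    cp server.pem /usr/local/etc/ipsec.d/private/
    cp client.cert.pem /usr/local/etc/ipsec.d/certs/
    cp client.pem /usr/local/etc/ipsec.d/private/
}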
255
256 # configure the ipsec.conf
# configure the ipsec.conf
# Writes /usr/local/etc/ipsec.conf with four connection profiles, all of which
# use the server certificate issued by get_key and hand out client addresses
# from 10.31.2.0/24:
#   iOS_cert                   IKEv1, certificate + XAuth
#   android_xauth_psk          IKEv1, PSK + XAuth (PSK comes from ipsec.secrets)
#   networkmanager-strongswan  IKEv2, certificates both ways
#   windows7                   IKEv2, EAP-MSCHAPv2 with a pinned proposal
# NOTE(review): the windows7 profile pins `aes256-sha1-modp1024!`; SHA-1 and
# the 1024-bit MODP group are below current recommendations and are kept only
# for compatibility with old clients.  The file content is reproduced exactly.
function configure_ipsec(){
    cat <<'EOF' > /usr/local/etc/ipsec.conf
config setup
    uniqueids=never

conn iOS_cert
    keyexchange=ikev1
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightauth2=xauth
    rightsourceip=10.31.2.0/24
    rightcert=client.cert.pem
    auto=add

conn android_xauth_psk
    keyexchange=ikev1
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth
    rightsourceip=10.31.2.0/24
    auto=add

conn networkmanager-strongswan
    keyexchange=ikev2
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightsourceip=10.31.2.0/24
    rightcert=client.cert.pem
    auto=add

conn windows7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    eap_identity=%any
    auto=add

EOF
}
316
317 # configure the strongswan.conf
# configure the strongswan.conf
# Writes /usr/local/etc/strongswan.conf: modular plugin loading, duplicate
# check off, IPComp on, and Google's public resolvers pushed to clients as
# DNS/WINS servers.  The content is reproduced exactly, including the leading
# space before "charon".
function configure_strongswan(){
    cat <<'EOF' > /usr/local/etc/strongswan.conf
 charon {
        load_modular = yes
        duplicheck.enable = no
        compress = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        dns1 = 8.8.8.8
        dns2 = 8.8.4.4
        nbns1 = 8.8.8.8
        nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
EOF
}
335
336 # configure the ipsec.secrets
# configure the ipsec.secrets
# Writes /usr/local/etc/ipsec.secrets: the server RSA key reference plus the
# placeholder PSK, XAuth password and the EAP user "myUserName".
# NOTE(review): these are fixed, published defaults and protect the VPN only
# until the operator edits the file, which success_info tells them to do.
# The file holds secrets and should remain readable by root only.
function configure_secrets(){
    local secrets_file=/usr/local/etc/ipsec.secrets
    printf '%s\n' \
        ': RSA server.pem' \
        ': PSK "myPSKkey"' \
        ': XAUTH "myXAUTHPass"' \
        'myUserName %any : EAP "myUserPass"' > "$secrets_file"
}
345
346 # iptables set
# iptables set
# Enables IPv4 forwarding and appends the firewall and NAT rules for the VPN
# subnets, then persists them (CentOS: `service iptables save`; Ubuntu:
# iptables-save plus an if-up.d restore hook).  os="1" uses eth0, anything
# else venet0 (OpenVZ); system_str="0" selects the CentOS persistence path.
# NOTE(review): rules are appended on every run, so re-running the installer
# duplicates them.  tcp/500, udp/1701 and tcp/1723 are L2TP/PPTP ports that
# IKEv2 does not use; they are reproduced only for parity with the original.
# Order matters: the FORWARD -j REJECT is appended after the subnet accepts.
function iptables_set(){
    local wan_if subnet
    sysctl -w net.ipv4.ip_forward=1
    if [[ "$os" = "1" ]]; then
        wan_if=eth0
    else
        wan_if=venet0
    fi
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    for subnet in 10.31.0.0/24 10.31.1.0/24 10.31.2.0/24; do
        iptables -A FORWARD -s "$subnet" -j ACCEPT
    done
    iptables -A INPUT -i "$wan_if" -p esp -j ACCEPT
    iptables -A INPUT -i "$wan_if" -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -i "$wan_if" -p tcp --dport 500 -j ACCEPT
    iptables -A INPUT -i "$wan_if" -p udp --dport 4500 -j ACCEPT
    iptables -A INPUT -i "$wan_if" -p udp --dport 1701 -j ACCEPT
    iptables -A INPUT -i "$wan_if" -p tcp --dport 1723 -j ACCEPT
    iptables -A FORWARD -j REJECT
    for subnet in 10.31.0.0/24 10.31.1.0/24 10.31.2.0/24; do
        iptables -t nat -A POSTROUTING -s "$subnet" -o "$wan_if" -j MASQUERADE
    done
    if [[ "$system_str" = "0" ]]; then
        service iptables save
    else
        iptables-save > /etc/iptables.rules
        # Restore hook run by ifupdown whenever an interface comes up.
        printf '%s\n' '#!/bin/sh' 'iptables-restore < /etc/iptables.rules' \
            > /etc/network/if-up.d/iptables
        chmod +x /etc/network/if-up.d/iptables
    fi
}
391
392 # echo the success info
# echo the success info
# Prints the final banner: the default EAP user/password and PSK written by
# configure_secrets, the path of ipsec.secrets to change them in, and the
# CA certificate under $cur_dir/my_key/ that clients must import.  Colour
# escapes are the same ones the original passed through `echo -e`.
function success_info(){
    local green=$'\033[32;1m' yellow=$'\033[33;1m' reset=$'\033[0m'
    cat <<EOF
#############################################################
#
# [${green}Install Successful${reset}]
# There is the default login info of your VPN
# UserName:${yellow} myUserName${reset}
# PassWord:${yellow} myUserPass${reset}
# PSK:${yellow} myPSKkey${reset}
# you can change UserName and PassWord in${green} /usr/local/etc/ipsec.secrets${reset}
# you must copy the cert ${green} ${cur_dir}/my_key/ca.cert.pem ${reset} to the client and install it.
#
#############################################################

EOF
}
407
# Initialization step
# Entry point: the whole installation is driven by install_ikev2.
main(){
    install_ikev2
}
main

原创文章,转载请注明: 转载自quericy Eden*博客
