[
  {
    "path": "README.md",
    "content": "# Setup a Strongswan IPSec (& L2TP) Server\n\n> NOTE: This is probably securer than using https://github.com/philplckthun/setup-simple-ipsec-l2tp-vpn\n> Furthermore it supports both L2TP and regular IPSec connections\n\n## Installation\n\nThis script doesn't need a domain or specific public IP to work.\n\n```\ncurl -L -O https://raw.github.com/philplckthun/setup-strong-strongswan/master/setup.sh\nchmod +x setup.sh\nsudo ./setup.sh\n```\n\nThe script will lead you through the installation process. If you haven't run\nthis script before it will ask you to enter credentials for the VPN, namely:\n\n- a username\n- a password\n- a PSK (pre-shared key)\n\nFor upgrading Strongswan you can just run the script again. Remember to back up\nyour custom IPSec configuration files beforehand.\n\n## Usage\n\nThis installs the `vpn-assist` init.d script. Systemd is backwards compatible to these\nscripts and thus you can use it to `start|stop|restart` the VPN server, which\nshould also start itself automatically on startup.\n\nYou can manage accounts for your VPN via `/etc/ipsec.secrets` and `etc/ppp/chap-secrets`.\n[@zackdevine's account managing script automates this process](https://github.com/zackdevine/setup-strongswan-vpn-account)\n\n## Uninstallation\n\nDownload the Strongswan source and run:\n\n```\nmake uninstall\n```\n\nThen uninstall `xl2tpd` and remove `/etc/init.d/vpn-assist`. That should\nsuffice for a rather clean uninstallation.\n"
  },
  {
    "path": "setup.sh",
    "content": "#!/bin/bash\n#    Setup Strong strongSwan server for Ubuntu and Debian\n#\n#    Copyright (C) 2014-2015 Phil Plückthun <phil@plckthn.me>\n#    Based on Strongswan on Docker\n#    https://github.com/philplckthun/docker-strongswan\n#\n#    This work is licensed under the Creative Commons Attribution-ShareAlike 3.0\n#    Unported License: http://creativecommons.org/licenses/by-sa/3.0/\n\nif [ `id -u` -ne 0 ]\nthen\n  echo \"Please start this script with root privileges!\"\n  echo \"Try again with sudo.\"\n  exit 0\nfi\n\n#################################################################\n# Variables\n\n[ -z \"$STRONGSWAN_TMP\" ] && STRONGSWAN_TMP=\"/tmp/strongswan\"\n[ -z \"$STRONGSWAN_VERSION\" ] && STRONGSWAN_VERSION=\"5.5.1\"\n[ -z \"$KEYSIZE\" ] && KEYSIZE=16\n#STRONGSWAN_USER\n#STRONGSWAN_PASSWORD\n#STRONGSWAN_PSK\n\nif [ -z \"$INTERACTIVE\" ]; then\n  INTERACTIVE=1\nfi\n[[ $INTERACTIVE = \"true\" ]] && INTERACTIVE=1\n[[ $INTERACTIVE = \"false\" ]] && INTERACTIVE=0\n\n#################################################################\n# Functions\n\ncall () {\n  eval \"$@ > /dev/null 2>&1\"\n}\n\ncheckForError () {\n  if [ \"$?\" = \"1\" ]\n  then\n    bigEcho \"An unexpected error occured!\"\n    exit 1\n  fi\n}\n\ngenerateKey () {\n  KEY=`cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c $KEYSIZE`\n}\n\nbigEcho () {\n  echo \"\"\n  echo \"============================================================\"\n  echo \"$@\"\n  echo \"============================================================\"\n  echo \"\"\n}\n\npacapt () {\n  eval \"$STRONGSWAN_TMP/pacapt $@\"\n}\n\nbackupCredentials () {\n  if [ -f /etc/ipsec.secrets ]; then\n    cp /etc/ipsec.secrets /etc/ipsec.secrets.backup\n  fi\n\n  if [ -f /etc/ppp/l2tp-secrets ]; then\n    cp /etc/ppp/l2tp-secrets /etc/ppp/l2tp-secrets.backup\n  fi\n}\n\nwriteCredentials () {\n  bigEcho \"Saving credentials\"\n\n  cat > /etc/ipsec.secrets <<EOF\n# This file holds shared secrets or RSA private keys for authentication.\n# RSA private key for this host, authenticating it to any other host\n# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,\n# or configuration of other implementations, can be extracted conveniently\n# with \"ipsec showhostkey\".\n\n: PSK \"$STRONGSWAN_PSK\"\n\n$STRONGSWAN_USER : EAP \"$STRONGSWAN_PASSWORD\"\n$STRONGSWAN_USER : XAUTH \"$STRONGSWAN_PASSWORD\"\nEOF\n\n  cat > /etc/ppp/chap-secrets <<EOF\n# This file holds secrets for L2TP authentication.\n# Username  Server  Secret  Hosts\n\"$STRONGSWAN_USER\" \"*\" \"$STRONGSWAN_PASSWORD\" \"*\"\nEOF\n}\n\ngetCredentials () {\n  bigEcho \"Querying for credentials\"\n\n  if [ \"$STRONGSWAN_PSK\" = \"\" ]; then\n    echo \"The VPN needs a PSK (Pre-shared key).\"\n    echo \"Do you wish to set it yourself? [y|n]\"\n    echo \"(Otherwise a random one is generated)\"\n    while true; do\n      if [ $INTERACTIVE -eq 0 ]; then\n        echo \"Auto-Generating PSK...\"\n        yn=\"n\"\n      else\n        read -p \"\" yn\n      fi\n\n      case $yn in\n        [Yy]* ) echo \"\"; echo \"Enter your preferred key:\"; read -p \"\" STRONGSWAN_PSK; break;;\n        [Nn]* ) generateKey; STRONGSWAN_PSK=$KEY; break;;\n        * ) echo \"Please answer with Yes or No [y|n].\";;\n      esac\n    done\n\n    echo \"\"\n    echo \"The PSK is: '$STRONGSWAN_PSK'.\"\n    echo \"\"\n  fi\n\n  #################################################################\n\n  if [ \"$STRONGSWAN_USER\" = \"\" ]; then\n    if [ \"$INTERACTIVE\" = \"0\" ]; then\n      STRONGSWAN_USER=\"\"\n    else\n      read -p \"Please enter your preferred username [vpn]: \" STRONGSWAN_USER\n    fi\n\n    if [ \"$STRONGSWAN_USER\" = \"\" ]\n    then\n      STRONGSWAN_USER=\"vpn\"\n    fi\n  fi\n\n  #################################################################\n\n  if [ \"$STRONGSWAN_PASSWORD\" = \"\" ]; then\n    echo \"The VPN user '$STRONGSWAN_USER' needs a password.\"\n    echo \"Do you wish to set it yourself? [y|n]\"\n    echo \"(Otherwise a random one is generated)\"\n    while true; do\n      if [ \"$INTERACTIVE\" = \"0\" ]; then\n        echo \"Auto-Generating Password...\"\n        yn=\"n\"\n      else\n        read -p \"\" yn\n      fi\n\n      case $yn in\n        [Yy]* ) echo \"\"; echo \"Enter your preferred key:\"; read -p \"\" STRONGSWAN_PASSWORD; break;;\n        [Nn]* ) generateKey; STRONGSWAN_PASSWORD=$KEY; break;;\n        * ) echo \"Please answer with Yes or No [y|n].\";;\n      esac\n    done\n  fi\n}\n\n#################################################################\n\nif [ \"$INTERACTIVE\" = \"0\" ]; then\n  bigEcho \"Automating installation in non-interactive mode...\"\nelse\n  echo \"This script will install strongSwan on this machine.\"\n  echo -n \"Do you wish to continue? [y|n] \"\n\n  while true; do\n    read -p \"\" yn\n    case $yn in\n        [Yy]* ) break;;\n        [Nn]* ) exit 0;;\n        * ) echo \"Please answer with Yes or No [y|n].\";;\n    esac\n  done\nfi\n\n#################################################################\n\n# Checks if curl is installed\n\ncall which curl\nif [ \"$?\" = \"1\" ]; then\n  bigEcho \"This script requires curl to be installed, to work correctly.\"\n  exit 1\nfi\n\n#################################################################\n\n# Checks if an ipsec binary is already installed\n\ncall which ipsec\nif [ \"$?\" = \"0\" ]; then\n  echo \"An ipsec binary is already installed and present on this machine!\"\n  \n  if [ \"$INTERACTIVE\" = \"0\" ]; then\n    bigEcho \"Ignored this warning in non-interactive mode...\"\n  else\n    echo -n \"Do you wish to continue? [y|n] \"\n\n    while true; do\n      read -p \"\" yn\n      case $yn in\n          [Yy]* ) break;;\n          [Nn]* ) exit 0;;\n          * ) echo \"Please answer with Yes or No [y|n].\";;\n      esac\n    done\n  fi\nfi\n\n#################################################################\n\n# Clean up and create compilation environment\ncall rm -rf $STRONGSWAN_TMP\ncall mkdir -p $STRONGSWAN_TMP\n\ncurl -sSL \"https://github.com/icy/pacapt/raw/ng/pacapt\" > $STRONGSWAN_TMP/pacapt\nif [ \"$?\" = \"1\" ]; then\n  bigEcho \"An unexpected error occured while downloading pacapt!\"\n  exit 1\nfi\n\ncall chmod +x $STRONGSWAN_TMP/pacapt\n\necho \"\"\n\n#################################################################\n\nbigEcho \"Installing necessary dependencies\"\n\ncall pacapt -Sy --noconfirm\ncheckForError\n\ncall pacapt -S --noconfirm -- make g++ gcc iptables xl2tpd libssl-dev module-init-tools curl openssl-devel\ncheckForError\n\n#################################################################\n\nbigEcho \"Installing StrongSwan...\"\n\ncall mkdir -p $STRONGSWAN_TMP/src\ncurl -sSL \"https://download.strongswan.org/strongswan-$STRONGSWAN_VERSION.tar.gz\" | tar -zxC $STRONGSWAN_TMP/src --strip-components 1\ncheckForError\n\ncd $STRONGSWAN_TMP/src\n./configure --prefix=/usr --sysconfdir=/etc \\\n  --enable-eap-radius \\\n  --enable-eap-mschapv2 \\\n  --enable-eap-identity \\\n  --enable-eap-md5 \\\n  --enable-eap-mschapv2 \\\n  --enable-eap-tls \\\n  --enable-eap-ttls \\\n  --enable-eap-peap \\\n  --enable-eap-tnc \\\n  --enable-eap-dynamic \\\n  --enable-xauth-eap \\\n  --enable-openssl \\\n  --disable-gmp\ncheckForError\n\nmake\ncheckForError\n\nmake install\ncheckForError\n\n#################################################################\n\nbigEcho \"Preparing various configuration files...\"\n\ncat > /etc/ipsec.conf <<EOF\n# ipsec.conf - strongSwan IPsec configuration file\n\nconfig setup\n  uniqueids=no\n  charondebug=\"cfg 2, dmn 2, ike 2, net 0\"\n\nconn %default\n  dpdaction=clear\n  dpddelay=300s\n  rekey=no\n  left=%defaultroute\n  leftfirewall=yes\n  right=%any\n  ikelifetime=60m\n  keylife=20m\n  rekeymargin=3m\n  keyingtries=1\n  auto=add\n\n#######################################\n# L2TP Connections\n#######################################\n\nconn L2TP-IKEv1-PSK\n  type=transport\n  keyexchange=ikev1\n  authby=secret\n  leftprotoport=udp/l2tp\n  left=%any\n  right=%any\n  rekey=no\n  forceencaps=yes\n\n#######################################\n# Default non L2TP Connections\n#######################################\n\nconn Non-L2TP\n  leftsubnet=0.0.0.0/0\n  rightsubnet=10.0.0.0/24\n  rightsourceip=10.0.0.0/24\n\n#######################################\n# EAP Connections\n#######################################\n\n# This detects a supported EAP method\nconn IKEv2-EAP\n  also=Non-L2TP\n  keyexchange=ikev2\n  eap_identity=%any\n  rightauth=eap-dynamic\n\n#######################################\n# PSK Connections\n#######################################\n\nconn IKEv2-PSK\n  also=Non-L2TP\n  keyexchange=ikev2\n  authby=secret\n\n# Cisco IPSec\nconn IKEv1-PSK-XAuth\n  also=Non-L2TP\n  keyexchange=ikev1\n  leftauth=psk\n  rightauth=psk\n  rightauth2=xauth\n\nEOF\n\ncat > /etc/strongswan.conf <<EOF\n# /etc/strongswan.conf - strongSwan configuration file\n# strongswan.conf - strongSwan configuration file\n#\n# Refer to the strongswan.conf(5) manpage for details\n\ncharon {\n  load_modular = yes\n  send_vendor_id = yes\n  plugins {\n    include strongswan.d/charon/*.conf\n    attr {\n      dns = 8.8.8.8, 8.8.4.4\n    }\n  }\n}\n\ninclude strongswan.d/*.conf\nEOF\n\ncat > /etc/xl2tpd/xl2tpd.conf <<EOF\n[global]\nport = 1701\nauth file = /etc/ppp/chap-secrets\ndebug avp = yes\ndebug network = yes\ndebug state = yes\ndebug tunnel = yes\n[lns default]\nip range = 10.1.0.2-10.1.0.254\nlocal ip = 10.1.0.1\nrequire chap = yes\nrefuse pap = yes\nrequire authentication = no\nname = l2tpd\n;ppp debug = yes\npppoptfile = /etc/ppp/options.xl2tpd\nlength bit = yes\nEOF\n\ncat > /etc/ppp/options.xl2tpd <<EOF\nipcp-accept-local\nipcp-accept-remote\nms-dns 8.8.8.8\nms-dns 8.8.4.4\nnoccp\nauth\ncrtscts\nidle 1800\nmtu 1280\nmru 1280\nlock\nlcp-echo-failure 10\nlcp-echo-interval 60\nconnect-delay 5000\nEOF\n\n#################################################################\n\nif [[ -f /etc/ipsec.secrets ]] || [[ -f /etc/ppp/chap-secrets ]]; then\n  echo \"Do you wish to replace your old credentials? (Including a backup) [y|n]\"\n\n  while true; do\n    if [ \"$INTERACTIVE\" = \"0\" ]; then\n      echo \"Old credentials were found but to play safe, they will not be automatically replaced. Delete them manually if you want them replaced.\"\n      break\n    fi\n\n    read -p \"\" yn\n    case $yn in\n        [Yy]* ) backupCredentials; getCredentials; writeCredentials; break;;\n        [Nn]* ) break;;\n        * ) echo \"Please answer with Yes or No [y|n].\";;\n    esac\n  done\nelse\n  getCredentials\n  writeCredentials\nfi\n\n#################################################################\n\nbigEcho \"Applying changes...\"\n\niptables --table nat --append POSTROUTING --jump MASQUERADE\necho 1 > /proc/sys/net/ipv4/ip_forward\nfor each in /proc/sys/net/ipv4/conf/*\ndo\n  echo 0 > $each/accept_redirects\n  echo 0 > $each/send_redirects\ndone\n\n#################################################################\n\nbigEcho \"Create /etc/init.d/vpn-assist helper...\"\n\ncat > /etc/init.d/vpn-assist <<'EOF'\n#!/bin/sh\n### BEGIN INIT INFO\n# Provides:          vpn\n# Required-Start:    $network $local_fs\n# Required-Stop:     $network $local_fs\n# Default-Start:     2 3 4 5\n# Default-Stop:      0 1 6\n# Short-Description: Strongswan and L2TPD helper\n# Description:       Service that starts up XL2TPD and IPSEC\n### END INIT INFO\n\n# Author: Phil Plückthun <phil@plckthn.me>\n\ncase \"$1\" in\n  start)\n    iptables --table nat --append POSTROUTING --jump MASQUERADE\n    echo 1 > /proc/sys/net/ipv4/ip_forward\n    for each in /proc/sys/net/ipv4/conf/*\n    do\n      echo 0 > $each/accept_redirects\n      echo 0 > $each/send_redirects\n    done\n    /usr/sbin/xl2tpd -p /var/run/xl2tpd.pid -c /etc/xl2tpd/xl2tpd.conf -C /var/run/xl2tpd.control\n    ipsec start\n    ;;\n  stop)\n    iptables --table nat --flush\n    echo 0 > /proc/sys/net/ipv4/ip_forward\n    kill $(cat /var/run/xl2tpd.pid)\n    ipsec stop\n    ;;\n  restart)\n    echo \"Restarting IPSec and XL2TPD\"\n    iptables --table nat --append POSTROUTING --jump MASQUERADE\n    echo 1 > /proc/sys/net/ipv4/ip_forward\n    for each in /proc/sys/net/ipv4/conf/*\n    do\n      echo 0 > $each/accept_redirects\n      echo 0 > $each/send_redirects\n    done\n    kill $(cat /var/run/xl2tpd.pid)\n    /usr/sbin/xl2tpd -p /var/run/xl2tpd.pid -c /etc/xl2tpd/xl2tpd.conf -C /var/run/xl2tpd.control\n    ipsec restart\n    ;;\nesac\nexit 0\nEOF\n\nchmod +x /etc/init.d/vpn-assist\n\n#################################################################\n\nbigEcho \"Starting up VPN...\"\n\n/etc/init.d/vpn-assist start\n\n#################################################################\n\necho \"============================================================\"\necho \"PSK Key: $STRONGSWAN_PSK\"\necho \"Username: $STRONGSWAN_USER\"\necho \"Password: $STRONGSWAN_PASSWORD\"\necho \"============================================================\"\n\necho \"Note:\"\necho \"* Before connecting with a Windows client, please see: http://support.microsoft.com/kb/926179\"\necho \"* UDP Ports 1701, 500 and 4500 must be opened\"\necho \"* A specific host or public IP is not necessary as Strongswan utilises NAT traversal\"\n\n#################################################################\n\nbigEcho \"Cleaning up...\"\n\ncall rm -rf $STRONGSWAN_TMP\n\nsleep 2\nexit 0\n"
  }
]