
@kevinzhow
Last active March 19, 2019 12:59

Revisions

  1. kevinzhow revised this gist Sep 17, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion vpnserver.sh
    @@ -83,7 +83,7 @@ net.ipv4.ip_forward=1
    END
    sysctl -p

    wget -O iptables.sh https://gist.github.com/kevinzhow/984f55af8b6c901814b1/raw/5529f291da2410e6285d24f5203a5eb47fedbb0c/gistfile1.sh
    wget -O iptables.sh https://gist.github.com/kevinzhow/984f55af8b6c901814b1/raw/df3951ba942c1ee851caf63711bc0fc2ce55ca9b/gistfile1.sh
    sh iptables.sh

    iptables-save > /etc/firewall.rules
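Review bot: The `sh iptables.sh` line executes whatever `wget -O iptables.sh` left on disk without checking that the download succeeded, so a failed or interrupted fetch leaves an empty or truncated `iptables.sh` that is still run, and `iptables-save > /etc/firewall.rules` then persists whatever ruleset resulted. The new URL pins a raw-commit hash, which fixes the content the gist author intended, but nothing on the host verifies what actually arrived; a checksum recorded beside the URL would let the fetched script be checked before it runs. I would change the two lines to `wget -O iptables.sh <same URL> || exit 1` followed by `printf '%s  iptables.sh\n' '<expected-sha256 placeholder>' | sha256sum -c - || exit 1`, keeping `sh iptables.sh` after them. The file is a flat run of top-level commands that starts and ends outside this hunk, and the creation revision below shows no `set -e` after the shebang, so the explicit `|| exit 1` is what stops the script on failure.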
  2. kevinzhow created this gist Mar 9, 2015.
    229 changes: 229 additions & 0 deletions vpnserver.sh
    @@ -0,0 +1,229 @@
    #!/usr/bin/env bash
    echo 'deb http://shadowsocks.org/debian wheezy main' >> /etc/apt/sources.list
    # Pre-requisites


    sudo apt-get -y update
    sudo apt-get -y install pptpd
    sudo apt-get -y install fail2ban
    sudo apt-get -y install shadowsocks-libev

    cat >/etc/shadowsocks-libev/config.json <<END
    {
    "server":"0.0.0.0",
    "server_port":8088,
    "local_address": "127.0.0.1",
    "local_port":1080,
    "password":"test",
    "timeout":300,
    "method":"aes-256-cfb",
    "fast_open": true
    }
    END

    cat >/etc/sysctl.d/local.conf <<END
    fs.file-max = 51200
    net.core.rmem_max = 67108864
    net.core.wmem_max = 67108864
    net.core.rmem_default = 65536
    net.core.wmem_default = 65536
    net.core.netdev_max_backlog = 4096
    net.core.somaxconn = 4096
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_tw_reuse = 1
    net.ipv4.tcp_tw_recycle = 0
    net.ipv4.tcp_fin_timeout = 30
    net.ipv4.tcp_keepalive_time = 1200
    net.ipv4.ip_local_port_range = 10000 65000
    net.ipv4.tcp_max_syn_backlog = 4096
    net.ipv4.tcp_max_tw_buckets = 5000
    net.ipv4.tcp_fastopen = 3
    net.ipv4.tcp_rmem = 4096 87380 67108864
    net.ipv4.tcp_wmem = 4096 65536 67108864
    net.ipv4.tcp_mtu_probing = 1
    # for high-latency network
    net.ipv4.tcp_congestion_control = hybla
    # for low-latency network, use cubic instead
    # net.ipv4.tcp_congestion_control = cubic
    END

    sysctl --system


    cat >/etc/ppp/options.pptpd <<END
    name pptpd
    refuse-pap
    refuse-chap
    refuse-mschap
    require-mschap-v2
    require-mppe-128
    ms-dns 8.8.8.8
    ms-dns 8.8.4.4
    proxyarp
    lock
    nobsdcomp
    novj
    novjccomp
    nologfd
    END

    cat >/etc/pptpd.conf <<END
    option /etc/ppp/options.pptpd
    logwtmp
    localip 172.7.0.1
    remoteip 172.7.0.10-100
    END

    cat >> /etc/sysctl.conf <<END
    net.ipv4.ip_forward=1
    END
    sysctl -p

    wget -O iptables.sh https://gist.github.com/kevinzhow/984f55af8b6c901814b1/raw/5529f291da2410e6285d24f5203a5eb47fedbb0c/gistfile1.sh
    sh iptables.sh

    iptables-save > /etc/firewall.rules


    cat >/etc/network/if-pre-up.d/firewall <<END
    #!/bin/sh
    /sbin/iptables-restore < /etc/firewall.rules
    END

    chmod +x /etc/network/if-pre-up.d/firewall

    cat >/etc/ppp/chap-secrets <<END
    test pptpd test *
    END

    service pptpd restart

    #IPSec IKev1

    sudo apt-get -y install strongswan strongswan-plugin-xauth-generic strongswan-plugin-eap-mschapv2

    cat > /etc/ipsec.secrets <<END
    : RSA serverKey.pem
    : PSK "test"
    test %any : EAP "test"
    test %any : XAUTH "test"
    END

    cat > /etc/ipsec.conf <<END
    config setup
    cachecrls=yes
    strictcrlpolicy=yes
    uniqueids=never
    conn %default
    keyexchange=ikev1
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    #rightsubnet=10.7.0.0/24
    rightsourceip=10.7.0.0/24
    rightdns=8.8.8.8,8.8.4.4
    auto=add
    fragmentation=yes
    conn iOS
    leftauth=pubkey
    rightauth2=xauth
    aggressive=yes
    rightauth=pubkey
    leftid=test
    conn android
    aggressive=no
    leftauth=psk
    rightauth2=xauth
    rightauth=psk
    conn xauth_psk
    leftid=test
    aggressive=yes
    leftauth=psk
    rightauth2=xauth
    rightauth=psk
    conn ios_ikev2
    keyexchange=ikev2
    leftsendcert=always
    leftid=@*.domain.com
    leftcert=serverCert.pem
    rightauth=eap-mschapv2
    eap_identity=%any
    rightsendcert=never
    rightid="test"
    closeaction=clear
    #dpddelay = 1s
    auto=add
    conn ios_ikev2_psk
    keyexchange=ikev2
    eap_identity = %any
    rightsendcert=never
    rightid="test"
    reauth=no
    #rekey=no
    closeaction=clear
    #dpddelay = 1s
    auto=add
    leftauth=psk
    #rightauth2=xauth
    rightauth = eap-mschapv2
    aggressive=yes
    #rightauth=psk
    END

    cat > /etc/strongswan.d/charon.conf <<END
    charon {
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
    load_modular = yes
    duplicheck.enable = no
    crypto_test {
    }
    host_resolver {
    }
    leak_detective {
    }
    processor {
    priority_threads {
    }
    }
    tls {
    }
    x509 {
    }
    }
    END

    service strongswan restart