From d20bf4a8ee79bfee5b593d77bbb225a62c9ef87a Mon Sep 17 00:00:00 2001 From: fintzd <35842457+fintzd@users.noreply.github.com> Date: Sat, 5 Feb 2022 04:51:39 +0100 Subject: [PATCH 1/9] Update README.md (#1097) - Added usually required `sudo` to update & upgrade server --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 22c420d..acea0bf 100644 --- a/README.md +++ b/README.md @@ -88,7 +88,7 @@ A pre-built [Docker image](https://github.com/hwdsl2/docker-ipsec-vpn-server) is ## Installation -First, update your system with `apt-get update && apt-get dist-upgrade` (Ubuntu/Debian) or `yum update` and reboot. This is optional, but recommended. +First, update your system with `sudo apt-get update && sudo apt-get dist-upgrade` (Ubuntu/Debian) or `yum update` and reboot. This is optional, but recommended. To install the VPN, please choose one of the following options: From 8d9eeee65eb09ce6d24cda09b168236b459fd544 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 4 Feb 2022 21:55:50 -0600 Subject: [PATCH 2/9] Update docs - Ref: #1097 --- README-zh.md | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README-zh.md b/README-zh.md index b9e9dfe..d01be3f 100644 --- a/README-zh.md +++ b/README-zh.md @@ -88,7 +88,7 @@ wget https://git.io/vpnquickstart -O vpn.sh && sudo sh vpn.sh ## 安装说明 -首先,更新你的系统:运行 `apt-get update && apt-get dist-upgrade` (Ubuntu/Debian) 或者 `yum update` 并重启。这一步是可选的,但推荐。 +首先,更新你的系统:运行 `sudo apt-get update && sudo apt-get dist-upgrade` (Ubuntu/Debian) 或者 `sudo yum update` 并重启。这一步是可选的,但推荐。 要安装 VPN,请从以下选项中选择一个: diff --git a/README.md b/README.md index acea0bf..84a50f5 100644 --- a/README.md +++ b/README.md 
@@ -88,7 +88,7 @@ A pre-built [Docker image](https://github.com/hwdsl2/docker-ipsec-vpn-server) is ## Installation -First, update your system with `sudo apt-get update && sudo apt-get dist-upgrade` (Ubuntu/Debian) or `yum update` and reboot. This is optional, but recommended. +First, update your system with `sudo apt-get update && sudo apt-get dist-upgrade` (Ubuntu/Debian) or `sudo yum update` and reboot. This is optional, but recommended. To install the VPN, please choose one of the following options: From 3ca1bf63eee82ce3794952cc3fa9ac1959c1de20 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 6 Feb 2022 01:12:44 -0600 Subject: [PATCH 3/9] Update tests --- .github/workflows/cron.yml | 509 ++++++------------------------------ .github/workflows/main.yml | 511 ++++++------------------------------- 2 files changed, 157 insertions(+), 863 deletions(-) diff --git a/.github/workflows/cron.yml b/.github/workflows/cron.yml index 13a2433..ca956a3 100644 --- a/.github/workflows/cron.yml +++ b/.github/workflows/cron.yml @@ -610,7 +610,7 @@ jobs: if: github.repository_owner == 'hwdsl2' strategy: matrix: - os_version: ["ubuntu:20.04", "ubuntu:18.04", "debian:11", "debian:10", "debian:9"] + os_version: ["ubuntu:20.04", "ubuntu:18.04", "debian:11", "debian:10", "debian:9", "alpine:3.14", "alpine:3.15"] fail-fast: false container: image: ${{ matrix.os_version }} @@ -620,10 +620,22 @@ jobs: run: | set -ex + os_type="" + [ -f /etc/os-release ] && os_type=$(. /etc/os-release && printf '%s' "$ID") + [ -z "$os_type" ] && exit 1 + log1=/var/log/auth.log - log2=/var/log/syslog + if [ "$os_type" = "alpine" ]; then + log2=/var/log/messages + else + log2=/var/log/syslog + fi restart_ipsec() { + if [ "$os_type" = "alpine" ]; then + ipsec whack --shutdown || true + ipsec pluto --config /etc/ipsec.conf + fi echo "Waiting for IPsec to restart." count=0 while ! grep -q "pluto\[$(cat /var/run/pluto/pluto.pid)\]: listening for IKE messages" "$log1"; do 
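Review bot: In the Alpine branch of `restart_ipsec`, the wait loop re-reads `/var/run/pluto/pluto.pid` on every iteration immediately after `ipsec pluto --config /etc/ipsec.conf` returns, so if the file still names the daemon that `ipsec whack --shutdown` just stopped, the grep finds that daemon's earlier "listening for IKE messages" line already in `$log1` and the function returns before the new pluto is up. Whether the shutdown removes the pid file synchronously is not visible here, so treat this as a possible race rather than a certain one; recording the outgoing PID before the shutdown and accepting only a different one closes it either way. A missing pid file is harmless today (the `cat` inside the substitution fails and the pattern `pluto\[\]:` never matches) but costs the full 15 s timeout instead of a retry. `restart_ipsec` continues past the end of this hunk, and the step body it lives in begins before it.
```yaml
restart_ipsec() {
  old_pid=""
  if [ "$os_type" = "alpine" ]; then
    # Remember the daemon being replaced: its "listening" line is already
    # in $log1, so the wait below must not accept that PID again.
    old_pid=$(cat /var/run/pluto/pluto.pid 2>/dev/null || true)
    ipsec whack --shutdown || true
    ipsec pluto --config /etc/ipsec.conf
  fi
  echo "Waiting for IPsec to restart."
  count=0
  while ! { new_pid=$(cat /var/run/pluto/pluto.pid 2>/dev/null) \
      && [ -n "$new_pid" ] && [ "$new_pid" != "$old_pid" ] \
      && grep -q "pluto\[$new_pid\]: listening for IKE messages" "$log1"; }; do
    # … unchanged: 30-try counter, progress dots, sleep 0.5 …
```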
@@ -653,20 +665,31 @@ jobs: cd /opt/src echo "# hwdsl2" > run.sh - export DEBIAN_FRONTEND=noninteractive - apt-get -yqq update - apt-get -yqq dist-upgrade - apt-get -yqq install wget rsyslog - service rsyslog start + if [ "$os_type" = "alpine" ]; then + apk add -U wget rsyslog + rsyslogd + else + export DEBIAN_FRONTEND=noninteractive + apt-get -yqq update + apt-get -yqq dist-upgrade + apt-get -yqq install wget rsyslog + service rsyslog start + fi wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' vpnsetup.sh sh vpnsetup.sh - restart_ipsec - restart_fail2ban - cat /var/log/fail2ban.log + if [ "$os_type" = "alpine" ]; then + ipsec initnss + xl2tpd -c /etc/xl2tpd/xl2tpd.conf + restart_ipsec + else + restart_ipsec + restart_fail2ban + cat /var/log/fail2ban.log + fi netstat -anpu | grep pluto netstat -anpu | grep xl2tpd @@ -691,15 +714,25 @@ jobs: ANSWERS rm -f /usr/bin/ikev2.sh /opt/src/ikev2.sh + if [ "$os_type" = "alpine" ]; then + killall pluto || true + killall xl2tpd || true + fi + wget -t 3 -T 30 -nv -O quickstart.sh https://git.io/vpnquickstart sed -i -e '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' \ -e '/sleep 1/a sed -i "/swan_ver_latest=/s/^/#/" /opt/src/ikev2.sh' quickstart.sh sh quickstart.sh - restart_ipsec - restart_fail2ban - cat /var/log/fail2ban.log + if [ "$os_type" = "alpine" ]; then + xl2tpd -c /etc/xl2tpd/xl2tpd.conf + restart_ipsec + else + restart_ipsec + restart_fail2ban + cat /var/log/fail2ban.log + fi netstat -anpu | grep pluto netstat -anpu | grep xl2tpd 
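Review bot: The Alpine branch added around `sh vpnsetup.sh` skips `restart_fail2ban` and the `cat /var/log/fail2ban.log` check, so on `alpine:3.14`/`alpine:3.15` the job never verifies that the SSH jail comes up, while every other matrix entry does. If `vpnsetup.sh` does not install fail2ban on Alpine, say so where the branch diverges — `# fail2ban is not installed on Alpine by vpnsetup.sh; only IPsec and xl2tpd are verified here` — so the gap reads as deliberate; if it does install it, the Alpine side should start it and run the same log check so a regression there is caught. The `rsyslogd` call that replaces `service rsyslog start` is likewise not verified beyond its exit status; the first `grep pluto "$log1"` later in the step is where a silent logging failure would surface.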
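Review bot: `killall pluto || true` and `killall xl2tpd || true`, inserted before `quickstart.sh` is fetched, only send the signal; nothing waits for the processes to exit, so the pluto and xl2tpd launched by the next script can race the dying ones for the UDP ports and pid files. It is also inconsistent with `restart_ipsec`, which stops pluto through `ipsec whack --shutdown`. Prefer the same call plus a bounded wait, e.g. `ipsec whack --shutdown || true; killall xl2tpd || true` followed by `for _ in $(seq 1 20); do pgrep -x pluto >/dev/null || pgrep -x xl2tpd >/dev/null || break; sleep 0.5; done`, assuming the image's BusyBox provides `pgrep` as it does `killall`.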
@@ -726,7 +759,16 @@ jobs: ANSWERS rm -f /usr/bin/ikev2.sh /opt/src/ikev2.sh - wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-ubuntu + if [ "$os_type" = "alpine" ]; then + killall pluto || true + killall xl2tpd || true + fi + + if [ "$os_type" = "alpine" ]; then + wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-alpine + else + wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-ubuntu + fi sed -i '/swan_ver_latest=/s/^/#/' vpnsetup.sh VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \ @@ -736,6 +778,10 @@ jobs: VPN_DNS_SRV2='1.0.0.1' \ bash vpnsetup.sh + if [ "$os_type" = "alpine" ]; then + ipsec initnss + xl2tpd -c /etc/xl2tpd/xl2tpd.conf + fi restart_ipsec netstat -anpu | grep pluto @@ -855,7 +901,11 @@ jobs: VPN_DNS_SRV1=invaliddns \ bash ikev2.sh --auto 2>&1 | grep -i "invalid" - apt-get -yqq remove uuid-runtime + if [ "$os_type" = "alpine" ]; then + apk del uuidgen + else + apt-get -yqq remove uuid-runtime + fi sed -i '/^include /d' /etc/ipsec.conf VPN_CLIENT_NAME=vpnclient1 \ 
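Review bot: The two consecutive `if [ "$os_type" = "alpine" ]; then … fi` blocks added before `sed -i '/swan_ver_latest=/s/^/#/' vpnsetup.sh` test the same condition back to back; folding the `killall` lines and the `vpnsetup-alpine` download into one `if … else … fi` reads as a single "reset and fetch" step and halves the branching a reader has to follow. The same `killall` pair appears in the previous hunk, so a small `stop_alpine_daemons()` helper next to `restart_ipsec` would keep the two call sites in step. Both spots share the caveat that `killall` returns before the processes have actually exited.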
@@ -986,7 +1036,11 @@ jobs: wget -t 3 -T 30 -nv -O vpnup.sh https://git.io/vpnupgrade sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpnup.sh"' vpnup.sh - for ver in 4.4 ""; do + [ "$os_type" = "alpine" ] && ver1=4.5 || ver1=4.4 + for ver in "$ver1" ""; do + if [ "$os_type" = "alpine" ]; then + ipsec whack --shutdown || true + fi sed -i "s/^SWAN_VER=.*/SWAN_VER=$ver/" vpnup.sh bash vpnup.sh < run.sh - - apk add -U wget rsyslog - rsyslogd - - wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup - sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' vpnsetup.sh - - sh vpnsetup.sh - - ipsec initnss - xl2tpd -c /etc/xl2tpd/xl2tpd.conf - restart_ipsec - - netstat -anpu | grep pluto - netstat -anpu | grep xl2tpd - iptables -nvL - iptables -nvL | grep -q 'ppp+' - iptables -nvL | grep -q '192\.168\.43\.0/24' - iptables -nvL -t nat - iptables -nvL -t nat | grep -q '192\.168\.42\.0/24' - iptables -nvL -t nat | grep -q '192\.168\.43\.0/24' - grep pluto "$log1" - grep xl2tpd "$log2" - ipsec status - ipsec status | grep -q l2tp-psk - ipsec status | grep -q xauth-psk - - ls -l /usr/bin/ikev2.sh - ls -l /opt/src/ikev2.sh - - wget -t 3 -T 30 -nv -O vpnunst.sh https://git.io/vpnuninstall - bash vpnunst.sh <&1 | grep -i "abort" - 4 - vpnclient2 - - ANSWERS - - bash ikev2.sh <&1 | grep -i "abort" - 2 - vpnclient2 - - ANSWERS - - bash ikev2.sh <&1 | grep -i "abort" - 5 - - ANSWERS - - bash ikev2.sh <&1 | grep -i "invalid" - - apk del uuidgen - sed -i '/^include /d' /etc/ipsec.conf - - VPN_CLIENT_NAME=vpnclient1 \ - VPN_DNS_NAME=vpn.example.com \ - VPN_DNS_SRV1=1.1.1.1 \ - VPN_DNS_SRV2=1.0.0.1 \ - bash ikev2.sh --auto - - grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf - grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.d/ikev2.conf - ls -ld /etc/ipsec.d/vpnclient1.mobileconfig - ls -ld /etc/ipsec.d/vpnclient1.sswan - ls -ld /etc/ipsec.d/vpnclient1.p12 - grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.mobileconfig - grep -q 
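Review bot: `[ "$os_type" = "alpine" ] && ver1=4.5 || ver1=4.4` is the `a && b || c` idiom ShellCheck flags as SC2015; it happens to be safe here only because an assignment cannot fail, and `if [ "$os_type" = "alpine" ]; then ver1=4.5; else ver1=4.4; fi` says so without the reader having to work it out. Inside the loop, the Alpine-only `ipsec whack --shutdown || true` returns as soon as the request is delivered, so `bash vpnup.sh` may start rebuilding and relaunching pluto while the previous one is still shutting down; a short bounded wait on `pgrep -x pluto` between the two removes that window. The loop body continues past the lines legible here.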
'vpn.example.com' /etc/ipsec.d/vpnclient1.sswan - - restart_ipsec - ipsec status | grep -q ikev2-cp - - bash ikev2.sh --auto --addclient invalidclient: 2>&1 | grep -i "warning" - bash ikev2.sh --addclient invalidclient: 2>&1 | grep -i "invalid" - bash ikev2.sh --addclient vpnclient1 2>&1 | grep -i "already exists" - - bash ikev2.sh --addclient vpnclient2 - - ls -ld /etc/ipsec.d/vpnclient2.mobileconfig - ls -ld /etc/ipsec.d/vpnclient2.sswan - ls -ld /etc/ipsec.d/vpnclient2.p12 - - bash ikev2.sh --exportclient nonexistclient 2>&1 | grep -i "does not exist" - - rm -f /etc/ipsec.d/vpnclient2* - bash ikev2.sh --exportclient vpnclient2 - - ls -ld /etc/ipsec.d/vpnclient2.mobileconfig - ls -ld /etc/ipsec.d/vpnclient2.sswan - ls -ld /etc/ipsec.d/vpnclient2.p12 - - bash ikev2.sh --addclient vpnclient2 --exportclient vpnclient2 2>&1 | grep -i "invalid" - - bash ikev2.sh --listclients | grep "vpnclient1 \+valid" - bash ikev2.sh --listclients | grep "vpnclient2 \+valid" - - bash ikev2.sh --revokeclient nonexistclient 2>&1 | grep -i "does not exist" - bash ikev2.sh --revokeclient vpnclient2 <&1 | grep -i "already been revoked" - bash ikev2.sh --exportclient vpnclient2 2>&1 | grep -i "revoked" - bash ikev2.sh -h 2>&1 | grep -i "usage:" - bash ikev2.sh --invalidoption 2>&1 | grep -i "usage:" - - bash ikev2.sh --removeikev2 --exportclient vpnclient1 2>&1 | grep -i "invalid" - bash ikev2.sh --removeikev2 < run.sh - export DEBIAN_FRONTEND=noninteractive - apt-get -yqq update - apt-get -yqq dist-upgrade - apt-get -yqq install wget rsyslog - service rsyslog start + if [ "$os_type" = "alpine" ]; then + apk add -U wget rsyslog + rsyslogd + else + export DEBIAN_FRONTEND=noninteractive + apt-get -yqq update + apt-get -yqq dist-upgrade + apt-get -yqq install wget rsyslog + service rsyslog start + fi wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' vpnsetup.sh sh vpnsetup.sh - restart_ipsec - restart_fail2ban - 
cat /var/log/fail2ban.log + if [ "$os_type" = "alpine" ]; then + ipsec initnss + xl2tpd -c /etc/xl2tpd/xl2tpd.conf + restart_ipsec + else + restart_ipsec + restart_fail2ban + cat /var/log/fail2ban.log + fi netstat -anpu | grep pluto netstat -anpu | grep xl2tpd @@ -720,15 +743,25 @@ jobs: ANSWERS rm -f /usr/bin/ikev2.sh /opt/src/ikev2.sh + if [ "$os_type" = "alpine" ]; then + killall pluto || true + killall xl2tpd || true + fi + wget -t 3 -T 30 -nv -O quickstart.sh https://git.io/vpnquickstart sed -i -e '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' \ -e '/sleep 1/a sed -i "/swan_ver_latest=/s/^/#/" /opt/src/ikev2.sh' quickstart.sh sh quickstart.sh - restart_ipsec - restart_fail2ban - cat /var/log/fail2ban.log + if [ "$os_type" = "alpine" ]; then + xl2tpd -c /etc/xl2tpd/xl2tpd.conf + restart_ipsec + else + restart_ipsec + restart_fail2ban + cat /var/log/fail2ban.log + fi netstat -anpu | grep pluto netstat -anpu | grep xl2tpd @@ -755,7 +788,16 @@ jobs: ANSWERS rm -f /usr/bin/ikev2.sh /opt/src/ikev2.sh - wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-ubuntu + if [ "$os_type" = "alpine" ]; then + killall pluto || true + killall xl2tpd || true + fi + + if [ "$os_type" = "alpine" ]; then + wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-alpine + else + wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-ubuntu + fi sed -i '/swan_ver_latest=/s/^/#/' vpnsetup.sh VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \ @@ -765,6 +807,10 @@ jobs: VPN_DNS_SRV2='1.0.0.1' \ bash vpnsetup.sh + if [ "$os_type" = "alpine" ]; then + ipsec initnss + xl2tpd -c /etc/xl2tpd/xl2tpd.conf + fi restart_ipsec netstat -anpu | grep pluto @@ -884,7 +930,11 @@ jobs: VPN_DNS_SRV1=invaliddns \ bash ikev2.sh --auto 2>&1 | grep -i "invalid" - apt-get -yqq remove uuid-runtime + if [ "$os_type" = "alpine" ]; then + apk del uuidgen + else + apt-get -yqq remove uuid-runtime + fi sed -i '/^include /d' /etc/ipsec.conf VPN_CLIENT_NAME=vpnclient1 \ 
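Review bot: The `killall pluto || true` / `killall xl2tpd || true` pair added before `wget … https://git.io/vpnquickstart` does not wait for either daemon to exit, so the pluto and xl2tpd that `quickstart.sh` starts can collide with the still-terminating ones on the same UDP ports and pid files, which would show up as a flaky `restart_ipsec` timeout rather than a clear failure. Elsewhere in this workflow pluto is stopped with `ipsec whack --shutdown`; using that here and then polling, e.g. `for _ in $(seq 1 20); do pgrep -x pluto >/dev/null || pgrep -x xl2tpd >/dev/null || break; sleep 0.5; done`, keeps the two paths consistent and deterministic. This assumes the Alpine image's BusyBox supplies `pgrep`, as it does `killall`.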
@@ -1015,7 +1065,11 @@ jobs: wget -t 3 -T 30 -nv -O vpnup.sh https://git.io/vpnupgrade sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpnup.sh"' vpnup.sh - for ver in 4.4 ""; do + [ "$os_type" = "alpine" ] && ver1=4.5 || ver1=4.4 + for ver in "$ver1" ""; do + if [ "$os_type" = "alpine" ]; then + ipsec whack --shutdown || true + fi sed -i "s/^SWAN_VER=.*/SWAN_VER=$ver/" vpnup.sh bash vpnup.sh < run.sh - - apk add -U wget rsyslog - rsyslogd - - wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup - sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' vpnsetup.sh - - sh vpnsetup.sh - - ipsec initnss - xl2tpd -c /etc/xl2tpd/xl2tpd.conf - restart_ipsec - - netstat -anpu | grep pluto - netstat -anpu | grep xl2tpd - iptables -nvL - iptables -nvL | grep -q 'ppp+' - iptables -nvL | grep -q '192\.168\.43\.0/24' - iptables -nvL -t nat - iptables -nvL -t nat | grep -q '192\.168\.42\.0/24' - iptables -nvL -t nat | grep -q '192\.168\.43\.0/24' - grep pluto "$log1" - grep xl2tpd "$log2" - ipsec status - ipsec status | grep -q l2tp-psk - ipsec status | grep -q xauth-psk - - ls -l /usr/bin/ikev2.sh - ls -l /opt/src/ikev2.sh - - wget -t 3 -T 30 -nv -O vpnunst.sh https://git.io/vpnuninstall - bash vpnunst.sh <&1 | grep -i "abort" - 4 - vpnclient2 - - ANSWERS - - bash ikev2.sh <&1 | grep -i "abort" - 2 - vpnclient2 - - ANSWERS - - bash ikev2.sh <&1 | grep -i "abort" - 5 - - ANSWERS - - bash ikev2.sh <&1 | grep -i "invalid" - - apk del uuidgen - sed -i '/^include /d' /etc/ipsec.conf - - VPN_CLIENT_NAME=vpnclient1 \ - VPN_DNS_NAME=vpn.example.com \ - VPN_DNS_SRV1=1.1.1.1 \ - VPN_DNS_SRV2=1.0.0.1 \ - bash ikev2.sh --auto - - grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf - grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.d/ikev2.conf - ls -ld /etc/ipsec.d/vpnclient1.mobileconfig - ls -ld /etc/ipsec.d/vpnclient1.sswan - ls -ld /etc/ipsec.d/vpnclient1.p12 - grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.mobileconfig - grep -q 
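Review bot: `[ "$os_type" = "alpine" ] && ver1=4.5 || ver1=4.4` relies on the `&& … ||` chain being safe because the middle command is an assignment; an explicit `if … then ver1=4.5; else ver1=4.4; fi` avoids the SC2015 pattern and makes the intent obvious at a glance. The new `ipsec whack --shutdown || true` at the top of each iteration is not followed by any wait, so `bash vpnup.sh` can relaunch pluto while the previous instance is still going down; polling `pgrep -x pluto` for a bounded number of tries before continuing would make the upgrade test deterministic. The rest of the loop body lies outside the lines legible here.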
'vpn.example.com' /etc/ipsec.d/vpnclient1.sswan - - restart_ipsec - ipsec status | grep -q ikev2-cp - - bash ikev2.sh --auto --addclient invalidclient: 2>&1 | grep -i "warning" - bash ikev2.sh --addclient invalidclient: 2>&1 | grep -i "invalid" - bash ikev2.sh --addclient vpnclient1 2>&1 | grep -i "already exists" - - bash ikev2.sh --addclient vpnclient2 - - ls -ld /etc/ipsec.d/vpnclient2.mobileconfig - ls -ld /etc/ipsec.d/vpnclient2.sswan - ls -ld /etc/ipsec.d/vpnclient2.p12 - - bash ikev2.sh --exportclient nonexistclient 2>&1 | grep -i "does not exist" - - rm -f /etc/ipsec.d/vpnclient2* - bash ikev2.sh --exportclient vpnclient2 - - ls -ld /etc/ipsec.d/vpnclient2.mobileconfig - ls -ld /etc/ipsec.d/vpnclient2.sswan - ls -ld /etc/ipsec.d/vpnclient2.p12 - - bash ikev2.sh --addclient vpnclient2 --exportclient vpnclient2 2>&1 | grep -i "invalid" - - bash ikev2.sh --listclients | grep "vpnclient1 \+valid" - bash ikev2.sh --listclients | grep "vpnclient2 \+valid" - - bash ikev2.sh --revokeclient nonexistclient 2>&1 | grep -i "does not exist" - bash ikev2.sh --revokeclient vpnclient2 <&1 | grep -i "already been revoked" - bash ikev2.sh --exportclient vpnclient2 2>&1 | grep -i "revoked" - bash ikev2.sh -h 2>&1 | grep -i "usage:" - bash ikev2.sh --invalidoption 2>&1 | grep -i "usage:" - - bash ikev2.sh --removeikev2 --exportclient vpnclient1 2>&1 | grep -i "invalid" - bash ikev2.sh --removeikev2 < Date: Sun, 6 Feb 2022 11:42:55 -0600 Subject: [PATCH 4/9] Update tests --- .github/workflows/cron.yml | 2 +- .github/workflows/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cron.yml b/.github/workflows/cron.yml index ca956a3..cef0a7f 100644 --- a/.github/workflows/cron.yml +++ b/.github/workflows/cron.yml 
@@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-20.04 if: github.repository_owner == 'hwdsl2' steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # 2.4.0 with: persist-credentials: false - name: Check diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 1dc3ecf..4b7cb5c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-20.04 if: github.repository_owner == 'hwdsl2' steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # 2.4.0 with: persist-credentials: false - name: Check @@ -47,7 +47,7 @@ jobs: runs-on: ubuntu-20.04 if: github.repository_owner == 'hwdsl2' steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # 2.4.0 with: persist-credentials: false - name: Check From d01cc0b97ae35201568d062069bdea4215ae5dd5 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 6 Feb 2022 16:41:39 -0600 Subject: [PATCH 5/9] Update tests --- .github/workflows/check_urls.yml | 107 +++ .github/workflows/cron.yml | 1065 +---------------------------- .github/workflows/main.yml | 1093 +----------------------------- .github/workflows/shellcheck.yml | 38 ++ .github/workflows/test_set_1.yml | 508 ++++++++++++++ .github/workflows/test_set_2.yml | 493 ++++++++++++++ 6 files changed, 1157 insertions(+), 2147 deletions(-) create mode 100644 .github/workflows/check_urls.yml create mode 100644 .github/workflows/shellcheck.yml create mode 100644 .github/workflows/test_set_1.yml create mode 100644 .github/workflows/test_set_2.yml diff --git a/.github/workflows/check_urls.yml b/.github/workflows/check_urls.yml new file mode 100644 index 0000000..cec311d --- /dev/null +++ b/.github/workflows/check_urls.yml 
@@ -0,0 +1,107 @@ +# +# Copyright (C) 2020-2022 Lin Song +# +# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 +# Unported License: http://creativecommons.org/licenses/by-sa/3.0/ +# +# Attribution required: please include my name in any derivative and let me +# know how you have improved it! + +name: check_urls + +on: workflow_call + +jobs: + check_urls: + runs-on: ubuntu-20.04 + if: github.repository_owner == 'hwdsl2' + steps: + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # 2.4.0 + with: + persist-credentials: false + - name: Check + run: | + cd "$GITHUB_WORKSPACE" + mkdir workdir + cd workdir + set -ex + + export DEBIAN_FRONTEND=noninteractive + sudo apt-get -yqq update + sudo apt-get -yqq install wget curl + + wg="wget -t 3 -T 30 -nv -O" + gh="https://github.com/hwdsl2/setup-ipsec-vpn/raw/master" + gi="https://git.io" + + $wg vpnsetup.sh "$gi/vpnsetup" + $wg vpnsetup_centos.sh "$gi/vpnsetup-centos" + $wg vpnsetup_amzn.sh "$gi/vpnsetup-amzn" + $wg vpnsetup_ubuntu.sh "$gi/vpnsetup-ubuntu" + $wg vpnsetup_alpine.sh "$gi/vpnsetup-alpine" + $wg quickstart.sh "$gi/vpnquickstart" + $wg ikev2setup.sh "$gi/ikev2setup" + $wg vpnupgrade.sh "$gi/vpnupgrade" + $wg vpnupgrade_centos.sh "$gi/vpnupgrade-centos" + $wg vpnupgrade_amzn.sh "$gi/vpnupgrade-amzn" + $wg vpnupgrade_ubuntu.sh "$gi/vpnupgrade-ubuntu" + $wg vpnupgrade_alpine.sh "$gi/vpnupgrade-alpine" + $wg vpnuninstall.sh "$gi/vpnuninstall" + + $wg vpnsetup2.sh "$gh/vpnsetup.sh" + $wg vpnsetup_centos2.sh "$gh/vpnsetup_centos.sh" + $wg vpnsetup_amzn2.sh "$gh/vpnsetup_amzn.sh" + $wg vpnsetup_ubuntu2.sh "$gh/vpnsetup_ubuntu.sh" + $wg vpnsetup_alpine2.sh "$gh/vpnsetup_alpine.sh" + $wg quickstart2.sh "$gh/extras/quickstart.sh" + $wg ikev2setup2.sh "$gh/extras/ikev2setup.sh" + $wg vpnupgrade2.sh "$gh/extras/vpnupgrade.sh" + $wg vpnupgrade_centos2.sh "$gh/extras/vpnupgrade_centos.sh" + $wg vpnupgrade_amzn2.sh "$gh/extras/vpnupgrade_amzn.sh" + $wg vpnupgrade_ubuntu2.sh 
"$gh/extras/vpnupgrade_ubuntu.sh" + $wg vpnupgrade_alpine2.sh "$gh/extras/vpnupgrade_alpine.sh" + $wg vpnuninstall2.sh "$gh/extras/vpnuninstall.sh" + + diff vpnsetup.sh ../vpnsetup.sh + diff vpnsetup_centos.sh ../vpnsetup_centos.sh + diff vpnsetup_amzn.sh ../vpnsetup_amzn.sh + diff vpnsetup_ubuntu.sh ../vpnsetup_ubuntu.sh + diff vpnsetup_alpine.sh ../vpnsetup_alpine.sh + diff quickstart.sh ../extras/quickstart.sh + diff ikev2setup.sh ../extras/ikev2setup.sh + diff vpnupgrade.sh ../extras/vpnupgrade.sh + diff vpnupgrade_centos.sh ../extras/vpnupgrade_centos.sh + diff vpnupgrade_amzn.sh ../extras/vpnupgrade_amzn.sh + diff vpnupgrade_ubuntu.sh ../extras/vpnupgrade_ubuntu.sh + diff vpnupgrade_alpine.sh ../extras/vpnupgrade_alpine.sh + diff vpnuninstall.sh ../extras/vpnuninstall.sh + + diff vpnsetup2.sh ../vpnsetup.sh + diff vpnsetup_centos2.sh ../vpnsetup_centos.sh + diff vpnsetup_amzn2.sh ../vpnsetup_amzn.sh + diff vpnsetup_ubuntu2.sh ../vpnsetup_ubuntu.sh + diff vpnsetup_alpine2.sh ../vpnsetup_alpine.sh + diff quickstart2.sh ../extras/quickstart.sh + diff ikev2setup2.sh ../extras/ikev2setup.sh + diff vpnupgrade2.sh ../extras/vpnupgrade.sh + diff vpnupgrade_centos2.sh ../extras/vpnupgrade_centos.sh + diff vpnupgrade_amzn2.sh ../extras/vpnupgrade_amzn.sh + diff vpnupgrade_ubuntu2.sh ../extras/vpnupgrade_ubuntu.sh + diff vpnupgrade_alpine2.sh ../extras/vpnupgrade_alpine.sh + diff vpnuninstall2.sh ../extras/vpnuninstall.sh + + url1="https://mirrors.kernel.org/ubuntu/pool/main/n/nss" + url2="https://mirrors.kernel.org/ubuntu/pool/universe/n/nss" + deb1="libnss3_3.49.1-1ubuntu1.6_amd64.deb" + deb2="libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb" + deb3="libnss3-tools_3.49.1-1ubuntu1.6_amd64.deb" + + $wg 1.deb "$url1/$deb1" + $wg 2.deb "$url1/$deb2" + $wg 3.deb "$url2/$deb3" + + bl="https://bit.ly" + curl -fsSI "$bl/addvpnuser" | grep -q 'add_vpn_user.sh' + curl -fsSI "$bl/delvpnuser" | grep -q 'del_vpn_user.sh' + curl -fsSI "$bl/updatevpnusers" | grep -q 'update_vpn_users.sh' + 
curl -fsSI "$bl/ikev2onlymode" | grep -q 'ikev2onlymode.sh' diff --git a/.github/workflows/cron.yml b/.github/workflows/cron.yml index cef0a7f..f691de5 100644 --- a/.github/workflows/cron.yml +++ b/.github/workflows/cron.yml 
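Review bot: The bit.ly checks at the end only assert that the redirect headers mention `add_vpn_user.sh` and friends, so a shortener that starts pointing at another host serving a file of the same name would still pass, even though these are links users are told to pipe into a shell. Match the whole target, e.g. `curl -fsSI "$bl/addvpnuser" | grep -qi "^location: $gh/extras/add_vpn_user.sh"` (adjust the path to where the script actually lives in the repo), which gives the bit.ly links the same full-URL strictness the `git.io` entries already get via `diff` against the checkout. `set -ex` is also enabled only after `cd "$GITHUB_WORKSPACE"`, `mkdir workdir` and `cd workdir`; move it to the first line of the step so a failed `cd` cannot leave the later `diff … ../vpnsetup.sh` comparisons running in the wrong directory.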
@@ -15,1072 +15,13 @@ on: jobs: check_urls: - runs-on: ubuntu-20.04 if: github.repository_owner == 'hwdsl2' - steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # 2.4.0 - with: - persist-credentials: false - - name: Check - run: | - cd "$GITHUB_WORKSPACE" - mkdir workdir - cd workdir - set -ex - - export DEBIAN_FRONTEND=noninteractive - sudo apt-get -yqq update - sudo apt-get -yqq install wget curl - - wg="wget -t 3 -T 30 -nv -O" - gh="https://github.com/hwdsl2/setup-ipsec-vpn/raw/master" - gi="https://git.io" - - $wg vpnsetup.sh "$gi/vpnsetup" - $wg vpnsetup_centos.sh "$gi/vpnsetup-centos" - $wg vpnsetup_amzn.sh "$gi/vpnsetup-amzn" - $wg vpnsetup_ubuntu.sh "$gi/vpnsetup-ubuntu" - $wg vpnsetup_alpine.sh "$gi/vpnsetup-alpine" - $wg quickstart.sh "$gi/vpnquickstart" - $wg ikev2setup.sh "$gi/ikev2setup" - $wg vpnupgrade.sh "$gi/vpnupgrade" - $wg vpnupgrade_centos.sh "$gi/vpnupgrade-centos" - $wg vpnupgrade_amzn.sh "$gi/vpnupgrade-amzn" - $wg vpnupgrade_ubuntu.sh "$gi/vpnupgrade-ubuntu" - $wg vpnupgrade_alpine.sh "$gi/vpnupgrade-alpine" - $wg vpnuninstall.sh "$gi/vpnuninstall" - - $wg vpnsetup2.sh "$gh/vpnsetup.sh" - $wg vpnsetup_centos2.sh "$gh/vpnsetup_centos.sh" - $wg vpnsetup_amzn2.sh "$gh/vpnsetup_amzn.sh" - $wg vpnsetup_ubuntu2.sh "$gh/vpnsetup_ubuntu.sh" - $wg vpnsetup_alpine2.sh "$gh/vpnsetup_alpine.sh" - $wg quickstart2.sh "$gh/extras/quickstart.sh" - $wg ikev2setup2.sh "$gh/extras/ikev2setup.sh" - $wg vpnupgrade2.sh "$gh/extras/vpnupgrade.sh" - $wg vpnupgrade_centos2.sh "$gh/extras/vpnupgrade_centos.sh" - $wg vpnupgrade_amzn2.sh "$gh/extras/vpnupgrade_amzn.sh" - $wg vpnupgrade_ubuntu2.sh "$gh/extras/vpnupgrade_ubuntu.sh" - $wg vpnupgrade_alpine2.sh "$gh/extras/vpnupgrade_alpine.sh" - $wg vpnuninstall2.sh "$gh/extras/vpnuninstall.sh" - - diff vpnsetup.sh ../vpnsetup.sh - diff vpnsetup_centos.sh ../vpnsetup_centos.sh - diff vpnsetup_amzn.sh ../vpnsetup_amzn.sh - diff vpnsetup_ubuntu.sh ../vpnsetup_ubuntu.sh - diff vpnsetup_alpine.sh 
../vpnsetup_alpine.sh - diff quickstart.sh ../extras/quickstart.sh - diff ikev2setup.sh ../extras/ikev2setup.sh - diff vpnupgrade.sh ../extras/vpnupgrade.sh - diff vpnupgrade_centos.sh ../extras/vpnupgrade_centos.sh - diff vpnupgrade_amzn.sh ../extras/vpnupgrade_amzn.sh - diff vpnupgrade_ubuntu.sh ../extras/vpnupgrade_ubuntu.sh - diff vpnupgrade_alpine.sh ../extras/vpnupgrade_alpine.sh - diff vpnuninstall.sh ../extras/vpnuninstall.sh - - diff vpnsetup2.sh ../vpnsetup.sh - diff vpnsetup_centos2.sh ../vpnsetup_centos.sh - diff vpnsetup_amzn2.sh ../vpnsetup_amzn.sh - diff vpnsetup_ubuntu2.sh ../vpnsetup_ubuntu.sh - diff vpnsetup_alpine2.sh ../vpnsetup_alpine.sh - diff quickstart2.sh ../extras/quickstart.sh - diff ikev2setup2.sh ../extras/ikev2setup.sh - diff vpnupgrade2.sh ../extras/vpnupgrade.sh - diff vpnupgrade_centos2.sh ../extras/vpnupgrade_centos.sh - diff vpnupgrade_amzn2.sh ../extras/vpnupgrade_amzn.sh - diff vpnupgrade_ubuntu2.sh ../extras/vpnupgrade_ubuntu.sh - diff vpnupgrade_alpine2.sh ../extras/vpnupgrade_alpine.sh - diff vpnuninstall2.sh ../extras/vpnuninstall.sh - - url1="https://mirrors.kernel.org/ubuntu/pool/main/n/nss" - url2="https://mirrors.kernel.org/ubuntu/pool/universe/n/nss" - deb1="libnss3_3.49.1-1ubuntu1.6_amd64.deb" - deb2="libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb" - deb3="libnss3-tools_3.49.1-1ubuntu1.6_amd64.deb" - - $wg 1.deb "$url1/$deb1" - $wg 2.deb "$url1/$deb2" - $wg 3.deb "$url2/$deb3" - - bl="https://bit.ly" - curl -fsSI "$bl/addvpnuser" | grep -q 'add_vpn_user.sh' - curl -fsSI "$bl/delvpnuser" | grep -q 'del_vpn_user.sh' - curl -fsSI "$bl/updatevpnusers" | grep -q 'update_vpn_users.sh' - curl -fsSI "$bl/ikev2onlymode" | grep -q 'ikev2onlymode.sh' + uses: ./.github/workflows/check_urls.yml test_set_1: needs: check_urls - runs-on: ubuntu-20.04 - if: github.repository_owner == 'hwdsl2' - strategy: - matrix: - os_version: ["centos:8s", "centos:7", "rockylinux:8", "almalinux:8", "amazonlinux:2"] - fail-fast: false - env: - OS_VERSION: 
${{ matrix.os_version }} - steps: - - name: Build - run: | - mkdir -p "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}" - cd "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}" - - cat > run.sh <<'EOF' - #!/bin/bash - set -eEx - - log1=/var/log/secure - log2=/var/log/messages - - trap 'catch $? $LINENO' ERR - - catch() { - echo "Error $1 occurred on line $2." - cat -n -- "$0" | tail -n+"$(($2 - 3))" | head -n7 - exit 1 - } - - restart_ipsec() { - if ! command -v amazon-linux-extras; then - systemctl restart ipsec - fi - echo "Waiting for IPsec to restart." - count=0 - while ! grep -q "pluto\[$(cat /var/run/pluto/pluto.pid)\]: listening for IKE messages" "$log1"; do - [ "$count" -ge "30" ] && { echo "IPsec failed to start."; exit 1; } - count=$((count+1)) - printf '%s' '.' - sleep 0.5 - done - echo - } - - restart_fail2ban() { - rm -f /var/log/fail2ban.log - systemctl restart fail2ban - echo "Waiting for Fail2ban to restart." - count=0 - while ! grep -qs -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log; do - [ "$count" -ge "30" ] && { echo "Fail2ban failed to start."; exit 1; } - count=$((count+1)) - printf '%s' '.' 
- sleep 0.5 - done - echo - } - - yum -y -q update - yum -y -q install wget rsyslog - systemctl start rsyslog - - wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup - sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' vpnsetup.sh - - sh vpnsetup.sh - - systemctl start xl2tpd - restart_ipsec - restart_fail2ban - cat /var/log/fail2ban.log - - netstat -anpu | grep pluto - netstat -anpu | grep xl2tpd - iptables -nvL - iptables -nvL | grep -q 'ppp+' - iptables -nvL | grep -q '192\.168\.43\.0/24' - iptables -nvL -t nat - iptables -nvL -t nat | grep -q '192\.168\.42\.0/24' - iptables -nvL -t nat | grep -q '192\.168\.43\.0/24' - grep pluto "$log1" - grep xl2tpd "$log2" - ipsec status - ipsec status | grep -q l2tp-psk - ipsec status | grep -q xauth-psk - - ls -l /usr/bin/ikev2.sh - ls -l /opt/src/ikev2.sh - - wget -t 3 -T 30 -nv -O vpnunst.sh https://git.io/vpnuninstall - bash vpnunst.sh <&1 | grep -i "abort" - 4 - vpnclient2 - - ANSWERS - - bash ikev2.sh <&1 | grep -i "abort" - 2 - vpnclient2 - - ANSWERS - - bash ikev2.sh <&1 | grep -i "abort" - 5 - - ANSWERS - - bash ikev2.sh <&1 | grep -i "invalid" - - sed -i '/^include /d' /etc/ipsec.conf - - VPN_CLIENT_NAME=vpnclient1 \ - VPN_DNS_NAME=vpn.example.com \ - VPN_DNS_SRV1=1.1.1.1 \ - VPN_DNS_SRV2=1.0.0.1 \ - bash ikev2.sh --auto - - grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf - grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.d/ikev2.conf - ls -ld /etc/ipsec.d/vpnclient1.mobileconfig - ls -ld /etc/ipsec.d/vpnclient1.sswan - ls -ld /etc/ipsec.d/vpnclient1.p12 - grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.mobileconfig - grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.sswan - - restart_ipsec - ipsec status | grep -q ikev2-cp - - bash ikev2.sh --auto --addclient invalidclient: 2>&1 | grep -i "warning" - bash ikev2.sh --addclient invalidclient: 2>&1 | grep -i "invalid" - bash ikev2.sh --addclient vpnclient1 2>&1 | grep -i "already exists" - - bash ikev2.sh --addclient vpnclient2 - 
- ls -ld /etc/ipsec.d/vpnclient2.mobileconfig - ls -ld /etc/ipsec.d/vpnclient2.sswan - ls -ld /etc/ipsec.d/vpnclient2.p12 - - bash ikev2.sh --exportclient nonexistclient 2>&1 | grep -i "does not exist" - - rm -f /etc/ipsec.d/vpnclient2* - bash ikev2.sh --exportclient vpnclient2 - - ls -ld /etc/ipsec.d/vpnclient2.mobileconfig - ls -ld /etc/ipsec.d/vpnclient2.sswan - ls -ld /etc/ipsec.d/vpnclient2.p12 - - bash ikev2.sh --addclient vpnclient2 --exportclient vpnclient2 2>&1 | grep -i "invalid" - - bash ikev2.sh --listclients | grep "vpnclient1 \+valid" - bash ikev2.sh --listclients | grep "vpnclient2 \+valid" - - bash ikev2.sh --revokeclient nonexistclient 2>&1 | grep -i "does not exist" - bash ikev2.sh --revokeclient vpnclient2 <&1 | grep -i "already been revoked" - bash ikev2.sh --exportclient vpnclient2 2>&1 | grep -i "revoked" - bash ikev2.sh -h 2>&1 | grep -i "usage:" - bash ikev2.sh --invalidoption 2>&1 | grep -i "usage:" - - bash ikev2.sh --removeikev2 --exportclient vpnclient1 2>&1 | grep -i "invalid" - bash ikev2.sh --removeikev2 < Dockerfile - else - echo "FROM $OS_VERSION" > Dockerfile - fi - - cat >> Dockerfile <<'EOF' - - ENV container docker - WORKDIR /opt/src - - RUN if command -v amazon-linux-extras; then amazon-linux-extras install -y kernel-ng; fi - - RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ "$i" = \ - systemd-tmpfiles-setup.service ] || rm -f "$i"; done); \ - rm -f /lib/systemd/system/multi-user.target.wants/*; \ - rm -f /etc/systemd/system/*.wants/*; \ - rm -f /lib/systemd/system/local-fs.target.wants/*; \ - rm -f /lib/systemd/system/sockets.target.wants/*udev*; \ - rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \ - rm -f /lib/systemd/system/basic.target.wants/*; \ - rm -f /lib/systemd/system/anaconda.target.wants/*; - - COPY ./run.sh /opt/src/run.sh - RUN chmod 755 /opt/src/run.sh - - VOLUME [ "/sys/fs/cgroup" ] - - CMD ["/sbin/init"] - EOF - cat Dockerfile - cat run.sh - docker build -t "${OS_VERSION//:}-test" 
. - - - name: Test - run: | - docker run -d --name "${OS_VERSION//:}-test-1" -v /sys/fs/cgroup:/sys/fs/cgroup:ro \ - --privileged "${OS_VERSION//:}-test" - sleep 5 - docker exec "${OS_VERSION//:}-test-1" /opt/src/run.sh "${OS_VERSION::6}" - - - name: Clear - if: always() - run: | - rm -rf "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}" - docker rm -f "${OS_VERSION//:}-test-1" || true - docker rmi "${OS_VERSION//:}-test" || true + uses: ./.github/workflows/test_set_1.yml test_set_2: needs: check_urls - runs-on: ubuntu-20.04 - if: github.repository_owner == 'hwdsl2' - strategy: - matrix: - os_version: ["ubuntu:20.04", "ubuntu:18.04", "debian:11", "debian:10", "debian:9", "alpine:3.14", "alpine:3.15"] - fail-fast: false - container: - image: ${{ matrix.os_version }} - options: --cap-add=NET_ADMIN --device=/dev/ppp - steps: - - name: Test - run: | - set -ex - - os_type="" - [ -f /etc/os-release ] && os_type=$(. /etc/os-release && printf '%s' "$ID") - [ -z "$os_type" ] && exit 1 - - log1=/var/log/auth.log - if [ "$os_type" = "alpine" ]; then - log2=/var/log/messages - else - log2=/var/log/syslog - fi - - restart_ipsec() { - if [ "$os_type" = "alpine" ]; then - ipsec whack --shutdown || true - ipsec pluto --config /etc/ipsec.conf - fi - echo "Waiting for IPsec to restart." - count=0 - while ! grep -q "pluto\[$(cat /var/run/pluto/pluto.pid)\]: listening for IKE messages" "$log1"; do - [ "$count" -ge "30" ] && { echo "IPsec failed to start."; exit 1; } - count=$((count+1)) - printf '%s' '.' - sleep 0.5 - done - echo - } - - restart_fail2ban() { - rm -f /var/log/fail2ban.log - service fail2ban restart - echo "Waiting for Fail2ban to restart." - count=0 - while ! grep -qs -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log; do - [ "$count" -ge "30" ] && { echo "Fail2ban failed to start."; exit 1; } - count=$((count+1)) - printf '%s' '.' 
- sleep 0.5 - done - echo - } - - mkdir -p /opt/src - cd /opt/src - echo "# hwdsl2" > run.sh - - if [ "$os_type" = "alpine" ]; then - apk add -U wget rsyslog - rsyslogd - else - export DEBIAN_FRONTEND=noninteractive - apt-get -yqq update - apt-get -yqq dist-upgrade - apt-get -yqq install wget rsyslog - service rsyslog start - fi - - wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup - sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' vpnsetup.sh - - sh vpnsetup.sh - - if [ "$os_type" = "alpine" ]; then - ipsec initnss - xl2tpd -c /etc/xl2tpd/xl2tpd.conf - restart_ipsec - else - restart_ipsec - restart_fail2ban - cat /var/log/fail2ban.log - fi - - netstat -anpu | grep pluto - netstat -anpu | grep xl2tpd - iptables -nvL - iptables -nvL | grep -q 'ppp+' - iptables -nvL | grep -q '192\.168\.43\.0/24' - iptables -nvL -t nat - iptables -nvL -t nat | grep -q '192\.168\.42\.0/24' - iptables -nvL -t nat | grep -q '192\.168\.43\.0/24' - grep pluto "$log1" - grep xl2tpd "$log2" - ipsec status - ipsec status | grep -q l2tp-psk - ipsec status | grep -q xauth-psk - - ls -l /usr/bin/ikev2.sh - ls -l /opt/src/ikev2.sh - - wget -t 3 -T 30 -nv -O vpnunst.sh https://git.io/vpnuninstall - bash vpnunst.sh <&1 | grep -i "abort" - 4 - vpnclient2 - - ANSWERS - - bash ikev2.sh <&1 | grep -i "abort" - 2 - vpnclient2 - - ANSWERS - - bash ikev2.sh <&1 | grep -i "abort" - 5 - - ANSWERS - - bash ikev2.sh <&1 | grep -i "invalid" - - if [ "$os_type" = "alpine" ]; then - apk del uuidgen - else - apt-get -yqq remove uuid-runtime - fi - sed -i '/^include /d' /etc/ipsec.conf - - VPN_CLIENT_NAME=vpnclient1 \ - VPN_DNS_NAME=vpn.example.com \ - VPN_DNS_SRV1=1.1.1.1 \ - VPN_DNS_SRV2=1.0.0.1 \ - bash ikev2.sh --auto - - grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf - grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.d/ikev2.conf - ls -ld /etc/ipsec.d/vpnclient1.mobileconfig - ls -ld /etc/ipsec.d/vpnclient1.sswan - ls -ld /etc/ipsec.d/vpnclient1.p12 - grep -q 
'vpn.example.com' /etc/ipsec.d/vpnclient1.mobileconfig - grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.sswan - - restart_ipsec - ipsec status | grep -q ikev2-cp - - bash ikev2.sh --auto --addclient invalidclient: 2>&1 | grep -i "warning" - bash ikev2.sh --addclient invalidclient: 2>&1 | grep -i "invalid" - bash ikev2.sh --addclient vpnclient1 2>&1 | grep -i "already exists" - - bash ikev2.sh --addclient vpnclient2 - - ls -ld /etc/ipsec.d/vpnclient2.mobileconfig - ls -ld /etc/ipsec.d/vpnclient2.sswan - ls -ld /etc/ipsec.d/vpnclient2.p12 - - bash ikev2.sh --exportclient nonexistclient 2>&1 | grep -i "does not exist" - - rm -f /etc/ipsec.d/vpnclient2* - bash ikev2.sh --exportclient vpnclient2 - - ls -ld /etc/ipsec.d/vpnclient2.mobileconfig - ls -ld /etc/ipsec.d/vpnclient2.sswan - ls -ld /etc/ipsec.d/vpnclient2.p12 - - bash ikev2.sh --addclient vpnclient2 --exportclient vpnclient2 2>&1 | grep -i "invalid" - - bash ikev2.sh --listclients | grep "vpnclient1 \+valid" - bash ikev2.sh --listclients | grep "vpnclient2 \+valid" - - bash ikev2.sh --revokeclient nonexistclient 2>&1 | grep -i "does not exist" - bash ikev2.sh --revokeclient vpnclient2 <&1 | grep -i "already been revoked" - bash ikev2.sh --exportclient vpnclient2 2>&1 | grep -i "revoked" - bash ikev2.sh -h 2>&1 | grep -i "usage:" - bash ikev2.sh --invalidoption 2>&1 | grep -i "usage:" - - bash ikev2.sh --removeikev2 --exportclient vpnclient1 2>&1 | grep -i "invalid" - bash ikev2.sh --removeikev2 < run.sh <<'EOF' - #!/bin/bash - set -eEx - - log1=/var/log/secure - log2=/var/log/messages - - trap 'catch $? $LINENO' ERR - - catch() { - echo "Error $1 occurred on line $2." - cat -n -- "$0" | tail -n+"$(($2 - 3))" | head -n7 - exit 1 - } - - restart_ipsec() { - if ! command -v amazon-linux-extras; then - systemctl restart ipsec - fi - echo "Waiting for IPsec to restart." - count=0 - while ! 
grep -q "pluto\[$(cat /var/run/pluto/pluto.pid)\]: listening for IKE messages" "$log1"; do - [ "$count" -ge "30" ] && { echo "IPsec failed to start."; exit 1; } - count=$((count+1)) - printf '%s' '.' - sleep 0.5 - done - echo - } - - restart_fail2ban() { - rm -f /var/log/fail2ban.log - systemctl restart fail2ban - echo "Waiting for Fail2ban to restart." - count=0 - while ! grep -qs -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log; do - [ "$count" -ge "30" ] && { echo "Fail2ban failed to start."; exit 1; } - count=$((count+1)) - printf '%s' '.' - sleep 0.5 - done - echo - } - - yum -y -q update - yum -y -q install wget rsyslog - systemctl start rsyslog - - wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup - sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' vpnsetup.sh - - sh vpnsetup.sh - - systemctl start xl2tpd - restart_ipsec - restart_fail2ban - cat /var/log/fail2ban.log - - netstat -anpu | grep pluto - netstat -anpu | grep xl2tpd - iptables -nvL - iptables -nvL | grep -q 'ppp+' - iptables -nvL | grep -q '192\.168\.43\.0/24' - iptables -nvL -t nat - iptables -nvL -t nat | grep -q '192\.168\.42\.0/24' - iptables -nvL -t nat | grep -q '192\.168\.43\.0/24' - grep pluto "$log1" - grep xl2tpd "$log2" - ipsec status - ipsec status | grep -q l2tp-psk - ipsec status | grep -q xauth-psk - - ls -l /usr/bin/ikev2.sh - ls -l /opt/src/ikev2.sh - - wget -t 3 -T 30 -nv -O vpnunst.sh https://git.io/vpnuninstall - bash vpnunst.sh <&1 | grep -i "abort" - 4 - vpnclient2 - - ANSWERS - - bash ikev2.sh <&1 | grep -i "abort" - 2 - vpnclient2 - - ANSWERS - - bash ikev2.sh <&1 | grep -i "abort" - 5 - - ANSWERS - - bash ikev2.sh <&1 | grep -i "invalid" - - sed -i '/^include /d' /etc/ipsec.conf - - VPN_CLIENT_NAME=vpnclient1 \ - VPN_DNS_NAME=vpn.example.com \ - VPN_DNS_SRV1=1.1.1.1 \ - VPN_DNS_SRV2=1.0.0.1 \ - bash ikev2.sh --auto - - grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf - grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' 
/etc/ipsec.d/ikev2.conf - ls -ld /etc/ipsec.d/vpnclient1.mobileconfig - ls -ld /etc/ipsec.d/vpnclient1.sswan - ls -ld /etc/ipsec.d/vpnclient1.p12 - grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.mobileconfig - grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.sswan - - restart_ipsec - ipsec status | grep -q ikev2-cp - - bash ikev2.sh --auto --addclient invalidclient: 2>&1 | grep -i "warning" - bash ikev2.sh --addclient invalidclient: 2>&1 | grep -i "invalid" - bash ikev2.sh --addclient vpnclient1 2>&1 | grep -i "already exists" - - bash ikev2.sh --addclient vpnclient2 - - ls -ld /etc/ipsec.d/vpnclient2.mobileconfig - ls -ld /etc/ipsec.d/vpnclient2.sswan - ls -ld /etc/ipsec.d/vpnclient2.p12 - - bash ikev2.sh --exportclient nonexistclient 2>&1 | grep -i "does not exist" - - rm -f /etc/ipsec.d/vpnclient2* - bash ikev2.sh --exportclient vpnclient2 - - ls -ld /etc/ipsec.d/vpnclient2.mobileconfig - ls -ld /etc/ipsec.d/vpnclient2.sswan - ls -ld /etc/ipsec.d/vpnclient2.p12 - - bash ikev2.sh --addclient vpnclient2 --exportclient vpnclient2 2>&1 | grep -i "invalid" - - bash ikev2.sh --listclients | grep "vpnclient1 \+valid" - bash ikev2.sh --listclients | grep "vpnclient2 \+valid" - - bash ikev2.sh --revokeclient nonexistclient 2>&1 | grep -i "does not exist" - bash ikev2.sh --revokeclient vpnclient2 <&1 | grep -i "already been revoked" - bash ikev2.sh --exportclient vpnclient2 2>&1 | grep -i "revoked" - bash ikev2.sh -h 2>&1 | grep -i "usage:" - bash ikev2.sh --invalidoption 2>&1 | grep -i "usage:" - - bash ikev2.sh --removeikev2 --exportclient vpnclient1 2>&1 | grep -i "invalid" - bash ikev2.sh --removeikev2 < Dockerfile - else - echo "FROM $OS_VERSION" > Dockerfile - fi - - cat >> Dockerfile <<'EOF' - - ENV container docker - WORKDIR /opt/src - - RUN if command -v amazon-linux-extras; then amazon-linux-extras install -y kernel-ng; fi - - RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ "$i" = \ - systemd-tmpfiles-setup.service ] || rm -f "$i"; done); 
\ - rm -f /lib/systemd/system/multi-user.target.wants/*; \ - rm -f /etc/systemd/system/*.wants/*; \ - rm -f /lib/systemd/system/local-fs.target.wants/*; \ - rm -f /lib/systemd/system/sockets.target.wants/*udev*; \ - rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \ - rm -f /lib/systemd/system/basic.target.wants/*; \ - rm -f /lib/systemd/system/anaconda.target.wants/*; - - COPY ./run.sh /opt/src/run.sh - RUN chmod 755 /opt/src/run.sh - - VOLUME [ "/sys/fs/cgroup" ] - - CMD ["/sbin/init"] - EOF - cat Dockerfile - cat run.sh - docker build -t "${OS_VERSION//:}-test" . - - - name: Test - run: | - docker run -d --name "${OS_VERSION//:}-test-1" -v /sys/fs/cgroup:/sys/fs/cgroup:ro \ - --privileged "${OS_VERSION//:}-test" - sleep 5 - docker exec "${OS_VERSION//:}-test-1" /opt/src/run.sh "${OS_VERSION::6}" - - - name: Clear - if: always() - run: | - rm -rf "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}" - docker rm -f "${OS_VERSION//:}-test-1" || true - docker rmi "${OS_VERSION//:}-test" || true + uses: ./.github/workflows/test_set_1.yml test_set_2: needs: [shellcheck, check_urls] - runs-on: ubuntu-20.04 - if: github.repository_owner == 'hwdsl2' - strategy: - matrix: - os_version: ["ubuntu:20.04", "ubuntu:18.04", "debian:11", "debian:10", "debian:9", "alpine:3.14", "alpine:3.15"] - fail-fast: false - container: - image: ${{ matrix.os_version }} - options: --cap-add=NET_ADMIN --device=/dev/ppp - steps: - - name: Test - run: | - set -ex - - os_type="" - [ -f /etc/os-release ] && os_type=$(. /etc/os-release && printf '%s' "$ID") - [ -z "$os_type" ] && exit 1 - - log1=/var/log/auth.log - if [ "$os_type" = "alpine" ]; then - log2=/var/log/messages - else - log2=/var/log/syslog - fi - - restart_ipsec() { - if [ "$os_type" = "alpine" ]; then - ipsec whack --shutdown || true - ipsec pluto --config /etc/ipsec.conf - fi - echo "Waiting for IPsec to restart." - count=0 - while ! 
grep -q "pluto\[$(cat /var/run/pluto/pluto.pid)\]: listening for IKE messages" "$log1"; do - [ "$count" -ge "30" ] && { echo "IPsec failed to start."; exit 1; } - count=$((count+1)) - printf '%s' '.' - sleep 0.5 - done - echo - } - - restart_fail2ban() { - rm -f /var/log/fail2ban.log - service fail2ban restart - echo "Waiting for Fail2ban to restart." - count=0 - while ! grep -qs -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log; do - [ "$count" -ge "30" ] && { echo "Fail2ban failed to start."; exit 1; } - count=$((count+1)) - printf '%s' '.' - sleep 0.5 - done - echo - } - - mkdir -p /opt/src - cd /opt/src - echo "# hwdsl2" > run.sh - - if [ "$os_type" = "alpine" ]; then - apk add -U wget rsyslog - rsyslogd - else - export DEBIAN_FRONTEND=noninteractive - apt-get -yqq update - apt-get -yqq dist-upgrade - apt-get -yqq install wget rsyslog - service rsyslog start - fi - - wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup - sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' vpnsetup.sh - - sh vpnsetup.sh - - if [ "$os_type" = "alpine" ]; then - ipsec initnss - xl2tpd -c /etc/xl2tpd/xl2tpd.conf - restart_ipsec - else - restart_ipsec - restart_fail2ban - cat /var/log/fail2ban.log - fi - - netstat -anpu | grep pluto - netstat -anpu | grep xl2tpd - iptables -nvL - iptables -nvL | grep -q 'ppp+' - iptables -nvL | grep -q '192\.168\.43\.0/24' - iptables -nvL -t nat - iptables -nvL -t nat | grep -q '192\.168\.42\.0/24' - iptables -nvL -t nat | grep -q '192\.168\.43\.0/24' - grep pluto "$log1" - grep xl2tpd "$log2" - ipsec status - ipsec status | grep -q l2tp-psk - ipsec status | grep -q xauth-psk - - ls -l /usr/bin/ikev2.sh - ls -l /opt/src/ikev2.sh - - wget -t 3 -T 30 -nv -O vpnunst.sh https://git.io/vpnuninstall - bash vpnunst.sh <&1 | grep -i "abort" - 4 - vpnclient2 - - ANSWERS - - bash ikev2.sh <&1 | grep -i "abort" - 2 - vpnclient2 - - ANSWERS - - bash ikev2.sh <&1 | grep -i "abort" - 5 - - ANSWERS - - bash ikev2.sh <&1 | grep 
-i "invalid" - - if [ "$os_type" = "alpine" ]; then - apk del uuidgen - else - apt-get -yqq remove uuid-runtime - fi - sed -i '/^include /d' /etc/ipsec.conf - - VPN_CLIENT_NAME=vpnclient1 \ - VPN_DNS_NAME=vpn.example.com \ - VPN_DNS_SRV1=1.1.1.1 \ - VPN_DNS_SRV2=1.0.0.1 \ - bash ikev2.sh --auto - - grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf - grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.d/ikev2.conf - ls -ld /etc/ipsec.d/vpnclient1.mobileconfig - ls -ld /etc/ipsec.d/vpnclient1.sswan - ls -ld /etc/ipsec.d/vpnclient1.p12 - grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.mobileconfig - grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.sswan - - restart_ipsec - ipsec status | grep -q ikev2-cp - - bash ikev2.sh --auto --addclient invalidclient: 2>&1 | grep -i "warning" - bash ikev2.sh --addclient invalidclient: 2>&1 | grep -i "invalid" - bash ikev2.sh --addclient vpnclient1 2>&1 | grep -i "already exists" - - bash ikev2.sh --addclient vpnclient2 - - ls -ld /etc/ipsec.d/vpnclient2.mobileconfig - ls -ld /etc/ipsec.d/vpnclient2.sswan - ls -ld /etc/ipsec.d/vpnclient2.p12 - - bash ikev2.sh --exportclient nonexistclient 2>&1 | grep -i "does not exist" - - rm -f /etc/ipsec.d/vpnclient2* - bash ikev2.sh --exportclient vpnclient2 - - ls -ld /etc/ipsec.d/vpnclient2.mobileconfig - ls -ld /etc/ipsec.d/vpnclient2.sswan - ls -ld /etc/ipsec.d/vpnclient2.p12 - - bash ikev2.sh --addclient vpnclient2 --exportclient vpnclient2 2>&1 | grep -i "invalid" - - bash ikev2.sh --listclients | grep "vpnclient1 \+valid" - bash ikev2.sh --listclients | grep "vpnclient2 \+valid" - - bash ikev2.sh --revokeclient nonexistclient 2>&1 | grep -i "does not exist" - bash ikev2.sh --revokeclient vpnclient2 <&1 | grep -i "already been revoked" - bash ikev2.sh --exportclient vpnclient2 2>&1 | grep -i "revoked" - bash ikev2.sh -h 2>&1 | grep -i "usage:" - bash ikev2.sh --invalidoption 2>&1 | grep -i "usage:" - - bash ikev2.sh --removeikev2 --exportclient vpnclient1 2>&1 | grep -i "invalid" 
- bash ikev2.sh --removeikev2 < +# +# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 +# Unported License: http://creativecommons.org/licenses/by-sa/3.0/ +# +# Attribution required: please include my name in any derivative and let me +# know how you have improved it! + +name: shellcheck + +on: workflow_call + +jobs: + shellcheck: + runs-on: ubuntu-20.04 + if: github.repository_owner == 'hwdsl2' + steps: + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # 2.4.0 + with: + persist-credentials: false + - name: Check + run: | + if [ ! -x /usr/bin/shellcheck ]; then + export DEBIAN_FRONTEND=noninteractive + sudo apt-get -yqq update + sudo apt-get -yqq install shellcheck + fi + + cd "$GITHUB_WORKSPACE" + pwd + ls -ld vpnsetup.sh + + export SHELLCHECK_OPTS="-e SC1090,SC1091" + shellcheck --version + shopt -s globstar + ls -ld -- **/*.sh + shellcheck **/*.sh diff --git a/.github/workflows/test_set_1.yml b/.github/workflows/test_set_1.yml new file mode 100644 index 0000000..728fe46 --- /dev/null +++ b/.github/workflows/test_set_1.yml 
@@ -0,0 +1,508 @@ +# +# Copyright (C) 2020-2022 Lin Song +# +# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 +# Unported License: http://creativecommons.org/licenses/by-sa/3.0/ +# +# Attribution required: please include my name in any derivative and let me +# know how you have improved it! + +name: test_set_1 + +on: workflow_call + +jobs: + test_set_1: + runs-on: ubuntu-20.04 + if: github.repository_owner == 'hwdsl2' + strategy: + matrix: + os_version: ["centos:8s", "centos:7", "rockylinux:8", "almalinux:8", "amazonlinux:2"] + fail-fast: false + env: + OS_VERSION: ${{ matrix.os_version }} + steps: + - name: Build + run: | + mkdir -p "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}" + cd "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}" + + cat > run.sh <<'EOF' + #!/bin/bash + set -eEx + + log1=/var/log/secure + log2=/var/log/messages + + trap 'catch $? $LINENO' ERR + + catch() { + echo "Error $1 occurred on line $2." + cat -n -- "$0" | tail -n+"$(($2 - 3))" | head -n7 + exit 1 + } + + restart_ipsec() { + if ! command -v amazon-linux-extras; then + systemctl restart ipsec + fi + echo "Waiting for IPsec to restart." + count=0 + while ! grep -q "pluto\[$(cat /var/run/pluto/pluto.pid)\]: listening for IKE messages" "$log1"; do + [ "$count" -ge "30" ] && { echo "IPsec failed to start."; exit 1; } + count=$((count+1)) + printf '%s' '.' + sleep 0.5 + done + echo + } + + restart_fail2ban() { + rm -f /var/log/fail2ban.log + systemctl restart fail2ban + echo "Waiting for Fail2ban to restart." + count=0 + while ! grep -qs -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log; do + [ "$count" -ge "30" ] && { echo "Fail2ban failed to start."; exit 1; } + count=$((count+1)) + printf '%s' '.' 
+ sleep 0.5 + done + echo + } + + yum -y -q update + yum -y -q install wget rsyslog + systemctl start rsyslog + + wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup + sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' vpnsetup.sh + + sh vpnsetup.sh + + systemctl start xl2tpd + restart_ipsec + restart_fail2ban + cat /var/log/fail2ban.log + + netstat -anpu | grep pluto + netstat -anpu | grep xl2tpd + iptables -nvL + iptables -nvL | grep -q 'ppp+' + iptables -nvL | grep -q '192\.168\.43\.0/24' + iptables -nvL -t nat + iptables -nvL -t nat | grep -q '192\.168\.42\.0/24' + iptables -nvL -t nat | grep -q '192\.168\.43\.0/24' + grep pluto "$log1" + grep xl2tpd "$log2" + ipsec status + ipsec status | grep -q l2tp-psk + ipsec status | grep -q xauth-psk + + ls -l /usr/bin/ikev2.sh + ls -l /opt/src/ikev2.sh + + wget -t 3 -T 30 -nv -O vpnunst.sh https://git.io/vpnuninstall + bash vpnunst.sh <&1 | grep -i "abort" + 4 + vpnclient2 + + ANSWERS + + bash ikev2.sh <&1 | grep -i "abort" + 2 + vpnclient2 + + ANSWERS + + bash ikev2.sh <&1 | grep -i "abort" + 5 + + ANSWERS + + bash ikev2.sh <&1 | grep -i "invalid" + + sed -i '/^include /d' /etc/ipsec.conf + + VPN_CLIENT_NAME=vpnclient1 \ + VPN_DNS_NAME=vpn.example.com \ + VPN_DNS_SRV1=1.1.1.1 \ + VPN_DNS_SRV2=1.0.0.1 \ + bash ikev2.sh --auto + + grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf + grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.d/ikev2.conf + ls -ld /etc/ipsec.d/vpnclient1.mobileconfig + ls -ld /etc/ipsec.d/vpnclient1.sswan + ls -ld /etc/ipsec.d/vpnclient1.p12 + grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.mobileconfig + grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.sswan + + restart_ipsec + ipsec status | grep -q ikev2-cp + + bash ikev2.sh --auto --addclient invalidclient: 2>&1 | grep -i "warning" + bash ikev2.sh --addclient invalidclient: 2>&1 | grep -i "invalid" + bash ikev2.sh --addclient vpnclient1 2>&1 | grep -i "already exists" + + bash ikev2.sh --addclient vpnclient2 + 
+ ls -ld /etc/ipsec.d/vpnclient2.mobileconfig + ls -ld /etc/ipsec.d/vpnclient2.sswan + ls -ld /etc/ipsec.d/vpnclient2.p12 + + bash ikev2.sh --exportclient nonexistclient 2>&1 | grep -i "does not exist" + + rm -f /etc/ipsec.d/vpnclient2* + bash ikev2.sh --exportclient vpnclient2 + + ls -ld /etc/ipsec.d/vpnclient2.mobileconfig + ls -ld /etc/ipsec.d/vpnclient2.sswan + ls -ld /etc/ipsec.d/vpnclient2.p12 + + bash ikev2.sh --addclient vpnclient2 --exportclient vpnclient2 2>&1 | grep -i "invalid" + + bash ikev2.sh --listclients | grep "vpnclient1 \+valid" + bash ikev2.sh --listclients | grep "vpnclient2 \+valid" + + bash ikev2.sh --revokeclient nonexistclient 2>&1 | grep -i "does not exist" + bash ikev2.sh --revokeclient vpnclient2 <&1 | grep -i "already been revoked" + bash ikev2.sh --exportclient vpnclient2 2>&1 | grep -i "revoked" + bash ikev2.sh -h 2>&1 | grep -i "usage:" + bash ikev2.sh --invalidoption 2>&1 | grep -i "usage:" + + bash ikev2.sh --removeikev2 --exportclient vpnclient1 2>&1 | grep -i "invalid" + bash ikev2.sh --removeikev2 < Dockerfile + else + echo "FROM $OS_VERSION" > Dockerfile + fi + + cat >> Dockerfile <<'EOF' + + ENV container docker + WORKDIR /opt/src + + RUN if command -v amazon-linux-extras; then amazon-linux-extras install -y kernel-ng; fi + + RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ "$i" = \ + systemd-tmpfiles-setup.service ] || rm -f "$i"; done); \ + rm -f /lib/systemd/system/multi-user.target.wants/*; \ + rm -f /etc/systemd/system/*.wants/*; \ + rm -f /lib/systemd/system/local-fs.target.wants/*; \ + rm -f /lib/systemd/system/sockets.target.wants/*udev*; \ + rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \ + rm -f /lib/systemd/system/basic.target.wants/*; \ + rm -f /lib/systemd/system/anaconda.target.wants/*; + + COPY ./run.sh /opt/src/run.sh + RUN chmod 755 /opt/src/run.sh + + VOLUME [ "/sys/fs/cgroup" ] + + CMD ["/sbin/init"] + EOF + cat Dockerfile + cat run.sh + docker build -t "${OS_VERSION//:}-test" 
. + + - name: Test + run: | + docker run -d --name "${OS_VERSION//:}-test-1" -v /sys/fs/cgroup:/sys/fs/cgroup:ro \ + --privileged "${OS_VERSION//:}-test" + sleep 5 + docker exec "${OS_VERSION//:}-test-1" /opt/src/run.sh "${OS_VERSION::6}" + + - name: Clear + if: always() + run: | + rm -rf "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}" + docker rm -f "${OS_VERSION//:}-test-1" || true + docker rmi "${OS_VERSION//:}-test" || true diff --git a/.github/workflows/test_set_2.yml b/.github/workflows/test_set_2.yml new file mode 100644 index 0000000..cbb6312 --- /dev/null +++ b/.github/workflows/test_set_2.yml 
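Review bot: The run.sh built in this job fetches `https://git.io/vpnsetup` (and later `https://git.io/vpnuninstall`) with wget and runs it as root, so the matrix exercises whatever the redirector serves at run time rather than the commit this workflow is running for; unless the redirect is meant to track the default branch, a pull request's own changes are never what gets tested, and an external URL shortener becomes a dependency of a job that runs inside a `--privileged` container. The `sed -i '/curl /a ...'` on the next line suggests vpnsetup.sh in turn downloads the per-OS script, so pointing only the outer fetch at the checkout would not be enough on its own. If the intent is a release smoke test of the published scripts, a comment above the wget saying so, `# intentionally tests the published script, not this checkout`, would stop the next reader from "fixing" it; otherwise a pinned `actions/checkout` step with `persist-credentials: false`, `cp "$GITHUB_WORKSPACE/vpnsetup.sh" .` in Build and `COPY ./vpnsetup.sh /opt/src/vpnsetup.sh` in the Dockerfile, plus the equivalent for the inner fetch, would test the code under review.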
@@ -0,0 +1,493 @@ +# +# Copyright (C) 2020-2022 Lin Song +# +# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 +# Unported License: http://creativecommons.org/licenses/by-sa/3.0/ +# +# Attribution required: please include my name in any derivative and let me +# know how you have improved it! + +name: test_set_2 + +on: workflow_call + +jobs: + test_set_2: + runs-on: ubuntu-20.04 + if: github.repository_owner == 'hwdsl2' + strategy: + matrix: + os_version: ["ubuntu:20.04", "ubuntu:18.04", "debian:11", "debian:10", "debian:9", "alpine:3.14", "alpine:3.15"] + fail-fast: false + container: + image: ${{ matrix.os_version }} + options: --cap-add=NET_ADMIN --device=/dev/ppp + steps: + - name: Test + run: | + set -ex + + os_type="" + [ -f /etc/os-release ] && os_type=$(. /etc/os-release && printf '%s' "$ID") + [ -z "$os_type" ] && exit 1 + + log1=/var/log/auth.log + if [ "$os_type" = "alpine" ]; then + log2=/var/log/messages + else + log2=/var/log/syslog + fi + + restart_ipsec() { + if [ "$os_type" = "alpine" ]; then + ipsec whack --shutdown || true + ipsec pluto --config /etc/ipsec.conf + fi + echo "Waiting for IPsec to restart." + count=0 + while ! grep -q "pluto\[$(cat /var/run/pluto/pluto.pid)\]: listening for IKE messages" "$log1"; do + [ "$count" -ge "30" ] && { echo "IPsec failed to start."; exit 1; } + count=$((count+1)) + printf '%s' '.' + sleep 0.5 + done + echo + } + + restart_fail2ban() { + rm -f /var/log/fail2ban.log + service fail2ban restart + echo "Waiting for Fail2ban to restart." + count=0 + while ! grep -qs -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log; do + [ "$count" -ge "30" ] && { echo "Fail2ban failed to start."; exit 1; } + count=$((count+1)) + printf '%s' '.' 
+ sleep 0.5 + done + echo + } + + mkdir -p /opt/src + cd /opt/src + echo "# hwdsl2" > run.sh + + if [ "$os_type" = "alpine" ]; then + apk add -U wget rsyslog + rsyslogd + else + export DEBIAN_FRONTEND=noninteractive + apt-get -yqq update + apt-get -yqq dist-upgrade + apt-get -yqq install wget rsyslog + service rsyslog start + fi + + wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup + sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' vpnsetup.sh + + sh vpnsetup.sh + + if [ "$os_type" = "alpine" ]; then + ipsec initnss + xl2tpd -c /etc/xl2tpd/xl2tpd.conf + restart_ipsec + else + restart_ipsec + restart_fail2ban + cat /var/log/fail2ban.log + fi + + netstat -anpu | grep pluto + netstat -anpu | grep xl2tpd + iptables -nvL + iptables -nvL | grep -q 'ppp+' + iptables -nvL | grep -q '192\.168\.43\.0/24' + iptables -nvL -t nat + iptables -nvL -t nat | grep -q '192\.168\.42\.0/24' + iptables -nvL -t nat | grep -q '192\.168\.43\.0/24' + grep pluto "$log1" + grep xl2tpd "$log2" + ipsec status + ipsec status | grep -q l2tp-psk + ipsec status | grep -q xauth-psk + + ls -l /usr/bin/ikev2.sh + ls -l /opt/src/ikev2.sh + + wget -t 3 -T 30 -nv -O vpnunst.sh https://git.io/vpnuninstall + bash vpnunst.sh <&1 | grep -i "abort" + 4 + vpnclient2 + + ANSWERS + + bash ikev2.sh <&1 | grep -i "abort" + 2 + vpnclient2 + + ANSWERS + + bash ikev2.sh <&1 | grep -i "abort" + 5 + + ANSWERS + + bash ikev2.sh <&1 | grep -i "invalid" + + if [ "$os_type" = "alpine" ]; then + apk del uuidgen + else + apt-get -yqq remove uuid-runtime + fi + sed -i '/^include /d' /etc/ipsec.conf + + VPN_CLIENT_NAME=vpnclient1 \ + VPN_DNS_NAME=vpn.example.com \ + VPN_DNS_SRV1=1.1.1.1 \ + VPN_DNS_SRV2=1.0.0.1 \ + bash ikev2.sh --auto + + grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf + grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.d/ikev2.conf + ls -ld /etc/ipsec.d/vpnclient1.mobileconfig + ls -ld /etc/ipsec.d/vpnclient1.sswan + ls -ld /etc/ipsec.d/vpnclient1.p12 + grep -q 
'vpn.example.com' /etc/ipsec.d/vpnclient1.mobileconfig + grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.sswan + + restart_ipsec + ipsec status | grep -q ikev2-cp + + bash ikev2.sh --auto --addclient invalidclient: 2>&1 | grep -i "warning" + bash ikev2.sh --addclient invalidclient: 2>&1 | grep -i "invalid" + bash ikev2.sh --addclient vpnclient1 2>&1 | grep -i "already exists" + + bash ikev2.sh --addclient vpnclient2 + + ls -ld /etc/ipsec.d/vpnclient2.mobileconfig + ls -ld /etc/ipsec.d/vpnclient2.sswan + ls -ld /etc/ipsec.d/vpnclient2.p12 + + bash ikev2.sh --exportclient nonexistclient 2>&1 | grep -i "does not exist" + + rm -f /etc/ipsec.d/vpnclient2* + bash ikev2.sh --exportclient vpnclient2 + + ls -ld /etc/ipsec.d/vpnclient2.mobileconfig + ls -ld /etc/ipsec.d/vpnclient2.sswan + ls -ld /etc/ipsec.d/vpnclient2.p12 + + bash ikev2.sh --addclient vpnclient2 --exportclient vpnclient2 2>&1 | grep -i "invalid" + + bash ikev2.sh --listclients | grep "vpnclient1 \+valid" + bash ikev2.sh --listclients | grep "vpnclient2 \+valid" + + bash ikev2.sh --revokeclient nonexistclient 2>&1 | grep -i "does not exist" + bash ikev2.sh --revokeclient vpnclient2 <&1 | grep -i "already been revoked" + bash ikev2.sh --exportclient vpnclient2 2>&1 | grep -i "revoked" + bash ikev2.sh -h 2>&1 | grep -i "usage:" + bash ikev2.sh --invalidoption 2>&1 | grep -i "usage:" + + bash ikev2.sh --removeikev2 --exportclient vpnclient1 2>&1 | grep -i "invalid" + bash ikev2.sh --removeikev2 < Date: Tue, 8 Feb 2022 23:24:46 -0600 Subject: [PATCH 6/9] Improve VPN setup - Retry certain 'apt-get' and 'yum' commands on failure --- extras/ikev2setup.sh | 4 ++-- extras/quickstart.sh | 6 +++--- extras/vpnupgrade.sh | 6 +++--- extras/vpnupgrade_ubuntu.sh | 2 +- vpnsetup.sh | 6 +++--- vpnsetup_centos.sh | 2 ++ vpnsetup_ubuntu.sh | 4 +++- 7 files changed, 17 insertions(+), 13 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index c4448b1..f6522f3 100755 --- a/extras/ikev2setup.sh 
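Review bot: In restart_ipsec the Alpine branch runs `ipsec whack --shutdown || true` and starts a fresh pluto with `ipsec pluto --config /etc/ipsec.conf` on the very next line, with no wait for the old process to exit; if the old pluto is still tearing down (I have not checked whether `whack --shutdown` blocks until it is gone), the new instance can fail to come up and the loop below then reports "IPsec failed to start." after 15 s for what is really a restart race. The wait loop also re-reads `/var/run/pluto/pluto.pid` through `$(cat ...)` on every iteration, so while the file does not yet exist it writes a cat error to the job log every 0.5 s and the pattern degenerates to `pluto\[\]:`. A bounded wait for the old pid file to disappear before starting, e.g. `n=0; while [ -f /var/run/pluto/pluto.pid ] && [ "$n" -lt 20 ]; do n=$((n+1)); sleep 0.5; done`, and `pid=$(cat /var/run/pluto/pluto.pid 2>/dev/null) || pid=none` inside the loop would make the failure message mean what it says. The same helper appears in test_set_1.yml above.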
+++ b/extras/ikev2setup.sh @@ -686,7 +686,7 @@ install_base64_uuidgen() { bigecho2 "Installing required packages..." if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then export DEBIAN_FRONTEND=noninteractive - apt-get -yqq update || exiterr "'apt-get update' failed." + apt-get -yqq update || apt-get -yqq update || exiterr "'apt-get update' failed." fi fi if ! command -v base64 >/dev/null 2>&1; then @@ -1018,7 +1018,7 @@ apply_ubuntu1804_nss_fix() { if wget -t 3 -T 30 -q -O "$tmpdir/1.deb" "$nss_url1/$nss_deb1" \ && wget -t 3 -T 30 -q -O "$tmpdir/2.deb" "$nss_url1/$nss_deb2" \ && wget -t 3 -T 30 -q -O "$tmpdir/3.deb" "$nss_url2/$nss_deb3"; then - apt-get -yqq update + apt-get -yqq update || apt-get -yqq update apt-get -yqq install "$tmpdir/1.deb" "$tmpdir/2.deb" "$tmpdir/3.deb" >/dev/null fi /bin/rm -f "$tmpdir/1.deb" "$tmpdir/2.deb" "$tmpdir/3.deb" diff --git a/extras/quickstart.sh b/extras/quickstart.sh index bf5d680..b49d90d 100755 --- a/extras/quickstart.sh +++ b/extras/quickstart.sh @@ -153,16 +153,16 @@ install_pkgs() { export DEBIAN_FRONTEND=noninteractive ( set -x - apt-get -yqq update + apt-get -yqq update || apt-get -yqq update ) || exiterr "'apt-get update' failed." ( set -x - apt-get -yqq install wget >/dev/null + apt-get -yqq install wget >/dev/null || apt-get -yqq install wget >/dev/null ) || exiterr "'apt-get install wget' failed." elif [ "$os_type" != "alpine" ]; then ( set -x - yum -y -q install wget >/dev/null + yum -y -q install wget >/dev/null || yum -y -q install wget >/dev/null ) || exiterr "'yum install wget' failed." fi fi diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 0bee9df..74e17fe 100755 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
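Review bot: In apply_ubuntu1804_nss_fix the retried `apt-get update` is immediately followed by `apt-get -yqq install "$tmpdir/1.deb" "$tmpdir/2.deb" "$tmpdir/3.deb"`, which installs three wget-downloaded packages as root with no integrity check and with its exit status discarded before the files are deleted. apt does not verify archive signatures for local .deb paths, so unless `$nss_url1`/`$nss_url2` (defined outside the hunk) are the distribution's signed pool, a hijacked URL or mirror yields root code execution on the VPN host. Pinning the expected digests next to `$nss_deb1`..`$nss_deb3` turns this into a verifiable step, e.g. `printf '%s  %s\n' "$nss_sha1" "$tmpdir/1.deb" | sha256sum -c - >/dev/null || exiterr "NSS package checksum mismatch."` for each file, and `|| exiterr "'apt-get install' of NSS packages failed."` on the install line so a failed fix is not silently skipped. The function body continues outside the hunk.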
@@ -108,16 +108,16 @@ install_pkgs() { export DEBIAN_FRONTEND=noninteractive ( set -x - apt-get -yqq update + apt-get -yqq update || apt-get -yqq update ) || exiterr "'apt-get update' failed." ( set -x - apt-get -yqq install wget >/dev/null + apt-get -yqq install wget >/dev/null || apt-get -yqq install wget >/dev/null ) || exiterr "'apt-get install wget' failed." elif [ "$os_type" != "alpine" ]; then ( set -x - yum -y -q install wget >/dev/null + yum -y -q install wget >/dev/null || yum -y -q install wget >/dev/null ) || exiterr "'yum install wget' failed." fi fi diff --git a/extras/vpnupgrade_ubuntu.sh b/extras/vpnupgrade_ubuntu.sh index dbd9188..36fb354 100755 --- a/extras/vpnupgrade_ubuntu.sh +++ b/extras/vpnupgrade_ubuntu.sh @@ -157,7 +157,7 @@ update_apt_cache() { export DEBIAN_FRONTEND=noninteractive ( set -x - apt-get -yqq update + apt-get -yqq update || apt-get -yqq update ) || exiterr "'apt-get update' failed." } diff --git a/vpnsetup.sh b/vpnsetup.sh index 3b3393b..f80bbba 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -206,16 +206,16 @@ install_pkgs() { export DEBIAN_FRONTEND=noninteractive ( set -x - apt-get -yqq update + apt-get -yqq update || apt-get -yqq update ) || exiterr "'apt-get update' failed." ( set -x - apt-get -yqq install wget >/dev/null + apt-get -yqq install wget >/dev/null || apt-get -yqq install wget >/dev/null ) || exiterr "'apt-get install wget' failed." elif [ "$os_type" != "alpine" ]; then ( set -x - yum -y -q install wget >/dev/null + yum -y -q install wget >/dev/null || yum -y -q install wget >/dev/null ) || exiterr "'yum install wget' failed." fi fi diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 37c2a12..865caf4 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
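Review bot: The retry in install_pkgs re-runs `apt-get -yqq update` with no pause, so the failures it is presumably meant to absorb (a dpkg/apt lock still held by unattended-upgrades shortly after boot, a mirror mid-sync) are usually still present on the second attempt milliseconds later, and the retry mostly just duplicates the first failure. A short back-off makes the second try worth having, e.g. `apt-get -yqq update || { sleep 5; apt-get -yqq update; }`, and the same applies to the `apt-get install wget` and `yum install wget` lines in this hunk and the identical hunks in extras/vpnupgrade.sh and extras/vpnupgrade_ubuntu.sh above. A one-line comment above the subshell, `# one retry with back-off absorbs transient mirror/lock failures`, would record why the command appears twice.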
@@ -143,6 +143,8 @@ install_setup_pkgs() {
 (
 set -x
 yum -y -q install wget bind-utils openssl tar \
+ iptables iproute gawk grep sed net-tools >/dev/null \
+ || yum -y -q install wget bind-utils openssl tar \
 iptables iproute gawk grep sed net-tools >/dev/null
 ) || exiterr2
 }
diff --git a/vpnsetup_ubuntu.sh b/vpnsetup_ubuntu.sh
index 4566b75..345b7ed 100755
--- a/vpnsetup_ubuntu.sh
+++ b/vpnsetup_ubuntu.sh
@@ -169,7 +169,7 @@ update_apt_cache() {
 export DEBIAN_FRONTEND=noninteractive
 (
 set -x
- apt-get -yqq update
+ apt-get -yqq update || apt-get -yqq update
 ) || exiterr "'apt-get update' failed."
 }
 
@@ -177,6 +177,8 @@ install_setup_pkgs() {
 (
 set -x
 apt-get -yqq install wget dnsutils openssl \
+ iptables iproute2 gawk grep sed net-tools >/dev/null \
+ || apt-get -yqq install wget dnsutils openssl \
 iptables iproute2 gawk grep sed net-tools >/dev/null
 ) || exiterr2
 }
From 6dbc47e0dbe31658f8eb226155c82873678d5893 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Tue, 8 Feb 2022 23:46:11 -0600
Subject: [PATCH 7/9] Improve upgrade scripts
- Stop IPsec service before updating Libreswan
---
 extras/vpnupgrade_alpine.sh | 2 ++
 extras/vpnupgrade_amzn.sh | 2 ++
 extras/vpnupgrade_centos.sh | 2 ++
 extras/vpnupgrade_ubuntu.sh | 2 ++
 4 files changed, 8 insertions(+)
diff --git a/extras/vpnupgrade_alpine.sh b/extras/vpnupgrade_alpine.sh
index 94ef0d4..6a68647 100755
--- a/extras/vpnupgrade_alpine.sh
+++ b/extras/vpnupgrade_alpine.sh
@@ -169,6 +169,7 @@ get_libreswan() {
 install_libreswan() {
 bigecho "Compiling and installing Libreswan, please wait..."
 cd "libreswan-$SWAN_VER" || exit 1
+ service ipsec stop >/dev/null 2>&1
 sed -i '28s/stdlib\.h/sys\/types.h/' include/fd.h
 cat > Makefile.inc.local <<'EOF'
 WERROR_CFLAGS=-w -s
@@ -187,6 +188,7 @@ EOF
 cd /opt/src || exit 1
 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
 if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
+ service ipsec start >/dev/null 2>&1
 exiterr "Libreswan $SWAN_VER failed to build."
 fi
 }
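Review bot: The retry on the `yum -y -q install` line repeats the full package list on two more continuation lines, so the two copies can drift the next time a package is added or removed; the same duplication is introduced in the vpnsetup_ubuntu.sh `apt-get -yqq install` hunk of this patch. Keeping the list in one place avoids that, e.g. `pkgs="wget bind-utils openssl tar iptables iproute gawk grep sed net-tools"` followed by `yum -y -q install $pkgs >/dev/null || yum -y -q install $pkgs >/dev/null`, with a `# shellcheck disable=SC2086` comment marking the intentional word-splitting. install_setup_pkgs starts outside the hunk.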
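Review bot: After the new `service ipsec stop` line, the only path in this patch that starts the service again is the version-check failure branch in the second hunk, so any other exit between the two points — the `cd /opt/src || exit 1` right above it, or whatever happens in the build steps between the hunks, which are outside the view — leaves the VPN down with no message saying so. Registering the restart as a cleanup handler immediately after the stop, `trap 'service ipsec start >/dev/null 2>&1' EXIT`, covers those paths and is harmless if the success path restarts the service later anyway. The stop's exit status is also discarded, so on a host where `service` is unavailable the build proceeds with pluto still running; if that is acceptable, a short comment on the stop line saying so would help. The same stop/start pair is added to vpnupgrade_amzn.sh, vpnupgrade_centos.sh and vpnupgrade_ubuntu.sh in this patch.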
diff --git a/extras/vpnupgrade_amzn.sh b/extras/vpnupgrade_amzn.sh
index 7c14282..b563e5e 100755
--- a/extras/vpnupgrade_amzn.sh
+++ b/extras/vpnupgrade_amzn.sh
@@ -153,6 +153,7 @@ get_libreswan() {
 install_libreswan() {
 bigecho "Compiling and installing Libreswan, please wait..."
 cd "libreswan-$SWAN_VER" || exit 1
+ service ipsec stop >/dev/null 2>&1
 [ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
 cat > Makefile.inc.local <<'EOF'
 WERROR_CFLAGS=-w -s
@@ -176,6 +177,7 @@ EOF
 cd /opt/src || exit 1
 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
 if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
+ service ipsec start >/dev/null 2>&1
 exiterr "Libreswan $SWAN_VER failed to build."
 fi
 }
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index eb1eda3..f6fa048 100755
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
@@ -189,6 +189,7 @@ get_libreswan() {
 install_libreswan() {
 bigecho "Compiling and installing Libreswan, please wait..."
 cd "libreswan-$SWAN_VER" || exit 1
+ service ipsec stop >/dev/null 2>&1
 [ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
 cat > Makefile.inc.local <<'EOF'
 WERROR_CFLAGS=-w -s
@@ -212,6 +213,7 @@ EOF
 cd /opt/src || exit 1
 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
 if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
+ service ipsec start >/dev/null 2>&1
 exiterr "Libreswan $SWAN_VER failed to build."
 fi
 }
diff --git a/extras/vpnupgrade_ubuntu.sh b/extras/vpnupgrade_ubuntu.sh
index 36fb354..eec5a5d 100755
--- a/extras/vpnupgrade_ubuntu.sh
+++ b/extras/vpnupgrade_ubuntu.sh
@@ -188,6 +188,7 @@ get_libreswan() {
 install_libreswan() {
 bigecho "Compiling and installing Libreswan, please wait..."
 cd "libreswan-$SWAN_VER" || exit 1
+ service ipsec stop >/dev/null 2>&1
 [ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
 cat > Makefile.inc.local <<'EOF'
 WERROR_CFLAGS=-w -s
@@ -219,6 +220,7 @@ EOF cd /opt/src || exit 1 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then + service ipsec start >/dev/null 2>&1 exiterr "Libreswan $SWAN_VER failed to build." fi } From df37738677b17deed3f39276ac7c5f128bfb1ad6 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 9 Feb 2022 22:18:12 -0600 Subject: [PATCH 8/9] Update docs - Add English translations for the "Google BBR" section, which was contributed by @optimusleobear in #1096 - Other minor improvements --- README-zh.md | 2 +- README.md | 1 + docs/advanced-usage-zh.md | 8 +-- docs/advanced-usage.md | 9 +++ docs/bbr-zh.md | 48 +++++++++------- docs/bbr.md | 113 ++++++++++++++++++++++++++++++++++++++ 6 files changed, 155 insertions(+), 26 deletions(-) create mode 100644 docs/bbr.md diff --git a/README-zh.md b/README-zh.md index d01be3f..c7ba060 100644 --- a/README-zh.md +++ b/README-zh.md @@ -202,7 +202,7 @@ wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh - [VPN 分流](docs/advanced-usage-zh.md#vpn-分流) - [访问 VPN 服务器的网段](docs/advanced-usage-zh.md#访问-vpn-服务器的网段) - [更改 IPTables 规则](docs/advanced-usage-zh.md#更改-iptables-规则) -- [部署Google BBR拥塞控制算法](docs/advanced-usage-zh.md#部署google-bbr拥塞控制算法) +- [部署 Google BBR 拥塞控制算法](docs/advanced-usage-zh.md#部署-google-bbr-拥塞控制算法) ## 问题和反馈 diff --git a/README.md b/README.md index 84a50f5..820aa6f 100644 --- a/README.md +++ b/README.md @@ -202,6 +202,7 @@ See [Advanced usage](docs/advanced-usage.md). - [Split tunneling](docs/advanced-usage.md#split-tunneling) - [Access VPN server's subnet](docs/advanced-usage.md#access-vpn-servers-subnet) - [Modify IPTables rules](docs/advanced-usage.md#modify-iptables-rules) +- [Deploy Google BBR congestion control algorithm](docs/advanced-usage.md#deploy-google-bbr-congestion-control-algorithm) ## Bugs & Questions diff --git a/docs/advanced-usage-zh.md b/docs/advanced-usage-zh.md index f854a87..043da8d 100644 --- a/docs/advanced-usage-zh.md 
+++ b/docs/advanced-usage-zh.md @@ -10,7 +10,7 @@ * [VPN 分流](#vpn-分流) * [访问 VPN 服务器的网段](#访问-vpn-服务器的网段) * [更改 IPTables 规则](#更改-iptables-规则) -* [部署Google BBR拥塞控制算法](#部署google-bbr拥塞控制算法) +* [部署 Google BBR 拥塞控制算法](#部署-google-bbr-拥塞控制算法) ## 使用其他的 DNS 服务器 @@ -280,11 +280,11 @@ iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$netif" -j MASQUERADE **注:** 如果使用 Rocky Linux, AlmaLinux 或者 CentOS/RHEL 8 并且在安装 VPN 时 firewalld 正在运行,则可能已配置 nftables。在这种情况下,编辑 `/etc/sysconfig/nftables.conf` 而不是 `/etc/sysconfig/iptables`。 -## 部署Google BBR拥塞控制算法 +## 部署 Google BBR 拥塞控制算法 -VPN服务器搭建完成后,可以通过部署Google BBR拥塞控制算法提升性能。 +VPN 服务器搭建完成后,可以通过部署 Google BBR 拥塞控制算法提升性能。 -这通常只需要在配置文件 `/etc/sysctl.conf` 中插入设定即可完成。但是部分Linux发行版可能需要额外更新Linux Kernel。 +这通常只需要在配置文件 `/etc/sysctl.conf` 中插入设定即可完成。但是部分 Linux 发行版可能需要额外更新 Linux 内核。 详细的部署方法,可以参考[这篇文档](bbr-zh.md)。 diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index 71d5568..089eb2a 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -10,6 +10,7 @@ * [Split tunneling](#split-tunneling) * [Access VPN server's subnet](#access-vpn-servers-subnet) * [Modify IPTables rules](#modify-iptables-rules) +* [Deploy Google BBR congestion control algorithm](#deploy-google-bbr-congestion-control-algorithm) ## Use alternative DNS servers 
@@ -280,6 +281,14 @@ If you want to modify the IPTables rules after install, edit `/etc/iptables.rule **Note:** If using Rocky Linux, AlmaLinux or CentOS/RHEL 8 and firewalld was active during VPN setup, nftables may be configured. In this case, edit `/etc/sysconfig/nftables.conf` instead of `/etc/sysconfig/iptables`. +## Deploy Google BBR congestion control algorithm + +After the VPN server is set up, the performance can be improved by deploying the Google BBR congestion control algorithm. + +This is usually done by modifying the configuration file `/etc/sysctl.conf`. However, some Linux distributions may additionally require updates to the Linux kernel. + +For detailed deployment methods, please refer to [this document](bbr.md). + ## License Copyright (C) 2021-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui) diff --git a/docs/bbr-zh.md b/docs/bbr-zh.md index bac70af..3298538 100644 --- a/docs/bbr-zh.md +++ b/docs/bbr-zh.md 
@@ -1,20 +1,22 @@ -# Google BBR +# 高级用法:部署 Google BBR 拥塞控制算法 -Google BBR是一种由Google开发的拥塞控制算法,它能够显著提升服务器吞吐率并降低延迟。 +*其他语言版本: [English](bbr.md), [简体中文](bbr-zh.md)。* -Google BBR已经被内置于Linux Kernel 4.9及更高版本中,但是需要手动开启。 +Google BBR是一种拥塞控制算法,它能够显著提升服务器吞吐率并降低延迟。 + +Google BBR已经被内置于Linux内核4.9及更高版本中,但是需要手动开启。 关于Google BBR算法,可以在这篇[官方博客](https://cloud.google.com/blog/products/networking/tcp-bbr-congestion-control-comes-to-gcp-your-internet-just-got-faster)或者这个[官方库](https://github.com/google/bbr)中找到更多信息。 ## 准备 -可以通过命令 `uname -r` 来查看当前Linux Kernel版本。版本大于等于4.9时,可以直接参照[下方的说明](#部署google-bbr)部署BBR。 +可以通过命令 `uname -r` 来查看当前Linux内核版本。版本大于等于4.9时,可以直接参照[下方的说明](#部署-google-bbr)部署BBR。 通常而言,Ubuntu 18.04+, Debian 10+,CentOS 8+及RHEL 8+的内核版本都大于4.9。但是对于CentOS 7或者Amazon Linux 2,需要通过以下的方式更新内核之后才能部署Google BBR。 ### Amazon Linux 2 -Amazon Linux 2提供过经过验证的新版Linux Kernel,并可以通过启用预置的Extras库安装。 +Amazon Linux 2提供过经过验证的新版Linux内核,并可以通过启用预置的Extras库安装。 1. 启用 `kernel-ng` Extras 库 ```bash 
@@ -28,53 +30,53 @@ Amazon Linux 2提供过经过验证的新版Linux Kernel,并可以通过启用 ```bash sudo reboot ``` -4. 检查Linux Kernel版本 +4. 检查Linux内核版本 ```bash uname -r ``` ### CentOS 7 -当使用CentOS 7时,需要安装由ELRepo Project提供的新版Linux Kernel。可以在[这个页面](http://elrepo.org/tiki/kernel-ml)找到有关ELRepo Project提供的Linux Kernel的更多信息。 +当使用CentOS 7时,需要安装由ELRepo Project提供的新版Linux内核。可以在[这个页面](http://elrepo.org/tiki/kernel-ml)找到有关ELRepo Project提供的Linux内核的更多信息。 -以下的安装说明,因为缺少可供参考的中文文档,暂仅提供英文版。 +参见下面的安装说明。 -1. Import ELRepo Project's public key. +1. 导入ELRepo Project的公钥。 ```bash sudo rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org ``` -2. Install ELRepo for RHEL-7, SL-7 or CentOS-7. +2. 为 RHEL-7、SL-7 或 CentOS-7 安装 ELRepo。 ```bash sudo yum install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm ``` -3. Install `kernel-ml`. +3. 安装 `kernel-ml`。 ```bash sudo yum --enablerepo=elrepo-kernel install kernel-ml ``` -4. Confirm the result. +4. 确认结果。 ```bash rpm -qa | grep kernel ``` - You should see `kernel-ml-xxx` in output. -5. Show all entries in the grub2 menu and setup `kernel-ml`. + 你应该在输出中看到 `kernel-ml-xxx`。 +5. 显示 grub2 菜单中的所有条目并设置 `kernel-ml`。 ```bash sudo egrep ^menuentry /etc/grub2.cfg | cut -f 2 -d \' ``` - **Indexing starts at `0`.** - For example, when the `kernel-ml` is located at `1`, use the command below to activate `kernel-ml`. + **索引从 `0` 开始。** + 例如,当 `kernel-ml` 位于 `1` 时,使用下面的命令来激活 `kernel-ml`。 ```bash sudo grub2-set-default 1 ``` -6. Reboot. +6. 重启。 ```bash sudo reboot ``` -7. Check Linux kernel version. +7. 检查 Linux 内核版本。 ```bash uname -r ``` -## 部署Google BBR +## 部署 Google BBR 在这个部分,我们将通过修改配置文件启动Google BBR。 @@ -82,7 +84,7 @@ Amazon Linux 2提供过经过验证的新版Linux Kernel,并可以通过启用 ```bash sudo cp /etc/sysctl.conf /etc/sysctl.conf.backup ``` -2. 修改`/etc/sysctl.conf` +2. 修改 `/etc/sysctl.conf` ```bash sudo vim /etc/sysctl.conf ``` 
@@ -103,4 +105,8 @@ Amazon Linux 2提供过经过验证的新版Linux Kernel,并可以通过启用 # bbr lsmod | grep bbr # tcp_bbr 16384 0 - ``` \ No newline at end of file + ``` + +## 作者 + +版权所有 (C) 2022 [Leo Liu](https://github.com/optimusleobear) diff --git a/docs/bbr.md b/docs/bbr.md new file mode 100644 index 0000000..15d2147 --- /dev/null +++ b/docs/bbr.md 
@@ -0,0 +1,113 @@ +# Advanced usage: Deploy Google BBR congestion control algorithm + +*Read this in other languages: [English](bbr.md), [简体中文](bbr-zh.md).* + +Google BBR is a congestion control algorithm that could significantly increase server throughput and reduce latency. + +Google BBR has been built into Linux kernel 4.9 and higher, but needs to be manually turned on. + +To learn more about the Google BBR algorithm, see this [official blog](https://cloud.google.com/blog/products/networking/tcp-bbr-congestion-control-comes-to-gcp-your-internet-just-got-faster) or this [official repository](https://github.com/google/bbr). + +## Prepare + +You can check the current Linux kernel version with the command `uname -r`. When the version is greater than or equal to 4.9, you can deploy BBR directly by referring to the [instructions below](#deploy-google-bbr). + +Generally speaking, the kernel versions of Ubuntu 18.04+, Debian 10+, CentOS 8+ and RHEL 8+ are greater than 4.9. But for CentOS 7 or Amazon Linux 2, you need to update the kernel in the following ways before deploying Google BBR. + +### Amazon Linux 2 + +Amazon Linux 2 provides newer versions of the verified Linux kernel, which can be installed by enabling the "Extras" repository. + +1. Enable the `kernel-ng` Extras repository + ```bash + sudo amazon-linux-extras install kernel-ng + ``` +2. Update packages + ```bash + sudo yum update + ``` +3. Restart the system + ```bash + sudo reboot + ``` +4. Check the Linux kernel version + ```bash + uname -r + ``` + +### CentOS 7 + +When using CentOS 7, a newer Linux kernel provided by the ELRepo Project needs to be installed. More information about the Linux kernels provided by the ELRepo Project can be found at [this page](http://elrepo.org/tiki/kernel-ml). + +Refer to the installation instructions below. + +1. Import ELRepo Project's public key. + ```bash + sudo rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org + ``` +2. 
Install ELRepo for RHEL-7, SL-7 or CentOS-7. + ```bash + sudo yum install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm + ``` +3. Install `kernel-ml`. + ```bash + sudo yum --enablerepo=elrepo-kernel install kernel-ml + ``` +4. Confirm the result. + ```bash + rpm -qa | grep kernel + ``` + You should see `kernel-ml-xxx` in output. +5. Show all entries in the grub2 menu and setup `kernel-ml`. + ```bash + sudo egrep ^menuentry /etc/grub2.cfg | cut -f 2 -d \' + ``` + **Indexing starts at `0`.** + For example, when the `kernel-ml` is located at `1`, use the command below to activate `kernel-ml`. + ```bash + sudo grub2-set-default 1 + ``` +6. Reboot. + ```bash + sudo reboot + ``` +7. Check Linux kernel version. + ```bash + uname -r + ``` + +## Deploy Google BBR + +In this section, we will start Google BBR by modifying the configuration file. + +1. Backup `/etc/sysctl.conf` + ```bash + sudo cp /etc/sysctl.conf /etc/sysctl.conf.backup + ``` +2. Modify `/etc/sysctl.conf` + ```bash + sudo vim /etc/sysctl.conf + ``` + Add the following lines to the file + ``` + net.core.default_qdisc = fq + net.ipv4.tcp_congestion_control = bbr + ``` +3. Enable Google BBR + ```bash + sudo sysctl -p + ``` +4. Check Google BBR status + ```bash + sudo sysctl net.ipv4.tcp_available_congestion_control + # net.ipv4.tcp_available_congestion_control = reno cubic bbr + sudo sysctl -n net.ipv4.tcp_congestion_control + # bbr + lsmod | grep bbr + # tcp_bbr 16384 0 + ``` + +## Author + +Copyright (C) 2022 [Leo Liu](https://github.com/optimusleobear) +Translated by [Lin Song](https://github.com/hwdsl2) From 68b78879fdf9c5559447a09fec6d4b46f33c8421 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 9 Feb 2022 22:26:02 -0600 Subject: [PATCH 9/9] Update docs --- docs/bbr-zh.md | 2 +- docs/bbr.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/bbr-zh.md b/docs/bbr-zh.md index 3298538..3ceb6bf 100644 --- a/docs/bbr-zh.md +++ b/docs/bbr-zh.md 
@@ -18,7 +18,7 @@ Google BBR已经被内置于Linux内核4.9及更高版本中,但是需要手 Amazon Linux 2提供过经过验证的新版Linux内核,并可以通过启用预置的Extras库安装。 -1. 启用 `kernel-ng` Extras 库 +1. 从Extras库安装 `kernel-ng` ```bash sudo amazon-linux-extras install kernel-ng ``` diff --git a/docs/bbr.md b/docs/bbr.md index 15d2147..3ed620f 100644 --- a/docs/bbr.md +++ b/docs/bbr.md @@ -16,9 +16,9 @@ Generally speaking, the kernel versions of Ubuntu 18.04+, Debian 10+, CentOS 8+ ### Amazon Linux 2 -Amazon Linux 2 provides newer versions of the verified Linux kernel, which can be installed by enabling the "Extras" repository. +Amazon Linux 2 provides newer versions of the verified Linux kernel, which can be installed from the Extras repository. -1. Enable the `kernel-ng` Extras repository +1. Install `kernel-ng` from the Extras repository ```bash sudo amazon-linux-extras install kernel-ng ```