From ac0bde54bbe3a79856e225259881b6f2bd9d9417 Mon Sep 17 00:00:00 2001 From: hwdsl2 <hwdsl2@users.noreply.github.com> Date: Sat, 24 Apr 2021 16:15:05 -0500 Subject: [PATCH] New Libreswan version - Use new Libreswan version 4.4 - Support updating to Libreswan 4.4 - Other small improvements and cleanup --- extras/ikev2setup.sh | 21 +++++++++------------ extras/vpnupgrade.sh | 16 +++++++--------- extras/vpnupgrade_amzn.sh | 16 +++++++--------- extras/vpnupgrade_centos.sh | 16 +++++++--------- vpnsetup.sh | 11 +++-------- vpnsetup_amzn.sh | 11 +++-------- vpnsetup_centos.sh | 13 ++++--------- 7 files changed, 40 insertions(+), 64 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index 6692fd2..d2cf0ae 100755 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh @@ -108,8 +108,7 @@ Error: Libreswan version '$swan_ver' is not supported. This script requires one of these versions: 3.23, 3.25-3.27, 3.29, 3.31-3.32 or 4.x To update Libreswan, run: - wget $update_url -O vpnupgrade.sh - sudo sh vpnupgrade.sh + wget $update_url -O vpnup.sh && sudo sh vpnup.sh EOF exit 1 ;; @@ -238,15 +237,15 @@ check_swan_ver() { run_swan_update() { get_update_url - TMPDIR=$(mktemp -d /tmp/vpnupg.XXX 2>/dev/null) + TMPDIR=$(mktemp -d /tmp/vpnup.XXX 2>/dev/null) if [ -d "$TMPDIR" ]; then set -x - if wget -t 3 -T 30 -q -O "$TMPDIR/vpnupg.sh" "$update_url"; then - /bin/sh "$TMPDIR/vpnupg.sh" + if wget -t 3 -T 30 -q -O "$TMPDIR/vpnup.sh" "$update_url"; then + /bin/sh "$TMPDIR/vpnup.sh" fi { set +x; } 2>&- - [ ! -s "$TMPDIR/vpnupg.sh" ] && echo "Error: Could not download update script." >&2 - /bin/rm -f "$TMPDIR/vpnupg.sh" + [ ! -s "$TMPDIR/vpnup.sh" ] && echo "Error: Could not download update script." >&2 + /bin/rm -f "$TMPDIR/vpnup.sh" /bin/rmdir "$TMPDIR" else echo "Error: Could not create temporary directory." >&2 
@@ -256,7 +255,7 @@ run_swan_update() { } select_swan_update() { - if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \ + if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \ && [ "$swan_ver" != "$swan_ver_latest" ] \ && printf '%s\n%s' "$swan_ver" "$swan_ver_latest" | sort -C -V; then echo "Note: A newer version of Libreswan ($swan_ver_latest) is available." @@ -983,7 +982,6 @@ conn ikev2-cp ikev2=insist rekey=no pfs=no - fragmentation=yes ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2 ikelifetime=24h @@ -1079,7 +1077,7 @@ EOF } show_swan_update_info() { - if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \ + if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \ && [ "$swan_ver" != "$swan_ver_latest" ] \ && printf '%s\n%s' "$swan_ver" "$swan_ver_latest" | sort -C -V; then echo @@ -1087,8 +1085,7 @@ show_swan_update_info() { if [ "$in_container" = "0" ]; then get_update_url echo " To update, run:" - echo " wget $update_url -O vpnupgrade.sh" - echo " sudo sh vpnupgrade.sh" + echo " wget $update_url -O vpnup.sh && sudo sh vpnup.sh" else echo " To update this Docker image, see: https://git.io/updatedockervpn" fi diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 192cf57..49a1da9 100755 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -14,7 +14,7 @@ # know how you have improved it! # Specify which Libreswan version to install. See: https://libreswan.org -SWAN_VER=4.3 +SWAN_VER=4.4 ### DO NOT edit below this line ### 
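Review bot: The renamed template on the `TMPDIR=$(mktemp -d /tmp/vpnup.XXX 2>/dev/null)` line in run_swan_update keeps only three `X` placeholders, the minimum mktemp accepts, which leaves very little entropy in the directory name; `TMPDIR=$(mktemp -d /tmp/vpnup.XXXXXX 2>/dev/null)` is the conventional template and costs nothing. The `[ -d "$TMPDIR" ]` check that follows still covers the creation-failure case, so this is robustness rather than a correctness bug. run_swan_update's closing lines are outside the hunk.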
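Review bot: The new version regex in select_swan_update is repeated verbatim in show_swan_update_info (the `@@ -1079` hunk) and again in the vpnupgrade and vpnsetup scripts, so the next change to the accepted version format has to be made in eight places. Within ikev2setup.sh the two functions run the identical three-part condition and could share one helper, e.g. `swan_ver_is_newer() { printf '%s' "$2" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' && [ "$1" != "$2" ] && printf '%s\n%s' "$1" "$2" | sort -C -V; }` called as `swan_ver_is_newer "$swan_ver" "$swan_ver_latest"`. The widened pattern now admits three-component versions such as 4.4.1 while the `case` lists in the vpnupgrade scripts accept only `3.32|4.[1234]`; that is fine for an informational check, but a short comment saying the two deliberately differ would prevent someone "fixing" one to match the other.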
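Review bot: Dropping `fragmentation=yes` from `conn ikev2-cp` relies on the daemon default, and the error message in the first hunk shows ikev2setup.sh still supports Libreswan 3.23 through 4.x; I believe `yes` has been the default across that whole range, but that should be confirmed against the ipsec.conf(5) page of the oldest supported version before the explicit key goes, since IKE fragmentation is what keeps clients on MTU-constrained paths connecting. If the default is confirmed, a one-line template comment such as `# fragmentation=yes is the Libreswan default for all supported versions` records why the key is absent. The vpnsetup hunks later in this patch drop the same key but pin SWAN_VER=4.4, so they are not affected by the version range. The rest of the `conn ikev2-cp` block lies outside the hunk.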
@@ -60,14 +60,14 @@ if [ "$(id -u)" != 0 ]; then fi case $SWAN_VER in - 3.32|4.[123]) + 3.32|4.[1234]) true ;; *) cat 1>&2 <<EOF Error: Libreswan version '$SWAN_VER' is not supported. This script can install one of these versions: - 3.32, 4.1, 4.2 or 4.3 + 3.32, 4.1-4.3 or 4.4 EOF exit 1 ;; @@ -83,16 +83,15 @@ EOF exit 1 fi -swan_ver_cur=4.3 +swan_ver_cur=4.4 swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER" swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url") -if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \ +if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \ && [ "$swan_ver_cur" != "$swan_ver_latest" ] \ && printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then echo "Note: A newer version of Libreswan ($swan_ver_latest) is available." echo " To update to the new version, exit this script and run:" - echo " wget https://git.io/vpnupgrade -O vpnupgrade.sh" - echo " sudo sh vpnupgrade.sh" + echo " wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh" echo printf "Do you want to continue anyway? [y/N] " read -r response @@ -144,7 +143,7 @@ Note: This script will make the following changes to your VPN configuration: EOF -if [ "$SWAN_VER" != "4.3" ]; then +if [ "$SWAN_VER" != "4.4" ]; then cat <<'EOF' WARNING: Older versions of Libreswan could contain known security vulnerabilities. See https://libreswan.org/security/ for more information. @@ -166,7 +165,6 @@ case $response in ;; esac -# Create and change to working dir mkdir -p /opt/src cd /opt/src || exit 1 diff --git a/extras/vpnupgrade_amzn.sh b/extras/vpnupgrade_amzn.sh index 98ca014..75114cb 100755 --- a/extras/vpnupgrade_amzn.sh +++ b/extras/vpnupgrade_amzn.sh 
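Review bot: The warning check `if [ "$SWAN_VER" != "4.4" ]; then` hard-codes the current version a second time, while the same file already sets `swan_ver_cur=4.4` in the `@@ -83` hunk above it; comparing against the variable, `if [ "$SWAN_VER" != "$swan_ver_cur" ]; then`, means the next release bumps one literal fewer and the "older version" warning cannot drift out of step with the version-check logic. The same duplicated literal appears in the corresponding hunks of extras/vpnupgrade_amzn.sh and extras/vpnupgrade_centos.sh.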
@@ -14,7 +14,7 @@ # know how you have improved it! # Specify which Libreswan version to install. See: https://libreswan.org -SWAN_VER=4.3 +SWAN_VER=4.4 ### DO NOT edit below this line ### @@ -39,14 +39,14 @@ if [ "$(id -u)" != 0 ]; then fi case $SWAN_VER in - 3.32|4.[123]) + 3.32|4.[1234]) true ;; *) cat 1>&2 <<EOF Error: Libreswan version '$SWAN_VER' is not supported. This script can install one of these versions: - 3.32, 4.1, 4.2 or 4.3 + 3.32, 4.1-4.3 or 4.4 EOF exit 1 ;; @@ -62,16 +62,15 @@ EOF exit 1 fi -swan_ver_cur=4.3 +swan_ver_cur=4.4 swan_ver_url="https://dl.ls20.com/v1/amzn/2/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER" swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url") -if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \ +if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \ && [ "$swan_ver_cur" != "$swan_ver_latest" ] \ && printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then echo "Note: A newer version of Libreswan ($swan_ver_latest) is available." echo " To update to the new version, exit this script and run:" - echo " wget https://git.io/vpnupgrade-amzn -O vpnupgrade.sh" - echo " sudo sh vpnupgrade.sh" + echo " wget https://git.io/vpnupgrade-amzn -O vpnup.sh && sudo sh vpnup.sh" echo printf "Do you want to continue anyway? [y/N] " read -r response @@ -123,7 +122,7 @@ Note: This script will make the following changes to your VPN configuration: EOF -if [ "$SWAN_VER" != "4.3" ]; then +if [ "$SWAN_VER" != "4.4" ]; then cat <<'EOF' WARNING: Older versions of Libreswan could contain known security vulnerabilities. See https://libreswan.org/security/ for more information. @@ -145,7 +144,6 @@ case $response in ;; esac -# Create and change to working dir mkdir -p /opt/src cd /opt/src || exit 1 diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 25e0657..cb6023e 100755 --- a/extras/vpnupgrade_centos.sh 
+++ b/extras/vpnupgrade_centos.sh @@ -14,7 +14,7 @@ # know how you have improved it! # Specify which Libreswan version to install. See: https://libreswan.org -SWAN_VER=4.3 +SWAN_VER=4.4 ### DO NOT edit below this line ### @@ -54,14 +54,14 @@ if [ "$(id -u)" != 0 ]; then fi case $SWAN_VER in - 3.32|4.[123]) + 3.32|4.[1234]) true ;; *) cat 1>&2 <<EOF Error: Libreswan version '$SWAN_VER' is not supported. This script can install one of these versions: - 3.32, 4.1, 4.2 or 4.3 + 3.32, 4.1-4.3 or 4.4 EOF exit 1 ;; @@ -77,16 +77,15 @@ EOF exit 1 fi -swan_ver_cur=4.3 +swan_ver_cur=4.4 swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER" swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url") -if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \ +if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \ && [ "$swan_ver_cur" != "$swan_ver_latest" ] \ && printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then echo "Note: A newer version of Libreswan ($swan_ver_latest) is available." echo " To update to the new version, exit this script and run:" - echo " wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh" - echo " sudo sh vpnupgrade.sh" + echo " wget https://git.io/vpnupgrade-centos -O vpnup.sh && sudo sh vpnup.sh" echo printf "Do you want to continue anyway? [y/N] " read -r response @@ -138,7 +137,7 @@ Note: This script will make the following changes to your VPN configuration: EOF -if [ "$SWAN_VER" != "4.3" ]; then +if [ "$SWAN_VER" != "4.4" ]; then cat <<'EOF' WARNING: Older versions of Libreswan could contain known security vulnerabilities. See https://libreswan.org/security/ for more information. @@ -160,7 +159,6 @@ case $response in ;; esac -# Create and change to working dir mkdir -p /opt/src cd /opt/src || exit 1 diff --git a/vpnsetup.sh b/vpnsetup.sh index 76981dc..272addb 100755 --- a/vpnsetup.sh 
+++ b/vpnsetup.sh @@ -204,7 +204,7 @@ ikev2_url="https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/extras/ikev2setu bigecho "Downloading Libreswan..." -SWAN_VER=4.3 +SWAN_VER=4.4 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" @@ -268,7 +268,6 @@ version 2.0 config setup virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET - interfaces=%defaultroute uniqueids=no conn shared @@ -295,7 +294,6 @@ conn l2tp-psk leftprotoport=17/1701 rightprotoport=17/%any type=transport - phase2=esp also=shared conn xauth-psk @@ -308,8 +306,6 @@ conn xauth-psk leftmodecfgserver=yes rightmodecfgclient=yes modecfgpull=yes - xauthby=file - fragmentation=yes cisco-unity=yes also=shared @@ -522,15 +518,14 @@ service xl2tpd restart 2>/dev/null swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanver?arch=$os_arch&ver=$SWAN_VER" swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url") -if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \ +if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \ && [ -n "$SWAN_VER" ] && [ "$SWAN_VER" != "$swan_ver_latest" ] \ && printf '%s\n%s' "$SWAN_VER" "$swan_ver_latest" | sort -C -V; then cat <<EOF Note: A newer version of Libreswan ($swan_ver_latest) is available. To update, run: - wget https://git.io/vpnupgrade -O vpnupgrade.sh - sudo sh vpnupgrade.sh + wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh EOF fi diff --git a/vpnsetup_amzn.sh b/vpnsetup_amzn.sh index 59f3c09..d1b95a6 100755 --- a/vpnsetup_amzn.sh +++ b/vpnsetup_amzn.sh 
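Review bot: The four keys removed from the generated ipsec.conf (`interfaces=%defaultroute`, `phase2=esp`, `xauthby=file`, `fragmentation=yes`) now depend on Libreswan's built-in defaults; with SWAN_VER pinned to 4.4 in the same file this should be safe, but `xauthby` selects the XAUTH authentication backend, so a future change of that default would silently alter how VPN users are authenticated rather than failing visibly. Keeping `xauthby=file` explicit, or adding `# xauthby/fragmentation omitted: Libreswan 4.4 defaults are file/yes` to the template, would make the dependency obvious to whoever next bumps the version. The identical removals appear in the vpnsetup_amzn.sh and vpnsetup_centos.sh hunks.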
@@ -168,7 +168,7 @@ ikev2_url="https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/extras/ikev2setu bigecho "Downloading Libreswan..." -SWAN_VER=4.3 +SWAN_VER=4.4 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" @@ -224,7 +224,6 @@ version 2.0 config setup virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET - interfaces=%defaultroute uniqueids=no conn shared @@ -251,7 +250,6 @@ conn l2tp-psk leftprotoport=17/1701 rightprotoport=17/%any type=transport - phase2=esp also=shared conn xauth-psk @@ -264,8 +262,6 @@ conn xauth-psk leftmodecfgserver=yes rightmodecfgclient=yes modecfgpull=yes - xauthby=file - fragmentation=yes cisco-unity=yes also=shared @@ -446,15 +442,14 @@ service xl2tpd restart 2>/dev/null swan_ver_url="https://dl.ls20.com/v1/amzn/2/swanver?arch=$os_arch&ver=$SWAN_VER" swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url") -if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \ +if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \ && [ -n "$SWAN_VER" ] && [ "$SWAN_VER" != "$swan_ver_latest" ] \ && printf '%s\n%s' "$SWAN_VER" "$swan_ver_latest" | sort -C -V; then cat <<EOF Note: A newer version of Libreswan ($swan_ver_latest) is available. To update, run: - wget https://git.io/vpnupgrade-amzn -O vpnupgrade.sh - sudo sh vpnupgrade.sh + wget https://git.io/vpnupgrade-amzn -O vpnup.sh && sudo sh vpnup.sh EOF fi diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 2d22595..fee8dc6 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -1,6 +1,6 @@ #!/bin/sh # -# Script for automatic setup of an IPsec VPN server on CentOS/RHEL 7 and 8 +# Script for automatic setup of an IPsec VPN server on CentOS and RHEL # Works on any dedicated server or virtual private server (VPS) # # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! @@ -217,7 +217,7 @@ ikev2_url="https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/extras/ikev2setu bigecho "Downloading Libreswan..." -SWAN_VER=4.3 +SWAN_VER=4.4 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" @@ -273,7 +273,6 @@ version 2.0 config setup virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET - interfaces=%defaultroute uniqueids=no conn shared @@ -300,7 +299,6 @@ conn l2tp-psk leftprotoport=17/1701 rightprotoport=17/%any type=transport - phase2=esp also=shared conn xauth-psk @@ -313,8 +311,6 @@ conn xauth-psk leftmodecfgserver=yes rightmodecfgclient=yes modecfgpull=yes - xauthby=file - fragmentation=yes cisco-unity=yes also=shared @@ -534,15 +530,14 @@ service xl2tpd restart 2>/dev/null swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanver?arch=$os_arch&ver=$SWAN_VER" swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url") -if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \ +if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \ && [ -n "$SWAN_VER" ] && [ "$SWAN_VER" != "$swan_ver_latest" ] \ && printf '%s\n%s' "$SWAN_VER" "$swan_ver_latest" | sort -C -V; then cat <<EOF Note: A newer version of Libreswan ($swan_ver_latest) is available. To update, run: - wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh - sudo sh vpnupgrade.sh + wget https://git.io/vpnupgrade-centos -O vpnup.sh && sudo sh vpnup.sh EOF fi