
OnClickVPNServer


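#!/usr/bin/env bash
#
# OnClickVPNServer: provision a Debian (wheezy-era) host as a VPN server
# running shadowsocks-libev, pptpd and strongSwan (IKEv1 XAuth/PSK conns
# plus IKEv2 EAP-MSCHAPv2), with sysctl tuning and a persisted iptables
# ruleset restored on interface pre-up.
#
# Must run as root. Optional environment variables:
#   VPN_USER            username for PPTP / EAP / XAUTH          (default: test)
#   VPN_PASSWORD        password for that user and for shadowsocks
#                       (default: random 24-char value, printed once to stderr)
#   VPN_PSK             IKE pre-shared key                        (default: random, printed)
#   VPN_SERVER_ID       IKE identity used as leftid in the IKEv1 conns (default: test)
#   IPTABLES_SH_SHA256  expected sha256 of the downloaded iptables script;
#                       when set, the download is verified before it is run
#
# Side effects: rewrites the /etc files named in each configure_* function,
# adds /etc/apt/sources.list.d/shadowsocks.list and /etc/sysctl.d/local.conf,
# saves /etc/firewall.rules and restarts shadowsocks-libev, pptpd, strongswan.

set -euo pipefail

readonly SS_REPO_LINE='deb http://shadowsocks.org/debian wheezy main'
# Pinned to one gist revision, so the content cannot change under us without
# the URL changing; IPTABLES_SH_SHA256 additionally pins the bytes.
readonly IPTABLES_SH_URL='https://gist.githubusercontent.com/kevinzhow/984f55af8b6c901814b1/raw/df3951ba942c1ee851caf63711bc0fc2ce55ca9b/gistfile1.sh'

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Print a random 24-character alphanumeric token (no trailing newline).
# Uses /dev/urandom; no trailing `head` in the pipeline so pipefail cannot
# trip on SIGPIPE.
#######################################
random_token() {
  local raw
  raw=$(head -c 64 /dev/urandom | base64 | tr -dc 'A-Za-z0-9')
  (( ${#raw} >= 24 )) || die "could not read enough entropy from /dev/urandom"
  printf '%s' "${raw:0:24}"
}

#######################################
# Reject values that would break or alter the JSON / ppp / strongSwan files
# they are interpolated into.
# Arguments: $1 - variable name (for the message), $2 - value
#######################################
check_secret() {
  local name=$1 value=$2
  [[ -n "$value" ]] || die "$name must not be empty"
  if [[ "$value" == *'"'* || "$value" == *'\'* || "$value" == *[[:space:]]* ]]; then
    die "$name must not contain quotes, backslashes or whitespace"
  fi
}

#######################################
# Fill in VPN_USER, VPN_PASSWORD, VPN_PSK, VPN_SERVER_ID from the environment,
# generating the two secrets when absent. The original script hard-coded
# "test" for all of them; a generated value is printed once so the operator
# can hand it to clients.
#######################################
set_defaults() {
  VPN_USER=${VPN_USER:-test}
  VPN_SERVER_ID=${VPN_SERVER_ID:-test}
  if [[ -z "${VPN_PASSWORD:-}" ]]; then
    VPN_PASSWORD=$(random_token)
    printf 'generated VPN_PASSWORD: %s\n' "$VPN_PASSWORD" >&2
  fi
  if [[ -z "${VPN_PSK:-}" ]]; then
    VPN_PSK=$(random_token)
    printf 'generated VPN_PSK: %s\n' "$VPN_PSK" >&2
  fi
  check_secret VPN_USER "$VPN_USER"
  check_secret VPN_SERVER_ID "$VPN_SERVER_ID"
  check_secret VPN_PASSWORD "$VPN_PASSWORD"
  check_secret VPN_PSK "$VPN_PSK"
}

#######################################
# Add the shadowsocks apt repository and install every package used below.
#######################################
install_packages() {
  # A sources.list.d fragment written with '>' is idempotent; the original
  # appended to /etc/apt/sources.list and duplicated the line on every run.
  # The repository is served over plain http and no signing key is installed
  # here, so apt's own signature check is the only integrity control and its
  # behaviour for an unverifiable repository depends on the apt version.
  printf '%s\n' "$SS_REPO_LINE" >/etc/apt/sources.list.d/shadowsocks.list
  export DEBIAN_FRONTEND=noninteractive
  apt-get -y update
  apt-get -y install pptpd fail2ban shadowsocks-libev \
    strongswan strongswan-plugin-xauth-generic strongswan-plugin-eap-mschapv2
}

#######################################
# Write /etc/shadowsocks-libev/config.json and restart the service so the
# new password takes effect (the original never restarted it).
#######################################
configure_shadowsocks() {
  # aes-256-cfb is unauthenticated and has since been deprecated by upstream
  # in favour of AEAD methods; kept for compatibility with the clients this
  # script targets. Consider an AEAD method if your clients support one.
  cat >/etc/shadowsocks-libev/config.json <<END
{
    "server":"0.0.0.0",
    "server_port":8088,
    "local_address": "127.0.0.1",
    "local_port":1080,
    "password":"${VPN_PASSWORD}",
    "timeout":300,
    "method":"aes-256-cfb",
    "fast_open": true
}
END
  service shadowsocks-libev restart
}

#######################################
# Kernel tuning plus IPv4 forwarding (needed for both VPNs) in one sysctl.d
# fragment. The original appended ip_forward to /etc/sysctl.conf on every run.
#######################################
configure_sysctl() {
  cat >/etc/sysctl.d/local.conf <<'END'
fs.file-max = 51200

net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.rmem_default = 65536
net.core.wmem_default = 65536
net.core.netdev_max_backlog = 4096
net.core.somaxconn = 4096

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1

# for high-latency network
net.ipv4.tcp_congestion_control = hybla

# for low-latency network, use cubic instead
# net.ipv4.tcp_congestion_control = cubic

# VPN traffic is routed, not proxied, so forwarding must be on
net.ipv4.ip_forward = 1
END
  sysctl --system
}

#######################################
# pptpd: ppp options, address pool, CHAP credentials, restart.
# MS-CHAPv2 + MPPE-128 is the strongest thing PPTP offers and is widely
# regarded as weak; treat this service as legacy and steer clients to the
# IKEv2 conns configured in configure_strongswan.
#######################################
configure_pptpd() {
  cat >/etc/ppp/options.pptpd <<'END'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
END

  cat >/etc/pptpd.conf <<'END'
option /etc/ppp/options.pptpd
logwtmp
localip 172.7.0.1
remoteip 172.7.0.10-100
END

  # Credentials file: only pppd (root) needs to read it.
  cat >/etc/ppp/chap-secrets <<END
${VPN_USER} pptpd ${VPN_PASSWORD} *
END
  chmod 600 /etc/ppp/chap-secrets

  service pptpd restart
}

#######################################
# Download and run the pinned iptables ruleset script, then persist the
# resulting rules and restore them on interface pre-up.
# Globals: IPTABLES_SH_URL, IPTABLES_SH_SHA256 (optional)
#######################################
configure_firewall() {
  local tmpdir script
  tmpdir=$(mktemp -d) || die "mktemp failed"
  script="$tmpdir/iptables.sh"

  wget -O "$script" "$IPTABLES_SH_URL"
  # Running a downloaded script as root: verify it when a digest is supplied,
  # otherwise say so loudly rather than silently.
  if [[ -n "${IPTABLES_SH_SHA256:-}" ]]; then
    printf '%s  %s\n' "$IPTABLES_SH_SHA256" "$script" | sha256sum -c - >/dev/null \
      || die "iptables.sh checksum mismatch; refusing to run it"
  else
    printf 'warning: IPTABLES_SH_SHA256 not set, running downloaded iptables.sh unverified\n' >&2
  fi
  sh "$script"
  rm -rf -- "$tmpdir"

  iptables-save >/etc/firewall.rules

  cat >/etc/network/if-pre-up.d/firewall <<'END'
#!/bin/sh
/sbin/iptables-restore < /etc/firewall.rules
END
  chmod +x /etc/network/if-pre-up.d/firewall
}

#######################################
# strongSwan: secrets, IKEv1/IKEv2 connections, charon settings, restart.
# NOTE: serverKey.pem / serverCert.pem are referenced but NOT created here;
# the pubkey / ios_ikev2 conns will not come up until they are installed
# under /etc/ipsec.d and leftid in ios_ikev2 matches the certificate.
#######################################
configure_strongswan() {
  cat >/etc/ipsec.secrets <<END
: RSA serverKey.pem
: PSK "${VPN_PSK}"

${VPN_USER} %any : EAP "${VPN_PASSWORD}"
${VPN_USER} %any : XAUTH "${VPN_PASSWORD}"
END
  chmod 600 /etc/ipsec.secrets

  cat >/etc/ipsec.conf <<END
config setup
    cachecrls=yes
    strictcrlpolicy=yes
    uniqueids=never

conn %default
    keyexchange=ikev1
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    #rightsubnet=10.7.0.0/24
    rightsourceip=10.7.0.0/24
    rightdns=8.8.8.8,8.8.4.4
    auto=add
    fragmentation=yes

conn iOS
    leftauth=pubkey
    rightauth2=xauth
    aggressive=yes
    rightauth=pubkey
    leftid=${VPN_SERVER_ID}

conn android
    aggressive=no
    leftauth=psk
    rightauth2=xauth
    rightauth=psk

conn xauth_psk
    leftid=${VPN_SERVER_ID}
    aggressive=yes
    leftauth=psk
    rightauth2=xauth
    rightauth=psk

conn ios_ikev2
    keyexchange=ikev2
    leftsendcert=always
    # placeholder identity: replace with the name in serverCert.pem
    leftid=@*.domain.com
    leftcert=serverCert.pem
    rightauth=eap-mschapv2
    eap_identity=%any
    rightsendcert=never
    rightid="${VPN_USER}"
    closeaction=clear
    #dpddelay = 1s
    auto=add

conn ios_ikev2_psk
    keyexchange=ikev2
    eap_identity = %any
    rightsendcert=never
    rightid="${VPN_USER}"
    reauth=no
    #rekey=no
    closeaction=clear
    #dpddelay = 1s
    auto=add
    leftauth=psk
    #rightauth2=xauth
    rightauth = eap-mschapv2
    aggressive=yes
    #rightauth=psk

END

  # charon refuses aggressive mode with a PSK unless the first setting is on,
  # because aggressive mode exposes the PSK-derived authentication hash to
  # offline guessing; the aggressive=yes conns above need it, so the PSK must
  # be strong (VPN_PSK is random by default). The empty sections the original
  # wrote carried no settings and are omitted.
  cat >/etc/strongswan.d/charon.conf <<'END'
charon {
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
    load_modular = yes
    duplicheck.enable = no
}
END

  service strongswan restart
}

main() {
  # The script writes directly under /etc, so root is required regardless of
  # the sudo the original prefixed to apt-get.
  [[ $EUID -eq 0 ]] || die "this script must run as root"
  set_defaults
  install_packages
  configure_shadowsocks
  configure_sysctl
  configure_pptpd
  configure_firewall
  configure_strongswan
}

main "$@"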