L2TP/IPSec一键安装脚本

本脚本适用环境：

系统支持：CentOS6+，Debian7+，Ubuntu12+

内存要求：≥128M

关于本脚本：

名词解释如下

L2TP（Layer 2 Tunneling Protocol）

IPSec（Internet Protocol Security）

IKEv2 (Internet Key Exchange v2)

能实现 IPsec 的目前总体上有 openswan，libreswan，strongswan 这3种。

libreswan 是基于 openswan 的 fork，所以现在各个发行版基本已经看不到 openswan 的身影了。

当然也有使用 strongswan 的。

之所以要更新 L2TP 一键安装脚本，是因为随着各个 Linux 发行版不断推陈出新，原有的脚本已经不适应现在的需求。

本脚本通过编译安装最新版 libreswan 来实现 IPSec（CentOS7 下则是全部 yum 安装），yum 或 apt-get 来安装 xl2tpd，再根据各个发行版的使用方法不同，部署防火墙规则。

写在前面：

基于 OpenVZ 虚拟化技术的 VPS 需要开启TUN/TAP才能正常使用，购买 VPS 时请先咨询服务商是否支持开启 TUN/TAP。

纠正：

OpenVZ 虚拟的 VPS 需要系统内核支持 IPSec 才行。也就是说，母服务器的内核如果不支持的话那就没办法，只能换 VPS。

因此，一般不建议在 OpenVZ 的 VPS 上安装本脚本。脚本如果检测到该 VPS 为 OpenVZ 架构，会出现警告提醒。

如何检测是否支持TUN模块？

执行命令：

cat /dev/net/tun

如果返回信息为：cat: /dev/net/tun: File descriptor in bad state 说明正常

如何检测是否支持ppp模块？

执行命令：

cat /dev/ppp

如果返回信息为：cat: /dev/ppp: No such device or address 说明正常

当然，脚本在安装时也会执行检查，如果不适用于安装，脚本会予以提示。

使用方法：

root 用户登录后，运行以下命令：

wget –no-check-certificate

chmod +x l2tp.sh

./l2tp.sh

执行后，会有如下交互界面

Please input IP-Range:

(Default Range: 192.168.18):

输入本地IP段范围（本地电脑连接到VPS后给分配的一个本地IP地址），直接回车意味着输入默认值192.168.18

Please input PSK:

(Default PSK: teddysun.com):

PSK意为预共享密钥，即指定一个密钥将来在连接时需要用到，直接回车意味着输入默认值teddysun.com

Please input Username:

(Default Username: teddysun):

Username意为用户名，即第一个默认用户。直接回车意味着输入默认值teddysun

Please input teddysun’s password:

(Default Password: Q4SKhu2EXQ):

输入用户的密码，默认会随机生成一个10位包含大小写字母和数字的密码，当然你也可以指定密码。

ServerIP:your_server_main_IP

显示你的 VPS 的主 IP（如果是多 IP 的 VPS 也只显示一个）

Server Local IP:192.168.18.1

显示你的 VPS 的本地 IP（默认即可）

Client Remote IP Range:192.168.18.2-192.168.18.254

显示 IP 段范围

PSK:teddysun.com

显示 PSK

Press any key to start…or Press Ctrl+c to cancel

按下任意按键继续，如果想取消安装，请按Ctrl+c键

安装完成后，脚本会执行 ipsec verify 命令并提示如下：

If there are no [FAILED] above, then you can connect to your

L2TP VPN Server with the default Username/Password is below:

ServerIP:your_server_IP

PSK:your PSK

Username:your usename

Password:your password

If you want to modify user settings, please use command(s):

l2tp -a (Add a user)

l2tp -d (Delete a user)

l2tp -l (List all users)

l2tp -m (Modify a user password)

Welcome to visit

Enjoy it!

如果你要想对用户进行操作，可以使用如下命令：

l2tp -a 新增用户

l2tp -d 删除用户

l2tp -m 修改现有的用户的密码

l2tp -l 列出所有用户名和密码

l2tp -h 列出帮助信息

其他事项：

1、脚本在安装完成后，已自动启动进程，并加入了开机自启动。

2、脚本会改写 iptables 或 firewalld 的规则。

3、脚本安装时，会即时将安装日志写到 /root/l2tp.log 文件里，如果你安装失败，可以通过此文件来寻找错误信息。

使用命令：

ipsec status （查看 IPSec 运行状态）

ipsec verify （查看 IPSec 检查结果）

/etc/init.d/ipsec start|stop|restart|status （CentOS6 下使用）

/etc/init.d/xl2tpd start|stop|restart （CentOS6 下使用）

systemctl start|stop|restart|status ipsec （CentOS7 下使用）

systemctl start|stop|restart xl2tpd （CentOS7 下使用）

service ipsec start|stop|restart|status （Debian/Ubuntu 下使用）

service xl2tpd start|stop|restart （Debian/Ubuntu 下使用）

评论节选（有改动），供参考

评论节选1（感谢@wawnnzxd 评论于 2016-11-10）

安卓6.0系统无法成功连接l2tp，查了谷歌之后发现好像是安卓是sha256加密

我是这么做的，目前正常连接一小时，没有断线，mac ios android

需要在 /etc/ipsec.conf 的 conn L2TP-PSK-noNAT 下加入

sha2-truncbug=yes

然后重启 IPSec 和 xl2tpd 服务，重新连接就可以了。

可以解决安卓 6.0 的 vpn 无法连接问题。

评论节选2（感谢@S_ven 评论于 2016-10-17）

在/etc/ipsec.conf 的 conn L2TP-PSK-noNAT 下加入

leftnexthop defaultroute

rightnexthop defaultroute

然后重启 IPSec 和 xl2tpd 服务应该可以解决同一局域下多人连接的时候，出现连接不上的情况。

如果还是不行，就得看下这个链接里面的配置：

我就是根据这个里面的配置和你的对比改好了。

更新日志

2016 年 04 月 18 日更新

1、目前在 Debian 7 上测试的结果，因为 libnss3 和 libnspr4 的版本过低而导致编译 libreswan 失败。临时解决办法是 dpkg 安装 libnss3_3.17.2 和 libnspr4_4.10.7 的 deb 包后重试

参考链接：

2016 年 04 月 19 日更新

2、修复了在 Debian 7 下因为 libnss3 和 libnspr4 的版本过低而导致编译 libreswan 失败的问题。

2016 年 04 月 22 日更新

3、修复了在 Ubuntu 16.04 下因为默认缺少 python 命令而导致 ipsec verify 等命令不能用的问题。

2016 年 04 月 25 日更新

4、在 Vultr 的 Debian 7 的系统模板下安装时，软件包 libcurl4-nss-dev 会出现依赖错误。如下所示：

The following packages have unmet dependencies:

libcurl4-nss-dev : Depends: libldap2-dev but it is not going to be installed

Depends: librtmp-dev but it is not going to be installed

而 libldap2-dev 和 librtmp-dev 又依赖了其他几种软件包。总之最后的依赖关系如下：

libldap2-dev : Depends: libldap-2.4-2 (= 2.4.31-2+deb7u1) but 2.4.31+really2.4.40+dfsg-1+deb8u1~bpo70+1 is to be installed

librtmp-dev : Depends: libgnutls-dev but it is not going to be installed

libgnutls-dev : Depends: libp11-kit-dev (>= 0.4) but it is not going to be installed

libp11-kit-dev : Depends: libp11-kit0 (= 0.12-3) but 0.20.7-1~bpo70+1 is to be installed

那么解决办法就是把最底层的依赖包 libp11-kit0 先卸载掉，然后再安装 libcurl4-nss-dev 即可。

apt-get -y remove libp11-kit0

apt-get -y –no-install-recommends install libcurl4-nss-dev wget

然后再运行脚本安装即可。

2016 年 06 月 10 日更新

脚本在安装完成后，新增了几个命令，便于操作用户

l2tp -a 新增用户

l2tp -d 删除用户

l2tp -l 列出所有用户

l2tp -h 列出帮助信息

2016 年 08 月 05 日更新

升级 libreswan 到版本 3.18。

2016 年 08 月 13 日更新

修正 Debian 8 下的 sd-daemon.h: No such file or directory 问题，是由于缺少依赖包 libsystemd-daemon-dev 导致的。

2016 年 09 月 12 日更新

修正了在 CentOS 6 下 libevent2 依赖的问题；

新增了一个 -m 选项，用以修改现有用户的密码。

#脚本源码#!/usr/bin/env bashPATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/binexport PATH#=======================================================================##  System Supported:  CentOS 6+ / Debian 7+ / Ubuntu 12+              ##  Description: L2TP VPN Auto Installer                                ##  Author: Teddysun 
     
                                        ##  Intro:  https://teddysun.com/448.html                              ##=======================================================================#cur_dir=`pwd`libevent2_src_filename="libevent-2.0.22-stable"libreswan_filename="libreswan-3.18"rootness(){    if [[ $EUID -ne 0 ]]; then      echo "Error:This script must be run as root!" 1>&2      exit 1    fi}tunavailable(){    if [[ ! -e /dev/net/tun ]]; then        echo "Error:TUN/TAP is not available!" 1>&2        exit 1    fi}disable_selinux(){if [ -s /etc/selinux/config ] && grep 'SELINUX=enforcing' /etc/selinux/config; then    sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config    setenforce 0fi}get_opsy(){    [ -f /etc/redhat-release ] && awk '{print ($1,$3~/^[0-9]/?$3:$4)}' /etc/redhat-release && return    [ -f /etc/os-release ] && awk -F'[= "]' '/PRETTY_NAME/{print $3,$4,$5}' /etc/os-release && return    [ -f /etc/lsb-release ] && awk -F'[="]+' '/DESCRIPTION/{print $2}' /etc/lsb-release && return}get_os_info(){    IP=$( ip addr | egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | egrep -v "^192\.168|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-2]\.|^10\.|^127\.|^255\.|^0\." | head -n 1 )    if [ -z ${IP} ]; then        IP=$( wget -qO- -t1 -T2 ipv4.icanhazip.com )    fi    local cname=$( awk -F: '/model name/ {name=$2} END {print name}' /proc/cpuinfo | sed 's/^[ \t]*//;s/[ \t]*$//' )    local cores=$( awk -F: '/model name/ {core++} END {print core}' /proc/cpuinfo )    local freq=$( awk -F: '/cpu MHz/ {freq=$2} END {print freq}' /proc/cpuinfo | sed 's/^[ \t]*//;s/[ \t]*$//' )    local tram=$( free -m | awk '/Mem/ {print $2}' )    local swap=$( free -m | awk '/Swap/ {print $2}' )    local up=$( awk '{a=$1/86400;b=($1%86400)/3600;c=($1%3600)/60;d=$1%60} {printf("%ddays, %d:%d:%d\n",a,b,c,d)}' /proc/uptime )    local load=$( w | head -1 | awk -F'load average:' '{print $2}' | sed 's/^[ \t]*//;s/[ \t]*$//' )    local opsy=$( get_opsy )    local arch=$( uname -m )    local lbit=$( getconf LONG_BIT )    local host=$( hostname )    local kern=$( uname -r )    echo "########## System Information ##########"    echo    echo "CPU model            : ${cname}"    echo "Number of cores      : ${cores}"    echo "CPU frequency        : ${freq} MHz"    echo "Total amount of ram  : ${tram} MB"    echo "Total amount of swap : ${swap} MB"    echo "System uptime        : ${up}"    echo "Load average        : ${load}"    echo "OS                  : ${opsy}"    echo "Arch                : ${arch} (${lbit} Bit)"    echo "Kernel              : ${kern}"    echo "Hostname            : ${host}"    echo "IPv4 address        : ${IP}"    echo    echo "########################################"}check_sys(){    local checkType=$1    local value=$2    local release=''    local systemPackage=''    if [[ -f /etc/redhat-release ]];then        release="centos"        systemPackage="yum"    elif cat /etc/issue | grep -q -E -i "debian";then        release="debian"        systemPackage="apt"    elif cat /etc/issue | grep -q -E -i "ubuntu";then        release="ubuntu"        systemPackage="apt"    elif cat /etc/issue | grep -q -E -i "centos|red hat|redhat";then        release="centos"        systemPackage="yum"    elif cat /proc/version | grep -q -E -i "debian";then        release="debian"        systemPackage="apt"    elif cat /proc/version | grep -q -E -i "ubuntu";then        release="ubuntu"        systemPackage="apt"    elif cat /proc/version | grep -q -E -i "centos|red hat|redhat";then        release="centos"        systemPackage="yum"    fi    if [[ ${checkType} == "sysRelease" ]]; then        if [ "$value" == "$release" ];then            return 0        else            return 1        fi    elif [[ ${checkType} == "packageManager" ]]; then        if [ "$value" == "$systemPackage" ];then            return 0        else            return 1        fi    fi}rand() {    index=0    str=""    for i in {a..z}; do arr[index]=${i}; index=`expr ${index} + 1`; done    for i in {A..Z}; do arr[index]=${i}; index=`expr ${index} + 1`; done    for i in {
    0..9}; do arr[index]=${i}; index=`expr ${index} + 1`; done    for i in {
    1..10}; do str="$str${arr[$RANDOM%$index]}"; done    echo ${str}}is_64bit(){    if [ `getconf WORD_BIT` = '32' ] && [ `getconf LONG_BIT` = '64' ] ; then        return 0    else        return 1    fi}download_file(){    local download_root_url="http://dl.teddysun.com/files"    if [ -s ${1} ]; then        echo "$1 [found]"    else        echo "$1 not found!!!download now..."        if ! wget -c -t3 -T60 ${download_root_url}/${1};then            echo "Failed to download $1, please download it to ${cur_dir} directory manually and try again."            exit 1        fi    fi}versionget(){    if [[ -s /etc/redhat-release ]];then        grep -oE  "[0-9.]+" /etc/redhat-release    else        grep -oE  "[0-9.]+" /etc/issue    fi}centosversion(){    if check_sys sysRelease centos;then        local code=${1}        local version="`versionget`"        local main_ver=${version%%.*}        if [ "${main_ver}" == "${code}" ];then            return 0        else            return 1        fi    else        return 1    fi}debianversion(){    if check_sys sysRelease debian;then        local version=$( get_opsy )        local code=${1}        local main_ver=$( echo ${version} | sed 's/[^0-9]//g')        if [ "${main_ver}" == "${code}" ];then            return 0        else            return 1        fi    else        return 1    fi}version_check(){    if check_sys packageManager yum; then        if centosversion 5; then            echo "Error: CentOS 5 is not supported, Please re-install OS and try again."            exit 1        fi    fi}preinstall_l2tp(){    echo    if [ -d "/proc/vz" ]; then        echo -e "\033[41;37m WARNING: \033[0m Your VPS is based on OpenVZ, and IPSec might not be supported by the kernel."        echo "Continue installation? (y/n)"        read -p "(Default: n)" agree        [ -z ${agree} ] && agree="n"        if [ "${agree}" == "n" ]; then            echo            echo "L2TP installation cancelled."            echo            exit 0        fi    fi    echo    echo "Please enter IP-Range:"    read -p "(Default Range: 192.168.18):" iprange    [ -z ${iprange} ] && iprange="192.168.18"    echo "Please enter PSK:"    read -p "(Default PSK: teddysun.com):" mypsk    [ -z ${mypsk} ] && mypsk="teddysun.com"    echo "Please enter Username:"    read -p "(Default Username: teddysun):" username    [ -z ${username} ] && username="teddysun"    password=`rand`    echo "Please enter ${username}'s password:"    read -p "(Default Password: ${password}):" tmppassword    [ ! -z ${tmppassword} ] && password=${tmppassword}    get_char(){    SAVEDSTTY=`stty -g`    stty -echo    stty cbreak    dd if=/dev/tty bs=1 count=1 2> /dev/null    stty -raw    stty echo    stty $SAVEDSTTY    }    echo    echo "ServerIP:${IP}"    echo "Server Local IP:${iprange}.1"    echo "Client Remote IP Range:${iprange}.2-${iprange}.254"    echo "PSK:${mypsk}"    echo    echo "Press any key to start... or press Ctrl + C to cancel."    char=`get_char`}install_l2tp(){    mknod /dev/random c 1 9    if check_sys packageManager apt;then        apt-get -y update        if debianversion 7;then            if is_64bit;then                local libnspr4_filename1="libnspr4_4.10.7-1_amd64.deb"                local libnspr4_filename2="libnspr4-0d_4.10.7-1_amd64.deb"                local libnspr4_filename3="libnspr4-dev_4.10.7-1_amd64.deb"                local libnspr4_filename4="libnspr4-dbg_4.10.7-1_amd64.deb"                local libnss3_filename1="libnss3_3.17.2-1.1_amd64.deb"                local libnss3_filename2="libnss3-1d_3.17.2-1.1_amd64.deb"                local libnss3_filename3="libnss3-tools_3.17.2-1.1_amd64.deb"                local libnss3_filename4="libnss3-dev_3.17.2-1.1_amd64.deb"                local libnss3_filename5="libnss3-dbg_3.17.2-1.1_amd64.deb"            else                local libnspr4_filename1="libnspr4_4.10.7-1_i386.deb"                local libnspr4_filename2="libnspr4-0d_4.10.7-1_i386.deb"                local libnspr4_filename3="libnspr4-dev_4.10.7-1_i386.deb"                local libnspr4_filename4="libnspr4-dbg_4.10.7-1_i386.deb"                local libnss3_filename1="libnss3_3.17.2-1.1_i386.deb"                local libnss3_filename2="libnss3-1d_3.17.2-1.1_i386.deb"                local libnss3_filename3="libnss3-tools_3.17.2-1.1_i386.deb"                local libnss3_filename4="libnss3-dev_3.17.2-1.1_i386.deb"                local libnss3_filename5="libnss3-dbg_3.17.2-1.1_i386.deb"            fi            rm -rf ${cur_dir}/l2tp            mkdir -p ${cur_dir}/l2tp            cd ${cur_dir}/l2tp            download_file "${libnspr4_filename1}"            download_file "${libnspr4_filename2}"            download_file "${libnspr4_filename3}"            download_file "${libnspr4_filename4}"            download_file "${libnss3_filename1}"            download_file "${libnss3_filename2}"            download_file "${libnss3_filename3}"            download_file "${libnss3_filename4}"            download_file "${libnss3_filename5}"            dpkg -i ${libnspr4_filename1} ${libnspr4_filename2} ${libnspr4_filename3} ${libnspr4_filename4}            dpkg -i ${libnss3_filename1} ${libnss3_filename2} ${libnss3_filename3} ${libnss3_filename4} ${libnss3_filename5}            apt-get -y install wget gcc ppp flex bison make pkg-config libpam0g-dev libcap-ng-dev libcap-ng-utils libunbound-dev libevent-dev libcurl4-nss-dev libsystemd-daemon-dev        else            apt-get -y install wget gcc ppp flex bison make python libnss3-dev libnspr4-dev pkg-config libpam0g-dev libcap-ng-dev libcap-ng-utils libunbound-dev libnss3-tools libevent-dev libcurl4-nss-dev libsystemd-daemon-dev        fi        apt-get -y --no-install-recommends install xmlto        apt-get -y install xl2tpd        compile_install    elif check_sys packageManager yum; then        if centosversion 7; then            yum -y install epel-release            yum -y install ppp libreswan xl2tpd firewalld            yum_install        elif centosversion 6; then            yum -y install epel-release            yum -y install gcc gcc-c++ ppp iptables make gmp-devel xmlto bison flex libpcap-devel lsof            yum -y install xl2tpd curl-devel nss-devel nspr-devel pkgconfig pam-devel unbound-devel libcap-ng-devel            compile_install        fi    fi}compile_install(){    rm -rf ${cur_dir}/l2tp    mkdir -p ${cur_dir}/l2tp    cd ${cur_dir}/l2tp    download_file "${libreswan_filename}.tar.gz"    tar -zxf ${libreswan_filename}.tar.gz    if centosversion 6; then        download_file "${libevent2_src_filename}.tar.gz"        tar -zxf ${libevent2_src_filename}.tar.gz        cd ${libevent2_src_filename}        ./configure        make && make install        if [ $? -eq 0 ]; then            if is_64bit;then                ln -sf /usr/local/lib/libevent-2.0.so.5 /usr/lib64/libevent-2.0.so.5                ln -sf /usr/local/lib/libevent_pthreads-2.0.so.5 /usr/lib64/libevent_pthreads-2.0.so.5            else                ln -sf /usr/local/lib/libevent-2.0.so.5 /usr/lib/libevent-2.0.so.5                ln -sf /usr/local/lib/libevent_pthreads-2.0.so.5 /usr/lib/libevent_pthreads-2.0.so.5            fi            echo "/usr/local/lib" > /etc/ld.so.conf.d/local.conf            ldconfig        else            echo "libevent2 install failed..."            exit 1        fi    fi    cd ${cur_dir}/l2tp/${libreswan_filename}    echo "WERROR_CFLAGS =" > Makefile.inc.local    make programs && make install    /usr/local/sbin/ipsec --version >/dev/null 2>&1    if [ $? -ne 0 ];then        echo "${libreswan_filename} install failed."        exit 1    fi    cat > /etc/ipsec.conf<
      
        /etc/ipsec.secrets<
       
         /etc/xl2tpd/xl2tpd.conf<
        
          /etc/ppp/options.xl2tpd<
         
           /etc/ppp/chap-secrets<
          
           > /etc/sysctl.conf echo "net.ipv4.conf.${each}.accept_redirects=0" >> /etc/sysctl.conf echo "net.ipv4.conf.${each}.send_redirects=0" >> /etc/sysctl.conf echo "net.ipv4.conf.${each}.rp_filter=0" >> /etc/sysctl.conf done sysctl -p if centosversion 6; then [ -f /etc/sysconfig/iptables ] && cp -pf /etc/sysconfig/iptables /etc/sysconfig/iptables.old.`date +%Y%m%d` if [ "`/sbin/iptables-save | grep -c '^\-'`" = "0" ]; then cat > /etc/sysconfig/iptables <
           
             /var/tmp/libreswan-nss-pwd certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d rm -f /var/tmp/libreswan-nss-pwd fi chkconfig --add iptables chkconfig iptables on chkconfig --add ipsec chkconfig ipsec on chkconfig --add xl2tpd chkconfig xl2tpd on /etc/init.d/iptables restart /etc/init.d/ipsec start /etc/init.d/xl2tpd start else [ -f /etc/iptables.rules ] && cp -pf /etc/iptables.rules /etc/iptables.rules.old.`date +%Y%m%d` if [ "`/sbin/iptables-save | grep -c '^\-'`" = "0" ]; then cat > /etc/iptables.rules <
            
              /etc/iptables.rules fi cat > /etc/network/if-up.d/iptables <
             
               /var/tmp/libreswan-nss-pwd certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d rm -f /var/tmp/libreswan-nss-pwd fi update-rc.d -f xl2tpd defaults cp -f /etc/rc.local /etc/rc.local.old.`date +%Y%m%d` sed --follow-symlinks -i -e '/^exit 0/d' /etc/rc.local cat >> /etc/rc.local <
              
                /proc/sys/net/ipv4/ip_forward/usr/sbin/service ipsec startexit 0EOF chmod +x /etc/rc.local echo 1 > /proc/sys/net/ipv4/ip_forward /sbin/iptables-restore < /etc/iptables.rules /usr/sbin/service ipsec start /usr/sbin/service xl2tpd restart fi}yum_install(){ rm -f /etc/ipsec.conf cat > /etc/ipsec.conf<
               
                 /etc/ipsec.secrets<
                
                  /etc/xl2tpd/xl2tpd.conf<
                 
                   /etc/ppp/options.xl2tpd<
                  
                    /etc/ppp/chap-secrets<
                   
                    > /etc/sysctl.conf echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.conf echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> /etc/sysctl.conf for each in `ls /proc/sys/net/ipv4/conf/` do echo "net.ipv4.conf.${each}.accept_source_route=0" >> /etc/sysctl.conf echo "net.ipv4.conf.${each}.accept_redirects=0" >> /etc/sysctl.conf echo "net.ipv4.conf.${each}.send_redirects=0" >> /etc/sysctl.conf echo "net.ipv4.conf.${each}.rp_filter=0" >> /etc/sysctl.conf done sysctl -p cat > /usr/lib/firewalld/services/xl2tpd.xml<
                    
                     
                      
                      
                       xl2tpd
                       
                      
                       L2TP IPSec
                       
                       
                      
                     EOF chmod 640 /usr/lib/firewalld/services/xl2tpd.xml systemctl enable ipsec systemctl enable xl2tpd systemctl enable firewalld systemctl status firewalld > /dev/null 2>&1 if [ $? -eq 0 ];then echo "Checking firewalld status..." firewall-cmd --list-all echo "add firewalld rules..." firewall-cmd --permanent --add-service=ipsec firewall-cmd --permanent --add-service=xl2tpd firewall-cmd --permanent --add-masquerade firewall-cmd --reload else echo "Firewalld looks like not running, trying to start..." systemctl start firewalld if [ $? -eq 0 ];then echo "Firewalld start successfully..." echo "Checking firewalld status..." firewall-cmd --list-all echo "adding firewalld rules..." firewall-cmd --permanent --add-service=ipsec firewall-cmd --permanent --add-service=xl2tpd firewall-cmd --permanent --add-masquerade firewall-cmd --reload else echo "Failed to start firewalld. please enable port 500 4500 manually if necessary." fi fi systemctl restart ipsec systemctl restart xl2tpd echo "Checking ipsec status..." systemctl -a | grep ipsec echo "Checking xl2tpd status..." systemctl -a | grep xl2tpd echo "Checking firewalld status..." firewall-cmd --list-all firewall-cmd --list-all | grep xl2tpd > /dev/null 2>&1 if [ $? -ne 0 ];then firewall-cmd --permanent --add-service=xl2tpd firewall-cmd --reload fi}finally(){ cd ${cur_dir} rm -fr ${cur_dir}/l2tp # create l2tp command cp -f ${cur_dir}/`basename $0` /usr/bin/l2tp echo "Please wait a moment..." sleep 5 ipsec verify echo echo "###############################################################" echo "# L2TP VPN Auto Installer #" echo "# System Supported: CentOS 6+ / Debian 7+ / Ubuntu 12+ #" echo "# Intro: https://teddysun.com/448.html #" echo "# Author: Teddysun 
                     
                       #" echo "###############################################################" echo "If there is no [FAILED] above, you can connect to your L2TP " echo "VPN Server with the default Username/Password is below:" echo echo "ServerIP:${IP}" echo "PSK:${mypsk}" echo "Username:${username}" echo "Password:${password}" echo echo "If you want to modify user settings, please use command(s):" echo "l2tp -a (Add a user)" echo "l2tp -d (Delete a user)" echo "l2tp -l (List all users)" echo "l2tp -m (Modify a user password)" echo echo "Welcome to visit https://teddysun.com/448.html" echo "Enjoy it!" echo}l2tp(){ clear echo echo "###############################################################" echo "# L2TP VPN Auto Installer #" echo "# System Supported: CentOS 6+ / Debian 7+ / Ubuntu 12+ #" echo "# Intro: https://teddysun.com/448.html #" echo "# Author: Teddysun 
                      
                        #" echo "###############################################################" echo rootness tunavailable disable_selinux version_check get_os_info preinstall_l2tp install_l2tp finally}list_users(){ if [ ! -f /etc/ppp/chap-secrets ];then echo "Error: /etc/ppp/chap-secrets file not found." exit 1 fi local line="+-------------------------------------------+\n" local string=%20s printf "${line}|${string} |${string} |\n${line}" Username Password grep -v "^#" /etc/ppp/chap-secrets | awk '{printf "|'${string}' |'${string}' |\n", $1,$3}' printf ${line}}add_user(){ while : do read -p "Please input your Username:" user if [ -z ${user} ]; then echo "Username can not be empty" else grep -w "${user}" /etc/ppp/chap-secrets > /dev/null 2>&1 if [ $? -eq 0 ];then echo "Username (${user}) already exists. Please re-enter your username." else break fi fi done pass=`rand` echo "Please input ${user}'s password:" read -p "(Default Password: ${pass}):" tmppass [ ! -z ${tmppass} ] && pass=${tmppass} echo "${user} l2tpd ${pass} *" >> /etc/ppp/chap-secrets echo "Username (${user}) add completed."}del_user(){ while : do read -p "Please input Username you want to delete it:" user if [ -z ${user} ]; then echo "Username can not be empty" else grep -w "${user}" /etc/ppp/chap-secrets >/dev/null 2>&1 if [ $? -eq 0 ];then break else echo "Username (${user}) is not exists. Please re-enter your username." fi fi done sed -i "/^\<${user}\>/d" /etc/ppp/chap-secrets echo "Username (${user}) delete completed."}mod_user(){ while : do read -p "Please input Username you want to change password:" user if [ -z ${user} ]; then echo "Username can not be empty" else grep -w "${user}" /etc/ppp/chap-secrets >/dev/null 2>&1 if [ $? -eq 0 ];then break else echo "Username (${user}) is not exists. Please re-enter your username." fi fi done pass=`rand` echo "Please input ${user}'s new password:" read -p "(Default Password: ${pass}):" tmppass [ ! -z ${tmppass} ] && pass=${tmppass} sed -i "/^\<${user}\>/d" /etc/ppp/chap-secrets echo "${user} l2tpd ${pass} *" >> /etc/ppp/chap-secrets echo "Username ${user}'s password has been changed."}# Main processaction=$1if [ -z ${action} ] && [ "`basename $0`" != "l2tp" ]; then action=installficase ${action} in install) l2tp 2>&1 | tee /root/l2tp.log ;; -l|--list) list_users ;; -a|--add) add_user ;; -d|--del) del_user ;; -m|--mod) mod_user ;; -h|--help) echo "Usage: `basename $0` -l,--list List all users" echo " `basename $0` -a,--add Add a user" echo " `basename $0` -d,--del Delete a user" echo " `basename $0` -m,--mod Modify a user password" echo " `basename $0` -h,--help Print this help information" ;; *) echo "Usage: `basename $0` [-l,--list|-a,--add|-d,--del|-m,--mod|-h,--help]" && exit ;;esac