kevinzhow · March 19, 2019 12:59
diff --git a/vpnserver.sh b/vpnserver.sh
 #!/usr/bin/env bash
 echo 'deb http://shadowsocks.org/debian wheezy main' >> /etc/apt/sources.list
 # Pre-requisites
 
 
 sudo apt-get -y update
 sudo apt-get -y install pptpd
 sudo apt-get -y install fail2ban
 sudo apt-get -y install shadowsocks-libev
 
 cat >/etc/shadowsocks-libev/config.json <<END
 {
    "server":"0.0.0.0",
    "server_port":8088,
    "local_address": "127.0.0.1",
    "local_port":1080,
    "password":"test",
    "timeout":300,
    "method":"aes-256-cfb",
    "fast_open": true
 }
 END
 
 cat >/etc/sysctl.d/local.conf <<END
 fs.file-max = 51200

 net.core.rmem_max = 67108864
 net.core.wmem_max = 67108864
 net.core.rmem_default = 65536
 net.core.wmem_default = 65536
 net.core.netdev_max_backlog = 4096
 net.core.somaxconn = 4096

 net.ipv4.tcp_syncookies = 1
 net.ipv4.tcp_tw_reuse = 1
 net.ipv4.tcp_tw_recycle = 0
 net.ipv4.tcp_fin_timeout = 30
 net.ipv4.tcp_keepalive_time = 1200
 net.ipv4.ip_local_port_range = 10000 65000
 net.ipv4.tcp_max_syn_backlog = 4096
 net.ipv4.tcp_max_tw_buckets = 5000
 net.ipv4.tcp_fastopen = 3
 net.ipv4.tcp_rmem = 4096 87380 67108864
 net.ipv4.tcp_wmem = 4096 65536 67108864
 net.ipv4.tcp_mtu_probing = 1

 # for high-latency network
 net.ipv4.tcp_congestion_control = hybla

 # for low-latency network, use cubic instead
 # net.ipv4.tcp_congestion_control = cubic
 END
 
 sysctl --system
 
 
 cat >/etc/ppp/options.pptpd <<END
 name pptpd
 refuse-pap
 refuse-chap
 refuse-mschap
 require-mschap-v2
 require-mppe-128
 ms-dns 8.8.8.8
 ms-dns 8.8.4.4
 proxyarp
 lock
 nobsdcomp
 novj
 novjccomp
 nologfd
 END
 
 cat >/etc/pptpd.conf <<END
 option /etc/ppp/options.pptpd
 logwtmp
 localip 172.7.0.1
 remoteip 172.7.0.10-100
 END
 
 cat >> /etc/sysctl.conf <<END
 net.ipv4.ip_forward=1
 END
 sysctl -p
 
 wget -O iptables.sh https://gist.githubusercontent.com/kevinzhow/984f55af8b6c901814b1/raw/df3951ba942c1ee851caf63711bc0fc2ce55ca9b/gistfile1.sh
 sh iptables.sh
 
 iptables-save > /etc/firewall.rules
 
 
 cat >/etc/network/if-pre-up.d/firewall <<END
 #!/bin/sh
 /sbin/iptables-restore < /etc/firewall.rules
 END
 
 chmod +x /etc/network/if-pre-up.d/firewall
 
 cat >/etc/ppp/chap-secrets <<END
 test pptpd test *
 END
 
 service pptpd restart
 
 #IPSec IKev1
 
 sudo apt-get -y install strongswan strongswan-plugin-xauth-generic strongswan-plugin-eap-mschapv2
 
 cat > /etc/ipsec.secrets <<END
 : RSA serverKey.pem
 : PSK "test"

 test %any : EAP "test"
 test %any : XAUTH "test"
 END
 
 cat > /etc/ipsec.conf <<END
 config setup
    cachecrls=yes
    strictcrlpolicy=yes
    uniqueids=never

 conn %default
    keyexchange=ikev1
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    #rightsubnet=10.7.0.0/24
    rightsourceip=10.7.0.0/24
    rightdns=8.8.8.8,8.8.4.4
    auto=add
    fragmentation=yes

 conn iOS
    leftauth=pubkey
    rightauth2=xauth
    aggressive=yes
    rightauth=pubkey
    leftid=test

 conn android
    aggressive=no
    leftauth=psk
    rightauth2=xauth
    rightauth=psk

 conn xauth_psk
    leftid=test
    aggressive=yes
    leftauth=psk
    rightauth2=xauth
    rightauth=psk
    
 conn ios_ikev2
    keyexchange=ikev2
    leftsendcert=always
    leftid=@*.domain.com
    leftcert=serverCert.pem
    rightauth=eap-mschapv2
    eap_identity=%any
    rightsendcert=never
    rightid="test"
    closeaction=clear
    #dpddelay = 1s
    auto=add
    
 conn ios_ikev2_psk
    keyexchange=ikev2
    eap_identity = %any
    rightsendcert=never
    rightid="test"
    reauth=no
    #rekey=no
    closeaction=clear
    #dpddelay = 1s
    auto=add
    leftauth=psk
    #rightauth2=xauth
    rightauth = eap-mschapv2
    aggressive=yes
    #rightauth=psk

 END
 
 cat > /etc/strongswan.d/charon.conf <<END
 charon {
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
    load_modular = yes
    duplicheck.enable = no
    crypto_test {

    }

    host_resolver {


    }

    leak_detective {


    }

    processor {


        priority_threads {

        }

    }

    tls {



    }

    x509 {


    }

 }
 END
 
 service strongswan restart
	#!/usr/bin/env bash
	echo 'deb http://shadowsocks.org/debian wheezy main' >> /etc/apt/sources.list
	# Pre-requisites


	sudo apt-get -y update
	sudo apt-get -y install pptpd
	sudo apt-get -y install fail2ban
	sudo apt-get -y install shadowsocks-libev

	cat >/etc/shadowsocks-libev/config.json <<END
	{
	"server":"0.0.0.0",
	"server_port":8088,
	"local_address": "127.0.0.1",
	"local_port":1080,
	"password":"test",
	"timeout":300,
	"method":"aes-256-cfb",
	"fast_open": true
	}
	END

	cat >/etc/sysctl.d/local.conf <<END
	fs.file-max = 51200

	net.core.rmem_max = 67108864
	net.core.wmem_max = 67108864
	net.core.rmem_default = 65536
	net.core.wmem_default = 65536
	net.core.netdev_max_backlog = 4096
	net.core.somaxconn = 4096

	net.ipv4.tcp_syncookies = 1
	net.ipv4.tcp_tw_reuse = 1
	net.ipv4.tcp_tw_recycle = 0
	net.ipv4.tcp_fin_timeout = 30
	net.ipv4.tcp_keepalive_time = 1200
	net.ipv4.ip_local_port_range = 10000 65000
	net.ipv4.tcp_max_syn_backlog = 4096
	net.ipv4.tcp_max_tw_buckets = 5000
	net.ipv4.tcp_fastopen = 3
	net.ipv4.tcp_rmem = 4096 87380 67108864
	net.ipv4.tcp_wmem = 4096 65536 67108864
	net.ipv4.tcp_mtu_probing = 1

	# for high-latency network
	net.ipv4.tcp_congestion_control = hybla

	# for low-latency network, use cubic instead
	# net.ipv4.tcp_congestion_control = cubic
	END

	sysctl --system


	cat >/etc/ppp/options.pptpd <<END
	name pptpd
	refuse-pap
	refuse-chap
	refuse-mschap
	require-mschap-v2
	require-mppe-128
	ms-dns 8.8.8.8
	ms-dns 8.8.4.4
	proxyarp
	lock
	nobsdcomp
	novj
	novjccomp
	nologfd
	END

	cat >/etc/pptpd.conf <<END
	option /etc/ppp/options.pptpd
	logwtmp
	localip 172.7.0.1
	remoteip 172.7.0.10-100
	END

	cat >> /etc/sysctl.conf <<END
	net.ipv4.ip_forward=1
	END
	sysctl -p

	wget -O iptables.sh https://gist.githubusercontent.com/kevinzhow/984f55af8b6c901814b1/raw/df3951ba942c1ee851caf63711bc0fc2ce55ca9b/gistfile1.sh
	sh iptables.sh

	iptables-save > /etc/firewall.rules


	cat >/etc/network/if-pre-up.d/firewall <<END
	#!/bin/sh
	/sbin/iptables-restore < /etc/firewall.rules
	END

	chmod +x /etc/network/if-pre-up.d/firewall

	cat >/etc/ppp/chap-secrets <<END
	test pptpd test *
	END

	service pptpd restart

	#IPSec IKev1

	sudo apt-get -y install strongswan strongswan-plugin-xauth-generic strongswan-plugin-eap-mschapv2

	cat > /etc/ipsec.secrets <<END
	: RSA serverKey.pem
	: PSK "test"

	test %any : EAP "test"
	test %any : XAUTH "test"
	END

	cat > /etc/ipsec.conf <<END
	config setup
	cachecrls=yes
	strictcrlpolicy=yes
	uniqueids=never

	conn %default
	keyexchange=ikev1
	left=%defaultroute
	leftsubnet=0.0.0.0/0
	right=%any
	#rightsubnet=10.7.0.0/24
	rightsourceip=10.7.0.0/24
	rightdns=8.8.8.8,8.8.4.4
	auto=add
	fragmentation=yes

	conn iOS
	leftauth=pubkey
	rightauth2=xauth
	aggressive=yes
	rightauth=pubkey
	leftid=test

	conn android
	aggressive=no
	leftauth=psk
	rightauth2=xauth
	rightauth=psk

	conn xauth_psk
	leftid=test
	aggressive=yes
	leftauth=psk
	rightauth2=xauth
	rightauth=psk

	conn ios_ikev2
	keyexchange=ikev2
	leftsendcert=always
	leftid=@*.domain.com
	leftcert=serverCert.pem
	rightauth=eap-mschapv2
	eap_identity=%any
	rightsendcert=never
	rightid="test"
	closeaction=clear
	#dpddelay = 1s
	auto=add

	conn ios_ikev2_psk
	keyexchange=ikev2
	eap_identity = %any
	rightsendcert=never
	rightid="test"
	reauth=no
	#rekey=no
	closeaction=clear
	#dpddelay = 1s
	auto=add
	leftauth=psk
	#rightauth2=xauth
	rightauth = eap-mschapv2
	aggressive=yes
	#rightauth=psk

	END

	cat > /etc/strongswan.d/charon.conf <<END
	charon {
	i_dont_care_about_security_and_use_aggressive_mode_psk = yes
	load_modular = yes
	duplicheck.enable = no
	crypto_test {

	}

	host_resolver {


	}

	leak_detective {


	}

	processor {


	priority_threads {

	}

	}

	tls {



	}

	x509 {


	}

	}
	END

	service strongswan restart