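#!/usr/bin/env bash
# Bootstrap a strongSwan IPsec/IKEv2 VPN server on CentOS 7: install the
# packages, build a private PKI (self-signed root CA + host certificate),
# open the firewall and turn on IP forwarding. Adapted from
# https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html#No_L2TP?
#
# Must be run as root ON the VPN server. Re-running it regenerates the CA
# and host keys (the redirects below overwrite them), which invalidates
# every client certificate issued so far.
set -euo pipefail

# Identity baked into the host certificate. Override from the environment
# (e.g. VPN_FQDN=vpn.example.org ./setup.sh); the defaults are the values
# this script originally hard-coded.
VPN_FQDN="${VPN_FQDN:-uservpn.hdmz.com}"
VPN_PUBLIC_IP="${VPN_PUBLIC_IP:-104.198.159.221}"
VPN_PRIVATE_IP="${VPN_PRIVATE_IP:-10.10.0.200}"
CA_DN="${CA_DN:-C=US, O=HDMZ, CN=HDMZ strongSwan Root CA}"
HOST_DN="${HOST_DN:-C=US, O=HDMZ, CN=${VPN_FQDN}}"

# Key sizes in bits. NOTE(review): 3285 for the host key is non-standard
# (3072 or 4096 is conventional); it is kept as the default so behaviour is
# unchanged, but consider overriding HOST_KEY_BITS.
CA_KEY_BITS="${CA_KEY_BITS:-4096}"
HOST_KEY_BITS="${HOST_KEY_BITS:-3285}"
# Certificate lifetimes in days (10 years for the CA, ~8 for the host).
CA_LIFETIME_DAYS="${CA_LIFETIME_DAYS:-3650}"
HOST_LIFETIME_DAYS="${HOST_LIFETIME_DAYS:-3000}"

echo "This script is to be executed in the VPN server!!"
echo "Continue in 5 seconds..."
sleep 5

# haveged feeds the kernel entropy pool so the key generation below does
# not stall on a freshly provisioned VM.
yum -y install strongswan
yum -y install haveged
systemctl enable haveged
systemctl start haveged

#####################################################################
#                        HOST CERTIFICATES                          #
#####################################################################
cd /etc/strongswan || exit 1

# ****** ROOT CA ******* #
# Private key for the root CA. The shell opens the output file *before*
# the chmod runs, so generate it under a restrictive umask (subshell, so
# the umask does not leak to the certificate files) instead of relying on
# the chmod to close a window where the key is world-readable.
( umask 077 && strongswan pki --gen --type rsa --size "$CA_KEY_BITS" --outform der \
    > ipsec.d/private/strongswanKey.der )
chmod 600 ipsec.d/private/strongswanKey.der
# Self-signed root CA certificate.
strongswan pki --self --ca --lifetime "$CA_LIFETIME_DAYS" \
  --in ipsec.d/private/strongswanKey.der --type rsa \
  --dn "$CA_DN" --outform der > ipsec.d/cacerts/strongswanCert.der
# Check certificate
strongswan pki --print --in ipsec.d/cacerts/strongswanCert.der
# *************************************** #

# ****** VPN HOST ******* #
# VPN host private key (same umask treatment as the CA key).
( umask 077 && strongswan pki --gen --type rsa --size "$HOST_KEY_BITS" --outform der \
    > ipsec.d/private/vpnHostKey.der )
chmod 600 ipsec.d/private/vpnHostKey.der
# Host certificate issued by the CA above. The SANs must cover every name
# or address clients connect to (FQDN plus both IPs; the '@' variants are
# the strongSwan identity spelling). serverAuth and ikeIntermediate are the
# EKU flags the upstream tutorial uses; some IKEv2 clients reportedly
# insist on them.
strongswan pki --pub --in ipsec.d/private/vpnHostKey.der --type rsa \
  | strongswan pki --issue --lifetime "$HOST_LIFETIME_DAYS" \
      --cacert ipsec.d/cacerts/strongswanCert.der --cakey ipsec.d/private/strongswanKey.der \
      --dn "$HOST_DN" \
      --san "$VPN_FQDN" \
      --san "$VPN_PUBLIC_IP" --san "@$VPN_PUBLIC_IP" \
      --san "$VPN_PRIVATE_IP" --san "@$VPN_PRIVATE_IP" \
      --flag serverAuth --flag ikeIntermediate --outform der > ipsec.d/certs/vpnHostCert.der
# Check certificate
strongswan pki --print --in ipsec.d/certs/vpnHostCert.der
# More verbosely
openssl x509 -inform DER -in ipsec.d/certs/vpnHostCert.der -noout -text
# *************************************** #
#####################################################################
# The private key (/etc/strongswan/ipsec.d/private/strongswanKey.der) #
# of the CA should be moved somewhere safe, possibly to a special    #
# signing host without access to the Internet.                      #
# Theft of this master signing key would completely compromise your #
# public key infrastructure. Use it only to generate client         #
# certificates when needed.                                         #
#####################################################################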
##################################################################### | |
# CLIENT CERTIFICATES # | |
##################################################################### | |
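userCert(){
  # Issue a client certificate signed by the root CA created above.
  #   $1 - user name; used in the file names and added as a SAN
  #   $2 - certificate lifetime in days
  #   $3 - user's e-mail address; becomes the CN and a SAN
  # Writes ipsec.d/private/<user>-key.{der,pem} and
  # ipsec.d/certs/<user>-crt.{der,pem} under /etc/strongswan (the PEM
  # copies are what send_Cert bundles) and re-exports the CA cert as PEM.
  # Changes the caller's cwd to /etc/strongswan, as the original did.
  # NOTE: this signs with the CA key sitting on the VPN host, which the
  # warning above advises against; once the CA key is moved off-box this
  # must run on the signing host instead.
  local user=$1
  local lifetime=$2
  local email=$3
  cd /etc/strongswan/ || return 1
  # Generate the key under a restrictive umask so it is never readable by
  # others, not even between file creation and the chmod.
  ( umask 077 && strongswan pki --gen --type rsa --size 2048 --outform der \
      > "ipsec.d/private/$user-key.der" )
  chmod 600 "ipsec.d/private/$user-key.der"
  strongswan pki --pub --in "ipsec.d/private/$user-key.der" --type rsa \
    | strongswan pki --issue --lifetime "$lifetime" \
        --cacert ipsec.d/cacerts/strongswanCert.der \
        --cakey ipsec.d/private/strongswanKey.der \
        --dn "C=US, O=HDMZ, CN=$email" --san "$email" --san "$user" --outform der \
        > "ipsec.d/certs/$user-crt.der"
  # The PEM private key is written unencrypted; openssl creates it with the
  # ambient umask, so it needs the same 0600 treatment as the DER key.
  ( umask 077 && openssl rsa -inform DER -in "ipsec.d/private/$user-key.der" \
      -out "ipsec.d/private/$user-key.pem" -outform PEM )
  chmod 600 "ipsec.d/private/$user-key.pem"
  openssl x509 -inform DER -in "ipsec.d/certs/$user-crt.der" -out "ipsec.d/certs/$user-crt.pem" -outform PEM
  openssl x509 -inform DER -in ipsec.d/cacerts/strongswanCert.der -out ipsec.d/cacerts/strongswanCert.pem -outform PEM
}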
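send_Cert(){
  # Bundle a user's private key, certificate and the CA certificate into a
  # PKCS#12 file under /root/vpn-certs and e-mail it to them.
  #   $1 - user name (as passed to userCert)
  #   $2 - recipient e-mail address
  # Expects userCert to have run for this user. Paths are absolute so the
  # function no longer depends on the caller's cwd.
  # SECURITY: no -passout is given, so openssl prompts for the PKCS#12
  # export password on the terminal; that password is the only protection
  # for the private key in transit, because the attachment leaves via
  # whatever the local MTA does (typically plain SMTP). Prefer handing
  # the .p12 over out of band, and use a strong export password.
  local user=$1
  local email=$2
  local base=/etc/strongswan
  local outdir=/root/vpn-certs
  local bundle="$outdir/$user.p12"
  mkdir -p "$outdir"
  chmod 700 "$outdir"
  ( umask 077 && openssl pkcs12 -export \
      -inkey "$base/ipsec.d/private/$user-key.pem" -in "$base/ipsec.d/certs/$user-crt.pem" \
      -name "$user's VPN Certificate" \
      -certfile "$base/ipsec.d/cacerts/strongswanCert.pem" -caname "strongSwan Root CA" \
      -out "$bundle" )
  chmod 600 "$bundle"
  echo "Check the attachment" | mail -s "$user's VPN Certificate" -a "$bundle" "$email"
}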
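# Firewall Setup
# Every VPN rule goes into the dmz zone, which is then made the default.
# --zone is given on each rule on purpose: a rule added without it lands in
# whatever the default zone is at that moment, which is not yet dmz.
firewall-cmd --zone=dmz --permanent --add-rich-rule='rule protocol value="esp" accept' # ESP (the encrypted data packets)
firewall-cmd --zone=dmz --permanent --add-rich-rule='rule protocol value="ah" accept' # AH (authenticated headers)
firewall-cmd --zone=dmz --permanent --add-port=500/udp #IKE (security associations)
firewall-cmd --zone=dmz --permanent --add-port=4500/udp # IKE NAT Traversal (IPsec between natted devices)
firewall-cmd --zone=dmz --permanent --add-service="ipsec"
firewall-cmd --zone=dmz --permanent --add-masquerade # NAT VPN client traffic out through this host
firewall-cmd --set-default-zone=dmz
firewall-cmd --reload
firewall-cmd --list-all

# IP Forwarding
# Forwarding is needed to route client traffic; ICMP redirects are turned
# off in both directions. Each line is appended only when that exact line
# is absent, so re-running the script does not pile up duplicates in
# /etc/sysctl.conf (a later line still wins, as before).
sysctl_set() {
  local line=$1
  grep -qxF -- "$line" /etc/sysctl.conf || echo "$line" >> /etc/sysctl.conf
}
sysctl_set "net.ipv4.ip_forward = 1"
sysctl_set "net.ipv4.conf.all.accept_redirects = 0"
sysctl_set "net.ipv4.conf.all.send_redirects = 0"
sysctl -p

# Install the ipsec.conf shipped alongside this script. The original
# copied "ipsec.conf" relative to the cwd - which by this point is
# /etc/strongswan itself (see the cd above) - into a misspelled
# "/etc/strongswang" directory, so it could never have worked; resolve the
# template relative to the script instead. NOTE(review): confirm that is
# where the template really lives.
script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
cp "$script_dir/ipsec.conf" /etc/strongswan/ipsec.conf
# Only enabled, not started: nothing in this script writes ipsec.secrets
# (which must reference vpnHostKey.der), so starting is left to the
# operator once that file exists.
systemctl enable strongswan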