
@touzi
Forked from kevinzhow/vpnserver.sh
Created October 8, 2015 09:34
OnClickVPNServer
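#!/usr/bin/env bash
# One-shot installer: adds a third-party APT source and installs pptpd,
# fail2ban and shadowsocks-libev. Later sections of this script write
# configuration files directly under /etc.

# Every redirection below targets /etc without sudo, so the script only works
# as root. Fail early instead of half-configuring the host.
if [ "$(id -u)" -ne 0 ]; then
  echo 'This script must be run as root.' >&2
  exit 1
fi

# Third-party package source for shadowsocks-libev.
# NOTE(review): the source is plain HTTP and this script never imports a
# signing key for it, so packages from it are not authenticated. Install the
# repository's key (and prefer HTTPS) before trusting it; apt may also refuse
# the unauthenticated install when run with -y.
ss_repo='deb http://shadowsocks.org/debian wheezy main'
# Only append the line once, so re-running the script does not pile up
# duplicate entries in sources.list.
if ! grep -qxF -- "$ss_repo" /etc/apt/sources.list 2>/dev/null; then
  echo "$ss_repo" >> /etc/apt/sources.list
fi
# Pre-requisites
sudo apt-get -y update
sudo apt-get -y install pptpd
sudo apt-get -y install fail2ban
sudo apt-get -y install shadowsocks-libev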
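# Shadowsocks server configuration.
# The password is taken from SS_PASSWORD when the caller exports it;
# otherwise a random 24-character one is generated. A fixed, published
# password on a listener bound to 0.0.0.0 lets anyone who has read this script
# use the proxy.
ss_password=${SS_PASSWORD:-}
if [ -z "$ss_password" ]; then
  ss_password=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)
fi
# The value is pasted into a JSON string, so reject characters that would
# terminate or escape it.
case $ss_password in
  '' | *[\"\\]*)
    echo 'SS_PASSWORD must be non-empty and must not contain " or \' >&2
    exit 1
    ;;
esac
# NOTE(review): aes-256-cfb provides no ciphertext authentication; if the
# installed shadowsocks-libev supports an AEAD method, prefer it.
# NOTE(review): the file is created with the default umask and contains the
# secret; restrict its mode/ownership to the account the daemon runs as.
# NOTE(review): nothing in this script restarts shadowsocks-libev after the
# file is written - confirm the service picks up the new configuration.
cat >/etc/shadowsocks-libev/config.json <<END
{
"server":"0.0.0.0",
"server_port":8088,
"local_address": "127.0.0.1",
"local_port":1080,
"password":"${ss_password}",
"timeout":300,
"method":"aes-256-cfb",
"fast_open": true
}
END
echo 'Shadowsocks password is stored in /etc/shadowsocks-libev/config.json' >&2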
# Kernel network tuning, written as a drop-in and loaded immediately.
# The delimiter is quoted so the shell never expands anything in the body.
# Security-relevant entry: tcp_syncookies=1 keeps SYN-flood protection on.
# The remaining keys are throughput/latency tuning (buffers, backlog sizes,
# TCP Fast Open, congestion control).
cat <<'SYSCTL_TUNING' >/etc/sysctl.d/local.conf
fs.file-max = 51200
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.rmem_default = 65536
net.core.wmem_default = 65536
net.core.netdev_max_backlog = 4096
net.core.somaxconn = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1
# for high-latency network
net.ipv4.tcp_congestion_control = hybla
# for low-latency network, use cubic instead
# net.ipv4.tcp_congestion_control = cubic
SYSCTL_TUNING
# Apply every sysctl drop-in now rather than waiting for a reboot.
sysctl --system
# PPTP daemon: PPP options followed by the pptpd address pool.
# Both files are replaced wholesale; the delimiters are quoted so the shell
# leaves the bodies untouched.
#
# NOTE(review): this is the strictest setting PPTP offers (MS-CHAPv2 only,
# 128-bit MPPE), but MS-CHAPv2 itself is considered broken and a captured
# handshake can be used to recover the session credentials. Treat PPTP as
# legacy-compatibility only and prefer the IKEv2 setup for anything sensitive.
cat <<'PPTPD_OPTIONS' >/etc/ppp/options.pptpd
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
PPTPD_OPTIONS
# NOTE(review): 172.7.0.0 lies outside the RFC 1918 private range
# (172.16.0.0/12), so the tunnel pool below overlaps publicly routable
# addresses. Changing it also requires matching the NAT rules applied by the
# firewall script - verify both together.
cat <<'PPTPD_CONF' >/etc/pptpd.conf
option /etc/ppp/options.pptpd
logwtmp
localip 172.7.0.1
remoteip 172.7.0.10-100
PPTPD_CONF
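# Turn the host into a router for VPN clients.
# Append the setting only when it is not already present, so re-running the
# script does not keep growing /etc/sysctl.conf with duplicate lines.
if ! grep -qxF 'net.ipv4.ip_forward=1' /etc/sysctl.conf 2>/dev/null; then
  cat >> /etc/sysctl.conf <<END
net.ipv4.ip_forward=1
END
fi
# Load /etc/sysctl.conf so forwarding is active immediately.
sysctl -p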
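# Fetch the firewall script, run it, then persist the resulting ruleset and
# restore it before each interface comes up.
#
# NOTE(review): the script is downloaded and executed as root. The host in the
# URL is not a github.com / githubusercontent.com domain - confirm it is the
# source you intend to trust. The revision id in the path does not help if the
# serving host itself is not trusted, so review the script and pin its digest
# by exporting IPTABLES_SH_SHA256=<expected sha256 of the reviewed script>.
fw_url='https://gist.githubusercontent.com/kevinzhow/984f55af8b6c901814b1/raw/5529f291da2410e6285d24f5203a5eb47fedbb0c/gistfile1.sh'
# Unpredictable temp file instead of a fixed name in the current directory.
fw_script=$(mktemp) || { echo 'mktemp failed' >&2; exit 1; }
# Never execute a missing or partially downloaded script.
if ! wget -O "$fw_script" "$fw_url"; then
  echo "Download of $fw_url failed; firewall rules not applied." >&2
  rm -f -- "$fw_script"
  exit 1
fi
if [ -n "${IPTABLES_SH_SHA256:-}" ]; then
  if ! printf '%s  %s\n' "$IPTABLES_SH_SHA256" "$fw_script" | sha256sum -c - >/dev/null; then
    echo 'Downloaded firewall script does not match IPTABLES_SH_SHA256; refusing to run it.' >&2
    rm -f -- "$fw_script"
    exit 1
  fi
else
  echo 'Warning: IPTABLES_SH_SHA256 is not set; running the downloaded firewall script unverified.' >&2
fi
if ! sh "$fw_script"; then
  # Best effort, as before: report the failure but still persist whatever
  # ruleset is live so the boot-time hook has a file to restore.
  echo 'Warning: firewall script exited with an error; review the ruleset saved below.' >&2
fi
rm -f -- "$fw_script"
iptables-save > /etc/firewall.rules
cat >/etc/network/if-pre-up.d/firewall <<END
#!/bin/sh
/sbin/iptables-restore < /etc/firewall.rules
END
chmod +x /etc/network/if-pre-up.d/firewall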
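# PPTP account.
# PPTP_USER defaults to "test"; PPTP_PASSWORD is generated randomly when the
# caller does not export one, so the server never comes up with a published
# username/password pair.
pptp_user=${PPTP_USER:-test}
pptp_password=${PPTP_PASSWORD:-}
if [ -z "$pptp_password" ]; then
  pptp_password=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)
fi
# chap-secrets fields are whitespace separated; keep both values to a plain
# character set so they cannot break the file format.
for pptp_field in "$pptp_user" "$pptp_password"; do
  case $pptp_field in
    '' | *[!A-Za-z0-9._@-]*)
      echo 'PPTP_USER and PPTP_PASSWORD must be non-empty and contain only A-Z a-z 0-9 . _ @ -' >&2
      exit 1
      ;;
  esac
done
# Format: client  server  secret  allowed-IPs. The trailing "*" accepts this
# account from any source address.
cat >/etc/ppp/chap-secrets <<END
${pptp_user} pptpd ${pptp_password} *
END
# The file stores the password in clear text: owner-only access.
chmod 600 /etc/ppp/chap-secrets
echo 'PPTP credentials are stored in /etc/ppp/chap-secrets' >&2
service pptpd restart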
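#IPSec IKev1
sudo apt-get -y install strongswan strongswan-plugin-xauth-generic strongswan-plugin-eap-mschapv2
# IPsec secrets.
# IPSEC_USER defaults to "test". IPSEC_PSK and IPSEC_PASSWORD are generated
# randomly when not exported, replacing the fixed value "test" for every
# secret. A guessable PSK is especially harmful here because the connection
# profiles written to ipsec.conf enable IKEv1 aggressive mode.
ipsec_user=${IPSEC_USER:-test}
ipsec_psk=${IPSEC_PSK:-}
ipsec_password=${IPSEC_PASSWORD:-}
if [ -z "$ipsec_psk" ]; then
  ipsec_psk=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)
fi
if [ -z "$ipsec_password" ]; then
  ipsec_password=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)
fi
# Values are written inside double quotes / as bare words in ipsec.secrets;
# keep them to a plain character set so they cannot break the file format.
for ipsec_field in "$ipsec_user" "$ipsec_psk" "$ipsec_password"; do
  case $ipsec_field in
    '' | *[!A-Za-z0-9._@-]*)
      echo 'IPSEC_USER, IPSEC_PSK and IPSEC_PASSWORD must be non-empty and contain only A-Z a-z 0-9 . _ @ -' >&2
      exit 1
      ;;
  esac
done
# NOTE(review): serverKey.pem is referenced here but this script never creates
# or installs it; the pubkey-based connections need it provisioned separately.
cat > /etc/ipsec.secrets <<END
: RSA serverKey.pem
: PSK "${ipsec_psk}"
${ipsec_user} %any : EAP "${ipsec_password}"
${ipsec_user} %any : XAUTH "${ipsec_password}"
END
# Clear-text secrets: owner-only access.
chmod 600 /etc/ipsec.secrets
echo 'IPsec PSK and user password are stored in /etc/ipsec.secrets' >&2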
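# strongSwan connection profiles (IKEv1 for iOS/Android XAUTH clients, IKEv2
# with EAP-MSCHAPv2).
#
# Fix: ipsec.conf requires the parameters of a section to be indented under
# its "config"/"conn" header; the body is indented accordingly. The delimiter
# is quoted so the shell expands nothing in it.
#
# NOTE(review): several profiles set aggressive=yes together with PSK
# authentication. In IKEv1 aggressive mode the responder reveals a hash
# derived from the PSK before the peer is authenticated, which allows offline
# guessing of a weak PSK. Use a long random PSK, or prefer the IKEv2 /
# certificate profiles and drop the aggressive-mode ones if clients allow it.
# NOTE(review): leftid=@*.domain.com and leftcert=serverCert.pem are
# placeholders; this script never creates the certificate.
# NOTE(review): uniqueids=never allows any number of simultaneous sessions
# with the same identity.
cat > /etc/ipsec.conf <<'END'
config setup
    cachecrls=yes
    strictcrlpolicy=yes
    uniqueids=never
conn %default
    keyexchange=ikev1
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    #rightsubnet=10.7.0.0/24
    rightsourceip=10.7.0.0/24
    rightdns=8.8.8.8,8.8.4.4
    auto=add
    fragmentation=yes
conn iOS
    leftauth=pubkey
    rightauth2=xauth
    aggressive=yes
    rightauth=pubkey
    leftid=test
conn android
    aggressive=no
    leftauth=psk
    rightauth2=xauth
    rightauth=psk
conn xauth_psk
    leftid=test
    aggressive=yes
    leftauth=psk
    rightauth2=xauth
    rightauth=psk
conn ios_ikev2
    keyexchange=ikev2
    leftsendcert=always
    leftid=@*.domain.com
    leftcert=serverCert.pem
    rightauth=eap-mschapv2
    eap_identity=%any
    rightsendcert=never
    rightid="test"
    closeaction=clear
    #dpddelay = 1s
    auto=add
conn ios_ikev2_psk
    keyexchange=ikev2
    eap_identity = %any
    rightsendcert=never
    rightid="test"
    reauth=no
    #rekey=no
    closeaction=clear
    #dpddelay = 1s
    auto=add
    leftauth=psk
    #rightauth2=xauth
    rightauth = eap-mschapv2
    aggressive=yes
    #rightauth=psk
END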
# charon daemon settings; replaces the packaged charon.conf entirely.
# The delimiter is quoted so the shell expands nothing in the body.
#
# NOTE(review): the first option is strongSwan's explicit opt-in for
# responding to IKEv1 aggressive mode with a PSK - its name is the vendor's
# own warning. It is needed only by the aggressive=yes PSK profiles in
# ipsec.conf; remove it together with those profiles if clients permit.
# NOTE(review): duplicheck.enable is set directly under charon {} here; check
# the strongSwan documentation for where that plugin option is expected.
cat <<'CHARON_CONF' > /etc/strongswan.d/charon.conf
charon {
i_dont_care_about_security_and_use_aggressive_mode_psk = yes
load_modular = yes
duplicheck.enable = no
crypto_test {
}
host_resolver {
}
leak_detective {
}
processor {
priority_threads {
}
}
tls {
}
x509 {
}
}
CHARON_CONF
# Restart so the new secrets, connections and daemon options take effect.
service strongswan restart