一键设置L2TP脚本-Ubuntu14.04LTS

亲测在Vultr和UltraVPS的Ubuntu 14.04 LTS成功搭建L2TP的VPN。

本方法使用Linux自带的账户认证作为L2TP的认证。用户名默认为vpn_user，密码在脚本执行过程中，由执行者手动设定密码；PSK为psk，开机自动启动。

本脚本必须使用root账户执行。

#!/bin/bash# Referring from https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_14.04.htmlif [[ $EUID -ne 0 ]]; then    echo 'Error:This script must be run as root!'    exit 1fiapt-get install -y openswan xl2tpd ppp lsof vim rng-tools curlSERVERIP=`curl -s -4 icanhazip.com`iptables -t nat -A POSTROUTING -j SNAT --to-source $SERVERIP -o eth0echo 'net.ipv4.ip_forward = 1' |  tee -a /etc/sysctl.confecho 'net.ipv4.conf.all.accept_redirects = 0' |  tee -a /etc/sysctl.confecho 'net.ipv4.conf.all.send_redirects = 0' |  tee -a /etc/sysctl.confecho 'net.ipv4.conf.default.rp_filter = 0' |  tee -a /etc/sysctl.confecho 'net.ipv4.conf.default.accept_source_route = 0' |  tee -a /etc/sysctl.confecho 'net.ipv4.conf.default.send_redirects = 0' |  tee -a /etc/sysctl.confecho 'net.ipv4.icmp_ignore_bogus_error_responses = 1' |  tee -a /etc/sysctl.conffor vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; donesysctl -p# start VPN onstartcp /etc/rc.local{,.bak}sed -i '/exit 0/d' /etc/rc.localcat >> /etc/rc.local<<EOFfor vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; doneiptables -t nat -A POSTROUTING -j SNAT --to-source $SERVERIP -o eth0exit 0EOF# config ipseccp /etc/ipsec.conf{,.bak}cat >/etc/ipsec.conf <<EOFversion 2 # conforms to second version of ipsec.conf specificationconfig setup    dumpdir=/var/run/pluto/    #in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?    nat_traversal=yes    #whether to accept/offer to support NAT (NAPT, also known as 'IP Masqurade') workaround for IPsec    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10    #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.    protostack=netkey    #decide which protocol stack is going to be used.    force_keepalive=yes    keep_alive=60    # Send a keep-alive packet every 60 seconds.conn L2TP-PSK-noNAT    authby=secret    #shared secret. Use rsasig for certificates.    pfs=no    #Disable pfs    auto=add    #the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.    keyingtries=3    #Only negotiate a conn. 3 times.    ikelifetime=8h    keylife=1h    ike=aes256-sha1,aes128-sha1,3des-sha1    phase2alg=aes256-sha1,aes128-sha1,3des-sha1    # https://lists.openswan.org/pipermail/users/2014-April/022947.html    # specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g. modp1028. See RFC 5114 for details or the wiki page on diffie hellmann, if interested.    type=transport    #because we use l2tp as tunnel protocol    left=$SERVERIP    #fill in server IP above    leftprotoport=17/1701    right=%any    rightprotoport=17/%any    dpddelay=10    # Dead Peer Dectection (RFC 3706) keepalives delay    dpdtimeout=20    #  length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.    dpdaction=clear    # When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.EOF#config ipsec.secretscp /etc/ipsec.secrets{,.bak}cat >/etc/ipsec.secrets <<EOF$SERVERIP  %any:   PSK 'psk' #<<<<<<<<<<PSK>>>>>>>>>>#EOFipsec verifycp /etc/xl2tpd/xl2tpd.conf{,.bak}cat > /etc/xl2tpd/xl2tpd.conf <<EOF[global]ipsec saref = yessaref refinfo = 30;debug avp = yes;debug network = yes;debug state = yes;debug tunnel = yes[lns default]ip range = 172.16.1.30-172.16.1.100local ip = 172.16.1.1require authentication = yesunix authentication = yes;ppp debug = yespppoptfile = /etc/ppp/options.xl2tpdlength bit = yesEOF# config options.xl2tpdcp /etc/ppp/options.xl2tpd{,.bak}cat >/etc/ppp/options.xl2tpd <<EOFms-dns 8.8.8.8ms-dns 8.8.4.4authmtu 1200mru 1000crtsctshide-passwordmodemname l2tpdproxyarplcp-echo-interval 30lcp-echo-failure 4loginEOF#config pam.dcp  /etc/pam.d/ppp{,.bak}sed -i '/^auth/c\auth    required        pam_nologin.so\auth    required        pam_unix.so\account required        pam_unix.so\session required        pam_unix.so' /etc/pam.d/ppp#config pap-secretscp /etc/ppp/pap-secrets{,.bak}cat >>/etc/ppp/pap-secrets <<EOF*       l2tpd           ''              *EOFuseradd vpn_userecho -n 'set password for [vpn_user]:'passwd vpn_user/etc/init.d/ipsec restart/etc/init.d/xl2tpd restartecho 'IP:' $SERVERIPecho 'UserName(set by useradd vpn_user): vpn_user'echo 'PSK(set by /etc/ipsec.secrets): psk'exit 0