Simple PPTP, L2TP/IPsec, OpenVPN installers for fast, user-friendly deployment.
- Small bugfixes
- The updated GeoIP-legacy database is maintained by mailfud.org
- Fixed and replaced Easy-RSA with the latest legacy version, 2.2.2, which still has vars and scripts.
- PPTP, OpenVPN, IPsec VPN support
- User-friendly installation and configuration process
- Generation of client-side VPN configs and scripts
- Backup and uninstallation support
- User management scripts (add, check, delete), automatic restarting, iptables automation.
- Ability to choose OpenVPN custom PROTOCOL and PORT
- GEOIP: Block IP range from countries with GeoIP and iptables
- DNS: Predefined sets. Added system resolvers, useful for preventing DNS leaks with geo-blocked content
- TODO: Scripted port forwarding to the clients (and static IP assignment)
- TODO: Check and adjust configuration files for the PPTP server and L2TP server for the native Windows XP client
- TODO: Careful revision of iptables rule restoration on reboot (considering moving this to a systemd service)
- Ubuntu (Successfully tested on Ubuntu Server 18.04 LTS with the latest kernel 4.15.0-177-generic x86_64)
- CentOS 7 (Successfully tested on CentOS 7.9 with the latest kernel 3.10.0-1160-62.1.el7.x86_64)
- CentOS Stream 8 (Successfully tested on CentOS Stream 8)
Download: git clone --depth=1 https://github.com/xyencode/vpn-install.git
Then run one or more of the following (as root or using sudo):
vpn-install/pptp/install.sh
vpn-install/openvpn/install.sh
vpn-install/ipsec/install.sh
BEFORE INSTALLATION !!!
For GEOIP filtering, remember to edit the cc.allow and cc.deny files in each folder according to your preferences.
Choose the operating mode: SELECTIVE (1) or EXCLUSIVE (2).
In SELECTIVE mode clients are allowed to connect only from specific countries.
Connections from all other countries will be dropped.
You MUST specify a list of country codes to allow inside the **** cc.allow **** file.
In EXCLUSIVE mode clients are rejected if they try to connect from specific countries,
but all other countries are accepted.
You MUST specify a list of country codes to block inside the **** cc.deny **** file.
The format for the cc.allow and cc.deny files is comma-separated, e.g. US,CA,FR,DE,IT
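How the two modes and the list format map onto iptables geoip matches, as an added example that is not code from vpn-install: it validates a list and prints the rules without applying them, splitting lists longer than the 15 codes xt_geoip accepts per rule. The function names, the INPUT chain and the udp/1194 sample are assumptions.

```shell
#!/bin/sh
# Added example, not part of vpn-install: validate a cc.allow / cc.deny list
# and print (never apply) the iptables geoip rules for the chosen mode.
MAX_CC=15   # xt_geoip (xtables-addons) takes at most 15 country codes per rule

# normalize_cc "us, CA,fr" -> "US,CA,FR"; non-zero status on a malformed entry.
normalize_cc() (
    set -f; IFS=,
    raw=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr 'a-z' 'A-Z')
    [ -n "$raw" ] || { echo "empty country list" >&2; exit 1; }
    out=""
    for cc in $raw; do
        case "$cc" in [A-Z][A-Z]) ;; *) echo "invalid country code: '$cc'" >&2; exit 1 ;; esac
        case ",$out," in *",$cc,"*) continue ;; esac   # skip duplicates
        out="${out:+$out,}$cc"
    done
    printf '%s\n' "$out"
)

# geoip_rules MODE LIST PROTO PORT
#   MODE 1 = SELECTIVE (LIST from cc.allow), MODE 2 = EXCLUSIVE (LIST from cc.deny)
geoip_rules() (
    mode=$1; proto=$3; port=$4
    list=$(normalize_cc "$2") || exit 1
    case "$mode" in
        1) target=ACCEPT ;;
        2) target=DROP ;;
        *) echo "mode must be 1 or 2" >&2; exit 1 ;;
    esac
    case "$proto" in tcp|udp) ;; *) echo "bad protocol" >&2; exit 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port" >&2; exit 1 ;; esac
    base="iptables -A INPUT -p $proto --dport $port"   # INPUT chain is an assumption
    set -f; IFS=,
    chunk=""; n=0
    for cc in $list; do
        if [ "$n" -eq "$MAX_CC" ]; then      # rule is full: emit it, start the next
            echo "$base -m geoip --src-cc $chunk -j $target"
            chunk=""; n=0
        fi
        chunk="${chunk:+$chunk,}$cc"; n=$((n + 1))
    done
    echo "$base -m geoip --src-cc $chunk -j $target"
    # SELECTIVE only: anything no ACCEPT rule matched is dropped.
    [ "$mode" -ne 1 ] || echo "$base -j DROP"
)

# Constructed sample: the list format shown above, OpenVPN on udp/1194.
geoip_rules 1 "US,CA,FR,DE,IT" udp 1194
```

Using positive matches plus a final DROP for SELECTIVE mode keeps the result correct when a long list is split across several rules, which a single negated match would not.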
These "wizards" will install required packages, generate necessary config files, update network configurations (to enable routing), add iptables rules, add cron jobs (for restarting servers, restoring iptables rules after reboot).
You will be asked for the logins and passwords of VPN users, some network information, preferred DNS resolvers, and whether to allow client-to-client routing.
NOTE for Ubuntu branch: Ubuntu 18.04 is the last version supporting PPTP\L2TP because the kernel module nf_conntrack_proto_gre is no longer available in later releases.
Only MS-CHAP v2 with MPPE-128 encryption is allowed.
Note that PPTP is NOT recommended for transmitting secret data, because all strong PPTP authentication algorithms have already been broken: see link for more information.
By default (see pptpd.conf.dist and env.sh) it uses the 172.16.0.0/24 subnet.
- adduser.sh - script for user-friendly editing of the chap-secrets file and generating the client-side setup script.
- autostart.sh - script for adding cron jobs (restoring iptables after boot and checking the server's running state).
- backup.sh - script for backing up system config files, parameters, and service and package statuses, and for generating the uninstall script.
- checkserver.sh - script for the cron job that checks the server's running state.
- checkuser.sh - script for user-friendly checking of an existing user in the chap-secrets file.
- deluser.sh - script for user-friendly removal of an existing user from the chap-secrets file.
- dns.sh - script for user-friendly modification of the DNS resolver settings that will be pushed to Windows clients.
- env.sh - config variables common to all scripts (package manager, subnet, IP, config file paths).
- geoip.sh - prepares (and updates) the system with xtables addons for iptables. This script can be run standalone to update the database or rebuild kernel modules.
- install.sh - main installation script (wizard).
- iptables-setup.sh - iptables configuration script.
- options.pptp.dist - PPP options template.
- pptpd.conf.dist - PPTPD config template.
- setup.sh.dist - client-side connection installer script template.
- sysctl.sh - script for setting up IP forwarding and disabling some packets for security reasons (using sysctl).
On Linux:
During VPN server installation (more precisely, while adding a user), a client-side setup.sh script is generated in the %username% directory. The client-side setup script was tested on Ubuntu 16.04.
You can also use the standard Ubuntu Network Manager for the PPTP VPN connection. Remember to modify ADVANCED SETTINGS and enable MPPE.
On Windows:
Create a new VPN connection using the standard 'Set up a new connection or network' wizard, select PPTP VPN and provide the host, login and password information. In the 'Security' tab of the created connection, check only the MS-CHAP v2 protocol.
NOTE for Ubuntu branch: Ubuntu 18.04 is the last version supporting PPTP\L2TP because the kernel module nf_conntrack_proto_gre is no longer available in later releases.
IPsec over L2TP VPN server with pre-shared key.
Only MS-CHAP v2 is allowed on L2TP.
IPsec implementation: strongSwan.
L2TP implementation: xl2tpd.
By default (see xl2tpd.conf.dist and env.sh) it uses the 172.18.0.0/24 subnet.
IKE encryption algorithms: see ipsec.conf.dist.
- adduser.sh - script for user-friendly editing of the chap-secrets file and generating the client-side setup script.
- autostart.sh - script for adding cron jobs (restoring iptables after boot and checking the servers' running state).
- backup.sh - script for backing up system config files, parameters, and service and package statuses, and for generating the uninstall script.
- checkserver.sh - script for the cron job that checks the servers' running state.
- checkuser.sh - script for user-friendly checking of an existing user in the chap-secrets file.
- client-options.xl2tpd.dist - client-side ppp connection template.
- client-xl2tpd.conf.dist - client-side xl2tpd config template.
- connect.sh.dist - client-side connect script template.
- deluser.sh - script for user-friendly removal of an existing user from the chap-secrets file.
- disconnect.sh.dist - client-side disconnect script template.
- dns.sh - script for user-friendly modification of the DNS resolver settings that will be pushed to Windows clients.
- env.sh - config variables common to all scripts (subnet, IP, config file paths).
- install.sh - main installation script (wizard).
- ipsec.conf.dist - IPsec (strongSwan) config file template.
- iptables-setup.sh - iptables configuration script.
- geoip.sh - prepares (and updates) the system with xtables addons for iptables. This script can be run standalone to update the database or rebuild kernel modules.
- options.xl2tpd.dist - PPP options template.
- psk.sh - script for user-friendly creation of the pre-shared key in the ipsec.secrets file.
- setup.sh.dist - client-side connection installer script template.
- sysctl.sh - script for setting up IP forwarding and disabling some packets for security reasons (using sysctl).
- xl2tpd.conf.dist - xl2tpd config file template.
On Linux:
During VPN server installation (more precisely, while adding a user), a client-side setup.sh script is generated in the %username% directory, together with the necessary config files and the connect.sh and disconnect.sh scripts. The client-side scripts were tested on Ubuntu 16.04.
You can also use the standard Ubuntu Network Manager for the IPsec VPN connection (not included in the standard installation).
On Windows:
Create a new VPN connection using the standard 'Set up a new connection or network' wizard, select 'L2TP/IPsec with pre-shared key', and provide the host, login and password information.
In the 'Security' tab of the created connection, check only the MS-CHAP v2 protocol, then open 'Advanced settings' and enter your pre-shared key.
Server and client certificates and TLS auth are used for authentication (generated using the Easy-RSA package, see adduser.sh and install.sh).
Used cipher: AES-256-CBC (see openvpn-server.conf.dist).
By default (see openvpn-server.conf.dist and env.sh) it uses the 172.20.0.0/24 subnet. Port 1194 (default).
- adduser.sh - script for user-friendly generation of the client config, key and certificate.
- autostart.sh - script for adding cron jobs (restoring iptables after boot and checking the server's running state).
- backup.sh - script for backing up system config files, parameters, and service and package statuses, and for generating the uninstall script.
- checkserver.sh - script for the cron job that checks the server's running state.
- checkuser.sh - script for user-friendly checking of an existing user.
- customize.sh - script that implements new features: custom protocol and port selection
- deluser.sh - script for user-friendly removal of an existing user (certificate revocation).
- dns.sh - script for user-friendly modification of the DNS resolver settings that will be pushed to Windows clients.
- env.sh - config variables common to all scripts (subnet, IP, config file paths).
- install.sh - main installation script (wizard).
- iptables-setup.sh - iptables configuration script.
- geoip.sh - prepares (and updates) the system with xtables addons for iptables. This script can be run standalone to update the database or rebuild kernel modules.
- openvpn-server-embedded.ovpn.dist - client config file with embedded keys and certificates template.
- openvpn-server.conf.dist - OpenVPN server config file template.
- openvpn-server.ovpn.dist - client config file template.
- sysctl.sh - script for setting up IP forwarding and disabling some packets for security reasons (using sysctl).
On Linux:
During VPN server installation (more precisely, while adding a user), client-side configs are generated in the %username% directory.
Then simply:
apt-get install openvpn
openvpn --config config.ovpn
You can also use the standard Ubuntu Network Manager for the OpenVPN connection. Just import the embedded *.ovpn profile.
On Windows:
Download the OpenVPN GUI client: https://openvpn.net/index.php/open-source/downloads.html.
For Windows XP SP3, download this patched version: https://sourceforge.net/projects/openvpn-for-windows-xp/
Import the config and connect, or run the Explorer context menu command.
During installation, the script backs up the config files already present on the system and creates an uninstall script. To uninstall, run one or more of the following (as root or using sudo):
vpn-install/pptp/uninstall/uninstall.sh
vpn-install/openvpn/uninstall/uninstall.sh
vpn-install/ipsec/uninstall/uninstall.sh
These "wizards" will uninstall the installed packages, restore the system config files (as they were before installation), and remove the added iptables rules and cron jobs.