Add XAuth support

See: hwdsl2/setup-ipsec-vpn#386
vizv · Jul 4, 2018 · b627cee · b627cee
1 parent 07e89c8
commit b627cee
Showing 1 changed file with 33 additions and 4 deletions.
diff --git a/run.sh b/run.sh
@@ -46,7 +46,7 @@ ip link delete dummy0 >/dev/null 2>&1
 
 mkdir -p /opt/src
 vpn_env="/opt/src/vpn-gen.env"
-if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
+if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ] && [ -z "$VPN_GROUP" ]; then
   if [ -f "$vpn_env" ]; then
     echo
     echo "Retrieving previously generated VPN credentials..."
@@ -57,10 +57,12 @@ if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
     VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)"
     VPN_USER=vpnuser
     VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)"
+    VPN_GROUP=group
 
     echo "VPN_IPSEC_PSK=$VPN_IPSEC_PSK" > "$vpn_env"
     echo "VPN_USER=$VPN_USER" >> "$vpn_env"
     echo "VPN_PASSWORD=$VPN_PASSWORD" >> "$vpn_env"
+    echo "VPN_GROUP=$VPN_GROUP" >> "$vpn_env"
     chmod 600 "$vpn_env"
   fi
 fi
@@ -72,21 +74,28 @@ VPN_USER="$(nospaces "$VPN_USER")"
 VPN_USER="$(noquotes "$VPN_USER")"
 VPN_PASSWORD="$(nospaces "$VPN_PASSWORD")"
 VPN_PASSWORD="$(noquotes "$VPN_PASSWORD")"
+VPN_GROUP="$(nospaces "$VPN_GROUP")"
+VPN_GROUP="$(noquotes "$VPN_GROUP")"
 
 if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
   exiterr "All VPN credentials must be specified. Edit your 'env' file and re-enter them."
 fi
+[ -z "$VPN_GROUP" ] && VPN_GROUP=group
 
-if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
+if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD $VPN_GROUP" | LC_ALL=C grep -q '[^ -~]\+'; then
   exiterr "VPN credentials must not contain non-ASCII characters."
 fi
 
-case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
+case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD $VPN_GROUP" in
   *[\\\"\']*)
     exiterr "VPN credentials must not contain these special characters: \\ \" '"
     ;;
 esac
 
+# Create system user for vpnc aggressive mode
+useradd -s /usr/sbin/nologin "$VPN_USER"
+echo "$VPN_USER:$VPN_PASSWORD" | chpasswd
+
 echo
 echo 'Trying to auto discover IP of this server...'
 
@@ -131,7 +140,7 @@ conn shared
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear
-  ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
+  ike=3des-sha1,3des-sha1;modp1024,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
   phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
   sha2-truncbug=yes
 
@@ -159,6 +168,25 @@ conn xauth-psk
   ikev2=never
   cisco-unity=yes
   also=shared
+
+conn xauth-psk-vpnc
+  auto=add
+  leftsubnet=0.0.0.0/0
+  rightaddresspool=$XAUTH_POOL
+  modecfgdns1=$DNS_SRV1
+  modecfgdns2=$DNS_SRV2
+  leftxauthserver=yes
+  rightxauthclient=yes
+  leftmodecfgserver=yes
+  rightmodecfgclient=yes
+  modecfgpull=yes
+  xauthby=pam
+  ike-frag=yes
+  ikev2=never
+  cisco-unity=yes
+  also=shared
+  rightid=@[$VPN_GROUP]
+  aggrmode=yes
 EOF
 
 # Specify IPsec PSK
@@ -269,6 +297,7 @@ Server IP: $PUBLIC_IP
 IPsec PSK: $VPN_IPSEC_PSK
 Username: $VPN_USER
 Password: $VPN_PASSWORD
+Group: $VPN_GROUP
 
 Write these down. You'll need them to connect!