#! /bin/bash


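# Bootstrap an L2TP/IPsec server (strongSwan + xl2tpd) on a Debian/Ubuntu host.
#
# Usage: <script> [PSK] [VPN_USER] [VPN_PASSWORD]
#   $1 - IPsec pre-shared key   (default: baidu.com)
#   $2 - CHAP user name         (default: vpn)
#   $3 - CHAP password          (default: vpnadmin)
# The defaults are placeholders that anyone can guess; supply explicit values
# for a host reachable from the Internet.
#
# Must run as root: it appends to /etc/sysctl.conf, writes /etc/ipsec.conf,
# /etc/ipsec.secrets, /etc/xl2tpd/xl2tpd.conf, /etc/ppp/options.xl2tpd and
# /etc/ppp/chap-secrets, installs packages and adds iptables rules.
# Re-running the script does not duplicate the sysctl lines or the iptables
# rules; the configuration files are simply rewritten.
set -euo pipefail

psk=${1:-baidu.com}
vpnuser=${2:-vpn}
vpnpassword=${3:-vpnadmin}

# Address plan for VPN clients.  The pool and the local address must lie
# inside vpn_subnet, which is also what the NAT and FORWARD rules cover.
readonly vpn_subnet=192.168.88.0/24
readonly vpn_local_ip=192.168.88.1
readonly vpn_pool=192.168.88.10-192.168.88.250

die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

[[ $EUID -eq 0 ]] || die "this script must run as root"

# Pick the first interface that is neither loopback nor a ppp link and has an
# IPv4 address.  It becomes the IPsec 'left' endpoint and the NAT egress
# interface.  'ip -o' prints one address per line:
#   "<idx>: <iface>    inet <addr>/<prefix> ..."
read -r netcard lip < <(ip -o -4 addr show \
  | awk '$2 != "lo" && $2 !~ /^ppp/ { split($4, a, "/"); print $2, a[1]; exit }') || true
[[ -n "${netcard:-}" && -n "${lip:-}" ]] || die "no usable IPv4 interface found"

# Enable forwarding and disable ICMP redirects.  Only append when a previous
# run has not already done so, otherwise /etc/sysctl.conf grows on every run.
if ! grep -qF 'net.ipv4.ip_forward = 1' /etc/sysctl.conf 2>/dev/null; then
  cat >>/etc/sysctl.conf <<'EOF'
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
fi
# Best effort: an unknown key (e.g. IPv6 compiled out) must not abort the run.
sysctl -p || printf 'warning: sysctl -p reported errors; check /etc/sysctl.conf\n' >&2

apt-get update
apt-get upgrade -y
# Pre-answer the iptables-persistent prompts so the install is non-interactive.
echo 'iptables-persistent iptables-persistent/autosave_v4 boolean true' | debconf-set-selections
echo 'iptables-persistent iptables-persistent/autosave_v6 boolean true' | debconf-set-selections
apt-get install -y netfilter-persistent iptables-persistent strongswan xl2tpd

# strongSwan: IKEv1 + PSK, UDP 1701 (L2TP) from any peer, NAT-T forced.
# charondebug level 2 is verbose; lower it once the tunnel is known to work.
cat >/etc/ipsec.conf <<EOF
config setup
    charondebug="ike 2, knl 2, cfg 2"
    uniqueids=yes

conn %default
    keyexchange=ikev1
    authby=secret

conn L2TP-PSK
    keyexchange=ikev1
    left=$lip
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    authby=secret
    keyingtries=3
    ikelifetime=8h
    lifetime=1h
    dpdaction=clear
    dpddelay=30s
    dpdtimeout=120s
    rekey=no
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    rightsubnet=$vpn_subnet
    forceencaps=yes
    pfs=no
    sha2-truncbug=no
    auto=add
EOF

# The PSK is a secret: create the file owner-only (umask in a subshell so the
# rest of the run keeps the default umask) and fix the mode if it pre-existed.
# NOTE: a PSK containing a double quote is not escaped here.
(
  umask 077
  printf ': PSK "%s"\n' "$psk" >/etc/ipsec.secrets
)
chmod 0600 /etc/ipsec.secrets

cat >/etc/xl2tpd/xl2tpd.conf <<EOF
[global]
ipsec saref = yes

[lns default]
ip range = $vpn_pool
local ip = $vpn_local_ip
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF

cat >/etc/ppp/options.xl2tpd <<'EOF'
require-mschap-v2
refuse-mschap
refuse-pap
refuse-chap
refuse-eap
name l2tpd
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
mtu 1410
mru 1410
lcp-echo-interval 30
lcp-echo-failure 4
EOF

# CHAP credentials, owner-only like ipsec.secrets.  The user and secret are
# double-quoted so values containing spaces still parse as one field.
(
  umask 077
  cat >/etc/ppp/chap-secrets <<EOF
# Secrets for authentication using CHAP
# client    server  secret          IP addresses
"$vpnuser"  l2tpd  "$vpnpassword"  *
EOF
)
chmod 0600 /etc/ppp/chap-secrets

#######################################
# Append an iptables rule unless an identical one is already present, so that
# re-running the script does not stack duplicate rules.
# Arguments: $1 - table (nat, filter, ...); remaining - chain and rule spec
#######################################
ensure_rule() {
  local table=$1
  shift
  iptables --table "$table" --check "$@" 2>/dev/null \
    || iptables --table "$table" --append "$@"
}

# NAT: masquerade VPN client traffic leaving via the public interface.
ensure_rule nat POSTROUTING --out-interface "$netcard" --jump MASQUERADE

# Forwarding rules for the VPN subnet.
ensure_rule filter FORWARD --match policy --pol ipsec --dir in --proto esp --source "$vpn_subnet" --destination 0.0.0.0/0 --jump ACCEPT
ensure_rule filter FORWARD --match policy --pol ipsec --dir out --proto esp --source 0.0.0.0/0 --destination "$vpn_subnet" --jump ACCEPT
ensure_rule filter FORWARD --source "$vpn_subnet" --destination 0.0.0.0/0 --jump ACCEPT
ensure_rule filter FORWARD --source 0.0.0.0/0 --destination "$vpn_subnet" --jump ACCEPT

# Persist the firewall rules (iptables-persistent was installed above).
netfilter-persistent save

# Restart the services and enable them at boot.
systemctl restart strongswan-starter xl2tpd
systemctl enable strongswan-starter xl2tpd

# Summary for the operator.  It contains the secrets, so keep stdout out of
# shared logs.  The public-address lookup is informational and must not fail
# the run.
printf '***********************************************\n'
curl ip.fm || printf 'warning: could not fetch the public address\n' >&2
printf 'PSK: %s\n' "$psk"
printf 'User: %s\n' "$vpnuser"
printf 'password: %s\n' "$vpnpassword"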
