Created
November 10, 2023 17:25
-
-
Save soheilsec/c8d492dad9467cb78b62233cf617de50 to your computer and use it in GitHub Desktop.
Cisco Radcli
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #cisco | |
| #read -p "Enter your Domain For Let'sEncrypt You should Add subdomain before run script! like Vpn.diablo.com : " Domain | |
| #ping -c 1 $Domain | |
| read -p "Enter Your IBSNG domain : " IBSNG | |
| #YOUR_DNS='cisco4.servadd.net' | |
| #YOUR_IBSNG_DNS='ibsng-radius.servadd.net' | |
| yum update -y | |
| systemctl stop firewalld | |
| systemctl disable firewalld | |
| systemctl mask firewalld | |
| yum install iptables-services -y | |
| systemctl start iptables | |
| systemctl enable iptables | |
| iptables -t nat -F | |
| iptables -t mangle -F | |
| iptables -F | |
| iptables -X | |
| service iptables save | |
| yum install epel-release -y | |
| yum install lsof -y | |
| cd /tmp | |
| wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm | |
| ls *.rpm | |
| sudo yum install epel-release-latest-7.noarch.rpm -y | |
| iptables -F | |
| iptables -X | |
| iptables -t nat -F | |
| iptables -t nat -X | |
| iptables -t mangle -F | |
| iptables -t mangle -X | |
| iptables -P INPUT ACCEPT | |
| iptables -P FORWARD ACCEPT | |
| iptables -P OUTPUT ACCEPT | |
| sudo sysctl -w net.ipv4.ip_forward=1 | |
| service iptables save | |
| systemctl start iptables | |
| systemctl enable iptables | |
| yum install radiusclient-ng-utils -y | |
| yum groupinstall "Development Tools" -y | |
| yum install net-tools -y | |
| yum install nano wget -y | |
| yum install certbot -y | |
| #certbot certonly --standalone -n -m [email protected] -d "$Domain" --agree-tos | |
| cd /tmp/ | |
| yum install autoconf automake gcc libtasn1-devel zlib zlib-devel trousers trousers-devel gmp-devel gmp xz texinfo libnl-devel libnl tcp_wrappers-libs tcp_wrappers-devel tcp_wrappers dbus dbus-devel ncurses-devel pam-devel readline-devel bison bison-devel flex gcc automake autoconf wget nano lsof net-tools unzip gnutls-utils iptables-services epel-release lsof radiusclient-ng-utils epel-release-latest-7.noarch.rpm net-tools nano wget certbot -y | |
| yum install ocserv gnutls-utils -y | |
| mkdir -p /etc/ocserv/cert | |
| cd /etc/ocserv/cert/ | |
| #wget https://github.com/radcli/radcli/releases/download/1.2.4/radcli-1.2.4.tar.gz | |
| #tar -zxf radcli-1.2.4.tar.gz | |
| #cd radcli-1.2.4 | |
| #./configure --prefix=/usr --sysconfdir=/etc --enable-legacy-compat | |
| #make && make install | |
| #cd etc | |
| #cp dictionary /etc/radcli | |
| #Accounting Connect To IBSNG | |
| cat > /etc/radcli/radiusclient.conf <<EOF | |
| authserver $IBSNG | |
| acctserver $IBSNG | |
| servers /etc/radcli/servers | |
| dictionary /etc/radcli/dictionary | |
| default_realm | |
| radius_timeout 10 | |
| radius_retries 3 | |
| bindaddr * | |
| EOF | |
| cat > /etc/radcli/servers <<EOF | |
| ## Server Name or Client/Server pair Key | |
| ## ---------------- --------------- | |
| # | |
| $IBSNG/$IBSNG 123456 | |
| EOF | |
| mkdir -p /etc/ocserv/cert | |
| cd /etc/ocserv/cert/ | |
| cat > /etc/ocserv/cert/server.crt <<EOF | |
| Certificate: | |
| Data: | |
| Version: 3 (0x2) | |
| Serial Number: 1 (0x1) | |
| Signature Algorithm: sha1WithRSAEncryption | |
| Issuer: C=US, ST=CA, L=SanFrancisco, O=acegishniz, OU=acegishniz, CN=acegishniz/name=acegishniz/[email protected] | |
| Validity | |
| Not Before: Sep 17 21:20:29 2013 GMT | |
| Not After : Sep 15 21:20:29 2023 GMT | |
| Subject: C=US, ST=CA, L=SanFrancisco, O=acegishniz, OU=acegishniz, CN=acegishniz/name=acegishniz/[email protected] | |
| Subject Public Key Info: | |
| Public Key Algorithm: rsaEncryption | |
| RSA Public Key: (1024 bit) | |
| Modulus (1024 bit): | |
| 00:b9:2f:d1:a3:5a:61:3b:82:dc:c7:4d:ce:b8:e7: | |
| 8a:7c:d9:70:88:7a:d5:0d:cd:61:06:cc:c2:0a:c2: | |
| 69:51:f7:46:39:a0:8f:e7:df:20:38:9b:57:42:cb: | |
| 06:fc:d8:5f:5b:c7:07:b1:ba:56:45:9b:7d:b0:39: | |
| 77:a5:fe:4f:bc:f8:30:8e:81:34:1c:52:4c:d8:76: | |
| 87:14:5a:f8:db:f5:47:02:40:c4:82:c1:f7:c2:04: | |
| 67:b0:67:83:08:d6:5d:3c:5e:26:d6:32:b9:d1:d7: | |
| 61:94:9b:4d:a6:33:5d:3b:ec:44:6e:38:96:30:63: | |
| 60:15:15:6a:7a:3a:95:0e:31 | |
| Exponent: 65537 (0x10001) | |
| X509v3 extensions: | |
| X509v3 Basic Constraints: | |
| CA:FALSE | |
| Netscape Cert Type: | |
| SSL Server | |
| Netscape Comment: | |
| Easy-RSA Generated Server Certificate | |
| X509v3 Subject Key Identifier: | |
| 8B:AF:7F:55:CF:F5:32:85:D1:D1:C1:2A:1D:18:2F:35:C1:B6:09:8D | |
| X509v3 Authority Key Identifier: | |
| keyid:3D:BB:02:74:E7:E3:AC:1C:EC:FE:98:07:C5:39:4F:8A:5B:71:C3:4F | |
| DirName:/C=US/ST=CA/L=SanFrancisco/O=acegishniz/OU=acegishniz/CN=acegishniz/name=acegishniz/[email protected] | |
| serial:E8:6B:74:86:E1:AA:8E:9B | |
| X509v3 Extended Key Usage: | |
| TLS Web Server Authentication | |
| X509v3 Key Usage: | |
| Digital Signature, Key Encipherment | |
| Signature Algorithm: sha1WithRSAEncryption | |
| 06:d1:9a:bf:f9:c4:4e:7a:ca:c9:b4:8e:5f:7c:bb:2b:a8:4f: | |
| a1:d9:4e:59:2b:a7:95:e5:c4:f5:49:36:d7:3c:7f:b4:0d:dc: | |
| cf:9b:52:0b:e3:b7:db:fe:bb:ca:ff:e5:87:98:1a:5d:18:3f: | |
| ae:f1:88:6b:77:26:7c:75:b9:cd:85:4d:38:8b:47:87:59:de: | |
| 87:7d:a1:2d:ae:cc:71:ff:88:8b:71:d6:d6:06:c3:9d:5e:85: | |
| 5b:f6:ee:af:46:c8:92:a0:fb:ff:af:e1:db:a3:5d:0c:bc:6d: | |
| e0:76:b1:63:75:eb:fe:5d:c2:0b:33:08:6b:06:33:65:3d:71: | |
| aa:67 | |
| -----BEGIN CERTIFICATE----- | |
| MIIEPTCCA6agAwIBAgIBATANBgkqhkiG9w0BAQUFADCBpjELMAkGA1UEBhMCVVMx | |
| CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xEzARBgNVBAoTCmFj | |
| ZWdpc2huaXoxEzARBgNVBAsTCmFjZWdpc2huaXoxEzARBgNVBAMTCmFjZWdpc2hu | |
| aXoxEzARBgNVBCkTCmFjZWdpc2huaXoxHzAdBgkqhkiG9w0BCQEWEG1haWxAaG9z | |
| dC5kb21haW4wHhcNMTMwOTE3MjEyMDI5WhcNMjMwOTE1MjEyMDI5WjCBpjELMAkG | |
| A1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xEzAR | |
| BgNVBAoTCmFjZWdpc2huaXoxEzARBgNVBAsTCmFjZWdpc2huaXoxEzARBgNVBAMT | |
| CmFjZWdpc2huaXoxEzARBgNVBCkTCmFjZWdpc2huaXoxHzAdBgkqhkiG9w0BCQEW | |
| EG1haWxAaG9zdC5kb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALkv | |
| 0aNaYTuC3MdNzrjninzZcIh61Q3NYQbMwgrCaVH3Rjmgj+ffIDibV0LLBvzYX1vH | |
| B7G6VkWbfbA5d6X+T7z4MI6BNBxSTNh2hxRa+Nv1RwJAxILB98IEZ7BngwjWXTxe | |
| JtYyudHXYZSbTaYzXTvsRG44ljBjYBUVano6lQ4xAgMBAAGjggF3MIIBczAJBgNV | |
| HRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDA0BglghkgBhvhCAQ0EJxYlRWFzeS1S | |
| U0EgR2VuZXJhdGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUi69/Vc/1 | |
| MoXR0cEqHRgvNcG2CY0wgdsGA1UdIwSB0zCB0IAUPbsCdOfjrBzs/pgHxTlPiltx | |
| w0+hgaykgakwgaYxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM | |
| U2FuRnJhbmNpc2NvMRMwEQYDVQQKEwphY2VnaXNobml6MRMwEQYDVQQLEwphY2Vn | |
| aXNobml6MRMwEQYDVQQDEwphY2VnaXNobml6MRMwEQYDVQQpEwphY2VnaXNobml6 | |
| MR8wHQYJKoZIhvcNAQkBFhBtYWlsQGhvc3QuZG9tYWluggkA6Gt0huGqjpswEwYD | |
| VR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0PBAQDAgWgMA0GCSqGSIb3DQEBBQUAA4GB | |
| AAbRmr/5xE56ysm0jl98uyuoT6HZTlkrp5XlxPVJNtc8f7QN3M+bUgvjt9v+u8r/ | |
| 5YeYGl0YP67xiGt3Jnx1uc2FTTiLR4dZ3od9oS2uzHH/iItx1tYGw51ehVv27q9G | |
| yJKg+/+v4dujXQy8beB2sWN16/5dwgszCGsGM2U9capn | |
| -----END CERTIFICATE----- | |
| EOF | |
| cat > /etc/ocserv/cert/server.key <<EOF | |
| -----BEGIN RSA PRIVATE KEY----- | |
| MIICXAIBAAKBgQC5L9GjWmE7gtzHTc6454p82XCIetUNzWEGzMIKwmlR90Y5oI/n | |
| 3yA4m1dCywb82F9bxwexulZFm32wOXel/k+8+DCOgTQcUkzYdocUWvjb9UcCQMSC | |
| wffCBGewZ4MI1l08XibWMrnR12GUm02mM1077ERuOJYwY2AVFWp6OpUOMQIDAQAB | |
| AoGAJAfAwwafqmOArypdUS6DjF0F/xffAgt2mEsYad1/flodCLNLrHKGI11d8fns | |
| hx9WFlY4EgVOKcbiAnp75AkB3E48/lxn+jaU7DEcNpi4r8GSo4/cX+PYOxxVzQS0 | |
| YnoXP5xKBWCp8D2cPZa1jYmm4fUYuMbSQ0gMnmraQLiW3t0CQQDyKCd2O/MSzjEk | |
| wduQ2AgCgVimkwhuUKCUb2OR6rTy6r/tTJDR0rVxeNWu0dbKDl3B+QxRriiRspCl | |
| zeVuL0MfAkEAw8Xvo0P/wg1DmNWXIcxVvXCnhjz3gGbYbTN6x7a9kEEVPCiEZ/am | |
| /2g61tFfcElQe7ZqKak/hqwz9V7LEcBUrwJBANe1UymsT2PiDr7KfRbyiXgJ1nlT | |
| on/6DIENFGon5BY7bMoqmRp/kydIVziKLcYBtB0VB5c/B1557QX1ejmDmksCQEOk | |
| fGw47oGp+5UvF40CAQ33gqqLHikrX9Q7WUzwAwd4tVGX3kfdnU3aQZo/tW4ipsBY | |
| As5qQBzUGw/ItPlpLtkCQHTOJ9d+/ONvXBWvUNZxBak0e7hQUipyu06kU3vnko1P | |
| J5sxO0QgEQV2XnmKD81PHKquRoiOgrwxE/f8FLhXTnM= | |
| -----END RSA PRIVATE KEY----- | |
| EOF | |
| cat > /etc/ocserv/ocserv.conf <<EOF | |
| session-control = true | |
| max-clients = 1024 | |
| rate-limit-ms = 0 | |
| max-same-clients = 3 | |
| tcp-port = 443 | |
| udp-port = 443 | |
| keepalive = 32400 | |
| dpd = 90 | |
| try-mtu-discovery = false | |
| #server-cert = /etc/letsencrypt/live/$Domain/fullchain.pem | |
| #server-key = /etc/letsencrypt/live/$Domain/privkey.pem | |
| server-cert = /etc/ocserv/cert/server.crt | |
| server-key = /etc/ocserv/cert/server.key | |
| cookie-timeout = 300 | |
| deny-roaming = false | |
| rekey-time = 172800 | |
| rekey-method = ssl | |
| use-utmp = true | |
| use-occtl = true | |
| pid-file = /var/run/ocserv.pid | |
| socket-file = /var/run/ocserv-socket | |
| run-as-user = nobody | |
| run-as-group = nobody | |
| device = vpns | |
| predictable-ips = true | |
| default-domain = $IP | |
| ipv4-network = 192.168.0.0/16 | |
| dns = 8.8.8.8 | |
| dns = 8.8.4.4 | |
| tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0" | |
| auth-timeout = 240 | |
| min-reauth-time = 300 | |
| max-ban-score = 50 | |
| ban-reset-time = 300 | |
| cookie-timeout = 86400 | |
| ping-leases = false | |
| dtls-legacy = true | |
| user-profile = /etc/ocserv/profile.xml | |
| cisco-client-compat = true | |
| custom-header = "X-DTLS-MTU: 1200" | |
| custom-header = "X-CSTP-MTU: 1200" | |
| EOF | |
| cat > /etc/ocserv/profile.xml <<EOF | |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd"> | |
| <ClientInitialization> | |
| <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon> | |
| <StrictCertificateTrust>false</StrictCertificateTrust> | |
| <RestrictPreferenceCaching>false</RestrictPreferenceCaching> | |
| <RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols> | |
| <BypassDownloader>true</BypassDownloader> | |
| <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment> | |
| <CertEnrollmentPin>pinAllowed</CertEnrollmentPin> | |
| <CertificateMatch> | |
| <KeyUsage> | |
| <MatchKey>Digital_Signature</MatchKey> | |
| </KeyUsage> | |
| <ExtendedKeyUsage> | |
| <ExtendedMatchKey>ClientAuth</ExtendedMatchKey> | |
| </ExtendedKeyUsage> | |
| </CertificateMatch> | |
| <BackupServerList> | |
| <HostName>VPN Server</HostName> | |
| <HostAddress>$Domain</HostAddress> | |
| </BackupServerList> | |
| </ClientInitialization> | |
| <ServerList> | |
| <HostEntry> | |
| <HostName>VPN Server</HostName> | |
| <HostAddress>$Domain</HostAddress> | |
| </HostEntry> | |
| </ServerList> | |
| </AnyConnectProfile> | |
| EOF | |
| Ethernet=$(ip link | awk -F: '$0 !~ "lo|vir|wl|^[^0-9]"{print $2;getline}' | head -1 ) | |
| #RUles NAT Firewall | |
| iptables -F | |
| iptables -X | |
| iptables -t nat -F | |
| iptables -t nat -X | |
| iptables -t mangle -F | |
| iptables -t mangle -X | |
| iptables -P INPUT ACCEPT | |
| iptables -P FORWARD ACCEPT | |
| iptables -P OUTPUT ACCEPT | |
| iptables -t nat -A POSTROUTING | |
| iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE | |
| iptables -A FORWARD -j ACCEPT | |
| iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 2202 -j ACCEPT | |
| iptables -A INPUT -i eth1 -m state --state NEW -p udp --dport 69 -j ACCEPT | |
| sudo sysctl -w net.ipv4.ip_forward=1 | |
| sysctl -p | |
| echo "net.ipv4.ip_forward=1" > /etc/sysctl.conf | |
| service iptables save | |
| service iptables restart | |
| service iptables stop | |
| service iptables start | |
| systemctl start ocserv | |
| systemctl enable ocserv | |
| systemctl status ocserv | |
| setenforce 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment