easy_ipsec.sh

#!/bin/sh

### LICENSE (BSD 2-Clause) // ###
#
# Copyright (c) 2014, Daniel Plominski (Plominski IT Consulting)
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification,
# are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice, this
# list of conditions and the following disclaimer in the documentation and/or
# other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
### // LICENSE (BSD 2-Clause) ###

### ### ### PLITC ### ### ###


### stage0 // ###
UNAME=$(uname)
MYNAME=$(whoami)
### // stage0 ###

### stage1 // ###
case $UNAME in
Darwin)
   ### MacOS ###
BREW=$(/usr/bin/which brew)
MDIALOG=$(/usr/bin/which dialog)
LASTUSER=$(/usr/bin/last | head -n 1 | awk '{print $1}')
LASTGROUP=$(/usr/bin/id "$LASTUSER" | grep -o 'gid=[^(]*[^)]*)' | sed 's/[0-9]//g' | sed 's/gid=(//g' | sed 's/)//g')
#
### ### ### ### ### ### ### ### ###

if [ "$MYNAME" = root ]; then
   echo "" # dummy
else
   echo "<--- --- --->"
   echo ""
   echo "ERROR: You must be root to run this script"
   exit 1
fi

if [ -z "$BREW" ]; then
   echo "<--- --- --->"
   echo "need homebrew"
   echo "<--- --- --->"
        ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
   echo "<--- --- --->"
else
   echo "" # dummy
fi

if [ -z "$MDIALOG" ]; then
   echo "<--- --- --->"
   echo "need dialog"
   echo "<--- --- --->"
        /usr/sbin/chown -R "$LASTUSER:$LASTGROUP" /usr/local
        sudo -u "$LASTUSER" -s "/usr/local/bin/brew install dialog"
   echo "<--- --- --->"
else
   echo "" # dummy
fi

(
# clean up
/bin/rm -rf /tmp/easy_ipsec*.txt
)

#/ function: say clean up
KILLSAY(){
   (pgrep "say" | xargs -L 1 -I % kill -9 % > /dev/null 2>&1)
}

### stage2 // ###

GIF1=50
(
while test $GIF1 != 150
do
echo $GIF1
echo "XXX"
echo "create gif interface: ($GIF1 percent)"
echo "XXX"
#
### run //
/sbin/ifconfig gif0 create > /dev/null 2>&1
/sbin/ifconfig gif0 up
### // run
#
GIF1=$((GIF1 + 50))
sleep 1
done
) | dialog --title "generic tunnel interface" --gauge "create gif interface" 20 70 0

EASYIPSECCLIENTIP="/tmp/easy_ipsec_client_ip.txt"
touch $EASYIPSECCLIENTIP

KILLSAY > /dev/null 2>&1
say "Enter your Roadwarrior Client IP: for example 10.0.0.1" > /dev/null 2>&1 &
dialog --inputbox "Enter your Roadwarrior Client IP: (for example 10.0.0.1)" 8 40 2>$EASYIPSECCLIENTIP

EASYIPSECDESTNET="/tmp/easy_ipsec_destination_net.txt"
touch $EASYIPSECDESTNET

KILLSAY > /dev/null 2>&1
say "Enter your VPN destination network: for example 172.31.254.0" > /dev/null 2>&1 &
dialog --inputbox "Enter your VPN destination network: (for example 172.31.254.0)" 8 40 2>$EASYIPSECDESTNET

EASYIPSECCLIENTIPVALUE=$(sed 's/#//g' $EASYIPSECCLIENTIP | sed 's/%//g')
EASYIPSECDESTNETVALUE=$(sed 's/#//g' $EASYIPSECDESTNET | sed 's/%//g')

GIF2=50
(
while test $GIF2 != 150
do
echo $GIF2
echo "XXX"
echo "set gif options: ($GIF2 percent)"
echo "XXX"
#
### run //
/sbin/ifconfig gif0 "$EASYIPSECCLIENTIPVALUE" "$EASYIPSECDESTNETVALUE"
/sbin/route add -net "$EASYIPSECDESTNETVALUE"/24 -interface gif0 > /dev/null 2>&1
### // run
#
GIF2=$((GIF2 + 50))
sleep 1
done
) | dialog --title "generic tunnel interface" --gauge "set gif options" 20 70 0

EASYIPSECSERVERIP="/tmp/easy_ipsec_server_ip.txt"
touch $EASYIPSECSERVERIP

KILLSAY > /dev/null 2>&1
say "Enter your VPN IP security Server IP:" > /dev/null 2>&1 &
dialog --inputbox "Enter your VPN IPsec Server IP:" 8 40 2>$EASYIPSECSERVERIP

EASYIPSECLOCALGATEWAY="/tmp/easy_ipsec_local_gateway.txt"
touch $EASYIPSECLOCALGATEWAY

KILLSAY > /dev/null 2>&1
say "Enter your local gateway IP:" > /dev/null 2>&1 &
dialog --inputbox "Enter your local gateway IP:" 8 40 2>$EASYIPSECLOCALGATEWAY

EASYIPSECSERVERIPVALUE=$(sed 's/#//g' $EASYIPSECSERVERIP | sed 's/%//g')
EASYIPSECLOCALGATEWAYVALUE=$(sed 's/#//g' $EASYIPSECLOCALGATEWAY | sed 's/%//g')

GIF3=50
(
while test $GIF3 != 150
do
echo $GIF3
echo "XXX"
echo "set direct vpn server route: ($GIF3 percent)"
echo "XXX"
#
### run //
# clean up double entries
/usr/sbin/netstat -rn -f inet | grep "$EASYIPSECSERVERIPVALUE" | awk '{print $2}' | xargs -L1 route delete -host "$EASYIPSECSERVERIPVALUE" > /dev/null 2>&1
#
/sbin/route delete -host "$EASYIPSECSERVERIPVALUE" > /dev/null 2>&1
/sbin/route add -host "$EASYIPSECSERVERIPVALUE" "$EASYIPSECLOCALGATEWAYVALUE" > /dev/null 2>&1
### // run
#
GIF3=$((GIF3 + 50))
sleep 1
done
) | dialog --title "generic tunnel interface" --gauge "set direct vpn server route" 20 70 0

### check vpn server //
#
/bin/echo ""
#(
/sbin/ping -q -c5 "$EASYIPSECSERVERIPVALUE" > /dev/null
if [ $? -eq 0 ]
then
      /bin/echo ""
      KILLSAY > /dev/null 2>&1
      say "well, server is responsive" > /dev/null 2>&1 &
      /bin/echo "server is responsive"
      sleep 3
      # exit 0
else
      /bin/echo ""
      KILLSAY > /dev/null 2>&1
      say "excuse me if have got an error: IP security server isn't responsive" > /dev/null 2>&1 &
      /bin/echo "ERROR: IPsec server isn't responsive"
      exit 1
fi
#)
#
### // check vpn server

/bin/mkdir -p /etc/racoon
/bin/mkdir -p /etc/racoon/certs
/bin/chmod 0700 /etc/racoon/certs

### modify /etc/racoon/setkey.conf //
#
#(
EASYIPSECGETIFIP=$(/usr/sbin/netstat -rn -f inet | grep "$EASYIPSECSERVERIPVALUE" | awk '{print $6}' | xargs -L1 ifconfig | grep -w "inet" | awk '{print $2}')

/bin/cat <<SETKEY > /etc/racoon/setkey.conf
### ### ### PLITC // ### ### ###
#
flush;

spdflush;

spdadd $EASYIPSECCLIENTIPVALUE/32 $EASYIPSECDESTNETVALUE/24 any -P out ipsec
   esp/tunnel/$EASYIPSECGETIFIP-$EASYIPSECSERVERIPVALUE/require;

spdadd $EASYIPSECDESTNETVALUE/24 $EASYIPSECCLIENTIPVALUE/32 any -P in ipsec
   esp/tunnel/$EASYIPSECSERVERIPVALUE-$EASYIPSECGETIFIP/require;
#
### ### ### // PLITC ### ### ###
# EOF
SETKEY
#)
#
/bin/chmod 0600 /etc/racoon/setkey.conf
#
### // modify /etc/racoon/setkey.conf

### modify /etc/racoon/psk.txt //
#
#(
EASYIPSECSERVERPSK="/tmp/easy_ipsec_server_psk.txt"
touch $EASYIPSECSERVERPSK
/bin/chmod 0600 $EASYIPSECSERVERPSK

KILLSAY > /dev/null 2>&1
say "Enter your VPN IP security Server Pre-shared key: without spaces and pound" > /dev/null 2>&1 &
dialog --inputbox "Enter your VPN IPsec Server Pre-shared key: (without spaces and pound)" 8 85 2>$EASYIPSECSERVERPSK

EASYIPSECSERVERPSKVALUE=$(sed 's/#//g' $EASYIPSECSERVERPSK | sed 's/%//g')

echo "" # dummy
/bin/cat <<PSK > /etc/racoon/psk.txt
### ### ### PLITC ### ### ###
# IPv4/v6 addresses
# 10.160.94.3	asecretkeygoeshere
# 172.16.1.133	asecretkeygoeshere
# 3ffe:501:410:ffff:200:86ff:fe05:80fa	asecretkeygoeshere
# 3ffe:501:410:ffff:210:4bff:fea2:8baa	asecretkeygoeshere
# USER_FQDN
# macuser@localhost	somethingsecret
# FQDN
# kame		hoge
### ### ### ##### ### ### ###
#
$EASYIPSECSERVERIPVALUE $EASYIPSECSERVERPSKVALUE
#
### ### ### PLITC ### ### ###
# EOF
PSK
if [ $? -eq 0 ]
then
   : # dummy
else
   KILLSAY > /dev/null 2>&1
   say "Warning, the racoon/psk.txt file probably has a write-protection or immutable flag!" > /dev/null 2>&1 &
   sleep 2
fi

/bin/chmod 0600 /etc/racoon/psk.txt
/bin/rm $EASYIPSECSERVERPSK
#)
#
### // modify /etc/racoon/psk.txt

### modify /etc/racoon/racoon.conf //
#
EASYIPSECGETIFIPCONF=$(/usr/sbin/netstat -rn -f inet | grep "$EASYIPSECSERVERIPVALUE" | awk '{print $6}' | xargs -L1 ifconfig | grep -w "inet" | awk '{print $2}')
#
#(
/bin/cat <<CONF > /etc/racoon/racoon.conf
### ### ### PLITC ### ### ###
#
path include "/etc/racoon" ;
path pre_shared_key "/etc/racoon/psk.txt" ;
path certificate "/etc/cert" ;
log debug;
#
### ### ### ##### ### ### ###

padding # options are not to be changed
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer   # timing options. change as needed
{
        counter         5;
        interval        20 sec;
        persend         1;
        natt_keepalive  20 sec;
        phase1          120 sec;
        phase2          60 sec;
}

listen  # address [port] that racoon will listening on
{
#
### CHANGEME // ###
        isakmp          $EASYIPSECGETIFIPCONF [500];
        isakmp_natt     $EASYIPSECGETIFIPCONF [4500];
### // CHANGEME ###
#
}

remote $EASYIPSECSERVERIPVALUE
{
        # ph1id 1;
        exchange_mode   main;
        doi             ipsec_doi;
        situation       identity_only;

        peers_identifier address $EASYIPSECSERVERIPVALUE;
        verify_identifier on;
        verify_cert off;
        weak_phase1_check on;

        passive         off;
        proposal_check  strict;

        ike_frag on;
        nonce_size 16;
        support_proxy on;
        generate_policy off;

        nat_traversal   force;
        dpd_delay 30;
        dpd_retry 10;
        dpd_maxfail 10;

                        proposal {
                                dh_group                16;
                                lifetime time           600 sec;
                                encryption_algorithm    aes 256;
                                hash_algorithm          sha512;
                                authentication_method   pre_shared_key;
                        }
}

sainfo (address $EASYIPSECCLIENTIPVALUE/32 any address $EASYIPSECDESTNETVALUE/24 any)
{
        # remoteid 1;
        pfs_group       16;
        lifetime        time       300 sec;
        encryption_algorithm       aes 256;
        authentication_algorithm   hmac_sha512;
        compression_algorithm      deflate;
}

#
### ### ### ### ### ### ### ### ###
# EOF
CONF
#)
#
/bin/chmod 0600 /etc/racoon/racoon.conf
#
### // modify /etc/racoon/racoon.conf

### start ipsec //
#
#(
KILLSAY > /dev/null 2>&1
say "syslog can be very slow, do you want delete all system logs before ?" > /dev/null 2>&1 &
dialog --title "Delete all System-Logs" --backtitle "Delete all System-Logs" --yesno "syslog can be very slow, do you want delete all system logs before ?" 7 60

response=$?
case $response in
   0)
      #/bin/rm -rf /private/var/log/asl/*.asl
      /usr/sbin/aslmanager -size 1
      /bin/echo ""
      /bin/echo "System-Logs deleted!"
;;
   1)
      /bin/echo ""
      /bin/echo "System-Logs not deleted."
;;
   255)
      /bin/echo ""
      /bin/echo "[ESC] key pressed."
;;
esac
#
#/ /bin/launchctl stop com.apple.syslog
#/ /bin/launchctl start com.apple.syslog
#
#/ 
#/ launchctl unload /System/Library/LaunchDaemons/com.apple.racoon.plist
#/ sleep 1
#/ launchctl load /System/Library/LaunchDaemons/com.apple.racoon.plist
#
#)
#
#(
/bin/echo ""
KILLSAY > /dev/null 2>&1
say "Starting IP security" > /dev/null 2>&1 &
/bin/echo "Starting IPsec"
/usr/sbin/setkey -f /etc/racoon/setkey.conf
sleep 1
/bin/launchctl stop com.apple.racoon
/bin/launchctl stop com.apple.ipsec
sleep 1
/bin/launchctl start com.apple.ipsec
/bin/launchctl start com.apple.racoon
sleep 1
/bin/echo ""
KILLSAY > /dev/null 2>&1
say "wait a minute please" > /dev/null 2>&1 &
/bin/echo "prepare racoon log ... wait a minute"
/bin/echo ""
sleep 15
#)
#
/usr/bin/syslog -k Facility -k Sender racoon | tail -n 100 | grep "established" > /tmp/easy_ipsec_racoon_log.txt
#
RACOONLOG="/tmp/easy_ipsec_racoon_log.txt"
#
#(
KILLSAY > /dev/null 2>&1
say "VPN Logfile" > /dev/null 2>&1 &
dialog --textbox "$RACOONLOG" 0 0
#)
#
### // start ipsec

### ipsec test //
#
#(
EASYIPSECSERVERTEST="/tmp/easy_ipsec_server_test.txt"
touch $EASYIPSECSERVERTEST
/bin/chmod 0600 $EASYIPSECSERVERTEST

KILLSAY > /dev/null 2>&1
say "Enter your VPN IP security Server forwarding interface IP: for example 172.31.254.254" > /dev/null 2>&1 &
dialog --inputbox "Enter your VPN IPsec Server forwarding interface IP: (for example 172.31.254.254)" 8 85 2>$EASYIPSECSERVERTEST

EASYIPSECSERVERTESTVALUE=$(sed 's/#//g' $EASYIPSECSERVERTEST | sed 's/%//g')

/sbin/ping -q -c5 "$EASYIPSECSERVERTESTVALUE" > /dev/null
if [ $? -eq 0 ]
then
      KILLSAY > /dev/null 2>&1
      say "It works!" > /dev/null 2>&1 &
      dialog --title "VPN IPsec Gateway Test" --backtitle "VPN IPsec Gateway Test" --msgbox "It works!" 0 0
      # exit 0
else
      dialog --title "VPN IPsec Gateway Test" --backtitle "VPN IPsec Gateway Test" --msgbox "ERROR: can't ping!" 0 0
      /bin/echo ""
      KILLSAY > /dev/null 2>&1
      say "excuse me if have got an error: IP security server isn't responsive" > /dev/null 2>&1 &
      /bin/echo "ERROR: IPsec server isn't responsive"
      exit 1
fi
#)
/bin/rm -rf "$EASYIPSECSERVERTEST"
#
### // ipsec test

### // stage2 ###

### stage3 // ###

### ipsec/openvpn relay setup // ###
#
#(
KILLSAY > /dev/null 2>&1
say "if you have an IP security/OpenVPN Relay Server-Setup, Go ahead" > /dev/null 2>&1 &
dialog --title "IPsec/OpenVPN Relay Network" --backtitle "IPsec/OpenVPN Relay Network" --yesno "if you have an IPsec/OpenVPN Relay Server-Setup Go ahead!" 7 70

OPENVPN=$?
case $OPENVPN in
   0)
      /bin/echo ""
;;
   1)
      /bin/echo ""
      #/bin/echo "no thanks!"
      KILLSAY > /dev/null 2>&1
      say "Have a nice day with IP security, good bye" > /dev/null 2>&1 &
      /bin/echo "Have a nice day with IPsec"
###
# clean up
/bin/rm -rf /tmp/easy_ipsec*.txt
###
      exit 1
;;
   255)
      /bin/echo ""
      /bin/echo "[ESC] key pressed."
;;
esac
#)
#
#(
KILLSAY > /dev/null 2>&1
say "its time now to establish, manually a successful connection" > /dev/null 2>&1 &
dialog --title "IPsec/OpenVPN Relay Network" --backtitle "IPsec/OpenVPN Relay Network" --msgbox "its time now to establish a successful connection! ... than press OK" 8 80
#)
#
### // ipsec/openvpn relay setup ###

### openvpn server // ###
#
EASYIPSECSERVEROVPNTEST="/tmp/easy_ipsec_server_openvpn_test.txt"
touch $EASYIPSECSERVEROVPNTEST
/bin/chmod 0600 $EASYIPSECSERVEROVPNTEST

KILLSAY > /dev/null 2>&1
say "Enter your VPN, OpenVPN Server forwarding interface IP: for example 172.31.253.1" > /dev/null 2>&1 &
dialog --inputbox "Enter your VPN OpenVPN Server forwarding interface IP: (for example 172.31.253.1)" 8 85 2>$EASYIPSECSERVEROVPNTEST

EASYIPSECSERVEROVPNTESTVALUE=$(sed 's/#//g' $EASYIPSECSERVEROVPNTEST | sed 's/%//g')
#(
/sbin/ping -q -c5 "$EASYIPSECSERVEROVPNTESTVALUE" > /dev/null
if [ $? -eq 0 ]
then
      KILLSAY > /dev/null 2>&1
      say "It works!" > /dev/null 2>&1 &
      dialog --title "VPN OpenVPN Gateway Test" --backtitle "VPN OpenVPN Gateway Test" --msgbox "It works!" 0 0
      # exit 0
else
      dialog --title "VPN OpenVPN Gateway Test" --backtitle "VPN OpenVPN Gateway Test" --msgbox "ERROR: can't ping!" 0 0
      /bin/echo ""
      KILLSAY > /dev/null 2>&1
      say "excuse me if have got an error: OpenVPN server isn't responsive" > /dev/null 2>&1 &
      /bin/echo "ERROR: OpenVPN server isn't responsive"
      exit 1
fi
#)
##/bin/rm -rf "$EASYIPSECSERVEROVPNTEST"
#
### // openvpn server ###

### new default gateway // ###
#
EASYIPSECNETSTATOVPN1="/tmp/easy_ipsec_server_openvpn_netstat1.txt"
touch $EASYIPSECNETSTATOVPN1
/bin/chmod 0600 $EASYIPSECNETSTATOVPN1
EASYIPSECNETSTATOVPN2="/tmp/easy_ipsec_server_openvpn_netstat2.txt"
touch $EASYIPSECNETSTATOVPN2
/bin/chmod 0600 $EASYIPSECNETSTATOVPN2
#
KILLSAY > /dev/null 2>&1
say "it seems to work, lets change the default gateway!" > /dev/null 2>&1 &
dialog --title "IPsec/OpenVPN Relay Network" --backtitle "IPsec/OpenVPN Relay Network" --msgbox "it seems to work, lets change the default gateway!" 8 70
#
/sbin/route delete default > /dev/null 2>&1
/sbin/route delete 128.0.0.0/1 > /dev/null 2>&1
/sbin/route delete 0.0.0.0/1 > /dev/null 2>&1
#
/sbin/route add -net 128.0.0.0/1 "$EASYIPSECSERVEROVPNTESTVALUE" > /dev/null 2>&1
/sbin/route add -net 0.0.0.0/1 "$EASYIPSECSERVEROVPNTESTVALUE" > /dev/null 2>&1
#
###
/usr/sbin/netstat -rn -f inet > "$EASYIPSECNETSTATOVPN1"
###
#
KILLSAY > /dev/null 2>&1
say "your default gateway is now $EASYIPSECSERVEROVPNTESTVALUE" > /dev/null 2>&1 &
dialog --textbox "$EASYIPSECNETSTATOVPN1" 0 0
#
###
/bin/echo ""
KILLSAY > /dev/null 2>&1
say "Have a nice day with IP security and OpenVPN, good bye" > /dev/null 2>&1 &
/bin/echo "Have a nice day with IPsec and OpenVPN"
###
#
/bin/rm -rf "$EASYIPSECNETSTATOVPN1"
#
### // new default gateway ###

### // stage3 ###

### stage4 // ###
#
(
# clean up
/bin/rm -rf /tmp/easy_ipsec*.txt
)
#
### // stage4 ###

### ### ### ### ### ### ### ### ###
   ;;
FreeBSD)
   ### FreeBSD ###
#
FRACOON=$(/usr/bin/which racoon)
FOPENVPN=$(/usr/bin/which openvpn)
#
### ### ### ### ### ### ### ### ###

if [ "$MYNAME" = root ]; then
   echo "" # dummy
else
   echo "<--- --- --->"
   echo ""
   echo "ERROR: You must be root to run this script"
   exit 1
fi

if [ -z "$FRACOON" ]; then
   echo "<--- --- --->"
   echo "need racoon/ipsec-tools"
   echo "<--- --- --->"
   # (
        cd /usr/ports/security/ipsec-tools/ && make install clean
   # )
   echo "<--- --- --->"
   ### break // ###
   echo ""
   read -r "Press [Enter] key to continue..."
   ### // break ###
else
   echo "" # dummy
fi

if [ -z "$FOPENVPN" ]; then
   echo "<--- --- --->"
   echo "need openvpn"
   echo "<--- --- --->"
   # (
        cd /usr/ports/security/openvpn/ && make install clean
   # )
   echo "<--- --- --->"
   ### break // ###
   echo ""
   read -r "Press [Enter] key to continue..."
   ### // break ###
else
   echo "" # dummy
fi

(
# clean up
/bin/rm -rf /tmp/easy_ipsec*.txt
)

### stage2 // ###

GIF1=50
(
while test $GIF1 != 150
do
echo $GIF1
echo "XXX"
echo "create gif interface: ($GIF1 percent)"
echo "XXX"
#
### run //
/sbin/ifconfig gif0 create > /dev/null 2>&1
/sbin/ifconfig gif0 up
### // run
#
GIF1=$((GIF1 + 50))
sleep 1
done
) | dialog --title "generic tunnel interface" --gauge "create gif interface" 20 70 0

EASYIPSECCLIENTIP="/tmp/easy_ipsec_client_ip.txt"
touch $EASYIPSECCLIENTIP

dialog --inputbox "Enter your Roadwarrior Client IP: (for example 10.0.0.1)" 8 40 2>$EASYIPSECCLIENTIP

EASYIPSECDESTNET="/tmp/easy_ipsec_destination_net.txt"
touch $EASYIPSECDESTNET

dialog --inputbox "Enter your VPN destination network: (for example 172.31.254.0)" 8 40 2>$EASYIPSECDESTNET

EASYIPSECCLIENTIPVALUE=$(sed 's/#//g' $EASYIPSECCLIENTIP | sed 's/%//g')
EASYIPSECDESTNETVALUE=$(sed 's/#//g' $EASYIPSECDESTNET | sed 's/%//g')

GIF2=50
(
while test $GIF2 != 150
do
echo $GIF2
echo "XXX"
echo "set gif options: ($GIF2 percent)"
echo "XXX"
#
### run //
/sbin/ifconfig gif0 "$EASYIPSECCLIENTIPVALUE" "$EASYIPSECDESTNETVALUE"
/sbin/route add -net "$EASYIPSECDESTNETVALUE"/24 -interface gif0 > /dev/null 2>&1
### // run
#
GIF2=$((GIF2 + 50))
sleep 1
done
) | dialog --title "generic tunnel interface" --gauge "set gif options" 20 70 0

EASYIPSECSERVERIP="/tmp/easy_ipsec_server_ip.txt"
touch $EASYIPSECSERVERIP

dialog --inputbox "Enter your VPN IPsec Server IP:" 8 40 2>$EASYIPSECSERVERIP

EASYIPSECLOCALGATEWAY="/tmp/easy_ipsec_local_gateway.txt"
touch $EASYIPSECLOCALGATEWAY

dialog --inputbox "Enter your local gateway IP:" 8 40 2>$EASYIPSECLOCALGATEWAY

EASYIPSECSERVERIPVALUE=$(sed 's/#//g' $EASYIPSECSERVERIP | sed 's/%//g')
EASYIPSECLOCALGATEWAYVALUE=$(sed 's/#//g' $EASYIPSECLOCALGATEWAY | sed 's/%//g')

GIF3=50
(
while test $GIF3 != 150
do
echo $GIF3
echo "XXX"
echo "set direct vpn server route: ($GIF3 percent)"
echo "XXX"
#
### run //
# clean up double entries on (RADIX_MPATH) equal-cost multi-path routing (ecmp) systems
/usr/bin/netstat -rn -f inet | grep "$EASYIPSECSERVERIPVALUE" | awk '{print $2}' | xargs -L1 route del -host "$EASYIPSECSERVERIPVALUE" > /dev/null 2>&1
#
/sbin/route del -host "$EASYIPSECSERVERIPVALUE" "$EASYIPSECLOCALGATEWAYVALUE" > /dev/null 2>&1
/sbin/route add -host "$EASYIPSECSERVERIPVALUE" "$EASYIPSECLOCALGATEWAYVALUE" > /dev/null 2>&1
### // run
#
GIF3=$((GIF3 + 50))
sleep 1
done
) | dialog --title "generic tunnel interface" --gauge "set direct vpn server route" 20 70 0

### check vpn server //
#
/bin/echo ""
(
/sbin/ping -q -c5 "$EASYIPSECSERVERIPVALUE" > /dev/null
if [ $? -eq 0 ]
then
      /bin/echo ""
      /bin/echo "server is responsive"
      sleep 3
      exit 0
else
      /bin/echo ""
      /bin/echo "ERROR: server isn't responsive"
      exit 1
fi
)
#
### // check vpn server

/bin/mkdir -p /usr/local/etc/racoon
/bin/mkdir -p /usr/local/etc/racoon/certs
/bin/chmod 0700 /usr/local/etc/racoon/certs

### modify /usr/local/etc/racoon/setkey.conf //
#
(
EASYIPSECGETIFIP=$(/usr/bin/netstat -rnW -f inet | grep "$EASYIPSECSERVERIPVALUE" | awk '{print $7}' | xargs -L1 ifconfig | grep -w "inet" | awk '{print $2}')

/bin/cat <<SETKEY > /usr/local/etc/racoon/setkey.conf
### ### ### PLITC // ### ### ###
#
flush;

spdflush;

spdadd $EASYIPSECCLIENTIPVALUE/32 $EASYIPSECDESTNETVALUE/24 any -P out ipsec
   esp/tunnel/$EASYIPSECGETIFIP-$EASYIPSECSERVERIPVALUE/require;

spdadd $EASYIPSECDESTNETVALUE/24 $EASYIPSECCLIENTIPVALUE/32 any -P in ipsec
   esp/tunnel/$EASYIPSECSERVERIPVALUE-$EASYIPSECGETIFIP/require;
#
### ### ### // PLITC ### ### ###
# EOF
SETKEY
)
#
/bin/chmod 0600 /usr/local/etc/racoon/setkey.conf
#
### // modify /usr/local/etc/racoon/setkey.conf

### modify /usr/local/etc/racoon/psk.txt //
#
(
EASYIPSECSERVERPSK="/tmp/easy_ipsec_server_psk.txt"
touch $EASYIPSECSERVERPSK
/bin/chmod 0600 $EASYIPSECSERVERPSK

dialog --inputbox "Enter your VPN IPsec Server Pre-shared key: (without spaces and pound)" 8 85 2>$EASYIPSECSERVERPSK

EASYIPSECSERVERPSKVALUE=$(sed 's/#//g' $EASYIPSECSERVERPSK | sed 's/%//g')

/bin/cat <<PSK > /usr/local/etc/racoon/psk.txt
### ### ### PLITC ### ### ###
#
$EASYIPSECSERVERIPVALUE $EASYIPSECSERVERPSKVALUE
#
### ### ### PLITC ### ### ###
# EOF
PSK

/bin/chmod 0600 /usr/local/etc/racoon/psk.txt
/bin/rm $EASYIPSECSERVERPSK
)
#
### // modify /usr/local/etc/racoon/psk.txt

### modify /usr/local/etc/racoon/racoon.conf //
#
EASYIPSECGETIFIPCONF=$(/usr/bin/netstat -rnW -f inet | grep "$EASYIPSECSERVERIPVALUE" | awk '{print $7}' | xargs -L1 ifconfig | grep -w "inet" | awk '{print $2}')
#
(
/bin/cat <<CONF > /usr/local/etc/racoon/racoon.conf
### ### ### PLITC ### ### ###
#
path    include "/usr/local/etc/racoon";
path    certificate "/usr/local/etc/racoon/certs";      #location of cert files
path    pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
log     debug;                                          #log verbosity setting: set to 'notify' when testing and debugging is complete
#
### ### ### ##### ### ### ###

padding # options are not to be changed
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}
 
timer   # timing options. change as needed
{
        counter         5;
        interval        20 sec;
        persend         1;
        natt_keepalive  20 sec;
        phase1          120 sec;
        phase2          60 sec;
}
 
listen  # address [port] that racoon will listening on
{
#
### CHANGEME // ###
        isakmp          $EASYIPSECGETIFIPCONF [500];
        isakmp_natt     $EASYIPSECGETIFIPCONF [4500];
### // CHANGEME ###
#
}

remote $EASYIPSECSERVERIPVALUE
{
        # ph1id 1;
        exchange_mode   main;
        doi             ipsec_doi;
        situation       identity_only;

        peers_identifier address $EASYIPSECSERVERIPVALUE;
        verify_identifier on;
        verify_cert off;
        weak_phase1_check on;

        passive         off;
        proposal_check  strict;

        ike_frag on;
        nonce_size 16;
        support_proxy on;
        generate_policy off;

        nat_traversal   force;
	dpd_delay 30;
	dpd_retry 10;
	dpd_maxfail 10;

                        proposal {
                                dh_group                16;
                                lifetime time           600 sec;
                                encryption_algorithm    aes 256;
                                hash_algorithm          sha512;
                                authentication_method   pre_shared_key;
                        }
}

sainfo (address $EASYIPSECCLIENTIPVALUE/32 any address $EASYIPSECDESTNETVALUE/24 any)
{
        # remoteid 1;
        pfs_group       16;
        lifetime        time       300 sec;
        encryption_algorithm       aes 256;
        authentication_algorithm   hmac_sha512;
        compression_algorithm      deflate;
}

#
### ### ### ### ### ### ### ### ###
# EOF
CONF
)
#
/bin/chmod 0600 /usr/local/etc/racoon/racoon.conf
#
### // modify /usr/local/etc/racoon/racoon.conf

### start ipsec //
#
(
dialog --title "Delete Racoon-Logs" --backtitle "Delete Racoon-Logs" --yesno "syslog can be very slow, do you want delete racoon logs before ?" 7 60

response=$?
case $response in
   0)
      /bin/echo "" > /var/log/racoon.log
      /bin/echo ""
      /bin/echo "System-Logs deleted!"
;;
   1)
      /bin/echo ""
      /bin/echo "System-Logs not deleted."
;;
   255)
      /bin/echo ""
      /bin/echo "[ESC] key pressed."
;;
esac
#
)
#
(
/bin/echo ""
/bin/echo "Starting IPsec"
sleep 1
/bin/echo ""
/usr/sbin/service racoon stop
/usr/sbin/service ipsec stop
sleep 1
/bin/echo ""
/usr/sbin/service ipsec start
/usr/sbin/service racoon start
sleep 1
/bin/echo ""
)
#

### ipsec test //
#
#(
EASYIPSECSERVERTEST="/tmp/easy_ipsec_server_test.txt"
touch $EASYIPSECSERVERTEST
/bin/chmod 0600 $EASYIPSECSERVERTEST

dialog --inputbox "Enter your VPN IPsec Server forwarding interface IP: (for example 172.31.254.254)" 8 85 2>$EASYIPSECSERVERTEST

EASYIPSECSERVERTESTVALUE=$(sed 's/#//g' $EASYIPSECSERVERTEST | sed 's/%//g')

/sbin/ping -q -c5 "$EASYIPSECSERVERTESTVALUE" > /dev/null
if [ $? -eq 0 ]
then
      dialog --title "VPN IPsec Gateway Test" --backtitle "VPN IPsec Gateway Test" --msgbox "It works!" 0 0
      exit 0
else
      dialog --title "VPN IPsec Gateway Test" --backtitle "VPN IPsec Gateway Test" --msgbox "ERROR: can't ping!" 0 0
      /bin/echo ""
      /bin/echo "ERROR: server isn't responsive"
      exit 1
fi
#)
#
### // ipsec test

/bin/echo ""
/bin/echo "prepare racoon log ... wait a minute"
/bin/echo ""
sleep 15

egrep "established|WARNING" /var/log/racoon.log | tail -n 10 > /tmp/easy_ipsec_racoon_log.txt
#
RACOONLOG="/tmp/easy_ipsec_racoon_log.txt"
#
(
dialog --textbox "$RACOONLOG" 0 0
)
#
/bin/rm -rf "$EASYIPSECSERVERTEST"
#
### // start ipsec

### // stage2 ###

### stage3 // ###

### ipsec/openvpn relay setup // ###
#
#(
dialog --title "IPsec/OpenVPN Relay Network" --backtitle "IPsec/OpenVPN Relay Network" --yesno "if you have an IPsec/OpenVPN Relay Server-Setup Go ahead!" 7 70

OPENVPN=$?
case $OPENVPN in
   0)
      /bin/echo ""
;;
   1)
      /bin/echo ""
      #/bin/echo "no thanks!"
      /bin/echo "Have a nice day with IPsec"
###
# clean up
/bin/rm -rf /tmp/easy_ipsec*.txt
###
      exit 1
;;
   255)
      /bin/echo ""
      /bin/echo "[ESC] key pressed."
;;
esac
#)
#
(
dialog --title "IPsec/OpenVPN Relay Network" --backtitle "IPsec/OpenVPN Relay Network" --msgbox "its time now to establish a successful connection! ... than press OK" 8 80
)
#
### // ipsec/openvpn relay setup ###

### openvpn server // ###
#
EASYIPSECSERVEROVPNTEST="/tmp/easy_ipsec_server_openvpn_test.txt"
touch $EASYIPSECSERVEROVPNTEST
/bin/chmod 0600 $EASYIPSECSERVEROVPNTEST

dialog --inputbox "Enter your VPN OpenVPN Server forwarding interface IP: (for example 172.31.253.1)" 8 85 2>$EASYIPSECSERVEROVPNTEST

EASYIPSECSERVEROVPNTESTVALUE=$(sed 's/#//g' $EASYIPSECSERVEROVPNTEST | sed 's/%//g')
(
/sbin/ping -q -c5 "$EASYIPSECSERVEROVPNTESTVALUE" > /dev/null
if [ $? -eq 0 ]
then
      dialog --title "VPN OpenVPN Gateway Test" --backtitle "VPN OpenVPN Gateway Test" --msgbox "It works!" 0 0
      exit 0
else
      dialog --title "VPN OpenVPN Gateway Test" --backtitle "VPN OpenVPN Gateway Test" --msgbox "ERROR: can't ping!" 0 0
      /bin/echo ""
      /bin/echo "ERROR: server isn't responsive"
      exit 1
fi
)
##/bin/rm -rf $EASYIPSECSERVEROVPNTEST
#
### // openvpn server ###

### new default gateway // ###
#
EASYIPSECNETSTATOVPN="/tmp/easy_ipsec_server_openvpn_netstat.txt"
touch $EASYIPSECNETSTATOVPN
/bin/chmod 0600 $EASYIPSECNETSTATOVPN
#
dialog --title "IPsec/OpenVPN Relay Network" --backtitle "IPsec/OpenVPN Relay Network" --msgbox "it seems to work, lets change the default gateway!" 8 70
#
/sbin/route delete default > /dev/null 2>&1
/sbin/route delete 128.0.0.0/1 > /dev/null 2>&1
/sbin/route delete 0.0.0.0/1 > /dev/null 2>&1
#
/sbin/route add -net 128.0.0.0/1 "$EASYIPSECSERVEROVPNTESTVALUE" > /dev/null 2>&1
/sbin/route add -net 0.0.0.0/1 "$EASYIPSECSERVEROVPNTESTVALUE" > /dev/null 2>&1
#
###
/usr/bin/netstat -rn -f inet > "$EASYIPSECNETSTATOVPN"
###
#
dialog --textbox "$EASYIPSECNETSTATOVPN" 0 0
#
###
/bin/echo ""
/bin/echo "Have a nice day with IPsec and OpenVPN"
###
#
/bin/rm -rf $EASYIPSECNETSTATOVPN
#
### // new default gateway ###

### // stage3 ###

### stage4 // ###
#
(
# clean up
/bin/rm -rf /tmp/easy_ipsec*.txt
)
#
### // stage4 ###

### ### ### ### ### ### ### ### ###
   ;;
Linux)
   ### Linux ###
#
DEBIAN=$(grep "ID" /etc/os-release | egrep -v "VERSION" | sed 's/ID=//g')
DEBVERSION=$(grep "VERSION_ID" /etc/os-release | sed 's/VERSION_ID=//g' | sed 's/"//g')
#
case $DEBIAN in
debian)
### stage2 // ###
#
DEBPING=$(/usr/bin/dpkg -l | grep "iputils-ping" | awk '{print $2}')
DEBDIALOG=$(/usr/bin/which dialog)
DEBSTRONGSWAN=$(/usr/bin/dpkg -l | grep "strongswan-ikev1" | awk '{print $2}')
DEBOPENVPN=$(/usr/bin/dpkg -l | grep "openvpn" | awk '{print $2}')
DEBSPEAK1=$(/usr/bin/dpkg -l | grep "espeak" | awk '{print $2}')
DEBSPEAK2=$(/usr/bin/dpkg -l | grep "mbrola" | awk '{print $2}')
#
#/ spinner
spinner()
{
    local pid=$1
    local delay=0.01
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do
          local temp=${spinstr#?}
          printf " [%c]  " "$spinstr"
          local spinstr=$temp${spinstr%"$temp"}
          sleep $delay
          printf "\b\b\b\b\b\b"
    done
    printf "    \b\b\b\b"
}
#
### ### ### ### ### ### ### ### ###

if [ "$MYNAME" = root ]; then
   echo "" # dummy
else
   echo "<--- --- --->"
   echo ""
   echo "ERROR: You must be root to run this script"
   exit 1
fi

if [ "$DEBVERSION" = "8" ]; then
   : # dummy
else
   if [ "$DEBVERSION" = "9" ]; then
      : # dummy
   else
      echo "<--- --- --->"
      echo ""
      echo "ERROR: You need Debian 8 (Jessie) or 9 (Stretch) Version"
      exit 1
   fi
fi

if [ -z "$DEBPING" ]; then
    echo "<--- --- --->"
    echo "need iputils-ping"
    echo "<--- --- --->"
    # (
         apt-get update
         apt-get -y install iputils-ping
    # )
    echo "<--- --- --->"
    ### break // ###
    #/ echo ""
    #/ read "Press [Enter] key to continue..."
    ### // break ###
else
    : # dummy
fi

if [ -z "$DEBDIALOG" ]; then
   echo "<--- --- --->"
   echo "need dialog"
   echo "<--- --- --->"
   # (
        apt-get update
        apt-get -y install dialog
   # )
   echo "<--- --- --->"
   ### break // ###
   #/ echo ""
   #/ read "Press [Enter] key to continue..."
   ### // break ###
else
   : # dummy
fi

if [ -z "$DEBSTRONGSWAN" ]; then
   echo "<--- --- --->"
   echo "need strongswan-ikev1"
   echo "<--- --- --->"
   # (
        apt-get update
        apt-get -y install strongswan libstrongswan libstrongswan-standard-plugins libstrongswan-extra-plugins strongswan-charon strongswan-ike strongswan-ikev1 strongswan-ikev2
   # )
   echo "<--- --- --->"
   ### break // ###
   #/ echo ""
   #/ read "Press [Enter] key to continue..."
   ### // break ###
else
   : # dummy
fi

if [ -z "$DEBOPENVPN" ]; then
   echo "<--- --- --->"
   echo "need openvpn"
   echo "<--- --- --->"
   # (
        apt-get update
        apt-get -y install openvpn
   # )
   echo "<--- --- --->"
   ### break // ###
   #/ echo ""
   #/ read "Press [Enter] key to continue..."
   ### // break ###
else
   : # dummy
fi

if [ -z "$DEBSPEAK1" ]; then
   echo "<--- --- --->"
   echo "need espeak"
   echo "<--- --- --->"
   # (
        apt-get update
        apt-get -y install espeak
   # )
   echo "<--- --- --->"
   ### break // ###
   #/ echo ""
   #/ read "Press [Enter] key to continue..."
   ### // break ###
else
   : # dummy
fi

if [ -z "$DEBSPEAK2" ]; then
   echo "<--- --- --->"
   echo "need mbrola"
   echo "<--- --- --->"
   # (
        apt-get update
        apt-get -y install mbrola mbrola-us1 mbrola-us2 mbrola-us3
   # )
   echo "<--- --- --->"
   ### break // ###
   #/ echo ""
   #/ read "Press [Enter] key to continue..."
   ### // break ###
else
   : # dummy
fi

(
# clean up
/bin/rm -rf /tmp/easy_ipsec*.txt
)

(
### clean up - openvpn iptable rules // ##
#
CHECKIPSECIPTABLERULES0=$(iptables -S | grep -c "EASYIPSEC")
if [ "$CHECKIPSECIPTABLERULES0" = "1" ]
then
   ### ACCEPT // ###
   ###/ v4
   iptables -P INPUT ACCEPT
   iptables -P FORWARD ACCEPT
   iptables -P OUTPUT ACCEPT
   ##/ v6
   ip6tables -P INPUT ACCEPT
   ip6tables -P FORWARD ACCEPT
   ip6tables -P OUTPUT ACCEPT
   ### // ACCEPT ###


   ### flush // ###
   ##/ v4
   iptables -F INPUT
   iptables -F FORWARD
   iptables -F OUTPUT
   iptables -t nat -F PREROUTING
   iptables -t nat -F POSTROUTING
   ##/ v6
   ip6tables -F INPUT
   ip6tables -F FORWARD
   ip6tables -F OUTPUT
   ip6tables -t nat -F PREROUTING
   ip6tables -t nat -F POSTROUTING
   ### // flush ###


   ### info // ###
   iptables -X EASYIPSEC > /dev/null 2>&1
   ip6tables -X EASYIPSEC > /dev/null 2>&1
   ###
   ip6tables -F ICMPv6 > /dev/null 2>&1
   ip6tables -D INPUT -p ipv6-icmp -j ICMPv6 > /dev/null 2>&1
   ip6tables -D OUTPUT -p ipv6-icmp -j ACCEPT > /dev/null 2>&1
   ip6tables -X ICMPv6 > /dev/null 2>&1
   ### // info ###
else
   : # dummy
fi
#
### // clean up - openvpn iptable rules ###
)

### stage2 // ###

EASYIPSECINTERFACE="/tmp/easy_ipsec_interface.txt"
touch $EASYIPSECINTERFACE

/bin/su -m pulse -c 'espeak -v mb-us1 "choose your public transport interface: (for example wlan0)"' > /dev/null 2>&1 &
dialog --inputbox "choose your public transport interface: (for example wlan0)" 8 70 2>$EASYIPSECINTERFACE

EASYIPSECINTERFACEVALUE=$(sed 's/#//g' $EASYIPSECINTERFACE | sed 's/%//g')

CHECKINTERFACE=$(ip a | egrep "UP" | awk '{print $2}' | sed 's/://' | egrep -v "lo" | tr '\n' ' ' | grep -Fc "$EASYIPSECINTERFACEVALUE")
if [ "$CHECKINTERFACE" = "1" ]; then
   : # dummy
else
   echo "" # dummy
   echo "" # dummy
   echo "[ERROR] interface not usable!"
   exit 1
fi

EASYIPSECCLIENTIP="/tmp/easy_ipsec_client_ip.txt"
touch $EASYIPSECCLIENTIP

/bin/su -m pulse -c 'espeak -v mb-us1 "Enter your Roadwarrior Client IP: (for example 10.0.0.1)"' > /dev/null 2>&1 &
dialog --inputbox "Enter your Roadwarrior Client IP: (for example 10.0.0.1)" 8 40 2>$EASYIPSECCLIENTIP

EASYIPSECDESTNET="/tmp/easy_ipsec_destination_net.txt"
touch $EASYIPSECDESTNET

/bin/su -m pulse -c 'espeak -v mb-us1 "Enter your VPN destination network: (for example 172.31.254.0)"' > /dev/null 2>&1 &
dialog --inputbox "Enter your VPN destination network: (for example 172.31.254.0)" 8 40 2>$EASYIPSECDESTNET

EASYIPSECCLIENTIPVALUE=$(sed 's/#//g' $EASYIPSECCLIENTIP | sed 's/%//g')
EASYIPSECDESTNETVALUE=$(sed 's/#//g' $EASYIPSECDESTNET | sed 's/%//g')
OLDINTERFACE=$(/bin/ip a | grep "$EASYIPSECCLIENTIPVALUE" | awk '{print $5}')

GIF2=50
(
while test $GIF2 != 150
do
echo $GIF2
echo "XXX"
echo "set ipsec local subnet address: ($GIF2 percent)"
echo "XXX"
#
### run //
/bin/ip addr del "$EASYIPSECCLIENTIPVALUE" dev "$OLDINTERFACE" > /dev/null 2>&1
/bin/ip addr add "$EASYIPSECCLIENTIPVALUE"/32 dev "$EASYIPSECINTERFACEVALUE" > /dev/null 2>&1
### // run
#
GIF2=$((GIF2 + 50))
sleep 1
done
) | dialog --title "set ipsec local subnet address" --gauge "set ipsec local subnet address" 20 70 0

EASYIPSECSERVERIP="/tmp/easy_ipsec_server_ip.txt"
touch $EASYIPSECSERVERIP

/bin/su -m pulse -c 'espeak -v mb-us1 "Enter your VPN IPsec Server IP:"' > /dev/null 2>&1 &
dialog --inputbox "Enter your VPN IPsec Server IP:" 8 40 2>$EASYIPSECSERVERIP

EASYIPSECLOCALGATEWAY="/tmp/easy_ipsec_local_gateway.txt"
touch $EASYIPSECLOCALGATEWAY

/bin/su -m pulse -c 'espeak -v mb-us1 "Enter your local gateway IP:"' > /dev/null 2>&1 &
dialog --inputbox "Enter your local gateway IP:" 8 40 2>$EASYIPSECLOCALGATEWAY

EASYIPSECSERVERIPVALUE=$(sed 's/#//g' $EASYIPSECSERVERIP | sed 's/%//g')
EASYIPSECLOCALGATEWAYVALUE=$(sed 's/#//g' $EASYIPSECLOCALGATEWAY | sed 's/%//g')

GIF3=50
(
while test $GIF3 != 150
do
echo $GIF3
echo "XXX"
echo "set direct vpn server route: ($GIF3 percent)"
echo "XXX"
#
### run //
/bin/netstat -rn4 | grep "$EASYIPSECSERVERIPVALUE" | awk '{print $2}' | xargs -L1 route del -host "$EASYIPSECSERVERIPVALUE" > /dev/null 2>&1
/sbin/route del -host "$EASYIPSECSERVERIPVALUE" > /dev/null 2>&1
/sbin/route add -host "$EASYIPSECSERVERIPVALUE" gw "$EASYIPSECLOCALGATEWAYVALUE" dev "$EASYIPSECINTERFACEVALUE" > /dev/null 2>&1
### // run
#
GIF3=$((GIF3 + 50))
sleep 1
done
) | dialog --title "generic tunnel interface" --gauge "set direct vpn server route" 20 70 0

### check vpn server //
#
/bin/echo ""

### initial "routed" connection // ###
(
/bin/ping -q -c4 "$EASYIPSECSERVERIPVALUE" > /dev/null
)
### // initial "routed" connection ###

/bin/ping -q -c5 "$EASYIPSECSERVERIPVALUE" > /dev/null
if [ $? -eq 0 ]
then
      /bin/echo ""
      #/ /bin/echo "server is responsive"
      /bin/su -m pulse -c 'espeak -v mb-us1 "server is responsive"' > /dev/null 2>&1 &
      printf "\033[1;32m[OK]\033[0m server is responsive \n"
      sleep 3
else
      /bin/echo ""
      #/ /bin/echo "ERROR: server isn't responsive"
      /bin/su -m pulse -c 'espeak -v mb-us1 "server is not responsive"' > /dev/null 2>&1 &
      printf "\033[1;33m[WARNING]\033[0m server isn't responsive \n"
      exit 1
fi

#
### // check vpn server

### modify /etc/ipsec.conf //
#
(
EASYIPSECGETIFIP=$(/bin/netstat -rnW4 | grep "$EASYIPSECSERVERIPVALUE" | awk '{print $8}' | xargs -L1 ifconfig | grep -w "inet" | awk '{print $2}' | sed 's/Adresse://g')

/bin/cat <<IPSECCONF > /etc/ipsec.conf
### ### ### PLITC ### ### ###

config setup
       strictcrlpolicy=yes

conn %default
     ikelifetime=10m
     keylife=5m
     rekeymargin=1m
     keyingtries=1
     keyexchange=ikev1

conn roadwarrior
     left=%any
     leftsubnet=$EASYIPSECCLIENTIPVALUE/32
     leftauth=psk
     leftsendcert=never
     leftfirewall=yes
     type=tunnel
     right=$EASYIPSECSERVERIPVALUE
     rightsubnet=$EASYIPSECDESTNETVALUE/24
     rightauth=psk
     auto=route
     forceencaps=yes
     compress=no
     dpddelay=30
     dpdtimeout=10
     dpdaction=clear
     ike=aes256-sha512-modp4096!
     esp=aes256-sha512-modp4096!
     leftikeport=4500
     rightikeport=4500

### ### ### PLITC ### ### ###
# EOF
IPSECCONF
)
#
/bin/chmod 0600 /etc/ipsec.conf
#
### // modify /etc/ipsec.conf

### modify /etc/ipsec.secrets //
#
(
EASYIPSECSERVERPSK="/tmp/easy_ipsec_server_psk.txt"
touch $EASYIPSECSERVERPSK
/bin/chmod 0600 $EASYIPSECSERVERPSK

/bin/su -m pulse -c 'espeak -v mb-us1 "Enter your VPN IPsec Server Pre-shared key: (without spaces and pound)"' > /dev/null 2>&1 &
dialog --inputbox "Enter your VPN IPsec Server Pre-shared key: (without spaces and pound)" 8 85 2>$EASYIPSECSERVERPSK

EASYIPSECSERVERPSKVALUE=$(sed 's/#//g' $EASYIPSECSERVERPSK | sed 's/%//g')

/bin/cat <<PSK > /etc/ipsec.secrets
### ### ### PLITC ### ### ###
#
$EASYIPSECSERVERIPVALUE : PSK "$EASYIPSECSERVERPSKVALUE"
#
### ### ### PLITC ### ### ###
# EOF
PSK

/bin/chmod 0600 /etc/ipsec.secrets > /dev/null 2>&1
if [ $? -eq 0 ]
then
   : # dummy
else
   CHECKATTRIPSECSECRETS=$(lsattr /etc/ipsec.secrets | awk '{print $1}' | grep -c "i")
   if [ "$CHECKATTRIPSECSECRETS" = "1" ]; then
      echo "" # dummy
      /bin/su -m pulse -c 'espeak -v mb-us1 "WARNING your ipsec.secrets file has an immutable flag!"' > /dev/null 2>&1 &
      printf "\033[1;31m[WARNING] /etc/ipsec.secrets has immutable flag!\033[0m\n"
      echo "" # dummy
      sleep 4
   fi
fi
/bin/rm $EASYIPSECSERVERPSK
)
#
### // modify /etc/ipsec.secrets

### start ipsec //
#
(
/bin/echo ""
/bin/echo "Starting IPsec"
sleep 1
/bin/echo ""
/bin/systemctl restart strongswan
sleep 1
/bin/echo ""
/bin/systemctl status strongswan
sleep 1
/bin/echo ""
/usr/sbin/ipsec statusall
sleep 5
/bin/echo ""
)
#

### ipsec test //
#
#(
EASYIPSECSERVERTEST="/tmp/easy_ipsec_server_test.txt"
touch $EASYIPSECSERVERTEST
/bin/chmod 0600 $EASYIPSECSERVERTEST

/bin/su -m pulse -c 'espeak -v mb-us1 "Enter your VPN IPsec Server forwarding interface IP: (for example 172.31.254.254)"' > /dev/null 2>&1 &
dialog --inputbox "Enter your VPN IPsec Server forwarding interface IP: (for example 172.31.254.254)" 8 85 2>$EASYIPSECSERVERTEST

EASYIPSECSERVERTESTVALUE=$(sed 's/#//g' $EASYIPSECSERVERTEST | sed 's/%//g')

/bin/ping -q -c5 "$EASYIPSECSERVERTESTVALUE" > /dev/null
if [ $? -eq 0 ]
then
      #/ dialog --title "VPN IPsec Gateway Test" --backtitle "VPN IPsec Gateway Test" --msgbox "It works!" 0 0
      echo "" # dummy
      echo "" # dummy
      /bin/su -m pulse -c 'espeak -v mb-us1 "server is responsive"' > /dev/null 2>&1 &
      printf "\033[1;32m[OK]\033[0m server is responsive \n"
      sleep 2
else
      #/ dialog --title "VPN IPsec Gateway Test" --backtitle "VPN IPsec Gateway Test" --msgbox "ERROR: can't ping!" 0 0
      echo "" # dummy
      echo "" # dummy
      /bin/su -m pulse -c 'espeak -v mb-us1 "server is not responsive"' > /dev/null 2>&1 &
      printf "\033[1;33m[WARNING]\033[0m server isn't responsive \n"
      exit 1
fi
#)
#
### // ipsec test


systemctl status strongswan > /tmp/easy_ipsec_racoon_log.txt
#
RACOONLOG="/tmp/easy_ipsec_racoon_log.txt"
#
(
dialog --textbox "$RACOONLOG" 0 0
)
#
/bin/rm -rf "$EASYIPSECSERVERTEST"
#
### // start ipsec

### // stage2 ###

### ipsec iptable rules // ###
#
#(
/bin/su -m pulse -c 'espeak -v mb-us1 "do you want allow (ipv4) ipsec only traffic?"' > /dev/null 2>&1 &
dialog --title "IPsec restrictive Firewall Rules" --backtitle "IPsec restrictive Firewall Rules" --yesno "do you want allow (ipv4) ipsec only traffic?" 7 70

IPSECFIREWALL=$?
case $IPSECFIREWALL in
  0)
     #/ ###
     #/ #/ clean up
     #/ /bin/rm -rf /tmp/easy_ipsec*.txt
     #/ ###
     #
     sleep 2
     #
### ACCEPT // ###
###/ v4
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
##/ v6
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
### // ACCEPT ###


### flush // ###
##/ v4
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
##/ v6
ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -F OUTPUT
ip6tables -t nat -F PREROUTING
ip6tables -t nat -F POSTROUTING
### // flush ###


### ALLOW: loopback interface // ###
##/ v4
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
##/ v6
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
### // ALLOW: loopback interface ###


### ALLOW: from any to me DHCP // ###
iptables -A INPUT -i "$EASYIPSECINTERFACEVALUE" -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -A OUTPUT -o "$EASYIPSECINTERFACEVALUE" -p udp --dport 67:68 --sport 67:68 -j ACCEPT
### // ALLOW: from any to me DHCP ###


### ALLOW: Internet Protocol v6 ICMP // ###
ip6tables -N ICMPv6
ip6tables -A INPUT -i "$EASYIPSECINTERFACEVALUE" -p icmpv6 -j ICMPv6
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type redirect -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 141 -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 142 -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 148 -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 149 -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 151 -s fe80::/10 -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 152 -s fe80::/10 -j ACCEPT
ip6tables -A ICMPv6 -p icmpv6 --icmpv6-type 153 -s fe80::/10 -j ACCEPT
ip6tables -A ICMPv6 -j RETURN
ip6tables -A OUTPUT -o "$EASYIPSECINTERFACEVALUE" -p icmpv6 -j ACCEPT
### // ALLOW: Internet Protocol v6 ICMP ###


### ALLOW: from me to any SSH // ###
##/ v4
iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
##/ v6
ip6tables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
### // ALLOW: from me to any SSH ###


### ALLOW: from me to any SMB/CIFS // ###
##/ v4
iptables -A INPUT -p tcp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
##/ v6
ip6tables -A INPUT -p tcp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
### // ALLOW: from me to any SMB/CIFS ###


### ALLOW: from any to any ICMP // ###
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s 0/0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -s 0/0 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
if [ $? -eq 0 ]
then
   : # dummy
else
    iptables -A OUTPUT -p icmp --icmp-type 8 -s 0/0 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
fi
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
### // ALLOW: from any to any ICMP ###


### ALLOW: ipsec encapsulation // ###
##/ v4
##/ IKE negotiations
iptables -A INPUT  -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
##/ IKE negotiations over nat
iptables -A INPUT  -p udp --sport 4500 --dport 4500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
##/ ESP encrypton and authentication
iptables -A INPUT  -p 50 -j ACCEPT
iptables -A OUTPUT -p 50 -j ACCEPT
##/ uncomment for AH authentication header
#/ iptables -A INPUT  -p 51 -j ACCEPT
#/ iptables -A OUTPUT -p 51 -j ACCEPT
##/ v6
##/ IKE negotiations
ip6tables -A INPUT  -p udp --sport 500 --dport 500 -j ACCEPT
ip6tables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
##/ IKE negotiations over nat
#/ iptables -A INPUT  -p udp --sport 4500 --dport 4500 -j ACCEPT
#/ iptables -A OUTPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
##/ ESP encrypton and authentication
ip6tables -A INPUT  -p 50 -j ACCEPT
ip6tables -A OUTPUT -p 50 -j ACCEPT
##/ uncomment for AH authentication header
#/ iptables -A INPUT  -p 51 -j ACCEPT
#/ iptables -A OUTPUT -p 51 -j ACCEPT
### // ALLOW: ipsec encapsulation ###


### ALLOW: ipsec policy // ###
iptables -A FORWARD -s "$EASYIPSECDESTNETVALUE"/24 -d "$EASYIPSECCLIENTIPVALUE"/32 -i "$EASYIPSECINTERFACEVALUE" -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
iptables -A FORWARD -s "$EASYIPSECCLIENTIPVALUE"/32 -d "$EASYIPSECDESTNETVALUE"/24 -o "$EASYIPSECINTERFACEVALUE" -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
### // ALLOW: ipsec policy ###


### ALLOW: through ipsec // ###
iptables -A INPUT -m policy --pol ipsec --dir in -j ACCEPT
iptables -A OUTPUT -m policy --pol ipsec --dir out -j ACCEPT
### // ALLOW: through ipsec ###


### info // ###
iptables -N EASYIPSEC > /dev/null 2>&1
ip6tables -N EASYIPSEC > /dev/null 2>&1
### // info ###


### DROP: igmp // ###
##/ v4
iptables -A INPUT -p igmp -j DROP
iptables -A OUTPUT -p igmp -j DROP
##/ v6
ip6tables -A INPUT -p igmp -j DROP
ip6tables -A OUTPUT -p igmp -j DROP
### // DROP: igmp ###


### DROP: broadcast/multicast // ###
##/ v4
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -m pkttype --pkt-type multicast -j DROP
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
iptables -A OUTPUT -s 224.0.0.0/4 -j DROP
iptables -A OUTPUT -d 224.0.0.0/4 -j DROP
iptables -A OUTPUT -s 240.0.0.0/5 -j DROP
iptables -A OUTPUT -m pkttype --pkt-type multicast -j DROP
iptables -A OUTPUT -m pkttype --pkt-type broadcast -j DROP
##/ v6
ip6tables -A INPUT -m pkttype --pkt-type multicast -j DROP
ip6tables -A OUTPUT -m pkttype --pkt-type multicast -j DROP
### // DROP: broadcast/multicast ###


### DROP // ###
##/ v4
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
##/ v6
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
### // DROP ###
     #
;;
  1)
     /bin/echo "" # dummy
     printf "\033[1;31mIPsec finished\033[0m\n"
     ###
     #/ clean up
     /bin/rm -rf /tmp/easy_ipsec*.txt
     ###
;;
255)
     /bin/echo "" # dummy
     /bin/echo "[ESC] key pressed."
     /bin/echo "" # dummy
     printf "\033[1;31mIPsec finished\033[0m\n"
     ###
     #/ clean up
     /bin/rm -rf /tmp/easy_ipsec*.txt
     ###
;;
esac
#)
#
### // ipsec iptable rules ###

### stage3 // ###

### ipsec/openvpn relay setup // ###
#
#(
/bin/su -m pulse -c 'espeak -v mb-us1 "if you have an IPsec/OpenVPN Relay Server-Setup Go ahead!"' > /dev/null 2>&1 &
dialog --title "IPsec/OpenVPN Relay Network" --backtitle "IPsec/OpenVPN Relay Network" --yesno "if you have an IPsec/OpenVPN Relay Server-Setup Go ahead!" 7 70

OPENVPN=$?
case $OPENVPN in
  0)
     /bin/echo "" # dummy
     /bin/echo "" # dummy
;;
  1)
     /bin/echo "" # dummy
     /bin/echo "" # dummy
     printf "\033[1;31mHave a nice day with IPsec\033[0m\n"
     ###
     #/ clean up
     /bin/rm -rf /tmp/easy_ipsec*.txt
     ###
     exit 0
;;
255)
     /bin/echo "" # dummy
     /bin/echo "" # dummy
     /bin/echo "[ESC] key pressed."
;;
esac
#)
#
(
/bin/su -m pulse -c 'espeak -v mb-us1 "its time now to establish a successful connection! ... than press OK"' > /dev/null 2>&1 &
dialog --title "IPsec/OpenVPN Relay Network" --backtitle "IPsec/OpenVPN Relay Network" --msgbox "its time now to establish a successful connection! ... than press OK" 8 80
)
#
### // ipsec/openvpn relay setup ###

### openvpn connection // ###
#
EASYIPSECOVPNCONFIG1="/tmp/easy_ipsec_server_openvpn_config1.txt"
EASYIPSECOVPNCONFIG2="/tmp/easy_ipsec_server_openvpn_config2.txt"
EASYIPSECOVPNCONFIG3="/tmp/easy_ipsec_server_openvpn_config3.txt"
EASYIPSECOVPNCONFIG4="/tmp/easy_ipsec_server_openvpn_config4.txt"
EASYIPSECOVPNCONFIG5="/tmp/easy_ipsec_server_openvpn_config5.txt"

(
# clean up - systemctl
systemctl reset-failed
sleep 1
systemctl daemon-reload
sleep 1
)

systemctl --all | grep openvpn | awk '{print $1}' | egrep -v "system" > "$EASYIPSECOVPNCONFIG1"
nl "$EASYIPSECOVPNCONFIG1" | sed 's/ //g' > "$EASYIPSECOVPNCONFIG2"
/bin/sed 's/$/ off/' "$EASYIPSECOVPNCONFIG2" > "$EASYIPSECOVPNCONFIG3"

/bin/su -m pulse -c 'espeak -v mb-us1 "Choose one OpenVPN Service:"' > /dev/null 2>&1 &
dialog --radiolist "Choose one OpenVPN Service:" 45 80 60 --file "$EASYIPSECOVPNCONFIG3" 2>"$EASYIPSECOVPNCONFIG4"
list1=$?
case $list1 in
    0)
       echo "" # dummy
       echo "" # dummy
       awk 'NR==FNR {h[$1] = $2; next} {print $1,$2,h[$1]}' "$EASYIPSECOVPNCONFIG3" "$EASYIPSECOVPNCONFIG4" | awk '{print $2}' | sed 's/"//g' > "$EASYIPSECOVPNCONFIG5"
       GETSERVICE=$(cat "$EASYIPSECOVPNCONFIG5")
       systemctl restart "$GETSERVICE"
       (echo "systemctl restart $GETSERVICE"; sleep 10) & spinner $!
       : # dummy
    ;;
    1)
       echo "" # dummy
       echo "" # dummy
       exit 0
    ;;
  255)
       echo "" # dummy
       echo "" # dummy
       echo "[ESC] key pressed."
       exit 0
    ;;
esac
#
### // openvpn connection ###

### openvpn server // ###
#
EASYIPSECSERVEROVPNTEST="/tmp/easy_ipsec_server_openvpn_test.txt"
touch $EASYIPSECSERVEROVPNTEST
/bin/chmod 0600 $EASYIPSECSERVEROVPNTEST

/bin/su -m pulse -c 'espeak -v mb-us1 "Enter your VPN OpenVPN Server forwarding interface IP: (for example 172.31.253.1)"' > /dev/null 2>&1 &
dialog --inputbox "Enter your VPN OpenVPN Server forwarding interface IP: (for example 172.31.253.1)" 8 85 2>$EASYIPSECSERVEROVPNTEST

EASYIPSECSERVEROVPNTESTVALUE=$(sed 's/#//g' $EASYIPSECSERVEROVPNTEST | sed 's/%//g')

/bin/ping -q -c5 "$EASYIPSECSERVEROVPNTESTVALUE" > /dev/null
if [ $? -eq 0 ]
then
      #/ dialog --title "VPN OpenVPN Gateway Test" --backtitle "VPN OpenVPN Gateway Test" --msgbox "It works!" 0 0
      echo "" # dummy
      echo "" # dummy
      /bin/su -m pulse -c 'espeak -v mb-us1 "server is responsive"' > /dev/null 2>&1 &
      printf "\033[1;32m[OK]\033[0m server is responsive \n"
      sleep 2
else
      #/ dialog --title "VPN OpenVPN Gateway Test" --backtitle "VPN OpenVPN Gateway Test" --msgbox "ERROR: can't ping!" 0 0
      echo "" # dummy
      echo "" # dummy
      /bin/su -m pulse -c 'espeak -v mb-us1 "server is not responsive"' > /dev/null 2>&1 &
      printf "\033[1;33m[WARNING]\033[0m server isn't responsive \n"
      exit 1
fi

##/bin/rm -rf $EASYIPSECSERVEROVPNTEST
#
### // openvpn server ###

### new default gateway // ###
#
EASYIPSECNETSTATOVPN1="/tmp/easy_ipsec_server_openvpn_netstat1.txt"
touch $EASYIPSECNETSTATOVPN1
/bin/chmod 0600 $EASYIPSECNETSTATOVPN1
EASYIPSECNETSTATOVPN2="/tmp/easy_ipsec_server_openvpn_netstat2.txt"
touch $EASYIPSECNETSTATOVPN2
/bin/chmod 0600 $EASYIPSECNETSTATOVPN2
#
/bin/su -m pulse -c 'espeak -v mb-us1 "it seems to work, lets change the default gateway!"' > /dev/null 2>&1 &
dialog --title "IPsec/OpenVPN Relay Network" --backtitle "IPsec/OpenVPN Relay Network" --msgbox "it seems to work, lets change the default gateway!" 8 70
#
#/ /sbin/route del default > /dev/null 2>&1
/sbin/route del -net 128.0.0.0/1 > /dev/null 2>&1
/sbin/route del -net 0.0.0.0/1 > /dev/null 2>&1
#
#/ EASYIPSECOVPNSUBNET=$(echo "$EASYIPSECSERVEROVPNTESTVALUE" | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.' | sed 's/$/0/')
EASYIPSECOVPNSUBNETSMALL=$(echo "$EASYIPSECSERVEROVPNTESTVALUE" | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
EASYIPSECOVPNINTERFACE=$(netstat -rn4 | grep "$EASYIPSECOVPNSUBNETSMALL" | head -n1 | awk '{print $8}')
/bin/ip r a "$EASYIPSECSERVEROVPNTESTVALUE"/32 dev "$EASYIPSECOVPNINTERFACE"
/bin/ip r a 0.0.0.0/1 via "$EASYIPSECSERVEROVPNTESTVALUE" > /dev/null 2>&1
/bin/ip r a 128.0.0/1 via "$EASYIPSECSERVEROVPNTESTVALUE" > /dev/null 2>&1
#

### openvpn iptable rules // ##
#
CHECKIPSECIPTABLERULES=$(iptables -S | grep -c "EASYIPSEC")
if [ "$CHECKIPSECIPTABLERULES" = "1" ]
then
    ##/ v4
    iptables -A INPUT -i "$EASYIPSECOVPNINTERFACE" -j ACCEPT
    iptables -A OUTPUT -o "$EASYIPSECOVPNINTERFACE" -j ACCEPT
    ##/ v6
    ip6tables -A INPUT -i "$EASYIPSECOVPNINTERFACE" -j ACCEPT
    ip6tables -A OUTPUT -o "$EASYIPSECOVPNINTERFACE" -j ACCEPT
    #/ check minidlna
    CHECKIPSECOVPNMINIDLNA=$(dpkg -l | grep -c "minidlna")
    if [ "$CHECKIPSECOVPNMINIDLNA" = "1" ]
    then
       CHECKIPSECOVPNMINIDLNASERVICE=$(systemctl status minidlna | grep -c "running")
       if [ "$CHECKIPSECOVPNMINIDLNASERVICE" = "1" ]
       then
          iptables -A INPUT -i "$EASYIPSECINTERFACEVALUE" -p udp --dport 1900 -j ACCEPT
          iptables -A OUTPUT -o "$EASYIPSECINTERFACEVALUE" -p udp --sport 1900 -j ACCEPT
          iptables -A INPUT -i "$EASYIPSECINTERFACEVALUE" -p tcp --dport 8200 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
          iptables -A OUTPUT -o "$EASYIPSECINTERFACEVALUE" -p tcp --sport 8200 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
          ip6tables -A INPUT -i "$EASYIPSECINTERFACEVALUE" -p udp --dport 1900 -j ACCEPT
          ip6tables -A OUTPUT -o "$EASYIPSECINTERFACEVALUE" -p udp --sport 1900 -j ACCEPT
          ip6tables -A INPUT -i "$EASYIPSECINTERFACEVALUE" -p tcp --dport 8200 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
          ip6tables -A OUTPUT -o "$EASYIPSECINTERFACEVALUE" -p tcp --sport 8200 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
          ##/ v4
          iptables -D INPUT -s 224.0.0.0/4 -j DROP
          iptables -D INPUT -d 224.0.0.0/4 -j DROP
          iptables -D INPUT -s 240.0.0.0/5 -j DROP
          iptables -D INPUT -m pkttype --pkt-type multicast -j DROP
          iptables -D INPUT -m pkttype --pkt-type broadcast -j DROP
          iptables -D OUTPUT -s 224.0.0.0/4 -j DROP
          iptables -D OUTPUT -d 224.0.0.0/4 -j DROP
          iptables -D OUTPUT -s 240.0.0.0/5 -j DROP
          iptables -D OUTPUT -m pkttype --pkt-type multicast -j DROP
          iptables -D OUTPUT -m pkttype --pkt-type broadcast -j DROP
          ##/ v6
          ip6tables -D INPUT -m pkttype --pkt-type multicast -j DROP
          ip6tables -D OUTPUT -m pkttype --pkt-type multicast -j DROP
       fi
    fi
    #/ check local unbound
    CHECKIPSECOVPNUNBOUND=$(dpkg -l | grep -c "unbound")
    if [ "$CHECKIPSECOVPNUNBOUND" = "1" ]
    then
       CHECKIPSECOVPNUNBOUNDSERVICE=$(systemctl status unbound | grep -c "running")
       if [ "$CHECKIPSECOVPNUNBOUNDSERVICE" = "1" ]
       then
          #/ systemctl restart unbound
          systemctl stop unbound
          sleep 2
          systemctl start unbound
       fi
    fi
    #/ static ARP
    GETIPSECSERVERGATEWAYFORMAT=$(echo "$EASYIPSECSERVERIPVALUE" | grep -cEo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
    if [ "$GETIPSECSERVERGATEWAYFORMAT" = "0" ]
    then
       #/ fqdn
       GETIPSECGATEWAYFQDN=$(netstat -r4 | awk '{print $1,$2}' | grep "$(echo "$EASYIPSECSERVERIPVALUE" | cut -c 1,2,3,4,5,6)" | awk '{print $2}')
       GETIPSECGATEWAYFQDNMAC=$(arp -n | grep "$GETIPSECGATEWAYFQDN" | awk '{print $3}')
       arp -s "$GETIPSECGATEWAYFQDN" "$GETIPSECGATEWAYFQDNMAC"
    else
       #/ ip address
       GETIPSECGATEWAY=$(netstat -rn4 | grep "$EASYIPSECSERVERIPVALUE" | awk '{print $2}')
       GETIPSECGATEWAYMAC=$(arp -n | grep "$GETIPSECGATEWAY" | awk '{print $3}')
       arp -s "$GETIPSECGATEWAY" "$GETIPSECGATEWAYMAC"
   fi
else
    : # dummy
fi
#
### // openvpn iptable rules ###

###
/bin/netstat -rn4 > "$EASYIPSECNETSTATOVPN1"
/bin/netstat -rn6 > "$EASYIPSECNETSTATOVPN2"
###
#
dialog --textbox "$EASYIPSECNETSTATOVPN1" 0 0
dialog --textbox "$EASYIPSECNETSTATOVPN2" 0 0
#
###
/bin/echo "" # dummy
/bin/echo "" # dummy
/bin/su -m pulse -c 'espeak -v mb-us1 "Have a nice day with Internet Protocol Security and OpenVPN"' > /dev/null 2>&1 &
printf "\033[1;31mHave a nice day with IPsec and OpenVPN\033[0m\n"
###
#
#HUHU /bin/rm -rf "$EASYIPSECNETSTATOVPN1"
#
### // new default gateway ###

### // stage3 ###

### stage4 // ###
#
(
# clean up
/bin/rm -rf /tmp/easy_ipsec*.txt
)
#
### // stage4 ###

### ### ### ### ### ### ### ### ###
   ;;
*)
   # error 1
   echo "<--- --- --->"
   echo ""
   echo "ERROR: Plattform = unknown"
   exit 1
   ;;
esac
### ### ### ### ### ### ### ### ###
   ;;
*)
   # error 1
   echo "<--- --- --->"
   echo ""
   echo "ERROR: Plattform = unknown"
   exit 1
   ;;
esac

#
### // stage1 ###


### ### ### PLITC ### ### ###
# EOF