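#!/usr/bin/env bash
#
# Set up a strongSwan IKEv2 VPN server on a Debian/Ubuntu host: EAP-MSCHAPv2
# user authentication, a Let's Encrypt server certificate, and SNAT for the
# client address pool.
#
# Usage: run as root. The script prompts for the VPN host name, the client
# address pool, and the VPN user name/password. The host name must already
# resolve to this machine and TCP port 80 must be reachable for the certbot
# standalone challenge.
set -euo pipefail

readonly LETSENCRYPT_DIR=/etc/letsencrypt
readonly DEPLOY_HOOK=$LETSENCRYPT_DIR/renewal-hooks/deploy/strongswan

die() { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warning: %s\n' "$*" >&2; }

#######################################
# Prompt for a value with an editable default pre-filled on the input line.
# Arguments: $1 - prompt text, $2 - default value
# Outputs:   the entered value, or the default when the input is empty
#######################################
prompt_default() {
  local prompt=$1 default=$2 value=
  # EOF on stdin (non-interactive run) keeps the default instead of aborting.
  read -r -e -i "$default" -p "$prompt" value || true
  printf '%s' "${value:-$default}"
}

#######################################
# Prompt for a secret without echoing it, so it does not end up in terminal
# scrollback or a session recording.
# Arguments: $1 - prompt text
# Outputs:   the entered value on stdout
#######################################
prompt_secret() {
  local prompt=$1 value=
  read -r -s -p "$prompt" value || true
  printf '\n' >&2
  printf '%s' "$value"
}

#######################################
# Append an iptables rule unless an identical rule is already present, so the
# script can be re-run without stacking duplicate rules.
# Arguments: $1 - table, $2 - chain, remaining - rule specification
#######################################
ipt_add() {
  local table=$1 chain=$2
  shift 2
  iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
    || iptables -t "$table" -A "$chain" "$@"
}

#######################################
# Hard-link the current Let's Encrypt files of one lineage into strongSwan's
# directories. ln -L links the *archive* file behind the live/ symlink, so the
# links go stale after a renewal and this must be repeated then (see the deploy
# hook written in main).
# Arguments: $1 - lineage directory (.../live/<host>)
#######################################
link_certs() {
  local live=$1
  ln -L -f -- "$live/cert.pem"    /etc/ipsec.d/certs/cert.pem
  ln -L -f -- "$live/chain.pem"   /etc/ipsec.d/cacerts/chain.pem
  ln -L -f -- "$live/privkey.pem" /etc/ipsec.d/private/privkey.pem
  # The hard link shares the archive key's inode; keep the key root-only.
  chmod 600 /etc/ipsec.d/private/privkey.pem
}

main() {
  (( EUID == 0 )) || die "this script must run as root"

  apt update || die "apt update failed"
  apt upgrade -y
  # net-tools is kept in the package list for operators; the script itself
  # only uses iproute2.
  apt install -y strongswan strongswan-pki libcharon-extra-plugins net-tools wget certbot
  # noninteractive: skip iptables-persistent's "save current rules?" dialogs.
  DEBIAN_FRONTEND=noninteractive apt-get -y install iptables-persistent

  local host_name local_subnet vpn_user vpn_pass
  host_name=$(prompt_default "VPN host name: " "vpn.example.com")
  local_subnet=$(prompt_default "NAT subnet info for clients of this VPN: " "172.19.240.0/20")
  vpn_user=$(prompt_default "VPN user name: " "VPN")
  # No default password: a fixed one would ship the same credential on every host.
  vpn_pass=$(prompt_secret "VPN password: ")
  [[ -n "$vpn_pass" ]] || die "VPN password must not be empty"
  # The password is written into ipsec.secrets inside double quotes, unescaped.
  [[ "$vpn_pass" != *'"'* ]] || die 'VPN password must not contain a double quote'

  # Source address and interface of the route towards the Internet: used as
  # the SNAT source and for the ESP input rule. Both come from the same
  # 'ip route get' answer so they cannot disagree.
  local route_line default_ip default_iface
  route_line=$(ip -o route get to 1.1.1.1) || die "cannot determine the default route"
  default_ip=$(sed -n 's/.*src \([0-9.]\+\).*/\1/p' <<<"$route_line")
  default_iface=$(sed -n 's/.*dev \([^ ]\+\).*/\1/p' <<<"$route_line")
  [[ -n "$default_ip" && -n "$default_iface" ]] \
    || die "cannot parse source address/interface from: $route_line"

  # Let's Encrypt intermediate as an extra trust anchor. Not fatal: the chain
  # that actually matches the issued certificate is linked below.
  local r3=/etc/ipsec.d/cacerts/lets-encrypt-r3.pem
  if ! wget -q https://letsencrypt.org/certs/lets-encrypt-r3.pem -O "$r3"; then
    rm -f -- "$r3"
    warn "could not download lets-encrypt-r3.pem; relying on chain.pem only"
  fi

  # --keep-until-expiring lets a re-run reuse a still-valid certificate
  # instead of re-issuing one.
  certbot certonly --standalone -d "$host_name" --rsa-key-size 2048 --staple-ocsp \
    --agree-tos --register-unsafely-without-email --keep-until-expiring \
    || die "certbot failed for $host_name"

  # Deliberately no 'chmod -R 755 /etc/letsencrypt': charon runs as root and
  # reads the key through the hard link, so the archive private key never
  # needs to be readable by other local users.
  link_certs "$LETSENCRYPT_DIR/live/$host_name"

  # Each renewal writes a new archive file; re-link and reload strongSwan then.
  # certbot runs every executable in renewal-hooks/deploy after a successful
  # renewal with RENEWED_LINEAGE set to the renewed lineage directory.
  install -d -m 755 "${DEPLOY_HOOK%/*}"
  cat > "$DEPLOY_HOOK" <<EOF
#!/usr/bin/env bash
# Generated by the VPN setup script: re-link the renewed Let's Encrypt files
# into /etc/ipsec.d and make strongSwan re-read them.
set -eu
live=\${RENEWED_LINEAGE:-$LETSENCRYPT_DIR/live/$host_name}
ln -L -f -- "\$live/cert.pem"    /etc/ipsec.d/certs/cert.pem
ln -L -f -- "\$live/chain.pem"   /etc/ipsec.d/cacerts/chain.pem
ln -L -f -- "\$live/privkey.pem" /etc/ipsec.d/private/privkey.pem
chmod 600 /etc/ipsec.d/private/privkey.pem
ipsec rereadall
EOF
  chmod 755 "$DEPLOY_HOOK"

  # Create the secrets file root-only *before* the password is written into it,
  # so there is no window where it exists with the default umask.
  install -m 600 /dev/null /etc/ipsec.secrets
  cat > /etc/ipsec.secrets <<EOF
${host_name} : RSA privkey.pem
${vpn_user} %any : EAP "${vpn_pass}"
EOF

  cat > /etc/ipsec.conf <<EOF
config setup
    uniqueids=never
    strictcrlpolicy=no

conn vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@${host_name}
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=1.1.1.1,8.8.8.8
    rightsourceip=${local_subnet}
    rightsendcert=never
    eap_identity=%identity
EOF

  cat > /etc/sysctl.d/ipsec.conf <<'EOF'
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.ip_no_pmtu_disc=1
net.ipv4.conf.all.rp_filter=1
EOF
  # A missing key (e.g. IPv6 disabled on the host) is reported, not fatal.
  sysctl -p /etc/sysctl.d/ipsec.conf || warn "some sysctl settings could not be applied"

  ipt_add filter FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  ipt_add filter FORWARD -s "$local_subnet" -j ACCEPT
  ipt_add filter INPUT -i "$default_iface" -p esp -j ACCEPT
  # IKE (UDP 500/4500) is not opened explicitly: this relies on the INPUT
  # chain's default policy accepting it. Add rules if that policy is DROP:
  #   ipt_add filter INPUT -i "$default_iface" -p udp --dport 500 -j ACCEPT
  #   ipt_add filter INPUT -i "$default_iface" -p udp --dport 4500 -j ACCEPT
  ipt_add nat POSTROUTING -s "$local_subnet" -o "$default_iface" -j SNAT --to-source "$default_ip"
  iptables-save > /etc/iptables/rules.v4

  ipsec restart
}

main "$@"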