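#!/usr/bin/env bash
#
# Provision a strongSwan IKEv2 VPN gateway (EAP-MSCHAPv2 user auth) with a
# Let's Encrypt server certificate obtained through acme.sh in standalone mode.
#
# Environment (all optional; defaults reproduce the original script's values):
#   MYDOMAIN      public DNS name of this gateway (must resolve to this host;
#                 acme.sh standalone mode needs TCP/80 reachable and free)
#   ACME_EMAIL    contact address registered with the ACME CA
#   WAN_IF        outbound interface used for NAT and MSS clamping
#   VPN_SUBNET    address pool handed out to VPN clients
#   VPN_USER      EAP user name written to /etc/ipsec.secrets
#   VPN_PASSWORD  EAP password written to /etc/ipsec.secrets (no double quotes)
#
# Must run as root on a freshly provisioned Debian/Ubuntu host. Appends to
# /etc/sysctl.conf and overwrites /etc/ipsec.conf and /etc/ipsec.secrets.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "this script must run as root"

MYDOMAIN="${MYDOMAIN:-vpn.domain.com}"
ACME_EMAIL="${ACME_EMAIL:-admin@vpn.domain.com}"
WAN_IF="${WAN_IF:-eth0}"
VPN_SUBNET="${VPN_SUBNET:-192.168.134.0/24}"
VPN_USER="${VPN_USER:-user}"
# NOTE(security): the original hard-coded this credential; the default is kept
# only for compatibility. Supply VPN_PASSWORD via the environment and rotate it.
VPN_PASSWORD="${VPN_PASSWORD:-PassworD}"
export MYDOMAIN

# cloud-init / unattended-upgrades may still hold the apt lock right after boot.
sleep 60
export DEBIAN_FRONTEND=noninteractive
apt-get -y update
apt-get -yq install socat strongswan-starter libcharon-extra-plugins \
  libstrongswan-extra-plugins libcharon-standard-plugins strongswan \
  strongswan-pki iptables-persistent
sleep 60

# NAT for decrypted client traffic leaving via $WAN_IF. Packets that are still
# policy-matched (headed back into the IPsec tunnel) are explicitly exempted
# from MASQUERADE so their source address stays intact.
iptables -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$WAN_IF" \
  -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$WAN_IF" -j MASQUERADE
# Clamp TCP MSS on forwarded SYNs so UDP-encapsulated ESP fits the path MTU.
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -s "$VPN_SUBNET" \
  -o "$WAN_IF" -p tcp -m tcp --tcp-flags SYN,RST SYN \
  -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
netfilter-persistent save

# Enable forwarding for the client pool; refuse to send or accept ICMP
# redirects (the gateway must not be steered around); disable PMTU discovery
# since the MSS clamp above handles fragmentation avoidance.
cat <<EOT >> /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.ip_no_pmtu_disc=1
EOT
sysctl -p

# Unquoted heredoc on purpose: $MYDOMAIN and $VPN_SUBNET must expand here.
cat <<EOT > /etc/ipsec.conf
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@$MYDOMAIN
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=$VPN_SUBNET
    rightdns=8.8.4.4,1.1.1.1
    rightsendcert=never
    eap_identity=%identity
EOT

# Write the credentials file under a restrictive umask so the EAP password is
# never world-readable, even momentarily; chmod covers a pre-existing file
# (umask does not change the mode of files that already exist).
(
  umask 077
  cat <<EOT > /etc/ipsec.secrets
: RSA "privkey.pem"
$VPN_USER : EAP "$VPN_PASSWORD"
EOT
)
chmod 600 /etc/ipsec.secrets

# Install acme.sh. The installer is downloaded to a temp file and run from
# there rather than piped straight from the network into sh, so a failed or
# truncated download cannot execute partially and the file can be inspected.
acme_installer="$(mktemp)" || die "mktemp failed"
trap 'rm -f -- "$acme_installer"' EXIT
curl -fsSL https://get.acme.sh -o "$acme_installer" || die "download of get.acme.sh failed"
sh -s "email=$ACME_EMAIL" < "$acme_installer"
sleep 15

# The installer places acme.sh in $HOME/.acme.sh; use an absolute path rather
# than relying on the current working directory.
acme_sh="${HOME:-/root}/.acme.sh/acme.sh"
[[ -x "$acme_sh" ]] || die "acme.sh not found at $acme_sh"
# Hooks re-tighten permissions on every issued/renewed PEM (the private key in
# particular) and restart ipsec after renewal so the new cert is loaded.
"$acme_sh" --no-color --issue --standalone -d "$MYDOMAIN" \
  --key-file /etc/ipsec.d/private/privkey.pem \
  --ca-file /etc/ipsec.d/cacerts/chain.pem \
  --cert-file /etc/ipsec.d/certs/cert.pem \
  --fullchain-file /etc/ipsec.d/certs/fullchain.pem \
  --post-hook "find /etc/ipsec.d/ -name '*.pem' -type f -exec chmod 600 {} \;" \
  --renew-hook "find /etc/ipsec.d/ -name '*.pem' -type f -exec chmod 600 {} \; -exec /usr/bin/systemctl restart ipsec \;"
sleep 5

systemctl enable ipsec
systemctl enable netfilter-persistent
ipsec restart
ipsec statusall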