Last active
May 9, 2017 18:39
-
-
Save 0x-2a/fc236cae7c2823623ddbc56b79c1a872 to your computer and use it in GitHub Desktop.
Revisions
-
y3sh revised this gist
May 9, 2017 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,5 +1,5 @@ { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Private vpn", "Mappings": { "AWSInstanceType2Arch": { -
May 9, 2017 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,326 @@ { "AWSTemplateFormatVersion": "2017-01-01", "Description": "Private vpn", "Mappings": { "AWSInstanceType2Arch": { "High.Speed.VPN-Paid": { "InstanceType": "t2.medium" }, "Standard.VPN-Free": { "InstanceType": "t2.micro" }, "Ultra.High.Speed.VPN-Paid": { "InstanceType": "m3.xlarge" } }, "AWSRegionArch2AMI": { "ap-northeast-1": { "HVM64": "ami-20b6aa21" }, "ap-southeast-1": { "HVM64": "ami-ca381398" }, "ap-southeast-2": { "HVM64": "ami-abeb9e91" }, "eu-central-1": { "HVM64": "ami-9a380b87" }, "eu-west-1": { "HVM64": "ami-234ecc54" }, "sa-east-1": { "HVM64": "ami-69f54974" }, "us-east-1": { "HVM64": "ami-9a562df2" }, "us-west-1": { "HVM64": "ami-5c120b19" }, "us-west-2": { "HVM64": "ami-29ebb519" }, "ap-south-1": { "HVM64": "ami-815625ee" }, "eu-west-2": { "HVM64": "ami-d6cbc1b2" }, "eu-west-2": { "HVM64": "ami-45eae021" }, "us-east-2": { "HVM64": "ami-41d48e24" } } }, "Outputs": { "VPNServerAddress": { "Description": "Use the IP as Server Address or VPN Host", "Value": { "Fn::Join": [ "", [ "", { "Fn::GetAtt": [ "VPNServerInstance", "PublicIp" ] } ] ] } } }, "Parameters": { "Speed": { "AllowedValues": [ "Standard.VPN-Free", "High.Speed.VPN-Paid", "Ultra.High.Speed.VPN-Paid" ], "Default": "Standard.VPN-Free", "Description": "Network Speed of VPN Server. Standard should do for most browsing and video.", "Type": "String" }, "Username": { "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters.", "Description": "VPN Username", "MaxLength": "255", "MinLength": "1", "Type": "String" }, "VPNPassword": { "ConstraintDescription": "must contain atleast 4 characters.", "Description": "VPN Password (Min 4 characters)", "MaxLength": "255", "MinLength": "4", "NoEcho": "true", "Type": "String" }, "VPNPhrase": { "ConstraintDescription": "must contain atleast 4 characters.", "Description": "Passphrase for IPSEC PSK (Min 4 characters)", "MaxLength": "255", "MinLength": "4", "NoEcho": "true", "Type": "String" } }, "Resources": { "VPNSecurityGroup": { "Properties": { "GroupDescription": "VPN Security Groups", "SecurityGroupIngress": [ { "CidrIp": "0.0.0.0/0", "FromPort": "500", "IpProtocol": "tcp", "ToPort": "500" }, { "CidrIp": "0.0.0.0/0", "FromPort": "500", "IpProtocol": "udp", "ToPort": "500" }, { "CidrIp": "0.0.0.0/0", "FromPort": "4500", "IpProtocol": "udp", "ToPort": "4500" }, { "CidrIp": "0.0.0.0/0", "FromPort": "1723", "IpProtocol": "tcp", "ToPort": "1723" }, { "CidrIp": "0.0.0.0/0", "FromPort": "1723", "IpProtocol": "udp", "ToPort": "1723" } ] }, "Type": "AWS::EC2::SecurityGroup" }, "VPNServerInstance": { "Properties": { "ImageId": { "Fn::FindInMap": [ "AWSRegionArch2AMI", { "Ref": "AWS::Region" }, "HVM64" ] }, "InstanceType": { "Fn::FindInMap": [ "AWSInstanceType2Arch", { "Ref": "Speed" }, "InstanceType" ] }, "SecurityGroups": [ { "Ref": "VPNSecurityGroup" } ], "UserData": { "Fn::Base64": { "Fn::Join": [ "", [ "#!/bin/sh\n", "VPN_USER=", { "Ref": "Username" }, "\n", "VPN_PASSWORD=", { "Ref": "VPNPassword" }, "\n", "IPSEC_PSK=", { "Ref": "VPNPhrase" }, "\n", "\n", "# Update server\n", "apt-get update && apt-get upgrade -y\n", "\n", "# VPN 1 - Setup L2TP-IPSEC\n", "PRIVATE_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4'`\n", "PUBLIC_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4'`\n", "\n", "apt-get install -y openswan xl2tpd\n", "\n", "cat > /etc/ipsec.conf <<EOF\n", "version 2.0\n", "\n", "config setup\n", " dumpdir=/var/run/pluto/\n", " nat_traversal=yes\n", " virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10\n", " oe=off\n", " protostack=netkey\n", " nhelpers=0\n", " interfaces=%defaultroute\n", "\n", "conn vpnpsk\n", " auto=add\n", " left=$PRIVATE_IP\n", " leftid=$PUBLIC_IP\n", " leftsubnet=$PRIVATE_IP/32\n", " leftnexthop=%defaultroute\n", " leftprotoport=17/1701\n", " rightprotoport=17/%any\n", " right=%any\n", " rightsubnetwithin=0.0.0.0/0\n", " forceencaps=yes\n", " authby=secret\n", " pfs=no\n", " type=transport\n", " auth=esp\n", " ike=3des-sha1\n", " phase2alg=3des-sha1\n", " dpddelay=30\n", " dpdtimeout=120\n", " dpdaction=clear\n", "EOF\n", "\n", "cat > /etc/ipsec.secrets <<EOF\n", "$PUBLIC_IP %any : PSK \"$IPSEC_PSK\"\n", "EOF\n", "\n", "cat > /etc/xl2tpd/xl2tpd.conf <<EOF\n", "[global]\n", "port = 1701\n", "\n", ";debug avp = yes\n", ";debug network = yes\n", ";debug state = yes\n", ";debug tunnel = yes\n", "\n", "[lns default]\n", "ip range = 192.168.42.10-192.168.42.250\n", "local ip = 192.168.42.1\n", "require chap = yes\n", "refuse pap = yes\n", "require authentication = yes\n", "name = l2tpd\n", ";ppp debug = yes\n", "pppoptfile = /etc/ppp/options.xl2tpd\n", "length bit = yes\n", "EOF\n", "\n", "cat > /etc/ppp/options.xl2tpd <<EOF\n", "ipcp-accept-local\n", "ipcp-accept-remote\n", "ms-dns 8.8.8.8\n", "ms-dns 8.8.4.4\n", "noccp\n", "auth\n", "crtscts\n", "idle 1800\n", "mtu 1280\n", "mru 1280\n", "lock\n", "connect-delay 5000\n", "EOF\n", "\n", "cat > /etc/ppp/chap-secrets <<EOF\n", "# Secrets for authentication using CHAP\n", "# client\tserver\tsecret\t\t\tIP addresses\n", "\n", "$VPN_USER\tl2tpd $VPN_PASSWORD *\n", "EOF\n", "\n", "iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE\n", "echo 1 > /proc/sys/net/ipv4/ip_forward\n", "\n", "iptables-save > /etc/iptables.rules\n", "\n", "cat > /etc/network/if-pre-up.d/iptablesload <<EOF\n", "#!/bin/sh\n", "iptables-restore < /etc/iptables.rules\n", "echo 1 > /proc/sys/net/ipv4/ip_forward\n", "exit 0\n", "EOF\n", "\n", "chmod a+x /etc/network/if-pre-up.d/iptablesload\n", "\n", "/etc/init.d/ipsec restart\n", "/etc/init.d/xl2tpd restart\n", "\n", "#VPN 2 - Setup PPTP Server\n", "apt-get install pptpd -y\n", "echo \"localip 10.0.0.1\" >> /etc/pptpd.conf\n", "echo \"remoteip 10.0.0.100-200\" >> /etc/pptpd.conf\n", "echo \"$VPN_USER pptpd $VPN_PASSWORD *\" >> /etc/ppp/chap-secrets\n", "echo \"ms-dns 8.8.8.8\" >> /etc/ppp/pptpd-options\n", "echo \"ms-dns 8.8.4.4\" >> /etc/ppp/pptpd-options\n", "service pptpd restart\n", "\n", "echo \"net.ipv4.ip_forward = 1\" >> /etc/sysctl.conf\n", "sysctl -p\n", "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE && iptables-save\n" ] ] } } }, "Type": "AWS::EC2::Instance" } } }