Permalink
Cannot retrieve contributors at this time
#!/bin/sh | |
# | |
# voodoo-vpn.sh: Amazon EC2 user-data file for automatic configuration of a VPN | |
# on a Ubuntu server instance. Tested with 12.04. | |
# | |
# See http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md | |
# | |
# DO NOT RUN THIS SCRIPT ON YOUR MAC! THIS IS MEANT TO BE RUN WHEN | |
# YOUR AMAZON INSTANCE STARTS! | |
# | |
# Copyright Thomas Sarlandie 2012 | |
# | |
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 | |
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/ | |
# | |
# Attribution required: please include my name in any derivative and let me | |
# know how you have improved it! | |
if [[ "`uname`" == "Darwin" ]]; then | |
echo "Do not run this script on your mac! This script should only be run on a newly-created EC2 instance, after you have modified it to set the three variables below." | |
exit 1 | |
fi | |
# Please define your own values for those variables | |
IPSEC_PSK=very_unsecure_key | |
VPN_USER=johndoe | |
VPN_PASSWORD=unsecure | |
# Those two variables will be found automatically | |
PRIVATE_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4'` | |
PUBLIC_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4'` | |
apt-get install -y strongswan xl2tpd | |
cat > /etc/ipsec.conf <<EOF | |
version 2.0 | |
config setup | |
dumpdir=/var/run/pluto/ | |
nat_traversal=yes | |
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10 | |
oe=off | |
protostack=netkey | |
nhelpers=0 | |
interfaces=%defaultroute | |
conn vpnpsk | |
auto=add | |
left=$PRIVATE_IP | |
leftid=$PUBLIC_IP | |
leftsubnet=$PRIVATE_IP/32 | |
leftnexthop=%defaultroute | |
leftprotoport=17/1701 | |
rightprotoport=17/%any | |
right=%any | |
rightsubnetwithin=0.0.0.0/0 | |
forceencaps=yes | |
authby=secret | |
pfs=no | |
type=transport | |
auth=esp | |
ike=3des-sha1 | |
phase2alg=3des-sha1 | |
dpddelay=30 | |
dpdtimeout=120 | |
dpdaction=clear | |
EOF | |
cat > /etc/ipsec.secrets <<EOF | |
$PUBLIC_IP %any : PSK "$IPSEC_PSK" | |
EOF | |
cat > /etc/xl2tpd/xl2tpd.conf <<EOF | |
[global] | |
port = 1701 | |
;debug avp = yes | |
;debug network = yes | |
;debug state = yes | |
;debug tunnel = yes | |
[lns default] | |
ip range = 192.168.42.10-192.168.42.250 | |
local ip = 192.168.42.1 | |
require chap = yes | |
refuse pap = yes | |
require authentication = yes | |
name = l2tpd | |
;ppp debug = yes | |
pppoptfile = /etc/ppp/options.xl2tpd | |
length bit = yes | |
EOF | |
cat > /etc/ppp/options.xl2tpd <<EOF | |
ipcp-accept-local | |
ipcp-accept-remote | |
ms-dns 8.8.8.8 | |
ms-dns 8.8.4.4 | |
noccp | |
auth | |
crtscts | |
idle 1800 | |
mtu 1280 | |
mru 1280 | |
lock | |
connect-delay 5000 | |
EOF | |
cat > /etc/ppp/chap-secrets <<EOF | |
# Secrets for authentication using CHAP | |
# client server secret IP addresses | |
$VPN_USER l2tpd $VPN_PASSWORD * | |
EOF | |
iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE | |
echo 1 > /proc/sys/net/ipv4/ip_forward | |
iptables-save > /etc/iptables.rules | |
cat > /etc/network/if-pre-up.d/iptablesload <<EOF | |
#!/bin/sh | |
iptables-restore < /etc/iptables.rules | |
echo 1 > /proc/sys/net/ipv4/ip_forward | |
exit 0 | |
EOF | |
chmod a+x /etc/network/if-pre-up.d/iptablesload | |
ipsec restart | |
/etc/init.d/xl2tpd restart |