Permalink
Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign up
972d0ba
Apr 30, 2018
5 contributors
Users who have contributed to this file
| #!/bin/sh | |
| # | |
| # voodoo-vpn.sh: Amazon EC2 user-data file for automatic configuration of a VPN | |
| # on a Ubuntu server instance. Tested with 12.04. | |
| # | |
| # See http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md | |
| # | |
| # DO NOT RUN THIS SCRIPT ON YOUR MAC! THIS IS MEANT TO BE RUN WHEN | |
| # YOUR AMAZON INSTANCE STARTS! | |
| # | |
| # Copyright Thomas Sarlandie 2012 | |
| # | |
| # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 | |
| # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ | |
| # | |
| # Attribution required: please include my name in any derivative and let me | |
| # know how you have improved it! | |
| if [[ "`uname`" == "Darwin" ]]; then | |
| echo "Do not run this script on your mac! This script should only be run on a newly-created EC2 instance, after you have modified it to set the three variables below." | |
| exit 1 | |
| fi | |
| # Please define your own values for those variables | |
| IPSEC_PSK=very_unsecure_key | |
| VPN_USER=johndoe | |
| VPN_PASSWORD=unsecure | |
| # Those two variables will be found automatically | |
| PRIVATE_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4'` | |
| PUBLIC_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4'` | |
| apt-get install -y strongswan xl2tpd | |
| cat > /etc/ipsec.conf <<EOF | |
| version 2.0 | |
| config setup | |
| dumpdir=/var/run/pluto/ | |
| nat_traversal=yes | |
| virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10 | |
| oe=off | |
| protostack=netkey | |
| nhelpers=0 | |
| interfaces=%defaultroute | |
| conn vpnpsk | |
| auto=add | |
| left=$PRIVATE_IP | |
| leftid=$PUBLIC_IP | |
| leftsubnet=$PRIVATE_IP/32 | |
| leftnexthop=%defaultroute | |
| leftprotoport=17/1701 | |
| rightprotoport=17/%any | |
| right=%any | |
| rightsubnetwithin=0.0.0.0/0 | |
| forceencaps=yes | |
| authby=secret | |
| pfs=no | |
| type=transport | |
| auth=esp | |
| ike=3des-sha1 | |
| phase2alg=3des-sha1 | |
| dpddelay=30 | |
| dpdtimeout=120 | |
| dpdaction=clear | |
| EOF | |
| cat > /etc/ipsec.secrets <<EOF | |
| $PUBLIC_IP %any : PSK "$IPSEC_PSK" | |
| EOF | |
| cat > /etc/xl2tpd/xl2tpd.conf <<EOF | |
| [global] | |
| port = 1701 | |
| ;debug avp = yes | |
| ;debug network = yes | |
| ;debug state = yes | |
| ;debug tunnel = yes | |
| [lns default] | |
| ip range = 192.168.42.10-192.168.42.250 | |
| local ip = 192.168.42.1 | |
| require chap = yes | |
| refuse pap = yes | |
| require authentication = yes | |
| name = l2tpd | |
| ;ppp debug = yes | |
| pppoptfile = /etc/ppp/options.xl2tpd | |
| length bit = yes | |
| EOF | |
| cat > /etc/ppp/options.xl2tpd <<EOF | |
| ipcp-accept-local | |
| ipcp-accept-remote | |
| ms-dns 8.8.8.8 | |
| ms-dns 8.8.4.4 | |
| noccp | |
| auth | |
| crtscts | |
| idle 1800 | |
| mtu 1280 | |
| mru 1280 | |
| lock | |
| connect-delay 5000 | |
| EOF | |
| cat > /etc/ppp/chap-secrets <<EOF | |
| # Secrets for authentication using CHAP | |
| # client server secret IP addresses | |
| $VPN_USER l2tpd $VPN_PASSWORD * | |
| EOF | |
| iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE | |
| echo 1 > /proc/sys/net/ipv4/ip_forward | |
| iptables-save > /etc/iptables.rules | |
| cat > /etc/network/if-pre-up.d/iptablesload <<EOF | |
| #!/bin/sh | |
| iptables-restore < /etc/iptables.rules | |
| echo 1 > /proc/sys/net/ipv4/ip_forward | |
| exit 0 | |
| EOF | |
| chmod a+x /etc/network/if-pre-up.d/iptablesload | |
| ipsec restart | |
| /etc/init.d/xl2tpd restart |