├── vpn-ec2.id
├── vpn-ec2-terminate.sh
├── README.md
├── vpn-ec2-start.sh
└── vpn-ec2-install.sh


/vpn-ec2.id:
--------------------------------------------------------------------------------
1 | i-2e357364
2 | 


--------------------------------------------------------------------------------
/vpn-ec2-terminate.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | #to be run on my laptop
 3 | 
 4 | 
 5 | # create and start an instance
 6 | 
 7 | INSTANCE_FILE=$HOME/vpn-ec2.id
 8 | 
 9 | if [ ! -e $INSTANCE_FILE ]
10 | then
11 |     echo Missing $INSTANCE_FILE file
12 |     exit -1
13 | fi
14 | 
15 | 
16 | echo "Terminating Instance..."
17 | INSTANCE_ID=`cat $INSTANCE_FILE`
18 | 
19 | if [ -z $INSTANCE_ID ]
20 | then
21 |     echo Missing instance ID in $INSTANCE_FILE
22 |     exit -1
23 | fi
24 | 
25 | aws ec2 terminate-instances --instance-ids $INSTANCE_ID
26 | rm $INSTANCE_FILE
27 | 
28 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | AWSVPN
 2 | ======
 3 | 
 4 | License
 5 | -------
 6 | 
 7 | Licensed under the BSD 3 Clauses License (http://opensource.org/licenses/BSD-3-Clause)
 8 | 
 9 | Distributed on an "AS IS" basis without warranties or conditions of any kind, either express or implied.
10 | 
11 | Known Issue
12 | -----------
13 | 
14 | Modify the startup script to adapt to the AMI ID available in your region
15 | 
16 | How To ?
17 | --------
18 |   
19 | Start a private VPN server in the cloud. 
20 | 
21 | - vpn-ec2-start script is run from your computer.  It starts a machine on EC2
22 | - vpn-ec2-install script will be run from AWS' EC2 instance to setup VPN
23 | - vpn-ec2-terminate script is run from your computer to terminate (shutdown) the VPN server
24 | 
25 | THESE SCRIPTS MUST BE MODIFIED TO RUN IN YOUR ENVIRONMENT - PLEASE READ BELOW
26 | 
27 | The vpn-ec2-start script requires AWS CLI command line interface.
28 | - Intallation instructions : http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-set-up.html
29 | - Configuration Instructions : http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
30 | 
31 | Here is an example of my $HOME/.aws/config
32 | ```bash
33 | [default]
34 | aws_access_key_id = AK..OQ
35 | aws_secret_access_key = gj...T8
36 | region = eu-west-1
37 | ```
38 | 
39 | You also need the following 
40 | 
41 | - an account on AWS EC2 :-)
42 | - to define a ssh key pair in AWS console (or through the command line)
43 | - to define an AWS Security Group with the following rules :
44 |   - TCP 500 0.0.0.0/0
45 |   - UDP 500 0.0.0.0/0
46 |   - UDP 4500 0.0.0.0/0
47 | 
48 | vpn-ec2-start.sh must be modified 
49 | 
50 | - KEY_ID : change the name of the ssh key pair (line 9)
51 | - SEC_ID : change the name of the Security Group (line 10)
52 | 
53 | vpn-ec2-install.sh must be modified to include your VPN credentials 
54 | 
55 | - IPSEC_PSK - your shared secret (line 4)
56 | - VPN_USER - your VPN username (line 5)
57 | - VPN_PASSWORD - your VPN password (line 6)
58 | 
59 | Details about why and how to use these scripts are provided at http://www.stormacq.com/?p=534
60 | 


--------------------------------------------------------------------------------
/vpn-ec2-start.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -x
 2 | #to be run on my laptop
 3 | 
 4 | 
 5 | # create and start an instance
 6 | #AMI = AMZN Linux 64 Bits
 7 | #As of 24 dec 2013, the 64 Bits AMZN Linux AMI are
 8 | #"Mappings": {
 9 | #        "AWSRegionToAMI": {
10 | #            "us-east-1": { "AMI": "ami-bba18dd2" },
11 | #            "us-west-2": { "AMI": "ami-ccf297fc" },
12 | #            "us-west-1": { "AMI": "ami-a43909e1" },
13 | #            "eu-west-1": { "AMI": "ami-5256b825" },
14 | #            "ap-southeast-1": { "AMI": "ami-b4baeee6" },
15 | #            "ap-northeast-1": { "AMI": "ami-0d13700c" },
16 | #            "ap-southeast-2": { "AMI": "ami-5ba83761" },
17 | #            "sa-east-1": { "AMI": "ami-c99130d4" },
18 | #            "us-gov-west-1": { "AMI": "ami-97fb9fb4" }
19 | #        }
20 | #    }
21 | 
22 | AMI_ID=ami-5256b825 #must be adapted to your region (Amazon Linux, PV, 64 Bits, 2013.09.02, eu-west)
23 | KEY_ID=sst-aws
24 | SEC_ID=VPN
25 | BOOTSTRAP_SCRIPT=vpn-ec2-install.sh 
26 | 
27 | echo "Starting Instance..."
28 | INSTANCE_DETAILS=`aws ec2 run-instances --image-id $AMI_ID --key-name $KEY_ID --security-groups $SEC_ID --instance-type t1.micro --user-data file://./$BOOTSTRAP_SCRIPT --output text | grep INSTANCES`
29 | 
30 | INSTANCE_ID=`echo $INSTANCE_DETAILS | awk '{print $8}'`
31 | echo $INSTANCE_ID > $HOME/vpn-ec2.id 
32 | 
33 | # wait for instance to be started
34 | STATUS=`aws ec2 describe-instance-status --instance-ids $INSTANCE_ID --output text | grep INSTANCESTATUS | grep -v INSTANCESTATUSES | awk '{print $2}'`
35 | 
36 | while [ "$STATUS" != "ok" ]
37 | do
38 |     echo "Waiting for instance to start...."
39 |     sleep 5
40 |     STATUS=`aws ec2 describe-instance-status --instance-ids $INSTANCE_ID --output text | grep INSTANCESTATUS | grep -v INSTANCESTATUSES | awk '{print $2}'`
41 | done
42 | 
43 | echo "Instance started"
44 | 
45 | echo "Instance ID = " $INSTANCE_ID
46 | DNS_NAME=`aws ec2 describe-instances --instance-ids $INSTANCE_ID --output text | grep INSTANCES | awk '{print $15}'`
47 | AVAILABILITY_ZONE=`aws ec2 describe-instances --instance-ids $INSTANCE_ID --output text | grep PLACEMENT | awk '{print $2}'`
48 | echo "DNS = " $DNS_NAME " in availability zone " $AVAILABILITY_ZONE
49 | 
50 | 
51 | 


--------------------------------------------------------------------------------
/vpn-ec2-install.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/sh
  2 |  
  3 | # Please define your own values for those variables
  4 | IPSEC_PSK=SharedSecret
  5 | VPN_USER=username
  6 | VPN_PASSWORD=password
  7 |  
  8 | # Those two variables will be found automatically
  9 | PRIVATE_IP=`wget -q -O - 'http://instance-data/latest/meta-data/local-ipv4'`
 10 |  
 11 | #the following does not work in VPC
 12 | #PUBLIC_IP=`wget -q -O - 'http://instance-data/latest/meta-data/public-ipv4'`
 13 | #
 14 | # use http://169.254.169.254/latest/meta-data/network/interfaces/macs/06:79:3f:b2:49:20/ipv4-associations/ instead but depends on mac address :-(
 15 | #
 16 | PUBLIC_IP=`wget -q -O - 'checkip.amazonaws.com'`
 17 |  
 18 | yum install -y --enablerepo=epel openswan xl2tpd
 19 |  
 20 | cat > /etc/ipsec.conf <<EOF
 21 | version 2.0
 22 |  
 23 | config setup
 24 | 	dumpdir=/var/run/pluto/
 25 | 	nat_traversal=yes
 26 | 	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
 27 | 	oe=off
 28 | 	protostack=netkey
 29 | 	nhelpers=0
 30 | 	interfaces=%defaultroute
 31 | 
 32 | conn vpnpsk
 33 | 	auto=add
 34 | 	left=$PRIVATE_IP
 35 | 	leftid=$PUBLIC_IP
 36 | 	leftsubnet=$PRIVATE_IP/32
 37 | 	leftnexthop=%defaultroute
 38 | 	leftprotoport=17/1701
 39 | 	rightprotoport=17/%any
 40 | 	right=%any
 41 | 	rightsubnetwithin=0.0.0.0/0
 42 | 	forceencaps=yes
 43 | 	authby=secret
 44 | 	pfs=no
 45 | 	type=transport
 46 | 	auth=esp
 47 | 	ike=3des-sha1
 48 | 	phase2alg=3des-sha1
 49 | 	dpddelay=30
 50 | 	dpdtimeout=120
 51 | 	dpdaction=clear
 52 | EOF
 53 |  
 54 | cat > /etc/ipsec.secrets <<EOF
 55 | $PUBLIC_IP %any : PSK "$IPSEC_PSK"
 56 | EOF
 57 |  
 58 | cat > /etc/xl2tpd/xl2tpd.conf <<EOF
 59 | [global]
 60 | port = 1701
 61 |  
 62 | ;debug avp = yes
 63 | ;debug network = yes
 64 | ;debug state = yes
 65 | ;debug tunnel = yes
 66 | 
 67 | [lns default]
 68 | ip range = 192.168.42.10-192.168.42.250
 69 | local ip = 192.168.42.1
 70 | require chap = yes
 71 | refuse pap = yes
 72 | require authentication = yes
 73 | name = l2tpd
 74 | ;ppp debug = yes
 75 | pppoptfile = /etc/ppp/options.xl2tpd
 76 | length bit = yes
 77 | EOF
 78 |  
 79 | cat > /etc/ppp/options.xl2tpd <<EOF
 80 | ipcp-accept-local
 81 | ipcp-accept-remote
 82 | ms-dns 8.8.8.8
 83 | ms-dns 8.8.4.4
 84 | noccp
 85 | auth
 86 | crtscts
 87 | idle 1800
 88 | mtu 1280
 89 | mru 1280
 90 | lock
 91 | connect-delay 5000
 92 | EOF
 93 |  
 94 | cat > /etc/ppp/chap-secrets <<EOF
 95 | # Secrets for authentication using CHAP
 96 | # client server secret IP addresses
 97 |  
 98 | $VPN_USER l2tpd $VPN_PASSWORD *
 99 | EOF
100 |  
101 | iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
102 | echo 1 > /proc/sys/net/ipv4/ip_forward
103 |  
104 | iptables-save > /etc/iptables.rules
105 | 
106 | mkdir -p /etc/network/if-pre-up.d
107 | cat > /etc/network/if-pre-up.d/iptablesload <<EOF
108 | #!/bin/sh
109 | iptables-restore < /etc/iptables.rules
110 | echo 1 > /proc/sys/net/ipv4/ip_forward
111 | exit 0
112 | EOF
113 |  
114 | service ipsec start
115 | service xl2tpd start
116 | chkconfig ipsec on
117 | chkconfig xl2tpd on
118 | 
119 | 


--------------------------------------------------------------------------------