Skip to content

Instantly share code, notes, and snippets.

@0x-2a

0x-2a/vpn-cfm.json

Last active May 9, 2017 18:39
Show Gist options
  • Save 0x-2a/fc236cae7c2823623ddbc56b79c1a872 to your computer and use it in GitHub Desktop.
Save 0x-2a/fc236cae7c2823623ddbc56b79c1a872 to your computer and use it in GitHub Desktop.
Download ZIP
AWS Cloud Formation JSON
Raw
vpn-cfm.json
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Private vpn",
"Mappings": {
"AWSInstanceType2Arch": {
"High.Speed.VPN-Paid": {
"InstanceType": "t2.medium"
},
"Standard.VPN-Free": {
"InstanceType": "t2.micro"
},
"Ultra.High.Speed.VPN-Paid": {
"InstanceType": "m3.xlarge"
}
},
"AWSRegionArch2AMI": {
"ap-northeast-1": {
"HVM64": "ami-20b6aa21"
},
"ap-southeast-1": {
"HVM64": "ami-ca381398"
},
"ap-southeast-2": {
"HVM64": "ami-abeb9e91"
},
"eu-central-1": {
"HVM64": "ami-9a380b87"
},
"eu-west-1": {
"HVM64": "ami-234ecc54"
},
"sa-east-1": {
"HVM64": "ami-69f54974"
},
"us-east-1": {
"HVM64": "ami-9a562df2"
},
"us-west-1": {
"HVM64": "ami-5c120b19"
},
"us-west-2": {
"HVM64": "ami-29ebb519"
},
"ap-south-1": {
"HVM64": "ami-815625ee"
},
"eu-west-2": {
"HVM64": "ami-d6cbc1b2"
},
"eu-west-2": {
"HVM64": "ami-45eae021"
},
"us-east-2": {
"HVM64": "ami-41d48e24"
}
}
},
"Outputs": {
"VPNServerAddress": {
"Description": "Use the IP as Server Address or VPN Host",
"Value": {
"Fn::Join": [
"",
[
"",
{
"Fn::GetAtt": [
"VPNServerInstance",
"PublicIp"
]
}
]
]
}
}
},
"Parameters": {
"Speed": {
"AllowedValues": [
"Standard.VPN-Free",
"High.Speed.VPN-Paid",
"Ultra.High.Speed.VPN-Paid"
],
"Default": "Standard.VPN-Free",
"Description": "Network Speed of VPN Server. Standard should do for most browsing and video.",
"Type": "String"
},
"Username": {
"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
"ConstraintDescription": "must begin with a letter and contain only alphanumeric characters.",
"Description": "VPN Username",
"MaxLength": "255",
"MinLength": "1",
"Type": "String"
},
"VPNPassword": {
"ConstraintDescription": "must contain atleast 4 characters.",
"Description": "VPN Password (Min 4 characters)",
"MaxLength": "255",
"MinLength": "4",
"NoEcho": "true",
"Type": "String"
},
"VPNPhrase": {
"ConstraintDescription": "must contain atleast 4 characters.",
"Description": "Passphrase for IPSEC PSK (Min 4 characters)",
"MaxLength": "255",
"MinLength": "4",
"NoEcho": "true",
"Type": "String"
}
},
"Resources": {
"VPNSecurityGroup": {
"Properties": {
"GroupDescription": "VPN Security Groups",
"SecurityGroupIngress": [
{
"CidrIp": "0.0.0.0/0",
"FromPort": "500",
"IpProtocol": "tcp",
"ToPort": "500"
},
{
"CidrIp": "0.0.0.0/0",
"FromPort": "500",
"IpProtocol": "udp",
"ToPort": "500"
},
{
"CidrIp": "0.0.0.0/0",
"FromPort": "4500",
"IpProtocol": "udp",
"ToPort": "4500"
},
{
"CidrIp": "0.0.0.0/0",
"FromPort": "1723",
"IpProtocol": "tcp",
"ToPort": "1723"
},
{
"CidrIp": "0.0.0.0/0",
"FromPort": "1723",
"IpProtocol": "udp",
"ToPort": "1723"
}
]
},
"Type": "AWS::EC2::SecurityGroup"
},
"VPNServerInstance": {
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"AWSRegionArch2AMI",
{
"Ref": "AWS::Region"
},
"HVM64"
]
},
"InstanceType": {
"Fn::FindInMap": [
"AWSInstanceType2Arch",
{
"Ref": "Speed"
},
"InstanceType"
]
},
"SecurityGroups": [
{
"Ref": "VPNSecurityGroup"
}
],
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"#!/bin/sh\n",
"VPN_USER=",
{
"Ref": "Username"
},
"\n",
"VPN_PASSWORD=",
{
"Ref": "VPNPassword"
},
"\n",
"IPSEC_PSK=",
{
"Ref": "VPNPhrase"
},
"\n",
"\n",
"# Update server\n",
"apt-get update && apt-get upgrade -y\n",
"\n",
"# VPN 1 - Setup L2TP-IPSEC\n",
"PRIVATE_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4'`\n",
"PUBLIC_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4'`\n",
"\n",
"apt-get install -y openswan xl2tpd\n",
"\n",
"cat > /etc/ipsec.conf <<EOF\n",
"version 2.0\n",
"\n",
"config setup\n",
" dumpdir=/var/run/pluto/\n",
" nat_traversal=yes\n",
" virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10\n",
" oe=off\n",
" protostack=netkey\n",
" nhelpers=0\n",
" interfaces=%defaultroute\n",
"\n",
"conn vpnpsk\n",
" auto=add\n",
" left=$PRIVATE_IP\n",
" leftid=$PUBLIC_IP\n",
" leftsubnet=$PRIVATE_IP/32\n",
" leftnexthop=%defaultroute\n",
" leftprotoport=17/1701\n",
" rightprotoport=17/%any\n",
" right=%any\n",
" rightsubnetwithin=0.0.0.0/0\n",
" forceencaps=yes\n",
" authby=secret\n",
" pfs=no\n",
" type=transport\n",
" auth=esp\n",
" ike=3des-sha1\n",
" phase2alg=3des-sha1\n",
" dpddelay=30\n",
" dpdtimeout=120\n",
" dpdaction=clear\n",
"EOF\n",
"\n",
"cat > /etc/ipsec.secrets <<EOF\n",
"$PUBLIC_IP %any : PSK \"$IPSEC_PSK\"\n",
"EOF\n",
"\n",
"cat > /etc/xl2tpd/xl2tpd.conf <<EOF\n",
"[global]\n",
"port = 1701\n",
"\n",
";debug avp = yes\n",
";debug network = yes\n",
";debug state = yes\n",
";debug tunnel = yes\n",
"\n",
"[lns default]\n",
"ip range = 192.168.42.10-192.168.42.250\n",
"local ip = 192.168.42.1\n",
"require chap = yes\n",
"refuse pap = yes\n",
"require authentication = yes\n",
"name = l2tpd\n",
";ppp debug = yes\n",
"pppoptfile = /etc/ppp/options.xl2tpd\n",
"length bit = yes\n",
"EOF\n",
"\n",
"cat > /etc/ppp/options.xl2tpd <<EOF\n",
"ipcp-accept-local\n",
"ipcp-accept-remote\n",
"ms-dns 8.8.8.8\n",
"ms-dns 8.8.4.4\n",
"noccp\n",
"auth\n",
"crtscts\n",
"idle 1800\n",
"mtu 1280\n",
"mru 1280\n",
"lock\n",
"connect-delay 5000\n",
"EOF\n",
"\n",
"cat > /etc/ppp/chap-secrets <<EOF\n",
"# Secrets for authentication using CHAP\n",
"# client\tserver\tsecret\t\t\tIP addresses\n",
"\n",
"$VPN_USER\tl2tpd $VPN_PASSWORD *\n",
"EOF\n",
"\n",
"iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE\n",
"echo 1 > /proc/sys/net/ipv4/ip_forward\n",
"\n",
"iptables-save > /etc/iptables.rules\n",
"\n",
"cat > /etc/network/if-pre-up.d/iptablesload <<EOF\n",
"#!/bin/sh\n",
"iptables-restore < /etc/iptables.rules\n",
"echo 1 > /proc/sys/net/ipv4/ip_forward\n",
"exit 0\n",
"EOF\n",
"\n",
"chmod a+x /etc/network/if-pre-up.d/iptablesload\n",
"\n",
"/etc/init.d/ipsec restart\n",
"/etc/init.d/xl2tpd restart\n",
"\n",
"#VPN 2 - Setup PPTP Server\n",
"apt-get install pptpd -y\n",
"echo \"localip 10.0.0.1\" >> /etc/pptpd.conf\n",
"echo \"remoteip 10.0.0.100-200\" >> /etc/pptpd.conf\n",
"echo \"$VPN_USER pptpd $VPN_PASSWORD *\" >> /etc/ppp/chap-secrets\n",
"echo \"ms-dns 8.8.8.8\" >> /etc/ppp/pptpd-options\n",
"echo \"ms-dns 8.8.4.4\" >> /etc/ppp/pptpd-options\n",
"service pptpd restart\n",
"\n",
"echo \"net.ipv4.ip_forward = 1\" >> /etc/sysctl.conf\n",
"sysctl -p\n",
"iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE && iptables-save\n"
]
]
}
}
},
"Type": "AWS::EC2::Instance"
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment