rogerbush8 · April 26, 2024 07:32
diff --git a/install-libreswan-ipsec-vpn-regional-vpc-tunnel-on-aws-ec2_aws_linux_ami_201409 b/install-libreswan-ipsec-vpn-regional-vpc-tunnel-on-aws-ec2_aws_linux_ami_201409
 #!/bin/sh
 #
 # Shell script for installation and setup of L2TP/IPsec VPN tunnel in site-to-site
 # mode (e.g. connecting two inter-regional VPCs).  VPN software is libreswan.
 #
 # This should work on linux systems that are RHEL based.
 #
 # To install directly from this gist, you can curl the "raw" version and pipe that to
 # "bash -s" while also defining the environment variables:
 #
 #     curl -s https://gist.githubusercontent.com/rogerbush8/.../raw/.../...whatever... |
 #         PSK="a secret" EIP1=10... SUBNET1=10.../16 EIP2=10... SUBNET2=10.../16 bash -s
 #
 # This script should be run on two different instances (right, left) which are the ends of
 # the tunnel gateway, by flipping the values on EIP1 VPC1, and EIP2 VPC2 on the other machine.
 #
 # Helpful debugging (server-side):
 #
 #     $ /etc/init.d/ipsec restart
 #     $ tail -f /var/log/secure : see messages on restart
 #     $ tail -f /var/log/messages : 
 #     $ ipsec version : printout version info
 #     $ ipsec verify : check config and kernel properties
 # 
 # Helpful debugging (server-side):
 #   
 #     $ route -n some_ip : shows gateway for some_ip (for IPs on private, should be VPN IP)
 #     $ nslookup some_ip : should work for private IPs if DNS is right and Route 53 private hosted zone setup.
 #     $ netstat -nr : shows all the routes.
 #     $ ping some_ip : N.B. you must enable ICMP traffic on your private network.
 # 
 # Original post by Thomas Sarlandie: 
 # http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md
 #
 # Copyright (C) 2014 Lin Song
 # Based on the work of Thomas Sarlandie (Copyright 2012)
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
 #
 # Attribution required: please include my name in any derivative and let me
 # know how you have improved it! 
 
 if [ "$(uname)" = "Darwin" ]; then
    echo "DO NOT run this script on your Mac! It should only be run on a newly-created EC2 instance"
    echo "or other Dedicated Server / VPS, after you have modified it to set the variables below."
    echo "Please see detailed instructions at the URLs in the comments."
    exit 1
 fi
 
 # Define these variables.  You may either pass these in as variables to the script
 # or directly replace them here.

 IPSEC_PSK=$PSK                     # shared secret
 EIP1=$EIP1
 SUBNET1=$SUBNET1
 EIP2=$EIP2
 SUBNET2=$SUBNET2

 PUBLIC_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4')
 PRIVATE_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4')
 
 # Install necessary packages
 yum -y update
 yum -y install libreswan


 # Prepare various config files
 cat > /etc/ipsec.conf <<EOF
 version 2.0
 config setup
  dumpdir=/var/run/pluto/
  protostack=netkey
  nat_traversal=yes
  virtual_private=
  oe=off
  # nhelpers=0
  # interfaces=%defaultroute

 include /etc/ipsec.d/*.conf
 EOF
 
 mkdir /etc/ipsec.d

 cat > /etc/ipsec.d/ipsec_tunnel_half.conf <<EOF
 conn ipsec_vpc_tunnel
  type=tunnel
  authby=secret
  
  left=%defaultroute
  leftid=$EIP1
  leftnexthop=%defaultroute
  leftsubnet=$SUBNET1
  right=$EIP2
  rightsubnet=$SUBNET2
  pfs=yes
  auto=start
  
  # leftprotoport=17/1701
  # rightprotoport=17/%any
  # forceencaps=yes
  # connaddrfamily=ipv4
  
 
  # auth=esp
  # ike=3des-sha1,aes-sha1
  # phase2alg=3des-sha1,aes-sha1
  # rekey=no
  # keyingtries=5
  # dpddelay=30
  # dpdtimeout=120
  # dpdaction=clear
 
  # nat-keepalive=yes
 EOF
 
 cat > /etc/ipsec.secrets <<EOF
 $PUBLIC_IP %any : PSK "$IPSEC_PSK"
 EOF

 /bin/cp -f /etc/sysctl.conf /etc/sysctl.conf.old-$(date +%Y-%m-%d-%H:%M:%S)
 cat > /etc/sysctl.conf <<EOF
 kernel.sysrq = 0
 kernel.core_uses_pid = 1
 net.ipv4.tcp_syncookies = 1
 kernel.msgmnb = 65536
 kernel.msgmax = 65536
 kernel.shmmax = 68719476736
 kernel.shmall = 4294967296
 net.ipv4.ip_forward = 1
 net.ipv4.conf.all.accept_source_route = 0
 net.ipv4.conf.default.accept_source_route = 0
 net.ipv4.conf.all.log_martians = 1
 net.ipv4.conf.default.log_martians = 1
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.default.accept_redirects = 0
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0
 net.ipv4.conf.all.rp_filter = 0
 net.ipv4.conf.default.rp_filter = 0
 net.ipv6.conf.all.disable_ipv6=1
 net.ipv6.conf.default.disable_ipv6=1
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 net.ipv4.icmp_ignore_bogus_error_responses = 1
 net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.default.secure_redirects = 0
 kernel.randomize_va_space = 1
 net.core.wmem_max=12582912
 net.core.rmem_max=12582912
 net.ipv4.tcp_rmem= 10240 87380 12582912
 net.ipv4.tcp_wmem= 10240 87380 12582912
 EOF
 
 # Routing rules for forwarding packets to network beyond our new VPN gateway.

 /bin/cp -f /etc/iptables.rules /etc/iptables.rules.old-$(date +%Y-%m-%d-%H:%M:%S)
 cat > /etc/iptables.rules <<EOF
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :ICMPALL - [0:0]
 -A INPUT -m conntrack --ctstate INVALID -j DROP
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -p icmp --icmp-type 255 -j ICMPALL
 -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
 -A INPUT -p tcp --dport 22 -j ACCEPT
 -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
 -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
 -A INPUT -p udp --dport 1701 -j DROP
 -A INPUT -j DROP
 -A FORWARD -m conntrack --ctstate INVALID -j DROP
 -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i ppp+ -o eth+ -j ACCEPT
 -A FORWARD -j DROP
 -A ICMPALL -p icmp -f -j DROP 
 -A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
 -A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
 -A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
 -A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
 -A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
 -A ICMPALL -p icmp -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 -A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source $PRIVATE_IP
 COMMIT
 EOF
 
 cat > /etc/network/if-pre-up.d/iptablesload <<EOF
 #!/bin/sh
 /sbin/iptables-restore < /etc/iptables.rules
 exit 0
 EOF
 
 # Set to automatic start
 chkconfig ipsec on
 chkconfig iptables on

 if [ ! -f /etc/ipsec.d/cert8.db ] ; then
 echo > /var/tmp/libreswan-nss-pwd
 /usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
 /bin/rm -f /var/tmp/libreswan-nss-pwd
 fi
 
 /sbin/sysctl -p
 /sbin/iptables-restore < /etc/iptables.rules
 
 /etc/init.d/iptables restart
 /etc/init.d/ipsec restart

 # Display some results
 ipsec verify
 ipsec version
	#!/bin/sh
	#
	# Shell script for installation and setup of L2TP/IPsec VPN tunnel in site-to-site
	# mode (e.g. connecting two inter-regional VPCs). VPN software is libreswan.
	#
	# This should work on linux systems that are RHEL based.
	#
	# To install directly from this gist, you can curl the "raw" version and pipe that to
	# "bash -s" while also defining the environment variables:
	#
	# curl -s https://gist.githubusercontent.com/rogerbush8/.../raw/.../...whatever... \|
	# PSK="a secret" EIP1=10... SUBNET1=10.../16 EIP2=10... SUBNET2=10.../16 bash -s
	#
	# This script should be run on two different instances (right, left) which are the ends of
	# the tunnel gateway, by flipping the values on EIP1 VPC1, and EIP2 VPC2 on the other machine.
	#
	# Helpful debugging (server-side):
	#
	# $ /etc/init.d/ipsec restart
	# $ tail -f /var/log/secure : see messages on restart
	# $ tail -f /var/log/messages :
	# $ ipsec version : printout version info
	# $ ipsec verify : check config and kernel properties
	#
	# Helpful debugging (server-side):
	#
	# $ route -n some_ip : shows gateway for some_ip (for IPs on private, should be VPN IP)
	# $ nslookup some_ip : should work for private IPs if DNS is right and Route 53 private hosted zone setup.
	# $ netstat -nr : shows all the routes.
	# $ ping some_ip : N.B. you must enable ICMP traffic on your private network.
	#
	# Original post by Thomas Sarlandie:
	# http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md
	#
	# Copyright (C) 2014 Lin Song
	# Based on the work of Thomas Sarlandie (Copyright 2012)
	#
	# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
	# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
	#
	# Attribution required: please include my name in any derivative and let me
	# know how you have improved it!

	if [ "$(uname)" = "Darwin" ]; then
	echo "DO NOT run this script on your Mac! It should only be run on a newly-created EC2 instance"
	echo "or other Dedicated Server / VPS, after you have modified it to set the variables below."
	echo "Please see detailed instructions at the URLs in the comments."
	exit 1
	fi

	# Define these variables. You may either pass these in as variables to the script
	# or directly replace them here.

	IPSEC_PSK=$PSK # shared secret
	EIP1=$EIP1
	SUBNET1=$SUBNET1
	EIP2=$EIP2
	SUBNET2=$SUBNET2

	PUBLIC_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4')
	PRIVATE_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4')

	# Install necessary packages
	yum -y update
	yum -y install libreswan


	# Prepare various config files
	cat > /etc/ipsec.conf <<EOF
	version 2.0
	config setup
	dumpdir=/var/run/pluto/
	protostack=netkey
	nat_traversal=yes
	virtual_private=
	oe=off
	# nhelpers=0
	# interfaces=%defaultroute

	include /etc/ipsec.d/*.conf
	EOF

	mkdir /etc/ipsec.d

	cat > /etc/ipsec.d/ipsec_tunnel_half.conf <<EOF
	conn ipsec_vpc_tunnel
	type=tunnel
	authby=secret

	left=%defaultroute
	leftid=$EIP1
	leftnexthop=%defaultroute
	leftsubnet=$SUBNET1
	right=$EIP2
	rightsubnet=$SUBNET2
	pfs=yes
	auto=start

	# leftprotoport=17/1701
	# rightprotoport=17/%any
	# forceencaps=yes
	# connaddrfamily=ipv4


	# auth=esp
	# ike=3des-sha1,aes-sha1
	# phase2alg=3des-sha1,aes-sha1
	# rekey=no
	# keyingtries=5
	# dpddelay=30
	# dpdtimeout=120
	# dpdaction=clear

	# nat-keepalive=yes
	EOF

	cat > /etc/ipsec.secrets <<EOF
	$PUBLIC_IP %any : PSK "$IPSEC_PSK"
	EOF

	/bin/cp -f /etc/sysctl.conf /etc/sysctl.conf.old-$(date +%Y-%m-%d-%H:%M:%S)
	cat > /etc/sysctl.conf <<EOF
	kernel.sysrq = 0
	kernel.core_uses_pid = 1
	net.ipv4.tcp_syncookies = 1
	kernel.msgmnb = 65536
	kernel.msgmax = 65536
	kernel.shmmax = 68719476736
	kernel.shmall = 4294967296
	net.ipv4.ip_forward = 1
	net.ipv4.conf.all.accept_source_route = 0
	net.ipv4.conf.default.accept_source_route = 0
	net.ipv4.conf.all.log_martians = 1
	net.ipv4.conf.default.log_martians = 1
	net.ipv4.conf.all.accept_redirects = 0
	net.ipv4.conf.default.accept_redirects = 0
	net.ipv4.conf.all.send_redirects = 0
	net.ipv4.conf.default.send_redirects = 0
	net.ipv4.conf.all.rp_filter = 0
	net.ipv4.conf.default.rp_filter = 0
	net.ipv6.conf.all.disable_ipv6=1
	net.ipv6.conf.default.disable_ipv6=1
	net.ipv4.icmp_echo_ignore_broadcasts = 1
	net.ipv4.icmp_ignore_bogus_error_responses = 1
	net.ipv4.conf.all.secure_redirects = 0
	net.ipv4.conf.default.secure_redirects = 0
	kernel.randomize_va_space = 1
	net.core.wmem_max=12582912
	net.core.rmem_max=12582912
	net.ipv4.tcp_rmem= 10240 87380 12582912
	net.ipv4.tcp_wmem= 10240 87380 12582912
	EOF

	# Routing rules for forwarding packets to network beyond our new VPN gateway.

	/bin/cp -f /etc/iptables.rules /etc/iptables.rules.old-$(date +%Y-%m-%d-%H:%M:%S)
	cat > /etc/iptables.rules <<EOF
	*filter
	:INPUT ACCEPT [0:0]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [0:0]
	:ICMPALL - [0:0]
	-A INPUT -m conntrack --ctstate INVALID -j DROP
	-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	-A INPUT -i lo -j ACCEPT
	-A INPUT -p icmp --icmp-type 255 -j ICMPALL
	-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
	-A INPUT -p tcp --dport 22 -j ACCEPT
	-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
	-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
	-A INPUT -p udp --dport 1701 -j DROP
	-A INPUT -j DROP
	-A FORWARD -m conntrack --ctstate INVALID -j DROP
	-A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	-A FORWARD -i ppp+ -o eth+ -j ACCEPT
	-A FORWARD -j DROP
	-A ICMPALL -p icmp -f -j DROP
	-A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
	-A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
	-A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
	-A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
	-A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
	-A ICMPALL -p icmp -j DROP
	COMMIT
	*nat
	:PREROUTING ACCEPT [0:0]
	:INPUT ACCEPT [0:0]
	:OUTPUT ACCEPT [0:0]
	:POSTROUTING ACCEPT [0:0]
	-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source $PRIVATE_IP
	COMMIT
	EOF

	cat > /etc/network/if-pre-up.d/iptablesload <<EOF
	#!/bin/sh
	/sbin/iptables-restore < /etc/iptables.rules
	exit 0
	EOF

	# Set to automatic start
	chkconfig ipsec on
	chkconfig iptables on

	if [ ! -f /etc/ipsec.d/cert8.db ] ; then
	echo > /var/tmp/libreswan-nss-pwd
	/usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
	/bin/rm -f /var/tmp/libreswan-nss-pwd
	fi

	/sbin/sysctl -p
	/sbin/iptables-restore < /etc/iptables.rules

	/etc/init.d/iptables restart
	/etc/init.d/ipsec restart

	# Display some results
	ipsec verify
	ipsec version