
{

"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Configurando VPN",
"Parameters": {
"Username": {
"Description": "VPN Username",
"Type": "String",
"MinLength": "1",
"MaxLength": "255",
"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
"ConstraintDescription": "must begin with a letter and contain only alphanumeric characters."
},
"VPNPassword": {
"NoEcho": "true",
"Description": "VPN Password (Min 4 characters)",
"Type": "String",
"MinLength": "4",
"MaxLength": "255",
"ConstraintDescription": "must contain at least 4 characters."
},
"VPNPhrase": {
"NoEcho": "true",
"Description": "Passphrase for IPSEC PSK (Min 4 characters)",
"Type": "String",
"MinLength": "4",
"MaxLength": "255",
"ConstraintDescription": "must contain at least 4 characters."
},
"Speed": {
"Description": "Network Speed of VPN Server. Standard should do for most browsing and video.",
"Type": "String",
"Default": "Standard.VPN-Free",
"AllowedValues": [
"Standard.VPN-Free",
"High.Speed.VPN-Paid",
"Ultra.High.Speed.VPN-Paid"
]
}
},
"Mappings": {
"AWSInstanceType2Arch": {
"Standard.VPN-Free": {
"InstanceType": "t2.nano"
},
"High.Speed.VPN-Paid": {
"InstanceType": "t2.medium"
},
"Ultra.High.Speed.VPN-Paid": {
"InstanceType": "m3.xlarge"
}
},
"AWSRegionArch2AMI": {
"us-east-1": {
"HVM64": "ami-80861296"
},
"us-east-2": {
"HVM64": "ami-618fab04"
},
"us-west-1": {
"HVM64": "ami-2afbde4a"
},
"us-west-2": {
"HVM64": "ami-efd0428f"
},
"eu-west-1": {
"HVM64": "ami-a8d2d7ce"
},
"eu-west-2": {
"HVM64": "ami-f1d7c395"
},
"eu-west-3": {
"HVM64": "ami-c1cf79bc"
},
"eu-central-1": {
"HVM64": "ami-060cde69"
},
"ap-northeast-1": {
"HVM64": "ami-afb09dc8"
},
"ap-northeast-2": {
"HVM64": "ami-66e33108"
},
"ap-southeast-1": {
"HVM64": "ami-8fcc75ec"
},
"ap-southeast-2": {
"HVM64": "ami-96666ff5"
},
"sa-east-1": {
"HVM64": "ami-4090f22c"
},
"ap-south-1": {
"HVM64": "ami-c2ee9dad"
},
"ca-central-1": {
"HVM64": "ami-b3d965d7"
}
}
},
"Resources": {
"VPNServerInstance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"AWSRegionArch2AMI",
{
"Ref": "AWS::Region"
},
"HVM64"
]
},
"InstanceType": {
"Fn::FindInMap": [
"AWSInstanceType2Arch",
{
"Ref": "Speed"
},
"InstanceType"
]
},
"SecurityGroups": [
{
"Ref": "VPNSecurityGroup"
}
],
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"#!/bin/sh\n",
"\n",
"#Passing variables to shell\n",
"YOUR_IPSEC_PSK=",
{
"Ref": "VPNPhrase"
},
"\n",
"YOUR_USERNAME=",
{
"Ref": "Username"
},
"\n",
"YOUR_PASSWORD=",
{
"Ref": "VPNPassword"
},
"\n",
"\n",
"# VPN 1 - Setup L2TP-IPSEC\n",
"export
PATH=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"\n",
"SYS_DT=\"$(date +%Y-%m-%d-%H:%M:%S)\"; export SYS_DT\n",
"\n",
"exiterr() { echo \"Error: $1\" >&2; exit 1; }\n",
"exiterr2() { echo \"Error: 'apt-get install' failed.\" >&2; exit
1; }\n",
"conf_bk() { /bin/cp -f \"$1\" \"$1.old-$SYS_DT\"
2>/dev/null; }\n",
"bigecho() { echo; echo \"## $1\"; echo; }\n",
"\n",
"check_ip() {\n",
" IP_REGEX=\"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-
5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$\"\n",
" printf %s \"$1\" | tr -d '\\n' | grep -Eq \"$IP_REGEX\"\n",
"}\n",
"\n",
"os_type=\"$(lsb_release -si 2>/dev/null)\"\n",
"if [ -z \"$os_type\" ]; then\n",
" [ -f /etc/os-release ] && os_type=\"$(. /etc/os-release &&
echo \"$ID\")\"\n",
" [ -f /etc/lsb-release ] && os_type=\"$(. /etc/lsb-release &&
echo \"$DISTRIB_ID\")\"\n",
"fi\n",
"if ! printf %s \"$os_type\" | head -n 1 | grep -qiF -e ubuntu -e
debian -e raspbian; then\n",
" exiterr \"This script only supports Ubuntu/Debian.\"\n",
"fi\n",
"\n",
"if [ -f /proc/user_beancounters ]; then\n",
" echo \"Error: This script does not support OpenVZ VPS.\" >&2\n",
" echo \"Try OpenVPN: https://github.com/Nyr/openvpn-install\"
>&2\n",
" exit 1\n",
"fi\n",
"\n",
"if [ \"$(id -u)\" != 0 ]; then\n",
" exiterr \"Script must be run as root. Try 'sudo sh $0'\"\n",
"fi\n",
"\n",
"NET_IFACE=${VPN_NET_IFACE:-'eth0'}\n",
"DEF_IFACE=\"$(route | grep '^default' | grep -o '[^ ]*$')\"\n",
"\n",
"if_state1=$(cat \"/sys/class/net/$DEF_IFACE/operstate\"
2>/dev/null)\n",
"if [ -z \"$VPN_NET_IFACE\" ] && [ -n \"$if_state1\" ] &&
[ \"$if_state1\" != \"down\" ]; then\n",
" if ! grep -qs raspbian /etc/os-release; then\n",
" case \"$DEF_IFACE\" in\n",
" wlan*)\n",
"cat 1>&2 <<EOF\n",
"Error: Default network interface '$DEF_IFACE' detected.\n",
"\n",
"DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!\n",
"\n",
"If you are certain that this script is running on a server,\n",
"you may re-run it using the following command:\n",
" sudo VPN_NET_IFACE=\"$DEF_IFACE\" sh \"$0\"\n",
"EOF\n",
" exit 1\n",
" ;;\n",
" esac\n",
" fi\n",
" NET_IFACE=\"$DEF_IFACE\"\n",
"fi\n",
"\n",
"if_state2=$(cat \"/sys/class/net/$NET_IFACE/operstate\"
2>/dev/null)\n",
"if [ -z \"$if_state2\" ] || [ \"$if_state2\" = \"down\" ] ||
[ \"$NET_IFACE\" = \"lo\" ]; then\n",
" printf \"Error: Network interface '%s' is not available.\\n\\n\"
\"$NET_IFACE\" >&2\n",
" if [ -z \"$VPN_NET_IFACE\" ]; then\n",
"cat 1>&2 <<EOF\n",
"This script is unable to detect your server's default network
interface.\n",
"You may manually re-run it using the following command:\n",
" sudo VPN_NET_IFACE=\"YOUR_DEFAULT_NETWORK_INTERFACE\"
sh \"$0\"\n",
"EOF\n",
" fi\n",
" exit 1\n",
"fi\n",
"\n",
"[ -n \"$YOUR_IPSEC_PSK\" ] &&
VPN_IPSEC_PSK=\"$YOUR_IPSEC_PSK\"\n",
"[ -n \"$YOUR_USERNAME\" ] && VPN_USER=\"$YOUR_USERNAME\"\n",
"[ -n \"$YOUR_PASSWORD\" ] && VPN_PASSWORD=\"$YOUR_PASSWORD\"\n",
"\n",
"if [ -z \"$VPN_IPSEC_PSK\" ] && [ -z \"$VPN_USER\" ] && [
-z \"$VPN_PASSWORD\" ]; then\n",
" bigecho \"VPN credentials not set by user. Generating random PSK
and password...\"\n",
" VPN_IPSEC_PSK=\"$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' <
/dev/urandom | head -c 16)\"\n",
" VPN_USER=vpnuser\n",
" VPN_PASSWORD=\"$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' <
/dev/urandom | head -c 16)\"\n",
"fi\n",
"\n",
"if [ -z \"$VPN_IPSEC_PSK\" ] || [ -z \"$VPN_USER\" ] || [
-z \"$VPN_PASSWORD\" ]; then\n",
" exiterr \"All VPN credentials must be specified. Edit the script
and re-enter them.\"\n",
"fi\n",
"\n",
"if printf %s \"$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD\" | LC_ALL=C
grep -q '[^ -~]\\+'; then\n",
" exiterr \"VPN credentials must not contain non-ASCII
characters.\"\n",
"fi\n",
"\n",
"case \"$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD\" in\n",
" *[\\\\\\\"\\']*)\n",
" exiterr \"VPN credentials must not contain the following
characters: \\\\ \\\" '\"\n",
" ;;\n",
"esac\n",
"\n",
"if [ \"$(sed 's/\\..*//' /etc/debian_version)\" = \"7\" ];
then\n",
"cat <<'EOF'\n",
"IMPORTANT: Workaround required for Debian 7 (Wheezy).\n",
"You must first run the script at: https://git.io/vpndeb7\n",
"If not already done so, press Ctrl-C to interrupt now.\n",
"\n",
"Continuing in 30 seconds ...\n",
"\n",
"EOF\n",
" sleep 30\n",
"fi\n",
"\n",
"bigecho \"VPN setup in progress... Please be patient.\"\n",
"\n",
"# Create and change to working dir\n",
"mkdir -p /opt/src\n",
"cd /opt/src || exiterr \"Cannot enter /opt/src.\"\n",
"\n",
"bigecho \"Populating apt-get cache...\"\n",
"\n",
"export DEBIAN_FRONTEND=noninteractive\n",
"apt-get -yq update || exiterr \"'apt-get update' failed.\"\n",
"\n",
"bigecho \"Installing packages required for setup...\"\n",
"\n",
"apt-get -yq install wget dnsutils openssl || exiterr2\n",
"apt-get -yq install iproute gawk grep sed net-tools ||
exiterr2\n",
"\n",
"bigecho \"Trying to auto discover IP of this server...\"\n",
"\n",
"cat <<'EOF'\n",
"In case the script hangs here for more than a few minutes,\n",
"use Ctrl-C to interrupt. Then edit it and manually enter IP.\n",
"EOF\n",
"\n",
"# In case auto IP discovery fails, enter server's public IP
here.\n",
"PUBLIC_IP=${VPN_PUBLIC_IP:-''}\n",
"\n",
"# Try to auto discover IP of this server\n",
"[ -z \"$PUBLIC_IP\" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t
A -4 myip.opendns.com +short)\n",
"\n",
"# Check IP for correct format\n",
"check_ip \"$PUBLIC_IP\" || PUBLIC_IP=$(wget -t 3 -T 15 -qO-
http://ipv4.icanhazip.com)\n",
"check_ip \"$PUBLIC_IP\" || exiterr \"Cannot find valid public IP.
Edit the script and manually enter it.\"\n",
"\n",
"bigecho \"Installing packages required for the VPN...\"\n",
"\n",
"apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-
dev \\\n",
" libcap-ng-dev libcap-ng-utils libselinux1-dev \\\n",
" libcurl4-nss-dev flex bison gcc make \\\n",
" libunbound-dev libnss3-tools libevent-dev || exiterr2\n",
"apt-get -yq --no-install-recommends install xmlto || exiterr2\n",
"apt-get -yq install ppp xl2tpd || exiterr2\n",
"\n",
"bigecho \"Installing Fail2Ban to protect SSH...\"\n",
"\n",
"apt-get -yq install fail2ban || exiterr2\n",
"\n",
"bigecho \"Compiling and installing Libreswan...\"\n",
"\n",
"swan_ver=3.20\n",
"swan_file=\"libreswan-$swan_ver.tar.gz\"\n",

"swan_url1=\"https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz\"\n",
"swan_url2=\"https://download.libreswan.org/$swan_file\"\n",
"if ! { wget -t 3 -T 30 -nv -O \"$swan_file\" \"$swan_url1\" ||
wget -t 3 -T 30 -nv -O \"$swan_file\" \"$swan_url2\"; }; then\n",
" exiterr \"Cannot download Libreswan source.\"\n",
"fi\n",
"/bin/rm -rf \"/opt/src/libreswan-$swan_ver\"\n",
"tar xzf \"$swan_file\" && /bin/rm -f \"$swan_file\"\n",
"cd \"libreswan-$swan_ver\" || exiterr \"Cannot enter Libreswan
source dir.\"\n",
"echo \"WERROR_CFLAGS =\" > Makefile.inc.local\n",
"if [ \"$(packaging/utils/lswan_detect.sh init)\" = \"systemd\" ];
then\n",
" apt-get -yq install libsystemd-dev || exiterr2\n",
"fi\n",
"make -s programs && make -s install\n",
"\n",
"# Verify the install and clean up\n",
"cd /opt/src || exiterr \"Cannot enter /opt/src.\"\n",
"/bin/rm -rf \"/opt/src/libreswan-$swan_ver\"\n",
"if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep
-qF \"$swan_ver\"; then\n",
" exiterr \"Libreswan $swan_ver failed to build.\"\n",
"fi\n",
"\n",
"bigecho \"Creating VPN configuration...\"\n",
"\n",
"L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'}\n",
"L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'}\n",
"L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'}\n",
"XAUTH_NET=${VPN_XAUTH_NET:-'192.168.43.0/24'}\n",
"XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'}\n",
"DNS_SRV1=${VPN_DNS_SRV1:-'8.8.8.8'}\n",
"DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}\n",
"\n",
"# Create IPsec (Libreswan) config\n",
"conf_bk \"/etc/ipsec.conf\"\n",
"cat > /etc/ipsec.conf <<EOF\n",
"version 2.0\n",
"\n",
"config setup\n",
" virtual_private=
%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!
$XAUTH_NET\n",
" protostack=netkey\n",
" nhelpers=0\n",
" interfaces=%defaultroute\n",
" uniqueids=no\n",
"\n",
"conn shared\n",
" left=%defaultroute\n",
" leftid=$PUBLIC_IP\n",
" right=%any\n",
" encapsulation=yes\n",
" authby=secret\n",
" pfs=no\n",
" rekey=no\n",
" keyingtries=5\n",
" dpddelay=30\n",
" dpdtimeout=120\n",
" dpdaction=clear\n",
" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-
sha2;modp1024,aes256-sha2_512\n",
" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-
sha2_512\n",
" sha2-truncbug=yes\n",
"\n",
"conn l2tp-psk\n",
" auto=add\n",
" leftprotoport=17/1701\n",
" rightprotoport=17/%any\n",
" type=transport\n",
" phase2=esp\n",
" also=shared\n",
"\n",
"conn xauth-psk\n",
" auto=add\n",
" leftsubnet=0.0.0.0/0\n",
" rightaddresspool=$XAUTH_POOL\n",
" modecfgdns1=$DNS_SRV1\n",
" modecfgdns2=$DNS_SRV2\n",
" leftxauthserver=yes\n",
" rightxauthclient=yes\n",
" leftmodecfgserver=yes\n",
" rightmodecfgclient=yes\n",
" modecfgpull=yes\n",
" xauthby=file\n",
" ike-frag=yes\n",
" ikev2=never\n",
" cisco-unity=yes\n",
" also=shared\n",
"EOF\n",
"\n",
"# Specify IPsec PSK\n",
"conf_bk \"/etc/ipsec.secrets\"\n",
"cat > /etc/ipsec.secrets <<EOF\n",
"%any %any : PSK \"$VPN_IPSEC_PSK\"\n",
"EOF\n",
"\n",
"# Create xl2tpd config\n",
"conf_bk \"/etc/xl2tpd/xl2tpd.conf\"\n",
"cat > /etc/xl2tpd/xl2tpd.conf <<EOF\n",
"[global]\n",
"port = 1701\n",
"\n",
"[lns default]\n",
"ip range = $L2TP_POOL\n",
"local ip = $L2TP_LOCAL\n",
"require chap = yes\n",
"refuse pap = yes\n",
"require authentication = yes\n",
"name = l2tpd\n",
"pppoptfile = /etc/ppp/options.xl2tpd\n",
"length bit = yes\n",
"EOF\n",
"\n",
"# Set xl2tpd options\n",
"conf_bk \"/etc/ppp/options.xl2tpd\"\n",
"cat > /etc/ppp/options.xl2tpd <<EOF\n",
"ipcp-accept-local\n",
"ipcp-accept-remote\n",
"ms-dns $DNS_SRV1\n",
"ms-dns $DNS_SRV2\n",
"noccp\n",
"auth\n",
"mtu 1280\n",
"mru 1280\n",
"proxyarp\n",
"lcp-echo-failure 4\n",
"lcp-echo-interval 30\n",
"connect-delay 5000\n",
"EOF\n",
"\n",
"# Create VPN credentials\n",
"conf_bk \"/etc/ppp/chap-secrets\"\n",
"cat > /etc/ppp/chap-secrets <<EOF\n",
"# Secrets for authentication using CHAP\n",
"# client server secret IP addresses\n",
"\"$VPN_USER\" l2tpd \"$VPN_PASSWORD\" *\n",
"EOF\n",
"\n",
"conf_bk \"/etc/ipsec.d/passwd\"\n",
"VPN_PASSWORD_ENC=$(openssl passwd -1 \"$VPN_PASSWORD\")\n",
"cat > /etc/ipsec.d/passwd <<EOF\n",
"$VPN_USER:$VPN_PASSWORD_ENC:xauth-psk\n",
"EOF\n",
"\n",
"bigecho \"Updating sysctl settings...\"\n",
"\n",
"if ! grep -qs \"hwdsl2 VPN script\" /etc/sysctl.conf; then\n",
" conf_bk \"/etc/sysctl.conf\"\n",
"cat >> /etc/sysctl.conf <<EOF\n",
"\n",
"# Added by hwdsl2 VPN script\n",
"kernel.msgmnb = 65536\n",
"kernel.msgmax = 65536\n",
"kernel.shmmax = 68719476736\n",
"kernel.shmall = 4294967296\n",
"\n",
"net.ipv4.ip_forward = 1\n",
"net.ipv4.tcp_syncookies = 1\n",
"net.ipv4.conf.all.accept_source_route = 0\n",
"net.ipv4.conf.default.accept_source_route = 0\n",
"net.ipv4.conf.all.accept_redirects = 0\n",
"net.ipv4.conf.default.accept_redirects = 0\n",
"net.ipv4.conf.all.send_redirects = 0\n",
"net.ipv4.conf.default.send_redirects = 0\n",
"net.ipv4.conf.lo.send_redirects = 0\n",
"net.ipv4.conf.$NET_IFACE.send_redirects = 0\n",
"net.ipv4.conf.all.rp_filter = 0\n",
"net.ipv4.conf.default.rp_filter = 0\n",
"net.ipv4.conf.lo.rp_filter = 0\n",
"net.ipv4.conf.$NET_IFACE.rp_filter = 0\n",
"net.ipv4.icmp_echo_ignore_broadcasts = 1\n",
"net.ipv4.icmp_ignore_bogus_error_responses = 1\n",
"\n",
"net.core.wmem_max = 12582912\n",
"net.core.rmem_max = 12582912\n",
"net.ipv4.tcp_rmem = 10240 87380 12582912\n",
"net.ipv4.tcp_wmem = 10240 87380 12582912\n",
"EOF\n",
"fi\n",
"\n",
"bigecho \"Updating IPTables rules...\"\n",
"\n",
"# Check if IPTables rules need updating\n",
"ipt_flag=0\n",
"IPT_FILE=\"/etc/iptables.rules\"\n",
"if ! grep -qs \"hwdsl2 VPN script\" \"$IPT_FILE\" \\\n",
" || ! iptables -t nat -C POSTROUTING -s \"$L2TP_NET\"
-o \"$NET_IFACE\" -j MASQUERADE 2>/dev/null \\\n",
" || ! iptables -t nat -C POSTROUTING -s \"$XAUTH_NET\"
-o \"$NET_IFACE\" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null;
then\n",
" ipt_flag=1\n",
"fi\n",
"\n",
"# Add IPTables rules for VPN\n",
"if [ \"$ipt_flag\" = \"1\" ]; then\n",
" service fail2ban stop >/dev/null 2>&1\n",
" iptables-save > \"$IPT_FILE.old-$SYS_DT\"\n",
" iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol
none -j DROP\n",
" iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP\n",
" iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED
-j ACCEPT\n",
" iptables -I INPUT 4 -p udp -m multiport --dports 500,4500 -j
ACCEPT\n",
" iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol
ipsec -j ACCEPT\n",
" iptables -I INPUT 6 -p udp --dport 1701 -j DROP\n",
" iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP\n",
" iptables -I FORWARD 2 -i \"$NET_IFACE\" -o ppp+ -m conntrack
--ctstate RELATED,ESTABLISHED -j ACCEPT\n",
" iptables -I FORWARD 3 -i ppp+ -o \"$NET_IFACE\" -j ACCEPT\n",
" iptables -I FORWARD 4 -i ppp+ -o ppp+ -s \"$L2TP_NET\"
-d \"$L2TP_NET\" -j ACCEPT\n",
" iptables -I FORWARD 5 -i \"$NET_IFACE\" -d \"$XAUTH_NET\" -m
conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n",
" iptables -I FORWARD 6 -s \"$XAUTH_NET\" -o \"$NET_IFACE\" -j
ACCEPT\n",
" # Uncomment if you wish to disallow traffic between VPN clients
themselves\n",
" # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s \"$L2TP_NET\"
-d \"$L2TP_NET\" -j DROP\n",
" # iptables -I FORWARD 3 -s \"$XAUTH_NET\" -d \"$XAUTH_NET\" -j
DROP\n",
" iptables -A FORWARD -j DROP\n",
" iptables -t nat -I POSTROUTING -s \"$XAUTH_NET\"
-o \"$NET_IFACE\" -m policy --dir out --pol none -j MASQUERADE\n",
" iptables -t nat -I POSTROUTING -s \"$L2TP_NET\"
-o \"$NET_IFACE\" -j MASQUERADE\n",
" echo \"# Modified by hwdsl2 VPN script\" > \"$IPT_FILE\"\n",
" iptables-save >> \"$IPT_FILE\"\n",
"\n",
" # Update rules for iptables-persistent\n",
" IPT_FILE2=\"/etc/iptables/rules.v4\"\n",
" if [ -f \"$IPT_FILE2\" ]; then\n",
" conf_bk \"$IPT_FILE2\"\n",
" /bin/cp -f \"$IPT_FILE\" \"$IPT_FILE2\"\n",
" fi\n",
"fi\n",
"\n",
"bigecho \"Enabling services on boot...\"\n",
"\n",
"mkdir -p /etc/network/if-pre-up.d\n",
"cat > /etc/network/if-pre-up.d/iptablesload <<'EOF'\n",
"#!/bin/sh\n",
"iptables-restore < /etc/iptables.rules\n",
"exit 0\n",
"EOF\n",
"\n",
"for svc in fail2ban ipsec xl2tpd; do\n",
" update-rc.d \"$svc\" enable >/dev/null 2>&1\n",
" systemctl enable \"$svc\" 2>/dev/null\n",
"done\n",
"if ! grep -qs \"hwdsl2 VPN script\" /etc/rc.local; then\n",
" if [ -f /etc/rc.local ]; then\n",
" conf_bk \"/etc/rc.local\"\n",
" sed --follow-symlinks -i '/^exit 0/d' /etc/rc.local\n",
" else\n",
" echo '#!/bin/sh' > /etc/rc.local\n",
" fi\n",
"cat >> /etc/rc.local <<'EOF'\n",
"\n",
"# Added by hwdsl2 VPN script\n",
"service ipsec start\n",
"service xl2tpd start\n",
"echo 1 > /proc/sys/net/ipv4/ip_forward\n",
"exit 0\n",
"EOF\n",
" if grep -qs raspbian /etc/os-release; then\n",
" sed --follow-symlinks -i '/hwdsl2 VPN script/a sleep 15'
/etc/rc.local\n",
" fi\n",
"fi\n",
"\n",
"bigecho \"Starting services...\"\n",
"\n",
"# Reload sysctl.conf\n",
"sysctl -e -q -p\n",
"\n",
"# Update file attributes\n",
"chmod +x /etc/rc.local /etc/network/if-pre-up.d/iptablesload\n",
"chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets*
/etc/ipsec.d/passwd*\n",
"\n",
"# Apply new IPTables rules\n",
"iptables-restore < \"$IPT_FILE\"\n",
"\n",
"# Restart services\n",
"service fail2ban restart 2>/dev/null\n",
"service ipsec restart 2>/dev/null\n",
"service xl2tpd restart 2>/dev/null\n",
"\n",
"#VPN 2 - Setup PPTP Server\n",
"apt-get install pptpd -y\n",
"echo \"localip 10.0.0.1\" >> /etc/pptpd.conf\n",
"echo \"remoteip 10.0.0.100-200\" >> /etc/pptpd.conf\n",
"echo \"$VPN_USER pptpd $VPN_PASSWORD *\" >> /etc/ppp/chap-
secrets\n",
"echo \"ms-dns 8.8.8.8\" >> /etc/ppp/pptpd-options\n",
"echo \"ms-dns 8.8.4.4\" >> /etc/ppp/pptpd-options\n",
"service pptpd restart\n",
"\n",
"echo \"net.ipv4.ip_forward = 1\" >> /etc/sysctl.conf\n",
"sysctl -p\n",
"iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE && iptables-
save\n"
]
]
}
}
}
},
"VPNSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "VPN Security Groups",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "500",
"ToPort": "500",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "udp",
"FromPort": "500",
"ToPort": "500",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "udp",
"FromPort": "4500",
"ToPort": "4500",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "1723",
"ToPort": "1723",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "udp",
"FromPort": "1723",
"ToPort": "1723",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "udp",
"FromPort": "1701",
"ToPort": "1701",
"CidrIp": "0.0.0.0/0"
}
]
}
}
},
"Outputs": {
"VPNServerAddress": {
"Description": "Use the IP as Server Address or VPN Host",
"Value": {
"Fn::Join": [
"",
[
"",
{
"Fn::GetAtt": [
"VPNServerInstance",
"PublicIp"
]
}
]
]
}
},
"WebdigiNotes": {
"Description": "Espera 5 minutos después de la instalación para conectarte",
"Value": "Comments"
}
}
}