Created
April 6, 2019 20:18
-
-
Save Tantas/899cb6bc5bda14c98af0b1b47c9add47 to your computer and use it in GitHub Desktop.
IKEv2 VPN server on Amazon linux
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Installs an IKEv2 VPN server on Amazon linux. | |
| # Reference: | |
| # https://hub.zhovner.com/geek/universal-ikev2-server-configuration/ | |
| # https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/ | |
| # Operates well on a t2.nano instance for administrative use. t2 allows full CPU | |
| # usage as long as < 5% of daily operation time which is perfect for an | |
| # administrative VPN. The server fits well inside the ram requirements and uses | |
| # very little disk and minimal IOPS. Can be built following the steps below in | |
| # less than 20 minutes. Centos was selected as the distribution because the | |
| # package strongswan is not available on Amazon linux. | |
| # Expects ports UDP 500, UDP 4500 and ESP 50 to be open in the security group. | |
| # Prevent the file from being executed directly. Commands should be understood | |
| # and populated with the environment specifics. | |
| exit -1 | |
| # SSH into the server. | |
| ssh -i "<key>.pem" centos@<ip-address> | |
| # Install strongswan. | |
| sudo yum -y install epel-release stongswan | |
| sudo yum upgrade | |
| # Become root while writing files. | |
| sudo su - | |
| # Backup the original config file. | |
| cp /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.orig | |
| # Create a self signed certificate. | |
| # A signed SSL certificate related to the environment would be ideal. | |
| # Create the certificate authority. | |
| cd /etc/strongswan/ipsec.d | |
| strongswan pki --gen --type rsa --size 4096 --outform pem > private/vpnCAKey.pem | |
| chmod 600 private/vpnCAKey.pem | |
| strongswan pki --self --ca --lifetime 3650 \ | |
| --in private/vpnCAKey.pem --type rsa \ | |
| --dn "C=CH, O=vpn, CN=VPN Root CA" \ | |
| --outform pem > cacerts/vpnCA.pem | |
| strongswan pki --print --in cacerts/vpnCA.pem | |
| # Create the server certificate. | |
| strongswan pki --gen --type rsa --size 2048 \ --outform pem > private/vpnHostKey.pem | |
| chmod 600 private/vpnHostKey.pem | |
| strongswan pki --pub --in private/vpnHostKey.pem --type rsa | \ | |
| strongswan pki --issue --lifetime 730 \ | |
| --cacert cacerts/vpnCA.pem \ | |
| --cakey private/vpnCAKey.pem \ | |
| --dn "C=CH, O=vpn, CN=vpn_server.ca" \ | |
| --san vpn_server.ca \ | |
| --flag serverAuth --flag ikeIntermediate \ | |
| --outform pem > certs/vpnHostCert.pem | |
| strongswan pki --print --in certs/vpnHostCert.pem | |
| # Fetch the server certificate to be installed on VPN clients. | |
| sudo cp /etc/strongswan/ipsec.d/certs/vpnHostCert.pem /home/centos/ | |
| sudo chown centos:centos ~/vpnHostCert.pem | |
| # Then from local machine (must install into local certificates and mark trusted.) | |
| scp -i "<key>.pem" centos@<host>:~/vpnHostCert.pem ./vpnHostCert.pem | |
| # Write the config file. Check references for specifics. | |
| # Restricting the leftsubnet to the cloud subnet creates a split tunnel. | |
| cat <<EOF > /etc/strongswan/ipsec.conf | |
| config setup | |
| uniqueids=no | |
| conn %default | |
| dpdaction=clear | |
| dpddelay=35s | |
| dpdtimeout=2000s | |
| keyexchange=ikev2 | |
| auto=add | |
| rekey=no | |
| reauth=no | |
| fragmentation=yes | |
| leftcert=vpnHostCert.pem | |
| leftsendcert=always | |
| leftsubnet=10.0.0.0/24 | |
| eap_identity=%identity | |
| rightsourceip=10.1.1.0/24 | |
| rightdns=8.8.8.8 | |
| conn ikev2-mschapv2 | |
| rightauth=eap-mschapv2 | |
| conn ikev2-mschapv2-apple | |
| rightauth=eap-mschapv2 | |
| leftid=vpn_server.ca | |
| EOF | |
| # Write the VPN accounts and load them. Replace users and passwords as needed. | |
| cat <<EOF > /etc/strongswan/ipsec.secrets | |
| : RSA vpnHostKey.pem | |
| user1 : EAP "password1" | |
| user2 : EAP "password2" | |
| EOF | |
| # Restart the ipsec service. | |
| service strongswan restart | |
| # Verify the config. | |
| strongswan listall | |
| # The firewall does not need to configure NAT because the partial tunnel should | |
| # never forward anything. | |
| # Leave root. | |
| logout | |
| # Debug the connection. | |
| sudo tail -f /var/log/messages |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In Amazon Linux 2 the strongswan package is available through
amazon-linux-extraspackage. Here is a quick guide on how to install it.amazon-linux-extrasis installed$ which amazon-linux-extras /usr/bin/amazon-linux-extras # If the amazon-linux-extras package isn't installed, use yum to install it $ sudo yum install amazon-linux-extras -yamazon-linux-extrasto install EPELstrongswanpackage should now be available, use yum to install it: