Created
April 12, 2017 09:11
-
-
Save mjradwin/9e545681a4cc8aba2f19784a97a144f4 to your computer and use it in GitHub Desktop.
DigitalOcean cloud config template for VPN as per https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#cloud-config | |
package_upgrade: true | |
packages: | |
- strongswan | |
- strongswan-plugin-eap-mschapv2 | |
- moreutils | |
- iptables-persistent | |
- unattended-upgrades | |
write_files: | |
- path: /etc/ipsec.conf | |
permissions: '0644' | |
content: | | |
config setup | |
charondebug="ike 1, knl 1, cfg 0" | |
uniqueids=no | |
conn ikev2-vpn | |
auto=add | |
compress=no | |
type=tunnel | |
keyexchange=ikev2 | |
fragmentation=yes | |
forceencaps=yes | |
ike=aes256-sha1-modp1024,3des-sha1-modp1024! | |
esp=aes256-sha1,3des-sha1! | |
dpdaction=clear | |
dpddelay=300s | |
rekey=no | |
left=%any | |
leftid=@vpn.example.com | |
leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem | |
leftsendcert=always | |
leftsubnet=0.0.0.0/0 | |
right=%any | |
rightid=%any | |
rightauth=eap-mschapv2 | |
rightdns=8.8.8.8,8.8.4.4 | |
rightsourceip=10.10.10.0/24 | |
rightsendcert=never | |
eap_identity=%identity | |
- path: /etc/ipsec.secrets | |
permissions: '0644' | |
content: | | |
vpn.example.com : RSA "/etc/ipsec.d/private/vpn-server-key.pem" | |
your_username %any% : EAP "your_password" | |
runcmd: | |
- echo "***** Creating certificates and keys" | |
- mkdir -p /opt/vpn-certs | |
- cd /opt/vpn-certs | |
- ipsec pki --gen --type rsa --size 4096 --outform pem > server-root-key.pem | |
- chmod 600 server-root-key.pem | |
- ipsec pki --self --ca --lifetime 3650 --in server-root-key.pem --type rsa --dn "C=US, O=VPN Server, CN=vpn.example.com Server Root CA" --outform pem > server-root-ca.pem | |
- ipsec pki --gen --type rsa --size 4096 --outform pem > vpn-server-key.pem | |
- ipsec pki --pub --in vpn-server-key.pem --type rsa | ipsec pki --issue --lifetime 1825 --cacert server-root-ca.pem --cakey server-root-key.pem --dn "C=US, O=VPN Server, CN=vpn.example.com" --san vpn.example.com --flag serverAuth --flag ikeIntermediate --outform pem > vpn-server-cert.pem | |
- cp ./vpn-server-cert.pem /etc/ipsec.d/certs/vpn-server-cert.pem | |
- cp ./vpn-server-key.pem /etc/ipsec.d/private/vpn-server-key.pem | |
- chown root /etc/ipsec.d/private/vpn-server-key.pem | |
- chgrp root /etc/ipsec.d/private/vpn-server-key.pem | |
- chmod 600 /etc/ipsec.d/private/vpn-server-key.pem | |
- ipsec reload | |
- echo "***** Setting up firewall" | |
- ufw disable | |
- iptables -P INPUT ACCEPT | |
- iptables -P FORWARD ACCEPT | |
- iptables -F | |
- iptables -Z | |
- iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT | |
- iptables -A INPUT -i lo -j ACCEPT | |
- iptables -A INPUT -p udp --dport 500 -j ACCEPT | |
- iptables -A INPUT -p udp --dport 4500 -j ACCEPT | |
- iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s 10.10.10.10/24 -j ACCEPT | |
- iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.10.10.10/24 -j ACCEPT | |
- iptables -t nat -A POSTROUTING -s 10.10.10.10/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT | |
- iptables -t nat -A POSTROUTING -s 10.10.10.10/24 -o eth0 -j MASQUERADE | |
- iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.10/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360 | |
- iptables -A INPUT -j DROP | |
- iptables -A FORWARD -j DROP | |
- netfilter-persistent save | |
- netfilter-persistent reload | |
- echo "***** Finalizing config" | |
- echo "unattended-upgrades unattended-upgrades/enable_auto_updates boolean true" | debconf-set-selections | |
- perl -pi -e 's/^.*PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config | |
- systemctl reload ssh.service | |
- echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf | |
- echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf | |
- echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf | |
- echo "net.ipv4.ip_no_pmtu_disc = 1" >> /etc/sysctl.conf | |
- sync | |
- echo "***** Rebooting in 3 sec..." | |
- sleep 3 | |
- reboot now |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment