Last active
April 26, 2024 07:32
-
-
Save rogerbush8/842a3d29e68ad23cd9d8 to your computer and use it in GitHub Desktop.
install-libreswan-ipsec-vpn-regional-vpc-tunnel-on-aws-ec2_aws_linux_ami_201409
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # | |
| # Shell script for installation and setup of L2TP/IPsec VPN tunnel in site-to-site | |
| # mode (e.g. connecting two inter-regional VPCs). VPN software is libreswan. | |
| # | |
| # This should work on linux systems that are RHEL based. | |
| # | |
| # To install directly from this gist, you can curl the "raw" version and pipe that to | |
| # "bash -s" while also defining the environment variables: | |
| # | |
| # curl -s https://gist.githubusercontent.com/rogerbush8/.../raw/.../...whatever... | | |
| # PSK="a secret" EIP1=10... SUBNET1=10.../16 EIP2=10... SUBNET2=10.../16 bash -s | |
| # | |
| # This script should be run on two different instances (right, left) which are the ends of | |
| # the tunnel gateway, by flipping the values on EIP1 VPC1, and EIP2 VPC2 on the other machine. | |
| # | |
| # Helpful debugging (server-side): | |
| # | |
| # $ /etc/init.d/ipsec restart | |
| # $ tail -f /var/log/secure : see messages on restart | |
| # $ tail -f /var/log/messages : | |
| # $ ipsec version : printout version info | |
| # $ ipsec verify : check config and kernel properties | |
| # | |
| # Helpful debugging (server-side): | |
| # | |
| # $ route -n some_ip : shows gateway for some_ip (for IPs on private, should be VPN IP) | |
| # $ nslookup some_ip : should work for private IPs if DNS is right and Route 53 private hosted zone setup. | |
| # $ netstat -nr : shows all the routes. | |
| # $ ping some_ip : N.B. you must enable ICMP traffic on your private network. | |
| # | |
| # Original post by Thomas Sarlandie: | |
| # http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md | |
| # | |
| # Copyright (C) 2014 Lin Song | |
| # Based on the work of Thomas Sarlandie (Copyright 2012) | |
| # | |
| # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 | |
| # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ | |
| # | |
| # Attribution required: please include my name in any derivative and let me | |
| # know how you have improved it! | |
| if [ "$(uname)" = "Darwin" ]; then | |
| echo "DO NOT run this script on your Mac! It should only be run on a newly-created EC2 instance" | |
| echo "or other Dedicated Server / VPS, after you have modified it to set the variables below." | |
| echo "Please see detailed instructions at the URLs in the comments." | |
| exit 1 | |
| fi | |
| # Define these variables. You may either pass these in as variables to the script | |
| # or directly replace them here. | |
| IPSEC_PSK=$PSK # shared secret | |
| EIP1=$EIP1 | |
| SUBNET1=$SUBNET1 | |
| EIP2=$EIP2 | |
| SUBNET2=$SUBNET2 | |
| PUBLIC_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4') | |
| PRIVATE_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4') | |
| # Install necessary packages | |
| yum -y update | |
| yum -y install libreswan | |
| # Prepare various config files | |
| cat > /etc/ipsec.conf <<EOF | |
| version 2.0 | |
| config setup | |
| dumpdir=/var/run/pluto/ | |
| protostack=netkey | |
| nat_traversal=yes | |
| virtual_private= | |
| oe=off | |
| # nhelpers=0 | |
| # interfaces=%defaultroute | |
| include /etc/ipsec.d/*.conf | |
| EOF | |
| mkdir /etc/ipsec.d | |
| cat > /etc/ipsec.d/ipsec_tunnel_half.conf <<EOF | |
| conn ipsec_vpc_tunnel | |
| type=tunnel | |
| authby=secret | |
| left=%defaultroute | |
| leftid=$EIP1 | |
| leftnexthop=%defaultroute | |
| leftsubnet=$SUBNET1 | |
| right=$EIP2 | |
| rightsubnet=$SUBNET2 | |
| pfs=yes | |
| auto=start | |
| # leftprotoport=17/1701 | |
| # rightprotoport=17/%any | |
| # forceencaps=yes | |
| # connaddrfamily=ipv4 | |
| # auth=esp | |
| # ike=3des-sha1,aes-sha1 | |
| # phase2alg=3des-sha1,aes-sha1 | |
| # rekey=no | |
| # keyingtries=5 | |
| # dpddelay=30 | |
| # dpdtimeout=120 | |
| # dpdaction=clear | |
| # nat-keepalive=yes | |
| EOF | |
| cat > /etc/ipsec.secrets <<EOF | |
| $PUBLIC_IP %any : PSK "$IPSEC_PSK" | |
| EOF | |
| /bin/cp -f /etc/sysctl.conf /etc/sysctl.conf.old-$(date +%Y-%m-%d-%H:%M:%S) | |
| cat > /etc/sysctl.conf <<EOF | |
| kernel.sysrq = 0 | |
| kernel.core_uses_pid = 1 | |
| net.ipv4.tcp_syncookies = 1 | |
| kernel.msgmnb = 65536 | |
| kernel.msgmax = 65536 | |
| kernel.shmmax = 68719476736 | |
| kernel.shmall = 4294967296 | |
| net.ipv4.ip_forward = 1 | |
| net.ipv4.conf.all.accept_source_route = 0 | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| net.ipv4.conf.all.log_martians = 1 | |
| net.ipv4.conf.default.log_martians = 1 | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.default.accept_redirects = 0 | |
| net.ipv4.conf.all.send_redirects = 0 | |
| net.ipv4.conf.default.send_redirects = 0 | |
| net.ipv4.conf.all.rp_filter = 0 | |
| net.ipv4.conf.default.rp_filter = 0 | |
| net.ipv6.conf.all.disable_ipv6=1 | |
| net.ipv6.conf.default.disable_ipv6=1 | |
| net.ipv4.icmp_echo_ignore_broadcasts = 1 | |
| net.ipv4.icmp_ignore_bogus_error_responses = 1 | |
| net.ipv4.conf.all.secure_redirects = 0 | |
| net.ipv4.conf.default.secure_redirects = 0 | |
| kernel.randomize_va_space = 1 | |
| net.core.wmem_max=12582912 | |
| net.core.rmem_max=12582912 | |
| net.ipv4.tcp_rmem= 10240 87380 12582912 | |
| net.ipv4.tcp_wmem= 10240 87380 12582912 | |
| EOF | |
| # Routing rules for forwarding packets to network beyond our new VPN gateway. | |
| /bin/cp -f /etc/iptables.rules /etc/iptables.rules.old-$(date +%Y-%m-%d-%H:%M:%S) | |
| cat > /etc/iptables.rules <<EOF | |
| *filter | |
| :INPUT ACCEPT [0:0] | |
| :FORWARD ACCEPT [0:0] | |
| :OUTPUT ACCEPT [0:0] | |
| :ICMPALL - [0:0] | |
| -A INPUT -m conntrack --ctstate INVALID -j DROP | |
| -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| -A INPUT -i lo -j ACCEPT | |
| -A INPUT -p icmp --icmp-type 255 -j ICMPALL | |
| -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT | |
| -A INPUT -p tcp --dport 22 -j ACCEPT | |
| -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT | |
| -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT | |
| -A INPUT -p udp --dport 1701 -j DROP | |
| -A INPUT -j DROP | |
| -A FORWARD -m conntrack --ctstate INVALID -j DROP | |
| -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| -A FORWARD -i ppp+ -o eth+ -j ACCEPT | |
| -A FORWARD -j DROP | |
| -A ICMPALL -p icmp -f -j DROP | |
| -A ICMPALL -p icmp --icmp-type 0 -j ACCEPT | |
| -A ICMPALL -p icmp --icmp-type 3 -j ACCEPT | |
| -A ICMPALL -p icmp --icmp-type 4 -j ACCEPT | |
| -A ICMPALL -p icmp --icmp-type 8 -j ACCEPT | |
| -A ICMPALL -p icmp --icmp-type 11 -j ACCEPT | |
| -A ICMPALL -p icmp -j DROP | |
| COMMIT | |
| *nat | |
| :PREROUTING ACCEPT [0:0] | |
| :INPUT ACCEPT [0:0] | |
| :OUTPUT ACCEPT [0:0] | |
| :POSTROUTING ACCEPT [0:0] | |
| -A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source $PRIVATE_IP | |
| COMMIT | |
| EOF | |
| cat > /etc/network/if-pre-up.d/iptablesload <<EOF | |
| #!/bin/sh | |
| /sbin/iptables-restore < /etc/iptables.rules | |
| exit 0 | |
| EOF | |
| # Set to automatic start | |
| chkconfig ipsec on | |
| chkconfig iptables on | |
| if [ ! -f /etc/ipsec.d/cert8.db ] ; then | |
| echo > /var/tmp/libreswan-nss-pwd | |
| /usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d | |
| /bin/rm -f /var/tmp/libreswan-nss-pwd | |
| fi | |
| /sbin/sysctl -p | |
| /sbin/iptables-restore < /etc/iptables.rules | |
| /etc/init.d/iptables restart | |
| /etc/init.d/ipsec restart | |
| # Display some results | |
| ipsec verify | |
| ipsec version |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment