spawn-guy/vpn-ec2-install.sh

## vpn-ec2-install.sh
#!/bin/bash -x

# Please define your own values for those variables
# these will be injected into that script by the CFN template bootstrap script
#IPSEC_PSK=SharedSecret
#VPN_USER=username
#VPN_PASSWORD=password

# Those two variables will be found automatically
for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14; do
  PRIVATE_IP=`wget -q -O - 'http://instance-data/latest/meta-data/local-ipv4'`
  if [ ${PRIVATE_IP} != "" ]; then break; fi
  PRIVATE_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4'`
  if [ ${PRIVATE_IP} != "" ]; then break; fi
  sleep 2
done


#the following does not work in VPC
#PUBLIC_IP=`wget -q -O - 'http://instance-data/latest/meta-data/public-ipv4'`
#
# use http://169.254.169.254/latest/meta-data/network/interfaces/macs/06:79:3f:b2:49:20/ipv4-associations/ instead but depends on mac address :-(
#
PUBLIC_IP=`wget -q -O - 'checkip.amazonaws.com'`


# send std out to log file
exec &>> /home/ec2-user/bootstrap-vpn.log

function error_exit() {
    echo "{\"Reason\": \"$1\"}"
    exit $2
}

if [ ${PRIVATE_IP} == "" ]; then
    error_exit "failed to get PRIVATE_IP" 137
fi

if [ ${PUBLIC_IP} == "" ]; then
    error_exit "failed to get PUBLIC_IP" 137
fi

RETURN_CODE=$(/usr/bin/yum install -y --enablerepo=epel openswan xl2tpd)
if [ ${RETURN_CODE} -ne 0 ]; then
    error_exit "yum install openswan xl2tpd failed" ${RETURN_CODE}
fi

cat > /etc/ipsec.conf <<EOF
version 2.0

config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
#        virtual_private=%v4:!10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        virtual_private=%v4:192.168.42.0/24
        oe=off
        protostack=netkey
        nhelpers=0
        interfaces=%defaultroute

conn vpnpsk
        auto=add
        left=${PRIVATE_IP}
        leftid=${PUBLIC_IP}
        leftsubnet=${PRIVATE_IP}/32
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        rightprotoport=17/%any
        right=%any
        rightsubnetwithin=0.0.0.0/0
        forceencaps=yes
        authby=secret
        pfs=no
        type=transport
        auth=esp
        ike=3des-sha1
        phase2alg=3des-sha1
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
EOF

cat > /etc/ipsec.secrets <<EOF
${PUBLIC_IP} %any : PSK "${IPSEC_PSK}"
EOF

# append a new host key for the machine
# ipsec newhostkey --output /etc/ipsec.secrets --bits 2048 --verbose --configdir /etc/pki/nssdb/

cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global]
port = 1701

;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes

[lns default]
ip range = 192.168.42.10-192.168.42.250
local ip = 192.168.42.1
; leave chap unspecified for maximum compatibility with windows, iOS, etc
; require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF

cat > /etc/ppp/options.xl2tpd <<EOF
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
auth
crtscts
idle 1800
mtu 1280
mru 1280
lock
proxyarp
connect-delay 5000
EOF

cat > /etc/ppp/chap-secrets <<EOF
# Secrets for authentication using CHAP
# client server secret IP addresses

${VPN_USER} l2tpd ${VPN_PASSWORD} *
EOF

iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables-save > /etc/iptables.rules

# Ignore ICMP Redirects:
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > ${f}; done

# Don't send ICMP Redirects:
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > ${f}; done

mkdir -p /etc/network/if-pre-up.d
cat > /etc/network/if-pre-up.d/iptablesload <<EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
echo 1 > /proc/sys/net/ipv4/ip_forward
exit 0
EOF

chkconfig ipsec on
chkconfig xl2tpd on

RETURN_CODE=$(service ipsec start)
if [ ${RETURN_CODE} -ne 0 ]; then
    error_exit "Can not start ipsec" ${RETURN_CODE}
fi

RETURN_CODE=$(service xl2tpd start)
if [ ${RETURN_CODE} -ne 0 ]; then
    error_exit "Can not start xl2tpd" ${RETURN_CODE}
fi
	#!/bin/bash -x

	# Please define your own values for those variables
	# these will be injected into that script by the CFN template bootstrap script
	#IPSEC_PSK=SharedSecret
	#VPN_USER=username
	#VPN_PASSWORD=password

	# Those two variables will be found automatically
	for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14; do
	PRIVATE_IP=`wget -q -O - 'http://instance-data/latest/meta-data/local-ipv4'`
	if [ ${PRIVATE_IP} != "" ]; then break; fi
	PRIVATE_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4'`
	if [ ${PRIVATE_IP} != "" ]; then break; fi
	sleep 2
	done


	#the following does not work in VPC
	#PUBLIC_IP=`wget -q -O - 'http://instance-data/latest/meta-data/public-ipv4'`
	#
	# use http://169.254.169.254/latest/meta-data/network/interfaces/macs/06:79:3f:b2:49:20/ipv4-associations/ instead but depends on mac address :-(
	#
	PUBLIC_IP=`wget -q -O - 'checkip.amazonaws.com'`


	# send std out to log file
	exec &>> /home/ec2-user/bootstrap-vpn.log

	function error_exit() {
	echo "{\"Reason\": \"$1\"}"
	exit $2
	}

	if [ ${PRIVATE_IP} == "" ]; then
	error_exit "failed to get PRIVATE_IP" 137
	fi

	if [ ${PUBLIC_IP} == "" ]; then
	error_exit "failed to get PUBLIC_IP" 137
	fi

	RETURN_CODE=$(/usr/bin/yum install -y --enablerepo=epel openswan xl2tpd)
	if [ ${RETURN_CODE} -ne 0 ]; then
	error_exit "yum install openswan xl2tpd failed" ${RETURN_CODE}
	fi

	cat > /etc/ipsec.conf <<EOF
	version 2.0

	config setup
	dumpdir=/var/run/pluto/
	nat_traversal=yes
	# virtual_private=%v4:!10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
	virtual_private=%v4:192.168.42.0/24
	oe=off
	protostack=netkey
	nhelpers=0
	interfaces=%defaultroute

	conn vpnpsk
	auto=add
	left=${PRIVATE_IP}
	leftid=${PUBLIC_IP}
	leftsubnet=${PRIVATE_IP}/32
	leftnexthop=%defaultroute
	leftprotoport=17/1701
	rightprotoport=17/%any
	right=%any
	rightsubnetwithin=0.0.0.0/0
	forceencaps=yes
	authby=secret
	pfs=no
	type=transport
	auth=esp
	ike=3des-sha1
	phase2alg=3des-sha1
	dpddelay=30
	dpdtimeout=120
	dpdaction=clear
	EOF

	cat > /etc/ipsec.secrets <<EOF
	${PUBLIC_IP} %any : PSK "${IPSEC_PSK}"
	EOF

	# append a new host key for the machine
	# ipsec newhostkey --output /etc/ipsec.secrets --bits 2048 --verbose --configdir /etc/pki/nssdb/

	cat > /etc/xl2tpd/xl2tpd.conf <<EOF
	[global]
	port = 1701

	;debug avp = yes
	;debug network = yes
	;debug state = yes
	;debug tunnel = yes

	[lns default]
	ip range = 192.168.42.10-192.168.42.250
	local ip = 192.168.42.1
	; leave chap unspecified for maximum compatibility with windows, iOS, etc
	; require chap = yes
	refuse pap = yes
	require authentication = yes
	name = l2tpd
	;ppp debug = yes
	pppoptfile = /etc/ppp/options.xl2tpd
	length bit = yes
	EOF

	cat > /etc/ppp/options.xl2tpd <<EOF
	ipcp-accept-local
	ipcp-accept-remote
	ms-dns 8.8.8.8
	ms-dns 8.8.4.4
	noccp
	auth
	crtscts
	idle 1800
	mtu 1280
	mru 1280
	lock
	proxyarp
	connect-delay 5000
	EOF

	cat > /etc/ppp/chap-secrets <<EOF
	# Secrets for authentication using CHAP
	# client server secret IP addresses

	${VPN_USER} l2tpd ${VPN_PASSWORD} *
	EOF

	iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
	echo 1 > /proc/sys/net/ipv4/ip_forward

	iptables-save > /etc/iptables.rules

	# Ignore ICMP Redirects:
	for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > ${f}; done

	# Don't send ICMP Redirects:
	for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > ${f}; done

	mkdir -p /etc/network/if-pre-up.d
	cat > /etc/network/if-pre-up.d/iptablesload <<EOF
	#!/bin/sh
	iptables-restore < /etc/iptables.rules
	echo 1 > /proc/sys/net/ipv4/ip_forward
	exit 0
	EOF

	chkconfig ipsec on
	chkconfig xl2tpd on

	RETURN_CODE=$(service ipsec start)
	if [ ${RETURN_CODE} -ne 0 ]; then
	error_exit "Can not start ipsec" ${RETURN_CODE}
	fi

	RETURN_CODE=$(service xl2tpd start)
	if [ ${RETURN_CODE} -ne 0 ]; then
	error_exit "Can not start xl2tpd" ${RETURN_CODE}
	fi