@zipcode
Last active February 26, 2017 07:44
ipsec with certificates playthrough
New instance somewhere in the cloud, using Ubuntu:
#cloud-config
packages:
- strongswan
package_upgrade: true
Create root cert locally (you will be prompted for a passphrase; the private key lands in privkey.pem, OpenSSL's default key file, which is the -CAkey used for signing below):
openssl req -x509 -newkey rsa:4096 -days 90 -subj "/CN=ginko-rootca.zip.sexy" -out root.crt
Create openssl.cnf locally (email:move takes the emailAddress attribute out of the subject DN and puts it into the subjectAltName, which is where clients look for it):
cat > openssl.cnf << EOF
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=email:move
EOF
Create server key on server:
openssl genrsa -out server.pem 2048
openssl req -new -subj "/CN=ginko.do.zip.sexy" -key server.pem -out server.req
Copy server.req to the local machine and sign it. The extra subjectAltName line appended to the extension file gives the server cert a DNS SAN matching its leftid, taking precedence over the email:move entry:
openssl x509 -req -CAcreateserial -days 90 -in server.req -CAkey privkey.pem -CA root.crt -out server.crt -extensions usr_cert -extfile <(cat openssl.cnf <(echo "subjectAltName=DNS:ginko.do.zip.sexy"))
Copy server.crt and root.crt to the server and put the files in place:
mv server.crt /etc/ipsec.d/certs/server.crt
mv server.pem /etc/ipsec.d/private/server.pem
mv root.crt /etc/ipsec.d/cacerts/root.crt
echo ": RSA server.pem" > /etc/ipsec.secrets
cat > /etc/ipsec.conf << EOF
ca root
cacert=root.crt
auto=add
conn vpn
auto=add
keyexchange=ikev2
leftauth=pubkey
leftcert=server.crt
leftid="@ginko.do.zip.sexy"
leftsendcert=always
leftsubnet=0.0.0.0/0
rightauth=pubkey
rightca="CN=ginko-rootca.zip.sexy"
rightdns=8.8.8.8
rightsourceip=10.0.98.0/24
EOF
ipsec restart
cat > /tmp/nat.rules << EOF
# NAT rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.98.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
cat > /tmp/filter.rules << EOF
# Pass encapsulated packets
-A ufw-before-forward -s 10.0.98.0/24 -m policy --pol ipsec --dir in -j ACCEPT
-A ufw-before-forward -d 10.0.98.0/24 -m policy --pol ipsec --dir out -j ACCEPT
EOF
sed -i "1 r /tmp/nat.rules" /etc/ufw/before.rules
sed -i "/^# End required lines$/r /tmp/filter.rules" /etc/ufw/before.rules
sed -i 's|^#\(net/ipv4/ip_forward=1\)|\1|' /etc/ufw/sysctl.conf
ufw allow proto udp to any port 500
ufw allow proto udp to any port 4500
ufw allow proto ah to any
ufw allow proto esp to any
ufw allow ssh
ufw enable
Create a user certificate on local machine:
export PASS=`dd if=/dev/random of=/dev/stdout bs=1 count=10 | base64`
openssl req -newkey rsa:2048 -new -subj "/CN=ipad@ginko.do.zip.sexy/emailAddress=ipad@ginko.do.zip.sexy" -keyout user.pem -out user.req -passout env:PASS
openssl x509 -req -CAcreateserial -days 90 -in user.req -CAkey privkey.pem -CA root.crt -out user.crt -extensions usr_cert -extfile openssl.cnf
openssl pkcs12 -export -certfile root.crt -out user.p12 -inkey user.pem -in user.crt -passin env:PASS
MacOS/iOS note: Apple is REAL finicky about what it does. Make sure you install both the root CA and the user cert or it'll barf and it *won't even fucking log anywhere to tell you why*. All that shit about Subject Alternative Names above is ALSO because Apple hates you.
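Because the client gives you nothing to go on when the chain or the SANs are wrong, it is worth checking the generated certificates locally before building the .p12. The script below is an added example, not part of the gist; it assumes the openssl CLI is on PATH, and its demo builds a throwaway CA with constructed names in a temp directory to exercise the check.

```shell
#!/bin/sh
# Added example (not from the gist): confirm a cert chains to the root CA and
# carries the subjectAltName the VPN client will look for. Assumes openssl on PATH.
set -eu

# check_cert CERT CA WANT -> 0 if CERT verifies against CA and its
# subjectAltName contains WANT (e.g. "DNS:ginko.do.zip.sexy" or
# "email:ipad@ginko.do.zip.sexy"), 1 otherwise. Parses -text output rather
# than using -ext so it also works on OpenSSL releases older than 1.1.1.
check_cert() {
  cert=$1 ca=$2 want=$3
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "$cert: does not chain to $ca" >&2
    return 1
  fi
  sans=$(openssl x509 -in "$cert" -noout -text \
         | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
  case ",$sans," in
    *",$want,"*) echo "$cert: ok, SAN contains $want"; return 0 ;;
    *) echo "$cert: SAN '$sans' lacks $want" >&2; return 1 ;;
  esac
}

# demo: mirror the gist's signing flow with constructed names (-nodes so
# nothing prompts), then check a correct server cert and one signed without
# the extension file. Returns 0 only if the good one passes and the bad fails.
demo() {
  d=$(mktemp -d); cd "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-rootca" \
    -keyout privkey.pem -out root.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout server.pem -out server.req 2>/dev/null
  printf '[ usr_cert ]\nbasicConstraints=CA:FALSE\nsubjectAltName=DNS:vpn.example.test\n' > ext.cnf
  openssl x509 -req -CAcreateserial -days 1 -in server.req -CAkey privkey.pem \
    -CA root.crt -out server.crt -extensions usr_cert -extfile ext.cnf 2>/dev/null
  # same request signed with no extension file: no SAN at all
  openssl x509 -req -CAcreateserial -days 1 -in server.req -CAkey privkey.pem \
    -CA root.crt -out nosan.crt 2>/dev/null
  check_cert server.crt root.crt DNS:vpn.example.test || return 1
  check_cert nosan.crt root.crt DNS:vpn.example.test && return 1
  echo pass
}
```

For the real files, run it as check_cert server.crt root.crt DNS:ginko.do.zip.sexy and check_cert user.crt root.crt email:ipad@ginko.do.zip.sexy before exporting user.p12.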