Cloudformation template improvements (#1435)
This commit is contained in:
Scottpedia
GitHub
parent
a0dc2dde9d
commit
49c974f831
@ -39,12 +39,27 @@
|
||||
|
||||
要指定一个 AWS 区域,你可以使用导航栏上你的帐户信息右侧的选择器。当你在最后一步中点击 "create stack" 之后,请等待堆栈创建和 VPN 安装完成,可能需要最多 15 分钟。一旦堆栈的部署状态变成 **"CREATE_COMPLETE"** ,你就可以连接到 VPN 服务器了。单击 **Outputs** 选项卡以查看你的 VPN 登录信息,然后继续下一步:[配置 VPN 客户端](../README-zh.md#下一步)。
|
||||
|
||||
> **注:** IKEv2 模式的客户端配置文件可以在你的 VPN 服务器的 `/root` 目录中找到。要使用 SSH 连接到服务器,请参见下面的 "常见问题" 小节。
|
||||
|
||||
> **注:** 如果你删除使用此模板部署的 CloudFormation 堆栈,在部署期间添加的密钥对将不会自动被清理。要管理你的密钥对,请转到 EC2 控制台 -> 密钥对。
|
||||
|
||||
## 常见问题
|
||||
|
||||
<details>
|
||||
<summary>
|
||||
如何在部署结束后提取 IKEv2 连接配置文件?
|
||||
</summary>
|
||||
|
||||
部署结束以后,生成的 IKEv2 配置文件已经被上传到了一个预先创建好的 AWS Simple Storage Service(S3) 储存桶。下载配置文件的链接可以在 **Outputs** 页面下找到。
|
||||
|
||||
点击下载链接下载名为 `profiles.zip` 的压缩包文件。解压密码为**你之前配置好的 VPN 连接密码。**
|
||||
|
||||
值得注意的是,配置文件下载链接将会在**1天后过期**,从堆栈部署完成时算起。如果你将堆栈删除,存放配置文件的储存桶不会被删除。
|
||||
|
||||
关于如何在 IKEv2 模式下配置你的客户端,请参见: [IKEv2 VPN 配置和使用指南](../docs/ikev2-howto-zh.md#管理-ikev2-客户端)。
|
||||
|
||||
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
<summary>
|
||||
部署后如何通过 SSH 连接到服务器?
|
||||
@ -85,4 +100,4 @@ $ ssh -i path/to/your/key-file.pem instance-username@instance-ip-address
|
||||
|
||||
## 作者
|
||||
|
||||
版权所有 (C) 2020-2023 [S. X. Liang](https://github.com/scottpedia)
|
||||
版权所有 (C) 2020-2023 [Scott X. L.](https://github.com/scottpedia) <[wtanglef@pm.me](mailto:wtanglef@pm.me)>
|
||||
|
||||
@ -39,12 +39,27 @@ Click the icon below to start:
|
||||
|
||||
You may choose an AWS region using the selector to the right of your account information on the navigation bar. After you click "create stack" in the final step, please wait for the stack creation and VPN setup to complete, which may take up to 15 minutes. As soon as the stack's status changes to **"CREATE_COMPLETE"**, you are ready to connect to the VPN server. Click the **Outputs** tab to view your VPN login details. Then continue to [Next steps: Configure VPN Clients](../README.md#next-steps).
|
||||
|
||||
> **Note:** Client configuration files for IKEv2 mode can be found in the `/root` folder of your VPN server. To connect to the VPN server using SSH, refer to the FAQs section below.
|
||||
|
||||
> **Note:** If you delete a CloudFormation stack deployed using this template, the key pair that was added during deployment won't be automatically cleaned up. To manage your key pairs, go to EC2 console -> Key Pairs.
|
||||
|
||||
## FAQs
|
||||
|
||||
<details>
|
||||
<summary>
|
||||
How to retrieve the IKEv2 credentials following the deployment?
|
||||
</summary>
|
||||
|
||||
After the deployment completes, connection credentials generated for IKEv2 mode are uploaded to a specific AWS Simple Storage Service(S3) Bucket. The download link is then provided under the **Outputs** tab.
|
||||
|
||||
Simply click on the link to download a compressed package named `profiles.zip`. To extract the content from the file, you will be prompted to enter a password. And that password is the **same one used to connect to your VPN server.**
|
||||
|
||||
It's important to note that the link provided for downloading the credential package **will expire in 1 day** following the successful deployment of the stack. If you delete the stack, the bucket that stores the crendentials will not be deleted.
|
||||
|
||||
To learn more about how to configure your clients using IKEv2 mode, please refer to: [Guide: How to Set Up and Use IKEv2 VPN](../docs/ikev2-howto.md#configure-ikev2-vpn-vlients).
|
||||
|
||||
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
<summary>
|
||||
How to connect to the server via SSH after deployment?
|
||||
@ -85,4 +100,4 @@ $ ssh -i path/to/your/key-file.pem instance-username@instance-ip-address
|
||||
|
||||
## Author
|
||||
|
||||
Copyright (C) 2020-2023 [S. X. Liang](https://github.com/scottpedia)
|
||||
Copyright (C) 2020-2023 [Scott X. L.](https://github.com/scottpedia) <[wtanglef@pm.me](mailto:wtanglef@pm.me)>
|
||||
|
||||
@ -1,32 +1,135 @@
|
||||
{
|
||||
"Metadata": {
|
||||
"README": {
|
||||
"Fn::Join": [
|
||||
"\n",
|
||||
[
|
||||
"",
|
||||
"AWS Cloudformation Template for deploying IPSec VPN Servers on AWS EC2,",
|
||||
"based on the work of Lin Song <linsongui@gmail.com> : https://github.com/hwdsl2/setup-ipsec-vpn",
|
||||
"The latest version of this template can be found at : https://github.com/hwdsl2/setup-ipsec-vpn/aws",
|
||||
"",
|
||||
"Copyright (C) 2020-2023 Scott X. L. <wtanglef@pm.me>",
|
||||
"",
|
||||
"This work is licensed under the Creative Commons Attribution-ShareAlike 3.0",
|
||||
"Unported License: http://creativecommons.org/licenses/by-sa/3.0/",
|
||||
"",
|
||||
"Attribution required: Please include my name in any derivative and let me",
|
||||
"know how you have improved it!",
|
||||
""
|
||||
]
|
||||
]
|
||||
}
|
||||
},
|
||||
"AWSTemplateFormatVersion": "2010-09-09",
|
||||
"Mappings": {
|
||||
"OS": {
|
||||
"Ubuntu2004": {
|
||||
"HelperInstallationCommands": "export DEBIAN_FRONTEND=noninteractive\napt-get -yq update\napt-get -yq install python3-pip\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n"
|
||||
"HelperInstallationCommands": "export DEBIAN_FRONTEND=noninteractive\napt-get -yq update\napt-get -yq install python3-pip zip awscli\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n"
|
||||
},
|
||||
"Ubuntu2204": {
|
||||
"HelperInstallationCommands": "export DEBIAN_FRONTEND=noninteractive\napt-get -yq update\napt-get -yq install python3-pip\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n"
|
||||
"HelperInstallationCommands": "export DEBIAN_FRONTEND=noninteractive\napt-get -yq update\napt-get -yq install python3-pip zip awscli\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n"
|
||||
},
|
||||
"Debian10": {
|
||||
"HelperInstallationCommands": "export DEBIAN_FRONTEND=noninteractive\napt-get -yq update\napt-get -yq install python3-pip\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n"
|
||||
"HelperInstallationCommands": "export DEBIAN_FRONTEND=noninteractive\napt-get -yq update\napt-get -yq install python3-pip zip\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n"
|
||||
},
|
||||
"Debian11": {
|
||||
"HelperInstallationCommands": "export DEBIAN_FRONTEND=noninteractive\napt-get -yq update\napt-get -yq install python3-pip\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n"
|
||||
"HelperInstallationCommands": "export DEBIAN_FRONTEND=noninteractive\napt-get -yq update\napt-get -yq install python3-pip zip\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n"
|
||||
},
|
||||
"Debian12": {
|
||||
"HelperInstallationCommands": "export DEBIAN_FRONTEND=noninteractive\nrm -rf /usr/lib/python3.*/EXTERNALLY-MANAGED\napt-get -yq update\napt-get -yq install python3-pip\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n"
|
||||
"HelperInstallationCommands": "export DEBIAN_FRONTEND=noninteractive\nrm -rf /usr/lib/python3.*/EXTERNALLY-MANAGED\napt-get -yq update\napt-get -yq install python3-pip zip\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n"
|
||||
},
|
||||
"CentOS7": {
|
||||
"HelperInstallationCommands": "yum -y install python3 wget\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n"
|
||||
"HelperInstallationCommands": "yum -y install python3 wget zip awscli\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n"
|
||||
},
|
||||
"AmazonLinux2": {
|
||||
"HelperInstallationCommands": "export PATH=\"$PATH:/opt/aws/bin\"\n"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Metadata": {},
|
||||
"Resources": {
|
||||
"IAMInstanceProfile": {
|
||||
"Type": "AWS::IAM::InstanceProfile",
|
||||
"Properties": {
|
||||
"InstanceProfileName": {
|
||||
"Fn::GetAtt": [
|
||||
"KeyPairInfo",
|
||||
"KeyName"
|
||||
]
|
||||
},
|
||||
"Path": "/setup-ipsec-vpn/",
|
||||
"Roles": [
|
||||
{
|
||||
"Ref": "S3ExecutionRole"
|
||||
}
|
||||
]
|
||||
},
|
||||
"DependsOn": [
|
||||
"S3ExecutionRole",
|
||||
"KeyPairInfo"
|
||||
]
|
||||
},
|
||||
"Ikev2S3Bucket": {
|
||||
"Type": "AWS::S3::Bucket",
|
||||
"DeletionPolicy": "Retain",
|
||||
"Properties": {
|
||||
"PublicAccessBlockConfiguration": {
|
||||
"BlockPublicAcls": false,
|
||||
"BlockPublicPolicy": false,
|
||||
"IgnorePublicAcls": false,
|
||||
"RestrictPublicBuckets": false
|
||||
},
|
||||
"LifecycleConfiguration": {
|
||||
"Rules": [
|
||||
{
|
||||
"Id": "DeletionAfterOneDay",
|
||||
"Status": "Enabled",
|
||||
"ExpirationInDays": 1
|
||||
}
|
||||
]
|
||||
},
|
||||
"BucketName": {
|
||||
"Fn::GetAtt": [
|
||||
"KeyPairInfo",
|
||||
"KeyName"
|
||||
]
|
||||
}
|
||||
},
|
||||
"Metadata": {},
|
||||
"DependsOn": [
|
||||
"KeyPairInfo"
|
||||
]
|
||||
},
|
||||
"OpenBucketPolicy": {
|
||||
"Type": "AWS::S3::BucketPolicy",
|
||||
"Properties": {
|
||||
"Bucket": {
|
||||
"Ref": "Ikev2S3Bucket"
|
||||
},
|
||||
"PolicyDocument": {
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Principal": "*",
|
||||
"Action": "s3:GetObject",
|
||||
"Resource": {
|
||||
"Fn::Join": [
|
||||
"",
|
||||
[
|
||||
"arn:aws:s3:::",
|
||||
{
|
||||
"Ref": "Ikev2S3Bucket"
|
||||
},
|
||||
"/*"
|
||||
]
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
"VpnVpc": {
|
||||
"Type": "AWS::EC2::VPC",
|
||||
"Properties": {
|
||||
@ -95,6 +198,9 @@
|
||||
}
|
||||
},
|
||||
"Properties": {
|
||||
"IamInstanceProfile": {
|
||||
"Ref": "IAMInstanceProfile"
|
||||
},
|
||||
"UserData": {
|
||||
"Fn::Base64": {
|
||||
"Fn::Join": [
|
||||
@ -139,6 +245,18 @@
|
||||
"'\n",
|
||||
"wget -t 3 -T 30 -nv -O vpn.sh https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup.sh\n",
|
||||
"sh vpn.sh\n",
|
||||
"mkdir /root/profiles\n",
|
||||
"cp /root/vpnclient* /root/profiles\n",
|
||||
"cd /root/ && zip -er --password '",
|
||||
{
|
||||
"Ref": "VpnPassword"
|
||||
},
|
||||
"' profiles.zip ./profiles\n",
|
||||
"aws s3 cp /root/profiles.zip s3://",
|
||||
{
|
||||
"Ref": "Ikev2S3Bucket"
|
||||
},
|
||||
"/\n",
|
||||
"cfn-signal -e 0 ",
|
||||
" --stack ",
|
||||
{
|
||||
@ -195,7 +313,9 @@
|
||||
"VpnServerVolume",
|
||||
"KeyPairCreation",
|
||||
"AMIInfoFunction",
|
||||
"VpnSecurityGroup"
|
||||
"VpnSecurityGroup",
|
||||
"Ikev2S3Bucket",
|
||||
"IAMInstanceProfile"
|
||||
]
|
||||
},
|
||||
"VpnSecurityGroup": {
|
||||
@ -274,7 +394,7 @@
|
||||
"Type": "AWS::Lambda::Function",
|
||||
"Properties": {
|
||||
"Handler": "index.handler",
|
||||
"Runtime": "python3.7",
|
||||
"Runtime": "python3.8",
|
||||
"Role": {
|
||||
"Fn::GetAtt": [
|
||||
"LambdaExecutionRole",
|
||||
@ -297,7 +417,7 @@
|
||||
"'''",
|
||||
"def handler(event, context):",
|
||||
" try:",
|
||||
" keyName = 'setup-ipsec-vpn-' + ''.join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(10))",
|
||||
" keyName = 'setup-ipsec-vpn-' + ''.join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(10)).lower()",
|
||||
" region = event['ResourceProperties']['Region']",
|
||||
" ec2 = boto3.client('ec2',region)",
|
||||
" response = ec2.create_key_pair(",
|
||||
@ -342,7 +462,7 @@
|
||||
"Type": "AWS::Lambda::Function",
|
||||
"Properties": {
|
||||
"Handler": "index.handler",
|
||||
"Runtime": "python3.7",
|
||||
"Runtime": "python3.8",
|
||||
"Role": {
|
||||
"Fn::GetAtt": [
|
||||
"LambdaExecutionRole",
|
||||
@ -442,6 +562,59 @@
|
||||
},
|
||||
"Metadata": {}
|
||||
},
|
||||
"S3ExecutionRole": {
|
||||
"Type": "AWS::IAM::Role",
|
||||
"Properties": {
|
||||
"AssumeRolePolicyDocument": {
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Principal": {
|
||||
"Service": [
|
||||
"s3.amazonaws.com"
|
||||
]
|
||||
},
|
||||
"Action": [
|
||||
"sts:AssumeRole"
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"Path": "/",
|
||||
"Policies": [
|
||||
{
|
||||
"PolicyName": "s3-bucket-specific-policy",
|
||||
"PolicyDocument": {
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": "s3:UploadObject",
|
||||
"Resource": [
|
||||
{
|
||||
"Fn::Join": [
|
||||
"",
|
||||
[
|
||||
{
|
||||
"Fn::GetAtt": [
|
||||
"Ikev2S3Bucket",
|
||||
"Arn"
|
||||
]
|
||||
},
|
||||
"/*"
|
||||
]
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"Metadata": {}
|
||||
},
|
||||
"KeyPairInfo": {
|
||||
"Type": "Custom::KeyPairInfo",
|
||||
"Properties": {
|
||||
@ -577,6 +750,24 @@
|
||||
"WarningForDebianUsers": {
|
||||
"Description": "Please be noted that due to Debian images on AWS EC2 using cloud kernels, you are unable to use IPSec/L2TP mode if your server is running Debian. For more information, please refer to the link to the left.",
|
||||
"Value": "https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#debian-kernel"
|
||||
},
|
||||
"RetrieveYourIkev2Credentials": {
|
||||
"Description": "Please use the following link to download your IKEv2 connection credentials. The password to the ZIP file that stores the credentials, is the same password used to connect to your VPN server. The download link for the credentials will expire in ONE day.",
|
||||
"Value": {
|
||||
"Fn::Join": [
|
||||
"",
|
||||
[
|
||||
"https://",
|
||||
{
|
||||
"Fn::GetAtt": [
|
||||
"Ikev2S3Bucket",
|
||||
"RegionalDomainName"
|
||||
]
|
||||
},
|
||||
"/profiles.zip"
|
||||
]
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
BIN
aws/images/credentials.png
Normal file
BIN
aws/images/credentials.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 290 KiB |
Loading…
Reference in New Issue
Block a user