From f4ea08c29d6f45abde4d31e7cb8f72ef1b0cda92 Mon Sep 17 00:00:00 2001
From: hwdsl2 <sl85mail@hotmail.com>
Date: Sat, 15 Feb 2014 23:15:11 -0800
Subject: [PATCH]

---
 ...tall Script for Ubuntu 12.04 on Amazon EC2 | 247 ++++++++++++++++++
 1 file changed, 247 insertions(+)
 create mode 100644 IPSec L2TP VPN Auto Install Script for Ubuntu 12.04 on Amazon EC2

diff --git a/IPSec L2TP VPN Auto Install Script for Ubuntu 12.04 on Amazon EC2 b/IPSec L2TP VPN Auto Install Script for Ubuntu 12.04 on Amazon EC2
new file mode 100644
index 0000000..35c8ab0
--- /dev/null
+++ b/IPSec L2TP VPN Auto Install Script for Ubuntu 12.04 on Amazon EC2	
@@ -0,0 +1,247 @@
+#!/bin/sh
+#
+# Amazon EC2 user-data file for automatic configuration of a VPN
+# on a Ubuntu server instance. Tested with 12.04.
+#
+# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN WHEN 
+# YOUR AMAZON EC2 INSTANCE STARTS!
+#
+# Copyright (C) 2014 Lin Song. Based on the work of Thomas Sarlandie (Copyright 2012)
+# For detailed instructions, see my tech blog article:
+# 
+# Also see: http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md
+#
+# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 
+# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
+#
+# Attribution required: please include my name in any derivative and let me
+# know how you have improved it! 
+
+# Please define your own values for those variables
+IPSEC_PSK=your_very_secure_key
+VPN_USER=your_username
+VPN_PASSWORD=your_very_secure_password
+
+# Install necessary packages
+apt-get update
+apt-get install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
+        libcap-ng-dev libcap-ng-utils libselinux1-dev \
+        libcurl4-nss-dev libgmp3-dev flex bison gcc make \
+        libunbound-dev libnss3-tools -y
+apt-get install xl2tpd -y
+
+# Compile and install Libreswan
+mkdir -p /opt/src
+cd /opt/src
+wget -qO- https://download.libreswan.org/libreswan-3.8.tar.gz | tar xvz
+cd libreswan-3.8
+make programs
+make install
+
+# Those two variables will be found automatically
+PRIVATE_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4'`
+PUBLIC_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4'`
+
+# Prepare various config files
+cat > /etc/ipsec.conf <<EOF
+version 2.0
+
+config setup
+  dumpdir=/var/run/pluto/
+  nat_traversal=yes
+  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
+  oe=off
+  protostack=netkey
+  nhelpers=0
+  interfaces=%defaultroute
+
+conn vpnpsk
+  connaddrfamily=ipv4
+  auto=add
+  left=$PRIVATE_IP
+  leftid=$PUBLIC_IP
+  leftsubnet=$PRIVATE_IP/32
+  leftnexthop=%defaultroute
+  leftprotoport=17/1701
+  rightprotoport=17/%any
+  right=%any
+  rightsubnetwithin=0.0.0.0/0
+  forceencaps=yes
+  authby=secret
+  pfs=no
+  type=transport
+  auth=esp
+  ike=3des-sha1,aes-sha1
+  phase2alg=3des-sha1,aes-sha1
+  rekey=no
+  keyingtries=5
+  dpddelay=30
+  dpdtimeout=120
+  dpdaction=clear
+EOF
+
+cat > /etc/ipsec.secrets <<EOF
+$PUBLIC_IP  %any  : PSK "$IPSEC_PSK"
+EOF
+
+cat > /etc/xl2tpd/xl2tpd.conf <<EOF
+[global]
+port = 1701
+
+;debug avp = yes
+;debug network = yes
+;debug state = yes
+;debug tunnel = yes
+
+[lns default]
+ip range = 192.168.42.10-192.168.42.250
+local ip = 192.168.42.1
+require chap = yes
+refuse pap = yes
+require authentication = yes
+name = l2tpd
+;ppp debug = yes
+pppoptfile = /etc/ppp/options.xl2tpd
+length bit = yes
+EOF
+
+cat > /etc/ppp/options.xl2tpd <<EOF
+ipcp-accept-local
+ipcp-accept-remote
+ms-dns 8.8.8.8
+ms-dns 8.8.4.4
+noccp
+auth
+crtscts
+idle 1800
+mtu 1280
+mru 1280
+lock
+lcp-echo-failure 10
+lcp-echo-interval 60
+connect-delay 5000
+EOF
+
+cat > /etc/ppp/chap-secrets <<EOF
+# Secrets for authentication using CHAP
+# client  server  secret  IP addresses
+
+$VPN_USER  l2tpd  $VPN_PASSWORD  *
+EOF
+
+/bin/cp -f /etc/sysctl.conf /etc/sysctl.conf.old
+cat > /etc/sysctl.conf <<EOF
+kernel.sysrq = 0
+kernel.core_uses_pid = 1
+net.ipv4.tcp_syncookies = 1
+kernel.msgmnb = 65536
+kernel.msgmax = 65536
+kernel.shmmax = 68719476736
+kernel.shmall = 4294967296
+net.ipv4.ip_forward = 1
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.all.rp_filter = 0
+net.ipv4.conf.default.rp_filter = 0
+net.ipv6.conf.all.disable_ipv6=1
+net.ipv6.conf.default.disable_ipv6=1
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+kernel.randomize_va_space = 1
+net.core.wmem_max=12582912
+net.core.rmem_max=12582912
+net.ipv4.tcp_rmem= 10240 87380 12582912
+net.ipv4.tcp_wmem= 10240 87380 12582912
+EOF
+
+cat > /etc/iptables.rules <<EOF
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:ICMPALL - [0:0]
+:ZREJ - [0:0]
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp --icmp-type 255 -j ICMPALL
+-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
+-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
+-A INPUT -p udp --dport 1701 -j DROP
+-A INPUT -j ZREJ
+-A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i ppp+ -o eth+ -j ACCEPT
+-A FORWARD -j ZREJ
+-A ICMPALL -p icmp --fragment -j DROP        
+-A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
+-A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
+-A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
+-A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
+-A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
+-A ICMPALL -j DROP
+-A ZREJ -p tcp -j REJECT --reject-with tcp-reset 
+-A ZREJ -p udp -j REJECT --reject-with icmp-port-unreachable
+-A ZREJ -j REJECT --reject-with icmp-proto-unreachable
+COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source ${PRIVATE_IP}
+COMMIT
+EOF
+
+cat > /etc/network/if-pre-up.d/iptablesload <<EOF
+#!/bin/sh
+/sbin/iptables-restore < /etc/iptables.rules
+exit 0
+EOF
+
+cat > /etc/rc.local <<EOF
+#!/bin/sh -e
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+# By default this script does nothing.
+/usr/sbin/service ipsec restart
+/usr/sbin/service xl2tpd restart
+exit 0
+EOF
+
+if [ ! -f /etc/ipsec.d/cert8.db ] ; then
+   echo > /var/tmp/libreswan-nss-pwd
+   /usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
+   /bin/rm -f /var/tmp/libreswan-nss-pwd
+fi
+
+/sbin/sysctl -p
+/bin/chmod +x /etc/network/if-pre-up.d/iptablesload
+/sbin/iptables-restore < /etc/iptables.rules
+
+/usr/sbin/service ipsec restart
+/usr/sbin/service xl2tpd restart