[
  {
    "path": "README.md",
    "content": "Voodoo Privacy\n==============\n\nProtect your computer from insecure environments with a very strict firewall and a strong VPN through Amazon EC2.\n\n\n## Update - July 2016\n\nThanks for your interest in this project! [Lin\nSong](https://www.linkedin.com/in/linsongui) has built a newer version which is\ntested with 2016 releases of Ubuntu/Debian/CentOS/RHEL and includes VPN setup\ninstructions for a lot more platforms. [It is available under the same license\nhere](https://github.com/hwdsl2/setup-ipsec-vpn).\n\n\n## The firewall\n\nThe Voodoo Privacy firewall gives you absolute control over your computer's firewall, so that you can control very precisely what is allowed into your computer, but also what is allowed out of it. This is very useful for protecting your privacy, because it lets you block all the broadcast packets that your computer might send when you turn it on.\n\nThe firewall rules are defined in `voodoo-pf.conf`; feel free to edit them. You need to at least define the interface that you will use to connect to an insecure network. The other interfaces will be blocked.\n\nWhen you run `sudo ./voodoo.sh hostile`, the rules in `voodoo-pf.conf` are loaded and replace all the default rules of your Mac (including Network sharing, Application firewall, etc.).\n\nTo get back to Apple's default settings, run `sudo ./voodoo.sh safe`.\n\nTo see what packets get blocked, run `sudo ./voodoo.sh log`.\n\nTo find out more about how to write firewall rules for the OpenBSD packet filter, run `man pf.conf`.\n\nFor more information, read the introduction article: http://www.sarfata.org/posts/secure-your-mac.md.\n\n## The VPN\n\nVoodoo Privacy also makes it very easy to set up a secure VPN gateway on Amazon EC2.\n\n### Setting up the VPN gateway (option 1: manually)\n\n* Create a new security group (EC2 Management interface -> Security groups)\n  * Allow traffic to TCP port 500, and UDP ports 500 and 4500.\n  * It might be helpful to add a rule to allow SSH but you don't really need it. I like to limit SSH login from my home/office IP but if you are really brave you can let everyone find your SSH.\n* Change the default value for the three variables `IPSEC_PSK`, `VPN_USER` and `VPN_PASSWORD` at the top of the launch script and copy everything into your clipboard.\n* In the Amazon console, click on Instances -> Launch Instance -> Classic Wizard -> Ubuntu 12.04 -> 1 micro instance.\n  * In the user data field, paste the launch script you have just adapted.\n  * Select your keypair.\n  * Select the security group you created earlier.\n  * Give the machine a name.\n* Click launch.\n\nAnd that's it! Your server is now ready to accept connections from your Mac. Get the public DNS name of your new server and resolve it to an IP address. You will need it in the next step.\n\n### Setting up the VPN gateway (option 2: automatically)\n\n* Ensure you have the python module \"boto\" installed, for communicating with AWS. (You can install it globally with `sudo pip install boto`, or locally by following the instructions in pyenv/.)\n* Within `create-voodoo-vpn.py`, set the region_name to your desired AWS region, e.g., us-west-1.\n* Set your AWS credentials either in environment variables, in `~/.boto`, or in `create-voodoo-vpn.py`.\n* Run `create-voodoo-vpn.py`.\n\n### Configure the VPN on your Mac\n\nThis should also work on other types of OS but I have not tried yet.\n\n* Open your network settings.\n* Click on the \"+\" button in the top-left corner of the interfaces list.\n* Select a VPN interface, with 'IPSec L2TP' and give it a name.\n* In the address field, put the public IP of your server (you can get it from the Amazon console).\n* In the account name field, put the value of the `VPN_USER` variable that you defined earlier.\n* Click on auth settings, fill your `VPN_PASSWORD` in the first field and your `IPSEC_PSK` in the second box. Click OK.\n* Click on Advanced Settings, select \"Send all traffic\" and click OK.\n* If you are also using the voodoo firewall, update the VPN server address at the top of the script and re-run it to allow VPN traffic to go through to your server.\n* Click Connect; it should take a few seconds and you should be online.\n* Ask Google about your IP address: https://www.google.com/search?q=what+is+my+ip+address, you should see the IP address of your Amazon EC2 box.\n\n### For more information\n\nFor more explanation and help debugging, read my initial blog post about this: http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md.\n\n### Compatibility with other OSs\n\n#### Windows 8\n\nPaul Tromans writes (in the comments on my blog):\n> To get this working with the built-in VPN client in Windows 8 I had to apply the registry tweak described here: http://support.microsoft.com/kb/926179/en-us. If anyone finds a better way to do this, then please post in the comments.\n\n## License\n\nCopyright Thomas Sarlandie 2012\n\nThis work is licensed under the Creative Commons Attribution-ShareAlike 3.0\nUnported License: http://creativecommons.org/licenses/by-sa/3.0/.\n\nAttribution required: please include my name in any derivative and let me know how you have improved it!\n\n## About Voodoo Privacy\n\nVoodoo Privacy was born during Defcon XX to protect my very own privacy. The name comes from the rooftop bar of the Rio hotel where the conference was held.\n\n## Contributors\n\n- [Thomas Sarlandie](https://github.com/sarfata)\n- [Alexis Gallagher](https://github.com/algal)\n- [Shiv Deepak](https://github.com/idlecool)\n"
  },
  {
    "path": "create-voodoo-vpn.py",
    "content": "#!/usr/bin/env python\n\"\"\"Creates an L2TP/IPsec VPN server on Amazon EC2.\n\nThis module creates a security group \"voodoovpn\" if necessary, creates\na new t1.micro instance, uses the shell script voodoo-vpn.sh to set it\nup as a VPN server, and tags it with the name VoodooVPN. It then\nprints out the host name of the server, the VPN username, and a\nrandomly generated Pre-Shared Key and VPN user password, for you to\nuse to configure your computer or devices.\n\nDependencies:\n- the shell script voodoo-vpn.sh\n- the external python module boto (installed globally via \"sudo pip install boto\")\n- your AWS credentials, set in environment variables, in ~/.boto, or in this script\n- (optional) the name of an EC2 keypair for SSH access to the server\n\nThis module is known good with boto version=2.11.0 and AWS services as of 2013-09-02.\n\n\"\"\"\nimport os\nimport random\nimport string\nimport re\nimport time\nimport sys\n\nimport boto.ec2\n\n\n####################\n# INPUT PARAMS\nregion_name = 'us-west-1'\n# None, if no need to ssh into the box later\nkey_name = None\n# None, if we want to get AWS creds from ~/.boto or environment variables\naws_access_key_id = None\naws_secret_access_key = None\n\n####################\n# start\n\n# the user-data template must sit next to this script\nuser_data_template_filename = 'voodoo-vpn.sh'\nif not os.path.isfile(user_data_template_filename):\n    sys.stderr.write(u\"Cannot find %s in the current directory\\n\" % user_data_template_filename)\n    sys.exit(1)\n\n# Canonical's AMI images for Ubuntu 12.04 LTS, as of 20130827\nregionToAMIs = {\"ap-northeast-1\":\"ami-b99b09b8\",\n                \"ap-southeast-1\":\"ami-44135816\",\n                \"ap-southeast-2\":\"ami-c526b4ff\",\n                \"eu-west-1\":\"ami-1babb06f\",\n                \"sa-east-1\":\"ami-c705a1da\",\n                \"us-east-1\":\"ami-1b135e72\",\n                \"us-west-1\":\"ami-1cf1db59\",\n                \"us-west-2\":\"ami-f8ec70c8\"}\n\nif region_name not in regionToAMIs:\n    sys.stderr.write(u\"No Ubuntu 12.04 AMI known for region %s\\n\" % region_name)\n    sys.exit(1)\nimage_id = regionToAMIs[region_name]\n\nprint(u\"Connecting to EC2 in region %s\" % region_name)\nec2 = boto.ec2.connect_to_region(region_name=region_name,\n                                 aws_access_key_id=aws_access_key_id,\n                                 aws_secret_access_key=aws_secret_access_key)\n\nprint(u\"Establishing security group voodoovpn\")\nvoodoovpngroup_name = u'voodoovpn'\nmatching_security_groups = [sg for sg in ec2.get_all_security_groups() if sg.name == voodoovpngroup_name]\nif len(matching_security_groups) > 0:\n    print(u\"Found security group voodoovpn\")\n    voodoovpngroup = matching_security_groups[0]\nelse:\n    print(u\"Creating security group voodoovpn\")\n    voodoovpngroup = ec2.create_security_group(voodoovpngroup_name, 'Voodoo VPN access')\n    # IKE (UDP 500) and NAT-T (UDP 4500); TCP 500 is kept to match the manual instructions\n    voodoovpngroup.authorize('tcp', 500, 500, '0.0.0.0/0')\n    voodoovpngroup.authorize('udp', 500, 500, '0.0.0.0/0')\n    voodoovpngroup.authorize('udp', 4500, 4500, '0.0.0.0/0')\n    if key_name is not None:\n        # open the ssh port (TCP only), if we provided an ssh key\n        voodoovpngroup.authorize('tcp', 22, 22, '0.0.0.0/0')\n\n\nprint(u\"Generating VPN credentials\")\n# generate IPSEC_PSK and VPN_PASSWORD from the OS entropy source rather than the\n# default (non-cryptographic) Mersenne Twister, since these are long-lived secrets\nsecure_random = random.SystemRandom()\nalphabet = string.ascii_letters + string.digits\nVPN_USER = 'voodoouser'\nIPSEC_PSK = ''.join(secure_random.choice(alphabet) for x in range(32))\nVPN_PASSWORD = ''.join(secure_random.choice(alphabet) for x in range(32))\n\nprint(u\"Constructing script to configure EC2 VPN instance\")\n# for AWS, generate one-time user-data script by substituting the three\n# variables at the top of voodoo-vpn.sh\nwith open(user_data_template_filename) as f:\n    user_data_template = f.read()\n\nuser_data = user_data_template\nuser_data = re.sub(r'VPN_USER=.*\\n', 'VPN_USER=\"' + VPN_USER + '\"\\n', user_data)\nuser_data = re.sub(r'IPSEC_PSK=.*\\n', 'IPSEC_PSK=\"' + IPSEC_PSK + '\"\\n', user_data)\nuser_data = re.sub(r'VPN_PASSWORD=.*\\n', 'VPN_PASSWORD=\"' + VPN_PASSWORD + '\"\\n', user_data)\n\nsys.stdout.write(u\"Creating EC2 instance\")\n# on AWS, create the instance\nreservation = ec2.run_instances(image_id=image_id,\n                                key_name=key_name,\n                                instance_type='t1.micro',\n                                security_groups=[voodoovpngroup_name],\n                                user_data=user_data)\n\ninstance = reservation.instances[0]\n\n# Check up on its status every so often\nstatus = instance.update()\nwhile status == 'pending':\n    time.sleep(1)\n    sys.stdout.write('.')\n    sys.stdout.flush()\n    status = instance.update()\nprint(u\".\")\n\nif status != 'running':\n    print('Instance ' + instance.id + ' never reached status \"running\". Instance status: ' + status)\n    sys.exit(1)\n\nprint(u\"Tagging instance\")\nec2.create_tags([instance.id], {\"Name\": \"VoodooVPN\"})\n\nprint(u\"VPN instance created and now running\")\n\n# the PSK and password are printed exactly once, here; copy them into your VPN client\nresults = {\"region_name\": region_name,\n           \"instance_id\": instance.id,\n           \"public_dns_name\": instance.public_dns_name,\n           \"securitygroup_id\": voodoovpngroup.id,\n           \"IPSEC_PSK\": IPSEC_PSK,\n           \"VPN_USER\": VPN_USER,\n           \"VPN_PASSWORD\": VPN_PASSWORD}\n\nprint(results)\n\n# return region_name, instance id, PSK, user/pass creds\n\n# add VPN settings on the mac\n# https://gist.github.com/kebot/5517680\n"
  },
  {
    "path": "pyenv/README.md",
    "content": "## Installing boto locally ##\n\n`create-voodoo-vpn.py` depends on the external python module\nboto. Although it's not part of the standard library, it's pretty\nstandard, since it's the module which Amazon recommends for\ninteracting with Amazon Web Services. You can install it globally with\npip by running `sudo pip install boto`.\n\nIn case you don't want to tamper with your global python install, this\ndirectory is here only to facilitate using a python virtual\nenvironment to install boto locally, so that it doesn't affect the\nglobal python installation already on your system.\n\nYou must already have virtualenv installed on your system. Then the steps are\n(activate the environment before running pip, so that boto is installed into it\nand not into the global python):\n\n1. $ cd pyenv\n2. $ virtualenv --no-site-packages .\n3. $ source bin/activate\n4. $ pip install -r requirements.txt\n5. $ cd ..\n\nNow you can do `./create-voodoo-vpn.py`\n"
  },
  {
    "path": "pyenv/requirements.txt",
    "content": "boto==2.11.0\nwsgiref==0.1.2\n"
  },
  {
    "path": "voodoo-pf.conf",
    "content": "# voodoo-pf.conf\n#\n# Firewall rules. Use with voodoo.sh\n#\n# http://www.sarfata.org/posts/secure-your-mac.md\n#\n# Copyright Thomas Sarlandie 2012\n#\n# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0\n# Unported License: http://creativecommons.org/licenses/by-sa/3.0/\n#\n# Attribution required: please include my name in any derivative and let me\n# know how you have improved it!\n\n# The interface that you will use to connect to an insecure network\next_if = \"en1\"\n# your VPN server (if you intend to use one)\nipsec_server = \"42.42.42.42\"\n\n# drop everything by default\nset block-policy drop\n# we do not want to filter traffic on \"internal\" interfaces\nset skip on lo0\nset skip on vmnet1\nset skip on vmnet8\nset skip on vboxnet0\n\n# Normalize all incoming traffic\nscrub in on $ext_if all fragment reassemble\n\n# Block and log everything by default - use 'voodoo.sh log' to see the logs\nblock drop log all\n\n# Block silently some traffic - otherwise the logs get very clogged up\n# I have disabled those lines to let you see the logs and realize all the stuff your\n# computer shares...\n#block on $ext_if proto udp from any port 5353 to any port 5353\n#block out inet6\n#block out on $ext_if proto udp from any to port 137\n\n# Allow ipsec traffic (IKE on 500, NAT-T on 4500, L2TP on 1701) to the VPN server only\npass out on $ext_if proto tcp from any to $ipsec_server port 500\npass out on $ext_if proto udp from any to $ipsec_server port 500\npass out on $ext_if proto udp from any to $ipsec_server port 4500\npass out on $ext_if proto tcp from any to $ipsec_server port 1701\npass out on $ext_if proto udp from any to $ipsec_server port 1701\n\n# Allow dhcp traffic\npass in on $ext_if proto udp from port 68 to any port 67\npass in on $ext_if proto udp from port 67 to any port 68\npass out on $ext_if proto udp from port 67 to any port 68\n\n# Allow ping to test connection\npass out on $ext_if inet proto icmp all icmp-type echoreq\n# Allow ssh out\npass out on $ext_if inet proto tcp to port 22\n\n# Allow all on vpn\npass out on ppp0\n"
  },
  {
    "path": "voodoo-vpn.sh",
    "content": "#!/bin/sh\n#\n# voodoo-vpn.sh: Amazon EC2 user-data file for automatic configuration of a VPN\n# on an Ubuntu server instance. Tested with 12.04.\n#\n# See http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md\n#\n# DO NOT RUN THIS SCRIPT ON YOUR MAC! THIS IS MEANT TO BE RUN WHEN\n# YOUR AMAZON INSTANCE STARTS!\n#\n# Copyright Thomas Sarlandie 2012\n#\n# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0\n# Unported License: http://creativecommons.org/licenses/by-sa/3.0/\n#\n# Attribution required: please include my name in any derivative and let me\n# know how you have improved it!\n\n# POSIX test (not the bash-only [[ ]]) so the check also works under dash, Ubuntu's /bin/sh\nif [ \"$(uname)\" = \"Darwin\" ]; then\n    echo \"Do not run this script on your mac! This script should only be run on a newly-created EC2 instance, after you have modified it to set the three variables below.\"\n    exit 1\nfi\n\n# Please define your own values for those variables\nIPSEC_PSK=very_unsecure_key\nVPN_USER=johndoe\nVPN_PASSWORD=unsecure\n\n# Those two variables will be found automatically from the EC2 instance metadata service\nPRIVATE_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4')\nPUBLIC_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4')\n\n# refresh the package lists first: a freshly booted image may not have any yet\napt-get update\napt-get install -y strongswan xl2tpd\n\ncat > /etc/ipsec.conf <<EOF\nversion 2.0\n\nconfig setup\n  dumpdir=/var/run/pluto/\n  nat_traversal=yes\n  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10\n  oe=off\n  protostack=netkey\n  nhelpers=0\n  interfaces=%defaultroute\n\nconn vpnpsk\n  auto=add\n  left=$PRIVATE_IP\n  leftid=$PUBLIC_IP\n  leftsubnet=$PRIVATE_IP/32\n  leftnexthop=%defaultroute\n  leftprotoport=17/1701\n  rightprotoport=17/%any\n  right=%any\n  rightsubnetwithin=0.0.0.0/0\n  forceencaps=yes\n  authby=secret\n  pfs=no\n  type=transport\n  auth=esp\n  ike=3des-sha1\n  phase2alg=3des-sha1\n  dpddelay=30\n  dpdtimeout=120\n  dpdaction=clear\nEOF\n\ncat > /etc/ipsec.secrets <<EOF\n$PUBLIC_IP  %any  : PSK \"$IPSEC_PSK\"\nEOF\n\ncat > /etc/xl2tpd/xl2tpd.conf <<EOF\n[global]\nport = 1701\n\n;debug avp = yes\n;debug network = yes\n;debug state = yes\n;debug tunnel = yes\n\n[lns default]\nip range = 192.168.42.10-192.168.42.250\nlocal ip = 192.168.42.1\nrequire chap = yes\nrefuse pap = yes\nrequire authentication = yes\nname = l2tpd\n;ppp debug = yes\npppoptfile = /etc/ppp/options.xl2tpd\nlength bit = yes\nEOF\n\ncat > /etc/ppp/options.xl2tpd <<EOF\nipcp-accept-local\nipcp-accept-remote\nms-dns 8.8.8.8\nms-dns 8.8.4.4\nnoccp\nauth\ncrtscts\nidle 1800\nmtu 1280\nmru 1280\nlock\nconnect-delay 5000\nEOF\n\ncat > /etc/ppp/chap-secrets <<EOF\n# Secrets for authentication using CHAP\n# client\tserver\tsecret\t\t\tIP addresses\n\n$VPN_USER\tl2tpd   $VPN_PASSWORD   *\nEOF\n\n# NAT the VPN clients' subnet out of the instance and enable forwarding\niptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE\necho 1 > /proc/sys/net/ipv4/ip_forward\n\n# persist the NAT rule and forwarding setting across reboots\niptables-save > /etc/iptables.rules\n\ncat > /etc/network/if-pre-up.d/iptablesload <<EOF\n#!/bin/sh\niptables-restore < /etc/iptables.rules\necho 1 > /proc/sys/net/ipv4/ip_forward\nexit 0\nEOF\n\nchmod a+x /etc/network/if-pre-up.d/iptablesload\n\nipsec restart\n/etc/init.d/xl2tpd restart\n"
  },
  {
    "path": "voodoo.sh",
    "content": "#!/bin/sh\n#\n# http://www.sarfata.org/posts/secure-your-mac.md\n#\n# Copyright Thomas Sarlandie 2012\n#\n# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 \n# Unported License: http://creativecommons.org/licenses/by-sa/3.0/\n#\n# Attribution required: please include my name in any published derivative and\n# let me know how you have improved it! \n\nCOMMAND=\"$1\"\nshift\n\ncase $COMMAND in\nhostile)\n  echo \"Going into hostile mode. You will be protected.\"\n  # Load pf rules from custom file - Skip Apple default stuff\n  pfctl -f voodoo-pf.conf\n  # Enable packet filtering\n  pfctl -e\n  ;;\nsafe)\n  echo \"Going back to Apple default mode\"\n  pfctl -f /etc/pf.conf\n  pfctl -d\n  # note: it would be better to use pfctl -X <token> but getting the token \n  # requires parsing the output of 'pfctl -s References'\n  ;;\nlog)\n  ifconfig pflog0 create\n  tcpdump -v -n -e -ttt -i pflog0\n  ;;\n*)\n  echo \"$0: <hostile|safe|log>\"\n  echo \" Use hostile when you are on an unsecured network.\"\n  echo \" Use safe when you are back on a safe network. This will reset everything back to Apple's default\"\n  ;;\nesac\n"
  }
]