Repository: sarfata/voodooprivacy Branch: master Commit: cbf706d14761 Files: 7 Total size: 17.0 KB Directory structure: gitextract_txtrgtkc/ ├── README.md ├── create-voodoo-vpn.py ├── pyenv/ │ ├── README.md │ └── requirements.txt ├── voodoo-pf.conf ├── voodoo-vpn.sh └── voodoo.sh ================================================ FILE CONTENTS ================================================ ================================================ FILE: README.md ================================================ Voodoo Privacy ============== Protect your computer from unsecure environment with a very strict firewall and a strong VPN through Amazon EC2. ## Update - July 2016 Thanks for your interest in this project! [Lin Song](https://www.linkedin.com/in/linsongui) has built a newer version which is tested with 2016 releases of Ubuntu/Debian/CentOS/RHEL and includes VPN setup instructions for a lot more platforms. [It is available under the same license here](https://github.com/hwdsl2/setup-ipsec-vpn). ## The firewall Voodoo privacy firewall gives you absolute control over your computer firewall so that you can control very precisely what is allowed in your computer, but also what is allowed out of your computer. This is very useful to protect your privacy, because it will allow you to block all broadcast packets that your computer might send when you turn it on. The firewall rules are defined in `voodoo-pf.conf`, feel free to edit them. You need to at least define the interface that you will use to connect to an unsecure network. The other interfaces will be blocked. When you run `sudo ./voodoo.sh hostile`, the rules in voodoo-pf.conf will be loaded and will replace all default rules of your Mac (including Network sharing, Application firewall, etc). To get back to Apple default settings, run `sudo ./voodoo.sh safe`. To see what packets get blocked, run `sudo ./voodoo.sh log`. To find more information about how to write firewall rules for Open BSD packet-filter, run `man pf.conf`. For more information, read the introduction article: http://www.sarfata.org/posts/secure-your-mac.md. ## The VPN Voodoo privacy also makes it very easy to set up a secure VPN gateway on Amazon EC2. ### Setting up the VPN gateway (option 1: manually) * Create a new security group (EC2 Management interface -> Security groups) * Allow traffic to TCP port 500, and UDP ports 500 and 4500. * It might be helpful to add a rule to allow SSH but you dont really need it. I like to limit SSH login from my home/office IP but if you are really brave you can let everyone find your SSH. * Change the default value for the three variables `IPSEC_PSK`, `VPN_USER` and `VPN_PASSWORD` at the top of launch script and copy everything into your clipboard. * In amazon console Click on Instances -> Launch Instance -> Classic Wizard -> Ubuntu 12.04 -> 1 micro instance. * In the user data field, paste the launch script you have just adapted. * Select your keypair. * Select the security group you created earlier. * Give the machine a name. * Click launch. And that's it! Your server is now ready to accept connection from your mac. Get the public DNS name of your new server and resolve it to an IP address. You will need it in the next step. ### Setting up the VPN gateway (option 2: automatically) * Ensure you have the python module "boto" installed, for communicating with AWS. (You can install it globally with `sudo pip install boto`, or locally by following the instructiosn in pyenv/.) * Within `create-voodoo-vpn.py`, set the region_name to your desired AWS region, e.g., us-west-1. * Set your AWS credentials either in environmental variables, in `~/.boto`, or in `create-voodoo-vpn.py`. * Run `create-voodoo-vpn.py`. ### Configure the VPN on your Mac This should also work on other types of OS but I have not tried yet. * Open your network settings. * Click on the "+" button in the top-left corner of the interfaces list. * Select a VPN interface, with 'IPSec L2TP' and give it a name. * In the address field, put the public IP of your server (you can get from the amazon console). * In the account name field, put the value of the `VPN_USER` variable that you defined earlier. * Click on auth settings, fill your `VPN_PASSWORD` in the first field and your `IPSEC_PSK` in the second box. Click Ok * Click on Advanced Settings, select "Send all traffic" and click ok. * If you are also using voodoo firewall, update the VPN server address at the top of the script and re-run it to allow VPN traffic to go through to your server. * Click Connect, it should take a few seconds and you should be online. * Ask google about your IP address: https://www.google.com/search?q=what+is+my+ip+address, you should see the IP address of your Amazon EC2 box. ### For more information For more explaination and help debugging, read my initial blog post about this: http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md. ### Compatibility with other OSs #### Windows 8 Paul Tromans writes (in the comments on my blog): > To get this working with the built-in VPN client in Windows 8 I had to apply the registry tweak described here: http://support.microsoft.com/kb/926179/en-us. If anyone finds a better way to do this, then please post in the comments. ## License Copyright Thomas Sarlandie 2012 This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License: http://creativecommons.org/licenses/by-sa/3.0/. Attribution required: please include my name in any derivative and let me know how you have improved it! ## About Voodoo Privacy Voodoo Privacy was born during Defcon XX to protect my very own privacy. The name comes from the rooftop bar of the Rio hotel where the conference was held. ## Contributors - [Thomas Sarlandie](https://github.com/sarfata) - [Alexis Gallagher](https://github.com/algal) - [Shiv Deepak](https://github.com/idlecool) ================================================ FILE: create-voodoo-vpn.py ================================================ #!/usr/bin/env python """Creates an IPSec-over-L2TP VPN server on Amazon EC2. This module creates a security group "voodoovpn" if necessary, creates a new t1.micro instance, uses the shell script voodoo-vpn.sh to set it up as a VPN server, and tags it with the name VoodooVPN. It thens print out the host name of the server, the VPN username, and a randomly generated Pre-Shared Key and VPN user password, for you to use to configure your computer or devices. Dependencies: - the shell script voodoo-vpn.sh - the external python module boto (installed globally via "sudo pip install boto") - your AWS credentials, set in environmental variables, in ~/.boto, or in this script - (optional) the name of an EC2 keypair for SSH access to the server This module is known good with boto version=2.11.0 and AWS services as of 2013-09-02. """ import os import random import string import re import base64 import time import sys import boto import boto.ec2 #################### # INPUT PARAMS region_name='us-west-1' # None, if no need to ssh into the box later key_name = None # None, if we want to get AWS creds from ~/.boto or environmental variables aws_access_key_id=None aws_secret_access_key=None #################### # start user_data_template_filename = 'voodoo-vpn.sh' if not os.path.isfile(user_data_template_filename): exit(1) # Canonical's AMI images for Ubuntu 12.04 LTS, as of 20130827 regionToAMIs = {"ap-northeast-1":"ami-b99b09b8", "ap-southeast-1":"ami-44135816", "ap-southeast-2":"ami-c526b4ff", "eu-west-1":"ami-1babb06f", "sa-east-1":"ami-c705a1da", "us-east-1":"ami-1b135e72", "us-west-1":"ami-1cf1db59", "us-west-2":"ami-f8ec70c8"} image_id = regionToAMIs[region_name] print(u"Connecting to EC2 in region %s" % region_name) ec2 = boto.ec2.connect_to_region(region_name=region_name, aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key) print(u"Establishing security group voodoovpn") voodoovpngroup_name = u'voodoovpn' matching_security_groups = [sg for sg in ec2.get_all_security_groups() if sg.name==voodoovpngroup_name] if len(matching_security_groups) > 0: print(u"Found security group voodoovpn") voodoovpngroup = matching_security_groups[0] else: print(u"Creating security group voodoovpn") voodoovpngroup = ec2.create_security_group(voodoovpngroup_name,'Voodoo VPN access') voodoovpngroup.authorize('tcp',500,500,'0.0.0.0/0') voodoovpngroup.authorize('udp',500,500,'0.0.0.0/0') voodoovpngroup.authorize('udp',4500,4500,'0.0.0.0/0') if key_name is not None: # open an ssh port, if we provided an ssh key voodoovpngroup.authorize('tcp',22,22,'0.0.0.0/0') voodoovpngroup.authorize('udp',22,22,'0.0.0.0/0') print(u"Generating VPN credentials") # generate IPSEC_PSK, VPN_USER = 'voodoouser' IPSEC_PSK = ''.join(random.choice(string.ascii_lowercase + string.ascii_uppercase + string.digits ) for x in range(32)) VPN_PASSWORD = ''.join(random.choice(string.ascii_lowercase + string.ascii_uppercase + string.digits ) for x in range(32)) print(u"Constructing script to configure EC2 VPN instance") # for AWS, generate one-time user-data script with open(user_data_template_filename) as f: user_data_template = f.read() user_data = user_data_template user_data = re.sub(r'VPN_USER=.*\n','VPN_USER="' + VPN_USER + '"\n',user_data) user_data = re.sub(r'IPSEC_PSK=.*\n','IPSEC_PSK="' + IPSEC_PSK + '"\n',user_data) user_data = re.sub(r'VPN_PASSWORD=.*\n','VPN_PASSWORD="' + VPN_PASSWORD + '"\n',user_data) sys.stdout.write(u"Creating EC2 instance") # on AWS, create the instance reservation = ec2.run_instances(image_id=image_id, key_name=key_name, instance_type='t1.micro', security_groups=[voodoovpngroup_name], user_data=user_data) instance = reservation.instances[0] # Check up on its status every so often status = instance.update() while status == 'pending': time.sleep(1) sys.stdout.write('.') sys.stdout.flush() status = instance.update() print(u".") if status != 'running': print('Instance ' + instance.id + ' never reached status "running". Instance status: ' + status) exit(1) print(u"Tagging instance") ec2.create_tags([instance.id],{"Name": "VoodooVPN"}) print(u"VPN instance created and now running") results = {"region_name":region_name, "instance_id":instance.id, "public_dns_name":instance.public_dns_name, "securitygroup_id":voodoovpngroup.id, "IPSEC_PSK":IPSEC_PSK, "VPN_USER":VPN_USER, "VPN_PASSWORD":VPN_PASSWORD} print(results) # return region_name, instance id, PSK, user/pass creds # add VPN settings on the mac # https://gist.github.com/kebot/5517680 ================================================ FILE: pyenv/README.md ================================================ ## Installing boto locally ## `create-voodoo-vpn.py` depends on the external python module boto. Although it's not part of the standard library, it's pretty standard, since it's the module which Amazon recommends for interacting with Amazon Web Services. You can install it globally with pip doing `sudo pip install boto`. In case you don't want to tamper with your global python install, this directory is here only to facilitate using a python virtual environment to install the boto locally, so that it doesn't affect the global python installation already on your system. You must already have virtualenv installed on your system. Then the steps are: 1. $ cd pyenv 2. $ virtualenv --no-site-packages . 3. $ pip install -r requirements.txt 4. $ source bin/activate 5. $ cd .. Now you can do `./create-voodoo-vpn.py` ================================================ FILE: pyenv/requirements.txt ================================================ boto==2.11.0 wsgiref==0.1.2 ================================================ FILE: voodoo-pf.conf ================================================ # voodoo-pf.conf # # Firewall rules. Use with voodoo-safe.sh # # http://www.sarfata.org/posts/secure-your-mac.md # # Copyright Thomas Sarlandie 2012 # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ # # Attribution required: please include my name in any derivative and let me # know how you have improved it! # The interface that you will use to connect to an unsecure network ext_if = "en1" # your VPN server (if you intend to use one) ipsec_server = "42.42.42.42" # drop everything by default set block-policy drop # we do not want to filter traffic on "internal" interfaces set skip on lo0 set skip on vmnet1 set skip on vmnet8 set skip on vboxnet0 # Normalize all incoming traffic scrub in on $ext_if all fragment reassemble # Block and log everything by default - Use pf-lockdown.sh log to see the logs block drop log all # Block silently some traffic - otherwise the logs get very clogged up # I have disabled those lines to let you see the logs and realize all the stuff your # computer shares... #block on $ext_if proto udp from any port 5353 to any port 5353 #block out inet6 #block out on $ext_if proto udp from any to port 137 # Allow ipsec traffic pass out on $ext_if proto tcp from any to $ipsec_server port 500 pass out on $ext_if proto udp from any to $ipsec_server port 500 pass out on $ext_if proto udp from any to $ipsec_server port 4500 pass out on $ext_if proto tcp from any to $ipsec_server port 1701 pass out on $ext_if proto udp from any to $ipsec_server port 1701 # Allow dhcp traffic pass in on $ext_if proto udp from port 68 to any port 67 pass in on $ext_if proto udp from port 67 to any port 68 pass out on $ext_if proto udp from port 67 to any port 68 # Allow ping to test connection pass out on $ext_if inet proto icmp all icmp-type echoreq # Allow ssh out pass out on $ext_if inet proto tcp to port 22 # Allow all on vpn pass out on ppp0 ================================================ FILE: voodoo-vpn.sh ================================================ #!/bin/sh # # voodoo-vpn.sh: Amazon EC2 user-data file for automatic configuration of a VPN # on a Ubuntu server instance. Tested with 12.04. # # See http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md # # DO NOT RUN THIS SCRIPT ON YOUR MAC! THIS IS MEANT TO BE RUN WHEN # YOUR AMAZON INSTANCE STARTS! # # Copyright Thomas Sarlandie 2012 # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ # # Attribution required: please include my name in any derivative and let me # know how you have improved it! if [[ "`uname`" == "Darwin" ]]; then echo "Do not run this script on your mac! This script should only be run on a newly-created EC2 instance, after you have modified it to set the three variables below." exit 1 fi # Please define your own values for those variables IPSEC_PSK=very_unsecure_key VPN_USER=johndoe VPN_PASSWORD=unsecure # Those two variables will be found automatically PRIVATE_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4'` PUBLIC_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4'` apt-get install -y strongswan xl2tpd cat > /etc/ipsec.conf < /etc/ipsec.secrets < /etc/xl2tpd/xl2tpd.conf < /etc/ppp/options.xl2tpd < /etc/ppp/chap-secrets < /proc/sys/net/ipv4/ip_forward iptables-save > /etc/iptables.rules cat > /etc/network/if-pre-up.d/iptablesload < /proc/sys/net/ipv4/ip_forward exit 0 EOF chmod a+x /etc/network/if-pre-up.d/iptablesload ipsec restart /etc/init.d/xl2tpd restart ================================================ FILE: voodoo.sh ================================================ #!/bin/sh # # http://www.sarfata.org/posts/secure-your-mac.md # # Copyright Thomas Sarlandie 2012 # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ # # Attribution required: please include my name in any published derivative and # let me know how you have improved it! COMMAND="$1" shift case $COMMAND in hostile) echo "Going into hostile mode. You will be protected." # Load pf rules from custom file - Skip Apple default stuff pfctl -f voodoo-pf.conf # Enable packet filtering pfctl -e ;; safe) echo "Going back to Apple default mode" pfctl -f /etc/pf.conf pfctl -d # note: it would be better to use pfctl -X but getting the token # requires parsing the output of 'pfctl -s References' ;; log) ifconfig pflog0 create tcpdump -v -n -e -ttt -i pflog0 ;; *) echo "$0: " echo " Use hostile when you are on an unsecured network." echo " Use safe when you are back on a safe network. This will reset everything back to Apple's default" ;; esac