From 0a5565d513b7114b28c77f565f0d5e28dbf5d433 Mon Sep 17 00:00:00 2001
From: Yunkon Kim
Date: Mon, 6 Jan 2025 18:22:01 +0900
Subject: [PATCH] Add a testbed for client-to-site VPN
* as known as SSL VPN
---
examples/aws/client-to-site-vpn/init.sh | 29 ++++
examples/aws/client-to-site-vpn/main.tf | 215 ++++++++++++++++++++++++
go.mod | 2 +-
go.sum | 4 +-
4 files changed, 247 insertions(+), 3 deletions(-)
create mode 100644 examples/aws/client-to-site-vpn/init.sh
create mode 100644 examples/aws/client-to-site-vpn/main.tf
diff --git a/examples/aws/client-to-site-vpn/init.sh b/examples/aws/client-to-site-vpn/init.sh
new file mode 100644
index 0000000..214da4e
--- /dev/null
+++ b/examples/aws/client-to-site-vpn/init.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# 1. Set up Docker's apt repository.
+# Add Docker's official GPG key:
+sudo apt-get update
+sudo apt-get install ca-certificates curl
+sudo install -m 0755 -d /etc/apt/keyrings
+sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
+sudo chmod a+r /etc/apt/keyrings/docker.asc
+
+# Add the repository to Apt sources:
+echo \
+ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
+ $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+ sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+sudo apt-get update
+
+# 2. Install the Docker packages.
+sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+
+# 3. Verify that the installation is successful by running the hello-world image:
+sudo docker run --rm hello-world
+
+# 4. Update Docker Compose
+sudo apt-get update
+sudo apt-get install docker-compose-plugin
+
+# 5. Verify that the installation is successful by the following command:
+docker compose version
diff --git a/examples/aws/client-to-site-vpn/main.tf b/examples/aws/client-to-site-vpn/main.tf
new file mode 100644
index 0000000..89c5e8c
--- /dev/null
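Review bot: None of the `apt-get install` lines pass `-y`, and main.tf feeds this script to `wg-server` as `user_data`, where cloud-init runs it with no terminal; apt-get then aborts at its `[Y/n]` confirmation instead of installing Docker. Because the script also has no `set -e`, that failure is silent and every later step (the hello-world run, `docker compose version`) executes on a host without Docker. The repository setup itself follows the vendor recipe (key file plus `signed-by=`), which is fine. The rewrite below makes the script fail fast and non-interactive; where a package is already present (as `ca-certificates curl` usually is) the `-y` is harmless.
```bash
#!/bin/bash
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive

sudo apt-get update
sudo apt-get install -y ca-certificates curl
# … unchanged: keyring and apt source setup …
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
# … unchanged: hello-world smoke test …
sudo apt-get install -y docker-compose-plugin
# … unchanged: docker compose version …
```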
+++ b/examples/aws/client-to-site-vpn/main.tf 
@@ -0,0 +1,215 @@
+# Define the required version of Terraform and the providers that will be used in the project
+terraform {
+ # Required Tofu version
+ required_version = "~>1.8.3"
+
+ required_providers {
+ # AWS provider is specified with its source and version
+ aws = {
+ source = "registry.opentofu.org/hashicorp/aws"
+ version = "~>5.42"
+ }
+ }
+}
+
+# Provider block for AWS specifies the configuration for the provider
+provider "aws" {
+ region = "ap-northeast-2"
+}
+
+# Define the VPC resource block
+resource "aws_vpc" "secure_testbed" {
+ cidr_block = "10.0.0.0/16"
+
+ tags = {
+ Name = "secure-testbed"
+ }
+}
+
+# Define the subnets resource blocks with the desired CIDR blocks and associate them with the route table
+resource "aws_subnet" "public" {
+ vpc_id = aws_vpc.secure_testbed.id
+ cidr_block = "10.0.0.0/24"
+ map_public_ip_on_launch = true
+ availability_zone = "ap-northeast-2a"
+ tags = {
+ Name = "secure-testbed-public-subnet"
+ }
+}
+
+resource "aws_subnet" "private" {
+ vpc_id = aws_vpc.secure_testbed.id
+ cidr_block = "10.0.1.0/24"
+ map_public_ip_on_launch = false
+ availability_zone = "ap-northeast-2b"
+ tags = {
+ Name = "secure-testbed-private-subnet"
+ }
+}
+
+# Internet Gateway
+resource "aws_internet_gateway" "igw" {
+ vpc_id = aws_vpc.secure_testbed.id
+ tags = {
+ Name = "secure-testbed-igw"
+ }
+}
+
+# Route Table for Public Subnet
+resource "aws_route_table" "public" {
+ vpc_id = aws_vpc.secure_testbed.id
+ tags = {
+ Name = "public-rtb"
+ }
+}
+# Add default routing table for the public subnet
+resource "aws_route" "public_internet_access" {
+ route_table_id = aws_route_table.public.id
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.igw.id
+}
+# Connect the route table to the public subnet
+resource "aws_route_table_association" "public" {
+ subnet_id = aws_subnet.public.id
+ route_table_id = aws_route_table.public.id
+}
+
+# Elastic IP for NAT Gateway
+resource "aws_eip" "nat" {
+ tags = {
+ Name = "nat-eip"
+ }
+}
+
+# NAT Gateway
+resource "aws_nat_gateway" "nat" {
+ allocation_id = aws_eip.nat.id
+ subnet_id = aws_subnet.public.id
+ tags = {
+ Name = "nat-gateway"
+ }
+}
+
+# Private Route Table
+resource "aws_route_table" "private" {
+ vpc_id = aws_vpc.secure_testbed.id
+ tags = {
+ Name = "private-rtb"
+ }
+}
+# Add a routing table for the private subnet
+resource "aws_route" "private_route" {
+ route_table_id = aws_route_table.private.id
+ destination_cidr_block = "0.0.0.0/0"
+ nat_gateway_id = aws_nat_gateway.nat.id
+}
+
+resource "aws_route_table_association" "private" {
+ subnet_id = aws_subnet.private.id
+ route_table_id = aws_route_table.private.id
+}
+
+# Security Group for Private Subnet
+resource "aws_security_group" "allow_ssh_from_public_subnet" {
+ vpc_id = aws_vpc.secure_testbed.id
+ name = "allow-ssh-from-public-subnet"
+
+ ingress {
+ description = "Allow traffic from Public Subnet"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["10.0.0.0/24"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = "allow-ssh-from-public-subnet"
+ }
+}
+
+# Security Group to allow SSH traffic
+resource "aws_security_group" "allow_ssh_and_wg" {
+ name = "allow-tls"
+ description = "Allow TLS inbound traffic"
+ vpc_id = aws_vpc.secure_testbed.id
+
+ ingress {
+ description = "SSH from VPC"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ description = "WireGuard UDP traffic"
+ from_port = 51820
+ to_port = 51820
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ description = "WireGuard TCP traffic"
+ from_port = 51821
+ to_port = 51821
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+ }
+
+ tags = {
+ Name = "allow-ssh-and-wg"
+ }
+}
+
+resource "aws_instance" "wg-server" {
+ ami = "ami-042e76978adeb8c48" # Ubuntu 22.04 LTS
+ instance_type = "t3.micro"
+ key_name = "secure-testbed-keypair"
+ vpc_security_group_ids = [aws_security_group.allow_ssh_and_wg.id]
+ availability_zone = "ap-northeast-2a"
+ subnet_id = aws_subnet.public.id
+ user_data = file("./init.sh")
+
+
+ root_block_device {
+ volume_size = 30
+ }
+
+ tags = {
+ Name = "wg-server"
+ }
+}
+
+resource "aws_instance" "secure-server" {
+ ami = "ami-042e76978adeb8c48" # Ubuntu 22.04 LTS
+ instance_type = "t3.micro"
+ key_name = "secure-testbed-keypair"
+ vpc_security_group_ids = [aws_security_group.allow_ssh_from_public_subnet.id]
+ availability_zone = "ap-northeast-2b"
+ subnet_id = aws_subnet.private.id
+
+
+ root_block_device {
+ volume_size = 30
+ }
+
+ tags = {
+ Name = "secure-server"
+ }
+}
diff --git a/go.mod b/go.mod
index e3c04ab..14fa177 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.21.4
 require (
 github.com/fsnotify/fsnotify v1.7.0
- github.com/labstack/echo/v4 v4.13.2
+ github.com/labstack/echo/v4 v4.13.3
 github.com/rs/zerolog v1.32.0
 github.com/spf13/viper v1.18.2
 github.com/swaggo/echo-swagger v1.4.1
diff --git a/go.sum b/go.sum
index 4c6b36e..52f3eaf 100644
--- a/go.sum
+++ b/go.sum
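Review bot: The `allow_ssh_and_wg` group opens 22/tcp to `0.0.0.0/0` while its own rule says "SSH from VPC", and the group is named `allow-tls` with description "Allow TLS inbound traffic" although it carries no TLS rule, so the labels and the real exposure of the public wg-server disagree. WireGuard itself is UDP-only, so the "WireGuard TCP traffic" rule on 51821 is presumably for a management interface and, if so, should be limited to the same operator addresses as SSH rather than the whole internet. The private group `allow_ssh_from_public_subnet` repeats the literal `10.0.0.0/24` instead of referencing the wg-server's security group, which would admit SSH only from that host rather than from anything later placed in the public subnet. Both `aws_instance` resources also leave the metadata service on IMDSv1 and the root volume unencrypted. The excerpt below restricts SSH to an operator-supplied CIDR list (a variable with no default, so it must be set), references the source group, corrects the misleading name/description, and adds `metadata_options { http_tokens = "required" }` and `encrypted = true`; `secure-server` needs the same two additions.
```hcl
variable "ssh_allowed_cidrs" {
  description = "CIDR blocks allowed to reach the wg-server over SSH (and the 51821/tcp management port, if that is what it is)"
  type        = list(string)
}

resource "aws_security_group" "allow_ssh_from_public_subnet" {
  # … unchanged: vpc_id, name …
  ingress {
    description     = "SSH from the wg-server only"
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.allow_ssh_and_wg.id]
  }
  # … unchanged: egress, tags …
}

resource "aws_security_group" "allow_ssh_and_wg" {
  name        = "allow-ssh-and-wg"
  description = "SSH from operator CIDRs, WireGuard UDP from anywhere"
  # … unchanged: vpc_id …
  ingress {
    description = "SSH from operator CIDRs"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.ssh_allowed_cidrs
  }
  # … unchanged: WireGuard UDP 51820 rule …
  ingress {
    description = "51821/tcp (management, not WireGuard itself) from operator CIDRs"
    from_port   = 51821
    to_port     = 51821
    protocol    = "tcp"
    cidr_blocks = var.ssh_allowed_cidrs
  }
  # … unchanged: egress, tags …
}

resource "aws_instance" "wg-server" {
  # … unchanged: ami, instance_type, key_name, vpc_security_group_ids, availability_zone, subnet_id, user_data …
  metadata_options {
    http_tokens = "required" # IMDSv2 only
  }
  root_block_device {
    volume_size = 30
    encrypted   = true
  }
  # … unchanged: tags …
}
```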
@@ -40,8 +40,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/labstack/echo/v4 v4.13.2 h1:9aAt4hstpH54qIcqkuUXRLTf+v7yOTfMPWzDtuqLmtA=
-github.com/labstack/echo/v4 v4.13.2/go.mod h1:uc9gDtHB8UWt3FfbYx0HyxcCuvR4YuPYOxF/1QjoV/c=
+github.com/labstack/echo/v4 v4.13.3 h1:pwhpCPrTl5qry5HRdM5FwdXnhXSLSY+WE+YQSeCaafY=
+github.com/labstack/echo/v4 v4.13.3/go.mod h1:o90YNEeQWjDozo584l7AwhJMHN0bOC4tAfg+Xox9q5g=
 github.com/labstack/gommon v0.4.2 h1:F8qTUNXgG1+6WQmqoUWnz8WiEU60mXVVw0P4ht1WRA0=
 github.com/labstack/gommon v0.4.2/go.mod h1:QlUFxVM+SNXhDL/Z7YhocGIBYOiwB0mXm1+1bAPHPyU=
 github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=