EC2 VPN server builder with multiple VPN support including L2TP, Shadowsocks, V2ray, Brook and Trojan.
Works on Ubuntu (Xenial and above), Mac OS X (Yosemite and above) and Debian (Buster and above) variants including Raspbian. Running on Windows in a dind (Docker in Docker) container is possible, but not yet verified.
The vlp command creates an EC2 instance with VPN services installed out of the box. The lproxy command creates a proxy (SOCKS/HTTP/DNS) container running locally on your PC, Mac or Raspberry Pi, which tunnels all traffic through the VPN server on EC2. An AWS access key ID and secret access key are necessary.
$ sudo apt-get update; sudo apt-get install docker.io git dnsutils curl whois
...
$ sudo usermod -aG docker `whoami`; exit
Note: You need to log out of the current session and log back in for the docker group setting to take effect.
Note: For Raspberry Pi users, please update to Raspbian Buster before installing Docker, as Docker versions earlier than 18.09 are no longer supported.
$ git clone --recurse-submodules https://github.com/samuelhbne/vpn-launchpad.git
$ cd vpn-launchpad
$ ./vlp init
AWS Access Key ID [None]: INPUT-YOUR-AWS-ID-HERE
AWS Secret Access Key [None]: INPUT-YOUR-AWS-KEY-HERE
Default region name [ap-northeast-1]:
Default output format [json]:
Done.
$
Note: './vlp init' needs to download a Docker image (about 100MB) the first time it runs. However, hub.docker.com might be 'throttled' mysteriously in certain countries. If './vlp init' is stuck downloading for over 10 minutes without progress, try './vlp --from-src init' instead to build the Docker image from source.
$ ./vlp build --without-random --with-sslibev
...
Shadowsocks-URI: ss://YWVzLTI1Ni1nY206U1NTTElCRVYtUEFTUw==@13.231.224.253:28388#VLP-shadowsocks
...
Scan QR code above from Shadowsocks compatible mobile app to connect your mobile phone/tablet.
Done.
$
Scan the QR code generated above with a Shadowsocks-compatible mobile app (Shadowrocket for iOS, Shadowsocks for Android, etc.) to connect your mobile phone/tablet and enjoy.
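The ss:// URI in the build output above, and the QR code that encodes it, carries the cipher and password as plain base64, so it should be handled like the password itself. The sketch below is an added example, not part of vpn-launchpad: the function names ss_field and ss_has_page_default are made up here, and it assumes a base64 command that accepts -d and the padded ss://base64(method:password)@host:port#tag form shown above.

```sh
#!/bin/sh
# Added example: split an ss:// URI of the form printed by './vlp build'
#   ss://base64(method:password)@host:port#tag
# and return one field. The credentials are only base64-encoded, not encrypted.
ss_field() (   # usage: ss_field <uri> method|password|host|port
    rest=${1#ss://}           # drop the scheme
    rest=${rest%%"#"*}        # drop the "#tag" suffix
    userinfo=${rest%%@*}
    hostport=${rest#*@}
    creds=$(printf '%s' "$userinfo" | base64 -d 2>/dev/null) || return 1
    case $creds in *:*) ;; *) return 1 ;; esac   # must be "method:password"
    case $2 in
        method)   printf '%s\n' "${creds%%:*}" ;;
        password) printf '%s\n' "${creds#*:}" ;;   # password may contain ':'
        host)     printf '%s\n' "${hostport%:*}" ;;
        port)     printf '%s\n' "${hostport##*:}" ;;
        *)        return 2 ;;
    esac
)

# True when the URI still carries the SSPASS value shown in
# server-sslibev.env on this page, i.e. the passwords were not randomised.
ss_has_page_default() {
    [ "$(ss_field "$1" password)" = "SSSLIBEV-PASS" ]
}

# The URI printed in the sample './vlp build' output on this page.
uri='ss://YWVzLTI1Ni1nY206U1NTTElCRVYtUEFTUw==@13.231.224.253:28388#VLP-shadowsocks'
echo "method:   $(ss_field "$uri" method)"
echo "password: $(ss_field "$uri" password)"
echo "server:   $(ss_field "$uri" host):$(ss_field "$uri" port)"
if ss_has_page_default "$uri"; then
    echo "password is not randomised; see './vlp random' and 'build --with-random'"
fi
```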
Please jump to step 8 if PC/Mac browser connection is not your goal.
$ ./lproxy build v2ray
...
Setting up local proxy daemon...
Done.
Starting up local proxy daemon...
Done.
Wait 15s for local proxy initialisation...
Done.
Local proxy is running.
VPN sever address: 13.231.224.253
Checking SOCKS5 proxy on 127.0.0.1:1080 TCP ...
curl -sSx socks5h://127.0.0.1:1080 https://checkip.amazonaws.com
13.231.224.253
SOCKS5 proxy check passed.
Checking HTTP proxy on 127.0.0.1:8123 TCP ...
curl -sSx http://127.0.0.1:8123 https://checkip.amazonaws.com
13.231.224.253
HTTP proxy check passed.
Checking DNS server on 127.0.0.1:65353 UDP ...
dig +short @127.0.0.1 -p 65353 twitter.com
104.244.42.1
104.244.42.193
Checking 104.244.42.1 IP owner ...
docker exec -it proxy-sslibev whois 104.244.42.1|grep OrgId
OrgId: TWITT
DNS server check passed.
Done.
$
Note: './lproxy build' needs to download a Docker image (about 90MB) the first time it runs. However, hub.docker.com might be 'throttled' mysteriously in certain countries. If './lproxy build' is stuck downloading for over 10 minutes without progress, try './lproxy build --from-src' instead to build the Docker image from source.
Now modify the connection settings for Firefox, Safari or Chrome according to the proxy port settings given above.
$ ./lproxy purge
Local proxy found. Purging...
Done.
$
$ ./vlp purge
...
Waiting Instance shutdown...
Done.
Removing Security Group of vlp-bionic...
Security Group Removed.
Deleting SSH Key-Pair of vlp-bionic...
Done.
$
Note: Terminating the VPN server instance on AWS after surfing is always recommended. It removes potential trails from the cloud to protect your privacy, and reduces AWS costs if you are not an AWS free tier user.
- Create a new AWS free account here if you don't have one. I'm not affiliated.
- Log in to the AWS IAM console with your account.
- Click "User" on the left side, then click the "Add user" button at the top
- Input the "User name" and tick the "Programmatic access" box below
- Click the "Next: Permissions" button
- Click the "Create group" button
- Fill in "Group name" with "vlpadmin" and tick the "AmazonEC2FullAccess" selection box, which is at the top of the policy list
- Click the blue "Create group" button at the bottom right of the page.
- Tick the "vlpadmin" selection box on the "Add user to group" page
- Click "Next: Tags", click "Next: Review", then click the "Create user" button
- Click the "Show" link
- Now you have the "Access key ID" and "Secret access key" that are necessary for running vpn-launchpad
Follow the official AWS doc page for more details.
$ ./vlp
vlp [--from-src] <command> [options]
--from-src -- Build dependency container from source rather than docker image downloading
init -- Init aws account credential.
build -- Build VPN server.
--from-src -- Build VPN server from source rather than docker image downloading
--with-brook -- Build VPN server with Brook services installed
--with-l2tp -- Build VPN server with L2TP services installed
--with-v2ray -- Build VPN server with V2Ray services installed
--with-trojan -- Build VPN server with Trojan services installed
--with-sslibev -- Build VPN server with Shadowsocks services installed
--with-random -- Build VPN server with VPN passwords randomisation.
--without-random -- Build VPN server without VPN passwords randomisation.
status -- Check VPN server status.
--with-qrcode -- Print Shadowsocks and V2Ray connection QR Code.
purge -- Destory VPN server instance.
random -- Randomise VPN passwords.
ssh -- SSH login into VPN server instance.
$ ./lproxy
lproxy <command> [options]
build -- Build local proxy container.
--from-src -- Build local proxy container from source rather than docker image downloading.
brook -- Build local proxy container that connect to VPN server via Brook connector
sslibev -- Build local proxy container that connect to VPN server via Shadowsocks connector
trojan -- Build local proxy container that connect to VPN server via Trojan connector
v2ray -- Build local proxy container that connect to VPN server via V2ray connector
status -- Check local proxy container status.
purge -- Destory local proxy container.
Note: Please build the VPN server before building the local proxy.
Note: Building v2ray/brook with the '--from-src' switch requires fetching component dependencies from golang.org. However, access to golang.org might be blocked in certain countries, which causes the build to fail. If that is your case, remove the '--from-src' switch (so that images are fetched from Docker Hub instead).
$ cat server-sslibev/server-sslibev.env
SGTCP="28388"
SGUDP="28388"
SSPORT="28388"
SSPASS="SSSLIBEV-PASS"
SSMTHD="aes-256-gcm"
$
NOTE: Please ensure SGTCP/SGUDP and SSPORT have the same value, so that AWS opens the specific TCP/UDP port for incoming connections that the server-sslibev service listens on.
NOTE: Please run './vlp purge; ./vlp build' to get the new Shadowsocks server configuration applied.
Credits to shadowsocks-libev
$ cat server-v2ray/server-v2ray.env
SGTCP="10086"
V2RAYPORT="10086"
V2RAYUUID="2633f6b5-0032-4f9e-ae1d-c21d9010cd27"
V2RAYLEVEL="1"
V2RAYAID="64"
$
NOTE: Please ensure SGTCP/SGUDP and V2RAYPORT have the same value, so that AWS opens the specific TCP/UDP port for incoming connections that the server-v2ray service listens on.
NOTE: Please run './vlp purge; ./vlp build' to get the new V2Ray server configuration applied.
Credits to V2Ray
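The two port notes above (for server-sslibev.env and server-v2ray.env) can be checked before running './vlp build'. This is an added example, not part of vpn-launchpad: check_env_ports and the sample file names are hypothetical, and the sample files are constructed from the values shown on this page.

```sh
#!/bin/sh
# Added example: check that the AWS security-group ports in a vlp .env file
# match the port the service listens on. Returns 1 if any port differs.
check_env_ports() (   # usage: check_env_ports <env-file> <service-port-variable>
    envfile=$1 portvar=$2 rc=0
    # Read KEY="value" as text; the file is never sourced, so nothing in it runs.
    get() { grep "^$1=" "$envfile" | tail -n 1 | cut -d= -f2- | tr -d '"'; }
    svc=$(get "$portvar")
    if [ -z "$svc" ]; then
        echo "$envfile: $portvar is not set"
        return 1
    fi
    for sg in SGTCP SGUDP; do
        val=$(get "$sg")
        [ -z "$val" ] && continue    # server-v2ray.env on this page has no SGUDP
        if [ "$val" != "$svc" ]; then
            echo "$envfile: $sg=$val does not match $portvar=$svc"
            rc=1
        fi
    done
    return "$rc"
)

# Constructed sample files: the first two copy the values shown on this page,
# the third is an edit where only SSPORT was changed.
demo=$(mktemp -d)
printf 'SGTCP="28388"\nSGUDP="28388"\nSSPORT="28388"\n' > "$demo/sslibev.env"
printf 'SGTCP="10086"\nV2RAYPORT="10086"\n'             > "$demo/v2ray.env"
printf 'SGTCP="28388"\nSGUDP="28388"\nSSPORT="8443"\n'  > "$demo/edited.env"

check_env_ports "$demo/sslibev.env" SSPORT    && echo "sslibev.env: ports consistent"
check_env_ports "$demo/v2ray.env"   V2RAYPORT && echo "v2ray.env: ports consistent"
check_env_ports "$demo/edited.env"  SSPORT    || echo "edited.env: fix before ./vlp build"
```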
$ cat server-trojan/server-trojan.env
SGTCP="443:8443"
TRJPORT="443"
TRJPASS="TROJAN_PASSWORD"
TRJFAKEDOMAIN="www.microsoft.com"
DUCKDNSTOKEN="6ad424a4-1cc3-4cf7-87ec-0f61ce2c9416"
DUCKDNSDOMAIN="myduckdomain"
DUCKSUBDOMAINS="wildcard"
$
NOTE: You need to register a free domain name on duckdns.org first.
NOTE: Please replace DUCKDNSTOKEN with the token obtained from the top of your duckdns.org home page after login.
NOTE: Please replace DUCKDNSDOMAIN with the domain name you registered on duckdns.org.
NOTE: Please run './vlp purge; ./vlp build' to get the new Trojan server configuration applied.
Credits to Trojan
$ cat server-softether/server-softether.env
...
PSK=YOUR-SHARED-SECRET
USERS=user0:pass0;user1:pass1;
...
$
NOTE: Please run './vlp purge && ./vlp build' to get the new L2TP server configuration applied.
Credits to Tomohisa Kusano and SoftEtherVPN
$ cat proxy-sslibev/proxy-sslibev.env
SOCKSPORT="1080"
HTTPPORT="8123"
DNSPORT="65353"
$
NOTE: Please run './lproxy build' to get the new Shadowsocks client configuration applied.
Credits to shadowsocks-libev
Docker must be installed to run vlp and lproxy. curl and dig are used by 'lproxy status' for connection testing and diagnosis, but are not compulsory.
$ sudo apt-get update; sudo apt-get install docker.io git dnsutils curl whois
...
$ sudo usermod -aG docker `whoami`; exit
https://store.docker.com/editions/community/docker-ce-desktop-mac
Both "vlp build" and "vlp status --with-qrcode" print QR codes (for Shadowsocks, V2Ray and Trojan) to make it easy to connect from mobile devices via QR-capable apps such as Shadowrocket for iOS, or Shadowsocks, v2rayNG and Igniter (QR code scanning is unavailable so far) for Android. Simply scanning the QR code in one of these apps creates a new connection entry. Connect to it and enjoy.
All credits to qrcode-terminal
https://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server
Image/container names may change after upgrading. Please do the following before upgrading:
- Purge the VPN server(s) and local proxy container you previously created via 'vlp' and 'lproxy';
- Stop and remove existing vpnlaunchpad and lproxy containers;
- Remove existing vpnlaunchpad and lproxy images.
Please follow the instructions here to do the cleaning:
$ ./vlp purge
...
$ ./lproxy purge
...
$ docker stop `docker ps -a|grep samuelhbne|awk '{print $1}'`
$ docker rm `docker ps -a|grep samuelhbne|awk '{print $1}'`
$ docker rmi `docker images |grep samuelhbne|awk '{print $3}'`
It is possible to run vpn-launchpad in a dind container if Ubuntu is not an option for you. The following instructions start a dind container with the necessary local proxy port mappings, install package dependencies inside the container, create a non-root user with docker service access, and then start vlp/lproxy.
$ docker run --privileged --name vlpdind -p 1080:1080 -p 8123:8123 -p 65353:65353 -d docker:stable-dind
$ docker exec -it vlpdind sh
/ # apk add bash shadow git curl bind-tools whois
/ # adduser -s /bin/bash -D vlp
/ # usermod -aG root vlp
/ # su - vlp
72d645e47cb2:~$ git clone https://github.com/samuelhbne/vpn-launchpad
72d645e47cb2:~$ cd vpn-launchpad/
72d645e47cb2:~/vpn-launchpad$ ./vlp init
72d645e47cb2:~/vpn-launchpad$ ./vlp build --without-random --with-v2ray
72d645e47cb2:~/vpn-launchpad$ ./lproxy build v2ray
...