Merge pull request #121 from yunkon-kim/250106-13

Add a testbed for client-to-site VPN

examples/aws/client-to-site-vpn/init.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# 1. Set up Docker's apt repository.
+# Add Docker's official GPG key:
+sudo apt-get update
+sudo apt-get install ca-certificates curl
+sudo install -m 0755 -d /etc/apt/keyrings
+sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
+sudo chmod a+r /etc/apt/keyrings/docker.asc
+
+# Add the repository to Apt sources:
+echo \
+  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
+  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+sudo apt-get update
+
+# 2. Install the Docker packages.
+sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+
+# 3. Verify that the installation is successful by running the hello-world image:
+sudo docker run --rm hello-world
+
+# 4. Update Docker Compose
+sudo apt-get update
+sudo apt-get install docker-compose-plugin
+
+# 5. Verify that the installation is successful by the following command:
+docker compose version

examples/aws/client-to-site-vpn/main.tf

@@ -0,0 +1,215 @@
+# Define the required version of Terraform and the providers that will be used in the project
+terraform {
+  # Required Tofu version
+  required_version = "~>1.8.3"
+
+  required_providers {
+    # AWS provider is specified with its source and version
+    aws = {
+      source  = "registry.opentofu.org/hashicorp/aws"
+      version = "~>5.42"
+    }
+  }
+}
+
+# Provider block for AWS specifies the configuration for the provider
+provider "aws" {
+  region = "ap-northeast-2"
+}
+
+# Define the VPC resource block
+resource "aws_vpc" "secure_testbed" {
+  cidr_block = "10.0.0.0/16"
+
+  tags = {
+    Name = "secure-testbed"
+  }
+}
+
+# Define the subnets resource blocks with the desired CIDR blocks and associate them with the route table
+resource "aws_subnet" "public" {
+  vpc_id                  = aws_vpc.secure_testbed.id
+  cidr_block              = "10.0.0.0/24"
+  map_public_ip_on_launch = true
+  availability_zone       = "ap-northeast-2a"
+  tags = {
+    Name = "secure-testbed-public-subnet"
+  }
+}
+
+resource "aws_subnet" "private" {
+  vpc_id                  = aws_vpc.secure_testbed.id
+  cidr_block              = "10.0.1.0/24"
+  map_public_ip_on_launch = false
+  availability_zone       = "ap-northeast-2b"
+  tags = {
+    Name = "secure-testbed-private-subnet"
+  }
+}
+
+# Internet Gateway
+resource "aws_internet_gateway" "igw" {
+  vpc_id = aws_vpc.secure_testbed.id
+  tags = {
+    Name = "secure-testbed-igw"
+  }
+}
+
+# Route Table for Public Subnet
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.secure_testbed.id
+  tags = {
+    Name = "public-rtb"
+  }
+}
+# Add default routing table for the public subnet
+resource "aws_route" "public_internet_access" {
+  route_table_id         = aws_route_table.public.id
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = aws_internet_gateway.igw.id
+}
+# Connect the route table to the public subnet
+resource "aws_route_table_association" "public" {
+  subnet_id      = aws_subnet.public.id
+  route_table_id = aws_route_table.public.id
+}
+
+# Elastic IP for NAT Gateway
+resource "aws_eip" "nat" {
+  tags = {
+    Name = "nat-eip"
+  }
+}
+
+# NAT Gateway
+resource "aws_nat_gateway" "nat" {
+  allocation_id = aws_eip.nat.id
+  subnet_id     = aws_subnet.public.id
+  tags = {
+    Name = "nat-gateway"
+  }
+}
+
+# Private Route Table
+resource "aws_route_table" "private" {
+  vpc_id = aws_vpc.secure_testbed.id
+  tags = {
+    Name = "private-rtb"
+  }
+}
+# Add a routing table for the private subnet
+resource "aws_route" "private_route" {
+  route_table_id         = aws_route_table.private.id
+  destination_cidr_block = "0.0.0.0/0"
+  nat_gateway_id         = aws_nat_gateway.nat.id
+}
+
+resource "aws_route_table_association" "private" {
+  subnet_id      = aws_subnet.private.id
+  route_table_id = aws_route_table.private.id
+}
+
+# Security Group for Private Subnet
+resource "aws_security_group" "allow_ssh_from_public_subnet" {
+  vpc_id = aws_vpc.secure_testbed.id
+  name   = "allow-ssh-from-public-subnet"
+
+  ingress {
+    description = "Allow traffic from Public Subnet"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["10.0.0.0/24"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "allow-ssh-from-public-subnet"
+  }
+}
+
+# Security Group to allow SSH traffic
+resource "aws_security_group" "allow_ssh_and_wg" {
+  name        = "allow-tls"
+  description = "Allow TLS inbound traffic"
+  vpc_id      = aws_vpc.secure_testbed.id
+
+  ingress {
+    description = "SSH from VPC"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "WireGuard UDP traffic"
+    from_port   = 51820
+    to_port     = 51820
+    protocol    = "udp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "WireGuard TCP traffic"
+    from_port   = 51821
+    to_port     = 51821
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  tags = {
+    Name = "allow-ssh-and-wg"
+  }
+}
+
+resource "aws_instance" "wg-server" {
+  ami                    = "ami-042e76978adeb8c48" # Ubuntu 22.04 LTS
+  instance_type          = "t3.micro"
+  key_name               = "secure-testbed-keypair"
+  vpc_security_group_ids = [aws_security_group.allow_ssh_and_wg.id]
+  availability_zone      = "ap-northeast-2a"
+  subnet_id              = aws_subnet.public.id
+  user_data              = file("./init.sh")
+
+
+  root_block_device {
+    volume_size = 30
+  }
+
+  tags = {
+    Name = "wg-server"
+  }
+}
+
+resource "aws_instance" "secure-server" {
+  ami                    = "ami-042e76978adeb8c48" # Ubuntu 22.04 LTS
+  instance_type          = "t3.micro"
+  key_name               = "secure-testbed-keypair"
+  vpc_security_group_ids = [aws_security_group.allow_ssh_from_public_subnet.id]
+  availability_zone      = "ap-northeast-2b"
+  subnet_id              = aws_subnet.private.id
+
+
+  root_block_device {
+    volume_size = 30
+  }
+
+  tags = {
+    Name = "secure-server"
+  }
+}

go.mod

@@ -4,7 +4,7 @@ go 1.21.4
 
 require (
 	github.com/fsnotify/fsnotify v1.7.0
-	github.com/labstack/echo/v4 v4.13.2
+	github.com/labstack/echo/v4 v4.13.3
 	github.com/rs/zerolog v1.32.0
 	github.com/spf13/viper v1.18.2
 	github.com/swaggo/echo-swagger v1.4.1

go.sum

@@ -40,8 +40,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/labstack/echo/v4 v4.13.2 h1:9aAt4hstpH54qIcqkuUXRLTf+v7yOTfMPWzDtuqLmtA=
-github.com/labstack/echo/v4 v4.13.2/go.mod h1:uc9gDtHB8UWt3FfbYx0HyxcCuvR4YuPYOxF/1QjoV/c=
+github.com/labstack/echo/v4 v4.13.3 h1:pwhpCPrTl5qry5HRdM5FwdXnhXSLSY+WE+YQSeCaafY=
+github.com/labstack/echo/v4 v4.13.3/go.mod h1:o90YNEeQWjDozo584l7AwhJMHN0bOC4tAfg+Xox9q5g=
 github.com/labstack/gommon v0.4.2 h1:F8qTUNXgG1+6WQmqoUWnz8WiEU60mXVVw0P4ht1WRA0=
 github.com/labstack/gommon v0.4.2/go.mod h1:QlUFxVM+SNXhDL/Z7YhocGIBYOiwB0mXm1+1bAPHPyU=
 github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=