From 2c9069a8b1ba2ae1b74a82cea2cfc2db5515e582 Mon Sep 17 00:00:00 2001
From: jaredhaight
Date: Fri, 30 Nov 2018 10:16:34 -0800
Subject: [PATCH 01/14] Get default interface instead of defaulting to eth0
---
 nodes/aws/configs/node_setup.bash | 3 ++-
 setup/install.sh | 5 +++--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/nodes/aws/configs/node_setup.bash b/nodes/aws/configs/node_setup.bash
index f5ca671..111bf26 100644
--- a/nodes/aws/configs/node_setup.bash
+++ b/nodes/aws/configs/node_setup.bash
@@ -1,3 +1,4 @@
 #! /bin/bash
 sudo sysctl -w net.ipv4.ip_forward=1
-sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+DEFAULTETH=`ip route | grep default | sed -e "s/^.*dev.//" -e "s/.proto.*//"``
+sudo iptables -t nat -A POSTROUTING -o $DEFAULTETH -j MASQUERADE
diff --git a/setup/install.sh b/setup/install.sh
index 72f17cc..2d57144 100755
--- a/setup/install.sh
+++ b/setup/install.sh
@@ -70,8 +70,9 @@ echo "50 loadb" >> /etc/iproute2/rt_tables
 # set rule for openvpn client source network to use the second routing table
 ip rule add from 10.10.10.0/24 table loadb
-# always snat from eth0
-iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+# always snat from default ethernet
+DEFAULTETH=`ip route | grep default | sed -e "s/^.*dev.//" -e "s/.proto.*//"`
+iptables -t nat -A POSTROUTING -o $DEFAULTETH -j MASQUERADE
 ############################
 # post install instructions
From 4b906592df5b31a2d5b6ed1e27ecf93e27dcb216 Mon Sep 17 00:00:00 2001
From: jaredhaight
Date: Fri, 30 Nov 2018 10:23:01 -0800
Subject: [PATCH 02/14] use the AWS metadata service to determin subnetid
---
 setup/install.sh | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/setup/install.sh b/setup/install.sh
index 72f17cc..8d7563d 100755
--- a/setup/install.sh
+++ b/setup/install.sh
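Review bot: `DEFAULTETH` on the added line is scraped from `ip route | grep default | sed ...` and then expanded unquoted in `-o $DEFAULTETH`; with two default routes the variable holds two names, a route line without a `proto` field keeps its trailing `src`/`metric` words (the second sed expression strips nothing), and an empty result degrades the command to `-o -j MASQUERADE`, which iptables rejects or misparses, so in each case the masquerade rule is not the one the script intends. The second hunk of this patch (setup/install.sh) uses the identical construction and has the same problem. A guarded lookup that reads the interface from the `dev` field regardless of route shape: `DEFAULTETH=$(ip -4 route show default | awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i+1); exit}}')`, then `[ -n "$DEFAULTETH" ] || { echo 'no default route found' >&2; exit 1; }`, and `sudo iptables -t nat -A POSTROUTING -o "$DEFAULTETH" -j MASQUERADE`. The extra backtick closing the node_setup.bash assignment is a syntax error on its own.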
@@ -73,6 +73,13 @@ ip rule add from 10.10.10.0/24 table loadb
 # always snat from eth0
 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+##################################
+# update subnet id in variables.tf
+##################################
+MAC=`curl http://169.254.169.254/latest/meta-data/network/interfaces/macs/`
+SUBNETID=`curl http://169.254.169.254/latest/meta-data/network/interfaces/macs/$MAC/subnet-id`
+sed -i "s/subnet-XXXXXXXX/$SUBNETID/" ../nodes/aws/variables.tf
+
 ############################
 # post install instructions
 ############################
From 69b305d5af8e587dd0cc723519f721c5fd07063c Mon Sep 17 00:00:00 2001
From: jaredhaight
Date: Fri, 30 Nov 2018 10:27:35 -0800
Subject: [PATCH 03/14] moved before directory change
---
 setup/install.sh | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/setup/install.sh b/setup/install.sh
index 8d7563d..e1265e6 100755
--- a/setup/install.sh
+++ b/setup/install.sh
@@ -21,6 +21,14 @@ rm -rf terraform
 mkdir ~/.aws
 touch ~/.aws/credentials
+##################################
+# update subnet id in variables.tf
+##################################
+MAC=`curl http://169.254.169.254/latest/meta-data/network/interfaces/macs/`
+SUBNETID=`curl http://169.254.169.254/latest/meta-data/network/interfaces/macs/$MAC/subnet-id`
+sed -i "s/subnet-XXXXXXXX/$SUBNETID/" ../nodes/aws/variables.tf
+
+
 ################
 # setup openvpn
 ################
@@ -73,12 +81,6 @@ ip rule add from 10.10.10.0/24 table loadb
 # always snat from eth0
 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-##################################
-# update subnet id in variables.tf
-##################################
-MAC=`curl http://169.254.169.254/latest/meta-data/network/interfaces/macs/`
-SUBNETID=`curl http://169.254.169.254/latest/meta-data/network/interfaces/macs/$MAC/subnet-id`
-sed -i "s/subnet-XXXXXXXX/$SUBNETID/" ../nodes/aws/variables.tf
 ############################
 # post install instructions
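Review bot: The two added metadata lookups run `curl` without `-s`, `-f` or a timeout and feed the results straight into `sed -i` on `../nodes/aws/variables.tf` with no check, so a failed or empty response replaces the `subnet-XXXXXXXX` placeholder with an empty string or an error body and the script carries on; `$MAC` is also taken verbatim from the `macs/` listing, which returns each MAC with a trailing slash and one line per interface, so the second URL is only well-formed on a single-interface instance. The same lines are moved unchanged in the next patch's first hunk, and the `PRIVATEIP` and `EIP` lookups added in patches 12 and 14 have the same gap. Suggested shape: `MAC=$(curl -sf --max-time 5 http://169.254.169.254/latest/meta-data/network/interfaces/macs/ | head -n1 | tr -d /)`, `SUBNETID=$(curl -sf --max-time 5 "http://169.254.169.254/latest/meta-data/network/interfaces/macs/$MAC/subnet-id")`, and `case "$SUBNETID" in subnet-*) ;; *) echo 'could not read subnet id from metadata service' >&2; exit 1 ;; esac` before the `sed`. The `../nodes/aws/variables.tf` path is relative to the caller's working directory, which the comment block above the lookups should state.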
From 4bd314cc457261df0010f2502b8c09be6d1cc048 Mon Sep 17 00:00:00 2001
From: jaredhaight
Date: Fri, 30 Nov 2018 10:49:16 -0800
Subject: [PATCH 04/14] collects vpn client files to ~/proxycannon-vpn-client for easy download
---
 setup/install.sh | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/setup/install.sh b/setup/install.sh
index 72f17cc..a3d349a 100755
--- a/setup/install.sh
+++ b/setup/install.sh
@@ -8,7 +8,7 @@
 # update and install deps
 apt update
 apt -y upgrade
-apt -y install unzip git openvpn easy-rsa
+apt -y install zip unzip git openvpn easy-rsa
 # install terraform
 wget https://releases.hashicorp.com/terraform/0.11.10/terraform_0.11.10_linux_amd64.zip
@@ -73,11 +73,25 @@ ip rule add from 10.10.10.0/24 table loadb
 # always snat from eth0
 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+#######################################
+# collect vpn config files to one place
+#######################################
+mkdir ~/proxycannon-vpn
+cp /etc/openvpn/easy-rsa/keys/ta.key ~/proxycannon-vpn-client/
+cp /etc/openvpn/easy-rsa/keys/ca.crt ~/proxycannon-vpn-client/
+cp /etc/openvpn/easy-rsa/keys/client01.crt ~/proxycannon-vpn-client/
+cp /etc/openvpn/easy-rsa/keys/client01.key ~/proxycannon-vpn-client/
+mv ~/proxycannon-client.conf ~/proxycannon-vpn-client/
+chown $SUDO_USER:$SUDO_USER ~/proxycannon-vpn-client/*
+
+
+
 ############################
 # post install instructions
 ############################
-echo "Copy /etc/openvpn/easy-rsa/keys/ta.key, /etc/openvpn/easy-rsa/keys/ca.crt, /etc/openvpn/easy-rsa/keys/client01.crt, /etc/openvpn/easy-rsa/keys/client01.key, and ~/proxycannon-client.conf to your workstation."
+echo "A folder containing the OpenVPN client config has been created at /home/$SUDO_USER/proxycannon-vpn-client."
+echo "Download these files by running the following from your workstation (including the trailing period): scp -i proxycannon.pem $SUDO_USER@$EIP:/home/$SUDO_USER/proxycannon-vpn-client/* ."
 echo "####################### OpenVPN client config [proxycannon-client.conf] ################################"
 cat ~/proxycannon-client.conf
From 2dd83d613359539640d898821b1644a84dd68182 Mon Sep 17 00:00:00 2001
From: jaredhaight
Date: Fri, 30 Nov 2018 10:51:03 -0800
Subject: [PATCH 05/14] fixed folder name
---
 setup/install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/install.sh b/setup/install.sh
index a3d349a..dc09aae 100755
--- a/setup/install.sh
+++ b/setup/install.sh
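Review bot: The added block copies `client01.key` and `ta.key` into `~/proxycannon-vpn-client/` and hands the files to `$SUDO_USER` with `chown`, but never sets a mode, so the client private key and TLS-auth key keep whatever mode `cp` derived from the originals under root's umask, in a directory whose mode the script likewise does not control. The script runs with root privileges, so `~` here is root's home unless sudo preserves HOME, while the echoed download path says `/home/$SUDO_USER/...`; worth confirming which directory is meant and naming it explicitly in both places. Add `chmod 700 ~/proxycannon-vpn-client` and `chmod 600 ~/proxycannon-vpn-client/*` after the copies, and quote the expansion: `chown "$SUDO_USER:$SUDO_USER" ~/proxycannon-vpn-client/*` (patch 07 later switches this to `-R` but still sets no mode). `$SUDO_USER` is empty when the installer is run from a root shell rather than via sudo, which turns the `chown` argument into `:`.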
@@ -76,7 +76,7 @@ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 #######################################
 # collect vpn config files to one place
 #######################################
-mkdir ~/proxycannon-vpn
+mkdir ~/proxycannon-vpn-client
 cp /etc/openvpn/easy-rsa/keys/ta.key ~/proxycannon-vpn-client/
 cp /etc/openvpn/easy-rsa/keys/ca.crt ~/proxycannon-vpn-client/
 cp /etc/openvpn/easy-rsa/keys/client01.crt ~/proxycannon-vpn-client/
From f97fe14aeb804d3d166a42e74a256e4fd3c8ed07 Mon Sep 17 00:00:00 2001
From: jaredhaight
Date: Fri, 30 Nov 2018 10:53:07 -0800
Subject: [PATCH 06/14] fixed message and filepath
---
 setup/install.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/setup/install.sh b/setup/install.sh
index dc09aae..c7aea29 100755
--- a/setup/install.sh
+++ b/setup/install.sh
@@ -91,10 +91,12 @@ chown $SUDO_USER:$SUDO_USER ~/proxycannon-vpn-client/*
 ############################
 echo "A folder containing the OpenVPN client config has been created at /home/$SUDO_USER/proxycannon-vpn-client."
-echo "Download these files by running the following from your workstation (including the trailing period): scp -i proxycannon.pem $SUDO_USER@$EIP:/home/$SUDO_USER/proxycannon-vpn-client/* ."
-
+echo "Download these files by running the following from your workstation (including the trailing period): "
+echo
+echo "scp -i proxycannon.pem $SUDO_USER@$EIP:/home/$SUDO_USER/proxycannon-vpn-client/* ."
+echo
 echo "####################### OpenVPN client config [proxycannon-client.conf] ################################"
-cat ~/proxycannon-client.conf
+cat ~/proxycannon-vpn-client/proxycannon-client.conf
 echo "####################### Be sure to add your AWS API keys and SSH keys to the following locations ###################"
 echo "copy your aws ssh private key to ~/.ssh/proxycannon.pem and chmod 600"
From 6ee7ed4dd516e1f51265535e19275253816249d4 Mon Sep 17 00:00:00 2001
From: jaredhaight
Date: Fri, 30 Nov 2018 10:54:37 -0800
Subject: [PATCH 07/14] fixed chown cmd
---
 setup/install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/install.sh b/setup/install.sh
index c7aea29..0907c09 100755
--- a/setup/install.sh
+++ b/setup/install.sh
@@ -82,7 +82,7 @@ cp /etc/openvpn/easy-rsa/keys/ca.crt ~/proxycannon-vpn-client/
 cp /etc/openvpn/easy-rsa/keys/client01.crt ~/proxycannon-vpn-client/
 cp /etc/openvpn/easy-rsa/keys/client01.key ~/proxycannon-vpn-client/
 mv ~/proxycannon-client.conf ~/proxycannon-vpn-client/
-chown $SUDO_USER:$SUDO_USER ~/proxycannon-vpn-client/*
+chown -R $SUDO_USER:$SUDO_USER ~/proxycannon-vpn-client
From 37a504f66f73739bab9f03afeb0bbe63d96449cd Mon Sep 17 00:00:00 2001
From: jaredhaight
Date: Fri, 30 Nov 2018 11:04:00 -0800
Subject: [PATCH 08/14] moved size and ami values to variables.tf
---
 nodes/aws/main.tf | 4 ++--
 nodes/aws/variables.tf | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/nodes/aws/main.tf b/nodes/aws/main.tf
index 4fd2121..f4377e8 100644
--- a/nodes/aws/main.tf
+++ b/nodes/aws/main.tf
@@ -4,8 +4,8 @@ provider "aws" {
 }
 resource "aws_instance" "exit-node" {
- ami = "ami-0f65671a86f061fcd"
- instance_type = "t2.micro"
+ ami = "${var.ami}"
+ instance_type = "${var.size}"
 key_name = "proxycannon"
 vpc_security_group_ids = ["${aws_security_group.exit-node-sec-group.id}"]
 subnet_id = "${var.subnet_id}"
diff --git a/nodes/aws/variables.tf b/nodes/aws/variables.tf
index 4808505..fc8d7aa 100644
--- a/nodes/aws/variables.tf
+++ b/nodes/aws/variables.tf
@@ -7,6 +7,13 @@ variable "count" {
 default = 2
 }
+variable "ami" {
+ default = "ami-0f65671a86f061fcd"
+}
+variable "size" {
+ default = "t2.micro"
+}
+
 # launch all exit nodes in the same subnet id
 # this should be the same subnet id that your control server is in
 # you can get this value from the AWS console when viewing the details of the control-server instance
From eaa61e93d177b0ece986a8b5f7498a83cae37c9a Mon Sep 17 00:00:00 2001
From: jaredhaight
Date: Fri, 30 Nov 2018 11:07:22 -0800
Subject: [PATCH 09/14] moved node size and ami to variables.tf
---
 nodes/aws/variables.tf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/nodes/aws/variables.tf b/nodes/aws/variables.tf
index fc8d7aa..1365e6b 100644
--- a/nodes/aws/variables.tf
+++ b/nodes/aws/variables.tf
@@ -7,9 +7,12 @@ variable "count" {
 default = 2
 }
+# AMI image to use for exit nodes
 variable "ami" {
 default = "ami-0f65671a86f061fcd"
 }
+
+# Size of EC2 VM to spin up for exit nodes
 variable "size" {
 default = "t2.micro"
 }
From 2caecad82168a4da0d6346c7333d0719062b244f Mon Sep 17 00:00:00 2001
From: jaredhaight
Date: Fri, 30 Nov 2018 11:17:03 -0800
Subject: [PATCH 10/14] updated readme instructions on downloading vpn client info
---
 README.md | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 557d6a3..93ca3d5 100644
--- a/README.md
+++ b/README.md
@@ -72,12 +72,10 @@ Perform the following on the control-server:
 2. Run `terraform init` to download the AWS modules. (you only need to do this once)
 #### 5. Copy OpenVPN files to your workstation
-Copy the following files from the control-server to the `/etc/openvpn` directory on your workstation:
-- ~/proxycannon-client.conf
-- /etc/openvpn/easy-rsa/keys/ta.key
-- /etc/openvpn/easy-rsa/keys/ca.crt
-- /etc/openvpn/easy-rsa/keys/client01.crt
-- /etc/openvpn/easy-rsa/keys/client01.key
+Copy the contents of the ~/proxycannon-vpn-client folder on your workstation:
+```
+scp -i proxycannon.pem ubuntu@:/home/ubuntu/proxycannon-vpn-client/* .
+```
 Test OpenVPN connectivity from your workstation by running:
 ```
From 79ea7f4d654cd0393f889efc09ca2a8da1af111b Mon Sep 17 00:00:00 2001
From: jaredhaight
Date: Fri, 30 Nov 2018 12:32:47 -0800
Subject: [PATCH 11/14] create aws creds file and set permissions
---
 setup/install.sh | 7 +++++++
 1 file changed, 7 insertions(+)
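Review bot: The new comment above `variable "ami"` says what the value is for but not where it is valid; AMI IDs are scoped to a single AWS region, so the default `ami-0f65671a86f061fcd` only resolves in the region it was published in, and someone deploying elsewhere gets an opaque lookup failure from Terraform instead of a hint to change this value. Suggest extending the comment to `# AMI image to use for exit nodes (AMI IDs are region-specific: this one is for <REGION>; replace it when deploying to another region)`, with the region and the OS image the exit-node setup script was tested on filled in by the author, since neither is visible in this hunk.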
diff --git a/setup/install.sh b/setup/install.sh
index 72f17cc..f20f12f 100755
--- a/setup/install.sh
+++ b/setup/install.sh
@@ -20,6 +20,13 @@ rm -rf terraform
 # create directory for our aws credentials
 mkdir ~/.aws
 touch ~/.aws/credentials
+cat << EOF >> ~/.aws/credentials
+[default]
+aws_access_key_id = REPLACE_WITH_YOUR_OWN
+aws_secret_access_key = REPLACE_WITH_YOUR_OWN
+region = us-east-2
+EOF
+chown -R $SUDO_USER:$SUDO_USER ~/.aws
 ################
 # setup openvpn
From ab7973f4960702a40d37dc5cc7a1767aa97d8818 Mon Sep 17 00:00:00 2001
From: jaredhaight
Date: Fri, 30 Nov 2018 12:56:08 -0800
Subject: [PATCH 12/14] locking firewall for nodes down to control server
---
 nodes/aws/variables.tf | 6 ++++++
 setup/install.sh | 9 +++++----
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/nodes/aws/variables.tf b/nodes/aws/variables.tf
index 1365e6b..eb510e7 100644
--- a/nodes/aws/variables.tf
+++ b/nodes/aws/variables.tf
@@ -17,6 +17,12 @@ variable "size" {
 default = "t2.micro"
 }
+variable "allowedips" {
+ default = [
+ "CONTROLSERVERPRIVATEIP/32"
+ ]
+}
+
 # launch all exit nodes in the same subnet id
 # this should be the same subnet id that your control server is in
 # you can get this value from the AWS console when viewing the details of the control-server instance
diff --git a/setup/install.sh b/setup/install.sh
index 3e62976..e9108e0 100755
--- a/setup/install.sh
+++ b/setup/install.sh
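Review bot: The heredoc appends a `[default]` profile with `REPLACE_WITH_YOUR_OWN` placeholders to `~/.aws/credentials` and the following `chown -R` hands `~/.aws` to `$SUDO_USER`, but no mode is ever set, so the file that will hold the AWS secret key keeps the mode `touch` gave it under root's umask (commonly 644) and is readable by every local account; the commit title says "set permissions" but only ownership changes. Using `>>` also means a second run of the installer appends a duplicate profile block. Suggest `chmod 700 ~/.aws` and `chmod 600 ~/.aws/credentials` right after the `chown`, and writing the block with `>` instead of `>>` (or skipping it when the file already contains `[default]`). `region` is conventionally read from `~/.aws/config` rather than the credentials file; whether the Terraform AWS provider used here picks it up from this location is not visible in the hunk and should be confirmed against the provider block in main.tf.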
@@ -28,13 +28,14 @@ region = us-east-2
 EOF
 chown -R $SUDO_USER:$SUDO_USER ~/.aws
-##################################
-# update subnet id in variables.tf
-##################################
+####################################################
+# update subnet id and firewall rule in variables.tf
+####################################################
 MAC=`curl http://169.254.169.254/latest/meta-data/network/interfaces/macs/`
 SUBNETID=`curl http://169.254.169.254/latest/meta-data/network/interfaces/macs/$MAC/subnet-id`
 sed -i "s/subnet-XXXXXXXX/$SUBNETID/" ../nodes/aws/variables.tf
-
+PRIVATEIP=`curl http://169.254.169.254/latest/meta-data/network/interfaces/macs/$MAC/local-ipv4s`
+sed -i "s/CONTROLSERVERPRIVATEIP/$PRIVATEIP/" ../nodes/aws/variables.tf
 ################
 # setup openvpn
From 1da93962b735829488f3b97173f9a0edf9badf4a Mon Sep 17 00:00:00 2001
From: jaredhaight
Date: Fri, 30 Nov 2018 13:21:06 -0800
Subject: [PATCH 13/14] fixing the dumb typo here too
---
 nodes/aws/configs/node_setup.bash | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/aws/configs/node_setup.bash b/nodes/aws/configs/node_setup.bash
index 111bf26..fe9c689 100644
--- a/nodes/aws/configs/node_setup.bash
+++ b/nodes/aws/configs/node_setup.bash
@@ -1,4 +1,4 @@
 #! /bin/bash
 sudo sysctl -w net.ipv4.ip_forward=1
-DEFAULTETH=`ip route | grep default | sed -e "s/^.*dev.//" -e "s/.proto.*//"``
+DEFAULTETH=`ip route | grep default | sed -e "s/^.*dev.//" -e "s/.proto.*//"`
 sudo iptables -t nat -A POSTROUTING -o $DEFAULTETH -j MASQUERADE
From 13c645de12e5afe6b8709bef77b38a8a23d4447f Mon Sep 17 00:00:00 2001
From: jaredhaight
Date: Fri, 30 Nov 2018 13:39:13 -0800
Subject: [PATCH 14/14] more sed swaps
---
 nodes/aws/main.tf | 2 +-
 nodes/aws/variables.tf | 1 +
 setup/install.sh | 3 ++-
 3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/nodes/aws/main.tf b/nodes/aws/main.tf
index f4377e8..71f537f 100644
--- a/nodes/aws/main.tf
+++ b/nodes/aws/main.tf
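Review bot: `PRIVATEIP` on the added line reads `local-ipv4s`, which lists every private IPv4 address on the interface one per line, so an instance with a secondary private address yields a value containing a newline and the following `sed -i "s/CONTROLSERVERPRIVATEIP/$PRIVATEIP/"` fails with an unterminated `s` command, leaving the placeholder in `variables.tf` and the security group unbuildable. It also inherits the unchecked `$MAC` and the bare `curl` (no `-f`, no timeout) from the subnet lookup two lines above. Take the first address only, `PRIVATEIP=$(curl -sf --max-time 5 "http://169.254.169.254/latest/meta-data/network/interfaces/macs/$MAC/local-ipv4s" | head -n1)`, and refuse to run `sed` on an empty value: `[ -n "$PRIVATEIP" ] || { echo 'could not read private IP from metadata service' >&2; exit 1; }`.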
@@ -67,7 +67,7 @@ resource "aws_security_group" "exit-node-sec-group" {
 from_port = 0
 to_port = 0
 protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = "${var.allowedips}"
 }
 }
diff --git a/nodes/aws/variables.tf b/nodes/aws/variables.tf
index eb510e7..e40a28f 100644
--- a/nodes/aws/variables.tf
+++ b/nodes/aws/variables.tf
@@ -19,6 +19,7 @@ variable "size" {
 variable "allowedips" {
 default = [
+ "CONTROLSERVERPUBLICIP/32",
 "CONTROLSERVERPRIVATEIP/32"
 ]
 }
diff --git a/setup/install.sh b/setup/install.sh
index e9108e0..d4e2dd7 100755
--- a/setup/install.sh
+++ b/setup/install.sh
@@ -36,6 +36,8 @@ SUBNETID=`curl http://169.254.169.254/latest/meta-data/network/interfaces/macs/$
 sed -i "s/subnet-XXXXXXXX/$SUBNETID/" ../nodes/aws/variables.tf
 PRIVATEIP=`curl http://169.254.169.254/latest/meta-data/network/interfaces/macs/$MAC/local-ipv4s`
 sed -i "s/CONTROLSERVERPRIVATEIP/$PRIVATEIP/" ../nodes/aws/variables.tf
+EIP=`curl -s http://169.254.169.254/latest/meta-data/public-ipv4`
+sed -i "s/CONTROLSERVERPUBLICIP/$EIP/" ../nodes/aws/variables.tf
 ################
 # setup openvpn
@@ -67,7 +69,6 @@ systemctl start openvpn@node-server.service
 systemctl start openvpn@client-server.service
 # modify client config with remote IP of this server
-EIP=`curl -s http://169.254.169.254/latest/meta-data/public-ipv4`
 sed -i "s/REMOTE_PUB_IP/$EIP/" ~/proxycannon-client.conf
 ###################
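Review bot: The rule now takes `cidr_blocks` from `var.allowedips`, whose defaults are the literal placeholders `CONTROLSERVERPUBLICIP/32` and `CONTROLSERVERPRIVATEIP/32` that `setup/install.sh` rewrites with `sed`; nothing in main.tf says so, and anyone who runs `terraform apply` without the installer, or after one of its metadata lookups came back empty, gets a CIDR validation error with no pointer to the cause rather than the previous open `0.0.0.0/0`. Whether this block is the group's ingress or egress rule is outside the hunk (the `@@` context shows only the resource line), so the comment should name it. Suggest a comment above `cidr_blocks` along the lines of `# allow only the control server (public + private address); the placeholder values in variables.tf are filled in by setup/install.sh from the instance metadata service`. The enclosing `aws_security_group` resource starts before the hunk.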