"Resources": {
"VpnVpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": ""
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "0a162613-8f2e-4864-be99-75d946934a4a"
"VpnSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VpnVpc"
"CidrBlock": "",
"MapPublicIpOnLaunch": true,
"AvailabilityZone": {
"Fn::Sub": "${AWS::Region}a"
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2"
"DependsOn": [
"VpnRouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VpnVpc"
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "4731d93c-f3fc-420a-b535-f0b99840f356"
"DependsOn": [
"PublicInternetRoute": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationCidrBlock": "",
"RouteTableId": {
"Ref": "VpnRouteTable"
"GatewayId": {
"Ref": "VpcInternetGateway"
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "5262ea47-2337-4be8-a4d1-1f0af38a1731"
"DependsOn": [
"VpnInstance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"#!/bin/bash -x\n",
"export VPN_IPSEC_PSK='",
"Ref": "VpnIpsecPsk"
"export VPN_USER='",
"Ref": "VpnUser"
"export VPN_PASSWORD='",
"Ref": "VpnPassword"
"sleep 60\n",
"wget -O && sh\n"
"SecurityGroupIds": [
"Fn::GetAtt": [
"SubnetId": {
"Ref": "VpnSubnet"
"AvailabilityZone": {
"Fn::Sub": "${AWS::Region}a"
"InstanceType": {
"Ref": "InstanceType"
"KeyName": {
"Fn::GetAtt": [
"ImageId": {
"Fn::GetAtt": [
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "40c2d4e7-f01a-45b2-8878-a06680aa2216"
"DependsOn": [
"VpnSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "The VPN Security Group, allowing ingress UDP traffic at port 4500 and 500.",
"GroupName": "VpnSecurityGroup",
"VpcId": {
"Ref": "VpnVpc"
"SecurityGroupIngress": [
"CidrIp": "",
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22
"CidrIp": "",
"IpProtocol": "udp",
"FromPort": 500,
"ToPort": 500
"CidrIp": "",
"IpProtocol": "udp",
"FromPort": 4500,
"ToPort": 4500
"SecurityGroupEgress": [
"CidrIp": "",
"IpProtocol": -1
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "ec256f27-66c3-423c-9d98-b9f0f634e7b8"
"VpnServerVolume": {
"Type": "AWS::EC2::Volume",
"Properties": {
"AvailabilityZone": {
"Fn::Sub": "${AWS::Region}a"
"Size": 8
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "9d4cbbc2-f521-436d-bb4a-85b82cf22a2a"
"VpcInternetGateway": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "464ea4ae-199c-4917-9404-aed674a8615a"
"DependsOn": [
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "VpnRouteTable"
"SubnetId": {
"Ref": "VpnSubnet"
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "5bb16646-dc1e-4661-9164-6ecc6848dc83"
"KeyPairCreation": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Handler": "index.handler",
"Runtime": "python3.7",
"Role": {
"Fn::GetAtt": [
"Timeout": 30,
"Code": {
"ZipFile": {
"Fn::Join": [
"import boto3",
"import cfnresponse",
"import string",
"import random",
"This python program should be embedded into its designated cloudformation",
"template as the inline code of one of the lambda functions.",
"def handler(event, context):",
" try:",
" keyName = ''.join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(10))",
" region = event['ResourceProperties']['Region']",
" ec2 = boto3.client('ec2',region)",
" response = ec2.create_key_pair(",
" KeyName=keyName",
" )",
" keyMaterial = response['KeyMaterial']",
" cfnresponse.send(event, context, cfnresponse.SUCCESS, {'KeyMaterial':keyMaterial, 'KeyName':keyName}, 'KeyPairInfo')",
" except Exception:",
" cfnresponse.send(event, context, cfnresponse.FAILED, {})"
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "99fce86e-18b8-4b1b-a572-7bef3c5cece7"
"DependsOn": [
"AMIInfo": {
"Type": "Custom::AMIInfo",
"Properties": {
"Region": {
"Ref": "AWS::Region"
"ServiceToken": {
"Fn::GetAtt": [
"Distribution": {
"Ref": "OS"
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "2c5cc5a9-5a17-4d54-80ea-56e204c9c1a1"
"DependsOn": [
"AMIInfoFunction": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Handler": "index.handler",
"Runtime": "python3.7",
"Role": {
"Fn::GetAtt": [
"Code": {
"ZipFile": {
"Fn::Join": [
"import boto3",
"import cfnresponse",
"def creation_date(e):",
" return e['CreationDate']",
"def handler(event, context):",
" try:",
" regionName = event['ResourceProperties']['Region']",
" distribution = event['ResourceProperties']['Distribution']",
" ec2 = boto3.client('ec2',regionName)",
" IAMName = ''",
" if distribution == 'Ubuntu16.04':",
" IAMName = 'ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*'",
" elif distribution == 'Ubuntu18.04':",
" IAMName = 'ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*'",
" elif distribution == 'Ubuntu20.04':",
" IAMName = 'ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*'",
" elif distribution == 'Debian9':",
" IAMName = 'debian-stretch-hvm-x86_64-gp2-*'",
" elif distribution == 'Debian10':",
" IAMName = 'debian-10-amd64-*'",
" response = ec2.describe_images(Filters=[{'Name':'name', 'Values':[IAMName]}])",
" images = response['Images']",
" images.sort(key=creation_date,reverse=True)",
" AMIId = images[0]['ImageId']",
" cfnresponse.send(event, context, cfnresponse.SUCCESS, {'AMIId':AMIId}, 'AMIInfo')",
" except Exception:",
" cfnresponse.send(event, context, cfnresponse.FAILED, {})"
"Timeout": 30
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "58a1ab6f-49ac-4ffa-93c7-3f708bf65871"
"DependsOn": [
"LambdaExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Principal": {
"Service": ""
"Action": [
"Effect": "Allow",
"Principal": {
"Service": [
"Action": [
"Path": "/",
"Policies": [
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "*",
"Resource": "*"
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "d3fab7a7-d694-435e-930d-ff7693dffbbc"
"KeyPairInfo": {
"Type": "Custom::KeyPairInfo",
"Properties": {
"Region": {
"Ref": "AWS::Region"
"ServiceToken": {
"Fn::GetAtt": [
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "e81dfbbc-e8ee-4f4b-adb0-b314056ab0b3"
"DependsOn": [
"InternetGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"InternetGatewayId": {
"Ref": "VpcInternetGateway"
"VpcId": {
"Ref": "VpnVpc"
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "9d3d19ab-d561-4f59-89de-73498eeeebda"
"EC2VA41EUF": {
"Type": "AWS::EC2::VolumeAttachment",
"Properties": {
"Device": "/dev/sdh",
"VolumeId": {
"Ref": "VpnServerVolume"
"InstanceId": {
"Ref": "VpnInstance"
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "361e0035-6c5a-48df-8339-3e31f19bf032"
"Parameters": {
"VpnUser": {
"Type": "String",
"Description": "Your VPN username"
"VpnIpsecPsk": {
"Type": "String",
"Description": "Your IpSec PSK(Pre-shared Key) for the VPN server."
"VpnPassword": {
"Type": "String",
"Description": "Your VPN password."
"OS": {
"Type": "String",
"Description": "The OS of your VPN server. Choose the default value if you don't know what it is.",
"Default": "Ubuntu16.04",
"AllowedValues": [
"InstanceType": {
"Type": "String",
"Description": "The instance type of VPN server. If you want to build your server within AWS free usage tier, select t2.micro.",
"AllowedValues": [
"Default": "t2.micro"
"Outputs": {
"VPNAddress": {
"Description": "This is the Public IP of your newly-launched VPN server",
"Value": {
"Fn::GetAtt": [
"VPNUsername": {
"Description": "Your VPN username",
"Value": {
"Ref": "VpnUser"
"VPNPassword": {
"Description": "Your VPN password",
"Value": {
"Ref": "VpnPassword"
"VPNKey": {
"Description": "Your IPSec VPN PSK(pre-shared key)",
"Value": {
"Ref": "VpnIpsecPsk"
"EC2PrivateKeyMaterial": {
"Description": "The content of your private key for accessing the VPN server via SSH. Save it as a file and use it when you connect to your server via SSH.",
"Value": {
"Fn::GetAtt": [
"NextStep": {
"Description": "Go to this page for how to configure to VPN clients.",
"Value": ""