Create a vpn server on AWS in its own vpc using terraform
Table of Contents
- Getting started macOS tldr version
- Getting Started
- FAQ and Considerations
- How much does it cost?
- Should I stop the instance to save money?
- Can I use a variable to not use an Elastic IP?
- How much time does it take to provision all of this?
- How can I stop and start my instance from command line
- How much time does it take for the vpn to start when I start the instance?
- Will the credentials be the same each time?
- Will this work from everywhere?
- Will I be invisible on the internets?
- Troubleshooting terraform
- What can I do to improve this project?
- Development
- License
If you're used to this stuff, here's the I don't need to know what's going on version:
brew install terraform jq awscli
aws configure
export AWS_PROFILE=default
git clone git@github.com:GabLeRoux/terraform-aws-vpn.git
cd terraform-aws-vpn
cp .env.vpn.example .env.vpn
vim .env.vpn
terraform init
terraform apply
./scripts/vpn_status.shThen see Setup VPN clients
- The amazing
jqcommand line - The
awscliconfigured with youraws profile.
- Terraform documentation
- How to install terraform
- Setup awscli profile using env vars
- Setup VPN clients
- VPN Important notes
- The VPN Install script
git clone git@github.com:GabLeRoux/terraform-aws-vpn.git
cd terraform-aws-vpncp .env.example .env
cp .env.vpn.example .env.vpnThen edit .env and .env.vpn to fit your needs
I like to use the following function to quickly load environment variables:
function loadenv() {
export $(cat ${$1:-.env} | xargs)
}
loadenvIn our case, this will export the AWS_PROFILE to the one defined in .env. π. You could skip this and execute export AWS_profile=my_aws_profile_name instead and it would be just fine.
terraform initterraform planterraform applyWrite yes in the prompt if you're fine with this. Wait a few minutes and that's it, configure your vpn client and you're good to go! π.
It depends of your usage. AWS offers a free tier and if you only use what's inside, it shouldn't cost you anything when using a t2.micro instance.
If you're like me and have a bunch of instances running, you're passed the free tier so yes, stopping the instance will save you money when not using it. Caution tho, Elastic IPs are billed when attached to a stopped instance so you may want to detach it and delete it otherwise it will cost you 0.01$/h.
Contributions are welcome βοΈ, see #1, workaround inside.
I don't have exact numbers, but it took me ~7 minutes to run including vpn script execution on the first time. Once this is done, there is no more delays.
export AWS_PROFILE=your_awesome_aws_profile
./scripts/vpn_stop.sh
./scripts/vpn_start.sh
./scripts/vpn_status.shThe status script will display instance's public IP for convenience. Just run the script until it says soomething like that before you try to connect:
[
{
"state": "running",
"PublicIpAddress": "aaa.bbb.ccc.ddd",
"PublicDnsName": "ec2-aaa-bbb-ccc-ddd.your-region-1.compute.amazonaws.com"
}
]π
A few seconds
Yes, unless you've set empty values in .env.vpn, but creds are generated at provision (install) time.
Tricky question.
- For the initial setup, you will require ssh port open. Some internet cafes or business firewalls have this blocked. But once it's installed, all you need is udp ports 500 and 4500 open. You should be able to stop and start the vpn from the scripts without these.
- If you're in china, it may be harder. Have a look to the available aws regions and pick the right one for you, there's a variable for this.
No, you're never invisible on the internets. Don't do bad things cuz Illuminatis are confirmed /o. Glad you made it this far in the readme! 
In case you get an unclear error message
TF_LOG=TRACE terraform your_commandHave a look at the issues, suggest things or contribute, I'm open to changes.
terraform graph -draw-cycles | dot -Tsvg -o graph.svggenerated with DocToc
doctoc --github ReadMe.md