
GovTechSG/terraform-openvpn


OpenVPN

This module sets up an OpenVPN server behind two load balancers: one for user logins and profile retrieval (the web UI), and one for VPN client connections and admin access.

Design

Architecture

Usage

module "ovpn" {
  name = "my-openvpn"

  openvpn_hostname          = "example-connection.com"
  openvpn_pool_ip           = "172.40.200.0/22"
  openvpn_ami_id            = "ami-xxx" # From your openvpn marketplace subscription
  domain_name               = "example.com"
  route53_zone_id           = "xx" # For ACM creation
  vpc_id                    = "vpc-xx"
  s3_bucket_access_logs     = "my-bucket"
  public_subnet_ids         = ["subnet-xxx"]
  private_subnet_ids        = ["subnet-yyy"]
  key_name                  = "my-ssh-key-pair"

  # Your VPC cidr for clients to access private network
  vpn_private_network_cidrs = [
    "172.111.111.0/22"
  ]
}

Notes

Use RDS

Requirements

  1. RDS MySQL set up separately
  2. RDS username and password stored in Secrets Manager under the following keys
     1. username
     2. password

If you wish to use RDS with this module to back up your OpenVPN settings remotely, please note the following:

  1. Certain variables change the user-data script, which causes your primary EC2 server instance to be recreated. If the instance has not yet connected to RDS successfully, this will result in a loss of your current settings (please see here if you are migrating from local SQLite to RDS MySQL).
  2. When using RDS, a custom user-data script will be run; do take a look at the template before using it to see if it fits your needs.
  3. This module does not set your Linux admin user password, as that is not a safe practice. Therefore, on initial setup you have to SSH in and set the admin password before you can manage the server via the admin web UI. Run `passwd openvpn` on the server to set the password.
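The following is an added example, not code from the project, that combines the Usage block above with the RDS notes: it creates the Secrets Manager secret in the `username`/`password` key shape the module reads, wires it into the RDS inputs, and closes the public admin, web, SSH and client paths down to named allowlists using the module's `*_allowed_ips` maps. The module `source` path, the `var.rds_password` variable, the RDS hostname and all IP ranges are assumptions or constructed placeholders.

```hcl
# Constructed example: RDS credentials in the key/value shape the module expects.
resource "aws_secretsmanager_secret" "ovpn_rds" {
  name = "ovpn/rds-credentials"
}

resource "aws_secretsmanager_secret_version" "ovpn_rds" {
  secret_id = aws_secretsmanager_secret.ovpn_rds.id
  secret_string = jsonencode({
    username = "ovpn_admin"
    password = var.rds_password # assumed sensitive input variable, never a literal
  })
}

module "ovpn" {
  source = "git::https://github.com/GovTechSG/terraform-openvpn.git" # assumed source path
  name   = "my-openvpn"

  openvpn_hostname          = "example-connection.com"
  openvpn_ami_id            = "ami-xxx" # from your OpenVPN Marketplace subscription
  domain_name               = "example.com"
  route53_zone_id           = "xx"
  vpc_id                    = "vpc-xx"
  s3_bucket_access_logs     = "my-bucket"
  public_subnet_ids         = ["subnet-xxx"]
  private_subnet_ids        = ["subnet-yyy"]
  key_name                  = "my-ssh-key-pair"
  vpn_private_network_cidrs = ["172.111.111.0/22"]

  # Disable the public ingress rules; only the listed CIDRs (placeholders) reach
  # the admin UI (admin_port), the web UI (web_port), SSH and the client port.
  web_allow_public  = false
  conn_allow_public = false
  admin_allowed_ips = { ops = { name = "ops", ip_addr = ["203.0.113.10/32"] } }
  web_allowed_ips   = { ops = { name = "ops", ip_addr = ["203.0.113.10/32"] } }
  ssh_allowed_ips   = { ops = { name = "ops", ip_addr = ["203.0.113.10/32"] } }
  conn_allowed_ips  = { office = { name = "office", ip_addr = ["198.51.100.0/24"] } }

  # Store OpenVPN settings in the separately created RDS MySQL instance.
  use_rds                            = true
  rds_fqdn                           = "ovpn-db.example.internal" # assumed hostname
  rds_secret_manager_credentials_arn = aws_secretsmanager_secret.ovpn_rds.arn
  rds_secret_manager_id              = aws_secretsmanager_secret.ovpn_rds.name

  # Session Manager access as an alternative to opening SSH more widely.
  extra_iam_policy_arns = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"]
}
```

Remember that switching `use_rds` on after the instance exists changes the user-data script and recreates the primary instance, so apply this layout before users are provisioned or migrate the SQLite data first.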

Autoscaling cluster

WIP

Requirements

No requirements.

Providers

| Name | Version |
|---|---|
| aws | n/a |
| template | n/a |

Modules

No modules.

Resources

| Name | Type |
|---|---|
| aws_acm_certificate.cert | resource |
| aws_acm_certificate_validation.cert | resource |
| aws_autoscaling_group.ovpn-ext-asg | resource |
| aws_iam_instance_profile.openvpn-ec2-profile | resource |
| aws_iam_role.openvpn | resource |
| aws_instance.primary | resource |
| aws_launch_configuration.ovpn-launch | resource |
| aws_lb.connection | resource |
| aws_lb.web | resource |
| aws_lb_listener.connection | resource |
| aws_lb_listener.connection-admin | resource |
| aws_lb_listener.connection-udp | resource |
| aws_lb_listener.web-front-end | resource |
| aws_lb_target_group.conn-admin-to-ec2 | resource |
| aws_lb_target_group.conn-to-ec2 | resource |
| aws_lb_target_group.conn-to-ec2-udp | resource |
| aws_lb_target_group.web-to-ec2 | resource |
| aws_lb_target_group_attachment.primary-conn | resource |
| aws_lb_target_group_attachment.primary-conn-admin | resource |
| aws_lb_target_group_attachment.primary-conn-udp | resource |
| aws_lb_target_group_attachment.primary-web | resource |
| aws_network_acl_rule.allow-udp-connection | resource |
| aws_network_acl_rule.allow-udp-connection-egress | resource |
| aws_route53_record.conn | resource |
| aws_route53_record.openvpn | resource |
| aws_route53_record.web | resource |
| aws_security_group.ec2 | resource |
| aws_security_group.openvpn-conn | resource |
| aws_security_group.openvpn-web | resource |
| aws_security_group_rule.allow-1194-to-ec2 | resource |
| aws_security_group_rule.allow-943-from-cidr | resource |
| aws_security_group_rule.allow-conn-to-ec2 | resource |
| aws_security_group_rule.allow-from-elb | resource |
| aws_security_group_rule.allow-individual-1194-to-ec2 | resource |
| aws_security_group_rule.allow-outbound | resource |
| aws_security_group_rule.allow-ssh | resource |
| aws_security_group_rule.allow-web-internal | resource |
| aws_security_group_rule.conn-egress | resource |
| aws_security_group_rule.conn-ingress-individual | resource |
| aws_security_group_rule.conn-ingress-public | resource |
| aws_security_group_rule.web-egress | resource |
| aws_security_group_rule.web-ingress-individual-443 | resource |
| aws_security_group_rule.web-ingress-individual-80 | resource |
| aws_security_group_rule.web-ingress-public-443 | resource |
| aws_security_group_rule.web-ingress-public-80 | resource |
| template_file.ovpn_ext_tpl_primary | data source |
| template_file.ovpn_ext_tpl_secondary | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_allowed_ips | Map of user and IP allowed to reach the TCP admin_port (admin web UI) | `map(object({ name = string, ip_addr = set(string) }))` | `{}` | no |
| admin_port | Port number on which the OpenVPN admin website will be hosted | `number` | `943` | no |
| aws_region | AWS region | `string` | `"ap-southeast-1"` | no |
| conn_allow_public | Allow public VPN clients to connect to the VPN server? | `bool` | `true` | no |
| conn_allowed_ips | Map of user and IP allowed to make an OpenVPN connection | `map(object({ name = string, ip_addr = set(string) }))` | `{}` | no |
| conn_port | Port number (1-65535) which OpenVPN clients use to establish a VPN connection to the server | `number` | `1194` | no |
| domain_name | Domain name to serve the site on | `string` | n/a | yes |
| extra_iam_policy_arns | Extra IAM policies to attach (e.g. CloudWatch, Session Manager) | `list(string)` | `[]` | no |
| key_name | SSH key pair name | `string` | `""` | no |
| nacl_udp_port_allow_list | NACLs in which to create rules for the OpenVPN UDP connection | `map(object({ nacl_id = string, rule_number = number }))` | `{}` | no |
| name | Name prefix for the various resources created | `string` | n/a | yes |
| openvpn_ami_id | OpenVPN AMI ID from your Marketplace subscription | `string` | n/a | yes |
| openvpn_hostname | OpenVPN connection URL, different from the web URL | `string` | n/a | yes |
| openvpn_pool_ip | IP pool range for clients | `string` | `"172.27.200.0/22"` | no |
| openvpn_secret_manager_credentials_arn | ARN of the AWS Secrets Manager secret that contains the password to use for the OpenVPN admin user | `string` | `""` | no |
| permissions_boundary | Permissions boundary that will be added to the created roles | `string` | `null` | no |
| private_subnet_ids | List of private subnet IDs in which the launch configuration creates EC2 instances | `list(string)` | n/a | yes |
| public_subnet_ids | List of public subnet IDs for the elastic load balancers | `list(string)` | n/a | yes |
| rds_fqdn | Hostname of RDS | `string` | `""` | no |
| rds_secret_manager_credentials_arn | ARN of the AWS Secrets Manager secret that contains the password used to connect to RDS | `string` | `""` | no |
| rds_secret_manager_id | Path of the AWS Secrets Manager secret that contains the password used to connect to RDS | `string` | `""` | no |
| route53_zone_id | Route53 zone ID | `string` | `""` | no |
| s3_bucket_access_logs | S3 bucket for storing access logs | `string` | n/a | yes |
| s3_prefix | Prefix for access logs if you want to change the object folder; remember to add a trailing '/', e.g. 'nlb/' | `string` | `""` | no |
| ssh_allowed_ips | Map of user and IP allowed to SSH in | `map(object({ name = string, ip_addr = set(string) }))` | n/a | yes |
| tags | Tags to include | `map` | `{}` | no |
| use_rds | Toggle between RDS and the local SQLite DB | `bool` | `false` | no |
| vpc_id | VPC ID | `string` | n/a | yes |
| vpn_private_network_cidrs | Private network CIDRs which clients will be able to access, typically your VPC CIDR | `list(string)` | `[]` | no |
| web_allow_public | Allow the public to access the web UI? | `bool` | `true` | no |
| web_allowed_ips | Map of user and IP allowed to reach the TCP 443 web UI | `map(object({ name = string, ip_addr = set(string) }))` | `{}` | no |
| web_port | Port number on which the OpenVPN website will be hosted | `number` | `443` | no |

Outputs

| Name | Description |
|---|---|
| acm_arn | n/a |
| acm_domain_name | n/a |
| asg_arn | n/a |
| aws_lb_connection_arn | n/a |
| aws_lb_connection_dns | n/a |
| aws_lb_web_arn | n/a |
| aws_lb_web_dns | n/a |
| instance_primary_arn | n/a |
| instance_profile_arn | n/a |
| instance_root_block_id | n/a |
| launch_configuration_arn | n/a |
| security_group_id_connection | n/a |
| security_group_id_ec2 | n/a |
| security_group_id_web | n/a |