This module sets up an OpenVPN server with two load balancers: one for user logins and profile retrieval, and one for VPN client connections and admin access.
module "ovpn"{
# Example module call. Values such as ami-xxx / vpc-xx / subnet-xxx are placeholders for your own account.
# ssh_allowed_ips is a required input (see the Inputs table) and is not shown in this example;
# it must be supplied with the source addresses allowed to reach SSH on the instances.
# NOTE(review): conn_allow_public and web_allow_public default to true, so the VPN endpoint and
# the web UI are presumably reachable from the public internet unless you set them to false
# and restrict access with conn_allowed_ips / web_allowed_ips / admin_allowed_ips.
name = "my-openvpn"
openvpn_hostname = "example-connection.com" # VPN connection URL; different from the web URL
openvpn_pool_ip = "172.40.200.0/22" # IP pool handed out to VPN clients. NOTE(review): example value only - 172.40.0.0/16 is not an RFC 1918 private range; pick a block that cannot overlap your VPC or other reachable networks
openvpn_ami_id = "ami-xxx" # From your OpenVPN marketplace subscription
domain_name = "example.com" # Domain the web site is served on
route53_zone_id = "xx" # For ACM certificate creation
vpc_id = "vpc-xx"
s3_bucket_access_logs = "my-bucket" # Bucket that receives load balancer access logs
public_subnet_ids = ["subnet-xxx"] # Public subnets for the load balancers
private_subnet_ids = ["subnet-yyy"] # Private subnets where the EC2 instances are launched
key_name = "my-ssh-key-pair" # SSH key pair name
# Your VPC CIDR(s), so clients can reach the private network
vpn_private_network_cidrs = [
"172.111.111.0/22" # NOTE(review): example value only - 172.111.0.0/16 is not RFC 1918 either; use your real VPC CIDR
]
}
- RDS MySQL is set up separately
- RDS username and password are stored in Secrets Manager with the following keys/values
  - username
  - password
If you wish to use RDS with this module for backing up your OpenVPN settings remotely, please note the following:
- Certain variables will cause a change in the user-data script, which will cause your primary EC2 server instance to be recreated. If you have not yet connected to RDS successfully, this will result in a loss of your current settings (please see here if you are migrating from local SQLite to RDS MySQL).
- When using RDS, a custom user-data script will be run; review the template before using it to confirm it fits your needs.
- This module does not set your Linux admin user password, as that is not a safe practice. Therefore, on initial setup you have to SSH in and set the admin password before you can manage the server via the admin web server. Run `passwd openvpn` to set the password on the server.
WIP

## Requirements
No requirements.
| Name | Version |
|---|---|
| aws | n/a |
| template | n/a |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_allowed_ips | Map of user and IP for TCP admin_port admin web | map(object({…})) | {} | no |
| admin_port | Port number which the OpenVPN admin website will be hosted on | number | 943 | no |
| aws_region | AWS region. | string | "ap-southeast-1" | no |
| conn_allow_public | Allow public VPN clients to connect to the VPN server? | bool | true | no |
| conn_allowed_ips | Map of user and IP for OpenVPN connection | map(object({…})) | {} | no |
| conn_port | Port number which OpenVPN clients will use to establish a VPN connection to the server, 1-65535 | number | 1194 | no |
| domain_name | Domain name to serve the site on | string | n/a | yes |
| extra_iam_policy_arns | Extra IAM policies to include (e.g. CloudWatch, Session Manager) | list(string) | [] | no |
| key_name | SSH key pair name | string | "" | no |
| nacl_udp_port_allow_list | NACL rules to create for the OpenVPN UDP connection | map(object({…})) | {} | no |
| name | Name prefix for the various resources created | string | n/a | yes |
| openvpn_ami_id | OpenVPN AMI ID from the marketplace subscription | string | n/a | yes |
| openvpn_hostname | OpenVPN connection URL, different from the web URL | string | n/a | yes |
| openvpn_pool_ip | IP pool range for clients | string | "172.27.200.0/22" | no |
| openvpn_secret_manager_credentials_arn | ARN of the AWS Secrets Manager secret that contains the password to use for the OpenVPN admin user | string | "" | no |
| permissions_boundary | Permissions boundary that will be added to the created roles. | string | null | no |
| private_subnet_ids | List of private subnet IDs for the launch configuration to create EC2 instances in | list(string) | n/a | yes |
| public_subnet_ids | List of public subnet IDs for the elastic load balancer | list(string) | n/a | yes |
| rds_fqdn | Hostname of RDS | string | "" | no |
| rds_secret_manager_credentials_arn | ARN of the AWS Secrets Manager secret that contains the password to use to connect to RDS | string | "" | no |
| rds_secret_manager_id | Path of the AWS Secrets Manager secret that contains the password to use to connect to RDS | string | "" | no |
| route53_zone_id | Route53 zone ID | string | "" | no |
| s3_bucket_access_logs | S3 bucket for storing access logs | string | n/a | yes |
| s3_prefix | Prefix for access logs if you want to change the object folder; remember to add a trailing '/', e.g. 'nlb/' | string | "" | no |
| ssh_allowed_ips | Map of user and IP for SSH | map(object({…})) | n/a | yes |
| tags | Tags to include | map | {} | no |
| use_rds | Toggle to use RDS or the local SQLite DB | bool | false | no |
| vpc_id | VPC ID | string | n/a | yes |
| vpn_private_network_cidrs | Private network CIDRs which clients will be able to access, typically your VPC CIDR | list(string) | [] | no |
| web_allow_public | Allow the public to access the web UI? | bool | true | no |
| web_allowed_ips | Map of user and IP for TCP 443 web | map(object({…})) | {} | no |
| web_port | Port number which the OpenVPN website will be hosted on | number | 443 | no |
| Name | Description |
|---|---|
| acm_arn | n/a |
| acm_domain_name | n/a |
| asg_arn | n/a |
| aws_lb_connection_arn | n/a |
| aws_lb_connection_dns | n/a |
| aws_lb_web_arn | n/a |
| aws_lb_web_dns | n/a |
| instance_primary_arn | n/a |
| instance_profile_arn | n/a |
| instance_root_block_id | n/a |
| launch_configuration_arn | n/a |
| security_group_id_connection | n/a |
| security_group_id_ec2 | n/a |
| security_group_id_web | n/a |
