This module makes it easy to deploy an OpenVPN server in an Auto Scaling Group (size 1) for fault tolerance, along with all the resources it typically needs:
- The Auto Scaling Group.
- An EC2 Instance.
- An Elastic IP (EIP) address.
- IAM Role and IAM instance profile.
- Simple Queue Service (SQS) queues.
- An S3 bucket for certificate backups.
- Security groups.
- See the root README for instructions on using Terraform modules.
- See the examples folder for example usage.
- See vars.tf for all the variables you can set on this module.
This module includes several Terraform outputs, including:
- `public_ip`: The public IP address of the server (via its EIP).
One of the other important outputs of this module is `security_group_id`, which is the id of the server's Security Group. You can add custom rules to this Security Group using the `aws_security_group_rule` resource:
```hcl
module "openvpn" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-openvpn.git//modules/openvpn-server?ref=v0.0.40"
  # (... options omitted...)
}

# Custom rule to allow inbound HTTPS traffic from anywhere
resource "aws_security_group_rule" "allow_inbound_https_all" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = "${module.openvpn.security_group_id}"
}
```
This module creates an IAM role for your EC2 instance and exports the id of that role as the output `iam_role_id`. You can attach custom policies to this IAM role using the `aws_iam_policy_attachment` resource:
```hcl
module "openvpn" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-openvpn.git//modules/openvpn-server?ref=v0.0.40"
  # (... options omitted...)
}

resource "aws_iam_policy" "my_custom_policy" {
  name   = "my-custom-policy"
  policy = " (... omitted ...) "
}

resource "aws_iam_policy_attachment" "attachment" {
  name       = "example-attachment"
  roles      = ["${module.openvpn.iam_role_id}"]
  policy_arn = "${aws_iam_policy.my_custom_policy.arn}"
}
```
The scripts `init-openvpn` and `install-openvpn` support setting up the `duo_openvpn` plugin for 2FA authentication. To enable the Duo plugin, you need to:
- Build an AMI that has the `duo_openvpn` plugin installed. You can use `install-openvpn` to install the plugin alongside OpenVPN by passing in the argument `--duo-version`. For example: `sudo /usr/local/bin/install-openvpn --duo-version 2.2`
- In the `user_data` script for the server, pass in the Duo keys to `init-openvpn` using the arguments `--duo-ikey`, `--duo-skey`, and `--duo-host` to configure the integration key, secret key, and API hostname respectively. You can obtain these by following the Duo setup instructions for OpenVPN.
See the `packer-duo` and `openvpn-host-duo` examples for an example configuration to deploy the OpenVPN server with Duo enabled.
Once the plugin is set up, every client authentication results in a password prompt. To authenticate, enter the MFA token at the password prompt, or `push` if you have push authentication enabled in Duo. Note that for 2FA to work, the certificate username (the value for `--username` when running `openvpn-admin request`) must exactly match the Duo username.
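The following is an added example, not one of the module's own examples, that combines the Security Group and IAM extension patterns above with the Duo setup: the custom inbound rule is limited to known admin ranges instead of `0.0.0.0/0`, and the attached policy grants the instance role only read access to an SSM Parameter Store path where the Duo keys are kept, so `user_data` does not have to embed them. It assumes the `security_group_id` and `iam_role_id` outputs documented above, a placeholder CIDR and a parameter path `/openvpn/duo/*` that you choose yourself; `aws_iam_role_policy_attachment` is used instead of `aws_iam_policy_attachment` because the latter creates an exclusive attachment and detaches the policy from any other entity it is attached to.

```hcl
# Added example (not part of the module). Assumptions: the module outputs
# security_group_id and iam_role_id as documented above; Duo keys are stored
# as SecureString parameters under /openvpn/duo/; 203.0.113.0/24 is a placeholder.

module "openvpn" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-openvpn.git//modules/openvpn-server?ref=v0.0.40"
  # (... options omitted...)
}

# Admin ranges allowed to reach port 443 (placeholder value)
variable "admin_cidr_blocks" {
  description = "CIDR blocks allowed inbound on 443"
  type        = "list"
  default     = ["203.0.113.0/24"]
}

# Same rule as above, but scoped to admin ranges instead of 0.0.0.0/0
resource "aws_security_group_rule" "allow_inbound_https_admin" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = "${var.admin_cidr_blocks}"
  security_group_id = "${module.openvpn.security_group_id}"
}

# Least-privilege policy: the instance may only read parameters under its own path
data "aws_iam_policy_document" "read_openvpn_secrets" {
  statement {
    effect    = "Allow"
    actions   = ["ssm:GetParameter", "ssm:GetParameters"]
    resources = ["arn:aws:ssm:*:*:parameter/openvpn/duo/*"]
  }
}

resource "aws_iam_policy" "read_openvpn_secrets" {
  name   = "openvpn-read-duo-secrets"
  policy = "${data.aws_iam_policy_document.read_openvpn_secrets.json}"
}

# Non-exclusive attachment: affects this role only. The aws_iam_role id is the
# role name, which is what the role argument expects.
resource "aws_iam_role_policy_attachment" "read_openvpn_secrets" {
  role       = "${module.openvpn.iam_role_id}"
  policy_arn = "${aws_iam_policy.read_openvpn_secrets.arn}"
}
```

With this in place the `user_data` script can fetch each key at boot with `aws ssm get-parameter --with-decryption` and pass the values to `init-openvpn` via `--duo-ikey`, `--duo-skey` and `--duo-host`, keeping the secrets out of the launch configuration.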