├── LICENCE
├── README.md
├── main.tf
├── outputs.tf
└── variables.tf


/LICENCE:
--------------------------------------------------------------------------------
 1 | Author:: Quentin Rousseau (<contact@quent.in>)
 2 | 
 3 | Copyright 2017 Quentin Rousseau
 4 | 
 5 | Licensed under the Apache License, Version 2.0 (the "License");
 6 | you may not use this file except in compliance with the License.
 7 | You may obtain a copy of the License at
 8 | 
 9 |     http://www.apache.org/licenses/LICENSE-2.0
10 | 
11 | Unless required by applicable law or agreed to in writing, software
12 | distributed under the License is distributed on an "AS IS" BASIS,
13 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 | See the License for the specific language governing permissions and
15 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # tf_aws_openvpn
 2 | 
 3 | Terraform module which creates OpenVPN on AWS
 4 | 
 5 | ## This module is creating the following resources:
 6 | 
 7 | 1. Two Route53 Records
 8 |   a. vpn-web.domain.com
 9 |   b. vpn.domain.com
10 | 2. One EC2 Load Balancer (ELB) using Amazon Certificate Manager (ACM)
11 | 3. One EC2 Security Group
12 | 4. One EC2 Instance
13 | 
14 | ## Architecture
15 | 
16 | ```plain
17 | 
18 | For Web only:
19 | 
20 |              +-[1/a]-+     +--[2]--+     +--[3]--+     +--[4]--+
21 |              |       |     |       |     |       |     |       |
22 | Internet --> |  DNS  | --> |  ELB  | --> |  SG   | --> |  EC2  |
23 |              |       |     |       |     |       |     |       |
24 |              +-------+     +-------+     +-------+     +-------+
25 |     vpn-web.domain.com  -->  TCP:443  -->  TCP:443  -->  TCP:443 OK
26 | 
27 | For VPN connection: (ELB does not support custom port 1194)
28 | 
29 |              +-[1/b]-+     +--[2]--+     +--[3]--+
30 |              |       |     |       |     |       |
31 | Internet --> |  DNS  | --> |  SG   | --> |  EC2  |
32 |              |       |     |       |     |       |
33 |              +-------+     +-------+     +-------+
34 |         vpn.domain.com -->  TCP:1194 -->  TCP:1194 OK
35 | ```
36 | 
37 | ## Usage
38 | 
39 | ```hcl
40 | module "openvpn" {
41 |   source             = "github.com/terraform-community-modules/tf_aws_openvpn"
42 |   name               = "openVPN"
43 |   # VPC Inputs
44 |   vpc_id             = "${var.vpc_id}"
45 |   vpc_cidr           = "${var.vpc_cidr}"
46 |   public_subnet_ids  = "${var.public_subnet_ids}"
47 |   # EC2 Inputs
48 |   key_name           = "${var.key_name}"
49 |   private_key        = "${var.private_key}"
50 |   ami                = "${var.ami}"
51 |   instance_type      = "${var.instance_type}"
52 |   # ELB Inputs
53 |   cert_arn           = "${var.cert_arn}"
54 |   # DNS Inputs
55 |   domain_name        = "${var.public_domain_name}"
56 |   route_zone_id      = "${var.route_zone_id}"
57 |   # OpenVPN Inputs
58 |   openvpn_user       = "${var.openvpn_user}"
59 |   openvpn_admin_user = "${var.openvpn_admin_user}" # Note: Don't choose "admin" username. Looks like it's already reserved.
60 |   openvpn_admin_pw   = "${var.openvpn_admin_pw}"
61 | }
62 | ```
63 | 
64 | ## Authors
65 | 
66 | Created and maintained by [Quentin Rousseau](https://github.com/kwent) (contact@quent.in).
67 | 
68 | ## License
69 | 
70 | Apache 2 Licensed. See LICENSE for full details.
71 | 


--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
  1 | #----------------------------------------------------------------
  2 | # This module creates all resources necessary for OpenVPN in AWS
  3 | #----------------------------------------------------------------
  4 | 
  5 | resource "aws_security_group" "openvpn" {
  6 |   name        = "${var.name}"
  7 |   vpc_id      = "${var.vpc_id}"
  8 |   description = "OpenVPN security group"
  9 | 
 10 |   tags {
 11 |     Name = "${var.name}"
 12 |   }
 13 | 
 14 |   ingress {
 15 |     protocol    = -1
 16 |     from_port   = 0
 17 |     to_port     = 0
 18 |     cidr_blocks = ["${var.vpc_cidr}"]
 19 |   }
 20 | 
 21 |   # For OpenVPN Client Web Server & Admin Web UI
 22 | 
 23 |   ingress {
 24 |     protocol    = "tcp"
 25 |     from_port   = 22
 26 |     to_port     = 22
 27 |     cidr_blocks = ["0.0.0.0/0"]
 28 |   }
 29 |   ingress {
 30 |     protocol    = "tcp"
 31 |     from_port   = 443
 32 |     to_port     = 443
 33 |     cidr_blocks = ["0.0.0.0/0"]
 34 |   }
 35 |   ingress {
 36 |     protocol    = "udp"
 37 |     from_port   = 1194
 38 |     to_port     = 1194
 39 |     cidr_blocks = ["0.0.0.0/0"]
 40 |   }
 41 |   egress {
 42 |     protocol    = -1
 43 |     from_port   = 0
 44 |     to_port     = 0
 45 |     cidr_blocks = ["0.0.0.0/0"]
 46 |   }
 47 | }
 48 | 
 49 | resource "aws_instance" "openvpn" {
 50 |   ami           = "${var.ami}"
 51 |   instance_type = "${var.instance_type}"
 52 |   key_name      = "${var.key_name}"
 53 |   subnet_id     = "${element(var.public_subnet_ids, count.index)}"
 54 | 
 55 |   vpc_security_group_ids = ["${aws_security_group.openvpn.id}"]
 56 | 
 57 |   tags {
 58 |     Name = "${var.name}"
 59 |   }
 60 | 
 61 |   # `admin_user` and `admin_pw` need to be passed in to the appliance through `user_data`, see docs -->
 62 |   # https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/amazon-ec2-appliance-ami-quick-start-guide/
 63 |   user_data = <<USERDATA
 64 | admin_user=${var.openvpn_admin_user}
 65 | admin_pw=${var.openvpn_admin_pw}
 66 | USERDATA
 67 | 
 68 |   provisioner "remote-exec" {
 69 |     connection {
 70 |       user        = "${var.openvpn_user}"
 71 |       host        = "${self.public_ip}"
 72 |       private_key = "${var.private_key}"
 73 |       timeout     = "10m"
 74 |     }
 75 | 
 76 |     inline = [
 77 |       # Sleep 60 seconds until AMI is ready
 78 |       "sleep 60",
 79 | 
 80 |       # Set VPN network info
 81 |       "sudo /usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.network -v ${element(split("/", var.vpn_cidr), 0)} ConfigPut",
 82 | 
 83 |       "sudo /usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.netmask_bits -v ${element(split("/", var.vpn_cidr), 1)} ConfigPut",
 84 | 
 85 |       # Do a warm restart so the config is picked up
 86 |       "sudo /usr/local/openvpn_as/scripts/sacli start",
 87 |     ]
 88 |   }
 89 | }
 90 | 
 91 | resource "aws_elb" "openvpn" {
 92 |   name                        = "openvpn-elb"
 93 |   subnets                     = ["${var.public_subnet_ids}"]
 94 |   internal                    = false
 95 |   idle_timeout                = 30
 96 |   connection_draining         = true
 97 |   connection_draining_timeout = 30
 98 |   instances                   = ["${aws_instance.openvpn.id}"]
 99 |   security_groups             = ["${aws_security_group.openvpn.id}"]
100 | 
101 |   listener {
102 |     instance_port      = 443
103 |     instance_protocol  = "https"
104 |     lb_port            = 443
105 |     lb_protocol        = "https"
106 |     ssl_certificate_id = "${var.cert_arn}"
107 |   }
108 | 
109 |   health_check {
110 |     healthy_threshold   = 2
111 |     unhealthy_threshold = 2
112 |     timeout             = 5
113 |     target              = "TCP:443"
114 |     interval            = 20
115 |   }
116 | 
117 |   tags {
118 |     Name = "openvpn-elb"
119 |   }
120 | }
121 | 
122 | resource "aws_route53_record" "openvpn-web" {
123 |   zone_id = "${var.route_zone_id}"
124 |   name    = "vpn-web.${var.domain_name}"
125 |   type    = "A"
126 | 
127 |   alias {
128 |     name                   = "${aws_elb.openvpn.dns_name}"
129 |     zone_id                = "${aws_elb.openvpn.zone_id}"
130 |     evaluate_target_health = false
131 |   }
132 | }
133 | 
134 | resource "aws_route53_record" "openvpn" {
135 |   zone_id = "${var.route_zone_id}"
136 |   name    = "vpn.${var.domain_name}"
137 |   type    = "A"
138 |   ttl     = 300
139 |   records = ["${aws_instance.openvpn.public_ip}"]
140 | }
141 | 


--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
 1 | output "private_ip" {
 2 |   value = "${aws_instance.openvpn.private_ip}"
 3 | }
 4 | 
 5 | output "public_ip" {
 6 |   value = "${aws_instance.openvpn.public_ip}"
 7 | }
 8 | 
 9 | output "public_web_fqdn" {
10 |   value = "${aws_route53_record.openvpn-web.fqdn}"
11 | }
12 | 
13 | output "public_fqdn" {
14 |   value = "${aws_route53_record.openvpn.fqdn}"
15 | }
16 | 


--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "name" {
 2 |   default = "openvpn"
 3 | }
 4 | 
 5 | variable "vpc_id" {}
 6 | variable "vpc_cidr" {}
 7 | 
 8 | variable "public_subnet_ids" {
 9 |   type = "list"
10 | }
11 | 
12 | variable "cert_arn" {}
13 | variable "key_name" {}
14 | variable "private_key" {}
15 | variable "ami" {}
16 | variable "instance_type" {}
17 | variable "openvpn_user" {}
18 | variable "openvpn_admin_user" {}
19 | variable "openvpn_admin_pw" {}
20 | variable "vpn_cidr" {}
21 | variable "domain_name" {}
22 | variable "route_zone_id" {}
23 | 


--------------------------------------------------------------------------------