# OpenVPN terraform module
A terraform module to build an OpenVPN AS server with RDS as a backend for storing its configuration. RDS support is enabled by default and can be disabled by setting the `use_rds` variable to `false`. To restore the settings from an RDS backup, pass the backup's identifier in the `snapshot_identifier` variable.
The OpenVPN instance is created through an autoscaling group of size 1, which makes it self-healing: if the instance fails for any reason another one is launched, and when the RDS backend (the default) is in use the replacement keeps the same configuration and settings. At boot time the instance also attaches an EIP that the module creates.

For cross-region redundancy, the setup can use RDS replicas for a fully redundant deployment, or, for a cold standby, an RDS snapshot can be used to create a new RDS instance in a different region when needed.
## Basic Module usage

To use the default mode (RDS backend) and default values you only have to invoke the module like this:

```hcl
module "openvpn" {
  source           = "git@github.com:nclouds/terraform-aws-openvpn.git?ref=v0.1.1"
  domain_name      = "vpn.domain.com"
  vpc_id           = "vpc-xxxxxxx"
  openvpn_password = "xxxxxxxxxx"
}
```
## Use an RDS snapshot backup

For redundancy reasons, if the RDS instance has to be recreated, a previous RDS snapshot can be used to restore the whole OpenVPN database (users, settings, etc.) by passing the `snapshot_identifier` variable. This is disabled by default; without it the module creates a clean new install. The RDS snapshot can be an automated or a final snapshot taken from an OpenVPN-compatible RDS database.

```hcl
module "openvpn" {
  source              = "app.terraform.io/ncodelibrary/openvpn/aws"
  version             = "0.1.2"
  domain_name         = "vpn.domain.com"
  vpc_id              = "vpc-xxxxxxx"
  environment         = "dev"
  openvpn_password    = "xxxxxxxxxx"
  snapshot_identifier = "openvpndb-demo-final-f633c15acdcee37a0f936cd08c8acb3a"
}
```
## Development/testing usage

For quick development and testing the module can be used without RDS like this:

```hcl
module "openvpn" {
  source           = "app.terraform.io/ncodelibrary/openvpn/aws"
  version          = "0.1.2"
  domain_name      = "vpn.domain.com"
  vpc_id           = "vpc-xxxxxxx"
  environment      = "dev"
  openvpn_password = "xxxxxxxxxx"
  use_rds          = false
}
```

Note: if using the official OpenVPN marketplace AMI you will have to subscribe to it in the account first.
Use the link (for BYOL): https://aws.amazon.com/marketplace/pp/B00MI40CAE/
or (for 100 connected devices) https://aws.amazon.com/marketplace/pp/B01DE7Y902/
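The three invocations above each show one knob. The following is an added example, not code from the module's own README, that combines the documented inputs into a production-style invocation: the admin password comes from a `sensitive` variable instead of a literal in source control, the VPN instance and the RDS instance are placed in public and private subnets respectively, storage encryption and a longer backup retention are set explicitly, and only selected subnets are pushed to clients. All subnet IDs, the hosted zone ID, the key pair name, the CIDRs and the snapshot identifier are placeholders; it is also an assumption that `openvpn_networks` takes CIDR strings, since the inputs table only states `list(string)`.

```hcl
# Added example, not part of the module. Every ID below is a placeholder.

variable "openvpn_password" {
  description = "Initial password for the openvpn admin user; pass via TF_VAR_openvpn_password or a secrets store, never commit it"
  type        = string
  sensitive   = true
}

module "openvpn" {
  source  = "app.terraform.io/ncodelibrary/openvpn/aws"
  version = "0.1.2"

  domain_name      = "vpn.domain.com"
  hosted_zone_id   = "Z0000000PLACEHOLDER" # placeholder: Route 53 zone that serves domain_name
  vpc_id           = "vpc-xxxxxxx"
  environment      = "prod"
  openvpn_password = var.openvpn_password # read from the sensitive variable above

  # VPN instance in public subnets, RDS instance in private subnets (placeholder IDs)
  public_subnet_ids  = ["subnet-aaaaaaaa", "subnet-bbbbbbbb"]
  private_subnet_ids = ["subnet-cccccccc", "subnet-dddddddd"]

  # Push only the application subnets over the tunnel, not the whole VPC
  # (constructed CIDRs; CIDR format is an assumption, see the lead-in)
  openvpn_networks = ["10.0.10.0/24", "10.0.11.0/24"]
  openvpn_dns      = ["10.0.0.2"] # constructed: the VPC resolver address

  # RDS backend: encrypted at rest, 14-day backups, restored from a final snapshot.
  # Leave snapshot_identifier as "" (the default) for a clean install.
  use_rds                     = true
  rds_storage_encrypted       = true
  rds_backup_retention_period = "14"
  snapshot_identifier         = "openvpndb-prod-final-PLACEHOLDER"

  # Optional EC2 key pair for SSH access; leave at the default "" if none is needed
  key_name = "ops-keypair-placeholder"
}

# Surface the admin URL output documented in the Outputs table
output "openvpn_admin_url" {
  value = module.openvpn.adminurl
}
```

Run it with the password supplied out of band, for example `TF_VAR_openvpn_password=... terraform apply`; because the variable is marked `sensitive`, Terraform redacts it from plan output, although it is still stored in the state file, so the state backend itself needs to be access-controlled and encrypted.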
## Requirements

No requirements.

## Providers

Name | Version |
---|---|
aws | n/a |
random | n/a |

## Modules

No Modules.

## Resources
## Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
ami_id | The AMI to use for the OpenVPN instance (optional). If undefined, the official OpenVPN marketplace image is used | string | "" | no |
append_workspace | Appends the terraform workspace to the end of resource names | bool | true | no |
apply_immediately | Specifies whether database modifications are applied immediately or during the next maintenance window | bool | false | no |
db_instance_type | The instance class to use for RDS | string | "db.t2.medium" | no |
domain_name | The DNS name of your OpenVPN deployment | any | n/a | yes |
ec2_instance_type | EC2 instance type for the OpenVPN server | string | "t2.medium" | no |
environment | Environment name | string | "dev" | no |
hosted_zone_id | The hosted zone id | string | "" | no |
key_name | EC2 key pair name used for SSH access to the OpenVPN instance | string | "" | no |
openvpn_dns | Have VPN clients use these specific DNS servers | list(string) | [ | no |
openvpn_networks | Private subnets to which all clients should be given access | list(string) | [ | no |
openvpn_password | Initial password for the openvpn user | string | n/a | yes |
private_subnet_ids | List of private subnet IDs where the RDS instance will be created | list(string) | [] | no |
public_subnet_ids | List of public subnet IDs where the VPN instance will be created | list(string) | [] | no |
rds_backup_retention_period | The number of days to retain backups | string | "7" | no |
rds_master_name | Username for the master DB user | string | "root" | no |
rds_storage_encrypted | Specifies whether the DB cluster is encrypted | bool | true | no |
snapshot_identifier | (Optional) Restore the RDS instance from a snapshot; pass the snapshot name | string | "" | no |
use_rds | Controls whether RDS is used for storing OpenVPN configurations; enabled by default | bool | true | no |
vpc_id | ID of the VPC where the OpenVPN server will be deployed | string | n/a | yes |
## Outputs

Name | Description |
---|---|
adminurl | Admin access URL for the OpenVPN server |
openvpn_rds_security_group_id | The ID of the OpenVPN RDS security group |
openvpn_security_group_id | The ID of the OpenVPN security group |