OpenVPN terraform module

A terraform module to build an OpenVPN AS server with RDS as a backend for storing its configuration. RDS support is enabled by default and can be disabled by setting the use_rds variable to false. To restore settings from an RDS backup, pass snapshot_identifier with the name of the snapshot.

The openvpn instance is created through an autoscaling group of one instance; if the instance fails for any reason, another one is created and, when using the RDS backend (the default), it keeps the same configuration and settings. At boot time the instance also attaches an EIP that the module creates.

For cross-region redundancy the setup can use RDS replicas for a fully redundant deployment, or, for a cold standby, the RDS snapshot can be used to create a new RDS instance in a different region if needed.

Basic Module usage

To use the default mode (RDS backend) and the default values for the remaining variables you only have to invoke it like:

module "openvpn" {
  source           = "git@github.com:nclouds/terraform-aws-openvpn.git?ref=v0.1.1"
  domain_name      = "vpn.domain.com"
  vpc_id           = "vpc-xxxxxxx"
  openvpn_password = "xxxxxxxxxx"
}

Use a RDS snapshot backup

For redundancy, if the RDS instance has to be recreated, a previous RDS snapshot can be used to restore the whole openvpn database (users, settings, etc.) by passing the snapshot_identifier variable. This is disabled by default; without it the module creates a clean new install. The RDS snapshot can be an automated or final snapshot of an openvpn-compatible RDS database.

module "openvpn" {
  source              = "app.terraform.io/ncodelibrary/openvpn/aws"
  version             = "0.1.2"
  domain_name         = "vpn.domain.com"
  vpc_id              = "vpc-xxxxxxx"
  environment         = "dev"
  openvpn_password    = "xxxxxxxxxx"
  snapshot_identifier = "openvpndb-demo-final-f633c15acdcee37a0f936cd08c8acb3a"
}

Development/testing usage

For quick development and testing the module can be used without RDS, like this:

module "openvpn" {
  source           = "app.terraform.io/ncodelibrary/openvpn/aws"
  version          = "0.1.2"
  domain_name      = "vpn.domain.com"
  vpc_id           = "vpc-xxxxxxx"
  environment      = "dev"
  openvpn_password = "xxxxxxxxxx"
  use_rds          = false
}

Note: if using the official OpenVPN marketplace AMI you will have to subscribe to it first in the account.
Use the link (for BYOL): https://aws.amazon.com/marketplace/pp/B00MI40CAE/ or (for 100 connected devices) https://aws.amazon.com/marketplace/pp/B01DE7Y902/
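The three invocations above cover the module's modes; the following is an added example (not from the module's own README) that combines the documented inputs and outputs into a hardened invocation: the admin password comes from a sensitive variable instead of a literal, subnets, encryption and backup retention are set explicitly, client routes are limited to what is needed, and the admin UI is restricted to operator networks. The hosted zone id, subnet ids and CIDR values are placeholders, and the admin port rule assumes the OpenVPN AS default of 943/tcp.

```hcl
# Added example (not from the module's README): a hardened invocation
# combining the inputs and outputs documented on this page. Assumes an existing
# VPC with public/private subnets, a Route53 hosted zone, and module version 0.1.2.
variable "openvpn_password" {
  description = "Initial admin password; pass via TF_VAR_openvpn_password, never commit it"
  type        = string
  sensitive   = true
}

variable "admin_cidrs" {
  description = "Operator networks allowed to reach the admin UI (constructed placeholder)"
  type        = list(string)
  default     = ["203.0.113.0/24"]
}

module "openvpn" {
  source  = "app.terraform.io/ncodelibrary/openvpn/aws"
  version = "0.1.2"

  domain_name      = "vpn.domain.com"
  hosted_zone_id   = "ZXXXXXXXXXXXXX" # placeholder zone id
  vpc_id           = "vpc-xxxxxxx"
  environment      = "prod"
  openvpn_password = var.openvpn_password

  # Pin the instance and RDS to explicit subnets rather than the module defaults
  public_subnet_ids  = ["subnet-aaaaaaaa", "subnet-bbbbbbbb"] # placeholders
  private_subnet_ids = ["subnet-cccccccc", "subnet-dddddddd"] # placeholders

  # Make the recovery and confidentiality settings explicit rather than relying on defaults
  use_rds                     = true
  rds_storage_encrypted       = true
  rds_backup_retention_period = "14"

  # Least privilege: only the networks clients need, resolved by internal DNS
  openvpn_networks = ["10.0.0.0/16"]
  openvpn_dns      = ["10.0.0.2"]
}

# Limit the admin UI (adminurl output) to operator networks. Assumes the OpenVPN AS
# default admin port 943/tcp and that the module does not already open it wider.
resource "aws_security_group_rule" "openvpn_admin_ui" {
  type              = "ingress"
  from_port         = 943
  to_port           = 943
  protocol          = "tcp"
  cidr_blocks       = var.admin_cidrs
  security_group_id = module.openvpn.openvpn_security_group_id
}
```

Check the module's own security group rules after `terraform plan`: an extra ingress rule only narrows exposure if no broader rule for the same port already exists.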

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| aws | n/a |
| random | n/a |

Modules

No Modules.

Resources

| Name |
|------|
| aws_ami |
| aws_autoscaling_group |
| aws_availability_zones |
| aws_db_subnet_group |
| aws_eip |
| aws_iam_instance_profile |
| aws_iam_policy |
| aws_iam_policy_document |
| aws_iam_role |
| aws_iam_role_policy_attachment |
| aws_launch_configuration |
| aws_rds_cluster |
| aws_rds_cluster_instance |
| aws_region |
| aws_security_group |
| aws_security_group_rule |
| aws_subnet_ids |
| aws_vpc |
| random_password |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| ami_id | The AMI to use for the openvpn instance (optional). If undefined, the official openvpn marketplace image is used | string | "" | no |
| append_workspace | Appends the terraform workspace at the end of resource names | bool | true | no |
| apply_immediately | Specifies whether any database modifications are applied immediately or during the next maintenance window | bool | false | no |
| db_instance_type | The instance class to use for RDS | string | "db.t2.medium" | no |
| domain_name | The DNS name of your OpenVPN deployment | any | n/a | yes |
| ec2_instance_type | EC2 instance type for the OpenVPN server | string | "t2.medium" | no |
| environment | Environment name | string | "dev" | no |
| hosted_zone_id | The hosted zone id | string | "" | no |
| key_name | EC2 key name used for SSH access to the OpenVPN instance | string | "" | no |
| openvpn_dns | Have VPN clients use these specific DNS servers | list(string) | ["10.0.0.20", "10.0.0.21"] | no |
| openvpn_networks | Private subnets to which all clients should be given access | list(string) | ["10.0.0.0/16", "192.168.0.0/24"] | no |
| openvpn_password | Initial password for the openvpn user | string | n/a | yes |
| private_subnet_ids | List of private subnet IDs where the RDS instance will be created | list(string) | [] | no |
| public_subnet_ids | List of public subnet IDs where the VPN instance will be created | list(string) | [] | no |
| rds_backup_retention_period | The number of days to retain backups for | string | "7" | no |
| rds_master_name | Username for the master DB user | string | "root" | no |
| rds_storage_encrypted | Specifies whether the DB cluster is encrypted | bool | true | no |
| snapshot_identifier | (Optional) Restore the RDS database from a snapshot; set to the snapshot name | string | "" | no |
| use_rds | Controls whether RDS is used for storing OpenVPN configurations; enabled by default | bool | true | no |
| vpc_id | Id of the VPC where the OpenVPN server will be deployed | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| adminurl | Admin access URL for the OpenVPN server |
| openvpn_rds_security_group_id | The ID of the openvpn RDS security group |
| openvpn_security_group_id | The ID of the openvpn security group |