Skip to content

Latest commit

 

History

History
145 lines (102 loc) · 6.91 KB

README.md

File metadata and controls

145 lines (102 loc) · 6.91 KB

OpenVPN IaC

If you're an expat, you've probably missed consuming local content from your home country 🇧🇷. Some streaming services and certain content are only available within the territory of your former country. Based on this issue, I decided to implement my own VPN using OpenVPN, AWS, and Terraform.

All this code was based on another repository (https://github.com/dumrauf/openvpn-terraform-install), with just a few changes. I added a different way to send credentials to the AWS provider. I also added an option to define the availability zone, as I was facing some deployment issues with my EC2 instance in the São Paulo region (sa-east-1).

You Have

Before you can use the Terraform module in this repository out of the box, you need

Moreover, you probably had enough of people snooping on you and want some privacy back or just prefer to have a long lived static IP.

You Want

After running the Terraform module in this repository you get

  • an EC2 node running in a dedicated VPC and subnet
  • an OpenVPN server bootstrapped on the EC2 node by the excellent openvpn-install.sh Bash script from https://github.com/angristan/openvpn-install
  • SSH access to the OpenVPN sever locked down to the IP address of the machine executing the Terraform module (see the FAQs for how to handle drift over time)
  • the list of users supplied as input to the Terraform module readily provisioned on the OpenVPN server
  • the configuration of each user supplied in the Terraform configuration downloaded onto the local machine and ready for use
  • the option to provision and revoke users from the OpenVPN server by simply re-running the Terraform module

Setup

The minimal setup leverages as much of the default settings in variables.tf as possible. However some input is required.

Providing SSH Keys

In order to bootstrap as well as manage the OpenVPN server, the Terraform module needs to SSH into the EC2 node. By default, it uses the public key in settings/openvpn.pub and the private key in settings/openvpn. Both can be created by executing the following command from the root directory of this repository

cd settings
ssh-keygen -f openvpn -t rsa

Here, hit return when prompted for a password in order to make the SSH keys passwordless.

Configuring Your Settings

The minimum input variables for the module are defined in settings/example.tfvars to be

aws_region = "<your-region>"

shared_credentials_file = "/path/to/.aws/credentials"

profile = "<your-profile>"

ovpn_users = ["userOne", "userTwo", "userThree"]

Here, you need to replace the example values with your settings.

Moreover, note that users userOne, userTwo, and userThree will be provisioned with access to the OpenVPN sever and their configurations downloaded to the default location generated/ovpn-config.

Each user provisioned via input ovpn_users should preferably be defined as a single word (i.e., no whitespace), consisting only of ASCII letters and numbers with underscores as delimiters; in technical terms, each user should adhere to ^[a-zA-Z0-9_]+$.

Execution

All Terraform interactions are wrapped in helper Bash scripts for convenience.

Initialising Terraform

Initialise Terraform by running

./terraform-bootstrap.sh

Applying the Terraform Configuration

The OpenVPN server can be created and updated by running

./terraform-apply.sh <input-file-name>

where <input-file-name> references input file settings/<input-file-name>.tfvars. When using input file settings/example.tfvars configured above, the command becomes

./terraform-apply.sh example

Under the bonnet, the terraform-apply.sh Bash script with input example

  • selects or creates a new workspace called example
  • executes terraform apply where the inputs are taken from input file settings/example.tfvars
  • does not ask for permission to proceed as it uses -auto-approve when running the underlying terraform apply command

Terraform Outputs

By default, all .ovpn configurations for the users provisioned with access to the OpenVPN server in input ovpn_users are automatically downloaded to generated/ovpn-config.

Additionally, the Terraform module also outputs

  • the ec2_instance_dns
  • the ec2_instance_ip and
  • a connection_string that can be used to SSH into the EC2 node

Deletion

The OpenVPN server can be deleted by running

./terraform-destroy.sh <input-file-name>

where <input-file-name> again references input file settings/<input-file-name>.tfvars. When using input file settings/example.tfvars configured above, the command becomes

./terraform-destroy.sh example

Under the bonnet, the terraform-destroy.sh Bash script with input example

  • selects the example workspace
  • executes terraform destroy where the inputs are taken from file settings/example.tfvars
  • does ask for permission to proceed when running the terraform apply command

Testing VPN Connectivity

Once the Terraform module execution has successfully completed, the connection to the OpenVPN can be tested as follows.

While below instructions are specific to a recent Mac using Homebrew as a package manager, the actual underlying openvpn command should be fairly transferable to other platforms as well.

If not already present, install openvpn via brew by executing

brew install openvpn

Follow the instructions on screen and if the installation may need a little final nudge, try running

sudo brew services start openvpn

In case openvpn isn't readily available from the terminal after the installation above, a StackOverflow answer suggests to add the openvpn executable to the $PATH environment variable by executing

export PATH=$(brew --prefix openvpn)/sbin:$PATH

Assuming a valid OpenVPN configuration has been downloaded to generated/ovpn-config/userOne.ovpn , the connection can be tested by initiating the actual openvpn connection by running

How Do I Configure OpenVPN Access on My Mac?

Please refer to the excellent guide on Downloading and Installing Tunnelblick.

How Do I Configure OpenVPN Access On My iPhone?

Please refer to the excellent guide on how to Install OpenVPN on iOS. For transferring .ovpn configurations onto your iPhone, please refer to Transfer Files to Your Mobile By Scanning a QR Code.

sudo openvpn --config generated/ovpn-config/userOne.ovpn 

Note that the above command will actually change your network settings and hence public IP.