Skip to content

Latest commit

 

History

History
253 lines (188 loc) · 28.6 KB

README.md

File metadata and controls

253 lines (188 loc) · 28.6 KB
Raw

AWS VPN (Pritunl) Terraform Module

Terraform module with create instance with Pritunl VPN on AWS.

Usage

module "vpn" {
  source = "git@github.com:<repository_name>/terraform-aws-pritunl-vpn.git?ref=v0.0.0"
  prefix             = "example"
  environment        = "dev"
  vpc_id             = "vpc-xxx"
  public_subnet_ids  = ["subnet-xxx", "subnet-xxx", "subnet-xxx"]
  private_subnet_ids = ["subnet-xxx", "subnet-xxx", "subnet-xxx"]
  instance_type             = "t3a.small"
  is_create_route53_reccord = true
  route53_zone_name         = "example.com"
  public_lb_vpn_domain      = "vpn" #vpn.example.com
  private_lb_vpn_domain     = "vpn-console" #vpn-console.example.com
  is_enabled_https_public = true
  security_group_ingress_rules = {
    allow_to_connect_vpn = {
      port        = "12383"
      cidr_blocks = ["0.0.0.0/0"]
      protocol    = "udp"
    }
  }
  tags = {
    workspace = "local-test"
  }
}

HOW TO SET UP PRITUNL-VPN

GO TO SSM CONSOLE FOR SESSION MANAGER

SessionManager

GET Default Password

  sudo pritunl default-password # save for first login

GetPassword

Login

Login

Server Setting

Require

  • Public Address : Set to Public DNS name or Public Loadbalancer for VPN Client ACCESS

Optional

  • Username : New Username for Connect to VPN server
  • New Password : New Password For For Connect to VPN server

ServerSetting

Create organization

  • click on "Users" in nav bar
  • click on "Add Organization"

Add Org

Create Server

  • click on "Servers" in nav bar

  • Click on "Add Server" Button

  • Config Server

    • name: anything
    • port: default must be 12383 (must be match with ingress policy)
    • DNS Server: Default 8.8.8.8
    • Virtual Network: Leave Default (CIDR must be avalible)

Add Server

Attach Origanization to Server

  • Click on "Attach Organization" Button Attach Org

Start VPN Server

  • Click on "Start Server" Button Start Server

  • Done Started Server

Add User To Access VPN

Create User

  • Click on Users in NavBar
  • Clicl on "Add User" Button AddUser

Config User

  • Config User
    • Name: anything
    • Pin: password to access VPN

ConfigUser

Download VPN File

Set VPN Server to Private

module "pritunl_vpn" {
  . . .
  is_enabled_https_public = false
}

Migration

Mount New EFS to Old Pritunl VPN

Config Security Group Client

add security goups efs-client of new efs to old pritunl VPN

  • go to ec2 console
  • select old pritunl-vpn -> Actions -> Security -> Change security groups
  • add security group client for mount EFS

Mount New EFS To Old Pritunl VPN

  • remote to old pritunl-vpn
  • mount EFS
sudo mkdir /efs
sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport <efs_dns_name>:/ /efs

Config MongoDB

Dump Mongodb From Old Pritunl VPN

mongodump --db=pritunl #dump
mv dump/ /efs/dump #move dump to efs

Restore MongoDB in New Pritunl VPN

mongorestore /efs/dump

DownloadConfig

Requirements

Name Version
terraform >= 1.0
aws >= 4.0.0

Providers

Name Version
aws 4.36.0

Modules

Name Source Version
efs oozou/efs/aws 1.0.4
launch_template oozou/launch-template/aws 1.0.3

Resources

Name Type
aws_autoscaling_group.this resource
aws_autoscaling_policy.this resource
aws_iam_instance_profile.this resource
aws_iam_role.this resource
aws_iam_role_policy.this resource
aws_iam_role_policy_attachment.this resource
aws_lb.private resource
aws_lb.public resource
aws_lb_listener.private resource
aws_lb_listener.public resource
aws_lb_target_group.private resource
aws_lb_target_group.public resource
aws_route53_record.private resource
aws_route53_record.public resource
aws_security_group.this resource
aws_security_group_rule.ingress resource
aws_ami.amazon_linux data source
aws_iam_policy_document.this data source
aws_iam_policy_document.this_assume_role data source
aws_route53_zone.this data source
aws_vpc.this data source

Inputs

Name Description Type Default Required
additional_sg_attacment_ids (Optional) The ID of the security group. list(string) [] no
ami (Optional) AMI to use for the instance. Required unless launch_template is specified and the Launch Template specifes an AMI. If an AMI is specified in the Launch Template, setting ami will override the AMI specified in the Launch Template string "" no
custom_https_allow_cidr cidr block for config pritunl vpn list(string) null no
efs_backup_policy_enabled If true, it will turn on automatic backups. bool true no
enable_ec2_monitoring Enables/disables detailed monitoring bool false no
enabled_backup Enable Backup EFS bool true no
environment Environment Variable used as a prefix string n/a yes
instance_type (Optional) The instance type to use for the instance. Updates to this field will trigger a stop/start of the EC2 instance. string "t2.medium" no
is_create_private_lb if true this module will not create private lb for cost optimization bool true no
is_create_route53_reccord if true will create route53 reccord for vpn, vpn console bool false no
is_create_security_group Flag to toggle security group creation bool true no
is_enabled_https_public if true will enable https to public loadbalancer else enable to private loadbalancer bool true no
key_name Key name of the Key Pair to use for the vpn instance; which can be managed using string null no
prefix The prefix name of customer to be displayed in AWS console and resource string n/a yes
private_lb_vpn_domain domain of vpn console output will be <var.vpn_domain>.<var.route53_zone_name> string "vpn-console" no
private_rule private rule for run connect vpn 
list(object({
    port                  = number
    protocol              = string
    health_check_port     = number
    health_check_protocol = string
  }))
 [] no
private_subnet_ids The List of the private subnet ID to deploy instance and private lb for vpn relate to VPC list(string) n/a yes
public_lb_vpn_domain domain of vpn output will be <var.vpn_domain>.<var.route53_zone_name> string "vpn" no
public_rule public rule for run connect vpn 
list(object({
    port                  = number
    protocol              = string
    health_check_port     = number
    health_check_protocol = string
  }))
 
[
  {
    "health_check_port": 443,
    "health_check_protocol": "TCP",
    "port": 12383,
    "protocol": "UDP"
  }
]
 no
public_subnet_ids The List of the subnet ID to deploy Public Loadbalancer relate to VPC list(string) n/a yes
route53_zone_name This is the name of the hosted zone string "" no
security_group_ingress_rules Map of ingress and any specific/overriding attributes to be created any 
{
  "allow_to_connect_vpn": {
    "cidr_blocks": [
      "0.0.0.0/0"
    ],
    "port": "12383",
    "protocol": "udp"
  }
}
 no
tags Tags to add more; default tags contian {terraform=true, environment=var.environment} map(string) {} no
vpc_id The ID of the VPC string n/a yes

Outputs

Name Description
efs_dns_name The DNS name for the filesystem
efs_id The ID that identifies the file system for pritunl vpn
lb_private_dns The DNS name of the private load balancer.
lb_public_dns The DNS name of the public load balancer.
security_group_arn ARN of the security group associated to this ec2
security_group_id ID of the security group associated to this ec2
vpn_private_dns private dns for connect vpn server
vpn_public_dns public dns for connect vpn server