{"id":18746065,"url":"https://github.com/fscm/packer-aws-openvpn","last_synced_at":"2025-10-06T13:11:13.058Z","repository":{"id":202050298,"uuid":"83602599","full_name":"fscm/packer-aws-openvpn","owner":"fscm","description":"Packer Template to build a AWS OpenVPN AMI","archived":false,"fork":false,"pushed_at":"2022-01-03T16:05:49.000Z","size":27,"stargazers_count":23,"open_issues_count":0,"forks_count":16,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-04-19T22:34:00.465Z","etag":null,"topics":["aws","openvpn","packer"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fscm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2017-03-01T21:16:58.000Z","updated_at":"2023-02-16T23:16:11.000Z","dependencies_parsed_at":null,"dependency_job_id":"e1a02c4c-4808-4ae7-a747-339e1135d4ce","html_url":"https://github.com/fscm/packer-aws-openvpn","commit_stats":null,"previous_names":["fscm/packer-aws-openvpn"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/fscm/packer-aws-openvpn","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fscm%2Fpacker-aws-openvpn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fscm%2Fpacker-aws-openvpn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fscm%2Fpacker-aws-openvpn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fscm%2Fpacker-aws-openvpn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fscm","download_u
rl":"https://codeload.github.com/fscm/packer-aws-openvpn/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fscm%2Fpacker-aws-openvpn/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278615202,"owners_count":26016126,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-06T02:00:05.630Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","openvpn","packer"],"created_at":"2024-11-07T16:20:43.582Z","updated_at":"2025-10-06T13:11:13.030Z","avatar_url":"https://github.com/fscm.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OpenVPN AMI\n\nAMI that should be used to create virtual machines with OpenVPN installed.\n\n## Synopsis\n\nThis script will create an AMI with OpenVPN installed and with all of the\nrequired initialization scripts.\n\nThe AMI resulting from this script should be the one used to instantiate an\nOpenVPN server.\n\nThis AMI can also be used as a NAT instance but extra configurations are\nrequired.\nTo use this AMI as a NAT instance the \"Change Source / Dest. 
Check\" option\nof the resulting EC2 instance needs to be disabled.\n\n## Getting Started\n\nThere are a couple of things needed for the script to work.\n\n### Prerequisites\n\nPacker and AWS Command Line Interface tools need to be installed on your local\ncomputer.\nTo build a base image you have to know the id of the latest Debian AMI files\nfor the region where you wish to build the AMI.\n\n#### Packer\n\nPacker installation instructions can be found\n[here](https://www.packer.io/docs/installation.html).\n\n#### AWS Command Line Interface\n\nAWS Command Line Interface installation instructions can be found [here](http://docs.aws.amazon.com/cli/latest/userguide/installing.html).\n\n#### Debian AMIs\n\nThis AMI will be based on an official Debian AMI. The latest version of that\nAMI will be used.\n\nA list of all the Debian AMI ids can be found at the Debian official page:\n[Debian official Amazon EC2 Images](https://wiki.debian.org/Cloud/AmazonEC2Image/)\n\n### Usage\n\nIn order to create the AMI using this packer template you need to provide a\nfew options.\n\n```\nUsage:\n  packer build \\\n    -var 'aws_access_key=\u003cAWS_ACCESS_KEY\u003e' \\\n    -var 'aws_secret_key=\u003cAWS_SECRET_KEY\u003e' \\\n    -var 'aws_region=\u003cAWS_REGION\u003e' \\\n    [-var 'option=value'] \\\n    openvpn.json\n```\n\n#### Script Options\n\n- `aws_access_key` - *[required]* The AWS access key.\n- `aws_ami_name` - The AMI name (default value: \"openvpn\").\n- `aws_ami_name_prefix` - Prefix for the AMI name (default value: \"\").\n- `aws_instance_type` - The instance type to use for the build (default value: \"t2.micro\").\n- `aws_region` - *[required]* The region where the build will be performed.\n- `aws_secret_key` - *[required]* The AWS secret key.\n- `easyrsa_req_city` - The City value to be used on the CA certificate (default value: \"San Francisco\").\n- `easyrsa_req_country` - The Country value to be used on the CA certificate (default value: \"US\").\n- `easyrsa_req_email` - The 
Email value to be used on the CA certificate (default value: \"private\").\n- `easyrsa_req_org` - The Organization Name value to be used on the CA certificate (default value: \"Private Company\").\n- `easyrsa_req_ou` - The Organizational Unit value to be used on the CA certificate (default value: \"IT\").\n- `easyrsa_req_state` - The State value to be used on the CA certificate (default value: \"California\").\n- `easyrsa_version` - The EasyRSA version to install (default value: \"3.0.1\").\n- `system_locale` - Locale for the system (default value: \"en_US\").\n\n### Instantiate a Server\n\nIn order to end up with a functional OpenVPN service some configurations have\nto be performed after instantiating the server.\n\nTo help perform those configurations a small set of scripts is included in the\nAWS image.\n\n- `ovpn_initpki` - This script will initialize the CA using the EasyRSA toolset.\n- `ovpn_config` - This script will configure the OpenVPN service.\n- `ovpn_addclient` - This script will create the required credentials for a client using the EasyRSA toolset.\n- `ovpn_delclient` - This script will revoke the credentials for a given client using the EasyRSA toolset. This script will restart the OpenVPN service.\n- `ovpn_getclient` - This script will create the configuration file for a given client.\n- `ovpn_status` - This script will show the OpenVPN service status. 
Will include active connections.\n\n#### CA Configuration Script\n\nThe OpenVPN service will require clients to authenticate using certificates.\nThe EasyRSA tools installed on the AMI will allow for the creation of the\nclient-side certificates.\n\nTo be able to manage the certificates a CA needs to be created and configured.\nThat can be done using the **ovpn_initpki** script.\n\n```\nUsage: ovpn_initpki [options]\n```\n\n##### Options\n\n* `-c \u003cCN\u003e` - The Common Name to use for the CA certificate.\n\n#### Configuring a CA\n\nTo create/initialize a CA that can be used to manage the client authentication\ncredentials the following steps need to be performed.\n\nRun the configuration tool (*ovpn_initpki*) to create/initialize the CA.\n\n```\novpn_initpki -c vpn.mydomain.tld\n```\n\nAfter these steps a new CA should be configured and ready to be used to create client credentials.\nThis also creates the required certificates for the OpenVPN service.\n\n#### OpenVPN Configuration Script\n\nThe OpenVPN service will require clients to authenticate using certificates.\n\nAfter taking care of that part (see the [Configuring a CA](#configuring-a-ca)\nsection for more details), configuring the OpenVPN service can be done using\nthe **ovpn_config** script.\n\n```\nUsage: ovpn_config [options]\n```\n\n##### Options\n\n* `-c` - Enables the client-to-client option.\n* `-d` - Disables the built-in external DNS.\n* `-D` - Disables the OpenVPN service from starting at boot time.\n* `-E` - Enables the OpenVPN service to start at boot time.\n* `-g` - Disables the NAT routing and Default Gateway.\n* `-n \u003cADDRESS\u003e` - Sets a Name Server to be pushed to the clients. Several Name Server endpoints can be set by using extra `-n` options.\n* `-N` - Configures NAT to access the external server network.\n* `-p \u003cRULE\u003e` - Sets a rule to be pushed to the clients. 
Several rules can be set by using extra `-p` options.\n* `-r \u003cROUTE\u003e` - Sets a route to be added on the client side (e.g.: '10.0.0.0/16'). Several routes can be set by using extra `-r` options.\n* `-s \u003cCIDR\u003e` - The OpenVPN service subnet (e.g.: '172.16.0.0/12').\n* `-S` - Starts the OpenVPN service after performing the required configurations.\n* `-W \u003cSECONDS\u003e` - Waits the specified number of seconds before starting the OpenVPN service (default value is '0').\n* `-u \u003cADDRESS\u003e` - The OpenVPN server public DNS name. Should be in the form of (udp|tcp)://\u003cserver_dns_name\u003e:\u003cserver_port\u003e.\n\nMost likely the `-u` option will have the value used for the `-c` option on the\n*ovpn_initpki* script (see the [Configuring a CA](#configuring-a-ca) section\nfor more details).\n\n#### Configuring the OpenVPN service\n\nTo configure the OpenVPN service the following steps need to be performed.\n\nRun the configuration tool (*ovpn_config*) to configure the OpenVPN service\nand have it start at boot time.\n\n```\novpn_config -d -E -n 8.8.8.8 -n 8.8.4.4 -p \"route 10.0.0.0 255.255.0.0\" -s 172.16.0.0/12 -S -u udp://vpn.mydomain.tld:1194\n```\n\nAfter these steps an OpenVPN service should be running and configured to start on\nserver boot.\n\nMore options can be used in the service configuration; see the\n[OpenVPN Configuration Script](#openvpn-configuration-script) section for more\ndetails.\n\n#### Adding OpenVPN Users\n\nCreating credentials for the OpenVPN service can be done using the\n**ovpn_addclient** script.\n\n```\nUsage: ovpn_addclient [options]\n```\n\n##### Options\n\n* `-u` - The username for the OpenVPN client.\n\n#### Deleting OpenVPN Users\n\nRemoving credentials from the OpenVPN service can be done using the\n**ovpn_delclient** script.\n\n```\nUsage: ovpn_delclient [options]\n```\n\n##### Options\n\n* `-u` - The username for the OpenVPN client.\n\n#### Obtain the OpenVPN Client Configurations\n\nGetting the 
OpenVPN client configurations for one user can be done using the\n**ovpn_getclient** script.\n\n```\nUsage: ovpn_getclient [options] \u003e myuser-vpn_mydomain_tld.ovpn\n```\n\nThe resulting *.ovpn* file should be the one used by the user to configure the\nOpenVPN client.\n\n##### Options\n\n* `-u` - The username for the OpenVPN client.\n\n### Maintaining the OpenVPN service\n\nIt is possible to add, delete, and/or get a user's credentials for the OpenVPN\nservice from outside the server (assuming that SSH access is possible).\n\nTo perform the maintenance tasks there is a set of scripts in the *scripts*\nfolder of this recipe.\n\n- `ovpn-add-user.sh` - This script will create a user on the OpenVPN server.\n- `ovpn-del-user.sh` - This script will revoke a user's access to the OpenVPN server.\n- `ovpn-get-user.sh` - This script will obtain the OpenVPN user configurations.\n\nThese scripts will execute the respective *ovpn* script through an SSH\nconnection.\n\n#### Adding OpenVPN Users\n\nCreating credentials for the OpenVPN service can be done using the\n**ovpn-add-user.sh** script.\n\n```\nUsage: ovpn-add-user.sh [options]\n```\n\n##### Options\n\n* `-i \u003cFILE\u003e` - The SSH authentication key.\n* `-p \u003cPORT\u003e` - The SSH server port (default value: 222).\n* `-s \u003cADDRESS\u003e` - The SSH server address.\n* `-u \u003cUSERNAME\u003e` - The SSH username.\n* `-v \u003cUSERNAME\u003e` - The OpenVPN username.\n\n#### Deleting OpenVPN Users\n\nRemoving credentials from the OpenVPN service can be done using the\n**ovpn-del-user.sh** script.\n\n```\nUsage: ovpn-del-user.sh [options]\n```\n\n##### Options\n\n* `-i \u003cFILE\u003e` - The SSH authentication key.\n* `-p \u003cPORT\u003e` - The SSH server port (default value: 222).\n* `-s \u003cADDRESS\u003e` - The SSH server address.\n* `-u \u003cUSERNAME\u003e` - The SSH username.\n* `-v \u003cUSERNAME\u003e` - The OpenVPN username.\n\n#### Obtain the OpenVPN Client Configurations\n\nGetting the OpenVPN 
client configurations for one user can be done using the\n**ovpn-get-user.sh** script.\n\n```\nUsage: ovpn-get-user.sh [options]\n```\n\nThe resulting *.ovpn* file should be the one used by the user to configure the\nOpenVPN client.\n\n##### Options\n\n* `-i \u003cFILE\u003e` - The SSH authentication key.\n* `-p \u003cPORT\u003e` - The SSH server port (default value: 222).\n* `-s \u003cADDRESS\u003e` - The SSH server address.\n* `-u \u003cUSERNAME\u003e` - The SSH username.\n* `-v \u003cUSERNAME\u003e` - The OpenVPN username.\n\n## Services\n\nThis AMI will have the SSH service running as well as the OpenVPN service.\nThe following ports will have to be configured on Security Groups.\n\n| Service    | Port      | Protocol |\n|------------|:---------:|:--------:|\n| SSH        | 222       |    TCP   |\n| OpenVPN    | 1194      |    UDP   |\n\nIf this image is to be used as a NAT instance other ports may have to be\nadded to the Security Groups.\n\n## Contributing\n\n1. Fork it!\n2. Create your feature branch: `git checkout -b my-new-feature`\n3. Commit your changes: `git commit -am 'Add some feature'`\n4. Push to the branch: `git push origin my-new-feature`\n5. Submit a pull request\n\nPlease read the [CONTRIBUTING.md](CONTRIBUTING.md) file for more details on how\nto contribute to this project.\n\n## Versioning\n\nThis project uses [SemVer](http://semver.org/) for versioning. 
For the versions\navailable, see the [tags on this repository](https://github.com/fscm/packer-aws-openvpn/tags).\n\n## Authors\n\n* **Frederico Martins** - [fscm](https://github.com/fscm)\n\nSee also the list of [contributors](https://github.com/fscm/packer-aws-openvpn/contributors)\nwho participated in this project.\n\n## License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE)\nfile for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffscm%2Fpacker-aws-openvpn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffscm%2Fpacker-aws-openvpn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffscm%2Fpacker-aws-openvpn/lists"}