{"id":26299231,"url":"https://github.com/trackit/terraform-aws-client-vpn","last_synced_at":"2025-07-06T08:36:39.091Z","repository":{"id":54939263,"uuid":"310447184","full_name":"trackit/terraform-aws-client-vpn","owner":"trackit","description":"Terraform module which creates Client VPN resources on AWS","archived":false,"fork":false,"pushed_at":"2021-01-20T11:09:25.000Z","size":75,"stargazers_count":14,"open_issues_count":1,"forks_count":9,"subscribers_count":6,"default_branch":"main","last_synced_at":"2023-02-27T20:27:56.105Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trackit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-11-06T00:06:42.000Z","updated_at":"2022-10-10T15:09:45.000Z","dependencies_parsed_at":"2022-08-14T07:10:10.283Z","dependency_job_id":null,"html_url":"https://github.com/trackit/terraform-aws-client-vpn","commit_stats":null,"previous_names":[],"tags_count":null,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trackit%2Fterraform-aws-client-vpn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trackit%2Fterraform-aws-client-vpn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trackit%2Fterraform-aws-client-vpn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trackit%2Fterraform-aws-client-vpn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trackit","download_url":"https://codeload.github.com/trackit/terraform-aws-client-vpn/tar.gz/r
efs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243695495,"owners_count":20332626,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-03-15T06:47:51.238Z","updated_at":"2025-03-15T06:47:51.885Z","avatar_url":"https://github.com/trackit.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS Client VPN Terraform module\n\nTerraform module which creates Client VPN Endpoint resources on AWS.\n\nThese types of resources are supported:\n- ACM Certificate\n- EC2 Client VPN Endpoint\n- EC2 Client VPN Network association\n- CloudWatch Log Group\n- CloudWatch Log Stream\n\n## Terraform versions\n\nTerraform 0.12 and newer.\n\n## Requirements\n\n| Name | Version |\n|------|---------|\n| terraform | \u003e= 0.12 |\n| aws | \u003e= 2.49 |\n| bash |  |\n\n## Upcoming features\n- Client certificate revocation list\n- Self Service VPN Portal\n\n\n## Terraform\n\nThis project uses Terraform to deploy infrastructure; you can download it here: https://learn.hashicorp.com/tutorials/terraform/install-cli\n\n### Deploy\n\n```sh\n$ cd ./tf\n$ terraform init\n$ terraform plan\n$ terraform apply\n```\nYou may need to add execute permission to the module scripts:\n```sh\nchmod u+x .terraform/modules/client_vpn/scripts/*\n```\n\n### Destroy\n\n```sh\n$ terraform destroy\n```\n\n## Example\n\n### Using federated authentication (best security):\n- AWS VPN Client download link: https://aws.amazon.com/vpn/client-vpn-download/\n- You can find the generated Client VPN configuration in your terraform folder.\n- Each user has a login/password to authenticate.\n\n
```hcl\nmodule \"client_vpn\" {\n  source                = \"github.com/trackit/terraform-aws-client-vpn?ref=v0.2.0\"\n  region                = \"us-east-1\"\n  env                   = \"production\"\n  cert_issuer           = \"mycompany.internal\"\n  cert_server_name      = \"mycompany\"\n  aws_tenant_name       = \"aws\"\n  clients               = [\"client\"]\n  subnet_id             = \"subnet-12345678\"\n  client_cidr_block     = \"10.250.0.0/16\"\n  target_cidr_block     = \"10.0.0.0/16\"\n  vpn_name              = \"My VPN Endpoint\"\n  client_auth           = \"federated-authentication\"\n  saml_provider_arn     = \"arn:12345678\"\n}\n```\n\n### Server certificate authentication only (less secure)\n- You can find the generated Client VPN configuration in your terraform folder.\n- Be careful: no user/password is needed, only the configuration file, so anyone holding that file can connect; do not lose it.\n\n```hcl\nmodule \"client_vpn\" {\n  source                = \"github.com/trackit/terraform-aws-client-vpn?ref=v0.2.0\"\n  region                = \"us-east-1\"\n  env                   = \"production\"\n  cert_issuer           = \"mycompany.internal\"\n  cert_server_name      = \"mycompany\"\n  aws_tenant_name       = \"aws\"\n  clients               = [\"client\"]\n  subnet_id             = \"subnet-12345678\"\n  client_cidr_block     = \"10.250.0.0/16\"\n  target_cidr_block     = \"10.0.0.0/16\"\n  vpn_name              = \"My VPN Endpoint\"\n  client_auth           = \"certificate-authentication\"\n}\n```\n\n
### Variable list\n\n| Name | Description | Type | Default |\n|------|-------------|------|---------|\n| region | Region to work on. | string | |\n| env | The environment (e.g. prod, dev, stage) | string | \"prod\" |\n| clients | A list of client certificate names | list(string) | [\"client\"] |\n| cert_issuer | Common Name for the CA certificate | list(string) | \"CA\" |\n| cert_server_name | Name for the server certificate | string | \"Server\" |\n| aws_tenant_name | Name for the AWS tenant | string | \"AWS\" |\n| key_save_folder | Where to store keys (relative to the pki folder) | string | \"clientvpn_keys\" |\n| subnet_id | The subnet ID with which the Client VPN connection is associated. | string | |\n| target_cidr_block | The CIDR block to which the client will have access, e.g. the VPC's CIDR block. | string | |\n| dns_servers | Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. | list(string) | null |\n| vpn_name | The name of the VPN Client Connection. | string | \"VPN\" |\n| cloudwatch_enabled | Indicates whether connection logging is enabled. | bool | true |\n| cloudwatch_log_group | The name of the CloudWatch log group. | string | vpn_endpoint_cloudwatch_log_group |\n| cloudwatch_log_stream | The name of the CloudWatch log stream. | string | vpn_endpoint_cloudwatch_log_stream |\n| aws_cli_profile_name | The name of the AWS CLI profile used in the scripts | string | default |\n| client_auth | The type of client authentication to be used: certificate-authentication / directory-service-authentication / federated-authentication | string | certificate-authentication |\n| active_directory_id | The ID of the Active Directory to be used for authentication if type is directory-service-authentication | string | null |\n| root_certificate_chain_arn | The ARN of the client certificate. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Only necessary when type is set to certificate-authentication. | string | null |\n| saml_provider_arn | The ARN of the IAM SAML identity provider if type is federated-authentication | string | null |\n\n
### Output\n| Name | Description |\n|------|-------------|\n| kms_sops_arn | |\n| decrypt_command | Output of the decrypt script |\n| encrypt_command | Output of the encrypt script |\n| server_certificate_arn | The ARN of the generated Server Certificate |\n| env | Environment variable |\n| pki_folder_name | Generated certificate folder |\n| client_vpn_endpoint_id | The ID of the Client VPN endpoint. |\n| client_vpn_endpoint_arn | The ARN of the Client VPN endpoint. |\n| client_vpn_endpoint_dns_name | The DNS name to be used by clients when establishing their VPN session. |\n| client_vpn_endpoint_status | The current state of the Client VPN endpoint. |\n\n## How does it work?\n\n### Server certificate generation (scripts/prepare_easyrsa.sh)\n1. Clone the latest [easy-rsa](https://github.com/OpenVPN/easy-rsa.git) repo.\n2. Generate the CA and server certificates and keys.\n3. Copy the files to the defined KEY_SAVE_FOLDER.\n4. Upload the server certificate to AWS ACM.\n\n### Client certificate generation (scripts/create_client.sh)\n1. Using the previously created PKI, generate a client certificate/key pair.\n2. Move it to the KEY_SAVE_FOLDER.\n\n
### Create a VPN Endpoint Resource\n\n```hcl\nresource \"aws_ec2_client_vpn_endpoint\" \"client_vpn\" {\n  depends_on             = [aws_acm_certificate.server_cert]\n  description            = var.vpn_name\n  server_certificate_arn = aws_acm_certificate.server_cert.arn\n  client_cidr_block      = var.client_cidr_block\n  split_tunnel           = true\n  dns_servers            = var.dns_servers\n\n  lifecycle {\n    ignore_changes = [server_certificate_arn, authentication_options]\n  }\n\n  authentication_options {\n    type                        = var.client_auth\n    active_directory_id         = var.active_directory_id\n    root_certificate_chain_arn  = var.root_certificate_chain_arn\n    saml_provider_arn           = var.saml_provider_arn\n  }\n\n  connection_log_options {\n    enabled               = var.cloudwatch_enabled\n    cloudwatch_log_group  = aws_cloudwatch_log_group.client_vpn.name\n    cloudwatch_log_stream = aws_cloudwatch_log_stream.client_vpn.name\n  }\n\n  provisioner \"local-exec\" {\n    environment = merge(local.provisioner_base_env, {\n      \"CLIENT_VPN_ID\" = self.id\n    })\n    command = \"${path.module}/scripts/authorize_client.sh\"\n  }\n\n  tags = {\n    Name = var.vpn_name\n  }\n}\n```\n\n### Authorize the VPN traffic (scripts/authorize_client.sh)\n1. With the AWS CLI, authorize traffic from CLIENT_VPN_ID to TARGET_CIDR.\n\n### Generate the VPN configuration (scripts/export_client_vpn_config.sh)\n1. With the AWS CLI, export the .ovpn configuration file.\n2. Add the client certificate to the end of it.\n3. Import the .ovpn configuration into the AWS VPN Client.\n4. Start the VPN.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrackit%2Fterraform-aws-client-vpn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrackit%2Fterraform-aws-client-vpn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrackit%2Fterraform-aws-client-vpn/lists"}