Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/jmhale/terraform-aws-wireguard
Terraform module to deploy WireGuard on AWS
- Host: GitHub
- URL: https://github.com/jmhale/terraform-aws-wireguard
- Owner: jmhale
- License: gpl-3.0
- Created: 2018-09-18T14:10:27.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2024-06-24T14:29:53.000Z (6 months ago)
- Last Synced: 2024-12-16T06:03:01.002Z (8 days ago)
- Topics: aws, terraform, terraform-modules, vpn, wireguard
- Language: HCL
- Homepage:
- Size: 111 KB
- Stars: 131
- Watchers: 5
- Forks: 137
- Open Issues: 7
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE.md
Awesome Lists containing this project
- awesome-wireguard - terraform-aws-wireguard - Terraform module to deploy WireGuard on AWS. (Projects / Deployment)
README
# terraform-aws-wireguard
A Terraform module to deploy a WireGuard VPN server on AWS. It can also be used to run one or more servers behind a load balancer, for redundancy.
## Prerequisites
Before using this module, you'll need to generate a key pair for your server and client, and store the server's private key and client's public key in AWS SSM, which cloud-init will source and add to WireGuard's configuration.

- Install the WireGuard tools for your OS: https://www.wireguard.com/install/
- Generate a key pair for each client
  - `wg genkey | tee client1-privatekey | wg pubkey > client1-publickey`
- Generate a key pair for the server
  - `wg genkey | tee server-privatekey | wg pubkey > server-publickey`
- Add the server private key to the AWS SSM parameter `/wireguard/wg-server-private-key`
  - `aws ssm put-parameter --name /wireguard/wg-server-private-key --type SecureString --value $ServerPrivateKeyValue`
- Add each client's public key, along with the next available IP address, as a key:value pair to the `wg_client_public_keys` map. See Usage for details.

## Variables
| Variable Name | Type | Required | Description |
|---------------|------|----------|-------------|
|`subnet_ids`|`list`|Yes|A list of subnets for the Autoscaling Group to use for launching instances. May be a single subnet, but it must be an element in a list.|
|`ssh_key_id`|`string`|Yes|An SSH public key ID to add to the VPN instance.|
|`vpc_id`|`string`|Yes|The VPC ID in which Terraform will launch the resources.|
|`env`|`string`|Optional - defaults to `prod`|The name of the environment for WireGuard. Used to differentiate multiple deployments.|
|`use_eip`|`bool`|Optional|Whether to attach an [Elastic IP](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html) address to the VPN server. Useful for avoiding changing IPs.|
|`eip_id`|`string`|Optional|When `use_eip` is enabled, the ID of the Elastic IP to which the VPN server will attach.|
|`target_group_arns`|`string`|Optional|The load balancer Target Group to which the VPN server ASG will attach.|
|`additional_security_group_ids`|`list`|Optional|Used to allow additional access to reach the WireGuard servers, or to allow load balancer health checks.|
|`asg_min_size`|`integer`|Optional - defaults to `1`|Minimum number of VPN servers; only makes sense in a load-balanced scenario.|
|`asg_desired_capacity`|`integer`|Optional - defaults to `1`|Number of VPN servers to maintain; only makes sense in a load-balanced scenario.|
|`asg_max_size`|`integer`|Optional - defaults to `1`|Maximum number of VPN servers; only makes sense in a load-balanced scenario.|
|`instance_type`|`string`|Optional - defaults to `t2.micro`|Instance size of the VPN server.|
|`wg_server_net`|`cidr address and netmask`|Yes|The server IP allocation and network. `wg_client_public_keys` entries MUST be within this netmask range.|
|`wg_client_public_keys`|`list`|Yes|List of maps of client IP/netmasks and public keys. See Usage for details. See Examples for formatting.|
|`wg_server_port`|`integer`|Optional - defaults to `51820`|Port to run the WireGuard service on; the WireGuard standard is 51820.|
|`wg_persistent_keepalive`|`integer`|Optional - defaults to `25`|Regularity of keepalives, useful for NAT stability.|
|`wg_server_private_key_param`|`string`|Optional - defaults to `/wireguard/wg-server-private-key`|The Parameter Store key to use for the VPN server private key.|
|`ami_id`|`string`|Optional - defaults to the newest Ubuntu 16.04 AMI|AMI to use for the VPN server.|
|`wg_server_interface`|`string`|Optional - defaults to `eth0`|Server interface to route traffic to, for installations forwarding traffic to private networks.|

## Examples
Please see the following examples to understand usage with the relevant options.
### Simple Elastic IP/public subnet usage
See [examples/simple_eip/main.tf](examples/simple_eip/main.tf) file.
### Complex Elastic Load Balancer/private subnet usage
See [examples/complex_elb/main.tf](examples/complex_elb/main.tf) file.
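The README requires every `wg_client_public_keys` entry to sit inside `wg_server_net` and to carry a well-formed WireGuard public key, but nothing checks that before `terraform apply`. The following pre-flight validator is an added example, not part of the module; it assumes each client entry is a dict with `public_key` and `client_ip` fields, since the module's exact map layout is only shown in the examples directory.

```python
import base64
import binascii
import ipaddress

WG_KEY_BYTES = 32  # a WireGuard key is 32 Curve25519 bytes, base64-encoded (44 chars)


def is_valid_wg_key(key: str) -> bool:
    """True if `key` is strict base64 that decodes to exactly 32 bytes."""
    try:
        return len(base64.b64decode(key, validate=True)) == WG_KEY_BYTES
    except (binascii.Error, ValueError):
        return False


def validate_clients(wg_server_net: str, clients: list) -> list:
    """Return problems found (empty list = consistent). Entry shape is assumed:
    {"public_key": "<base64>", "client_ip": "a.b.c.d/32"}."""
    problems, seen_ips = [], set()
    server = ipaddress.ip_interface(wg_server_net)  # e.g. "192.168.2.1/24"
    for idx, client in enumerate(clients):
        label = f"client[{idx}]"
        if not is_valid_wg_key(client.get("public_key", "")):
            problems.append(f"{label}: public_key is not a 32-byte base64 key")
        try:
            peer = ipaddress.ip_interface(client.get("client_ip", ""))
        except ValueError:
            problems.append(f"{label}: client_ip is not a valid address/netmask")
            continue
        # README rule: every client address MUST be inside wg_server_net ...
        if peer.ip not in server.network:
            problems.append(f"{label}: {peer.ip} is outside {server.network}")
        # ... and must not reuse the server's own address or another client's.
        elif peer.ip == server.ip:
            problems.append(f"{label}: {peer.ip} collides with the server address")
        if peer.ip in seen_ips:
            problems.append(f"{label}: duplicate client_ip {peer.ip}")
        seen_ips.add(peer.ip)
    return problems


# Constructed sample data: deterministic 32-byte blobs stand in for real peer keys.
SAMPLE_KEY_A = base64.b64encode(bytes(range(32))).decode()
SAMPLE_KEY_B = base64.b64encode(bytes(range(32, 64))).decode()
SAMPLE_CLIENTS = [
    {"public_key": SAMPLE_KEY_A, "client_ip": "192.168.2.2/32"},  # fine
    {"public_key": SAMPLE_KEY_B, "client_ip": "192.168.3.2/32"},  # outside the server net
    {"public_key": "not-a-key", "client_ip": "192.168.2.1/32"},   # bad key, server's own IP
]
```

Running `validate_clients("192.168.2.1/24", SAMPLE_CLIENTS)` reports the out-of-range address, the malformed key and the collision with the server address, while a clean list returns an empty result.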
## Outputs
| Output Name | Description |
|---------------|-------------|
|`vpn_asg_name`|The name of the WireGuard Auto Scaling Group.|
|`vpn_sg_admin_id`|ID of the internal Security Group to associate with other resources that need to be reachable over the VPN.|
|`vpn_sg_external_id`|ID of the external Security Group to associate with the VPN.|

## Caveats
- I would strongly recommend forking this repo or cloning it locally and changing the `source` definition to something that you control. You really don't want your infra to be at the mercy of my changes.