Skip to main content

OpenVPN

Deploy an OpenVPN Server on AWS.

View on GitHub

Reference

  • alarms_sns_topic_arn The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications.
  • allow_manage_key_permissions_with_iam If true, both the CMK's Key Policy and IAM Policies (permissions) can be used to grant permissions on the CMK. If false, only the CMK's Key Policy can be used to grant permissions on the CMK. False is more secure (and generally preferred), but true is more flexible and convenient.
  • allow_ssh_from_cidr_list The IP address ranges in CIDR format from which to allow incoming SSH requests to the OpenVPN server.
  • allow_vpn_from_cidr_list A list of IP address ranges in CIDR format from which VPN access will be permitted. Attempts to access the OpenVPN Server from all other IP addresses will be blocked.
  • ami The AMI to run on the OpenVPN Server. This should be built from the Packer template under openvpn-server.json. One of var.ami or ami_filters is required. Set to null if looking up the ami with filters.
  • ami_filters Properties on the AMI that can be used to lookup a prebuilt AMI for use with the OpenVPN server. You can build the AMI using the Packer template openvpn-server.json. Only used if var.ami is null. One of var.ami or ami_filters is required. Set to null if passing the ami ID directly.
  • backup_bucket_name The name of the S3 bucket that will be used to backup PKI secrets. This is a required variable because bucket names must be globally unique across all AWS customers.
  • base_domain_name The base domain name to use for the OpenVPN server. Used to lookup the Hosted Zone ID to use for creating the Route 53 domain entry. Only used if create_route53_entry is true.
  • ca_cert_fields An object with fields for the country, state, locality, organization, organizational unit, and email address to use with the OpenVPN CA certificate.
  • cmk_administrator_iam_arns A list of IAM ARNs for users who should be given administrator access to this CMK (e.g. arn:aws:iam::<aws-account-id>:user/<iam-user-arn>). If this list is empty, and kms_key_arn is null, the ARN of the current user will be used.
  • cmk_external_user_iam_arns A list of IAM ARNs for users from external AWS accounts who should be given permissions to use this CMK (e.g. arn:aws:iam::<aws-account-id>:root).
  • cmk_user_iam_arns A list of IAM ARNs for users who should be given permissions to use this KMS Master Key (e.g. arn:aws:iam::1234567890:user/foo).
  • default_user The default OS user for the OpenVPN AMI. For AWS Ubuntu AMIs, which is what the Packer template in openvpn-server.json uses, the default OS user is 'ubuntu'.
  • enable_cloudwatch_alarms Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using alarms_sns_topic_arn.
  • enable_fail2ban Enable fail2ban to block brute force log in attempts. Defaults to true.
  • enable_ip_lockdown Enable ip-lockdown to block access to the instance metadata. Defaults to true.
  • external_account_arns The ARNs of external AWS accounts where your IAM users are defined. This module will create IAM roles that users in those accounts will be able to assume to get access to the request/revocation SQS queues.
  • external_account_ssh_grunt_role_arn Since our IAM users are defined in a separate AWS account, this variable is used to specify the ARN of an IAM role that allows ssh-grunt to retrieve IAM group and public SSH key info from that account.
  • force_destroy When a terraform destroy is run, should the backup s3 bucket be destroyed even if it contains files. Should only be set to true for testing/development
  • instance_type The type of instance to run for the OpenVPN Server
  • keypair_name The name of a Key Pair that can be used to SSH to this instance. Leave blank if you don't want to enable Key Pair auth.
  • name The name of the OpenVPN Server and the other resources created by these templates
  • request_queue_name The name of the sqs queue that will be used to receive new certificate requests.
  • revocation_queue_name The name of the sqs queue that will be used to receive certification revocation requests. Note that the queue name will be automatically prefixed with 'openvpn-requests-'.
  • ssh_grunt_iam_group If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this OpenVPN server. This value is only used if enable_ssh_grunt=true.
  • ssh_grunt_iam_group_sudo If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this OpenVPN server with sudo permissions. This value is only used if enable_ssh_grunt=true.
  • subnet_ids The ids of the subnets where this server should be deployed.
  • tenancy The tenancy of this server. Must be one of: default, dedicated, or host.
  • vpc_id The ID of the VPC in which to deploy the OpenVPN server.
  • vpn_search_domains A list of domains to push down to the client to resolve over VPN. This will configure the OpenVPN server to pass through domains that should be resolved over the VPN connection (as opposed to the locally configured resolver) to the client. Note that for each domain, all subdomains will be resolved as well. E.g., if you pass in 'mydomain.local', subdomains such as 'hello.world.mydomain.local' and 'example.mydomain.local' will also be forwarded to through the VPN server.
  • vpn_subnet The subnet IP and mask vpn clients will be assigned addresses from. For example, 172.16.1.0 255.255.255.0. This is a non-routed network that only exists between the VPN server and the client. Therefore, it should NOT overlap with VPC addressing, or the client won't be able to access any of the VPC IPs. In general, we recommend using internal, non-RFC 1918 IP addresses, such as 172.16.xx.yy.