Skip to content

Latest commit

 

History

History
114 lines (88 loc) · 7.36 KB

README.md

File metadata and controls

114 lines (88 loc) · 7.36 KB

Terraform AWS WireGuard

A Terraform module to deploy a WireGuard VPN server on AWS.

Prerequisites

Before using this module, you'll need to:

  1. Install the WireGuard tools for your OS.

  2. Generate a key pair for each client with a WireGuard tool:

    wg genkey | tee client1-privatekey | wg pubkey > client1-publickey
  3. Generate a key pair for the server with a WireGuard tool:

    wg genkey | tee server-privatekey | wg pubkey > server-publickey
  4. Add each client's public key, along with the next available IP address to the wg_clients list.

  5. Add server's private key to the wg_server_private_key variable. You can use AWS SSM Parameter store to store and read server private key. 5.1 To store the private key you could use this command:

     aws ssm put-parameter --name /wireguard/wg-server-private-key --type SecureString --value <Your Server Private Key>
  6. To create working configuration for the GUI WireGuard client, you should create a conf file from this template:

[Interface]
PrivateKey = <Your Client Private Key>
ListenPort = 51820
Address = 10.0.0.4/32 # Set your client's local ip address 
DNS = 8.8.8.8

[Peer]
PublicKey = <Public Key of Your WireGuard Server>
AllowedIPs = 10.0.0.0/24
Endpoint = <IP or Domain Name of Your WireGuard Server>:51820
PersistentKeepalive = 25

Save this file as <Your VPN Name>.conf. Then you could import your configuration in WireGuard GUI client or share it with end users.

If you want to save or share more than one conf file - you can add them to single zip file without folders.

WireGuard GUI client support import of zipped configurations.

Requirements

Name Version
terraform >= 0.13.5
aws ~> 3.0

Providers

Name Version
aws ~> 3.0
template n/a

Modules

No modules.

Resources

Name Type
aws_autoscaling_group.wireguard_asg resource
aws_eip.wireguard resource
aws_iam_instance_profile.wireguard_profile resource
aws_iam_policy.wireguard_policy resource
aws_iam_role.wireguard_role resource
aws_iam_role_policy_attachment.wireguard_roleattach resource
aws_launch_configuration.wireguard_launch_config resource
aws_route53_record.wireguard resource
aws_security_group.sg_wireguard resource
aws_ami.ubuntu data source
aws_caller_identity.current data source
aws_iam_policy_document.ec2_assume_role data source
aws_iam_policy_document.wireguard_policy_doc data source
template_file.wg_client_data_json data source

Inputs

Name Description Type Default Required
env The name of environment for WireGuard. Used to differentiate multiple deployments. any n/a yes
instance_type The machine type to launch, some machines may offer higher throughput for higher use cases. string "t3.nano" no
region n/a string n/a yes
route53_hosted_zone_id Route53 Hosted zone ID. string null no
route53_record_name Route53 Record name. string null no
ssh_key_id A SSH public key ID to add to the VPN instance. any n/a yes
subnet_ids A list of subnets for the Autoscaling Group to use for launching instances. May be a single subnet, but it must be an element in a list. list(string) n/a yes
target_group_arns Running a scaling group behind an LB requires this variable, default null means it won't be included if not set. list(string) null no
use_eip Whether to enable Elastic IP switching code in user-data on wg server startup. If true, eip_id must also be set to the ID of the Elastic IP. bool false no
use_route53 Whether to use Route53 bool false no
vpc_id The VPC ID in which Terraform will launch the resources. any n/a yes
wg_clients List of client objects with IP and public key. See Usage in README for details. list(object({ client_friendly_name = string, client_public_key = string, client_allowed_cidr = string })) n/a yes
wg_persistent_keepalive Persistent Keepalive - useful for helping connection stability over NATs. number 25 no
wg_server_interface The default interface to forward network traffic to. string "eth0" no
wg_server_net IP range for vpn server - make sure your Client ips are in this range but not the specific ip i.e. not .1 string "10.0.0.1/24" no
wg_server_port Port for the vpn server. number 51820 no
wg_server_private_key WG server private key. string n/a yes

Outputs

No outputs.