Skip to content

Latest commit

 

History

History
208 lines (162 loc) · 10.5 KB

README.md

File metadata and controls

208 lines (162 loc) · 10.5 KB

Input variables

  • aws_key_name: SSH Key pair for VPN instance; can be empty if you prefer to use SSM Connect feature
  • vpc_id: The VPC id
  • public_subnet_id: One of the public subnets to create the instance
  • instance_type: Instance type of the VPN box (t3a.small for amd64 or t4g.small for arm64 are enough)
  • internal_cidrs: List of CIDRs that will be whitelisted to access the VPN server internally.
  • resource_name_prefix: All the resources will be prefixed with the value of this variable
  • volume_size: Instance EBS volume size (default is 30GB)
  • public_domain_name: Public domain name to lookup for A record
  • private_domain_name: Private domain name to lookup for A record
  • ovpn_udp_port: Port for pritunl OpenVPN UDP connections (default is 13403)
  • ovpn_udp_port: Port for pritunl Wireguard UDP connections (default is 15403)
  • additional_security_group: Additional security (created outside of module) group(s)
  • aws_iam_instance_profile: Name of iam_instance_profile to assign to EC2 instance (will be created if not supplied)
  • tags: A map of tags to add to all resources
  • whitelist_ip: Whitelist this IP for initial ssh connection; can be empty
  • platform: Choose platform type: amd64 (default) or arm64; arm64 will require you to indicate an additional custom_ami_id variable
  • custom_ami_id: custom AMI for ARM platform: should be Oracle 8.8 (see notes below)

Outputs

  • pritunl_private_ip: Private IP address of the instance
  • pritunl_public_ip: EIP of the VPN box
  • pritunl_dns_alias: Route53 DNS record created for Pritunl instance
  • aws_instance_id: EC2 instance ID
  • main_security_group_id: Main security group ID

ARM64 Notes

Module supports custom compilation of Pritunl on ARM64 (using provision_arm64.sh script). However, for that it will need a compatible AMI which should be based on Oracle Linux 8. I've used the following article to prepare such an image: Oracle Linux on AWS Graviton2/3

Basically you would need to:

  • Boot a Rocky Linux 8 ARM64 AMI from the AWS Marketplace
  • SSH into the instance using the private key, as per standard EC2 practice, with the user being "rocky"
  • Obtain the centos2ol.sh script from the Oracle Github page page via the command:
curl -O https://raw.githubusercontent.com/oracle/centos2ol/main/centos2ol.sh
  • Once you've downloaded the script, run it using the command:
sudo bash centos2ol.sh
  • Wait for the process to complete before rebooting with /sbin/reboot
  • Once the instance is up and running, SSH back in and validate that the upgrade was successful by executing the command:
cat /etc/oracle-release

You can also check the instance type using the command:

curl http://169.254.169.254/latest/meta-data/instance-type

With these steps, you'll now have Oracle Linux running on your AWS Graviton processor.

Make sure to create AMI out of the instance you've just configured and supply the AMI ID to the module for further Pritunl installation.

Pritunl version: 1.32.3571.58

Python version: 3.9.16

Golang version: 1.20.5

MongoDB: 6.0

Module Usage

Standard example for amd64 platform:

provider "aws" {
  region  = "us-east-2"
}

module "pritunl" {
  source = "slitsevych/pritunl/aws"

  aws_key_name         = "my_ssh_key"
  vpc_id               = module.vpc.vpc_id
  public_subnet_id     = element(module.vpc.public_subnets, 0)
  instance_type        = "t3a.small"
  resource_name_prefix = "pritunl"
  public_domain_name   = "example.com"
  private_domain_name  = "example.com"
  whitelist_ip         = "1.2.3.4"
}

Example for arm64 platform:

provider "aws" {
  region  = "us-east-2"
}

module "pritunl" {
  source = "slitsevych/pritunl/aws"

  platform                 = "arm64"
  aws_key_name             = "my_ssh_key"
  vpc_id                   = module.vpc.vpc_id
  public_subnet_id         = element(module.vpc.public_subnets, 0)
  instance_type            = "t4g.small"
  custom_ami_id            = "ami-0123456789ab" # provide your AMI ID (see ARM64 Notes)
  resource_name_prefix     = "pritunl-arm"
  public_domain_name       = "example.com"
  private_domain_name      = "example.com"
  whitelist_ip             = "1.2.3.4"
  ovpn_udp_port            = 15414
  wireguard_udp_port       = 15415
  aws_iam_instance_profile = "ec2-ssm-role"  # example of providing existing IAM instance profile
}

Please note that it can take few minutes (ideally 10-15 minutes) for provisioner to complete after terraform completes its process. Once completed, you should ssh to the server and run the following commands:

sudo pritunl setup-key

Once you get the key, open the Pritunl app in browser at its domain URL or IP and use the key to setup DB. After that use the following command to obtain default credentials:

sudo pritunl default-password

Once done, you can proceed with configuring the server.

Requirements

Name Version
terraform >= 1.5.0
aws >= 5.0

Providers

Name Version
aws >= 5.0

Modules

No modules.

Resources

Name Type
aws_eip.pritunl resource
aws_iam_instance_profile.ssm_profile resource
aws_iam_role.ec2_ssm_role resource
aws_iam_role_policy_attachment.ssm_policy_attach resource
aws_instance.pritunl resource
aws_route53_record.vpn resource
aws_route53_record.vpn_private resource
aws_security_group.pritunl resource
aws_security_group_rule.ssh resource
aws_ami.oracle data source
aws_iam_policy_document.assume_role data source
aws_route53_zone.private_zone data source
aws_route53_zone.public_zone data source
aws_vpc.selected data source

Inputs

Name Description Type Default Required
additional_security_group Additional security (created outside of module) group(s) list(any) [] no
aws_iam_instance_profile Name of iam_instance_profile to assign to EC2 instance string "" no
aws_key_name SSH keypair name for the VPN instance string "" no
custom_ami_id custom AMI for ARM platform: should be Oracle 8.8 string "" no
instance_type Instance type for VPN Box string "t3a.small" no
ovpn_udp_port port for pritunl OpenVPN UDP between 10000 and 19999 number 13403 no
platform Platform: amd64 or arm64 string "amd64" no
private_domain_name Private domain name to lookup for A record string "" no
public_domain_name Public domain name to lookup for A record string "" no
public_subnet_id One of the public subnet id for the VPN instance string n/a yes
resource_name_prefix All the resources will be prefixed with the value of this variable string "vpn" no
tags A map of tags to add to all resources map(any) {} no
volume_size ec2 volume size number 30 no
vpc_id Which VPC VPN server will be created in string n/a yes
whitelist_ip Whitelist of IP for initial ssh connection string "" no
wireguard_udp_port port for pritunl OpenVPN UDP between 10000 and 19999 number 15403 no

Outputs

Name Description
aws_instance_id n/a
main_security_group_id n/a
pritunl_dns_alias n/a
pritunl_private_ip n/a
pritunl_public_ip n/a