ec2 instance with openvpn

a guest
Dec 6th, 2024
112
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.63 KB | None | 0 0
  1. resource "aws_instance" "openvpn" {
  2.  
  3. subnet_id = aws_subnet.main_vpc_public_subnet_1.id
  4.  
  5. ami = data.aws_ami.al2023.id
  6. instance_type = local.openvpn.instance.type
  7. key_name = local.aws_account.keypair_name
  8. security_groups = [aws_security_group.openvpn.id]
  9.  
  10. user_data = <<-EOF
  11. #!/bin/bash
  12.  
  13. sudo su -
  14.  
  15. yum update -y && yum install -y openvpn
  16.  
  17. # Setup Easy-RSA for OpenVPN
  18. mkdir -p /etc/openvpn/easy-rsa
  19. curl -L -o /etc/openvpn/easy-rsa.tar.gz https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.5/EasyRSA-3.1.5.tgz
  20. tar -xzvf /etc/openvpn/easy-rsa.tar.gz -C /etc/openvpn/easy-rsa --strip-components=1
  21.  
  22. ln -nfs /etc/openvpn/easy-rsa/easyrsa /usr/local/bin/easyrsa
  23.  
  24. # Initialize PKI
  25. cd /etc/openvpn/easy-rsa
  26. easyrsa init-pki
  27.  
  28. # Build CA (Certificate Authority)
  29. echo -e "\n\n" | easyrsa build-ca nopass
  30.  
  31. # Generate Server Certificate and Key
  32. echo -e "\n\n" | easyrsa gen-req server nopass
  33. easyrsa sign-req server server <<< "yes"
  34.  
  35. # Generate Diffie-Hellman Parameters
  36. easyrsa gen-dh
  37.  
  38. # Copy generated files to OpenVPN directory
  39. cp pki/ca.crt /etc/openvpn/ && cp pki/issued/server.crt /etc/openvpn/ && cp pki/private/server.key /etc/openvpn/ && cp pki/dh.pem /etc/openvpn/
  40. mkdir -p /etc/openvpn/client-configs && chmod 777 /etc/openvpn/client-configs
  41.  
  42. # Configure OpenVPN
  43. cat <<EOT > /etc/openvpn/server/server.conf
  44. port 1194
  45. proto udp
  46. dev tun
  47. ca /etc/openvpn/ca.crt
  48. cert /etc/openvpn/server.crt
  49. key /etc/openvpn/server.key
  50. dh /etc/openvpn/dh.pem
  51. server 10.8.0.0 255.255.255.0
  52. push "route 3.14.17.0 255.255.255.0"
  53. push "dhcp-option DNS 8.8.8.8"
  54. push "dhcp-option DNS 8.8.4.4"
  55. keepalive 10 120
  56. cipher AES-256-CBC
  57. persist-key
  58. persist-tun
  59. #use telnet localhost 7505 to check logs & run "status"
  60. management 127.0.0.1 7505
  61. verb 3
  62. EOT
  63.  
  64. # Enable and start OpenVPN service
  65. sysctl -w net.ipv4.ip_forward=1 && sysctl -p
  66. systemctl enable openvpn-server@server && systemctl start openvpn-server@server
  67.  
  68. #Add a NAT rule to enable routing between the VPN and private subnet.
  69. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  70. iptables-save > /etc/iptables.rules
  71.  
  72. EOF
  73.  
  74. tags = {
  75. Name = local.openvpn.instance.name
  76. }
  77. }
  79. output "openvpn_endpoint" {
  80. value = aws_instance.openvpn.public_ip
  81. }
  83. resource "aws_route53_record" "openvpn" {
  84. zone_id = data.aws_route53_zone.main.zone_id
  85. name = format("%s.%s", local.openvpn.endpoint, local.aws_account.platform_main_domain)
  86. type = "CNAME"
  87. ttl = 300
  88. records = [aws_instance.openvpn.public_dns]
  89. }