
oozou/terraform-aws-pritunl-vpn


AWS VPN (Pritunl) Terraform Module

Terraform module that creates an EC2 instance running Pritunl VPN on AWS, fronted by public and private load balancers.

Usage

module "vpn" {
  source = "git@github.com:<repository_name>/terraform-aws-pritunl-vpn.git?ref=v0.0.0"

  prefix             = "example"
  environment        = "dev"
  vpc_id             = "vpc-xxx"
  public_subnet_ids  = ["subnet-xxx", "subnet-xxx", "subnet-xxx"]
  private_subnet_ids = ["subnet-xxx", "subnet-xxx", "subnet-xxx"]

  instance_type             = "t3a.small"
  is_create_route53_reccord = true
  route53_zone_name         = "example.com"
  public_lb_vpn_domain      = "vpn"         # vpn.example.com
  private_lb_vpn_domain     = "vpn-console" # vpn-console.example.com
  is_enabled_https_public   = true

  security_group_ingress_rules = {
    allow_to_connect_vpn = {
      port        = "12383"
      cidr_blocks = ["0.0.0.0/0"]
      protocol    = "udp"
    }
  }

  tags = {
    workspace = "local-test"
  }
}

HOW TO SET UP PRITUNL-VPN

GO TO SSM CONSOLE FOR SESSION MANAGER


Get Default Password

  sudo pritunl default-password # save for first login


Login


Server Setting

Require

  • Public Address: set to the public DNS name or the public load balancer that VPN clients will use to connect

Optional

  • Username: new username for connecting to the VPN server
  • New Password: new password for connecting to the VPN server


Create organization

  • Click on "Users" in the nav bar
  • Click on "Add Organization"


Create Server

  • Click on "Servers" in the nav bar

  • Click on the "Add Server" button

  • Configure the server

    • Name: anything
    • Port: 12383 by default (must match the security group ingress rule)
    • DNS Server: default 8.8.8.8
    • Virtual Network: leave the default (the CIDR must be available)


Attach Organization to Server

  • Click on the "Attach Organization" button

Start VPN Server

  • Click on the "Start Server" button

  • Done

Add User To Access VPN

Create User

  • Click on "Users" in the nav bar
  • Click on the "Add User" button

Config User

  • Configure the user
    • Name: anything
    • Pin: password used to access the VPN


Download VPN File

Set VPN Server to Private

module "pritunl_vpn" {
  . . .
  is_enabled_https_public = false
}
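Added example (not from the module's own docs) that combines the Usage block with the private-console setting above into a locked-down variant: the Pritunl console stays on the private load balancer and the UDP port is opened only to known client ranges instead of 0.0.0.0/0. The CIDR values are constructed placeholders, and custom_https_allow_cidr is assumed to be the list of CIDRs allowed to reach the console port on the instance.

```hcl
module "vpn" {
  source = "git@github.com:<repository_name>/terraform-aws-pritunl-vpn.git?ref=v0.0.0"

  prefix             = "example"
  environment        = "prod"
  vpc_id             = "vpc-xxx"
  public_subnet_ids  = ["subnet-xxx", "subnet-xxx", "subnet-xxx"]
  private_subnet_ids = ["subnet-xxx", "subnet-xxx", "subnet-xxx"]

  is_create_route53_reccord = true
  route53_zone_name         = "example.com"
  public_lb_vpn_domain      = "vpn"         # vpn.example.com (clients)
  private_lb_vpn_domain     = "vpn-console" # vpn-console.example.com (admins)

  # Serve the HTTPS admin console from the private load balancer only,
  # so it is not reachable from the internet.
  is_enabled_https_public = false

  # Assumed to limit HTTPS (console) access on the instance to these CIDRs.
  # 10.20.0.0/16 is a constructed placeholder for the admin/VPC network.
  custom_https_allow_cidr = ["10.20.0.0/16"]

  # VPN client traffic (UDP 12383, matching the Pritunl server port) is
  # allowed only from known client egress ranges; the two CIDRs below are
  # documentation ranges used as placeholders, not real client networks.
  security_group_ingress_rules = {
    allow_to_connect_vpn = {
      port        = "12383"
      cidr_blocks = ["203.0.113.0/24", "198.51.100.0/24"]
      protocol    = "udp"
    }
  }

  tags = {
    workspace = "prod"
  }
}
```

The port in allow_to_connect_vpn and the Port field chosen in "Create Server" must agree, otherwise clients cannot reach the server even though the console works.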

Migration

Mount New EFS to Old Pritunl VPN

Config Security Group Client

Add the efs-client security group of the new EFS to the old Pritunl VPN instance:

  • Go to the EC2 console
  • Select the old pritunl-vpn instance -> Actions -> Security -> Change security groups
  • Add the EFS client security group so the instance can mount the EFS

Mount New EFS To Old Pritunl VPN

  • Connect to the old pritunl-vpn instance
  • Mount the EFS:

  sudo mkdir /efs
  sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport <efs_dns_name>:/ /efs

Config MongoDB

Dump Mongodb From Old Pritunl VPN

mongodump --db=pritunl   # dump the pritunl database
mv dump/ /efs/dump       # move the dump onto the EFS

Restore MongoDB in New Pritunl VPN

mongorestore /efs/dump


Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| aws | >= 4.0.0 |

Providers

| Name | Version |
|------|---------|
| aws | 4.36.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| efs | oozou/efs/aws | 1.0.4 |
| launch_template | oozou/launch-template/aws | 1.0.3 |

Resources

| Name | Type |
|------|------|
| aws_autoscaling_group.this | resource |
| aws_autoscaling_policy.this | resource |
| aws_iam_instance_profile.this | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy.this | resource |
| aws_iam_role_policy_attachment.this | resource |
| aws_lb.private | resource |
| aws_lb.public | resource |
| aws_lb_listener.private | resource |
| aws_lb_listener.public | resource |
| aws_lb_target_group.private | resource |
| aws_lb_target_group.public | resource |
| aws_route53_record.private | resource |
| aws_route53_record.public | resource |
| aws_security_group.this | resource |
| aws_security_group_rule.ingress | resource |
| aws_ami.amazon_linux | data source |
| aws_iam_policy_document.this | data source |
| aws_iam_policy_document.this_assume_role | data source |
| aws_route53_zone.this | data source |
| aws_vpc.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| additional_sg_attacment_ids | (Optional) The IDs of additional security groups to attach. | list(string) | [] | no |
| ami | (Optional) AMI to use for the instance. Required unless launch_template is specified and the Launch Template specifies an AMI. If an AMI is specified in the Launch Template, setting ami will override the AMI specified in the Launch Template. | string | "" | no |
| custom_https_allow_cidr | CIDR blocks allowed HTTPS access for configuring Pritunl VPN. | list(string) | null | no |
| efs_backup_policy_enabled | If true, turns on automatic EFS backups. | bool | true | no |
| enable_ec2_monitoring | Enables/disables detailed monitoring. | bool | false | no |
| enabled_backup | Enable EFS backup. | bool | true | no |
| environment | Environment name, used as a prefix. | string | n/a | yes |
| instance_type | (Optional) The instance type to use for the instance. Updates to this field will trigger a stop/start of the EC2 instance. | string | "t2.medium" | no |
| is_create_private_lb | If true, this module will not create the private LB (cost optimization). | bool | true | no |
| is_create_route53_reccord | If true, creates Route53 records for the VPN and the VPN console. | bool | false | no |
| is_create_security_group | Flag to toggle security group creation. | bool | true | no |
| is_enabled_https_public | If true, enables HTTPS on the public load balancer; otherwise enables it on the private load balancer. | bool | true | no |
| key_name | Key name of the Key Pair to use for the VPN instance; which can be managed using | string | null | no |
| prefix | The customer prefix displayed in the AWS console and in resource names. | string | n/a | yes |
| private_lb_vpn_domain | Domain of the VPN console; the resulting name is <var.vpn_domain>.<var.route53_zone_name>. | string | "vpn-console" | no |
| private_rule | Private rule for VPN connections. | list(object({ port = number, protocol = string, health_check_port = number, health_check_protocol = string })) | [] | no |
| private_subnet_ids | The list of private subnet IDs in the VPC in which to deploy the instance and the private LB for the VPN. | list(string) | n/a | yes |
| public_lb_vpn_domain | Domain of the VPN; the resulting name is <var.vpn_domain>.<var.route53_zone_name>. | string | "vpn" | no |
| public_rule | Public rule for VPN connections. | list(object({ port = number, protocol = string, health_check_port = number, health_check_protocol = string })) | [{"health_check_port": 443, "health_check_protocol": "TCP", "port": 12383, "protocol": "UDP"}] | no |
| public_subnet_ids | The list of subnet IDs in the VPC in which to deploy the public load balancer. | list(string) | n/a | yes |
| route53_zone_name | The name of the hosted zone. | string | "" | no |
| security_group_ingress_rules | Map of ingress rules and any specific/overriding attributes to be created. | any | {"allow_to_connect_vpn": {"cidr_blocks": ["0.0.0.0/0"], "port": "12383", "protocol": "udp"}} | no |
| tags | Additional tags; the default tags contain {terraform=true, environment=var.environment}. | map(string) | {} | no |
| vpc_id | The ID of the VPC. | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| efs_dns_name | The DNS name of the file system. |
| efs_id | The ID that identifies the file system for Pritunl VPN. |
| lb_private_dns | The DNS name of the private load balancer. |
| lb_public_dns | The DNS name of the public load balancer. |
| security_group_arn | ARN of the security group associated with this EC2 instance. |
| security_group_id | ID of the security group associated with this EC2 instance. |
| vpn_private_dns | Private DNS name for connecting to the VPN server. |
| vpn_public_dns | Public DNS name for connecting to the VPN server. |