This Terraform module provides a convenient solution for deploying AWS client vpn solution with the ability to manage multuple users using self-signed certificated. 
- AWS Client vpn endpoint
- Subnet associations
- Certificates for each user stored in aws parameter store
- ACM certificates
- S3 bucket for storing the Openvpn config files
- Openvpn config file for each user
| Name | Description | Type | Default | Required |
| ---------------------- | ------------------------------------------------------------------------------------------------------ | ------------------- | ------- | :------: | --- | ------------------------------------------- | --------- | ---- | --- |
| organization_name | Name of the organization | string | {} | yes |
| project-name | Name of the project | string | {} | yes |
| aws-vpn-client-list | Set of users (example "john"), the firrst item of the list will be the certificate of the server | set(string) | {} | yes |
| vpc_id | Id of the VPC | string | {} | yes |
| subnets_id | List of the subnets to deploy the vpn endpoint | list(string) | {} | yes |
| client_cidr_block | CIDR block for vpn users | string | {} | yes |
| split_tunnel | Flag to indicate if split tunnel must be used | bool | {} | yes |
| vpn_inactive_period | Flag to indicate (in minutes) when a user should be disconnected if there is no activity in the tunnel | numeric | {} | yes |
| session_timeout_hours | Flag to indicate (in hours) the session timeout | numeric | {} | yes |
| logs_retention_in_days | Retention perior for vpn logs in cloudwatch | numeric | {} | yes |
| additional_routes | List of additional routes | list(map(string)) | {} | yes | | Retention perior for vpn logs in cloudwatch | numeric | {} | yes |
locals {
cliet_vpn = {
organization_name = "mycompany"
project-name = "client-vpn"
aws-vpn-client-list = ["root", "john", "michael", "clara"]
client_cidr_block = "172.24.0.0/22"
split_tunnel = true
vpn_inactive_period = 1800
session_timeout_hours = 8
logs_retention_in_days = 7
additional_routes = [{
destination_cidr = "10.100.0.0/16"
description = "strging"
subnet_id = subnet-0b509a1c548112f26
}]
}
}
module "client-vpn" {
source = "eanselmi/client-vpn-multiple-users/aws"
version = "1.0.2"
organization_name = local.cliet_vpn.organization_name
project-name = local.cliet_vpn.project-name
aws-vpn-client-list = local.cliet_vpn.aws-vpn-client-list
vpc_id = vpc-0a959fbbb6e218299
subnets_id = [subnet-0b509a1c548112f30]
client_cidr_block = local.cliet_vpn.client_cidr_block
split_tunnel = local.cliet_vpn.split_tunnel
vpn_inactive_period = local.cliet_vpn.vpn_inactive_period
session_timeout_hours = local.cliet_vpn.session_timeout_hours
logs_retention_in_days = local.cliet_vpn.logs_retention_in_days
additional_routes = local.cliet_vpn.additional_routes
}
An important part is how to delete or revoke a user; it is not enough to remove them from the list and delete their certificate. The certificate must be revoked, and this must be done outside of Terraform, and the VPN must be updated. These are the steps:
- From AWS-Parameter-Store, download the certificate and private key of the CA
- From AWS-Parameter-Store, download the certificate that we want to revoke
- We open a terminal and go to the directory where we are going to manage the downloaded certificates
- Adjust the default_crl_days variable in your openssl.cnf config file (default value is 30 days, you can find the file with openssl version -d )
- To revoke the certificate, please execute "openssl ca -revoke user.cer -keyfile ca.key -cert ca.cer"
- Now update the CRL "openssl ca -gencrl -out revocations.crl -keyfile ca.key -cert ca.cer"
- We import the CRL to our VPN endpoint "aws ec2 import-client-vpn-client-certificate-revocation-list --certificate-revocation-list file://revocations.crl --client-vpn-endpoint-id endpoint_id --region region" We can import the CRL using the AWS console
- Validate CRL expiration date using "openssl crl -in revocations.crl -text"
| Name | Version |
|---|---|
| terraform | >= 1.1.7 |
| aws | >= 4.4.0 |
| tls | 3.1.0 |
| Name | Version |
|---|---|
| aws | >= 4.4.0 |
| tls | 3.1.0 |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_routes | Additional Routes | list(map(string)) |
[] |
no |
| aws-vpn-client-list | VPN client list | set(string) |
n/a | yes |
| client_cidr_block | AWS VPN client cidr block | string |
n/a | yes |
| logs_retention_in_days | VPN client list | number |
n/a | yes |
| organization_name | Organization name | string |
n/a | yes |
| project-name | Project name | string |
n/a | yes |
| session_timeout_hours | Session timeout hours | number |
n/a | yes |
| split_tunnel | Split tunnel traffic | bool |
n/a | yes |
| subnets_id | Subnet list for client vpn network association | list(string) |
n/a | yes |
| vpc_id | VPC ID | string |
n/a | yes |
| vpn_inactive_period | VPN inactive period in seconds | number |
n/a | yes |
No outputs.
