Playing around with Terraform CDK again. This time I am creating a WireGuard-based "Road Warrior" VPN setup that I intend to use with my Mac.
Provided are commands to start VPN servers in either DigitalOcean or Hetzner Cloud infrastructures.
This tooling could easily be adapted to just about any other cloud provider for which a Terraform provider exists and that offers VMs configurable via cloud-init.
!!BE AWARE!! USING THIS TOOLING WILL USE RESOURCES WITH YOUR CLOUD PROVIDER THAT COST MONEY !!BE AWARE!!
To use this tooling you need a recent, working NodeJS environment so that npx and npm are available in PATH. Also make and, of course, wg (from the WireGuard tools) must be there.
As for any CDK application you will need to configure the
The provider context determines which cloud provider is being used. Currently supported:
- hetzner, additionally requires hcloudToken in context
- digitalocean, additionally requires digitalOceanToken in context
You can set the context values either by creating stack/provider.json or by exporting them in CDKTF_CONTEXT_<name> environment variables:
{
"provider": "hetzner",
"hcloudToken": "my-token.."
}
or
export CDKTF_CONTEXT_provider=hetzner
export CDKTF_CONTEXT_hcloudToken=my-token...
or a mixture of both variants.
Note: Find all configurable context in stack/main.ts. Unless specified otherwise, servers are started in German locations at the smallest available sizes - I hope.
$ make up
Deploying Stack: VpnStack
Resources
✔ CLOUDINIT_CONFIG WireguardCloudInit cloudinit_config.WireguardCloudInit
✔ HCLOUD_SERVER VpnServer hcloud_server.VpnServer
✔ HCLOUD_SSH_KEY SshKey hcloud_ssh_key.SshKey
Summary: 3 created, 0 updated, 0 destroyed.
Output: client-vpn-address = 192.168.123.10/24
server-id = 16498950
server-ip = 123.123.123.123
server-status = running
server-vpn-network = 192.168.123.1/24
server-vpn-port = 51397
Use private key for client: 123abc345ABC...AB=
Use public key for server: 678xyz789XYZ...XZ=
With the above output you can create your local WireGuard client configuration file. For the output shown it would look like:
[Interface]
PrivateKey = 123abc345ABC...AB=
Address = 192.168.123.10/24
DNS = 1.1.1.1, 8.8.8.8
[Peer]
PublicKey = 678xyz789XYZ...XZ=
AllowedIPs = 0.0.0.0/0
Endpoint = 123.123.123.123:51397
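As an added helper that is not part of this project, the following Python script turns the `make up` output above into the client configuration file, checking on the way that both keys are well-formed 32-byte WireGuard keys and that the address, server IP and port actually parse. The sample output and the placeholder keys embedded in it are constructed here, not taken from a real deployment.

```python
import base64
import ipaddress
import re

# Constructed sample of the `make up` output shown in the README; the keys are
# placeholders generated here (32 arbitrary bytes), not real WireGuard keys.
CLIENT_KEY = base64.b64encode(b"client-private-key-placeholder!!").decode()
SERVER_KEY = base64.b64encode(b"server-public-key-placeholder!!!").decode()
SAMPLE_OUTPUT = f"""Output: client-vpn-address = 192.168.123.10/24
server-id = 16498950
server-ip = 123.123.123.123
server-status = running
server-vpn-network = 192.168.123.1/24
server-vpn-port = 51397
Use private key for client: {CLIENT_KEY}
Use public key for server: {SERVER_KEY}
"""

def parse_outputs(text: str) -> dict:
    """Collect the `name = value` stack outputs plus the two key lines."""
    out = {}
    for line in text.splitlines():
        line = line.removeprefix("Output:").strip()
        if m := re.fullmatch(r"([\w-]+)\s*=\s*(\S+)", line):
            out[m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"Use private key for client:\s*(\S+)", line):
            out["client-private-key"] = m.group(1)
        elif m := re.fullmatch(r"Use public key for server:\s*(\S+)", line):
            out["server-public-key"] = m.group(1)
    return out

def check_key(key: str) -> str:
    """A WireGuard key is 32 bytes, i.e. exactly 44 base64 characters."""
    if len(key) != 44 or len(base64.b64decode(key, validate=True)) != 32:
        raise ValueError(f"not a WireGuard key: {key!r}")
    return key

def render_client_config(o: dict, dns=("1.1.1.1", "8.8.8.8")) -> str:
    """Render the [Interface]/[Peer] file exactly as the README lays it out."""
    address = ipaddress.ip_interface(o["client-vpn-address"])  # validates CIDR
    endpoint_ip = ipaddress.ip_address(o["server-ip"])
    port = int(o["server-vpn-port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    return (
        f"[Interface]\nPrivateKey = {check_key(o['client-private-key'])}\n"
        f"Address = {address}\nDNS = {', '.join(dns)}\n\n"
        f"[Peer]\nPublicKey = {check_key(o['server-public-key'])}\n"
        f"AllowedIPs = 0.0.0.0/0\nEndpoint = {endpoint_ip}:{port}\n"
    )
```

The rendered text contains the client's private key, so save it with mode 0600 (wg-quick warns about world-readable configuration files).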
Note: The first execution creates the server and client key files in the keys/ sub-directory, where you can find them at any time later.
$ make down
Destroying Stack: VpnStack
Resources
✔ CLOUDINIT_CONFIG WireguardCloudInit cloudinit_config.WireguardCloudInit
✔ HCLOUD_SERVER VpnServer hcloud_server.VpnServer
✔ HCLOUD_SSH_KEY SshKey hcloud_ssh_key.SshKey
Summary: 3 destroyed.
/ : Makefile and README to document all commands
stack/ : all Terraform CDK related code
keys/ : all private and public keys used