/terraform-ibm-client-to-site-vpn

Creates a client-to-site VPN gateway in a VPC

Primary LanguageHCLApache License 2.0Apache-2.0

Client to Site VPN Module

Stable (With quality checks) Build status pre-commit latest release Renovate enabled semantic-release

This module automates the provisioning of a client-to-site VPN in a VPC cluster. For more information, see About client-to-site VPN servers in the IBM Cloud docs.

Network topology

The VPN server is deployed in a selected multizone (MZR) region and VPC.

img.png

Considerations

  • Scaling considerations: The aggregation bandwidth for the stand-alone VPN is 600 Mbps and for the high availability VPN is 1200 Mbps.
  • Client IPv4 address pool: The client-to-site VPN assigns an IP address to the connecting client from the client IPv4 address pool (CIDR Range). This CIDR range must not overlap with VPC address prefixes.
  • Subnets: This module supports creation of both stand-alone and high availability VPN servers. The stand-alone VPN server needs one subnet while the two subnets are required for High availability VPN servers.
  • VPN Server authentication: The VPN server certificate is needed at the time of provisioning of the VPN server. The server certificate CRN in the IBM Cloud Secrets Manager is required.
  • VPN Client authentication: The client authentication method is required at the time of provisioning of the VPN server. The VPN server supports "username" based authentication. There is no support for the "certificate" based authentication at this point of time.
  • Split tunnel mode: This module provisions a client-to-site VPN with the split tunnel mode. When the VPN connection is set up, an encrypted tunnel is created over the internet to the VPN server. The split tunnel mode supports sending private traffic that is destined to the VPC inside the VPN tunnel and sending public traffic (internet traffic) outside the VPN tunnel.

Setting up a client VPN environment and connecting to a VPN server

This module has an option to provision access group, policy and users to connect to the VPN when create_policy flag is true. Provide list of users needed Client to Site VPN access in the cts_vpn_access_group_users variable.

Once Client to Site VPN is deployed with access groups, follow these steps:

  1. On the VPN server page, go to the Clients tab, and then click Download client profile to download the client configuration file (<vpn_server>.ovpn).
  2. Download and install the OpenVPN client.
  3. Import this configuration file in the OpenVPN client and connect to the client-to-site VPN server.
  4. Add users to the access group either in IAM dashboard or by adding users' email id to var.vpn_client_access_group_users.
  5. Go to https://iam.cloud.ibm.com/identity/passcode to generate the passcode.

VPN server limitations

For more information about the current VPN server limitations, see VPN server limitations.

Usage

# Replace "master" with a GIT release version to lock into a specific release
module "client-to-site-vpn" {
  source            = "git::https://github.com/terraform-ibm-module/terraform-ibm-client-to-site-vpn.git?ref=main"
  server_cert_crn   = "crn:<...>" # CRN to a server secret or certificate in Secrets Manager
  vpn_gateway_name  = "example-vpn"
  resource_group_id = "65xxxxxxxxxxxxxxxa3fd"
  secret_manager_instance_guid = "839fxxxx-xxxx-xxxx-xxxx-xxxxxxx913b9"
  subnet_ids        = ["0726-ec96c7cd-46f4-4969-9009-7613f8e9e93"] # A list of IDs of subnets dedicated to the VPN in the VPC.
}

Required IAM access policies

You need the following permissions to run this module.

  • IAM services
    • VPC Infrastructure services
      • Editor platform access
    • No service access
      • Resource Group <your resource group>
      • Viewer resource group access

For more information about the access you need to run all the GoldenEye modules, see GoldenEye IAM permissions.

Examples

Requirements

Name Version
terraform >= 1.0.0
ibm >= 1.51.0

Modules

No modules.

Resources

Name Type
ibm_iam_access_group.cts_vpn_access_group resource
ibm_iam_access_group_members.cts_vpn_access_group_users resource
ibm_iam_access_group_policy.cts_vpn_access_group_policy resource
ibm_iam_authorization_policy.policy resource
ibm_is_vpn_server.vpn resource
ibm_is_vpn_server_route.server_route resource

Inputs

Name Description Type Default Required
access_group_name Name of the IAM Access Group to create if var.create_policy is true string "client-to-site-vpn-access-group" no
client_auth_methods Client authentication method string "username" no
client_dns_server_ips DNS server addresses that will be provided to VPN clients connected to this VPN server list(string) [] no
client_idle_timeout The seconds a VPN client can be idle before this VPN server will disconnect it. Default set to 30m (1800 secs). Specify 0 to prevent the server from disconnecting idle clients. number 1800 no
client_ip_pool Client IP pool for the VPN string "10.0.0.0/20" no
create_policy Set to true to create a new access group (using the value of var.access_group_name) with a VPN Client role bool true no
create_s2s_auth_policy Create IAM Service to Service Authorization to allow communication between all VPN Servers (scoped to the given resource group) and the given Secrets Manager instance. Currently not possible to scope the policy to the exact VPN server ID since the policy is needed before the instance exists as it uses the cert stored in secrets manager during the provisioning process. bool true no
enable_split_tunneling Enables split tunnel mode for the Client to Site VPN Creation bool true no
resource_group_id ID of the resource group to use when creating the VPC string n/a yes
secrets_manager_id ID of the Secrets Manager that contains the certificate to use for the VPN, only required when create_s2s_auth_policy is true. string null no
server_cert_crn CRN of a secret in Secrets Manager that contains the certificate to use for the VPN string n/a yes
subnet_ids List must have at least 1 subnet ID for standalone VPN and at least 2 subnet IDs for the High Availability mode. list(string) n/a yes
vpn_client_access_group_users List of users to optionally add to the Client to Site VPN Access Group if var.create_policy is true list(string) [] no
vpn_gateway_name Name of the VPN string "test" no
vpn_server_routes Map of server routes to be added to created VPN server. 
map(object({
    destination = string
    action      = string
  }))
 {} no

Outputs

Name Description
vpn_server_certificate_secret_crn CRN of the client to site vpn server certificate secret stored in Secrets Manager
vpn_server_id Client to Site VPN ID

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.