
Secure VPC for personal needs

Primary language: HCL. License: MIT.

Sec VPC

๐Ÿ” Secure VPC for personal needs. Helps you create your own VPN server in a separate VPC in a few simple steps.

๐Ÿ— Like [Crash CDK] (https://github.com/hex22a/crash-cdk) but in Terraform!

💸 Fits AWS Free Tier instances

โ˜€๏ธ Fast, but verbose setup

๐Ÿ‘ฏโ€ Mostly copy-pasting

💥 Easy to destroy

Prerequisites

🚜 Terraform. tfswitch is recommended to manage Terraform versions

🧾 AWS Account

🚜 AWS CLI

🔌 EC2 Instance Connect CLI

🤖 IAM User with the following AWS-managed policies:

  1. AmazonEC2FullAccess

  2. EC2InstanceConnect

💭 Important: Create a separate IAM user for this instead of using the account's root credentials. AmazonEC2FullAccess is a broad policy; that is acceptable for a personal account, but keep the user's access key out of version control and delete the key once the VPC is up or destroyed.

💭 Important 2: Best practice is to attach permissions to a group and then add users to that group, rather than attaching policies to the user directly. In this particular case there's not much difference, so you can do either.
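The group-then-user layout from Important 2, as an added Terraform example (it is not part of this repo; names such as sec-vpc-deployers and sec-vpc-deployer are illustrative). It attaches the two managed policies listed above to a group, adds one user to that group and mints the access key you will paste into aws configure:

```hcl
# Added example: deployer identity for this repo. The two policy ARNs are the
# AWS-managed policies named in the prerequisites; group and user names are assumed.
resource "aws_iam_group" "sec_vpc_deployers" {
  name = "sec-vpc-deployers"
}

# Attach both policies to the group, not to the user.
resource "aws_iam_group_policy_attachment" "sec_vpc_deployers" {
  for_each = toset([
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
    "arn:aws:iam::aws:policy/EC2InstanceConnect",
  ])
  group      = aws_iam_group.sec_vpc_deployers.name
  policy_arn = each.value
}

resource "aws_iam_user" "sec_vpc_deployer" {
  name = "sec-vpc-deployer"
}

# Membership is the only link between user and permissions.
resource "aws_iam_user_group_membership" "sec_vpc_deployer" {
  user   = aws_iam_user.sec_vpc_deployer.name
  groups = [aws_iam_group.sec_vpc_deployers.name]
}

# Long-lived access key for `aws configure`.
resource "aws_iam_access_key" "sec_vpc_deployer" {
  user = aws_iam_user.sec_vpc_deployer.name
}

output "deployer_access_key_id" {
  value = aws_iam_access_key.sec_vpc_deployer.id
}

# Marked sensitive so it is redacted from plain `terraform output`/plan text.
output "deployer_secret_access_key" {
  value     = aws_iam_access_key.sec_vpc_deployer.secret
  sensitive = true
}
```

This has to be applied once by an identity that already has IAM permissions (the new user cannot create itself), and the secret still lands in plaintext in the Terraform state file, so keep that state local and unshared, and retrieve the secret with terraform output -raw deployer_secret_access_key.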

Configure AWS CLI

aws configure

The tool prompts for an IAM access key ID, secret access key, default region and output format. Enter the credentials of the IAM user created above.

Deploy

# Make sure you're on the correct version of Terraform
tfswitch

# Init Terraform state and download providers
terraform init

# Plan your infra and review what will be created
terraform plan

# Deploy
terraform apply

Get the admin password

If you set up EC2 Instance Connect properly, you should be able to SSH into the instance through the AWS Console.

# Once connected to the instance, print /usr/local/openvpn_as/init.log and look for the OpenVPN default superuser password
sudo cat /usr/local/openvpn_as/init.log
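The Console SSH session above only works if the instance's security group lets the EC2 Instance Connect service reach port 22. As an added example (not this repo's code; the resource names, var.vpc_id and the assumption that your region publishes the Instance Connect prefix list are mine), this is how to restrict SSH to that AWS-managed prefix list instead of 0.0.0.0/0 while leaving the VPN ports the later steps use (443/tcp for the web UI and TCP tunnel, 1194/udp) open:

```hcl
# Added example: security group for the OpenVPN Access Server instance.
variable "vpc_id" {
  type = string
}

data "aws_region" "current" {}

# AWS-managed prefix list with the source ranges the EC2 Instance Connect
# service (and the Console's browser SSH) connects from in this region.
data "aws_ec2_managed_prefix_list" "instance_connect" {
  name = "com.amazonaws.${data.aws_region.current.name}.ec2-instance-connect"
}

resource "aws_security_group" "vpn" {
  name        = "sec-vpc-vpn"
  description = "OpenVPN Access Server: VPN traffic plus Instance Connect SSH"
  vpc_id      = var.vpc_id
}

# SSH only from the Instance Connect service, never from the whole internet.
resource "aws_vpc_security_group_ingress_rule" "ssh_instance_connect" {
  security_group_id = aws_security_group.vpn.id
  description       = "SSH via EC2 Instance Connect"
  ip_protocol       = "tcp"
  from_port         = 22
  to_port           = 22
  prefix_list_id    = data.aws_ec2_managed_prefix_list.instance_connect.id
}

# Web UI (https://PUBLIC_IP/ and /admin) and the TCP tunnel share 443.
resource "aws_vpc_security_group_ingress_rule" "https" {
  security_group_id = aws_security_group.vpn.id
  description       = "OpenVPN AS web UI and TCP tunnel"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = "0.0.0.0/0"
}

resource "aws_vpc_security_group_ingress_rule" "openvpn_udp" {
  security_group_id = aws_security_group.vpn.id
  description       = "OpenVPN UDP tunnel"
  ip_protocol       = "udp"
  from_port         = 1194
  to_port           = 1194
  cidr_ipv4         = "0.0.0.0/0"
}

# Outbound is unrestricted so the server can forward client traffic.
resource "aws_vpc_security_group_egress_rule" "all" {
  security_group_id = aws_security_group.vpn.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}
```

Because the admin UI is served on the same port as the client portal in this setup, it cannot be narrowed separately by port here; changing the default admin password (next note) is what protects it.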

💭 Important 3: Don't forget to change the admin password after first login! Until you do, the password from init.log is the only thing protecting an admin UI that is reachable from the internet.

Instance configuration is complete 🎉

Set up VPN

Server

Log in as the openvpn user at https://PUBLIC_IP/admin. You can find your public IP in the AWS Console. The server presents a self-signed certificate, so the browser will warn; either add the certificate to your keychain as trusted, or, in Google Chrome, type "thisisunsafe" while the warning tab is open to bypass it. Bypassing skips certificate validation entirely, so only do it right after deployment when you know nothing else answers on that IP; better, compare the fingerprint the browser shows with the server certificate from your Instance Connect session before typing the admin password.

Update Hostname or IP Address under Network Settings (https://PUBLIC_IP/admin/network_settings). The value in the field should be your PUBLIC_IP; client profiles are generated with it.

Create ๐Ÿ‘ฉโ€๐Ÿ’ป VPN users, click "More Settings" to set password, enable auto-login

Don't forget to "Update Running Server"

Client

Log in as a 👩‍💻 VPN user at https://PUBLIC_IP/?src=connect

Download client app if you haven't yet

Click "Yourself (autologin profile)" to download the client.ovpn file. Use this file to establish your VPN connection.

🚨 Destroy

terraform destroy

Troubleshooting

Unrecognized option or missing or extra parameter(s) in configuration: (line 4): dhcp-pre-release (2.4.4)

Access Server pushes several Windows-only directives (DHCP renew/release, DNS registration, IPv6 blocking) to clients. OpenVPN 2.4.x on a WiFi router does not know them and rejects the pushed config. If you're configuring a router with the autologin .ovpn profile from above, add the following lines to the .ovpn file in your favourite text editor; pull-filter ignore tells the client to drop those pushed options instead of failing on them.

## Add this right after the comments block, just for better arrangement
pull-filter ignore "dhcp-pre-release"
pull-filter ignore "dhcp-renew"
pull-filter ignore "dhcp-release"
pull-filter ignore "register-dns"
pull-filter ignore "block-ipv6"