Skip to content

hazelops/terraform-aws-wireguard

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
examples
examples
 
 
templates
templates
 
 
.gitignore
.gitignore
 
 
LICENSE.md
LICENSE.md
 
 
README.md
README.md
 
 
iam.tf
iam.tf
 
 
main.tf
main.tf
 
 
sg.tf
sg.tf
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

Repository files navigation

Terraform AWS WireGuard

A Terraform module to deploy a WireGuard VPN server on AWS.

Prerequisites

Before using this module, you'll need to:

  1. Install the WireGuard tools for your OS.

  2. Generate a key pair for each client with a WireGuard tool:

    wg genkey | tee client1-privatekey | wg pubkey > client1-publickey

  3. Generate a key pair for the server with a WireGuard tool:

    wg genkey | tee server-privatekey | wg pubkey > server-publickey

  4. Add each client's public key, along with the next available IP address to the wg_clients list.

  5. Add server's private key to the wg_server_private_key variable. You can use AWS SSM Parameter store to store and read server private key. 5.1 To store the private key you could use this command:

     aws ssm put-parameter --name /wireguard/wg-server-private-key --type SecureString --value <Your Server Private Key>

  6. To create working configuration for the GUI WireGuard client, you should create a conf file from this template:

[Interface]
PrivateKey = <Your Client Private Key>
ListenPort = 51820
Address = 10.0.0.4/32 # Set your client's local ip address 
DNS = 8.8.8.8

[Peer]
PublicKey = <Public Key of Your WireGuard Server>
AllowedIPs = 10.0.0.0/24
Endpoint = <IP or Domain Name of Your WireGuard Server>:51820
PersistentKeepalive = 25

Save this file as <Your VPN Name>.conf. Then you could import your configuration in WireGuard GUI client or share it with end users.

If you want to save or share more than one conf file - you can add them to single zip file without folders.

WireGuard GUI client support import of zipped configurations.

Requirements

Name Version
terraform >= 0.13.5
aws ~> 3.0

Providers

Name Version
aws ~> 3.0
template n/a

Modules

No modules.

Resources

Name Type
aws_autoscaling_group.wireguard_asg resource
aws_eip.wireguard resource
aws_iam_instance_profile.wireguard_profile resource
aws_iam_policy.wireguard_policy resource
aws_iam_role.wireguard_role resource
aws_iam_role_policy_attachment.wireguard_roleattach resource
aws_launch_configuration.wireguard_launch_config resource
aws_route53_record.wireguard resource
aws_security_group.sg_wireguard resource
aws_ami.ubuntu data source
aws_caller_identity.current data source
aws_iam_policy_document.ec2_assume_role data source
aws_iam_policy_document.wireguard_policy_doc data source
template_file.wg_client_data_json data source

Inputs

Name Description Type Default Required
env The name of environment for WireGuard. Used to differentiate multiple deployments. any n/a yes
instance_type The machine type to launch, some machines may offer higher throughput for higher use cases. string "t3.nano" no
region n/a string n/a yes
route53_hosted_zone_id Route53 Hosted zone ID. string null no
route53_record_name Route53 Record name. string null no
ssh_key_id A SSH public key ID to add to the VPN instance. any n/a yes
subnet_ids A list of subnets for the Autoscaling Group to use for launching instances. May be a single subnet, but it must be an element in a list. list(string) n/a yes
target_group_arns Running a scaling group behind an LB requires this variable, default null means it won't be included if not set. list(string) null no
use_eip Whether to enable Elastic IP switching code in user-data on wg server startup. If true, eip_id must also be set to the ID of the Elastic IP. bool false no
use_route53 Whether to use Route53 bool false no
vpc_id The VPC ID in which Terraform will launch the resources. any n/a yes
wg_clients List of client objects with IP and public key. See Usage in README for details. list(object({ client_friendly_name = string, client_public_key = string, client_allowed_cidr = string })) n/a yes
wg_persistent_keepalive Persistent Keepalive - useful for helping connection stability over NATs. number 25 no
wg_server_interface The default interface to forward network traffic to. string "eth0" no
wg_server_net IP range for vpn server - make sure your Client ips are in this range but not the specific ip i.e. not .1 string "10.0.0.1/24" no
wg_server_port Port for the vpn server. number 51820 no
wg_server_private_key WG server private key. string n/a yes

Outputs

No outputs.

About

No description, website, or topics provided.

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases 2

Terraform AWS Wireguard Latest
Aug 11, 2021
+ 1 release

Packages

No packages published

Languages