Azure VPN Gateway OpenVPN
| resource "random_string" "random" { | |
| length = 8 | |
| special = false | |
| upper = false | |
| number = false | |
| } | |
| resource "azurerm_public_ip" "vpn_ip" { | |
| name = "vpn-ip" | |
| location = var.region | |
| resource_group_name = var.resource_group_name | |
| domain_name_label = random_string.random.result | |
| allocation_method = "Dynamic" | |
| tags = var.tags | |
| } | |
| resource "tls_private_key" "example" { | |
| algorithm = "RSA" | |
| rsa_bits = "2048" | |
| } | |
| # Create the root certificate | |
| resource "tls_self_signed_cert" "ca" { | |
| key_algorithm = tls_private_key.example.algorithm | |
| private_key_pem = tls_private_key.example.private_key_pem | |
| # Certificate expires after 1 year | |
| validity_period_hours = 8766 | |
| # Generate a new certificate if Terraform is run within three | |
| # hours of the certificate's expiration time. | |
| early_renewal_hours = 200 | |
| # Allow to be used as a CA | |
| is_ca_certificate = true | |
| allowed_uses = [ | |
| "key_encipherment", | |
| "digital_signature", | |
| "server_auth", | |
| "client_auth", | |
| "cert_signing" | |
| ] | |
| dns_names = [ azurerm_public_ip.vpn_ip.domain_name_label ] | |
| subject { | |
| common_name = "CAOpenVPN" | |
| organization = "dev env" | |
| } | |
| } | |
| resource "local_file" "ca_pem" { | |
| filename = "caCert.pem" | |
| content = tls_self_signed_cert.ca.cert_pem | |
| } | |
| resource "null_resource" "cert_encode" { | |
| provisioner "local-exec" { | |
| # Bootstrap script called with private_ip of each node in the clutser | |
| command = "openssl x509 -in caCert.pem -outform der | base64 -w0 > caCert.der" | |
| } | |
| depends_on = [ local_file.ca_pem ] | |
| } | |
| data "local_file" "ca_der" { | |
| filename = "caCert.der" | |
| depends_on = [ | |
| null_resource.cert_encode | |
| ] | |
| } | |
| resource "tls_private_key" "client_cert" { | |
| algorithm = "RSA" | |
| rsa_bits = "2048" | |
| } | |
| resource "tls_cert_request" "client_cert" { | |
| key_algorithm = tls_private_key.client_cert.algorithm | |
| private_key_pem = tls_private_key.client_cert.private_key_pem | |
| # dns_names = [ azurerm_public_ip.vpn_ip.domain_name_label ] | |
| subject { | |
| common_name = "ClientOpenVPN" | |
| organization = "dev env" | |
| } | |
| } | |
| resource "tls_locally_signed_cert" "client_cert" { | |
| cert_request_pem = tls_cert_request.client_cert.cert_request_pem | |
| ca_key_algorithm = tls_private_key.example.algorithm | |
| ca_private_key_pem = tls_private_key.example.private_key_pem | |
| ca_cert_pem = tls_self_signed_cert.ca.cert_pem | |
| validity_period_hours = 43800 | |
| allowed_uses = [ | |
| "key_encipherment", | |
| "digital_signature", | |
| "server_auth", | |
| "key_encipherment", | |
| "client_auth", | |
| ] | |
| } | |
| resource "azurerm_virtual_network_gateway" "vpn-gateway" { | |
| name = "vpn-gateway" | |
| location = var.region | |
| resource_group_name = var.resource_group_name | |
| type = "Vpn" | |
| active_active = false | |
| enable_bgp = false | |
| sku = "VpnGw1" | |
| ip_configuration { | |
| name = "vnetGatewayConfig" | |
| public_ip_address_id = azurerm_public_ip.vpn_ip.id | |
| private_ip_address_allocation = "Dynamic" | |
| subnet_id = azurerm_subnet.yoursubnethere.id | |
| } | |
| vpn_client_configuration { | |
| address_space = ["10.1.0.0/16"] | |
| vpn_client_protocols = ["OpenVPN"] | |
| root_certificate { | |
| name = "terraformselfsignedder" | |
| public_cert_data = data.local_file.ca_der.content | |
| } | |
| } | |
| } | |
| output "client_cert" { | |
| value = tls_locally_signed_cert.client_cert.cert_pem | |
| } | |
| output "client_key" { | |
| value = tls_private_key.client_cert.private_key_pem | |
| } | |
| output "vpn_id" { | |
| value = azurerm_virtual_network_gateway.vpn-gateway.id | |
| } |
| #!/bin/bash | |
| set -e | |
| # Get vars from TF State | |
| VPN_ID=`terraform output vpn_id` | |
| VPN_CLIENT_CERT=`terraform output client_cert` | |
| VPN_CLIENT_KEY=`terraform output client_key` | |
| # Replace newlines with \n so sed doesn't break | |
| VPN_CLIENT_CERT="${VPN_CLIENT_CERT//$'\n'/\\n}" | |
| VPN_CLIENT_KEY="${VPN_CLIENT_KEY//$'\n'/\\n}" | |
| CONFIG_URL=`az network vnet-gateway vpn-client generate --ids $VPN_ID -o tsv` | |
| wget $CONFIG_URL -O "vpnconfig.zip" | |
| # Ignore complaint about backslash in filepaths | |
| unzip -o "vpnconfig.zip" -d "./vpnconftemp"|| true | |
| OPENVPN_CONFIG_FILE="./vpnconftemp/OpenVPN/vpnconfig.ovpn" | |
| echo "Updating file $OPENVPN_CONFIG_FILE" | |
| sed -i "s~\$CLIENTCERTIFICATE~$VPN_CLIENT_CERT~" $OPENVPN_CONFIG_FILE | |
| sed -i "s~\$PRIVATEKEY~$VPN_CLIENT_KEY~g" $OPENVPN_CONFIG_FILE | |
| cp $OPENVPN_CONFIG_FILE openvpn.ovpn | |
| rm -r ./vpnconftemp | |
| rm vpnconfig.zip |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment