This is Infrastructure as Code applied to VPN. You can automate deployment of VPN tunneling servers for personal use with Terraform and Ansible executed in GitHub Actions.
- fully automated deployment and removal of VPN servers
- multicloud support
- VPN connections on TCP port 443 (typically used for HTTPS) and UDP port 53 (typically used for DNS)
- completely personal VPN servers at locations of your choice
sequenceDiagram
actor you
participant gh as GitHub
participant ht as HCP Terraform
participant cs as cloud service
participant srv as server
rect rgb(191, 223, 255, .5)
you ->> you: edit config.yml
you ->> gh: open a pull request
gh ->> ht: request to run terraform
ht ->> cs: `terraform plan`
cs ->> ht: plan
ht ->> gh: plan
gh ->> you: see the plan
end
rect rgb(191, 223, 255, .5)
you ->> gh: merge the pull request
gh ->> ht: request to run terraform
ht ->> cs: `terraform apply`
cs ->> srv: create a<br/>compute instance
srv ->> cs:
cs ->> ht: server information
ht ->> gh: server information
gh ->> srv: run ansible
srv ->> srv: start a VPN server
srv ->> gh: client files
gh ->> you: download the client files
end
rect rgb(191, 223, 255, .5)
you ->> srv: establish a VPN connection
end
- AWS
- Lightsail
- Google Cloud
- Compute Engine
- Ubuntu 24.04
- OpenVPN
Note
WireGuard is planned
- TCP (port 443)
- UDP (port 53)
- IPv4
- IPv6
- accounts
- GitHub
- HashiCorp Cloud Platform or HCP Terraform
- one or more of
- VPN client application on each client
- create an organization
- create a workspace in the CLI-driven workflow
- create a project if you deploy servers to Google Cloud
- enable the Compute Engine API
See Use dynamic credentials with the AWS provider for details.
Add a Workload Identity Pool and Provider
Additionally set this attribute mapping on the provider.
| OIDC | |
|---|---|
attribute.terraform_organization_name |
assertion.terraform_organization_name |
See Configure attribute mapping for details.
Add Permissions to the Workload Identity Principal
The principal should look like the following.
principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.terraform_organization_name/ORGANIZATION_NAME
Select Compute Admin when assigning roles to the workload identity pool principal.
1.2. set workspace-specific variables as follows
See Required Environment Variables.
See Required Environment Variables.
2.1. create a team API token of HCP Terraform
| name | value |
|---|---|
HCP_TERRAFORM_TEAM_TOKEN |
HCP Terraform team API token |
-
go to the GitHub Actions page and manually run the workflow to create an SSH key pair
-
The artifact in GitHub will be automatically deleted in 1 day.
-
unzip the downloaded file
A file with the
.pubextension is a public key. The other file is a private key.
3.2.1. set a repository secret
| name | value |
|---|---|
SSH_PRIVATE_KEY |
SSH private key |
3.2.2. set a repository variable
| name | value |
|---|---|
SSH_PUBLIC_KEY |
SSH public key |
- add or edit
config.yml
See config-example.yml for example.
Tip
You can use get-blueprints and get-bundles commands in
CloudShell to
list Lightsail blueprints and bundles.
- open a pull request
- check the plan at the summary on the GitHub Actions page
- merge the pull request if the plan is fine
- check the deployment on the GitHub Actions page
Tip
You can add more servers or clients by running the same steps.
Tip
to remove all the existing servers, make config.yml look like the one below
and follow the same steps as to add servers
terraform_cloud:
organization:
name: my_organization_2558
workspace: my_workspace
google_cloud:
project_id: my-project-147248
servers:- download the artifact for VPN client files from the GitHub Actions page
- optionally, edit the files as you like
- move the files to each client
- make a VPN connection on each client using the VPN application