terraform-aws-vpn-ec2-libreswan-example

What it is

A Terraform configuration for an AWS Site-to-Site VPN connected to a Libreswan software VPN running on an EC2 instance.

What it does

Demonstrates the following:

• How to provision an AWS site-to-site VPN with Terraform
• How to connect Libreswan VPN software to a site-to-site VPN in Amazon Web Services

Prerequisites

• An AWS account
• Administrative privileges in the AWS account (e.g. access to an IAM user or role that has the AdministratorAccess AWS managed IAM policy attached)
• The following software:
  • Git
  • Terraform (version 1.3 or later)
  • SSH
  • AWS CLI configured with credentials for the aforementioned privileges

How to use it

The following instructions use AWS CloudShell, a browser-based shell that simplifies deployment by providing a predictable, reproducible environment.

1. Log into the AWS Management Console and launch CloudShell.
2. Install plugin for DNF.

   sudo dnf install -y 'dnf-command(config-manager)'
       

3. Add the Terraform repository.

   sudo dnf config-manager \
        --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
       

4. Install the terraform package.

   sudo dnf install -y terraform
       

5. Clone the repository.

   git clone https://github.com/RhubarbSin/terraform-aws-vpn-ec2-libreswan-example.git
       

6. Change to the repository’s directory.

   cd terraform-aws-vpn-ec2-libreswan-example
       

7. Initialize the working directory.

   terraform init
       

8. Validate the configuration.

   terraform validate
       

9. Generate an execution plan to see what actions Terraform would take to apply the current configuration.

   terraform plan
       

10. Create the infrastructure.

    terraform apply -auto-approve
        

11. After a few minutes, the VPN tunnel should be active and can be inspected and tested in various ways.
    • Show the status of the AWS VPN tunnel:

      aws ec2 describe-vpn-connections \
          --output text \
          --query VpnConnections[0].VgwTelemetry[0].Status \
          --region $(terraform output -raw vpn_region) \
          --vpn-connection-ids $(terraform output -raw vpn_connection_id)
              

    • Show the status of the Libreswan VPN tunnel:

      ssh -o StrictHostKeyChecking=no \
          -i $(terraform output -raw ssh_key_file_name) \
          ec2-user@$(terraform output -raw libreswan_instance_public_ip) \
          sudo ipsec auto status
              

    • Ping the EC2 instance on the AWS VPN end of the tunnel from the EC2 instance running Libreswan:

      ssh -o StrictHostKeyChecking=no \
          -i $(terraform output -raw ssh_key_file_name) \
          ec2-user@$(terraform output -raw libreswan_instance_public_ip) \
          ping -c 3 $(terraform output -raw vpn_instance_private_ip)
              

    • Ping the EC2 instance running Libreswan from the EC2 instance on the AWS VPN end of the tunnel:

      ssh -o StrictHostKeyChecking=no \
          -i $(terraform output -raw ssh_key_file_name) \
          ec2-user@$(terraform output -raw vpn_instance_public_ip) \
          ping -c 3 $(terraform output -raw libreswan_instance_private_ip)
              

    The status of the AWS VPN can also be viewed via the AWS Management Console by selecting Site-to-Site VPN connections on the VPC Console.

12. When finished, delete all of the resources by destroying the infrastructure.

    terraform apply -destroy -auto-approve
        

Details

The resources deployed include the following:

• Two VPCs in separate regions
• One key pair to connect to the instances using SSH
• One EC2 instance with an Elastic IP in each VPC
• One site-to-site VPN connection communicating with Libreswan running on the EC2 instance in the other region