The WireGuard® Terraform module combines the WireGuard® kernel module (the core component) with the Subspace UI, which manages WireGuard peer keys, to provide a highly available VPN server with a self-service user portal.
This module uses AWS ECS and an Auto Scaling Group (ASG) to provide a scalable API, AWS EFS to store peer keys, and Route53 to route network traffic globally. To meet a high security standard, in-transit encryption is enabled both for internet traffic (between clients and a server) and for intra-network communication (between a server and EFS). Moreover, EFS encrypts data at rest and allows access only to the WireGuard ECS instance.
- Self-healing WireGuard/Subspace API
- Multi-AZ scaling support
- Encrypted and highly available (regional) EFS storage
- Subspace UI with a self-service option (SAML authentication must be enabled)
Although we aim to achieve the highest data security standards, we are aware that our approach has certain drawbacks, so please use this module with caution.
Usage example:

```hcl
module "vpn" {
  source = "../"

  # General settings, used for resource identifiers and tags
  namespace   = "Project"
  env_code    = "ops"
  environment = "Operations"
  cost_center = "Infrastructure"

  # Domain configuration:
  # fqdn = <subspace_subdomain>.<root_domain> = vpn.example.com
  subspace_subdomain = "vpn"
  root_domain        = "example.com"

  # subnet_ids must reference public subnets
  subnet_ids = ["subnet-public12345"]

  # WireGuard internal network CIDR.
  # NOTE: DO NOT overlap the WireGuard network CIDR with the AWS VPC network CIDR
  wg_ipv4_network = "10.250.0.0/24"
}
```
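A pre-apply check for the CIDR note above, added here as an example and not part of the module: it assumes the caller knows the VPC CIDR, and it applies the inputs table's rule that an empty `wg_allowed_ips` falls back to the VPC CIDR.

```python
"""Constructed pre-apply sanity check for the module's WireGuard network inputs.

Not part of the module: it mirrors the README's note that wg_ipv4_network must
not overlap the VPC CIDR, and the inputs table's rule that an empty
wg_allowed_ips defaults to the VPC CIDR. The VPC CIDR is assumed to be known.
"""
import ipaddress
from typing import List


def resolve_allowed_ips(vpc_cidr: str, wg_allowed_ips: List[str]) -> List[str]:
    """An empty wg_allowed_ips means 'route the VPC CIDR through the tunnel'."""
    return [vpc_cidr] if not wg_allowed_ips else list(wg_allowed_ips)


def check_wg_network(wg_ipv4_network: str, vpc_cidr: str,
                     wg_allowed_ips: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the inputs are consistent."""
    problems: List[str] = []
    try:
        # strict=True rejects CIDRs with host bits set, e.g. 10.250.0.1/24
        wg_net = ipaddress.ip_network(wg_ipv4_network, strict=True)
        vpc_net = ipaddress.ip_network(vpc_cidr, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]

    # The README's NOTE: tunnel address space must not overlap the VPC, or
    # VPC traffic routed into the tunnel collides with peer addresses.
    if wg_net.overlaps(vpc_net):
        problems.append(f"wg_ipv4_network {wg_net} overlaps VPC CIDR {vpc_net}")

    for entry in resolve_allowed_ips(vpc_cidr, wg_allowed_ips):
        try:
            allowed = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"wg_allowed_ips entry invalid: {exc}")
            continue
        # A /0 entry routes all client traffic through the VPN (full tunnel),
        # which is a different exposure than the split tunnel the default gives.
        if allowed.prefixlen == 0:
            problems.append(f"wg_allowed_ips {allowed} turns the VPN into a full tunnel")
    return problems


if __name__ == "__main__":
    # Constructed values matching the usage example; VPC CIDR is assumed.
    print(check_wg_network("10.250.0.0/24", "10.0.0.0/16", []))
```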
Requirements:

Name | Version |
---|---|
terraform | >= 1.0.0 |
aws | ~> 3.40 |

Providers:

Name | Version |
---|---|
aws | ~> 3.40 |
random | n/a |
template | n/a |

Modules:

No modules.
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_tags | n/a | map(string) | `{}` | no |
cost_center | Resource tag for easier billing search and reports | string | n/a | yes |
env_code | Short environment name tag (e.g. dev, stg, prod) | string | n/a | yes |
environment | Full environment name tag (e.g. Development, Staging, Production) | string | n/a | yes |
instance_type | EC2 instance type | string | `"t3.nano"` | no |
logs_retention_period | Number of days the WireGuard logs are kept in CloudWatch. | number | `90` | no |
namespace | Project namespace | any | n/a | yes |
per_region_domain_name | Per-region domain name: when enabled, the Subspace UI is reachable at `vpn.<region>.<root_domain>` instead of the regular `vpn.<root_domain>` | bool | `false` | no |
root_domain | Domain name used to generate the URL for the Subspace UI | string | n/a | yes |
security_group_id | List of security groups associated with the WireGuard instance | list(string) | `[]` | no |
subnet_ids | VPC subnet identifier(s) where the VPN server is instantiated. At least one subnet id is required | list(string) | n/a | yes |
subspace_container_cpu | n/a | number | `1500` | no |
subspace_container_memory | n/a | number | `420` | no |
subspace_image | Subspace UI docker image | string | `"subspacecommunity/subspace"` | no |
subspace_nameservers | n/a | list(string) | `[]` | no |
subspace_subdomain | n/a | string | `"vpn"` | no |
subspace_theme | n/a | string | `"green"` | no |
subspace_version | Version of the Subspace UI docker image. | string | `"1.5.0"` | no |
wg_allowed_ips | CIDR-format list of allowed IP addresses used by the WireGuard client to route traffic correctly. By default, the VPC CIDR is used. | list(string) | `[]` | no |
wg_ipv4_network | Internal VPN network space used by the WireGuard server to maintain clients' identifiers. | any | n/a | yes |
Outputs:

Name | Description |
---|---|
vpn_fqdn | n/a |
vpn_sg_id | n/a |