A Terraform module to deploy a WireGuard VPN server on AWS.
Before using this module, you'll need to:
-
Install the WireGuard tools for your OS.
-
Generate a key pair for each client with a WireGuard tool:
wg genkey | tee client1-privatekey | wg pubkey > client1-publickey
-
Generate a key pair for the server with a WireGuard tool:
wg genkey | tee server-privatekey | wg pubkey > server-publickey
-
Add each client's public key, along with the next available IP address to the
wg_clientslist. -
Add server's private key to the
wg_server_private_keyvariable. You can use AWS SSM Parameter store to store and read server private key. 5.1 To store the private key you could use this command:aws ssm put-parameter --name /wireguard/wg-server-private-key --type SecureString --value <Your Server Private Key>
-
To create working configuration for the GUI WireGuard client, you should create a conf file from this template:
[Interface]
PrivateKey = <Your Client Private Key>
ListenPort = 51820
Address = 10.0.0.4/32 # Set your client's local ip address
DNS = 8.8.8.8
[Peer]
PublicKey = <Public Key of Your WireGuard Server>
AllowedIPs = 10.0.0.0/24
Endpoint = <IP or Domain Name of Your WireGuard Server>:51820
PersistentKeepalive = 25Save this file as <Your VPN Name>.conf. Then you could import your configuration in WireGuard GUI client or share it with end users.
If you want to save or share more than one conf file - you can add them to single zip file without folders.
WireGuard GUI client support import of zipped configurations.
| Name | Version |
|---|---|
| terraform | >= 0.13.5 |
| aws | ~> 3.0 |
| Name | Version |
|---|---|
| aws | ~> 3.0 |
| template | n/a |
No modules.
| Name | Type |
|---|---|
| aws_autoscaling_group.wireguard_asg | resource |
| aws_eip.wireguard | resource |
| aws_iam_instance_profile.wireguard_profile | resource |
| aws_iam_policy.wireguard_policy | resource |
| aws_iam_role.wireguard_role | resource |
| aws_iam_role_policy_attachment.wireguard_roleattach | resource |
| aws_launch_configuration.wireguard_launch_config | resource |
| aws_route53_record.wireguard | resource |
| aws_security_group.sg_wireguard | resource |
| aws_ami.ubuntu | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.ec2_assume_role | data source |
| aws_iam_policy_document.wireguard_policy_doc | data source |
| template_file.wg_client_data_json | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| env | The name of environment for WireGuard. Used to differentiate multiple deployments. | any |
n/a | yes |
| instance_type | The machine type to launch, some machines may offer higher throughput for higher use cases. | string |
"t3.nano" |
no |
| region | n/a | string |
n/a | yes |
| route53_hosted_zone_id | Route53 Hosted zone ID. | string |
null |
no |
| route53_record_name | Route53 Record name. | string |
null |
no |
| ssh_key_id | A SSH public key ID to add to the VPN instance. | any |
n/a | yes |
| subnet_ids | A list of subnets for the Autoscaling Group to use for launching instances. May be a single subnet, but it must be an element in a list. | list(string) |
n/a | yes |
| target_group_arns | Running a scaling group behind an LB requires this variable, default null means it won't be included if not set. | list(string) |
null |
no |
| use_eip | Whether to enable Elastic IP switching code in user-data on wg server startup. If true, eip_id must also be set to the ID of the Elastic IP. | bool |
false |
no |
| use_route53 | Whether to use Route53 | bool |
false |
no |
| vpc_id | The VPC ID in which Terraform will launch the resources. | any |
n/a | yes |
| wg_clients | List of client objects with IP and public key. See Usage in README for details. | list(object({ client_friendly_name = string, client_public_key = string, client_allowed_cidr = string })) |
n/a | yes |
| wg_persistent_keepalive | Persistent Keepalive - useful for helping connection stability over NATs. | number |
25 |
no |
| wg_server_interface | The default interface to forward network traffic to. | string |
"eth0" |
no |
| wg_server_net | IP range for vpn server - make sure your Client ips are in this range but not the specific ip i.e. not .1 | string |
"10.0.0.1/24" |
no |
| wg_server_port | Port for the vpn server. | number |
51820 |
no |
| wg_server_private_key | WG server private key. | string |
n/a | yes |
No outputs.