OpenVPN
Deploy an OpenVPN server. Supports auto healing, public key infrastructure (PKI), cert backup, and managing user accounts using IAM groups.

openvpn-admin

This module contains a command-line utility that allows users to request new certificates, administrators to revoke certificates and the OpenVPN server to process those requests.

How do you use this module?

Examples

  1. Build the binaries for this module or download the relevant release binary (for your desired distro) on your client machine from the releases page.
  2. Run the command you need on your client machine:
$ openvpn-admin request --aws-region us-east-1
$ openvpn-admin revoke --aws-region us-east-1 --username john.doe
$ openvpn-admin process-requests --aws-region us-east-1
$ openvpn-admin process-revokes --aws-region us-east-1

N.B.: If the above doesn't work, check if the openvpn-admin binary is in your path, and that it's called openvpn-admin, and ensure that it has the execute permission set (chmod +x openvpn-admin).

N.B.: To use the openvpn-admin commands above, you'll need to authenticate to AWS. For examples and guidance on how to do so, check out our blog post: A Comprehensive Guide to Authenticating to AWS on the Command Line

Install openvpn-admin on your servers

openvpn-admin consists of a single binary. The easiest way to get it onto your servers is to use the Gruntwork Installer:

gruntwork-install --binary-name openvpn-admin --repo https://github.com/gruntwork-io/terraform-aws-openvpn --tag v0.5.4

Alternatively, you can download the binary from the Releases Page.

Commandline Options

There are several sub-commands and switches that control the behavior of this utility.

| Command | Description |
| --- | --- |
| request | Requests a new OpenVPN configuration from the server and writes it locally to disk as username.ovpn |
| revoke | Revokes a user's certificate so that they may no longer connect to the OpenVPN server |
| process-requests | A server-side process to respond to requests by generating a new user certificate request, signing it, generating a new OpenVPN configuration file and returning it to the requestor. |
| process-revokes | A server-side process to respond to revocation requests by revoking the user's valid certificate |
| Option | Description | Required | Default |
| --- | --- | --- | --- |
| --debug | Enable verbose logging to the console | Optional | |
| --aws-region | The region OpenVPN is installed in | request, revoke, process-requests, process-revokes | |
| --username | The name of the user you are making a certificate request or revocation request for. | revoke (required), request (optional) | IAM username (request command) |
| --request-url | The URL for the SQS queue used for making OpenVPN configuration (certificate) requests | Optional | finds URL automatically |
| --revoke-url | The URL for the SQS queue used for making revocation requests | Optional | finds URL automatically |
| --host-for-mssfix | The host to ping when determining the mssfix value | Optional | 1.1.1.1 |

Permissions

  • Users requesting a new OpenVPN certificate must be a member of the OpenVPNUsers IAM group.
  • Users requesting a certificate revocation must be a member of the OpenVPNAdmins IAM group.

Using openvpn-admin for read-only users

Users who have read-only access to AWS will not be able to submit requests to the SQS requests queue used by openvpn-admin. Read-only users can temporarily assume the openvpn-allow-certificate-requests-for-external-accounts role, which grants write access to the queue. To do so, they should add a profile to their ~/.aws/config file as follows:

[profile foo-vpn]
region=us-west-2
role_arn=arn:aws:iam::11111111111:role/openvpn-allow-certificate-requests-for-external-accounts
mfa_serial=arn:aws:iam::22222222222:mfa/user@company.com
source_profile=foo-security

The user can assume the role defined by this profile (using aws-auth or aws-vault), run the openvpn-admin request --aws-region us-east-1 --username foo command, and then run subsequent commands using the read-only role once again.

Using profiles

To use a named profile, set the AWS_PROFILE environment variable. This tool does not implement CLI flags (e.g. the --profile flag in the AWS CLI) for setting named profiles.
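The two sections above (the role-assuming profile for read-only users, and selecting that profile through AWS_PROFILE because the tool has no --profile flag) are easy to get subtly wrong: a profile without mfa_serial still assumes the role, just without the MFA gate, and static credentials left in the environment take precedence over AWS_PROFILE in the AWS credential chain. The following added example (not part of the module or its code) parses an ~/.aws/config style text, checks that a role-assuming profile has role_arn, mfa_serial, source_profile and region set, and builds the environment under which to run openvpn-admin. The config text, profile names and 12-digit account ids are constructed placeholders; the function and variable names are the example's own.

```python
"""Check an ~/.aws/config profile meant for assuming the
openvpn-allow-certificate-requests-for-external-accounts role, then build the
environment for openvpn-admin (AWS_PROFILE only; the tool has no --profile flag).
Added example, not part of the terraform-aws-openvpn module."""
import configparser
import os
import re

# Constructed sample config: profile names and account ids are placeholders.
SAMPLE_CONFIG = """
[profile foo-security]
region=us-west-2

[profile foo-vpn]
region=us-west-2
role_arn=arn:aws:iam::111111111111:role/openvpn-allow-certificate-requests-for-external-accounts
mfa_serial=arn:aws:iam::222222222222:mfa/user@company.com
source_profile=foo-security

[profile foo-vpn-no-mfa]
region=us-west-2
role_arn=arn:aws:iam::111111111111:role/openvpn-allow-certificate-requests-for-external-accounts
source_profile=foo-security
"""

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
MFA_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:mfa/[\w+=,.@/-]+$")


def load_profiles(config_text):
    """Parse AWS CLI style config text into {profile_name: {key: value}}.
    Only '=' is a delimiter because ARN values contain ':'."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(config_text)
    profiles = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def check_vpn_profile(profiles, name):
    """Return the list of problems with a role-assuming profile; [] means usable
    and MFA-gated, which is what the read-only user workflow relies on."""
    p = profiles.get(name)
    if p is None:
        return ["profile %r not found" % name]
    problems = []
    if not ROLE_ARN_RE.match(p.get("role_arn", "")):
        problems.append("role_arn missing or malformed")
    if not MFA_ARN_RE.match(p.get("mfa_serial", "")):
        problems.append("mfa_serial missing: role assumption would not require MFA")
    src = p.get("source_profile")
    if not src:
        problems.append("source_profile missing")
    elif src not in profiles:
        problems.append("source_profile %r is not defined" % src)
    if "region" not in p:
        problems.append("region missing")
    return problems


def openvpn_admin_env(profile_name, base_env=None):
    """Environment for running openvpn-admin under a named profile. Static
    credential variables are dropped first: in the AWS credential chain they
    take precedence over AWS_PROFILE and would silently shadow the role."""
    env = dict(os.environ if base_env is None else base_env)
    for key in ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"):
        env.pop(key, None)
    env["AWS_PROFILE"] = profile_name
    return env


if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_CONFIG)
    for name in ("foo-vpn", "foo-vpn-no-mfa"):
        issues = check_vpn_profile(profiles, name)
        print(name, "OK" if not issues else issues)
    env = openvpn_admin_env("foo-vpn", base_env={})
    print("AWS_PROFILE=%s openvpn-admin request --aws-region us-east-1 --username foo"
          % env["AWS_PROFILE"])
```

In practice you would call load_profiles on the contents of ~/.aws/config and pass the returned environment to subprocess.run(["openvpn-admin", "request", "--aws-region", "us-east-1", "--username", "foo"], env=env); after the request completes, run later commands without AWS_PROFILE (or with the read-only profile) so the write access to the queue is only held for that one command.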

New Certificate Request Workflow

openvpn-request-flow-diagram

Revoke Certificate Workflow

openvpn-revoke-flow-diagram
