This is Infrastructure as Code applied to VPN. You can automate deployment of VPN tunneling servers for personal use with Terraform and Ansible executed in GitHub Actions.
- fully automated deployment and removal of VPN servers
- multicloud support
- VPN connections on TCP port 443 (typically used for HTTPS) and UDP port 53 (typically used for DNS)
- completely personal VPN servers at locations of your choice
```mermaid
sequenceDiagram
actor you
participant gh as GitHub
participant ht as HCP Terraform
participant cs as cloud service
participant srv as server
rect rgb(191, 223, 255, .5)
you ->> you: edit config.yml
you ->> gh: open a pull request
gh ->> ht: request to run terraform
ht ->> cs: `terraform plan`
cs ->> ht: plan
ht ->> gh: plan
gh ->> you: see the plan
end
rect rgb(191, 223, 255, .5)
you ->> gh: merge the pull request
gh ->> ht: request to run terraform
ht ->> cs: `terraform apply`
cs ->> srv: create a<br/>compute instance
srv ->> cs:
cs ->> ht: server information
ht ->> gh: server information
gh ->> srv: run ansible
srv ->> srv: start a VPN server
srv ->> gh: client files
gh ->> you: download the client files
end
rect rgb(191, 223, 255, .5)
you ->> srv: establish a VPN connection
end
```
- AWS
  - Lightsail
- Google Cloud
  - Compute Engine

- Ubuntu 24.04

- OpenVPN

> [!NOTE]
> WireGuard is planned

- TCP (port 443)
- UDP (port 53)

- IPv4
- IPv6

- accounts
  - GitHub
  - HCP Terraform
  - one or more of
- VPN client application
- for AWS, see https://developer.hashicorp.com/terraform/cloud-docs/dynamic-provider-credentials/aws-configuration
- for Google Cloud, see https://developer.hashicorp.com/terraform/cloud-docs/dynamic-provider-credentials/gcp-configuration
1.3. set workspace-specific variables as follows

> [!NOTE]
> replace `****` with your values

For AWS:

| category | key | value | sensitive |
|---|---|---|---|
| environment | TFC_AWS_PROVIDER_AUTH | true | no |
| environment | TFC_AWS_RUN_ROLE_ARN | arn:aws:iam::****:role/**** | no |

For Google Cloud:

| category | key | value | sensitive |
|---|---|---|---|
| environment | TFC_GCP_PROVIDER_AUTH | true | no |
| environment | TFC_GCP_RUN_SERVICE_ACCOUNT_EMAIL | ****@developer.gserviceaccount.com | no |
| environment | TFC_GCP_WORKLOAD_PROVIDER_NAME | projects/****/locations/global/workloadIdentityPools/****/providers/**** | no |
2.1. create a team API token of HCP Terraform and set it as a repository secret

| name | value |
|---|---|
| HCP_TERRAFORM_TEAM_TOKEN | HCP Terraform team API token |
- go to the GitHub Actions page and manually run the workflow to create an SSH key pair
- The artifact in GitHub will be automatically deleted in 1 day.
- unzip the downloaded file. A file with the `.pub` extension is the public key; the other file is the private key.

3.2.1. set a repository secret

| name | value |
|---|---|
| SSH_PRIVATE_KEY | SSH private key |

3.2.2. set a repository variable

| name | value |
|---|---|
| SSH_PUBLIC_KEY | SSH public key |
- add or edit `config.yml` (see `config-example.yml` for an example)

> [!TIP]
> You can list Lightsail blueprints and bundles with the `aws lightsail get-blueprints` and `aws lightsail get-bundles` commands in CloudShell.

- open a pull request
- check the plan in the summary on the GitHub Actions page
- merge the pull request if the plan is fine
- check the deployment on the GitHub Actions page

> [!TIP]
> You can add more servers or clients by running the same steps.

> [!TIP]
> To remove existing servers, delete them from the `servers` section in `config.yml` and follow the same steps as for adding servers.
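A way to preview what a `config.yml` change should produce before opening the pull request, as an added example that is not part of the project's code. It assumes `config.yml` parses to a top-level `servers` list whose entries carry `name`, `cloud`, `protocol`, `port` and `ip` keys (an assumed schema; the project's `config-example.yml` is authoritative) and encodes the supported options listed above. `validate` rejects unsupported clouds or port/protocol pairs, and `plan` reports which servers would be created, destroyed or replaced, which is what to compare against the plan in the Actions summary, especially the destroy list when servers are removed.

```python
"""Preview a config.yml change the way the GitHub Actions plan step will report it.

Added example, not project code. Assumed schema (the project's config-example.yml
is authoritative): config.yml parses to {"servers": [{"name", "cloud", "protocol",
"port", "ip"}, ...]}.
"""

# Options the README lists as supported; the key spellings are assumptions.
SUPPORTED_CLOUDS = {"aws", "gcp"}
SUPPORTED_ENDPOINTS = {("tcp", 443), ("udp", 53)}
SUPPORTED_IP = {"ipv4", "ipv6"}


def validate(config):
    """Return a list of problems with the desired servers; an empty list means it is acceptable."""
    problems = []
    seen = set()
    for i, srv in enumerate(config.get("servers", [])):
        name = srv.get("name", f"servers[{i}]")
        if name in seen:
            problems.append(f"{name}: duplicate server name")
        seen.add(name)
        if srv.get("cloud") not in SUPPORTED_CLOUDS:
            problems.append(f"{name}: unsupported cloud {srv.get('cloud')!r}")
        if (srv.get("protocol"), srv.get("port")) not in SUPPORTED_ENDPOINTS:
            problems.append(
                f"{name}: only tcp/443 or udp/53 are supported, "
                f"got {srv.get('protocol')}/{srv.get('port')}"
            )
        if srv.get("ip") not in SUPPORTED_IP:
            problems.append(f"{name}: ip must be ipv4 or ipv6, got {srv.get('ip')!r}")
    return problems


def plan(current, proposed):
    """Summarise the change as create/destroy/replace lists keyed by server name.

    Servers are matched by name. Any change to an existing server's settings is
    reported as a replacement, on the assumption that the compute instance has to
    be recreated rather than updated in place.
    """
    cur = {s["name"]: s for s in current.get("servers", [])}
    new = {s["name"]: s for s in proposed.get("servers", [])}
    return {
        "create": sorted(new.keys() - cur.keys()),
        "destroy": sorted(cur.keys() - new.keys()),
        "replace": sorted(n for n in cur.keys() & new.keys() if cur[n] != new[n]),
    }


# Constructed sample data standing in for the merged and the edited config.yml.
CURRENT = {"servers": [
    {"name": "tokyo", "cloud": "aws", "protocol": "tcp", "port": 443, "ip": "ipv4"},
    {"name": "frankfurt", "cloud": "gcp", "protocol": "udp", "port": 53, "ip": "ipv4"},
]}
PROPOSED = {"servers": [
    {"name": "tokyo", "cloud": "aws", "protocol": "udp", "port": 53, "ip": "ipv4"},
    {"name": "sydney", "cloud": "gcp", "protocol": "tcp", "port": 443, "ip": "ipv6"},
]}
# A config that should never reach a pull request: unsupported cloud and port.
REJECTED = {"servers": [
    {"name": "oops", "cloud": "azure", "protocol": "tcp", "port": 1194, "ip": "ipv4"},
]}

if __name__ == "__main__":
    for problem in validate(PROPOSED) + validate(REJECTED):
        print("problem:", problem)
    for action, names in plan(CURRENT, PROPOSED).items():
        print(f"{action}: {', '.join(names) or '(none)'}")
```

With PyYAML installed, `yaml.safe_load(open("config.yml"))` yields the mapping these functions take; run `plan` with the committed file as `current` and your edited copy as `proposed`, and treat a non-empty destroy list as something to confirm deliberately rather than merge in passing.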
- download VPN client files from the GitHub Actions page
- optionally, edit the files as you like
- move the files to each client
- make a VPN connection on each client using the VPN application