This project automates the setup of a private VPN using Terraform. It provides a command-line interface through manage.py to simplify the creation, configuration, and management of the VPN infrastructure.
The system uses Terraform to provision the necessary resources on a cloud provider (likely AWS, given the module names). A manage.py script acts as a wrapper around Terraform commands to provide a more user-friendly experience.
- Python 3
- The `click` and `pyyaml` Python libraries (`pip install click pyyaml`)
- Terraform installed and configured with your cloud provider credentials.
Configuration is managed through a config.yaml file. You can create your own config.yaml by copying the config_example.yaml. This file defines the instances, clients, and other variables for your VPN setup.
The script manage.py reads config.yaml and generates a .terraform.tfvars.json file, which is then used by Terraform.
The manage.py script is the main entry point for managing the VPN infrastructure.
Initializes the configuration. It reads the specified `--config` file (defaulting to `config.yaml`) and creates/updates the `.terraform.tfvars.json` file.

```bash
python manage.py init-config
```

Generates the necessary Terraform modules based on the configuration. If the `generated` directory already exists, it will prompt you to delete it and start fresh.

```bash
python manage.py gen
```

Creates or updates the infrastructure. It first loads the configuration, generates the modules (if they don't exist), and then runs `terraform apply`.

```bash
python manage.py apply
```

You can specify a different config file:

```bash
python manage.py apply --config my_custom_config.yaml
```

Destroys all the resources created by Terraform.

```bash
python manage.py destroy
```

A utility to help clean up resources if the Terraform state gets corrupted. It generates a temporary Terraform configuration to remove the resources and then cleans up after itself.

```bash
python manage.py rm-state
```

Once the VPN is deployed, you can access the WireGuard Easy UI to manage clients and download configuration files. The UI is available at `http://<your_instance_ip>:51821`.
- Username: `admin`
- Password: The password you set in your `config.yaml` (`wg_easy_password_hash`).
From the UI, you can add, remove, and manage client configurations. To connect a new device, create a new client and download the corresponding configuration file.
- `aws_vpn_instance_module`: Manages the main VPN instance.
- `aws_vpn_network_module`: Manages the network resources (VPC, subnets, etc.).
- `aws_vpn_proxy_module`: Manages a proxy instance.
- `templates`: Contains templates for provisioning scripts.
- `generated`: This directory is created by the `gen` command and contains the generated Terraform modules for each instance. It should not be manually edited.
For clients that need manual configuration, you can create a file at /etc/wireguard/work.conf with the following format. The values in <> should be replaced with the corresponding values from your config.yaml and your deployed instance's IP address.
```ini
[Interface]
PrivateKey = <your_client_private_key>
Address = 10.1.1.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server_public_key>
PresharedKey = <client_preshared_key_from_config.yaml>
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 0
Endpoint = <instance_public_ip>:51820
```
Variable Mapping:

- `<your_client_private_key>`: The `private_key` for the specific client from the `wg_clients` list in your `config.yaml`.
- `<server_public_key>`: The public key of the WireGuard server. This is generated during the server setup. You can retrieve it from the WireGuard Easy UI.
- `<client_preshared_key_from_config.yaml>`: The `preshared_key` for the specific client from the `wg_clients` list in your `config.yaml`.
- `<instance_public_ip>`: The public IP address of your deployed VPN instance.
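As an added example (not part of the project's own `manage.py`), the script below fills the `work.conf` template above from the parsed `config.yaml`, refuses to emit a file whose keys are not well-formed WireGuard keys, and creates the file with mode 0600 so the private key is not world-readable. It assumes each `wg_clients` entry carries a `name` field, which the page does not state, and the key values are constructed placeholders.

```python
import base64
import os
import re

# Constructed stand-in for config.yaml's wg_clients as pyyaml parses it; the
# "name" field is an assumption and the key values are placeholders.
SAMPLE_CONFIG = {"wg_clients": [{
    "name": "laptop",
    "private_key": base64.b64encode(b"\x01" * 32).decode(),
    "preshared_key": base64.b64encode(b"\x02" * 32).decode(),
}]}
SAMPLE_SERVER_PUBLIC_KEY = base64.b64encode(b"\x03" * 32).decode()  # constructed
KEY_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")  # 32 bytes as base64: 44 chars, one pad
TEMPLATE = (  # the work.conf layout given above
    "[Interface]\nPrivateKey = {private_key}\nAddress = 10.1.1.2/24\nDNS = 1.1.1.1\n"
    "[Peer]\nPublicKey = {server_public_key}\nPresharedKey = {preshared_key}\n"
    "AllowedIPs = 0.0.0.0/0, ::/0\nPersistentKeepalive = 0\nEndpoint = {ip}:51820\n"
)

def is_wireguard_key(value):
    """True only for base64 text of the exact shape a 32-byte WireGuard key has."""
    return isinstance(value, str) and bool(KEY_RE.match(value))

def validate_client(config, client_name, server_public_key):
    """Return a list of problems; an empty list means the values are usable."""
    client = next((c for c in config.get("wg_clients", [])
                   if c.get("name") == client_name), None)
    if client is None:
        return [f"no client named {client_name!r} in wg_clients"]
    keys = {"private_key": client.get("private_key"), "server_public_key": server_public_key,
            "preshared_key": client.get("preshared_key")}
    return [f"{k} is not a valid WireGuard key" for k, v in keys.items()
            if not is_wireguard_key(v)]

def render_work_conf(config, client_name, server_public_key, instance_ip):
    """Fill the template, refusing to produce a config that carries a malformed key."""
    problems = validate_client(config, client_name, server_public_key)
    if problems:
        raise ValueError("; ".join(problems))
    client = next(c for c in config["wg_clients"] if c["name"] == client_name)
    return TEMPLATE.format(private_key=client["private_key"], ip=instance_ip,
                           server_public_key=server_public_key, preshared_key=client["preshared_key"])

def write_work_conf(text, path="/etc/wireguard/work.conf"):
    """Create the file with mode 0600 so only its owner can read the private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)  # tighten the mode even if the file already existed
```

Run `write_work_conf(render_work_conf(...))` as root on the client to install the file; `wg-quick up work` then reads it.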