我正在尝试使用 Terraform 在 AWS 上搭建 Client VPN。
以下是我的 Terraform 代码：
# Certificate referenced as root_certificate_chain_arn by the Client VPN
# endpoint, i.e. the CA that client certificates must chain to.
#
# NOTE(review): as written this requests a public, DNS-validated ACM
# certificate for vpn.example.com. That is an end-entity certificate whose
# private key never leaves ACM, so it cannot issue client certificates and
# will not work as the root chain for certificate-authentication. The AWS
# getting-started guide linked in the answer instead generates a CA and
# client certificate (easy-rsa) and imports them into ACM via
# certificate_body / private_key / certificate_chain.
# NOTE(review): a DNS-validated request stays PENDING_VALIDATION until the
# validation record exists (aws_acm_certificate_validation + a DNS record);
# the endpoint below references this ARN as if it were already issued.
resource "aws_acm_certificate" "client_vpn_cert" {
  domain_name       = "vpn.example.com" # Update with your domain name
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}
# Server-side TLS certificate for the Client VPN endpoint (server_certificate_arn).
# The downloaded client profile pins this name via
# `verify-x509-name vpn.example.com name`, so domain_name must match what
# clients are told to verify.
#
# NOTE(review): it is the same public, DNS-validated request as
# client_vpn_cert above; it will not be ISSUED (and the endpoint cannot be
# created from it) until the DNS validation record is in place —
# aws_acm_certificate_validation plus the Route 53/DNS record are missing
# from this configuration. If you follow the linked AWS guide and issue the
# server certificate from your own CA, import it here instead of requesting
# a public one.
resource "aws_acm_certificate" "server_vpn_cert" {
  domain_name       = "vpn.example.com" # Update with your domain name
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}
# Security group attached to the Client VPN endpoint (applied to the network
# interfaces the endpoint creates in each associated subnet).
#
# NOTE(review): vpc_id here is "vpc-111111111111" (12 ones) while the
# endpoint below uses "vpc-11111111111" (11 ones). The endpoint and its
# security group must live in the same VPC, so one of the two placeholders is
# wrong; per the inline comments both were meant to be module.vpc.vpc_id.
resource "aws_security_group" "vpn_secgroup" {
  name        = "vpn-sg"
  vpc_id      = "vpc-111111111111" #module.vpc.vpc_id
  description = "Allow inbound traffic from port 443, to the VPN"

  # NOTE(review): this admits tcp/443 from anywhere, but the downloaded
  # profile shows `proto udp` (the endpoint's default transport), so the rule
  # does not even match the VPN transport. As far as I can tell from the AWS
  # docs, the endpoint's security group governs traffic between the endpoint
  # interfaces and VPC resources rather than the inbound client TLS session,
  # so this world-open ingress is likely unnecessary — confirm, then drop or
  # narrow it.
  ingress {
    protocol         = "tcp"
    from_port        = 443
    to_port          = 443
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  # Unrestricted egress from the endpoint interfaces. With split_tunnel = true
  # only routed VPC traffic enters the tunnel, so this could be narrowed to the
  # VPC CIDR (the authorization rule below targets 10.0.0.0/16).
  egress {
    protocol         = "-1"
    from_port        = 0
    to_port          = 0
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
}
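# Client VPN endpoint using mutual (certificate) authentication.
#
# NOTE(review): vpc_id here is "vpc-11111111111" (11 ones) while the security
# group above uses "vpc-111111111111" (12 ones); both must be the same VPC —
# the inline comments say both were meant to be module.vpc.vpc_id.
resource "aws_ec2_client_vpn_endpoint" "my_client_vpn" {
  description = "My client vpn"

  # Server-side TLS certificate. It must be ISSUED in ACM before this
  # resource can be created; a DNS-validated request stays
  # PENDING_VALIDATION until its validation record exists.
  server_certificate_arn = aws_acm_certificate.server_vpn_cert.arn

  # Address pool handed to connected clients; must not overlap the VPC CIDR
  # or any network the clients need to reach (10.0.0.0/16 is authorized below).
  client_cidr_block  = "10.100.0.0/22"
  vpc_id             = "vpc-11111111111" # module.vpc.vpc_id
  security_group_ids = [aws_security_group.vpn_secgroup.id]

  # Only traffic for routes pushed by the endpoint goes through the tunnel.
  split_tunnel = true
  # transport_protocol is left at its default ("udp"), which is what the
  # downloaded client profile shows as `proto udp`.

  # Client authentication: mutual TLS. root_certificate_chain_arn must be the
  # ARN of the CA (chain) that issued the client certificates. A public ACM
  # end-entity certificate cannot play that role; the CA normally has to be
  # generated (e.g. easy-rsa) and imported into ACM, as in the AWS
  # getting-started guide.
  authentication_options {
    type                       = "certificate-authentication"
    root_certificate_chain_arn = aws_acm_certificate.client_vpn_cert.arn
  }

  # Connection logging is off, so there is no record of who connected or of
  # failed authentications. For anything beyond a lab, enable it and point it
  # at a CloudWatch log group/stream (cloudwatch_log_group /
  # cloudwatch_log_stream).
  connection_log_options {
    enabled = false
  }

  # The explicit depends_on on both certificates was removed: the two *.arn
  # references above already make Terraform create the certificates first,
  # so it was redundant.
}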
# First target network: associates a private subnet with the endpoint. The
# endpoint creates a network interface in this subnet and attaches the
# security group configured above.
#
# NOTE(review): the same placeholder subnet_id ("subnet-bbbbbbbbbbbbbb") is
# used by the public association below; a subnet can only be associated once
# with a given endpoint, so the two must resolve to different subnets — per
# the inline comment this one is tolist(module.vpc.private_subnets)[0].
resource "aws_ec2_client_vpn_network_association" "client_vpn_association_private" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.my_client_vpn.id
  subnet_id              = "subnet-bbbbbbbbbbbbbb" # tolist(module.vpc.private_subnets)[0]
}
# Second target network.
#
# NOTE(review): this uses the same placeholder subnet_id as the private
# association above ("subnet-bbbbbbbbbbbbbb"). A subnet can only be associated
# once with a given endpoint, so as written this second association should
# fail — per the inline comment it is meant to be the public subnet,
# tolist(module.vpc.public_subnets)[1]. Associating a public subnet is only
# needed if clients must reach resources in it.
resource "aws_ec2_client_vpn_network_association" "client_vpn_association_public" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.my_client_vpn.id
  subnet_id              = "subnet-bbbbbbbbbbbbbb" # tolist(module.vpc.public_subnets)[1]
}
# Authorization rule: lets connected clients reach the target network CIDR.
# Without at least one rule the endpoint forwards no client traffic.
#
# NOTE(review): 10.0.0.0/16 is presumably the VPC CIDR — confirm it matches
# the VPC referenced by vpc_id (it must also not overlap client_cidr_block,
# 10.100.0.0/22). authorize_all_groups = true is the only meaningful choice
# here, since group-based rules apply to directory/SAML authentication, not
# certificate-authentication.
resource "aws_ec2_client_vpn_authorization_rule" "authorization_rule" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.my_client_vpn.id
  target_network_cidr    = "10.0.0.0/16"
  authorize_all_groups   = true
}
一切看起来都配置得很好。当我在 AWS console -> Client VPN endpoints -> Download client configuration 下载客户端配置时，得到的 ovpn 文件如下：
# Client profile as downloaded from the AWS console for this endpoint.
# The endpoint uses certificate-authentication (mutual TLS), so this file is
# not complete on its own: it carries no client certificate or private key.
client
dev tun
# Transport is UDP, the endpoint's default; the Terraform security group only
# opens tcp/443, which does not match this.
proto udp
# <.....> is the endpoint id redacted by the poster; region eu-north-1.
remote cvpn-endpoint-<.....>.eu-north-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
# Require the server certificate to be a TLS server certificate.
remote-cert-tls server
cipher AES-256-GCM
verb 3
# CA chain the client trusts for the server certificate (three certificates,
# truncated by the poster).
<ca>
-----BEGIN CERTIFICATE-----
MIIEXjCCA0agAwI.........
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwI.........
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIID7zCCAtegAwI.........
-----END CERTIFICATE-----
</ca>
# NOTE: no <cert>/<key> blocks. For certificate-authentication the client
# certificate and its private key — issued by the CA whose ARN is set as
# root_certificate_chain_arn on the endpoint — must be added here (inline
# <cert>/<key> blocks or cert/key directives), which is what the AWS
# getting-started guide walks through.
# Disable periodic TLS renegotiation.
reneg-sec 0
# Pin the server certificate's subject name to the endpoint's domain; it must
# match domain_name on the server certificate resource.
verify-x509-name vpn.example.com name
从网上阅读后，我发现需要把 `<cert>` 和 `<key>` 添加到 ovpn 文件中。为这个 AWS VPN 获取客户端 cert 和 key 的最简单方法是什么？
@Yagel 请遵循 AWS 提供的这份文档：https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html