将 <cert> 和 <key> 添加到使用 Terraform 从 AWS 客户端 VPN 终端节点下载的 OpenVPN 客户端配置

问题描述 投票:0回答:1

我正在尝试使用 Terraform 在 AWS 上构建 VPN 客户端。

这是我的 TF 代码:

resource "aws_acm_certificate" "client_vpn_cert" {
  domain_name       = "vpn.example.com"  # Update with your domain name
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_acm_certificate" "server_vpn_cert" {
  domain_name       = "vpn.example.com"  # Update with your domain name
  validation_method = "DNS"    
  lifecycle {
    create_before_destroy = true
  }
}


resource "aws_security_group" "vpn_secgroup" {
  name   = "vpn-sg"
  vpc_id = "vpc-111111111111" #module.vpc.vpc_id
  description = "Allow inbound traffic from port 443, to the VPN"

  ingress {
   protocol         = "tcp"
   from_port        = 443
   to_port          = 443
   cidr_blocks      = ["0.0.0.0/0"]
   ipv6_cidr_blocks = ["::/0"]
  }

  egress {
   protocol         = "-1"
   from_port        = 0
   to_port          = 0
   cidr_blocks      = ["0.0.0.0/0"]
   ipv6_cidr_blocks = ["::/0"]
  }
}

resource "aws_ec2_client_vpn_endpoint" "my_client_vpn" {
  description            = "My client vpn"
  server_certificate_arn = aws_acm_certificate.server_vpn_cert.arn
  client_cidr_block      = "10.100.0.0/22"
  vpc_id                 = "vpc-11111111111" # module.vpc.vpc_id

  security_group_ids     = [aws_security_group.vpn_secgroup.id]
  split_tunnel           = true

  # Client authentication
  authentication_options {
    type                       = "certificate-authentication"
    root_certificate_chain_arn = aws_acm_certificate.client_vpn_cert.arn
  }

  connection_log_options {
    enabled = false
   }

  depends_on = [
    aws_acm_certificate.server_vpn_cert,
    aws_acm_certificate.client_vpn_cert
  ]
}

resource "aws_ec2_client_vpn_network_association" "client_vpn_association_private" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.my_client_vpn.id
  subnet_id              = "subnet-bbbbbbbbbbbbbb" # tolist(module.vpc.private_subnets)[0]
}

resource "aws_ec2_client_vpn_network_association" "client_vpn_association_public" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.my_client_vpn.id
  subnet_id              = "subnet-bbbbbbbbbbbbbb" # tolist(module.vpc.public_subnets)[1]
}

resource "aws_ec2_client_vpn_authorization_rule" "authorization_rule" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.my_client_vpn.id

  target_network_cidr    = "10.0.0.0/16"
  authorize_all_groups   = true
}

一切看起来都配置得很好。当我进入 

AWS console -> Client VPN endpoints -> Download client configuration
时,我得到这个 ovpn 文件:

client
dev tun
proto udp
remote cvpn-endpoint-<.....>.eu-north-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIEXjCCA0agAwI.........
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwI.........
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIID7zCCAtegAwI.........
-----END CERTIFICATE-----
</ca>

reneg-sec 0

verify-x509-name vpn.example.com name

从网上阅读,我发现我需要将 

<cert>
<key>
添加到 ovpn 文件中。获取 aws vpn 的 
cert
key
最简单的方法是什么?

amazon-web-services terraform terraform-provider-aws vpn
1个回答
0
投票

@Yagel 请遵循 AWS 提供的此文档,https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.