Skip to content
/ terraform-aws-tailscale-vpn Public
forked from d7oss/terraform-aws-tailscale-vpn

A Terraform module to manage a Tailscale VPN server - why not a bastion too - in your VPC.

License

MIT license
0 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kumbuca/terraform-aws-tailscale-vpn

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
.editorconfig
.editorconfig
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
user-data.yml.tpl
user-data.yml.tpl
 
 
variables.tf
variables.tf
 
 

Repository files navigation

tailscale-vpn

A Terraform module to manage a Tailscale VPN server - why not a bastion too - in your VPC.

You'll need a Tailscale account, and an auth key, to make use of the VPN.

The managed server also works as a bastion, fits nicely in use cases like allowing external access into a database from data extracting tools via SSH.

DON'T FORGET TO READ IMPORTANT NOTES BELOW.

Usage example

module "vpn" {
  source = "d7oss/tailscale-vpn/aws"
  version = "~> 0.0"
  
  # Some metadata
  env_name = "staging"
  hostname = "vpn.${local.DOMAIN_NAME}"

  # DNS (optional, manages "hostname" as a subdomain)
  dns_zone_id = module.dns.zone_id

  # Where to put the VPN server in the network
  vpc_id = module.vpc.vpc_id
  subnet_ids = module.vpc.public_subnets

  # SSH connections
  key_name = "my-ec2-key"  # Optional, if you want to use an EC2 key
  extra_ssh_users = [
    { name = "john", pubkey = "ssh-rsa ... john@john-laptop" },
    { name = "bi-tool", pubkey = "ssh-rsa ..." }
  ]

  # Allow extra CIDR blocks, e.g. some external BI tool IP addresses
  ingress_cidr_blocks = {
    "ssh-from-bi-vendor" = {
      cidr_blocks = [
        "1.2.3.4/32",
        "5.6.7.8/32",
      ]
      protocol = "tcp"
      port = 22
    }
  }

  # Tailscale authentication
  tailscale_auth_key = var.tailscale_auth_key
  tailscale_advertise_routes = [module.vpc.vpc_cidr_block]
}

module "database" {
  ...

  # Allow database connection from peers connected to the VPN
  ingress_security_groups = {
    "psql-from-vpn" = { port = 5432, security_group_id = module.vpn.security_group_id }
  }
}

Important notes

  • The Tailscale authentication key has to be REUSABLE and EPHEMERAL. This is because the VPN server may need to be replaced since we always use the latest Amazon Linux 2 AMI.
  • The Tailscale authentication key has a maximum expiry of 180 days. Take note of your key's expiry somewhere. Once your VPN stops working, this will likely be the reason. This can certainly be improved with the right time and effort.
  • Once the server authenticates to Tailscale, you'll need to enable its subnet routes in order to allow traffic from external nodes into resources in your private subnet. This can be done in the Machines page in Tailscale.

About

A Terraform module to manage a Tailscale VPN server - why not a bastion too - in your VPC.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • HCL 85.8%
  • Smarty 14.2%