This Terraform module creates and configures a WireGuard-based reverse proxy server on AWS: an EC2 instance that accepts a WireGuard tunnel from a client on your home network and forwards selected public ports through that tunnel to a host behind your router.
I created this module as a solution / personal project that would allow me access to home-assistant and other resources on my internal network, as I don't have access to the router and port forwarding is not an option.
The module will:
- Create an Ubuntu-based EC2 instance with an instance profile that allows it to update Route 53 records
- Install WireGuard and generate the server configuration plus the iptables NAT rules that forward each port in `wg_nat_ports` over the tunnel to `peer_private_ip`
- Update the A record for `vpn_domain_name` with the instance's public IP on every instance startup
Inbound WireGuard traffic is only permitted from `peer_public_ip`, and SSH only from `permitted_ssh_ips`, via the security groups listed below.
Note: This has only been tested on Ubuntu 20.04 LTS x64, though it should still work on other versions/architectures. AMI IDs are region-specific, so set `instance_ami` to an Ubuntu AMI in the region you deploy to rather than relying on the default.
Before applying, you will need:
- A Hosted Zone in Route 53 for the domain the proxy will use
- WireGuard public/private key pairs for your server and your peer (e.g. `wg genkey | tee privatekey | wg pubkey > publickey` on each side)
- A pre-existing VPC, a subnet in it, and an EC2 key pair for SSH access
No requirements.
Name | Version |
---|---|
aws | n/a |
template | n/a |
No modules.
Name | Type |
---|---|
aws_iam_instance_profile.wireguard | resource |
aws_iam_role.wireguard | resource |
aws_iam_role_policy.wireguard-r53-access | resource |
aws_instance.wireguard | resource |
aws_security_group.nat-ports | resource |
aws_security_group.ssh-access | resource |
aws_security_group.vpn-access | resource |
template_file.userdata | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
hosted_zone_id | Route 53 Hosted Zone ID containing the domain name to be used for the VPN | string | n/a | yes |
instance_ami | AMI to use for the instance (region-specific; override outside the default AMI's region) | string | "ami-0015a39e4b7c0966f" | no |
keypair | Key Pair name to be used for SSH access to the WireGuard server | string | n/a | yes |
peer_private_ip | Private (LAN) IP of the host behind the peer WireGuard client that forwarded traffic is sent to | string | n/a | yes |
peer_public_ip | Public IP address permitted to make inbound WireGuard connections | string | n/a | yes |
peer_public_key | Peer's public key for configuring the VPN connection | string | n/a | yes |
permitted_ssh_ips | List of CIDR ranges permitted to SSH to the WireGuard instance | list(string) | [ | no |
subnet_id | Subnet ID used by the WireGuard instance | string | n/a | yes |
vpc_id | VPC ID of the VPC the WireGuard instance will be provisioned in | string | n/a | yes |
vpn_domain_name | A record to create/update for the WireGuard proxy | string | n/a | yes |
wg_interface_cidr | The CIDR address used for the WireGuard interface on the server | string | "10.6.0.1/32" | no |
wg_listen_port | UDP port the WireGuard server listens on | number | 51820 | no |
wg_nat_ports | List of ports to be forwarded from the server's public IP to the peer's private IP | list(number) | [ | no |
wg_private_key | Private key used for the WireGuard server (sensitive) | string | n/a | yes |
No outputs.
Example `terraform.tfvars` (IDs, IPs and keys below are placeholders, not valid WireGuard keys):

```hcl
hosted_zone_id  = "Z0123456789"
vpn_domain_name = "proxy.example.com"
vpc_id          = "vpc-xxxxxxxxxxx"
subnet_id       = "subnet-xxxxxxxxxxx"
keypair         = "my-key-pair"
wg_private_key  = "abcdef0123456789"
peer_public_key = "fedcba987654321"
peer_public_ip  = "203.147.201.32"
peer_private_ip = "192.168.0.101"
```

`wg_private_key` is a secret: do not commit a `.tfvars` file containing it. Supply it via `TF_VAR_wg_private_key` or a secrets store instead, and remember that it still ends up in Terraform state (it is rendered into the instance user data), so protect the state backend accordingly.
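The following is an added example, not the module's own user-data template, showing what "generate the configuration for NAT'ing" and "update the A record on startup" come down to, using the values from the sample `terraform.tfvars`. It renders the server-side `wg0.conf` with DNAT/MASQUERADE rules for each forwarded port, builds the Route 53 `UPSERT` change batch, and builds a least-privilege instance-role policy scoped to the one hosted zone. The peer's tunnel address (`PEER_TUNNEL_IP`), the WAN interface name (`WAN_IF`), the forwarded port `8123` and TCP-only forwarding are assumptions, not values from the page.

```python
"""Added example, not the module's own user-data template: render the
WireGuard server config, the iptables NAT rules, the Route 53 change batch
and a least-privilege IAM policy from the module's input values.

Assumptions (not stated on the page): the peer's tunnel address
(PEER_TUNNEL_IP), the instance's WAN interface name (WAN_IF, "ens5" on
Ubuntu 20.04 EC2 instances) and TCP-only forwarding."""
import ipaddress
import json

# Values taken from the sample terraform.tfvars; PEER_TUNNEL_IP, WG_NAT_PORTS
# and WAN_IF are constructed for this example.
WG_PRIVATE_KEY = "abcdef0123456789"
PEER_PUBLIC_KEY = "fedcba987654321"
PEER_PRIVATE_IP = "192.168.0.101"
PEER_TUNNEL_IP = "10.6.0.2"
WG_INTERFACE_CIDR = "10.6.0.1/32"
WG_LISTEN_PORT = 51820
WG_NAT_PORTS = [8123]  # constructed: Home Assistant's default port
WAN_IF = "ens5"


def nat_rules(wan_if, ports, peer_private_ip, action="-A", proto="tcp"):
    """iptables commands that DNAT each listed port to the peer's LAN host
    and masquerade so replies come back over wg0. action is "-A" for
    PostUp and "-D" for PostDown."""
    rules = []
    for port in ports:
        rules.append(
            f"iptables -t nat {action} PREROUTING -i {wan_if} -p {proto} "
            f"--dport {port} -j DNAT --to-destination {peer_private_ip}:{port}")
        # Forward only the listed ports, only to the one LAN host.
        rules.append(
            f"iptables {action} FORWARD -i {wan_if} -o wg0 -p {proto} "
            f"-d {peer_private_ip} --dport {port} -j ACCEPT")
    # Only reply traffic may flow from the tunnel back out to the internet.
    rules.append(f"iptables {action} FORWARD -i wg0 -o {wan_if} "
                 "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
    # Source-NAT forwarded packets to the server's tunnel address so the
    # home host routes its replies back through the WireGuard client.
    rules.append(f"iptables -t nat {action} POSTROUTING -o wg0 -j MASQUERADE")
    return rules


def render_wg_conf(wg_private_key, wg_interface_cidr, wg_listen_port,
                   peer_public_key, peer_tunnel_ip, peer_private_ip,
                   wg_nat_ports, wan_if=WAN_IF):
    """Server-side wg0.conf. No Endpoint is set: the client behind the home
    NAT initiates the tunnel, so nothing is port-forwarded on the router.
    AllowedIPs is both ACL and routing table, so it lists only the peer's
    tunnel address and the single LAN host traffic is forwarded to."""
    ipaddress.ip_interface(wg_interface_cidr)  # ValueError if malformed
    ipaddress.ip_address(peer_tunnel_ip)
    ipaddress.ip_address(peer_private_ip)
    up = "; ".join(nat_rules(wan_if, wg_nat_ports, peer_private_ip, "-A"))
    down = "; ".join(nat_rules(wan_if, wg_nat_ports, peer_private_ip, "-D"))
    return "\n".join([
        "[Interface]",
        f"Address = {wg_interface_cidr}",
        f"ListenPort = {wg_listen_port}",
        f"PrivateKey = {wg_private_key}",
        f"PostUp = {up}",
        f"PostDown = {down}",
        "",
        "[Peer]",
        f"PublicKey = {peer_public_key}",
        f"AllowedIPs = {peer_tunnel_ip}/32, {peer_private_ip}/32",
    ]) + "\n"


def route53_change_batch(vpn_domain_name, public_ip, ttl=60):
    """Change batch for `aws route53 change-resource-record-sets
    --hosted-zone-id <id> --change-batch file://change.json`, run at boot
    with the instance's public IP (read from the instance metadata service)."""
    ipaddress.IPv4Address(public_ip)  # refuse anything that is not an IPv4
    name = vpn_domain_name.rstrip(".") + "."
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": name, "Type": "A", "TTL": ttl,
        "ResourceRecords": [{"Value": public_ip}]}}]}


def r53_policy(hosted_zone_id):
    """Least-privilege instance-role policy: the instance may change records
    only in this one hosted zone. Compare against the module's
    wireguard-r53-access policy."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["route53:ChangeResourceRecordSets"],
        "Resource": f"arn:aws:route53:::hostedzone/{hosted_zone_id}"}]}


if __name__ == "__main__":
    print(render_wg_conf(WG_PRIVATE_KEY, WG_INTERFACE_CIDR, WG_LISTEN_PORT,
                         PEER_PUBLIC_KEY, PEER_TUNNEL_IP, PEER_PRIVATE_IP,
                         WG_NAT_PORTS))
    print(json.dumps(route53_change_batch("proxy.example.com", "203.0.113.10"),
                     indent=2))
    print(json.dumps(r53_policy("Z0123456789"), indent=2))
```

The `FORWARD` rules are what keep this a port forwarder rather than a general gateway: without them, enabling `net.ipv4.ip_forward` on the instance would let any traffic that reaches `wg0` be routed onward. The client-side config (not shown) needs `Endpoint = proxy.example.com:51820`, `AllowedIPs = 10.6.0.1/32` and a `PersistentKeepalive` so the tunnel survives the home router's NAT timeout.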