Create a VPN-secured VPC with Packer and Terraform

What Is a VPN?

Do I Need a VPN?

Preparing the Deployment

Generate and Upload Your Key

Using Packer to Generate the ECS Image

{
  "variables": {
    "access_key": "{{env `ALICLOUD_ACCESS_KEY`}}",
    "region": "{{env `ALICLOUD_REGION`}}",
    "secret_key": "{{env `ALICLOUD_SECRET_KEY`}}"
  },
  "builders": [
    {
      "type": "alicloud-ecs",
      "access_key": "{{user `access_key`}}",
      "secret_key": "{{user `secret_key`}}",
      "region": "{{user `region`}}",
      "image_name": "openvpn-stretch",
      "source_image": "debian_9_02_64_20G_alibase_20171023.vhd",
      "ssh_username": "root",
      "instance_type": "ecs.t5-lc1m1.small",
      "internet_charge_type": "PayByTraffic",
      "io_optimized": true
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "script": "base-setup.sh"
    }
  ]
}
#!/bin/bash
# base-setup.sh: runs inside the temporary build instance Packer launches;
# whatever it leaves on disk is baked into the "openvpn-stretch" image.
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive

# The build instance can come up without a usable resolver; add a public one.
echo "nameserver 1.1.1.1" >> /etc/resolv.conf

apt-get update && apt-get upgrade -y && apt-get install -y net-tools

# Fetch the OpenVPN Access Server package over HTTPS (the original used plain
# HTTP). This package is the trust anchor of the whole setup: compare its
# SHA-256 with the digest OpenVPN publishes before you let dpkg install it.
wget -nv -O /opt/openvpn.deb https://swupdate.openvpn.org/as/openvpn-as-2.5.2-Debian9.amd_64.deb

# Installation is deferred to first boot: Terraform's remote-exec provisioner
# runs /opt/start.sh, so OpenVPN AS initialises with the real instance address
# rather than the throwaway build instance's.
cat <<- 'EOF' > /opt/start.sh
#!/bin/bash
dpkg -i /opt/openvpn.deb
EOF
chmod +x /opt/start.sh
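The download step above installs whatever arrives from the mirror. As an added example (not part of the original tutorial), here is the same step with the check a supply-chain-conscious engineer would add: the package is fetched over HTTPS only, and its SHA-256 is compared with a digest you obtain out of band from OpenVPN's published checksums before dpkg ever sees it. The expected digest is a parameter; the page does not give the real value for the 2.5.2 package, so none is assumed here, and the OPENVPN_AS_SHA256 variable in the usage comment is hypothetical.

```bash
#!/bin/bash
# Added example: fetch a .deb and refuse to install it unless its SHA-256
# matches a digest obtained out of band (e.g. OpenVPN's published checksums).
set -euo pipefail

# verify_sha256 FILE EXPECTED_HEX -> returns 0 on match, 1 on mismatch.
verify_sha256() {
  local file="$1" expected="$2" actual
  actual="$(sha256sum "$file" | awk '{print $1}')"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: got $actual, expected $expected" >&2
    return 1
  fi
}

# fetch_verified URL DEST EXPECTED_HEX -> downloads over HTTPS only and
# deletes the file again if the digest does not match, so a later
# "dpkg -i DEST" cannot pick up an unverified package.
fetch_verified() {
  local url="$1" dest="$2" expected="$3"
  case "$url" in
    https://*) ;;
    *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
  esac
  wget -nv -O "$dest" "$url"
  if ! verify_sha256 "$dest" "$expected"; then
    rm -f "$dest"
    return 1
  fi
}

# Usage inside base-setup.sh. OPENVPN_AS_SHA256 is a hypothetical variable
# you set from the vendor's published digest; it is not provided here.
#   fetch_verified "https://swupdate.openvpn.org/as/openvpn-as-2.5.2-Debian9.amd_64.deb" \
#                  /opt/openvpn.deb "$OPENVPN_AS_SHA256" \
#     && dpkg -i /opt/openvpn.deb
```

Because the digest is pinned in the build script, a tampered mirror or a silently re-published package fails the build instead of ending up in every image you deploy.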

Creating the Terraform Infrastructure Files

provider "alicloud" {}

# The tutorial also declared an unused variable "vpn_ecs_password" with a
# hard-coded default. It is dropped here: both instances authenticate with the
# "personal" SSH key pair, and any password you do need should be supplied at
# apply time (TF_VAR_... or a .tfvars file kept out of version control), never
# committed as a default.

data "alicloud_zones" "default" {}

resource "alicloud_vpc" "vpc" {
  name       = "vpn_secured"
  cidr_block = "172.16.0.0/12"
}

resource "alicloud_vswitch" "vswitch" {
  name              = "vsw_vpn"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  cidr_block        = "172.16.0.0/16"
  vpc_id            = "${alicloud_vpc.vpc.id}"
}

resource "alicloud_security_group" "vpn_sg" {
  name   = "sg_vpn"
  vpc_id = "${alicloud_vpc.vpc.id}"
}

# SSH to the VPN server. The tutorial opens it to the world; narrow cidr_ip to
# the address you administer from (for example "203.0.113.10/32") before
# applying, since only the key pair stands between this port and the internet.
resource "alicloud_security_group_rule" "vpn_ssh" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "22/22"
  priority          = 1
  security_group_id = "${alicloud_security_group.vpn_sg.id}"
  cidr_ip           = "0.0.0.0/0"
}

# OpenVPN Access Server admin and client web UI (https://<public_ip>:943).
# Same advice as for SSH: restrict cidr_ip to your own address.
resource "alicloud_security_group_rule" "vpn_web" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "943/943"
  priority          = 1
  security_group_id = "${alicloud_security_group.vpn_sg.id}"
  cidr_ip           = "0.0.0.0/0"
}

# The OpenVPN tunnel endpoint itself: the one port that must stay reachable
# from wherever your clients connect.
resource "alicloud_security_group_rule" "vpn_client" {
  type              = "ingress"
  ip_protocol       = "udp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "1194/1194"
  priority          = 1
  security_group_id = "${alicloud_security_group.vpn_sg.id}"
  cidr_ip           = "0.0.0.0/0"
}

# The image Packer built above. Anchoring the regex and limiting the search to
# images owned by this account keeps a similarly named public image from
# being picked up instead.
data "alicloud_images" "vpn_packer_image" {
  name_regex  = "^openvpn-stretch$"
  owners      = "self"
  most_recent = true
}

resource "alicloud_instance" "vpn_server" {
  instance_name              = "vpn-server"
  image_id                   = "${data.alicloud_images.vpn_packer_image.images.0.id}"
  instance_type              = "ecs.t5-lc1m1.small"
  vswitch_id                 = "${alicloud_vswitch.vswitch.id}"
  internet_max_bandwidth_out = 100   # > 0 is what allocates the public IP clients connect to
  security_groups            = ["${alicloud_security_group.vpn_sg.id}"]
  key_name                   = "personal"

  # Install OpenVPN AS on first boot (deferred from the Packer build so the
  # server initialises with this instance's real address).
  provisioner "remote-exec" {
    inline = ["sh /opt/start.sh"]

    connection {
      type        = "ssh"
      user        = "root"
      host        = "${self.public_ip}"   # use self, not alicloud_instance.vpn_server, inside the resource's own provisioner
      private_key = "${file("~/.ssh/id_rsa")}"
    }
  }
}

# Separate group for the protected machine. The original reused the name
# "sg_vpn", which makes the two groups hard to tell apart in the console.
resource "alicloud_security_group" "secret_machine_sg" {
  name   = "sg_secret_machine"
  vpc_id = "${alicloud_vpc.vpc.id}"
}

# By default OpenVPN AS NATs client traffic behind the VPN server's private
# address, so accepting SSH from the whole vSwitch is what makes the final
# step work. For least privilege, narrow this to the VPN server alone:
#   cidr_ip = "${alicloud_instance.vpn_server.private_ip}/32"
resource "alicloud_security_group_rule" "ssh_from_vpn" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "22/22"
  priority          = 1
  security_group_id = "${alicloud_security_group.secret_machine_sg.id}"
  cidr_ip           = "${alicloud_vswitch.vswitch.cidr_block}"
}

# Stock Debian 9 image. The original regex "^debian_9*" matched "debian_"
# followed by any number of 9s; "^debian_9" is what was meant. owners =
# "system" limits the search to Alibaba-provided public images.
data "alicloud_images" "debian_9" {
  name_regex  = "^debian_9"
  owners      = "system"
  most_recent = true
}

# No internet_max_bandwidth_out, so this instance gets no public IP: it is
# reachable only from inside the VPC, which in this design means through the
# VPN.
resource "alicloud_instance" "secret_machine" {
  instance_name   = "secret-machine"
  image_id        = "${data.alicloud_images.debian_9.images.0.id}"
  instance_type   = "ecs.t5-lc1m1.small"
  vswitch_id      = "${alicloud_vswitch.vswitch.id}"
  security_groups = ["${alicloud_security_group.secret_machine_sg.id}"]
  key_name        = "personal"
}

output "do_next" {
  value = "Go to https://${alicloud_instance.vpn_server.public_ip}:943/admin"
}

output "secret_machine_ip" {
  value = "${alicloud_instance.secret_machine.private_ip}"
}
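The security groups above are where the whole design succeeds or fails: the secret machine is only "VPN-secured" if nothing but the VPN server can reach it, and the VPN server itself should not have its SSH and admin ports open to every address on the internet. As an added example, written for this page and not part of the original tutorial, here is a pre-apply check that scans the security-group rules in a .tf file (one attribute per line, as in the configuration above) and lists every ingress rule that accepts a management port from 0.0.0.0/0. The sample input is a constructed excerpt of the rules above; the default port list (22 and 943) is an assumption you can extend on the command line.

```bash
#!/bin/bash
# Added example: flag alicloud_security_group_rule blocks that expose
# management ports (SSH 22, OpenVPN AS web 943) to the whole internet.
set -euo pipefail

# audit_sg_rules FILE [PORT...] -> prints "resource_name port" for every rule
# that is ingress + accept + cidr_ip 0.0.0.0/0 covering a listed port.
# Returns 1 if any were found, 0 otherwise (so it can gate terraform apply).
audit_sg_rules() {
  local file="$1"; shift
  local ports="${*:-22 943}"
  local findings
  findings="$(awk -v ports="$ports" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) mgmt[p[i]] = 1 }
    /^resource "alicloud_security_group_rule"/ {
      name = $3; gsub(/"/, "", name)
      type = ""; policy = ""; cidr = ""; port_lo = -1; port_hi = -1
      inrule = 1; next
    }
    inrule && /^[[:space:]]*type[[:space:]]*=/    { type = $3;   gsub(/"/, "", type) }
    inrule && /^[[:space:]]*policy[[:space:]]*=/  { policy = $3; gsub(/"/, "", policy) }
    inrule && /^[[:space:]]*cidr_ip[[:space:]]*=/ { cidr = $3;   gsub(/"/, "", cidr) }
    inrule && /^[[:space:]]*port_range[[:space:]]*=/ {
      r = $3; gsub(/"/, "", r); split(r, lh, "/")
      port_lo = lh[1] + 0; port_hi = lh[2] + 0
    }
    inrule && /^}/ {
      if (type == "ingress" && policy == "accept" && cidr == "0.0.0.0/0")
        for (port in mgmt)
          if (port + 0 >= port_lo && port + 0 <= port_hi) print name, port
      inrule = 0
    }
  ' "$file" | sort)"
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# sample_rules_file PATH -> writes a constructed excerpt of the rules from the
# configuration above (only the attributes the audit looks at).
sample_rules_file() {
  cat > "$1" <<'EOF'
resource "alicloud_security_group_rule" "vpn_ssh" {
  type        = "ingress"
  ip_protocol = "tcp"
  policy      = "accept"
  port_range  = "22/22"
  cidr_ip     = "0.0.0.0/0"
}
resource "alicloud_security_group_rule" "vpn_web" {
  type        = "ingress"
  ip_protocol = "tcp"
  policy      = "accept"
  port_range  = "943/943"
  cidr_ip     = "0.0.0.0/0"
}
resource "alicloud_security_group_rule" "vpn_client" {
  type        = "ingress"
  ip_protocol = "udp"
  policy      = "accept"
  port_range  = "1194/1194"
  cidr_ip     = "0.0.0.0/0"
}
resource "alicloud_security_group_rule" "ssh_from_vpn" {
  type        = "ingress"
  ip_protocol = "tcp"
  policy      = "accept"
  port_range  = "22/22"
  cidr_ip     = "${alicloud_vswitch.vswitch.cidr_block}"
}
EOF
}

# Typical use: audit_sg_rules main.tf && terraform apply
```

Run against the rules above it reports vpn_ssh on 22 and vpn_web on 943 and exits 1; vpn_client is left alone because 1194/udp is the port a VPN endpoint has to expose, and ssh_from_vpn passes because its source is the vSwitch, not the world.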

Build the Image and Deploy the Infrastructure

Create a VPN Profile

Connect to the VPN

SSH Into the Web Server Using Its Private IP
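The four steps above (build and deploy, create a profile, connect, SSH over the private IP) as one added script, written for this page and not taken from the tutorial. It refuses to run without the credentials Packer and Terraform read from the environment, drives the build and the apply, and then checks the property the whole setup exists for: the secret machine's private IP must be unreachable before the tunnel is up and reachable once the client is connected. The VPN profile is still created by hand in the admin UI, so the script pauses at that point. It assumes packer.json and the .tf files are in the current directory, the packer and terraform binaries are installed, and a 3-second connect timeout; the terraform output invocations follow the 0.11-era syntax of the configuration above.

```bash
#!/bin/bash
# Added example: drive the build/deploy and verify that the secret machine is
# reachable only through the tunnel.
set -euo pipefail

# require_env NAME... -> returns 1 and names every variable that is unset or empty.
require_env() {
  local missing=0 v
  for v in "$@"; do
    if [ -z "${!v:-}" ]; then
      echo "missing env var: $v" >&2
      missing=1
    fi
  done
  return $missing
}

# port_state HOST PORT -> prints "open" or "closed" (bash /dev/tcp, 3 s timeout).
# A refused connection, a timeout and no route at all are all "closed".
port_state() {
  if timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null; then
    echo open
  else
    echo closed
  fi
}

# deploy -> build the image, apply the infrastructure, then verify exposure.
deploy() {
  require_env ALICLOUD_ACCESS_KEY ALICLOUD_SECRET_KEY ALICLOUD_REGION
  packer validate packer.json
  packer build packer.json            # produces the "openvpn-stretch" image
  terraform init
  terraform plan -out=vpn.tfplan
  terraform apply vpn.tfplan          # remote-exec installs OpenVPN AS on the VPN server
  local secret_ip
  secret_ip="$(terraform output secret_machine_ip)"

  # Without the tunnel, the private address must not answer from here.
  if [ "$(port_state "$secret_ip" 22)" != closed ]; then
    echo "$secret_ip answers on 22 without the VPN: check the security groups" >&2
    return 1
  fi

  echo "Create a user and download its profile at: $(terraform output do_next)"
  read -r -p "Import the profile into your OpenVPN client, connect, then press Enter... "

  # With the client connected, the same address is reachable through the tunnel.
  if [ "$(port_state "$secret_ip" 22)" != open ]; then
    echo "$secret_ip still unreachable: is the tunnel up and routing 172.16.0.0/16?" >&2
    return 1
  fi
  ssh -i ~/.ssh/id_rsa "root@$secret_ip"
}

# Invoke as: ./deploy.sh run   (sourcing the file defines the functions only)
if [ "${1:-}" = "run" ]; then deploy; fi
```

The first port_state check is the one people skip: it is what tells you the "secret" machine really has no path from the internet, rather than merely that the VPN path works.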

Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website:https://www.alibabacloud.com