Basic Terraform for provisioning VPN connectivity between Ubiquiti Unifi Security Gateway and AWS site to site VPN connection. Its possible this may also work for Edge routers running EdgeOS but this has not been tested.
Uses Terraform to
- Create a VPC with a site to site VPN configuration and deploys an example syslog EC2 instance with cloudwatch integration
- Generate shell scripts to configure Unifi USG to connect to AWS
- Create a syslog EC2 instance to capture USG and USW log events
- Creates a route53 resolver to enable dns resolution against USG
Key points
- For simplicity, uses BGP rather than static routes
- Currently only establishes a single tunnel
- VPN configuration is based on Vyatta configuration exported from AWS Console site to site
Two things
- Create keys to support automation
- Configure variables specifying network topology and keys
Ensure terraform.tfvars contains the following configuration:
| Param | Description | Example |
|---|---|---|
| usg_priv_key_path | Path to Unifi USG device | ~/.ssh/id_rsa |
| usg_admin_user | Administrator username of USG | administrator |
| usg_ip | IP address of USG device | 192.168.1.1 |
| env | Namespace for environment | dev, prod |
| prod_access_key | AWS API access key | |
| prod_secret_key | AWS API secret key | |
| vpc_cidr | CIDR block for VPC | 172.16.0.0/16 |
| sn1_cidr | CIDR block for subnet 1 | 172.16.0.0/24 |
| sn2_cidr | CIDR block for subnet 2 | 172.16.32.0/24 |
| pub_sn_cidr | CIDR block for public subnet | 172.16.64.0/24 |
| aws_bgp_asn | BGP ASN for AWS side | 64513 |
| usg_bgp_asn | BGP ASN for USG side | 65001 |
| wan_ip | Public IP of USG | |
| usg_cidr | CIDR block for USG network | 192.168.0.1/24 |
| syslog_ip | Private IP of EC2 Syslog instance |
SSH keys to authenticate with Unifi devices
Generate AWS API keys, create an IAM user (e.g. terraform) with following AWS managed policies attached
- AmazonEC2FullAccess
- AmazonVPCFullAccess
- AWSMarketplaceRead-only
- AWSIAMFullAccess
- AmazonRoute53ResolverFullAccess
$ terraform init
$ terraform apply
and magic should happen.
- Align the generated shell scripts to Ubiquiti commands rather than AWS Vyatta config.
- Put ALB infront of syslog EC2 instance for redundancy and consistent endpoint for syslog clients - except that neither NLB nor ALB support UDP ffs.
- Replace template generation with Terraform provisioner for USG using an API - see https://github.com/paultyng/terraform-provider-unifi
- Move to IKEv2