==================== openvpn3-service-aws ==================== --------------------------------------------- OpenVPN 3 Linux - AWS VPC integration service --------------------------------------------- :Manual section: 8 :Manual group: OpenVPN 3 Linux SYNOPSIS ======== | ``openvpn3-service-aws`` ``[OPTIONS]`` | ``openvpn3-service-aws`` ``-h`` | ``--help`` DESCRIPTION =========== The ``openvpn3-service-aws`` is a backend service for OpenVPN 3 Linux, which enables hosts in VPN subnet to communicate to hosts in VPC subnet. Upon start, it reads its configuration file and subscribes to :code:`ROUTE_ADDED` and :code:`ROUTE_REMOVED` signals from ``openvpn3-service-netcfg`` service. On receiving those signals, service adds/deletes VPN routes to/from VPC subnet using Amazon EC2 API. This service is normally started automatically on boot, which is achieved by enabling it with provided **openvpn3-aws.service** *systemd* unit file. Alternatively service could be started manually on the command line. This process should run as the *@OPENVPN_USERNAME@* user and will automatically switch to this user account if it has the needed privileges to do so. Beware that changing this to another user account also requires updating the D-Bus policy for the ``net.openvpn.v3.aws`` service as well. CONFIGURATION ============= To use Amazon EC2 API, service uses temporary security credentials, which are retrieved from instance metadata. Credentials are tied to an IAM role, which must be assigned to the EC2 instance where the service is running. Below is a part of a CloudFormation template, which creates role and instance profile: :: "RouteManagerRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] }, "Policies": [ { "PolicyName": "RouteManagerPolicy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateRoute", "ec2:DescribeNetworkInterfaceAttribute", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables", "ec2:ModifyNetworkInterfaceAttribute", "ec2:ReplaceRoute", "ec2:DeleteRoute" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2messages:GetMessages", "ssm:UpdateInstanceInformation", "ssm:ListInstanceAssociations", "ssm:ListAssociations", "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel" ], "Resource": "*" } ] } } ] } }, "InstanceProfile": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Roles": [ { "Ref": "RouteManagerRole" } ] } } An instance profile must be associated with the instance: :: "Resources": { "EC2Instance": { "Type": "AWS::EC2::Instance", "Properties": { "IamInstanceProfile": { "Ref": "InstanceProfile" } } } } In order to retrieve the credentials needed, the ``openvpn3-service-aws`` service requires a role name, which is read from the configuration file (:code:`/etc/openvpn/openvpn3-aws.json`). Here is a CloudFormation snippet which creates this file: :: "Metadata": { "AWS::CloudFormation::Init": { "config": { "files": { "/etc/openvpn3/openvpn3-aws.json": { "content": { "Fn::Join": [ "", [ "{\n", "\"role\": \"", { "Ref": "RouteManagerRole" }, "\"\n", "}\n" ] ] }, "mode": "000644", "owner": "root", "group": "root" } } } } } Below is an example of configuration file, generated by the script above: :: { "role": "lev1-RouteManagerRole-1QGQ76R9S4C11" } OPTIONS ======= -h, --help Print usage and help details to the terminal --version Prints the version of the program and exists -c FILE, --config FILE Path of configuration file from where role name is read. The default is :code:`/etc/openvpn/openvpn3-aws.json`. --log-level LEVEL Sets the default log verbosity for log events generated by this service. The default is :code:`3`. Valid values are :code:`0` to :code:`6`. Higher log levels results in more verbose logs and log level :code:`6` will contain all debug log events. --log-file LOG_DESTINATION By default, logging will go via the ``openvpn3-service-logger`` service. By providing this argument, logging will also be sent to *LOG_DESTINATION*, which can be either a filename or :code:`stdout:` where the latter one sends log data to the console. --colour This will add colours to log events when logging to file or console. Log events will be coloured based on the log level of the event. --signal-broadcast Normally, the ``openvpn3-service-aws`` will attach a log stream to the ``openvpn3-service-logger`` service. By providing this option, it will instead broadcast all log events to all listeners on the system. SEE ALSO ======== ``openvpn3-linux``\(7) ``openvpn3-service-netcfg``\(8)