1- # Welcome to your CDK TypeScript project!
1+ # AWS Pi-hole
22
3- This is a blank project for TypeScript development with CDK.
3+ [ Pi-hole] [ pi-hole ] running on AWS and provisioned with the [ AWS CDK] [ cdk ]
4+ (mostly)!
45
5- The ` cdk.json ` file tells the CDK Toolkit how to execute your app.
6+ # Features
7+ - Automatically provisions an EC2 container on Fargate running Pi-hole
8+ - The Pi-hole container is deployed in a private subnet of a VPC so no
9+ inbound internet access is allowed by default
10+ - Secures the Pi-hole container behind a VPN
11+ - Configures the VPN connection to use Pi-hole as the DNS server
612
7- ## Useful commands
13+ # Caveats
814
9- - ` npm run build ` compile typescript to js
10- - ` npm run watch ` watch for changes and compile
11- - ` npm run test ` perform the jest unit tests
12- - ` cdk deploy ` deploy this stack to your default AWS account/region
13- - ` cdk diff ` compare deployed stack with current state
14- - ` cdk synth ` emits the synthesized CloudFormation template
15+ - AWS Client VPN is [ expensive] [ clientvpnpricing ] ! As of 6/2020, each client VPN
16+ endpoint association costs at least $0.10 USD per hour and each client VPN
17+ connection costs at least $0.05 USD per hour, depending on the AWS region you
18+ use. That's \$ 72 USD per month just for maintaining the client VPN endpoint
19+ association alone. Running a VPN in another container (e.g.
20+ [ kylemanna/openvpn] [ kylemanna/openvpn ] ) instead of using AWS's
21+ infrastructure would eliminate this issue.
22+ - Setting up the VPN configuration requires manual work in provisioning CA,
23+ client, and server certificates as well as in creating and distributing the
24+ VPN client configuration. Running OpenVPN in another container may also
25+ reduce some of this manual effort.
26+ - Configuring the VPN DNS server requires provisioning the infrastructure first
27+ and then updating the VPN configuration with the Pi-hole task IP address. If
28+ the Pi-hole task is restarted, the VPN DNS configuration is not automatically
29+ updated with the new task IP address. There may be a way to setup an NLB with
30+ a fixed private IP address to resolve this issue.
31+ - The Pi-hole container does not have persistent storage because it is not
32+ currently possible to provision EFS volumes for ECS through CloudFormation
33+ (and therefore, the CDK). See [ aws-cdk #6918 ] [ aws-cdk-6918 ] for details.
1534
1635# Setting up VPN certs
1736
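Review bot: line 7+ "an EC2 container on Fargate" contradicts itself, since Fargate is the launch type that removes the EC2 instances; it should read "an ECS task on Fargate (no EC2 instances to manage)". Lines 8-10 then justify "Secures the Pi-hole container behind a VPN" only by the private subnet, but a private subnet only removes the internet route; what limits who can reach port 53 and the task is its security group, so the feature list or the Caveats should state that the task's security group admits traffic only from the Client VPN endpoint. The 6/2020 pricing arithmetic on lines 15-19 is right (0.10 USD/h × 720 h = 72 USD), but the per-connection 0.05 USD/h on line 17 comes on top of that, so one always-connected client is closer to 108 USD per month; worth saying explicitly.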
@@ -33,3 +52,9 @@ $ aws acm import-certificate --certificate fileb://pki/issued/$CLIENT_DOMAIN_NAM
3352$ CLIENT_VPN_ENDPOINT_ID=cvpn-endpoint-04cc056c459a8e837
3453$ aws ec2 export-client-vpn-client-configuration --client-vpn-endpoint-id $CLIENT_VPN_ENDPOINT_ID --output text --profile $AWS_PROFILE > pihole_vpn_config.ovpn
3554```
55+
56+ [ aws-cdk-6918 ] : https://github.com/aws/aws-cdk/issues/6918
57+ [ clientvpnpricing ] : https://aws.amazon.com/vpn/pricing/#AWS_Client_VPN_pricing
58+ [ cdk ] : https://github.com/aws/aws-cdk
59+ [ kylemanna/openvpn ] : https://hub.docker.com/r/kylemanna/openvpn
60+ [ pi-hole ] : https://pi-hole.net
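Review bot: line 52 hard-codes a concrete Client VPN endpoint ID (cvpn-endpoint-04cc056c459a8e837) from the author's own account; every reader's endpoint differs, so use a placeholder such as `CLIENT_VPN_ENDPOINT_ID=<your-endpoint-id>` and mention `aws ec2 describe-client-vpn-endpoints` for looking it up. Line 53 exports the endpoint configuration to pihole_vpn_config.ovpn, but the section never says that, with the mutual-TLS setup implied by the client certificate import at line 33/52, the exported .ovpn does not include the client certificate and private key; the reader must append them (`<cert>` and `<key>` blocks from the certificate and key generated alongside pki/issued/$CLIENT_DOMAIN_NAME) before the file is usable, which is the "distributing the VPN client configuration" effort the new caveat on lines 22-24 alludes to.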