Modern, best-practice infrastructure setups put everything into a private network, with no entry point to reach the servers inside. So a GitHub Actions job won't be able to connect to your server to perform a deployment.
To get in, we will need to set up a VPN.
Why not WireGuard?
WireGuard is simple to set up and performs very well. But it uses the peer's public key to identify each peer, so when run in GitHub Actions with matrix jobs you won't be able to make multiple concurrent VPN connections that use the same key.
OpenVPN, on the other hand, does allow multiple clients to reuse the same key when the server configuration carries the duplicate-cn directive.
Setting up OpenVPN
There are a few settings you want to enable in openvpn.conf:
topology p2p
keepalive 10 60
duplicate-cn
max-clients 2000
GitHub Actions workflow file
You can store the OpenVPN config file in a GitHub secret, or in AWS S3, and download it in the GitHub Actions job.
Then add these steps to establish the connection:
- name: Install OpenVPN
  run: |
    sudo apt-get update
    sudo apt-get --assume-yes --no-install-recommends install openvpn
- name: Connect to vpn
  timeout-minutes: 1
  run: |
    # the profile is started as a daemon so the tunnel survives into later steps
    sudo openvpn --config ".github/config.ovpn" --log "vpn.log" --daemon
    # replace vpn-private-ip with a host inside the private network
    until ping -c1 vpn-private-ip; do echo wait for vpn; sleep 3; done
With duplicate-cn, multiple clients using the same profile can be connected at once, so you can run matrix jobs concurrently.
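As an added example that is not part of the original post, here are the two run steps above as one script with a bounded wait and owner-only permissions on the profile file; OVPN_PROFILE (the .ovpn contents held in a secret), VPN_PRIVATE_IP and the probe parameters are assumed names.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumed inputs: OVPN_PROFILE
# (the .ovpn contents, passed from a GitHub secret as an env var) and
# VPN_PRIVATE_IP (a host on the private network used to probe the tunnel).
set -eu

PROFILE_PATH="${PROFILE_PATH:-${RUNNER_TEMP:-/tmp}/client.ovpn}"

# Write the profile with owner-only permissions: it contains the client
# key, so nothing else on the runner should be able to read it.
write_profile() {
  dest="$1"
  (umask 077 && printf '%s\n' "$OVPN_PROFILE" > "$dest")
  grep -q '^client' "$dest" || { echo "no 'client' line in profile" >&2; return 1; }
}

# Probe the private host up to $2 times, $3 seconds apart. Unlike the
# plain `until ping` loop this gives up, so a dead tunnel fails the step
# even without timeout-minutes. PROBE overrides the probe command
# (default: one ping with a 2 s reply timeout) so the loop is testable.
wait_for_tunnel() {
  host="$1"; max="${2:-20}"; pause="${3:-3}"; attempt=1
  probe="${PROBE:-ping -c1 -W2}"
  while ! $probe "$host" >/dev/null 2>&1; do
    if [ "$attempt" -ge "$max" ]; then
      echo "tunnel to $host not up after $max probes" >&2
      return 1
    fi
    echo "wait for vpn ($attempt/$max)"
    attempt=$((attempt + 1))
    sleep "$pause"
  done
}

connect() {
  write_profile "$PROFILE_PATH"
  sudo openvpn --config "$PROFILE_PATH" --log vpn.log --daemon
  wait_for_tunnel "$VPN_PRIVATE_IP" 20 3
}

# For a final step with `if: always()`: stop the daemon and remove the key.
disconnect() {
  sudo pkill -x openvpn || true
  rm -f "$PROFILE_PATH"
}

# Dispatch on the first argument so the functions can also be sourced.
case "${1:-}" in
  connect) connect ;;
  disconnect) disconnect ;;
esac
```

Invoke it as `connect` from the connect step with the secret in that step's env, and as `disconnect` from a final `if: always()` step. Since duplicate-cn lets every holder of that one profile connect at the same time, the secret is the only thing gating access, so rotate it like any shared credential.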