diff --git a/CHANGELOG.md b/CHANGELOG.md index 9e98e16..31680c3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -187,3 +187,8 @@ * 2.2.1 -- 2022-09-28 - security-groups - add variable: enable_manage_default_sg + +* 2.3.0 -- 2022-10-06 + - vpn-transit-gateway + - add variable use_single_cgw to use only one CGW per site instead of one per site per VPN + diff --git a/common/version.tf b/common/version.tf index 44ea5cf..de52fea 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,5 +1,5 @@ locals { - _module_version = "2.2.1" + _module_version = "2.3.1" _module_names = { "_main_" = "aws-vpc-setup" diff --git a/vpn-transit-gateway/README.md b/vpn-transit-gateway/README.md index 70b8238..06fcd69 100644 --- a/vpn-transit-gateway/README.md +++ b/vpn-transit-gateway/README.md @@ -70,6 +70,7 @@ No modules. |------|------| | [aws_cloudwatch_log_group.log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | | [aws_customer_gateway.vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/customer_gateway) | resource | +| [aws_customer_gateway.vpn_single](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/customer_gateway) | resource | | [aws_ec2_tag.vpn_tag_created_by](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | | [aws_ec2_tag.vpn_tag_environment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | | [aws_ec2_tag.vpn_tag_name](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | 
@@ -83,6 +84,7 @@ No modules.
 | [null_resource.directory_setup](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.generate_configs](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [random_string.tunnel_preshared_key](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
+| [random_string.tunnel_preshared_key_single](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
diff --git a/vpn-transit-gateway/main.tf b/vpn-transit-gateway/main.tf
index eab667d..8615209 100644
--- a/vpn-transit-gateway/main.tf
+++ b/vpn-transit-gateway/main.tf
@@ -95,7 +95,7 @@ locals {
 # customer gateway, one per vpc per site
 #---
 resource "aws_customer_gateway" "vpn" {
- for_each = var.create ? local.vpn_settings : {}
+ for_each = var.create && ! var.use_single_cgw ? local.vpn_settings : {}
 bgp_asn = each.value.bgp_asn_id
 ip_address = each.value.ip_address
 type = "ipsec.1"
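Review bot: `var.use_single_cgw` is referenced here for the first time (and again in main.tf, outputs.tf and vpn-config.tf) but no hunk in this diff declares it — a `variables.tf` hunk would sort between outputs.tf and vpn-config.tf and there is none — so unless it is declared in a file outside this diff the module fails `terraform validate` with an undeclared-variable error, and the README Inputs table was not updated for it either. The declaration should carry a type and a safe default, `variable "use_single_cgw" { type = bool, default = false, description = "..." }`, so existing callers keep one CGW per VPN. The description should also warn that flipping the flag on a live deployment empties `aws_customer_gateway.vpn` and creates `vpn_single`; `customer_gateway_id` is a replace-on-change argument of `aws_vpn_connection` in the AWS provider, so every tunnel to the site is destroyed and recreated with new outside addresses and, with generated keys, new pre-shared keys. The `aws_customer_gateway.vpn` block continues past the end of the hunk.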
@@ -110,11 +110,35 @@ resource "aws_customer_gateway" "vpn" { ) } +# use a single CGW +resource "aws_customer_gateway" "vpn_single" { + for_each = var.create && var.use_single_cgw ? { for k, v in local.vpn_settings : v.site => v if v.sequence == 1 } : {} + bgp_asn = each.value.bgp_asn_id + ip_address = each.value.ip_address + type = "ipsec.1" + + tags = merge( + local.base_tags, + var.tags, + { + Name = format("%v%v%v-%v", (var.use_tgw_prefixes ? local._prefixes["transit-gateway-vpn"] : ""), local._prefixes["customer-gateway"], each.key, lower(each.value.environment)) + "boc:tgw_environment" = var.tgw_environment + }, + ) +} + #--- # vpn pre-shared key (same for each tunnel per site, one per site) #--- resource "random_string" "tunnel_preshared_key" { - for_each = var.create ? local.vpn_settings : {} + for_each = var.create && ! var.use_single_cgw ? local.vpn_settings : {} + length = 32 + special = true + override_special = "._" +} + +resource "random_string" "tunnel_preshared_key_single" { + for_each = var.create && var.use_single_cgw ? { for k, v in local.vpn_settings : v.site => v if v.sequence == 1 } : {} length = 32 special = true override_special = "._" 
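Review bot: `aws_customer_gateway.vpn_single` keys its `for_each` on `v.site` filtered to `v.sequence == 1`, so a site whose entries carry no sequence-1 record gets no customer gateway and every later `aws_customer_gateway.vpn_single[each.value.site]` lookup fails at plan time, two sequence-1 entries for the same site are a duplicate-key error, and the filter silently assumes all entries for a site share `ip_address` and `bgp_asn_id`, which nothing checks; if the module's required Terraform version allows it, a `lifecycle { precondition { ... } }` asserting exactly one sequence-1 entry per site (or a `validation` block on the input that feeds `local.vpn_settings`) would make the failure explicit. On the key side, `random_string.tunnel_preshared_key_single` yields one IKE pre-shared key that is then shared by both tunnels of every VPN connection to that site, so the header comment above `tunnel_preshared_key` should say so, e.g. `# vpn pre-shared key: one per VPN connection, or one per site shared by all of its connections when use_single_cgw is set`. Both resources are `random_string` rather than `random_password`, so the generated key is printed unredacted in plan output and state diffs; moving to `random_password` marks it sensitive but replaces the resource, i.e. regenerates keys. Per the AWS docs a pre-shared key may not start with a zero, which this alphabet (alphanumeric plus `._`) can produce — pre-existing, but duplicated into the new resource rather than fixed.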
@@ -125,14 +149,14 @@ resource "random_string" "tunnel_preshared_key" { #--- resource "aws_vpn_connection" "vpn" { for_each = var.create ? local.vpn_settings : {} - type = aws_customer_gateway.vpn[each.key].type + type = var.use_single_cgw ? aws_customer_gateway.vpn_single[each.value.site].type : aws_customer_gateway.vpn[each.key].type transit_gateway_id = var.transit_gateway_id - customer_gateway_id = aws_customer_gateway.vpn[each.key].id + austomer_gateway_id = var.use_single_cgw ? aws_customer_gateway.vpn_single[each.value.site].id : aws_customer_gateway.vpn[each.key].id enable_acceleration = false - tunnel1_preshared_key = length(each.value.preshared_keys) == 0 ? random_string.tunnel_preshared_key[each.key].result : element(each.value.preshared_keys, 0) - tunnel2_preshared_key = length(each.value.preshared_keys) == 0 ? random_string.tunnel_preshared_key[each.key].result : element(each.value.preshared_keys, 1) + tunnel1_preshared_key = length(each.value.preshared_keys) == 0 ? (var.use_single_cgw ? random_string.tunnel_preshared_key_single[each.value.site].result : random_string.tunnel_preshared_key[each.key].result) : element(each.value.preshared_keys, 0) + tunnel2_preshared_key = length(each.value.preshared_keys) == 0 ? (var.use_single_cgw ? random_string.tunnel_preshared_key_single[each.value.site].result : random_string.tunnel_preshared_key[each.key].result) : element(each.value.preshared_keys, 0) tunnel1_inside_cidr = length(each.value.tunnel_ips) == 0 ? null : element(each.value.tunnel_ips, 0) tunnel2_inside_cidr = length(each.value.tunnel_ips) == 0 ? null : element(each.value.tunnel_ips, 1) diff --git a/vpn-transit-gateway/outputs.tf b/vpn-transit-gateway/outputs.tf index 715ebf8..7986b64 100644 --- a/vpn-transit-gateway/outputs.tf +++ b/vpn-transit-gateway/outputs.tf 
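Review bot: `austomer_gateway_id` on `aws_vpn_connection.vpn` is a typo for `customer_gateway_id`; the AWS provider has no such argument, so the module fails `terraform validate`/`plan` in both modes and the connection loses its required customer gateway reference. The line should read `customer_gateway_id = var.use_single_cgw ? aws_customer_gateway.vpn_single[each.value.site].id : aws_customer_gateway.vpn[each.key].id`. In the same hunk `tunnel2_preshared_key` now falls back to `element(each.value.preshared_keys, 0)` where the removed line used index 1, so a caller that supplies per-tunnel keys silently gets tunnel 1's key on both tunnels and the second supplied key is never used; restore `element(each.value.preshared_keys, 1)`. The `aws_vpn_connection.vpn` block continues past the end of the hunk.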
@@ -47,10 +47,10 @@ output "vpn_labels" { output "customer_gateway_arns" { description = "AWS Customer Gateway ARNs" - value = var.create ? { for k, v in aws_customer_gateway.vpn : k => v.arn } : {} + value = var.create ? (var.use_single_cgw ? { for k, v in aws_customer_gateway.vpn_single : k => v.arn } : { for k, v in aws_customer_gateway.vpn : k => v.arn }) : {} } output "customer_gateway_ids" { description = "AWS Customer Gateway IDs" - value = var.create ? { for k, v in aws_customer_gateway.vpn : k => v.id } : {} + value = var.create ? (var.use_single_cgw ? { for k, v in aws_customer_gateway.vpn_single : k => v.id } : { for k, v in aws_customer_gateway.vpn : k => v.id }) : {} } diff --git a/vpn-transit-gateway/vpn-config.tf b/vpn-transit-gateway/vpn-config.tf index 4db8876..0167558 100644 --- a/vpn-transit-gateway/vpn-config.tf +++ b/vpn-transit-gateway/vpn-config.tf @@ -6,8 +6,9 @@ locals { sequence = v.sequence label = v.label full_label = format("aws:%v:%v:%v:%v", local.region, local.account_id, aws_vpn_connection.vpn[k].id, v.label) - customer_address = aws_customer_gateway.vpn[k].ip_address - bgp_asn = aws_customer_gateway.vpn[k].bgp_asn + customer_address = var.use_single_cgw ? aws_customer_gateway.vpn_single[v.site].ip_address : aws_customer_gateway.vpn[k].ip_address + bgp_asn = var.use_single_cgw ? aws_customer_gateway.vpn_single[v.site].bgp_asn : aws_customer_gateway.vpn[k].bgp_asn + use_single_cgw = var.use_single_cgw vpn_connection_id = aws_vpn_connection.vpn[k].id vpc_cidr_block = data.aws_vpc.vpc.cidr_block vpc_name = var.vpc_name
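Review bot: With `use_single_cgw` set, `customer_gateway_arns` and `customer_gateway_ids` are keyed by site instead of by the `local.vpn_settings` key, so any consumer that indexes these outputs with a VPN key breaks the moment the flag is flipped, and the descriptions do not mention it. Either document the shape, e.g. `description = "AWS Customer Gateway ARNs, keyed by vpn_settings key, or by site when use_single_cgw is set"`, or keep the key stable in single mode with `{ for k, v in local.vpn_settings : k => aws_customer_gateway.vpn_single[v.site].arn }` (and the same for `.id`), which also lets callers correlate a connection with its gateway without knowing the mode.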