diff --git a/CHANGELOG.md b/CHANGELOG.md
index 87b6813..dbe5e41 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -42,3 +42,7 @@
 * v1.1.3 -- 20210708
  - subnets
  - add per-subnet tags
+
+* v1.1.4 -- 20210709
+ - vpn
+ - add custom_preshared_keys
diff --git a/common/version.tf b/common/version.tf
index 7d60583..1261327 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.1.3"
+ _module_version = "1.1.4"
 }
diff --git a/vpn/README.md b/vpn/README.md
index f917bad..eaed00c 100644
--- a/vpn/README.md
+++ b/vpn/README.md
@@ -71,6 +71,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [custom\_preshared\_keys](#input\_custom\_preshared\_keys) | List of one or two pre-shared keys to use for the two tunnels. If only one provided, it will use it for both tunnels. If missing, pre-shared keys will be generated. | `list(string)` | `[]` | no |
 | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | [route\_table\_ids](#input\_route\_table\_ids) | List of created route table IDs for privating routing to be used for VPN route propagation | `list(string)` | `[]` | no |
 | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
diff --git a/vpn/main.tf b/vpn/main.tf
index ea29750..fc651b8 100644
--- a/vpn/main.tf
+++ b/vpn/main.tf
@@ -109,8 +109,8 @@ resource "aws_vpn_connection" "vpn" { type = "ipsec.1" vpn_gateway_id = aws_vpn_gateway.vpn.id customer_gateway_id = aws_customer_gateway.vpn[each.key].id - tunnel1_preshared_key = random_string.tunnel_preshared_key[each.key].result - tunnel2_preshared_key = random_string.tunnel_preshared_key[each.key].result + tunnel1_preshared_key = length(var.custom_preshared_keys) == 0 ? random_string.tunnel_preshared_key[each.key].result : element(var.custom_preshared_keys, 0) + tunnel2_preshared_key = length(var.custom_preshared_keys) == 0 ? random_string.tunnel_preshared_key[each.key].result : element(var.custom_preshared_keys, 1) # static_routes_only = var.vpc_vpn_dynamic_routing ? false : true static_routes_only = false diff --git a/vpn/variables.tf b/vpn/variables.tf index dba92e8..79b3f1b 100644 --- a/vpn/variables.tf +++ b/vpn/variables.tf @@ -29,3 +29,9 @@ variable "route_table_ids" { default = [] } + +variable "custom_preshared_keys" { + description = "List of one or two pre-shared keys to use for the two tunnels. If only one provided, it will use it for both tunnels. If missing, pre-shared keys will be generated." + type = list(string) + default = [] +}
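Review bot: The two added tunnel*_preshared_key lines index var.custom_preshared_keys by position only, so every connection produced by this resource's for_each (the `aws_customer_gateway.vpn[each.key]` reference shows there can be several) receives the same pair of secrets, whereas the generated `random_string.tunnel_preshared_key[each.key]` is distinct per connection; with more than one customer gateway the same IPsec pre-shared key is shared across all peers. `element()` also wraps modulo the list length, which is what makes a one-element list cover tunnel 2 as the description intends, but it equally means a list of three or more entries is silently truncated rather than rejected. The `random_string` is still evaluated and kept in state even when custom keys are supplied, since the conditional only selects which value is used. I would add a comment next to these lines, e.g. `# custom keys are positional and shared by every connection in for_each; per-connection keys would need a map(list(string))`, and enforce the one-or-two-entries contract with a validation block on the variable. The enclosing resource block starts and ends outside the hunk.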
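Review bot: The new `custom_preshared_keys` variable carries IPsec secrets but is not marked `sensitive = true`, so its values are echoed in plan and apply output and in any output that derives from it; if the module's required Terraform version permits it (0.14+; the version constraint is not in this diff), add `sensitive = true` after the default. The description promises one or two entries but nothing enforces it, so a `validation` block with `condition = length(var.custom_preshared_keys) <= 2` and an error_message naming the limit would reject longer lists instead of silently ignoring the extras. Per the AWS VPN documentation a tunnel pre-shared key must be 8–64 characters of alphanumerics, periods and underscores and must not start with 0, which the same block could check so that a malformed key fails at plan time rather than at the API call. Either way the value lands in state, as the generated keys already do, so the description could note that state must be protected accordingly.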