Introduction:
In this blog post, we will guide you through the process of setting up an AWS Client VPN connection with a peered VPC.
This step-by-step tutorial will walk you through the necessary prerequisites and configuration steps to establish a secure VPN connection between your client and an AWS environment, while also enabling connectivity to resources in a peered VPC.
Prerequisites:
Before we begin, make sure you have the following prerequisites in place:
Download Open VPN from the following link: https://openvpn.net/client-connect-vpn-for-windows/
Refer to the AWS Documentation here for detailed instructions: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html
Step 1: Generate AWS Certificates
To start, follow these steps to create the required certificates:
(For Windows)
Download the "EasyRSA releases" from the AWS documentation and extract the files to your Desktop (not on a drive).
Open the command prompt as an administrator and execute the following commands:
.\EasyRSA-Start.bat
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
./easyrsa build-client-full client1.domain.tld nopass
exitOpen the AWS Certificate Manager (ACM) and import two certificates: one for the server and one for the client.
Server files
Certificate body: EasyRSA-3.1.2 > pki > issued > server.crt
Certificate private key: EasyRSA-3.1.2 > pki > private > server.key
Certificate chain: EasyRSA-3.1.2 > pki > ca.crt
Client files
Certificate body: EasyRSA-3.1.2 > pki > issued > client1.domain.tld.crt
Certificate private key: EasyRSA-3.1.2 > pki > private > client1.domain.tld.key
Certificate chain: EasyRSA-3.1.2 > pki > ca.crt
Step 2: Create an AWS Client VPN
Now, let's create the AWS Client VPN with the following configuration:
Name: My-VPN
Client IPv4 CIDR: Define an address range that does not overlap with the target network, VPC address range, or any associated routes.
Server certificate ARN: Choose the server certificate you imported earlier.
Authentication options: Select "Use mutual authentication."
Client certificate ARN: Choose the client certificate you imported earlier.
Enable log details on client connections: Yes
CloudWatch logs log group name: Create a new CloudWatch log group.
Client connect handler: keep default
DNS server 1 & 2: keep default
Transport protocol: TCP
Enable split-tunnel: Yes (to maintain local internet connectivity)
Security group IDs: Create a new security group allowing all traffic from 0.0.0.0/0
VPN port: 1194
Enable self-service portal: Not allowed for mutual authentication.
Enable client login banner: "Welcome to companyVPN".
Step 3: Configure AWS Client VPN Service
Next, configure the AWS Client VPN service as follows:
Target network associations: Associate the target VPC and subnets you want to connect to.
Authorization rules: Add an authorization rule allowing all users from the VPC CIDR.
Route table: The route table will be added automatically.
Step 4: Download Client Configuration
Download the client configuration file from the AWS console.
Open the file in a text editor (e.g., Notepad or VSCode) and make the following changes:
- Add the client certificate file "client1.domain.tld.crt" in line 2: Contents of client certificate (.crt) file
- Add the client key file "client1.domain.tld.key" in line 2: Contents of private key (.key) file
- Add a subdomain (e.g., "company") before ".cvpn" in line 4: remote company.cvpn-endpoint-0366a1a56fdf0ef53.prod.clientvpn.ap-south-1.amazonaws.com 1194
Note:
After completing the configuration, share the client configuration file with your team members who will be using the VPN to access the AWS environment. They can then connect by uploading the file to OpenVPN and clicking "Connect."
Connect Client VPN to Peered VPC:
If you want to connect your Client VPN to another VPC, follow these additional steps:
Step 1: Create a VPC peering between both VPCs:
Go to "Peering connections" and create a peering connection.
Choose the "Requester" and "Accepter" VPCs, and fill in the required details.
Accept the peering request.
Step 2: Configure VPN Client-to-Server (C2S):
In the Client VPN configuration, go to Authorization rules and add an authorization rule for the peered VPC.
Create a route for the other VPC CIDR and choose a subnet in the Client VPN VPC for the target network association.
Step 3: VPN Route Table:
Create a route in the VPN route table for the destination VPC CIDR.
Add the subnets in the Client VPN VPC as the target network association.
Step 4: Subnets Route Table:
In all the subnets connected with the Client VPN in the Client VPN VPC, add a route for the full destination VPC CIDR with the VPC peering as the target.
In all the subnets connected with the peered VPC, add a route for the full Client VPN VPC CIDR with the VPC peering as the target.
Step 5: Security Groups:
For the server or service you want to connect to using the Client VPN, add an inbound rule allowing all traffic from the Client VPN VPC CIDR as the source.
By following these steps, you can establish a VPN connection between your Client VPN and another VPC, enabling secure communication between the two environments.
Remember to modify the instructions and configurations according to your specific requirements and AWS region.
Conclusion:
In this blog post, we have provided a comprehensive step-by-step guide to creating an AWS Client VPN connection with a peered VPC. By following these instructions, you can set up a secure VPN connection and enable communication between your client and the AWS environment, as well as connect to resources in a peered VPC. Enjoy seamless and secure connectivity to your AWS resources!
Top comments (0)