I wrote this article for explain as connect client vpn to our aws resources using a managed client-based vpn based on OpenVPN.
Details before you start to work:
A vpn subnet in our vpc must be create. ( or more for High Availability)
Choose a CIDR for Client vpn. It can't overlap with the our vpc.
Client CIDR ranges must have a block size between /22 and /12. It can't changed after was created.
You can't associate multiple subnets from the same Availability Zone with a Client VPN endpoint
Optional: Aws cli installed in your workstations ( upload certificates to ACM)
Let's go..
In this scenario we have created the followings components:
VPC (192.168.0.0/16): Private (192.168.0.0/24) and vpn (192.168.254.0/24) subnet.
One EC2 on private subnet for testing ssh access via vpn.
Two segurity-group: Inside-target-sg assigned to EC2 and VpnTarget-sg will be assigned to VPN Target Subnet on client vpn endpoint.
The followings Authentication methods are supported:
Active Directory (User-based)
Mutual Authentication (certificated-based)
Single Sign-on ( SAML-based federation authentication)(user-based)
In this case we use Mutual Authentication (certificated-based).
we will create server and client certificates using OpenVPN easy-rsa:
- Clone The OpenVPN easy-rsa
git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3
- Initialize a new PKI enviroment
./easyrsa init-pki
- To build a new certificate authority (CA)
./easyrsa build-ca nopass
- Generate The server certificate and key
./easyrsa build-server-full server nopass
- Generate the client certificate and key
./easyrsa build-client-full clientvpn nopass
- Copy files to other folders
cp -rp pki/{ca.crt,issued/clientvpn.crt,private/clientvpn.key} /tmp/
cp -rp pki/{issued/server.crt,private/server.key} /tmp/
- Upload certicifates and keys to ACM
aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt
aws acm import-certificate --certificate fileb://clientvpn.crt --private-key fileb://clientvpn.key --certificate-chain fileb://ca.crt
Create AWS Client VPN EndPoint
you can search this section in VPC --> Virtual Private Network(VPN) --> Client Vpn Endpoints
Name vpn endpoint: "client-vpn-endpoint"
Client Ipv4 CIDR: 172.16.0.0/20
Server Certificate ARN: server.
Choose: Use mutual Authentication
Client Certificate ARN: clientvpn
Transport Protocol: TCP
Choose VPC ID: in this case 192.168.0.0/16
Segurity Group id: (Vpntarget-sg)
- VPN Port: TCP 1194. You can choose 443, too.
Associate target subnet & Authorize Traffic
In this section, we select the client vpn endpoint created earlier for adding an authorization rule.
- Associate Subnet Target Network (192.168.254.0/24)
- Rules to grant clients access to the networks. In this case we choose 192.168.0.0/16 that is our vpc but we would choose 0.0.0./0 for sending traffic to internet.
Last step: Download and update VPN configuration file
if you need OpenVPN client. It can be download in:
https://openvpn.net/community-downloads
Select Client VPN Endpoint and "Download Client configuration" to your local workstation.
Download or copy the client certificate ( clienvpn.crt, clientvpn.key)
-
Open this configuration File and add following lines:
- cert /path/clientvpn.crt
- key /path/clientvpn.key
Import file from OpenVpn Client
Connect and Enjoy :D
Monitoring Client Connection
We can monitor all our client connections from the console for a quick real-time view of our client connections.
Conclusion
This vpn connection is a way easy, secure and fast for connecting us to our resources on AWS or on-premise DataCenter.
Top comments (0)