
fhorisberger for AWS Community Builders


AWS Client VPN

I wrote this article to explain how to connect VPN clients to our AWS resources using AWS Client VPN, a managed client-based VPN based on OpenVPN.

Details before you start to work:

  • A VPN subnet must be created in our VPC (or more than one for high availability).

  • Choose a CIDR for the Client VPN. It can't overlap with our VPC.

  • Client CIDR ranges must have a block size between /22 and /12. The range can't be changed after the endpoint is created.

  • You can't associate multiple subnets from the same Availability Zone with a Client VPN endpoint.

  • Optional: the AWS CLI installed on your workstation (to upload certificates to ACM).
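
The constraints above can be checked before anything is created. The following is an added example, not part of the original article: the `preflight` function and the Availability Zone names are assumptions, while the CIDRs are the ones this article uses in its scenario.

```python
import ipaddress

def preflight(vpc_cidr, client_cidr, associations):
    """Return a list of problems; an empty list means the plan passes.

    associations: list of (subnet_cidr, availability_zone) target subnets.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    try:
        # strict parsing rejects a range with host bits set, e.g. 172.16.0.1/20
        client = ipaddress.ip_network(client_cidr)
    except ValueError as exc:
        return [f"client CIDR {client_cidr!r} is not a valid network: {exc}"]

    problems = []
    # Block size must be between /22 and /12 and is fixed after creation.
    if not 12 <= client.prefixlen <= 22:
        problems.append(f"client CIDR {client} must be between /22 and /12")
    # The client range must not overlap the VPC.
    if client.overlaps(vpc):
        problems.append(f"client CIDR {client} overlaps VPC {vpc}")

    if not associations:
        problems.append("no target subnet to associate")
    seen_az = {}
    for subnet_cidr, az in associations:
        subnet = ipaddress.ip_network(subnet_cidr)
        if not subnet.subnet_of(vpc):
            problems.append(f"target subnet {subnet} is not inside VPC {vpc}")
        if az in seen_az:
            problems.append(f"{subnet} and {seen_az[az]} are both in {az}; "
                            "only one subnet per Availability Zone can be associated")
        else:
            seen_az[az] = subnet
    return problems

# Constructed sample plans. The first uses the article's CIDRs; AZ names are assumed.
ARTICLE_PLAN = ("192.168.0.0/16", "172.16.0.0/20",
                [("192.168.254.0/24", "us-east-1a")])
BAD_PLAN = ("192.168.0.0/16", "192.168.128.0/24",
            [("192.168.254.0/24", "us-east-1a"), ("192.168.253.0/24", "us-east-1a")])

if __name__ == "__main__":
    for name, plan in (("article", ARTICLE_PLAN), ("bad", BAD_PLAN)):
        issues = preflight(*plan)
        print(name, "OK" if not issues else "\n  ".join(["FAILED"] + issues))
```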

Let's go..

In this scenario we have created the following components:
VPC (192.168.0.0/16): private (192.168.0.0/24) and VPN (192.168.254.0/24) subnets.

One EC2 instance on the private subnet for testing SSH access via the VPN.

Two security groups: Inside-target-sg, assigned to the EC2 instance, and VpnTarget-sg, which will be assigned to the VPN target subnet on the Client VPN endpoint.

The following authentication methods are supported:

  • Active Directory (user-based)

  • Mutual Authentication (certificate-based)

  • Single Sign-on (SAML-based federated authentication) (user-based)

In this case we use Mutual Authentication (certificate-based).

We will create the server and client certificates using OpenVPN easy-rsa:

  • Clone the OpenVPN easy-rsa repository

git clone https://github.com/OpenVPN/easy-rsa.git

cd easy-rsa/easyrsa3

  • Initialize a new PKI environment

./easyrsa init-pki

  • Build a new certificate authority (CA)

./easyrsa build-ca nopass

  • Generate the server certificate and key

./easyrsa build-server-full server nopass

  • Generate the client certificate and key

./easyrsa build-client-full clientvpn nopass

  • Copy the files to another folder

cp -rp pki/{ca.crt,issued/clientvpn.crt,private/clientvpn.key} /tmp/

cp -rp pki/{issued/server.crt,private/server.key} /tmp/

  • Upload the certificates and keys to ACM (run these from /tmp, where the files were copied)

aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt

aws acm import-certificate --certificate fileb://clientvpn.crt --private-key fileb://clientvpn.key --certificate-chain fileb://ca.crt

Create AWS Client VPN Endpoint

You can find this section in VPC --> Virtual Private Network (VPN) --> Client VPN Endpoints

  • Name of the VPN endpoint: "client-vpn-endpoint"

  • Client IPv4 CIDR: 172.16.0.0/20

  • Server Certificate ARN: server

  • Choose: Use mutual authentication

  • Client Certificate ARN: clientvpn

Certificates and CIDR

  • Transport Protocol: TCP

  • Choose VPC ID: in this case 192.168.0.0/16

  • Security Group ID: (Vpntarget-sg)

choose SG and VPCID

  • VPN Port: TCP 1194. You can choose 443, too.

Choose port number

Associate target subnet & Authorize Traffic

In this section, we select the Client VPN endpoint created earlier to add an authorization rule.

  • Associate the target network subnet (192.168.254.0/24)

Subnet target network

  • Authorization rules grant clients access to networks. In this case we choose 192.168.0.0/16, which is our VPC, but we could choose 0.0.0.0/0 to send traffic to the internet.

Authorization Rule

Last step: Download and update VPN configuration file

If you need the OpenVPN client, it can be downloaded from:

https://openvpn.net/community-downloads

  • Select the Client VPN endpoint and choose "Download Client configuration" to save the file to your local workstation.

  • Download or copy the client certificate and key (clientvpn.crt, clientvpn.key)

  • Open the configuration file and add the following lines:

    • cert /path/clientvpn.crt
    • key /path/clientvpn.key
  • Import the file from the OpenVPN client

  • Connect and Enjoy :D

Monitoring Client Connection

We can monitor all our client connections from the console for a quick real-time view.

Monitoring Connection

Conclusion

This VPN connection is an easy, secure and fast way to connect to our resources on AWS or in an on-premises data center.