AWS Client VPN

I wrote this article for explain as connect client vpn to our aws resources using a managed client-based vpn based on OpenVPN.

Details before you start to work:

• A vpn subnet in our vpc must be create. ( or more for High Availability)

• Choose a CIDR for Client vpn. It can't overlap with the our vpc.

• Client CIDR ranges must have a block size between /22 and /12. It can't changed after was created.

• You can't associate multiple subnets from the same Availability Zone with a Client VPN endpoint

• Optional: Aws cli installed in your workstations ( upload certificates to ACM)

Let's go..

In this scenario we have created the followings components:
VPC (192.168.0.0/16): Private (192.168.0.0/24) and vpn (192.168.254.0/24) subnet.

One EC2 on private subnet for testing ssh access via vpn.

Two segurity-group: Inside-target-sg assigned to EC2 and VpnTarget-sg will be assigned to VPN Target Subnet on client vpn endpoint.

The followings Authentication methods are supported:

• Active Directory (User-based)

• Mutual Authentication (certificated-based)

• Single Sign-on ( SAML-based federation authentication)(user-based)

In this case we use Mutual Authentication (certificated-based).

we will create server and client certificates using OpenVPN easy-rsa:

• Clone The OpenVPN easy-rsa

git clone https://github.com/OpenVPN/easy-rsa.git

cd easy-rsa/easyrsa3

• Initialize a new PKI enviroment

./easyrsa init-pki

• To build a new certificate authority (CA)

./easyrsa build-ca nopass

• Generate The server certificate and key

./easyrsa build-server-full server nopass

• Generate the client certificate and key

./easyrsa build-client-full clientvpn nopass

• Copy files to other folders

cp -rp pki/{ca.crt,issued/clientvpn.crt,private/clientvpn.key} /tmp/

cp -rp pki/{issued/server.crt,private/server.key} /tmp/


• Upload certicifates and keys to ACM

aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt

aws acm import-certificate --certificate fileb://clientvpn.crt --private-key fileb://clientvpn.key --certificate-chain fileb://ca.crt

Create AWS Client VPN EndPoint

you can search this section in VPC --> Virtual Private Network(VPN) --> Client Vpn Endpoints

• Name vpn endpoint: "client-vpn-endpoint"

• Client Ipv4 CIDR: 172.16.0.0/20

• Server Certificate ARN: server.

• Choose: Use mutual Authentication

• Client Certificate ARN: clientvpn

• Transport Protocol: TCP

• Choose VPC ID: in this case 192.168.0.0/16

• Segurity Group id: (Vpntarget-sg)

• VPN Port: TCP 1194. You can choose 443, too.

Associate target subnet & Authorize Traffic

In this section, we select the client vpn endpoint created earlier for adding an authorization rule.

• Associate Subnet Target Network (192.168.254.0/24)

• Rules to grant clients access to the networks. In this case we choose 192.168.0.0/16 that is our vpc but we would choose 0.0.0./0 for sending traffic to internet.

Last step: Download and update VPN configuration file

if you need OpenVPN client. It can be download in:

https://openvpn.net/community-downloads

• Select Client VPN Endpoint and "Download Client configuration" to your local workstation.

• Download or copy the client certificate ( clienvpn.crt, clientvpn.key)

• Open this configuration File and add following lines:

  • cert /path/clientvpn.crt
  • key /path/clientvpn.key

• Import file from OpenVpn Client

• Connect and Enjoy :D

Monitoring Client Connection

We can monitor all our client connections from the console for a quick real-time view of our client connections.

Conclusion

This vpn connection is a way easy, secure and fast for connecting us to our resources on AWS or on-premise DataCenter.