Configuring Hybrid Authentication (Certificates + Users) in AWS Client VPN

Introduction

In this post we look at a point-to-site VPN configuration using AWS Client VPN. Client VPN lets end users connect securely to the AWS-hosted network using both mutual (certificate) authentication and user authentication.

Before diving into the configuration steps, let us discuss the typical network architecture, as illustrated in the cover image. The architecture has one hub/transit account that acts as a demilitarized zone (DMZ) for accessing the spoke accounts. Typically the hub/transit account runs inspection services such as a firewall for any incoming traffic from the internet. In our scenario, we host the AWS Client VPN there. It uses AWS Certificate Manager for mutual authentication and AWS Managed Microsoft AD for user authentication.

Step 1) Generate server and client certificates for mutual authentication

In the hub/transit account, run the following commands to configure Client VPN.

Run the below command to clone the OpenVPN easy-rsa repo on your laptop/local machine.

git clone https://github.com/OpenVPN/easy-rsa.git

Run the below command to switch to the easyrsa3 directory.

cd easy-rsa/easyrsa3

Initialize the new PKI environment.

./easyrsa init-pki

Build a new certificate authority (CA) by running the below command.

./easyrsa build-ca nopass

To generate the server certificate and key run the below command.

./easyrsa --san=DNS:server build-server-full server nopass

Generate the client certificate and key.

./easyrsa build-client-full client1.domain.tld nopass

Copy the server certificate, key and CA chain, and the client certificate and key, to a custom folder named “awsclientvpn”.

mkdir ~/awsclientvpn/
cp pki/ca.crt ~/awsclientvpn/
cp pki/issued/server.crt ~/awsclientvpn/
cp pki/private/server.key ~/awsclientvpn/
cp pki/issued/client1.domain.tld.crt ~/awsclientvpn/
cp pki/private/client1.domain.tld.key ~/awsclientvpn/
cd ~/awsclientvpn/

Zip the custom directory and upload the zip file to CloudShell in the account where Client VPN will be configured. In this scenario, that is the hub/transit AWS account.

cd ~
zip -r awsclientvpn.zip awsclientvpn

After uploading the zip file to CloudShell in the account where Client VPN will be configured, unzip it.

Run the below command from the directory containing the extracted files to import the server certificate into AWS Certificate Manager.

aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt

Run the below command to import the client certificate into AWS Certificate Manager.

aws acm import-certificate --certificate fileb://client1.domain.tld.crt --private-key fileb://client1.domain.tld.key --certificate-chain fileb://ca.crt

In the AWS console, verify that the certificates have been imported.

Step 2) Create the directory service for user authentication

In the spoke/shared services account, create a new AWS Managed Microsoft AD to integrate with Client VPN for user authentication.

aws ds create-microsoft-ad \
    --name <your-domain-name> \
    --short-name <your-netbios-name> \
    --password <your-admin-password> \
    --vpc-settings VpcId=<your-spoke-vpc-id>,SubnetIds=<spoke-subnet-id-1>,<spoke-subnet-id-2> \
    --edition STANDARD \
    --description "My AWS Managed Microsoft AD Standard"

Step 3) Create client VPN endpoint

Navigate to the VPC section of the AWS console and enter the name, description and the client CIDR that the VPN will assign to client machines.

Select the server certificate ARN. Under authentication options, choose both "mutual authentication" and "user-based authentication", and select the client certificate ARN. For user-based authentication, select Active Directory authentication, then choose the directory ID from the dropdown menu.

Enter the DNS server details. If you are using Route 53 as DNS, use the VPC+2 address (the VPC's base address plus two) as the DNS server. If the VPC CIDR is 10.10.10.0/24, the DNS IP address is 10.10.10.2.

Select UDP as the transport protocol. Select the VPC from the dropdown. Create a dedicated security group and open port 443 to allow access to the target IP addresses.

Associate the target VPC with the Client VPN endpoint.

Select the VPC to which the Client VPN endpoint needs to be associated. Choose a public subnet so that users can reach the VPN over the internet. The endpoint's ENI will be created in the selected subnet.

Add an authorization rule. In this demo, I am whitelisting all users. Use a separate AD group to allow access only to specific users.

An authorization rule is the set of instructions that allows users to access the VPN from a specific network. In the screenshot, 0.0.0.0/0 was entered to allow all users from the internet. Preferably, select a specific access group.

The Client VPN configuration is now complete.

Step 4) Configure client on local machine

Download the client configuration file to the local machine/laptop.

On your laptop, download and install the OpenVPN client.

Open the client and import the profile (*.ovpn file). Make sure to place the client certificate and key in the same folder as the *.ovpn profile file.

After the profile is successfully imported, the endpoint details will appear in the OpenVPN client.

Connect to the endpoint. When prompted, enter the password.

Once connected, the status in the client changes to connected.

Connect to EC2 servers in the spoke accounts using their private IP addresses.
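The post keeps the client certificate and key beside the .ovpn file; OpenVPN also accepts them inline as <cert> and <key> blocks, which gives one self-contained profile to hand to a user. The script below is an added example, not code from the post or from AWS: it takes the downloaded profile and the easy-rsa client1.domain.tld.crt/.key files from Step 1, keeps only the PEM block from the .crt (easy-rsa writes a human-readable dump before it in pki/issued/*.crt), refuses a profile that already carries client credentials, and appends the inline blocks. The sample profile, certificate and key are constructed placeholders, not real endpoint or key material.

```python
import re

# Constructed sample inputs; in practice read downloaded-client-config.ovpn
# and the easy-rsa client1.domain.tld.crt / .key files from Step 1.
SAMPLE_OVPN = """client
remote cvpn-endpoint-EXAMPLEID.prod.clientvpn.us-east-1.amazonaws.com 443
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0EtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
</ca>
"""
# easy-rsa prefixes pki/issued/*.crt with a text dump of the certificate;
# only the PEM block belongs in the profile.
SAMPLE_CRT = """Certificate:
        Subject: CN=client1.domain.tld
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0xJRU5ULUNFUlQtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
"""
SAMPLE_KEY = """-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZLVBMQUNFSE9MREVS
-----END PRIVATE KEY-----
"""

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Accepts PKCS#8 ("PRIVATE KEY") as well as legacy "RSA/EC PRIVATE KEY" headers.
PEM_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)


def extract_pem(text, pattern, what):
    """Return the first PEM block matching pattern; reject files with none."""
    m = pattern.search(text)
    if not m:
        raise ValueError(f"no {what} PEM block found")
    return m.group(0)


def build_profile(ovpn_text, cert_file_text, key_file_text):
    """Append inline <cert>/<key> blocks to the downloaded .ovpn profile."""
    lines = ovpn_text.splitlines()
    if not any(line.startswith("remote ") for line in lines):
        raise ValueError("not a client profile: no 'remote' line")
    if any(line.startswith(("cert ", "key ", "<cert>", "<key>")) for line in lines):
        raise ValueError("profile already carries client credentials")
    cert = extract_pem(cert_file_text, PEM_CERT, "certificate")
    key = extract_pem(key_file_text, PEM_KEY, "private key")
    return "\n".join(lines + ["<cert>", cert, "</cert>", "<key>", key, "</key>", ""])
```

Write the returned text to a new .ovpn file and import that into the OpenVPN client instead of the downloaded one; the key is then embedded, so the file must be protected like the .key file itself.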

Reference:

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-auth-mutual-enable.html
