DEV Community

muckitymuck

AWS VPN Client Endpoints

(Illustration credit: AWS Documentation)
One of the underrated features of the VPC service in AWS is the ability to deliver a secure VPN connection without the need for IP whitelists. This is very useful for small, distributed companies that rely on a mobile workforce. You can go through the trouble of whitelisting your home/office public IP to the VPC, but that has the downside of tying access to those fixed addresses. A VPN client, by contrast, can just be turned on from anywhere and provide end-to-end secure connections on the move.

In this post, I will go through the steps of making a Client VPN Endpoint on an existing VPC. An official tutorial exists and is fantastic, but in typical fashion it is dry, and the definitions and official names are easy to mix up.

Before anything can be done, we have to decide how we are going to authenticate this connection. If you want to go with Active Directory, that might look like the easy choice at first. If you have an on-premises AD service running, you will need to use AD Connector to authenticate to the VPN. The other AD choice is AWS Managed Microsoft AD, but that service comes with added costs and may not be appropriate given your organization's size or architecture.

The third choice is called Simple AD. Unfortunately it is not available in all regions. Also, you would need a dedicated server to host and manage it. Shogo Kobayashi has a better rundown on how to do that.

Today, we will be using Mutual Authentication in the form of certificates. And rather than using AWS Certificate Manager to issue a certificate automatically, we will be generating one ourselves.

[1.] You will want to use an EC2 instance to generate the certificates and keys. Head over to the AWS Authentication documentation page. It will walk you through installing OpenVPN and generating the certificates. You will end up with 5 files for the authentication process:

ca.crt
server.crt
server.key
client1.DOMAIN.crt
client1.DOMAIN.key

The ca.crt is the Certificate Authority that issued the server and client certificates and keys. You can make more client files for however many clients you need.

[2.] Head over to the AWS ACM page and hit the Import a Certificate button. On the following page you will copy/paste the body of the server key and certificate.

The parts of the files you need start and end with these markers (inclusive):

-----BEGIN CERTIFICATE-----
and 
-----END CERTIFICATE-----

The Certificate chain field is for the body of the ca.crt file you also generated.

After you are done, import the client files (using the same ca.crt file as the chain) and you will now have a functioning authentication method.

[3.] Now go to AWS VPC and choose Client VPN Endpoints from the left navigation pane. Select Create Client VPN Endpoint.

Give it a Name and Description to distinguish it.

Be careful with this part. You will not be able to change it after it is set.

Under Client IPv4 CIDR, set the IP range that clients will be assigned addresses from. The CIDR block must be between /12 and /22 in size, and it must NOT OVERLAP the VPC CIDR.

[4.] The Server Certificate ARN should appear in the drop down as the certificate you created in Step 2.

[5.] Check Use Mutual Authentication. A dropdown for Client certificate ARN should appear. Choose the ARN for the client certificate you created in the last part of Step 2.

[6.] Choose No for Do you want to log the details on client connections?

[7.] Pick the VPC ID of your VPC in the last area.

[8.] Click Create Client VPN Endpoint and go through the rest of the setup.

The Client VPN Endpoint should be ready in a few minutes.
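Because the client CIDR is locked in once the endpoint exists, a pre-flight check before clicking Create is worth having. The script below is an added example, not code from this post or from AWS: it encodes the two rules stated above (block size between /12 and /22, no overlap with the VPC CIDR) in POSIX shell. The VPC CIDR 10.0.0.0/16 and the candidate client ranges are constructed values; the `aws ec2 describe-vpcs` query in the comment is how you would fetch the real VPC CIDR.

```shell
#!/bin/sh
# Added example (not from the post or AWS): pre-flight check for the Client IPv4
# CIDR of a Client VPN endpoint. The range cannot be changed after creation, so
# the rules from the post are checked up front: /12 <= size <= /22, and no
# overlap with the VPC CIDR.

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network address (as integer) of address-integer $1 under prefix length $2.
net_of() {
  echo $(( $1 & ((4294967295 << (32 - $2)) & 4294967295) ))
}

# Usage: validate_client_cidr VPC_CIDR CLIENT_CIDR
# Returns 0 if the client range is acceptable, 1 if it breaks a rule.
validate_client_cidr() {
  vpc=$1 client=$2
  vpc_ip=${vpc%/*}; vpc_len=${vpc#*/}
  cl_ip=${client%/*}; cl_len=${client#*/}
  for len in "$vpc_len" "$cl_len"; do
    case $len in
      ''|*[!0-9]*) echo "both arguments need a /prefix length" >&2; return 1 ;;
    esac
  done
  if [ "$cl_len" -lt 12 ] || [ "$cl_len" -gt 22 ]; then
    echo "client CIDR /$cl_len is outside the allowed /12 to /22 range" >&2
    return 1
  fi
  # Two blocks overlap exactly when they agree at the shorter prefix length,
  # i.e. when one contains the other.
  short=$vpc_len
  if [ "$cl_len" -lt "$short" ]; then short=$cl_len; fi
  if [ "$(net_of "$(ip_to_int "$vpc_ip")" "$short")" -eq \
       "$(net_of "$(ip_to_int "$cl_ip")" "$short")" ]; then
    echo "client CIDR $client overlaps VPC CIDR $vpc" >&2
    return 1
  fi
  echo "client CIDR $client is acceptable for VPC $vpc"
}

# Demo with constructed values. In practice the VPC CIDR comes from:
#   aws ec2 describe-vpcs --vpc-ids vpc-xxxxxxxx --query 'Vpcs[0].CidrBlock' --output text
validate_client_cidr 10.0.0.0/16 172.16.0.0/22
validate_client_cidr 10.0.0.0/16 10.0.4.0/22 || echo "  (rejected, as it should be)"
```

A VPC can carry secondary CIDR blocks as well; run the check once against each of them, and against any range you plan to add as a route in Step 5, before creating the endpoint.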

You are now the proud owner of an AWS-hosted VPN. But before it is useful, we need to make some changes to the configuration.

Fortunately, this AWS tutorial explains the rest of the process around Associations, Authorizations and changing the VPN Endpoint config file. If you have read this far, we have covered Step 1 and Step 2. Steps 3 and 4 are straightforward and necessary to get this working. All you need to know beforehand is the AWS subnet name and the network CIDR you need to allow access to.

Step 5 is optional and covers adding Route Tables. You can add 0.0.0.0/0, for instance, which adds internet accessibility.

Step 6 is downloading and modifying your endpoint file. On your main screen select the endpoint you just made.

[1.] Click Download Client Configuration; you will get a new file.

[2.] From the first part of this tutorial find the:

client1.DOMAIN.crt
client1.DOMAIN.key

[3.] Open the config file you just downloaded and add the following (PEM markers are exactly five dashes on each side):

<cert>
-----BEGIN CERTIFICATE-----
Contents of client certificate (.crt) file
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
Contents of private key (.key) file
-----END PRIVATE KEY-----
</key>

[4.] Add some random characters before the Client VPN endpoint DNS name. The line starts with "remote " followed by the endpoint DNS name and then the port number of the Client VPN Endpoint you created here.

You will need the AWS VPN Client to finally use this.

[5.] Save that file and we will use it in a minute.

[6.] Go to this last page; you can download the Client there and it shows you the steps to get it working.
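Steps 1 to 4 above are a copy/paste job that is easy to get subtly wrong (a mangled marker, or the text dump that easy-rsa puts at the top of a .crt pasted in along with the PEM block). The script below is an added example, not code from this post or from AWS: it assembles the final .ovpn from the downloaded config, the client certificate and the client key, and it refuses any PEM block whose BEGIN/END markers are not the exact five-dash form. The sample config, certificate and key it writes are constructed placeholders; the file name downloaded-client-config.ovpn and the endpoint DNS name in the "remote" line are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or AWS): build the final client .ovpn from
# the downloaded endpoint config plus the client certificate and key, the way
# steps 1 to 4 above describe doing by hand.
set -eu

# Constructed sample files standing in for the real downloaded config and the
# easy-rsa output. The .crt carries a text dump before the PEM block, as
# easy-rsa issued certificates do, which is why only the BEGIN/END part is used.
write_samples() {
  cat >"$1/downloaded-client-config.ovpn" <<'EOF'
client
dev tun
proto udp
remote cvpn-endpoint-0123456789abcdef.prod.clientvpn.us-east-1.amazonaws.com 443
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQ0EgQk9EWQ==
-----END CERTIFICATE-----
</ca>
verb 3
EOF
  cat >"$1/client1.example.crt" <<'EOF'
Certificate:
    Data:
        Subject: CN=client1.example
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQ0xJRU5UIENFUlQgQk9EWQ==
-----END CERTIFICATE-----
EOF
  cat >"$1/client1.example.key" <<'EOF'
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQ0xJRU5UIEtFWSBCT0RZ
-----END PRIVATE KEY-----
EOF
}

# Print only the PEM block of the given kind (CERTIFICATE or PRIVATE KEY; the
# latter also matches "RSA PRIVATE KEY"). Markers must be exactly five dashes;
# a block with a mangled marker is rejected instead of being pasted into the config.
pem_block() {
  file=$1 kind=$2
  label=$(sed -n "s/^-----BEGIN \(.*$kind\)-----\$/\1/p" "$file" | head -n 1)
  [ -n "$label" ] || { echo "no '$kind' PEM block with valid markers in $file" >&2; return 1; }
  block=$(sed -n "/^-----BEGIN $label-----\$/,/^-----END $label-----\$/p" "$file")
  case $block in
    *"-----END $label-----") printf '%s\n' "$block" ;;
    *) echo "PEM block in $file has no matching END marker" >&2; return 1 ;;
  esac
}

# Random label for the "remote" host (step 4 above); pass PREFIX to override.
random_label() { od -An -N4 -tx1 /dev/urandom | tr -d ' \n'; }

# Usage: build_config BASE.ovpn CLIENT.crt CLIENT.key OUT.ovpn [PREFIX]
build_config() {
  base=$1 crt=$2 key=$3 out=$4
  prefix=${5:-$(random_label)}
  {
    # Prefix the endpoint DNS name on the "remote" line, keeping the port.
    sed "s/^remote /remote $prefix./" "$base"
    printf '<cert>\n'; pem_block "$crt" CERTIFICATE;   printf '</cert>\n'
    printf '<key>\n';  pem_block "$key" 'PRIVATE KEY'; printf '</key>\n'
  } >"$out"
  chmod 600 "$out"   # the merged file now contains the private key
  echo "$out"
}

# Demo run on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
build_config "$demo_dir/downloaded-client-config.ovpn" \
             "$demo_dir/client1.example.crt" "$demo_dir/client1.example.key" \
             "$demo_dir/client1.ovpn" >/dev/null
grep -nE '^(remote |<cert>|<key>)' "$demo_dir/client1.ovpn"
```

Before handing the merged file to a user, it is also worth confirming that the certificate and key actually belong together and chain to the CA you imported in Step 2: `openssl x509 -noout -modulus -in client1.DOMAIN.crt` and `openssl rsa -noout -modulus -in client1.DOMAIN.key` must print the same modulus, and `openssl verify -CAfile ca.crt client1.DOMAIN.crt` must succeed. The merged .ovpn contains a private key, so treat it like one: deliver it to the user over a secure channel and do not leave copies lying around on the build instance.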

THAT'S IT.

You can now connect wherever you are to your AWS VPC directly.

Thank you, Cloud Friends. I will see you next time.
