AWS Client VPN is a managed VPN service that allows users to securely access AWS resources and on-premises networks. Recently, I had to set one up for a customer. In this guide I will explain all the steps to create an aws client vpn with mutual authentication and access an EC2 using client vpn.
I'm using following basic aws network architecture to act as an application environment. Here I am using multi az architecture but it is not a must. You can proceed with a single az architecture.
Prerequisites
- AWS account with basic VPC, subnet configurations.
- AWS and Client network must not having overlapping CIDR.
- AWS EC2 in a private subnet for test connection. (act as application EC2)
- Local server connected to a private network.(In this lab I'm using a windows EC2 in 172.20.0.0/16 VPC in another account. It represents a local machine in a private network. )
For this Lab, I'm using 10.0.0.0/16 as AWS VPC CIDR and 172.20.0.0/16 as client side CIDR.
Create Client VPN Subnets and Security Groups
First I'm creating two aws private subnets representing in two availability zones to associate with client vpn endpoint in the next steps. I created that subnets with 10.0.128.0/20 and 10.0.144.0/20 because I have big IP range. You can select it align with your IP plan. Then create a route table with just local route and attach it to these subnets.
Then create a security group without adding any inboud rule and allowing all outbound traffic. This security group use as client vpn endpoint security group in the next steps.
Then we need to add a inbound rule to application ec2 security group which we created earlier in prerequisites section. Add a inbound rule to allow all the traffic from client vpn security group which we created last step.
Create Client and Server Certificates
In this lab I'm using mutual authentication for authenticate users connect users to client vpn. Therefore, we need to create client and server certificates. For that I'm using EasyRSA.
- Clone the OpenVPN easy-rsa repo to our local computer
git clone https://github.com/OpenVPN/easy-rsa.git
- Move to the easy-rsa/easyrsa3 folder
cd easy-rsa/easyrsa3
- Initialize a new PKI environment - It sets up the foundational directory structure and tracking system for your new Certificate Authority
./easyrsa init-pki
- build a new certificate authority (CA)
./easyrsa build-ca nopass
- Generate the server certificate and key
./easyrsa --san=DNS:server build-server-full server nopass
- Generate the client certificate and key.
./easyrsa build-client-full client1.domain.tld nopass
Then copy the server certificate and key and the client certificate and key to a custom folder(in this lab client-vpn). Use following commands.
mkdir ~/client-vpn/
cp pki/ca.crt ~/client-vpn/
cp pki/issued/server.crt ~/client-vpn/
cp pki/private/server.key ~/client-vpn/
cp pki/issued/client1.domain.tld.crt ~/client-vpn
cp pki/private/client1.domain.tld.key ~/client-vpn/
cd ~/client-vpn/
After that import these client and server certificates to AWS ACM. For this lab I'm using aws cli to import certificates to certificate manager. You can use aws cli with aws configure command and access keys.
aws acm import-certificate --region <client vpn creating region> --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt
aws acm import-certificate --region <client vpn creating region> --certificate fileb://client1.domain.tld.crt --private-key fileb://client1.domain.tld.key --certificate-chain fileb://ca.crt
Create Client VPN Endpoint
Now we have completed all the dependencies that need to create AWS Client VPN Endpoint.
- In the first section of client vpn endpoint creation, we need to add client IPv4 CIDR. This CIDR must be within /12 and /22. In this lab our client CIDR is 172.20.0.0/16.
- In the authentication information section, first select server certificate that we have imported to certificate manager. For authentication options, select use mutual authentication. Then select client certificate that we have imported to certificate manager.
- Connection logging and Client connect handler is not necessary to enable for this lab.
- In other parameters section I'm choosing TCP as the transport protocol and enable split tunnel. Split tunnel is very useful to route only traffic that's destined for the VPC (172.20.0.0/16) over the Client VPN tunnel. Traffic that's destined for on-premises resources or internet is not routed over the Client VPN tunnel. Then select our application vpc in the VPC ID section and select client vpn security group that we created in earlier steps.
Then create Client VPN Endpoint.
Target Network Association
Now we can see our client vpn endpoint is create but it is still in pending associate state. We need to associate subnets that we created for client vpn. For that, move to target network association section in the client vpn endpoint options.
Then select associate target network and add vpc and subnet. We should add two subnets as two associations.
It will take few minutes to associate subnets and change state from pending associate to available state.
Authorization Rules
Now our client vpn endpoint is in available state. In this step we should authorization rules. For that move to authorization rule tab and add authorization rule. Add application VPC CIDR as destination network and select Allow access to all users.
Now we have successfully created client vpn endpoint. Then download client configuration file to your local machine.
Configure OpenVPN
Use below url to download open vpn software to your local machine and install it.
Then copy following files to a directory in your local machine.
- client1.domain.tld.crt (created earlier)
- client1.domain.tld.key (created earlier)
- downloaded-client-config.ovpn (downloaded from the aws console)
Then open client configuration file and add following lines.
cert /path/to/client1.domain.tld.crt
key /path/to/client1.domain.tld.key
Modify the endpoint dns name by adding random prefix. Modified configuration file should be previewed as follows.
client
dev tun
proto tcp
remote test.cvpn-endpoint-00d4ab3a058dab099.prod.clientvpn.us-east-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
cert C:/Users/Administrator/Desktop/client-vpn/client1.domain.tld.crt
key C:/Users/Administrator/Desktop/client-vpn/client1.domain.tld.key
<ca>
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIUIATgMiViFxGskuHn1fYH2SoseKMwDQYJKoZIhvcNAQEL
BQAwHDEaMBgGA1UEAwwRZHJ0ZWNoLWNsaWVudC12cG4wHhcNMjUwNjIyMDE0NDEy
WhcNMzUwNjIwMDE0NDEyWjAcMRowGAYDVQQDDBFkcnRlY2gtY2xpZW50LXZwbjCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALkiFl3yn637L0TKzQdXavXX
9kT42MYSbxYRMhgY8B6KosJUGFQYWHTkz512PIgC6ijdPzCgcrwwL2op/Y8vmIHl
xe+FQ6QDDmXLTUEoOb/aK1C0q/VVQrKDfQVgKcG2xTKzhE1BHJRUUfMoJC4qA+9r
W/O2aiqnHJAu+KwUZc8vBnH7n/Sw24qYVq2GzLcmmTN5MvmYzSNe2lS5eMmi5/14
Bp2JtChCnioJ6lSRKodJosNTfcEULgmtl2RNue5BKiNwkQLsLnRGPepnTCsqNnN7
ZuE3opMWsvgfRq19rHdoRBGRfSpdyGSPvd9VrLlqGN1PoZgmHAKK0I8nXlVHAqzf
kKrJ9jNVboARJmLRgZ0t+4iuWAJHeVs3Swa0CeDM0p2LUVX1kPRoYxT04cG70UDL
wOavHAOwZYvaAWZaRPKXUr9bHWtL/gxkMWje7mm6RdAYkIXzl49Ax3ZJy1+dng4R
TOQdK56+iYgtArZZJtSJK2zmZjNyO6LUV9x0PTK2jZz8GEAIsOkvl8Ga8ZlwDN1t
nmaGFv3urzadECJAO9mtXGU+UDuXz7Wh4+5QotU2/Xn7dcBZ7HU0zVUvddbxlGvO
9w==
-----END CERTIFICATE-----
</ca>
reneg-sec 0
verify-x509-name server name
Connect to AWS Client VPN
Open installed client VPN software and move to upload file section. Then drag and drop or upload the modified configurations file to openvpn software. Then connect it.
Connectivity Check
Now we have connected to AWS environment with client vpn connection. For check the connectivity, I'm trying SSH to application EC2.
In this article you have learned to connect aws resources using aws client vpn with mutual authentication method. My next article will be the same use case with active directory authentication.
Follow me for more articles. Stay Connect with me on linkedin https://www.linkedin.com/in/dilusha-rasanjana/
Top comments (0)