Access AWS Resources Securely Using Client VPN Endpoint
In this guide , We will learn how to setup a Client VPN endpoint to securely access and manage AWS Services.
What Is AWS Client VPN?
- It is a AWS managed client-based VPN service which will help us to access the AWS resources Securely.
- Client VPN endpoint can also be used for On-premise servers as well.
- We can access AWS resources from any locations using OpenVPN client with AWS client VPN.
Features Of Client VPN
Managed Service – As It is AWS managed service , We don’t need to deploy and manage any VPN solutions.
Authentication – It supports client authentication using Active directory , federated authentication and certificate-based authentications.
Secure Connections – It provides secure TLS connections using OpenVPN clients from any locations.
Deep Integration – It can be easily integrated with existing AWS services such as VPC and AWS Directory service.
Manageability – We can manage the active client connections and also we have the ability to terminate the active client connections. We can check connection logs with the information about client connections attempts.
High Availability & Elasticity – It has the capability to scale based on the number of users connections to AWS and On-premise resources.
Key Components Of Client VPN
- Client VPN Endpoint – This the resources that we create and configure to enable and manage Client VPN connections.
- Client VPN network interfaces – We will create the client VPN endpoint in the subnet that is associated with .Any traffic to the VPC will be sent through the Client VPN network interface with the help of client VPN endpoint.
- Client VPN Ports – Client VPN supports ports 443 and 1194 for TCP and UDP.
- Client – The end user from any location connection to the Client VPN endpoint to create a VPN session.
- Routes – The Client VPN endpoints will have route tables that will have the information about the available destination network interfaces.
- Authorization Rules – It restricts the users who can access the network.
- Target Network – Target network is the network interfaces that we associate with the Client VPN endpoint with the help of Routes.
Generating Server & Client Certificates
Lets create a Client VPC endpoint using AWS Console. Make sure to create the client VPN endpoint in the same region as of VPC.
We Can use 2 modes of authentication with the VPN endpoint service.
- Manual Authentication
- Active Directory Authentication
In this guide , We are going to use Manual authentication.
For manual Authentication we need to create Server and Client certificates using easy-rsa.
Easy-rsa is a tool to build and manage certificate Authorities and public keys.
The easy-rsa project is located at OpenVPN GitHub
https://github.com/OpenVPN/easy-rsa
First Lets clone the repository to the local system.
Lets create a folder named easy-rsa and clone the repo there.
mkdir easy-rsa
git clone https://github.com/OpenVPN/easy-rsa
Once the package is downloaded , Go to easyrsa3 folder and then run the below commands.
To create or to re-initialize a new PKI ,
./easyrsa init-pki
In order to sign requests to produce certificates , We need CA. To create a new CA in a PKI ,
./easyrsa build-ca
If you wish to generate CA without password , Run the below command.
./easyrsa build-ca nopass
Next we have to generate Server certificate.
./easyrsa build-server-full server nopass
Lets generate client certificate.
./easyrsa build-client-full client1 nopass
Lets create a folder and store all the certificates there.
mkdir certificates
cp pki/ca.crt certificates/ cp pki/issued/server.crt certificates/ cp pki/issued/client1.crt certificates/ cp pki/private/server.key certificates/ cp pki/private/client1.key certificates/
We have copied all the certificates to certificates folder.
We need to upload the server certificates to ACM which can used while we configure Client VPN Endpoint.
To upload the certificates to AWS Certificate Manager , Login to ACM.
Click Get Started and then choose Import a certificate
Under Select Certificate , We need to provide the server certificate details.
You will asked three details.
We need to copy and paste the certificates accordingly as shown below.
Certificate body –> server.crt
Certificate private key –> server.key
Certificate chain –> ca.crt
Once the certificates are pasted , Click Next and Import.
Now the Status of the certificate is issued.
Now Following the same procedure We need to import the Client certificates.
Once the server and the client certificates are imported.
Make a note of the server and client ARN’s , We will be using it while configuring client VPN endpoint.
Creating Client VPN Endpoint
Login to VPC Console, In the navigation pane , Under VIRTUAL PRIVATE GATEWAY Choose Client VPN Endpoints.
Click Create Client VPN Endpoint
Provide a name for the VPN Endpoint.
The Client IPV4 CIDR , this is the subnet from which remove users will get IP addresses.For example , the remote IP for my system is 172.16.5.184 and the subnet is be 172.16.5.0/22.
So Before providing the Client IPV4 CIDR , We should check with the Network team and get the right subnet details and create client VPN Endpoints.
Under Authentication information , Choose the Server certificate ARN , This will be taken from the ACM.
For Authentication Options , Use mutual authentication and then choose the Client certificate ARN.
For Connection Logging, If you wish to log the details on client connections and push the logs to cloudwatch , Choose Yes and provide the Cloudwatch Log group and Cloudwatch Log log stream.
and then Choose the VPC ID for which the Client VPN endpoint will be created.
Once all the required details are provided , Click Create Client VPN Endpoint
Once the client VPN endpoint is created , It will be in pending-associate state.
We need to associate the Client VPN endpoint with the VPC and the subnet.
Choose Associations and Click Associate
Select the VPC and the subnet to be associated with the VPN endpoint.
and then click Associate.The status of the endpoint will be in Associating state.
It will take few minutes for the VPN endpoint to be Associated.
Client VPN Configuration
Once the Client VPN endpoint is ready , We need vpn client to establish vpn connection with the vpn endpoint.
For that we need to install VPN client tool on the user’s system.
On Ubuntu , We can install OpenVPN client using the below command,
sudo apt-get install openvpn
For Windows and MacOS , The client VPN can be downloaded from the below URL.
https://aws.amazon.com/vpn/client-vpn-download/
Once the VPN client is installed on the end users system, We need .ovpn file , OpenVPn client configuration file.
We can download the .ovpn file from AWS Console. Go to VPC Console, Choose Client VPN Endpoints , Select the VPN endpoint and then click Download client configuration.
We can distribute the Client certificate and the Keys (Which we have generated earlier) to the end users along with the .ovpn configuration file.
Open the .ovpn configuration file and add the below configurations to the end of the file/
cert pathto/client.crt
key pathto/client.key
Once the cert and the key are added to the configuration file.Save and close the file.
On Linux systems , use the below command to establish the VPN connection.
sudo openvpn --config downloaded-client-config.ovpn
you should get the response as shown below.
We have established connection to the VPC endpoint and now we are able to access the AWS resources in the VPC.
Finally , We need to configure the Authorize Ingress on the Client VPN Endpoints page.
Here we are going to mention the target network where all the AWS resources are hosted.
The destination network is the CIDR range of the VPC itself. As we’re using mutual authentication , Grant access to Allow access to all users
Now the VPC is authorized.
We are now able to access the AWS resources with the help of VPN Endoints.
With the help of Client VPN endpoints , We are able to access the Private server such as EC2 , RDS etc.
Conclusion
We have implemented a solution to securely access the AWS resources with the help of Client VPN Endpoints.
Hope you find it helpful.Please do check out my other publications.