Secure Remote Access – AWS Client VPN & Endpoint Deployment

Introduction

AWS Client VPN is a managed client-based VPN service that enables end-users to securely access your AWS resources. With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client.

Overview

Create VPC

  1. VPC
    a. Navigate to VPC Console
    b. Create a VPC
    c. Provide a name for this VPC
    d. Enter an IPV4 CIDR
  2. Subnet(s)
    a. Navigate to Subnet
    b. Click Create a Subnet
    c. Select the VPC created above
    d. Provide a subnet name
    e. Enter an IPV4 CIDR that is part of the larger VPC CIDR

Authentication

Client VPN supports three authentication methods for the first point of entry into AWS:

  • Active Directory – user based
  • Mutual Authentication – certificate based
  • SSO via SAML – user based

For this exercise, we will use the certificate-based option, using a Linux OS to create the certificates and keys.

  1. Create a file with the contents below
  2. Make the file executable by running chmod +x [filename]
  3. Run the file by running ./[filename]

#!/bin/bash
# Ask for the folder (under the home directory) that will hold the generated certificates and keys.
echo "Enter a folder name"
read -r folder
if [ -d ~/"$folder" ]; then
  echo "This folder exists"
else
  mkdir -p ~/"$folder"
fi
# Fetch easy-rsa and build a CA, a server certificate and one client certificate (no passphrases).
git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3 || exit 1
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
./easyrsa build-client-full client1.domain.tld nopass
# Copy the files that will later be imported into ACM into the chosen folder.
cp pki/ca.crt ~/"$folder"/
cp pki/issued/server.crt ~/"$folder"/
cp pki/private/server.key ~/"$folder"/
cp pki/issued/client1.domain.tld.crt ~/"$folder"/
cp pki/private/client1.domain.tld.key ~/"$folder"/
# Leave the user in a shell inside the new folder.
cd ~/"$folder"/ || exit 1
exec bash

Creating Certificate and Keys

  1. When you run the executable, you will be asked for the name of a folder to be created, which will store all the certificate files and keys
  2. Once you provide a folder name and hit Enter, you will be asked for the common name for the certificate. You can name this anything you desire; hit Enter
  3. A review will be presented to you and the script will ask you to confirm by typing ‘yes’; hit Enter
  4. Another review will be presented to you for the next set of keys and the script will ask you to confirm by typing ‘yes’; hit Enter
  5. Once completed, you will be placed in the new folder, which contains the crt and key files to be imported into AWS:
    • ca.crt – this is your certificate chain
    • client1.domain.tld.crt – this is your client certificate
    • client1.domain.tld.key – this is your client private key
    • server.crt – this is your server certificate
    • server.key – this is your server private key

Upload Certificate and Keys

There are a few ways to upload the certificates and keys to AWS:

CLI

Provided you have installed the AWS CLI and configured an AWS profile for it, you can run these commands to upload the certificate, key, and chain:

Server Certificate, Key, and Chain

aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt

Client Certificate, Key, and Chain

aws acm import-certificate --certificate fileb://client1.domain.tld.crt --private-key fileb://client1.domain.tld.key --certificate-chain fileb://ca.crt

AWS Console

  1. Navigate to ACM Console
  2. Import a certificate
  3. Server Certificate, Key, and Chain
    1. Open the contents of the server.crt file using a text based editor
    2. Copy the contents into the Certificate body field of the Certificate details in the console
    3. Open the contents of the server.key file using a text based editor
    4. Copy the contents into the Certificate private key field of the Certificate details in the console
    5. Open the contents of the ca.crt file using a text based editor
    6. Copy the contents into the Certificate chain field of the Certificate details in the console
    7. Click on Next
    8. Add any Tags you desire and click on Next
    9. Click on Import at the Review and Import section
  4. Client Certificate, Key, and Chain
    1. Navigate back to ACM Console and click on Import a certificate
    2. Open the contents of the client1.domain.tld.crt file using a text based editor
    3. Copy the contents into the Certificate body field of the Certificate details in the console
    4. Open the contents of the client1.domain.tld.key file using a text based editor
    5. Copy the contents into the Certificate private key field of the Certificate details in the console
    6. Open the contents of the ca.crt file using a text based editor
    7. Copy the contents into the Certificate chain field of the Certificate details in the console
    8. Click on Next
    9. Add any Tags you desire and click on Next
    10. Click on Import at the Review and Import section

Client VPN Endpoint

  1. Go to VPC Console
  2. Client VPN endpoints
  3. Create client VPN endpoint
  4. Provide a name and description if desired
  5. Enter an IPv4 CIDR that does not overlap with the target network CIDR you already have or created earlier in this exercise. The block size of this client range must be between /12 and /22
  6. Under Server certificate ARN, click the drop down and choose the Server certificate
  7. Check Use mutual authentication
  8. Under Client certificate ARN, click the drop down and choose client certificate
  9. Apart from selecting Enable split-tunnel, leave the rest of the default settings, and choose Create Client VPN Endpoint

VPN Connectivity Enablement

  1. Navigate to VPC Console
  2. Client VPN Endpoints
  3. Choose Client VPN Endpoint (click on the blue link)
  4. Click Associate target network
  5. Select the VPC (same VPC as in the Create VPC task above) and a subnet in the same VPC
  6. Click on Associate target network
  7. You can repeat the process for other subnets if you desire
  8. The state of the endpoint will go from Pending-associate to Available, and two objects are created on the endpoint:
    • a route table allowing the VPC CIDR
      • you can adjust this for your routing needs
    • a security group with the default VPC security group applied to it
      • you can adjust this for your security needs

VPN Network Authorization Enablement

  1. Navigate to VPC Console
  2. Client VPN Endpoints
  3. Choose the newly created Client VPN Endpoint
  4. Click Authorization rules
  5. Click Add authorization rule
  6. Enter the VPC CIDR you created earlier (same VPC as in the Create VPC task above)
    • You can enable access to additional networks connected to the VPC, such as AWS services, peered VPCs, and on-premises networks. For each additional network, you must add a route to the network and configure an authorization rule to give clients access.
  7. Allow access to all users
  8. Click Add authorization rule

Client VPN Configuration File

  1. Navigate to VPC Console
  2. Client VPN Endpoints
  3. Click Download client Configuration
  4. Once downloaded, open the configuration file and add the contents of the client certificate and client private key between the respective tags <cert></cert> and <key></key>, as shown in Figure 1
  5. Prepend a random string to the Client VPN endpoint DNS name in the Client VPN endpoint configuration file, as shown in Figure 2
  6. Save the file
  7. You can distribute this Client VPN endpoint configuration file to others if desired

Figure 1: client certificate and private key placed between the <cert></cert> and <key></key> tags
Figure 2: random string prepended to the Client VPN endpoint DNS name
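Steps 4 and 5 above can be scripted so each user's file is produced the same way every time. The following is an added example, not part of the original post or the AWS client: it takes the downloaded configuration text, fills or appends the <cert> and <key> blocks, and prepends a random label to the endpoint DNS name on the remote line. The endpoint hostname and PEM contents are constructed placeholders.

```python
import re
import secrets

# Constructed stand-in for a downloaded Client VPN configuration (not a real endpoint).
SAMPLE_CONFIG = """client
dev tun
proto udp
remote cvpn-endpoint-0123456789abcdef.prod.clientvpn.us-east-1.amazonaws.com 443
nobind
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""
# Constructed placeholders for client1.domain.tld.crt and client1.domain.tld.key.
CLIENT_CERT = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLIENT-CERT\n-----END CERTIFICATE-----"
CLIENT_KEY = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-CLIENT-KEY\n-----END PRIVATE KEY-----"

REMOTE_RE = re.compile(r"^remote (\S+) (\d+)$", re.MULTILINE)


def pem_block(tag, pem):
    """Wrap PEM text in an inline OpenVPN <tag>...</tag> block."""
    return f"<{tag}>\n{pem.strip()}\n</{tag}>"


def build_client_config(config, client_cert, client_key, prefix=None):
    """Apply steps 4 and 5: inline the client cert/key and prepend a random
    label to the endpoint DNS name on the 'remote' line. Safe to re-run."""
    prefix = prefix or secrets.token_hex(6)
    match = REMOTE_RE.search(config)
    if match is None:
        raise ValueError("configuration has no 'remote <host> <port>' line")
    host, port = match.groups()
    if host.startswith("cvpn-endpoint-"):  # not yet prefixed
        config = config[:match.start()] + f"remote {prefix}.{host} {port}" + config[match.end():]
    for tag, pem in (("cert", client_cert), ("key", client_key)):
        block = pem_block(tag, pem)
        if f"<{tag}></{tag}>" in config:      # empty tags present: fill them
            config = config.replace(f"<{tag}></{tag}>", block, 1)
        elif f"<{tag}>" not in config:        # tags absent: append the block
            config = config.rstrip("\n") + "\n" + block + "\n"
    return config


if __name__ == "__main__":
    print(build_client_config(SAMPLE_CONFIG, CLIENT_CERT, CLIENT_KEY))
```

Because the output embeds the client private key, generate one file per user from that user's own certificate rather than handing the single client1.domain.tld identity built above to everyone; a shared certificate cannot be revoked for one person without cutting off all of them.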

Client VPN

You can use most client VPN applications that can read the ovpn configuration file; however, for this exercise, we will use the Amazon VPN Client.

Download

The latest version for each supported operating system is found here: https://aws.amazon.com/vpn/client-vpn-download/

VPN Client Configuration

  1. Open AWS VPN Client
  2. Choose File
  3. Manage Profiles
  4. Add Profile
  5. Input a Display Name
  6. Browse and select the Client VPN Configuration file
  7. Click Add Profile
  8. Click Done
  9. Ready to connect will show your new profile
  10. Click Connect

Testing

When connectivity is established, you can view the OpenVPN statistics as follows:

Client VPN

  1. Clicking on Connection
  2. Show Details

AWS

  1. Navigate to VPC Console
  2. Client VPN Endpoints
  3. Click on the newly created endpoint
  4. Click on Connections

Connectivity from Client to AWS

  1. Test connectivity to destination AWS service (e.g., EC2) by running SSH or RDP

Conclusion

In today’s remote work environment, creating a Client VPN in your AWS environment is essential. It provides increased security, improved productivity, and is cost-effective. With the steps outlined above, you can create a Client VPN in your AWS environment and provide your remote workers with secure access to the resources they need to get their work done.
