AWS Client VPN is a managed client-based VPN solution that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from anywhere using an OpenVPN-based VPN client. It will automatically scale up, or down, based on demand. It integrates with existing AWS services, including AWS Directory Service and Amazon VPC.

Architecture to follow

[Architecture diagram: a Client VPN endpoint associated with VPC A, with VPC B reached over a transit gateway attachment]

How Client VPN works

It is a fully managed service: AWS runs all the back-end infrastructure for the Client VPN endpoint. The working principle of Client VPN is shown in the diagram below.

[Diagram omitted; source: AWS documentation]


Client VPN Authentication Options

Client authentication is implemented at the first point of entry into the AWS Cloud. It determines whether clients are allowed to connect to the Client VPN endpoint. If authentication succeeds, clients can connect to the Client VPN endpoint and establish a VPN session.

AWS Client VPN offers the following client authentication mechanisms:

  1. Active Directory authentication (user-based)
  2. Mutual authentication (certificate-based)
  3. Single sign-on (SAML-based federated authentication) (user-based)

You can use one of the methods listed above alone, or combine mutual authentication with one of the user-based methods. With mutual authentication alone, possession of a client certificate is the whole credential, so issue one certificate per user and keep a revocation process ready (a certificate revocation list can be imported into the endpoint).
In our demo, we are going to use the mutual authentication (certificate-based) option.

Prerequisites

  1. An AWS account with the required permissions (Client VPN, Certificate Manager)
  2. One VPC: VPC A (10.10.0.0/23)
  3. Three subnets in VPC A
  4. An internet gateway in VPC A, so that clients can also reach the internet through AWS
  5. A NAT gateway in VPC A
  6. Application instances in each VPC, used to verify connectivity over the Client VPN
  7. A CloudWatch Logs log group for connection logging

Steps to follow

  1. Generate server and client certificates and keys
  2. Create a Client VPN endpoint
  3. Associate a target network
  4. Add authorization rules for the VPC
  5. Provide access to the internet
  6. Verify security group requirements
  7. Add routes for the internet and for other VPCs reachable over the transit gateway
  8. Download the Client VPN endpoint configuration file
  9. Connect to the Client VPN endpoint

Deploying Client VPN solution with Transit Gateway

Generate server and client certificates and keys

Because we are using mutual authentication, Client VPN authenticates the client and the endpoint to each other with certificates. You need a server certificate and key, and at least one client certificate and key. The server certificate is imported into AWS Certificate Manager (ACM) and referenced when the Client VPN endpoint is created. Issue a separate client certificate per user rather than sharing one: it is the only credential the endpoint checks, and per-user certificates let you revoke a single person by importing a certificate revocation list into the endpoint.

We will use the OpenVPN easy-rsa utility to generate the server and client certificates. On Windows, use Git Bash or PowerShell; cmd.exe may not work.

1. Clone the easy-rsa repository: git clone https://github.com/OpenVPN/easy-rsa.git
2. cd easy-rsa/easyrsa3
3. Initialize the PKI environment: ./easyrsa init-pki
4. Create a new certificate authority (CA): ./easyrsa build-ca nopass
5. Generate the server certificate and key: ./easyrsa build-server-full server nopass
6. Generate the client certificate and key: ./easyrsa build-client-full client1.domain.tld nopass
7. Copy the server and client certificates and keys to one directory

$ mkdir ~/vpn
$ cp pki/ca.crt ~/vpn/
$ cp pki/issued/server.crt ~/vpn/
$ cp pki/private/server.key ~/vpn/
$ cp pki/issued/client1.domain.tld.crt ~/vpn/
$ cp pki/private/client1.domain.tld.key ~/vpn/
$ cd ~/vpn

nopass leaves the CA key (pki/private/ca.key) unencrypted. That is acceptable for a demo, but anyone holding that key can issue client certificates the endpoint will trust, so for real use protect it with a passphrase and keep it off the machines you distribute configuration files from.

8. Upload the server certificate (and, optionally, the client certificate) to ACM

$ aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt --region ap-south-1
$ aws acm import-certificate --certificate fileb://client1.domain.tld.crt --private-key fileb://client1.domain.tld.key --certificate-chain fileb://ca.crt --region ap-south-1

Each command prints the ARN of the imported certificate; note the server certificate ARN for the next step. When the client certificate was issued by the same CA as the server certificate, the second import is optional: you can use the server certificate ARN for both the server and the client certificate fields when creating the endpoint.

Create a Client VPN endpoint

Navigate to the VPC section in the AWS Management Console, and choose Client VPN endpoints from the left navigation panel. Click on create client VPN endpoint.

Enter a name, a description and the client IPv4 CIDR. The block size must be between /12 and /22, the range must not overlap the CIDR of the VPC whose subnets you will associate or any route you add to the endpoint later, and it cannot be changed after the endpoint is created, so size it for the number of concurrent clients you expect.
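As an added pre-flight check (this helper is not from the article or from AWS; the /12 to /22 bound and the no-overlap rule are AWS requirements, the function and its messages are ours), the following Python validates a candidate client CIDR against the VPC CIDRs you will associate and against destinations you plan to route later. It uses the article's own values, 192.168.0.0/22 for clients and 10.10.0.0/23 for VPC A, as sample input:

```python
import ipaddress

# Added pre-flight check for this article; not AWS code. The /12 to /22 block
# size and the no-overlap rule are AWS requirements for a Client VPN client
# CIDR; the helper and its messages are ours.


def validate_client_cidr(client_cidr, vpc_cidrs, planned_routes=()):
    """Return a list of problems with client_cidr; an empty list means it is usable.

    vpc_cidrs:      CIDRs of the VPC(s) whose subnets will be associated.
    planned_routes: CIDRs you intend to add as routes later (peered VPCs,
                    on-premises ranges, VPC B over the transit gateway).
    Clients get their addresses from this range, so it must not collide with
    any destination they will talk to, or routing becomes ambiguous.
    """
    try:
        # strict=True rejects ranges with host bits set, e.g. 192.168.1.0/22.
        client = ipaddress.ip_network(client_cidr, strict=True)
    except ValueError as exc:
        return [f"{client_cidr}: not a valid network address ({exc})"]

    if client.version != 4:
        return [f"{client_cidr}: the client CIDR must be IPv4"]

    problems = []
    # AWS accepts block sizes from /12 (largest range) down to /22 (smallest).
    if not 12 <= client.prefixlen <= 22:
        problems.append(
            f"{client_cidr}: prefix /{client.prefixlen} is outside the allowed /12 to /22 range")

    for label, cidrs in (("VPC", vpc_cidrs), ("planned route", planned_routes)):
        for other in cidrs:
            net = ipaddress.ip_network(other, strict=False)
            if net.version == client.version and client.overlaps(net):
                problems.append(f"{client_cidr} overlaps {label} CIDR {other}")
    return problems


if __name__ == "__main__":
    # Values used in this article: clients 192.168.0.0/22, VPC A 10.10.0.0/23.
    for candidate in ("192.168.0.0/22", "10.10.0.0/22", "192.168.0.0/24"):
        print(candidate, validate_client_cidr(candidate, ["10.10.0.0/23"]) or "OK")
```

Run it before clicking Create: the console rejects an out-of-range prefix, but an overlap with a network you only route later shows up as unreachable hosts after the endpoint is live, when the CIDR can no longer be changed.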


In the next section, choose Mutual authentication and select the server certificate (and client certificate) we imported into ACM earlier.

For connection logging, enable logging of client connections and choose the CloudWatch Logs log group created earlier; the log records connection attempts, the identity presented and the assigned client address, which is what you will need when investigating a suspicious session.


Keep the remaining parameters at their defaults and click Create Client VPN endpoint.

Split-tunnel: split-tunnel is disabled by default, so all traffic from the client device is routed over the VPN tunnel (internet-bound traffic then only gets out through the NAT gateway once a 0.0.0.0/0 route and authorization rule exist). Enable it when only traffic for the routes in the endpoint's route table should go through the tunnel; those routes are pushed to the client and everything else leaves the client directly.


Associate client VPN endpoint to a target network

You can associate one or more target networks (subnets in your VPC) with a client VPN endpoint.

Under Client VPN endpoints, click Associate target network and choose the VPC and the subnet to associate. The association adds a route for that VPC to the endpoint's route table and is where client traffic enters the VPC.


Add authorization rules for the VPC

Authorization rules act as firewall rules that grant clients access to destination networks. They are evaluated together with the endpoint's route table: a route gives traffic a path, an authorization rule permits it, and a destination needs both. Add an authorization rule for each network clients should reach.

Under Client VPN endpoints, click Add authorization rule. Provide the destination CIDR (VPC A) and leave all other options at their defaults. With mutual authentication only, the rule has to allow access to all users; group-scoped rules require one of the user-based authentication methods.


To reach any other VPC or network over the VPN, add an authorization rule for its CIDR in the same way.


Provide access to the internet

For internet access over the Client VPN endpoint you need an authorization rule for 0.0.0.0/0 and a 0.0.0.0/0 route to an associated subnet whose own route table sends internet-bound traffic to the NAT gateway. We hold off on adding this rule for now so that we can first test traffic from clients to destinations inside the VPC.


Verify security group requirements

When you create a Client VPN endpoint, you can specify the security groups from the associated VPC that apply to the endpoint; they are applied to each target network association.


Here the VPC's default security group is used; in production, restrict its rules to the ports clients actually need. The instances you want to reach must also allow inbound traffic from the security group applied to the endpoint (or from the client CIDR), otherwise the VPN session comes up but the application traffic is dropped.

Create route association for Internet, Other VPCs over transit gateway

Each client VPN endpoint has a routing table that describes the available destination network routes. When you associate a subnet from a VPC with a client VPN endpoint, a route for the VPC is automatically added to the client VPN endpoint’s route table. To enable access to additional networks, such as peered VPCs, on-premises networks, or the internet, you must manually add additional routes to the endpoint’s route table.

We created the Client VPN endpoint in VPC A, so the VPC A CIDR is already in the route table. To reach any other VPC or network over the VPN, add a route as shown below.

Provide the CIDR of VPC B and choose the associated subnet of VPC A as the target: client traffic for VPC B leaves through that subnet and is forwarded over the transit gateway attachment. This only works if the VPC A subnet's own route table also sends the VPC B CIDR to the transit gateway, and if VPC B allows the client CIDR back through the transit gateway.
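To show how the authorization rules added above and this route table interact, here is an added audit script (ours, not AWS code). It models the two lookups the endpoint performs for each client packet and flags routes without an authorization rule, rules without a route, and a 0.0.0.0/0 rule. ROUTES and RULES are constructed sample data shaped like the Routes and AuthorizationRules lists printed by aws ec2 describe-client-vpn-routes and aws ec2 describe-client-vpn-authorization-rules; the field names and status codes are an assumption, so adjust them if your CLI output differs. The sample reflects the state of this walkthrough before the internet rule is added:

```python
import ipaddress

# Added example for this article, not AWS code. A Client VPN endpoint consults
# two tables for every client packet: the route table (is there a path out of
# a target subnet?) and the authorization rules (may this client go there?).
# Both must say yes. ROUTES and RULES are constructed sample data (IPv4 only)
# shaped like the `Routes` and `AuthorizationRules` lists printed by
# `aws ec2 describe-client-vpn-routes` and
# `aws ec2 describe-client-vpn-authorization-rules`; the field names and
# status codes are an assumption, so adjust them if your CLI output differs.

ROUTES = [
    # Added automatically when the VPC A subnet was associated.
    {"DestinationCidr": "10.10.0.0/23", "TargetSubnet": "subnet-0aaaaaaaaaaaaaaaa",
     "Origin": "associate", "Status": {"Code": "active"}},
    # Added manually: VPC B, reached from the VPC A subnet over the transit gateway.
    {"DestinationCidr": "10.20.0.0/16", "TargetSubnet": "subnet-0aaaaaaaaaaaaaaaa",
     "Origin": "add-route", "Status": {"Code": "active"}},
]

RULES = [
    # With mutual authentication only, every rule must allow all users;
    # group-scoped rules need a user-based authentication method.
    {"DestinationCidr": "10.10.0.0/23", "AccessAll": True, "Status": {"Code": "active"}},
    # A rule for a network that has no route: it grants nothing.
    {"DestinationCidr": "10.30.0.0/16", "AccessAll": True, "Status": {"Code": "active"}},
]


def _active_nets(entries):
    """CIDRs of the entries whose status is active (pending/failed ones do not apply)."""
    return [ipaddress.ip_network(e["DestinationCidr"], strict=False)
            for e in entries if e.get("Status", {}).get("Code") == "active"]


def can_reach(dest_ip, routes=ROUTES, rules=RULES):
    """True only if an active route AND an active authorization rule cover dest_ip."""
    ip = ipaddress.ip_address(dest_ip)
    routed = any(ip in net for net in _active_nets(routes))
    allowed = any(ip in net for net in _active_nets(rules))
    return routed and allowed


def audit(routes=ROUTES, rules=RULES):
    """Return findings about mismatches between the route table and the rules."""
    findings = []
    route_nets = _active_nets(routes)
    rule_nets = _active_nets(rules)

    for r in route_nets:
        # A route is usable only if some rule covers the whole route CIDR.
        if not any(r.subnet_of(a) for a in rule_nets):
            findings.append(f"route {r} has no authorization rule covering it; clients cannot reach it")

    for a in rule_nets:
        if not any(a.subnet_of(r) or r.subnet_of(a) for r in route_nets):
            findings.append(f"authorization rule {a} matches no route; it grants nothing")
        if a.prefixlen == 0:
            # Full-tunnel internet egress for every client: confirm it is intended
            # and that the NAT gateway path and egress controls are in place.
            findings.append(f"authorization rule {a} grants every client internet egress through the VPC")
    return findings


if __name__ == "__main__":
    print(can_reach("10.10.1.90"))   # the VPC A application instance
    print(can_reach("10.20.5.5"))    # routed to VPC B but not yet authorized
    for line in audit():
        print("-", line)
```

Feed it the real JSON from the two describe commands and you get the same checks against a live endpoint; the "route without rule" finding is the usual reason a freshly added VPC route appears to do nothing.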


Download the Client VPN endpoint configuration file

The infrastructure is now ready. Download the client configuration file from the endpoint's page in the console.


Keep the client certificate and key generated earlier (client1.domain.tld.crt and client1.domain.tld.key) at hand. Open the configuration file in any editor and either point it at the files:

cert /path/to/client1.domain.tld.crt
key /path/to/client1.domain.tld.key

or embed them inline, which makes the file self-contained:

<cert>
-----BEGIN CERTIFICATE-----
***Paste your certificate text here***
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
***Paste your private key text here***
-----END PRIVATE KEY-----
</key>

Either way the configuration file (or the key file it references) now holds a private key: store it with owner-only permissions and never hand one profile to several people.

Also prefix the endpoint DNS name in the remote line with a random label. The endpoint name resolves through a wildcard record, so any label works, and a different label per profile keeps clients from all reusing the same cached DNS answer. (OpenVPN 2.5 and later can do this automatically with the remote-random-hostname directive; if your downloaded file already contains it, no manual edit is needed.)

Original: cvpn-endpoint-0c2c9d41ee76a29fa.prod.clientvpn.ap-south-1.amazonaws.com

Modified: xxxxxx.cvpn-endpoint-0c2c9d41ee76a29fa.prod.clientvpn.ap-south-1.amazonaws.com
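As an added example (ours, not from the article, AWS or OpenVPN), the following Python performs the two edits above on a downloaded file, producing one profile per user, and writes it with owner-only permissions. SAMPLE_CONFIG, CLIENT_CERT and CLIENT_KEY are constructed placeholders that only mimic the shape of the downloaded .ovpn file and of easy-rsa's PEM output, not real material; the remote-random-hostname handling assumes an OpenVPN 2.5 or later client.

```python
import os
import re
import secrets

# Added example for this article; not AWS or OpenVPN code. SAMPLE_CONFIG,
# CLIENT_CERT and CLIENT_KEY are constructed placeholders that only mimic the
# shape of the downloaded .ovpn file and of easy-rsa's PEM output.

SAMPLE_CONFIG = """client
dev tun
proto udp
remote cvpn-endpoint-0c2c9d41ee76a29fa.prod.clientvpn.ap-south-1.amazonaws.com 443
resolv-retry infinite
nobind
remote-cert-tls server
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder CA certificate, not real...
-----END CERTIFICATE-----
</ca>
"""
CLIENT_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
CLIENT_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"

_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
_PEM_KEY = re.compile(
    r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*?-----END (?:RSA |EC )?PRIVATE KEY-----", re.S)


def randomize_remote(config, label=None):
    """Prefix a random DNS label to the endpoint hostname on each `remote` line.

    The endpoint name resolves through a wildcard record, so any label works.
    If the file already carries OpenVPN's `remote-random-hostname` directive
    (2.5+), the client does this itself and the text is returned unchanged.
    """
    if re.search(r"^remote-random-hostname\b", config, re.M):
        return config
    label = label or secrets.token_hex(4)

    def _prefix(match):
        host = match.group(2)
        # Only touch the AWS endpoint name, and never prefix it twice.
        if host.startswith("cvpn-endpoint-"):
            host = f"{label}.{host}"
        return f"{match.group(1)}{host}{match.group(3)}"

    return re.sub(r"^(remote\s+)(\S+)(.*)$", _prefix, config, flags=re.M)


def inline_credentials(config, cert_pem, key_pem):
    """Append <cert>/<key> blocks after checking that each PEM is what it claims.

    File-based `cert <file>` / `key <file>` directives are removed first so
    they cannot conflict with the inline blocks.
    """
    cert = _PEM_CERT.search(cert_pem)
    key = _PEM_KEY.search(key_pem)
    if not cert or not key:
        raise ValueError("cert_pem must contain a CERTIFICATE block and key_pem a PRIVATE KEY block")
    config = re.sub(r"^(?:cert|key)\s+\S+.*\n?", "", config, flags=re.M)
    if not config.endswith("\n"):
        config += "\n"
    return config + f"<cert>\n{cert.group(0)}\n</cert>\n<key>\n{key.group(0)}\n</key>\n"


def prepare_profile(config, cert_pem, key_pem, label=None):
    """Downloaded config plus one user's certificate and key -> that user's profile."""
    return inline_credentials(randomize_remote(config, label), cert_pem, key_pem)


def write_profile(path, text):
    """The profile embeds a private key: create it readable by the owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


if __name__ == "__main__":
    profile = prepare_profile(SAMPLE_CONFIG, CLIENT_CERT, CLIENT_KEY)
    write_profile("client1.domain.tld.ovpn", profile)
    print(profile)
```

Run it once per user with that user's certificate and key; the PEM check catches the common mistake of pasting the certificate into the key block (or the CA certificate instead of the client certificate), which otherwise only surfaces as a TLS handshake failure at connect time.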

Download OpenVPN Client from https://openvpn.net/community-downloads/

Import the edited configuration file into the OpenVPN client: click Browse, select the file, and the client connects with it.


Navigate to Connections under the Client VPN endpoint to see the active connections and the connection history. The client receives an address from the client CIDR range, 192.168.0.0/22 in this demo.


Test connectivity to the application instance in VPC A by pinging the instances created earlier. The endpoint is associated with VPC A, and with the routes and authorization rules added for the other VPCs, the instances in each VPC are reachable over the Client VPN endpoint. The ping only succeeds if the instance's security group allows ICMP from the endpoint's security group or from the client CIDR.

VPC A application instance IP: 10.10.1.90


Conclusion

Deploying AWS Client VPN is straightforward, although setting up the whole architecture took a few hours. It is simpler than a self-managed or third-party client VPN because AWS runs the endpoint infrastructure. A single Client VPN endpoint can reach EC2 instances hosted in several VPCs, and a transit gateway keeps connecting those VPCs simple. You can tighten access further with restrictive security group rules, per-user client certificates and, with user-based authentication, authorization rules scoped to AD or SAML groups.
