AWS VPN Client

Description

AWS Client VPN is a managed client-based VPN service that allows secure access to AWS resources. It supports any OpenVPN-based VPN client.

Solution is billed for each client VPN connection per hour. Billing is pro-rated for the hour.

Lab Schema

Preconfiguration

1.Clone easyrsa project do configure CA

 

$ git clone https://github.com/OpenVPN/easy-rsa.git

2. Initialise new PKI and create CA cert

 

$ cd easy-rsa/easyrsa3

$ ./easyrsa init-pki

$ ./easyrsa build-ca nopass

3. Generate server/client certs/keys

 

$ ./easyrsa build-server-full server.radkowski.local  nopass

$ ./easyrsa build-client-full client1.radkowski.local  nopass

Configs

4. ACM config

Log to AWS Console, select Amazon Certificate Manager and click Import certificate

5. Certificate import

 

Import both certs created in step #2:

  • paste certificate located in issued directory into Certificate Body window
  • paste key located in private directory into Certificate Private Key window
  • paste ca.crt located in ./pki/ca.crt into Certificate Chain window

 

List of files:

  • server:
    • ~/easy-rsa-easyrsa3/pki/ca.crt
    • ~/easy-rsa-easyrsa3/pki/issued/serverVPN.crt
    • ~/easy-rsa-easyrsa3/pki/provate/serverVPN.crt
  • client:
    • ~/easy-rsa-easyrsa3/pki/ca.crt
    • ~/easy-rsa-easyrsa3/pki/issued/me.radkowski.pro.crt
    • ~/easy-rsa-easyrsa3/pki/provate/me.radkowski.cloud.key

6. Create Client VPN Endpoint

 

Log into AWS Console, select VPC -> Client VPC Endpoints

7. Configure Client VPN Endpoint

 

Configure VPN Endpoint using certificates imported in step 5

8. Download VPN config file

 

Use Console to download automaticaly generated VPN config (ovpn file)

9. Associate Client VPN to target network

 

Use Console (associations tab) to associate VPN with target subnets. Multiple associations can be provided in assumption that only one association per AZ is available

10. Authorize ingress

 

Use Console (authorization tab) to define networks which clients can connect from

11. Update config

 

Using editor update ovpn config downloaded in step #8 by adding two sections:

  • cert (client certificate generated in step #3)
  • key (client key generated in step #3)

Both cert and key should be added using <cert> </cert> and <key> </key> blocks

12. Download AWS VPN Client

 

Using following link, download AWS VPN Client

https://aws.amazon.com/vpn/client-vpn-download/

Alternatively any openvpn client can be used:

  • https://tunnelblick.net/
  • https://openvpn.net/download-open-vpn/

13. Create AWS VPN Client Profile

 

Create profile using config file, updated in step #11

me@radkowski.pro