AWS Client VPN allows users to connect to their VPC securely over the Internet. On AWS side, we configure client VPN endpoint. On the user side, we install the AWS VPN client software.
Here is a diagram demonstrating how we can use AWS Client VPN to connect to multiple VPCs.
Read on to see how it’s set up.
Generated keys and certificates
First use the easy-rsa scripts to generate a bunch of keys and certs
git clone https://github.com/OpenVPN/easy-rsa.git
# ca cert in pki/ca.crt
./easyrsa build-ca nopass
# server cert in pki/private/server.key pki/issued/server.crt
./easyrsa build-server-full server nopass
# client cert, generate more if needed. Use an FQDN that represents the user.
# This FQDN is shown in the connection table and also logged in cloudwatch logs.
# creates pki/private/office-users.domain.local.key pki/issued/office-users.domain.local.crt
./easyrsa build-client-full office-users.domain.local nopass
Once they are generated, import the server and client certs into AWS certificate manager. Use pki/ca.crt as the chain cert.
Configure client VPN endpoint
Next, go to AWS VPN console and create a client VPN endpoint. Select the server and client certs, assign a security group to this endpoint. This SG needs to be referenced on target resources to allow access. Then go to association and associate a VPC and subnet. One can only associate subnets in one VPC. Additional subnets can be added for redundancy.
Next, authorize access by going to the authorization tab. Allow access to a CIDR range in the directly connected VPC. If you are using directory service authentication, enter the AD group SID to be allowed to a specific CIDR range. For example, users in AD group “developers” are allowed to access the “DEV” VPC. Users in “devops” group are allowed to access both DEV and PROD. Obtain the group SID using the Get-ADGroup powershell command, then put the group SID here.
# To get group SID for Administrators PS> Get-ADGroup -Identity Administrators ... SID : S-1-5-32-544
If there are additional VPCs peered to the directly connected VPC, add their CIDR ranges here.
Next setup the route tables. This is only needed if there are peered VPCs. The route for the directly connected VPC is automatically populated. Add routes here so packets for the peered VPC are routed through the directly connected VPC.
Lastly, go to the target resources and edit the security group. Allow access from the VPN endpoint SG as source.
The user side
Download and install AWS VPN client, which can be obtained here. Once installed, go to AWS VPN console and download the client VPN profile. If using certificate-based authentication, edit the profile config file and add the following sections to the file.
content of pki/private/office-users.domain.local.key
content of pki/issued/office-users.domain.local.crt
Add the profile to the VPN client, click connect and that’s it!
Linux openvpn client
If your client machine is Linux, AWS does not provide a client. We will need to use the openvpn client. First, install the openvpn package
apt install openvpn
Save the connection profile under /etc/openvpn/awsvpn.conf, and then make the following changes. Even though I’m using AD authentication, I’m still required to supply the client cert and key.
# tell openvpn where the username and password is auth-user-pass /etc/openvpn/cred.txt # and add the followings tls-client cert /etc/openvpn/client.crt key /etc/openvpn/client.key pull # to enable split tunnel, add the routes to your VPC CIDRs manually route-nopull route 172.30.0.0 255.255.0.0 route 172.26.0.0 255.255.0.0
Create the credential file with 2 lines of text
Once the config and credential file are made, test it with the following command
openvpn --config /etc/openvpn/awsvpn.conf
If it all goes well, create a systemd service so this VPN can be started on boot.
systemctl enable openvpn@awsvpn
systemctl start openvpn@awsvpn
Read https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/troubleshooting.html#resolve-host-name for troubleshooting.
Check out my wiki page if you want to enable MFA for AWS client vpn.