[GUIDE]: Setting up an AWS VPC Client VPN

AWS Client VPN is a managed, client-based VPN service that lets you securely reach resources in your VPC and in networks connected to it (peered VPCs, on-premises networks). Clients connect from any location with an OpenVPN-based VPN client, and in the setup below they are authenticated with X.509 client certificates (mutual TLS) issued by a CA you control.

Below are the steps to implement AWS VPC Client VPN.

Server and Client Certificates and Keys:

Generate the CA, server and client certificates and keys with easy-rsa on any Linux system:

  • git clone https://github.com/OpenVPN/easy-rsa.git
  • cd easy-rsa/easyrsa3
  • ./easyrsa init-pki
  • ./easyrsa build-ca nopass (creates the CA certificate pki/ca.crt and the CA private key pki/private/ca.key)
  • ./easyrsa build-server-full server nopass (generates the server certificate and key)
  • ./easyrsa build-client-full client1.domain.tld nopass (generates the client certificate and the client private key; issue one certificate per user so that a single user can later be revoked with a CRL without affecting the others)
  • Copy the server and client certificates and keys to a dedicated location; they are needed in the following steps:
  • mkdir /custom_folder/
  • cp pki/ca.crt /custom_folder/
  • cp pki/issued/server.crt /custom_folder/
  • cp pki/private/server.key /custom_folder/
  • cp pki/issued/client1.domain.tld.crt /custom_folder/
  • cp pki/private/client1.domain.tld.key /custom_folder/

Note: the CA private key (pki/private/ca.key) is deliberately not copied. Anyone holding it can issue client certificates that the endpoint will accept, so keep it offline and never upload or embed it. The nopass option also leaves the server and client keys unencrypted on disk, so restrict their file permissions (chmod 600) and delete working copies once they have been imported or embedded.

Upload the Certificate to AWS ACM:

Once the certificates have been created, log in to the AWS console and import them through AWS Certificate Manager (ACM) in the same Region in which the Client VPN endpoint will be created. Import the server certificate first and then the client certificate.

Note: For the server certificate, Certificate body is the contents of server.crt, Certificate private key is server.key, and Certificate chain is ca.crt. Import the client certificate the same way (client1.domain.tld.crt, client1.domain.tld.key, chain ca.crt). If the client certificate was issued by the same CA as the server certificate, AWS also accepts the server certificate ARN in the Client certificate ARN field of the next step.

Create Client VPN EndPoint:

Open the Amazon VPC console. In the navigation pane, choose Client VPN Endpoints and then Create Client VPN Endpoint. Use the certificates imported in the previous step when configuring the endpoint.

  • For Client IPv4 CIDR, specify the address range, in CIDR notation, from which client IP addresses are assigned. The block must be between /22 and /12 and must not overlap the VPC CIDR or any network you intend to route to.
  • For Server certificate ARN, specify the ARN of the server TLS certificate imported to ACM. Clients use the server certificate to authenticate the Client VPN endpoint they are connecting to.
  • For Authentication options, choose how clients are authenticated when they establish a VPN connection. To use mutual certificate authentication, select Use mutual authentication and, for Client certificate ARN, specify the ARN of the client certificate imported to ACM.
  • Choose Create Client VPN endpoint. The new endpoint is in the pending-associate state and becomes available only after a target network has been associated with it in the next step.


VPC Subnet Association:

To enable clients to establish a VPN session, you must associate a target network with the Client VPN endpoint. A target network is a subnet in a VPC; the endpoint creates a network interface in that subnet and client traffic enters the VPC through it.

Select the Associations tab, specify the VPC and the subnet to associate, and then choose Associate. Wait until the endpoint state changes from pending-associate to available.


Authorize Clients to Access a Network:

To authorize clients to access the VPC in which the associated subnet is located, you must create an authorization rule. The authorization rule specifies which clients may reach which destination network. In this document we grant access to all users by choosing Authorize Ingress and specifying 0.0.0.0/0 as the Destination CIDR. Be aware that this grants every authenticated client access to every destination the endpoint has a route for; for anything beyond a lab, scope the destination to the VPC CIDR (or to specific subnets) and add narrower rules as needed. With mutual authentication alone there are no user groups, so "Allow access to all users" is the only grant option; per-group rules require Active Directory or SAML federated authentication.

You can enable access to additional networks connected to the VPC, such as AWS services, peered VPCs and on-premises networks. For each additional network you must add a route to it and create an authorization rule that permits clients to reach it. This step is optional; routes are added with Create Route on the Route Table tab of the endpoint.
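The client CIDR and the authorization rule are the two choices above that are awkward to change after the endpoint is in use. The following Python script is an added example for this guide (not AWS tooling) that checks a planned configuration before you create the endpoint: it enforces the documented client CIDR constraints (block size between /22 and /12, no overlap with the VPC) and flags authorization rules whose destination is wider than the networks you actually intend to expose, 0.0.0.0/0 being the usual offender. The CIDR values in the usage example are constructed for illustration.

```python
"""Pre-flight checks for AWS Client VPN endpoint parameters.

Added example for this guide, not AWS code. It only uses the standard
library; all CIDRs below are constructed sample values.
"""
import ipaddress
from typing import List


def check_client_cidr(client_cidr: str, vpc_cidr: str) -> List[str]:
    """Return a list of problems with the proposed client CIDR (empty if OK)."""
    problems: List[str] = []
    client = ipaddress.ip_network(client_cidr, strict=True)
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)

    # AWS requires the client address range to be between /22 and /12.
    if not 12 <= client.prefixlen <= 22:
        problems.append(f"client CIDR {client} must have a prefix between /22 and /12")

    # The client range must not overlap the VPC (or any routed network),
    # otherwise client routes and VPC routes collide.
    if client.overlaps(vpc):
        problems.append(f"client CIDR {client} overlaps VPC CIDR {vpc}")
    return problems


def check_authorization_rule(destination_cidr: str, target_cidrs: List[str]) -> List[str]:
    """Flag an authorization rule that grants more than the intended networks.

    target_cidrs lists the networks clients are meant to reach (the VPC CIDR,
    peered VPCs, on-premises ranges). A destination such as 0.0.0.0/0 is wider
    than all of them and turns the endpoint into a route to everything that
    the endpoint's route table can reach.
    """
    dest = ipaddress.ip_network(destination_cidr, strict=True)
    targets = [ipaddress.ip_network(t, strict=True) for t in target_cidrs]
    warnings: List[str] = []

    if dest.prefixlen == 0:
        warnings.append("destination 0.0.0.0/0 grants every client access to every route on the endpoint")
    elif not any(dest.subnet_of(t) for t in targets):
        # Either wider than every target or pointing at a network not in the plan.
        warnings.append(f"destination {dest} is not contained in any intended target network")
    return warnings


def review_plan(client_cidr: str, vpc_cidr: str, rules: List[str]) -> List[str]:
    """Run all checks for one endpoint plan and return the combined findings."""
    findings = check_client_cidr(client_cidr, vpc_cidr)
    for rule in rules:
        findings.extend(check_authorization_rule(rule, [vpc_cidr]))
    return findings


if __name__ == "__main__":
    # Constructed sample plan: a lab VPC and the 0.0.0.0/0 rule from this guide.
    for finding in review_plan("172.16.0.0/22", "10.0.0.0/16", ["0.0.0.0/0"]):
        print("WARNING:", finding)
    # A tighter plan for production: rule scoped to the VPC itself.
    print("findings:", review_plan("172.16.0.0/22", "10.0.0.0/16", ["10.0.0.0/16"]))
```

Run the script before creating the endpoint and treat any finding as a reason to adjust the plan; the same checks apply to each additional route and rule you add later for peered or on-premises networks.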


Once all the steps in AWS are complete, select the endpoint and choose Download Client Configuration. The downloaded .ovpn file contains the endpoint address and the CA certificate, but not the client credentials.

Append the client certificate and key generated in step 1 (client1.domain.tld.crt and client1.domain.tld.key) to the end of the downloaded file, using the syntax below. The resulting file contains a private key: keep it readable only by its owner, give each user their own file with their own certificate, and revoke a user's certificate (by importing a CRL into the endpoint) rather than sharing files between users.

<cert>
Contents of client1.domain.tld.crt (the PEM block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----)
</cert>
<key>
Contents of client1.domain.tld.key (the PEM block from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY-----)
</key>
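Pasting the two files by hand works, but it is easy to leave a profile world-readable or to embed the wrong file. The Python script below is an added example for this guide (not AWS or OpenVPN code) that does the same assembly safely: it extracts only the PEM block from each file (easy-rsa writes a human-readable dump above the PEM in issued/*.crt), refuses to add credentials to a profile that already has inline <cert>/<key> blocks, and writes the result with mode 0600. The profile, certificate and key bodies in the sample constants are constructed placeholders, not real credentials.

```python
"""Embed a client certificate and private key into a downloaded .ovpn profile.

Added example for this guide, not AWS or OpenVPN code. The SAMPLE_* values are
constructed placeholders that only mimic the PEM structure.
"""
import os
import re
import sys

PEM_BLOCK = {
    "cert": re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S),
    # Matches "PRIVATE KEY", "RSA PRIVATE KEY" and "EC PRIVATE KEY" headers.
    "key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
}

# Constructed sample inputs (not real certificates or keys).
SAMPLE_PROFILE = (
    "client\ndev tun\nproto udp\n"
    "remote cvpn-endpoint-example.prod.clientvpn.us-east-1.amazonaws.com 443\n"
    "remote-cert-tls server\n"
    "<ca>\n-----BEGIN CERTIFICATE-----\nQ0E=\n-----END CERTIFICATE-----\n</ca>\n"
)
SAMPLE_CERT = (
    "Certificate:\n    Data:\n        Subject: CN=client1.domain.tld\n"
    "-----BEGIN CERTIFICATE-----\nQ0xJRU5U\n-----END CERTIFICATE-----\n"
)
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n"


def extract_pem(text: str, kind: str) -> str:
    """Return the first PEM block of the given kind ('cert' or 'key'); raise if absent."""
    match = PEM_BLOCK[kind].search(text)
    if not match:
        raise ValueError(f"no {kind} PEM block found in input")
    return match.group(0).strip()


def embed_client_credentials(profile: str, cert_text: str, key_text: str) -> str:
    """Return the profile with <cert> and <key> blocks appended."""
    if "<cert>" in profile or "<key>" in profile:
        raise ValueError("profile already contains inline client credentials")
    cert = extract_pem(cert_text, "cert")
    key = extract_pem(key_text, "key")
    return profile.rstrip("\n") + f"\n<cert>\n{cert}\n</cert>\n<key>\n{key}\n</key>\n"


def write_profile(path: str, content: str) -> None:
    """Write the profile readable by its owner only, since it now holds a private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)  # tighten permissions if the file already existed


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: embed_creds.py downloaded.ovpn client.crt client.key out.ovpn")
    ovpn, crt, key, out = sys.argv[1:5]
    with open(ovpn) as f_ovpn, open(crt) as f_crt, open(key) as f_key:
        result = embed_client_credentials(f_ovpn.read(), f_crt.read(), f_key.read())
    write_profile(out, result)
    print(f"wrote {out} (mode 0600)")
```

Run it as python embed_creds.py downloaded-client-config.ovpn client1.domain.tld.crt client1.domain.tld.key client1.ovpn, then import client1.ovpn into the OpenVPN client. Repeat per user with that user's certificate and key.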

Configuring OpenVPN Client:

Download and install an OpenVPN-based client on your local machine (the OpenVPN client or the AWS-provided client for Client VPN) and import the configuration file prepared in the previous step.

  • Connect to the Client VPN using the imported configuration file.
  • Test the connection by reaching an instance in the associated VPC by its private IP (for example over SSH). The instance's security group must allow that traffic from the Client VPN endpoint, that is, from the security group applied to the target network association or from the client address range; if the connection succeeds but the instance is unreachable, check the security group and the authorization rules first.

With this we have successfully established an AWS VPC Client VPN.

Author: Vittal Mhaladekar
