A Setup Guide for AWS Client VPN with On-Premises Machines

Introduction

AWS Client VPN is a client-based VPN service that enables you to access resources in AWS and our on-premises network securely. With the help of a client VPN, we can access our resources from any location using OpenVPN software.

Prerequisites

AWS Account

Create Certificate & VPC

1. Log in to your AWS Account and go to the EC2 service
2. After that, launch and Linux instance with AWS CLI installed to generate a certificate and perform the below steps:

• Install git if not installed
• Git clone https://github.com/OpenVPN/easy-rsa.git

• cd easy-rsa/easyrsa3
• Initialize PKI environment (to initialize client and server certificate) execute the command “./easyrsa init-pki”
• Create a new Certification Authority (CA)- “./easyrsa build-ca nopass”
• Generate the server certificate and key- “./easyrsa build-server-full server nopass”

3. Now generate the Client certificate and key – “./easyrsa build-client-full client1.domain.tld nopass”

4. Once done with the above steps, copy server and client certificates and keys to one directory

5. Now upload the key and certificates to ACM (before that, perform “AWS configure”)

• aws acm import-certificate –certificate fileb://server.crt –private-key fileb://server.key –certificate-chain fileb://ca.crt –region ap-south-1
• aws acm import-certificate –certificate fileb://client1.domain.tld.crt –private-key fileb://client1.domain.tld.key –certificate-chain fileb://ca.crt –region ap-south-1

6. Now create VPC with the below naming convention and standards

• Create VPC (name=VPC-Mumbai) with CIDR 10.10.0.0/16
• Create private subnet “vpc-Mumbai-subnet-private1” with CIDR 10.10.128.0/20
• Create corresponding route table “vpc-Mumbai-rtb-private1-ap-south-1” with just a local route & associate with subnet “vpc-Mumbai-subnet-private1”
• Create private subnet “vpc-Mumbai-subnet-private1” with CIDR 10.10.144.0/20
• Create corresponding route table “vpc-Mumbai–rtb-private2-ap-south-1” with just a local route & associate with subnet “vpc-Mumbai-subnet-private2”
• Create security group “vpn-client-sg”
• Do not add any inbound rules
• All outbound should be allowed (All traffic – 0.0.0.0/0)

7. Launch application EC2 instance in “vpc-Mumbai-subnet-private1” subnet

• Security group inbound rule should allow “All traffic” from security group “vpn-client-sg” created in step 6

Configure AWS client VPN endpoint

8. Go to VPV service and select “client VPN endpoints” service from the Virtual private network (VPN) section

• Provide the name “client-vpn-endpoint” and the appropriate description
• Client IPv4 CIDR: 10.20.0.0/16 as the client received IP from this pool while he tries to connect with AWS

• Server Certificate ARN: Choose the Server Certificate created earlier
• Authentication Options: Choose “Use Mutual Authentication”
• Client certificate ARN: Choose the Client Certificate created earlier

• Connection Logging: No
• Transport Protocol: TCP
• VPC ID: Choose “VPC-Mumbai” VPC created
• Security Group IDs: Select the “vpn-client-sg” created earlier
• VPN port: 443

9. Create Client VPN Endpoint

Associate Target Subnet & Allow traffic

10. Select the Client VPN endpoint created earlier

11. Go to Associations and associate the target subnet “vpc-Mumbai-subnet-private2”

12. Go to Authorizations and choose Authorize Ingress

• For Destination Networks to enable -> Enter the VPC IP address 10.10.0.0/16
• Grant access to -> Choose ”Allow access to all users”

13. Add Authorization Rule

Download the VPN configuration file and Update the changes

14. Select the Client VPN endpoint and “Download Client Configuration” to your local workstation.

15. Copy the client certificate and client key created in the above Steps to any folder in the local workstation.

16. Open the configuration file in a text editor and add the following lines

• cert /path/of/client.crt
• key /path/of/client.key

17. Also, modify the endpoint dns name by adding a random prefix

• Original: cvpn-endpoint-015f804a15c3db5e2.prod.clientvpn.ap-south-1.amazonaws.com
• Modified: xxxxxx.cvpn-endpoint-015f804a15c3db5e2.prod.clientvpn.ap-south-1.amazonaws.com

Connect OpenVPN and Testing

18. Pre-requisite: You should download and install the OpenVPN client https://openvpn.net/community-downloads/

19. Import configuration file.

20. Connect the OpenVPN

21. Now open cmd and ping the private IP of the instance created at step 7 above

Conclusion

If you can ping, you successfully created a client VPN between AWS and on-premises. There are many scenarios in which we have to work on the AWS cloud doing some execution and experiments or set up some Application Server. AWS client VPN provides Secure connectivity so that every individual connects remotely with a secure OpenVPN connection and performs his job. Thanks for reading this blog Setup guide for AWS Client VPN with On-premises machines.

About CloudThat

CloudThat is also the official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft gold partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

Drop a query if you have any questions regarding Client VPN Endpoint and I will get back to you quickly.

To get started, go through our Consultancy page and Managed Services Package that is CloudThat’s offerings.