Post

Latest AWS Managed Client VPN Connection

Abstract

Creating and managing VPN connections to AWS Cloud Networks is a regular task that we periodically face with. One of the communication channels is VPN connection. For a while if you want to establish VPN connection you have to spin up EC2 instance from AMI in the Marketplace that has preinstalled and configured OpenVPN, or DIY - setup OpenVPN from the scratch and configure it. It takes time and resources to manage such setups. But AWS has released managed vpn-client service. Let’s go through bootstrap process and check its compatibilities.

Target Architecture Diagram

Here is a Client VPN ecosystem and its integration point when auto provisioning as a managed service in AWS Cloud:

  • client VPN Endpoint (main entry point with 443 port)
  • AWS ACM with Client/Server certificates that are establishing secure connection
  • Target SN association to interact with resources
  • Internet GW, DNS server
  • Connection handler Lambda that can be easily integrated by ARN with connection requests

infra.png

Let’s go through setup process and look to each component.

Everything start with Certificate generation:

1
2
3
4
5
6
git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
./easyrsa build-client-full client1.domain.tld nopass

Copy server certificate and key and client cert and key to custom folder:

1
2
3
4
5
6
7
mkdir ~/custom_folder/
cp pki/ca.crt ~/custom_folder/
cp pki/issued/server.crt ~/custom_folder/
cp pki/private/server.key ~/custom_folder/
cp pki/issued/client1.domain.tld.crt ~/custom_folder
cp pki/private/client1.domain.tld.key ~/custom_folder/
cd ~/custom_folder/

Upload server cert and key and client cert and key to ACM

1
2
3
aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt --region us-east-1                                   <aws:playgroud-ops:DevUser>
{
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/a828"
1
2
3
aws acm import-certificate --certificate fileb://client1.domain.tld.crt --private-key fileb://client1.domain.tld.key --certificate-chain fileb://ca.crt --region us-east-1           <aws:playgroud-ops:DevUser>
{
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/8ce1"

After uploading this certificates will be available at AWS ACM and are ready to be associated in authentication.

Create VPN Client

img_11.png

VPN connection authentication:

Now it’s time to attach uploaded certificates by ARN to client vpn.

img_6.png

Connection logging

Additionally, Client VPN support CloudWatch logging for multiple metrics.

img_7.png

Connection handling

We can enable connection handling and specify the lambda function that will be trigger on connection events. img_8.png

Enable split tunnel

Choose transport TCP or UDP. Split tunnel parameter controls either all traffic will be routed to AWS Cloud or only traffic related to AWS IP range. img_10.png

Create VPN client:

img_3.png On completing the wizard, vpn client status is in Pending-associate mode - we need associate SN with this endpoint

Create association:

img_13.png Once Target Subnet is associated, it will take 5-10 min to complete the setup.

Create authorization rules:

Authorization rules allow to narrow the NW addresses for connection to endpoint img_14.png

Download OVPN configuration file from AWS Console

Now it’s time to download ovpn file that can be directly imported into OpenVPN Client.

This configuration file does not have all required information, so we should manualy update host name, add sections with client certificates according to following instructions: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html

After importing configuration into OpenVPN Connect vpn channel is setup:

MACOS side: img.png

AWS side: img_17.png

Check CloudWatch metrics:

CloudWatch provides excellent views to monitor the data transfer per each connection, log individual sessions and connection pull. img_19.png

Double-Check Client-VPN status from CLI:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
aws ec2 describe-client-vpn-endpoints --region=us-west-1
{
    "ClientVpnEndpoints": [
        {
            "ClientVpnEndpointId": "cvpn-endpoint-123456789012",
            "Description": "Client VPN example",
            "Status": {
                "Code": "available"
            },
            "CreationTime": "2023-09-10T11:39:05",
            "DnsName": "*.cvpn-endpoint-123456789012.prod.clientvpn.us-west-1.amazonaws.com",
            "ClientCidrBlock": "10.20.0.0/22",
            "DnsServers": [
                "8.8.8.8"
            ],
            "SplitTunnel": false,
            "VpnProtocol": "openvpn",
            "TransportProtocol": "udp",
            "VpnPort": 443,
            "ServerCertificateArn": "arn:aws:acm:us-west-1:123456789012:certificate/7d00",
            "AuthenticationOptions": [
                {
                    "Type": "certificate-authentication",
                    "MutualAuthentication": {
                        "ClientRootCertificateChain": "arn:aws:acm:us-west-1:123456789012:certificate/cd2e"
                    }
                }
            ],
            "ConnectionLogOptions": {
                "Enabled": false
            },
            "Tags": [
                {
                    "Key": "environment",
                    "Value": "ovpn"
                }
            ],
            "SecurityGroupIds": [
                "sg-0bb8"
            ],
            "VpcId": "vpc-1",
            "ClientConnectOptions": {
                "Enabled": false,
                "Status": {
                    "Code": "applied"
                }
            },
            "SessionTimeoutHours": 24,
            "ClientLoginBannerOptions": {
                "Enabled": false
            }
        }
    ]
}

Conclusions:

AWS Client VPN makes process of vpn connection setup much more secure and easier compared to DIY EC2-based vpn server. In the next post Automating AWS Client VPN creation with Terraform and Scripts we will automate its setup using Terraform and scripts to make setup process even faster and robust.

This post is licensed under CC BY 4.0 by the author.