In this blog, we will configure the AWS VPN Client, enabling a computer on a local network to communicate securely with an AWS EC2 instance using its private IP.
Demonstration purpose: our client had a dynamic WAN IP for their home internet, meaning a new IP address was assigned every time the modem was restarted. This made it tedious to update the IP address manually each time.
Client VPN is mainly used for secure remote access; it ensures your connection is encrypted and protected.
Prerequisites:
- The permissions required to work with Client VPN endpoints.
- The permissions required to import certificates into AWS Certificate Manager.
- A VPC with at least one subnet and an internet gateway. The route table associated with your subnet must have a route to the internet gateway.
Step 1: Generate server and client certificates and keys
- https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html
- Enable mutual authentication for AWS Client VPN: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-auth-mutual-enable.html
- git clone https://github.com/OpenVPN/easy-rsa.git
- cd easy-rsa/easyrsa3
- ./easyrsa init-pki
- ./easyrsa build-ca nopass
- ./easyrsa --san=DNS:server build-server-full server nopass
- ./easyrsa build-client-full client1.domain.tld nopass
- mkdir ~/custom_folder/
- cp pki/ca.crt ~/custom_folder/
- cp pki/issued/server.crt ~/custom_folder/
- cp pki/private/server.key ~/custom_folder/
- cp pki/issued/client1.domain.tld.crt ~/custom_folder/
- cp pki/private/client1.domain.tld.key ~/custom_folder/
- cd ~/custom_folder/
Upload the certificates to ACM
You can do this in two ways: manually in the console, or with the AWS CLI.
In the console, choose Import certificate and fill in:
- Certificate body : server.crt
- Certificate private key : server.key
- Certificate chain : ca.crt
Then import a certificate again, this time for the client:
- Certificate body : client1.domain.tld.crt
- Certificate private key : client1.domain.tld.key
- Certificate chain : ca.crt
With the AWS CLI:
- aws configure
- aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt
- aws acm import-certificate --certificate fileb://client1.domain.tld.crt --private-key fileb://client1.domain.tld.key --certificate-chain fileb://ca.crt
Step 2: Create a Client VPN endpoint
- Name : client-vpn-prod
- Client IPv4 CIDR : 10.0.0.0/16
- Server certificate ARN : select the server certificate from the dropdown
- Authentication options : Use mutual authentication
- Client certificate ARN : select the client1.domain.tld certificate from the dropdown
- Enable split-tunnel : enable it
- VPC ID : select from the dropdown
- Security group IDs : select from the dropdown (note which one you choose; the EC2 security group rule in Step 5 references it)
Tab 1 🔖
- Target network association : Associate target network
- VPC : select the VPC
- Choose a subnet to associate : select the subnet where your resources are running
Tab 2 🔖
- Security groups : added automatically, no need to edit (but important for later)
Tab 3 🔖
- Authorization rules : Add authorization rule
- Destination network to enable access : 0.0.0.0/0
- Allow access to all users : select "Allow access to all users"
Tab 4 🔖
- Route table : added automatically, no need to edit
Step 2 (continued): Go back to the Client VPN endpoint
- Select VPN : client-vpn-prod
- Download : click Download client configuration
- Edit the downloaded file : go to the bottom
- Paste the contents of "client1.domain.tld.crt" inside a <cert> ... </cert> block
- Paste the contents of "client1.domain.tld.key" inside a <key> ... </key> block
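As an added example (not from the original post), this POSIX shell helper performs the edit described above: it appends the client certificate and key to the downloaded configuration as inline <cert> and <key> blocks, keeps only the PEM body (easy-rsa wraps the certificate in human-readable text that OpenVPN does not need inside the block), and restricts the resulting file's permissions since it now holds a private key. The file names are assumptions matching those used in Step 1.

```shell
#!/bin/sh
# Append the client certificate and key to a downloaded AWS Client VPN
# configuration as inline <cert>/<key> blocks (the edit done by hand above).
# Usage: inline_ovpn_creds <downloaded.ovpn> <client.crt> <client.key> <output.ovpn>
inline_ovpn_creds() {
    base="$1"; crt="$2"; key="$3"; out="$4"
    for f in "$base" "$crt" "$key"; do
        [ -r "$f" ] || { echo "inline_ovpn_creds: cannot read $f" >&2; return 1; }
    done
    # Refuse to embed twice if the file already carries inline credentials.
    if grep -q '^<cert>' "$base" || grep -q '^<key>' "$base"; then
        echo "inline_ovpn_creds: $base already contains inline <cert>/<key>" >&2
        return 1
    fi
    {
        cat "$base"
        printf '\n<cert>\n'
        # Keep only the PEM block; easy-rsa prepends a text dump of the cert.
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$crt"
        printf '</cert>\n<key>\n'
        sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$key"
        printf '</key>\n'
    } > "$out"
    # The profile now contains a private key: owner read/write only.
    chmod 600 "$out"
}

# Returns 0 when the file holds complete <cert> and <key> blocks, 1 otherwise.
ovpn_has_inline_creds() {
    grep -q '^<cert>$' "$1" && grep -q '^</cert>$' "$1" \
        && grep -q '^<key>$' "$1" && grep -q '^</key>$' "$1"
}
```

The resulting file is the one to attach as the profile in the AWS VPN Client.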
Step 3: Download the AWS VPN Client .deb package for Ubuntu
- https://docs.aws.amazon.com/vpn/latest/clientvpn-user/client-vpn-connect-linux-install.html
- curl https://d20adtppz83p9s.cloudfront.net/GTK/latest/awsvpnclient_amd64.deb -o awsvpnclient_amd64.deb
- sudo dpkg -i awsvpnclient_amd64.deb
Step 4: Create a new VPN connection
Open the application.
Click File ➡️ Manage Profiles ➡️ Add Profile
Enter a profile name ➡️ attach the edited .ovpn file
Step 5: For the demo, create an EC2 instance
a) Assign it a different security group
b) In that security group, add a new inbound rule
- Protocol : SSH (TCP/22) or ICMP
- Source : the VPN endpoint's security group ID (so only VPN clients can reach the instance)
Step 6: Ping and SSH to the EC2 instance via its private IP