AWS Client VPN: Your Step-by-Step Setup Guide

Introduction

Amazon Web Services (AWS) offers a robust and flexible platform for creating a secure, scalable, and highly available virtual private network. The AWS Client VPN is a key component in ensuring secure remote access to your AWS resources. In this blog, we'll walk through a comprehensive step-by-step guide to setting up an AWS Client VPN, perfect for system administrators, network engineers, or anyone looking to establish a secure connection to their AWS environment.

Step 1: Create a Virtual Private Cloud (VPC)

The first step in setting up your AWS Client VPN is to create a Virtual Private Cloud (VPC). A VPC is a virtual network dedicated to your AWS account, isolated from other virtual networks in the AWS Cloud. It's where you'll launch your AWS resources, like EC2 instances.

How to Create a VPC:

  • Log in to your AWS Management Console.

  • Navigate to the VPC Dashboard and click 'Create VPC'.

  • Enter the details for your VPC, such as Name tag, IPv4 CIDR block, and Tenancy.

  • Click 'Create'.


Step 2: Create Test Subnets

Subnets are subdivisions of your VPC where you can launch AWS resources. You'll need at least two subnets for redundancy and high availability.

Creating Subnets:

  • In the VPC Dashboard, go to 'Subnets' and click 'Create subnet'.

  • Select your VPC, assign a Name tag, and specify the IPv4 CIDR block.

  • Create two subnets (Test Subnet 01 and Test Subnet 02) in different Availability Zones for better reliability.


Step 3: Generate Server and Client Certificates with EasyRSA

Server and client certificates are vital for the security of your VPN connection. EasyRSA is a widely-used tool for creating these certificates. Here, we'll generate the server and client certificates and then upload them to AWS.

Generating Certificates Using EasyRSA:

  • Download and Install EasyRSA:

  • Initialize a new PKI Environment:

    • Run ./easyrsa init-pki to initialize the Public Key Infrastructure (PKI).

  • Build a New Certificate Authority (CA):

    • Execute ./easyrsa build-ca nopass to create a new CA. You will be prompted to enter a Common Name for the CA.

  • Generate the Server Certificate:

    • Use ./easyrsa build-server-full server nopass to generate a server certificate and key. Here 'server' is the certificate's common name; replace it with one of your choosing.

  • Generate the Client Certificate:

    • Create a client certificate with ./easyrsa build-client-full client1 nopass. Replace 'client1' with your desired common name.


Uploading Certificates to AWS

Certificate Components

  • Certificate Body: This is the certificate itself. With EasyRSA (as used in this guide), this is ca.crt for the CA certificate, server.crt for the server certificate, and client1.crt for the client certificate.

  • Certificate Private Key: This is the private key associated with the certificate. For the CA certificate, this is ca.key. For the server certificate, it’s server.key, and for the client certificate, it’s client1.key.

  • Certificate Chain: This is the chain of certificates that links the certificate back to a trusted root. With a self-signed setup like EasyRSA there is no separate chain file: the CA certificate, ca.crt, is the chain, because it is the certificate that signed server.crt. If you use a certificate signed by a well-known Certificate Authority (CA), that CA supplies the chain.

Uploading Steps

  • Open the AWS Management Console and navigate to ACM (AWS Certificate Manager).

  • Select “Import a certificate”.

  • In the import dialog:

    • For the Certificate body, copy and paste the contents of your .crt file (like ca.crt, server.crt, or client1.crt).

    • For the Certificate private key, copy and paste the contents of your .key file (like ca.key, server.key, or client1.key).

    • For the Certificate chain, copy and paste the contents of your CA certificate (ca.crt), or the chain provided by a third-party CA.

Remember, the handling and storage of these certificates and keys are critical for the security of your VPN. Ensure they are securely managed and access to them is restricted to authorized personnel only.
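
The same file-to-field mapping done with the AWS SDK rather than the console. The script below is an added example, not code from the original guide or from AWS. It checks that each EasyRSA file holds the kind of PEM object the ACM field expects (so server.key and server.crt cannot be swapped silently), then passes them to the real boto3 call acm.import_certificate, whose CertificateArn result is the value selected as the server certificate in Step 4. The ACM client is a parameter so the script can be exercised with the stand-in client included here without an AWS account; the PEM bodies are constructed placeholders, not real certificates or keys. (If the client certificate is issued by the same CA as the server certificate, the server certificate's ARN is also used on the client side of mutual authentication, so the client certificate does not need its own import.)

```python
# Added example, not part of the original guide: import the EasyRSA server
# certificate into ACM with the same file-to-field mapping as the console
# dialog, after checking that each file holds the kind of PEM object the
# field expects.
import re

# One PEM object: "-----BEGIN <label>-----" ... "-----END <label>-----".
_PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n(?:.*\r?\n)*?-----END \1-----")


def pem_label(data):
    """Return the label of the first PEM block in data ('CERTIFICATE',
    'PRIVATE KEY', 'RSA PRIVATE KEY', ...) or raise if there is none."""
    m = _PEM_BLOCK.search(data)
    if m is None:
        raise ValueError("not a PEM-encoded file")
    return m.group(1).decode("ascii")


def check_import_files(cert, key, chain):
    """Map the three EasyRSA files to the ACM import fields and report any
    mismatch: Certificate body = server.crt, Certificate private key =
    server.key, Certificate chain = ca.crt (the CA that signed server.crt).
    Returns a list of problems; empty means the fields line up."""
    fields = [
        ("Certificate body", cert, "CERTIFICATE"),
        ("Certificate private key", key, "PRIVATE KEY"),
        ("Certificate chain", chain, "CERTIFICATE"),
    ]
    problems = []
    for field, data, want in fields:
        try:
            label = pem_label(data)
        except ValueError:
            problems.append(f"{field}: not a PEM file")
            continue
        # endswith() also accepts "RSA PRIVATE KEY" from older EasyRSA releases.
        if not label.endswith(want):
            problems.append(f"{field}: expected {want}, got {label}")
    return problems


def import_server_certificate(acm_client, cert, key, chain):
    """Call ACM ImportCertificate (boto3's acm.import_certificate, a real API)
    and return the CertificateArn to select as the server certificate in
    Step 4. acm_client is boto3.client("acm") in real use."""
    problems = check_import_files(cert, key, chain)
    if problems:
        raise ValueError("; ".join(problems))
    response = acm_client.import_certificate(
        Certificate=cert, PrivateKey=key, CertificateChain=chain)
    return response["CertificateArn"]


class RecordingAcm:
    """Stand-in for the boto3 ACM client so the call can be exercised offline."""

    def __init__(self):
        self.calls = []

    def import_certificate(self, **kwargs):
        self.calls.append(kwargs)
        # Placeholder ARN; a real call returns the ARN ACM assigned.
        return {"CertificateArn": "arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER-ID"}


# Constructed placeholder PEM bodies, not real certificates or keys.
SAMPLE_SERVER_CRT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgU0VSVkVSIENFUlQ=\n-----END CERTIFICATE-----\n"
SAMPLE_SERVER_KEY = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQgU0VSVkVSIEtFWQ==\n-----END PRIVATE KEY-----\n"
SAMPLE_CA_CRT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgQ0EgQ0VSVA==\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Real use: import boto3; acm = boto3.client("acm"), and read the files
    # EasyRSA produced: pki/issued/server.crt, pki/private/server.key, pki/ca.crt.
    acm = RecordingAcm()
    print(import_server_certificate(acm, SAMPLE_SERVER_CRT, SAMPLE_SERVER_KEY, SAMPLE_CA_CRT))
```

The check is deliberately done on the file contents rather than the file names: a wrong paste into the console dialog fails only at import time, and a key pasted into the certificate body field has already left the machine by then.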


Step 4: Create a Client VPN Endpoint

Creating a Client VPN Endpoint in AWS involves several crucial configurations, including setting a name tag, description, specifying client IPv4 CIDR, selecting the server certificate, and more. Here's how to do it:

Configuring the VPN Endpoint:

  • Access the AWS Management Console:

    • Log in to your AWS account and navigate to the VPC (Virtual Private Cloud) section.
  • Navigate to Client VPN Endpoints:

    • Inside the VPC dashboard, find and click on the 'Client VPN Endpoints' section.
  • Initiate the Creation Process:

    • Click on the 'Create Client VPN Endpoint' button to start configuring your VPN endpoint.
  • Basic Details:

    • Name tag: Assign a meaningful name tag to your VPN endpoint for easy identification.

    • Description: Provide a brief description of the VPN endpoint's purpose.

  • Client IPv4 CIDR:

    • Specify the client IPv4 CIDR block. Ensure that it is not larger than /12 and not smaller than /22 to comply with AWS standards.
  • Authentication Information:

    • Server certificate ARN: Select the appropriate server certificate ARN that you uploaded earlier in the AWS Certificate Manager (ACM).

    • Authentication Options: Choose 'Mutual authentication' as your authentication method.

  • Transport Protocol:

    • Select 'TCP' as your transport protocol. This is a common choice for VPNs due to its reliability.
  • Enable Split Tunneling:

    • Choose 'Yes' to enable split tunneling. With split tunneling, only traffic for the routes on the endpoint's route table (your VPC) goes through the VPN; traffic bound for the internet leaves the client directly, which saves bandwidth on the endpoint and keeps the client's internet access fast.
  • Select the VPC:

    • Choose the VPC that you created earlier from the dropdown list.
  • Tagging:

    • Tags are essential for resource management, especially in larger setups. Assign relevant tags to your VPN endpoint for better organization and management.
  • Review and Create:

    • Once all details are filled in and reviewed, click 'Create Client VPN Endpoint'.
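
Before clicking 'Create', it is worth checking the addressing plan from Steps 1, 2 and 4 together: the client CIDR must be between /12 and /22 and must not overlap the VPC CIDR (AWS rejects an overlapping range, and the client CIDR cannot be changed once the endpoint exists), and the two test subnets must sit inside the VPC in different Availability Zones. The following Python script is an added example, not code from the original guide or from AWS; the VPC, subnet and Availability Zone values in it are constructed sample values.

```python
# Added example, not part of the original guide: validate the VPC, subnet and
# Client VPN addressing plan offline before creating anything in the console.
import ipaddress

# AWS accepts a client IPv4 CIDR no larger than /12 and no smaller than /22.
LARGEST_CLIENT_PREFIX = 12
SMALLEST_CLIENT_PREFIX = 22


def validate_subnets(vpc_cidr, subnets):
    """Check the test subnets (name -> (cidr, availability_zone)).

    Each subnet must lie inside the VPC, subnets must not overlap each other,
    and for the redundancy Step 2 asks for they must span at least two AZs.
    Returns a list of problems; an empty list means the plan is consistent.
    ip_network() is strict, so a CIDR with host bits set (10.0.1.5/24) raises
    ValueError, which is what the console would reject as well.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    seen = {}
    for name, (cidr, az) in subnets.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            problems.append(f"{name} ({cidr}) is not inside VPC {vpc_cidr}")
        for other_name, other in seen.items():
            if net.overlaps(other):
                problems.append(f"{name} ({cidr}) overlaps {other_name}")
        seen[name] = net
    zones = {az for _, az in subnets.values()}
    if len(zones) < 2:
        problems.append("subnets must span at least two Availability Zones")
    return problems


def validate_client_cidr(client_cidr, vpc_cidr):
    """Check the Client VPN address pool against the constraints used in
    Step 4: prefix length between /12 and /22, and no overlap with the VPC
    it will be associated with. Returns a list of problems."""
    client = ipaddress.ip_network(client_cidr)
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    if not LARGEST_CLIENT_PREFIX <= client.prefixlen <= SMALLEST_CLIENT_PREFIX:
        problems.append(
            f"client CIDR {client_cidr} must be between "
            f"/{LARGEST_CLIENT_PREFIX} and /{SMALLEST_CLIENT_PREFIX}")
    if client.overlaps(vpc):
        problems.append(f"client CIDR {client_cidr} overlaps VPC {vpc_cidr}")
    return problems


def validate_plan(vpc_cidr, subnets, client_cidr):
    """Run both checks and return every problem found."""
    return validate_subnets(vpc_cidr, subnets) + validate_client_cidr(client_cidr, vpc_cidr)


if __name__ == "__main__":
    # Constructed sample values, not real resources.
    plan = {
        "vpc_cidr": "10.0.0.0/16",
        "subnets": {
            "Test Subnet 01": ("10.0.1.0/24", "us-east-1a"),
            "Test Subnet 02": ("10.0.2.0/24", "us-east-1b"),
        },
        "client_cidr": "172.16.0.0/22",
    }
    for line in validate_plan(**plan) or ["addressing plan looks consistent"]:
        print(line)
```

A pool that overlaps the user's home or office LAN causes the same kind of routing confusion on the client side, so when you pick the client CIDR, also steer clear of ranges commonly used by consumer routers.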

Step 5: Attach Test Subnet 01 as the Target Network

After creating the Client VPN endpoint, the next step is to attach a subnet to it. This allows the VPN to communicate with the resources within that subnet.

Detailed Steps for Attaching a Subnet:

  • Navigate to Client VPN Endpoints: In the AWS Management Console, go back to the 'Client VPN Endpoints' section within the VPC dashboard.

  • Select Your VPN Endpoint: Identify and select the VPN endpoint you have just created.

  • Go to Association Tab: Find and click on the 'Association' tab.

  • Start the Association Process: Click on 'Associate' to begin attaching a subnet.

  • Select Subnet: Choose 'Test Subnet 01' from the list of available subnets.

  • Confirm Association: Review your selection and confirm the association.

  • Monitor Association Status: After confirming, monitor the status to ensure the subnet is successfully associated with your VPN endpoint.

By completing these steps, your VPN endpoint will be linked to 'Test Subnet 01', allowing for communication between the VPN and resources within this subnet.


Step 6: Create an Authorization Rule

Authorization rules are crucial for controlling access to your VPN. They define who can access your VPN and which resources they can reach.

Detailed Steps for Creating an Authorization Rule:

  • Access VPN Endpoint Settings: In the AWS Management Console, go to your Client VPN endpoint settings.

  • Navigate to Authorization Rules: Click on the 'Authorization' tab.

  • Initiate Rule Creation: Select 'Add Authorization Rule'.

  • Specify Access Details:

    • Destination CIDR: Enter the CIDR block for the network that users will access through the VPN. This could be the CIDR of your VPC or specific subnets.

    • Grant Access: Specify the group of users or clients that should have access. This could be based on user authentication details.

  • Add Conditions: If needed, add any specific conditions or constraints for access.

  • Review and Add Rule: Double-check the details of your rule, then click 'Add' to implement it.

  • Verify Rule Implementation: Once added, ensure that the rule appears in your authorization rules list and is configured as intended.

By setting up these authorization rules, you control access to your network resources through the VPN, enhancing the security of your network.


Step 7: Download the VPN Configuration File

The VPN configuration file is essential for clients to connect to the VPN. This file contains all the necessary settings required for the VPN client software.

Detailed Steps for Downloading the Configuration File:

  • Access Your VPN Endpoint: In the AWS Management Console, navigate to your Client VPN endpoint.

  • Go to the Configuration Tab: Find and click on the 'Configuration' tab within the VPN endpoint settings.

  • Locate the Configuration File: Look for the option to download the Client Configuration.

  • Download the File: Click on the download link or button. This will download a .ovpn file, which is the configuration file.

  • Store the File Securely: Ensure that this file is stored securely, as it contains sensitive information needed to connect to your VPN.

By following these steps, you will have successfully downloaded the configuration file necessary for clients to establish a VPN connection.


Modifying the .ovpn File with Client Certificate and Key

After downloading the VPN configuration file (.ovpn), you need to insert the client certificate and key into the file. This is necessary for the authentication process when connecting to the VPN.

Detailed Steps for Modifying the .ovpn File:

  1. Open the .ovpn File: Locate the .ovpn file you downloaded in Step 7 and open it with a text editor (like Notepad, TextEdit, or similar).

  2. Insert the Client Certificate:

    • Find the <cert> and </cert> tags in the file. If these tags are not present, you will need to add them.

    • Between these tags, insert the contents of your client certificate file (the certificate generated in Step 3 as client1.crt; the AWS documentation's example names it client1.domain.tld.crt). It should look like this:

        <cert>
        -----BEGIN CERTIFICATE-----
        [Contents of client1.domain.tld.crt]
        -----END CERTIFICATE-----
        </cert>
      
  3. Insert the Client Key:

    • Locate or add the <key> and </key> tags in the file.

    • Between these tags, insert the contents of your client key file (generated in Step 3 as client1.key; the AWS documentation's example names it client1.domain.tld.key). It should be formatted as follows:

        <key>
        -----BEGIN PRIVATE KEY-----
        [Contents of client1.domain.tld.key]
        -----END PRIVATE KEY-----
        </key>
      
  4. Save the Modified File: After inserting the certificate and key, save the changes to the .ovpn file.

  5. Test the Configuration:

    • Import this modified .ovpn file into your AWS VPN Client as described in Step 8.

    • Attempt to connect to the VPN to ensure the setup is working correctly.

The client certificate and key embedded in the .ovpn file are what the endpoint checks under mutual authentication: a client whose certificate was not issued by your CA is refused. Because the modified file now carries the private key, protect it as carefully as the key file itself.
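
Doing the edit above by script rather than by hand avoids the two common mistakes: pasting the EasyRSA text header that precedes the BEGIN line in issued .crt files, and ending up with two <cert> blocks after a second attempt. The following Python script is an added example, not code from the original guide or from AWS. The .ovpn text, the endpoint hostname in it, and the certificate and key bodies are constructed placeholders; in real use the profile is the file downloaded in Step 7 and the certificate and key are pki/issued/client1.crt and pki/private/client1.key from the EasyRSA directory.

```python
# Added example, not part of the original guide: embed the client certificate
# and key into the downloaded .ovpn profile. It strips EasyRSA's text header,
# replaces an existing <cert>/<key> block instead of appending a second one,
# and writes the result with owner-only permissions.
import os
import re

# One PEM object: "-----BEGIN <label>-----" ... "-----END <label>-----".
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(?:.*\n)*?-----END \1-----")

# PEM label each inline tag must carry. EasyRSA 3 writes PKCS#8 keys
# ("PRIVATE KEY"); older releases wrote "RSA PRIVATE KEY", which also ends
# with the expected text and is accepted.
EXPECTED_LABEL = {"cert": "CERTIFICATE", "key": "PRIVATE KEY"}


def extract_pem(text):
    """Return (label, block) for the first PEM object in text. EasyRSA's issued
    .crt files start with a human-readable dump of the certificate; only the
    BEGIN/END block belongs in the profile."""
    m = _PEM_BLOCK.search(text.replace("\r\n", "\n"))
    if m is None:
        raise ValueError("no PEM block found")
    return m.group(1), m.group(0)


def embed_inline(ovpn, tag, file_text):
    """Put the PEM object from file_text inside <tag>...</tag> in the profile."""
    label, block = extract_pem(file_text)
    if not label.endswith(EXPECTED_LABEL[tag]):
        raise ValueError(f"<{tag}> needs a {EXPECTED_LABEL[tag]}, got {label}")
    inline = f"<{tag}>\n{block}\n</{tag}>\n"
    existing = re.compile(rf"<{tag}>.*?</{tag}>\n?", re.S)
    if existing.search(ovpn):
        # Replace in place; a callable avoids backslash processing of the body.
        return existing.sub(lambda _m: inline, ovpn, count=1)
    return ovpn + ("" if ovpn.endswith("\n") else "\n") + inline


def add_client_credentials(ovpn, cert_file_text, key_file_text):
    """Return the profile text to import into the AWS VPN Client (Step 8)."""
    return embed_inline(embed_inline(ovpn, "cert", cert_file_text), "key", key_file_text)


def write_profile(path, text):
    """Save the profile readable by the owner only (mode 0600 on POSIX):
    it now carries the same secret as client1.key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)


# Constructed, abbreviated stand-in for the downloaded profile (placeholder
# endpoint hostname and CA body; the real file contains a full <ca> block).
SAMPLE_OVPN = """client
dev tun
proto tcp
remote cvpn-endpoint-PLACEHOLDER.prod.clientvpn.REGION.amazonaws.com 443
remote-random-hostname
nobind
remote-cert-tls server
verb 3
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0EgQ0VSVA==
-----END CERTIFICATE-----
</ca>
"""

# Constructed client files; the .crt carries the text header EasyRSA adds.
SAMPLE_CLIENT_CRT = """Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=client1
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0xJRU5UIENFUlQ=
-----END CERTIFICATE-----
"""
SAMPLE_CLIENT_KEY = """-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgQ0xJRU5UIEtFWQ==
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Real use: read the Step 7 download and the EasyRSA output files instead
    # of the samples, then write_profile("client1.ovpn", profile).
    profile = add_client_credentials(SAMPLE_OVPN, SAMPLE_CLIENT_CRT, SAMPLE_CLIENT_KEY)
    print(profile)
```

Running the script twice on the same profile leaves it unchanged, so it is safe to re-run after rotating the client certificate.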


Step 8: Install the AWS VPN Client on Desktop

To establish a VPN connection, users need to install the AWS VPN client on their desktop and configure it using the downloaded VPN configuration file.

Detailed Steps for Installing the VPN Client:

  • Download the AWS VPN Client:

    • Visit the AWS website or the specific link provided by AWS for the VPN client download.

    • Select the version compatible with your desktop operating system (Windows, macOS, etc.).

  • Install the AWS VPN Client:

    • Run the downloaded installer file.

    • Follow the on-screen instructions to complete the installation.

  • Import the VPN Configuration File:

    • Open the AWS VPN Client application.

    • Look for an option to import a configuration file or profile.

    • Select and import the .ovpn file you downloaded in Step 7.

  • Test the Connection:

    • Once the configuration file is imported, attempt to connect to the VPN.

    • Verify if the connection is successful and stable.

  • Troubleshooting:

    • If there are issues in connecting, refer to the client logs for errors.

    • Ensure that the configuration file is correct and matches the VPN endpoint settings.

By completing these steps, you will have installed the AWS VPN Client on your desktop and configured it for connecting to your AWS environment. This will allow for secure access to your AWS resources.

Reference:

  1. https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html