In a previous Medium article, I presented the AWS Client VPN as a method of gaining secure access from a client machine into your AWS VPC.
This is a follow-up to that article, showing how to set up the iOS OpenVPN client and connect it to your AWS Client VPN. Although Apple has moved the iPad to iPadOS, I will use the generic term iOS to refer to both iOS and iPadOS.
Connecting to AWS from an iOS device
Apple provides a built-in VPN client as part of the iOS operating system, which is accessed from the General menu in the Settings app.
The native VPN client supports only the IKEv2, IPSec, and L2TP VPN protocols. In most situations one of these will do. The AWS Client VPN, however, supports none of them; it speaks only the OpenVPN protocol. This mismatch (no IKEv2, IPSec or L2TP on the AWS side, and no OpenVPN in the built-in iOS client) is what makes connecting challenging.
There is a solution.
The OpenVPN iOS Client
OpenVPN Technologies provides the OpenVPN Connect client for iOS. The client is available from the Apple App Store.
The client requires an OpenVPN configuration file that provides the specifics for the connection and the appropriate authentication certificates. OpenVPN uses TLS for transport layer security.
There are only two options for getting the profile into the application:
- by URL, assuming the VPN provider offers this service;
- file import, with the file being delivered via Mail, or through iTunes sync.
If the profile is being sent through URL, care must be taken to ensure only the person authorized to retrieve that profile is able to get to it. Mail is considered to be a less secure delivery mechanism.
If your VPN provider gives you a link to the profile, you can import it from that URL. This method requires providing a user name and password as part of the import process. Because of this requirement, using client-side certificates for the authentication process isn't an option.
If the profile is sent via email, it is just a matter of touching the profile and opening it with the OpenVPN client.
Contents of the OpenVPN Profile
Here is a sample OpenVPN profile (with some comments). Only the remote line and the inline private key block survive here; the key material itself is omitted.
remote HOSTNAME PORT
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
When I discussed the OpenVPN configuration file in my previous article, I explained that you could reference the key and certificate by file name.
That is not the best approach on iOS because of application sandboxing: the OpenVPN app cannot read files that sit outside its own sandbox, so a profile pointing at separate certificate and key files will fail to load them. In this example, I put the certificates and keys directly in the profile between the
<ca></ca> tags. This is a little more tedious to set up but is far more likely to work.
The HOSTNAME and PORT keywords need to be replaced with your specific OpenVPN or SSL VPN server and port number. With the AWS Client VPN, the remote line would look like
remote *.cvpn-endpoint-02.clientvpn.us-east-1.amazonaws.com 443
The * in the hostname stands for a random string assigned by the VPN server for the connection. This randomization only works if the
remote-random-hostname parameter is included in the configuration file.
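To tie the two points above together (certificates and keys inline rather than as file references, and remote-random-hostname present), here is an added helper script. It is not code from the article, from AWS, or from OpenVPN. It takes the client configuration as downloaded from the AWS console (assumed, as is usual, to carry the CA inline in <ca></ca> and the remote line), adds the user's client certificate and key as inline <cert></cert> and <key></key> blocks, and then checks the result for anything that would break inside the sandboxed iOS app. All hostnames, file names and PEM bodies in it are constructed placeholders.

```python
"""Assemble an iOS-friendly OpenVPN profile for AWS Client VPN.

Added example, not the article's, AWS's or OpenVPN's own code.
Directive names are standard OpenVPN; everything else is a placeholder.
"""
import re

# Constructed sample of the configuration downloaded from the AWS
# console. The endpoint hostname and the CA body are placeholders.
DOWNLOADED_CONFIG = """client
dev tun
proto udp
remote cvpn-endpoint-EXAMPLE.prod.clientvpn.us-east-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-BODY
-----END CERTIFICATE-----
</ca>
"""

# Constructed client certificate and key issued for one user (placeholders).
CLIENT_CERT = ("-----BEGIN CERTIFICATE-----\n"
               "PLACEHOLDER-CLIENT-CERT\n"
               "-----END CERTIFICATE-----\n")
CLIENT_KEY = ("-----BEGIN PRIVATE KEY-----\n"
              "PLACEHOLDER-CLIENT-KEY\n"
              "-----END PRIVATE KEY-----\n")

# Directives that may name a file on disk. On iOS such references fail
# because the OpenVPN app cannot read files outside its sandbox.
FILE_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "tls-crypt", "auth-user-pass")


def inline_block(tag, pem):
    """Wrap a PEM body in OpenVPN's inline <tag></tag> form."""
    return f"<{tag}>\n{pem.strip()}\n</{tag}>\n"


def build_ios_profile(downloaded, cert_pem, key_pem):
    """Return the downloaded config with the client cert and key inlined
    and remote-random-hostname guaranteed to be present exactly once."""
    profile = downloaded if downloaded.endswith("\n") else downloaded + "\n"
    if not re.search(r"^remote-random-hostname\s*$", profile, re.M):
        profile += "remote-random-hostname\n"
    if "<cert>" not in profile:
        profile += inline_block("cert", cert_pem)
    if "<key>" not in profile:
        profile += inline_block("key", key_pem)
    return profile


def file_references(profile):
    """Lines that still point a credential directive at an external file."""
    refs = []
    for line in profile.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in FILE_DIRECTIVES:
            refs.append(line)
    return refs


def missing_inline(profile, required=("ca", "cert", "key")):
    """Inline blocks the iOS profile must carry but does not."""
    return [t for t in required
            if f"<{t}>" not in profile or f"</{t}>" not in profile]


if __name__ == "__main__":
    ios_profile = build_ios_profile(DOWNLOADED_CONFIG, CLIENT_CERT, CLIENT_KEY)
    problems = file_references(ios_profile) + missing_inline(ios_profile)
    print("profile ready for import" if not problems else f"fix first: {problems}")
```

Run the checks against the finished profile before mailing it or publishing it at a URL; a profile that passes both checks contains everything the app needs in one file, which is also why it must be treated as a credential and delivered only to the person it was issued for.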
Using the OpenVPN Client
Once the OpenVPN Client is installed and the profile imported, open the OpenVPN application, and initiate the connection.
Start the OpenVPN application and turn on the selected VPN connection by touching the switch icon next to the desired connection.
Once connected, use whatever application you need to interact with the remote resource over the VPN. While connected, the OpenVPN client displays information about the traffic sent and received, including numerical statistics and a traffic graph.
Now that we have a VPN connection, let's connect to an EC2 instance in the remote network using the iOS app Terminus to SSH to it.
It is worth noting that this example connects to the Client VPN in one region and reaches the EC2 instance in a different region over VPC peering. This removes the need for a Client VPN in every region. However, if the VPC you are trying to reach is neither associated with the Client VPN nor peered with a VPC that is, an additional Client VPN will be needed.
Many people in support roles may need to access their AWS infrastructure from anywhere at any time. This often means carrying a laptop with them to perform work. However, using the AWS Client VPN and the OpenVPN Client for iOS, it is possible to use an iPad or iPhone to get access to the AWS VPC network.
Let's not ignore the fact that there are security ramifications to allowing this. Organizations may choose to restrict this access, if implemented, to key individuals only, to company-owned devices only, and so on. Smaller organizations, or even individuals, who want to use the VPN to simplify access to their resources instead of allowing inbound SSH from the internet will find it very useful, and it reduces the attack surface of their infrastructure.
Despite the potential usefulness of the OpenVPN client on iOS, the practicality of doing any real work on an iPhone due to the screen size is dubious.
About the Author
Chris is a highly-skilled Information Technology, AWS Cloud, Training and Security Professional bringing cloud, security, training, and process engineering leadership to simplify and deliver high-quality products. He is the co-author of seven books and author of more than 70 articles and book chapters in technical, management, and information security publications. His extensive technology, information security, and training experience make him a key resource who can help companies through technical challenges.
This article is Copyright © 2020, Chris Hare.