AWS Client VPN: Using the iOS OpenVPN Client

In a previous Medium article, I presented the AWS Client VPN as a method of gaining secure access from a client machine into your AWS VPC.

This is a follow up to that article, presenting how to set up the iOS OpenVPN client and connect to your AWS Client VPN. While Apple has moved to iPadOS as the operating system for the iPad, I am going to use the generic term iOS to refer to both iOS and iPadOS.

Apple provides a built-in VPN client as part of the iOS operating system, which is accessed from the General menu in the Settings app.

Image of the General section in the Settings app

The native VPN client only supports the IKEv2, IPsec, and L2TP protocols, and in most situations one of those is enough. AWS Client VPN, however, supports none of them: it is an OpenVPN-based service and speaks only the OpenVPN protocol. The mismatch between what AWS Client VPN offers and what the built-in iOS client understands is what makes this challenging.

There is a solution.

OpenVPN Technologies provides the OpenVPN Connect client for iOS. The client is available from the Apple App Store.

The OpenVPN client in the App Store

The client requires an OpenVPN configuration file (profile) that provides the specifics for the connection together with the certificates and private key used for authentication. OpenVPN uses TLS to authenticate both ends of the tunnel and to negotiate the keys that protect the traffic inside it.

There are only two options for getting the profile into the application:

  • by URL, assuming the VPN provider offers this service;
  • file import, with the file being delivered via Mail, or through iTunes sync.

Whichever route is used, keep in mind that the profile contains the client's private key, so anyone who obtains the file can connect as that client. If the profile is published at a URL, care must be taken to ensure only the person authorized to retrieve that profile is able to reach it. Mail is considered a less secure delivery mechanism, since the file transits and is retained by mail servers outside your control.

If your VPN provider gives you a link to the profile, you can import from URL. In OpenVPN Connect this path requires a user name and password as part of the import process, so it is not an option when authentication is done with client-side certificates alone, as it is here.

If the profile is sent via email, it is just a matter of tapping the attachment and opening it with the OpenVPN client.

Importing the Profile from the Mail app

Here is a sample OpenVPN profile (with some comments).

client
dev tun
proto udp
# Endpoint DNS name and port; AWS Client VPN listens on 443 in the example below
remote HOSTNAME PORT
# Prepend a random label to the hostname on every connection to defeat DNS caching
remote-random-hostname
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a server certificate that carries the server extended key usage,
# so a client certificate issued by the same CA cannot impersonate the server
remote-cert-tls server
cipher AES-256-GCM
verb 3
# Client private key, client certificate and CA certificate embedded inline
<key>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC87I/O2BQEML54
...
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
MIIDVjCCAj6gAwIBAgIRAIW1QznUifplm5fpNu1EmHIwDQYJKoZIhvcNAQELBQAw
...
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
MIIDLzCCAhegAwIBAgIJAPVmruGkmjOsMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
...
-----END CERTIFICATE-----
</ca>

# Disable time-based TLS renegotiation
reneg-sec 0

When I discussed using the OpenVPN configuration file in my previous article, I explained you could insert the key and certificate file names.

That approach does not work well on iOS because of application sandboxing: the OpenVPN Connect app cannot read key and certificate files from arbitrary paths on the device. In this example, I put the certificates and key directly in the profile between the <key></key>, <cert></cert> and <ca></ca> tags. This is a little more tedious to set up but is the form that works reliably.

The HOSTNAME and PORT keywords need to be replaced with your specific OpenVPN or SSL VPN server and port number. With the AWS Client VPN, these would look like

remote *.cvpn-endpoint-02.clientvpn.us-east-1.amazonaws.com 443

The * in the hostname stands for a random string that the client prepends to the endpoint's DNS name when it connects; the downloaded configuration file itself carries the bare endpoint name. This randomization only happens if the remote-random-hostname parameter is included in the configuration file, and its purpose is to defeat DNS caching so each connection gets a fresh lookup against the endpoint.
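Before handing a profile to a phone it is worth checking the things discussed above: that the private key really is inside the file (and so the file itself is a credential), that the key, certificate and CA are inline rather than file paths the sandboxed app cannot open, that remote-cert-tls server is set, and what remote-random-hostname actually does to the remote line. The following is an added example written for this article, not code from the article, OpenVPN or AWS. It parses the inline block format OpenVPN Connect expects and reports findings; the sample profile and its PEM payloads are constructed placeholders, and the random-prefix behaviour follows the OpenVPN manual's description of remote-random-hostname (a 12-hex-character label is prepended).

```python
"""Inspect an OpenVPN profile before sending it to a mobile client.

Added example for this article; it is not code from the article, OpenVPN or AWS.
The PEM bodies in SAMPLE_PROFILE are constructed placeholders, not real keys.
"""
import re
import secrets

# Constructed sample profile (placeholder PEM payloads, hostname as in the article).
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote cvpn-endpoint-02.clientvpn.us-east-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDERPRIVATEKEYMATERIALNOTREAL
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCLIENTCERTIFICATENOTREAL
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCACERTIFICATENOTREAL
-----END CERTIFICATE-----
</ca>

reneg-sec 0
"""

INLINE_OPEN = re.compile(r"^<([a-z-]+)>$")


def parse_profile(text):
    """Split an .ovpn into ([(directive, [args]), ...], {tag: pem_text})."""
    directives, inline = [], {}
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#;":          # OpenVPN comment syntax
            continue
        m = INLINE_OPEN.match(line)
        if m:                                     # <key> ... </key> style block
            tag, body = m.group(1), []
            for inner in lines:
                if inner.strip() == f"</{tag}>":
                    break
                body.append(inner)
            else:
                raise ValueError(f"unterminated <{tag}> block")
            inline[tag] = "\n".join(body) + "\n"
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives, inline


def audit_profile(text):
    """Return finding codes to act on before the profile leaves your hands.
    For a well-formed mutual-TLS profile the only finding is the key warning."""
    directives, inline = parse_profile(text)
    args_by_name = {}
    for name, args in directives:
        args_by_name.setdefault(name, []).append(args)
    findings = []
    # The private key travels inside the file: whoever holds the file is the client.
    if "key" in inline:
        findings.append("EMBEDDED_PRIVATE_KEY")
    # The sandboxed iOS app cannot open ca.crt / client.crt / client.key by path.
    for tag in ("ca", "cert", "key"):
        if tag in args_by_name and tag not in inline:
            findings.append(f"FILE_PATH_REFERENCE_{tag}")
        elif tag not in inline:
            findings.append(f"MISSING_INLINE_{tag}")
    # Without this, any certificate signed by the CA (another client's, say)
    # would be accepted as the server.
    if ["server"] not in args_by_name.get("remote-cert-tls", []):
        findings.append("NO_REMOTE_CERT_TLS_SERVER")
    if "remote" not in args_by_name:
        findings.append("NO_REMOTE")
    if "remote-random-hostname" not in args_by_name:
        findings.append("NO_REMOTE_RANDOM_HOSTNAME")
    return findings


def randomize_hostname(host):
    """Client-side effect of remote-random-hostname: prepend a random
    12-hex-character label so the lookup is never answered from a stale cache."""
    return f"{secrets.token_hex(6)}.{host}"


def effective_remote(text):
    """The name the client will actually resolve for the first `remote` line."""
    directives, _ = parse_profile(text)
    host = next(args[0] for name, args in directives if name == "remote")
    randomize = any(name == "remote-random-hostname" for name, _ in directives)
    return randomize_hostname(host) if randomize else host


if __name__ == "__main__":
    for code in audit_profile(SAMPLE_PROFILE):
        print("finding:", code)
    print("will resolve:", effective_remote(SAMPLE_PROFILE))
```

Run it against the .ovpn you downloaded from the Client VPN console (after adding your <cert> and <key> blocks) and it should report only EMBEDDED_PRIVATE_KEY; any FILE_PATH_REFERENCE finding means the profile will import but fail to connect on iOS, and NO_REMOTE_CERT_TLS_SERVER means a peer holding any certificate from the same CA could stand in for the endpoint.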

Once the OpenVPN Client is installed and the profile imported, open the OpenVPN application, and initiate the connection.

Start the OpenVPN application and turn on the selected VPN connection by tapping the switch next to the desired connection.

Activating and Monitoring the VPN Connection

Once connected, use whatever application you need to interact with the remote resource over the VPN. While connected, the OpenVPN client displays information about the traffic sent and received, including numerical statistics and a traffic graph.

Now that we have a VPN connection, let’s connect to an EC2 in the remote network using the iOS app Terminus to ssh to the EC2 instance.

Using Terminus to connect to our EC2

Worth noting is that this example connects to the client VPN in one region and accesses the EC2 instance in a different region using VPC peering. This negates the need for a client VPN in every region. However, if the VPC you are trying to access is not associated with the Client VPN or in a peering arrangement, an additional Client VPN will be needed.

Many people in support roles may need to access their AWS infrastructure from anywhere at any time. This often means carrying a laptop with them to perform work. However, using the AWS Client VPN and the OpenVPN Client for iOS, it is possible to use an iPad or iPhone to get access to the AWS VPC network.

Let’s not ignore the fact that there are security ramifications to allowing this: a phone with a working profile holds a private key that grants network access to the VPC. Organizations may choose to restrict this access, if implemented, to only key individuals, only from company-owned devices, and so on. Smaller organizations, or even individuals, who use the VPN to reach their resources instead of allowing inbound ssh from the internet will find this very useful, and it reduces the attack surface of their infrastructure.

Despite the potential usefulness of the OpenVPN client on iOS, the practicality of doing any real work on an iPhone due to the screen size is dubious.

OpenVPN Connection iOS Client

AWS Client VPN

Remote Access to AWS with the Client VPN

OpenVPN Technologies

Chris is a highly-skilled Information Technology, AWS Cloud, Training and Security Professional bringing cloud, security, training, and process engineering leadership to simplify and deliver high-quality products. He is the co-author of seven books and author of more than 70 articles and book chapters in technical, management, and information security publications. His extensive technology, information security, and training experience make him a key resource who can help companies through technical challenges.

This article is Copyright © 2020, Chris Hare.
