Remote Access to AWS with the Client VPN

Many organizations reach their AWS resources over Direct Connect or a site-to-site VPN. This works well if you have an on-premises network from which your employees need access to AWS services and resources without going out over the Internet.

Image from Wikipedia

What if all your employees are remote and you effectively have no corporate network?

In this situation, Direct Connect makes no sense, as there is no corporate network to connect; the same is true for a site-to-site VPN. Your DevOps teams may have access to the console, or to services through the AWS Command Line Interface (CLI) and software development kit (SDK), but that is API access, not network access.

The applications your employees use and the services you provide your customers may all be Internet-facing. Sooner or later, though, you will need a shell on an EC2 instance, or network access to some other resource that is not publicly reachable, to resolve an issue. This is where AWS Client VPN comes to the rescue.

Before you jump into the console and try creating your Client VPN, there are some things you need to know and have available first:

  1. A server-side certificate;
  2. A client-side certificate, if you are going to use mutual authentication;
  3. Information about your Active Directory, if you want to use username/password authentication;
  4. A Virtual Private Cloud (VPC) with at least one subnet;
  5. A VPN client application; and,
  6. Details of the networking configuration in your VPC.

We will walk through all the prerequisites as we embark on configuring the Client VPN. I should point out I will be discussing the use of mutual authentication in this article, and not Active Directory authentication.

AWS Client VPN allows a VPN connection from a device running VPN client software to a Client VPN endpoint associated with your VPC. AWS Client VPN is built on OpenVPN, so the native VPN clients in Microsoft Windows and Apple macOS will not get you connected.

For example, on Apple macOS Mojave the supported VPN types are IKEv2, Layer 2 Tunneling Protocol (L2TP) over IPsec, and Cisco IPsec. None of these work with AWS Client VPN. We will come back to the client software later in the article.

The VPN client on the device connects to the AWS Client VPN endpoint, authenticates, and establishes an encrypted tunnel over the Internet into the VPC. Users can then work on resources in the VPC that are not publicly exposed, and those systems need no public IP address or Internet-facing security group rule that would open them to attack.

Before we get started with configuring the Client VPN endpoint, we need certificates. OpenVPN uses Transport Layer Security (TLS) as its encryption protocol and uses a server-side, and optionally a client-side, certificate as part of the authentication process.

Before you are tempted to jump into AWS Certificate Manager (ACM) to request your certificates, let me save you some frustration: that won't work. A certificate issued by ACM cannot be exported with its private key, so it can never be installed in an OpenVPN client. Even the AWS Client VPN documentation points you at the Easy-RSA application to create your certificates, which you then import into ACM.

I went down the path of using ACM, and I can tell you from personal experience, don’t do it that way — especially if you are going to use mutual authentication.

While some of the steps I am going to discuss here are in the AWS Client VPN documentation, there are a few “gotchas” I will be pointing out, especially as they relate to the OpenVPN client configuration.

First, we need to get the Easy-RSA application, which can be copied to your local computer using the command:

Once you have the application on your machine, navigate to the easyrsa3 directory:

We then have to initialize a new PKI environment:

Now, build a new certification authority (CA):

You will need to follow the prompts to complete the CA setup. Note that the ca.crt file created in this step is needed later, when the server and client certificates are imported into ACM: it is uploaded as the certificate chain ACM uses to validate them. The matching private key, pki/private/ca.key, can sign new client certificates the endpoint will trust, so protect it and keep it offline once your certificates are issued.

NOTE: Initializing the PKI environment, and creating the Certification Authority only needs to be done once.

We now generate the server-side certificate and key:

The server.crt and server.key files generated by this command are the certificate and private key used on the Client VPN endpoint.

We now generate the client-side certificate and key:

In this command, replace client1.domain.tld with whatever is appropriate for your organization. The Client VPN documentation suggests creating a client certificate for every user, which makes it easy to revoke one user's access when they leave the organization. One possible naming convention is

if your organization’s domain name is ‘example.com’. This also makes it clear in ACM which user the certificate belongs to. Repeat the client-side certificate step for as many clients as you need.

A little shell scripting and this process is a lot easier!

The last step before uploading the certificates to ACM is to put everything in a convenient place as the files we just created are scattered in the easyrsa3 directory structure.

With everything in a convenient place, we can upload the certificates to ACM.

First, let’s look at uploading the certificates using the AWS Command Line Interface. For the server certificates, execute:

Replace the region with the region where the certificate is to be loaded. ACM certificates are regional, so if the endpoint will exist in multiple regions, execute this command once for each region.

Next, we upload the client certificate:

Remember to replace client1.domain.tld in the command with your actual file name, and select the appropriate region. Repeat this command for each of the certificates you created.
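The certificate steps above (initializing the PKI, building the CA, issuing the server and client certificates, collecting the files in one place) and the CLI upload, as one shell script. This is an added example, not the author's own commands: it assumes Easy-RSA was cloned into ./easy-rsa, uses ./vpn-certs as the collection directory, defaults the region to us-east-1, and the client names passed to it are placeholders. Setting DRY_RUN=1 prints the commands it would run instead of running them.

```shell
#!/bin/sh
# client-vpn-certs.sh (added example): Easy-RSA CA, server and per-user client
# certificates, gathered into one directory and imported into ACM.
# Assumptions: easy-rsa is cloned at ./easy-rsa (EASYRSA_DIR overrides this),
# the aws CLI is configured, and AWS_REGION names the endpoint's region.
set -eu

EASYRSA_DIR="${EASYRSA_DIR:-./easy-rsa/easyrsa3}"
PKI_DIR="$EASYRSA_DIR/pki"
BUNDLE_DIR="${BUNDLE_DIR:-./vpn-certs}"   # the "convenient place" for all files
REGION="${AWS_REGION:-us-east-1}"         # assumption: replace with your region
export EASYRSA="$EASYRSA_DIR" EASYRSA_PKI="$PKI_DIR"   # tell easyrsa where its tree lives

# run: execute a command, or just print it when DRY_RUN=1 so the exact
# easyrsa/aws invocations can be reviewed before touching a real PKI or account.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# init_ca: done once. --batch skips the interactive prompts; nopass leaves the
# CA key unencrypted, so move pki/private/ca.key offline once issuing is done:
# anyone holding it can mint a client certificate the endpoint will trust.
init_ca() {
    run "$EASYRSA_DIR/easyrsa" init-pki
    run "$EASYRSA_DIR/easyrsa" --batch build-ca nopass
}

# make_server_cert: produces pki/issued/server.crt and pki/private/server.key.
make_server_cert() {
    run "$EASYRSA_DIR/easyrsa" --batch build-server-full server nopass
}

# make_client_cert NAME: one certificate per user, so a single user can be
# revoked without touching anyone else.
make_client_cert() {
    run "$EASYRSA_DIR/easyrsa" --batch build-client-full "$1" nopass
}

# bundle NAME...: copy ca.crt plus the server and client cert/key pairs into
# BUNDLE_DIR so the ACM import (and the client packages) have one source.
bundle() {
    run mkdir -p "$BUNDLE_DIR"
    run cp "$PKI_DIR/ca.crt" "$BUNDLE_DIR/"
    for n in server "$@"; do
        run cp "$PKI_DIR/issued/$n.crt" "$BUNDLE_DIR/"
        run cp "$PKI_DIR/private/$n.key" "$BUNDLE_DIR/"
    done
}

# import_cert NAME: import NAME.crt/NAME.key into ACM with ca.crt as the chain.
# fileb:// makes the CLI read the PEM files as raw bytes.
import_cert() {
    run aws acm import-certificate \
        --certificate "fileb://$BUNDLE_DIR/$1.crt" \
        --private-key "fileb://$BUNDLE_DIR/$1.key" \
        --certificate-chain "fileb://$BUNDLE_DIR/ca.crt" \
        --region "$REGION"
}

# main CLIENT...: the full pipeline for the server plus every named client.
main() {
    [ $# -gt 0 ] || { echo "usage: $0 client1.example.com [client2.example.com ...]" >&2; return 1; }
    init_ca
    make_server_cert
    for c in "$@"; do make_client_cert "$c"; done
    bundle "$@"
    for n in server "$@"; do import_cert "$n"; done
}

# Only run the pipeline when executed under this file name; sourcing the file
# (or saving it under another name) just loads the functions.
case "$0" in *client-vpn-certs.sh) main "$@" ;; esac
```

Run it as ./client-vpn-certs.sh client1.example.com client2.example.com after the git clone. Because each step goes through run, a DRY_RUN=1 pass shows exactly which files will be fed to ACM, which is the easiest way to catch a wrong region or path before the import succeeds in the wrong place.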

Alternatively, the certificates can be imported through the console. This is more tedious if you have many certificates, and either way the user doing the import needs the appropriate ACM permissions. The console steps are:

  1. Navigate to the AWS Certificate Manager (ACM) in the console.
  2. Click on the “Import Certificate” button. You will need to open each of the PEM files (the certificate, its private key, and ca.crt as the certificate chain) and copy the contents into the corresponding fields.
  3. Click the “Review and Import” button and complete the workflow to import the certificate.
  4. Repeat this for each of the certificates to be loaded into ACM.

You will need to upload the server certificate for the Client VPN endpoint and a client certificate for the users authorized to use it. Strictly, the endpoint validates clients against the CA chain of the single client certificate ARN you select when creating it, so uploading every user's certificate to ACM is bookkeeping rather than a requirement, and revoking a user is done by importing a certificate revocation list on the endpoint, not by deleting their certificate from ACM. Doing many imports through the console gets tedious, so I would recommend the CLI; again, a little shell scripting simplifies this process.

The actual definition of the client VPN endpoint can be accomplished in both the AWS console and using CloudFormation.

After logging into the AWS Management Console, navigate to the “VPC Dashboard”, and make sure to select the region where the client VPN endpoint is to be created.

Scroll down the page to find the “Virtual Private Network (VPN)” section in the left navigation bar, and click on the “Client VPN Endpoints” item in the list.

Click on the “Create Client VPN Endpoint” button. This displays the form to create the client VPN endpoint definition.

We will examine each of these fields.

The “Name” field is the name you are going to assign to the endpoint. “Description” allows you to provide information about the endpoint. “Client IPv4 CIDR” is the address pool from which connecting clients are assigned their tunnel addresses.

The Client IPv4 CIDR must not overlap the CIDR of the VPC the endpoint will be associated with (or any route you later add to the endpoint), and AWS requires a block size between /22 and /12. An overlapping pool would give clients addresses that collide with the very hosts they are trying to reach.

The Server Certificate ARN field is where we will select the server-side certificate we created previously. This is a drop-down list. If the certificate is not in the list, verify in ACM you uploaded the certificate to the same region you are creating the VPN endpoint in.

Authentication of the client side can be either Active Directory or mutual authentication. If Active Directory is chosen, the Directory ID must be selected from the drop-down list that appears after choosing this option. Mutual authentication requires a client certificate ARN, whose CA chain the endpoint uses to validate every connecting user. Each user then presents their own certificate when the VPN client software connects.

If you want to log the details of client connections (who connected, from where, and when, which is what you will want when auditing access), choose Yes, and select the CloudWatch log group and, optionally, a log stream from the drop-down lists. The log group is required; the log stream is not.

You must create the Log Group before getting to this point, as there is no option to create a new log group.

The final section is any other optional parameters.

You can provide DNS server information; no DNS servers are pushed to the client by default, so without this setting clients keep using their own resolver and names in Route 53 private hosted zones will not resolve. The transport protocol should be “udp”, the OpenVPN default, which performs better for tunnelled traffic than “tcp”; choose “tcp” only where UDP is blocked on the client's network.

The final option, split tunneling, if enabled sends Internet traffic out the client's local Internet connection and only sends traffic destined for the AWS network through the VPN. If it is not enabled, all client traffic is sent through the VPN endpoint, which then needs a route and an authorization rule for 0.0.0.0/0 (and a NAT gateway or Internet gateway in the associated subnet's route table) before clients can reach the Internet at all.

At this point, click “Create” to instantiate the client VPN endpoint.

There are two remaining steps to complete: associating the VPN endpoint with a subnet and authorizing ingress.

First, we need to associate the VPN endpoint with one or more subnets. Access the “Associations” tab on the VPN endpoint, and select the VPC and subnet to associate. You can have one subnet per availability zone.

The second step is authorizing ingress. Click on the “Authorizations” tab from the VPN endpoint page. This typically only needs to be done once, as the destination network is the CIDR range for the VPC. You can choose to allow everyone access, which is necessary if using mutual authentication, or restrict to specific Active Directory groups if using Active Directory authentication.
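The same endpoint, subnet association and ingress authorization configured from the AWS CLI instead of the console, as an added example that is not part of the original article. It goes a little beyond the console walkthrough by checking the client CIDR against the VPC CIDR before creating anything. All inputs (CIDRs, subnet id, certificate ARNs, log group name, DNS server) are placeholders supplied by the caller; a configured aws CLI is assumed, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# client-vpn-endpoint.sh (added example): the console steps done with the AWS
# CLI: validate the client CIDR, create a mutual-auth endpoint, associate a
# subnet, authorise ingress to the VPC and export the client configuration.
# Assumptions: aws CLI configured for the target region; CIDRs, subnet id,
# certificate ARNs, log group and DNS server are supplied by the caller.
set -eu

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# ip2int A.B.C.D: dotted quad to a 32-bit integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlaps A/x B/y: true when the two blocks share any address. Both are
# masked with the shorter prefix; equal network parts means one contains the other.
cidr_overlaps() {
    a=$(ip2int "${1%/*}"); b=$(ip2int "${2%/*}")
    alen=${1#*/}; blen=${2#*/}
    len=$(( alen < blen ? alen : blen ))
    mask=$(( len == 0 ? 0 : (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# check_client_cidr CLIENT VPC: AWS requires a /22 to /12 block that does not
# overlap the VPC CIDR; an overlapping pool hands clients addresses that
# collide with the hosts they are trying to reach.
check_client_cidr() {
    len=${1#*/}
    if [ "$len" -lt 12 ] || [ "$len" -gt 22 ]; then
        echo "client CIDR $1: block size must be between /12 and /22" >&2; return 1
    fi
    if cidr_overlaps "$1" "$2"; then
        echo "client CIDR $1 overlaps VPC CIDR $2" >&2; return 1
    fi
}

# create_endpoint CLIENT_CIDR VPC_CIDR SERVER_ARN CLIENT_ARN LOG_GROUP DNS_IP:
# prints the new endpoint id. The client certificate ARN supplies the CA chain
# the endpoint uses to validate every user's certificate.
create_endpoint() {
    check_client_cidr "$1" "$2"
    run aws ec2 create-client-vpn-endpoint \
        --client-cidr-block "$1" \
        --server-certificate-arn "$3" \
        --authentication-options "Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=$4}" \
        --connection-log-options "Enabled=true,CloudwatchLogGroup=$5" \
        --transport-protocol udp \
        --split-tunnel \
        --dns-servers "$6" \
        --query ClientVpnEndpointId --output text
}

# attach_and_authorize ENDPOINT_ID SUBNET_ID VPC_CIDR: one association per AZ
# you need; with mutual authentication there are no groups, so authorise all.
attach_and_authorize() {
    run aws ec2 associate-client-vpn-target-network \
        --client-vpn-endpoint-id "$1" --subnet-id "$2"
    run aws ec2 authorize-client-vpn-ingress \
        --client-vpn-endpoint-id "$1" --target-network-cidr "$3" --authorize-all-groups
}

# export_config ENDPOINT_ID FILE: the .ovpn to hand to users. It still needs
# the cert/key directives added before it works with mutual authentication.
export_config() {
    run aws ec2 export-client-vpn-client-configuration \
        --client-vpn-endpoint-id "$1" --output text > "$2"
}

main() {
    [ $# -eq 7 ] || { echo "usage: $0 CLIENT_CIDR VPC_CIDR SUBNET_ID SERVER_ARN CLIENT_ARN LOG_GROUP DNS_IP" >&2; return 1; }
    # The log group must exist before the endpoint references it; tolerate one
    # that already does (a later step fails clearly if this was a permission error).
    run aws logs create-log-group --log-group-name "$6" || true
    ep=$(create_endpoint "$1" "$2" "$4" "$5" "$6" "$7")
    attach_and_authorize "$ep" "$3" "$2"
    export_config "$ep" "$ep.ovpn"
    echo "endpoint $ep created; client configuration written to $ep.ovpn"
}

case "$0" in *client-vpn-endpoint.sh) main "$@" ;; esac
```

The CIDR check is the part worth keeping even if you stay in the console: a client pool inside the VPC CIDR is accepted by neither AWS nor common sense, and a /24 is rejected outright, so validating before the create call saves a round trip and a half-created endpoint.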

I am going to demonstrate setting up the Tunnelblick VPN client, an OpenVPN client for macOS. Windows and Linux users can use the OpenVPN community client with the same configuration file. There are also OpenVPN clients for mobile devices, which will not be discussed in this article.

Before starting to configure the client, you should download the Client Configuration file from the Client VPN configuration page.

The downloaded Client VPN configuration is incomplete and will not work “out of the box”.

Tunnelblick is an OpenVPN client, one of several that AWS recommends for use with the Client VPN service. Once the Client VPN endpoint is configured, the OpenVPN client configuration can be downloaded through the AWS Management Console.

However, the downloaded configuration file is missing the directives needed to complete a mutually authenticated connection, and the certificate and key files have to be packaged with it into a Tunnelblick configuration package.

The package used to configure Tunnelblick consists of the OpenVPN configuration file, the root CA certificate, and the user-specific certificate and key. The server certificate and key are not part of it: they live in ACM and are used by the endpoint, and the server's private key must never be distributed to clients.

When you download the client configuration file, it will look like this:

The configuration file has the VPN endpoint hostname and the CA certificate. However, it does not include the mutual authentication components, specifically the certificate and key the client presents to the server. Therefore, we need to add the following directives:

These entries take the path to the certificate and key files. Since the files will sit beside the configuration file inside the Tunnelblick package, relative file names are sufficient, so the final configuration file looks like this:

The configuration file is now ready to provide a mutually authenticated connection.

Previously, we copied all of the certificates and keys into a single directory. For the Tunnelblick package, make a separate directory per user containing the configuration file, ca.crt, and that user's certificate and key only; never copy the server key or another user's key into it. Once the files are in place, the directory will look like this:

Rename the directory to add a “.tblk” suffix, and it is ready to be used in Tunnelblick.
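Adding the cert and key directives to the downloaded configuration and assembling the per-user .tblk package, as one script. This is an added example, not the author's files: it assumes the certificates are in the collection directory from the Easy-RSA step, names the patched configuration config.ovpn inside the package (a name Tunnelblick accepts), and deliberately includes only ca.crt and the one user's certificate and key.

```shell
#!/bin/sh
# make-tblk.sh (added example): build a per-user Tunnelblick package from the
# .ovpn exported by AWS and that user's certificate and key. Assumptions: the
# certificates live in CERTDIR (the bundle directory from the Easy-RSA step),
# and the config inside the package is named config.ovpn.
set -eu

# patch_ovpn SRC DEST CLIENT: copy the exported config, adding the cert/key
# directives mutual authentication needs. Paths are relative because the files
# sit beside the config inside the .tblk. Existing cert/key lines are dropped
# first, so re-running never leaves two sets of directives.
patch_ovpn() {
    grep -Ev '^(cert|key) ' "$1" > "$2"
    printf 'cert %s.crt\nkey %s.key\n' "$3" "$3" >> "$2"
}

# build_tblk OVPN CERTDIR CLIENT OUTDIR: assemble OUTDIR/CLIENT.tblk holding
# config.ovpn, ca.crt and CLIENT.crt/CLIENT.key only. The server certificate
# and key are deliberately absent: they stay in ACM. Every input is checked
# before anything is written so a half-built package is never left behind.
build_tblk() {
    ovpn=$1; certdir=$2; client=$3; pkg=$4/$3.tblk
    for f in "$ovpn" "$certdir/ca.crt" "$certdir/$client.crt" "$certdir/$client.key"; do
        [ -f "$f" ] || { echo "build_tblk: missing $f" >&2; return 1; }
    done
    rm -rf "$pkg"
    mkdir -p "$pkg"
    patch_ovpn "$ovpn" "$pkg/config.ovpn" "$client"
    cp "$certdir/ca.crt" "$certdir/$client.crt" "$pkg/"
    cp "$certdir/$client.key" "$pkg/"
    chmod 600 "$pkg/$client.key"   # the private key is this user's credential
    echo "$pkg"
}

# main OVPN CERTDIR CLIENT...: one package per user under ./packages.
main() {
    [ $# -ge 3 ] || { echo "usage: $0 downloaded.ovpn CERTDIR CLIENT [CLIENT ...]" >&2; return 1; }
    ovpn=$1; certdir=$2; shift 2
    for c in "$@"; do build_tblk "$ovpn" "$certdir" "$c" ./packages; done
}

case "$0" in *make-tblk.sh) main "$@" ;; esac
```

Run it as ./make-tblk.sh downloaded.ovpn ./vpn-certs client1.example.com client2.example.com and hand each user only their own .tblk directory; a package that fails the existence checks is not created at all, which is what you want when a user's certificate was never issued.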

If you haven’t done it already, download the Tunnelblick client for macOS here.

  1. Install the Tunnelblick software.
  2. Double-click on the Tunnelblick icon to start the application. When it is running, it shows an icon in the menu bar.
  3. Locate the Tunnelblick configuration package (the “.tblk” directory created above).
  4. Drag the package onto the Tunnelblick window. You will be prompted to install it for “only you” or “all users”. Select “only you”, which keeps the private key under your own account.
  5. Click the Connect button to start the VPN. You may receive warnings that your public IP address did not change, or about DNS settings. With split tunneling enabled the first is expected, since only VPC-bound traffic uses the tunnel, and both can be dismissed.
  6. The VPN is now operational. You can interact with it through the menu bar icon.

Pricing for the Client VPN is composed of two parts: the subnet association and the per-client connection charge. As discussed above, the Client VPN endpoint must be associated with at least one subnet. Within the U.S. and E.U. regions there is a $0.10 per hour charge for each association; in the Asia-Pacific regions it is $0.15 per hour. This accrues every hour the association exists, whether or not anyone is connected.

Secondly, there is a charge of $0.05 per hour for each client connection, regardless of region. If 10 clients each connect for 1 hour, the charge is $0.50.

The AWS Client VPN is a great solution for connectivity to the AWS network for companies operating with a large number of remote users, or smaller companies who would rather provide connectivity to their corporate network and services by using this approach than operating their own VPN equipment.

AWS Client VPN Overview

AWS Client VPN Pricing

AWS CLI

OpenVPN

OpenVPN Configuration File Directives

Creating OpenVPN Configuration Files

OpenVPN EasyRSA

OpenVPN client for iOS

TunnelBlick

TunnelBlick Client Downloads

Chris is a highly-skilled Information Technology AWS Cloud, Training and Security Professional bringing cloud, security, training and process engineering leadership to simplify and deliver high-quality products. He is the co-author of more than seven books and author of more than 70 articles and book chapters in technical, management and information security publications. His extensive technology, information security, and training experience makes him a key resource who can help companies through technical challenges.

This article is Copyright © 2019, Chris Hare.
