Voiced by Amazon Polly
AWS Client VPN is a client-based VPN service that enables you to access resources in AWS and our on-premises network securely. With the help of a client VPN, we can access our resources from any location using OpenVPN software.
Pioneers in Cloud Consulting & Migration Services
- Reduced infrastructural costs
- Accelerated application deployment
Create Certificate & VPC
- Log in to your AWS Account and go to the EC2 service
- After that, launch and Linux instance with AWS CLI installed to generate a certificate and perform the below steps:
- Install git if not installed
- Git clone https://github.com/OpenVPN/easy-rsa.git
- cd easy-rsa/easyrsa3
- Initialize PKI environment (to initialize client and server certificate) execute the command “./easyrsa init-pki”
- Create a new Certification Authority (CA)- “./easyrsa build-ca nopass”
- Generate the server certificate and key- “./easyrsa build-server-full server nopass”
3. Now generate the Client certificate and key – “./easyrsa build-client-full client1.domain.tld nopass”
4. Once done with the above steps, copy server and client certificates and keys to one directory
$ mkdir ~/cert
$ cp pki/ca.crt ~/cert/
$ cp pki/issued/server.crt ~/cert/
$ cp pki/private/server.key ~/cert/
$ cp pki/issued/client1.domain.tld.crt ~/cert/
$ cp pki/private/client1.domain.tld.key ~/cert/
$ cd ~/cert
5. Now upload the key and certificates to ACM (before that, perform “AWS configure”)
- aws acm import-certificate –certificate fileb://server.crt –private-key fileb://server.key –certificate-chain fileb://ca.crt –region ap-south-1
- aws acm import-certificate –certificate fileb://client1.domain.tld.crt –private-key fileb://client1.domain.tld.key –certificate-chain fileb://ca.crt –region ap-south-1
6. Now create VPC with the below naming convention and standards
- Create VPC (name=VPC-Mumbai) with CIDR 10.10.0.0/16
- Create private subnet “vpc-Mumbai-subnet-private1” with CIDR 10.10.128.0/20
- Create corresponding route table “vpc-Mumbai-rtb-private1-ap-south-1” with just a local route & associate with subnet “vpc-Mumbai-subnet-private1”
- Create private subnet “vpc-Mumbai-subnet-private1” with CIDR 10.10.144.0/20
- Create corresponding route table “vpc-Mumbai–rtb-private2-ap-south-1” with just a local route & associate with subnet “vpc-Mumbai-subnet-private2”
- Create security group “vpn-client-sg”
- Do not add any inbound rules
- All outbound should be allowed (All traffic – 0.0.0.0/0)
7. Launch application EC2 instance in “vpc-Mumbai-subnet-private1” subnet
- Security group inbound rule should allow “All traffic” from security group “vpn-client-sg” created in step 6
Configure AWS client VPN endpoint
8. Go to VPV service and select “client VPN endpoints” service from the Virtual private network (VPN) section
- Provide the name “client-vpn-endpoint” and the appropriate description
- Client IPv4 CIDR: 10.20.0.0/16 as the client received IP from this pool while he tries to connect with AWS
- Server Certificate ARN: Choose the Server Certificate created earlier
- Authentication Options: Choose “Use Mutual Authentication”
- Client certificate ARN: Choose the Client Certificate created earlier
- Connection Logging: No
- Transport Protocol: TCP
- VPC ID: Choose “VPC-Mumbai” VPC created
- Security Group IDs: Select the “vpn-client-sg” created earlier
- VPN port: 443
9. Create Client VPN Endpoint
Associate Target Subnet & Allow traffic
10. Select the Client VPN endpoint created earlier
11. Go to Associations and associate the target subnet “vpc-Mumbai-subnet-private2”
12. Go to Authorizations and choose Authorize Ingress
- For Destination Networks to enable -> Enter the VPC IP address 10.10.0.0/16
- Grant access to -> Choose ”Allow access to all users”
13. Add Authorization Rule
Download the VPN configuration file and Update the changes
14. Select the Client VPN endpoint and “Download Client Configuration” to your local workstation.
15. Copy the client certificate and client key created in the above Steps to any folder in the local workstation.
16. Open the configuration file in a text editor and add the following lines
- cert /path/of/client.crt
- key /path/of/client.key
17. Also, modify the endpoint dns name by adding a random prefix
- Original: cvpn-endpoint-015f804a15c3db5e2.prod.clientvpn.ap-south-1.amazonaws.com
- Modified: xxxxxx.cvpn-endpoint-015f804a15c3db5e2.prod.clientvpn.ap-south-1.amazonaws.com
Connect OpenVPN and Testing
18. Pre-requisite: You should download and install the OpenVPN client https://openvpn.net/community-downloads/
19. Import configuration file.
20. Connect the OpenVPN
21. Now open cmd and ping the private IP of the instance created at step 7 above
If you can ping, you successfully created a client VPN between AWS and on-premises. There are many scenarios in which we have to work on the AWS cloud doing some execution and experiments or set up some Application Server. AWS client VPN provides Secure connectivity so that every individual connects remotely with a secure OpenVPN connection and performs his job. Thanks for reading this blog Setup guide for AWS Client VPN with On-premises machines.
Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.
- Cloud Training
- Customized Training
- Experiential Learning
CloudThat is also the official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft gold partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.
Drop a query if you have any questions regarding Client VPN Endpoint and I will get back to you quickly.
To get started, go through our Consultancy page and Managed Services Package that is CloudThat’s offerings.
1. What do you mean by Client VPN endpoint?
ANS: – The Client VPN endpoint is configured to use the service VPN service on AWS. The VPN sessions of the other side users establish at the Client VPN endpoint. As part of creating the Client VPN endpoint, you specify the authentication details, server/client certificate details, client IP address pool, logging options, and VPN port.
2. What do you mean by target network?
ANS: – The Target network you attach to the Client VPN endpoint provides secure access to your AWS services and on-premises.
3. What factors will affect the throughput of my VPN connection?
ANS: – VPN connection throughput depends on multiple factors, like the capacity of your customer gateway, the capacity of your network, average packet size, the protocol used, UDP vs. TCP, and the network latency between your virtual private gateway and customer gateway.
WRITTEN BY Mayank Bharawa
Click to Comment