Introduction
AWS Client VPN is a managed, client-based VPN service that lets you securely access resources in AWS and in your on-premises network. With Client VPN, users can connect from any location using an OpenVPN-based client.
Prerequisites
AWS Account
Create Certificate & VPC
1. Log in to your AWS account and open the EC2 service.
2. Launch a Linux instance with the AWS CLI installed and generate the certificates on it with EasyRSA:
- Install git if it is not already installed
- git clone https://github.com/OpenVPN/easy-rsa.git
- cd easy-rsa/easyrsa3
- Initialize the PKI directory that will hold the CA, server and client material: "./easyrsa init-pki"
- Create a new Certification Authority (CA): "./easyrsa build-ca nopass". Note that nopass leaves the CA private key (pki/private/ca.key) unencrypted on disk; anyone holding that key can issue client certificates the endpoint will accept, so do not copy it anywhere else and keep this instance short-lived.
- Generate the server certificate and key: "./easyrsa build-server-full server nopass"
3. Generate the client certificate and key: "./easyrsa build-client-full client1.domain.tld nopass"
4. Copy the server and client certificates and keys (but not the CA key) into one directory:
$ mkdir ~/cert
$ cp pki/ca.crt ~/cert/
$ cp pki/issued/server.crt ~/cert/
$ cp pki/private/server.key ~/cert/
$ cp pki/issued/client1.domain.tld.crt ~/cert/
$ cp pki/private/client1.domain.tld.key ~/cert/
$ cd ~/cert
5. Upload the certificates and keys to ACM (run "aws configure" first so the CLI has credentials and a default region). Only the server certificate has to be in ACM: because the client certificate was issued by the same CA, the server certificate ARN can also be used as the client certificate ARN in step 8. Importing the client material separately, as below, also works.
- aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt --region ap-south-1
- aws acm import-certificate --certificate fileb://client1.domain.tld.crt --private-key fileb://client1.domain.tld.key --certificate-chain fileb://ca.crt --region ap-south-1
6. Create the VPC and subnets with the naming convention below:
- Create VPC "VPC-Mumbai" with CIDR 10.10.0.0/16
- Create private subnet "vpc-Mumbai-subnet-private1" with CIDR 10.10.128.0/20
- Create the corresponding route table "vpc-Mumbai-rtb-private1-ap-south-1" with just the local route and associate it with subnet "vpc-Mumbai-subnet-private1"
- Create private subnet "vpc-Mumbai-subnet-private2" with CIDR 10.10.144.0/20
- Create the corresponding route table "vpc-Mumbai-rtb-private2-ap-south-1" with just the local route and associate it with subnet "vpc-Mumbai-subnet-private2"
- Create security group "vpn-client-sg"; it will be attached to the Client VPN endpoint and used as the source in the application instance's inbound rule
- Do not add any inbound rules
- Allow all outbound traffic (All traffic to 0.0.0.0/0)
7. Launch the application EC2 instance in the "vpc-Mumbai-subnet-private1" subnet
- Its security group's inbound rule should allow traffic from security group "vpn-client-sg" created in step 6. "All traffic" is enough for this walkthrough (the ping test in step 21 needs ICMP); in production, restrict the rule to the protocols and ports VPN users actually need.
Configure AWS client VPN endpoint
8. Go to the VPC service, select "Client VPN endpoints" from the Virtual private network (VPN) section and choose Create Client VPN endpoint
- Name: "client-vpn-endpoint", with an appropriate description
- Client IPv4 CIDR: 10.20.0.0/16. Connecting clients are assigned an address from this pool, so it must not overlap the VPC CIDR (10.10.0.0/16) and its prefix length must be between /12 and /22
- Server Certificate ARN: choose the server certificate imported earlier
- Authentication Options: choose "Use mutual authentication"
- Client certificate ARN: choose the client certificate imported earlier
- Connection Logging: No (for anything beyond a lab, enable logging to a CloudWatch Logs log group so that connection attempts are auditable)
- Transport Protocol: TCP (UDP is the default and usually gives better throughput; TCP on port 443 is used here because it is more likely to pass through restrictive client networks)
- VPC ID: choose the "VPC-Mumbai" VPC created earlier
- Security Group IDs: select the "vpn-client-sg" created earlier
- VPN port: 443
9. Create Client VPN Endpoint
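Step 8 requires the client pool to be disjoint from the VPC CIDR and sized between /12 and /22. The following bash script is an added example, not part of the original post and not calling AWS at all: it checks a candidate client CIDR against the VPC CIDR from step 6 before you create the endpoint. All function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example: validate a Client VPN client pool against the VPC CIDR.
# Pure shell arithmetic, no AWS calls; run it before creating the endpoint.
set -eu

# ip_to_int 10.20.0.0 -> dotted quad as an unsigned 32-bit integer
ip_to_int() {
    local IFS=.
    # shellcheck disable=SC2086
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# network_of 10.20.5.7/16 -> first address of the block as an integer
network_of() {
    local ip=${1%/*} plen=${1#*/}
    local mask=$(( plen == 0 ? 0 : (4294967295 << (32 - plen)) & 4294967295 ))
    echo $(( $(ip_to_int "$ip") & mask ))
}

# broadcast_of 10.20.0.0/16 -> last address of the block as an integer
broadcast_of() {
    local plen=${1#*/}
    echo $(( $(network_of "$1") | ((1 << (32 - plen)) - 1) ))
}

# cidrs_overlap A B -> success (0) if the two blocks share any address
cidrs_overlap() {
    local a_lo a_hi b_lo b_hi
    a_lo=$(network_of "$1"); a_hi=$(broadcast_of "$1")
    b_lo=$(network_of "$2"); b_hi=$(broadcast_of "$2")
    [ "$a_lo" -le "$b_hi" ] && [ "$b_lo" -le "$a_hi" ]
}

# check_client_cidr CLIENT_CIDR VPC_CIDR
# Succeeds only if the client pool is acceptable for a Client VPN endpoint:
#  - prefix length between /12 and /22 (the service's allowed range)
#  - no overlap with the VPC CIDR the target subnet belongs to
check_client_cidr() {
    local client=$1 vpc=$2 plen=${1#*/}
    if [ "$plen" -lt 12 ] || [ "$plen" -gt 22 ]; then
        echo "REJECT: $client prefix /$plen is outside the allowed /12../22 range"
        return 1
    fi
    if cidrs_overlap "$client" "$vpc"; then
        echo "REJECT: client pool $client overlaps VPC CIDR $vpc"
        return 1
    fi
    echo "OK: client pool $client does not overlap $vpc"
}

# Demonstration with the values used in this post
check_client_cidr 10.20.0.0/16 10.10.0.0/16
```

The same check should be repeated against any additional route you add to the endpoint's route table later (for example an on-premises CIDR reachable through the VPC), since the client pool must not overlap those either.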
Associate Target Subnet & Allow traffic
10. Select the Client VPN endpoint created earlier
11. Go to Associations and associate the target subnet “vpc-Mumbai-subnet-private2”
12. Go to Authorizations and choose Authorize Ingress
- Destination network to enable: enter the VPC CIDR 10.10.0.0/16
- Grant access to -> Choose ”Allow access to all users”
13. Add Authorization Rule
Download the VPN configuration file and Update the changes
14. Select the Client VPN endpoint and choose "Download Client Configuration"; save the file on your local workstation.
15. Copy the client certificate and client key (client1.domain.tld.crt and client1.domain.tld.key from step 4) to a folder on the local workstation.
16. Open the configuration file in a text editor and add the following lines, pointing at the files copied in step 15:
- cert /path/of/client.crt
- key /path/of/client.key
17. Also, modify the endpoint DNS name in the "remote" line by adding a random prefix (the endpoint accepts any subdomain of its DNS name; the random prefix avoids stale cached DNS answers):
- Original: cvpn-endpoint-015f804a15c3db5e2.prod.clientvpn.ap-south-1.amazonaws.com
- Modified: xxxxxx.cvpn-endpoint-015f804a15c3db5e2.prod.clientvpn.ap-south-1.amazonaws.com
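Steps 14 to 17 are easy to get wrong by hand when you prepare configurations for several users. The bash script below is an added example, not the post's own code: it applies the cert/key lines and the random hostname prefix to a downloaded configuration read on standard input, and refuses to run twice on the same file. The sample configuration embedded in it is constructed for the example (the endpoint ID is the one shown in the post, not a live endpoint, and the <ca> block is a placeholder); the function names and file paths are the example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example: automate steps 14-17 on a downloaded Client VPN .ovpn file.
# Assumes the file carries a "remote <dns-name> <port>" line, as AWS Client VPN
# configuration files do. Usage on a real file:
#   patch_ovpn "$(random_prefix)" /path/of/client.crt /path/of/client.key \
#       < downloaded-client-config.ovpn > client-vpn.ovpn
set -eu

# Constructed sample of the relevant part of a downloaded configuration.
SAMPLE_OVPN='client
dev tun
proto tcp
remote cvpn-endpoint-015f804a15c3db5e2.prod.clientvpn.ap-south-1.amazonaws.com 443
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
...constructed placeholder, not a real CA certificate...
-----END CERTIFICATE-----
</ca>'

# random_prefix -> 12 lowercase hex characters from /dev/urandom
random_prefix() {
    od -An -N6 -tx1 /dev/urandom | tr -d ' \n'
}

# patch_ovpn PREFIX CERT_PATH KEY_PATH   (config on stdin, patched config on stdout)
#  - prepends "PREFIX." to the hostname of every "remote" line (step 17)
#  - appends the cert and key directives pointing at the client files (step 16)
#  - fails if the input already references a client certificate or key, so the
#    script cannot silently stack a second prefix or duplicate directives
patch_ovpn() {
    local prefix=$1 cert=$2 key=$3
    local input
    input=$(cat)
    if printf '%s\n' "$input" | grep -Eq '^(cert|key) |^<(cert|key)>'; then
        echo "refusing: configuration already references a client certificate/key" >&2
        return 1
    fi
    # Only lines that start with "remote" followed by whitespace are touched;
    # "remote-cert-tls" is left alone.
    printf '%s\n' "$input" | sed -E "s/^(remote[[:space:]]+)([^[:space:]]+)/\1${prefix}.\2/"
    printf 'cert %s\nkey %s\n' "$cert" "$key"
}

# Demonstration on the constructed sample
printf '%s\n' "$SAMPLE_OVPN" | patch_ovpn "$(random_prefix)" /path/of/client.crt /path/of/client.key
```

Because the client key is a credential for the endpoint, treat the resulting .ovpn and the key file with the same care as a password: file permissions readable by the user only, and a distinct client certificate per person so that a compromised one can be revoked without affecting the others.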
Connect OpenVPN and Testing
18. Prerequisite: download and install the OpenVPN client from https://openvpn.net/community-downloads/
19. Import the modified configuration file.
20. Connect with OpenVPN.
21. Open a command prompt and ping the private IP of the instance created in step 7.
Conclusion
If the ping succeeds, the Client VPN between your workstation and AWS is working. There are many scenarios in which we need to work on AWS to run executions and experiments or to set up an application server. AWS Client VPN provides secure connectivity so that every individual connects remotely over a mutually authenticated OpenVPN session and performs their job. Thanks for reading this setup guide for AWS Client VPN with on-premises machines.
FAQs
1. What do you mean by Client VPN endpoint?
ANS: – The Client VPN endpoint is the AWS resource you create and configure to enable and manage client VPN sessions; it is the point where your users' VPN sessions terminate. When you create it, you specify the authentication details, server/client certificate details, client IP address pool, logging options, transport protocol and VPN port.
2. What do you mean by target network?
ANS: – The target network is a subnet in your VPC that you associate with the Client VPN endpoint. It gives connected clients access to that VPC and to anything routable from it, including on-premises networks.
3. What factors will affect the throughput of my VPN connection?
ANS: – Client VPN throughput depends on multiple factors, such as the capacity of the client's own network and internet connection, the average packet size, the transport protocol (UDP vs. TCP) and the network latency between the client and the Client VPN endpoint.

WRITTEN BY Mayank Bharawa