
A Setup Guide for AWS Client VPN with On-Premises Machines

Introduction

AWS Client VPN is a client-based VPN service that lets you securely reach resources in AWS and in your on-premises network. With a client VPN, users can reach those resources from any location using OpenVPN client software.

It is a fully managed, fully elastic remote-access VPN service: it scales up and down automatically with traffic, and it supports the OpenVPN protocol. This makes it well suited to WFH (Work From Home) employees who need to connect to an AWS VPC from a remote location.


Prerequisites

AWS Account

Create Certificate & VPC

  1. Log in to your AWS Account and go to the EC2 service
  2. Launch a Linux instance with the AWS CLI installed, then generate the certificates with the steps below:


  • Change into the easy-rsa directory: cd easy-rsa/easyrsa3
  • Initialize the PKI environment (it will hold the client and server certificates): ./easyrsa init-pki
  • Create a new Certification Authority (CA): ./easyrsa build-ca nopass
  • Generate the server certificate and key: ./easyrsa build-server-full server nopass


3. Now generate the client certificate and key: ./easyrsa build-client-full client1.domain.tld nopass

4. Once the above steps are done, copy the server and client certificates and keys into one directory


5. Now upload the keys and certificates to ACM (run "aws configure" first so the CLI has credentials and a region)

  • aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt --region ap-south-1
  • aws acm import-certificate --certificate fileb://client1.domain.tld.crt --private-key fileb://client1.domain.tld.key --certificate-chain fileb://ca.crt --region ap-south-1


6. Now create the VPC using the naming convention and settings below

  • Create VPC "VPC-Mumbai" with CIDR 10.10.0.0/16
  • Create private subnet "vpc-Mumbai-subnet-private1" with CIDR 10.10.128.0/20
  • Create the corresponding route table "vpc-Mumbai-rtb-private1-ap-south-1" with just the local route and associate it with subnet "vpc-Mumbai-subnet-private1"
  • Create private subnet "vpc-Mumbai-subnet-private2" with CIDR 10.10.144.0/20
  • Create the corresponding route table "vpc-Mumbai-rtb-private2-ap-south-1" with just the local route and associate it with subnet "vpc-Mumbai-subnet-private2"
  • Create security group "vpn-client-sg"
      ◦ Do not add any inbound rules
      ◦ Allow all outbound traffic (All traffic to 0.0.0.0/0)

7. Launch the application EC2 instance in the "vpc-Mumbai-subnet-private1" subnet

  • Its security group inbound rule should allow "All traffic" from the security group "vpn-client-sg" created in step 6

Configure AWS client VPN endpoint

8. Go to the VPC service and select "Client VPN endpoints" from the Virtual private network (VPN) section

  • Provide the name "client-vpn-endpoint" and an appropriate description
  • Client IPv4 CIDR: 10.20.0.0/16; each client is assigned an address from this pool when it connects to AWS


  • Server Certificate ARN: choose the server certificate imported earlier
  • Authentication Options: choose "Use Mutual Authentication"
  • Client certificate ARN: choose the client certificate imported earlier


  • Connection Logging: No
  • Transport Protocol: TCP
  • VPC ID: choose the "VPC-Mumbai" VPC created earlier
  • Security Group IDs: select the "vpn-client-sg" created earlier
  • VPN port: 443


9. Create Client VPN Endpoint

Associate Target Subnet & Allow traffic

10. Select the Client VPN endpoint created earlier


11. Go to Associations and associate the target subnet “vpc-Mumbai-subnet-private2”


12. Go to Authorizations and choose Authorize Ingress

  • Destination network to enable: enter the VPC CIDR 10.10.0.0/16
  • Grant access to: choose "Allow access to all users"

13. Add Authorization Rule
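The console clicks in steps 8 through 13 can also be scripted with the AWS CLI. The block below is an added example, not from the original post: it assumes the VPC, subnet, security group and the two ACM certificate ARNs from the earlier steps already exist and are passed in as arguments, and it reads the command name from AWS_CLI so that AWS_CLI=echo gives a dry run.

```shell
# Added example: AWS CLI equivalent of console steps 8-13.
# Assumptions: ids/ARNs come from the earlier steps; AWS_CLI=echo prints
# the commands instead of running them (dry run).
AWS_CLI="${AWS_CLI:-aws}"
REGION="ap-south-1"

# Steps 8-9: mutual-TLS endpoint on TCP/443, clients drawn from 10.20.0.0/16,
# no connection logging, attached to the VPC with the vpn-client-sg group.
create_cvpn_endpoint() {
    vpc_id="$1"; sg_id="$2"; server_arn="$3"; client_ca_arn="$4"
    "$AWS_CLI" ec2 create-client-vpn-endpoint \
        --region "$REGION" \
        --client-cidr-block 10.20.0.0/16 \
        --server-certificate-arn "$server_arn" \
        --authentication-options "Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=$client_ca_arn}" \
        --connection-log-options Enabled=false \
        --transport-protocol tcp \
        --vpn-port 443 \
        --vpc-id "$vpc_id" \
        --security-group-ids "$sg_id" \
        --description "client-vpn-endpoint" \
        --tag-specifications "ResourceType=client-vpn-endpoint,Tags=[{Key=Name,Value=client-vpn-endpoint}]" \
        --query ClientVpnEndpointId --output text
}

# Steps 10-11: associate the target subnet (vpc-Mumbai-subnet-private2).
associate_target_subnet() {
    "$AWS_CLI" ec2 associate-client-vpn-target-network \
        --region "$REGION" \
        --client-vpn-endpoint-id "$1" \
        --subnet-id "$2"
}

# Steps 12-13: authorize all authenticated users to reach the VPC CIDR.
authorize_vpc_ingress() {
    "$AWS_CLI" ec2 authorize-client-vpn-ingress \
        --region "$REGION" \
        --client-vpn-endpoint-id "$1" \
        --target-network-cidr 10.10.0.0/16 \
        --authorize-all-groups
}

# Usage (real run):
#   ep=$(create_cvpn_endpoint vpc-xxx sg-xxx "$SERVER_ARN" "$CLIENT_ARN")
#   associate_target_subnet "$ep" subnet-xxx
#   authorize_vpc_ingress "$ep"
```

The endpoint takes a few minutes to become "available" after creation; the association and authorization calls only succeed once it is.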


Download the VPN configuration file and Update the changes

14. Select the Client VPN endpoint and choose "Download Client Configuration" to save the configuration file to your local workstation.


15. Copy the client certificate and client key created in the steps above to a folder on the local workstation.


16. Open the configuration file in a text editor and add the following lines, pointing at the files copied in step 15

  • cert /path/of/client.crt
  • key /path/of/client.key

17. Also, modify the endpoint DNS name in the "remote" line by adding a random prefix

  • Original: cvpn-endpoint-015f804a15c3db5e2.prod.clientvpn.ap-south-1.amazonaws.com
  • Modified: xxxxxx.cvpn-endpoint-015f804a15c3db5e2.prod.clientvpn.ap-south-1.amazonaws.com
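Steps 16 and 17 amount to a small text edit of the downloaded .ovpn file. The script below is an added example (not from the original post) that makes both edits in one pass: it assumes the file carries a "remote <endpoint-dns> 443" line as the console download does, and the sample config, certificate paths and prefix it uses are constructed placeholders.

```shell
# Added example: apply steps 16-17 to a downloaded Client VPN config.
# Assumption: the config has a "remote cvpn-endpoint-... 443" line.
patch_cvpn_config() {
    cfg="$1"; cert="$2"; key="$3"; prefix="$4"
    # Step 17: generate a random prefix if the caller did not supply one.
    if [ -z "$prefix" ]; then
        prefix=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 8)
    fi
    # Rewrite the remote line with the prefix, then insert the cert/key
    # directives (step 16) right after it. Everything else is left alone.
    awk -v cert="$cert" -v key="$key" -v prefix="$prefix" '
        $1 == "remote" && $2 ~ /^cvpn-endpoint-/ {
            print $1, prefix "." $2, $3
            print "cert " cert
            print "key " key
            next
        }
        { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Helper to read the endpoint host back out of the config for checking.
remote_host() {
    awk '$1 == "remote" { print $2 }' "$1"
}

# Constructed sample: a trimmed stand-in for the console download, using
# the endpoint id shown in the post. Not a real exported config.
sample_config() {
    cat > "$1" <<'EOF'
client
dev tun
proto tcp
remote cvpn-endpoint-015f804a15c3db5e2.prod.clientvpn.ap-south-1.amazonaws.com 443
resolv-retry infinite
nobind
remote-cert-tls server
verb 3
EOF
}
```

Run it as: patch_cvpn_config client-vpn-endpoint.ovpn /path/of/client.crt /path/of/client.key, then import the patched file into the OpenVPN client as in step 19.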

Connect OpenVPN and Testing

18. Prerequisite: download and install the OpenVPN client from https://openvpn.net/community-downloads/

19. Import the modified configuration file into the OpenVPN client.


20. Connect with OpenVPN


21. Now open a command prompt and ping the private IP of the instance launched in step 7 above


Conclusion

If the ping succeeds, you have created a working client VPN between AWS and your on-premises machine. There are many scenarios in which we need to work on the AWS cloud, whether to run experiments or to set up an application server. AWS Client VPN provides secure connectivity so that each individual can connect remotely over an encrypted OpenVPN session and do their job. Thanks for reading this setup guide for AWS Client VPN with on-premises machines.



FAQs

1. What do you mean by Client VPN endpoint?

ANS: The Client VPN endpoint is the resource you create and configure to use the Client VPN service on AWS. Remote users' VPN sessions terminate at the Client VPN endpoint. When you create it, you specify the authentication details, the server and client certificate details, the client IP address pool, the logging options, and the VPN port.

2. What do you mean by target network?

ANS: The target network you attach to the Client VPN endpoint is the VPC subnet through which connected clients gain access to your AWS resources and, via the VPC, to on-premises networks.

3. What factors will affect the throughput of my VPN connection?

ANS: VPN connection throughput depends on multiple factors, such as the capacity of your customer gateway, the capacity of your network, the average packet size, the protocol used (UDP vs. TCP), and the network latency between your virtual private gateway and customer gateway.

WRITTEN BY Mayank Bharawa
