AWS VPN Client
Description
AWS Client VPN is a managed, client-based VPN service that provides secure access to AWS resources. It is OpenVPN-based, so both the AWS-provided client and any OpenVPN-compatible client can connect.
The service is billed per client connection per hour, pro-rated for partial hours, plus an hourly charge for every subnet association while it exists (an endpoint with an association costs money even when no client is connected).
Lab Schema
Preconfiguration
1. Clone the easy-rsa project to set up the CA
$ git clone https://github.com/OpenVPN/easy-rsa.git
2. Initialise a new PKI and create the CA certificate
$ cd easy-rsa/easyrsa3
$ ./easyrsa init-pki
$ ./easyrsa build-ca nopass
nopass leaves the CA private key (pki/private/ca.key) unencrypted; acceptable for a lab, but keep that file out of any repository.
3. Generate the server and client certificates and keys
$ ./easyrsa build-server-full server.radkowski.local nopass
$ ./easyrsa build-client-full client1.radkowski.local nopass
The client key must be unencrypted (nopass) so that it can be embedded in the VPN profile in step #11.
Configs
4. ACM config
Log in to the AWS Console, open AWS Certificate Manager (ACM) and click Import certificate
5. Certificate import
Import both certificates created in step #3 (server and client), one import each:
- paste the certificate from the issued directory into the Certificate body field; easy-rsa prints a human-readable text dump above the PEM in that file, and ACM expects only the -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block
- paste the key from the private directory into the Certificate private key field
- paste ./pki/ca.crt into the Certificate chain field
List of files:
- server:
  - ~/easy-rsa/easyrsa3/pki/ca.crt
  - ~/easy-rsa/easyrsa3/pki/issued/server.radkowski.local.crt
  - ~/easy-rsa/easyrsa3/pki/private/server.radkowski.local.key
- client:
  - ~/easy-rsa/easyrsa3/pki/ca.crt
  - ~/easy-rsa/easyrsa3/pki/issued/client1.radkowski.local.crt
  - ~/easy-rsa/easyrsa3/pki/private/client1.radkowski.local.key
6. Create Client VPN Endpoint
Log in to the AWS Console, select VPC -> Client VPN Endpoints
7. Configure Client VPN Endpoint
Configure the endpoint using the certificates imported in step 5: the server certificate ARN as the server certificate, and mutual (certificate) authentication with the client certificate ARN. Choose a client IPv4 CIDR of /22 or larger that does not overlap the VPC CIDR or the networks the clients connect from.
8. Download VPN config file
Use the Console to download the automatically generated VPN config (ovpn file)
9. Associate Client VPN to target network
Use the Console (target network associations tab) to associate the endpoint with target subnets. Multiple subnets can be associated, but only one subnet per Availability Zone; each association is billed hourly for as long as it exists.
10. Authorize ingress
Use the Console (authorization rules tab) to define the destination networks that connected clients are allowed to reach, e.g. the VPC CIDR; these rules do not restrict where clients connect from, and without at least one rule clients connect but can reach nothing.
11. Update config
Using an editor, update the ovpn config downloaded in step #8 by adding two sections:
- cert (the client certificate generated in step #3)
- key (the client key generated in step #3)
Add them as <cert> ... </cert> and <key> ... </key> blocks, each containing only the PEM section of the file (for the certificate, the -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block, without easy-rsa's text dump above it), next to the existing <ca> block.
12. Download AWS VPN Client
Using the following link, download the AWS VPN Client
https://aws.amazon.com/vpn/client-vpn-download/
Alternatively, any OpenVPN client can be used:
- https://tunnelblick.net/
- https://openvpn.net/download-open-vpn/
13. Create AWS VPN Client Profile
Create a profile using the config file updated in step #11.
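The script below is an added example, not part of this lab or of AWS's tooling. It automates step #11 (splicing the client certificate and key into the downloaded ovpn file as <cert>/<key> blocks while keeping only the PEM section of easy-rsa's output) and, in provision_endpoint, steps #4 to #10 through the AWS CLI instead of the Console. Assumptions: easy-rsa's default pki/ layout under easy-rsa/easyrsa3, a client CIDR of 10.200.0.0/22, and AWS credentials in the environment for provision_endpoint (defined but not called by default). The certificate, key and endpoint hostname in the demo at the bottom are constructed placeholders, not real material.

```shell
#!/bin/sh
# Added example, not part of the original lab. Assembles the client profile
# (step 11) from the base .ovpn exported by AWS plus the easy-rsa client
# certificate and key, and optionally drives steps 4-10 with the AWS CLI.
# easy-rsa writes a human-readable dump above the PEM in pki/issued/<name>.crt;
# ACM's import form and the OpenVPN <cert> block only want the PEM section.
set -eu

# pem_block FILE LABEL_PATTERN - print only the "-----BEGIN ...-----" .. "-----END ...-----" section
pem_block() {
    sed -n "/^-----BEGIN $2-----\$/,/^-----END $2-----\$/p" "$1"
}

# build_profile BASE_OVPN CLIENT_CRT CLIENT_KEY - write the completed profile to stdout.
# Fails on a passphrase-protected key (the lab uses 'nopass') or a file with no PEM block.
build_profile() {
    base=$1 crt=$2 key=$3
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"; then
        echo "build_profile: $key is passphrase-protected; regenerate with 'build-client-full <name> nopass'" >&2
        return 1
    fi
    cert_pem=$(pem_block "$crt" 'CERTIFICATE')
    key_pem=$(pem_block "$key" '.*PRIVATE KEY')   # "PRIVATE KEY" (PKCS#8) or "RSA PRIVATE KEY"
    if [ -z "$cert_pem" ] || [ -z "$key_pem" ]; then
        echo "build_profile: no PEM block found in $crt or $key" >&2
        return 1
    fi
    cat "$base"
    printf '<cert>\n%s\n</cert>\n<key>\n%s\n</key>\n' "$cert_pem" "$key_pem"
}

# check_profile FILE - sanity-check a finished profile before importing it into the client
check_profile() {
    for pat in '^remote ' '^<ca>$' '^</ca>$' '^<cert>$' '^</cert>$' '^<key>$' '^</key>$'; do
        grep -q "$pat" "$1" || { echo "check_profile: '$pat' missing from $1" >&2; return 1; }
    done
}

# provision_endpoint SERVER_NAME CLIENT_NAME SUBNET_ID VPC_CIDR - steps 4-10 with the AWS CLI
# instead of the Console. Run from easy-rsa/easyrsa3 with AWS credentials; not run by default.
# The client CIDR (10.200.0.0/22 here, an assumed value) must be /22 or larger and must not
# overlap the VPC or the networks clients connect from.
provision_endpoint() {
    server=$1 client=$2 subnet=$3 vpc_cidr=$4
    pem_block "pki/issued/$server.crt" CERTIFICATE > server.pem
    pem_block "pki/issued/$client.crt" CERTIFICATE > client.pem
    server_arn=$(aws acm import-certificate --certificate fileb://server.pem \
        --private-key "fileb://pki/private/$server.key" --certificate-chain fileb://pki/ca.crt \
        --query CertificateArn --output text)
    client_arn=$(aws acm import-certificate --certificate fileb://client.pem \
        --private-key "fileb://pki/private/$client.key" --certificate-chain fileb://pki/ca.crt \
        --query CertificateArn --output text)
    ep=$(aws ec2 create-client-vpn-endpoint --client-cidr-block 10.200.0.0/22 \
        --server-certificate-arn "$server_arn" \
        --authentication-options "Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=$client_arn}" \
        --connection-log-options Enabled=false --query ClientVpnEndpointId --output text)
    aws ec2 associate-client-vpn-target-network --client-vpn-endpoint-id "$ep" --subnet-id "$subnet"
    # authorization rules name the DESTINATION networks clients may reach, not source networks
    aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id "$ep" \
        --target-network-cidr "$vpc_cidr" --authorize-all-groups
    aws ec2 export-client-vpn-client-configuration --client-vpn-endpoint-id "$ep" --output text > base.ovpn
    build_profile base.ovpn "pki/issued/$client.crt" "pki/private/$client.key" > "$client.ovpn"
}

# --- stand-alone demo on constructed placeholder input (not real certificates or endpoints) ---
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
printf '%s\n' 'client' 'dev tun' 'proto udp' \
    'remote cvpn-endpoint-0123456789abcdef0.prod.clientvpn.eu-west-1.amazonaws.com 443' \
    '<ca>' '-----BEGIN CERTIFICATE-----' 'CA_PLACEHOLDER' '-----END CERTIFICATE-----' '</ca>' \
    > "$work/base.ovpn"
printf '%s\n' 'Certificate:' '    Subject: CN=client1.radkowski.local' \
    '-----BEGIN CERTIFICATE-----' 'CLIENT_CERT_PLACEHOLDER' '-----END CERTIFICATE-----' \
    > "$work/client1.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CLIENT_KEY_PLACEHOLDER' '-----END PRIVATE KEY-----' \
    > "$work/client1.key"
build_profile "$work/base.ovpn" "$work/client1.crt" "$work/client1.key" > "$work/client1.ovpn"
check_profile "$work/client1.ovpn"
echo "profile OK: $work/client1.ovpn"
```

For the real lab, run build_profile against the downloaded ovpn file and the client files listed in step #5 (build_profile downloaded.ovpn pki/issued/client1.radkowski.local.crt pki/private/client1.radkowski.local.key > client1.ovpn), then import client1.ovpn in step #13. The same pem_block output is what should be pasted into ACM in step #5.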