AWS Client VPN

Implementing AWS Client VPN

In this blog post I will showcase how to implement AWS Client VPN.

AWS Client VPN is a fully-managed remote access VPN solution used by your remote workforce to securely access resources within both AWS and your on-premises network. Fully elastic, it automatically scales up, or down, based on demand. When migrating applications to AWS, your users access them the same way before, during, and after the move. AWS Client VPN, including the software client, supports the OpenVPN protocol.

Step 1 – Create Simple AD instance

In this section I created the Simple AD setup.

-I selected the small size (for larger deployments, large might be a better option).
-For the Directory DNS Name I used: corp.awssimplified.org
-For the Directory NetBIOS name I used: CORP
-I made sure I created a complex password.
-I selected the 2 pre-configured private subnets.

The directory will start provisioning; it needs to complete and move into the Active state before continuing to step 2.

Step 2 – Create RSA server certificate

I will explain how to create the certificate.
As I am using the Windows operating system, these are the steps I followed.
I opened the OpenVPN Community Downloads page, downloaded the Windows installer for my version of Windows, and ran the installer (https://openvpn.net/community-downloads).

I opened the EasyRSA releases page and downloaded the ZIP file for my version of Windows. I extracted the zip file and copied the EasyRSA folder to the \Program Files\OpenVPN folder (https://github.com/OpenVPN/easy-rsa/releases).

I opened the command prompt as an administrator, navigated to the \Program Files\OpenVPN\EasyRSA directory, and ran the following commands: the first opens the EasyRSA shell, the rest build the CA, server and client certificates.

EasyRSA-Start                                          # opens the EasyRSA shell
./easyrsa init-pki                                     # creates an empty PKI directory
./easyrsa build-ca nopass                              # builds the CA (no passphrase on the CA key)
./easyrsa build-server-full server nopass              # server key + certificate signed by the CA
./easyrsa build-client-full client1.domain.tld nopass  # client key + certificate signed by the CA
exit                                                   # leaves the EasyRSA shell

This is where I built the certificates.

Step 3 – Create VPN Endpoint

In this section I created the VPN endpoint.
I typed VPC in the services search box at the top of the screen, right-clicked the result and opened it in a new tab.
Under Virtual Private Network (VPN) in the menu on the left, I located and clicked Create Client VPN Endpoint.

For Name Tag I entered: A4L Client VPN.
For Client IPv4 CIDR I entered: 192.168.12.0/22.
For the server certificate ARN, I selected the server certificate I created in step 2.
Under authentication options, I ticked use user-based authentication.
I also ticked active directory authentication.
For DNS Server 1 IP address and DNS Server 2 IP address I entered the IP addresses of the Simple AD directory service instance created in step 1.

At this stage, the VPN endpoint is ready for configuration in the next step.

Step 4 – Configure VPN Endpoint & Associations

I clicked the associations tab and clicked associate.
I clicked the VPC dropdown and selected A4L-VPC.
I located the subnet IDs for the 3 private subnets in the A4L VPC.
I clicked associate, then closed the VPN endpoint dialog.
From there I had to pause and wait for the state of the VPN endpoint to change from pending-associate to available.

Step 5 – Download, Install & Test

I clicked download client configuration.

I went to aws.amazon.com/vpn/client-vpn-download and downloaded the client for my operating system.

I installed the VPN application, started the application, went to manage profiles, and added my profile which I downloaded.

I needed to ensure I authorized the connection, or the VPN would not work.
From the Client VPN console I clicked the authorization rules tab and clicked add authorization rule.
For destination network to enable I entered 10.16.0.0/16.
For grant access to, I ticked allow access to all users.
I clicked add authorization rule.
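
The parameters chosen in step 3 (client pool 192.168.12.0/22) and step 5 (VPC 10.16.0.0/16, authorization rule 10.16.0.0/16) have to fit together, and a mismatch is the usual reason the tunnel comes up but nothing is reachable. The pre-flight check below is an added example, not code from this post or from AWS; it assumes the AWS constraint that the client pool is between /22 and /12 and overlaps no network the clients route to, and that associating a subnet adds a route for its VPC CIDR.

```python
import ipaddress

# Values from this walkthrough: the client pool chosen in step 3 and the
# VPC range authorised in step 5. Associating a subnet adds a route for
# its VPC CIDR automatically, so the route list mirrors the VPC list here.
CLIENT_CIDR = "192.168.12.0/22"
VPC_CIDRS = ["10.16.0.0/16"]
ROUTE_DESTINATIONS = ["10.16.0.0/16"]
AUTH_RULE_DESTINATIONS = ["10.16.0.0/16"]


def check_client_cidr(client_cidr, reachable_cidrs):
    """Return problems with the client pool CIDR (empty list means OK).

    AWS accepts a pool between /22 and /12, and it must not overlap any
    network the clients route to, or that range is black-holed in the tunnel.
    """
    pool = ipaddress.ip_network(client_cidr, strict=True)
    problems = []
    if pool.prefixlen > 22:
        problems.append(f"{client_cidr}: smaller than /22")
    if pool.prefixlen < 12:
        problems.append(f"{client_cidr}: larger than /12")
    for cidr in reachable_cidrs:
        if pool.overlaps(ipaddress.ip_network(cidr, strict=True)):
            problems.append(f"{client_cidr}: overlaps {cidr}")
    return problems


def check_authorization(auth_destinations, route_destinations):
    """Pair authorization rules with routes and return the problems found.

    A rule with no covering route can carry no traffic; a route with no
    overlapping rule is reachable by nobody (the "VPN would not work"
    symptom from step 5).
    """
    routes = [ipaddress.ip_network(r, strict=True) for r in route_destinations]
    rules = [ipaddress.ip_network(a, strict=True) for a in auth_destinations]
    problems = []
    for rule in rules:
        if not any(rule.subnet_of(route) for route in routes):
            problems.append(f"rule {rule} matches no route")
    for route in routes:
        if not any(route.overlaps(rule) for rule in rules):
            problems.append(f"route {route} has no authorization rule")
    return problems


def preflight(client_cidr=CLIENT_CIDR, vpc_cidrs=VPC_CIDRS,
              routes=ROUTE_DESTINATIONS, auth_rules=AUTH_RULE_DESTINATIONS):
    """Run both checks against one endpoint configuration."""
    return check_client_cidr(client_cidr, vpc_cidrs) + check_authorization(auth_rules, routes)
```

Running `preflight()` with the values above returns an empty list; swapping the client pool for a range inside 10.16.0.0/16, or deleting the authorization rule, produces a specific complaint instead.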

Resource: https://github.com/acantril/learn-cantrill-io-labs/tree/master/aws-client-vpn
