Deploying AWS Client VPN endpoint with AWS CDK and Typescript

Aditya Nama
4 min read · Oct 3, 2022

Greetings!

If you are new to the AWS CDK, you can start with its official getting started guide.

Let’s begin with a brief overview of the procedure:

AWS Client VPN is a managed, client-based VPN service that lets you securely access AWS resources.

What is Client Authentication?

Client authentication is enforced at the first point of entry into the AWS Cloud: it is used to determine whether a client is permitted to connect to the Client VPN endpoint. If authentication succeeds, the client connects to the Client VPN endpoint and establishes a VPN session. If authentication fails, the connection is denied and the client cannot establish a VPN session.

Client VPN supports the following forms of client authentication:

  • Active Directory authentication (user-based)
  • Mutual authentication (certificate-based)
  • Single sign-on (SAML-based federated authentication) (user-based)

Generating client and server certificates and keys:

In this blog, mutual authentication will be used.

Client VPN performs mutual authentication between clients and the Client VPN endpoint using certificates. You need a server certificate and key, plus at least one client certificate and key. At a minimum, the server certificate must be imported into AWS Certificate Manager (ACM) and specified when the Client VPN endpoint is created. The client certificate does not have to be imported into ACM.

git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3
# Initialise a new PKI and create the CA (no passphrase, so the key can be used non-interactively)
./easyrsa init-pki
./easyrsa build-ca nopass
# Issue the server certificate and key
./easyrsa build-server-full server nopass
# Issue the client certificate and key (the name must match the files copied below)
./easyrsa build-client-full client1.domain.tld nopass
mkdir ~/demo_folder/
cp pki/ca.crt ~/demo_folder/
cp pki/issued/server.crt ~/demo_folder/
cp pki/private/server.key ~/demo_folder/
cp pki/issued/client1.domain.tld.crt ~/demo_folder/
cp pki/private/client1.domain.tld.key ~/demo_folder/
cd ~/demo_folder/
# Import the server certificate into ACM (required)
aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt
# Import the client certificate into ACM (optional, see below)
aws acm import-certificate --certificate fileb://client1.domain.tld.crt --private-key fileb://client1.domain.tld.key --certificate-chain fileb://ca.crt

Reference: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html

The client certificate does not always have to be uploaded to ACM. If the server and client certificates were issued by the same Certificate Authority (CA), you can use the server certificate ARN for both the server and the client when creating the Client VPN endpoint.

Copy the server certificate ARN into the CDK code for use there.

The code.

Explanation:

You need a VPC deployed before you can deploy this code; you can find out how here.

After a successful deployment, set up the client certificate as described below in order to connect to the VPN.

Step 1: Download AWS VPN Client

Step 2: Go to Client VPN Endpoints -> Download Client Configuration

Step 3: Open the downloaded file and add

<cert></cert><key></key> 

Step 4: Open “client1.domain.tld.crt” and “client1.domain.tld.key” (generated separately by the easy-rsa script) and add their contents to “downloaded-client-config.ovpn”.

Only copy the data in the following format:

-----BEGIN PRIVATE KEY-----
…………………….
-----END PRIVATE KEY-----

.crt file data goes inside the <cert></cert> tags

.key file data goes inside the <key></key> tags

Step 5: Launch the AWS Client VPN -> Go to File -> Manage Profiles -> Add Profile -> Select the “downloaded-client-config.ovpn” path -> Add Profile -> Connect
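Steps 3 and 4 can be scripted rather than done by hand. The following TypeScript is an added example, not code from the original post: it extracts only the BEGIN/END PEM block from the easy-rsa .crt and .key files (the .crt file also contains a human-readable dump that must not be pasted) and appends the <cert> and <key> sections to the downloaded profile. The sample profile and PEM bodies are constructed placeholders, not real key material.

```typescript
// Added example (not from the original post): inline the easy-rsa client certificate and key
// into the downloaded Client VPN profile, copying only the PEM block as Step 4 requires.
// The sample profile and PEM bodies are constructed placeholders, not real key material.

type PemKind = "CERTIFICATE" | "PRIVATE KEY";

// Pull exactly one -----BEGIN/-----END block out of a file's text. easy-rsa .crt files
// carry a human-readable dump before the PEM, which must not end up in the profile.
function extractPem(text: string, kind: PemKind): string {
  const label = kind === "PRIVATE KEY" ? "(?:RSA |EC |ENCRYPTED )?PRIVATE KEY" : "CERTIFICATE";
  const re = new RegExp(`-----BEGIN (${label})-----\\r?\\n([A-Za-z0-9+/=\\r\\n]+?)-----END \\1-----`);
  const m = re.exec(text);
  if (!m) throw new Error(`no ${kind} block found`);
  // A passphrase-protected key cannot be used by the client; build it with nopass as above.
  if (m[1].startsWith("ENCRYPTED")) throw new Error("key is encrypted");
  return `-----BEGIN ${m[1]}-----\n${m[2].replace(/\r\n/g, "\n").trim()}\n-----END ${m[1]}-----`;
}

// Steps 3 and 4: append <cert> and <key> sections to the downloaded configuration.
function buildProfile(ovpn: string, crtFile: string, keyFile: string): string {
  const base = ovpn.replace(/\r\n/g, "\n").trimEnd();
  if (/<cert>|<key>/.test(base)) throw new Error("profile already has inline cert/key");
  const cert = extractPem(crtFile, "CERTIFICATE");
  const key = extractPem(keyFile, "PRIVATE KEY");
  return `${base}\n<cert>\n${cert}\n</cert>\n<key>\n${key}\n</key>\n`;
}

// Constructed inputs standing in for downloaded-client-config.ovpn and the easy-rsa files.
const SAMPLE_OVPN = [
  "client", "dev tun", "proto udp",
  "remote cvpn-endpoint-PLACEHOLDER.prod.clientvpn.us-east-1.amazonaws.com 443",
  "<ca>", "-----BEGIN CERTIFICATE-----", "AAAAconstructedCA", "-----END CERTIFICATE-----", "</ca>",
].join("\n");
const SAMPLE_CRT =
  "Certificate:\n    Data:\n        Subject: CN=client1.domain.tld\n" +
  "-----BEGIN CERTIFICATE-----\nAAAAconstructedClientCert\n-----END CERTIFICATE-----\n";
const SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nAAAAconstructedClientKey\n-----END PRIVATE KEY-----\n";

console.log(buildProfile(SAMPLE_OVPN, SAMPLE_CRT, SAMPLE_KEY));
```

Write the returned string to the .ovpn file and treat it like the key itself, since it now contains the private key in clear text.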

We are connected now!

Conclusion

Please share your thoughts about this blog post in the comments box below. Reach out to me on Twitter at @adiintify if you have any questions or require access to the entire repository.
