With the release of the Desktop Clients for AWS Client VPN earlier this month, there has been renewed interest in the managed VPN service. Because AWS now ships the desktop VPN client itself, any support you require falls under the AWS support banner, giving customers an end-to-end solution. Before this announcement, AWS customers had to use third-party clients to connect. Given this renewed interest in the service, I have decided to document a simple setup scenario. If you require a more complex setup, please get in touch with our sales team.

Note: The AWS resources created in this lab exceed AWS’s free tier. You will be charged for resources if you follow this blog. Please investigate the resource costs prior to deploying the solution detailed in this article.

For this scenario, we will create 1 VPC with 3 Private Subnets so that we are distributing our application workloads over 3 availability zones. I’ve chosen to use the range for my VPC. Engage your network administrator to ensure that your IP address ranges meet your requirements for available hosts and don’t overlap with networks that require interconnectivity.  In addition to the VPC, we need to define a remote access IP pool for our VPN clients, I’ve chosen  Note, a /22 CIDR is currently the minimum address pool that we can assign. Below is a diagram of the straightforward architecture we will be building.

Step 1: Create the VPC that the VPN will connect to.

In the VPC console navigate to VPC > Your VPCs > Create VPC. Name the VPC using the Name Tag and apply the IP address range to the IPv4 CIDR block* field. We won’t be using IPv6 for this scenario, and the Default Tenancy is sufficient for our needs. Click the Create button and then click Close.

Now that we have our VPC created, navigate to the Subnets section and click Create Subnet. For the subnet details, I’ve divided them up as follows:

Name Tag VPC Availability Zone IPv4 CIDR Block
subnet-az-a VPC ID of the previously created VPC ap-southeast-2a
subnet-az-b VPC ID of the previously created VPC ap-southeast-2b
subnet-az-c VPC ID of the previously created VPC ap-southeast-2c

Fill in the details as per the screenshot above and repeat for all subnets (that you require) using the example IP plan above or the IP plan assigned to you by your network administrator. When completed, you should have 3 subnets spread across all availability zones. Note that all subnets created have connectivity between them, as they have a default association to the main route table.

Step 2: Create the Directory Services for username and password authentication

There are 2 methods of authentication with the VPN service that can be utilised:

  • Use Active Directory authentication
  • Use Mutual Authentication

These authentication methods can be used on their own or in conjunction with each other. For the purposes of this scenario, we will use both together. Firstly, let’s create the directory service. From the Services menu, select Directory Service. Assuming you don’t have a previous directory set up, select Set up directory. Then select Simple AD and click Next.

Note: it is also possible to use your on-premises AD via AD Connector, or to use AWS Managed Microsoft AD.

In the directory information, set the Directory DNS Name and the Directory NetBIOS name, and select the Small directory size.

Also, set a strong password for the directory administrator. Select a VPC and Subnets for your directory service to live in. I’ve chosen the VPC and Subnets that I created earlier. Then click Next and Create Directory to commence the creation of the directory service. Note: creating the directory can take up to 15 minutes.

Step 3: Create and Upload Certificates for Mutual Authentication

To generate the client and server certificates, we will use easy-rsa. Easy-rsa is a command-line tool to build and manage public key infrastructure and certificate authorities. It’s available from the OpenVPN GitHub page located at https://github.com/OpenVPN/easy-rsa. I’m using WSL2 to generate these certificates so mileage may vary on different operating systems. To generate and upload the certificate, use the following commands:

mkdir ~/certs
mkdir ~/temp
cd ~/temp
git clone https://github.com/OpenVPN/easy-rsa.git

# the clone creates an easy-rsa directory; the tooling lives in easyrsa3 beneath it
cd easy-rsa/easyrsa3
./easyrsa init-pki

./easyrsa build-ca nopass

You can take the opportunity to set your own common name for the CA certificate. However, I’ve used the default options.

./easyrsa build-server-full server nopass

./easyrsa build-client-full client1.example.com nopass

Let’s copy all the relevant certificates and keys to the certs directory:

cp pki/ca.crt ~/certs/
cp pki/issued/server.crt ~/certs/
cp pki/private/server.key ~/certs/
cp pki/issued/client1.example.com.crt ~/certs/
cp pki/private/client1.example.com.key ~/certs/
cd ~/certs

Replace the region and the profile to meet your requirements and upload the server certificate:

aws acm import-certificate --certificate file://server.crt --private-key file://server.key --certificate-chain file://ca.crt --region ap-southeast-2 --profile {{ profile }}

Again, replace the region and the profile to meet your requirements and upload the client certificate:

aws acm import-certificate --certificate file://client1.example.com.crt --private-key file://client1.example.com.key --certificate-chain file://ca.crt --region ap-southeast-2 --profile {{ profile }}

Take note of the ARNs for the client and server certificates; these will be required when configuring the VPN in the AWS console. Note that these are also available in the Certificate Manager console in the region you have uploaded the certificates to.

Step 4: Create a VPN in the AWS Console

Now that our VPC and Subnets have been created, and we have certificates and a directory service, we can set up our VPN connection.

Under the Virtual Private Network (VPN) section of the VPC dashboard, select Client VPN Endpoints. Click Create Client VPN Endpoint and enter the Name of the VPN. Under Authentication Information, select the Server Certificate ARN which we created earlier. Enable both Active Directory and Mutual Authentication and select the Directory ID and the Client certificate ARN of the certificate we created earlier.

Additional options include enabling connection logging, specifying custom DNS servers, enabling split tunnel, and setting the port and protocol. Once configured, click Create Client VPN Endpoint and then click Close.

The VPN has now been created, but it has not yet been associated with a VPC. To associate it with the VPC we created earlier, select the VPN connection and select the Associations tab. Then click the Associate button.

Select the VPC we created earlier and then choose a subnet to associate with. Note, at the time of writing this article, ap-southeast-2b was not supported for my account. However, both ap-southeast-2a and ap-southeast-2c were available.

Click Close once the Association ID has been assigned. Note that the status of the association can be obtained from the Associations tab. It may take several minutes for the association to complete.

Once the association has been completed, we can set up the client VPN configuration.

Step 5: Client VPN Configuration

Firstly we need to download two items.

The first is the AWS Client VPN, which is publicly available. The binary is located at the following link: https://aws.amazon.com/vpn/client-vpn-download/ Note the binary is only available for macOS and Windows at this time. Installing the MSI is straightforward on Windows, assuming you have the appropriate permissions to install applications.

The second item is the ovpn (Open VPN) client configuration file. This will need to be distributed to our VPN client users. To retrieve this, select the VPN from the AWS console and click on the Download Client Configuration button. This will provide us with an OpenVPN (.ovpn) client file which we will need to edit and append our certificates to.

Open the VPN configuration file in your editor of choice. We are going to append the client certificate and key to the configuration file inline.

Client Certificate Configuration

  • Under the </ca> section, create a stanza with <cert></cert> tags and paste the client certificate data between them. If you are following this guide, this certificate data is in the file client1.example.com.crt.
  • Under the </cert> section, create another stanza with the tags <key></key> and between these tags add the client key. If you are following this guide, the contents of the client key are in the file client1.example.com.key.
  • One last parameter to change is the remote parameter at the top of the configuration file: an NSLOOKUP or DIG on the endpoint’s domain name yields no results. To rectify this, prepend a prefix to the domain name, e.g. change the first URL below to the prefixed form of the second.
    • cvpn-endpoint-uniqueid.prod.clientvpn.ap-southeast-2.amazonaws.com
    • cvpn-endpoint-uniqueid.prod.clientvpn.ap-southeast-2.amazonaws.com
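The three client-configuration steps above, carried out as an added Python example (this is not code from the original post): it anchors <cert>/<key> stanzas directly under </ca>, strips the human-readable dump that easy-rsa puts in front of the PEM block in issued .crt files, and prefixes the remote hostname with a label you choose. The .ovpn contents, the certificate and key material, and the prefix label are constructed stand-ins, not values from this guide.

```python
import re

# Constructed stand-in for the .ovpn downloaded from the Client VPN endpoint
# (the real file carries the endpoint's full CA certificate inside <ca>).
ENDPOINT_CONFIG = """client
dev tun
proto udp
remote cvpn-endpoint-uniqueid.prod.clientvpn.ap-southeast-2.amazonaws.com 443
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA-CERT
-----END CERTIFICATE-----
</ca>
reneg-sec 0
"""
# Constructed stand-ins for client1.example.com.crt / .key from easy-rsa;
# issued .crt files start with a human-readable dump before the PEM block.
CLIENT_CERT = ("Certificate:\n    Data: ...\n-----BEGIN CERTIFICATE-----\n"
               "CONSTRUCTED-CLIENT-CERT\n-----END CERTIFICATE-----\n")
CLIENT_KEY = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-CLIENT-KEY\n-----END PRIVATE KEY-----\n"


def pem_block(pem: str, label: str) -> str:
    # Keep only the PEM block whose label matches the regex `label`.
    m = re.search(rf"-----BEGIN ({label})-----.*?-----END \1-----", pem, re.S)
    if not m:
        raise ValueError(f"no PEM block matching {label!r} found")
    return m.group(0)


def build_client_ovpn(config: str, cert_pem: str, key_pem: str, prefix: str) -> str:
    # Add <cert>/<key> stanzas directly under </ca> and prefix the remote host.
    if re.search(r"^<(cert|key)>$", config, re.M):
        raise ValueError("config already carries inline client material")
    if "</ca>" not in config:
        raise ValueError("config has no </ca> stanza to anchor on")
    cert = pem_block(cert_pem, "CERTIFICATE")
    key = pem_block(key_pem, r"(?:RSA |EC )?PRIVATE KEY")  # PKCS#8 or legacy headers
    out = config.replace("</ca>", f"</ca>\n<cert>\n{cert}\n</cert>\n<key>\n{key}\n</key>", 1)
    # The bare endpoint DNS name does not resolve; prefix it with a label.
    return re.sub(r"^(remote )(cvpn-endpoint-\S+)", rf"\g<1>{prefix}.\2", out, flags=re.M)


def inline_stanzas(ovpn: str) -> list:
    # Ordered stanza names, e.g. ['ca', 'cert', 'key'] once the file is edited.
    return re.findall(r"^<([a-z-]+)>$", ovpn, re.M)
```

Running build_client_ovpn a second time on its own output raises, which guards against distributing a profile with duplicated client material.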

Save the ovpn configuration and open the AWS VPN Client. Import the OpenVPN configuration file by navigating to File > Manage Profiles > Add Profile. Input a display name of your choice and the path to the VPN configuration file.

Test the connection by clicking Add Profile > Done > Connect. When prompted, input the username and password for the VPN connection, i.e. Administrator and the password that was set when creating the Simple AD directory service. Note that adding new users to the directory service is outside the scope of this article.

Once the username and password have been entered, the VPN connects.

Step 6: Test connectivity to the VPC

To test connectivity to our VPC, I have created an EC2 Linux instance in the VPC. The EC2 instance is configured with the VPN security group attached. This security group allows any member of the group to connect on port 22/SSH to any other member of the group.

To add our VPN to the security group, navigate to the VPC console. Select Client VPN Endpoints, select our VPN, then select the tab Security Groups > Apply Security Groups. Select the Security Group assigned to the EC2 instances and click Apply Security Groups.

Lastly, we need to add an authorisation rule. Click on Authorization > Authorize Ingress.

Enable access to the destination network range used in this guide, or replace it with your own address space, and click Add authorization rule > Close.

Wait for the authorisation to become active and attempt a connection to the EC2 instance.

We can now connect to our management port without exposing TCP/22 to the world. This allows us to effectively separate our management and production traffic from each other.