How to setup AWS Client VPN - toge510/homelab GitHub Wiki

Architecture


  1. Create certificates/keys for Mutual Authentication
  2. Set up VPC
  3. Create AWS Client VPN Endpoint

1. Create certificates/keys for Mutual Authentication

  • Create server and client Certificates and keys
  • Upload to ACM

Create server and client Certificates and keys

Run the following commands on a Linux machine with the AWS CLI installed and credentials that can import certificates into ACM.

git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3
ls -l
total 216
-rwxrwxr-x 1 goto goto 161724 Jan 13 18:16 easyrsa
-rw-rw-r-- 1 goto goto  30457 Jan 13 18:16 easyrsa-tools.lib
-rw-rw-r-- 1 goto goto   5145 Jan 13 18:16 openssl-easyrsa.cnf
-rw-rw-r-- 1 goto goto   9039 Jan 13 18:16 vars.example
drwxrwxr-x 2 goto goto   4096 Jan 13 18:16 x509-types

Initialize PKI environment

./easyrsa init-pki
Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /home/goto/easy-rsa/easyrsa3/pki

Using Easy-RSA configuration:
* undefined

Create a new Certificate Authority (CA)

nopass leaves the CA private key (pki/private/ca.key) unencrypted. Whoever holds that key can issue client certificates the endpoint will accept, so keep it off the VPN client machine and out of the ~/demo directory copied below; it is never uploaded to ACM.

./easyrsa build-ca nopass
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:"Demo CA"

Notice
------
CA creation complete. Your new CA certificate is at:
* /home/goto/easy-rsa/easyrsa3/pki/ca.crt

Create an OpenVPN TLS-AUTH|TLS-CRYPT-V1 key now: See 'help gen-tls'

Build-ca completed successfully.

Generate the server certificate and key

./easyrsa --san=DNS:server build-server-full server nopass
-----

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /home/goto/easy-rsa/easyrsa3/pki/reqs/server.req
* key: /home/goto/easy-rsa/easyrsa3/pki/private/server.key

You are about to sign the following certificate:

  Requested CN:     'server'
  Requested type:   'server'
  Valid for:        '825' days


subject=
    commonName                = server

            X509v3 Subject Alternative Name:
                DNS:server

Type the word 'yes' to continue, or any other input to abort.
  Confirm requested details: yes

Using configuration from /home/goto/easy-rsa/easyrsa3/pki/f884fd3d/temp.7.1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Apr 18 09:35:49 2027 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Inline file created:
* /home/goto/easy-rsa/easyrsa3/pki/inline/private/server.inline


Notice
------
Certificate created at:
* /home/goto/easy-rsa/easyrsa3/pki/issued/server.crt

Generate the client certificate and key

./easyrsa build-client-full client1.domain.tld nopass
-----

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /home/goto/easy-rsa/easyrsa3/pki/reqs/client1.domain.tld.req
* key: /home/goto/easy-rsa/easyrsa3/pki/private/client1.domain.tld.key

You are about to sign the following certificate:

  Requested CN:     'client1.domain.tld'
  Requested type:   'client'
  Valid for:        '825' days


subject=
    commonName                = client1.domain.tld

Type the word 'yes' to continue, or any other input to abort.
  Confirm requested details: yes

Using configuration from /home/goto/easy-rsa/easyrsa3/pki/fb13494b/temp.6.1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client1.domain.tld'
Certificate is to be certified until Apr 18 09:22:16 2027 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Inline file created:
* /home/goto/easy-rsa/easyrsa3/pki/inline/private/client1.domain.tld.inline


Notice
------
Certificate created at:
* /home/goto/easy-rsa/easyrsa3/pki/issued/client1.domain.tld.crt

Copy server and client certificates and keys to one directory

mkdir ~/demo
cp pki/ca.crt ~/demo/
cp pki/issued/server.crt ~/demo
cp pki/private/server.key ~/demo
cp pki/issued/client1.domain.tld.crt ~/demo
cp pki/private/client1.domain.tld.key ~/demo
cd ~/demo
ls -l
-rw------- 1 goto goto 1196 Jan 13 16:05 ca.crt
-rw------- 1 goto goto 4514 Jan 13 16:06 client1.domain.tld.crt
-rw------- 1 goto goto 1704 Jan 13 16:06 client1.domain.tld.key
-rw------- 1 goto goto 4499 Jan 13 16:09 server.crt
-rw------- 1 goto goto 1704 Jan 13 16:06 server.key

Upload the certificates and keys to ACM

Import into the region where the endpoint will live (ap-northeast-1 here); Client VPN only sees ACM certificates in its own region. The server certificate is required. Because client1.domain.tld was issued by the same CA as the server, importing the client certificate is optional: the endpoint only needs the CA chain, and the server certificate ARN can be reused as the client root chain. It is imported here anyway so that both ARNs exist.

aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt --region ap-northeast-1
{
    "CertificateArn": "arn:aws:acm:ap-northeast-1:624838222411:certificate/50ffd3d8-79c0-4268-90cf-e410eed1e5e5"
}
aws acm import-certificate --certificate fileb://client1.domain.tld.crt --private-key fileb://client1.domain.tld.key --certificate-chain fileb://ca.crt --region ap-northeast-1
{
    "CertificateArn": "arn:aws:acm:ap-northeast-1:624838222411:certificate/971acb25-5779-4d93-9042-9043e6061d37"
}
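Before importing, it is worth confirming that each pair is what ACM and the endpoint expect: the certificate chains to ca.crt, the key is unencrypted and actually belongs to the certificate, the EKU is serverAuth for the server and clientAuth for the client, and nothing has expired. The script below is an added example for this page, not part of the wiki or of easy-rsa. check_pair performs those checks with openssl; make_demo_pki is an assumed stand-in that builds equivalent CA, server and client pairs with plain openssl (not easy-rsa) so the script can be exercised on its own. On the real run, point check_pair at the files in ~/demo.

```shell
#!/usr/bin/env bash
# Pre-import checks for a certificate/key pair before `aws acm import-certificate`.
# Added example; not from the wiki page or from easy-rsa. Needs only `openssl` on PATH.
set -eu

# check_pair CA_CERT CERT KEY EXPECTED_EKU_TEXT
# Succeeds only if CERT chains to CA_CERT, KEY is the matching unencrypted private key,
# CERT carries the expected Extended Key Usage, and CERT has not expired.
check_pair() {
  local ca="$1" cert="$2" key="$3" eku="$4"
  local cert_pub key_pub

  # 1. The endpoint trusts ca.crt; a certificate that does not chain to it is useless here.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to $ca"; return 1; }

  # 2. ACM only imports unencrypted keys. easy-rsa 'nopass' writes 'BEGIN PRIVATE KEY';
  #    a passphrase-protected key carries 'ENCRYPTED' in its PEM header.
  if grep -q 'ENCRYPTED' "$key"; then
    echo "FAIL: $key is passphrase-protected; ACM needs an unencrypted key"; return 1
  fi

  # 3. The key must belong to the certificate: compare SHA-256 of the DER public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: $key does not match $cert"; return 1; }

  # 4. Client VPN needs serverAuth on the server certificate and clientAuth on client
  #    certificates; easy-rsa sets these via build-server-full / build-client-full.
  openssl x509 -in "$cert" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$eku" \
    || { echo "FAIL: $cert lacks EKU '$eku'"; return 1; }

  # 5. Not already expired (-checkend 0 exits non-zero once notAfter has passed).
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "FAIL: $cert has expired"; return 1; }

  echo "OK: $cert matches $key, chains to $ca, EKU '$eku'"
}

# make_demo_pki DIR
# Stand-in for build-ca / build-server-full / build-client-full using plain openssl:
# ca.crt, server.crt/.key (SAN DNS:server, serverAuth), client1.domain.tld.crt/.key (clientAuth).
make_demo_pki() {
  local d="$1" name ext
  mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  printf 'subjectAltName=DNS:server\nextendedKeyUsage=serverAuth\n' > "$d/server.ext"
  printf 'extendedKeyUsage=clientAuth\n' > "$d/client.ext"
  for name in server client1.domain.tld; do
    case "$name" in server) ext=server.ext ;; *) ext=client.ext ;; esac
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$d/$name.key" -out "$d/$name.req" >/dev/null 2>&1
    openssl x509 -req -days 825 -in "$d/$name.req" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -extfile "$d/$ext" -out "$d/$name.crt" >/dev/null 2>&1
  done
}

# demo: build the stand-in PKI in a temp dir and run the checks, including one that must fail.
demo() {
  local d
  d=$(mktemp -d)
  make_demo_pki "$d"
  check_pair "$d/ca.crt" "$d/server.crt" "$d/server.key" "TLS Web Server Authentication"
  check_pair "$d/ca.crt" "$d/client1.domain.tld.crt" "$d/client1.domain.tld.key" "TLS Web Client Authentication"
  # Negative case: the client key does not belong to the server certificate.
  if check_pair "$d/ca.crt" "$d/server.crt" "$d/client1.domain.tld.key" "TLS Web Server Authentication"; then
    echo "unexpected: mismatched key passed"; return 1
  fi
  rm -rf "$d"
}

# Usage:  bash check_certs.sh demo
#         bash check_certs.sh ~/demo/ca.crt ~/demo/server.crt ~/demo/server.key "TLS Web Server Authentication"
case "${1:-}" in
  demo) demo ;;
  "") ;;
  *) check_pair "$@" ;;
esac
```

Run it once per pair in ~/demo (server with "TLS Web Server Authentication", client with "TLS Web Client Authentication") before the two import-certificate commands; a mismatch found here costs a few seconds, one found after the endpoint is built costs a re-import and an endpoint modification.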

2. Set up the VPC

Create a VPC, two private subnets, and their route tables

Create VPC "demo" with CIDR 192.168.0.0/16

Create private subnet "demo-app-1" with CIDR 192.168.0.0/24

Create the corresponding route table "demo-app" with just the local route and associate it with subnet "demo-app-1"

Create private subnet "demo-client-vpn-1" with CIDR 192.168.100.0/24

Create the corresponding route table "demo-client-vpn-rt" with just the local route and associate it with subnet "demo-client-vpn-1"

Create security group "demo-client-vpn-sg" for the Client VPN endpoint's network interfaces

Launch the application EC2 instance in the "demo-app-1" subnet

  • Name: DemoApp
  • SG: DemoAppSG

3. Create the AWS Client VPN Endpoint

Create the endpoint with the name "demo-client-vpn-endpoint" in the "demo" VPC with security group "demo-client-vpn-sg", using mutual authentication with the server certificate ARN and the client certificate ARN imported into ACM above.

Associate the target network: subnet "demo-client-vpn-1".

Add an authorization rule for the VPC CIDR 192.168.0.0/16. With mutual authentication there are no user groups, so the rule applies to every holder of a valid client certificate.

The endpoint route table gets a route to 192.168.0.0/16 via the associated subnet automatically.
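The same steps from the AWS CLI, added here as an example (not from the original wiki), make the two settings that decide what the laptop's traffic does explicit: the authorization rule scope and split tunnel. The two ACM ARNs are the ones returned by import-certificate above; VPC_ID, VPN_SUBNET_ID and SG_ID are placeholders for the resources created in section 2; CLIENT_CIDR is an assumed pool chosen to agree with the 10.10.0.34 tunnel address seen later (it must be between /22 and /12 and must not overlap 192.168.0.0/16); the log group name is also assumed.

```shell
#!/usr/bin/env bash
# CLI equivalent of the console steps in section 3. Added example, not from the wiki.
# Placeholders (vpc-/subnet-/sg-PLACEHOLDER, CLIENT_CIDR, LOG_GROUP) are assumptions.
set -eu

REGION=ap-northeast-1
VPC_CIDR=192.168.0.0/16
CLIENT_CIDR=10.10.0.0/22
SERVER_CERT_ARN=arn:aws:acm:ap-northeast-1:624838222411:certificate/50ffd3d8-79c0-4268-90cf-e410eed1e5e5
CLIENT_CERT_ARN=arn:aws:acm:ap-northeast-1:624838222411:certificate/971acb25-5779-4d93-9042-9043e6061d37
VPC_ID=${VPC_ID:-vpc-PLACEHOLDER}                     # VPC "demo"
VPN_SUBNET_ID=${VPN_SUBNET_ID:-subnet-PLACEHOLDER}    # subnet "demo-client-vpn-1"
SG_ID=${SG_ID:-sg-PLACEHOLDER}                        # security group "demo-client-vpn-sg"
LOG_GROUP=demo-client-vpn-logs

# run CMD...: execute CMD, or with DRY_RUN=1 print it to stderr instead, so the whole plan
# can be reviewed before anything is created.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf 'DRY RUN: %s\n' "$*" >&2; return 0; fi
  "$@"
}

# Connection logging needs an existing CloudWatch log group and stream
# (both calls fail if the resource already exists; drop them on a re-run).
create_log_group() {
  run aws logs create-log-group --region "$REGION" --log-group-name "$LOG_GROUP"
  run aws logs create-log-stream --region "$REGION" --log-group-name "$LOG_GROUP" \
    --log-stream-name demo-client-vpn-endpoint
}

# Mutual TLS: the server certificate from ACM plus the CA chain that client certificates must
# chain to. The client certificate was imported with ca.crt as its chain, so its ARN works
# (the server ARN would too, both being issued by the same CA).
# --split-tunnel pushes only the endpoint's routes (the VPC CIDR) to the laptop, so internet
# traffic leaves the laptop directly instead of being sent into a private subnet that has no
# NAT or internet gateway route. Without it, the default full tunnel gives the "no internet
# through the VPN" result seen at the end of the page. Prints the new endpoint ID.
create_endpoint() {
  run aws ec2 create-client-vpn-endpoint --region "$REGION" \
    --description demo-client-vpn-endpoint \
    --client-cidr-block "$CLIENT_CIDR" \
    --server-certificate-arn "$SERVER_CERT_ARN" \
    --authentication-options "Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=$CLIENT_CERT_ARN}" \
    --connection-log-options "Enabled=true,CloudwatchLogGroup=$LOG_GROUP,CloudwatchLogStream=demo-client-vpn-endpoint" \
    --transport-protocol udp --vpn-port 443 \
    --vpc-id "$VPC_ID" --security-group-ids "$SG_ID" \
    --split-tunnel \
    --query ClientVpnEndpointId --output text
}

# associate_subnet ENDPOINT_ID: place the endpoint's network interface in demo-client-vpn-1.
# This is what adds the 192.168.0.0/16 route to the endpoint route table automatically.
associate_subnet() {
  run aws ec2 associate-client-vpn-target-network --region "$REGION" \
    --client-vpn-endpoint-id "$1" --subnet-id "$VPN_SUBNET_ID"
}

# authorize_vpc ENDPOINT_ID: the authorization rule is the second gate after the certificate.
# With mutual authentication there are no user groups, so --authorize-all-groups means every
# holder of a valid client certificate; scope it to the VPC CIDR, not 0.0.0.0/0.
authorize_vpc() {
  run aws ec2 authorize-client-vpn-ingress --region "$REGION" \
    --client-vpn-endpoint-id "$1" --target-network-cidr "$VPC_CIDR" --authorize-all-groups
}

# export_config ENDPOINT_ID OUTFILE: download the .ovpn; the client cert/key lines still
# have to be appended to it, as shown below.
export_config() {
  run aws ec2 export-client-vpn-client-configuration --region "$REGION" \
    --client-vpn-endpoint-id "$1" --output text > "$2"
}

main() {
  local ep
  create_log_group
  ep=$(create_endpoint)
  [ "${DRY_RUN:-0}" = 1 ] && ep=cvpn-endpoint-PLACEHOLDER   # nothing was created to read an ID from
  associate_subnet "$ep"
  authorize_vpc "$ep"
  export_config "$ep" demo-client-vpn-endpoint.ovpn
}

# Usage:  DRY_RUN=1 APPLY=1 bash client-vpn.sh   # print the plan
#         APPLY=1 bash client-vpn.sh             # create log group, endpoint, association, rule, .ovpn
if [ "${APPLY:-0}" = 1 ]; then main; fi
```

Review the DRY_RUN output first: every call is printed with the ARNs, CIDRs and the --split-tunnel flag that will actually be sent. If the full tunnel is wanted instead, replace --split-tunnel with --no-split-tunnel and add the 0.0.0.0/0 route, authorization rule and NAT path described at the end of the page.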

Download the client configuration file (.ovpn) from the endpoint. It contains the CA in a <ca> block but no client credentials, so add the client certificate and key to it, either as file paths as below or pasted inline in <cert> and <key> blocks:

cert '/Users/goto/Documents/clientvpn/client1.domain.tld.crt'
key  '/Users/goto/Documents/clientvpn/client1.domain.tld.key'

Install the AWS provided client (an OpenVPN-based client) from the link below, or any OpenVPN client, and import the edited .ovpn file:

https://aws.amazon.com/jp/vpn/client-vpn-download/

Once connected, ifconfig on the MacBook shows the tunnel interface with an address from the endpoint's client CIDR:

utun6: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	inet 10.10.0.34 --> 10.10.0.34 netmask 0xffffffe0

Ping the DemoApp instance (192.168.0.54 in "demo-app-1") from the laptop. Client VPN source-NATs client traffic to the endpoint's network interface in "demo-client-vpn-1", so DemoAppSG must allow ICMP from 192.168.100.0/24 or from "demo-client-vpn-sg":

ping 192.168.0.54 -c 4
PING 192.168.0.54 (192.168.0.54): 56 data bytes
64 bytes from 192.168.0.54: icmp_seq=0 ttl=254 time=15.046 ms
64 bytes from 192.168.0.54: icmp_seq=1 ttl=254 time=12.099 ms
64 bytes from 192.168.0.54: icmp_seq=2 ttl=254 time=10.620 ms
64 bytes from 192.168.0.54: icmp_seq=3 ttl=254 time=20.456 ms

--- 192.168.0.54 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 10.620/14.555/20.456/3.761 ms

With the VPN connected, the laptop can no longer reach the internet.

This is the expected result of the configuration above, not a fault. The endpoint was created without split tunnel, so the client receives a default route and sends all traffic, internet included, through the tunnel. Internet-bound packets are not covered by the 192.168.0.0/16 authorization rule, and even if they were, they would arrive in "demo-client-vpn-1", whose route table has only the local route, so they are dropped. Two ways to fix it:

  • Enable split tunnel on the endpoint. Only the endpoint's routes (192.168.0.0/16) are pushed to the client; internet traffic leaves the laptop directly and is neither inspected nor logged by the VPN.
  • Keep the full tunnel and give it an internet path: add a 0.0.0.0/0 route in the endpoint route table targeting the associated subnet, an authorization rule for 0.0.0.0/0, and a 0.0.0.0/0 route in "demo-client-vpn-rt" to a NAT gateway in a public subnet. All of the laptop's traffic then egresses from the VPC.