AWS Client VPN ile Private VPC erişimi

16/04/2021 1:48

Mustafa Zeytin, Mobilist

What is AWS Client VPN?

AWS Client VPN is a client-based tool that allows you to securely access your resources on AWS.

In summary, you can now safely access your resources that you have kept out of your sight and have blocked direct access via the internet.

AWS Clint VPN provides authentication with both Simple Active Directory and Certificate. For now, we will only verify with the Certificate.

Creating Certificates

We will use the Open VPN easy RSA tool to generate server and client certificates.

First, let's copy the Easy RSA project from Github.

git clone https://github.com/OpenVPN/easy-rsa.git

Let's go into the easyrsa3 folder in the project and create a new PKI.

./easyrsa init-pki

We will get an output like this.

# Released
init-pki complete; you may now create a CA or requests.Your newly created PKI dir is: /Users/the1462/temp/easy-rsa/easyrsa3/pki

Then let's create Certificate Authority.

./easyrsa build-ca nopass

During this process, it will ask you for 'Common Name'; I used 'MOBILIST-CA' here.

We will get an output like this.

# Released
Using SSL: openssl OpenSSL 1.1.1h 22 Sep 2020
Generating RSA private key, 2048 bit long modulus
…………………………………………….+++
……………………………..+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
—–
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:MOBILIST-CA

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/Users/the1462/temp/easy-rsa/easyrsa3/pki/ca.crt

Let's create the server certificate.

./easyrsa build-server-full MobilistSERVER nopass

We will get an output similar to this.

# Released
Using SSL: openssl OpenSSL 1.1.1h 22 Sep 2020
Generating a 2048 bit RSA private key
…………..+++
…………+++
writing new private key to '/Users/the1462/temp/easy-rsa/easyrsa3/pki/easy-rsa-56747.cqqBOD/tmp.0uFbSb'
—–
Using configuration from /Users/the1462/temp/easy-rsa/easyrsa3/pki/easy-rsa-56747.cqqBOD/tmp.OKgfef
Check that the request matches the signature
Signature arrow
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'MobilistSERVER'
Certificate is to be certified until Jun 18 01:25:46 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Now it's time to create the user certificate. When creating a user certificate, creating a separate certificate for each user will make it easier for you to remove the access authority of a particular user in the future.

./easyrsa build-client-full the1462.MobilistSERVER nopass

sample output

# Released
Using SSL: openssl OpenSSL 1.1.1h 22 Sep 2020
Generating a 2048 bit RSA private key
…………………..+++
……………………………………………………………………………………………………………….+++
writing new private key to '/Users/the1462/temp/easy-rsa/easyrsa3/pki/easy-rsa-82627.18fv4a/tmp.ovhqt6'
—–
Using configuration from /Users/the1462/temp/easy-rsa/easyrsa3/pki/easy-rsa-82627.18fv4a/tmp.z7AyqB
Check that the request matches the signature
Signature arrow
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'the1462.MobilistSERVER'
Certificate is to be certified until Jun 18 01:32:33 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Collect all required certificates in one folder.

mkdir acm-certs
cp pki/ca.crt acm-certs
cp pki/issued/MobilistSERVER.crt acm-certs
cp pki/issued/the1462.MobilistSERVER.crt acm-certs
cp pki/private/MobilistSERVER.key acm-certs
cp pki/private/the1462.MobilistSERVER.key acm-certs
….
cd acm-certs

All our certificates are ready, now it's time to upload them to ACM (AWS Certificate Manager).

We install the Server Certificate:

aws acm import-certificate –certificate fileb://MobilistSERVER.crt –private-key fileb://MobilistSERVER.key –certificate-chain fileb://ca.crt –region eu-central-1

We install the Client Certificate:

aws acm import-certificate –certificate fileb://the1462.MobilistSERVER.crt –private-key fileb://the1462.MobilistSERVER.key –certificate-chain fileb://ca.crt –region eu-central-1

When you select the region you installed in the AWS Console and enter the ACM page, you can see that the certificates are installed.

ACM instance in my AWS Account

VPN Endpoint Settings

We open the VPC management panel via AWS Console. We open the 'Client VPN Endpoints' page from the left menu and click 'Create Client VPN Endpoint'.

From the Client Ipv4 CIDR field, we determine which IP block users will receive IP from. IP range must be between /16 /22; The important point here is that the IP block you provide does not conflict with the IP block of your existing resources. Also note that once the VPN Endpoint is created, this field cannot be changed.

We select the server certificate we created as Server certificate ARN.

In the Authentication Options section, I only selected 'Use mutual authentication'. If you are going to use Active Directory, you can also select the 'Use user-based authentication' field and select your directory.

We select the user certificate we created as Client certificate ARN.

If you want to do connection reporting, you can select 'CloudWatch Log Group' by saying 'Yes' in the Connection Logging field.

I leave DNS Zones blank to use AWS default DNS services.

By selecting the Enable split-tunnel feature, I ensure that users use VPN when accessing AWS resources and disable it for external access. Thus, traffic will not go through AWS VPN when accessing services such as YouTube and Spotify.

You can create a separate 'Security Group' for the VPN, but I used the default.

The creation process may take some time, but it shouldn't take more than 1 minute.

The default status will be 'Pending-associate' since we haven't mapped the target VPC yet.

VPC Peering

To do this, we will go to the Associations tab and click 'Associate'.

Then we select VPC and Subnet. Repeat the process for all Subnets you want to match.

The pairing process may take approximately 5 minutes.

Target VPC Selection

We add the VPCs you want the VPN to access under 'Authorization'.

10.2.0.0/16 CIDR block of my offline VPC network

Target Subnet Selection

You can add the target Subnets you want to access with VPN under 'Route Table'.

We enter the Target VPC address as the route destination and select the subnet.

If you've made it this far in one piece, all that's left is to download the config file and make a small adjustment.

When you open the *.ovpn file you downloaded with your favorite text editor, it will look similar to the following.client
giant tun
proto udp
remote cvpn-endpoint-0dbfa55f40f69c20c.prod.clientvpn.eu-central-1.amazonaws.com 443
remote-random-hostname
resolve-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
—–BEGIN CERTIFICATE—–
MIIDSzCCAjOgAwIBAgIULBPB/kjluQTqqW7kOo1F2r/CWlowDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAwwLTU9CSUxJU1QtQ0EwHhcNMjEwMzE1MDEyMTQ5WhcNMzEw
MzEzMDEyMTQ5WjAWMRQwEgYDVQQDDAtNT0JJTElTVC1DQTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAKnGj/zKMhjE1QdVHjqKZTioj0sdg7uq4POzLMiG
jmffMZkVADtyYpnIKD5oQyBT9l1Z5cCJL2q1KhnDkRzJR7OK91mqYfSzCdlPTARC
zdfNwMpXwQHlQJQ4SBkfCF1okmoQbi1QRl2orqIcR6xlb8HPTQANE1+tNvGeG5xW
Ihw06ZPXNIX3jyW7m2SjKAEP71SY/UGdKOTxSq51nX7gklHkq9DvOo91O5dk5Hbv
t+bZSCcYIQ8pVDXVRUfa3gLxXFJKRl4rhaAIpy0EzWdJM7R4GqAQo8pVafi6qnnw
MyYFdxkKIKQeUsREm39aSh6JyImZhj3mZat0tdu/9i5F9M0CAwEAAaOBkDCBjTAd
BgNVHQ4EFgQUz4TqDsE49EKn50Gh5HdzCPhaRYkwUQYDVR0jBEowSIAUz4TqDsE4
9EKn50Gh5HdzCPhaRYmhGqQYMBYxFDASBgNVBAMMC01PQklMSVNULUNBghQsE8H+
SOW5BOqpbuQ6jUXav8JaWjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq
hkiG9w0BAQsFAAOCAQEAOOjyKU8wr1OiQ7Z5eZZ8F+3CkBS4ZUYEg3G5V9vDO9/4
QhRyqdu2ATjy5qDN3Q/zUT3G4g/ZizvisZGHNg27qFsq6RB+mMI9scch2U58b++t
UrgN8HKM8bcMyTkcpKMnnhpU3mC5ZEO31slAg/t65i6EccbEOY9f/e6HpAZw4fcU
ldEcQ2CnRa6edbo5rD7KE7glciIVetVmHklWxIKvDW3IIzePCvb4DudHKZUF9CpG
KRiQTmEf3ayC1w2y4cq4bxzoF+HcM2W1Mhsx3pRyzyBfWcITYBXaerTa6tdL49Z4
OtC/Z1Fqj+KNRUbw0nN6zRuH+cfvKL8cddfbcbSXqg==
—–END CERTIFICATE—– reneg-sec 0cert /Users/the1462/temp/easy-rsa/easyrsa3/acm-certs/the1462.MobilistSERVER.crt
key /Users/the1462/temp/easy-rsa/easyrsa3/acm-certs/the1462.MobilistSERVER.key

You will open the following two labels at the bottom of the file and paste the contents of the relevant files between them.
— the1462.MobilistSERVER.crt file content —
<cert><key>
— the1462.MobilistSERVER.key file content —
<key>

After the edits you make, your *.opnv file will look similar to the following.client
giant tun
proto udp
remote cvpn-endpoint-0dbfa55f40f69c20c.prod.clientvpn.eu-central-1.amazonaws.com 443
remote-random-hostname
resolve-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
—–BEGIN CERTIFICATE—–
MIIDSzCCAjOgAwIBAgIULBPB/kjluQTqqW7kOo1F2r/CWlowDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAwwLTU9CSUxJU1QtQ0EwHhcNMjEwMzE1MDEyMTQ5WhcNMzEw
MzEzMDEyMTQ5WjAWMRQwEgYDVQQDDAtNT0JJTElTVC1DQTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAKnGj/zKMhjE1QdVHjqKZTioj0sdg7uq4POzLMiG
jmffMZkVADtyYpnIKD5oQyBT9l1Z5cCJL2q1KhnDkRzJR7OK91mqYfSzCdlPTARC
zdfNwMpXwQHlQJQ4SBkfCF1okmoQbi1QRl2orqIcR6xlb8HPTQANE1+tNvGeG5xW
Ihw06ZPXNIX3jyW7m2SjKAEP71SY/UGdKOTxSq51nX7gklHkq9DvOo91O5dk5Hbv
t+bZSCcYIQ8pVDXVRUfa3gLxXFJKRl4rhaAIpy0EzWdJM7R4GqAQo8pVafi6qnnw
MyYFdxkKIKQeUsREm39aSh6JyImZhj3mZat0tdu/9i5F9M0CAwEAAaOBkDCBjTAd
BgNVHQ4EFgQUz4TqDsE49EKn50Gh5HdzCPhaRYkwUQYDVR0jBEowSIAUz4TqDsE4
9EKn50Gh5HdzCPhaRYmhGqQYMBYxFDASBgNVBAMMC01PQklMSVNULUNBghQsE8H+
SOW5BOqpbuQ6jUXav8JaWjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq
hkiG9w0BAQsFAAOCAQEAOOjyKU8wr1OiQ7Z5eZZ8F+3CkBS4ZUYEg3G5V9vDO9/4
QhRyqdu2ATjy5qDN3Q/zUT3G4g/ZizvisZGHNg27qFsq6RB+mMI9scch2U58b++t
UrgN8HKM8bcMyTkcpKMnnhpU3mC5ZEO31slAg/t65i6EccbEOY9f/e6HpAZw4fcU
ldEcQ2CnRa6edbo5rD7KE7glciIVetVmHklWxIKvDW3IIzePCvb4DudHKZUF9CpG
KRiQTmEf3ayC1w2y4cq4bxzoF+HcM2W1Mhsx3pRyzyBfWcITYBXaerTa6tdL49Z4
OtC/Z1Fqj+KNRUbw0nN6zRuH+cfvKL8cddfbcbSXqg==
—–END CERTIFICATE—– reneg-sec 0
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
23:97:df:a2:94:2c:17:2c:2c:99:6e:e1:c6:4f:ce
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=MOBILIST-CA
Validity
Not Before: Mar 15 01:32:33 2021 GMT
Not After : Jun 18 01:32:33 2023 GMT
Subject: CN=the1462.MobilistSERVER
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bits)
Modulus:
00:da:mm:6b:c4:26:f7:f1:30:df:eb:f3:78:31:37:
c3:92:ce:f2:e4:ab:64:bb:0e:06:19:36:84:04:ec:
92:3f:2b:2e:e9:a0:14:0e:7b:ce:90:f0:5a:6e:dc:
b4:f1:f7:dc:f3:88:3b:b9:eb:0a:84:ed:13:d0:40:
84:22:d6:a3:15:69:c7:8f:ab:f9:25:10:77:d8:84:
4b:7d:7b:45:28:4e:53:43:b8:e3:73:dd:df:ff:92:
5a:7d:50:61:43:2f:49:bc:02:c0:9c:f7:31:7c:4f:
90:cd:f8:84:ae:ab:32:77:ca:e8:c2:46:03:ca:88:
13:c4:f4:8a:c1:a3:39:9a:d1:e8:c0:be:01:f7:f7:
aa:fa:37:2a:54:c1:16:33:a0:de:d0:ae:b2:f7:7f:
a9:27:d5:03:7f:80:8d:1f:62:72:cb:b1:55:f5:0e:
82:48:cb:a4:22:e5:d3:d4:30:c1:8c:98:a8:8e:7c:
29:90:94:56:ce:bc:9a:e6:ee:54:e2:98:09:9a:14:
e7:78:1d:d4:32:7b:ae:ce:66:86:e1:e4:f6:d4:ba:
2e:be:43:e6:d7:ba:54:d1:85:c9:ba:55:87:c8:a8:
9c:65:ee:3e:e7:8b:7a:e0:82:6a:06:81:f1:0b:eb:
4b:5f:93:98:2d:56:58:cc:b1:11:71:61:0e:c8:e2:
53:95
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
F3:31:0F:3A:42:EE:FA:6F:7B:1A:F8:33:40:D8:CC:8F:94:E0:96:D0
X509v3 Authority Key Identifier:
keyid:CF:84:EA:0E:C1:38:F4:42:A7:E7:41:A1:E4:77:73:08:F8:5A:45:89
DirName:/CN=MOBILIST-CA
serial:2C:13:C1:FE:48:E5:B9:04:EA:A9:6E:E4:3A:8D:45:DA:BF:C2:5A:5AX509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
6a:0a:aa:3a:15:24:3d:31:26:2b:42:01:d7:8f:f6:c5:58:1a:
e2:7b:ea:27:03:7c:d4:c9:4c:35:49:0f:e9:f7:2c:0a:5c:3c:
76:92:c7:a0:e3:67:d9:03:33:ef:50:0b:10:23:89:6f:64:75:
21:mm:4f:2m:08:f6:89:f8:fb:f7:24:71:eb:80:54:mm:06:96:
73:ea:52:53:a3:a9:94:20:cf:2f:08:c3:c9:9e:3e:9b:bd:b5:
79:d4:e8:1f:5c:91:5e:c5:2a:3b:c8:60:10:db:07:d5:be:f4:
67:ea:2a:86:7b:30:e5:66:74:55:fa:f3:7e:c6:71:e4:a5:a5:
c9:40:6c:c3:34:e6:08:48:e8:a2:97:65:02:a7:0f:87:90:53:
81:68:11:57:8b:fe:ac:19:3e:93:6f:e7:7c:96:71:d4:ef:33:
a0:9d:6d:e9:9c:29:b1:9e:dc:a4:c1:84:56:3f:f7:93:49:9c:
eb:63:71:28:6d:9c:f3:7b:d8:c1:20:61:f3:23:07:88:16:eb:
00:ad:95:09:f3:7b:d0:0d:f9:23:44:bd:5a:56:56:df:e3:14:
84:23:55:2d:b8:eb:d7:78:05:2d:60:fb:cc:95:88:75:7d:49:
fc:98:ae:1a:53:bd:59:61:08:50:f4:f2:29:03:5f:71:e4:48:
a8:dc:73:aa
—–BEGIN CERTIFICATE—–
MIIDYzCCAkugAwIBAgIPI5ffopQsFywsmW7hxk/OMA0GCSqGSIb3DQEBCwUAMBYx
FDASBgNVBAMMC01PQklMSVNULUNBMB4XDTIxMDMxNTAxMzIzM1oXDTIzMDYxODAx
MzIzM1owITEfMB0GA1UEAwwWdGhlMTQ2Mi5Nb2JpbGlzdFNFUlZFUjCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANrda8Qm9/Ew3+vzeDE3w5LO8uSrZLsO
Bhk2hATskj8rLumgFA57zpDwWm7ctPH33POIO7nrCoTtE9BAhCLWoxVpx4+r+SUQ
d9iES317RShOU0O443Pd3/+SWn1QYUMvSbwCwJz3MXxPkM34hK6rMnfK6MJGA8qI
E8T0isGjOZrR6MC+Aff3qvo3KlTBFjOg3tCusvd/qSfVA3+AjR9icsuxVfUOgkjL
pCLl09QwwYyYqI58KZCUVs68mubuVOKYCZoU53gd1DJ7rs5mhuHk9tS6Lr5D5te6
VNGFybpVh8ionGXuPueLeuCCagaB8QvrS1+TmC1WWMyxEXFhDsjiU5UCAwEAAaOB
ojCBnzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTzMQ86Qu76b3sa+DNA2MyPlOCW0DBR
BgNVHSMESjBIgBTPhOoOwTj0QqfnQaHkd3MI+FpFiaEapBgwFjEUMBIGA1UEAwwL
TU9CSUxJU1QtQ0GCFCwTwf5I5bkE6qlu5DqNRdq/wlpaMBMGA1UdJQQMMAoGCCsG
AQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAagqqOhUkPTEm
K0IB14/2xVga4nvqJwN81MlMNUkP6fcsClw8dpLHoONn2QMz71ALECOJb2R1Id1P
LQj2ifj79yRx64BU3QaWc+pSU6OplCDPLwjDyZ4+m721edToH1yRXsUqO8hgENsH
1b70Z+oqhnsw5WZ0VfrzfsZx5KWlyUBswzTmCEjoopdlAqcPh5BTgWgRV4v+rBk+
k2/nfJZx1O8zoJ1t6ZwpsZ7cpMGEVj/3k0mc62NxKG2c83vYwSBh8yMHiBbrAK2V
CfN70A35I0S9WlZW3+MUhCNVLbjr13gFLWD7zJWIdX1J/JiuGlO9WWEIUPTyKQNf
ceRIqNxzqg==
—–END CERTIFICATE—–
</cert><key>
—–BEGIN PRIVATE KEY—–
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDa3WvEJvfxMN/r
83gxN8OSzvLkq2S7DgYZNoQE7JI/Ky7poBQOe86Q8Fpu3LTx99zziDu56wqE7RPQ
QIQi1qMVacePq/klEHfYhEt9e0UoTlNDuONz3d//klp9UGFDL0m8AsCc9zF8T5DN
+ISuqzJ3yujCRgPKiBPE9IrBozma0ejAvgH396r6NypUwRYzoN7QrrL3f6kn1QN/
gI0fYnLLsVX1DoJIy6Qi5dPUMMGMmKiOfCmQlFbOvJrm7lTimAmaFOd4HdQye67O
Zobh5PbUui6+Q+bXulTRhcm6VYfIqJxl7j7ni3rggmoGgfEL60tfk5gtVljMsRFx
YQ7I4lOVAgMBAAECggEAa6krz8uTf7OZEsorP5q8u8TNOqsM2+7kFRb6DioJLsWh
SA8UjqNcU3PIKGytHbHdoHZNWwFBpW2xp2l1FmYaxvfH0Oa5of/d1EYPlGRE+rS8
xL14NZDZFTD7DlWx4oiqbq+z7AK09v90rb0oF3vjUYYgxSAH0WLqxqG8d9BBD+R0
p/ySaOA/1cpw9fVlXjFBQu3zA1h1yF5oMDNZswOlvc4/cT3qKQOt8XQ9d/swo6Nm
e/l4DpOPWGD5HqfYeiEqpa4kB7sHvZMfoKTPOnrrsdaoyu+H7kjZmXIbkSPkBXXM
yYqo+xUKbPnZ5pHAqPV4cpasRv+sz+2io6FMjSj7AQKBgQD6fsFjO+KY/XnIEiX1
hIuLZVUm02I8600qUKJnINm3WNj2J+j1/81xbDcK773O+4ZQGceYc+URPwAEPEHd
GISHKJhQz5ItpClx7tuQ9eqbeYd6Pd/kAZuoU0EkVIR6LJgqMVxby2m7G7HnjTf2
qYM2La2uJFVehKf/hjR2iYzsIQKBgQDfrLgaPI+8epn6Jrr9+Cqw+l9UMd9xWAVL
fvrIw8a+tXAhrO1tGgQA1eOh3myvZUj2W8Vq0gr5bJp6boFnNXjov2WcF0wchZA/
Ob+YHPjtFROmp97Vq3iEvRFCmj87f136v0E8HS4Lqw1IW9CheNSsAj5af1L+QUg2
Ov88ELlY9QKBgQCUCJis1lUhaJqxm9gG8h+tb2MVINLrgXsGyMRRAd7oNX9yaT+J
MXTt1K/qrKeVTJuhdrq347W5rWuLFTkvOjAH1/u7tg+DHYLIrAnh7xKIcxeXLD3F
9xVQMnNKzw/DS9tZA/a64MlJJCLM3m32PVMnj3MWeK5ivy6xGVSjwMIhQQKBgQC1
tYImxlZa3xrh7r7wfcBo4C27n3yPfttmVrTzjqCR46JBqVOE06K27wwrPx/6aYUZ
pro9qn+B2+mvVsDHkNg19O9eHEsXzKW/x3FP6RGMwReixzOvT8rrwxEXk2mVM0as
4tzjMi1rCz4SL4zQ8PGM/5GaQV+x8GTysYESUd/RVQKBgCYgAcvGrrmT9MOKkGf3
X5qkmfzqoIW97iovn/3Cx6ictmnpmwqwQxcp6İjeqarhsfytrJ3q7u1ftıhko4
66LiYr9tHH2vX8hRv+y9IasVV0NPvn3UxfI3jW6TYN++QlDWbqZ89YaPaUZrqlT7
YxVsFyqu2nZ4QZr1CT9aB+/H
—–END PRIVATE KEY—–
</key>