Setting Up the Client VPN

The following steps take you through creating certificates on your on-premise Linux box, importing the certificates into AWS, and then creating the client VPN endpoint in AWS so that you can create a mount point from your on-premise Linux box. The steps have been adapted from the AWS documentation, which can be found here: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#mutual.

Creating Authentication Certificates

To create the certificate files:

  1. On the on-premise Linux box, open a terminal.

  2. Install Git so you can clone the OpenVPN easy-rsa repository. The command you use depends on the version of Linux you are using. Here is an example command for CentOS:

    sudo yum install git

  3. Run the following command to clone the OpenVPN easy-rsa git repository to your machine:

    git clone https://github.com/OpenVPN/easy-rsa.git

  4. Navigate to the easyrsa3 folder:

    cd easy-rsa/easyrsa3

  5. Initialize a new PKI environment:

    ./easyrsa init-pki

  6. Build a new certificate authority by running the following command and following the prompts:

    ./easyrsa build-ca nopass

  7. Generate a server certificate and key:

    ./easyrsa build-server-full server nopass

  8. Generate a client certificate and key:

    ./easyrsa build-client-full client1.domain.tld nopass

After you have completed the above steps, make sure the following five files were created (paths are relative to the easy-rsa/easyrsa3 folder):

  • pki/ca.crt

  • pki/issued/server.crt

  • pki/private/server.key

  • pki/issued/client1.domain.tld.crt

  • pki/private/client1.domain.tld.key

You need access to these files in the next section, Importing Authentication Certificates, to import them into AWS.

Importing Authentication Certificates

You may import the server and client certificates using either the AWS CLI or the AWS Certificate Manager (ACM) console.

To import the certificates using ACM, refer to the AWS documentation here: https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-api-cli.html.

To import the certificates using the AWS CLI, run the following commands from the easy-rsa/easyrsa3 folder (the fileb:// paths point at the files listed in the previous section):

aws acm import-certificate --certificate fileb://pki/issued/server.crt --private-key fileb://pki/private/server.key --certificate-chain fileb://pki/ca.crt
aws acm import-certificate --certificate fileb://pki/issued/client1.domain.tld.crt --private-key fileb://pki/private/client1.domain.tld.key --certificate-chain fileb://pki/ca.crt

Creating a Client VPN Endpoint

To create the Client VPN endpoint:

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation panel, select Client VPN Endpoints and then select Create Client VPN Endpoint.

  3. Give the endpoint a name.

  4. Select the Server certificate ARN for the server certificate that you imported.

  5. Select mutual authentication.

  6. Select the Client certificate ARN for the client certificate that you imported.

  7. Select UDP port 443 for the protocol and port.

  8. Associate the endpoint with the VPC and Subnet for the EFS instance.

  9. Add an authorization rule allowing access to all users for the associated VPC subnet CIDR. To do this, create an authorization rule on the client VPN endpoint and enter the VPC subnet's IPv4 CIDR as the rule's Destination CIDR.

  10. Ensure that UDP port 443 and NFS port 2049 inbound rules are present in the client VPN endpoint security group.

  11. Download the client configuration for the client VPN endpoint. It downloads an aws.ovpn file. You need this file to connect to the client VPN endpoint.

  12. Continue with Connecting to the Client VPN Endpoint.