AWS Client VPN - AWS Networking

More than ever, workers today need a way to connect from home or the office to their workspace. For those working with AWS, the ability to connect remotely to a VPC and manage resources is essential.

AWS Client VPN lets you connect from your home or on-premises network over an SSL/TLS connection. It is a managed service that removes much of the overhead of running a third-party remote-access VPN solution. In this video, I'll teach you everything you need to know about AWS Client VPN and show you how to set it up with an Amazon WorkSpaces desktop running Windows 10.

This video is an excerpt of the AWS Networking Masterclass from Digital Cloud Training. To access the full course, visit: https://digitalcloud.training/courses
Apply coupon code “youtube” for a 10% discount.

Code / Links:

--cert "D:\\Program Files\\OpenVPN\\easy-rsa\\pki\\issued\\client1.domain.tld.crt"

--key "D:\\Program Files\\OpenVPN\\easy-rsa\\pki\\private\\client1.domain.tld.key"
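An added example (not from the video or from Digital Cloud Training) showing what to do with the two lines above, plus the checks the lesson later does by hand: it assembles the config downloaded from the Client VPN console into a finished OpenVPN profile with correctly escaped Windows paths, verifies the profile still carries the directives mutual TLS depends on, checks the endpoint's client CIDR against the AWS size limits and the VPC range, and parses Windows "route print" output for the VPC route that leaves through the tunnel adapter. The sample profile, the endpoint hostname, the CIDRs and the route table are constructed for illustration; only the certificate and key paths come from the notes above.

```python
"""Added example (not code from the video or Digital Cloud Training): build the
OpenVPN profile for an AWS Client VPN endpoint using mutual (certificate)
authentication, then check the endpoint's client CIDR and the Windows route
table after connecting. The sample profile, hostname, CIDRs and 'route print'
output are constructed; only the cert/key paths are the lesson's."""
import ipaddress
import re

# Paths from the lesson's notes (D: because WorkSpaces restricts the C: drive).
CLIENT_CERT = r"D:\Program Files\OpenVPN\easy-rsa\pki\issued\client1.domain.tld.crt"
CLIENT_KEY = r"D:\Program Files\OpenVPN\easy-rsa\pki\private\client1.domain.tld.key"

# Constructed stand-in for the file downloaded from the Client VPN console; the
# real one carries the endpoint CA inline but no client certificate or key.
SAMPLE_DOWNLOADED_CONFIG = """client
dev tun
proto udp
remote cvpn-endpoint-0123456789abcdef0.prod.clientvpn.us-west-1.amazonaws.com 443
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
"""

def directives(config_text):
    """Option names (leading '--' dropped) plus inline tags such as '<ca>'."""
    names = set()
    for ln in config_text.splitlines():
        if ln.strip() and not ln.lstrip().startswith(("#", ";")):
            tok = ln.split()[0]
            names.add(tok[2:] if tok.startswith("--") else tok)
    return names

def openvpn_path_arg(path):
    """Quote a Windows path for a directive. OpenVPN treats backslash as an
    escape in config files, so each one is doubled (the lesson's lines are not a typo)."""
    return '"' + path.replace("\\", "\\\\") + '"'

def render_client_config(downloaded_config, cert_path, key_path):
    """Append cert/key lines for the EasyRSA client files, refusing to
    duplicate them if the profile already has them (as paths or inline)."""
    if directives(downloaded_config) & {"cert", "<cert>", "key", "<key>"}:
        raise ValueError("profile already carries a client certificate/key")
    return (downloaded_config.rstrip("\n") + "\n"
            + f"cert {openvpn_path_arg(cert_path)}\n"
            + f"key {openvpn_path_arg(key_path)}\n")

def profile_problems(config_text):
    """Static checks before handing the profile to the OpenVPN GUI."""
    d = directives(config_text)
    checks = [
        ("remote" in d, "no 'remote' line: nothing to connect to"),
        ("ca" in d or "<ca>" in d, "no CA: the endpoint certificate cannot be verified"),
        ("remote-cert-tls" in d, "no 'remote-cert-tls server': another certificate "
                                 "from the same CA could impersonate the endpoint"),
        ("cert" in d or "<cert>" in d, "no client certificate: mutual auth will fail"),
        ("key" in d or "<key>" in d, "no client private key: mutual auth will fail"),
    ]
    return [msg for ok, msg in checks if not ok]

def client_cidr_problems(client_cidr, vpc_cidr):
    """AWS limits for the client CIDR: between /12 and /22, not overlapping the VPC."""
    client, vpc = ipaddress.ip_network(client_cidr), ipaddress.ip_network(vpc_cidr)
    problems = []
    if client.prefixlen > 22:
        problems.append(f"{client} is smaller than /22")
    if client.prefixlen < 12:
        problems.append(f"{client} is larger than /12")
    if client.overlaps(vpc):
        problems.append(f"{client} overlaps the VPC CIDR {vpc}")
    return problems

# Constructed 'route print' excerpt from a connected client: VPC 10.0.0.0/16 is
# reached via tunnel peer 172.16.0.1 on the adapter that received 172.16.0.2
# from the endpoint's client CIDR 172.16.0.0/22.
SAMPLE_ROUTE_PRINT = """IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
         10.0.0.0      255.255.0.0       172.16.0.1       172.16.0.2    256
       172.16.0.0    255.255.252.0          On-link       172.16.0.2    256
"""
_IP = r"(\d+\.\d+\.\d+\.\d+)"
_ROUTE = re.compile(rf"^\s*{_IP}\s+{_IP}\s+(\S+)\s+{_IP}\s+\d+\s*$")

def find_vpc_route(route_print_output, vpc_cidr, client_cidr):
    """The lesson's 'route print' check, done mechanically: the gateway of the
    VPC route if it leaves via the VPN adapter (interface inside the client CIDR)."""
    vpc, client = ipaddress.ip_network(vpc_cidr), ipaddress.ip_network(client_cidr)
    for line in route_print_output.splitlines():
        m = _ROUTE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface = m.groups()
        route = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if route == vpc and ipaddress.ip_address(iface) in client:
            return gateway
    return None
```

Run it with python3 on the machine where the profile is being assembled. The /22 to /12 size bound and the no-overlap rule are AWS's published requirements for a Client VPN endpoint's client CIDR; the "remote-cert-tls server" check matters in this lesson's setup because the server and client certificates are issued by the same EasyRSA CA, so without it any client certificate would be accepted as the endpoint.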

At Digital Cloud Training, our mission is to help you succeed in your #cloud career.

👉 Check out our popular training options for #AmazonWebServices, including

🔸On-Demand Courses https://digitalcloud.training/aws-tra
🔸Hands-on Challenge Labs https://digitalcloud.training/hands-o
🔸Cloud Mastery Bootcamps https://digitalcloud.training/cloud-m

💡 Explore FREE #AWS Training Resources at https://digitalcloud.training/free-aw

👍 Like, comment, and SUBSCRIBE to our channel for more videos from #digitalcloudtraining. We appreciate your support!


Content

5.12 -> Hi guys, welcome to this lesson. This  lesson is about the AWS Client VPN.  
10.96 -> So, it is exactly what it sounds like. This is  a way that you can connect your client computer  
16.48 -> to the AWS data center, to a VPC via a VPN  connection, a virtual private network connection.
24.56 -> So, let's say you've got a computer  which is Windows or Mac or Linux.  
28.88 -> You're able to set up a  client connection from there  
32.72 -> into a VPC, and that means you're then able  to communicate with resources in that VPC.  
38.56 -> So, you might be able to connect to an EC2  instance directly using private IP addresses.
43.84 -> Now, of course, it's a virtual private network,  
46.4 -> so that does mean that it's encrypted as well,  end to end. So, let's look at how you set them up.
51.92 -> So, here we have a region. In that region,  we have a VPC with a couple of subnets.  
57.04 -> Now, we create a VPN endpoint, and the  VPN endpoint is associated with subnets.  
64.32 -> So, the client VPN network interfaces are created  in the subnet, and that is the method by which  
71.12 -> the VPN connection is then able to communicate  with resources in the subnets because there is  
77.04 -> an association between this network adapter that's  provisioned into the subnet and the VPN endpoint.
83.84 -> We then have the client computer, and that's  going to be running some VPN software. The  
89.76 -> VPN software is not AWS software, so you need  to choose one of the available options. There  
95.413 -> are lots of free options. In the hands-on in  the next lesson, we're going to use OpenVPN.
100.8 -> The client software will establish a connection  
104.16 -> with the VPN endpoint over SSL/TLS, so port  443, and that's going to be via the internet.  
110.72 -> The VPN endpoint will actually perform source  network address translation from the CIDR block  
117.92 -> that's associated with the VPN client to the  CIDR block that's associated with the VPC.
124.72 -> On the client side, if you look in your route  table, you can run a command on Windows which is  
129.84 -> "route print," and you would then see your route  table, and you'd be able to see that you have  
135.2 -> a destination for the CIDR block of the VPC and  a gateway which is pointing at the VPN endpoint.  
142.96 -> So, that's the theory behind how a client VPN  works. Again, this is an encrypted connection over  
149.2 -> the internet from your computer, so your computer  is then able to communicate using private IP  
156.56 -> addresses over to your instances in your subnets  within your VPC. So, that's how it all works.
163.92 -> We're going to set this up using a Windows  client on Amazon WorkSpaces and a VPN endpoint.  
171.12 -> This is what we're going to do now. On the left  here, you can see I'm using Amazon WorkSpaces  
176.88 -> in one region, and then I'm setting up  a VPN endpoint in a different region.  
182.08 -> Now, the reason I wanted to  do this and use WorkSpaces  
185.36 -> is just to provide some instructions that are  the same for everyone. So, it doesn't matter if  
190 -> you're on Mac, if you're on Linux, or if you're on  Windows, you can use WorkSpaces and follow along.
196.32 -> Now, the good news is if you are using  Windows, then you don't need to use  
200.16 -> WorkSpaces, which will save you a bit  of time. But by all means, follow along  
204.08 -> if you want to learn a bit about WorkSpaces.  But you'll basically need a Windows client,  
209.68 -> and then we're going to follow some instructions  to install OpenVPN client software on  
216.08 -> the Windows computer. And we're also  going to use the Windows computer  
220.4 -> to generate some certificates, and we're going to  use the certificates for mutual authentication.
226.72 -> So, there are a couple of options for  authentication with the client VPN. One  
231.44 -> of them is mutual authentication using  certificates. Another option is that you  
236.24 -> can integrate a directory service like AWS  Directory Service. That takes a bit longer,  
241.6 -> it's a bit more work to set up, and a  bit outside of the scope of this course.  
245.44 -> So, I just wanted to use WorkSpaces  and we're going to use certificates.
249.12 -> So, this is the configuration, and  what should happen is once we've  
253.04 -> connected our client to the VPN, we're going  to have an instance running in a subnet  
258 -> within our VPC. And we're going to just test  that we can ping that instance, which will show  
262.4 -> that we have that connectivity using  private IP addresses via our connection.
269.2 -> Now, when I'm running WorkSpaces in another  region, we're definitely using the internet  
274.16 -> to connect to our VPN endpoints. There's  nothing going over the AWS backbone here.  
279.28 -> This is using a public internet connection  from one region to another region. Now,  
284.56 -> as I mentioned, if you're running Windows on  your computer, you can quite easily set this  
288.56 -> up from your own computer, and that will  be via the internet, obviously, as well.
292.96 -> Now, also, you can download the configuration. So,  even if you want to use WorkSpaces to set up and  
299.12 -> generate the certificates that  we're going to use, you can then  
302.88 -> use the VPN configuration and install that  on whatever computer you're running on.  
308.48 -> So, that's what we're going to do. Let's head  over to the console and start building this out.
312.64 -> I'm in the AWS Management Console, and I'm  just going to type "WorkSpaces" at the top here  
318.4 -> and then choose "WorkSpaces." So, this is  Desktops in the Cloud, so it means that we can run  
323.44 -> a client operating system in  the cloud. Now, when you see  
327.44 -> the main screen here, you just click  "Get Started," and then you choose  
331.68 -> "Quick Setup." Don't choose "Advanced" because  that will try and configure some options for  
336.32 -> using directory services, which we're not going  to do. So, use the quick setup, click "Launch,"  
342.64 -> and then what you want to do is it automatically  goes to Linux, but we want to use Windows. So,  
347.6 -> we just select this option: "Free Tier Eligible  - Standard with Windows 10." What you then do  
354.4 -> is put in your name or whatever your username  you want it to be. Then, I'm going to put in my  
360.24 -> full name and then my email address. Once I've  done that, I simply click "Launch WorkSpaces."
367.44 -> Now, it does take a bit of time. So, what  I've done, I'm just going to cancel out  
371.52 -> of there and head over to US East (North  Virginia) where I've already set it up.  
376.64 -> Now, notice that some regions are greyed out.  That's because it's not available in all regions.  
381.84 -> So, you can choose a different region if you like.  But I'm going to go to US East (North Virginia),  
386.16 -> and you'll only be able to select some of the  available options here. So, it can take about  
391.2 -> 20 minutes or so to actually become available.  When it does, just click on this down arrow here,  
397.92 -> and you'll find the clients link. So, let's copy  this address, and what we're going to do is then  
402.88 -> go to another browser window and navigate to this  web page. So, this is the web page you'll see. You  
408.64 -> need to download the client software, and it's  available for various different versions of the  
414.2 -> operating system. I use macOS, so I just download  this option. If you're on Windows, just download  
419.44 -> this one here. Once you've downloaded it, install  the software, and then you'll be ready to go.
426 -> Now, you'll notice that there's a registration  code here. What you need to do is copy this  
431.6 -> registration code and then head to the client  software that you just downloaded and installed.  
437.76 -> Then, in the WorkSpaces software, just  click on "Change Registration Code,"  
442.64 -> enter your registration code, and click on  "Register." We're now ready to connect. My  
448.56 -> username is "Neil," and then for the password,  what you'll find is an email should have come  
453.6 -> to your inbox. In that email, there's a link  you have to click on. The link will take you  
459.44 -> to a page where you get to reset your own password  or set your own password. Once you've done that,  
464.96 -> come back and enter your password here, and  you should be able to connect to your desktop.
469.12 -> So, I'm ready, and I'm going to click on "Sign  In," and that should start my workspace and  
473.52 -> connect me to my Windows 10 desktop. That's  it. I'm logged on to my Windows 10 desktop.  
479.84 -> Now, what I want to do is show you an article, and  I'm going to link this article to the lesson. This  
485.44 -> is going to have some instructions that we can  follow for actually generating the certificates  
491.28 -> we're going to use. So, you'll see on here that  the instructions, by the way, if you just come to  
496.56 -> the top of the article, just scroll down to mutual  authentication, then you'll see Linux, macOS,  
502.16 -> or Windows. So, we're going to choose Windows, and  then we're going to download the OpenVPN software,  
509.52 -> install it, and then we run a series  of commands. And those commands are  
513.04 -> going to generate the certificates that we're  going to use for mutual authentication. So,  
518.64 -> what I'm going to do is just copy this link,  come back, and use Firefox to connect. So, I'm  
526.8 -> on the OpenVPN webpage, and I'm going to download  the 64-bit Windows installer, and that's an MSI.  
534.4 -> Let's just save that locally, and then let's  look at that download. Let's double-click and  
540.64 -> run the MSI installer. Now, we're going to click  on customize. We need to make a couple of changes.  
546.96 -> Firstly, what I want to do is change the path to install to D colon backslash. The reason is,
554.64 -> on WorkSpaces, we are restricted from the C drive, and we do need to go into this
560.48 -> file location to use some of the utilities  and find some of the files we generate. So,  
566.56 -> change that to "D:" slash, and then the same path.  Click on "OK," scroll down to the bottom here,  
573.6 -> and we want to install the OpenSSL  utilities. That installs this EasyRSA  
579.76 -> free certificate manager scripts. And then click  on "Install." So, that's installed successfully.  
585.76 -> And now, what I want to do is head back to  this article, and we're going to start using  
589.92 -> some of these commands. So, we're starting  here at number five. The first command here,  
594.8 -> I'm just going to copy that to my clipboard,  come back, let's open a command prompt.
602.64 -> Paste that in. That changes  us to the EasyRSA directory.  
607.36 -> Then we're going to start EasyRSA.  Then come back and from here,  
612.32 -> the commands actually pick up this hash, which we don't need. So, rather than using the copy
617.12 -> here, I'm just going to highlight it and copy  that across. And we just run each of these one  
623.44 -> after the other. Now, this one does ask for some  information. I'm just going to type "VPN server"  
628.56 -> here for the hostname. Hit Enter, and that's  finished. Let's come down to the next one.
637.28 -> Put this command in. And then, lastly, one  more command. We paste this in, and that should  
645.36 -> generate all of our certificates. Great,  so that all completed successfully.  
649.76 -> Now, what you'll notice now is there's a couple of  ways that we can then upload these certificates.  
654.16 -> So, we're going to upload them  to AWS Certificate Manager.  
658.8 -> And you can either do that manually,  which I'm going to show you how to do,  
662.48 -> or you can just follow this here and use the  AWS Command Line Interface. If you do that,  
668.08 -> just make sure you install the AWS Command Line  Interface, and then you need to run these commands  
675.04 -> to copy the files to a custom folder of your  choice. And then you can run a single command,  
681.12 -> which will actually then go and upload  those to AWS Certificate Manager for you.  
687.28 -> Now, I'm going to show you the manual way as well,  so that you can do it that way if you choose.
691.92 -> So, on the AWS Management Console,  I'm going to search for "certificate,"  
696.24 -> and that will bring up Certificate Manager. And I  need to change regions because I need to have the  
701.44 -> certificates installed in the same region where  my VPN endpoint will be. And I don't want my VPN  
707.36 -> endpoint to be in the same region as my WorkSpaces. So, I'm going to choose North California.
713.52 -> In Certificate Manager,  let's click on "Get started."  
716.72 -> Under "Provision certificates," we're going  to choose "Import a certificate" at the top.  
721.6 -> And now we need to supply this information.  So, we need the certificate body first.
727.2 -> Now, we're going to do this for the server and  the client certificate. So, back in Workspaces,  
732.72 -> I'm going to open up File Explorer. I'm going  to go into the D drive, Program Files, OpenVPN,  
741.52 -> EasyRSA, PKI. And then in PKI, there's a few files  that we need. Firstly, we go into "issued," and we  
751.36 -> find the server certificate. Here, what I'm going  to do is open with, and let's choose Notepad.  
757.68 -> And then we just copy all of this  information to our clipboard.  
761.92 -> Come back over, paste it into the certificate  body. We next need the private key. So now we  
768 -> go up a level, back to PKI, go to "private,"  and "server.key." Again, we're going to  
776.4 -> open this with Notepad. Again, highlight it all,  copy to your clipboard, come back, paste that in.  
784.24 -> And then the certificate chain, certificate chain  is back up again. CA, so just choose the CA here.  
793.12 -> And again, open, let's open this with Notepad.  Copy that to our clipboard and paste that in.  
801.2 -> We'll need that for the next one, so I'll leave  that file open as well. We can now just click on  
805.6 -> "Review and Import," and click on "Import." So,  that's great. We now have our server certificate.  
812.4 -> Let's head back over, and we can leave this  one open. I'm going to need that in a moment.  
818.72 -> And what we want to do is go back to "issued,"  
822.32 -> open the client certificate, copy that to  our clipboard. And then let's come back,  
827.84 -> and we're going to import a certificate.  Paste that in. Come back for the private key.  
834.4 -> We can close this file again. We go up a level,  go to "private," choose the client certificate,  
843.52 -> open with Notepad. We paste this one in. And then,  lastly, we come back, and we've already got this  
849.36 -> file open. So, we just copy this again and paste  this in. And that gives us our certificate chain. 
856.48 -> Click on "Next," "Review and import," and "Import." So, we now have our certificates. We've got our server
863.2 -> and our client certificate. And what I  want to do is just connect over to the  
867.44 -> VPC management console. And we're going  to scroll down to VPN, and you'll find  
873.84 -> client VPN endpoints. We're going to create an  endpoint. I'll just call this 'my client VPN.'  
881.84 -> We need to give it a CIDR block. So, this is the  CIDR block for the computers that connect in. So,  
888.32 -> the computer that you connect in, whether  it's your computer or your workspace's client,  
892.32 -> will get an IP in this range. I'm going to  use a range that I know we haven't used.  
897.68 -> Now, for the server certificate, I'm going  to select this top one that says 'server.'  
902.4 -> I'm going to select mutual authentication and  then select the client certificate here. I'm not  
909.28 -> going to select logging or enable the connection  handler. Now, we can also supply a DNS server here  
915.52 -> for DNS resolution. I'm going to supply one which  could be in the subnet that we're connecting to.  
921.68 -> We next choose the VPC in this region. We've only  got one. We can select the security group. There's  
928.4 -> just a default security group at this stage. And  you can also enable the self-service portal if you  
933.36 -> want to. I'm not going to enable that at this  stage. Now, I'm going to create the client VPN  
939.84 -> endpoint. Our VPN endpoint is set up. We can see that it's pending-associate. So, remember, we need
946.4 -> to associate it with a subnet. So, I'm going  to choose a VPC, choose a subnet to associate  
953.2 -> with. I'm going to choose US West 1a. Click on  associate and close. Another thing we need to do  
961.36 -> is we need to set up authorization. Now, this  is where you can set the destination networks  
967.28 -> that you want to allow your clients to connect to.  Now, I'm just going to open it up with the any IP  
974.08 -> address. You can also grant to specific users, so  you can actually do this in combination with AWS  
980.8 -> Directory Services if you use that instead of the  certificate-based authentication and allow access  
987.12 -> to users in a particular group. We'll just allow  it for everybody and just add that authorization  
992.8 -> rule. There's also a route table in here. You can  create your own, but it will create one for you,  
998.32 -> and that route table will allow access to the  subnet that we just connected to. You can see  
1004.4 -> that's in the state of creating, and it does take  a few minutes, so you might have to leave this for  
1010.08 -> five to ten minutes, and then everything should  be set up. Now, in the meantime, what we can do  
1015.76 -> is download the client configuration. So, just  click on download, and you'll get that file. We  
1022.32 -> then need to get the contents of that file over to  our WorkSpaces desktop. So, a couple of ways to do  
1028.16 -> that. You can find a way to actually upload  the file there if you like using, you know,  
1032.32 -> some kind of file sharing, or you can just open  it with a text editor, copy the contents, and  
1038.8 -> then create a file on the destination. I'm going  to do that, so I'll open my file with Notepad,  
1044.16 -> copy the contents, and then I'll show you where to  create the file on your Amazon WorkSpaces desktop. 
1050.48 -> Back on WorkSpaces, let's just  open up Notepad, and I'm pasting in  
1056.4 -> the information from the file which I downloaded.  So, this is the config. So what we need to do  
1062.32 -> now is just save this file somewhere. I'm  going to just put this onto the D drive.  
1068.72 -> In fact, no, I'll put it onto the desktop because  I'm not sure we have the rights to actually save  
1073.2 -> it there. I need to change to all files, and then  I'm just going to call this "client-config.dot."
1082.56 -> And let's save that file. Now, there are a couple  of lines that we need to add to this. It will  
1087.6 -> often not work in this particular state, so I'll  show you what those are. In the course download,  
1093.12 -> you'll find in the code directory, you'll find  "client-vpn" and then "openvpn-config," and  
1098.8 -> we've got these two lines here. And these will  actually provide the path to the certificate  
1105.68 -> and the certificate private key. So just copy  these two, and don't worry about the double  
1110.4 -> backslashes. That is required for the config  file. That's not a typo. And then back in here,  
1115.28 -> we can simply add a new line. We'll paste that  in, so we've got those two lines here, and then  
1123.84 -> save that file. Now, let's run the OpenVPN GUI,  and you might get this message here. That's okay.  
1131.52 -> Now, you'll find it in your system tray in  the bottom here, and if you right-click it,  
1137.12 -> you can then choose "import file." Let's go to our  desktop, and we've got our client config. So let's  
1145.12 -> import the file. That looks good. We've got this  all running. Now, the other thing we want to do is  
1152 -> just head over and launch an EC2 instance, which  is what we're going to ping to prove that we've  
1156.8 -> got the connectivity into our subnet. So, I'm in  the EC2 management console in North California. 
1163.92 -> I'm going to launch an instance.  Let's choose "launch instances."
1170.88 -> The usual options, the Linux 2  AMI, and the t2.micro. And then  
1177.28 -> there's only one VPC. Let's make sure we put it  in the right subnet because this is the subnet we  
1182.16 -> associated to the VPN endpoint. So, I'm using  US West 1a, so I'm going to choose that one.  
1188.88 -> Let's click on "Next," go through to security  group, and let's see if we've got a security  
1194.08 -> group. We don't have one in this region,  so I'm going to call this "web-access."  
1199.6 -> And then let's just add in an additional  rule because we want to be able to  
1204.48 -> ping this instance. So, I'm going to allow  ICMP from anywhere, and that will give us the  
1212.08 -> ability to ping this instance. And we've also got  SSH if we did want to connect in. So, that's it.  
1218.8 -> I'm going to launch. I do need to create a key  pair because I haven't used this region recently.  
1224.32 -> So, let's call this "ncal.kp," and I'm going to  download the key pair and launch the instance.  
1232.88 -> You'll want to go in and take note of the private  IP address for your instance. And then let's  
1238 -> head back and see if our VPN endpoint is ready.  Okay, things look good. It says it's available.  
1244.56 -> Let's check the association. That's associated.  The authorization is active. So, that all looks  
1251.2 -> good. Let's head back to WorkSpaces and see if  we can connect our VPN. Okay, so let's try and  
1257.68 -> connect now. So, in the system tray, I'm going  to right-click the OpenVPN, choose "Connect."  
1266.72 -> And it's running through. Looks good. And  there we are. We're now connected to the VPN,  
1274.16 -> so let's now try and connect to the EC2 instance  we launched. So, I'm going to try and ping the  
1280.96 -> EC2 instance, and that's not responding. So, let's  just go and check why that is. I'm pretty sure we  
1286.56 -> got it set up correctly. Let's check a few things.  So, we've got the route table that's definitely  
1292.08 -> set up and active. We have an authorization for  the destination CIDR. That definitely looks good.  
1299.44 -> The security group shouldn't apply.  The default security group will have an  
1302.88 -> outbound rule that allows all traffic.  And then we're associated with the 448D  
1310.48 -> network here, the subnet that ends in 448D. So,  we'll check that in a moment. But the first thing  
1315.44 -> I want to check is security groups because I  reckon that's most likely the problem here. So,  
1319.76 -> let's see. We've got web access. Let's have a  look. We've got echo reply. So actually, what  
1325.68 -> we want to do is we just want to go and add a rule  for all ICMPv4. So, if you've done the same as me,  
1333.6 -> then just go back in and edit your rule. And I  just need it for v4, so it should be "all ICMPv4."  
1342.08 -> So, with that applied, let's go back, and that should take instant effect. And sure enough,
1347.52 -> it does. So, that's great. We've now got an echo  response from our EC2 instance in a private subnet  
1355.44 -> using a private IP address. And remember, this  WorkSpaces desktop is running in North Virginia,  
1360.88 -> and we're accessing the EC2 instance over  a VPN connection using the public internet.  
1367.28 -> And the EC2 instance is running in California,  so that all looks great. Now, back in the console  
1374.24 -> here, if we just go back to Client VPN Endpoints,  another thing you'll be able to see is under  
1378.96 -> Connections, you can see your connections  here. I disconnected a couple of times, so  
1384.08 -> you can see I picked up a different IP address  once in the middle there. And you can monitor  
1390.16 -> your connections here. So, that's it, guys. I hope  you enjoyed that lab. Hope it all works for you.  
1395.28 -> So, we don't need this configuration anymore, so  I'm actually going to go and get rid of it. Now,  
1400.32 -> we do have to remove the association first and  then wait till that's disassociated. While that's  
1406.96 -> happening, let's go back to WorkSpaces, and I'm  going to remove my workspace so we don't end up  
1411.76 -> paying anything. So, in WorkSpaces, just select  your workspace and then choose "Remove Workspace,"  
1418.24 -> and that will remove that workspace for you. And  then back in the Client VPN, just wait until this  
1423.68 -> is disassociated, and then you should be able to  go in and choose "Delete Client VPN Endpoint."

Source: https://www.youtube.com/watch?v=St8y0xZSn3c