AWS Client VPN Setup Guide
This guide will help you set up AWS Client VPN to securely access your private resources (RDS, ElastiCache, MQ, EFS) from your local machine.
Overview
The VPN setup includes:
- AWS Client VPN Endpoint with certificate-based authentication
- Security group rules allowing VPN clients to access private resources
- Network associations with private subnets
- Authorization rules for VPC access
- CloudWatch logging for connection monitoring
Prerequisites
1. SSL/TLS Certificates
You need two certificates for the VPN setup:
Server Certificate
- Used by the AWS Client VPN endpoint
- Must be imported into AWS Certificate Manager (ACM)
- Can be a self-signed certificate for internal use
Client Root CA Certificate
- Used to authenticate VPN clients
- Must be imported into AWS Certificate Manager (ACM)
- All client certificates must be signed by this CA
2. Certificate Creation Process
Option A: Using Easy-RSA (Recommended for testing)
# Install Easy-RSA
git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3
# Initialize PKI
./easyrsa init-pki
# Build CA
./easyrsa build-ca nopass
# Generate server certificate
./easyrsa build-server-full server nopass
# Generate client certificate
./easyrsa build-client-full client1.domain.tld nopass
# Upload to ACM (the region must match the one the VPN endpoint will be deployed in)
aws acm import-certificate --certificate fileb://pki/issued/server.crt --private-key fileb://pki/private/server.key --certificate-chain fileb://pki/ca.crt --region us-east-2
aws acm import-certificate --certificate fileb://pki/ca.crt --private-key fileb://pki/private/ca.key --region us-east-2
Option B: Using OpenSSL
# Generate CA private key
openssl genrsa -out ca.key 2048
# Generate CA certificate
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
# Generate server private key
openssl genrsa -out server.key 2048
# Generate server certificate signing request
openssl req -new -key server.key -out server.csr
# Sign server certificate with CA
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
# Generate client private key
openssl genrsa -out client.key 2048
# Generate client certificate signing request
openssl req -new -key client.key -out client.csr
# Sign client certificate with CA
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
Configuration Steps
1. Update Certificate ARNs
Edit infra/vpc/client-vpn.ts and replace the placeholder certificate ARNs:
serverCertificateArn: "arn:aws:acm:us-east-2:123456789012:certificate/YOUR_SERVER_CERT_ID",
rootCertificateChainArn: "arn:aws:acm:us-east-2:123456789012:certificate/YOUR_CLIENT_CERT_ID",
2. Deploy the Infrastructure
cd infra
pulumi up
3. Download VPN Configuration
After deployment, download the client configuration:
aws ec2 export-client-vpn-client-configuration --client-vpn-endpoint-id cvpn-endpoint-xxxxx --output text > client-config.ovpn
4. Add Client Certificate to Configuration
Edit the downloaded client-config.ovpn file and add your client certificate and key:
# Add at the end of the file
<cert>
-----BEGIN CERTIFICATE-----
[Your client certificate content]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[Your client private key content]
-----END PRIVATE KEY-----
</key>
Accessing Private Resources
Once connected to the VPN, you can access your private resources using their internal endpoints:
RDS (PostgreSQL)
# Connect to main database
psql -h your-rds-endpoint.region.rds.amazonaws.com -p 5432 -U username -d database_name
# Connect via RDS Proxy
psql -h your-rds-proxy-endpoint.proxy-xxxxx.region.rds.amazonaws.com -p 5432 -U username -d database_name
ElastiCache (Redis)
# Connect to Redis
redis-cli -h your-redis-endpoint.xxxxx.cache.amazonaws.com -p 6379 -a your_auth_token
Amazon MQ (RabbitMQ)
# Access RabbitMQ Management UI
# Use the console URL from the MQ broker output
# Connect programmatically using the broker endpoint
EFS (Elastic File System)
# Mount EFS (on an EC2 instance with amazon-efs-utils installed, which provides the efs mount type)
sudo mount -t efs fs-xxxxx.efs.region.amazonaws.com:/ /mnt/efs
Network Configuration
VPN Client CIDR: 172.16.0.0/16
- This is the IP range assigned to VPN clients
- Separate from your VPC CIDR to avoid conflicts
VPC CIDR: 10.0.0.0/16
- Your existing VPC network range
- VPN clients can access resources in this range
Split Tunneling
- Enabled by default
- Only VPC traffic routes through the VPN
- Internet traffic uses your local connection
Security Groups
The setup automatically configures security group rules to allow VPN clients access to:
- RDS (PostgreSQL): Port 5432
- ElastiCache (Redis): Port 6379
- Amazon MQ (RabbitMQ): Port 5671
- EFS: Port 2049
Monitoring and Logging
CloudWatch Logs
- Connection logs are stored in the log group /aws/clientvpn/{stack}-{region} (retention: 30 days)
- Monitor connection attempts, successes, and failures
Metrics to Monitor
- Active connections
- Connection attempts
- Authentication failures
- Data transfer
Troubleshooting
Common Issues
- Certificate Import Errors
  - Ensure certificates are in PEM format
  - Check that client certificates are signed by the root CA
  - Verify certificate validity dates
- Connection Timeouts
  - Check security group rules
  - Verify route table configurations
  - Ensure VPN endpoint is in available state
- Authentication Failures
  - Verify client certificate is correctly embedded in .ovpn file
  - Check that root CA certificate matches the one used to sign client certs
  - Ensure certificates haven't expired
- Cannot Access Resources
  - Verify security group rules allow VPN client access
  - Check that resources are in the correct subnets
  - Confirm route propagation is working
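A pre-flight script for the certificate-related issues above, added here as an example (it is not part of the original guide or the infra project). It assumes openssl is on PATH and takes the root CA certificate, client certificate and client key paths as arguments; make_demo_pki builds constructed throwaway test data so the checks can be exercised without touching real keys.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a Client VPN client certificate before it is embedded
# in client-config.ovpn. Catches the failure modes listed above: wrong format,
# wrong signing CA, expired certificate, plus a cert/key mismatch.
# Exit status 0 = all checks passed, 1 = at least one check failed.
# Usage: vpn_cert_check CA_CERT CLIENT_CERT CLIENT_KEY
vpn_cert_check() {
  local ca="$1" cert="$2" key="$3" ok=0 cpub kpub
  # 1. PEM encoding: ACM import and the <cert> block both require PEM
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null \
    || { echo "FAIL: $cert is not a PEM certificate"; ok=1; }
  # 2. Chain: the client cert must be signed by the root CA imported into ACM
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert is not signed by $ca"; ok=1; }
  # 3. Validity: reject certs that are expired or expire within 7 days
  openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null 2>&1 \
    || { echo "FAIL: $cert is expired or expires within 7 days"; ok=1; }
  # 4. Key match: the public key in the cert must equal the one derived from the key
  cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  { [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]; } \
    || { echo "FAIL: $key does not match $cert"; ok=1; }
  return "$ok"
}

# Builds a throwaway demo PKI under directory $1 (constructed test data, not a
# real CA): good-ca signs client1; other-ca signs stranger, which must fail.
make_demo_pki() {
  local d="$1" pair c ca
  mkdir -p "$d"
  for ca in good-ca other-ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$ca" \
      -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null
  done
  for pair in client1:good-ca stranger:other-ca; do
    c="${pair%%:*}" ca="${pair##*:}"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$c" \
      -keyout "$d/$c.key" -out "$d/$c.csr" 2>/dev/null
    openssl x509 -req -days 30 -sha256 -in "$d/$c.csr" -CA "$d/$ca.crt" \
      -CAkey "$d/$ca.key" -CAcreateserial -out "$d/$c.crt" 2>/dev/null
  done
}
```

Run `make_demo_pki /tmp/vpnpki && vpn_cert_check /tmp/vpnpki/good-ca.crt /tmp/vpnpki/client1.crt /tmp/vpnpki/client1.key` to see the checks pass, then point vpn_cert_check at the ca.crt, client certificate and key you generated earlier.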
Useful Commands
# Check VPN endpoint status
aws ec2 describe-client-vpn-endpoints --client-vpn-endpoint-ids cvpn-endpoint-xxxxx
# Check active connections
aws ec2 describe-client-vpn-connections --client-vpn-endpoint-id cvpn-endpoint-xxxxx
# Check authorization rules
aws ec2 describe-client-vpn-authorization-rules --client-vpn-endpoint-id cvpn-endpoint-xxxxx
# Check routes
aws ec2 describe-client-vpn-routes --client-vpn-endpoint-id cvpn-endpoint-xxxxx
Cost Considerations
- AWS Client VPN charges per endpoint per hour
- Additional charges for client connections per hour
- Data transfer charges apply
- Consider using only when needed and terminating when not in use
Security Best Practices
- Certificate Management
  - Use strong private keys (2048-bit RSA minimum)
  - Regularly rotate certificates
  - Implement certificate revocation if needed
- Access Control
  - Use least privilege principle in security groups
  - Monitor connection logs regularly
  - Implement session timeouts
- Network Segmentation
  - Keep VPN client CIDR separate from VPC CIDR
  - Consider using multiple authorization rules for different access levels
  - Implement split tunneling to reduce attack surface
Next Steps
- Generate and import certificates to ACM
- Update certificate ARNs in the configuration
- Deploy the infrastructure with pulumi up
- Download and configure the VPN client
- Test connections to your private resources
- Set up monitoring and alerting for VPN usage