Tag: Mutual Authentication

Categories
AWS Development

How to setup AWS Client VPN using mutual authentication on Windows

Recently, my company is moving our web hosting to Amazon Web Services or more commonly known as AWS. For security purposes, it is always a good idea to only expose certain ports to the internal network only and not have it exposed to the entire internet. However, as a developer, I need those ports exposed so that I can upload files or easy access to the database through the database workbench software. This will require me to be authenticated to the internal network, so that I can get access to those ports.

To do this, I will need to setup Client VPN to the internal network using a method called mutual authentication. However, I have found that documentation on both AWS and other sites on the internet were outdated on EasyRSA and I had figure it out on my own. Below are the steps I took to do the setup:

Section 1: Generate server and client certificate keys

Step 1: As a prerequisite, OpenVPN needs to be installed with EasyRSA 3 Certificate Management Scripts selected. Go to OpenVPN community downloads: https://openvpn.net/community-downloads/
 
Step 2: Download the 64-bit MSI installer. Most computers nowadays should be running on a 64-bit processor, if you are sure that your processor is 32-bit, then download the 32-bit version.
 
Step 3: Run the MSI installer and you will arrive at the screen below. Choose Customize.
 
Step 4: By default, “OpenSSL Utilities” is not selected. Select “OpenSSL Utilities” and “EasyRSA 3 Certificate Management Scripts” and click “Install Now”.
 Step 5: After OpenVPN has been installed, run cmd.exe in Administrator mode. If you are not sure how to do that, the easiest way is to type cmd into the search bar and right click to see the option.
Step 6: Navigate to “\Programs Files\OpenVPN\easy-rsa” folder. Then run “EasyRSA-start.bat”. And you should see the EasyRSA Shell prompt.
EasyRSA Shell prompt

 Step 7: Run this command to initialize the environment and setup the folder structure for the client PKI.

./easyrsa init-pki

Step 8: Generate the Diffie–Hellman key. This key makes it possible to exchange cryptographic keys between the server and clients securely.

./easyrsa gen-dh
Step 9: Generate the Certificate Authority chain certificate.
./easyrsa build-ca nopass
Step 10: Generate the private and public keys of the server. In this tutorial, the server is named OVPN-SERVER, you may call the server another name.
./easyrsa build-server-full OVPN-SERVER nopass
Step 11: The command below will generate the client’s private key and it’s Certificate Signing Request (CSR). The client in this tutorial is called Client1. You may change this to be called something else to reflect the client.
./easyrsa gen-req Client1 nopass
Step 12: Now, sign the client CSR.
./easyrsa sign-req client Client1 nopass
 
Now all the required certificate files are generated. Check the files in the folders:
  • Client Key: C:\Program Files\OpenVPN\easy-rsa\pki\private\Client1.key
  • Server Key: C:\Program Files\OpenVPN\easy-rsa\pki\private\OVPN-SERVER.key
  • Client Cert: C:\Program Files\OpenVPN\easy-rsa\pki\issued\Client1.crt
  • Server Cert: C:\Program Files\OpenVPN\easy-rsa\pki\issued\OVPN-SERVER.crt
  • CA cert: C:\Program Files\OpenVPN\easy-rsa\pki\ca.crt

Section 2: Import Certificates into AWS Certificate Manager

Step 1: Goto https://console.aws.amazon.com/acm/home

Step 2: Choose “Import a certificate” to import the server certificate.

Step 3: On the Import a certificate page, copy/paste the content:

  • From the OVPN-SERVER.crt file to Certificate body.
  • From the OVPN-SERVER.key file to Certificate private key.
  • From the ca.crt file to Certificate chain.

Note: the crt and key files are text files, all you need to do is open them up in your favourite text editor and copy/paste the content.

Step 5: Choose “Import a certificate” again to import client certificate:

  • From the Client1.crt file to Certificate body.
  • From the Client1.key file to Certificate private key.
  • From the ca.crt file to Certificate chain.

Section 3: Create a new Client VPN endpoint

Step 1: Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

Step 2: In the navigation pane, choose “Client VPN Endpoints” and then choose “Create Client VPN Endpoint”. If you want, you can give the endpoint a name and description, but this is optional.

Step 3: For IPv4, specify an IP address range, in CIDR notation, from which to assign client IP addresses. For example, 10.0.0.0/22. I used 192.168.0.0/22 because the example IP address range clashed with my computer’s internal LAN IP address subnet.

Step 4: For Server certificate ARN, specify the ARN for the TLS certificate to be used by the server. If you have done section 2, correctly, both the server and client certificates you uploaded previously should be showing in the dropdown. Choose the server certificate.

Step 5: Specify “mutual authentication” as the method to be used to authenticate clients, and then for Client certificate ARN, specify the ARN of the client certificate that you uploaded previously in Section 2.

Step 6: Choose No for “Do you want to log the details on client connections?

Step 7: Leave the rest of the default settings, and choose “Create Client VPN Endpoint“.

Note: After you create the Client VPN endpoint, its state is “pending-associate”. You can immediately move on to Section 4 without waiting for anything else to happen.

Section 4: Enable VPN connectivity for clients

To enable clients to establish a VPN session, you must associate a target network with the Client VPN endpoint. A target network is a subnet in a VPC.

Step 1: Continuing from the previous section, after the VPC has been created, in the lower section of the screen, there should be an “Associations” tab. Click on it and then choose “Associate“.

Step 2: This should take you to a screen with 2 dropdowns. On the first dropdown labeled “VPC”, select the VPC that you have just created.

Step 3: For the “Choose a subnet to associate”, choose your preferred subnet to associate with the Client VPN endpoint.

Step 4: Choose “Associate”.

Note: It can take a few minutes for the association light to turn green, you can move on to the next section without waiting for this to happen.

Section 5: Authorize clients to access a network

To authorize clients to access the VPC in which the associated subnet is located, you must create an authorization rule. The authorization rule specifies which clients have access to the VPC. In this tutorial, you grant access to all users.

Step 1: Following the last section, now choose the “Authorization” tab, and then choose “Authorize Ingress“.

Step 2: For Destination network to enable, enter CIDR of the network that you entered in Section 3, Step 3.

Step 3: For Grant access to, choose Allow access to all users.

Step 4: Choose Add authorization rule.

Section 6: Download and setup the Client VPN endpoint configuration file

Step 1: Following section 5, on the VPC homepage you should see a Download Client Configuration button, choose it and download the file.

Step 2: Find the client certificate and key files that you generated in Section 1.

Step 3: Locate the configuration file that you downloaded in Step 1 and open it using your favourite text editor. Find the line just after the closing tag of the ca section “”.

Step 3:  Put the contents of the crt file between and the contents of the private key between . Paste the following into the configuration file:

Contents of client certificate (.crt) file



Contents of private key (.key) file

Step 4: Prepend a random string to the Client VPN endpoint DNS name. Locate the line that specifies the Client VPN endpoint DNS name, and prepend a random string to it so that the format is random_string.displayed_DNS_name. On the fourth line in the configuration file, you will find the endpoint dns name, for example:

remote cvpn-endpoint-0102bc4c2eEXAMPLE.prod.clientvpn.us-west-2.amazonaws.com 443

Change it to:

remote adwdertf.cvpn-endpoint-0102bc4c2eEXAMPLE.prod.clientvpn.us-west-2.amazonaws.com 443

Step 5: Save and close the configuration file.

Section 7: Setup and connect to VPN using OpenVPN Connect.

If you have installed OpenVPN correctly on your computer, you should have an app called OpenVPN GUI. If you are not sure where it is, user your Windows search bar to look for it.  Click on it to run it. You should now have the app running in the background in your taskbar.

Step 1: Run OpenVPN GUI. Find the icon in your Windows taskbar and right click on it.

Step 2: You should select “Import file…” and select the OpenVPN configuration file you saved in Section 6. The file should end with .ovpn extension.

Step 3: Once selected, the OpenVPN GUI app should start connecting to the VPN you created. Congrats!