How to Create an AWS Client VPN Endpoint using AWS SSO and Terraform

Loic LAVILLE
TrackIt
Jan 20, 2021
Virtual Private Network (VPN) — Richard Patterson CC BY 2.0

The aim of this article is to create a Client VPN Endpoint using AWS-SSO as the identity provider and a Terraform module to create the configuration.

Prerequisites:

  • An AWS account with administrator access.
  • The ability to run bash scripts.

By following the steps below, you will be able to connect remotely and securely to your AWS infrastructure as if it were your local network. You will be able to reach your EC2 instances without exposing them publicly, you can easily manage user access and enforce multi-factor authentication, and, with Terraform, you can review and change the infrastructure as your needs evolve.

AWS Single Sign-On

AWS Single Sign-On is a cloud-based single sign-on (SSO) service that makes it easy to centrally manage SSO access to all of your AWS accounts and cloud applications.


AWS Client VPN

AWS Client VPN is a managed, client-based VPN service that lets you securely access both your AWS and your on-premises network resources. With Client VPN, you can reach those resources from any location using an OpenVPN-based VPN client.

Authentication Process Overview

VPN Authentication Process — TrackIt

Step 1: Enable and Configure AWS-SSO

  1. Open the “AWS SSO” service in the AWS console.
  2. AWS SSO requires AWS Organizations to be enabled first.

What is AWS Organizations?

AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.

3. Create a group for VPN users.

4. Add a new SAML application.

5. Configure the application:

  • Download the metadata file; it is needed in the next section.
  • Configure the application metadata:

URL: http://127.0.0.1:35001

URN: urn:amazon:webservices:clientvpn

  • Add the attribute mappings.
  • Assigned users: add the VPN group created previously.
  • Go to the users section to add a new user.
  • Add the user to the VPN group.

Step 2: Add an Identity Provider to IAM

  1. From the IAM console, add a new identity provider (type SAML).

2. Upload the metadata file you downloaded from AWS SSO in Step 1.

3. Save the ARN of the new provider; you will need it in the next section.

Step 3: Terraform Configuration

Terraform is an open-source infrastructure as code software tool that enables you to safely and predictably create, change, and improve infrastructure.

You can download it here: https://www.terraform.io/

You will also need the AWS CLI so that Terraform and you can interact with your AWS environment:

https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html

Why use Terraform?

While the authentication configuration only needs to be performed once (afterwards, the only recurring task is adding new users), the VPN configuration may change over time as your needs evolve. For example, you might want to add a new authorization rule, route, or security group.

Terraform not only makes it easy to deploy and replicate a configuration in other environments (prod, dev, …) or regions, it also keeps track of what has been done, giving you a clear view of your whole infrastructure in a single place. Additionally, Terraform is, in TrackIt’s opinion, currently the fastest and most flexible tool that works with all major cloud providers.

For more information about our VPN module, see https://github.com/trackit/terraform-aws-client-vpn

  1. Create a Terraform configuration file.

Once you have installed Terraform and set up the AWS CLI, paste the following code into a Terraform file (for example main.tf) and adapt it to your environment. Note that HCL requires straight double quotes; the curly quotes that some editors insert will not parse.

module "client_vpn" {
  source            = "github.com/trackit/terraform-aws-client-vpn?ref=v0.2.0"
  region            = "us-east-1"
  subnet_id         = "subnet-12345678"   # subnet the VPN endpoint is associated with
  client_cidr_block = "10.250.0.0/16"     # address pool handed to VPN clients
  target_cidr_block = "10.0.0.0/16"       # network the clients are allowed to reach
  client_auth       = "federated-authentication"
  saml_provider_arn = "arn:12345678"      # replace with the IAM SAML provider ARN saved in Step 2
}

  • source: source of the VPN module. Check the ref value in the git repository if you want to use a newer version.
  • region: the AWS region in which the VPN endpoint is created.
  • subnet_id: the subnet ID to associate with the Client VPN endpoint.
  • client_cidr_block: the CIDR block from which VPN clients receive their addresses. It must not overlap with the VPC CIDR and must be at least a /22 range.
  • target_cidr_block: the CIDR block the clients are authorized to reach, for example the VPC’s CIDR block.
  • client_authentication_options (client_auth in the snippet above): the type of client authentication to use, in our case federated-authentication.
  • saml_provider_arn: the ARN of the IAM SAML identity provider you created in Step 2.

This is a basic configuration. For the additional variables the module accepts, see the git repository.
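As an added example (not part of the original article or of the TrackIt module), a small pre-apply check in Python for the module inputs above: it enforces the AWS rule that the client CIDR be between /22 and /12, the no-overlap rule between client and target CIDRs, and the expected shape of an IAM SAML provider ARN. The account ID and provider name in EXAMPLE_VARS are constructed placeholders.

```python
import ipaddress
import re

# Constructed example inputs mirroring the module block (placeholder account ID and names).
EXAMPLE_VARS = {
    "client_cidr_block": "10.250.0.0/16",
    "target_cidr_block": "10.0.0.0/16",
    "client_auth": "federated-authentication",
    "saml_provider_arn": "arn:aws:iam::123456789012:saml-provider/AWSSSO-ClientVPN",
}

# An IAM SAML provider ARN looks like arn:aws:iam::<12-digit account>:saml-provider/<name>
# (the partition may also be aws-us-gov or aws-cn).
_SAML_ARN = re.compile(r"^arn:aws(?:-us-gov|-cn)?:iam::\d{12}:saml-provider/[\w+=,.@-]+$")


def validate_client_vpn_vars(tfvars):
    """Return a list of problems found in the module inputs; an empty list means they pass."""
    problems = []
    try:
        client = ipaddress.ip_network(tfvars["client_cidr_block"], strict=True)
        target = ipaddress.ip_network(tfvars["target_cidr_block"], strict=True)
    except (KeyError, ValueError) as exc:
        return [f"invalid or missing CIDR: {exc}"]

    # AWS Client VPN requires an IPv4 client pool with a prefix between /12 and /22.
    if client.version != 4 or not 12 <= client.prefixlen <= 22:
        problems.append(f"client_cidr_block {client} must be an IPv4 range between /12 and /22")

    # Client addresses must not collide with the network the clients are routed into.
    if client.overlaps(target):
        problems.append(f"client_cidr_block {client} overlaps target_cidr_block {target}")

    # SAML via AWS SSO only works with federated authentication.
    if tfvars.get("client_auth") != "federated-authentication":
        problems.append("client_auth must be federated-authentication for SAML / AWS SSO")

    if not _SAML_ARN.match(tfvars.get("saml_provider_arn", "")):
        problems.append("saml_provider_arn is not an IAM saml-provider ARN")
    return problems


if __name__ == "__main__":
    for line in validate_client_vpn_vars(EXAMPLE_VARS) or ["inputs look consistent"]:
        print(line)
```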

2. Apply the configuration

Use the following Terraform commands (the binary name is lowercase):

  • terraform init: initializes the working directory and downloads the module and providers
  • terraform plan: validates the configuration and shows the changes that will be made
  • terraform apply: applies the configuration

For help with Terraform commands: https://learn.hashicorp.com/tutorials/terraform/aws-build?in=terraform/aws-get-started

3. You can then go to the AWS console, download the client configuration, and wait for the VPN’s State to become ‘Available’ (which usually takes around 15 minutes).

Step 4 (Optional): Using Console

  1. For this, you will need to generate a server certificate yourself and upload it to the AWS Certificate Manager console. This project shows how to generate one: https://github.com/OpenVPN/easy-rsa

The Terraform module does this for you automatically; you can see the details in the git repository: https://github.com/trackit/terraform-aws-client-vpn

2. From the AWS VPC Management Console, select ‘Client VPN Endpoints’.

3. Create a new VPN endpoint and select the SAML provider ARN created in Step 2.

4. Once the endpoint is created, associate it with a subnet.

5. Create an authorization rule so that clients can reach your network from the VPN.

6. Download the client configuration file.

Step 5: Connect Using AWS Client VPN

  1. Download the client here: https://aws.amazon.com/vpn/client-vpn-download/
  2. From the “File” menu, add a new profile.
  3. Select the “.ovpn” configuration file you downloaded previously.

Step 6 (Optional/Recommended): Configure Client MFA settings

  1. In the “AWS SSO” console, open the “Settings” section:
  • For stronger security, set Prompt MFA to “every time”, or at least to “context change”
  • Select one or more MFA types
  • Allow users who have not yet registered an MFA device to sign in by email and register one

About TrackIt

TrackIt is an Amazon Web Services Advanced Consulting Partner specializing in cloud management, consulting, and software development solutions based in Venice, CA.

TrackIt specializes in Modern Software Development, DevOps, Infrastructure-As-Code, Serverless, CI/CD, and Containerization with specialized expertise in Media & Entertainment workflows, High-Performance Computing environments, and data storage.

TrackIt’s forté is cutting-edge software design with deep expertise in containerization, serverless architectures, and innovative pipeline development. The TrackIt team can help you architect, design, build, and deploy customized solutions tailored to your exact requirements.

In addition to providing cloud management, consulting, and modern software development services, TrackIt also provides an open-source AWS cost management tool that allows users to optimize their costs and resources on AWS.
