In the dynamic landscape of remote work, the process of accessing business resources on the cloud has been undergoing a remarkable transformation. The rise of remote work has compelled organizations to rethink their operational strategies. In this era of digital-first workplaces, maintaining secure, reliable, and scalable access to enterprise resources is not just a necessity but a strategic advantage. This is where Amazon Web Services (AWS) Client VPN comes in.
The Need for a Versatile and Secure Connection
Traditional on-premises VPN solutions often face limitations of physical hardware, unable to adapt swiftly to the changing scales of demand.
Additionally, many are familiar with the slow internet speeds experienced when connecting to traditional VPN solutions like oVPN.
AWS Client VPN shatters these constraints, offering a cloud-based service that provides a secure way to connect to resources within a VPC.
Moreover, in an environment where security and compliance are paramount, AWS Client VPN stands tall. It supports a variety of authentication methods, including multi-factor authentication (MFA) and federated authentication, ensuring that only authorized personnel gain access to critical resources. This is crucial for businesses aiming to maintain a high-security posture in a remote work setting.
It’s the perfect VPN solution if your infrastructure is hosted on AWS. In the following sections, we’ll uncover the reasons to switch from traditional VPN solutions, explore the various authentication methods, and guide you through setting up AWS VPN for your remote workforce. The goal is to provide you with a comprehensive understanding of how AWS Client VPN can be a game-changer for your organization in the new normal of remote work.
Reasons Why You Should Switch to AWS VPN
1. Elasticity and Scalability
AWS VPN’s cloud-based elasticity allows scaling up or down as remote work demands fluctuate, ensuring uninterrupted service.
Up to 7,000 concurrent users can connect to a single Client VPN Endpoint in each subnet.
2. Simplified Management and Deployment
It reduces the complexity of VPN management. The admin can see the active users who are connected to the VPN and their details like IP address, time of connection, type of device, and much more.
3. Enhanced Security and Compliance
It offers robust security features, including Multi-factor Authentication (MFA) and federated authentication, essential for secure remote work environments.
4. Split Tunneling
This optimizes traffic routing by allowing only AWS-destined traffic through the VPN, enhancing performance, reducing costs, and enabling you to utilize your internet speed to its fullest when not connecting to any resource inside the VPC.
5. SSL Certificate-Based Authentication
This provides SSL certificate-based mutual authentication, meaning both the client and the server certificates are authenticated upon connection creation.
6. Support for IoT Devices
AWS VPN can also be used for establishing secure connections between IoT devices and Amazon VPC resources, vital for IoT-enabled organizations.
AWS VPN combines scalability, ease of management, security, seamless integration, diverse authentication methods, IoT support, split tunneling, and SSL authentication, making it an ideal solution for efficient remote workforce management.
Different Types of Authentication Methods in AWS VPN
AWS Client VPN offers a versatile range of authentication methods to cater to different security requirements and organizational policies. Understanding these methods is crucial for setting up a secure and efficient VPN solution for your remote workforce. Here’s an overview of the authentication methods available in AWS Client VPN:
1. Active Directory Authentication (User-based)
Active Directory authentication allows you to integrate AWS Client VPN with your existing Active Directory. This method enables users to authenticate using their existing Azure Active Directory credentials, streamlining the login process and maintaining consistent security policies across your organization.
2. Mutual Authentication (Certificate-based)
Mutual authentication involves both the client and the server verifying each other’s identities through certificates. This method is highly secure as it requires both parties to present a valid certificate for the connection to be established. To create a Client VPN endpoint, you must provision a server certificate in AWS Certificate Manager, regardless of the type of authentication you use. This requirement highlights the importance AWS places on secure, authenticated connections.
3. Single Sign-On (SAML-based Federated Authentication — User-based)
SAML-based federated authentication is ideal for organizations using single sign-on (SSO) solutions. This method allows users to authenticate using their SSO credentials, providing a seamless and secure user experience.
How to Set Up AWS VPN for Your Remote Workforce
Setting up AWS VPN for your remote workforce involves several key steps to ensure a secure and efficient remote access environment. Here’s a guide to help you through the process:
1. Prerequisites
Before setting up AWS Client VPN, ensure that you have the necessary permissions to work with Client VPN endpoints and to import certificates into AWS Certificate Manager. Additionally, prepare a VPC with at least one subnet and an internet gateway.
2. Generate Server and Client Certificates and Keys
Start by generating the necessary server and client certificates and keys. This step is crucial for mutual authentication, as both the client and the server verify each other’s identity through these certificates. Import the server certificate into AWS Certificate Manager and keep the client certificate ready for deployment. This is the official guide provided by AWS on how to generate the SSL certificates for both the client and the server. For Linux/macOS, these are the steps that I followed from the guide with some minor tweaks:
git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3
# Initialise the PKI directory first; build-ca fails without it
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full production.vpn.server nopass
./easyrsa build-client-full production.vpn.client1.domain.tld nopass
I added ‘production.vpn.’ at the start of each domain, differing from the original document, because managing various certificates in AWS can make it tricky to discern what the server or client1.domain.tld domain refers to.
Remember, always be explicit when naming anything and add as many tags as possible while creating any resource in the cloud, as it makes tracking easier, especially when deleting old and unused resources.
Once the certificates are created, you can import them to AWS either through the CLI or using the GUI.
3. Create a Client VPN Endpoint
Create the Client VPN endpoint in the AWS VPC console. This endpoint will serve as the termination point for all client VPN sessions. Specify the client IPv4 CIDR and select the ARN of the server certificate generated earlier.
- Client IPv4 CIDR — Select a CIDR that will be able to allocate IP addresses for your entire workforce with a generous amount of breathing room. For instance, if you expect 1000 users to connect to the VPN at the same time, you can assign this CIDR:
184.108.40.206/22, which would allocate 1024 IP addresses. To be on the safer side, you can use the CIDR:
220.127.116.11/21, which can allocate 2048 IP addresses.
Make sure that this CIDR range does not collide with the CIDR of the VPC that you are going to be connecting it to.
An IP address is 32 bits in size, for example, 18.104.22.168.
The number after the '/' in a CIDR is the prefix length: the number of leading bits that are fixed as the network part and cannot be used for allocating individual IP addresses. The remaining bits form the address pool.
Let’s say the CIDR is 22.214.171.124/24.
Then 32 - 24 = 8, i.e. 8 bits can be allocated from the IP address pool,
meaning 2 ^ 8 = 256.
Thus, 256 different IP addresses can be allocated with the CIDR 22.214.171.124/24.
- Server Certificate ARN — Select the certificate that you imported for the server.
- Check the Mutual Authentication option.
- Client Certificate ARN — Similarly, select the certificate that you imported for the client.
- DNS server addresses are not needed.
- The Transport Protocol can be left as UDP, as it is more performant.
- Make sure to check the Split Tunnel option (this is essential).
- Select the VPC that you want the endpoint to connect to.
- The Session Timeout can be set according to your requirements; my suggestion is to set it to the lowest value, which is 8 hours, for better security.
- You can set a Client Login Banner, such as “Successfully connected to the ‘production’ environment VPN.” This is not essential, but it’s an option.
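The Client IPv4 CIDR sizing above can be checked rather than eyeballed. The following is an added example, not code from the post or from AWS: it computes the block size a given number of users needs, reproduces the /22, /21 and /24 figures from the text, and validates a proposed client CIDR against the VPC CIDR. The /12 to /22 bounds are assumed from the AWS Client VPN documentation; the 10.x addresses are constructed sample values.

```python
import ipaddress

# Assumed AWS Client VPN limits for the client IPv4 CIDR: the block must be
# between /12 and /22 in size and must not overlap the VPC it is attached to.
CLIENT_CIDR_LARGEST = 12   # shortest prefix allowed (largest block)
CLIENT_CIDR_SMALLEST = 22  # longest prefix allowed (smallest block)


def addresses_in(cidr):
    """Addresses in a block: 2 ** (32 - prefix length). A /22 gives 1024."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def smallest_prefix_for(users):
    """Longest prefix (smallest block) that still holds `users` addresses."""
    prefix = 32
    while 2 ** (32 - prefix) < users:
        prefix -= 1
    return prefix


def check_client_cidr(client_cidr, vpc_cidr):
    """Return the problems with a proposed client CIDR (empty list means OK)."""
    problems = []
    iface = ipaddress.ip_interface(client_cidr)
    net = iface.network
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    if iface.ip != net.network_address:
        problems.append(f"{client_cidr} has host bits set; the block is really {net}")
    if net.prefixlen > CLIENT_CIDR_SMALLEST:
        problems.append(f"{client_cidr} is smaller than /22, the minimum block AWS accepts")
    if net.prefixlen < CLIENT_CIDR_LARGEST:
        problems.append(f"{client_cidr} is larger than /12, the maximum block AWS accepts")
    if net.overlaps(vpc):
        problems.append(f"{client_cidr} overlaps the VPC CIDR {vpc_cidr}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a VPC on 10.0.0.0/16 and 1000 expected users.
    for users in (1000, 2000):
        p = smallest_prefix_for(users)
        print(f"{users} users need at least a /{p} ({2 ** (32 - p)} addresses)")
    print(check_client_cidr("10.0.0.0/22", "10.0.0.0/16"))    # overlaps the VPC
    print(check_client_cidr("10.100.0.0/22", "10.0.0.0/16"))  # []
```

Doubling the block (a /21 for 1000 users) as the text suggests is a good rule of thumb; the check above also catches a CIDR entered with host bits set, which the console would silently normalise.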
4. Associate a Target Network
Once the Client VPN Endpoint is created, you need to associate a target network (a subnet in the VPC) with it so that clients can establish a VPN session. This step links your VPN to your internal network. The subnet does not have to be the primary subnet; it can be, but my recommendation is to select the least-used subnet in the VPC.
5. Add an Authorization Rule for the VPC
To allow client access to the VPC, add an authorization rule in the Client VPN endpoint’s route table. Specify the destination network as the CIDR of the VPC.
6. Download the Client VPN Endpoint Configuration File
Download and prepare the Client VPN endpoint configuration file.
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Client VPN Endpoints.
- Select the Client VPN endpoint for which to download the client configuration and choose Download Client Configuration.
This file includes the necessary details and certificate information for establishing a VPN connection. Once downloaded, a few changes are needed in the file to enable connection to the VPN endpoint. Add the following at the end of the downloaded configuration file:
<cert>
... contents of the .cert file for the client.domain.tld domain created earlier
</cert>
<key>
... contents of the .key file for the client.domain.tld domain created earlier
</key>
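Appending the client certificate and key by hand is easy to get wrong (duplicated blocks, the wrong file, a world-readable profile). The following is an added example, not the post’s or AWS’s code: it merges the downloaded profile with the PEM files in the inline format shown above and writes the result readable only by its owner, since the profile now carries a private key. The PEM strings and the remote hostname are constructed placeholders.

```python
import os
import stat


def inline_client_credentials(config_text, cert_pem, key_pem):
    """Append <cert>/<key> blocks to a downloaded Client VPN .ovpn profile."""
    if "<cert>" in config_text or "<key>" in config_text:
        raise ValueError("profile already carries inline credentials")
    if "-----BEGIN CERTIFICATE-----" not in cert_pem:
        raise ValueError("cert_pem does not look like a PEM certificate")
    if "PRIVATE KEY-----" not in key_pem:
        raise ValueError("key_pem does not look like a PEM private key")
    return (config_text.rstrip("\n") + "\n"
            + "<cert>\n" + cert_pem.strip() + "\n</cert>\n"
            + "<key>\n" + key_pem.strip() + "\n</key>\n")


def write_private_profile(path, text):
    """Write the merged profile with mode 0600 and return the resulting mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed stand-ins for the downloaded profile and the easy-rsa output.
SAMPLE_CONFIG = (
    "client\ndev tun\nproto udp\n"
    "remote cvpn-endpoint-PLACEHOLDER.example 443\n"
)
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    merged = inline_client_credentials(SAMPLE_CONFIG, SAMPLE_CERT, SAMPLE_KEY)
    print(merged)
    print(oct(write_private_profile("client-vpn-merged.ovpn", merged)))  # 0o600
```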
7. Security Groups
If you’re trying to access resources within the VPC, such as an EC2 instance, and existing security groups are attached to that instance, you’ll need to add another rule. This rule should allow the CIDR of the VPC (not the CIDR of the Client VPN Endpoint) in the security group, so that connections arriving via the Client VPN Endpoint are permitted.
8. Connect to the Client VPN Endpoint
Finally, test the VPN connection and distribute the configuration file to your end users. They can use this file to configure their VPN client application and connect to the Client VPN endpoint, either using an AWS-provided client or another OpenVPN-based client application.
This setup ensures a secure and efficient VPN solution, allowing your remote workforce to access necessary resources securely and reliably.
Since the Split Tunnel feature was enabled while creating the VPN Endpoint, users connected to the VPN keep their normal internet speeds while browsing the general internet: traffic only goes through the VPN when it is destined for something within the VPC.
In conclusion, we’ve explored the pivotal features and benefits of AWS VPN Client Endpoint, delving into its scalability, management ease, security enhancements, integration capabilities, authentication methods, IoT support, and advanced features like split tunneling and SSL certificate-based authentication. It’s my hope that this comprehensive guide has provided you with a deeper understanding of AWS VPN and its critical role in modern remote work environments.
Thank you for dedicating your time to read this blog post. Your engagement and interest are greatly appreciated. Writing this piece has been an enriching experience, and I’m hopeful it offers valuable insights applicable to your professional endeavors. Should you have any inquiries or wish to share feedback, I welcome your thoughts and encourage reaching out.
For further insights and updates, feel free to visit my website karanjagtiani.com, where you’ll find more resources and links to my social media profiles. Connecting with like-minded individuals and sharing knowledge is always a pleasure, so don’t hesitate to get in touch.
Once again, thank you for reading, and keep an eye out for more exciting content on the horizon!