This Terraform configuration provides an example of how the AWS Client VPN service can be configured. It creates a Client VPN, an EC2 instance running Amazon Linux 2023 (named “Client VPN”) that is reachable via that Client VPN, and another EC2 instance running Amazon Linux 2023 (named “VPN Client”) that is connected to the Client VPN with OpenVPN software. It also allows downloading the Client VPN configuration file for use with the AWS Client VPN for Desktop software.
- Git
- Terraform
jqfor external data sources- AWS CLI version 2 for generating S3 presigned URLs
If an environment providing the prerequisites is not readily available, AWS CloudShell can be used for deployment. Terraform can be installed on Amazon Linux 2023 in CloudShell with the following command:
curl https://gist.githubusercontent.com/RhubarbSin/d3db401da906015ff2a88cca1a42b027/raw/ddf6ecbadbbf7304a97d7b5657216af99c8bff49/install-terraform-amazon-linux-2023.sh | bashAfter deployment, there are various ways to use the provisioned resources and to demonstrate the functioning of the Client VPN:
- Use SSH to connect to the public IP address of the VPN Client instance (the vpn_client_instance_public_ip output) and ping the private IP address of the Client VPN instance (the client_vpn_instance_private_ip output) over the VPN tunnel (acting as “User” in the diagram):
ssh -o StrictHostKeyChecking=no \ -i $(terraform output -raw ssh_private_key_file_name) \ ec2-user@$(terraform output -raw vpn_client_instance_public_ip) \ ping -c 3 $(terraform output -raw client_vpn_instance_private_ip) - Use the VPN Client instance as a jump proxy to connect to the Client VPN instance over the VPN tunnel (acting as “User” in the diagram):
ssh -o ProxyCommand="ssh -o StrictHostKeyChecking=no -i $(terraform output -raw ssh_private_key_file_name) -l ec2-user -W %h:%p $(terraform output -raw vpn_client_instance_public_ip)" \ -o StrictHostKeyChecking=no \ -i $(terraform output -raw ssh_private_key_file_name) \ ec2-user@$(terraform output -raw client_vpn_instance_private_ip)
Unfortunately the
ProxyJumpconfiguration directive cannot be used here because the-ioption on the command line does not get used for the connection to the jump host, soProxyCommandis used instead. - The ssh_private_key_file_url output can be used to download the private key to another system and log into ec2-user account on the VPN Client instance via SSH (acting as “User” in the diagram). The ec2-user account’s SSH client configuration on that instance allows easy SSH login to the Client VPN instance by private IP address without specifying the private key or remote user name.
- Download the AWS Client VPN for Desktop software, use the client_vpn_configuration_file_url output to download the Client VPN configuration file, and use the file to add a profile for connecting to the Client VPN for access (e.g. ICMP, SSH) to the private IP address of the Client VPN instance (acting as “Authenticated User” in the diagram).
By default, resources are provisioned in the us-east-2 region. The region used is specified by the value of the region input variable.
The default configuration enables split-tunnel mode on the Client VPN endpoint so that only traffic to specific AWS resources (those in “Client VPN VPC” in the diagram) traverses the VPN tunnel. This behavior can be configured with the split_tunnel_mode input variable. Disabling split-tunnel mode will cause traffic on the Client VPN tunnel that is destined for the Internet to pass through the Internet gateway labeled “Client VPN IGW” in the diagram. That Internet gateway is included even when split-tunnel mode is enabled because if split-tunnel mode is disabled, public IP addresses are allocated to the Client VPN elastic network interfaces, after which attempting to detach and delete the Internet gateway would fail even after re-enabling split-tunnel mode.
- The S3 presigned URLs displayed as output values expire after one day and are regenerated when the Terraform state is refreshed.
- This example uses some services and creates some resources that are not represented in the diagram. These include the following:
- AWS Private Certificate Authority (PCA) for creating the certificates used by the Client VPN endpoint and client VPN connections
- AWS Certificate Manager (ACM) for holding the certificate specified as the server certificate and client certificate for the Client VPN endpoint
- AWS Identity and Access Management (IAM) for the policy, role, and instance profile for the EC2 instances
- VPC Endpoints to enable access to S3 for operating system updates as well as use of AWS Systems Manager Session Manager
- The VPN Client EC2 instance exists only for demonstration and testing. Of course the AWS Client VPN service is intended for secure access to AWS resources from origins outside AWS.
- The VPN Client EC2 security group associated with network interface of the VPN Client instance (“VPN Client EC2 Instance” in the diagram) allows TCP traffic to port 22 from 0.0.0.0/0.
- The Client VPN EC2 security group associated with the network interface of the Client VPN instance (“Client VPN EC2 Instance” in the diagram) allows all traffic from the Client VPN CVPN security group that is associated with the Client VPN endpoint.
- The CIDR blocks used by the VPCs and the Client VPN endpoint are taken from a random selection within the 20-bit block specified in RFC 1918, avoiding the 172.17.0.0/16 and 172.31.0.0/16 ranges as advised by AWS documentation. For the sake of convenience, the 172.16.0.0/16 range is also avoided.
