How to Use AWS VPN to Lock Down Access to Your Servers

Illustration: Elaine333 / Shutterstock

If you want to run a server on a private subnet, you will need a VPN to connect to it. AWS Client VPN is a managed, OpenVPN-based service that handles this for you and lets you shut off public access to the instances it protects.

Client VPN vs Site-to-Site VPN

AWS offers two different types of VPN. The first, and simplest, is Client VPN. It is a fully managed, elastic VPN service based on OpenVPN. With any OpenVPN-compatible client, users can reach your AWS infrastructure from anywhere as if they were on the network itself.


This lets your employees connect directly to servers in private subnets, such as database servers you would rather not expose to the internet. You can also block SSH on public servers from everywhere except your VPC's own address space, so that only people connected to the VPN can administer them.

It works well enough for large business workloads, but if only a few people need to connect, it can be quite expensive. Client VPN has two costs: a fixed rate for each subnet the endpoint is associated with, and an hourly rate for each connected client. The flat rate is about $75 per month and the per-user rate is $0.05 per hour. With moderate usage by a few people you can easily pass $100 a month in Client VPN fees alone. And, of course, you still pay the standard data transfer charges for moving data within AWS and out to the internet.

Client VPN is really a managed OpenVPN server, and OpenVPN is open source. If you have a little time, you can run your own OpenVPN server on an EC2 instance for much less. It is fairly light, so if $75 a month seems like a lot, a t2.micro will probably handle it for a fraction of the cost of Client VPN, at the price of patching and operating the server yourself.

The second VPN that AWS offers is a site-to-site VPN. Rather than connecting multiple remote clients, the site-to-site VPN connects your AWS VPC directly to your local network through a secure tunnel.


This lets you move on-premises applications to the cloud and connect them directly to your existing network, behind the same corporate firewall you already have, without changing the way your users reach those applications. In effect, Site-to-Site VPN securely extends your local network into the cloud, so EC2 instances in the chosen VPC are reachable as if they were on your own network.

Site-to-Site VPN is elastic and supports redundant tunnels that fail over if the primary tunnel drops for any reason. The pricing is also a little different: the connection itself is about $36 per month, but you pay $0.09 per GB of data transferred out, on top of the standard AWS data charges.

Configuring a client VPN

Here we will show how to configure a Client VPN, as it is the most versatile option and the most useful for people without on-premises hardware.

Before you begin, you will need certificates for the server and for each client. You can generate them with ACM, but that requires setting up a private certificate authority, which costs $400 per month. If you do not want to pay that, you can generate them with OpenVPN's easy-rsa. Note that the `nopass` option below skips the passphrase on the CA key: whoever holds pki/private/ca.key can issue client certificates the endpoint will accept, so keep that directory off shared machines. Download easy-rsa and initialize a new certificate authority:

git clone
cd easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass

Now generate a client certificate, replacing “client1.domain.tld” with the name of the client:

./easyrsa build-client-full client1.domain.tld nopass

Now we need to upload the certificates to ACM so that Client VPN can use them. They are all in the pki folder, so cd over there:

cd pki

and import the server certificate with this rather awkward command, making sure your CLI region is the region in which you will create the Client VPN endpoint (ACM certificates are regional):

aws acm import-certificate \
--certificate file://issued/server.crt \
--private-key file://private/server.key \
--certificate-chain file://ca.crt

You can also use the “Import certificate” button in the ACM console and paste the contents of each file, but the CLI is quicker. Import the client certificate the same way:

aws acm import-certificate \
--certificate file://issued/client1.domain.tld.crt \
--private-key file://private/client1.domain.tld.key \
--certificate-chain file://ca.crt

Now you can configure the client VPN. In the VPC management console, click "Client VPN Endpoints" under the "Network (VPN)" section in the sidebar, and create a new endpoint.


First, you will need to give the VPN a client CIDR block that is not used by your VPC. You can find your VPC's block under the "Your VPCs" tab. The client block must be between /22 and /12 in size and must not overlap the VPC's CIDR or any network the clients will be routed to; for example, if you use the default VPC, pick a client range outside its block.

Next, paste the ARN of your server certificate (you can find it in the ACM console), check "Use mutual authentication" and paste the ARN of the client certificate. The endpoint trusts the CA chain uploaded with that certificate, so any client certificate issued by the same CA will be accepted. You can therefore hand one client certificate to multiple users, but then you cannot revoke a single person: issue one certificate per user and upload a certificate revocation list to the endpoint when someone leaves, or, if you want a better way to manage access, use Active Directory authentication with AWS Directory Service.


That is all the endpoint needs, so go ahead and click Create. Billing for the endpoint starts as soon as you associate it with a subnet in the next step.

You will need to associate this VPN with a particular VPC and subnet. In the "Associations" tab, click on "Associate", then select the VPC and the subnet you want to use.


If you use the defaults, you will have the default VPC with one subnet per Availability Zone. Select the subnet in the Availability Zone where your instances run.

Under "Authorization", add an authorization rule granting access to the subnet you associated the VPN with. It can be a more specific CIDR block or the whole subnet; without a rule, connected clients cannot reach anything. If you are using AD, you can also limit the rule to a particular group.

In the VPC console, select the endpoint and click "Download Client Configuration". This downloads a .ovpn file that you can use in any OpenVPN client to connect to the VPN. However, the file AWS provides only contains the CA certificate, so you will have to open it and paste the contents of issued/client1.domain.tld.crt into a <cert> block and private/client1.domain.tld.key into a <key> block. Your .ovpn file will then look like this:

client
dev tun
proto udp
remote cvpn-endpoint-xxxxxx.... 443
remote-random-hostname
resolv-retry infinite
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>

reneg-sec 0

You will also want to prepend a random string to the hostname in the "remote cvpn-endpoint-xxxxxx" line, so that each client resolves its own name for the endpoint instead of reusing a cached DNS answer, like this:

remote asdfa.cvpn-endpoint-xxxxxx.... 443
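As an added example (not code from the original article or from AWS), the script below automates the endpoint creation, subnet association, authorization rule and profile export with the AWS CLI, builds each user's .ovpn from the exported profile the way the listing above does by hand, and covers two points raised earlier: restricting SSH on public instances to VPN users, and revoking one user's certificate instead of sharing a single certificate. The client CIDR 10.8.0.0/22 and the subnet, security-group and endpoint IDs in the usage comments are hypothetical placeholders; the certificate ARNs are the ones returned by aws acm import-certificate.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article or from AWS. Automates the
# Client VPN steps above with the AWS CLI and builds a per-user .ovpn from the
# profile AWS exports. Hypothetical values: client CIDR 10.8.0.0/22 and the
# subnet/security-group/endpoint IDs in the usage comments; certificate ARNs come
# from "aws acm import-certificate".
set -euo pipefail

# Splice one user's certificate and key into the exported profile and prepend a
# random 12-hex-character label to the endpoint hostname, as the article does by
# hand. Usage: build_profile base.ovpn pki/issued/client1.domain.tld.crt pki/private/client1.domain.tld.key
build_profile() {
  local base="$1" crt="$2" key="$3"
  local prefix
  prefix=$(head -c 6 /dev/urandom | od -An -tx1 | tr -d ' \n')
  # "remote cvpn-endpoint-... 443" becomes "remote <prefix>.cvpn-endpoint-... 443"
  sed -E "s/^remote (cvpn-endpoint-)/remote ${prefix}.\1/" "$base"
  printf '<cert>\n'
  # easy-rsa puts a human-readable dump above the PEM in issued/*.crt; keep only the PEM
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$crt"
  printf '</cert>\n<key>\n'
  cat "$key"
  printf '</key>\n'
}

# One-time endpoint setup (needs AWS credentials; region must match the ACM imports).
# Usage: create_endpoint SERVER_ARN CLIENT_ARN subnet-0123456789abcdef0 172.31.0.0/16
create_endpoint() {
  local server_arn="$1" client_arn="$2" subnet_id="$3" vpc_cidr="$4" endpoint_id
  endpoint_id=$(aws ec2 create-client-vpn-endpoint \
    --client-cidr-block 10.8.0.0/22 \
    --server-certificate-arn "$server_arn" \
    --authentication-options "Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=$client_arn}" \
    --connection-log-options Enabled=false \
    --query ClientVpnEndpointId --output text)
  aws ec2 associate-client-vpn-target-network \
    --client-vpn-endpoint-id "$endpoint_id" --subnet-id "$subnet_id"
  aws ec2 authorize-client-vpn-ingress \
    --client-vpn-endpoint-id "$endpoint_id" --target-network-cidr "$vpc_cidr" --authorize-all-groups
  aws ec2 export-client-vpn-client-configuration \
    --client-vpn-endpoint-id "$endpoint_id" --output text > base.ovpn
  echo "$endpoint_id"
}

# Close SSH to the world on an instance security group and allow it only from the
# security group attached to the Client VPN association. Client VPN source-NATs
# client traffic to the endpoint's network interface in the associated subnet, so a
# source-group rule (not the 10.8.0.0/22 client range) is what actually matches.
# Usage: lock_down_ssh sg-instances sg-clientvpn   (placeholder IDs)
lock_down_ssh() {
  local instance_sg="$1" vpn_sg="$2"
  aws ec2 revoke-security-group-ingress --group-id "$instance_sg" \
    --protocol tcp --port 22 --cidr 0.0.0.0/0 || true   # fine if no such rule exists
  aws ec2 authorize-security-group-ingress --group-id "$instance_sg" \
    --protocol tcp --port 22 --source-group "$vpn_sg"
}

# Revoke one user's certificate and upload the CRL to the endpoint (run from easyrsa3/).
# Usage: revoke_client cvpn-endpoint-xxxxxx client1.domain.tld
revoke_client() {
  local endpoint_id="$1" client="$2"
  ./easyrsa revoke "$client"     # prompts for confirmation
  ./easyrsa gen-crl
  aws ec2 import-client-vpn-client-certificate-revocation-list \
    --client-vpn-endpoint-id "$endpoint_id" \
    --certificate-revocation-list file://pki/crl.pem
}

case "${1:-}" in
  build)    build_profile "$2" "$3" "$4" ;;
  create)   create_endpoint "$2" "$3" "$4" "$5" ;;
  lockdown) lock_down_ssh "$2" "$3" ;;
  revoke)   revoke_client "$2" "$3" ;;
  *)        ;;   # no arguments: only define the functions (e.g. when sourced)
esac
```

Only build_profile runs offline; the other three functions call the AWS CLI and need credentials in the region where the certificates were imported. Feeding build_profile the easy-rsa output directly is deliberate: issued/*.crt carries a text dump above the PEM block, which does not belong inside <cert>, and the random label is generated per profile so no two users share a cached DNS answer.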
