If you want to run a server on a private subnet, you will need a VPN to connect to it. AWS VPN is a managed OpenVPN-based service that can handle this for you and lets you lock down public access to your protected instances.
Client VPN vs Site-to-Site VPN
AWS offers two different types of VPN. The first, and simplest, is the Client VPN. It is a fully managed, elastic VPN service based on OpenVPN. Combined with an OpenVPN-capable client, it lets users access your AWS infrastructure from anywhere as if they were on the network itself.
This allows your employees to connect directly to servers in private subnets, such as database servers that you would rather not expose to the web. You can also block SSH on public servers from anywhere outside the local subnet, so that only users connected to the VPN can administer them.
It works well enough for large business workloads, but if you only have a few people who need to connect, it can be quite expensive. The Client VPN has two costs: a fixed rate for each VPN associated with a subnet and an hourly rate for each client connected to it. The flat rate is $75 per month and the per-user rate is $0.05 per hour. With moderate usage by a few people, you could easily rack up over $100 in total Client VPN fees. And, of course, you will incur all the standard data transfer charges for moving data within AWS and to the Internet.
The whole Client VPN is really a managed OpenVPN server, which is open source. If you have a little time, you can configure your own OpenVPN server on an EC2 instance, which will cost much less. OpenVPN is fairly lightweight, so if the $75 per month fee seems like a lot, you can probably run it on a t2.micro, for example, for a fraction of the cost of the Client VPN.
The second VPN that AWS offers is a site-to-site VPN. Rather than connecting multiple remote clients, the site-to-site VPN connects your AWS VPC directly to your local network through a secure tunnel.
This allows you to move on-premises applications to the cloud and connect them directly to your pre-existing network, using the same corporate firewall you already have in place, and without changing the way your users access your applications. In a way, Site-to-Site VPN simply extends your local network securely into the cloud, letting you reach EC2 instances in the chosen VPC as if they were on your own network.
Site-to-Site VPN is very elastic and even supports redundant failover connections if the primary tunnel loses its connection for any reason. The pricing is also a little different: you pay only $36 per month per connection, but you will have to pay $0.09 per GB of data transferred, in addition to the standard AWS data charges.
Configuring a client VPN
Here we will show how to configure a Client VPN, as it is the most versatile option and the most useful for people without on-premises hardware.
Before you begin, you will need to create certificates for the server and for each client. You can generate them with ACM, but this requires setting up a private certificate authority, which costs $400 per month. If you don’t want to pay that, you can generate them using OpenVPN’s easy-rsa. Download it and initialize a new certificate authority:
git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
Now generate a client certificate, replacing “client1.domain.tld” with the name of the client:
./easyrsa build-client-full client1.domain.tld nopass
Now we need to upload the certificates to ACM so that they can be used with Client VPN. They are all located in the pki folder, so cd over there and import the server certificate using this rather awkward command, making sure your CLI region is set to the same region in which you are creating the Client VPN:
aws acm import-certificate --certificate file://issued/server.crt --private-key file://private/server.key --certificate-chain file://ca.crt
You can also use the “Import Certificate” button in ACM and paste the contents of each file, but the CLI command is easier than copying and pasting. Import the client certificate in the same way:
aws acm import-certificate --certificate file://issued/client1.domain.tld.crt --private-key file://private/client1.domain.tld.key --certificate-chain file://ca.crt
Now you can configure the Client VPN. In the VPC management console, click “Client VPN Endpoints” under the “Virtual Private Network (VPN)” section in the sidebar, and create a new endpoint.
First, you will need to give the VPN a CIDR block that is not in use by your current VPC. You can find your VPC’s block under the “Your VPCs” tab. For example, if you use the default block of 172.31.0.0/16, you can put the Client VPN on 172.16.0.0/16, which does not overlap.
Next, paste the ARN of your server certificate (you can find it in the ACM console), check “Use mutual authentication” and paste the ARN of the client certificate. You can use this one client certificate for multiple users, but if you want a better way to manage access, you can use Active Directory authentication with AWS Directory Service.
That's all that is needed, so go ahead and click on create. You will be billed upon creation.
You will need to associate this VPN with a particular VPC and subnet. In the "Associations" tab, click on "Associate", then select the VPC and the subnet you want to use.
If you use the defaults, you will have one VPC available with a subnet in each Availability Zone. Select the subnet in the Availability Zone that you are currently using.
Under “Authorization”, add an ingress authorization rule for the subnet you associated the VPN with. It can be a more specific CIDR block or the entire subnet. If you are using AD, you can also limit access to a particular group.
In the VPC console, click “Download client configuration”. This downloads a .ovpn file that you can use in any OpenVPN client to connect to the VPN. However, the file AWS provides only contains the server’s CA certificate, so you will have to open it and paste the issued/client1.domain.tld.crt certificate into a <cert> block and the private/client1.domain.tld.key key into a <key> block of the .ovpn file. The file will look like this:
client
dev tun
proto udp
remote asdfa.cvpn-endpoint-0dbc42be17e0f2c68.prod.clientvpn.us-east-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
CA KEY
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CLIENT CRT FILE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CLIENT KEY FILE
-----END PRIVATE KEY-----
</key>
reneg-sec 0
You will also want to add a random string in front of “remote cvpn-endpoint-xxxxxx”, like this:
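The last two steps above (inlining the client certificate and key, then prefixing the endpoint hostname with a random label) are easy to get wrong by hand, so here is an added example that automates them. It is not AWS or OpenVPN code; the sample .ovpn text is constructed, and the easy-rsa pki layout (issued/<client>.crt, private/<client>.key) is assumed.

```python
import re
import secrets
from pathlib import Path

# Constructed sample of the file AWS hands out under "Download client
# configuration": the server CA is inlined, the client identity is not.
SAMPLE_OVPN = """client
dev tun
proto udp
remote cvpn-endpoint-0dbc42be17e0f2c68.prod.clientvpn.us-east-1.amazonaws.com 443
remote-random-hostname
remote-cert-tls server
cipher AES-256-GCM
<ca>
-----BEGIN CERTIFICATE-----
CA KEY
-----END CERTIFICATE-----
</ca>

reneg-sec 0
"""

PEM_RE = re.compile(r"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.S)
REMOTE_RE = re.compile(r"^remote\s+(cvpn-endpoint-\S+)\s+(\d+)\s*$", re.M)

def pem_block(text):
    """Keep only the PEM body: easy-rsa's issued/*.crt starts with a text dump."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(0)

def randomize_remote(config, label=None):
    """Prefix the endpoint hostname with a random DNS label (fixed label for tests)."""
    label = label or secrets.token_hex(4)
    return REMOTE_RE.sub(lambda m: f"remote {label}.{m.group(1)} {m.group(2)}", config)

def inline_client_identity(config, cert_text, key_text):
    """Insert <cert>/<key> blocks right after </ca>, the inline form OpenVPN reads."""
    if "<cert>" in config or "<key>" in config:
        raise ValueError("config already carries a client identity")
    head, sep, tail = config.partition("</ca>\n")
    if not sep:
        raise ValueError("no <ca> block; is this an AWS Client VPN config?")
    block = f"<cert>\n{pem_block(cert_text)}\n</cert>\n<key>\n{pem_block(key_text)}\n</key>\n"
    return head + sep + block + tail

def build_client_config(config, pki_dir, client, label=None):
    """Assemble the finished .ovpn from the easy-rsa pki folder (hypothetical path)."""
    pki = Path(pki_dir)
    cert = (pki / "issued" / f"{client}.crt").read_text()
    key = (pki / "private" / f"{client}.key").read_text()
    return randomize_remote(inline_client_identity(config, cert, key), label)
```

Keep the finished file's permissions tight: it now embeds the client's private key, which is the only thing standing between the VPN and anyone who can read the file.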