Here's the high-level workflow:
➤ First, we generate certificates using EasyRSA.
➤ Then, we upload the server and client certificates to AWS Certificate Manager.
➤ Next, we create a Client VPN Endpoint inside our VPC.
➤ After that, we associate it with our private subnet and set authorization rules.
➤ Finally, we connect from our laptop using the AWS VPN Client.
Step 1 - Create VPC & Subnet
➤ Open the VPC Console
➤ Create a VPC with CIDR 10.0.0.0/16
➤ Add a private subnet 10.0.1.0/24
➤ No Internet Gateway needed
Step 2 - Launch Private EC2 Instance
➤ Go to EC2 Console → Launch Instance
➤ Choose Amazon Linux 2 (or Ubuntu)
➤ Place the EC2 inside the private subnet
➤ Do not assign a public IP
➤ Attach a Security Group that allows SSH (port 22) only from the VPN client CIDR (configured in a later step)
Step 3 - Generate Certificates
➤ Download EasyRSA from GitHub and extract it. (https://github.com/OpenVPN/easy-rsa/releases/download/v3.2.2/EasyRSA-3.2.2-win64.zip)
Refer to the AWS guide: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-auth-mutual-enable.html
➤ Open CMD as Administrator and change into the EasyRSA folder
➤ Generate:
- Certificate Authority (CA)
- Server certificate and key
- Client certificate and key
Step 4 - Upload Certificates to AWS
Go to AWS Management Console → Certificate Manager
➤ Upload server certificate (CA, public cert, and private key)
➤ Upload client certificate
➤ Copy the ARN values for later use
Step 5 - Create the Client VPN Endpoint
Go to VPC → Client VPN Endpoints → Create
➤ Select the server certificate ARN
➤ Set client CIDR range, e.g., 10.100.0.0/22
➤ Enable Split-tunnel if desired
After creation:
➤ Add authorization rule to allow VPC CIDR 10.0.0.0/16
➤ Associate VPN Endpoint with private subnet
Step 6 - Download Configuration and Connect
➤ Download the .ovpn configuration file
➤ Embed the client certificate and key inside the file
➤ Open SSH (port 22) on the EC2 Security Group from the client CIDR 10.100.0.0/22
Open the AWS VPN Client on your laptop, import the configuration, and click Connect.
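As an added example (not part of the original post), this Python script does two of the fiddly parts of the steps above offline: it checks the client CIDR against the VPC CIDR the way the Client VPN service requires (no overlap, block size between /12 and /22), and it embeds an EasyRSA client certificate and key into the exported .ovpn file for Step 6. The endpoint name, CA body and EasyRSA file contents below are constructed placeholders, not real values.

```python
import ipaddress
import re

# Constructed sample of an exported Client VPN config (placeholder endpoint and CA).
SAMPLE_OVPN = """client
dev tun
proto udp
remote cvpn-endpoint-EXAMPLE.prod.clientvpn.us-east-1.amazonaws.com 443
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER_CA_BODY
-----END CERTIFICATE-----
</ca>
"""
# Constructed stand-ins for EasyRSA output: .crt files carry a human-readable
# preamble before the PEM block, and keys may be PKCS#8 ("PRIVATE KEY") or RSA.
SAMPLE_CRT = "Certificate:\n    Data:\n        Version: 3\n-----BEGIN CERTIFICATE-----\nPLACEHOLDER_CLIENT_CERT\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER_CLIENT_KEY\n-----END PRIVATE KEY-----\n"

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)

def extract_pem(text: str, kind: str) -> str:
    """Return the first PEM block whose label contains `kind` ('CERTIFICATE' or 'PRIVATE KEY')."""
    for m in PEM_RE.finditer(text):
        if kind in m.group(1):
            return m.group(0)
    raise ValueError(f"no {kind} PEM block found")

def embed_client_identity(ovpn_text: str, crt_text: str, key_text: str) -> str:
    """Append <cert>/<key> blocks so the AWS VPN Client presents the client certificate (Step 6)."""
    if "<cert>" in ovpn_text or "<key>" in ovpn_text:
        raise ValueError("config already contains a client identity")
    cert = extract_pem(crt_text, "CERTIFICATE")  # drops the EasyRSA text preamble
    key = extract_pem(key_text, "PRIVATE KEY")
    return ovpn_text.rstrip("\n") + f"\n<cert>\n{cert}\n</cert>\n<key>\n{key}\n</key>\n"

def check_client_cidr(client_cidr: str, vpc_cidr: str) -> list:
    """Return constraint violations: client range must not overlap the VPC and must be /12 to /22."""
    client = ipaddress.ip_network(client_cidr)
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    if client.overlaps(vpc):
        problems.append("client CIDR overlaps VPC CIDR")
    if not 12 <= client.prefixlen <= 22:
        problems.append("client CIDR must be between /12 and /22")
    return problems

if __name__ == "__main__":
    print(check_client_cidr("10.100.0.0/22", "10.0.0.0/16"))  # the page's values pass: []
    print(embed_client_identity(SAMPLE_OVPN, SAMPLE_CRT, SAMPLE_KEY))
```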