AWS Client VPN - AWS Networking

Video Statistics and Information

Captions
Hi guys, welcome to this lesson. This lesson is about the AWS Client VPN, so it is exactly what it sounds like: this is a way that you can connect your client computer to the AWS data center, to a VPC, via a VPN connection, so a virtual private network connection. So let's say you've got a computer which is Windows or Mac or Linux; you're able to set up a client connection from there into a VPC, and that means you're then able to communicate with resources in that VPC, so you might be able to connect to an EC2 instance directly using private IP addresses. Now of course it's a virtual private network, so that does mean that it's encrypted as well, end to end.

So let's look at how you set them up. So here we have a region; in that region we have a VPC with a couple of subnets. Now we create a VPN endpoint, and the VPN endpoint is associated with subnets, so the Client VPN network interfaces are created in the subnet, and that is the method by which the VPN connection is then able to communicate with resources in the subnets, because there is an association between this network adapter that's provisioned into the subnet and the VPN endpoint. We then have the client computer, and that's going to be running some VPN software. The VPN software is not AWS software, so you need to choose one of the available options; there's lots of free options. In the hands-on in the next lesson we're going to use OpenVPN. The client software will establish a connection with the VPN endpoint over SSL/TLS, so port 443, and that's going to be via the internet. The VPN endpoint will actually perform source network address translation from the CIDR block that's associated with the VPN client to the CIDR block that's associated with the VPC. And on the client side, if you look in your route table, you can run a command on Windows which is route print, and you would then see your route table, and you'd be able to see that you have a destination for the CIDR block of the VPC and a gateway which is pointing at the VPN endpoint. So that's the theory behind how a Client VPN works. Again, this is an encrypted connection over the internet from your computer, so your computer is then able to communicate using private IP addresses over to your instances in your subnets within your VPC. So that's how it all works.

We're going to set this up using a Windows client on Amazon WorkSpaces and a VPN endpoint, so this is what we're going to do now. On the left here you can see I'm using Amazon WorkSpaces in one region, and then I'm setting up a VPN endpoint in a different region. Now the reason I wanted to do this and use WorkSpaces is just to provide some instructions that are the same for everyone, so it doesn't matter if you're on Mac, if you're on Linux or if you're on Windows, you can use WorkSpaces and follow along. Now the good news is, if you are using Windows then you don't need to use WorkSpaces, which will save you a bit of time, but by all means follow along if you want to learn a bit about WorkSpaces. But you'll basically need a Windows client, and then we're going to follow some instructions to install OpenVPN client software on the Windows computer, and we're also going to use the Windows computer to generate some certificates, and we're going to use the certificates for mutual authentication. So there are a couple of options for authentication with the Client VPN: one of them is mutual authentication using certificates; another is that you can integrate a directory service like AWS Directory Service. That takes a bit longer, it's a bit more work to set up and a bit outside of the scope of this course, so I just wanted to use WorkSpaces and we're going to use certificates. So this is the configuration, and what should happen is, once we've connected our client to the VPN, we're going to have an instance running in a subnet within our VPC, and we're going to just test that we can ping that instance, which will show that we have that connectivity using private IP addresses via our connection. Now when I'm running WorkSpaces in another region, we're definitely using the internet to connect to our VPN endpoints; there's nothing going over the AWS backbone here, this is using a public internet connection from one region to another region. Now as I mentioned, if you're running Windows on your computer you can quite easily set this up from your own computer, and that will be via the internet obviously as well. Now also you can download the configuration, so even if you want to use WorkSpaces to set up and generate the certificates that we're going to use, you can then use the VPN configuration and install that on whatever computer you're running on. So that's what we're going to do; let's head over to the console and start building this out.

I'm in the AWS Management Console and I'm just going to type workspaces at the top here and then choose WorkSpaces. So this is desktops in the cloud, so it means that we can run a client operating system in the cloud. Now when you see the main screen here, you just click Get Started and then you choose Quick Setup. Don't choose Advanced, because that will try and configure some options for using directory services, which we're not going to do, so use the Quick Setup, click Launch, and then what you want to do is, it automatically goes to Linux but we want to use Windows, so we just select this option: free tier eligible, Standard with Windows 10. What you then do is put in your name, or whatever username you want it to be; then I'm going to put in my full name and then my email address. Once I've done that I simply click Launch WorkSpaces. Now it does take a bit of time, so what I've done, I'm just going to cancel out of there and head over to US East (North Virginia) where I've already set it up. Now notice that some regions are greyed out; that's because it's not available in all regions, so you can choose a different region if you like, but I'm going to go to US East (North Virginia), and you'll only be able to select some of the available options here. So it can take about 20 minutes or so to actually become available. When it does, just click on this down arrow here and you'll find the Clients link, so let's copy this address, and what we're going to do is then go to another browser window and navigate to this web page. So this is the web page you'll see; you need to download the client software, and it's available for various different versions of operating system. I use macOS so I just download this option; if you're on Windows just download this one here. Once you've downloaded it, install the software and then you'll be ready to go. Now you'll notice that there's a registration code here. What you need to do is copy this registration code and then head to the client software that you just downloaded and installed; then in the WorkSpaces software just click on Change Registration Code, enter your registration code and click on Register. We're now ready to connect. My username is neil, and then for the password, what you'll find is an email should have come to your inbox. In that email there's a link; you have to click on the link, and the link will take you to a page where you get to reset your own password, or to set your own password. Once you've done that, come back and enter your password here and you should be able to connect to your desktop. So I'm ready and I'm going to click on Sign In, and that should start my workspace and connect me to my Windows 10 desktop. So that's it, I'm logged on to my Windows 10 desktop.

Now what I want to do is show you an article, and I'm going to link this article to the lesson, and this is going to have some instructions that we can follow for actually generating the certificates we're going to use. So you'll see on here the instructions; by the way, if you just come to the top of the article, just scroll down to Mutual Authentication, then you'll see Linux, macOS or Windows. So we're going to choose Windows, and then we're going to download the OpenVPN software, install it, and then we run a series of commands, and those commands are going to generate the certificates that we're going to use for mutual authentication. So what I'm going to do is just copy this link, come back and use Firefox to connect. So I'm on the OpenVPN web page and I'm going to download the 64-bit Windows installer, and that's an MSI. Let's just save that locally and then let's look at that download; let's double-click and run the MSI installer. Now we're going to click on Customize; we need to make a couple of changes. Firstly, what I want to do is change the path to install to D:\. The reason is, on WorkSpaces we are restricted from the C drive, and we do need to go into this file location to use some of the utilities and find some of the files we generate, so change that to D:\ and then the same path, and click on OK. Scroll down to the bottom here and we want to install the OpenSSL utilities; that installs the EasyRSA free certificate manager scripts. And then click on Install. So that's installed successfully, and now what I want to do is head back to this article, and we're going to start using some of these commands. So we're starting here at number five. The first command here, I'm just going to copy that to my clipboard, come back, let's open a command prompt, paste that in; that changes us to the easy-rsa directory. Then we're going to start EasyRSA, then come back, and from here the commands actually pick up this hash which we don't need, so rather than using the copy here I'm just going to highlight it and copy that across, and we just run each of these one after the other. Now this one does ask for some information; I'm just going to type vpn server here for the hostname, hit Enter, and that's finished. Let's come down to the next one, put this command in, and then lastly one more command; we paste this in and that should generate all of our certificates. Great, so that all completed successfully.

Now what you'll notice is there's a couple of ways that we can then upload these certificates. So we're going to upload them to AWS Certificate Manager, and you can either do that manually, which I'm going to show you how to do, or you can just follow this here and use the AWS Command Line Interface. If you do that, just make sure you install the AWS Command Line Interface, and then you need to run these commands to copy the files to a custom folder of your choice, and then you can run a single command which will actually then go and upload those to AWS Certificate Manager for you. Now I'm going to show you the manual way as well, so that you can do it that way if you choose. So on the AWS Management Console I'm going to search for certificate, and that will bring up Certificate Manager, and I need to change regions, because I need to have the certificates installed in the same region where my VPN endpoint will be, and I don't want my VPN endpoint to be in the same region as my WorkSpaces, so I'm going to choose North California. In Certificate Manager let's click on Get Started under Provision Certificates; we're going to choose Import a Certificate at the top, and now we need to supply this information. So we need the certificate body first. Now we're going to do this for the server and the client certificate. So back in WorkSpaces I'm going to open up File Explorer, I'm going to go into the D drive, Program Files, OpenVPN, easy-rsa, pki, and then in pki there's a few files that we need. Firstly we go into issued and we find the server certificate here. What I'm going to do is Open With, and let's choose Notepad, and then we just copy all of this information to our clipboard, come back over, and paste it into the certificate body. We next need the private key, so now we go up a level back to pki, go to private, and server.key; again we're going to open this with Notepad, again highlight it all, copy to your clipboard, come back, and paste that in. And then the certificate chain: the certificate chain is back up again, ca, so just choose the ca here, and again open, let's open this with Notepad, copy that to our clipboard and paste that in. We'll need that for the next one, so I'll leave that file open as well. We can now just click on Review and Import and click on Import. So that's great, we now have our server certificate.

Let's head back over, and we can leave this one open, I'm going to need that in a moment, and what we want to do is go back to issued, open the client certificate, copy that to our clipboard, and then let's come back and we're going to Import a Certificate, and paste that in. Come back for the private key; we can close this file. Again we go up a level, go to private, choose the client certificate, open with Notepad, we paste this one in, and then lastly we come back and we've already got this file open, so we just copy this again and paste this in, and that gives us our certificate chain. Click on Next, Review and Import, and Import. So we now have our certificates; we've got our server and our client certificate.

And what I want to do is just connect over to the VPC management console, and we're going to scroll down to VPN and you'll find Client VPN Endpoints. We're going to create an endpoint; I'll just call this my client vpn. We need to give it a CIDR block, so this is the CIDR block for the computers that connect in, so the computer that you connect in, whether it's your computer or your WorkSpaces client, will get an IP in this range. I'm going to use a range that I know we haven't used. Now for server certificate I'm going to select this top one that says server. I'm going to select mutual authentication and then select the client certificate here. I'm not going to select logging or enable the connection handler. Now we can also supply a DNS server here for DNS resolution; I'm going to supply one which could be in the subnet that we're connecting to. We next choose the VPC; in this region we've only got one. We can select the security group; there's just a default security group at this stage. And you can also enable the self-service portal if you want to; I'm not going to enable that at this stage. Now I'm going to create the Client VPN endpoint.

Our VPN endpoint is set up; we can see that it's pending-associate, so remember we need to associate it with a subnet. So I'm going to choose a VPC, choose a subnet to associate with, I'm going to choose us-west-1a, click on Associate and Close. Another thing we need to do is we need to set up authorization. Now this is where you can set the destination networks that you want to allow your clients to connect to. Now I'm just going to open it up with the any IP address. You can also grant to specific users, so you can actually do this in combination with AWS Directory Service if you use that instead of the certificate-based authentication, and allow access to users in a particular group. We'll just allow it for everybody and just add that authorization rule. There's also a route table in here; you can create your own, but it will create one for you, and that route table will allow access to the subnet that we just connected to. You can see that's in the state of creating, and it does take a few minutes, so you might have to leave this for five to ten minutes and then everything should be set up. Now in the meantime what we can do is download the client configuration, so just click on Download and you'll get that file. We then need to get the contents of that file over to our WorkSpaces desktop, so a couple of ways to do that: you can find a way to actually upload the file there if you like, using, you know, some kind of file sharing, or you can just open it with a text editor, copy the contents and then create a file on the destination. I'm going to do that, so I'll open my file with Notepad, copy the contents, and then I'll show you where to create the file on your Amazon WorkSpaces desktop. Back on WorkSpaces, let's just open up Notepad and I'm pasting in the information from the file which I downloaded, so this is the config. So what we need to do now is just save this file somewhere. I'm going to just put this onto the D drive; in fact, no, I'll put it onto the desktop because I'm not sure we have the rights to actually save it there. I need to change to All Files and then I'm just going to call this client config dot, and let's save that file.

Now there are a couple of lines that we need to add to this; it will often not work in this particular state, so I'll show you what those are. In the course download, in the code directory, you'll find client vpn and then open vpn config, and we've got these two lines here, and these will actually provide the path to the certificate and the certificate private key. So just copy these two, and don't worry about the double backslashes; that is required for the config file, that's not a typo. And then back in here we can simply add a new line; we'll paste that in, so we've got those two lines here, and then save that file. Now let's run the OpenVPN GUI, and you might get this message here; that's okay. Now you'll find it in your system tray in the bottom here, and if you right-click it you can then choose Import File. Let's go to our desktop and we've got our client config, so let's import the file. So that looks good; we've got this all running.

Now the other thing we want to do is just head over and launch an EC2 instance, which is what we're going to ping to prove that we've got the connectivity into our subnet. So I'm in the EC2 management console in North California; I'm going to launch an instance. Let's choose Launch Instances, the usual options, the Linux 2 AMI and the t2.micro, and then there's only one VPC. Let's make sure we put it in the right subnet, because this is the subnet we associated to the VPN endpoint, so I'm using us-west-1a, so I'm going to choose that one. Let's click on Next, go through to security group, and let's see if we've got a security group; we don't have one in this region, so I'm going to call this web-access, and then let's just add in an additional rule, because we want to be able to ping this instance, so I'm going to allow ICMP from anywhere, and that will give us the ability to ping this instance, and we've also got SSH if we did want to connect in. So that's it, I'm going to launch. I do need to create a key pair because I haven't used this region recently, so let's call this ncal.kp, and I'm going to download the key pair and launch the instance. You'll want to go in and take a note of the private IP address for your instance.

And then let's head back and see if our VPN endpoint is ready. OK, things look good, it says it's available. Let's check the association: that's associated. The authorization is active, so that all looks good. So let's head back to WorkSpaces and see if we can connect our VPN. OK, so let's try and connect now. So in the system tray I'm going to right-click the OpenVPN icon, choose Connect, and it's running through, looks good, and there we are, we're now connected to the VPN. So let's now try and connect to the EC2 instance we launched. So I'm going to try and ping the EC2 instance, and that's not responding, so let's just go and check why that is; I'm pretty sure we got it set up correctly. Let's check a few things. So we've got the route table; that's definitely set up and active. We have an authorization for the destination CIDR; that definitely looks good. The security group shouldn't apply; the default security group will have an outbound rule that allows all traffic. And then we're associated with the 448d network here, the subnet that ends in 448d, so we'll check that in a moment. But the first thing I want to check is security groups, because I reckon that's most likely the problem here. So let's see, we've got web-access, let's have a look: we've got Echo Reply. So actually what we want to do is we just want to go and add a rule for All ICMP - IPv4. So if you've done the same as me then just go back in and edit your rule; I just need it for v4, so it should be All ICMP - IPv4. So with that applied, let's go back, and that should take instant effect, and sure enough it does. So that's great, we've now got an echo response from our EC2 instance in a private subnet using a private IP address, and remember this WorkSpaces desktop is running in North Virginia and we're accessing the EC2 instance over a VPN connection using the public internet, and the EC2 instance is running in California. So that all looks great.

Now back in the console here, if we just go back to Client VPN Endpoints, another thing you'll be able to see is under Connections you can see your connections here. I disconnected a couple of times, so you can see I picked up a different IP address once in the middle there, and you can monitor your connections here. So that's it guys, I hope you enjoyed that lab; hope it all works for you. So we don't need this configuration anymore, so I'm actually going to go and get rid of it. Now we do have to remove the association first and then wait till that's disassociated. While that's happening let's go back to WorkSpaces and I'm going to remove my workspace so we don't end up paying anything. So in WorkSpaces just select your workspace and then choose Remove Workspace, and that will remove that workspace for you. And then back in the Client VPN just wait until this is disassociated, and then you should be able to go in and choose Delete Client VPN Endpoint.
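The profile edit the lesson makes by hand (adding the cert and key lines with doubled backslashes) and the checks worth running before importing the profile into the OpenVPN GUI, as an added Python example that is not from the video or the course download. The sample profile, the endpoint hostname, the CA body and the D:\ file paths are constructed placeholders.

```python
# Added example (not the video's or course's code): patch and check an AWS Client VPN
# .ovpn profile for mutual auth. Sample profile, hostname, CA body and paths are constructed.

# Constructed stand-in for the file the "Download Client Configuration" button returns.
DOWNLOADED_CONFIG = """\
client
dev tun
proto udp
remote cvpn-endpoint-PLACEHOLDER.prod.clientvpn.us-west-1.amazonaws.com 443
remote-cert-tls server
cipher AES-256-GCM
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-BODY
-----END CERTIFICATE-----
</ca>
"""

# Hypothetical locations of the easy-rsa output on the D: drive (real names come from easy-rsa).
CLIENT_CERT = r"D:\Program Files\OpenVPN\easy-rsa\pki\issued\client.crt"
CLIENT_KEY = r"D:\Program Files\OpenVPN\easy-rsa\pki\private\client.key"

def parse_directives(config):
    """Map each top-level directive to its argument string, skipping inline <tag> blocks."""
    directives, in_block = {}, False
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("</"):
            in_block = False
        elif s.startswith("<"):
            in_block = True
        elif s and not in_block and not s.startswith("#"):
            name, _, arg = s.partition(" ")
            directives[name] = arg.strip()
    return directives

def ovpn_path(path):
    """Quote a Windows path for OpenVPN; each backslash must be doubled in the profile."""
    return '"' + path.replace("\\", "\\\\") + '"'

def add_client_identity(config, cert_path, key_path):
    """Append the cert/key lines the lesson adds by hand, unless they are already present."""
    have = parse_directives(config)
    patched = config.rstrip("\n") + "\n"
    for directive, path in (("cert", cert_path), ("key", key_path)):
        if directive not in have:
            patched += f"{directive} {ovpn_path(path)}\n"
    return patched

def check_profile(config):
    """Return a list of problems to fix before importing the profile into the OpenVPN GUI."""
    d = parse_directives(config)
    problems = []
    if "cert" not in d or "key" not in d:
        problems.append("no cert/key directives: mutual authentication will fail")
    if d.get("remote-cert-tls") != "server":
        problems.append("remote-cert-tls server missing: peer certificate role not checked")
    remote = d.get("remote", "").split()
    if len(remote) < 2 or remote[1] != "443":
        problems.append("remote is not the endpoint on port 443")
    if "<ca>" not in config:
        problems.append("no inline <ca> block: endpoint certificate cannot be verified")
    return problems
```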
Info
Channel: Digital Cloud Training
Views: 17,807
Keywords: AWS, AWS Certification, Amazon Web Services, AWS Amazon, AWS Certified, AWS Training, AWS tutorial, Amazon AWS, What is AWS, Getting started with AWS, Amazon AWS tutorials, AWS Fundamentals, free aws, free aws tutorials, AWS Cloud, AWS Exam, Cloud Computing, Cloud Technology, AWS career, AWS for beginners, AWS Services, AWS Networking, AWS Client VPN
Id: St8y0xZSn3c
Length: 24min 0sec (1440 seconds)
Published: Wed Jan 06 2021