CloudFormation template for setting up a Client VPN endpoint to securely access private resources in a VPC.
Make sure you have the AWS CLI installed and configured on your workstation.
First you need a server certificate for the TLS tunnel. The commands below create a private CA with easy-rsa, issue a server certificate from it, and import the certificate into AWS Certificate Manager. Import it in the region where the Client VPN endpoint will be created (ACM certificates are regional). Note that `nopass` leaves the CA and server keys unencrypted on disk, so keep the `pki` directory private:

```sh
# download easy-rsa
$ git clone https://github.com/OpenVPN/easy-rsa.git ~/easyrsa
$ cd ~/easyrsa/easyrsa3
# initialise the PKI directory, then create the CA and the server certificate
$ ./easyrsa init-pki
$ ./easyrsa build-ca nopass
$ ./easyrsa build-server-full server nopass
# import the certificate (easy-rsa writes everything under pki/)
$ aws acm import-certificate \
    --certificate file://pki/issued/server.crt \
    --private-key file://pki/private/server.key \
    --certificate-chain file://pki/ca.crt
```

Take note of the ARN of the imported certificate (the `CertificateArn` field in the command output).
- Now go to IAM Identity Center in the AWS Console.
- Create a new Custom SAML 2.0 application, named e.g. `VPN`.
- In the Application metadata fields, use the values below:
  - Application ACS URL: `http://127.0.0.1:35001` (the AWS provided client listens on this local port to receive the SAML response from the browser)
  - Application SAML audience: `urn:amazon:webservices:clientvpn`
- Download the metadata file from the creation page.
- Click on Edit attribute mappings from the Actions menu for your app and configure the mappings shown below.

| User attribute in the application | Maps to this string value or user attribute | Format |
|---|---|---|
| Subject | `${user:email}` | emailAddress |
| Name | `${user:email}` | unspecified |
| FirstName | `${user:givenName}` | unspecified |
| LastName | `${user:familyName}` | unspecified |
| memberOf | `${user:groups}` | unspecified |

- The `memberOf` attribute is what Client VPN authorization rules match against; Identity Center sends group IDs (not group names) in it, so use the group ID when writing a group-scoped rule.
- Once created, assign the users or groups that should be allowed to connect to your new app; a user who is not assigned to the application cannot authenticate.
- Now go to IAM in the AWS Console.
- Go to Identity providers and click on the Add provider button.
- Choose SAML, enter a Provider name e.g. `VPN`, and upload the metadata file downloaded previously.
- Click on Add provider and take note of the ARN of the newly added provider.
In the project folder, run the commands below to deploy the stack, replacing each `???` with the ARNs and IDs noted above (a comment cannot follow the line-continuation backslash, so the placeholders are explained here rather than inline):

```sh
# SamlProviderArn: ARN of the IAM identity provider
# ServerCertificateArn: ARN of the imported ACM certificate
# SubnetId: subnet to associate with the endpoint
# VpcId: VPC containing that subnet
$ aws cloudformation deploy \
    --capabilities CAPABILITY_IAM \
    --stack-name client-vpn \
    --template-file template.yml \
    --parameter-overrides \
      "SamlProviderArn=???" \
      "ServerCertificateArn=???" \
      "SubnetId=???" \
      "VpcId=???"
```
Once created, the new Client VPN setup is ready for use.

```sh
# get the client VPN endpoint ID from the stack outputs
$ VPN_ENDPOINT_ID=$(aws cloudformation describe-stacks \
    --stack-name client-vpn \
    --query "Stacks[0].Outputs[?OutputKey=='VpnEndpointId'].OutputValue" \
    --output text)
# get the self-service portal (SSP) URL for that endpoint
$ aws ec2 describe-client-vpn-endpoints \
    --client-vpn-endpoint-ids "$VPN_ENDPOINT_ID" \
    --query "ClientVpnEndpoints[0].SelfServicePortalUrl" \
    --output text
```

Open the self-service portal URL, sign in through Identity Center, and download the AWS provided client and the endpoint's client configuration file from there. The portal signs in through its own ACS URL (`https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml`), so if the portal rejects the sign-in, create a second Identity Center application with that ACS URL and register it as a separate IAM identity provider for the endpoint's self-service portal.
The stack also exports the ID of the security group attached to the Client VPN endpoint (export name `client-vpn-VpnSecurityGroupId` when the stack is named `client-vpn`). Reference it as the source of ingress rules in your other CloudFormation templates so that a port is reachable only from connected VPN clients rather than from a CIDR range:

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Example CloudFormation template.
Resources:
  ExampleSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: ExampleSecurityGroup
      GroupDescription: Example security group.
      # add VpcId here when the target VPC is not the default VPC; the
      # referenced source group must be in the same VPC as this one
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          # use it like below
          SourceSecurityGroupId: !ImportValue client-vpn-VpnSecurityGroupId
```
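The stack's own `template.yml` is not reproduced on this page. The template below is an added illustration written for this page, not the project's file, of how the pieces described above fit together: it takes the same four parameters the deploy command passes and produces the `VpnEndpointId` output and the `<stack name>-VpnSecurityGroupId` export that the commands and the example above rely on. Everything else is an assumption of this illustration and not something the page states: the resource names, the extra `VpcCidr`, `ClientCidr` and `AllowedGroupId` parameters, the CloudWatch log group, and the port, split-tunnel and session-timeout settings. Its security-relevant choices are that authorization is granted to one Identity Center group (matched against the `memberOf` attribute by group ID) instead of `AuthorizeAllGroups: true`, and that connection logging is enabled so that every connect, authorization failure and disconnect is recorded.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Illustrative Client VPN endpoint with SAML (IAM Identity Center) authentication.

Parameters:
  SamlProviderArn:
    Type: String
    Description: ARN of the IAM SAML provider created from the Identity Center metadata.
  ServerCertificateArn:
    Type: String
    Description: ARN of the imported ACM server certificate (same region as this stack).
  SubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Subnet associated with the endpoint; VPN traffic enters the VPC here.
  VpcId:
    Type: AWS::EC2::VPC::Id
  # The three parameters below are assumptions of this illustration, not part of the page.
  VpcCidr:
    Type: String
    Default: 10.0.0.0/16
    Description: VPC CIDR that authorized clients may reach.
  ClientCidr:
    Type: String
    Default: 172.16.0.0/22
    Description: Address pool for VPN clients; must not overlap the VPC or any network it routes to.
  AllowedGroupId:
    Type: String
    Description: Identity Center group ID (not name) sent in memberOf; only its members are authorized.

Resources:
  # Exported so other stacks can allow traffic "from VPN clients" by group reference.
  VpnSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Attached to the Client VPN endpoint; reference it as an ingress source.
      VpcId: !Ref VpcId

  # Connection logs record who connected, from where, and whether authorization succeeded.
  VpnLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 90
  VpnLogStream:
    Type: AWS::Logs::LogStream
    Properties:
      LogGroupName: !Ref VpnLogGroup
      LogStreamName: connections

  VpnEndpoint:
    Type: AWS::EC2::ClientVpnEndpoint
    Properties:
      Description: SAML-authenticated Client VPN
      ServerCertificateArn: !Ref ServerCertificateArn
      ClientCidrBlock: !Ref ClientCidr
      AuthenticationOptions:
        - Type: federated-authentication
          FederatedAuthentication:
            SAMLProviderArn: !Ref SamlProviderArn
            # The self-service portal signs in via its own ACS URL; in practice this is
            # usually a second provider backed by a second Identity Center application.
            SelfServiceSAMLProviderArn: !Ref SamlProviderArn
      ConnectionLogOptions:
        Enabled: true
        CloudwatchLogGroup: !Ref VpnLogGroup
        CloudwatchLogStream: !Ref VpnLogStream
      SelfServicePortal: enabled
      SplitTunnel: true           # only routes in the endpoint's route table go through the tunnel
      TransportProtocol: udp
      VpnPort: 443
      SessionTimeoutHours: 8      # force re-authentication at least once per working day
      VpcId: !Ref VpcId
      SecurityGroupIds:
        - !Ref VpnSecurityGroup

  # Associating a subnet also adds a route to that subnet's VPC CIDR.
  VpnTargetNetwork:
    Type: AWS::EC2::ClientVpnTargetNetworkAssociation
    Properties:
      ClientVpnEndpointId: !Ref VpnEndpoint
      SubnetId: !Ref SubnetId

  # Authorize a single Identity Center group; deliberately not AuthorizeAllGroups: true.
  VpnAuthorizationRule:
    Type: AWS::EC2::ClientVpnAuthorizationRule
    DependsOn: VpnTargetNetwork
    Properties:
      ClientVpnEndpointId: !Ref VpnEndpoint
      TargetNetworkCidr: !Ref VpcCidr
      AccessGroupId: !Ref AllowedGroupId
      Description: VPC access for members of AllowedGroupId only

Outputs:
  VpnEndpointId:
    Value: !Ref VpnEndpoint
  VpnSecurityGroupId:
    Value: !Ref VpnSecurityGroup
    Export:
      Name: !Sub ${AWS::StackName}-VpnSecurityGroupId
```

Deployed with `--stack-name client-vpn`, this template yields the `client-vpn-VpnSecurityGroupId` export used by the example above; the deploy command would additionally need `"AllowedGroupId=<Identity Center group ID>"` and, unless the defaults fit, `VpcCidr` and `ClientCidr` in its `--parameter-overrides`.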
Coded with ❤️ love from 🇮🇳 India for everyone by Syncloud Softech.