AWS Client VPN with AWS SSO authentication
AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client © Amazon
The complete solution works like this (from the user's perspective):
- The user opens the AWS VPN Client on their computer, picks the needed (pre-saved) VPN configuration profile and presses «Connect»
- A web browser opens and the user is redirected to the AWS SSO authentication page
- After successful authentication the user is connected to the VPC
Prerequisites:
- a configured AWS VPC
- AWS SSO enabled as the identity provider
- a public certificate created (requested) in AWS Certificate Manager; Client VPN uses it as the server certificate of the endpoint
- the official AWS Client VPN program downloaded and installed on your computer: https://aws.amazon.com/ru/vpn/client-vpn-download/
Note:
All the resources mentioned in this article should be in the same AWS region
1. Create and configure SSO Application
- Go to AWS SSO, pick the «Applications» tab and press the «Add new application» button
- Choose «Add a custom SAML 2.0 application»
- Scroll down to the «Application metadata» section and click «If you don't have a metadata file, you can manually type your metadata values.»
- Set «Application ACS URL» to http://127.0.0.1:35001 (the AWS VPN Client listens on this local address to receive the SAML response from the browser; if you also fill in «Application start URL», use the same value)
- Set «Application SAML audience» to: urn:amazon:webservices:clientvpn
- Press «Save changes»
- When the SSO application is created, go to «Attribute mappings» and add the following attribute mappings:
- attribute `Subject` maps to `${user:email}`, format `emailAddress`
- attribute `FirstName` maps to `${user:givenName}`, format `unspecified`
- attribute `memberOf` maps to `${user:groups}`, format `unspecified` (needed only if you want authorization rules scoped to an SSO group; AWS SSO sends group IDs, not group names, in this attribute)
- attribute `LastName` maps to `${user:familyName}`, format `unspecified`
- Assign the Users or UserGroup in the «Assigned users» tab
- Download the «AWS SSO SAML Metadata» file (AWS SSO application -> `Configuration` tab). It is needed in the next step.
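To see what the application and attribute mappings configured above actually produce, here is an added example (not code from the original article or from AWS) that parses a constructed, unsigned SAML Response and checks the audience, the ACS/recipient URL and the attribute names that AWS Client VPN expects. AWS verifies the signature and trust chain itself; this helper only inspects structure, which is useful when an SSO login succeeds in the browser but the VPN client still rejects the user, and it must never be used as an authentication decision on its own. The sample response, user and group ID below are constructed values.

```python
"""Structural check of a SAML assertion against what AWS Client VPN expects.

Added example, not code from the original article or from AWS. It parses a
constructed, unsigned SAML Response and verifies the audience, the ACS /
recipient URL and the attribute names the AWS SSO application is configured
to send. AWS checks the XML signature itself; this only helps debug
attribute-mapping mistakes and is NOT an authentication decision.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EXPECTED_AUDIENCE = "urn:amazon:webservices:clientvpn"
EXPECTED_ACS = "http://127.0.0.1:35001"          # local listener of the AWS VPN Client
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRIBUTES = ("FirstName", "LastName")  # memberOf is only needed for group rules

# Constructed sample (assumption: shape of a typical AWS SSO response, signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="http://127.0.0.1:35001">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="http://127.0.0.1:35001"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:amazon:webservices:clientvpn</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>99672b2925-2eab8fdb-efef-48c9-b49b-7351c376433b</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(xml_text):
    """Return the fields of the first Assertion in a SAML Response as a dict."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "subject": name_id.text if name_id is not None else None,
        "subject_format": name_id.get("Format") if name_id is not None else None,
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "recipient": scd.get("Recipient") if scd is not None else None,
        "attributes": attributes,
    }


def check_assertion(xml_text, required_group=None):
    """Return a list of problems; an empty list means the assertion matches."""
    info = parse_assertion(xml_text)
    problems = []
    if info["audience"] != EXPECTED_AUDIENCE:
        problems.append(f"audience is {info['audience']!r}, expected {EXPECTED_AUDIENCE!r}")
    if info["recipient"] != EXPECTED_ACS:
        problems.append(f"recipient is {info['recipient']!r}, expected {EXPECTED_ACS!r}")
    if info["subject_format"] != EMAIL_FORMAT:
        problems.append("Subject NameID format is not emailAddress")
    for name in REQUIRED_ATTRIBUTES:
        if name not in info["attributes"]:
            problems.append(f"missing attribute {name}")
    if required_group is not None:
        # Group-scoped authorization rules match on the SSO group ID sent in memberOf.
        if required_group not in info["attributes"].get("memberOf", []):
            problems.append(f"memberOf does not contain group {required_group}")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_RESPONSE))
    print(check_assertion(SAMPLE_RESPONSE, required_group="some-other-group-id"))
```

For anything that handles real SAML input, parse with a hardened parser (e.g. defusedxml) rather than the standard library, and validate the signature before trusting any field.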
2. Create IAM Identity provider
- Go to IAM -> Identity providers and click the «Add provider» button
- Choose the SAML type, name it, upload the «AWS SSO SAML Metadata» file and click «Add provider»
3. Create Client VPN endpoint
- Go to VPC -> Client VPN endpoints and click «Create Client VPN Endpoint»
- Name it
- Set Client IPv4 CIDR to the range clients will get their addresses from. It must NOT overlap your VPC CIDR (or any other network you will route through the VPN), and AWS requires a block between /22 and /12 (example: 100.100.0.0/22 for a VPC that lives in 10.0.0.0/16)
- Choose the Server certificate ARN (the certificate is created in AWS Certificate Manager and has to be in the same AWS region as the endpoint)
- Set `Authentication Options` to `Use user-based authentication` and `Federated authentication`. In `SAML provider ARN` choose the ARN of the IAM Identity provider created in step 2
- Set `Do you want to log the details on client connections?` to `Yes` or `No` depending on your needs (connection logs go to CloudWatch Logs and are your only record of who connected and when, so `Yes` is the sensible choice for anything beyond a test)
- Set `Do you want to enable Client Connect Handler?` to `Yes` or `No` depending on your needs
- Set Transport Protocol to UDP
- Check «Enable split-tunnel» (only the routes in the endpoint's route table are sent through the VPN; everything else, including internet traffic, stays on the user's normal connection)
- Pick your VPC id from select-box
- Assign the needed security group (by default the VPC's «default» one is picked); it is applied to the endpoint's network association, so the resources you want to reach must allow traffic from that group or from the client CIDR
- Set VPN port to 1194 (443 is the other allowed value and is more likely to get through restrictive corporate firewalls)
- Click button `Create Client VPN Endpoint` and Endpoint will be created with status `Pending-associate`
4. Create Association in Client VPN Endpoint
- Choose the Client VPN endpoint, click the «Associations» tab and click the «Associate» button
- Pick the VPC id, pick the subnet you want to have access through (look up the subnet id in VPC -> Subnets) and click `Associate`. Associating a subnet automatically adds a route for the VPC CIDR to the endpoint route table; an authorization rule (next step) is still required before any traffic flows
5. Add Authorization rule in Client VPN Endpoint
- Choose the Client VPN endpoint, click the «Authorization rules» tab and click «Add authorization rule»
- In `Destination network to enable access` set the IPv4 CIDR that clients should be able to reach, normally your VPC CIDR or one of its subnets (for example 10.0.0.0/16 if that is your VPC CIDR); this is a destination network, not the client CIDR from step 3
- Grant access to all users or only to a specific SSO group. For the second option you need to specify the SSO «Group ID» (taken from the group's page in AWS SSO; it is the ID, not the group name, and it is what the `memberOf` attribute mapping sends). An example value looks like: 99672b2925-2eab8fdb-efef-48c9-b49b-7351c376433b
- click `Add authorization rule`
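The three steps above (endpoint, association, authorization rule) only work together when the address plan is consistent: the client CIDR must not overlap the VPC, and a rule destination must be a network the endpoint routes to. Below is an added example (not code from the original article or from AWS) that checks such a plan before you click through the console; all CIDRs in it are constructed example values, and the only AWS rules it encodes are the /22 to /12 limit and the no-overlap requirement.

```python
"""Sanity-check the address plan of a Client VPN endpoint before creating it.

Added example, not code from the original article or from AWS. AWS requires
the client CIDR to be a block between /22 and /12 that does not overlap the
VPC CIDR or any network the endpoint routes to, and an authorization rule
only makes sense for a destination inside a routed network. All CIDRs used
below are constructed example values.
"""
import ipaddress


def _net(cidr):
    """Parse a CIDR strictly: host bits set usually means a typo."""
    return ipaddress.ip_network(cidr, strict=True)


def check_client_cidr(client_cidr, vpc_cidr, extra_routes=()):
    """Return problems with the client address range; [] means it is usable."""
    try:
        client = _net(client_cidr)
    except ValueError as exc:
        return [f"client CIDR {client_cidr!r} is not a valid network: {exc}"]
    problems = []
    if not 12 <= client.prefixlen <= 22:
        problems.append(f"client CIDR {client} must be between /12 and /22 (AWS limit)")
    candidates = [("VPC CIDR", vpc_cidr)] + [("route", r) for r in extra_routes]
    for label, cidr in candidates:
        other = _net(cidr)
        if client.overlaps(other):
            problems.append(f"client CIDR {client} overlaps {label} {other}")
    return problems


def check_authorization_rule(destination, routed_networks):
    """An authorization rule must lie inside a network the endpoint routes to."""
    dest = _net(destination)
    for cidr in routed_networks:
        if dest.subnet_of(_net(cidr)):
            return []
    return [f"authorization rule {dest} is not inside any routed network "
            f"({', '.join(routed_networks)})"]


def plan_endpoint(client_cidr, vpc_cidr, rule_destinations, extra_routes=()):
    """Run both checks. The VPC CIDR route is added automatically on association."""
    routed = [vpc_cidr, *extra_routes]
    problems = check_client_cidr(client_cidr, vpc_cidr, extra_routes)
    for dest in rule_destinations:
        problems += check_authorization_rule(dest, routed)
    return problems


if __name__ == "__main__":
    # Client range 100.100.0.0/22 works when the VPC lives elsewhere (10.0.0.0/16)...
    print(plan_endpoint("100.100.0.0/22", "10.0.0.0/16", ["10.0.0.0/16"]))
    # ...but not when the VPC itself is 100.100.0.0/16: the ranges overlap.
    print(plan_endpoint("100.100.0.0/22", "100.100.0.0/16", ["100.100.0.0/16"]))
```

With split-tunnel enabled, `routed` is exactly the set of networks the client will send through the VPN, so a rule destination outside it is unreachable even though the console accepts it.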
6. Propagate AWS VPN client config file to Users / Test it
- Select the Client VPN endpoint and press `Download client configuration` (an .ovpn file), then distribute it to the users who should be able to log into the VPC. With federated authentication the file contains the endpoint address and the CA certificate, not a per-user key, so the same file is used by every user
- To test the connection (and this is what you should instruct your users to do), download the AWS VPN Client: https://aws.amazon.com/ru/vpn/client-vpn-download/
- After installing the AWS VPN Client, open it and add a profile (File -> Manage Profiles): name the profile and point it at the .ovpn file from the previous step
- Once the profile is created in the AWS VPN Client you are good to go: press `Connect`, sign in on the AWS SSO page that opens in the browser, and the client connects
Troubleshooting
Error: Connection failed because of a TLS handshake error. Contact your IT administrator.
The solution is described in the AWS documentation: https://docs.aws.amazon.com/vpn/latest/clientvpn-user/windows-troubleshooting.html (see the `Certificate error` section).
Do not forget to recreate the profile in the AWS VPN Client with the updated .ovpn file