This module sets up an AWS Client VPN Endpoint for you. For those new to this service, AWS Client VPN is AWS' implementation of a VPN which natively integrates to their networking solutions. It follows the OpenVPN specification and can readily be connected to with the OpenVPN Client (which we recommend).
As with other VPN solutions, this one is used to gain secure access to a private network, in this case the private VPC subnets Opta provisioned for your environment. This means that when connected you should have the network access needed to locally connect to your databases, caches, pretty much all resources in your private network that are accepting traffic.
Adding VPN to your Environment
For most cases, it’s actually just adding a single line for the VPN module like so:
name: testing-vpn org_name: runx providers: aws: region: us-east-1 account_id: XXXXXXXXXX modules: - type: base - type: aws-vpn - type: k8s-cluster - type: k8s-base
For upcoming work, it’s best to place it just after the base module instead of at the end.
opta apply and you should be good to go!
Setting Up the Client
AWS VPN uses the OpenVPN client and the ovpn file format to set up the configuration for the connection profile. Opta
makes a default profile for you and stores it in an SSM parameter which you can fetch it from (refer to the
ovpn_profile_parameter_arn output). Simply fetch the value from this parameter, write it into a .ovpn file locally
and tell your OpenVPN client to import a new profile from said file.
Our VPN uses mTLS to handle the network encryption and validation of both the server and each client connecting to it. Opta creates a brand new Certificate Authority to provision the certs for both the servers and clients. As in larger companies it’s an important security consideration to revoke VPN access on a per-person use case, it’s highly recommended to generate a new client key/cert for each user. This can be done in the following steps (steps 2-5 will be repeated for each new user):
- Download the certificate and key of the CA created for your VPN. Again, we store them as SSM parameters whose
arns are the outputs
vpn_ca_key_parameter_arn. Name them
- Generate a new RSA key for your new client certificate like so
openssl genrsa -out "USER_NAME.tld.key" 2048
- Generate the certificate signing request like so
openssl req -new -key USER_NAME.tld.key -out USER_NAME.tld.csr
- Create the new certificate like so
openssl x509 -req -in USER_NAME.tld.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out USER_NAME.tld.crt -days 180 -sha256
- Done! Your new client certificate+key are stored in the files
To get the new OVPN profile, simply download the default one stored in SSM (
replace the contents of
<cert> DEFAULT_CERT_HERE </cert>
<key> DEFAULT_KEY_HERE </key>
with the new key and cert just created. Create a new OpenVPN profile from it and you’re done!
- You will actually get logs of the VPN activity sent to AWS Cloudwatch under a log group made just for the VPN logs (“opta-ENV_NAME-vpn-RANDOM_STRING”).
- You can monitor current connections from thr AWS console by going to the VPN endpoint resource.
- Note that the default client certificate and the one displayed above is set to expire after 2 years. This short lifetime is intentional due to the security risk of having a VPN profile be valid for too long.
- You will need to use certificate revocation lists to revoke individual certificates.
||The id of the VPC to deploy the vpn to||``||False|
||The arn of the kms key to use for encryption||``||False|
||The cidr block to use for provisiong client connections.||
||The public subnet ids to consider to do network association with.||``||False|
||The dns name of the vpn created|
||The arn of the SSM parameter holding the ovpn profile for this VPN|
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.