I Built a Client VPN in AWS by Following Adrian Cantrill's Video Series Tutorial, and This is What I Learned
Follow the steps in Adrian Cantrill's AWS Client VPN tutorial miniseries to build a Client VPN and view the long-awaited CATBREAD gif.
I built an AWS Client VPN by following Adrian Cantrill's AWS Client VPN tutorial miniseries. I learned quite a bit, including:
- The man is obsessed with cats, and I'm here for it
- A bunch of things about VPCs, VPNs, subnets, PKI, and more
You can find Adrian's AWS certificate training website at learn.cantrill.io. Since I'm a kinesthetic learner, I learn best from clicking around and just doing while researching, so I jumped into his tutorials. Perhaps this info will help you out!
I started working my way through each step in this tutorial, noting down my questions that arose as I built the AWS Client VPN in my AWS account.
My Research
Q: What is a VPN anyway, and what's the difference between a VPN and a client VPN? From top10vpn.com: a VPN is a service that creates a private tunnel within a public connection (e.g. the internet). VPN software allows its users to send and receive data transfers securely.
VPNs use different types of VPN protocols to encrypt web connections and make them private. What’s more, different versions of VPN software exist.
The four main types of VPN are:
- Remote access VPNs
- Personal VPN services
- Mobile VPNs
- Site-to-site VPNs
A client-based VPN (remote access VPN) is a virtual private network created between a single user and a remote network. There's often an application involved to make the connection. In most scenarios, the user manually starts the VPN client and authenticates with a username and password.
The AWS documentation states "AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client".
Then I researched some of the specific AWS terminology Adrian referenced in this tutorial:
Identity-based authentication vs. certificate-based authentication: From Yubico.com, username and password authentication is based only on what the user knows (the password), but certificate-based client authentication also leverages what the user has (the private key), in addition to what the user knows (the password guarding the private key). Your choice here determines which certificates you need to create for the Client VPN. Since Adrian uses identity-based authentication in this tutorial, the only certificate we need to create is a server certificate. The user will log in with a username and password we configure, along with some data that is provided via our AWS account.
SimpleAD: It's a type of directory that can be created under AWS Directory Service.
Directory DNS (as Adrian refers to it in this tutorial): He means the default DNS addresses that automatically get created when you create a SimpleAD directory in your AWS account.
Command Line Stuff (Time for some black screen/green text hacker realness)! The tutorial has you use the command line, in addition to an AWS CLI command, to create and save the server certificate. (Sidenote: I'm using macOS, but there are slight differences in this command line process for other operating systems.) First, he has you git clone https://github.com/OpenVPN/easy-rsa.git into a temporary folder on your computer.
Q: What is this OpenVPN easy-rsa code doing? easy-rsa 3 is an open source tool for managing PKI. I went to the GitHub repository for easy-rsa 3 to learn more. The overview in the readme states "easy-rsa is a CLI utility to build and manage a PKI CA. In laymen's terms, this means to create a root certificate authority, and request and sign certificates, including intermediate CAs and certificate revocation lists (CRL)." This had me asking a host of other questions.
Q: What is a PKI CA and how does it work? PKI stands for public key infrastructure. It's a system of processes, policies, and technologies that allow you to encrypt and sign data. PKI can issue digital certificates that securely authenticate users so they can log into VPNs, Wi-Fi, and MFA supported services. An interesting fact from thesecmaster.com: "A common example of PKI security is the SSL certificate on websites. It is to ensure visitors that they are sending information to the intended recipient and their data will be encrypted." PKI certificates are used for authentication and are commonly used to sign documents, code, or email. A PKI certificate will:
- Verify the identity of the sender or receiver of an electronic message.
- Provide ways to encrypt and decrypt the message between the sender and the receiver.
Here are some of the most common fields in PKI certificates:
- Serial Number: Used to identify the certificate uniquely within a CA's system. Specifically, it is used to track revocation information.
- Issuer: The entity that validates the information and signs certificates.
- Subject: The entity to which the certificate belongs, such as an individual, a machine, or an organization.
- Not Before: The earliest date and time on which a certificate is valid. Generally set to a few hours or days before the certificate was issued to avoid clock skew problems.
- Not After: The date and time when the certificate is no longer valid.
- Public Key: The key that belongs to the certificate subject.
- Key Usage: The valid cryptographic uses of the certificate's public key. Common values include key encipherment, digital signature validation, and certificate signing.
- Extended Key Usage: The applications in which the certificate may be used, such as email protection, TLS server authentication, and code signing.
- Signature: The body of the certificate is hashed, and then the hash is encrypted with the issuer's private key.
- Signature Algorithm: Contains an encryption algorithm and a hashing algorithm. For example, "sha256RSA", where RSA is the encryption algorithm and sha256 is the hashing algorithm.
After Adrian guides you through creating the PKI outputs (the certificate, private key, and certificate chain) using this feature in easy-rsa 3, now comes the AWS command line part:
aws acm import-certificate --certificate fileb://pki/issued/server.crt --private-key fileb://pki/private/server.key --certificate-chain fileb://pki/ca.crt --profile iamadmin-general
Q: What exactly is this AWS command doing? It takes the server certificate, its private key, and the CA certificate chain you just created with easy-rsa in a temp folder on your local machine and imports them into AWS Certificate Manager in your AWS account. Certificate Manager is regional, so if this step didn't work for you when following along with the tutorial, try again with the correct region selected (Adrian suggests the North Virginia region).
Q: What are the Client VPN endpoints? From the AWS documentation, "All client VPN sessions terminate at the Client VPN endpoint. You configure the Client VPN endpoint to manage and control all client VPN sessions." Client VPN/remote VPN endpoints are often referred to as remote devices such as laptops, smartphones and tablets, but in this tutorial, they are DNS addresses provided upon setting up the SimpleAD.
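Before running the import command above, it is worth checking that the easy-rsa outputs actually fit together: the server certificate must chain to ca.crt and must carry the TLS Web Server Authentication extended key usage from the field list above. The shell functions below are an added example, not part of Adrian's tutorial or of easy-rsa; make_demo_pki builds a throwaway CA, server and client certificate with the openssl CLI as a constructed stand-in for the pki/ tree easy-rsa produces, and check_server_cert performs the check (all file names and paths are assumptions).

```shell
# Added example (not from the tutorial): sanity-check easy-rsa style outputs
# before handing them to "aws acm import-certificate". Needs the openssl CLI.

# Constructed stand-in for easy-rsa's pki/ tree: a throwaway CA, one server
# certificate (serverAuth EKU) and one client certificate (clientAuth EKU).
make_demo_pki() {
  d="$1"; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3 -subj "/CN=Demo Client VPN CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  for name in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  done
  printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$d/server.ext"
  printf 'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
  for name in server client; do
    openssl x509 -req -days 3 -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -extfile "$d/$name.ext" -out "$d/$name.crt" 2>/dev/null
  done
}

# Return 0 if certificate $2 chains to the CA in $1 and is marked for TLS
# server authentication; otherwise print the reason and return 1.
check_server_cert() {
  ca="$1"; cert="$2"
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "$cert: does not chain to $ca"; return 1
  fi
  if ! openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null \
       | grep -q 'TLS Web Server Authentication'; then
    echo "$cert: missing serverAuth extended key usage"; return 1
  fi
  echo "$cert: OK"
}

# Print the fields discussed above: serial, issuer, subject, validity window,
# key usage / extended key usage and the signature algorithm.
show_cert_fields() {
  openssl x509 -in "$1" -noout -serial -issuer -subject -dates \
    -ext keyUsage,extendedKeyUsage
  openssl x509 -in "$1" -noout -text | grep 'Signature Algorithm' | head -n 1
}

# Stand-alone demo: the server cert passes, the client cert is rejected.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_server_cert "$demo_dir/ca.crt" "$demo_dir/server.crt"
check_server_cert "$demo_dir/ca.crt" "$demo_dir/client.crt" || true
show_cert_fields "$demo_dir/server.crt"
```

With real easy-rsa output you would call check_server_cert pki/ca.crt pki/issued/server.crt from the easy-rsa folder; a failure here is a cheaper place to find a mismatch than an ACM import error.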
Q: In the tutorial, Adrian mentions a CIDR (pronounced like Cider). What is a CIDR? CIDR stands for Classless Inter-Domain Routing. It is a method for allocating IP addresses and IP routing. A collection of Internet Protocol (IP) standards is used to create unique identifiers for networks and individual devices (aka VPN endpoints). The IP addresses allow the transmission of unique packets of information to specific computers/endpoints.
Q: What is a DNS Server? A DNS server is a computer server that contains a database of public IP addresses and their associated hostnames, and in most cases serves to resolve, or translate, those names to IP addresses as requested. DNS servers run special software and communicate with each other using special protocols.
Q: In the tutorial, Adrian mentions Split Tunnel VPN. What is this? Split tunneling is a VPN feature that divides your internet traffic and sends some of it through an encrypted virtual private network (VPN) tunnel, but routes the rest through a separate tunnel on the open network. Typically, split tunneling will let you choose which apps to secure and which can connect normally.
Q: Can an external client connect to this VPN via their local port 443 or 1194? I tried this during my friend's test (read really cool details about it below) and found it didn't work. My friend had to download the AWS Client VPN app and navigate to the CATWEB EC2 instance Private IPv4 address (yea, CATWEB. You should definitely read exciting details about this test below).
Q: What is a subnet? A subnet, or subnetwork, is a network inside a network. Subnets make networks more efficient. Through subnetting, network traffic can travel a shorter distance without passing through unnecessary routers to reach its destination. Adrian has you configure a private subnet in this tutorial in your AWS account.
Q: In the tutorial, Adrian guides you to ping the IP address associated with the Client VPN in your terminal. What is pinging an IP address, exactly? When you "ping" an IP address, you're using the ping command-line utility to send a small amount of data to it to see if it's reachable. He shows an example of it not being reachable, showing a 'timeout' response (prior to properly accessing it), and then juxtaposes that with an example of what it looks like when it's reachable.
Q: Part of the 1-click quick-create link for this tutorial creates an EC2 instance. What is that? It's essentially a virtual server. From the documentation, Amazon EC2, or Amazon Elastic Compute Cloud (Amazon EC2), "...provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic." For reference, the EC2 instance that Adrian has you create is automatically labelled 'CATWEB' (I told you he was obsessed with cats)!
My Test
Now for the fun part. Now that I've built the Client VPN in my AWS account, my friend in a completely different city than me should be able to follow the below steps to connect to the Client VPN to see the long-awaited CATBREAD gif (a must see). I had my friend way up North in Seattle test it, and yes, it works!
- Navigate to the client user interface portal at https://self-service.clientvpn.amazonaws.com/
- Enter the client VPN endpoint ID that appears in my AWS account client VPN endpoints screen for this Client VPN we created.
- Then, they should simply enter the username and password that I configured in my AWS account. Once logged into the AWS Client VPN Self-Service Portal, they should:
- Download the VPN client configuration file for the endpoint
- Download the AWS Client VPN app for desktop based on their local OS
- The app should prompt them to upload the VPN client configuration file they just downloaded, and may prompt them to log in again
- Open a new browser window and copy and paste in the CATWEB EC2 instance Private IPv4 address. (In the tutorial, Adrian has you navigate to one of the DNS addresses that appeared as default in your AWS SimpleAD (directory service console) but in my test, this only worked locally. My friend had to enter the CATWEB EC2 instance Private IPv4 address.)
- They should see the long-awaited CATBREAD gif that Adrian has programmed into the Client VPN!
I sincerely hope this information helped you in your quest for knowledge. As always, keep on hacking for good!