The downside of this approach is that knowledge and hardware is needed to setup this connection. What if there are resource constraints (be it knowledge or financial) that do not allow to maintain such a connection? Then AWS Client VPN comes into play. In this blog, I will show you how to set up the WSO2 Identity Server as an Identity Provider to use for authentication with AWS Client VPN
AWS Client VPN
AWS also offers a Client VPN Endpoint that can be setup within an AWS Account. This allows end users to download a VPN Client and create an on-demand connection to AWS. Until recently, the authorization methods were limited to either using a shared certificate or Active Directory. However, now AWS has added the feature to use a federated SAML2 Identity Provider for authentication, it became attractive to start using it.
By default, WSO2 Identity Server (KM) is deployed for API and full Connext stacks. The product allows to configure a SAML2 Service Provider in an easy way, thus enabling the use of a connected userstore for AWS Client VPN. Although AWS doesnāt support WSO2 Identity Server (IS) out of the box, I have succeeded in setting up the integration and will show you how to set this up yourself in this blog. I will first dive into setting up the federated IDP, then the Client VPN. Finally, I will show you how to connect to the VPN Endpoint and(, as a next step,) how to authorize based on user role.
Setting up
Create a Service Provider in WSO2 IS (KM)
In the carbon console of your WSO2 IS (KM) go to āService providersā and add a new one. Give it a name (e.g. aws-clientvpn) and click register.
Configure SAML2 SSO for Inbound Authentication and configure as shown in figure 1.
| Issuer | urn:amazon:webservices:clientvpn |
| ACS | For client VPN add: http://127.0.0.1:35001 For self-service portal add: https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml |
| Enable | Attribute profile + include attributes in response always |
| Disable | Signature Validation in Authentication Requests and Logout Requests |
When the SAML configuration is set, also make sure the right claims are being sent along with the SAML response, by setting the claim configuration.
Persist all the changes in the console first and then go back to the SAML settings and click on the āDownload IDP Metadataā button. Remember the location of the downloaded file.
Create Identity Provider in AWS
Go to the IAM console inside AWS, select āIdentity Providersā. Select SAML, name the IDP and select the metadata file that was downloaded in the previous step.
This will result in the IDP being setup for AWS. If you go to the created IDP, youāll see a screen similar to the one below.
VPN Endpoint Prerequisites
ACM Certificate
Go to the ACM console in AWS, request a certificate and use the verification steps (either DNS or email) to get AWS to issue the certificate. An issued certificate is required to setup the Client VPN Endpoint.
Security Group
Users connecting to the Client VPN Endpoint will have a security group applied to the incoming connection. Using the security group, you can setup inbound/outbound rules to determine the access for the incoming VPN connections. The security group will be referenced during the setup of the Client VPN Endpoint.
(Optional) Cloudwatch log group / stream
Optionally the Client VPN endpoint allows setting up logging to Cloudwatch. This will send connection-related logging, displaying login attempts with metadata. See the example log excerpt to get an idea of what is logged.
{ "connection-log-type": "connection-attempt", "connection-attempt-status": "successful", "connection-attempt-failure-reason": "NA", "connection-id": "cvpn-connection-0d00000000000000", "client-vpn-endpoint-id": "cvpn-endpoint-0d00000000000000", "transport-protocol": "udp", "connection-start-time": "2020-12-01 07:49:31", "connection-last-update-time": "2020-12-01 07:49:31", "client-ip": "10.254.240.2", "username": "user@email.com", "device-ip": "1.1.1.1", "port": "54205", "ingress-bytes": "0", "egress-bytes": "0", "ingress-packets": "0", "egress-packets": "0", "connection-end-time": "NA", "connection-duration-seconds": "0" } |
Client VPN endpoint
In the VPC Console of AWS, go to Client VPN Endpoints and create a new Client VPN Endpoint.
| Client IPv4 CIDR | Supply a CIDR that will be used to assign IPs to connecting clients. Please make sure it does not overlap with your VPC or local networks.
For now, we use 10.254.240.0/22 |
| Server certificate ARN | Select the ARN of the certificate you have created in the ACM console |
| Authentication Options | Select āUse user-based authenticationā Select āFederated authenticationā |
| SAML provider ARN | Select the IDP you have created in the IAM console |
| Self-service SAML provider ARN | Select the IDP you have created in the IAM console |
| Connection Logging | If you have created the CloudWatch log group/stream in the previous steps select āYesā and then supply them as options, otherwise select āNoā |
| Client Connect Handler | For now, select āNoā |
| Optional parameters | Enable Split tunnel to not send all client traffic over the tunnel (This pushes the required routes to the client routing table)
Select your VPC for VPC ID |
Create the endpoint using the table above for the required configuration. Upon creation the VPN endpoint has to be provisioned which takes some time, when ready it will mention that it is waiting on association the endpoint.
Create associations for all the subnets that should be reachable by VPN users in the āAssociationsā tab.
Also make sure to create an Authorization for the CIDRs that should be reachable by the VPN users. While authorizing, you get the option to allow access to a certain group only, for now select āall usersā.
Setting up the Client
In the summary tab the URL for the self-service portal will be displayed when the VPN Endpoint is fully provisioned. This URL can be used to hand over to the envisioned client VPN users. Browsing to the URL will trigger a SAML authentication request and requires the user to login to the federated IDP. Upon return the user is logged in to the self-service portal and from there download the AWS Client VPN software and the configuration file (VPN profile) for setting up the connection. Download and install the client first and then go back to the self-service portal to download the VPN configuration file.
Due to a bug in the VPN configuration file that is being generated, it must be modified before use. If you forget to do that, a SSL handshake error will be displayed. The fix is simple: remove the 3rd certificate in the CA chain and save the file. Startup the client, use the menu bar for āManage Profilesā and add the VPN profile. Click āConnectā and it will open your default browser and browses to the login page of the federated IDP.
Upon successful authentication the VPN will setup the connection and add required routing configuration to your local machine.
Authorization
Remember the authorization configuration we made earlier in the VPN Endpoint configuration? Now itās time to alter that a bit to ensure we only allow users that have the right role to be able to connect to specific parts of the network.
As an example, we remove the authorization for all users and only allow a specific role access to the private network. You will have to have the role to access the IPs in the destination CIDR.
Conclusion
Setting up AWS Client VPN endpoint, instead of the traditional Site to Site IPSec VPN, is a good alternative for users to setup a VPN connection to their Connext Platform.
The solution allows the users to connect to the internal network and therefore use the WSO2 management consoles. It however does not allow for secure connectivity between the WSO2 products and the customerās on-premise network. The solution also allows setting up authorization for specific user roles to specific parts of the AWS network.
Do you want to learn more about the Connext Platform? Read one of our Connext case studies!
