How to run AWS Client VPN with Multi Factor Authentication

In the previous post, I introduced AWS Client VPN with Simple AD. In May 2020, AWS added SAML-based federated authentication to Client VPN. In this post I walk through the simplest deployment of AWS Client VPN with SAML federation, using Okta as the identity provider.

What you can achieve after reading this post

  • Basic setup of Okta to integrate with AWS Client VPN
  • Basic setup of AWS Client VPN using SAML federation

What is the expected result

  • User management in Okta, rather than in AWS or a separate AD
  • Multi-factor authentication on AWS Client VPN, enforced by Okta at sign-in
  • Managed client VPN access to your VPC environment

Walkthrough chart

  1. Generate a CA, server certificate and key with easy-rsa, and import them into ACM
  2. Deploy the test AWS resources (Terraform files linked here)
  3. Setup Okta to integrate with AWS Client VPN
  4. Deploy AWS Client VPN Endpoint
  5. Install AWS-provided client onto PC and test
  6. Delete all test resources.

1. Generate Certificate and Keys

You need a CA and a server certificate/key for the Client VPN endpoint. With federated (SAML) authentication no client certificate is required, so only the server certificate is generated here. You can follow the official steps here.

 # Clone easy-rsa and initialise an empty PKI
 git clone https://github.com/OpenVPN/easy-rsa.git
 cd easy-rsa/easyrsa3
 ./easyrsa init-pki
 # Create the CA (no passphrase on the CA key; fine for a lab, not for production)
 ./easyrsa build-ca nopass
 # Issue the server certificate and key used by the Client VPN endpoint
 ./easyrsa build-server-full lab_server nopass
 # Collect the three files ACM needs: server cert, server key, CA chain
 mkdir ~/temp_folder
 cp pki/ca.crt ~/temp_folder/
 cp pki/issued/lab_server.crt ~/temp_folder/
 cp pki/private/lab_server.key ~/temp_folder/
 cd ~/temp_folder/

Once they are generated, import them into AWS Certificate Manager (ACM). Note that the certificate must be imported in the region where you will create the Client VPN endpoint; ACM certificates are regional.

aws acm import-certificate --certificate file://lab_server.crt --private-key file://lab_server.key --certificate-chain file://ca.crt --region us-east-1

If the command returns a CertificateArn, the certificate and key were imported successfully. Keep that ARN; you will select it as the server certificate in step 4. The private key in ~/temp_folder is no longer needed once the import succeeds, so delete it rather than leaving it on disk.


2. Deploy test AWS resources

I have prepared Terraform files here for you to set up the lab resources. Once you apply the configuration, it will create the following resources in your environment:

  • 1x VPC
  • 1x t2.micro EC2 instance running Ubuntu 18.04 with a preloaded web server

Please change the parameters as needed, especially those in providers.tf, to fit your environment.


3. Setup Okta to integrate with AWS Client VPN

If you don’t have Okta, you can start a free trial here.

First, create an AWS Client VPN integration. Click “Applications”, then select “Create New App”.

Then change the settings of the AWS Client VPN app as in the image below:

This step is optional, but if you want MFA, add a sign-on rule for the app that prompts the user for a second factor. Without this rule the SAML login alone is accepted and the VPN is effectively single-factor.

Next, create a user in Okta. You need to assign the AWS Client VPN app to this user, either individually or via a group. If you plan to restrict VPN access per group later, the group names Okta sends in the SAML assertion are what the endpoint’s authorization rules match against.

In AWS, go to IAM > Identity providers and create a SAML provider for Okta, using the IdP metadata XML provided by the Okta app. The provider ARN is needed when creating the endpoint.


4. Deploy AWS Client VPN Endpoint

In the Create Client VPN Endpoint wizard, you need to specify a client IPv4 CIDR. It must not overlap with your VPC CIDR (or any network you route to through the VPN), and its block size must be between /12 and /22.

  • Server certificate ARN … Select the ARN you received in step 1.
  • Authentication Options … Select “Use user-based authentication” > “Federated authentication”
  • SAML provider ARN … Select the identity provider ARN (Okta) you created in the previous step.
  • Enable split-tunnel … Enable. With split-tunnel, only routes for the VPC go through the VPN; without it, all of the client’s traffic (including internet traffic) is sent through the endpoint.

Once the endpoint is created, it needs to be associated with a subnet. Select the VPN endpoint and click “Associate”. Note that billing for the endpoint starts as soon as it is associated with a subnet.

  • VPC … VPC you want to use this VPN Endpoint in
  • Subnet … Subnet you want to use this VPN Endpoint in

Now it’s associated with the subnet. The last step is to authorize access to network resources from VPN clients. You can grant fine-grained access to specific destination CIDRs based on user groups in Okta (each rule names a destination CIDR and either an access group or all users), but I simply “Allow access to all users” for now.
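To make the authorization-rule behaviour concrete, here is an added example (not AWS’s or Okta’s code) that models how the endpoint decides whether a federated user may reach a destination. It parses a constructed, unsigned SAML assertion of the shape an IdP sends to Client VPN (a NameID plus a multi-valued memberOf attribute, which is the attribute name Client VPN reads for group-based rules) and evaluates a small rule table: a destination is reachable if some rule’s CIDR contains it and that rule either allows all users or names a group the user belongs to. The group names, CIDRs and user are made up; signature validation is deliberately out of scope, since the endpoint does that before any rule is consulted.

```python
"""Model of AWS Client VPN authorization rules against SAML group membership.

Added example, not AWS's or Okta's code. Assumptions: the assertion below is
constructed (unsigned, fake values); the rule table mirrors what you would
enter in the console as "Destination network" plus "Allow access to users in a
specific access group" / "Allow access to all users".
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: NameID (e-mail) plus the attributes Client VPN
# expects from the IdP. "memberOf" is the one used for group-based rules.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>vpn-users</saml:AttributeValue>
      <saml:AttributeValue>devops</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass(frozen=True)
class Rule:
    """One authorization rule: destination CIDR and the access group it allows."""
    cidr: str
    group: Optional[str]  # None means "Allow access to all users"


# Hypothetical rule table for the lab VPC (10.0.0.0/16 assumed).
RULES = [
    Rule("10.0.1.0/24", None),       # shared subnet: everyone who can log in
    Rule("10.0.2.0/24", "devops"),   # only members of the Okta group "devops"
    Rule("10.0.3.0/24", "finance"),  # only members of "finance"
]


def parse_assertion(xml_text: str) -> tuple[str, frozenset[str]]:
    """Return (NameID, set of memberOf values) from an assertion.

    Raises ValueError if there is no NameID, since the endpoint cannot
    identify a user without one. A missing memberOf is not an error: the
    user simply has no groups and only "all users" rules will match.
    """
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    groups = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != "memberOf":
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.add(value.text.strip())
    return name_id.text.strip(), frozenset(groups)


def is_authorized(groups: Iterable[str], dst_ip: str, rules: Iterable[Rule]) -> bool:
    """True if any rule covers dst_ip and applies to the user's groups."""
    ip = ipaddress.ip_address(dst_ip)
    group_set = set(groups)
    for rule in rules:
        if ip not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        if rule.group is None or rule.group in group_set:
            return True
    return False  # no matching rule: the endpoint drops the traffic


if __name__ == "__main__":
    user, groups = parse_assertion(SAMPLE_ASSERTION)
    for dst in ("10.0.1.10", "10.0.2.10", "10.0.3.10", "192.168.1.1"):
        print(f"{user} ({', '.join(sorted(groups))}) -> {dst}: "
              f"{'allow' if is_authorized(groups, dst, RULES) else 'deny'}")
```

Two things the example makes visible that the console does not: a user whose assertion carries no memberOf attribute (for example because the Okta attribute statement was not configured) still gets through every “all users” rule, and a destination outside every rule’s CIDR is denied regardless of group, so forgetting a rule looks like a connectivity problem rather than an authorization error.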


5. Install AWS-provided client onto PC and test

You can download the client configuration file from the AWS console.

Download the AWS-provided VPN client from here and install it on your PC. Previously I used Tunnelblick, but it does not seem to work with federation as of June 2020. Federated authentication needs a client that hands the sign-in off to a browser and then receives the SAML response back, which is what the AWS-provided client does.

After you have installed the AWS-provided VPN client, follow the manual to import the downloaded VPN config.

Once you click “Connect”, the client automatically opens your default web browser and displays the Okta authentication page.

If you didn’t enable MFA, you will be connected to AWS now. If you do have MFA enabled in Okta, it will prompt you to either:

  1. Set up MFA on the spot, if this is the user’s first time connecting
  2. Enter the MFA token

If everything goes well, the browser shows “Authentication details received, processing details. You may close this window at any time”, and you should be able to reach the internal web server directly from your PC.

2 Replies to “How to run AWS Client VPN with Multi Factor Authentication”

  1. First off, thank you for this great tutorial. I had never considered using a third-party source for MFA, like Okta. Thank you for the fresh perspective.

    MFA is super important for the company and ideally I would like to find a solution that is able to use the existing AWS SimpleAD Ldap Authentication so that users don’t need to use a different login or are required to have an AWS login. Is this possible to do using Okta? Is there perhaps a different solution than Okta that might work for this?

    Thanks again for the great tutorial.

    1. Thanks for your words, glad to hear it worked well.
      Regarding your question: unfortunately Simple AD doesn’t support MFA, as stated in its service description, so you need to use a different ID management service if you need MFA. You can use either AWS Managed Microsoft AD or any other IDaaS (e.g. Okta) to provide MFA.
