The setup from "Using AWS Client VPN with federation authentication" cannot be used on iOS or Android, so here we create a mutual-authentication (certificate) connection for OpenVPN Connect instead.
The resources referenced below are the ones created in "Using AWS Client VPN with federation authentication".
ec2_client_vpn_endpoint.tf

```hcl
resource "aws_ec2_client_vpn_endpoint" "example_mutual_auth" {
  client_cidr_block      = "192.168.16.0/22"
  description            = "use tcp"
  dns_servers            = [
    "1.1.1.1",
    "8.8.8.8",
  ]
  self_service_portal    = "enabled"
  server_certificate_arn = data.aws_acm_certificate.select.arn
  # split_tunnel = false sends all client traffic through the VPN
  # (together with the 0.0.0.0/0 routes below).
  split_tunnel           = false
  tags = {
    Name = "example-vpn-mutual-authentication"
  }
  transport_protocol = "tcp"

  # Mutual authentication: clients present a certificate that must chain to
  # this root. Reusing the server certificate ARN works only when the client
  # certificates are issued by the same CA as the server certificate.
  authentication_options {
    root_certificate_chain_arn = data.aws_acm_certificate.select.arn
    type                       = "certificate-authentication"
  }

  connection_log_options {
    enabled               = true
    cloudwatch_log_group  = aws_cloudwatch_log_group.client_vpn.name
    cloudwatch_log_stream = aws_cloudwatch_log_stream.client_vpn.name
  }
}

resource "aws_ec2_client_vpn_network_association" "example_mutual_auth_assoc" {
  for_each               = var.vpn_client_nat_route_assoc
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.example_mutual_auth.id
  subnet_id              = aws_subnet.client_vpn[each.key].id
  security_groups        = [aws_security_group.client_vpn_2.id]
}

# Certificate authentication has no user groups, so authorize_all_groups is
# required; every client holding a valid certificate gets this rule.
resource "aws_ec2_client_vpn_authorization_rule" "example_mutual_auth_authorization" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.example_mutual_auth.id
  target_network_cidr    = "0.0.0.0/0"
  authorize_all_groups   = true
}

resource "aws_ec2_client_vpn_route" "example_mutual_auth_route_1a" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.example_mutual_auth.id
  destination_cidr_block = "0.0.0.0/0"
  target_vpc_subnet_id   = aws_subnet.client_vpn["private-1a"].id
}

resource "aws_ec2_client_vpn_route" "example_mutual_auth_route_1c" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.example_mutual_auth.id
  destination_cidr_block = "0.0.0.0/0"
  target_vpc_subnet_id   = aws_subnet.client_vpn["private-1c"].id
}
```
In the connection configuration file, prefix the `remote` hostname with `*.` (on Android, use `asdfg.` instead).
mutual-auth-config.ovpn

```text
client
dev tun
proto tcp
# Endpoint hostname prefixed with "*." (use "asdfg." on Android)
remote *.cvpn-endpoint-xxxxxxxxxxxx.xxxxx.clientvpn.ap-northeast-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
# Only accept a peer certificate issued for server use
remote-cert-tls server
cipher AES-256-GCM
verb 3
# The inline <ca>, <cert> and <key> blocks for the client certificate and
# private key follow here; they are omitted from this listing.
```
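As an added example (not from the original post), a small Python helper that applies the remote-prefix rule described above to the profile AWS downloads and reports which directives a mutual-authentication profile still lacks. The sample profile, the placeholder certificate block and the platform-to-prefix table are constructed here from this page's values.

```python
import re

# Constructed sample: shape of the profile downloaded from a
# certificate-authentication endpoint, with only a placeholder <ca> block.
SAMPLE_CONFIG = """client
dev tun
proto tcp
remote cvpn-endpoint-xxxxxxxxxxxx.xxxxx.clientvpn.ap-northeast-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

# Prefix per platform, as used on this page ("*." on iOS, "asdfg." on Android).
PREFIX = {"ios": "*.", "android": "asdfg."}

# Matches only the "remote <host> <port>" line, not remote-random-hostname
# or remote-cert-tls, because those have no whitespace after "remote".
REMOTE_RE = re.compile(r"^remote\s+(\S+)\s+(\d+)\s*$", re.MULTILINE)


def prefix_remote(config: str, platform: str) -> str:
    """Return the profile with the endpoint hostname prefixed for the platform."""
    prefix = PREFIX[platform]

    def repl(m):
        host, port = m.group(1), m.group(2)
        if host.startswith(prefix):
            return m.group(0)  # already prefixed; idempotent
        return f"remote {prefix}{host} {port}"

    return REMOTE_RE.sub(repl, config)


def missing_for_mutual_auth(config: str) -> list:
    """Directives and inline blocks a mutual-auth profile needs but lacks."""
    # remote-cert-tls server rejects a peer presenting a mere client certificate;
    # <ca>, <cert>, <key> carry the CA, client certificate and private key.
    required = ["remote-cert-tls server", "<ca>", "<cert>", "<key>"]
    lines = {line.strip() for line in config.splitlines()}
    return [needle for needle in required if needle not in lines]
```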