「AWS Client VPN[Federation authentication]を使用する」の構成ではiOSやAndroidから接続できないため、OpenVPN Connect向けに相互認証（クライアント証明書認証）による接続を作成する。
参照するリソースは「AWS Client VPN[Federation authentication]を使用する」で作成したものを使用する。
ec2_client_vpn_endpoint.tf
# Server certificate of the Client VPN endpoint: the newest ISSUED,
# Amazon-issued ACM certificate for xxxxxx.com. The client profile pins
# this same name with `verify-x509-name xxxxxx.com name`, so the two must agree.
data "aws_acm_certificate" "server" {
  domain      = "xxxxxx.com"
  types       = ["AMAZON_ISSUED"]
  statuses    = ["ISSUED"]
  most_recent = true
}
# Client root certificate chain for certificate-authentication: the newest
# ISSUED certificate imported into ACM for client1.domain.tld, narrowed by tag
# so that a re-import with the same domain is not picked up by accident.
data "aws_acm_certificate" "client1" {
  domain      = "client1.domain.tld"
  types       = ["IMPORTED"]
  statuses    = ["ISSUED"]
  most_recent = true

  tags = {
    Authentication = "client-certificate-base"
  }
}
# Client VPN endpoint authenticated by client certificates (mutual TLS) over TCP.
# Full tunnel (split_tunnel = false): all client traffic, including DNS to the
# listed public resolvers, is sent through the VPN. Connection logging to
# CloudWatch is on so connect/disconnect events can be audited.
resource "aws_ec2_client_vpn_endpoint" "example_mutual_auth" {
  description            = "use tcp"
  transport_protocol     = "tcp"
  client_cidr_block      = "192.168.16.0/22"
  dns_servers            = ["1.1.1.1", "8.8.8.8"]
  split_tunnel           = false
  server_certificate_arn = data.aws_acm_certificate.server.arn
  # NOTE(review): the self-service portal is documented for SAML/federated
  # authentication; confirm it is honored on a certificate-authentication endpoint.
  self_service_portal = "enabled"

  # Clients must present a certificate that chains to this root. Certificate
  # authentication carries no user or group identity, so authorization rules
  # for this endpoint cannot be scoped by group.
  authentication_options {
    type                       = "certificate-authentication"
    root_certificate_chain_arn = data.aws_acm_certificate.client1.arn
  }

  connection_log_options {
    enabled               = true
    cloudwatch_log_group  = aws_cloudwatch_log_group.client_vpn.name
    cloudwatch_log_stream = aws_cloudwatch_log_stream.client_vpn.name
  }

  tags = {
    Name = "example-vpn-mutual-authentication"
  }
}
# One target-network association per key of var.vpn_client_nat_route_assoc
# (each key must also be a key of aws_subnet.client_vpn). The security group
# is applied to all client traffic entering the VPC through this endpoint,
# so it is the primary place to restrict what connected clients can reach.
resource "aws_ec2_client_vpn_network_association" "example_mutual_auth_assoc" {
  for_each = var.vpn_client_nat_route_assoc

  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.example_mutual_auth.id
  subnet_id              = aws_subnet.client_vpn[each.key].id
  security_groups        = [aws_security_group.client_vpn_2.id]
}
# Authorize every connected client for every destination. authorize_all_groups
# is the only form available here, because certificate authentication has no
# group identity to filter on, and 0.0.0.0/0 is what a full-tunnel endpoint
# needs. Reach into the VPC is therefore bounded by the association's
# security group and the VPC routing, not by this rule.
resource "aws_ec2_client_vpn_authorization_rule" "example_mutual_auth_authorization" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.example_mutual_auth.id
  authorize_all_groups   = true
  target_network_cidr    = "0.0.0.0/0"
}
# Default route for client traffic via the private-1a subnet. The subnet must
# be associated with the endpoint (see the network association), otherwise
# the route cannot be created.
resource "aws_ec2_client_vpn_route" "example_mutual_auth_route_1a" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.example_mutual_auth.id
  target_vpc_subnet_id   = aws_subnet.client_vpn["private-1a"].id
  destination_cidr_block = "0.0.0.0/0"
}
# Second default route via the private-1c subnet, giving the full tunnel an
# egress path in a second availability zone. Same association requirement
# as the 1a route.
resource "aws_ec2_client_vpn_route" "example_mutual_auth_route_1c" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.example_mutual_auth.id
  target_vpc_subnet_id   = aws_subnet.client_vpn["private-1c"].id
  destination_cidr_block = "0.0.0.0/0"
}
クライアントVPNエンドポイントの設定ファイルをダウンロードし、次のように編集する。
mutual-auth-config.ovpn
# OpenVPN Connect profile for the certificate-authentication endpoint.
# proto tcp / port 443 matches transport_protocol = "tcp" on the endpoint.
client
dev tun
proto tcp
remote cvpn-endpoint-xxxxxxxxxxxx.xxxxx.clientvpn.ap-northeast-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
# Require the server certificate to carry the TLS server role, so a client
# certificate issued by the same CA cannot be presented as the server.
remote-cert-tls server
cipher AES-256-GCM
verb 3
# Trust anchors used to verify the server certificate (the Amazon-issued
# chain shipped in the downloaded profile).
<ca>
-----BEGIN CERTIFICATE-----
Amazon Root CA 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Starfield Services Root Certificate Authority - G2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Starfield Services Root Certificate Authority - G2
-----END CERTIFICATE-----
</ca>
# NOTE(review): `ca` is given a second time below. OpenVPN keeps a single
# `ca` value, so this later block presumably replaces the Amazon chain above
# and the server certificate is then checked against a different anchor than
# the downloaded profile provided — confirm this is intended.
<ca>
-----BEGIN CERTIFICATE-----
server_certificate_arnで指定している証明書
-----END CERTIFICATE-----
</ca>
# Client certificate presented for mutual authentication; it must chain to
# the root uploaded as root_certificate_chain_arn on the endpoint.
<cert>
-----BEGIN CERTIFICATE-----
root_certificate_chain_arnで指定している証明書
-----END CERTIFICATE-----
</cert>
# Private key matching the certificate in <cert>. NOTE(review): the
# placeholder below names the key that created the *server* certificate;
# a client profile needs the key belonging to <cert> — confirm which is meant.
# Keep this file readable only by the user running OpenVPN Connect.
<key>
-----BEGIN PRIVATE KEY-----
server_certificate_arnで指定している証明書を作成した秘密鍵
-----END PRIVATE KEY-----
</key>
# reneg-sec 0 disables periodic TLS renegotiation: a session keeps one key
# set for its whole lifetime instead of re-keying on a timer.
reneg-sec 0
# Pin the expected server certificate name to the ACM server certificate's
# domain (xxxxxx.com), in addition to chain validation.
verify-x509-name xxxxxx.com name