Authenticate to the VPN server

For security reasons, just about everything runs in private subnets, which means they do not have a public IP address, and cannot be reached directly from the public Internet. This reduces the "surface area" that attackers can reach. Of course, we still need access into the VPCs, so we expose a single entrypoint into the network: an OpenVPN server.

The idea is that you use an OpenVPN client to connect to the OpenVPN server, which gets you "in" to the network, and you can then connect to other resources in the account as if you were making requests from the OpenVPN server itself.

Here are the steps you'll need to take:

Install an OpenVPN client

There are free and paid OpenVPN clients available for most major operating systems:

Join the OpenVPN IAM group

To get access to an OpenVPN server, your IAM user needs access to the SQS queues used by that OpenVPN server. Since our IAM users are defined in one AWS account (security) and the OpenVPN servers are defined in separate AWS accounts (stage, prod, etc.), you need to "switch" to the account with the OpenVPN server by assuming an IAM role that has access to the SQS queues in that account.

To be able to assume an IAM role, your IAM user needs to be part of an IAM group with the proper permissions, such as _account.xxx-full-access or _account.xxx-openvpn-users, where xxx is the name of the account you want to access (stage, prod, etc.). See Configure other IAM users for instructions on adding users to IAM groups.

Use openvpn-admin to generate a configuration file

To connect to an OpenVPN server, you need an OpenVPN configuration file, which includes a certificate that you can use to authenticate. To generate this configuration file, do the following:

  1. Install the latest openvpn-admin binary for your OS.

  2. Authenticate to AWS via the CLI. You will need to assume an IAM role in the AWS account with the OpenVPN server you're trying to connect to. This IAM role must have access to the SQS queues used by the OpenVPN server. Typically, the allow-full-access-from-other-accounts or openvpn-server-allow-certificate-requests-for-external-accounts IAM role is what you want.

  3. Run openvpn-admin request --aws-region <AWS REGION> --username <YOUR IAM USERNAME>.

  4. This will create your OpenVPN configuration file in the current folder.

  5. Load this configuration file into your OpenVPN client.
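Steps 2 and 3 scripted together, as an added example that is not Gruntwork's own tooling: it assumes the least-privilege role named above, exports the temporary credentials that `aws sts assume-role` returns, and runs openvpn-admin request with them. The account ID placeholder, the session name, the `.ovpn` file suffix and the `AWS_CLI` / `OPENVPN_ADMIN_BIN` override variables are assumptions of this example, not documented behaviour.

```shell
#!/bin/sh
# Added example, not Gruntwork's own tooling: assume the OpenVPN IAM role in the
# target account, then run openvpn-admin request under the temporary credentials.
# Assumptions: account ID placeholder, session name, .ovpn suffix, AWS_CLI/OPENVPN_ADMIN_BIN overrides.
set -eu

# The least-privilege choice of the two roles the docs name (the other is allow-full-access-from-other-accounts).
OPENVPN_ROLE_NAME="openvpn-server-allow-certificate-requests-for-external-accounts"

# ARN of the role to assume in the account that hosts the OpenVPN server (stage, prod, ...).
openvpn_role_arn() {
  printf 'arn:aws:iam::%s:role/%s' "$1" "$OPENVPN_ROLE_NAME"
}

# Assume the role and export the temporary credentials so openvpn-admin acts in that account.
# --query/--output text avoids a jq dependency; fails if any credential field is missing.
assume_openvpn_role() {
  role_arn="$1"; session_name="${2:-openvpn-admin}"
  creds=$("${AWS_CLI:-aws}" sts assume-role \
    --role-arn "$role_arn" --role-session-name "$session_name" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text) || creds=""
  read -r key secret token <<EOF
$creds
EOF
  if [ -z "${key:-}" ] || [ -z "${secret:-}" ] || [ -z "${token:-}" ]; then
    echo "assume-role for $role_arn returned no credentials" >&2
    return 1
  fi
  export AWS_ACCESS_KEY_ID="$key" AWS_SECRET_ACCESS_KEY="$secret" AWS_SESSION_TOKEN="$token"
}
# Number of .ovpn files in the current folder, where the docs say the config is written.
count_ovpn_files() {
  n=0
  for f in ./*.ovpn; do if [ -e "$f" ]; then n=$((n + 1)); fi; done
  echo "$n"
}
# Request a signed config (step 3 of the docs) and confirm a new .ovpn file appeared.
request_openvpn_config() {
  before=$(count_ovpn_files)
  "${OPENVPN_ADMIN_BIN:-openvpn-admin}" request --aws-region "$1" --username "$2"
  after=$(count_ovpn_files)
  [ "$after" -gt "$before" ] || { echo "no new .ovpn file in $(pwd)" >&2; return 1; }
}
main() {
  [ "$#" -eq 3 ] || { echo "usage: $0 <ACCOUNT_ID> <AWS REGION> <YOUR IAM USERNAME>" >&2; return 1; }
  assume_openvpn_role "$(openvpn_role_arn "$1")"
  request_openvpn_config "$2" "$3"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it from the folder where you want the configuration file to land, then load that file into your OpenVPN client as in step 5.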

Connect to the OpenVPN server

To connect to the OpenVPN server, simply click the "Connect" button next to your configuration file in the OpenVPN client! After a few seconds, you should be connected. You will now be able to access all the resources within the AWS network (e.g., SSH to EC2 instances in private subnets) as if you were "in" the VPC itself.