Configuring AWS Client VPN

Configuring AWS Client VPN

Configuring AWS Client VPN

Client VPN integrates with your SAML provider to authenticate the users. When using AWS Identity Center (also known as AWS SSO), some configuration is needed to allow Client VPN to work.

SAML Apps at AWS Identity Center (AWS SSO)

Creating the SAML App for each environment

⚠️
It’s recommended to create one SAML App for each environment that you will enable Client VPN in Citadel. It’s possible to reuse the same SAML App on multiple Environments but the side effect is that you won’t be able to control access for individual Environments, giving access to one user or group would allow them to access Client VPN on all Environments.

Login to your AWS account with AWS Identity Center (usually the Management/Master account), navigate to Identity Center and click Applications.

image

Select “Add custom SAML 2.0 application” and click Next

image

Enter a name and a description

image

And under “Application metadata”, enter ACS URL and SAML audience as below

image

  • Application ACS URL: http://127.0.0.1:35001
  • Application SAML audience: urn:amazon:webservices:clientvpn

Once the application is created, edit the attribute mappings by selecting “Actions”

image

Enter the attributes as shown below

image
User attribute in the application
Maps to this string value or user attribute in AWS IAM Identity Center
Format
Subject
${user:email}
emailAddress
Name
${user:email}
unspecified
FirstName
${user:givenName}
unspecified
LastName
${user:familyName}
unspecified
memberOf
${user:groups}
unspecified

Now to download the XML containing the certificates, back on the Application, click Actions, Edit configuration

image

And under “IAM Identity Center Metadata”, click Download

image

Save the XML in a secure place.

Creating the Self-Service Portal Application

📢
You don’t need to create a Self-Service Portal SAML App for each Citadel Environment. Sharing the same SAML App between all Environments is safe since access control will be done by the Client VPN SAML App, which is one per Environment.

Repeat the steps above, with the only difference that the name of the application should mention “Self-Service Portal”, an example below

image

And when configuring the ACS URL and SAML Audience, enter the values below:

  • Application ACS URL: https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml
  • Application SAML audience: urn:amazon:webservices:clientvpn

Once created, see the instructions from the previous section to save the XML into a secure location.

Giving Users Permission to Access Client VPN

Under IAM Identity Center → Applications, click on each of the Client VPN applications created.

image

Click “Assign Users” to allow Users or Groups to access Client VPN.

You can add different users or groups per Environment, based on the SAML Apps created per Environment before.

For the Self-Service Portal application, you should add all users with VPN access to any Environment, as independently of the Environment they will need to access the Self-Service Portal to be able to download and configure AWS Client VPN in their workstation..

Enabling Client VPN at Citadel

Back on Citadel, go to the environment to setup Client VPN and select “Network Access”

image

Click the toggle next to AWS Client VPN to enable it.

As the form is shown, upload the XML files generated from the previous sections by clicking on the “Upload XML” button for each.

image
  • “Upload SAML Provider Metadata XML file” Select the file generated with the SAML App for this environment, example: Client VPN Dev_ins-d8ba5a39dd0d5da0.xml
  • “Upload SAML Provider Metadata XML file for Self-Service Portal” Select the file generated for the Self-Service Portal SAML App, example Client VPN Self-Service Portal_ins-3f8f96deeb3408f0.xml
  • “Route all traffic through VPN” Select this option if you want all the VPN traffic to be routes to the VPN, and not only the traffic to the VPC.
⚠️
Routing all traffic through VPN can disrupt your internet access when connected. This happens because the default route is changed to the VPN, and all the traffic of the client workstation is routed to the internet through the NAT Gateway of your VPC. This can be useful when required to access private services via an IP allow-list, as all connected clients will access the internet using the NAT Gateway static IP address (using Availability-Zone/Subnet “A”).

Then click “Save” to enable the VPN.

Connecting a workstation to AWS Client VPN

Once enabled, click on the three dots in the top-right corner of the form and select “View Self-Service Portal URL” as shown below:

image

This will open a modal with a URL, copy this URL.

image

Distribute this URL to VPN users.

Accessing this URL will redirect to authenticate to the SSO provider (IAM Identity Center). Once authenticated, the user is shown a page with options to download and configure AWS Client VPN on their workstation.

Redeploy your Client VPN

  • Go to Citadel Run and select Environment on the menu;
  • Select the Environment you want to work;
  • Select Network Access on the left menu;
  • Click on the three dots in the top-right corner of the AWS Client VPN form;
  • Click Redeploy.

For more information about AWS Client VPN usage, please see the user guide at: https://docs.aws.amazon.com/vpn/latest/clientvpn-user/user-getting-started.html