# Grant clients access to resources in a single target VPC and allow internet access

[TOC]

###### tags: `aws` `vpc` `vpn`

---

## Generate server and client certificates and keys - mutual authentication

1. Clone the OpenVPN easy-rsa repository to your local machine and change into the `easyrsa3` folder.

   ```
   git clone https://github.com/OpenVPN/easy-rsa.git OpenVPN ; cd OpenVPN/easyrsa3
   ```

   Sample output:

   ```
   Cloning into 'OpenVPN'...
   remote: Enumerating objects: 2095, done.
   remote: Counting objects: 100% (13/13), done.
   remote: Compressing objects: 100% (11/11), done.
   remote: Total 2095 (delta 3), reused 3 (delta 0), pack-reused 2082
   Receiving objects: 100% (2095/2095), 11.72 MiB | 13.34 MiB/s, done.
   Resolving deltas: 100% (916/916), done.
   ```

2. Initialize a new PKI environment.

   ```
   ./easyrsa init-pki
   ```

   Sample output:

   ```
   init-pki complete; you may now create a CA or requests.
   Your newly created PKI dir is: /Users/someone/OpenVPN/easyrsa3/pki
   ```

3. Build a new certificate authority and follow the prompts.

   ```
   ./easyrsa build-ca nopass
   ```

   Sample output:

   ```
   Using SSL: openssl LibreSSL 2.8.3
   Generating RSA private key, 2048 bit long modulus
   ....+++
   ..............................................................................................+++
   e is 65537 (0x10001)
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

   CA creation complete and you may now import and sign cert requests.
   Your new CA certificate file for publishing is at:
   /Users/someone/OpenVPN/easyrsa3/pki/ca.crt
   ```

4. Generate the server certificate and key.

   ```
   ./easyrsa build-server-full server nopass
   ```

   Sample output:

   ```
   Using SSL: openssl LibreSSL 2.8.3
   Generating a 2048 bit RSA private key
   .....................+++
   ..........................................................+++
   writing new private key to '/Users/someone/OpenVPN/easyrsa3/pki/easy-rsa-911.KmVBdj/tmp.6jFyYU'
   -----
   Using configuration from /Users/someone/OpenVPN/easyrsa3/pki/easy-rsa-911.KmVBdj/tmp.RBB2BV
   Check that the request matches the signature
   Signature ok
   The Subject's Distinguished Name is as follows
   commonName            :ASN.1 12:'server'
   Certificate is to be certified until Aug 20 09:18:50 2023 GMT (825 days)

   Write out database with 1 new entries
   Data Base Updated
   ```

5. Generate the client certificate and key.

   ```
   ./easyrsa build-client-full client1.domain.tld nopass
   ```

   Sample output:

   ```
   Using SSL: openssl LibreSSL 2.8.3
   Generating a 2048 bit RSA private key
   ......................+++
   ....................................................+++
   writing new private key to '/Users/someone/OpenVPN/easyrsa3/pki/easy-rsa-1098.tAjZcA/tmp.11wHqw'
   -----
   Using configuration from /Users/someone/OpenVPN/easyrsa3/pki/easy-rsa-1098.tAjZcA/tmp.ioqhu2
   Check that the request matches the signature
   Signature ok
   The Subject's Distinguished Name is as follows
   commonName            :ASN.1 12:'client1.domain.tld'
   Certificate is to be certified until Aug 20 09:21:14 2023 GMT (825 days)

   Write out database with 1 new entries
   Data Base Updated
   ```

   :::warning
   Be sure to save the client certificate and the client private key; you need them when configuring the client.
   :::

   Repeat this step for every client (end user) that needs its own client certificate and key.

6. Copy the server certificate and key and the client certificate and key to a custom folder, then change into that folder.

   ```
   cp pki/ca.crt ../
   cp pki/issued/server.crt ../
   cp pki/private/server.key ../
   cp pki/issued/client1.domain.tld.crt ../
   cp pki/private/client1.domain.tld.key ../
   cd ..
   ```

7. Upload the server certificate and key and the client certificate and key to ACM.

   ```
   aws acm import-certificate \
     --certificate fileb://server.crt \
     --private-key fileb://server.key \
     --certificate-chain fileb://ca.crt
   ```

   Sample output:

   ```
   {
       "CertificateArn": "arn:aws:acm:ap-southeast-1:932250170661:certificate/c08fb7be-1cce-4550-8edf-87508e28f342"
   }
   ```

   ```
   aws acm import-certificate \
     --certificate fileb://client1.domain.tld.crt \
     --private-key fileb://client1.domain.tld.key \
     --certificate-chain fileb://ca.crt
   ```

   Sample output:

   ```
   {
       "CertificateArn": "arn:aws:acm:ap-southeast-1:932250170661:certificate/25ccda56-9f91-461a-817b-e915c61677e3"
   }
   ```

   You do not need to upload the client certificate to ACM unless the client certificate's CA differs from the server certificate's CA. In the steps above the client certificate uses the same CA as the server certificate, but the upload step is included here for completeness.

## Create the Client VPN endpoint

1. Open the [Amazon VPC console](https://console.aws.amazon.com/vpc/); in the navigation pane, choose **Client VPN Endpoints**, then choose **Create Client VPN Endpoint**.

   ![](https://i.imgur.com/0cmiZO6.png)

2. For Client IPv4 CIDR, specify, in CIDR notation, the IP address range from which client IP addresses are assigned. For example: **`10.0.0.0/16`**.

   > Note
   >
   > The IP address range cannot overlap with the target network or with any route that will be associated with the Client VPN endpoint. The client CIDR range must have a block size between /12 and /22 and must not overlap with the VPC CIDR or any other route in the route table. You cannot change the client CIDR after the Client VPN endpoint has been created.

3. For Server certificate ARN, specify the ARN of the TLS certificate the server will use. Clients use the server certificate to authenticate the Client VPN endpoint they are connecting to.

   Specify the authentication method used to authenticate clients when they establish a VPN connection. For this tutorial, choose Use mutual authentication, and then for Client certificate ARN, specify the ARN of the client certificate you generated in step 1.

   ![](https://i.imgur.com/lhbagoM.png)