{"id":3217,"date":"2021-06-11T13:59:00","date_gmt":"2021-06-11T11:59:00","guid":{"rendered":"https:\/\/blog.besharp.it\/?p=3217"},"modified":"2024-02-02T12:02:31","modified_gmt":"2024-02-02T11:02:31","slug":"managed-dialup-vpn-with-custom-sso-authentication","status":"publish","type":"post","link":"https:\/\/blog.besharp.it\/managed-dialup-vpn-with-custom-sso-authentication\/","title":{"rendered":"Managed Dialup VPN with custom SSO Authentication"},"content":{"rendered":"\n<p>In these days of remote and smart working giving users access to private resources and applications is a hot topic.&nbsp;<\/p>\n\n\n\n<p>A dial-up VPN is the tool that can solve this problem, giving home users and road warriors access to private corporate services that are not exposed on the internet (even if they are hosted on the AWS Cloud).&nbsp;<\/p>\n\n\n\n<p>Implementing a VPN for end users is always a non-trivial task, because there are always opposite requirements like:<\/p>\n\n\n\n<ul>\n<li>Ease of configuration on clients and servers<\/li>\n\n\n\n<li>Security<\/li>\n\n\n\n<li>Centralized management<\/li>\n<\/ul>\n\n\n\n<p>AWS offers the <strong>AWS Client VPN<\/strong> service that can help you to give remote access to resources in a VPC and leverage external identity providers to authenticate users such as Okta, Active Directory and other services using the SAML protocol.<\/p>\n\n\n\n<p>AWS Client VPN users can connect to a self-service web portal, download client software and the configuration needed to connect to the private resource, easing the effort needed to implement the solution because there\u2019s no need for an administrator to be involved in the process.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Example scenario<\/h2>\n\n\n\n<p>Some time ago we released an article on <a href=\"https:\/\/blog.besharp.it\/single-sign-on-with-g-suite-on-the-amazon-web-services-console\/\">how to implement single sign on on the aws console using G Suite as an identity provider<\/a><\/p>\n\n\n\n<p>Based on the considerations made in the previous article about different IdPs we want to&nbsp; configure the AWS Client VPN service using G Suite as the authentication provider, unfortunately there\u2019s a catch that we\u2019re still investigating.&nbsp;<\/p>\n\n\n\n<p>The issue is that the AWS Client VPN software uses a plain http service to authenticate requests, while G Suite accepts and validates only https addresses (we\u2019ll see some details about configuration later).<\/p>\n\n\n\n<p>We\u2019ll set up AWS SSO as an authentication provider, so we\u2019ll be able in the future to switch the user database quite easily and finally configure G Suite as our Identity Source.<\/p>\n\n\n\n<p>AWS SSO is also useful if you\u2019re using AWS Organizations to manage a multi-account scenario to give users different access to specific accounts, you can find <a href=\"https:\/\/docs.aws.amazon.com\/vpn\/latest\/clientvpn-admin\/scenario.html\">some topology examples here<\/a>.&nbsp;<\/p>\n\n\n\n<p>We are going to use a default SSO setup using the internal authentication, the default setup is available at <a href=\"https:\/\/docs.aws.amazon.com\/singlesignon\/latest\/userguide\/step1.html\">this link<\/a>.<\/p>\n\n\n\n<p>In our example configuration we\u2019ll give users VPN access to a VPC in an development account:<\/p>\n\n\n\n<p>VPC Name: test-vpc<\/p>\n\n\n\n<p>VPC CIDR: 172.31.0.0\/16<\/p>\n\n\n\n<p>Client network CIDR: 172.20.20.0\/22 (must not overlap with the destination CIDR or any other network that need to be reached using the VPN connection)<\/p>\n\n\n\n<p>We\u2019ll go through different steps:<\/p>\n\n\n\n<ul>\n<li>Define SAML applications for self-service portal and vpn authentication<\/li>\n\n\n\n<li>Define Identity providers for self-service ad vpn client<\/li>\n\n\n\n<li>Create a Client VPN Endpoint<\/li>\n\n\n\n<li>Associate subnets, configure Authorization and allow traffic through Security Groups<\/li>\n\n\n\n<li>Test the configuration<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Define SAML applications<\/h2>\n\n\n\n<p>We need to define SAML applications that our Client VPN will trust to authenticate users, one for the Self-Service Portal and the other for Client VPN application.<br>On the Organization root account Console go to \u201c<strong>AWS Single Sign-On<\/strong>\u201d, choose \u201c<strong>Applications<\/strong>\u201d, \u201c<strong>Add a new application<\/strong>\u201d and \u201c<strong>Add a custom SAML 2.0 Application<\/strong>\u201d<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"370\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image15-1024x370.png\" alt=\"\" class=\"wp-image-3204\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image15-1024x370.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image15-400x144.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image15-768x277.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image15.png 1160w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>We\u2019ll name it \u201cSSO Client VPN Self Service Portal\u201d<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"743\" height=\"1024\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image2-743x1024.png\" alt=\"\" class=\"wp-image-3178\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image2-743x1024.png 743w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image2-218x300.png 218w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image2-768x1059.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image2-1114x1536.png 1114w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image2.png 1201w\" sizes=\"(max-width: 743px) 100vw, 743px\" \/><\/figure><\/div>\n\n\n<p>Click on the \u201c<strong>Download<\/strong>\u201d link for the AWS SSO SAML metadata file and <strong>keep it secret<\/strong><\/p>\n\n\n\n<p>Select \u201c<strong>Manually type your metadata values<\/strong>\u201d and fill in these values:<\/p>\n\n\n\n<p><strong>Application ACS URL<\/strong>: https:\/\/self-service.clientvpn.amazonaws.com\/api\/auth\/sso\/saml<\/p>\n\n\n\n<p><strong>Application SAML Audience<\/strong>: urn:amazon:webservices:clientvpn<\/p>\n\n\n\n<p>After adding the application select \u201cAttributes mappings\u201d and map the ${user:subject} attribute to the Subject field<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"415\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image10-1024x415.png\" alt=\"\" class=\"wp-image-3194\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image10-1024x415.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image10-400x162.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image10-768x312.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image10.png 1289w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>After adding the Self service Portal application we\u2019ll need to add the VPN Client application:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"921\" height=\"1024\" defer\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image1-921x1024.png\" alt=\"\" class=\"wp-image-3176\" style=\"width:840px;height:933px\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image1-921x1024.png 921w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image1-270x300.png 270w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image1-768x854.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image1.png 1295w\" sizes=\"(max-width: 921px) 100vw, 921px\" \/><\/figure><\/div>\n\n\n<p>Use these values:&nbsp;<\/p>\n\n\n\n<p><strong>Application ACS URL<\/strong>: http:\/\/127.0.0.1:35001<\/p>\n\n\n\n<p><strong>Application SAML Audience<\/strong>: urn:amazon:webservices:clientvpn<\/p>\n\n\n\n<p><strong>Download<\/strong> this metadata and <strong>keep it secret<\/strong><\/p>\n\n\n\n<p>In this case you can see that the application ACS URL is something you wouldn\u2019t expect: http:\/\/127.0.0.1.\u00a0<\/p>\n\n\n\n<p>This is because the VPN Client application will spawn a service listening on the client to be able to validate and forward SAML assertions. This is the reason because G Suite authentication needs further investigation, if you configure the SAML application in G Suite you\u2019ll get this validation error:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"706\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image11-1024x706.png\" alt=\"\" class=\"wp-image-3196\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image11-1024x706.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image11-400x276.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image11-768x530.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image11.png 1290w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>Spoiler: we\u2019ve been able to overcome this behavior with a little hack! We are going to write a separated article soon for this, so keep following us!<\/p>\n\n\n\n<p>After adding the Client VPN application select Attributes mappings and map them:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"674\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image9-1024x674.png\" alt=\"\" class=\"wp-image-3192\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image9-1024x674.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image9-400x263.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image9-768x505.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image9.png 1289w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>If you map them incorrectly the authentication will fail (please pay attention to the format of the Subject field, you need to change it to \u201c<strong>emailAddress<\/strong>\u201d)<\/p>\n\n\n\n<p>After adding SAML applications we\u2019ll need to tell the destination account (development in our case) to trust them as an identity provider (don\u2019t forget to assign users or groups to your applications ! using the \u201cAssigned users\u201d tab, otherwise no application will be available after the user logs in)&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Define Identity providers for self-service portal ad VPN client<\/h2>\n\n\n\n<p>Log into the development account console, go to <strong>IAM<\/strong> -&gt; <strong>Identity Providers<\/strong> and click on \u201c<strong>Add Provider<\/strong>\u201d<br>Select SAML, add a provider name (we\u2019ll use <em>clientvpn-sso-idp<\/em> for client vpn application and <em>clientvpn-portal-idp<\/em> for self-service portal application), choose the previously downloaded metadata files and upload them<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"811\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image14-1024x811.png\" alt=\"\" class=\"wp-image-3202\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image14-1024x811.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image14-379x300.png 379w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image14-768x609.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image14.png 1445w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>We are now ready to create the VPN Client endpoint in our VPC and configure it to trust our SAML applications.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Create a Client VPN Endpoint<\/h2>\n\n\n\n<p>For the client vpn endpoint you\u2019ll need a wildcard ACM Certificate associated with your domain, if you don\u2019t have one create it before creating the Endpoint, refer to <a href=\"https:\/\/docs.aws.amazon.com\/acm\/latest\/userguide\/gs-acm-request-public.html\">this documentation<\/a> to create it.<br>In the Development account go to <strong>VPC<\/strong> and select \u201c<strong>Client VPN Endpoints<\/strong>\u201d, create a new client vpn endpoint.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"856\" height=\"1024\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image4-856x1024.png\" alt=\"\" class=\"wp-image-3182\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image4-856x1024.png 856w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image4-251x300.png 251w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image4-768x918.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image4-1285x1536.png 1285w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image4.png 1498w\" sizes=\"(max-width: 856px) 100vw, 856px\" \/><\/figure><\/div>\n\n\n<p>Select \u201c<strong>Use user-based authentication<\/strong>\u201d and select the previously created IdPs:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"393\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image16-1024x393.png\" alt=\"\" class=\"wp-image-3206\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image16-1024x393.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image16-400x154.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image16-768x295.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image16.png 1211w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>Don\u2019t forget to thick the \u201c<strong>Enable self-service portal\u201d<\/strong> checkbox<\/p>\n\n\n\n<p>After saving the configuration please copy the self service portal url and modify the \u201cSSO Client VPN service portal\u201d application to use it as \u201cApplication start URL, otherwise the user will not be able to access the self-service portal:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"362\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image7-1024x362.png\" alt=\"\" class=\"wp-image-3188\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image7-1024x362.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image7-400x141.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image7-768x272.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image7.png 1230w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"989\" height=\"1024\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image6-989x1024.png\" alt=\"\" class=\"wp-image-3186\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image6-989x1024.png 989w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image6-290x300.png 290w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image6-768x796.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image6.png 1284w\" sizes=\"(max-width: 989px) 100vw, 989px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Associate subnets, configure Authorization and allow traffic through Security Groups<\/h2>\n\n\n\n<p>Click the \u201cAssociations\u201d tab on the client vpn endpoint, select the target VPC and the subnet to associate them, after some time they will show as associated:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"391\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image12-1024x391.png\" alt=\"\" class=\"wp-image-3198\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image12-1024x391.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image12-400x153.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image12-768x293.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image12.png 1284w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>Click on the Authorization tab and authorize the VPC network segment:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"258\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image13-1024x258.png\" alt=\"\" class=\"wp-image-3200\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image13-1024x258.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image13-400x101.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image13-768x193.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image13.png 1284w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>You\u2019ll also see that route tables will automatically be populated:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"322\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image19-1024x322.png\" alt=\"\" class=\"wp-image-3212\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image19-1024x322.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image19-400x126.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image19-768x242.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image19.png 1284w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Test the configuration<\/h2>\n\n\n\n<p>Open a browser and go to the user portal url for your SSO application, you can find it in the \u201cSettings\u201d page of SSO configuration, something like: https:\/\/example-org.awsapps.com\/start<\/p>\n\n\n\n<p>After logging you\u2019ll see the list of configured applications:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"322\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image8-1024x322.png\" alt=\"\" class=\"wp-image-3190\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image8-1024x322.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image8-400x126.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image8-768x242.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image8.png 1284w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>Select the SSO Client VPN Self Service to download the configuration file and client software.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"638\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image5-1024x638.png\" alt=\"\" class=\"wp-image-3184\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image5-1024x638.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image5-400x249.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image5-768x478.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image5.png 1236w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>After installing software import the configuration (file -&gt; manage profiles -&gt; add profile)<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"344\" height=\"166\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image3.png\" alt=\"\" class=\"wp-image-3180\"\/><\/figure><\/div>\n\n\n<p>Click on \u201cconnect\u201d, a new browser window will open asking for credentials. After logging in a confirmation window will appear:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"233\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image20-1024x233.png\" alt=\"\" class=\"wp-image-3214\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image20-1024x233.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image20-400x91.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image20-768x175.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image20.png 1286w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>The client will be in the \u201cconnected state\u201d and you\u2019ll see an entry in the \u201cConnections\u201d tab<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"249\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image18-1024x249.png\" alt=\"\" class=\"wp-image-3210\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image18-1024x249.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image18-400x97.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image18-768x187.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image18.png 1439w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>On the client you\u2019ll see that routing tables are added automatically to reach your VPC:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"625\" height=\"850\" src=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image17.png\" alt=\"\" class=\"wp-image-3208\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image17.png 625w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/image17-221x300.png 221w\" sizes=\"(max-width: 625px) 100vw, 625px\" \/><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Wrap-Up<\/h2>\n\n\n\n<p>AWS Client VPN is a managed service that eases the task of configuring vpn connections for end-users, it offers a lot of out-of-the-box configuration mechanisms; in this article, we explored a custom implementation that is not described in the official documentation.&nbsp;<\/p>\n\n\n\n<p>We\u2019re still searching for the best way to add G Suite authentication, we\u2019re investigating having G Suite as an identity source for AWS SSO and then using SSO SAML applications to map the right attributes for the IDP and Client VPN.&nbsp;Add your thoughts about it in the comments! See you again in 14 days on <strong>#Proud2beCloud<\/strong>!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In these days of remote and smart working giving users access to private resources and applications is a hot topic.&nbsp; [&hellip;]<\/p>\n","protected":false},"author":13,"featured_media":3241,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[470],"tags":[515,513,509,330],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.9.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Managed Dialup VPN with custom SSO Authentication - Proud2beCloud Blog<\/title>\n<meta name=\"description\" content=\"Our custom implementation of AWS Client VPN, a managed service for VPN connections configuration for end-users.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.besharp.it\/managed-dialup-vpn-with-custom-sso-authentication\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Managed Dialup VPN with custom SSO Authentication\" \/>\n<meta property=\"og:description\" content=\"Our custom implementation of AWS Client VPN\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.besharp.it\/managed-dialup-vpn-with-custom-sso-authentication\/\" \/>\n<meta property=\"og:site_name\" content=\"Proud2beCloud Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-06-11T11:59:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-02-02T11:02:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/twitter-shared-link-7.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"628\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Damiano Giorgi\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Managed Dialup VPN with custom SSO Authentication\" \/>\n<meta name=\"twitter:description\" content=\"Our custom implementation of AWS Client VPN\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/twitter-shared-link-7.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Damiano Giorgi\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.besharp.it\/managed-dialup-vpn-with-custom-sso-authentication\/\",\"url\":\"https:\/\/blog.besharp.it\/managed-dialup-vpn-with-custom-sso-authentication\/\",\"name\":\"Managed Dialup VPN with custom SSO Authentication - Proud2beCloud Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.besharp.it\/#website\"},\"datePublished\":\"2021-06-11T11:59:00+00:00\",\"dateModified\":\"2024-02-02T11:02:31+00:00\",\"author\":{\"@id\":\"https:\/\/blog.besharp.it\/#\/schema\/person\/a9195473e4a658b45cb12d3df3fdf293\"},\"description\":\"Our custom implementation of AWS Client VPN, a managed service for VPN connections configuration for end-users.\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.besharp.it\/managed-dialup-vpn-with-custom-sso-authentication\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.besharp.it\/managed-dialup-vpn-with-custom-sso-authentication\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.besharp.it\/managed-dialup-vpn-with-custom-sso-authentication\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.besharp.it\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Managed Dialup VPN with custom SSO Authentication\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.besharp.it\/#website\",\"url\":\"https:\/\/blog.besharp.it\/\",\"name\":\"Proud2beCloud Blog\",\"description\":\"il blog di beSharp\",\"alternateName\":\"Proud2beCloud Blog\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.besharp.it\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.besharp.it\/#\/schema\/person\/a9195473e4a658b45cb12d3df3fdf293\",\"name\":\"Damiano Giorgi\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.besharp.it\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/9a20b8c97250d4fb49857192f7e4bedf?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/9a20b8c97250d4fb49857192f7e4bedf?s=96&d=mm&r=g\",\"caption\":\"Damiano Giorgi\"},\"description\":\"Ex sistemista on-prem, pigro e incline all'automazione di task noiosi. Alla ricerca costante di novit\u00e0 tecnologiche e quindi passato al cloud per trovare nuovi stimoli. L'unico hardware a cui mi dedico ora \u00e8 quello del mio basso; se non mi trovate in ufficio o in sala prove provate al pub o in qualche aeroporto!\",\"url\":\"https:\/\/blog.besharp.it\/author\/damiano-giorgi\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Managed Dialup VPN with custom SSO Authentication - Proud2beCloud Blog","description":"Our custom implementation of AWS Client VPN, a managed service for VPN connections configuration for end-users.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.besharp.it\/managed-dialup-vpn-with-custom-sso-authentication\/","og_locale":"en_US","og_type":"article","og_title":"Managed Dialup VPN with custom SSO Authentication","og_description":"Our custom implementation of AWS Client VPN","og_url":"https:\/\/blog.besharp.it\/managed-dialup-vpn-with-custom-sso-authentication\/","og_site_name":"Proud2beCloud Blog","article_published_time":"2021-06-11T11:59:00+00:00","article_modified_time":"2024-02-02T11:02:31+00:00","og_image":[{"width":1200,"height":628,"url":"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/twitter-shared-link-7.png","type":"image\/png"}],"author":"Damiano Giorgi","twitter_card":"summary_large_image","twitter_title":"Managed Dialup VPN with custom SSO Authentication","twitter_description":"Our custom implementation of AWS Client VPN","twitter_image":"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/06\/twitter-shared-link-7.png","twitter_misc":{"Written by":"Damiano Giorgi","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.besharp.it\/managed-dialup-vpn-with-custom-sso-authentication\/","url":"https:\/\/blog.besharp.it\/managed-dialup-vpn-with-custom-sso-authentication\/","name":"Managed Dialup VPN with custom SSO Authentication - Proud2beCloud Blog","isPartOf":{"@id":"https:\/\/blog.besharp.it\/#website"},"datePublished":"2021-06-11T11:59:00+00:00","dateModified":"2024-02-02T11:02:31+00:00","author":{"@id":"https:\/\/blog.besharp.it\/#\/schema\/person\/a9195473e4a658b45cb12d3df3fdf293"},"description":"Our custom implementation of AWS Client VPN, a managed service for VPN connections configuration for end-users.","breadcrumb":{"@id":"https:\/\/blog.besharp.it\/managed-dialup-vpn-with-custom-sso-authentication\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.besharp.it\/managed-dialup-vpn-with-custom-sso-authentication\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.besharp.it\/managed-dialup-vpn-with-custom-sso-authentication\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.besharp.it\/"},{"@type":"ListItem","position":2,"name":"Managed Dialup VPN with custom SSO Authentication"}]},{"@type":"WebSite","@id":"https:\/\/blog.besharp.it\/#website","url":"https:\/\/blog.besharp.it\/","name":"Proud2beCloud Blog","description":"il blog di beSharp","alternateName":"Proud2beCloud Blog","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.besharp.it\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.besharp.it\/#\/schema\/person\/a9195473e4a658b45cb12d3df3fdf293","name":"Damiano Giorgi","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.besharp.it\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/9a20b8c97250d4fb49857192f7e4bedf?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/9a20b8c97250d4fb49857192f7e4bedf?s=96&d=mm&r=g","caption":"Damiano Giorgi"},"description":"Ex sistemista on-prem, pigro e incline all'automazione di task noiosi. Alla ricerca costante di novit\u00e0 tecnologiche e quindi passato al cloud per trovare nuovi stimoli. L'unico hardware a cui mi dedico ora \u00e8 quello del mio basso; se non mi trovate in ufficio o in sala prove provate al pub o in qualche aeroporto!","url":"https:\/\/blog.besharp.it\/author\/damiano-giorgi\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/posts\/3217"}],"collection":[{"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/comments?post=3217"}],"version-history":[{"count":0,"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/posts\/3217\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/media\/3241"}],"wp:attachment":[{"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/media?parent=3217"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/categories?post=3217"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/tags?post=3217"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}