AWS VPN Client on a guest VM

The AWS VPN Client for Linux (https://docs.aws.amazon.com/vpn/latest/clientvpn-user/client-vpn-connect-linux.html) at the time of writing (Nov 26, 2023) is only supported on Ubuntu and the latest Ubuntu version supported is 20.04 LTS. This version of Ubuntu is nearly 4 years old and people have been having problems with the client - there have been numerous complaints on the forums by people trying to get it working on newer Ubuntu versions, for example https://repost.aws/questions/QUNJeF_ja_Suykous7EvfX5Q/aws-client-vpn-on-ubuntu-22-04.

While it is possible to get the VPN client working on Ubuntu 22.04, there is a caveat - the client uses an outdated libssl version (libssl1) and Ubuntu 22.04 comes with a libssl3, which makes the client error out.  The workaround is manual installation of libssl1, replacing libssl3. If one uses another distro or simply does not want to downgrade libssl just for the AWS VPN client, one solution is to run the client on guest installation of Ubuntu 20.04 in a virtual machine. Configuration for the host and guest OSes follows below.

Guest OS

I run the guest installation of Ubuntu 20.04 on Virtual Box, with a Bridged network adapter. Select the correct interface, in my case - enp5s0 (screenshot below)
One thing worth doing is obtaining a static IP for the host machine in the DHCP server (where it reserves a specific IP to a MAC address), if the router has that functionality. For the sake of example, I've set mine to 192.168.0.105.

Let's proceed with configuring the guest machine.

Guest configuration

Enable packet forwarding:

In /etc/sysctl.conf uncomment the next line to enable packet forwarding for IPv4. net.ipv4.ip_forward=1:

Set a routing rule

Run ip addr show tun0 is the network interface that appears when a VPN is running. IP 192.168.0.105 is the host IP (in host: ip addr show enp5s0 | grep 'inet ')

sudo iptables -t nat -A POSTROUTING -o tun0 -s 192.168.0.105 -j MASQUERADE

For viewing and verifying if this is still applied (e.g. after reboot): sudo iptables -t nat -L -n -v

The output, e.g.:

Chain POSTROUTING (policy ACCEPT 682 packets, 128K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   39  2340 MASQUERADE  all  --  *     tun0   192.168.0.105       0.0.0.0/0

To optionally disallow other traffic,

# Allow established and related traffic for open connections
sudo iptables -A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Drop all other incoming traffic
sudo iptables -A INPUT -i tun0 -j DROP

Save the rules

sudo sh -c "iptables-save > /etc/iptables.rules"

Persist changes for reboot

sudo vim /usr/local/bin/iptables_restore.sh add:

#!/bin/bash

iptables-restore < /etc/iptables.rules

sudo chmod 750 /usr/local/bin/iptables_restore.sh

sudo vim /etc/systemd/system/restore-iptables.service

add:

[Unit]
Description=Restore IP Tables
After=network.target

[Service]
ExecStart=/usr/local/bin/iptables_restore.sh
Type=oneshot

[Install]
WantedBy=multi-user.target

sudo systemctl start restore-iptables
sudo systemctl enable restore-iptables

Note for AWS VPN Client:

It disables IP packet forwarding. I need to re-enable it after I launch it:

sudo sysctl net.ipv4.ip_forward=1
view raw guest-os-vm.md hosted with ❤ by GitHub

Host OS

On the host, the configuration is as follows.

Host configuration

Resolve the guest IP:

From the output of ip addr show on the guest: near enp023 (in my case):

inet 192.168.0.106/24 (...)

hence the guest IP is 192.168.0.106.

On host run: sudo ip route add default via 192.168.0.106

I needed to delete the old default gateway: ip route del default

Make the route persistent

sudo vim /usr/local/bin/set_gateway_route.sh

add

#!/bin/bash

# Remove existing default gateway
ip route del default 2>/dev/null

# Add the new default route
ip route add default via 192.168.0.106 dev enp5s0
sudo chmod +x /usr/local/bin/set_gateway_route.sh

Now host routes through the guest:

➜  ~ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  _gateway (192.168.0.106)  0.573 ms  0.551 ms  0.549 ms
 2  192.168.0.1 (192.168.0.1)  1.021 ms  1.148 ms  1.154 ms
 3  device.lan (192.168.1.254)  2.161 ms  2.173 ms  2.364 ms
(...)

When the VM is up, run the bash script. Check the results with ip route show. Expect line default via 192.168.0.106 where the IP is the guest's IP.

Now host routes through the VPN on the guest.

view raw vm-host-os.md hosted with ❤ by GitHub

This solution is not ideal - it requires the guest OS to be up, as it serves as a default gateway, and everything gets routed through the guest OS. Perhaps a better solution would be to explicitly define IP ranges to route through the guest, but it does the job for the time being.

Comments

Post a Comment

Popular posts from this blog

Cyberghost Vpn on Arch Linux

  CyberGhost has apps or shell scripts for various Linux distros but not for Arch Linux, at least not at the time of writing this. However, it is very easy to configure it for Arch. Here’s what I did. Steps Logged into  https://my.cyberghostvpn.com/,  “My Download Apps” -> “Other Apps” -> “Routers and other devices” -> “Configure New Device”. Make the selections, for my setup I’ve selected “Open VPN” as the protocol. Download the OpenVPN configuration files. Extract the archive, mv the files to  /etc/openvpn/client . chmod 600 /etc/openvpn/client/* chown openvpn:network /etc/openvpn/client/* Create an auth file that stores the login credentials for this VPN connection /etc/openvpn/client/login.conf with the username on the 1st line and the password on the 2nd line. Change  auth-user-pass  in cyberghost.conf to  auth-user-pass login.conf . sudo systemctl start openvpn-client@cyberghost sudo systemctl enable openvpn-client@cyberghost Check the I...
Read more

Go error handling and stack traces voted as the biggest challenge

Image
The results of Go Developer Survey 2022 Q2 came out and showed that error handling and working with stack traces in Go pose the biggest challenge to respondents: "Error handling remains a challenge. Following the release of generics, respondents' top challenge when working with Go shifted to error handling." The answer distribution is as below (click): In this blog post I would like to focus on error handling and try to explain in detail how, in my view, error handling in Go is or should be done. Ready? Let's begin. Error handling in Go explained A function or a method in Go returns a non-nil error if and only if it encounters an error during execution. The caller checks for the returned error value - if it is not nil, it either handles it or returns an error of its own. I hope this blog post makes Go error handling better understood and appreciated.  
Read more