# aws

gentle-account-13294

12/17/2020, 12:43 AM
Are there full examples of creating a VPN with self-signed cert credentials somewhere? Note: I was able to set up the VPN Endpoint in AWS, add associations, routes etc. However, the instructions I had before when I tried (without pulumi) using `easyrsa` certificates and keys said that I have to:
• download the VPN config from the Web console
• modify the config to add the path to the cert and key
• https://prasaddomala.com/2020/04/02/aws-client-vpn-setup-private-access-across-aws-accounts-and-vpcs/
So I tried to dump the cert and key generated using:
```python
import pulumi_aws as aws
import pulumi_tls as tls

# one year
VALID_HOURS = 24 * 365

# read the CA cert obtained from running
# ./easyrsa init-pki && ./easyrsa build-ca nopass
with open("ca_encoded.pem", "r") as ca_crt:
    ca_crt_chain = ca_crt.read().replace("\n", " ")

# TODO: check if we can use this instead of using easy rsa
test_vpn_private_key = tls.PrivateKey("test_vpn", algorithm="RSA")
test_vpn_self_signed_cert = tls.SelfSignedCert(
    "test_vpnSelfSignedCert",
    key_algorithm="RSA",
    private_key_pem=test_vpn_private_key.private_key_pem,
    subjects=[
        tls.SelfSignedCertSubjectArgs(
            common_name="test_vpn.com",
            organization="Valo Health",
        )
    ],
    validity_period_hours=VALID_HOURS,
    # the CA flag is its own argument, not an allowed_uses value;
    # likewise dns_names is a separate list of SAN hostnames
    is_ca_certificate=True,
    allowed_uses=[
        "key_encipherment",
        "digital_signature",
        "server_auth",
        "cert_signing",  # needed for a cert marked as a CA
    ],
)

# uploads the self-signed cert to ACM; the chain is the cert itself,
# which is the part that did not look right (see below)
cert_test_vpn = aws.acm.Certificate(
    "test_vpn",
    private_key=test_vpn_private_key.private_key_pem,
    certificate_body=test_vpn_self_signed_cert.cert_pem,
    certificate_chain=test_vpn_self_signed_cert.cert_pem,
)
```
but the certificate chain is not what it should be…
So wondering if anyone has set up a VPN resource and then connected to it?
I downloaded the certs using:
```python
# store the valo user public key, private key and cert
# (test_vpn_private_key / test_vpn_self_signed_cert come from the snippet above)
def write_file(filename: str):
    file = filename

    def partial_fun(data: str):
        # note: the private key lands on disk in plaintext; restrict permissions
        with open(f"{file}", "w+") as file_obj:
            file_obj.write(data)

    return partial_fun


test_vpn_private_key.private_key_pem.apply(func=write_file(filename="test_key_private.pem"))
test_vpn_private_key.public_key_pem.apply(func=write_file(filename="test_key_public.pem"))
test_vpn_self_signed_cert.cert_pem.apply(func=write_file(filename="test_key_cert.pem"))
```

gentle-diamond-70147

12/17/2020, 11:45 PM
Can you elaborate on this?
"but the certificate chain is not what it should be…"
Are you getting an error?

gifted-vase-28337

12/18/2020, 10:19 PM
@gentle-account-13294 are you still getting an error, or did you find a solution already?

gentle-account-13294

12/22/2020, 7:32 PM
@gentle-diamond-70147 @gifted-vase-28337 for now I have abandoned the usage of the `pulumi-tls` library. I can see that the pem file that is saved for the `test_vpn_self_signed_cert` does not have the certificate chain. Hence I didn't want to spend time with this approach. I got VPN to work by:
• use the `easy-rsa` github repo
• create the certs
• upload the certs to AWS Certificate Manager
• NOTE: @gentle-diamond-70147 this I think has a bug in pulumi (or I'm not using the API correctly)… using the Pulumi API to upload the certs generated by `easy-rsa` does not work, gives a validation error. However the same thing works with using the AWS CLI `aws acm import-certificate`
• then configure the rest of the VPN with pulumi

gentle-diamond-70147

12/22/2020, 7:34 PM
I'm sorry you weren't able to get it working. If you can share more about the specific error you were getting, I can take a deeper look.

gentle-account-13294

12/22/2020, 7:35 PM
Thanks!! I will DM you the bash script I have as well as the pulumi config. You should be able to configure a VPN with it.
As a side question, is there a way to export the VPN config with pulumi?

gentle-diamond-70147

12/22/2020, 7:46 PM
At quick glance it seems no, but based on the example output at https://docs.aws.amazon.com/cli/latest/reference/ec2/export-client-vpn-client-configuration.html#examples, I think you could construct this yourself. Looks like you need the `dnsName` output and a couple of other properties from the endpoint.

gentle-account-13294

12/22/2020, 7:47 PM
Can I get the name of the endpoint configured? e.g. `cvpn-endpoint-123456789123abcde`
Ah.. maybe the `dns_name`.
In general it would definitely be helpful to have more documentation or a real world example with VPN.
Happy to write a reference if need be 🙂, since now we have a full fledged way that will be automated in the next 2 weeks to create and configure a VPN using pulumi + `easy-rsa` + `bash`.
Wondering if we should file a bug somewhere that we are not able to export the VPN config similar to the above example?