AWS Client VPNを試してみた

2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ ϥϯαʔζגࣜձࣾ  43&ʗ҆ୡྋ ͋ͩͪΜ AWS Client VPNΛ ࢼͯ͠Έͨ

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ ɹΞδΣϯμ ɾࣗݾ঺հ ɾAWS Client VPNͬͯͲ͏ͳͷΑʁ ɾ΍Γ͍ͨ͜ͱ ɾߏ੒
ɾϨΠςϯγ ɾϩά ɾσϞ ɾϋϚͬͨͱ͜Ζ ɾ·ͱΊ

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ ࣗݾ঺հ - name: Introduction me user: name:
adachin work: SRE/Hiring Recruitment detail: aws analytical base menta  skill: ansible terraform shell etc  blog: blog.adachin.me  oss: Vuls https://www.wantedly.com/companies/lancers/post_articles/151653

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ AWS Client VPNͬͯͲ͏ͳͷΑʁ https://blog.adachin.me/archives/9813

2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ Ϛωʔδυ ΊͪΌͪ͘Ό͍͍!!!

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ ΍Γ͍ͨ͜ͱ ɾΦϨΰϯʹVPC01ͱAWS Client VPNͷઃఆ   ɾ౦ژϦʔδϣϯʹVPC02,VPC03Λ2ͭઃఆ  
ɾVPC01(ΦϨΰϯ)ͱVPC02,03(౦ژ)ΛVPCϐΞϦϯάͰ઀ଓ   ɾVPC01,VPC02,VPC03ͦΕͧΕʹEC2ͷߏங   ɾAWS Client VPNͷϢʔβʔ࡞੒(ূ໌ॻɺ伴)   ɾ઀ଓͨ͠ࡍͷϩάʢCloudWatch Logs)͕औಘͰ͖Δ͜ͱΛ֬ೝ   ɾVPNܦ༝ͰEC2ʹSSHͰ͖Δ͔֬ೝ   ɾϨΠςϯγͷ֬ೝ

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ ߏ੒

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ ߏ੒ ɾVPC01/ΦϨΰϯ ɾeasy-rsa  CIDR 10.0.0.0/16 OpenVPNͷϢʔςΟϦςΟ  subnet
10.0.0.0/24 10.0.1.0/24 αʔόূ໌ॻɺ伴ͷ࡞੒    ɾVPC02,VPC03/౦ژ   CIDR 10.10.0.0/16 10.20.0.0/16 Subnet 10.10.0.0/24 10.20.0.0/24 ɾTuunelblick 

2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ ઃఆʹ͍ͭͯ͸… ϒϩάݟ͍ͯͩ͘͞!!!!

2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ ϨΠςϯγͱ͔Ͳ͏ͳΜʁ

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ ϨΠςϯγ $ ping 10.0.0.189 PING 10.0.0.189 (10.0.0.189):
56 data bytes 64 bytes from 10.0.0.189: icmp_seq=0 ttl=254 time=127.708 ms 64 bytes from 10.0.0.189: icmp_seq=1 ttl=254 time=127.965 ms 64 bytes from 10.0.0.189: icmp_seq=2 ttl=254 time=128.099 ms 64 bytes from 10.0.0.189: icmp_seq=3 ttl=254 time=127.861 ms 64 bytes from 10.0.0.189: icmp_seq=4 ttl=254 time=127.784 ms 64 bytes from 10.0.0.189: icmp_seq=5 ttl=254 time=127.855 ms ^C --- 10.0.0.189 ping statistics --- 6 packets transmitted, 6 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 127.708/127.879/128.099/0.126 ms  $ ifconfig utun1 utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 inet 10.110.1.98 --> 10.110.1.98 netmask 0xffffffe0

2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ VPNͷϩάͱ͔औΕΔΜʁ

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ ϩά CloudWatch LogsͰશ෦ݟΕΔʂ

2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ σϞ΍Γ·͢

2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ ͜͜Ͱ໰୊͕!….

2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ ͱࢥ͍͖΍…  Πϯλʔωοτ͕ܨ͕Βͳ͍ "

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ ϋϚͬͨͱ͜Ζ https://inamuu.com/aws-client-vpn ɾͦ΋ͦ΋ssh͸Ͱ͖Δ͕ɺΠϯλʔωοτ͕઀ଓͰ͖ͳ͍ ɾϧʔτ௥Ճ ɾauthorization ruleʹΠϯλʔωοτ΁ͷΞΫηεΛڐՄ  ɾެࣜΛՇ!!

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ ɹ·ͱΊ ɾOpenVPNαʔόӡ༻͍Βͣ ɾΦϨΰϯ͕ͩे෼ૣ͍ ɾϩά͸CloudWatch Logsʹ ɾαʔόূ໌ॻɺ伴Λ؅ཧ͢Δඞཁ͕͋Δ ɾϓϩΩγɺBastion΋EIP΋ৼΒͳͯ͘ྑ͖
ɾطଘͷαʔόূ໌ॻΛ࢖ͬͯVPN͸࡞੒Ͱ͖Δ ɾΞΧ΢ϯτ࡟আͱ͍͏֓೦Ͱ͸ͳ͘ূ໌ॻΛrevoke ɾϥϯαʔζ΋ಋೖ͢Δ༧ఆʂʂ

2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ ͝ਗ਼ௌ͋Γ͕ͱ͏  ͍͟͝·ͨ͠ʂʂ

AWS Client VPNを試してみた

AWS Client VPNを試してみた

rvirus0817

More Decks by rvirus0817

Other Decks in Technology

Featured

Transcript

2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ ϥϯαʔζגࣜձࣾ  43&ʗ҆ୡྋ ͋ͩͪΜ AWS Client VPNΛ ࢼͯ͠Έͨ

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ ɹΞδΣϯμ ɾࣗݾ঺հ ɾAWS Client VPNͬͯͲ͏ͳͷΑʁ ɾ΍Γ͍ͨ͜ͱ ɾߏ੒

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ ࣗݾ঺հ - name: Introduction me user: name:

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ AWS Client VPNͬͯͲ͏ͳͷΑʁ https://blog.adachin.me/archives/9813

2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ Ϛωʔδυ ΊͪΌͪ͘Ό͍͍!!!

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ ΍Γ͍ͨ͜ͱ ɾΦϨΰϯʹVPC01ͱAWS Client VPNͷઃఆ   ɾ౦ژϦʔδϣϯʹVPC02,VPC03Λ2ͭઃఆ

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ ߏ੒

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ ߏ੒ ɾVPC01/ΦϨΰϯ ɾeasy-rsa  CIDR 10.0.0.0/16 OpenVPNͷϢʔςΟϦςΟ  subnet

2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ ઃఆʹ͍ͭͯ͸… ϒϩάݟ͍ͯͩ͘͞!!!!

2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ ϨΠςϯγͱ͔Ͳ͏ͳΜʁ

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ ϨΠςϯγ $ ping 10.0.0.189 PING 10.0.0.189 (10.0.0.189):

2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ VPNͷϩάͱ͔औΕΔΜʁ

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ ϩά CloudWatch LogsͰશ෦ݟΕΔʂ

2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ σϞ΍Γ·͢

2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ ͜͜Ͱ໰୊͕!….

2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ ͱࢥ͍͖΍…  Πϯλʔωοτ͕ܨ͕Βͳ͍ "

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ ϋϚͬͨͱ͜Ζ https://inamuu.com/aws-client-vpn ɾͦ΋ͦ΋ssh͸Ͱ͖Δ͕ɺΠϯλʔωοτ͕઀ଓͰ͖ͳ͍ ɾϧʔτ௥Ճ ɾauthorization ruleʹΠϯλʔωοτ΁ͷΞΫηεΛڐՄ  ɾެࣜΛՇ!!

ϥϯαʔζΫϥγίϜϕʔγοΫ߹ಉษڧձ ɹ·ͱΊ ɾOpenVPNαʔόӡ༻͍Βͣ ɾΦϨΰϯ͕ͩे෼ૣ͍ ɾϩά͸CloudWatch Logsʹ ɾαʔόূ໌ॻɺ伴Λ؅ཧ͢Δඞཁ͕͋Δ ɾϓϩΩγɺBastion΋EIP΋ৼΒͳͯ͘ྑ͖

2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ ͝ਗ਼ௌ͋Γ͕ͱ͏  ͍͟͝·ͨ͠ʂʂ