Accessing Amazon Web Services (AWS) with VPN Tunnels

What is a VPN in simple terms?

A virtual private network, better known as a VPN, protects your identity and browsing activity from hackers, businesses, government agencies, and other snoops. When connecting to the internet, your data and IP address are hidden by a type of virtual tunnel. This keeps others from spying on your online activity.

A virtual private network (VPN) extends a private network across a public network, enabling users to send and receive data as if the device in use was directly connected to the internal private network. This technology was created to allow remote users the ability to access corporate applications and resources. First developed in 1996 by a Microsoft engineer, the peer-to-peer tunneling protocol (PPTP) set the stage for the evolution of the modern VPN. Since then, many different types of VPN technologies have emerged, and the options remain relatively diverse in terms of hosting, protocols and encryption.

But the fundamentals remain the same: A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols or traffic encryption; and VPN users use authentication methods, including passwords or certificates, to gain access to the VPN.

The VPN Tunnel

In computer networks, a tunneling protocol is a communication method that permits data to move from one network to another. This process allows private network traffic to be sent across a public network (such as the Internet), using a process called encapsulation. A tunneling protocol works by using the data portion of a packet (the payload) to carry the packets that actually provide the service.

In the simplest terms, a VPN tunnel is an encrypted link between your device and another network. Because tunneling involves repackaging the traffic data into a different form, it can hide and secure the contents of the traffic passing through that tunnel. Now let us explore some VPN options:

OpenVPN

OpenVPN works in a client-server model. Basically, it helps to establish a secure channel between the VPN client and the VPN server. Also, it uses its own custom protocol based on TLS and SSL. OpenVPN is open-source which adds to the popularity of this protocol.

Integration guide for AWS can be found here.

General considerations

Pros

  • Better Security: Security is always a top concern while dealing with sensitive data. Luckily, OpenVPN has an upper edge here as it uses 256-bit encryption keys and high-end ciphers. This gives good protection against the man in the middle attacks. As a result, it is rather difficult to grab the information by altering the data packet.
  • Runs on almost all platforms: Secondly, OpenVPN can run on a large number of platforms. Be it Linux or Windows, we can use OpenVPN. Accommodates Windows, macOS, Linux (32-bit and 64-bit), and Mobile OS (Android and iOS) environments.
  • Good firewall compatibility: Similarly, OpenVPN can use any port on TCP or UDP, which makes it easily work with internet. Even when there are network firewall based blocks in place, it is difficult to block the OpenVPN connections. For example, if OpenVPN uses TCP with port 443, then the connection will appear as typical HTTPS connection and can easily pass through the firewall.
  • Supports Perfect Forward Secrecy: OpenVPN supports Perfect Forward Secrecy. This encryption method makes decoding of data difficult for the hackers.
  • Cost advantages: OpenVPN software is free for download and use in Windows, Linux, MacOS computers, as well as Android and iOS devices. OpenVPN client allows to make free connection to a VPN server. Again, when we use it on a server to accept incoming VPN connections, OpenVPN gives free access from two clients.

Cons

  • Complex manual configuration: Similarly, manually setting up an OpenVPN server can be a very daunting task. There are too many options with OpenVPN and configuration requires some level of expertise. Unfortunately, this can end up as a mess if done improperly. As a result, OpenVPN setup may not be a beginner’s cup of tea. It makes it pretty difficult to create a comprehensive "config builder" because there's just so many inter-connection pieces and dependencies on the configs.

    • SoftEther

    SoftEther VPN is a cross-platform, multi-protocol VPN client and VPN server software. It provides VPN protocols such as SSL VPN, L2TP/IPsec, OpenVPN, and Microsoft Secure Socket Tunneling Protocol in a single VPN server.

    A helpful guide on medium here: SoftEther VPN on AWS

    Pros:

    • SoftEther has several security protocols such as OpenVPN, which make it a really viable option. Another very important feature is that the traffic is unlimited.
    • Availability of an Android app.

    Cons:

  • Some websites are blocked when using this VPN, it is not compatible with banking websites. I also have a negative aspect regarding servers, since there are usually some on the list that do not work.

    • Radius

    RADIUS is a protocol that was originally designed to authenticate remote users to a dial-in access server. RADIUS is now used in a wide range of authentication scenarios. ... The device reads the user name and password. The device creates a message called an Access-Request message and sends it to the RADIUS server. RADIUS server solution uses NPS to perform centralized authentication, authorization, and accounting for wireless, authenticating switches, remote access dial-up or virtual private network (VPN) connections. When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points or VPN servers, as RADIUS clients in NPS. NPS uses an Active Directory Domain Services (AD DS) domain or the local Security Accounts Manager (SAM) user accounts database to authenticate user credentials for connection attempts.

    Recommendation:

    AWS Client VPN

    AWS Client VPN is a fully managed service that provides customers with the ability to securely access AWS and on-premises resources from any location using OpenVPN based clients.

    Pros:

    Connectivity from remote end-users to AWS and on-premises resources can be facilitated by this highly available, scalable, and pay-as-you-go service. The undifferentiated heavy lifting of maintaining and running a client VPN solution is completely avoided. What’s also unique with AWS Client VPN is the scalable nature of the service. The service will seamlessly scale to many users, without the need to acquire or manage any licenses or additional infrastructure. This is key for spiky workloads, such as the typical ebbs and flows of workforce connectivity throughout the day. A great example of this is inclement weather.

    Legacy client VPN solutions are typically pushed to their limits when there is an increase in client connections, not to mention the huge influx in bandwidth required to serve client connections. AWS Client VPN will scale to meet the capacity needs and ensure a consistent user experience, despite influxes in usage.

    AWS Client VPN supports both certificate-based and Active Directory based authentication. Customers get tighter security controls because they can define access control rules based on Active Directory groups and can use security groups to limit access of AWS Client VPN users. Using a single console, you can easily monitor and manage all of your client VPN connections. Client VPN allows you to choose from OpenVPN-based clients, including Windows, macOS, iOS, Android, and Linux based devices.

    Client VPN seeks to simplify the provisioning, scaling, and management of a client VPN infrastructure in a cloud-centric fashion. With a few clicks in the console you can easily deploy a scalable client VPN solution. We’ll walk through this exciting new service!

    Getting started with Client VPN - AWS Client VPN

    Conclusion:

    I believe as clients most of them would perform great. However issues like bandwidth or dropped packets come into play if the upstream isn't that great.

    Comments

    Post a Comment

    Popular posts from this blog

    Rust Static Analysis and Blockchain Licensing

    Image
    What is static analysis? Static analysis is an analysis of software artifacts. For example requirements or code, carried out without execution of these software development artifacts. Static analysis is usually carried out using supporting tools. In other words, we can say that static analysis is an examination of requirements, design, and code that differ from more traditional dynamic testing in several important ways. The main goal behind this analysis is to find the bugs, whether or not they may cause failures. As with reviews, static analysis finds bugs rather than failures. The general name for static analysis is linting. lint, or a linter, is a tool that analyzes source code to flag programming errors, bugs, stylistic errors, and suspicious constructs. Simply put, a linter is a tool that programmatically scans your code with the goal of finding issues that can lead to bugs or inconsistencies with code health and style. Some can even help fix them for you! How to analyse
    Read more

    Length extension attack

    Image
    What is length extension? When a Merkle–Damgård based hash is misused as a message authentication code with construction H(secret ‖ message), and message and the length of secret is known, a length extension attack allows anyone to include extra information at the end of the message and produce a valid hash without knowing the secret. Quick sidebar, before you freak out: Since HMAC does not use this construction, HMAC hashes are not prone to length extension attacks. So, a length extension attack is a type of attack where an attacker can use Hash(message1) and the length of message1 to calculate Hash(message1 ‖ message2) for an attacker-controlled message2, without needing to know the content of message1. Algorithms like MD5, SHA-1 and most of SHA-2 that are based on the Merkle–Damgård construction are susceptible to this kind of attack. Truncated versions of SHA-2, including SHA-384 and SHA-512/256 are not susceptible, nor is the SHA-3 algorithm. A bit more details
    Read more

    CAP Theorem and blockchain

    Image
    In theoretical computer science, the CAP theorem states that it is impossible for a distributed data store (such as a blockchain network) to simultaneously provide more than two out of the three guarantees: Consistency, Availability & Partition tolerance. CAP Theorem – the parts C: Consistency – At any given time, all nodes in the network have exactly the same (most recent) value. A: Availability – Every request to the network receives a response, though without any guarantee that returned data is the most recent. P: Partition tolerance – The network continues to operate, even if an arbitrary number of nodes are failing. Due to the nature of distributed data stores (such as blockchain), Partition tolerance is a given fact; there will always be failing/unreachable nodes in the network (not least because of the unstable nature of the internet). CAP Theorem states that one has to choose between C (Consistency) or A (Availability) when in the presence of P (Partition): Av
    Read more