270 (#486)

* How to Create a Fully Private AWS EKS Cluster? (Client VPN & Resolve Private Route 53 DNS Locally)

* Remove tf state

Author: antonputra

README.md

@@ -1,6 +1,6 @@
-# New Video - https://youtu.be/s6C-d3SDqoA
+# New Video - https://youtu.be/Zv4c4YC-aAM
 
-[<img src="assets/269.png?raw=true">](https://youtu.be/s6C-d3SDqoA)
+[<img src="assets/270.png?raw=true">](https://youtu.be/Zv4c4YC-aAM)
 
 # Consulting
 

assets/269.png

@@ -189,3 +189,4 @@
 - [265 - Rust vs C++ Performance: Can Rust Actually Be Faster? (Pt. 2)](../lessons/265)
 - [268 - Build a Secure AWS EKS CI/CD Pipeline: Step-by-Step Tutorial (ArgoCD + GitHub Actions)](../lessons/268)
 - [269 - Reduce AWS Latency by 200x: Drop from 7ms to 35μs](../lessons/269)
+- [270 - How to Create a Fully Private AWS EKS Cluster? (Client VPN & Resolve Private Route 53 DNS Locally)](../lessons/270)

assets/270.png

@@ -0,0 +1,45 @@
+# How to Create a Fully Private AWS EKS Cluster? (Client VPN & Resolve Private Route 53 DNS Locally)
+
+You can find tutorial [here](https://youtu.be/Zv4c4YC-aAM).
+
+## Commands
+
+```bash
+sudo apt-get update && sudo apt-get -y upgrade
+curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/openvpn.gpg
+echo "deb [signed-by=/etc/apt/keyrings/openvpn.gpg] http://build.openvpn.net/debian/openvpn/stable $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/openvpn.list
+sudo apt-get update
+sudo apt-get install -y openvpn
+wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.2.4/EasyRSA-3.2.4.tgz
+tar -zxf EasyRSA-3.2.4.tgz
+sudo mv EasyRSA-3.2.4/ /etc/openvpn/easy-rsa
+sudo ln -s /etc/openvpn/easy-rsa/easyrsa /usr/local/bin/
+cd /etc/openvpn/easy-rsa
+easyrsa init-pki
+easyrsa build-ca nopass
+easyrsa gen-req openvpn-server nopass
+easyrsa sign-req server openvpn-server
+openvpn --genkey secret ta.key
+sudo vim /etc/sysctl.conf
+sudo sysctl -p
+sudo iptables -t nat -S
+ip route list default
+sudo iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o ens5 -j MASQUERADE
+sudo apt-get install iptables-persistent
+sudo vim /etc/openvpn/server/server.conf
+cat /etc/passwd | grep nobody
+cat /etc/group | grep nogroup
+sudo systemctl start openvpn-server@server
+sudo systemctl status openvpn-server@server
+sudo systemctl enable openvpn-server@server
+journalctl --no-pager --full -u openvpn-server@server -f
+easyrsa gen-req example-1 nopass
+easyrsa sign-req client example-1
+cat /etc/openvpn/easy-rsa/pki/ca.crt
+cat /etc/openvpn/easy-rsa/pki/issued/example-1.crt
+cat /etc/openvpn/easy-rsa/pki/private/example-1.key
+cat /etc/openvpn/easy-rsa/ta.key
+netstat -nr -f inet
+journalctl --no-pager --full -u openvpn-server@server -f
+aws eks update-kubeconfig --name dev-main --region us-east-1
+```

docs/contents.md

@@ -0,0 +1,87 @@
+client
+dev tun
+proto udp
+remote 54.234.2.175 1194
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+remote-cert-tls server
+cipher AES-256-GCM
+auth SHA256
+key-direction 1
+verb 3
+
+; If Linux client do NOT use systemd-resolved
+; script-security 2
+; up /etc/openvpn/update-resolv-conf
+; down /etc/openvpn/update-resolv-conf
+
+; If Linux client do USE systemd-resolved
+; script-security 2
+; up /etc/openvpn/update-systemd-resolved
+; down /etc/openvpn/update-systemd-resolved
+; down-pre
+; dhcp-option DOMAIN-ROUTE .
+
+<ca>
+-----BEGIN CERTIFICATE-----
+MIIB/TCCAYKgAwIBAgIUCcT5+o8xHJVpoi2YCa3V/BskWUowCgYIKoZIzj0EAwQw
+FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjUxMDE5MDU0NzU1WhcNMzUxMDE3
+MDU0NzU1WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTB2MBAGByqGSM49AgEGBSuB
+BAAiA2IABMR2w9FWxy5pW2jWkVe7EtjrZtwkOHYFFo4VyQQbwN0HA38i+9MBlhDA
+RFMc5S9flpjXVsVM7KaBmUYSSS2J5IxCoS+G4NENaTN/QJ6xG7Pe6V4/2xfFj2Kr
+Z9MPy8K3B6OBkDCBjTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRZosPucrOxQywt
+CDsgg/otDSQaOjBRBgNVHSMESjBIgBRZosPucrOxQywtCDsgg/otDSQaOqEapBgw
+FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0GCFAnE+fqPMRyVaaItmAmt1fwbJFlKMAsG
+A1UdDwQEAwIBBjAKBggqhkjOPQQDBANpADBmAjEAnr3hWbjgsjyfQqg/vDUh0ie5
+u0kQ1BcBHOfFeufZyF5HqVuiq4HfnfQOk6A+cqcAAjEAvtOWYtxMfr0pzfBLqtp0
+TCCAhbLr9lyQkmpAVKwD1to4rkmpPAV3LOkbN5dmn2Q1
+-----END CERTIFICATE-----
+</ca>
+
+<cert>
+-----BEGIN CERTIFICATE-----
+MIICCTCCAY6gAwIBAgIQMvm/zKyHXcsJl5IIgFRswDAKBggqhkjOPQQDBDAWMRQw
+EgYDVQQDDAtFYXN5LVJTQSBDQTAeFw0yNTEwMTkwNTUxMjBaFw0yODAxMjIwNTUx
+MjBaMBQxEjAQBgNVBAMMCWV4YW1wbGUtMTB2MBAGByqGSM49AgEGBSuBBAAiA2IA
+BEIX/Ez7ii2u54RXvkQHaf7n3iY+NBU2Oy5iwf/FJrzwM7O8mhyMU6uz1DDkwWzA
+U11sGQdlSWHMGM7iBDnwW0+ASA9w3FI/YzEc0jxUM2mTZPCW64ECHvThe0gqJo5a
+CaOBojCBnzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQMVdmJLkD9/QpEhJXX4NEwPobS
+CTBRBgNVHSMESjBIgBRZosPucrOxQywtCDsgg/otDSQaOqEapBgwFjEUMBIGA1UE
+AwwLRWFzeS1SU0EgQ0GCFAnE+fqPMRyVaaItmAmt1fwbJFlKMBMGA1UdJQQMMAoG
+CCsGAQUFBwMCMAsGA1UdDwQEAwIHgDAKBggqhkjOPQQDBANpADBmAjEArtAEZ7ia
+uTMWjUsH1BO3mnSIIDr1aFoW3KxBl/9foCsytNydpZgIhTxTB0bwZfCtAjEAmiBY
+t6XxqZ5lAUr+5pesTETecNPmSrMXfolbv0lAnuDKiDp3Qed/mkqSUqZTvmiK
+-----END CERTIFICATE-----
+</cert>
+
+<key>
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDD90tbIdDRcue04LVST
+OOmSox7eRjZh/RhBNG790jzjZq6wj6BwQtAwBMznEEmvaR6hZANiAARCF/xM+4ot
+rueEV75EB2n+594mPjQVNjsuYsH/xSa88DOzvJocjFOrs9Qw5MFswFNdbBkHZUlh
+zBjO4gQ58FtPgEgPcNxSP2MxHNI8VDNpk2TwluuBAh704XtIKiaOWgk=
+-----END PRIVATE KEY-----
+</key>
+
+<tls-crypt>
+-----BEGIN OpenVPN Static key V1-----
+49bd538a3e01410d542c2e32d47e17e3
+bb401d5d972db33260c48bf7c9f73e31
+673b48fcc7b3f96c6a0419d3d0f0446f
+88a7ba7d9b3cf6f52bfc4e4f1b10e914
+104355d99d7a58084fcf1bbdd3a5736c
+d2a31e86c928b53a5f5d9cd2be7d7356
+104ba00bbbd574ad1c43dbdd427f7f91
+de9d9bac17fd77ff2e947021e50f6e5a
+b877d20918f5f5949e5493f74d8b1133
+a1755a19138dd577a787026d8712c17c
+0fa9435278bf70b185fd685119793208
+b52f6353af25c77bebd18d65d781617e
+b9b05b436c71cde183006a85d9cd1942
+82035d35e94928870f6b8e672f44e384
+cc3969e6e5552dae20639eefd9974731
+585596a32209a8a98fcf00bdd80491a0
+-----END OpenVPN Static key V1-----
+</tls-crypt>

lessons/270/README.md

@@ -0,0 +1,55 @@
+# Port for OpenVPN
+port 1194
+# Protocol, can be tcp or udp
+proto udp
+# It will create a routed IP tunnel
+dev tun
+# Location of the Certificate Authority
+ca /etc/openvpn/easy-rsa/pki/ca.crt
+# Location of the OpenVPN certificate
+cert /etc/openvpn/easy-rsa/pki/issued/openvpn-server.crt
+# Location of the OpenVPN private key
+key /etc/openvpn/easy-rsa/pki/private/openvpn-server.key
+# Disable Diffie Hellman since we are using elliptic curves
+dh none
+# Location of the ta secret that used it is used as an additional HMAC signature 
+# to all SSL/TLS handshake packets for integrity verification.
+tls-crypt /etc/openvpn/easy-rsa/ta.key 0
+# Cipher to use
+cipher AES-256-GCM
+# Auth used to authenticate received packets
+auth SHA256
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+server 10.8.0.0 255.255.255.0
+# Location to save records of client <-> virtual IP address
+ifconfig-pool-persist /var/log/openvpn/ipp.txt
+# ping-like messages to be sent back and forth to check the status
+keepalive 10 120
+# Used reduce the OpenVPN daemon's privileges after initialization
+user nobody
+group nogroup
+# Persist certain options that may no longer be available because of the privilege downgrade
+persist-key
+persist-tun
+# Shows current connections
+status /var/log/openvpn/openvpn-status.log
+# Log verbosity
+verb 3
+# Notify the client when the server restarts so it can automatically reconnect
+explicit-exit-notify 1
+# Network topology
+topology subnet
+
+# Push route from AWS (private subnet az1), 10.0.0.0/19
+push "route 10.0.0.0 255.255.224.0"
+# Push route from AWS (private subnet az1), 10.0.32.0/19
+push "route 10.0.32.0 255.255.224.0"
+
+# Push AWS name server since we want to use private hosted zones
+# (Optional) if 10.0.0.2 is not included in routes
+# push "route 10.0.0.2 255.255.255.255"
+push "dhcp-option DNS 10.0.0.2"
+
+# (Optional) Location of the Revoked Certificates (Example)
+# crl-verify /etc/openvpn/easy-rsa/pki/crl.pem

lessons/270/example-1.ovpn

@@ -0,0 +1,17 @@
+locals {
+  env = "dev"
+
+  region = "us-east-1"
+  az1    = "us-east-1a"
+  az2    = "us-east-1b"
+
+  vpc_cidr = "10.0.0.0/16"
+
+  private_subnet_az1_cidr = "10.0.0.0/19"
+  private_subnet_az2_cidr = "10.0.32.0/19"
+  public_subnet_az1_cidr  = "10.0.64.0/19"
+  public_subnet_az2_cidr  = "10.0.96.0/19"
+
+  eks_cluster_name = "main"
+  eks_version      = "1.34"
+}

lessons/270/server.conf

@@ -0,0 +1,14 @@
+provider "aws" {
+  region = local.region
+}
+
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}

lessons/270/terraform/0-locals.tf

@@ -0,0 +1,12 @@
+resource "aws_vpc_security_group_ingress_rule" "eks_allow_443_from_openvpn" {
+  security_group_id            = aws_eks_cluster.eks.vpc_config[0].cluster_security_group_id
+  referenced_security_group_id = aws_security_group.openvpn.id
+
+  from_port   = 443
+  to_port     = 443
+  ip_protocol = "tcp"
+
+  tags = {
+    Name = "eks-allow-443-from-openvpn"
+  }
+}