Connecting to VPC with AWS Client VPN

Posted under aws On By xpk

AWS Client VPN allows users to connect to their VPC securely over the Internet. On AWS side, we configure client VPN endpoint. On the user side, we install the AWS VPN client software.

Here is a diagram demonstrating how we can use AWS Client VPN to connect to multiple VPCs.

Read on to see how it’s set up.

Generated keys and certificates

First use the easy-rsa scripts to generate a bunch of keys and certs

git clone
cd easy-rsa/easyrsa3
./easyrsa init-pki
# ca cert in pki/ca.crt
./easyrsa build-ca nopass
# server cert in pki/private/server.key pki/issued/server.crt
./easyrsa build-server-full server nopass

# client cert, generate more if needed. Use an FQDN that represents the user. 
# This FQDN is shown in the connection table and also logged in cloudwatch logs.
# creates pki/private/office-users.domain.local.key pki/issued/office-users.domain.local.crt
./easyrsa build-client-full office-users.domain.local nopass

Once they are generated, import the server and client certs into AWS certificate manager. Use pki/ca.crt as the chain cert.

Configure client VPN endpoint

Next, go to AWS VPN console and create a client VPN endpoint. Select the server and client certs, assign a security group to this endpoint. This SG needs to be referenced on target resources to allow access. Then go to association and associate a VPC and subnet. One can only associate subnets in one VPC. Additional subnets can be added for redundancy.

Next, authorize access by going to the authorization tab. Allow access to a CIDR range in the directly connected VPC. If you are using directory service authentication, enter the AD group SID to be allowed to a specific CIDR range. For example, users in AD group “developers” are allowed to access the “DEV” VPC. Users in “devops” group are allowed to access both DEV and PROD. Obtain the group SID using the Get-ADGroup powershell command, then put the group SID here.

# To get group SID for Administrators
PS> Get-ADGroup -Identity Administrators
SID : S-1-5-32-544

If there are additional VPCs peered to the directly connected VPC, add their CIDR ranges here.

Next setup the route tables. This is only needed if there are peered VPCs. The route for the directly connected VPC is automatically populated. Add routes here so packets for the peered VPC are routed through the directly connected VPC.

Lastly, go to the target resources and edit the security group. Allow access from the VPN endpoint SG as source.

The user side

Download and install AWS VPN client, which can be obtained here. Once installed, go to AWS VPN console and download the client VPN profile. If using certificate-based authentication, edit the profile config file and add the following sections to the file.

content of pki/private/office-users.domain.local.key 
content of pki/issued/office-users.domain.local.crt

Add the profile to the VPN client, click connect and that’s it!

Linux openvpn client

If your client machine is Linux, AWS does not provide a client. We will need to use the openvpn client. First, install the openvpn package

apt install openvpn

Save the connection profile under /etc/openvpn/awsvpn.conf, and then make the following changes. Even though I’m using AD authentication, I’m still required to supply the client cert and key.

# tell openvpn where the username and password is
auth-user-pass /etc/openvpn/cred.txt

# and add the followings
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key

# to enable split tunnel, add the routes to your VPC CIDRs manually 

Create the credential file with 2 lines of text


Once the config and credential file are made, test it with the following command

openvpn --config /etc/openvpn/awsvpn.conf

If it all goes well, create a systemd service so this VPN can be started on boot.

systemctl enable [email protected]
systemctl start [email protected]

Read for troubleshooting.

Check out my wiki page if you want to enable MFA for AWS client vpn.

 235 total views,  1 views today

Leave a comment

Your email address will not be published. Required fields are marked *