Arun's Blog

Secure Remote Access - AWS Client VPN & Endpoint Deployment

Tags: VPN, Networking, Security
TL;DR

AWS Client VPN enables secure remote access to AWS resources using OpenVPN. Create certificates with easy-rsa, import to ACM, create a Client VPN endpoint with mutual authentication, associate with your VPC subnet, add authorization rules, and distribute the .ovpn config file to users.

Introduction

AWS Client VPN is a managed client-based VPN service that enables end-users to securely access your AWS resources. With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client.

Overview

AWS Client VPN Architecture

Create VPC

  1. VPC
    • Navigate to VPC Console
    • Create a VPC
    • Provide a name for this VPC
    • Enter an IPv4 CIDR
  2. Subnet(s)
    • Navigate to Subnet
    • Click Create a Subnet
    • Select the VPC created above
    • Provide a subnet name
    • Enter an IPv4 CIDR that is part of the larger VPC CIDR

Authentication

AWS Client VPN supports three authentication methods:

  • Active Directory - user based
  • Mutual Authentication - certificate based
  • SSO via SAML - user based
Note

For this exercise, we will use certificate-based mutual authentication using a Linux OS to create certificates and keys with easy-rsa.

Creating Certificates and Keys

  1. Create a file with the contents below
  2. Make the file executable: chmod +x [filename]
  3. Run the file: ./[filename]
#!/bin/bash
# Stop on the first failing command so a half-built PKI is not copied out.
set -e
echo "Enter a folder name"
read -r folder
# The output folder lives under $HOME; check and create the same path.
out="$HOME/$folder"
if [ -d "$out" ]
then
  echo "This folder exists"
else
  mkdir -p "$out"
fi
git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3
# Initialise the PKI, then build the CA, server and one client certificate.
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
./easyrsa build-client-full client1.domain.tld nopass
# Collect the files that will be imported into ACM and the .ovpn profile.
cp pki/ca.crt "$out/"
cp pki/issued/server.crt "$out/"
cp pki/private/server.key "$out/"
cp pki/issued/client1.domain.tld.crt "$out/"
cp pki/private/client1.domain.tld.key "$out/"
cd "$out/"
exec bash

This creates the following files:

  • ca.crt - CA certificate (used as the certificate chain when importing to ACM)
  • client1.domain.tld.crt - client certificate
  • client1.domain.tld.key - client private key
  • server.crt - server certificate
  • server.key - server private key
Important

Keep the private keys (.key files) secure. Never share them or commit them to version control. The client private key will be embedded in the .ovpn config file distributed to users.

Upload Certificates to ACM

AWS CLI

# Server Certificate, Key, and Chain
aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt

# Client Certificate, Key, and Chain
aws acm import-certificate --certificate fileb://client1.domain.tld.crt --private-key fileb://client1.domain.tld.key --certificate-chain fileb://ca.crt

AWS Console

  1. Navigate to ACM Console
  2. Import a certificate
  3. Paste the contents of server.crt into Certificate body
  4. Paste the contents of server.key into Certificate private key
  5. Paste the contents of ca.crt into Certificate chain
  6. Repeat for client certificate

Client VPN Endpoint

  1. Go to VPC Console > Client VPN endpoints
  2. Create client VPN endpoint
  3. Provide a name and description
  4. Enter an IPv4 CIDR that does NOT overlap with your VPC (between /12 and /22)
  5. Under Server certificate ARN, select the Server certificate
  6. Check "Use mutual authentication"
  7. Under Client certificate ARN, select the client certificate
  8. Enable split-tunnel (recommended)
  9. Create Client VPN Endpoint
Pro Tip

Enable split-tunnel to only route traffic destined for your VPC through the VPN. This improves performance for users and reduces VPN bandwidth costs.

VPN Connectivity Enablement

  1. Navigate to VPC Console > Client VPN Endpoints
  2. Select your endpoint and click Associate target network
  3. Select your VPC and subnet
  4. Click Associate target network
  5. Repeat for additional subnets if desired

The endpoint state will change from Pending-associate to Available. The association creates:

  • A route in the endpoint's route table for the VPC CIDR
  • A security group association using the VPC's default security group (you can change this later)

VPN Network Authorization

  1. Navigate to Client VPN Endpoints
  2. Select your endpoint > Authorization rules
  3. Click Add authorization rule
  4. Enter the VPC CIDR (or specific subnet CIDRs)
  5. Select "Allow access to all users"
  6. Click Add authorization rule

Client VPN Configuration File

  1. Navigate to Client VPN Endpoints
  2. Click Download client configuration
  3. Open the .ovpn file and add client certificate between <cert></cert> tags
  4. Add client private key between <key></key> tags
  5. Prepend a random string (followed by a dot) to the endpoint DNS name in the remote line
  6. Save and distribute to users
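As an added example that is not part of the original post, the script below automates steps 3 to 5 for the downloaded .ovpn file and also checks the client CIDR rule from the endpoint section (/12 to /22, no overlap with the VPC). The function names, the sample config and its placeholder endpoint name are all constructed here and are not AWS's own.

```python
import ipaddress
import re
import secrets
from typing import List, Optional

# Constructed sample of the config the console exports; the endpoint name is a placeholder.
SAMPLE_OVPN = """client
dev tun
proto udp
remote cvpn-endpoint-EXAMPLE.prod.clientvpn.us-east-1.amazonaws.com 443
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
EXAMPLE-CA-CONTENT
-----END CERTIFICATE-----
</ca>
reneg-sec 0
"""


def validate_client_cidr(client_cidr: str, vpc_cidr: str) -> List[str]:
    """Return the problems the endpoint wizard would reject (empty list means OK)."""
    client = ipaddress.ip_network(client_cidr, strict=True)
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems = []
    if not 12 <= client.prefixlen <= 22:
        problems.append(f"client CIDR prefix must be between /12 and /22, got /{client.prefixlen}")
    if client.overlaps(vpc):
        problems.append(f"client CIDR {client} overlaps VPC CIDR {vpc}")
    return problems


def build_client_ovpn(base_config: str, client_cert: str, client_key: str,
                      prefix: Optional[str] = None) -> str:
    """Embed the client cert/key and prepend a random label to the endpoint DNS name."""
    prefix = prefix or secrets.token_hex(4)
    # Only the first 'remote cvpn-endpoint-...' line is rewritten; fail loudly if absent.
    patched, count = re.subn(r"^(remote\s+)(cvpn-endpoint-)", rf"\g<1>{prefix}.\2",
                             base_config, count=1, flags=re.MULTILINE)
    if count != 1:
        raise ValueError("no 'remote cvpn-endpoint-...' line found in config")
    # Inline <cert>/<key> blocks make a single self-contained profile per user.
    return (patched.rstrip("\n") + "\n"
            + f"<cert>\n{client_cert.strip()}\n</cert>\n"
            + f"<key>\n{client_key.strip()}\n</key>\n")
```

Because the output embeds the user's private key, treat the generated file like the .key itself and produce one profile per user rather than sharing a single client certificate.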

Client VPN Application

Download the AWS VPN Client from: https://aws.amazon.com/vpn/client-vpn-download/

  1. Open AWS VPN Client
  2. File > Manage Profiles > Add Profile
  3. Input a Display Name
  4. Browse and select the .ovpn config file
  5. Click Add Profile > Done
  6. Click Connect

Troubleshooting

  • Connection fails immediately - Verify the client certificate and key are correctly embedded in the .ovpn file. Check that the random string was prepended to the endpoint DNS name.
  • Connected but can't reach resources - Check authorization rules allow access to the destination CIDR. Verify the security group on the VPN endpoint allows traffic to your resources.
  • Endpoint stuck in Pending-associate - Ensure the subnet has available IP addresses. Check that the subnet's route table has a route to an internet gateway (for public subnets).
  • Certificate import fails - Ensure certificate format is PEM. Verify the certificate chain (ca.crt) is included. Check for any extra whitespace or characters.
  • Client CIDR overlap error - The Client VPN CIDR must not overlap with VPC CIDR or any associated networks. Choose a completely different range.
  • Split-tunnel not working - Verify split-tunnel is enabled on the endpoint. Check that routes are correctly configured for the destination networks.

Conclusion

In today's remote work environment, creating a Client VPN in your AWS environment is essential. It provides increased security, improved productivity, and is cost-effective. With the steps outlined above, you can create a Client VPN in your AWS environment and provide your remote workers with secure access to the resources they need.