AWS Client VPN — Connect using OpenVPN
A step-by-step guide on how to connect to AWS Client VPN using OpenVPN
Introduction
The idea of this post is to show how you can use OpenVPN Connect to establish a tunnel with AWS, by using AWS Client VPN. I’ll explain how AWS Client VPN works in a later post.
OpenVPN is free and open-source software (FOSS) under the GNU GPLv2 license. OpenVPN Connect is a VPN client and is currently available for Android, iOS, Linux, macOS and Windows.
The authentication methods shown in this post are user-based and certificate-based. AWS Client VPN also provides support for MFA. MFA is only available with Microsoft AD, AD Connector, or when it is enabled in your IdP. Mutual authentication and Simple AD don’t support MFA.
Download
Check the links below to download the official client.
Pre-requirements
- A user and password and/or a client certificate
- Android, iOS, Linux, macOS or Windows
- Internet connection
How to set up
Client certificate
If you’re not using certificate-based authentication, this step only serves to suppress the message “Connection Error - Missing external certificate”.
Additional pre-requirements
- Git
- OpenSSL
Step-by-step
- Open your terminal
- Create a temporary folder
mkdir -p /tmp/openvpn-client-certificate
- Access the temporary folder
cd /tmp/openvpn-client-certificate
- Download the EASY RSA
git clone https://github.com/OpenVPN/easy-rsa.git
- Access the EASY RSA folder
cd easy-rsa/easyrsa3
- Open the file vars.example
- Change the configurations. Example:
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"
set_var EASYRSA_REQ_CN "My-VPN"
set_var EASYRSA_KEY_SIZE 4096
set_var EASYRSA_BATCH "yes"
- Save and exit the file
- Create the vars file
cp vars.example vars
- Generate the PKCS 12 archive file by running the commands below, one at a time
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
./easyrsa build-client-full client-certificate nopass
openssl pkcs12 -export -clcerts -inkey pki/private/client-certificate.key -in pki/issued/client-certificate.crt -out client-certificate.p12 -name "My Client Certificate"
Note: In the last command, you’ll be prompted to set an export password for the .p12 file.
Configuring the OpenVPN
You can follow the steps below to configure your OpenVPN. The steps are the same for all platforms.
- Download and install OpenVPN Connect
- Get your client configuration
Check this link for more information: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-endpoints.html#cvpn-working-endpoint-export
- Open the client configuration in a text editor (it’s a .ovpn file)
- There is a “remote” configuration line; you’ll need to add a random string before the host, e.g.:
remote myrandomstr1ng.cvpn-endpoint-<ID>.prod.clientvpn.<REGION>.amazonaws.com <PORT>
- You’ll see four certificate “blocks”. Each block starts with
-----BEGIN CERTIFICATE-----
and ends with
-----END CERTIFICATE-----
Replace the third block with the content mentioned in this post: https://docs.aws.amazon.com/vpn/latest/clientvpn-user/windows-troubleshooting.html#windows-troubleshooting-openvpn-connect-ca
Note: This is not exclusive to Windows, but it only applies if the server certificate was generated via AWS Certificate Manager. Check this link for more information: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/troubleshooting.html#resolve-host-name
- Save and close the file
- Open OpenVPN Connect
- On the top, select “File” and then “Browse”
- Choose the file you just downloaded and configured and click on “Open”
- Add a profile name (it can be anything), set your username (the same one you use to log in to the AWS Client VPN Self-Service Portal) and then click on “Add”
Now your OpenVPN client is ready to connect to the VPN.
Note: If you don’t have a certificate, the message “Connection Error - Missing external certificate” will appear every time you try to connect. You can click on “Continue”. The “Continue” button doesn’t appear in OpenVPN Connect v2.
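As an added example, not from the original post, here is a POSIX shell script that performs the two .ovpn edits described above (the random prefix on the “remote” host and the swap of the third certificate block), so the edit can be repeated for every exported profile instead of done by hand; the sample .ovpn and the replacement ca.pem it creates are constructed placeholders, not real certificates, and patch_ovpn is a name chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): apply the two .ovpn edits from the
# steps above with a script instead of a text editor:
#   1. prefix the host on the "remote" line with a random label, so each client
#      resolves its own DNS name for the endpoint
#   2. replace the N-th BEGIN/END CERTIFICATE block with the contents of a PEM
#      file you supply (e.g. the CA from the AWS troubleshooting page linked above)
# Usage: patch_ovpn <in.ovpn> <out.ovpn> <block-number> <replacement.pem>
patch_ovpn() {
  in="$1"; out="$2"; n="$3"; pem="$4"
  rnd=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')   # 12 hex chars, a valid DNS label
  awk -v n="$n" -v pem="$pem" -v rnd="$rnd" '
    # "remote <host> <port>"  ->  "remote <rnd>.<host> <port>"
    $1 == "remote" && NF >= 2 { $2 = rnd "." $2; print; next }
    # on the N-th BEGIN line, emit the replacement PEM and start skipping
    /-----BEGIN CERTIFICATE-----/ {
      blk++
      if (blk == n) { skip = 1; while ((getline l < pem) > 0) print l; close(pem) }
    }
    !skip { print }
    # the matching END line closes the skipped block
    /-----END CERTIFICATE-----/ { skip = 0 }
  ' "$in" > "$out"
}

# Constructed sample input (not a real export): BLOCK1..4 stand in for the CA chain
WORK=$(mktemp -d)
cat > "$WORK/client.ovpn" <<'EOF'
remote cvpn-endpoint-EXAMPLEID.prod.clientvpn.us-east-1.amazonaws.com 443
<ca>
-----BEGIN CERTIFICATE-----
BLOCK1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
BLOCK2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
BLOCK3
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
BLOCK4
-----END CERTIFICATE-----
</ca>
EOF
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'REPLACEMENT' '-----END CERTIFICATE-----' > "$WORK/ca.pem"
OUT="$WORK/client-patched.ovpn"
patch_ovpn "$WORK/client.ovpn" "$OUT" 3 "$WORK/ca.pem"
cat "$OUT"
```

Run it against the real exported file with the CA from the troubleshooting page as the fourth argument; the sample run above only shows the third block being replaced and the remote host gaining a random prefix.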