Prerequisites Step 1: Generate server and client certificates and keys Step 2: Create a Client VPN endpoint Step 3: Associate a target network Step 4: Add an authorization rule for the VPC Step 5: Provide access to the internet Step 6: Verify security group requirements Step 7: Download the Client VPN endpoint configuration file Step 8: Connect to the Client VPN endpoint

Get started with AWS Client VPN

In this tutorial, you will create a AWS Client VPN endpoint that does the following:

Provides all clients with access to a single VPC.
Provides all clients with access to the internet.
Uses mutual authentication.

The following diagram represents the configuration of your VPC and Client VPN endpoint after you've completed this tutorial.

Steps

Prerequisites
Step 1: Generate server and client certificates and keys
Step 2: Create a Client VPN endpoint
Step 3: Associate a target network
Step 4: Add an authorization rule for the VPC
Step 5: Provide access to the internet
Step 6: Verify security group requirements
Step 7: Download the Client VPN endpoint configuration file
Step 8: Connect to the Client VPN endpoint

Prerequisites

Before you begin this getting started tutorial, make sure that you have the following:

The permissions required to work with Client VPN endpoints.
The permissions required to import certificates into AWS Certificate Manager.
A VPC with at least one subnet and an internet gateway. The route table that's associated with your subnet must have a route to the internet gateway.

Step 1: Generate server and client certificates and keys

This tutorial uses mutual authentication. With mutual authentication, Client VPN uses certificates to perform authentication between clients and the Client VPN endpoint. You will need to have a server certificate and key, and at least one client certificate and key. At minimum, the server certificate will need to be imported into AWS Certificate Manager (ACM) and specified when you create the Client VPN endpoint. Importing the client certificate into ACM is optional.

If you don't already have certificates to use for this purpose, they can be created using the OpenVPN easy-rsa utility. For detailed steps to generate the server and client certificates and keys using the OpenVPN easy-rsa utility, and import them into ACM see Mutual authentication in AWS Client VPN.

Note

The server certificate must be provisioned with or imported into AWS Certificate Manager (ACM) in the same AWS Region where you'll create the Client VPN endpoint.

Step 2: Create a Client VPN endpoint

The Client VPN endpoint is the resource that you create and configure to enable and manage client VPN sessions. It's the termination point for all client VPN sessions.

To create a Client VPN endpoint

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, choose Client VPN Endpoints and then choose Create Client VPN endpoint.
(Optional) Provide a name tag and description for the Client VPN endpoint.
For Client IPv4 CIDR, specify an IP address range, in CIDR notation, from which to assign client IP addresses.

Note
The address range cannot overlap with the target network address range, the VPC address range, or any of the routes that will be associated with the Client VPN endpoint. The client address range must be at minimum /22 and not greater than /12 CIDR block size. You cannot change the client address range after you create the Client VPN endpoint.
For Server certificate ARN, select the ARN of the server certificate that you generated in Step 1.
Under Authentication options, choose Use mutual authentication, and then for Client certificate ARN, select the ARN of the certificate you want to use as the client certificate.

If the server and client certificates are signed by the same certificate authority (CA), you have the option of specifying the server certificate ARN for both the client and server certificates. In this scenario, any client certificate that corresponds with the server certificate can be used to authenticate.
(Optional) Specify which DNS servers to use for DNS resolution. To use custom DNS servers, for DNS Server 1 IP address and DNS Server 2 IP address, specify the IP addresses of the DNS servers to use. To use VPC DNS server, for either DNS Server 1 IP address or DNS Server 2 IP address, specify the IP addresses, and add the VPC DNS server IP address.

Note
Verify that the DNS servers can be reached by clients.
Keep the rest of the default settings, and choose Create Client VPN endpoint.

After you create the Client VPN endpoint, its state is pending-associate. Clients can only establish a VPN connection after you associate at least one target network.

For more information about the options that you can specify for a Client VPN endpoint, see Create an AWS Client VPN endpoint.

Step 3: Associate a target network

To allow clients to establish a VPN session, you associate a target network with the Client VPN endpoint. A target network is a subnet in a VPC.

To associate a target network with the Client VPN endpoint

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, choose Client VPN Endpoints.
Select the Client VPN endpoint that you created in the preceding procedure, and then choose Target network associations, Associate target network.
For VPC, choose the VPC in which the subnet is located.
For Choose a subnet to associate, choose the subnet to associate with the Client VPN endpoint.
Choose Associate target network.
If authorization rules allow it, one subnet association is enough for clients to access a VPC's entire network. You can associate additional subnets to provide high availability in case an Availability Zones becomes impaired.

When you associate the first subnet with the Client VPN endpoint, the following happens:

The state of the Client VPN endpoint changes to available. Clients can now establish a VPN connection, but they cannot access any resources in the VPC until you add the authorization rules.
The local route of the VPC is automatically added to the Client VPN endpoint route table.
The VPC's default security group is automatically applied for the Client VPN endpoint.

Step 4: Add an authorization rule for the VPC

For clients to access the VPC, there needs to be a route to the VPC in the Client VPN endpoint's route table and an authorization rule. The route was already added automatically in the previous step. For this tutorial, we want to grant all users access to the VPC.

To add an authorization rule for the VPC

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, choose Client VPN Endpoints.
Select the Client VPN endpoint to which to add the authorization rule. Choose Authorization rules, and then choose Add authorization rule.
For Destination network to enable access, enter the CIDR of the network for which you want to allow access. For example, to allow access to the entire VPC, specify the IPv4 CIDR block of the VPC.
For Grant access to, choose Allow access to all users.
(Optional) For Description, enter a brief description of the authorization rule.
Choose Add authorization rule.

Step 5: Provide access to the internet

You can provide access to additional networks connected to the VPC, such as AWS services, peered VPCs, on-premises networks, and the internet. For each additional network, you add a route to the network in the Client VPN endpoint's route table and configure an authorization rule to give clients access.

For this tutorial, we want to grant all users access to the internet and also to the VPC. You've already configured access to the VPC, so this step is for access to the internet.

To provide access to the internet

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, choose Client VPN Endpoints.
Select the Client VPN endpoint that you created for this tutorial. Choose Route Table, and then choose Create Route.
For Route destination, enter 0.0.0.0/0. For Subnet ID for target network association, specify the ID of the subnet through which to route traffic.
Choose Create Route.
Choose Authorization rules, and then choose Add authorization rule.
For Destination network to enable access, enter 0.0.0.0/0, and choose Allow access to all users.
Choose Add authorization rule.

Step 6: Verify security group requirements

In this tutorial, no security groups were specified during the creation of the Client VPN endpoint in Step 2. That means that the default security group for the VPC is automatically applied to the Client VPN endpoint when a target network is associated. As a result, the default security group for the VPC should now be associated with the Client VPN endpoint.

Verify the following security group requirements

That the security group associated with subnet you are routing traffic through (in this case the default VPC security group) allows outbound traffic to the internet. To do this, add an outbound rule that allows all traffic to destination 0.0.0.0/0.
That the security groups for the resources in your VPC have a rule that allows access from the security group that's applied to the Client VPN endpoint (in this case the default VPC security group). This enables your clients to access the resources in your VPC.

For more information, see Security groups.

Step 7: Download the Client VPN endpoint configuration file

The next step is to download and prepare the Client VPN endpoint configuration file. The configuration file includes the Client VPN endpoint details and certificate information required to establish a VPN connection. You provide this file to the end users who need to connect to the Client VPN endpoint. The end user uses the file to configure their VPN client application.

To download and prepare the Client VPN endpoint configuration file

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, choose Client VPN Endpoints.
Select the Client VPN endpoint that you created for this tutorial, and choose Download client configuration.
Locate the client certificate and key that were generated in Step 1. The client certificate and key can be found in the following locations in the cloned OpenVPN easy-rsa repo:
- Client certificate — easy-rsa/easyrsa3/pki/issued/client1.domain.tld.crt
- Client key — easy-rsa/easyrsa3/pki/private/client1.domain.tld.key
Open the Client VPN endpoint configuration file using your preferred text editor. Add <cert></cert> and <key></key> tags to the file. Place the contents of the client certificate and the contents of the private key between the corresponding tags, as such:
```
<cert>
Contents of client certificate (.crt) file
</cert>

<key>
Contents of private key (.key) file
</key>
```
Save and close the Client VPN endpoint configuration file.
Distribute the Client VPN endpoint configuration file to your end users.

For more information about the Client VPN endpoint configuration file, see AWS Client VPN endpoint configuration file export.

Step 8: Connect to the Client VPN endpoint

You can connect to the Client VPN endpoint using the AWS provided client or another OpenVPN-based client application and the configuration file that you just created. For more information, see the AWS Client VPN User Guide.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Scaling considerations

Work with Client VPN