Client VPN endpoints - AWS Client VPN

Client VPN endpoints

All client VPN sessions terminate at the Client VPN endpoint. You configure the Client VPN endpoint to manage and control all client VPN sessions.

Create a Client VPN endpoint

Create a Client VPN endpoint to enable your clients to establish a VPN session.

The Client VPN must be created in the same AWS account in which the intended target network is provisioned.

Prerequisites

Before you begin, ensure that you do the following:

To create a Client VPN endpoint (console)

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Client VPN Endpoints.

  3. (Optional) For Description, enter a brief description for the Client VPN endpoint.

  4. For Client IPv4 CIDR, specify an IP address range, in CIDR notation, from which to assign client IP addresses.

  5. For Server certificate ARN, specify the ARN for the TLS certificate to be used by the server. Clients use the server certificate to authenticate the Client VPN endpoint to which they are connecting.

    Note

    The server certificate must be provisioned in AWS Certificate Manager (ACM).

  6. Specify the authentication method to be used to authenticate clients when they establish a VPN connection. You must select an authentication method.

    • To use user-based authentication, select Use user-based authentication, and then choose one of the following:

      • Active Directory authentication: Choose this option for Active Directory authentication. For Directory ID, specify the ID of the Active Directory to use.

      • Federated authentication: Choose this option for SAML-based federated authentication.

        For SAML provider ARN, specify the ARN of the IAM SAML identity provider.

        (Optional) For Self-service SAML provider ARN, specify the ARN of the IAM SAML identity provider that you created to support the self-service portal, if applicable.

    • To use mutual certificate authentication, select Use mutual authentication, and then for Client certificate ARN, specify the ARN of the client certificate that's provisioned in AWS Certificate Manager (ACM).

      Note

      If the client certificate was issued by the same certificate authority (issuer) as the server certificate, you can specify the server certificate ARN as the client certificate ARN. This also holds when you have generated a separate client certificate and key for each user from the same CA as the server certificate: the server certificate ARN is still what you specify here.

  7. Specify whether to log data about client connections using Amazon CloudWatch Logs. For Do you want to log the details on client connections?, do one of the following:

    • To enable client connection logging, choose Yes. For CloudWatch Logs log group name, enter the name of the log group to use. For CloudWatch Logs log stream name, enter the name of the log stream to use, or leave this option blank to let us create a log stream for you.

    • To disable client connection logging, choose No.

  8. (Optional) For Client Connect Handler, choose Yes to enable the client connect handler to run custom code that allows or denies a new connection to the Client VPN endpoint. For Client Connect Handler ARN, specify the Amazon Resource Name (ARN) of the Lambda function that contains the logic that allows or denies connections.

  9. (Optional) Specify which DNS servers to use for DNS resolution. To use custom DNS servers, for DNS Server 1 IP address and DNS Server 2 IP address, specify the IP addresses of the DNS servers to use. To use the VPC DNS server, enter its IP address in either DNS Server 1 IP address or DNS Server 2 IP address.

    Note

    Verify that the DNS servers can be reached by clients.

  10. (Optional) To have the endpoint be a split-tunnel VPN endpoint, select Enable split-tunnel.

    By default, split-tunnel on a VPN endpoint is disabled.

  11. (Optional) By default, the Client VPN server uses the UDP transport protocol. To use the TCP transport protocol instead, for Transport Protocol, select TCP.

    Note

    UDP typically offers better performance than TCP. You cannot change the transport protocol after you create the Client VPN endpoint.

  12. (Optional) For VPC ID, choose the VPC to associate with the Client VPN endpoint. For Security Group IDs, choose one or more of the VPC's security groups to apply to the Client VPN endpoint.

  13. (Optional) For VPN port, choose the VPN port number. The default is 443.

  14. (Optional) To generate a self-service portal URL for clients, choose Enable self-service portal.

  15. Choose Create Client VPN Endpoint.

After you create the Client VPN endpoint, do the following to complete the configuration and enable clients to connect:

  • The initial state of the Client VPN endpoint is pending-associate. Clients can only connect to the Client VPN endpoint after you associate the first target network.

  • Create an authorization rule to specify which clients have access to the network.

  • Download and prepare the Client VPN endpoint configuration file to distribute to your clients.

  • Instruct your clients to use the AWS provided client or another OpenVPN-based client application to connect to the Client VPN endpoint. For more information, see the AWS Client VPN User Guide.
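Step 8 above hands the allow/deny decision for every new connection to a Lambda function. The following is an added example of such a client connect handler; it is not code from this page or from AWS. It denies clients on platforms outside an allowlist, clients running an OpenVPN version below a minimum, and users who are not in a required group, and returns the reason so the client can show it. The event and response field names follow the AWS connection-authorization schema, which this page does not reproduce, so treat those names, the platform strings, the minimum version and the group name as assumptions to check against current AWS documentation before deploying.

```python
"""Client connect handler for AWS Client VPN (added example, not AWS code).

Event and response field names are assumed from the AWS connection-authorization
schema; this page does not show them, so verify them before use.
"""
import json
import re

# Policy knobs: constructed values for the example.
ALLOWED_PLATFORMS = {"win", "mac", "linux"}   # assumption: platform strings as reported by the client
MIN_OPENVPN_VERSION = (2, 5, 0)
REQUIRED_GROUP = "vpn-users"                  # assumption: a group name from your directory or IdP


def _parse_version(text):
    """Turn '2.5.7' (or '2.5') into a comparable tuple; unparsable input sorts lowest."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return (0, 0, 0)
    return tuple(int(x or 0) for x in m.groups())


def evaluate(event):
    """Return (allow, reason). Every check is an allowlist: unknown input is denied."""
    if event.get("schema-version") != "v1":
        return False, "unsupported schema version"
    if event.get("platform") not in ALLOWED_PLATFORMS:
        return False, "platform not permitted"
    if _parse_version(event.get("client-openvpn-version")) < MIN_OPENVPN_VERSION:
        return False, "OpenVPN client too old; please update"
    # Assumption: "groups" arrives either as a list or as a comma-separated string.
    groups = event.get("groups") or []
    if isinstance(groups, str):
        groups = [g.strip() for g in groups.split(",") if g.strip()]
    if REQUIRED_GROUP not in groups:
        return False, "user is not in the required group"
    return True, ""


def lambda_handler(event, context):
    allow, reason = evaluate(event)
    # One structured line per decision for CloudWatch Logs; no secrets are logged.
    print(json.dumps({
        "connection-id": event.get("connection-id"),
        "endpoint-id": event.get("endpoint-id"),
        "username": event.get("username"),
        "public-ip": event.get("public-ip"),
        "allow": allow,
        "reason": reason,
    }))
    return {
        "allow": allow,
        "error-msg-on-denied-connection": reason,
        "posture-compliance-statuses": [],
        "schema-version": "v1",
    }
```

Deploy the function in the same account and Region as the endpoint and give it only the permissions the checks need; AWS documents further requirements for connect handlers (including the function name and the invoke permission for the Client VPN service) that are not on this page, so confirm them before enabling the handler.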

To create a Client VPN endpoint (AWS CLI)

Use the create-client-vpn-endpoint command.

Modify a Client VPN endpoint

After a Client VPN endpoint has been created, you can modify any of the following settings:

  • The description

  • The server certificate

  • The client connection logging options

  • The DNS servers

  • The split-tunnel option

  • The VPC and security group associations

  • The VPN port number

  • The client connect handler option

  • The self-service portal option

You cannot modify the client IPv4 CIDR range, authentication options, or transport protocol after the Client VPN endpoint has been created.

When you modify any of the following parameters on a Client VPN endpoint, the connection resets:

  • The server certificate

  • The DNS servers

  • The split-tunnel option (turning support on or off)

  • Routes (when you use the split-tunnel option)

  • Certificate Revocation List (CRL)

  • Authorization rules

  • The VPN port number

You can modify a Client VPN endpoint by using the console or the AWS CLI.

To modify a Client VPN endpoint (console)

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Client VPN Endpoints.

  3. Select the Client VPN endpoint to modify, choose Actions, and then choose Modify Client VPN Endpoint.

  4. For Description, enter a brief description for the Client VPN endpoint.

  5. For Client IPv4 CIDR, specify an IP address range, in CIDR notation, from which to assign client IP addresses.

  6. For Server certificate ARN, specify the ARN for the TLS certificate to be used by the server. Clients use the server certificate to authenticate the Client VPN endpoint to which they are connecting.

    Note

    The server certificate must be provisioned in AWS Certificate Manager (ACM).

  7. Specify whether to log data about client connections using Amazon CloudWatch Logs. For Do you want to log the details on client connections?, do one of the following:

    • To enable client connection logging, choose Yes. For CloudWatch Logs log group name, enter the name of the log group to use. For CloudWatch Logs log stream name, enter the name of the log stream to use, or leave this option blank to let us create a log stream for you.

    • To disable client connection logging, choose No.

  8. For Client Connect Handler, choose Yes to enable the client connect handler to run custom code that allows or denies a new connection to the Client VPN endpoint. For Client Connect Handler ARN, specify the Amazon Resource Name (ARN) of the Lambda function that contains the logic that allows or denies connections.

  9. Specify which DNS servers to use for DNS resolution. To use custom DNS servers, for DNS Server 1 IP address and DNS Server 2 IP address, specify the IP addresses of the DNS servers to use. To use the VPC DNS server, enter its IP address in either DNS Server 1 IP address or DNS Server 2 IP address.

    Note

    Verify that the DNS servers can be reached by clients.

  10. To have the endpoint be a split-tunnel VPN endpoint, select Enable split-tunnel.

    By default, split-tunnel on a VPN endpoint is disabled.

  11. For VPC ID, choose the VPC to associate with the Client VPN endpoint. For Security Group IDs, choose one or more of the VPC's security groups to apply to the Client VPN endpoint.

  12. For VPN port, choose the VPN port number. The default is 443.

  13. To generate a self-service portal URL for clients, choose Enable self-service portal.

  14. Choose Modify Client VPN Endpoint.

To modify a Client VPN endpoint (AWS CLI)

Use the modify-client-vpn-endpoint command.

Export and configure the client configuration file

The Client VPN endpoint configuration file is the file that clients (users) use to establish a VPN connection with the Client VPN endpoint. You must download (export) this file and distribute it to all clients who need access to the VPN. Alternatively, if you've enabled the self-service portal for your Client VPN endpoint, clients can log into the portal and download the configuration file themselves. For more information, see Access the self-service portal.

If your Client VPN endpoint uses mutual authentication, you must add the client certificate and the client private key to the .ovpn configuration file that you download. After you add the information, clients can import the .ovpn file into the OpenVPN client software.

Important

If you do not add the client certificate and the client private key information to the file, clients that authenticate using mutual authentication cannot connect to the Client VPN endpoint.

By default, the --remote-random-hostname option in the OpenVPN client configuration enables wildcard DNS. Because wildcard DNS is enabled, the client does not cache the IP address of the endpoint and you will not be able to ping the DNS name of the endpoint.

If your Client VPN endpoint uses Active Directory authentication and if you enable multi-factor authentication (MFA) on your directory after you distribute the client configuration file, you must download a new file and redistribute it to your clients. Clients cannot use the previous configuration file to connect to the Client VPN endpoint.

Export the client configuration file

You can export the client configuration by using the console or the AWS CLI.

To export client configuration (console)

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Client VPN Endpoints.

  3. Select the Client VPN endpoint for which to download the client configuration and choose Download Client Configuration.

To export client configuration (AWS CLI)

Use the export-client-vpn-client-configuration command and specify the output file name.

$ aws ec2 export-client-vpn-client-configuration --client-vpn-endpoint-id endpoint_id --output text > config_filename.ovpn

Add the client certificate and key information (mutual authentication)

If your Client VPN endpoint uses mutual authentication, you must add the client certificate and the client private key to the .ovpn configuration file that you download.

You cannot modify the client certificate when you use mutual authentication.

To add the client certificate and key information (mutual authentication)

You can use one of the following options.

(Option 1) Distribute the client certificate and key to clients along with the Client VPN endpoint configuration file. In this case, specify the path to the certificate and key in the configuration file. Open the configuration file using your preferred text editor, and add the following to the end of the file. Replace /path/ with the location of the client certificate and key (the location is relative to the client that's connecting to the endpoint).

cert /path/client1.domain.tld.crt
key /path/client1.domain.tld.key

(Option 2) Add the contents of the client certificate between <cert></cert> tags and the contents of the private key between <key></key> tags to the configuration file. If you choose this option, you distribute only the configuration file to your clients.

If you generated separate client certificates and keys for each user that will connect to the Client VPN endpoint, repeat this step for each user.

The following is an example of the format of a Client VPN configuration file that includes the client certificate and key.

client
dev tun
proto udp
remote asdf.cvpn-endpoint-0011abcabcabcabc1.prod.clientvpn.eu-west-2.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
Contents of CA
</ca>
<cert>
Contents of client certificate (.crt) file
</cert>
<key>
Contents of private key (.key) file
</key>
reneg-sec 0
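Editing each user's .ovpn file by hand is error-prone once you issue a separate certificate and key per user. The following is an added Python example, not part of this page or of AWS tooling, that applies Option 2 (inline <cert>/<key> blocks) and Option 1 (cert/key path directives) to an exported configuration. It checks that the certificate and key are each a single well-formed PEM block, refuses to add a second inline pair, and places the blocks directly after </ca> as in the layout above. The exported configuration text, the endpoint hostname and the PEM contents are constructed placeholders.

```python
"""Add a user's certificate and key to an exported AWS Client VPN .ovpn file.

Added example; not code from this page or from AWS. All inputs are constructed.
"""
import re

# Constructed stand-in for the file written by
# `aws ec2 export-client-vpn-client-configuration`; the hostname is a placeholder.
EXPORTED_OVPN = """client
dev tun
proto udp
remote asdf.cvpn-endpoint-EXAMPLE.prod.clientvpn.eu-west-2.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
reneg-sec 0
"""

# Constructed PEM placeholders for one user's certificate and private key.
CLIENT_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   "CONSTRUCTED-CLIENT-CERT\n"
                   "-----END CERTIFICATE-----\n")
CLIENT_KEY_PEM = ("-----BEGIN PRIVATE KEY-----\n"
                  "CONSTRUCTED-CLIENT-KEY\n"
                  "-----END PRIVATE KEY-----\n")

# Exactly one PEM block whose BEGIN and END labels agree.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(?:[^\n]*\n)+?-----END \1-----\n")
_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def _check_pem(pem, allowed_labels):
    """Return normalised PEM text, or raise if it is not a single block with an
    expected label. An encrypted key is rejected on purpose: OpenVPN would
    prompt for a passphrase that the user does not have."""
    text = pem.strip() + "\n"
    m = _PEM_BLOCK.fullmatch(text)
    if m is None or m.group(1) not in allowed_labels:
        raise ValueError("expected one PEM block labelled %s" % sorted(allowed_labels))
    return text


def inline_credentials(ovpn_text, cert_pem, key_pem):
    """Option 2: embed the certificate and key in <cert>/<key> tags.

    The blocks go directly after </ca>, matching the layout above; if the
    file has no <ca> block they are appended at the end instead."""
    if "<cert>" in ovpn_text or "<key>" in ovpn_text:
        raise ValueError("configuration already carries inline credentials")
    cert = _check_pem(cert_pem, {"CERTIFICATE"})
    key = _check_pem(key_pem, _KEY_LABELS)
    block = "<cert>\n" + cert + "</cert>\n" + "<key>\n" + key + "</key>\n"
    if not ovpn_text.endswith("\n"):
        ovpn_text += "\n"
    marker = "</ca>\n"
    idx = ovpn_text.find(marker)
    if idx == -1:
        return ovpn_text + block
    cut = idx + len(marker)
    return ovpn_text[:cut] + block + ovpn_text[cut:]


def reference_credentials(ovpn_text, cert_path, key_path):
    """Option 1: point the configuration at files shipped alongside it.
    The paths are resolved on the connecting client, not where this runs."""
    if not ovpn_text.endswith("\n"):
        ovpn_text += "\n"
    return ovpn_text + "cert %s\nkey %s\n" % (cert_path, key_path)


if __name__ == "__main__":
    print(inline_credentials(EXPORTED_OVPN, CLIENT_CERT_PEM, CLIENT_KEY_PEM))
```

With Option 2 the resulting file contains the user's private key, so generate it per user and deliver it over a channel that only that user can read; with Option 1 the same applies to the key file you ship beside the configuration.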

Access the self-service portal

If you enabled the self-service portal for your Client VPN endpoint, you can provide your clients with a self-service portal URL. Clients can access the portal in a web browser, and use their user-based credentials to log in. In the portal, clients can download the Client VPN endpoint configuration file and they can download the latest version of the AWS provided client.

The following rules apply:

  • The self-service portal is not available for clients that authenticate using mutual authentication.

  • The configuration file that's available in the self-service portal is the same configuration file that you export using the Amazon VPC console or AWS CLI. If you need to customize the configuration file before distributing it to clients, you must distribute the customized file to clients yourself.

  • You must enable the self-service portal option for your Client VPN endpoint, or clients cannot access the portal. If this option is not enabled, you can modify your Client VPN endpoint to enable it.

After you have enabled the self-service portal option, provide your clients with one of the following URLs:

  • https://self-service.clientvpn.amazonaws.com/

    If clients access the portal using this URL, they must enter the ID of the Client VPN endpoint before they can log in.

  • https://self-service.clientvpn.amazonaws.com/endpoints/<endpoint-id>

    Replace <endpoint-id> in the preceding URL with the ID of your Client VPN endpoint, for example, cvpn-endpoint-0123456abcd123456.

You can also view the URL for the self-service portal in the output of the describe-client-vpn-endpoints AWS CLI command. Alternatively, the URL is available in the Summary tab on the Client VPN Endpoints page in the Amazon VPC console.

For more information about configuring the self-service portal for use with federated authentication, see Support for the self-service portal.

View Client VPN endpoints

You can view information about Client VPN endpoints by using the console or the AWS CLI.

To view Client VPN endpoints using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Client VPN Endpoints.

  3. Select the Client VPN endpoint to view.

  4. Use tabs to view the associated target networks, authorization rules, routes, and client connections.

    You can use filters to help refine your search.

To view Client VPN endpoints using the AWS CLI

Use the describe-client-vpn-endpoints command.

Delete a Client VPN endpoint

When you delete a Client VPN endpoint, its state is changed to deleting and clients can no longer connect to it. You must disassociate all associated target networks before you can delete a Client VPN endpoint.

You can delete a Client VPN endpoint by using the console or the AWS CLI.

To delete a Client VPN endpoint (console)

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Client VPN Endpoints.

  3. Select the Client VPN endpoint to delete, choose Actions, choose Delete Client VPN Endpoint, and then Yes, Delete.

To delete a Client VPN endpoint (AWS CLI)

Use the delete-client-vpn-endpoint command.