How AWS Client VPN works

With AWS Client VPN, there are two types of user personas that interact with the Client VPN endpoint: administrators and clients.

The administrator is responsible for setting up and configuring the service. This involves creating the Client VPN endpoint, associating the target network, configuring the authorization rules, and setting up additional routes (if required). After the Client VPN endpoint is set up and configured, the administrator downloads the Client VPN endpoint configuration file and distributes it to the clients who need access. The Client VPN endpoint configuration file includes the DNS name of the Client VPN endpoint and authentication information required to establish a VPN session. For more information about setting up the service, see Getting started with AWS Client VPN.
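Because the configuration file carries both the endpoint DNS name and authentication information, it helps to check what a given file contains before distributing it. The following is an added example, not part of the AWS documentation: a small Python inspector for an OpenVPN-format client configuration. The sample file, its hostname and the finding labels are constructed for illustration.

```python
import re

# Constructed sample in OpenVPN client-config syntax; hostname and block bodies are placeholders.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote cvpn-endpoint-EXAMPLE.prod.clientvpn.us-east-1.amazonaws.com 443
remote-cert-tls server
<ca>
PLACEHOLDER-CA-CERTIFICATE
</ca>
<cert>
PLACEHOLDER-CLIENT-CERTIFICATE
</cert>
<key>
PLACEHOLDER-CLIENT-PRIVATE-KEY
</key>
"""

def inspect_ovpn(text):
    """Report the endpoint(s) and the authentication material embedded in a client config."""
    report = {"remotes": [], "inline_blocks": [], "directives": set(), "findings": []}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if block:                                # inside <ca>/<cert>/<key>: skip the body
            if line == f"</{block}>":
                block = None
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:                                    # start of an inline file block
            block = m.group(1)
            report["inline_blocks"].append(block)
            continue
        parts = line.split()
        report["directives"].add(parts[0])
        if parts[0] == "remote" and len(parts) >= 2:
            port = int(parts[2]) if len(parts) >= 3 else None
            report["remotes"].append((parts[1], port))
    if block:                                    # file ended inside a block: likely truncated
        report["findings"].append(f"unterminated-block:{block}")
    if "key" in report["inline_blocks"]:         # private key travels with the file
        report["findings"].append("inline-private-key")
    if "remote-cert-tls" not in report["directives"]:
        report["findings"].append("no-remote-cert-tls")
    return report
```

A file that reports `inline-private-key` is a credential in its own right and should be issued per user over a protected channel rather than shared as a common download.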

The client is the end user. This is the person who connects to the Client VPN endpoint to establish a VPN session. The client establishes the VPN session from their local computer or mobile device using an OpenVPN-based VPN client application. After they have established the VPN session, they can securely access the resources in the VPC in which the associated subnet is located. They can also access other resources in AWS, an on-premises network, or other clients if the required route and authorization rules have been configured. For more information about connecting to a Client VPN endpoint to establish a VPN session, see Getting Started in the AWS Client VPN User Guide.

The following graphic illustrates the basic Client VPN architecture.

Client VPN architecture