How to create AWS Client VPN

Mutual Authentication

  1. Clone the OpenVPN easy-rsa repo to your local computer.
    $ git clone
  2. Navigate into the easy-rsa/easyrsa3 folder in your local repo.
    $ cd easy-rsa/easyrsa3
  3. Initialize a new PKI environment.
    $ ./easyrsa init-pki
  4. Build a new certificate authority (CA).
    $ ./easyrsa build-ca nopass
    Follow the prompts to build the CA.
  5. Generate the server certificate and key.
    $ ./easyrsa build-server-full server nopass
  6. Generate the client certificate and key.
    Make sure to save the client certificate and the client private key because you will need them when you configure the client.
    $ ./easyrsa build-client-full client1.domain.tld nopass
    You can optionally repeat this step for each client (end-user) that requires a client certificate and key.
  7. Copy the server certificate and key and the client certificate and key to a custom folder and then navigate into the custom folder.
    Before you copy the certificates and keys, create the custom folder by using the mkdir /custom_folder command.
    $ mkdir /custom_folder/
    $ cp pki/ca.crt /custom_folder/
    $ cp pki/issued/server.crt /custom_folder/
    $ cp pki/private/server.key /custom_folder/
    $ cp pki/issued/client1.domain.tld.crt /custom_folder
    $ cp pki/private/client1.domain.tld.key /custom_folder/
    $ cd /custom_folder/
  8. Upload the server certificate and key to ACM.
    $ aws acm import-certificate --certificate file://server.crt --private-key file://server.key --certificate-chain file://ca.crt --region region
    Be sure to upload the certificate and key in the same region in which you intend to create the Client VPN endpoint.
  9. Upload the client certificate and key to ACM.
    $ aws acm import-certificate --certificate file://client1.domain.tld.crt --private-key file://client1.domain.tld.key --certificate-chain file://ca.crt --region region

Create a Client VPN Endpoint

Associate a subnet with the Client VPN endpoint

Authorize Clients

Configure Security Groups

Check the security group of the Client VPN endpoint.

The Bastion host's security group should allow inbound traffic from the Client VPN endpoint's security group above.

Download the Client VPN Endpoint Configuration file

The downloaded file name should be downloaded-client-config.

Edit the configuration file: add a random string (for example xyzabc) to the endpoint DNS name on the remote line.

Add the <cert> and <key> tags: the content of <cert> is the client certificate from step 7 of Mutual Authentication (client1.domain.tld.crt), and the content of <key> is the client private key (client1.domain.tld.key).
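The profile edit above, as an added example that is not part of the original post: a small POSIX shell function that prepends the random string to the remote line and embeds the client certificate and key from step 7 into downloaded-client-config. The function name and the sample input files are constructed for this demonstration; it also strips the text dump easy-rsa writes above the PEM block and locks down the file permissions, since the profile now carries a private key.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the downloaded
# config, client1.domain.tld.crt and client1.domain.tld.key from step 7,
# and the random prefix (xyzabc); sample inputs below are constructed.
set -eu

make_client_config() {
  # $1 downloaded config, $2 client cert, $3 client key, $4 random prefix, $5 output
  cfg="$1"; cert="$2"; key="$3"; prefix="$4"; out="$5"
  # Prepend the random string to the endpoint DNS name on the "remote" line
  # (e.g. "remote cvpn-endpoint-..." becomes "remote xyzabc.cvpn-endpoint-...").
  sed "s/^remote /remote ${prefix}./" "$cfg" > "$out"
  # Embed only the PEM blocks: easy-rsa puts a human-readable dump above
  # "-----BEGIN CERTIFICATE-----" in issued .crt files; the profile does not need it.
  {
    printf '<cert>\n'
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$cert"
    printf '</cert>\n<key>\n'
    sed -n '/^-----BEGIN.*PRIVATE KEY-----$/,/^-----END.*PRIVATE KEY-----$/p' "$key"
    printf '</key>\n'
  } >> "$out"
  chmod 600 "$out"   # the profile now holds the client private key
}

# Constructed sample inputs with placeholder PEM bodies (not real key material).
work=$(mktemp -d)
printf '%s\n' 'client' 'dev tun' 'proto udp' \
  'remote cvpn-endpoint-0123456789abcdef0.prod.clientvpn.us-east-1.amazonaws.com 443' \
  > "$work/downloaded-client-config"
printf '%s\n' 'Certificate:' '    Subject: CN=client1.domain.tld' \
  '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CLIENT-CERT' '-----END CERTIFICATE-----' \
  > "$work/client1.domain.tld.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-CLIENT-KEY' '-----END PRIVATE KEY-----' \
  > "$work/client1.domain.tld.key"

OUT="$work/client1.ovpn"
make_client_config "$work/downloaded-client-config" "$work/client1.domain.tld.crt" \
  "$work/client1.domain.tld.key" xyzabc "$OUT"
cat "$OUT"
```

Import the resulting client1.ovpn into the OpenVPN client in place of the raw downloaded-client-config.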

Set up OpenVPN

Download OpenVPN from

Install -> Import the configuration file (downloaded-client-config) from the previous step -> Connect

Once connected, the VPN connection assigns you an IP address.

Access the Bastion server via the VPN connection

Use the Bastion host's private IP address to connect over the VPN.
