Bobcares

Configure client VPN using AWS CLI – How to do it

by | Aug 23, 2021

Wondering how to configure client VPN using AWS CLI? We can help you.

As a part of our AWS Support Services, we often receive similar requests from our AWS customers.

Today, let’s see the steps followed by our Support Techs to help our customers.


How to configure client VPN using AWS CLI?

Today, let us see the steps followed by our Support Techs for the configuration.

Configure a Client VPN using mutual authentication

1. Firstly, provision the Server certificate and import it into AWS Certificate Manager (ACM). For detailed steps to generate the server and client certificates and keys, see Mutual authentication.

2. Then, note the server certificate Amazon Resource Name (ARN) and client certificate ARN.

3. Finally, use the create-client-vpn-endpoint command.

For example, the following command creates an endpoint that uses mutual authentication with a client CIDR block of 172.16.0.0/16.

$ aws ec2 create-client-vpn-endpoint --client-cidr-block 172.16.0.0/16 \
    --server-certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/abc1d23e-45fa-678b-9cd0-ef123a45b678 \
    --authentication-options Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=arn:aws:acm:us-east-1:1234567890:certificate/abc1d23e-45fa-678b-9cd0-ef123a45b678} \
    --connection-log-options Enabled=false


Configure a Client VPN using user-based authentication

Active Directory authentication

1. For Directory ID, specify the ID of the AWS Active Directory.

2. Then, use the create-client-vpn-endpoint command.

For example, the following command creates an endpoint that uses Active Directory based authentication with a client CIDR block of 172.16.0.0/16.

$ aws ec2 create-client-vpn-endpoint --client-cidr-block 172.16.0.0/16 \
    --server-certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/abc1d23e-45fa-678b-9cd0-ef123a45b678 \
    --authentication-options Type=directory-service-authentication,ActiveDirectory={DirectoryId=d-1234567890} \
    --connection-log-options Enabled=false


Federated authentication (for SAML-based federated authentication)

1. For SAML provider ARN, specify the ARN of the AWS Identity and Access Management (IAM) Security Assertion Markup Language (SAML) identity provider.

2. Then, use the create-client-vpn-endpoint command.

For example, the following command creates an endpoint that uses federated authentication with a client CIDR block of 172.16.0.0/16.

$ aws ec2 create-client-vpn-endpoint --client-cidr-block 172.16.0.0/16 \
    --server-certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/abc1d23e-45fa-678b-9cd0-ef123a45b678 \
    --authentication-options Type=federated-authentication,FederatedAuthentication={SAMLProviderArn=arn:aws:iam::123456789012:saml-provider/MySAMLProvider} \
    --connection-log-options Enabled=false


Associate a subnet with the Client VPN

Use the following command to associate a subnet with the Client VPN endpoint that you created in the previous steps.

$ aws ec2 associate-client-vpn-target-network \
    --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --subnet-id subnet-0123456789abc123

This action changes the state of the Client VPN to “Available”.

Local routes for the VPC are automatically added to the Client VPN endpoint route table.

The VPC’s default security group is automatically applied for the subnet association.

You can modify the security group after associating the subnet.


Add an authorization rule to grant clients access to the target VPC

Based on your use case, use one of the following commands to add an authorization rule.

For mutual authentication:

$ aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --target-network-cidr 10.0.0.0/16 --authorize-all-groups

Then, for Active Directory based authentication:

$ aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --target-network-cidr 10.0.0.0/16 --access-group-id S-1-2-34-1234567890-1234567890-1234567890-1234

For federated authentication (using SAML 2.0 where identity provider group is “Engineering”):

$ aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --target-network-cidr 10.0.0.0/16 --access-group-id Engineering


Download the Client VPN endpoint configuration file to distribute to your clients

Finally, download the Client VPN endpoint configuration file to distribute to your clients.

For mutual authentication, append the client certificate and client key to the configuration file:

$ aws ec2 export-client-vpn-client-configuration --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --output text > client-config.ovpn
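The post says to append the client certificate and key to the exported file but does not show how. The following is an added example (not part of the original post): it wraps the export command and embeds the PEM files as inline <cert>/<key> blocks, refusing to run on files that are not a certificate and a private key or on a config that already carries inline credentials. The endpoint ID is the one used in the post; the client PEM file names are assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Exports the Client VPN
# configuration and embeds the client certificate and private key inline
# so the .ovpn can be distributed as a single file.

# Export the endpoint configuration (needs AWS CLI credentials).
export_vpn_config() {
    endpoint_id="$1"; out="$2"
    aws ec2 export-client-vpn-client-configuration \
        --client-vpn-endpoint-id "$endpoint_id" \
        --output text > "$out"
}

# Print a file, guaranteeing a trailing newline so the closing tag
# always lands on its own line (awk 1 re-emits every line with \n).
emit_pem() { awk 1 "$1"; }

# Append <cert>/<key> blocks to an exported .ovpn.
# Sanity checks: both inputs must look like PEM of the right kind, and
# the config must not already contain inline credentials.
embed_client_credentials() {
    config="$1"; cert="$2"; key="$3"
    grep -q 'BEGIN CERTIFICATE' "$cert" || {
        echo "not a PEM certificate: $cert" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$key" || {
        echo "not a PEM private key: $key" >&2; return 1; }
    if grep -q '^<cert>' "$config"; then
        echo "config already has inline credentials: $config" >&2
        return 1
    fi
    {
        printf '<cert>\n'; emit_pem "$cert"; printf '</cert>\n'
        printf '<key>\n';  emit_pem "$key";  printf '</key>\n'
    } >> "$config"
    # The file now contains a private key: restrict it to the owner.
    chmod 600 "$config"
}

# Usage (endpoint ID from the post; client PEM names are assumed):
#   export_vpn_config cvpn-endpoint-0ab1cd234ef567ab890 client-config.ovpn
#   embed_client_credentials client-config.ovpn client1.crt client1.key
```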


Conclusion

To conclude, today we discussed the steps followed by our Support Engineers to configure client VPN using AWS CLI.
