Need help?

Our experts have had an average response time of 13.14 minutes in February 2024 to fix urgent issues.

We will keep your servers stable, secure, and fast at all times for one fixed price.

Configure client VPN using AWS CLI – How to do it

by | Aug 23, 2021

Wondering how to configure client VPN using AWS CLI? We can help you.

As a part of our AWS Support Services, we often receive similar requests from our AWS customers.

Today, let’s see the steps followed by our Support Techs to help our customers.

 

How to configure client VPN using AWS CLI?

Today, let us see the steps followed by our Support Techs for the configuration.

Configure a Client VPN using mutual authentication

1. Firstly, provision the Server certificate and import it into AWS Certificate Manager (ACM). For detailed steps to generate the server and client certificates and keys, see Mutual authentication.

2. Then, note the server certificate Amazon Resource Name (ARN) and client certificate ARN.

3. Finally, use the create-client-vpn-endpoint command.

For example, the following command creates an endpoint that uses mutual authentication with a client CIDR block of 172.16.0.0/16.

$ aws ec2 create-client-vpn-endpoint --client-cidr-block 172.16.0.0/16
--server-certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/abc1d23e-45fa-678b-9cd0-ef123a45b678
--authentication-options Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=arn:aws:acm:us-east-1:
1234567890:certificate/abc1d23e-45fa-678b-9cd0-ef123a45b678 }
--connection-log-options Enabled=false

 

Configure a Client VPN using user-based authentication

Active Directory authentication

1. For Directory ID, specify the ID of the AWS Active Directory.

2. Then, use the create-client-vpn-endpoint command.

For example, the following command creates an endpoint that uses Active Directory based authentication with a client CIDR block of 172.16.0.0/16.

$ aws ec2 create-client-vpn-endpoint --client-cidr-block 172.16.0.0/16
--server-certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/abc1d23e-45fa-678b-9cd0-ef123a45b678
--authentication-options
Type=directory-service-authentication,ActiveDirectory={DirectoryId=d-1234567890}
--connection-log-options Enabled=false

 

Federated authentication (for SAML-based federated authentication)

1.For SAML provider ARN, specify the ARN of the AWS Identity and Access Management (IAM) Security Assertion Markup Language (SAML) identity provider.

2.Then, use the create-client-vpn-endpoint command.

For example, the following command creates an endpoint that uses federated authentication with a client CIDR block of 172.16.0.0/16.

$ aws ec2 create-client-vpn-endpoint --client-cidr-block 172.16.0.0/16
--server-certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/abc1d23e-45fa-678b-9cd0-ef123a45b678
--authentication-options Type=federated-authentication,FederatedAuthentication={SAMLProviderArn=arn:aws:iam::123456789012:saml-provider/MySAMLProvider}
--connection-log-options Enabled=false

 

Associate a subnet with the Client VPN

Use the following command to associate a subnet with the Client VPN endpoint that you created in the previous steps.

$ aws ec2 associate-client-vpn-target-network
--client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --subnet-id subnet-0123456789abc123

This action changes the state of the Client VPN to “Available”.

Local routes for the VPC are automatically added to the Client VPN endpoint route table.

The VPC’s default security group is automatically applied for the subnet association.

You can modify the security group after associating the subnet.

 

Add an authorization rule to grant clients access to the target VPC

Based on your use case, use one of the following commands to add an authorization rule.

For mutual authentication:

$ aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --target-network-cidr 10.0.0.0/16 --authorize-all-groups

Then, for Active Directory based authentication:

$ aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --target-network-cidr 10.0.0.0/16 --access-group-id S-1-2-34-1234567890-1234567890-1234567890-1234

For federated authentication (using SAML 2.0 where identity provider group is “Engineering”):

$ aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --target-network-cidr 10.0.0.0/16 --access-group-id Engineering

 

Download the Client VPN endpoint configuration file to distribute to your clients

Finally, download the Client VPN endpoint configuration file to distribute to your clients.

For mutual authentication, append the client certificate and client key to the configuration file:

$ aws ec2 export-client-vpn-client-configuration --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --output text>client-config.ovpn

 

[Need help with more AWS queries? We’d be happy to assist]

Conclusion

To conclude, today we discussed the steps followed by our Support Engineers configure client VPN using AWS CLI.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Categories

Tags

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF