May 16, 2024

How can I create a Client VPN endpoint using certificate-based authentication?



Published June 2, 2023, 10:20 p.m. by Liam Bradley


Skip directly to the demo: 0:26

For more details see the Knowledge Center article with this video: https://repost.aws/knowledge-center/vpn-authorize-client-endpoint-cert

Armstrong shows you how to create a Client VPN endpoint using certificate-based authentication.




Hello, I am Armstrong, a cloud support engineer here at the AWS office in Cape Town. Today I'm going to show you how you can create a Client VPN endpoint using certificate-based authentication. Let's get started.

To authenticate the clients, you must generate server and client certificates, as well as client keys, and then upload them to AWS Certificate Manager. I'll be using an Amazon Elastic Compute Cloud instance to generate the certificates and then upload them to ACM. Follow these steps to generate the server and client certificates and keys and upload them to ACM.

If you are using Linux, clone the OpenVPN easy-rsa repo to your local computer, then navigate to the easy-rsa folder. If you are using the Windows desktop, download the latest release for Windows, unzip the folder, and then run the EasyRSA-Start.bat file.

Initialize a new PKI environment. Build a new certificate authority; follow the prompts to build the CA. Generate the server certificate and key. Generate the client certificate and key. In this example, the user is client1; be sure to replace client1 with the name of your user.

Optionally, you can copy the server certificates and keys to a folder. For this video, I'll be copying the server certificates and keys to a folder. Follow these instructions to copy the certificates and keys to a folder.

The following commands use the AWS CLI to upload the client certificate and key to ACM. Replace the region with the region where you intend to create the Client VPN endpoint. Log in to the AWS Management Console and then navigate to the Certificate Manager console to confirm the certificate is uploaded.

Navigate to the VPC management console and choose Client VPN Endpoints in the left navigation pane, then select Create Client VPN Endpoint. Then use the uploaded certificates when you create the Client VPN endpoint: specify the server certificate ARN provided by ACM. You also must choose a client IPv4 CIDR, which is the IP address range assigned to the clients after the VPN is established. Note that the IP address range can't overlap with the VPC CIDR block.

To use the client certificates, you must select mutual authentication and then select the client certificate. Optionally, you can enable client connection logging with CloudWatch Logs and specify custom DNS servers to be used by the clients. Also, you can select UDP or TCP as the transport protocol. You can also enable split tunnel to be sure that internet traffic is not going through the VPN.

To enable clients to establish a VPN session, you must associate a target network with the Client VPN endpoint. A target network is a subnet in a VPC. One subnet association is enough for clients to access a VPC's entire network if authorization rules permit this. You can associate additional subnets to provide high availability if an Availability Zone goes down.

To authorize clients to access the VPC, create an authorization rule. The authorization rule specifies the clients that can access the VPC.

The final step is to download and prepare the Client VPN endpoint configuration file. Provide this file to the clients so that they can upload the configuration settings into their VPN client application.

And this is how to create a Client VPN endpoint that uses certificate-based authentication, by using easy-rsa to generate the certificates and uploading them to AWS Certificate Manager. Thanks for watching, and happy cloud computing from all of us here at AWS.
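The certificate part of the procedure above, as an added example that is not code from the video or the Knowledge Center article: it builds the same PKI (CA, server certificate, one client certificate) with plain openssl as a stand-in for easy-rsa, checks that each issued certificate actually chains to the CA before anything is uploaded, and prints the two `aws acm import-certificate` commands the video describes. The output folder, the CA name and the default user name `client1.domain.tld` are constructed for the example; the AWS CLI commands are printed rather than executed, so the script runs without credentials.

```shell
#!/bin/sh
# Added example (not from the video or the Knowledge Center article).
# Builds the PKI the video describes with openssl instead of easy-rsa, checks that
# every issued certificate chains to the CA, and prints the ACM import commands.
# Assumptions: openssl is installed; the AWS CLI commands are printed, not run.
set -eu

PKI_DIR="${PKI_DIR:-${TMPDIR:-/tmp}/clientvpn-pki}"   # hypothetical output folder
CLIENT="${CLIENT:-client1.domain.tld}"               # replace with the name of your user
CA_CN="ClientVPN Demo CA"                            # constructed sample CA name

# Self-signed root CA, the equivalent of easy-rsa "build-ca nopass": the key is
# written unencrypted, so the folder is made private to the current user.
make_ca() {
  mkdir -p "$PKI_DIR"
  chmod 700 "$PKI_DIR"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$CA_CN" \
    -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.csr" 2>/dev/null
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' \
    > "$PKI_DIR/ca.ext"
  openssl x509 -req -days 3650 -in "$PKI_DIR/ca.csr" -signkey "$PKI_DIR/ca.key" \
    -extfile "$PKI_DIR/ca.ext" -out "$PKI_DIR/ca.crt" 2>/dev/null
  chmod 600 "$PKI_DIR/ca.key"
}

# issue_cert NAME KIND: key, CSR and CA-signed certificate for NAME. KIND selects
# the extended key usage: "server" for the endpoint, anything else for a client.
issue_cert() {
  name="$1"; kind="$2"
  if [ "$kind" = server ]; then eku=serverAuth; else eku=clientAuth; fi
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$PKI_DIR/$name.key" -out "$PKI_DIR/$name.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = %s\n' \
    "$eku" > "$PKI_DIR/$name.ext"
  openssl x509 -req -days 825 -in "$PKI_DIR/$name.csr" \
    -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
    -extfile "$PKI_DIR/$name.ext" -out "$PKI_DIR/$name.crt" 2>/dev/null
  chmod 600 "$PKI_DIR/$name.key"
}

# Build the whole PKI: CA, server certificate, and one client certificate.
make_pki() {
  make_ca
  issue_cert server server
  issue_cert "$CLIENT" client
}

# verify_cert NAME: succeeds only if NAME.crt chains to ca.crt. Mutual
# authentication on the endpoint relies on exactly this relationship, and ACM
# needs the same chain (ca.crt) supplied on import.
verify_cert() {
  openssl verify -CAfile "$PKI_DIR/ca.crt" "$PKI_DIR/$1.crt" >/dev/null 2>&1
}

# acm_import_cmds REGION: print the two AWS CLI commands from the video, one for
# the server certificate and one for the client certificate, targeting REGION.
acm_import_cmds() {
  region="$1"
  for name in server "$CLIENT"; do
    printf 'aws acm import-certificate --region %s --certificate fileb://%s/%s.crt --private-key fileb://%s/%s.key --certificate-chain fileb://%s/ca.crt\n' \
      "$region" "$PKI_DIR" "$name" "$PKI_DIR" "$name" "$PKI_DIR"
  done
}

# Stand-alone run: build the PKI, verify each leaf, and show what would be uploaded.
make_pki
for name in server "$CLIENT"; do
  if verify_cert "$name"; then
    echo "ok: $name.crt chains to $PKI_DIR/ca.crt"
  else
    echo "FAIL: $name.crt does not chain to the CA, do not upload it" >&2
    exit 1
  fi
done
acm_import_cmds "${AWS_REGION:-us-east-1}"
```

Run it as `CLIENT=alice.example.internal AWS_REGION=eu-west-1 sh make-clientvpn-pki.sh`; the region you pass must be the one where the Client VPN endpoint will be created, because the server certificate ARN you enter on the endpoint form has to come from ACM in that same region. Only the server certificate's ARN is needed by the endpoint; the client certificate is selected separately under mutual authentication, and the client's key never leaves the folder except through the configuration file you hand to that user.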
