AWS Client VPN - Connect using OpenVPN
Updated: Feb 25
A step-by-step guide on how to connect in the AWS Client VPN using OpenVPN
The idea of this post is to show how you can use OpenVPN Connect to establish a tunnel with AWS, by using AWS Client VPN. I’ll explain how AWS Client VPN works in a later post.
OpenVPN is free and open-source software (FOSS) under the GNU GPLv2 license. OpenVPN Connect is a VPN client and is currently available for Android, iOS, Linux, macOS and Windows.
The authentication methods shown in this post are user-based and certificate-based. AWS Client VPN also provides support for MFA. The MFA is only available for Microsoft AD, AD Connector and when it’s enabled in your IdP. Mutual authentication and Simple AD doesn’t support MFA.
Check the links below to download the official client.
A user and password and/or a client certificate
Android, iOS, Linux, macOS or Windows
How to set up
If you’re not using certificate-based authentication, this will only be to suppress the message "Connection Error - Missing external certificate".
Open your terminal
Create a temporary folder mkdir -p /tmp/openvpn-client-certificate
Access the temporary folder cd /tmp/openvpn-client-certificate
Download the EASY RSA git clone https://github.com/OpenVPN/easy-rsa.git
Access the EASY RSA folder cd easy-rsa/easyrsa3
Open the file vars.example
Change the configurations. Example: set_var EASYRSA_REQ_COUNTRY "US" set_var EASYRSA_REQ_PROVINCE "California" set_var EASYRSA_REQ_CITY "San Francisco" set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" set_var EASYRSA_REQ_EMAIL "firstname.lastname@example.org" set_var EASYRSA_REQ_OU "My Organizational Unit" set_var EASYRSA_REQ_CN "My-VPN" set_var EASYRSA_KEY_SIZE 4096 set_var EASYRSA_BATCH "yes"
Save and exit the file
Create the vars file cp vars.example vars
Generate the PKCS 12 archive file by running the commands below
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
./easyrsa build-client-full client-certificate nopass
openssl pkcs12 -export -clcerts -inkey pki/private/client-certificate.key -in pki/issued/client-certificate.crt -out client-certificate.p12 -name "My Client Certificate"
Note: In the last command, you'll need to set a password.
Configuring the OpenVPN
You can follow the steps below to configure your OpenVPN. The steps are the same for all platforms.
Download and install the OpenVPN
Get your client configuration Check this link for more information https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-endpoints.html#cvpn-working-endpoint-export
Open the client configuration in a text editor (it's a file .ovpn)
There is a configuration remote, you’ll need to add a random string before the host. e.g.: remote myrandomstr1ng.cvpn-endpoint-<ID>.prod.clientvpn.<REGION>.amazonaws.com <PORT>
- You’ll see four certificates "blocks". Each block starts with --BEGIN CERTIFICATE-- and ends with --END CERTIFICATE-- Replace the third block to the content mentioned in this post: https://docs.aws.amazon.com/vpn/latest/clientvpn-user/windows-troubleshooting.html#windows-troubleshooting-openvpn-connect-ca Note: This is not exclusive to Windows, but only if you generate the server certificate via AWS Certificate Manager. Check this link for more information https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/troubleshooting.html#resolve-host-name
Save and close the file
Open the OpenVPN Connect
On the top, select "File" and then “Browse”
Choose the file you just downloaded and configured and click on "Open"
Add a profile name (it can be anything), set your username (it’s the same that you login into the AWS Client VPN Self-Service Portal) and then click on "Add"
Now your OpenVPN client is ready to connect to the VPN.
Note: If you don’t have a certificate, the message message "Connection Error - Missing external certificate" will appear every time you try to connect. You can click on "Continue". The "Continue" bottom doesn’t appear in the OpenVPN Connect v2.