• Matheus Lozano

AWS Client VPN  - Connect using OpenVPN

Updated: Feb 25

A step-by-step guide on how to connect in the AWS Client VPN using OpenVPN

Replica: https://lozanomatheus.medium.com/3c411100220a?source=friends_link&sk=848f9c4f974840ce58e100e6780d5ce6


The idea of this post is to show how you can use OpenVPN Connect to establish a tunnel with AWS, by using AWS Client VPN. I’ll explain how AWS Client VPN works in a later post.

OpenVPN is free and open-source software (FOSS) under the GNU GPLv2 license. OpenVPN Connect is a VPN client and is currently available for Android, iOS, Linux, macOS and Windows.

The authentication methods shown in this post are user-based and certificate-based. AWS Client VPN also provides support for MFA. The MFA is only available for Microsoft AD, AD Connector and when it’s enabled in your IdP. Mutual authentication and Simple AD doesn’t support MFA.


Check the links below to download the official client.


  • A user and password and/or a client certificate

  • Android, iOS, Linux, macOS or Windows

  • Internet connection

How to set up

Client certificate

If you’re not using certificate-based authentication, this will only be to suppress the message "Connection Error - Missing external certificate".

Additional pre-requirements

  • Git

  • OpenSSL


  1. Open your terminal

  2. Create a temporary folder mkdir -p /tmp/openvpn-client-certificate

  3. Access the temporary folder cd /tmp/openvpn-client-certificate

  4. Download the EASY RSA git clone https://github.com/OpenVPN/easy-rsa.git

  5. Access the EASY RSA folder cd easy-rsa/easyrsa3

  6. Open the file vars.example

  7. Change the configurations. Example: set_var EASYRSA_REQ_COUNTRY "US" set_var EASYRSA_REQ_PROVINCE "California" set_var EASYRSA_REQ_CITY "San Francisco" set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" set_var EASYRSA_REQ_EMAIL "me@example.net" set_var EASYRSA_REQ_OU "My Organizational Unit" set_var EASYRSA_REQ_CN "My-VPN" set_var EASYRSA_KEY_SIZE 4096 set_var EASYRSA_BATCH "yes"

  8. Save and exit the file

  9. Create the vars file cp vars.example vars

  10. Generate the PKCS 12 archive file by running the commands below

./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
./easyrsa build-client-full client-certificate nopass
openssl pkcs12 -export -clcerts -inkey pki/private/client-certificate.key -in pki/issued/client-certificate.crt -out client-certificate.p12 -name "My Client Certificate"

Note: In the last command, you'll need to set a password.

Configuring the OpenVPN

You can follow the steps below to configure your OpenVPN. The steps are the same for all platforms.

  1. Download and install the OpenVPN

  2. Get your client configuration Check this link for more information https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-endpoints.html#cvpn-working-endpoint-export

  3. Open the client configuration in a text editor (it's a file .ovpn)

  4. There is a configuration remote, you’ll need to add a random string before the host. e.g.: remote myrandomstr1ng.cvpn-endpoint-<ID>.prod.clientvpn.<REGION>.amazonaws.com <PORT>

  5. - You’ll see four certificates "blocks". Each block starts with --BEGIN CERTIFICATE-- and ends with --END CERTIFICATE-- Replace the third block to the content mentioned in this post: https://docs.aws.amazon.com/vpn/latest/clientvpn-user/windows-troubleshooting.html#windows-troubleshooting-openvpn-connect-ca Note: This is not exclusive to Windows, but only if you generate the server certificate via AWS Certificate Manager. Check this link for more information https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/troubleshooting.html#resolve-host-name

  6. Save and close the file

  7. Open the OpenVPN Connect

  8. On the top, select "File" and then “Browse”

  9. Choose the file you just downloaded and configured and click on "Open"

  10. Add a profile name (it can be anything), set your username (it’s the same that you login into the AWS Client VPN Self-Service Portal) and then click on "Add"

Now your OpenVPN client is ready to connect to the VPN.

Note: If you don’t have a certificate, the message message "Connection Error - Missing external certificate" will appear every time you try to connect. You can click on "Continue". The "Continue" bottom doesn’t appear in the OpenVPN Connect v2.

Read More

Administrator Guide

User Guide

AWS VPN options