How do I use the AWS CLI to configure a Client VPN?


I want to use the AWS Command Line Interface (AWS CLI) to configure an AWS Client VPN.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version. API actions for the Client VPN service are available only in the most recent AWS CLI version.

Configure a Client VPN with mutual authentication

To configure a Client VPN with mutual authentication, complete the following steps:

  1. Generate server and client certificates, and then upload the certificates to AWS Certificate Manager (ACM).
  2. Note the server certificate ARN and client certificate ARN.
  3. Run the create-client-vpn-endpoint command. For example, the following command creates an endpoint that uses mutual authentication with a client CIDR block of 172.16.0.0/16:
    $ aws --region us-east-1 ec2 create-client-vpn-endpoint --client-cidr-block 172.16.0.0/16 --server-certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/abc1d23e-45fa-678b-9cd0-ef123a45b678 --authentication-options Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=arn:aws:acm:us-east-1:1234567890:certificate/abc1d23e-45fa-678b-9cd0-ef123a45b678} --connection-log-options Enabled=false

Note:

  • For a client IPv4 CIDR block, specify an IP address range in the CIDR notation to assign client IP addresses.
  • ClientRootCertificateChainArn is the ARN for the client certificate. A certificate authority (CA) must sign the certificate, and you must generate the certificate in ACM.
  • AWS Client VPN is AWS Region specific. Your VPN's Region must match your certificate's Region.
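The three steps above, carried through end to end as an added example that is not part of the AWS article: a private CA, a server and a client certificate generated with openssl, both imported into ACM, and the endpoint created from the resulting ARNs. REGION, CLIENT_CIDR, the file names and the placeholder account ID 111122223333 are assumptions; DRY_RUN=1 (the default) prints the aws commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the AWS article: build a private CA plus a server and
# a client certificate with openssl, import them into ACM, and create the
# endpoint. DRY_RUN=1 (default) only prints the aws commands; openssl runs for
# real. REGION, CLIENT_CIDR and account id 111122223333 are assumed values.
set -eu
REGION="${REGION:-us-east-1}"
CLIENT_CIDR="${CLIENT_CIDR:-172.16.0.0/16}"
DRY_RUN="${DRY_RUN:-1}"
WORK="${WORK:-$(mktemp -d)}"
# Print the command under DRY_RUN, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Issue a leaf certificate signed by the local CA.
# $1 = name (used as CN and file prefix), $2 = extendedKeyUsage value
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'extendedKeyUsage = %s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}
# Import a certificate plus its CA chain into ACM; prints the certificate ARN.
acm_import() {
  run aws --region "$REGION" acm import-certificate \
    --certificate "fileb://$WORK/$1.crt" --private-key "fileb://$WORK/$1.key" \
    --certificate-chain "fileb://$WORK/ca.crt" --query CertificateArn --output text
}

# Step 1: private CA, then server (serverAuth) and client (clientAuth) certs.
# Keep ca.key offline: anyone holding it can mint valid VPN client identities.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=ClientVPN-CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
issue_cert server serverAuth
issue_cert client1 clientAuth
# Step 2: upload to ACM in the endpoint's Region and note both ARNs.
if [ "$DRY_RUN" = 1 ]; then
  acm_import server; acm_import client1
  SERVER_ARN="arn:aws:acm:$REGION:111122223333:certificate/SERVER-PLACEHOLDER"
  CLIENT_ARN="arn:aws:acm:$REGION:111122223333:certificate/CLIENT-PLACEHOLDER"
else
  SERVER_ARN="$(acm_import server)"; CLIENT_ARN="$(acm_import client1)"
fi
# Step 3: create the endpoint. The client cert's ACM entry carries the CA in
# its chain, which is what ClientRootCertificateChainArn must point at.
run aws --region "$REGION" ec2 create-client-vpn-endpoint \
  --client-cidr-block "$CLIENT_CIDR" --server-certificate-arn "$SERVER_ARN" \
  --authentication-options "Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=$CLIENT_ARN}" \
  --connection-log-options Enabled=false
```

Run with DRY_RUN=0 and AWS credentials for the target Region to perform the imports and the endpoint creation for real.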

Configure a Client VPN with user-based authentication

Active Directory authentication

To configure a Client VPN with Active Directory authentication, complete the following steps:

  1. For Directory ID, specify the ID of the AWS Active Directory.
  2. Run the create-client-vpn-endpoint command. For example, the following command creates an endpoint that uses Active Directory-based authentication with a client CIDR block of 172.16.0.0/16:
    $ aws --region us-east-1 ec2 create-client-vpn-endpoint --client-cidr-block 172.16.0.0/16 --server-certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/abc1d23e-45fa-678b-9cd0-ef123a45b678 --authentication-options Type=directory-service-authentication,ActiveDirectory={DirectoryId=d-1234567890} --connection-log-options Enabled=false

Note:

  • Use the --dns-servers option to pass custom DNS servers for DNS resolution. A Client VPN endpoint can have up to two DNS servers. If you don't specify a DNS server, then the DNS address that's configured on the local device is used.
  • Use the --transport-protocol option to set the transport protocol for the VPN session.

Federated authentication (for SAML-based federated authentication)

To configure a Client VPN with federated authentication, complete the following steps:

  1. For SAML provider ARN, specify the ARN of the AWS Identity and Access Management (IAM) Security Assertion Markup Language (SAML) identity provider.
  2. Run the create-client-vpn-endpoint command. For example, the following command creates an endpoint that uses federated authentication with a client CIDR block of 172.16.0.0/16:
    $ aws --region us-east-1 ec2 create-client-vpn-endpoint --client-cidr-block 172.16.0.0/16 --server-certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/abc1d23e-45fa-678b-9cd0-ef123a45b678 --authentication-options Type=federated-authentication,FederatedAuthentication={SAMLProviderArn=arn:aws:iam::123456789012:saml-provider/MySAMLProvider} --connection-log-options Enabled=false
    Note: Replace SAMLProviderArn with the ARN of the SAML provider resource in IAM and MySAMLProvider with the name of your SAML provider.

Associate a subnet with the Client VPN

Run the associate-client-vpn-target-network command to associate a subnet with the Client VPN endpoint:

$ aws --region us-east-1 ec2 associate-client-vpn-target-network --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --subnet-id subnet-0123456789abc123

This action changes the state of the Client VPN to Available. Local routes for the virtual private cloud (VPC) are automatically added to the Client VPN endpoint route table. The VPC's default security group is automatically applied for the subnet association. You can modify the security group after you associate the subnet.

Add an authorization rule to grant clients access to the target VPC

To add an authorization rule, run the authorize-client-vpn-ingress command for the authentication that you use:

Mutual authentication

$ aws --region us-east-1 ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --target-network-cidr 10.0.0.0/16 --authorize-all-groups

Active Directory authentication

$ aws --region us-east-1 ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --target-network-cidr 10.0.0.0/16 --access-group-id S-1-2-34-1234567890-1234567890-1234567890-1234

Federated authentication (SAML 2.0)

$ aws --region us-east-1 ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --target-network-cidr 10.0.0.0/16 --access-group-id MyAccessGroup

Note: Replace MyAccessGroup with the access group ID of the provider group.

(Optional) Run the create-client-vpn-route command to add routes to additional destination networks on the Client VPN endpoint:

$ aws --region us-east-1 ec2 create-client-vpn-route --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --destination-cidr-block 0.0.0.0/0 --target-vpc-subnet-id subnet-0123456789abcabca

Export the Client VPN endpoint configuration file

Export the Client VPN endpoint configuration file, and then distribute this file to your clients.

Note: If you configured your Client VPN with mutual authentication, then run the export-client-vpn-client-configuration command, and then append the client certificate and client key to the exported configuration file:

$ aws --region us-east-1 ec2 export-client-vpn-client-configuration --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --output text > client-config.ovpn
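The export step above, as an added example that is not part of the AWS article: the exported .ovpn profile contains the server side only (the remote host, the <ca> block and the TLS settings), so for mutual authentication each client's own certificate and key are appended as inline <cert> and <key> blocks. REGION, ENDPOINT_ID and the file names are assumptions; export_config needs AWS credentials, while embed_client_credentials works on any exported profile.

```shell
#!/bin/sh
# Added example, not from the AWS article: export the endpoint profile and embed
# one client's certificate and key for mutual authentication. The exported
# .ovpn carries only the server side (remote host, <ca> block, TLS settings),
# so each client needs its own <cert>/<key> appended. REGION and ENDPOINT_ID
# are assumed values.
set -eu
REGION="${REGION:-us-east-1}"
ENDPOINT_ID="${ENDPOINT_ID:-cvpn-endpoint-0ab1cd234ef567ab890}"

# Export the base profile to $1 (needs AWS credentials) and sanity-check it.
export_config() {
  aws --region "$REGION" ec2 export-client-vpn-client-configuration \
    --client-vpn-endpoint-id "$ENDPOINT_ID" --output text > "$1"
  check_profile "$1"
}

# A usable profile has a remote line and the endpoint CA; fail early otherwise.
check_profile() {
  grep -q '^remote ' "$1" && grep -q '^<ca>' "$1"
}

# Append inline <cert>/<key> blocks to a profile.
# $1 = profile, $2 = client certificate (PEM), $3 = client private key (PEM)
# Refuses to double-append and makes the file 0600: the key is a bearer
# credential, and each client gets its own certificate so it can be revoked alone.
embed_client_credentials() {
  check_profile "$1" || { echo "$1 is not an exported Client VPN profile" >&2; return 1; }
  if grep -q '^<cert>' "$1"; then
    echo "$1 already contains a client certificate" >&2; return 1
  fi
  if ! grep -q 'BEGIN .*PRIVATE KEY-----' "$3"; then
    echo "$3 does not look like a PEM private key" >&2; return 1
  fi
  {
    printf '<cert>\n'; cat "$2"; printf '</cert>\n'
    printf '<key>\n';  cat "$3"; printf '</key>\n'
  } >> "$1"
  chmod 600 "$1"
}

# Usage: sh embed.sh client-config.ovpn client1.crt client1.key
if [ $# -eq 3 ]; then
  export_config "$1"
  embed_client_credentials "$1" "$2" "$3"
fi
```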
AWS OFFICIAL, updated 4 months ago