How do I configure a Client VPN using the AWS CLI?

Short description

To configure a Client VPN using the AWS CLI:

1.    Configure a Client VPN for your specific authentication type: mutual or user-based.

2.    Associate a subnet with the Client VPN that you created in step 1.

3.    Add an authorization rule to grant clients access to the target virtual private cloud (VPC).

4.    (Optional) Add additional routes to the destination network on the Client VPN endpoint, as required.

5.    Download the Client VPN endpoint configuration file to distribute to your clients.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version. API actions for the Client VPN service are available only in the most recent AWS CLI version.

Configure a Client VPN using mutual authentication

1.    Provision the Server certificate and import it into AWS Certificate Manager (ACM). For detailed steps to generate the server and client certificates and keys, see Mutual authentication.

2.    Note the server certificate Amazon Resource Name (ARN) and client certificate ARN.

3.    Use the create-client-vpn-endpoint command. For example, the following command creates an endpoint that uses mutual authentication with a client CIDR block of 172.16.0.0/16.

$ aws ec2 create-client-vpn-endpoint --client-cidr-block 172.16.0.0/16
--server-certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/abc1d23e-45fa-678b-9cd0-ef123a45b678
--authentication-options Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=arn:aws:acm:us-east-1:
1234567890:certificate/abc1d23e-45fa-678b-9cd0-ef123a45b678 }
--connection-log-options Enabled=false

Notes:

• For a client IPv4 CIDR block, specify an IP address range in CIDR notation to assign client IP addresses. For example, 172.16.0.0/16.
• "ClientRootCertificateChainArn" is the ARN for the client certificate. The certificate must be signed by a certificate authority (CA) and provisioned in ACM.

Configure a Client VPN using user-based authentication

Active Directory authentication

1.    For Directory ID, specify the ID of the AWS Active Directory.

2.    Use the create-client-vpn-endpoint command. For example, the following command creates an endpoint that uses Active Directory based authentication with a client CIDR block of 172.16.0.0/16.

$ aws ec2 create-client-vpn-endpoint --client-cidr-block 172.16.0.0/16
--server-certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/abc1d23e-45fa-678b-9cd0-ef123a45b678
--authentication-options
Type=directory-service-authentication,ActiveDirectory={DirectoryId=d-1234567890}
--connection-log-options Enabled=false

Notes:

• Use the “--dns-servers” option to pass custom DNS servers for DNS resolution. A client VPN endpoint can have up to two DNS servers. If no DNS server is specified, the DNS address configured on the local device is used.
• Use the “--transport-protocol” option to set the transport protocol for the VPN session.

Federated authentication (for SAML-based federated authentication)

1.    For SAML provider ARN, specify the ARN of the AWS Identity and Access Management (IAM) Security Assertion Markup Language (SAML) identity provider.

2.    Use the create-client-vpn-endpoint command. For example, the following command creates an endpoint that uses federated authentication with a client CIDR block of 172.16.0.0/16.

$ aws ec2 create-client-vpn-endpoint --client-cidr-block 172.16.0.0/16
--server-certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/abc1d23e-45fa-678b-9cd0-ef123a45b678
--authentication-options Type=federated-authentication,FederatedAuthentication={SAMLProviderArn=arn:aws:iam::123456789012:saml-provider/MySAMLProvider}
--connection-log-options Enabled=false

Note: "SAMLProviderArn" is the ARN of the new SAML provider resource in IAM.

Associate a subnet with the Client VPN

1.    Use the following command to associate a subnet with the Client VPN endpoint that you created in the previous steps.

$  aws ec2 associate-client-vpn-target-network
--client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --subnet-id subnet-0123456789abc123

This action changes the state of the Client VPN to "Available". Local routes for the VPC are automatically added to the Client VPN endpoint route table. The VPC's default security group is automatically applied for the subnet association. You can modify the security group after associating the subnet.

Add an authorization rule to grant clients access to the target VPC

1.    Based on your use case, use one of the following commands to add an authorization rule.

For mutual authentication:

$ aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --target-network-cidr 10.0.0.0/16 --authorize-all-groups

For Active Directory based authentication:

$ aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --target-network-cidr 10.0.0.0/16 --access-group-id S-1-2-34-1234567890-1234567890-1234567890-1234

For federated authentication (using SAML 2.0 where identity provider group is "Engineering"):

$ aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --target-network-cidr 10.0.0.0/16 --access-group-id Engineering

(Optional) Add additional routes to the destination network on the Client VPN endpoint, as required

1.    Use the following command to add additional routes to destination network on the Client VPN endpoint.

$ aws ec2 create-client-vpn-route --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --destination-cidr-block 0.0.0.0/0 --target-vpc-subnet-id subnet-0123456789abcabca

Download the Client VPN endpoint configuration file to distribute to your clients

1.    Download the Client VPN endpoint configuration file to distribute to your clients.

For mutual authentication, append the client certificate and client key to the configuration file:

$ aws ec2 export-client-vpn-client-configuration --client-vpn-endpoint-id cvpn-endpoint-0ab1cd234ef567ab890 --output text>client-config.ovpn