How can I configure multiple users to use the same Client VPN endpoint?

0

I have created aws client vpn using certificate authentication i want to connect multiple users with same endpoints with different certificate.

  1. I have generated server certificate and server key and imported it to aws acm.
  2. After that i have created aws client vpn endpoint using same server arn and by choosing mutual authentication i select client arn.
  3. After creating i download the configuration file and paste the same server certificate and client key then i can connect with client vpn.

Now i want multiple user can connect with that endpoints with different server certificate and client key and i can also able to see that user in connection tab.

5 Answers
1
Accepted Answer

Hi Ashutosh, I recreated the entire environment in my lab and I can confirm that what we already discussed should work.

In my case, as Certificate Authority to create both Server and Client certificates I used AWS Private CA, but again, you can use any Certificate Authority you like, better if used o generate both client and server certificates.

One thing that I missed during the various steps, is that client certificates needs either to be generated with the nopass command, or when exported (in my case from ACM) then you need to decrypt the private key before pasting it into the vpn client configuration file, otherwise the client would not be able to connect.

After all of this, in the Connection pane of the VPN endpoint you will see the client name in the Common Name column.

Can I ask what are you using to generate the server and client certificates ?

profile pictureAWS
answered 8 months ago
profile picture
EXPERT
reviewed 6 months ago
  • Hi, Thanks for reply but i have already did this can you please share your lab video so that i can easily relate with my environment if you don't have any problem with sharing.

0

Hi Ashutosh, the only way to make that happen is to create a different client certificate for every client you want to connect:

client1.domain.tld client2.domain.tld client3.domain.tld

That should allow you to both recognize them in the connection tab and also to be able to revoke a specific client certificate if you need to.

Are you already doing this ?

profile pictureAWS
answered 8 months ago
  • yes i already did that

  • when i generate like this client1.domain.tld client2.domain.tld client3.domain.tld and try to paste in configuration file i am not able to make connection with vpn

0

Hi Ashutosh, I might be missing some bits here, however, if you want multiple users to connect to the same Client VPN Endpoint using Mutual Authentication, and being able to see them in the connection tab, you do need a different client certificate for each of them, but one single server certificate in use for the endpoint is enough.

There is a good article here that actually explains how to achieve it:

How can I configure multiple users to use the same Client VPN endpoint? https://repost.aws/knowledge-center/client-vpn-multiple-users-same-endpoint

The Client VPN Endpoint allows to specify only one single server certificate. You can change it if you like, but still, as far as I know, only one would be in use at any given time.

Can I ask you why you would like to have different server certificates ?

profile pictureAWS
answered 8 months ago
  • When i run command to generate .cert and .key and upload it to configuration file i can not connect to client vpn because i think when i first time create server certificate and upload it to acm and from that i created a client vpn endpoint so when i generated new one locally for new user and try to connect with that i face issue in connection

0

Hi Ashutosh, are the Server Certificate and Client Certificate generated from the same Certificate Authority ?

If not, you have to upload to ACM the Client certificate as well.

If the CA is the same for both Client and Server, in the Client VPN endpoint configuration you have to specify the server certificate ARN for the client certificate filed as well

profile pictureAWS
answered 8 months ago
  • I generated server and client certificate from same certificate authority and upload it to acm , and when i try to connect it connected successfully but i want that when other user connect it i can recognise them in connection tab but i only see same comman name client1.domain.tld

0

Hi Ashutosh, You said:

"when i generate like this client1.domain.tld client2.domain.tld client3.domain.tld and try to paste in configuration file i am not able to make connection with vpn"

Just to be on the safe side, every client needs to have its own certificate and its own configuration file. If you successfully created the certificate and the configuration file for client1, then you simply have to repeat the same process for client 2 and client 3, always starting from the configuration file template you can download from the Client VPN Endpoint in the AWS Console, and adding the <cert></cert> and <key></key> sections, after the <ca></ca> section, with the specific certificate and key you generated for the client.

Are you using easy-rsa to generate certificates ? If so, AWS documentation describe the step by step process to create both server and client certificates using east-rsa here: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/mutual.html

Lastly, when you created the client VPN Endpoint configuration in the AWS console, what certificate did you select in the section "Client certificate ARN" ? If all your certificates, client and server, are generated from the same CA, here you need to specify again the SERVER certificate:

*Client certificate ARN If the server and client certificates are signed by the same certificate authority (CA), you have the option of specifying the server certificate ARN for both the client and server certificates. In this scenario, any client certificate that corresponds with the server certificate can be used to authenticate. *

Please note that this is somethign you cannot modify in an existing Client VPN Endpoint, but you are able to verify in the configuration details if you actually specified the same certificate for both "Server Certificate ARN" and "Client Certificate ARN". If you find that those are different, you need to delete/recreate the existing endpoint, or to create a new one.

profile pictureAWS
answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions