I've created a Client VPN endpoint using a self-signed CA PKI (easy-RSA), and imported my CA cert into the Chain section and the server cert into the Body section in ACM. I exported the .ovpn file and added my client cert and key per the guide.
When I try to connect with the AWS VPN client software, I don't get any log details, nor any error. When I try to connect with a more robust client, I get the following log (IPs removed for privacy):
Oct 17 9:21:21 AM: State changed to Connecting
Oct 17 9:21:21 AM: Viscosity Windows 1.11.3 (1828)
Oct 17 9:21:21 AM: Running on Microsoft Windows 11 Home Single Language 64 bit
Oct 17 9:21:21 AM: Running on .NET Framework Version 4.8.09032.533320
Oct 17 9:21:21 AM: Checking reachability status of connection...
Oct 17 9:21:21 AM: Connection is reachable. Starting connection attempt.
Oct 17 9:21:21 AM: Interface Type: ViscTunTap
Oct 17 9:21:21 AM: Bringing up interface...
Oct 17 9:21:21 AM: OpenVPN 2.6.12 Windows [SSL (OpenSSL)] [LZO] [LZ4] [AEAD]
Oct 17 9:21:21 AM: library versions: OpenSSL 3.0.14 4 Jun 2024, LZO 2.10
Oct 17 9:21:22 AM: Resolving address: "0dd084ecac34.cvpn-endpoint-yyyyyyyyyy.prod.clientvpn.ap-southeast-1.amazonaws.com"
Oct 17 9:21:22 AM: Valid endpoint found: cvpn-endpoint-yyyyyyyyyyyyy.prod.clientvpn.ap-southeast-1.amazonaws.com:443:udp
Oct 17 9:21:23 AM: TCP/UDP: Preserving recently used remote address: [AF_INET]y.y.y.y:443
Oct 17 9:21:23 AM: Socket Buffers: R=[65536->65536] S=[65536->65536]
Oct 17 9:21:23 AM: UDPv4 link local: (not bound)
Oct 17 9:21:23 AM: UDPv4 link remote: [AF_INET]y.y.y.y:443
Oct 17 9:21:23 AM: State changed to Authenticating
Oct 17 9:21:23 AM: TLS: Initial packet from [AF_INET]y.y.y.y:443, sid=e4f8cb21 7922b9f7
Oct 17 9:21:23 AM: VERIFY OK: depth=1, CN=Easy-RSA CA
Oct 17 9:21:23 AM: VERIFY KU OK
Oct 17 9:21:23 AM: Validating certificate extended key usage
Oct 17 9:21:23 AM: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 17 9:21:23 AM: VERIFY EKU OK
Oct 17 9:21:23 AM: VERIFY X509NAME OK: CN=server_name (===> placeholder, matches the steps below)
Oct 17 9:21:23 AM: VERIFY OK: depth=0, CN=server_name
Oct 17 9:21:23 AM: Virtual Adapter Version: 0.7.2.1017
Oct 17 9:22:10 AM: State changed to Disconnecting (Manual)
Oct 17 9:22:10 AM: SIGTERM[hard,] received, process exiting
Oct 17 9:22:10 AM: OpenVPN has exited. Exitcode = -1
Oct 17 9:22:10 AM: State changed to Disconnected
In ACM, "server_name" shows up in the domain column, and I created the certs with the following:
- Set up PKI/CA/server cert:
- ./easyrsa init-pki ==> initialize a new PKI
- ./easyrsa build-ca ==> creates the private ca.key
- ./easyrsa build-server-full server_name
- ==> import the "server_name" crt (starting with -----BEGIN CERTIFICATE-----), the CA cert, and the private key of server_name into ACM
- Finish the setup of the endpoint VPN with the ACM cert and all the other steps for endpoint creation.
- Generate the client cert from the same CA:
- ./easyrsa build-client-full client_name
- ==> import the "client_name" crt (starting with -----BEGIN CERTIFICATE-----) and the private key into my .ovpn file
I've confirmed I don't have any firewall blocking on the client network.
I've confirmed I don't have any Security Group rules blocking (all traffic is allowed inbound and outbound) on the endpoint connection.
I've also confirmed with OpenSSL that my certs are all trusted by the CA.
$ openssl verify -CAfile ../ca.crt server_name.crt
yyyyyyy-vpn.crt: OK
$ openssl verify -CAfile ../ca.crt client_name.crt
vpn-user.crt: OK
What else could be wrong?