
AWS Client VPN on Ubuntu 22.04?

16

Hi community,

When launching AWS Client VPN on Ubuntu 22.04, it briefly opens but suddenly crashes. Do you guys plan to support the client in Ubuntu 22.04?

Thanks in advance.

20 Answers
3

Seems AWS should update (or the dependency they are using?) their SW to use libssl3, instead of the not-included libssl1.1. You can install it manually (assuming 64-bit Linux architecture on Intel/AMD here):

wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.16_amd64.deb
dpkg -i ./libssl1.1_1.1.1f-1ubuntu2.16_amd64.deb

Though the version keeps changing there, so please look out for the latest one via http://security.ubuntu.com/ubuntu/pool/main/o/openssl.

answered 4 years ago
3

The following package addition should help.

wget http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.0g-2ubuntu4_amd64.deb
sudo dpkg -i libssl1.1_1.1.0g-2ubuntu4_amd64.deb
answered 3 years ago
2

For Ubuntu 23.04 to work you need two steps:

  1. You have to install libssl1 as specified in the rest of the posts
  2. You have to set the DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 in your environment, best thing is to add to your ~/.bashrc file the entry export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
  3. You need to change your service file /etc/systemd/system/awsvpnclient.service. In particular you need to add the line Environment=DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1. Your end file will look like:
[Service]
Type=simple
ExecStart=/opt/awsvpnclient/Service/ACVC.GTK.Service
Restart=always
RestartSec=1s
User=root
Environment=DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1

[Install]
WantedBy=multi-user.target

This solves the "Unknown error occurred. Try again."

answered 3 years ago
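
The same `Environment=` setting can be applied through a systemd drop-in instead of editing `awsvpnclient.service` directly, so it survives a package upgrade that rewrites the unit file (a later reply on this page reports exactly that). This is an added example, not code from the thread or from AWS; the drop-in file name `10-dotnet-invariant.conf` and the `--apply` switch are assumptions.

```shell
#!/bin/sh
# Added example: set DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 for the VPN
# service via a drop-in (<unit>.d/*.conf), which systemd merges on top of
# the unit file. Environment= lines from drop-ins add to those in the unit.

UNIT=awsvpnclient.service
VAR='DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1'

# has_invariant_env [DIR]: succeeds if the unit file or any drop-in under
# DIR already sets VAR on a non-commented Environment= line.
has_invariant_env() {
    dir=${1:-/etc/systemd/system}
    pat="^[[:space:]]*Environment=(.*[[:space:]\"])?${VAR}([[:space:]\"]|\$)"
    for f in "$dir/$UNIT" "$dir/$UNIT.d"/*.conf; do
        [ -f "$f" ] || continue
        grep -Eq "$pat" "$f" && return 0
    done
    return 1
}

# write_dropin [DIR]: create the drop-in unless the variable is already set.
# Prints the path of the file it wrote; prints nothing when no change is needed.
write_dropin() {
    dir=${1:-/etc/systemd/system}
    has_invariant_env "$dir" && return 0
    dropin="$dir/$UNIT.d/10-dotnet-invariant.conf"   # assumed file name
    mkdir -p "$dir/$UNIT.d" || return 1
    printf '[Service]\nEnvironment=%s\n' "$VAR" > "$dropin" || return 1
    chmod 0644 "$dropin"
    echo "$dropin"
}

# Run as root with --apply to change the live system and restart the service.
if [ "${1:-}" = "--apply" ]; then
    write_dropin && systemctl daemon-reload && systemctl restart "$UNIT"
fi
```

`systemctl show -p Environment awsvpnclient.service` shows the merged result after the reload.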
2
answered 2 years ago
  • I've installed it on my ubuntu24.04 and it works great!

1

The problem seems to be related to dotnet not using the libssl3 (which is the only choice available in 22.04).

Installing libssl1.1 from Ubuntu 20.04 seems to solve the issue.

answered 4 years ago
1
answered 4 years ago
1

Had the same issue on Ubuntu 23.04. Kept getting "Unable to connect" after a successful authentication. This did the trick - https://askubuntu.com/questions/1406567/amazon-workspaces-client-not-working-on-22-04

Perhaps someone at @aws can provide an official fix so we don't have to make this workaround?

system specs error

answered 3 years ago
1

Any update on the support for 23.04?

answered 3 years ago
1

All issues on Ubuntu 24.04 are summarized in this bash script https://pastebin.com/SzWX9bTT that checks requirements and launches the AWS VPN client from the command line, useful in case the installation of a newer version overwrites the awsvpnclient.service file

answered 2 years ago
1

Ubuntu20 is now 4 years old, and the current version is Ubuntu24 ... and we still would need to use a work-around that is not even officially documented... This is quite worrisome.

At this point we must start to plan for alternative VPNs in order to maintain security on our workstations, while still being able to connect into our AWS networks... or even further, start to plan a migration off AWS as they seem to not have any interest in supporting modern versions of desktop Linux.

AWS Support Reps... Honestly, at this point in time, should we (the users and paying customers) expect an update any time soon for support for the AWS VPN Client on >Ubuntu20?

Or is this a lost hope?

answered 2 years ago
1

I followed the workarounds mentioned here, and they worked until the last update. Thank you, everyone, for investigating and suggesting fixes. Unfortunately, the release notes for v3.14.0 are too vague, and I don't know what the current libssl version is that is expected.

The issue started after I upgraded to AWS VPN Client v3.14.0 "Updated the OpenVPN and OpenSSL libraries." https://docs.aws.amazon.com/vpn/latest/clientvpn-user/client-vpn-connect-linux.html#client-vpn-connect-linux-release-notes

The error I have is "Unknown error occurred. Try again". I already tried libssl 1.1, but it's failing, so I will continue testing with other versions and see if I find a suitable one.

answered 2 years ago
0

I have contacted AWS support about this and their response is pretty much that they're not actively maintaining the Client VPN for Linux. I was told that there is an open feature request to support the current Ubuntu LTS release, but apparently this isn't planned yet. (Due to a combination of lack of customer interest / lack of maintenance of the Linux client)

If you're planning to use the Client VPN from Linux I would suggest you open a case and request them to resume basic maintenance of the client, as they're obviously not proactive with this kind of thing otherwise.

answered 3 years ago
  • In a recent communication they have let me know that support for Ubuntu 22.04 is under active development. No specific ETA yet, but it sounds like it's in the pipeline.

0

Ubuntu 24.04 was just released but the VPN issues are always the same; an upgraded client will be the only option. To make the connection work in some way:

1 - install libssl1.1
wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.0g-2ubuntu4_amd64.deb
sudo dpkg -i libssl1.1_1.1.0g-2ubuntu4_amd64.deb

2 - Fix DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 as explained by @carcaroli a couple of posts ahead https://repost.aws/questions/QUNJeF_ja_Suykous7EvfX5Q/aws-client-vpn-on-ubuntu-22-04#AN2pw6_MZ-SmefMHxWKI7m1g

3 - You still won't be able to launch the client since the error ".desktop file doesn't specify Exec value" appears, in /usr/share/applications/awsclient.desktop the line is: Exec=/opt/awsclient/ AWS\ VPN\ Client %u ... that seems correct

4 - Launch /opt/awsclient/ AWS\ VPN\ Client from terminal; the application finally starts and you can connect to the VPN. A lot of logging will start to fill your terminal

5 - If you close the terminal, you will kill the UI also, but the daemon will still be running in the background and you can continue to use your VPN connection.

It's clear that a new client is needed to fit newer Ubuntu LTS versions; the steps to adapt the system are starting to be too many and the user experience is getting worse

answered 2 years ago
  • I followed these instructions for Ubuntu 24.04. They were successful in that I was able to launch the GUI and import my config file. But the connections fail. Nothing posted in the terminal. We are using Identity Center with a SAML Auth.

0

I am getting this in Ubuntu 23.04 and Debian 12 (same config is working in Debian 11 and Ubuntu 22). Config is federated with Okta

2023-10-18 08:09:43.091 -05:00 [DBG] Received exception for connection state Disconnected. Show error message to user
2023-10-18 08:09:43.091 -05:00 [ERR] Exception received by connect window view model
Tmds.DBus.ConnectException: Connection refused awsvpnclient
 ---> System.Net.Internals.SocketExceptionFactory+ExtendedSocketException (111): Connection refused awsvpnclient
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.Net.Sockets.Socket.UnsafeBeginConnect(EndPoint remoteEP, AsyncCallback callback, Object state, Boolean flowContext)
   at System.Net.Sockets.Socket.BeginConnect(EndPoint remoteEP, AsyncCallback callback, Object state)
   at System.Net.Sockets.Socket.ConnectAsync(EndPoint remoteEP)
   at System.Net.Sockets.SocketTaskExtensions.ConnectAsync(Socket socket, EndPoint remoteEP)
   at Tmds.DBus.Transports.TransportSocket.ConnectAsync(EndPoint endPoint)
   at Tmds.DBus.Transports.TransportSocket.ConnectUnixAsync(AddressEntry entry, CancellationToken cancellationToken, Boolean supportsFdPassing)
   at Tmds.DBus.Transports.Transport.ConnectAsync(AddressEntry entry, ClientSetupResult connectionContext, CancellationToken cancellationToken)
   at Tmds.DBus.DBusConnection.ConnectAsync(ClientSetupResult connectionContext, Action`1 onDisconnect, CancellationToken cancellationToken)
   at Tmds.DBus.Connection.DoConnectAsync()
   --- End of inner exception stack trace ---
   at Tmds.DBus.Connection.DoConnectAsync()
   at Tmds.DBus.Connection.ConnectAsync()
   at ACVC.Core.OpenVpn.OvpnGtkServiceClient.StartVpnAsync(String[] ovpnConfigFileContents, String[] managementPortPasswordFileContents) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnGtkServiceClient.cs:line 24
   at ACVC.Core.OpenVpn.OvpnGtkProcessManager.Start(String openVpnConfigPath, String managementPortPasswordFile, Int32 timeoutMilliseconds) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnProcessManager.cs:line 750
   at ACVC.Core.OpenVpn.OvpnConnectionManager.Connect(OvpnConnectionProfile configProfile, GetCredentialsCallback getCredentialsCallback, Int32 timeout) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConnectionManager.cs:line 989
2023-10-18 08:09:43.099 -05:00 [DBG] Inserted event UI_APP_VPN_CONNECT_GENERAL_ERROR 1 to MetricsTable
2023-10-18 08:09:43.101 -05:00 [DBG] Inserted event UI_APP_VPN_CONNECT_GENERAL_ERROR 1 to AnalyticsTable
2023-10-18 08:09:43.103 -05:00 [DBG] Inserted event UI_APP_VPN_CONNECT_ATTEMPT_FAIL_UNCATEGORIZED_ERROR 1 to MetricsTable
2023-10-18 08:09:43.105 -05:00 [DBG] Inserted event UI_APP_VPN_CONNECT_ATTEMPT_FAIL_UNCATEGORIZED_ERR 1 to AnalyticsTable
2023-10-18 08:09:43.105 -05:00 [DBG] Clean up connections. Connection state: Connecting
answered 3 years ago
0

I have installed libssl1.1 and set the DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 in my .bashrc

but in Ubuntu 24.04 I don't have this path /opt/awsvpnclient/AWS\ VPN\ Client %u to launch the client.

In the systemd service, ExecStart=/opt/awsvpnclient/Service/ACVC.GTK.Service has this path.

Can anyone help me?

Thanks in advance.

answered 2 years ago
0

The path is /opt/awsvpnclient/AWS\ VPN\ Client. You can drop the %u bit added in the .desktop file if you want to run AWS Client VPN from terminal directly.

answered 2 years ago
0

We are negatively impacted by this lack of feature support. It is very insecure to have to downgrade openssl libraries just so we can use AWS VPN. It is indeed tempting to set up our own OpenVPN with SSO integration so that we can actually support our Linux users.

Please either publish a fix, or deprecate the Linux client entirely... this half broken version does no one any good.

answered 2 years ago
0

In case you're having troubles with the desktop entry

 sudo ln -s /opt/awsvpnclient/AWS\ VPN\ Client  /usr/bin/awsvpnclient

and use that in the exec of the desktop entry located at /usr/share/applications/awsvpnclient.desktop

[Desktop Entry]
Type=Application
Encoding=UTF-8
Name=AWS VPN Client
Comment=AWS VPN Client
Exec=/usr/bin/awsvpnclient %u
Terminal=false
Categories=Network;VPN;
Keywords=vpn;aws;
answered 2 years ago
0

Working for me after installing libssl1.1_1.1.1f-1ubuntu.x, hunted latest build here

wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.23_amd64.deb
sudo dpkg -i ./libssl1.1_1.1.1f-1ubuntu2.23_amd64.deb
answered 2 years ago
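
The `wget` plus `dpkg -i` steps in several answers fetch the package over plain HTTP and bypass the hash check that apt normally performs. As an added example (not from the thread or from AWS), this compares a downloaded .deb with the `SHA256` field recorded for its pool path in an APT `Packages` index before installation. It assumes you have a decompressed `Packages` file taken from a release whose signed `InRelease` was verified; the script does not perform that signature step.

```shell
#!/bin/sh
# Added example: verify a manually downloaded .deb against the SHA256 listed
# in an APT Packages index before handing it to dpkg.

# packages_sha256 PACKAGES_FILE POOL_PATH
# Prints the SHA256 of the stanza whose "Filename:" equals POOL_PATH.
packages_sha256() {
    awk -v want="$2" '
        BEGIN { RS = ""; FS = "\n" }      # blank-line separated stanzas
        {
            file = ""; sum = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Filename: /) file = substr($i, 11)
                if ($i ~ /^SHA256: /)   sum  = substr($i, 9)
            }
            if (file == want) { print sum; exit }
        }' "$1"
}

# verify_deb DEB PACKAGES_FILE POOL_PATH
# Returns 0 on match, 1 on hash mismatch, 2 if the index has no such entry.
verify_deb() {
    expected=$(packages_sha256 "$2" "$3")
    [ -n "$expected" ] || { echo "no index entry for $3" >&2; return 2; }
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "SHA256 mismatch for $1" >&2; return 1; }
}

# Stand-alone use: sh verify-deb.sh ./package.deb ./Packages pool/path/of/package.deb
# Install only when this exits 0, e.g. "... && sudo dpkg -i ./package.deb".
if [ "$#" -eq 3 ]; then
    verify_deb "$@"
fi
```
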
0

Ubuntu 1804 was released 6 years ago and 2004 4 years ago, are there any plans of updating the client to support newer versions?

answered 2 years ago
