How to connect to AWS Client VPN using mutual authentication?

In this series so far we have talked about What is AWS Client VPN? and How does client authentication work? In this article, we will set up keys for mutual authentication. The keys setup in this article will be used to set up the Client VPN endpoint in upcoming articles in this series.

What is Mutual Authentication?

Mutual authentication in an AWS Client VPN is based on certificates. The server uses client certificates to identify and authenticate a client before they can connect to a Client VPN endpoint. To configure this auth in AWS Client VPN, you must create a server certificate and a key and at least one client certificate and key.

The server certificate is uploaded to the ACM (AWS Certificate manager) and it gets attached to the Client VPN endpoint when the endpoint is provisioned. You have to provide a Certificate Authority(CA) when a server certificate is uploaded to the ACM. To keep things simple, use the same CA to generate the client certificates. If you have generated the client certificate from a different CA than the one used to generate the server certificate, you must import the certificate in ACM for it to work.

How to generate and set up keys?

To generate keys for server and client certificates, we will use OpenVPN easy-rsa. It is a CLI utility to build and manage a PKI CA. You will be able to create a root certificate authority, and request and sign certificates, including intermediate CAs and certificate revocation lists (CRL).

  1. Clone the repo from GitHub and initialize a PKI environment.
git clone https://github.com/OpenVPN/easy-rsa.git
Clone the Repo
cd easy-rsa/easyrsa3
Navigate to the folder
./easyrsa init-pki
Initialize a PKI environment

2. Once the environment is set up, we will create a certificate authority (CA). This will allow us to generate server and client certificates.

./easyrsa build-ca nopass
Create a Certificate Authority (CA)

3. Generate the server certificate and key.

./easyrsa build-server-full server nopass
Server Certificate

4. Generate the client certificate and key. This will be required when we configure the VPN client to connect to our endpoint.

./easyrsa build-client-full user1.yourdomain.com nopass
Generate client certificate

5. You have to import the server certificate and certificate authority to the AWS Certificate Manager (ACM). This step is required to configure the AWS Client VPN endpoint. We will use aws-cli to perform this step. Make sure you have a configured aws-cli installed on your machine.

aws acm import-certificate --certificate fileb://pki/issued/server.crt --private-key fileb://pki/private/server.key --certificate-chain fileb://pki/ca.crt
Import server certificate to ACM

6. If you have issued the client certificate using the same CA, then you do not have to import the client certificate into ACM. In case the certificate authority for issuing the client is different than the server, then you can import the client certificate in the same way as we did it for the server.

aws acm import-certificate --certificate fileb://pki/issued/user1.yourdomain.com.crt --private-key fileb://pki/private/user1.yourdomain.com.key --certificate-chain fileb://pki/ca.crt
Import client certificate

If you are following the steps above then the CA for server and client certificates is the same and you do not have to import the client certificate in ACM.

How can I configure multiple users to use the same Client VPN endpoint?

If you want to use the same Client VPN endpoint for different users, you can do the following steps

  1. Generate multiple client certificates i.e. repeat step 4 from the above-mentioned steps.
./easyrsa build-client-full user1.yourdomain.com nopass
./easyrsa build-client-full user2.yourdomain.com nopass
./easyrsa build-client-full user3.yourdomain.com nopass
./easyrsa build-client-full user4.yourdomain.com nopass
Generate client certificates

2. We will prepare different configuration files for each client with their own public and private key.

3. When the users will connect to the Client VPN endpoint using their configuration files, you will be able to see them in the connections tab.

Conclusion

In this article, we configured keys for Mutual Authentication in the AWS Client VPN. In the upcoming article, we will configure an AWS VPN endpoint and use these certificates to connect to it.

Articles in this series