Client VPN Basic Setup
Alright, this is a ballache and I found the online documentation pretty miserable. And I am by no means an
Most of this is lifted from the tutorial on the AWS site:
https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#mutual
For details of the commands see that link.
The following generates a new PKI (a CA, a server certificate and one client certificate) for a single user:
username='lsmith'
git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3
# Creates the empty pki/ directory structure
./easyrsa init-pki
# There are some questions to answer in this next command (the CA common name); nopass leaves the CA key unencrypted
./easyrsa build-ca nopass
# Server certificate and key, written to pki/issued/server.crt and pki/private/server.key
./easyrsa build-server-full server nopass
# This is for the user specified. Repeat this one command for each new user
./easyrsa build-client-full $username nopass
Then AWS gives you this really unhelpful set of commands, which I've edited:
username='lsmith'
custom_folder='lsmith_kpi_clientvpn'
# Note: this creates the folder at the filesystem root (not under ~), so it needs permissions there.
# It will hold the CA, server and user private keys, so keep it readable only by you.
mkdir /$custom_folder/
cp pki/ca.crt /$custom_folder/
cp pki/issued/server.crt /$custom_folder/
cp pki/private/server.key /$custom_folder/
cp pki/issued/${username}.crt /$custom_folder/
cp pki/private/${username}.key /$custom_folder/
cd /$custom_folder/
Now we import both certificates into ACM (AWS Certificate Manager); run these from inside the folder above so the relative paths resolve:
username='lsmith'
# Server certificate, with the CA as its chain
aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt
# Client certificate for the user, with the same CA as its chain
aws acm import-certificate --certificate fileb://${username}.crt --private-key fileb://${username}.key --certificate-chain fileb://ca.crt
Alright, now we have a certificate for the server and for a single user.
Now go to the Client VPN screen in the VPC console and click Create Client VPN Endpoint:
https://ap-southeast-2.console.aws.amazon.com/vpc/home?region=ap-southeast-2#ClientVPNEndpoints:sort=clientVpnEndpointId
Create the endpoint (using the server certificate and client CA imported above)
Create authorization rules
Create a security group
Download the client configuration file and update it with the user's certificate and key
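The last step is the one the AWS page leaves you to do by hand: the downloaded .ovpn only carries the CA, and the user's cert and key have to be added as inline <cert> and <key> blocks. Below is an added example (not the page's or AWS's code) that does that merge and refuses to embed an encrypted key or double-embed; the SAMPLE_* strings are constructed placeholders for the downloaded file and the easy-rsa output.

```python
"""Merge the downloaded Client VPN .ovpn with the easy-rsa user cert and key.
Constructed example (not the page's or AWS's code); SAMPLE_* are placeholders
standing in for the downloaded file, pki/issued/lsmith.crt and pki/private/lsmith.key."""
import os
import re

# easy-rsa's issued .crt has a text dump before the PEM, so extract only the PEM.
CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Unencrypted PKCS#8 / RSA / EC keys only; an ENCRYPTED PRIVATE KEY does not match.
KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*?-----END (?:RSA |EC )?PRIVATE KEY-----", re.S)
FILE_REF_RE = re.compile(r"^\s*(cert|key)\s+\S")  # 'cert foo.crt' / 'key foo.key' lines


def embed_client_identity(config_text: str, cert_pem: str, key_pem: str) -> str:
    """Return the .ovpn body with <cert> and <key> inline blocks appended."""
    if "<cert>" in config_text or "<key>" in config_text:
        raise ValueError("config already carries an inline client identity")
    cert = CERT_RE.search(cert_pem)
    key = KEY_RE.search(key_pem)
    if cert is None:
        raise ValueError("no PEM certificate found in cert input")
    if key is None:
        raise ValueError("no unencrypted PEM private key found (nopass key expected)")
    # Drop file-path references so OpenVPN uses the inline blocks instead.
    kept = [ln for ln in config_text.splitlines() if not FILE_REF_RE.match(ln)]
    body = "\n".join(kept).rstrip("\n")
    return f"{body}\n<cert>\n{cert.group(0)}\n</cert>\n<key>\n{key.group(0)}\n</key>\n"


def write_ovpn(path: str, body: str) -> None:
    """Write the profile owner-readable only; it now holds the private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)


# Constructed stand-ins for the downloaded config and the easy-rsa files.
SAMPLE_CONFIG = """client
remote EXAMPLE-ENDPOINT-DNS-NAME 443
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""
SAMPLE_CERT = ("Certificate:\n    Data: (text dump, as easy-rsa writes it)\n"
               "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-USER-CERT\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-USER-KEY\n-----END PRIVATE KEY-----\n"
```

Call write_ovpn("lsmith.ovpn", embed_client_identity(...)) with the real downloaded config and the two easy-rsa files read from the folder created above.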