AWS Client VPN endpoint

Published
2 min read

Skilled in managing carrier-grade ISP infrastructure, enterprise environments, and server operations. Enthusiastic about optimizing high-performance networks and exploring emerging technologies. Committed to continuous learning and driven to leverage cloud solutions and automation tools to enhance innovation and efficiency.

AWS Client VPN with mutual (certificate-based) authentication needs X.509 certificates issued by a CA you control, which is what the EasyRSA setup is for. The steps below generate those certificates, import the server certificate into ACM, create the endpoint, and build the client bundle.


Goal

Create:

  • Server certificate → upload to ACM

  • Client certificate → import into OpenVPN client

  • Client VPN Endpoint → attach to VPC


🚀 Step 1: Initialize PKI (you already did this)

Run this once; it creates the pki/ directory that every later command writes into:

easyrsa init-pki

If you already ran it, skip ahead.


🚀 Step 2: Build the Certificate Authority (CA)

In the EasyRSA shell, run:

easyrsa build-ca

It will ask for:

  • A passphrase for the CA key (unless you append nopass). Keep it: this key signs every client certificate the endpoint will trust.

  • CA common name
    You can use: Sumeet-ClientVPN-CA

You will get:

  • pki/ca.crt (public; goes to AWS and into every client config)

  • pki/private/ca.key (keep it offline and never upload it; anyone holding it can issue certificates the endpoint accepts)


🚀 Step 3: Create Server Certificate (for AWS)

AWS requires:

✔ A server certificate in ACM, which the endpoint presents to connecting clients
✔ An unencrypted private key for the ACM import (hence nopass below)
✔ For mutual authentication, a client CA chain; issuing the server certificate from the same CA that issues client certificates keeps this to a single import

Run:

easyrsa build-server-full server nopass

This produces a certificate with the serverAuth extended key usage and:

  • pki/issued/server.crt

  • pki/private/server.key


🚀 Step 4: Create Client Certificate (for your laptop)

Run:

easyrsa build-client-full sumeet-client nopass

This produces a certificate with the clientAuth extended key usage and:

  • pki/issued/sumeet-client.crt

  • pki/private/sumeet-client.key (unencrypted because of nopass; this file alone admits its holder to your VPC, so treat it like a password)

Issue one certificate per user or device rather than sharing one. A compromised certificate can then be revoked on its own (easyrsa revoke sumeet-client, then easyrsa gen-crl, then import pki/crl.pem as the endpoint's client certificate revocation list) without reissuing everyone else's.


🚀 Step 5: Upload server certificate to AWS ACM

You need 3 things:

  • server.crt (the certificate)

  • server.key (its private key, unencrypted)

  • ca.crt (the chain; ACM needs it to tie the server certificate to your CA)

Upload using AWS CLI, in the same region where the endpoint will be created (fileb:// reads the files as raw bytes):

aws acm import-certificate \
  --certificate fileb://pki/issued/server.crt \
  --private-key fileb://pki/private/server.key \
  --certificate-chain fileb://pki/ca.crt

AWS ACM returns a CertificateArn. Note it down: the endpoint references it as the server certificate and, because the client certificates come from the same CA, as the client certificate chain as well.


🚀 Step 6: Create Client VPN Endpoint

In AWS Console:

VPC → Client VPN Endpoints → Create

Fill in:

  • Client IPv4 CIDR: 10.10.0.0/22 (example; the block must be between /22 and /12, must not overlap the VPC CIDR, and cannot be changed after creation)

  • Authentication: Mutual (certificate-based)

  • Server certificate ARN: the ACM certificate you imported

  • Client certificate ARN: the same ACM certificate (the console lists ACM certificates here, not raw files; since the server and client certificates share ca.crt, the server certificate's chain is the client CA)

  • VPC: choose your VPC

  • Transport protocol: UDP (default) or TCP, on port 443 or 1194

  • Split tunnel: optional; with it off, all client traffic, including internet traffic, is routed through the VPC

Two things the create form does not finish for you:

  • Associate a target network: pick one subnet in the VPC (Client VPN Endpoints → Target network associations). The endpoint stays in pending-associate until this is done.

  • Add an authorization rule for the VPC CIDR (Authorization rules → Add). Without it clients connect but can reach nothing; the security group applied to the association must also allow the traffic.


🚀 Step 7: Export the client bundle

You need:

  • sumeet-client.crt

  • sumeet-client.key

ca.crt is not needed separately: the config AWS generates already embeds it.

AWS lets you download the config:

VPC → Client VPN Endpoints → Download Client Config

The downloaded .ovpn already contains a <ca> block with your CA. Add the client certificate and key to it, either as file paths (cert /path/to/sumeet-client.crt and key /path/to/sumeet-client.key) or inline. EasyRSA's issued .crt files start with a human-readable dump; copy only the part between the BEGIN and END lines:

<cert>
-----BEGIN CERTIFICATE-----
(your client cert)
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
(your client key)
-----END PRIVATE KEY-----
</key>

AWS's configuration guide also recommends prefixing the hostname on the remote line with a random string (for example remote abc123.cvpn-endpoint-...amazonaws.com 443) so client DNS lookups are not all pinned to one cached answer.

Then connect using the OpenVPN client or the AWS VPN Client. The bundle now contains a private key, so store it with restrictive file permissions and do not share it.
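As an added worked example (not from the original post), the script below reproduces with plain openssl what Steps 2 to 4 do with EasyRSA, then runs the checks worth doing before the ACM import in Step 5 (does the certificate chain to ca.crt, does it carry the serverAuth or clientAuth extended key usage, is the key unencrypted and does it match the certificate) and assembles the client bundle from Step 7. The scratch directory, the CN values, the demo-client name and the stand-in for the downloaded .ovpn are assumptions constructed for the demo; with a real EasyRSA tree you would run preflight and build_ovpn against the files under pki/ instead.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: plain-openssl equivalent of
# EasyRSA's build-ca / build-server-full / build-client-full, pre-flight
# checks for the ACM import, and assembly of the .ovpn inline blocks.
# WORK, the CN values and the sample .ovpn text are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory for the demo PKI

# Minimal openssl config: an empty DN section (subjects come from -subj) and
# the CA extensions that ca.crt needs to be accepted as an issuer.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Equivalent of `easyrsa build-ca nopass`: a self-signed CA (ca.crt/ca.key).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/req.cnf" -extensions ca_ext -subj "/CN=Demo-ClientVPN-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Equivalent of build-server-full / build-client-full: a CSR signed by the CA
# with the extendedKeyUsage EasyRSA sets for that type. -nodes is EasyRSA's
# `nopass`: an unencrypted key, which the ACM import requires for the server key.
issue() {  # issue <name> <server|client>
  local name="$1" eku
  if [ "$2" = server ]; then eku=serverAuth; else eku=clientAuth; fi
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=$name" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
    "$eku" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" 2>/dev/null
}

# Pre-flight before `aws acm import-certificate` (or before handing out a client
# bundle): the cert chains to ca.crt, carries the expected EKU, and the private
# key is unencrypted and belongs to that cert. Prints the first failing check
# and returns 1; returns 0 when everything passes.
preflight() {  # preflight <cert> <key> <ca.crt> <serverAuth|clientAuth>
  local crt="$1" key="$2" ca="$3" eku="$4" label text
  if [ "$eku" = serverAuth ]; then label='TLS Web Server Authentication'
  else label='TLS Web Client Authentication'; fi
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "FAIL chain: $crt is not signed by $ca"; return 1
  fi
  text=$(openssl x509 -in "$crt" -noout -text)
  case "$text" in *"$label"*) ;; *) echo "FAIL eku: $crt lacks $eku"; return 1 ;; esac
  if grep -q 'ENCRYPTED' "$key"; then
    echo "FAIL key: $key is passphrase-protected (ACM needs an unencrypted key)"; return 1
  fi
  if [ "$(openssl x509 -in "$crt" -pubkey -noout)" != "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
    echo "FAIL key: $key does not match $crt"; return 1
  fi
  echo "OK $crt ($eku)"
}

# Step 7 equivalent: append <cert>/<key> to the config downloaded from the
# console. That file already carries the <ca> block, so only the client cert
# and key are added; `openssl x509` re-emits just the PEM, dropping the text
# dump EasyRSA prepends to pki/issued/*.crt.
build_ovpn() {  # build_ovpn <downloaded.ovpn> <client.crt> <client.key> <out.ovpn>
  {
    cat "$1"
    printf '\n<cert>\n'; openssl x509 -in "$2"; printf '</cert>\n'
    printf '<key>\n';    cat "$3";             printf '</key>\n'
  } > "$4"
}

# Demo run: a throwaway PKI plus a constructed stand-in for the downloaded
# config (the real one comes from the console; the hostname below is made up).
demo() {
  make_ca
  issue server server
  issue demo-client client
  preflight "$WORK/server.crt" "$WORK/server.key" "$WORK/ca.crt" serverAuth
  preflight "$WORK/demo-client.crt" "$WORK/demo-client.key" "$WORK/ca.crt" clientAuth
  {
    printf 'client\ndev tun\nremote cvpn-endpoint-EXAMPLE.prod.clientvpn.us-east-1.amazonaws.com 443\n<ca>\n'
    openssl x509 -in "$WORK/ca.crt"
    printf '</ca>\n'
  } > "$WORK/downloaded.ovpn"
  build_ovpn "$WORK/downloaded.ovpn" "$WORK/demo-client.crt" "$WORK/demo-client.key" "$WORK/demo-client.ovpn"
  echo "bundle written to $WORK/demo-client.ovpn"
}

demo
```

The deliberate negative case worth trying is a client certificate checked as if it were the server certificate: preflight rejects it on the EKU check, which is the mistake the ACM import or the first connection attempt would otherwise surface much later.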


📌 If you have not built the CA yet, go back to Step 2 (easyrsa build-ca): everything after it depends on pki/ca.crt and pki/private/ca.key existing.