How can I configure multiple users to use the same Client VPN endpoint?

Last updated: 2020-09-21

I want to configure multiple users to use the same AWS Client VPN endpoint. I need to be able to identify which user is currently connected to the endpoint so that I can make any necessary access changes to the correct user. How can I do this?

Resolution

Note: In the following examples, be sure to replace "client1" and "client2" with the names of your users.

1.    Create a Client VPN endpoint that uses mutual (certificate-based) authentication. The Common Name of each client certificate is what lets you tell connected users apart later, so each user must have their own certificate.

2.    Generate one client certificate per user, using the user's name as the certificate name. The nopass option writes the private key unencrypted, so treat the generated files, and any configuration file that embeds them, as secrets:

$ ./easyrsa build-client-full client1.domain.tld nopass
$ ./easyrsa build-client-full client2.domain.tld nopass

3.    Retrieve the contents of the certificate (".crt") files for all users (Easy-RSA 3 writes them under pki/issued/ in the Easy-RSA directory):

sudo cat client1.domain.tld.crt
sudo cat client2.domain.tld.crt

4.    Retrieve the contents of the private key (".key") files for all users (Easy-RSA 3 writes them under pki/private/):

sudo cat client1.domain.tld.key
sudo cat client2.domain.tld.key

5.    Add each user's certificate and private key to that user's own copy of the Client VPN endpoint configuration file, either inline or by path. Inline: paste the raw contents of the ".crt" file between <cert></cert> tags and the raw contents of the ".key" file between <key></key> tags, directly below the "</ca>" line. By path: add cert and key directives that point at that user's files. Each directive takes exactly one file, so name the user's file explicitly rather than using a wildcard. If the .crt and .key files are not located in /Users/username/Downloads, change the path accordingly.

cert /Users/username/Downloads/client1.domain.tld.crt
key /Users/username/Downloads/client1.domain.tld.key

Note: Be sure to replace "username" with the local account name on the user's computer, and "client1" with that user's name.

6.    Save one configuration file per user. Each file must contain only that user's certificate and key; do not bundle several users' keys in one file, because anyone holding such a file can connect as any of those users and the Common Name you see later would no longer identify who is connected. Provide each file to its respective user, who uses it to connect to the Client VPN endpoint.

7.    After the users connect to the Client VPN endpoint, identify who is connected:
       Open the Amazon Virtual Private Cloud (Amazon VPC) console.
       Choose Client VPN Endpoints.
       Select the Client VPN endpoint.
       Choose the Connections tab. The Common Name column shows the Common Name of the certificate that each connected client presented (for example, client1.domain.tld), which tells you which user owns each connection.

8.    (Optional) To block a specific user, revoke that user's client certificate and import the resulting client certificate revocation list (CRL) into the Client VPN endpoint. A client whose certificate appears on the imported CRL can no longer authenticate to the endpoint, while the other users' certificates keep working. Re-import the CRL each time you revoke another certificate.
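The following script is an added example, not code from the AWS article or from Easy-RSA. It automates steps 3 through 6: it builds one configuration file per user from the shared base configuration downloaded from the endpoint, inlining only that user's own certificate and key directly below the "</ca>" line, and then checks that no file embeds more than one identity. It assumes the Easy-RSA 3 directory layout (pki/issued/NAME.crt and pki/private/NAME.key); the endpoint hostname, the certificate bodies and the key bodies in it are constructed placeholders, not real material.

```shell
#!/bin/sh
# Added example (not from the AWS article): build one OpenVPN configuration
# file per user from the shared Client VPN base config, inlining that user's
# own <cert> and <key> directly below </ca>, and check that no file carries
# more than one identity. Assumes the Easy-RSA 3 layout (pki/issued/NAME.crt,
# pki/private/NAME.key); every file and PEM body below is a constructed
# placeholder, not real key material.
set -e

# make_user_config BASE CERT KEY OUT: write OUT = BASE with CERT/KEY inlined.
make_user_config() {
    base="$1"; cert="$2"; key="$3"; out="$4"
    [ -f "$base" ] && [ -f "$cert" ] && [ -f "$key" ] || return 1
    # Refuse a base config that already embeds someone's identity: that is how
    # several users' keys end up in one shared file.
    if grep -q '<cert>' "$base" || grep -q '<key>' "$base"; then
        echo "refusing: $base already contains <cert>/<key>" >&2
        return 2
    fi
    {
        sed '/<\/ca>/q' "$base"            # base up to and including </ca>
        echo '<cert>'; cat "$cert"; echo '</cert>'
        echo '<key>';  cat "$key";  echo '</key>'
        sed '1,/<\/ca>/d' "$base"          # rest of the base after </ca>
    } > "$out"
    chmod 600 "$out"                       # the file now holds a private key
}

# count_blocks FILE TAG: number of <TAG> lines in FILE (expect exactly 1).
count_blocks() {
    grep -c "^<$2>\$" "$1" || true         # grep -c exits 1 on zero matches
}

# single_identity FILE: succeed only if FILE embeds exactly one cert and key.
single_identity() {
    [ "$(count_blocks "$1" cert)" = 1 ] && [ "$(count_blocks "$1" key)" = 1 ]
}

# --- Constructed sample inputs ---------------------------------------------
WORK=$(mktemp -d)
mkdir -p "$WORK/pki/issued" "$WORK/pki/private"

# Shared base config as downloaded from the endpoint (placeholder hostname/CA).
cat > "$WORK/base.ovpn" <<'EOF'
client
dev tun
proto udp
remote cvpn-endpoint-0123456789abcdef.prod.clientvpn.us-east-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERT
-----END CERTIFICATE-----
</ca>
reneg-sec 0
EOF

# Placeholder per-user material in the Easy-RSA 3 layout, then one config each.
for user in client1 client2; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$user-CERT" \
        '-----END CERTIFICATE-----' > "$WORK/pki/issued/$user.domain.tld.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' "$user-KEY" \
        '-----END PRIVATE KEY-----' > "$WORK/pki/private/$user.domain.tld.key"
    make_user_config "$WORK/base.ovpn" \
        "$WORK/pki/issued/$user.domain.tld.crt" \
        "$WORK/pki/private/$user.domain.tld.key" \
        "$WORK/$user.ovpn"
    single_identity "$WORK/$user.ovpn"
    echo "built $WORK/$user.ovpn for $user"
done
```

Point the script at the real base configuration and the real Easy-RSA pki directory to produce client1.ovpn and client2.ovpn, each readable only by its owner. When a user later has to be cut off (step 8), revoke the certificate on the CA machine with ./easyrsa revoke client1.domain.tld followed by ./easyrsa gen-crl, which writes pki/crl.pem, and import that file into the endpoint with the AWS CLI command aws ec2 import-client-vpn-client-certificate-revocation-list, passing --client-vpn-endpoint-id and --certificate-revocation-list file://pki/crl.pem.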

