How can I create a Client VPN endpoint using certificate-based authentication?

Last updated: 2020-03-13

I want to access my AWS Resources using AWS Client VPN. However, I don't want to use Active Directory. How can I create a Client VPN endpoint using certificate-based authentication?


The Client VPN endpoint is the server where all Client VPN sessions are terminated. The endpoint, managed by AWS, establishes a secure TLS connection between your VPC and the OpenVPN-based client. To create a Client VPN endpoint using certificate-based authentication, follow these steps:

Generate server and client certificates and keys

To authenticate the clients, you must generate server and client certificates, as well as client keys, and then upload them to AWS Certificate Manager (ACM). To learn how to generate the certificates and how to upload them to ACM, see Client VPN Mutual Authentication.

Create a Client VPN endpoint

When you create the Client VPN endpoint, specify the Server Certificate ARN provided by ACM. You also must choose a Client IPv4 CIDR, which is the IP address range assigned to the clients after the VPN is established. Note that the IP address range can't overlap with the VPC CIDR block.

You can enable client connection logging with CloudWatch Logs and specify custom DNS servers to be used by the clients. You can also enable split-tunnel on the VPN endpoint, and you can select UDP or TCP as the transport protocol.

Enable VPN connectivity for clients

To enable clients to establish a VPN session, you must associate a target network with the Client VPN endpoint. A target network is a subnet in a VPC. One subnet association is enough for clients to access a VPC's entire network, if authorization rules permit this. You can associate additional subnets to provide high availability if an Availability Zone goes down. For more information, see Subnet Association.

Authorize clients to access VPC resources or any other network

To authorize clients to access the VPC, create an authorization rule. The authorization rule specifies the clients that can access the VPC.

You can also enable access to additional networks, such as AWS services, peered VPCs, on-premises networks, or even the internet. For each additional network, you must add a route to the Client VPN endpoint route table and configure an authorization rule to give clients access.

To authorize clients to access your VPC and different networks, see Authorize Clients to Access a Network.

Download the Client VPN endpoint configuration file

The final step is to download and prepare the Client VPN endpoint configuration file. Provide this file to clients so that they can upload the configuration settings into their VPN client application. For more information about using a client application to connect to the AWS Client VPN endpoint, see the AWS Client VPN User Guide.

Did this article help you?

Anything we could improve?

Need more help?