How can I configure multiple users to use the same Client VPN endpoint?

Short description

This article shows you how to generate a client-side certificate using the following command:

./easyrsa build-client-full client1.domain.tld nopass

For more information on creating your own server-side certificate and uploading those certificates to AWS Certificate Manager, see Mutual authentication in the AWS Client VPN guide.

Resolution

Note: client1.domain.tld is a placeholder name used in the following commands. Replace with your own client domain name. You can run this command as many times as needed for each user who needs their own unique client-side certificate.

1.    Create a Client VPN endpoint.

2.    Generate unique client-side certificates for each user. The following example show two users, User1 and User2. Replace with your unique users as needed.

$ ./easyrsa build-client-full user1.example.com nopass
            
$ ./easyrsa build-client-full user2.example.com nopass

3.    Retrieve the contents of the certificate (".crt") files for all users to update the client-side Client VPN configuration file:

sudo cat user1.exmaple.com.crt
            
sudo cat user2.example.com.crt

4.    Retrieve the contents of the key (".key") files for all users to update the client-side Client VPN configuration file:

sudo cat user1.example.com.key
            
sudo cat user2.example.com.key

5.    Add the raw content of the .crt and .key files to each of the users in the Client VPN configuration files. Users store this file locally. Use the **<cert></cert>**and <key></key> identifiers directly following the **</ca>**line within the Client VPN configuration file. Or, specify the .crt and .key file paths, as shown in the following example.
Note: Replace username with your client's user name. If the .crt and .key file is not located in /Users/username/Downloads, then change the path accordingly.

cert /Users/username/Downloads/*.crt
    
key /Users/username/Downloads/*.key

6.    Save the configuration files, then provide the files to each user. Users then use the files to connect to the Client VPN endpoint.

7.    After connecting to the Client VPN endpoint:

Open the Amazon Virtual Private Cloud (Amazon VPC) console.

Choose Client VPN Endpoints.

Select the Client VPN endpoint.

Choose the Connections tab, and then choose Common Name. The TLD certificates that appear on the tab, beginning with each user's name.

8.    (Optional) Configure client certificate revocation lists (CRLs) to block or revoke access to specific client certificates. Adding a client's certificate to a revocation list (CRL) revokes the client's access to the Client VPN endpoint.