[GUIDE]: Setting up an AWS VPC Client VPN

AWS Client VPN is a AWS client-based VPN service that enables we to securely access our resources in AWS and our on-premises network. With Client VPN, we can access our resources from any location using an OpenVPN-based VPN client.

Below are the step to implement AWS VPC Client VPN.

Server and Client Certificate and keys:

Generate Server and Client Certificates and Keys using below steps on any Linux system

  • git clone https://github.com/OpenVPN/easy-rsa.git
  • cd easy-rsa/easyrsa3
  • ./easyrsa init-pki
  • ./easyrsa build-ca nopass
  • ./easyrsa build-server-full server nopass (This step will generate server certificate and key)
  • ./easyrsa build-client-full client1.domain.tld nopass (This step will generate client certificate and the client private key)
  • Store/Copy the server and client certificates and keys in specified location as these are important
  • mkdir /custom_folder/
  • cp pki/ca.crt /custom_folder/
  • cp pki/issued/server.crt /custom_folder/
  • cp pki/private/server.key /custom_folder/
  • cp pki/issued/client1.domain.tld.crt /custom_folder
  • cp pki/private/client1.domain.tld.key /custom_folder/


Upload the Certificate to AWS ACM:

Once the certificate creation is completed, login to the AWS console and import the certificates through ACM.

Note: Certificate body content will be server.crt | Certificate key content will be server.key

Create Client VPN EndPoint:

Open the Amazon VPC console, In the navigation pane, choose Client VPN Endpoints and choose Create Client VPN Endpoint. Use the certificates which are uploaded in previous step while configuring EndPoint.

  • For Client IPv4 CIDR, specify an IP address range, in CIDR notation, from which to assign client IP addresses
  • For Server certificate ARN, specify the ARN for the TLS certificate to be used by the server. Clients use the server certificate to authenticate the Client VPN endpoint to which they are connecting
  • Specify the authentication method to be used to authenticate clients when they establish a VPN connection. To use mutual certificate authentication select Use mutual authentication, and then for Client certificate ARN
  • Click on “Create Client VPN endpoint” and Select Associations to associate VPC with Subnet And Associate the same wait till Client VPN endpoint becomes available

VPC Subnet Association:

To enable clients to establish a VPN session, you must associate a target network with the Client VPN endpoint. A target network is a subnet in a VPC

Select the Associations column and specify the VPC and Subnet to associate and then click on Associate

Authorize Clients to Access a Network:

To authorize clients to access the VPC in which the associated subnet is located, you must create an authorization rule. The authorization rule specifies which clients have access to the VPC. In this document, we grant access to all users by clicking Authorize Ingress and specify Destination CIDR as

You can enable access to additional networks connected to the VPC, such as AWS services, peered VPCs, and on-premises networks. For each additional network, you must add a route to the network and configure an authorization rule to give clients access. This is Optional selection and can be achieved by selecting “Create Route” option under Route table

Once all the steps are completed in AWS, Download the Client configuration

Once client configuration is downloaded appended the client certificate and key in the file at the end which was generated in step #1, (client1.domain.tld.crt abd client1.domain.tld.key) with below syntax


Enter Certificate here



Enter key here


Configuring OpenVPN Client:

Download the OpenVPN software in your Local machine and Import the file

  • Connect to Client VPN using the configuration file

  • Try connecting the Instance with private IP which is in the same VPC

With this we have successfully established an AWS VPC Client VPN.