I want to configure multiple users to use the same AWS Client VPN endpoint. I need to be able to identify which user is currently connected to the endpoint so that I can make any necessary access changes to the correct user. How can I do this?
Short description
This article shows you how to generate a client-side certificate using the following command:
./easyrsa build-client-full client1.domain.tld nopass
For more information on creating your own server-side certificate and uploading those certificates to AWS Certificate Manager, see Mutual authentication in the AWS Client VPN guide.
Resolution
Note: client1.domain.tld is a placeholder name used in the following commands. Replace it with your own client domain name. You can run this command as many times as needed, once for each user who needs their own unique client-side certificate.
1. Create a Client VPN endpoint.
2. Generate unique client-side certificates for each user. The following example shows two users, User1 and User2. Replace these with your own users as needed.
$ ./easyrsa build-client-full user1.example.com nopass
$ ./easyrsa build-client-full user2.example.com nopass
3. Retrieve the contents of the certificate (".crt") files for all users to update the client-side Client VPN configuration file:
sudo cat user1.example.com.crt
sudo cat user2.example.com.crt
4. Retrieve the contents of the key (".key") files for all users to update the client-side Client VPN configuration file:
sudo cat user1.example.com.key
sudo cat user2.example.com.key
5. Add the raw contents of each user's .crt and .key files to that user's Client VPN configuration file. Users store this file locally. Place the contents inside <cert></cert> and <key></key> tags directly following the </ca> line of the Client VPN configuration file. Or, specify the .crt and .key file paths, as shown in the following example.
Note: Replace username with your client's user name. If the .crt and .key file is not located in /Users/username/Downloads, then change the path accordingly.
cert /Users/username/Downloads/*.crt
key /Users/username/Downloads/*.key
6. Save the configuration files, then provide the files to each user. Users then use the files to connect to the Client VPN endpoint.
7. After connecting to the Client VPN endpoint:
Open the Amazon Virtual Private Cloud (Amazon VPC) console.
Choose Client VPN Endpoints.
Select the Client VPN endpoint.
Choose the Connections tab, and then look at the Common Name column. Each active connection shows the common name of the client certificate that was used to connect, which begins with that user's name (for example, user1.example.com), so you can tell which user each connection belongs to.
8. (Optional) Configure client certificate revocation lists (CRLs) to block or revoke access to specific client certificates. Adding a client's certificate to a revocation list (CRL) revokes the client's access to the Client VPN endpoint.
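The following script is an added example, not part of the AWS article: it automates steps 3 through 5 by embedding one user's certificate and key inline directly after the </ca> line of a base configuration file, and it checks the certificate's Common Name (the value the Connections tab will display) against the intended user name before the file is written. It assumes openssl is installed; the base configuration, endpoint name, CA block and the self-signed certificate are constructed placeholders standing in for the real easyrsa output and the file downloaded from the console.

```shell
#!/bin/sh
# Added example, not from the AWS article: build one Client VPN configuration
# file per user with that user's certificate and key embedded inline after the
# </ca> line, and check the certificate's Common Name (the value shown in the
# Connections tab) before handing the file out. Requires openssl.
set -eu

# Print the Common Name of the PEM certificate at $1.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Copy the base configuration $1 to stdout, inserting <cert>/<key> blocks
# built from certificate $2 and key $3 directly after the </ca> line.
embed_identity() {
  while IFS= read -r line; do
    printf '%s\n' "$line"
    if [ "$line" = "</ca>" ]; then
      printf '<cert>\n'; cat "$2"; printf '</cert>\n'
      printf '<key>\n';  cat "$3"; printf '</key>\n'
    fi
  done < "$1"
}

# Write the per-user file $4 from base $1, cert $2 and key $3, but only if
# the certificate's CN starts with user name $5, so the Connections tab will
# show the user you expect for this file.
make_user_config() {
  cn=$(cert_cn "$2")
  case "$cn" in
    "$5".*) embed_identity "$1" "$2" "$3" > "$4" ;;
    *) echo "refusing: CN '$cn' does not belong to user $5" >&2; return 1 ;;
  esac
}

# Constructed sample inputs (stand-ins for the easyrsa output and the file
# downloaded from the Client VPN console): a base config with placeholder
# endpoint and CA block, and a self-signed cert whose CN is user1.example.com.
make_sample_inputs() {
  dir=$(mktemp -d)
  printf '%s\n' client 'remote ENDPOINT-PLACEHOLDER 443' '<ca>' \
    'CA-PLACEHOLDER' '</ca>' > "$dir/base.ovpn"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=user1.example.com \
    -keyout "$dir/user1.example.com.key" -out "$dir/user1.example.com.crt" \
    >/dev/null 2>&1
  echo "$dir"
}
```

Run it with `dir=$(make_sample_inputs)` and then `make_user_config "$dir/base.ovpn" "$dir/user1.example.com.crt" "$dir/user1.example.com.key" "$dir/user1.ovpn" user1`; handing the same certificate out under the name user2 is refused.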