How can I create a Client VPN endpoint using certificate-based authentication?

3 minute read

I want to access my AWS Resources using AWS Client VPN. How can I create a Client VPN endpoint using certificate-based authentication?


The Client VPN endpoint is the server where all Client VPN sessions are terminated. The endpoint, managed by AWS, establishes a secure Transport Layer Security (TLS) connection between your VPC and the OpenVPN-based client. To create a Client VPN endpoint using certificate-based authentication, follow these steps:

Generate server and client certificates and keys

To authenticate the clients, you must generate the following, and then upload them to AWS Certificate Manager (ACM):

  • Server and client certificates
  • Client keys

Create a Client VPN endpoint

When you create a Client VPN endpoint, specify the Server Certificate ARN provided by ACM. You also must choose a Client IPv4 CIDR, which is the IP address range assigned to the clients after the VPN is established. Note that the IP address range can't overlap with the VPC CIDR block.

You can enable client connection logging with CloudWatch Logs and specify custom DNS servers for clients to use. You can also enable split-tunnel on the VPN endpoint, and then select UDP or TCP as the transport protocol.

Enable VPN connectivity for clients

To enable clients to establish a VPN session, you must associate a target network with the Client VPN endpoint. A target network is a subnet in a VPC. One subnet association is sufficient for clients to access a VPC's entire network, if authorization rules permit this. You can associate additional subnets to provide high availability if an Availability Zone goes down.

Authorize clients to access VPC resources or any other network

To authorize clients to access the VPC, create an authorization rule. The authorization rule specifies the clients that can access the VPC.

You can also enable access to additional networks, such as AWS services, peered VPCs, on-premises networks, or the internet. For each additional network, you must add a route to the Client VPN endpoint route table and then configure an authorization rule to give clients access.

To authorize clients to access your VPC and different networks, see Add an authorization rule for the VPC.

Download the Client VPN endpoint configuration file

The final step is to download and prepare the Client VPN endpoint configuration file. Provide this file to clients so that they can upload the configuration settings into their VPN client application.

Related information

Getting started with Client VPN