VPN Access

How to generate certificates for the AWS Client VPN endpoint and connect to internal resources.

Prerequisites

  • AWS CLI configured with the appropriate profile
  • EasyRSA installed (make-cadir must be available)
  • AWS Client VPN desktop client

Certificate Authority Setup

This only needs to be done once. If a CA already exists, skip to Generate a Client Certificate.

cd ~
make-cadir .my_ca
cd .my_ca
./easyrsa init-pki

Edit pki/vars to set the org defaults:

set_var EASYRSA_REQ_COUNTRY    "IS"
set_var EASYRSA_REQ_PROVINCE   "NA"
set_var EASYRSA_REQ_CITY       "Reykjanesbaer"
set_var EASYRSA_REQ_ORG        "CookieHub"
set_var EASYRSA_REQ_EMAIL      "noc@cookiehub.com"
set_var EASYRSA_REQ_OU         "VPN"

Build the CA (when prompted for Common Name, enter CookieHubRootCA):

./easyrsa build-ca nopass

Generate Server Certificate

./easyrsa build-server-full vpn.euc1.cookiehub.net nopass

Export clean PEM files and import into ACM:

openssl x509 -in pki/issued/vpn.euc1.cookiehub.net.crt -out server-clean.crt
openssl rsa -in pki/private/vpn.euc1.cookiehub.net.key -out server-clean.key
openssl x509 -in pki/ca.crt -out ca-clean.crt

# Import server certificate
aws acm import-certificate \
  --certificate fileb://server-clean.crt \
  --private-key fileb://server-clean.key \
  --certificate-chain fileb://ca-clean.crt \
  --region eu-central-1

# Import CA certificate (for mutual authentication)
aws acm import-certificate \
  --certificate fileb://ca-clean.crt \
  --private-key fileb://pki/private/ca.key \
  --region eu-central-1
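Before the two imports above it is worth confirming that the exported files actually belong together, since ACM accepts a mismatched chain or a wrong-purpose certificate only to have the endpoint fail later. The script below is an added example and is not part of the original runbook or of EasyRSA; it needs only openssl. Run it as `main server-clean.crt server-clean.key ca-clean.crt vpn.euc1.cookiehub.net "TLS Web Server Authentication"`; with no arguments it builds a constructed throwaway PKI (DemoRootCA, vpn.example.test, both assumed names) and checks that instead. The same functions apply to a user certificate with "TLS Web Client Authentication" as the purpose, which goes beyond the server case shown on this page.

```shell
#!/usr/bin/env bash
# Added example, not part of the original runbook: pre-flight checks on the
# exported PEM files before they are handed to `aws acm import-certificate`.
# Only openssl is required. The demo PKI built by make_demo_pki (DemoRootCA,
# vpn.example.test) is constructed here for a stand-alone run and is not the
# runbook's CA.

# The certificate must chain to the CA that will be uploaded as its chain,
# and to nothing else: the system trust store is deliberately ignored.
verify_chain() {            # verify_chain CA_PEM CERT_PEM
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# The private key must belong to the certificate (compare the public keys).
verify_key_matches() {      # verify_key_matches CERT_PEM KEY_PEM
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The subject CN must be the endpoint (or user) name the cert was issued for.
verify_cn() {               # verify_cn CERT_PEM EXPECTED_CN
    local subject
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null)
    case "$subject" in
        *"CN=$2") return 0 ;;      # CN is the last (or only) RDN
        *"CN=$2,"*) return 0 ;;    # CN followed by further RDNs
        *) return 1 ;;
    esac
}

# The extended key usage must contain the purpose the cert is imported for:
# "TLS Web Server Authentication" for the endpoint certificate,
# "TLS Web Client Authentication" for a user certificate.
verify_eku() {              # verify_eku CERT_PEM PURPOSE_TEXT
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$2"
}

# The certificate must not expire within the next N seconds (default 0).
verify_not_expiring() {     # verify_not_expiring CERT_PEM [SECONDS]
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Run every check, report each failure, return non-zero if any failed.
preflight() {               # preflight CERT KEY CA EXPECTED_CN PURPOSE_TEXT
    local rc=0
    verify_chain "$3" "$1"          || { echo "FAIL: $1 does not chain to $3"; rc=1; }
    verify_key_matches "$1" "$2"    || { echo "FAIL: $2 does not match $1"; rc=1; }
    verify_cn "$1" "$4"             || { echo "FAIL: CN of $1 is not $4"; rc=1; }
    verify_eku "$1" "$5"            || { echo "FAIL: $1 lacks EKU '$5'"; rc=1; }
    verify_not_expiring "$1" 86400  || { echo "FAIL: $1 expires within a day"; rc=1; }
    return $rc
}

# Constructed throwaway PKI so the checks can be exercised without EasyRSA.
make_demo_pki() {           # make_demo_pki DIR
    local dir=$1
    mkdir -p "$dir"
    cat >"$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    cat >"$dir/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vpn.example.test
EOF
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=DemoRootCA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=vpn.example.test" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

main() {
    if [ $# -eq 5 ]; then
        preflight "$@"
    else
        local tmp; tmp=$(mktemp -d)
        make_demo_pki "$tmp"
        preflight "$tmp/server.crt" "$tmp/server.key" "$tmp/ca.crt" \
            vpn.example.test "TLS Web Server Authentication" && echo "demo PKI: all checks passed"
        rm -rf "$tmp"
    fi
}
main "$@"
```

The chain check passes `-no-CAfile -no-CApath` so that a certificate which happens to chain to a public root in the system store is still rejected; the only trust anchor that matters is the CA file that will be uploaded as the ACM chain.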

Generate a Client Certificate

For each new user, generate a client certificate:

cd ~/.my_ca
./easyrsa build-client-full <username> nopass

The client will need these files to connect:

  • pki/issued/<username>.crt — client certificate
  • pki/private/<username>.key — client private key
  • pki/ca.crt — CA certificate

Connecting

  1. Download the Client VPN configuration from the AWS console (VPC → Client VPN Endpoints → Download Client Configuration)
  2. Add the client certificate and key to the .ovpn config file or import them separately in the VPN client
  3. Connect using the AWS Client VPN desktop client
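Step 2 can be scripted so that each user receives a single .ovpn file with the certificate, key and CA inlined rather than three loose files. The script below is an added example, not part of the original runbook or of the AWS client; it assumes the EasyRSA layout from this page (pki/issued/<username>.crt, pki/private/<username>.key, pki/ca.crt) and uses the placeholder name base.ovpn for the configuration downloaded from the console. It strips the human-readable dump that EasyRSA places above the PEM block (the same cleanup the server section does with `openssl x509`), keeps any <ca> block the downloaded config already carries, and creates the bundle with mode 0600 because it contains the private key.

```shell
#!/usr/bin/env bash
# Added example, not part of the original runbook: assemble a per-user .ovpn
# with the client certificate, key and CA inlined. Assumes the EasyRSA layout
# from the runbook (pki/issued/<user>.crt, pki/private/<user>.key, pki/ca.crt);
# "base.ovpn" is a placeholder for the config downloaded from the console.

# Print only the PEM body of a file. EasyRSA-issued certificates carry a
# text dump above the PEM block; selecting the BEGIN..END range drops it.
pem_block() {               # pem_block FILE
    awk '/^-----BEGIN /,/^-----END /' "$1"
}

# Write the base config followed by inline <cert> and <key> blocks. A <ca>
# block is added only if the base config does not already carry one.
build_client_config() {     # build_client_config BASE_OVPN CA_PEM CERT_PEM KEY_PEM
    local base=$1 ca=$2 cert=$3 key=$4
    [ -r "$base" ] && [ -r "$ca" ] && [ -r "$cert" ] && [ -r "$key" ] || return 1
    # Drop file-path ca/cert/key directives so they cannot conflict with the
    # inline blocks (grep exits 1 when nothing remains, which is not an error).
    grep -Ev '^(ca|cert|key)[[:space:]]' "$base" || true
    printf '\n'
    if ! grep -q '^<ca>' "$base"; then
        printf '<ca>\n'; pem_block "$ca"; printf '</ca>\n'
    fi
    printf '<cert>\n'; pem_block "$cert"; printf '</cert>\n'
    printf '<key>\n';  pem_block "$key";  printf '</key>\n'
}

# Wrapper for the runbook layout: bundle_user <username> [base.ovpn] [pki_dir]
# Writes <username>.ovpn in the current directory and prints its name.
bundle_user() {
    local user=$1 base=${2:-base.ovpn} pki=${3:-$HOME/.my_ca/pki} out
    [ -n "$user" ] || return 1
    out="$user.ovpn"
    # umask in a subshell so the bundle (which holds a private key) is
    # created 0600 without changing the caller's umask.
    ( umask 077
      build_client_config "$base" "$pki/ca.crt" "$pki/issued/$user.crt" "$pki/private/$user.key" >"$out" ) \
        || { rm -f "$out"; echo "bundle failed for $user" >&2; return 1; }
    printf '%s\n' "$out"
}
```

Usage from the CA directory is `bundle_user alice ~/Downloads/base.ovpn ~/.my_ca/pki`; the resulting alice.ovpn can be imported into the AWS Client VPN desktop client as-is.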

Once connected, you can reach internal resources:

  • Internal ALB services (via *.internal.cookiehub.net or *.internal.stage.cookiehub.net)
  • RDS instances
  • EC2 instances in private subnets

VPN Details

Setting          Value
Authentication   Mutual (certificate-based)
Split tunnel     Enabled
Session timeout  8 hours
DNS              Internal Route53 zones resolve over VPN