Managing secure access to your AWS resources—without juggling IP whitelisting or exposing your infrastructure—is easier than you think. In this guide, you’ll learn how to create your own certificates using EasyRSA, upload them to AWS Certificate Manager (ACM), and configure a fully functional AWS Client VPN Endpoint.
By the end, you’ll be able to connect securely to your VPC with a simple VPN client.
⭐ What We’ll Cover
- Generating server & client certificates using EasyRSA
- Uploading certificates to AWS ACM
- Creating and configuring an AWS Client VPN Endpoint
- Associating networks & setting authorization rules
- Downloading the .ovpn file and connecting securely
Let’s get started!
🛠️ Step 1: Install EasyRSA & Generate Certificates
1. Download EasyRSA
Download the ZIP for your Windows version from:
2. Open EasyRSA Shell
C:\Program Files\EasyRSA-3.x> .\EasyRSA-Start.bat
3. Initialize a New PKI
./easyrsa init-pki
4. Build Your Certificate Authority (CA)
./easyrsa build-ca nopass
The nopass flag leaves the CA private key (pki/private/ca.key) unencrypted. That key signs every client certificate the endpoint will trust, so for anything beyond a lab, drop nopass here so the key is passphrase-protected, and keep ca.key off machines that only need ca.crt.
5. Generate Server Certificate & Key
./easyrsa --san=DNS:server build-server-full server nopass
6. Generate Client Certificate & Key
./easyrsa build-client-full client1.domain.tld nopass
Repeat as needed for additional users, one certificate per person; never share a client certificate between users, because the certificate is the only identity the endpoint sees. When someone leaves or a laptop goes missing, revoke that certificate with EasyRSA's revoke and gen-crl commands and import the resulting CRL into the Client VPN endpoint; otherwise the embedded key keeps working indefinitely.
7. Exit the EasyRSA Shell
exit
📁 Step 2: Organize Certificates for Upload
Run these from the EasyRSA directory (the pki folder lives there). They collect, in one place, exactly the files ACM needs:
mkdir C:\custom_folder
copy pki\ca.crt C:\custom_folder
copy pki\issued\server.crt C:\custom_folder
copy pki\private\server.key C:\custom_folder
copy pki\issued\client1.domain.tld.crt C:\custom_folder
copy pki\private\client1.domain.tld.key C:\custom_folder
cd C:\custom_folder
☁️ Step 3: Upload Certificates to AWS ACM
In AWS Certificate Manager choose Import a certificate and paste the files into the three fields:
- Certificate body: server.crt
- Certificate private key: server.key
- Certificate chain: ca.crt
Because the client certificate was issued by the same CA, you do not have to import it separately: the endpoint validates clients against the CA chain, so the same ACM ARN can serve as both the server certificate ARN and the client certificate ARN in the next step. Note that ACM now holds server.key; delete local copies you no longer need.
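Steps 2 and 3 as a script, added here as an example and not code from the original post. It stages the three files from the EasyRSA 3 layout the post uses (pki/ca.crt, pki/issued/<name>.crt, pki/private/<name>.key), refuses files that are empty or not PEM (the usual cause of an ACM import error), and then imports them with the AWS CLI's import-certificate command, which maps exactly onto the three console fields. It is a POSIX shell script: run it from the shell that EasyRSA-Start.bat opens, or from any sh/bash with the AWS CLI on PATH (an assumption, not something the post states). make_sample_pki builds a constructed stand-in pki directory so the staging logic can be tried without real keys.

```shell
#!/bin/sh
# Added example, not code from the original post: stage the EasyRSA output for
# ACM, sanity-check it, and import it with the AWS CLI. Assumes the EasyRSA 3
# layout (pki/ca.crt, pki/issued/<name>.crt, pki/private/<name>.key) and, for
# acm_import only, a configured AWS CLI.
set -eu

# Fail unless the file is non-empty and contains a PEM block of the given kind
# (an extended regex). A wrong or empty file is the usual cause of an ACM import error.
check_pem() {
    file="$1"; kind="$2"
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
    grep -Eq -- "^-----BEGIN $kind-----" "$file" ||
        { echo "$file does not contain a PEM $kind" >&2; return 1; }
}

# Copy ca.crt and <name>.crt/<name>.key into <out>: the three files ACM needs.
stage_certs() {
    pki="$1"; name="$2"; out="$3"
    check_pem "$pki/ca.crt" "CERTIFICATE" || return 1
    check_pem "$pki/issued/$name.crt" "CERTIFICATE" || return 1
    check_pem "$pki/private/$name.key" "(RSA |EC )?PRIVATE KEY" || return 1
    mkdir -p "$out"
    cp "$pki/ca.crt" "$out/ca.crt"
    cp "$pki/issued/$name.crt" "$out/$name.crt"
    cp "$pki/private/$name.key" "$out/$name.key"
    chmod 600 "$out/$name.key"   # the private key is a credential; owner-readable only
}

# Import <name> into ACM as body + private key + chain and print the new ARN.
# Needs a configured AWS CLI, so it is not exercised offline.
acm_import() {
    dir="$1"; name="$2"
    aws acm import-certificate \
        --certificate "fileb://$dir/$name.crt" \
        --private-key "fileb://$dir/$name.key" \
        --certificate-chain "fileb://$dir/ca.crt" \
        --query CertificateArn --output text
}

# Constructed stand-in for an EasyRSA pki directory so the staging logic can be
# tried offline. The PEM bodies are placeholders, not real keys or certificates.
make_sample_pki() {
    pki="$1"; name="$2"
    mkdir -p "$pki/issued" "$pki/private"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0EgcGxhY2Vob2xkZXI=' \
        '-----END CERTIFICATE-----' > "$pki/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'c2VydmVyIHBsYWNlaG9sZGVy' \
        '-----END CERTIFICATE-----' > "$pki/issued/$name.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'a2V5IHBsYWNlaG9sZGVy' \
        '-----END PRIVATE KEY-----' > "$pki/private/$name.key"
}
```

Typical use after sourcing the script from the EasyRSA directory: `stage_certs pki server /c/custom_folder && acm_import /c/custom_folder server` prints the ARN you will select in Step 4. The same two calls with client1.domain.tld instead of server import the client certificate too, should you want a separate client ARN rather than reusing the server one.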
🔧 Step 4: Create the AWS Client VPN Endpoint
Navigate to:
AWS Console → VPC → Client VPN Endpoints → Create Client VPN Endpoint
Fill in the details:
| Setting | Value |
| ---------------------- | --------------------------------- |
| Name | `my-client` |
| Endpoint IP type | IPv4 |
| Client IPv4 CIDR | `20.0.0.0/22` |
| Server certificate ARN | select from ACM |
| Authentication | Mutual authentication |
| Client certificate ARN | select from ACM |
| DNS servers | `10.0.0.2`, `8.8.8.8` |
| Protocol | UDP |
| VPN Port | 443 |
| VPC | Select your VPC |
| Security Group | SG applied to the endpoint's network interfaces |
Two of these values deserve a second look. The client IPv4 CIDR is the pool VPN clients draw addresses from: it must be between /22 and /12, must not overlap your VPC CIDR or anything you route to, and cannot be changed after creation; prefer a private range (for example 10.255.0.0/22) over 20.0.0.0/22, which is publicly routed address space. The security group is attached to the endpoint's network interfaces in the associated subnet; your instances' security groups must then allow traffic from that group (or from the client CIDR) for SSH and anything else you expect to reach.
Click Create.
🌐 Step 5: Associate a Target Network
Go to your Client VPN endpoint:
Target network associations → Associate network
Select:
- Your VPC
- The subnet you want users to access
Associating a subnet automatically adds a route for the VPC CIDR through it. Note that with split tunnel disabled (the default), clients send all their traffic into the tunnel and lose Internet access unless you also add a 0.0.0.0/0 route and authorization rule; enabling split tunnel on the endpoint pushes only the VPC routes to clients instead.
🔑 Step 6: Add Authorization Rules
Go to Authorization rules → Add new rule:
- Destination network: 10.0.0.0/26 (your VPC CIDR)
- Access: Allow access to all users (with mutual authentication there are no user groups, so this is the only option; who can connect is decided by who holds a certificate signed by your CA)
Add the rule.
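Steps 4 to 6 as AWS CLI calls, added here as an example and not code from the original post. Before touching the API it checks the one setting you cannot change afterwards, the client CIDR: AWS only accepts a /22 to /12 block, and it must not overlap the VPC CIDR. The CIDR arithmetic runs offline; create_endpoint needs a configured AWS CLI and the placeholders SERVER_CERT_ARN, CLIENT_CA_ARN (the same ARN as the server certificate when one CA signed both), VPC_ID, SUBNET_ID and SG_ID, which are assumptions to fill in, not values from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: Steps 4 to 6 as AWS CLI calls,
# preceded by a local check of the client CIDR (/22 to /12, disjoint from the VPC).
# SERVER_CERT_ARN, CLIENT_CA_ARN, VPC_ID, SUBNET_ID and SG_ID are placeholders
# to export before calling create_endpoint.
set -eu

# Dotted quad to integer so CIDR arithmetic can be done in the shell.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 if the two CIDRs share any address, 1 otherwise.
cidr_overlap() {
    n1=$(ip_to_int "${1%/*}"); p1="${1#*/}"
    n2=$(ip_to_int "${2%/*}"); p2="${2#*/}"
    p=$p1; [ "$p2" -lt "$p" ] && p=$p2            # compare under the shorter prefix
    mask=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
    [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# The pool VPN clients draw addresses from: /22 to /12 and disjoint from the VPC.
client_cidr_ok() {
    client="$1"; vpc="$2"
    p="${client#*/}"
    [ "$p" -ge 12 ] && [ "$p" -le 22 ] ||
        { echo "client CIDR $client must be between /22 and /12" >&2; return 1; }
    if cidr_overlap "$client" "$vpc"; then
        echo "client CIDR $client overlaps VPC CIDR $vpc" >&2; return 1
    fi
}

# Create the endpoint, associate the subnet and authorize the VPC CIDR, printing
# the endpoint ID. Mirrors the console values in the post (mutual auth, UDP,
# port 443, the VPC resolver plus 8.8.8.8). Needs the AWS CLI; not run offline.
create_endpoint() {
    client_cidr="$1"; vpc_cidr="$2"
    client_cidr_ok "$client_cidr" "$vpc_cidr" || return 1
    endpoint_id=$(aws ec2 create-client-vpn-endpoint \
        --client-cidr-block "$client_cidr" \
        --server-certificate-arn "$SERVER_CERT_ARN" \
        --authentication-options "Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=$CLIENT_CA_ARN}" \
        --connection-log-options Enabled=false \
        --transport-protocol udp --vpn-port 443 \
        --vpc-id "$VPC_ID" --security-group-ids "$SG_ID" \
        --dns-servers 10.0.0.2 8.8.8.8 \
        --query ClientVpnEndpointId --output text)
    aws ec2 associate-client-vpn-target-network \
        --client-vpn-endpoint-id "$endpoint_id" --subnet-id "$SUBNET_ID" >/dev/null
    aws ec2 authorize-client-vpn-ingress \
        --client-vpn-endpoint-id "$endpoint_id" \
        --target-network-cidr "$vpc_cidr" --authorize-all-groups >/dev/null
    echo "$endpoint_id"
}
```

With the five variables exported, `create_endpoint 10.255.0.0/22 10.0.0.0/26` does what the console clicks above do and prints the endpoint ID; the post's 20.0.0.0/22 passes both checks too, since the checks only enforce what AWS enforces, not whether the range is sensible. The configuration file for Step 7 can then be fetched with `aws ec2 export-client-vpn-client-configuration --client-vpn-endpoint-id <id> --output text`.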
📥 Step 7: Download & Update VPN Config
- Download the client configuration (.ovpn) from your Client VPN endpoint.
- Append your client certificate and key to the end of the .ovpn file, after the existing </ca> block, using only the PEM sections (from -----BEGIN to -----END); EasyRSA's issued/*.crt starts with a readable dump of the certificate that does not belong in the profile. The file now contains a private key, so hand it to its user over a secure channel and never commit it anywhere:
<cert>
(contents of client1.domain.tld.crt)
</cert>
<key>
(contents of client1.domain.tld.key)
</key>
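The edit described in Step 7, done by script so it cannot be half-done: an added example, not code from the original post. build_ovpn appends the <cert> and <key> blocks to a downloaded configuration, keeps only the PEM section of each input (dropping the text dump EasyRSA puts at the top of issued/*.crt), and refuses both a profile that already carries a certificate and an input that has no PEM block, the two mistakes that produce an unusable profile. The file names are the ones the post uses; make_sample_inputs writes a constructed, trimmed-down stand-in for the downloaded file (with a placeholder endpoint hostname) and placeholder certificate and key files so the script can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the original post: append the client certificate
# and key to the .ovpn downloaded from the Client VPN endpoint (Step 7).
set -eu

# Print only the PEM block of the given kind (a regex) from a file. EasyRSA's
# issued/*.crt starts with a human-readable dump of the certificate; OpenVPN only
# needs the -----BEGIN/END----- block, so the dump stays out of the profile.
pem_block() {
    sed -n "/^-----BEGIN $2-----/,/^-----END $2-----/p" "$1"
}

# <out> = <base .ovpn> + <cert>...</cert> + <key>...</key>.
build_ovpn() {
    base="$1"; cert="$2"; key="$3"; out="$4"
    if grep -q '^<cert>' "$base"; then
        echo "$base already carries an embedded certificate" >&2; return 1
    fi
    cert_pem=$(pem_block "$cert" "CERTIFICATE")
    key_pem=$(pem_block "$key" ".*PRIVATE KEY")
    [ -n "$cert_pem" ] || { echo "no certificate PEM in $cert" >&2; return 1; }
    [ -n "$key_pem" ] || { echo "no private key PEM in $key" >&2; return 1; }
    {
        cat "$base"
        [ -z "$(tail -c 1 "$base")" ] || echo     # make sure the base ends with a newline
        printf '<cert>\n%s\n</cert>\n' "$cert_pem"
        printf '<key>\n%s\n</key>\n' "$key_pem"
    } > "$out"
    chmod 600 "$out"   # the profile now contains a private key: treat it as a credential
}

# Constructed inputs so the script can be tried offline: a trimmed-down stand-in
# for the downloaded configuration (placeholder hostname) and placeholder
# certificate and key files in the layout EasyRSA produces. No real keys here.
make_sample_inputs() {
    dir="$1"; mkdir -p "$dir"
    cat > "$dir/downloaded.ovpn" <<'EOF'
client
dev tun
proto udp
remote cvpn-endpoint-EXAMPLE.prod.clientvpn.us-east-1.amazonaws.com 443
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
Q0EgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
</ca>
EOF
    cat > "$dir/client1.domain.tld.crt" <<'EOF'
Certificate:
    Data:
        Subject: CN=client1.domain.tld
-----BEGIN CERTIFICATE-----
Y2xpZW50IHBsYWNlaG9sZGVy
-----END CERTIFICATE-----
EOF
    cat > "$dir/client1.domain.tld.key" <<'EOF'
-----BEGIN PRIVATE KEY-----
a2V5IHBsYWNlaG9sZGVy
-----END PRIVATE KEY-----
EOF
}
```

With the real files in C:\custom_folder and the downloaded configuration beside them, `build_ovpn downloaded.ovpn client1.domain.tld.crt client1.domain.tld.key client1.ovpn` produces the profile to import into the client in Step 8; run it once per user with that user's certificate and key.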
💻 Step 8: Install AWS Client VPN
Download here:
Install and open the client.
Add a new profile using the updated .ovpn file and connect.
🎉 You're In!
You are now connected to your AWS VPC securely via Client VPN Endpoint.
No more IP whitelisting. No exposing SSH ports. Just clean, encrypted access.
You can now SSH into your servers from your local machine over the tunnel, provided their security groups allow port 22 from the endpoint's security group or from the client CIDR. With SSH no longer reachable from the Internet, those groups should not allow port 22 from 0.0.0.0/0 any more.
💬 Final Thoughts
AWS Client VPN Endpoint is a powerful way to centralize, secure, and simplify access to your private networks. By generating your own certificates, you stay fully in control of your security setup.