Using AWS I need to make sure I have multiple clients using the VPN network. Each of the clients will use the same server certificate I created earlier.
Now using this documentation I managed to set up my own VPN and have been able to connect to it using the generated client certificate. This is of course for just one client. I need this done for 3. I cannot share the same client certificate between them as I want to be able to revoke the certificate per person.
Whilst configuring the VPN endpoint I noticed that I had to use "Mutual Authentication" since we have no AD nor will we set one up. This requires you to provide a client certificate when creating the endpoint.
The documentation for generating the certificates and keys states this:
You only need to upload the client certificate to ACM when the Certificate Authority (Issuer) of the client certificate is different from the Certificate Authority (Issuer) of the server certificate.
Since I just created both (client and server) using the easyrsa steps as mentioned by amazon itself, I find myself unable to create an endpoint when I don't have a client certificate uploaded to the ACM, regardless of it apparently not being required to upload.
Does this actually mean that I need to set up N different endpoints (one for each user) when I want to have them use their own certificates? This to me sounds like a pretty heavy task, especially if you have more than 3 users. The documentation mentions this:
You can create a separate client certificate and key for each client that will connect to the Client VPN endpoint.
(emphasis mine)
Notice the single "endpoint" as opposed to the plural? Can anyone shed some light on what I might be missing?
When using the Mutual Authentication option for your VPN (with the limitation regarding the same issuer CA), then yes, each of the 3 client certs should be able to connect to the same endpoint, without needing to upload each client cert to ACM.
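The condition the answer relies on is that every client certificate is issued by the same CA as the server certificate. The script below is an added example (not part of the question or the answer, and not AWS's or easy-rsa's own code) that reproduces the easy-rsa workflow with plain openssl: one CA, one server cert, three client certs, then revocation of a single client via a CRL so that only that client stops verifying. The CA name, the client names (alice, bob, carol) and the scratch directory are constructed for the demo; the AWS CLI command named in the comment is the one the Client VPN docs use for uploading a CRL, with a placeholder endpoint id.

```shell
#!/bin/sh
# Added example: same-CA client certs plus per-client revocation with a CRL.
# Everything is written under $WORK (a constructed scratch directory).
set -e
WORK="${WORK:-$(mktemp -d)}"

# Minimal OpenSSL CA config so `openssl ca` can sign certs and build a CRL.
write_ca_config() {
  mkdir -p "$WORK/ca/newcerts"
  : > "$WORK/ca/index.txt"
  echo 1000 > "$WORK/ca/serial"
  echo 1000 > "$WORK/ca/crlnumber"
  cat > "$WORK/ca/openssl.cnf" <<EOF
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir = $WORK/ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# One CA for both the server cert and every client cert (the "same issuer" case).
make_ca() {
  write_ca_config
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/ca/openssl.cnf" -extensions ca_ext \
    -subj "/CN=Example VPN CA" \
    -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" >/dev/null 2>&1
}

# issue_cert <name> <client|server>: key + CSR, signed by the single CA.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca/openssl.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$WORK/ca/openssl.cnf" -extensions "${2}_ext" \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Returns 0 when the cert chains to our CA and, once a CRL exists, is not revoked.
verify_cert() {
  if [ -f "$WORK/ca/crl.pem" ]; then
    openssl verify -crl_check -CAfile "$WORK/ca/ca.crt" \
      -CRLfile "$WORK/ca/crl.pem" "$WORK/$1.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/ca/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
  fi
}

# Revoke one client and regenerate the CRL. crl.pem is what you would upload with
#   aws ec2 import-client-vpn-client-certificate-revocation-list \
#     --client-vpn-endpoint-id cvpn-endpoint-PLACEHOLDER --certificate-revocation-list file://crl.pem
revoke_cert() {
  openssl ca -batch -config "$WORK/ca/openssl.cnf" -revoke "$WORK/$1.crt" >/dev/null 2>&1
  openssl ca -batch -config "$WORK/ca/openssl.cnf" -gencrl -out "$WORK/ca/crl.pem" >/dev/null 2>&1
}

issuer_of() { openssl x509 -in "$WORK/$1.crt" -noout -issuer; }

demo() {
  make_ca
  issue_cert server server
  for c in alice bob carol; do issue_cert "$c" client; done
  echo "server issuer: $(issuer_of server)"
  echo "alice  issuer: $(issuer_of alice)"
  revoke_cert bob   # only bob loses access; alice and carol keep working
  for c in alice bob carol; do
    if verify_cert "$c"; then echo "$c: valid"; else echo "$c: rejected (revoked)"; fi
  done
}
demo
```

Run it with `sh script.sh`; it prints the shared issuer DN for the server and a client, then shows alice and carol still verifying after bob's certificate has been revoked. Only `crl.pem` (not the client certs) needs to reach the endpoint, which is why one endpoint serves all three users.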