AWS, Cloud Computing

4 Mins Read

A Setup Guide for AWS Client VPN with On-Premises Machines


AWS Client VPN is a client-based VPN service that enables you to access resources in AWS and our on-premises network securely. With the help of a client VPN, we can access our resources from any location using OpenVPN software.

It’s a fully managed remote access VPN, fully elastic service. It automatically scales up/down based on traffic. AWS Client VPN supports OpenVPN protocol. This solution is also helpful for WFH (Work From Home) employees who want to connect to AWS VPC from a remote location.


AWS Account

Pioneers in Cloud Consulting & Migration Services

  • Reduced infrastructural costs
  • Accelerated application deployment
Get Started

Create Certificate & VPC

  1. Log in to your AWS Account and go to the EC2 service
  2. After that, launch and Linux instance with AWS CLI installed to generate a certificate and perform the below steps:


  • cd easy-rsa/easyrsa3
  • Initialize PKI environment (to initialize client and server certificate) execute the command “./easyrsa init-pki”
  • Create a new Certification Authority (CA)- “./easyrsa build-ca nopass”
  • Generate the server certificate and key- “./easyrsa build-server-full server nopass”


3. Now generate the Client certificate and key – “./easyrsa build-client-full client1.domain.tld nopass”

4. Once done with the above steps, copy server and client certificates and keys to one directory


5. Now upload the key and certificates to ACM (before that, perform “AWS configure”)

  • aws acm import-certificate –certificate fileb://server.crt –private-key fileb://server.key –certificate-chain fileb://ca.crt –region ap-south-1
  • aws acm import-certificate –certificate fileb://client1.domain.tld.crt –private-key fileb://client1.domain.tld.key –certificate-chain fileb://ca.crt –region ap-south-1


6. Now create VPC with the below naming convention and standards

  • Create VPC (name=VPC-Mumbai) with CIDR
  • Create private subnet “vpc-Mumbai-subnet-private1” with CIDR
  • Create corresponding route table “vpc-Mumbai-rtb-private1-ap-south-1” with just a local route & associate with subnet “vpc-Mumbai-subnet-private1”
  • Create private subnet “vpc-Mumbai-subnet-private1” with CIDR
  • Create corresponding route table “vpc-Mumbai–rtb-private2-ap-south-1” with just a local route & associate with subnet “vpc-Mumbai-subnet-private2”
  • Create security group “vpn-client-sg”
  • Do not add any inbound rules
  • All outbound should be allowed (All traffic –

7. Launch application EC2 instance in “vpc-Mumbai-subnet-private1” subnet

  • Security group inbound rule should allow “All traffic” from security group “vpn-client-sg” created in step 6

Configure AWS client VPN endpoint

8. Go to VPV service and select “client VPN endpoints” service from the Virtual private network (VPN) section

  • Provide the name “client-vpn-endpoint” and the appropriate description
  • Client IPv4 CIDR: as the client received IP from this pool while he tries to connect with AWS


  • Server Certificate ARN: Choose the Server Certificate created earlier
  • Authentication Options: Choose “Use Mutual Authentication”
  • Client certificate ARN: Choose the Client Certificate created earlier


  • Connection Logging: No
  • Transport Protocol: TCP
  • VPC ID: Choose “VPC-Mumbai” VPC created
  • Security Group IDs: Select the “vpn-client-sg” created earlier
  • VPN port: 443


9. Create Client VPN Endpoint

Associate Target Subnet & Allow traffic

10. Select the Client VPN endpoint created earlier


11. Go to Associations and associate the target subnet “vpc-Mumbai-subnet-private2”


12. Go to Authorizations and choose Authorize Ingress

  • For Destination Networks to enable -> Enter the VPC IP address
  • Grant access to -> Choose ”Allow access to all users”

13. Add Authorization Rule


Download the VPN configuration file and Update the changes

14. Select the Client VPN endpoint and “Download Client Configuration” to your local workstation.


15. Copy the client certificate and client key created in the above Steps to any folder in the local workstation.


16. Open the configuration file in a text editor and add the following lines

  • cert /path/of/client.crt
  • key /path/of/client.key

17. Also, modify the endpoint dns name by adding a random prefix

  • Original:
  • Modified:

Connect OpenVPN and Testing

18. Pre-requisite: You should download and install the OpenVPN client

19. Import configuration file.


20. Connect the OpenVPN


21. Now open cmd and ping the private IP of the instance created at step 7 above



If you can ping, you successfully created a client VPN between AWS and on-premises. There are many scenarios in which we have to work on the AWS cloud doing some execution and experiments or set up some Application Server. AWS client VPN provides Secure connectivity so that every individual connects remotely with a secure OpenVPN connection and performs his job. Thanks for reading this blog Setup guide for AWS Client VPN with On-premises machines.

Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.

  • Cloud Training
  • Customized Training
  • Experiential Learning
Read More

About CloudThat

CloudThat is also the official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft gold partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

Drop a query if you have any questions regarding Client VPN Endpoint and I will get back to you quickly.

To get started, go through our Consultancy page and Managed Services Package that is CloudThat’s offerings.


1. What do you mean by Client VPN endpoint?

ANS: – The Client VPN endpoint is configured to use the service VPN service on AWS. The VPN sessions of the other side users establish at the Client VPN endpoint. As part of creating the Client VPN endpoint, you specify the authentication details, server/client certificate details, client IP address pool, logging options, and VPN port.

2. What do you mean by target network?

ANS: – The Target network you attach to the Client VPN endpoint provides secure access to your AWS services and on-premises.

3. What factors will affect the throughput of my VPN connection?

ANS: – VPN connection throughput depends on multiple factors, like the capacity of your customer gateway, the capacity of your network, average packet size, the protocol used, UDP vs. TCP, and the network latency between your virtual private gateway and customer gateway.

WRITTEN BY Mayank Bharawa



    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!