Add the DNS entry to verify the VPN server certificate.
This repository uses mutual authentication architecture following AWS guidelines.
To start, clone the easy-rsa repository:
git clone https://github.com/OpenVPN/easy-rsa.gitNow trigger the PKI creation process:
bash scripts/generateCerts.shYou'll be required to provide inputs to the script:
- The CA common name, like
awsvpn.example.com yesyes
The artifacts will be generated in the ./certs directory.
The generated certificates location is already referenced by the configuration.
Simply provision the infrastructure:
terraform init
terraform apply -auto-approveOnce the VPN is provisioned, download the client config, edit the OpenVPN connection, and and connect to AWS following this guideline.
Client certificate — easy-rsa/easyrsa3/pki/issued/client1.domain.tld.crt
Client key — easy-rsa/easyrsa3/pki/private/client1.domain.tld.key
<cert>
Contents of client certificate (.crt) file
</cert>
<key>
Contents of private key (.key) file
</key>
Locate the line that specifies the Client VPN endpoint DNS name, and prepend a random string to it so that the format is random_string.displayed_DNS_name. For example:
Original DNS name: cvpn-endpoint-0102bc4c2eEXAMPLE.prod.clientvpn.us-west-2.amazonaws.com
Modified DNS name: asdfa.cvpn-endpoint-0102bc4c2eEXAMPLE.prod.clientvpn.us-west-2.amazonaws.com
DNS should work properly as it is replicated by AWS.
Using the Console, subscribe to the OpenVPN product. There should be no costs associated with it.
For more information, follow the instructions of the product.
🚧 Under construction