The open source version of the AWS Client VPN Administrator Guide. To submit feedback or requests for changes, submit an issue or make changes and submit a pull request.
License: Other
This repository is archived, read-only, and no longer updated. For more information, read the announcement on the AWS News Blog.
You can find up-to-date AWS technical documentation on the AWS Documentation website, where you can also submit feedback and suggestions for improvement.
These instructions are incomplete.
On the instance on which your resource is running, that does not allow traffic from the security group that was applied to the target network association.
Limitations of Client VPN
Client VPN has the following rules and limitations:
Client CIDR ranges cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or any routes manually added to the Client VPN endpoint's route table.
Client CIDR ranges must have a block size of at least /22 and must not be greater than /12.
The doc says
The server and client certificates must be provisioned in AWS Certificate Manager (ACM). For more information about provisioning certificates in ACM, see the AWS Certificate Manager User Guide.
It then shows us how to provision our certificates locally using Easy-RSA. It seems like the doc should say something like "The server cert must be stored in ACM. The client cert must also be stored in ACM only if..."
The Linux documentation mentions "client1.domain.tld"
I'm assuming that this needs to be substituted, but with what? This is for Client OpenVPN connections to AWS, with say OAUTH authentication via G-Suite, AD, etc. It's not clear what "client1.domain.tld" should be. Would it be the AWS DNS entry for the OpenVPN endpoint?
== John ==
It's not clear from the docs what policy/permissions you need to create the service-linked role for ClientVPN. I believe it is this policy but I'm not positive:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/clientvpn.amazonaws.com/AWSServiceRoleForClientVPN*",
"Condition": {"StringLike": {"iam:AWSServiceName": "clientvpn.amazonaws.com"}}
},
{
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:PutRolePolicy"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/clientvpn.amazonaws.com/AWSServiceRoleForClientVPN*"
}
]
}
Adding this document to https://github.com/awsdocs/aws-client-vpn-administrator-guide/blob/master/doc_source/using-service-linked-roles.md would be very useful.
Hi,
I followed the instructions as per the below articles to integrate aws clientvpn federated authentication with Azure AD and it is working as expected for non-prod.
https://learn.microsoft.com/en-gb/azure/active-directory/saas-apps/aws-clientvpn-tutorial
https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#federated-authentication
I tried to create same AWS ClientVPN enterprise application in Azure AD for a different AWS environment (prod). But I am getting following error message for Audience URI:
Please enter an identifier which is unique within your organization. Search in Enterprise applications and App registrations for AWS ClientVPN Non-Prod, which currently uses this identifier.
As per the above article, thh Audience URI should be urn:amazon:webservices:clientvpn. If i change it to something like urn:amazon:webservices:clientvpn#prod, it let me save the configuration but authentication is not working.
I have contacted Azure AD support team and they recommended to contact AWS support team. Please see their reponse below:
=====================================================
Findings from Azure authentication team:
As we cannot use same identifier for both the applications, we need AWS team input to provide the correct Entity ID for prod application as he cannot use #prod
=====================================================
Anyone please share some thoughts how to create same azure ad - AWS ClientVPN enterprise app for a different environment.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.