AWS Client VPN with certificates using Vault + automate

Hi,

I am wondering if we can use Vault PKI to generate certificates for users, in order to authenticate to AWS Client VPN.

The official guide uses easy-rsa to create a CA and generate a server certificate and a client certificate but I figured we can use Vault for that part.

Even more, using Vault can help solve the issue of certificate rotation.
We have a person that left our team and changing the VPN config for all is not fun.
Having certificates expire fast would work to solve this issue.

Is there any prior work to this? I could not find any - but I am tired at this moment.

Also an issue that I would like to solve is: VPN configuration generation.
Normal process is: you download VPN config and edit the file to include the certificate and key before you can use it (easily). Process is described in link below.

I would like to solve this issue for non-devs - that might not have the vault cli - but will have access to the vault UI.

Any ideas on how to solve it?

Thanks,

It’s been a while (a couple of years v1.1 or v1.2) but I think I tried this and couldn’t get it to work. Now that I’m reading the AWS documentation I can’t see why it wouldn’t though.

ok, it’s good to know that I am not alone.
Care to share why :)?

As I said I don’t see why it wouldn’t work and I honestly don’t remember why my initial attempt failed but that was at the very beginning of my experience with both Vault and AWS VPN so it’s possible I just didn’t have a good grasp on the terminology or requirements.

I have never used AWS Client VPN. But I have used OpenVPN in a similar architecture, and I think my experience will translate to this problem.

You could use Vault to generate certificates for this application.

But for using short-lived certificates, I see a problem: unless your Vault is accessible without the VPN, how will your clients be able to get to Vault to get a certificate to connect to the VPN?

Most organizations that want to use client certificate auth instead of just username/password, want to do it because they find passwords unacceptably insecure - so I think this architecture wouldn’t be accepted because of that.

As for VPN configuration generation - for that you would need to build your own web application with a UI the users can interact with. The Vault UI does not have relevant features to guide end-users acquiring client certificates.

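One way to automate the step the first post describes (download the AWS config, then paste the certificate and key into it) using Vault's PKI issue endpoint, and to make the short-lived certificates the thread discusses practical for a non-developer, as an added Python example that is not code from any of the posters. It assumes a PKI engine mounted at `pki_vpn` with a role `vpn-client` whose max TTL is short, that the CA in that mount is the one the Client VPN endpoint trusts, and a base config of the shape AWS hands out; the sample config and Vault response below are constructed (only the response field names are the real ones), so the file can be run offline.

```python
"""Issue a short-lived client certificate from Vault's PKI engine and embed it in an
AWS Client VPN (.ovpn) configuration.

Assumptions (not from the thread): Vault has a PKI engine mounted at "pki_vpn" with a
role "vpn-client" whose max TTL is short; the CA in that mount is the one the Client
VPN endpoint trusts; the base config is the file downloaded from the AWS console.
"""
import json
import urllib.request

# Constructed sample: a trimmed base config of the kind AWS Client VPN hands out.
SAMPLE_BASE_CONFIG = """client
dev tun
proto udp
remote cvpn-endpoint-EXAMPLE.prod.clientvpn.eu-west-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
reneg-sec 0
"""

# Constructed sample of what Vault returns from POST /v1/pki_vpn/issue/vpn-client.
# Field names match the real PKI issue response; the PEM bodies are placeholders.
SAMPLE_VAULT_RESPONSE = {
    "data": {
        "certificate": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLIENT-CERT\n-----END CERTIFICATE-----",
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-CLIENT-KEY\n-----END RSA PRIVATE KEY-----",
        "private_key_type": "rsa",
        "serial_number": "11:22:33:44",
        "expiration": 1700000000,
    }
}


def issue_request_body(common_name, ttl="8h"):
    """Request body for Vault's PKI issue endpoint.

    A short ttl is what makes a departed user's access lapse on its own:
    the role's max_ttl caps it, and nobody has to edit the VPN config.
    """
    return {"common_name": common_name, "ttl": ttl}


def issue_from_vault(vault_addr, token, common_name, ttl="8h",
                     mount="pki_vpn", role="vpn-client"):
    """POST to Vault and return the parsed JSON. Needs a reachable Vault (not run here)."""
    url = f"{vault_addr.rstrip('/')}/v1/{mount}/issue/{role}"
    req = urllib.request.Request(
        url,
        data=json.dumps(issue_request_body(common_name, ttl)).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def extract_credentials(vault_response):
    """Pull the client certificate and private key PEMs out of the issue response."""
    data = vault_response["data"]
    return data["certificate"], data["private_key"]


def build_ovpn(base_config, certificate_pem, private_key_pem):
    """Append inline <cert> and <key> blocks to the downloaded base config.

    This is the manual edit the AWS guide describes, done in code so a non-developer
    never opens the file. Treat the result like a password: it carries a private key.
    """
    if "<ca>" not in base_config:
        raise ValueError("base config has no <ca> block; is this the AWS-downloaded file?")
    if "<cert>" in base_config or "<key>" in base_config:
        raise ValueError("base config already carries a client cert/key")
    cfg = base_config.rstrip("\n") + "\n"
    cfg += "<cert>\n" + certificate_pem.strip() + "\n</cert>\n"
    cfg += "<key>\n" + private_key_pem.strip() + "\n</key>\n"
    return cfg


def ovpn_from_response(base_config, vault_response):
    """Convenience wrapper: Vault issue response -> finished .ovpn text."""
    cert, key = extract_credentials(vault_response)
    return build_ovpn(base_config, cert, key)


if __name__ == "__main__":
    # Offline demo with the constructed response; swap in issue_from_vault(...) for real use.
    print(ovpn_from_response(SAMPLE_BASE_CONFIG, SAMPLE_VAULT_RESPONSE))
```

This is the piece a small internal web application (the approach the last reply suggests) or a one-file CLI would call on the user's behalf; the Vault UI alone does not produce the finished file. The reachability caveat raised above still stands: the user must be able to reach Vault before the VPN is up, so Vault (or the small app in front of it) has to sit on a network path that does not itself require the VPN.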