Client VPN Endpoint with certificate-based authentication

I’m trying to set up a client VPN endpoint. AWS offers three options for obtaining authentication:

- Active Directory authentication (user-based)

- Mutual authentication (certificate-based)

- Single sign-on (SAML-based federated authentication) (user-based)

And the following combinations of the options:

- Mutual authentication and federated authentication

- Mutual authentication and Active Directory authentication

Since we are not planning to use an Active Directory via AWS Directory Services, the first option is banned.

The third option requires using the AWS Client VPN, which does not have support for Linux, see:

- https://docs.aws.amazon.com/de_de/vpn/latest/clientvpn-user/connect-aws-client-vpn-connect.html

- https://docs.aws.amazon.com/de_de/vpn/latest/clientvpn-user/ubuntu.html

So, there’s just one option left, the second one. Based on my understanding, I need to create a certificate for each user, signed by the same CA as the server certificate, and enroll it with the OpenVPN profile to the user at the same time. Otherwise, I will not be able to identify the user.

Now, my questions are:

- Am I missing a different way to authenticate and identify clients that are using Linux via certificates?

- We are using cert-manager inside a Kubernetes cluster (only accessible via VPN, so calling cert-manager will only work after establishing a VPN connection). Is there a way to automate the enrollment of the certificates?

- How would you act in this scenario?

You can use the OpenVPN client on Linux with certificates. You just need to set up the config file (.ovpn) with the certificate data embedded.

Try this for certificates. There’s a similar article on the AWS site too:

https://prasaddomala.com/2020/04/02/aws-client-vpn-setup-private-access-across-aws-accounts-and-vpcs/

Cheaper is to install OpenVPN / WireGuard on an EC2 instance (a small one) and configure it as a gateway for your AWS subnet and/or the internet (iptables forward / masquerade & route push to clients).

That’s the reason why only the second option is left. But how can I automate this enrollment? According to our security guidelines we have to rotate our certificates within 3 years, so we are expecting hundreds of clients. Therefore, a manual way as described in the attached link will be inefficient and error-prone. Is there a method to handle this, maybe a semi-automatic / automatic way?