I’m trying to set up a client VPN endpoint. AWS offers three options for authentication:
- Active Directory authentication (user-based)
- Mutual authentication (certificate-based)
- Single sign-on (SAML-based federated authentication) (user-based)
And the following combinations of the options:
- Mutual authentication and federated authentication
- Mutual authentication and Active Directory authentication
Since we are not planning to use an Active Directory via AWS Directory Services, the first option is banned.
The third option requires using the AWS Client VPN, which does not have support for Linux, see:
- https://docs.aws.amazon.com/de_de/vpn/latest/clientvpn-user/connect-aws-client-vpn-connect.html
- https://docs.aws.amazon.com/de_de/vpn/latest/clientvpn-user/ubuntu.html
So, there’s just one option left, the second one. Based on my understanding, I need to create a certificate for each user, signed by the same CA as the server certificate, and hand it to the user together with the OpenVPN profile. Otherwise, I will not be able to identify the user.
Now, my questions are:
- Am I missing a different way to authenticate and identify clients that use Linux via certificates?
- We are using cert-manager inside a Kubernetes cluster (only accessible via VPN, so calling cert-manager will only work after establishing a VPN connection). Is there a way to automate the enrollment of the certificates?
- How would you act in this scenario?
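The mutual-authentication setup described in the question, as an added example that is not part of the original post: a private CA signs both the server certificate and one certificate per user, the endpoint only accepts certificates that chain to that CA, and the certificate CN is what identifies the user. It assumes `openssl` is installed; the CA name `vpn-ca` and the user `alice` are constructed placeholders.

```shell
#!/bin/sh
# Added example: per-user client certificates signed by the same private CA as the
# server certificate. Names (vpn-ca, alice) are constructed placeholders.
set -eu

WORK="$(mktemp -d)"

# Create the private CA that signs both the server and every client certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=vpn-ca" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a certificate for $1 (used as CN) signed by the CA.
# $2 is the extended key usage: serverAuth for the endpoint, clientAuth for a user.
issue_cert() {
  name="$1"; usage="$2"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\nbasicConstraints=CA:FALSE\n' "$usage" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# Return 0 only if the certificate in $1 chains to our CA (what the endpoint checks).
verify_against_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Print the CN of the certificate in $1: the identity the endpoint attributes to the user.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//; s/^CN=//'
}

make_ca
issue_cert server serverAuth
issue_cert alice clientAuth

# A self-signed certificate from outside the CA must be rejected by the endpoint.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rogue" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null

verify_against_ca "$WORK/alice.crt" && echo "alice accepted as $(cert_cn "$WORK/alice.crt")"
verify_against_ca "$WORK/rogue.crt" || echo "rogue rejected: does not chain to vpn-ca"
```

The user receives `alice.crt` and `alice.key` alongside the OpenVPN profile, while `ca.key` never leaves the signing host; if a user is offboarded, revoking or no longer issuing their certificate is the only per-user control this model offers.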