
AWS Client VPN endpoints provide remote access to VPC resources over TLS, with clients authenticated by certificate (mutual TLS). They let remote workers, contractors, or administrators reach private AWS resources without exposing those resources to the internet.

```typescript
import * as saws from "@stackattack/aws";

const ctx = saws.context();
const vpc = saws.vpc(ctx);
const vpn = saws.vpn(ctx, vpc);

// If you'd only like to associate the VPN with a single subnet (cheapest option):
// const vpn = saws.vpn(ctx, {
//   ...vpc,
//   privateSubnetIds: vpc.privateSubnetIds.slice(0, 1)
// })

export const vpnClientConfig = vpn.clientConfig;
```

After deployment, you can retrieve your client configuration from your stack output and write it to a file. The configuration embeds the client certificate and its private key, which is why the output is a secret and `--show-secrets` is required; treat the resulting file with the same care as any other private key (restrict its file permissions and do not commit it to source control).

```sh
# Export the client config from Pulumi outputs
pulumi stack output vpnClientConfig --show-secrets > client.ovpn
```

You can use the client.ovpn file to connect to your VPN with any OpenVPN-compatible client, such as OpenVPN Connect as a desktop app, or directly on the command line:

```sh
# Connect using the OpenVPN client
sudo openvpn --config client.ovpn
```

Warning: Using this component is quite expensive relative to other options. It’s a simple, reliable way to connect to private resources in AWS without any third-party services, but be careful using this approach if you are cost-sensitive.

Client VPN pricing includes both endpoint charges and connection hours:

  • Endpoint charge: $0.10/hour (~$73/month) per subnet association whether connections are active or not. A subnet association will be created for each subnet passed in privateSubnetIds, so be aware of this and only pass the subnet IDs that you’d like to create subnet associations with.
  • Connection charge: $0.05/hour per concurrent connection (~$36/month per user connected 24 hours a day, prorated based on actual connection time)
  • Data transfer: Standard AWS data transfer rates apply. If you do not use split-tunneling, you will pay for traffic flowing through your NAT gateway.

Cost optimization strategies:

  • Use split tunneling (enabled by default) so that only traffic destined for the VPC is routed through AWS; everything else leaves the client directly.
  • AWS recommends associating your Client VPN endpoint with at least two subnets for availability, but you can associate a single subnet if you prefer (see the example above). You are charged per subnet association per hour, so the number of subnets the VPN is associated with is highly correlated with the cost.

See the AWS VPN Pricing for current rates.

Creates an AWS Client VPN endpoint with certificate-based authentication. Sets up the VPN endpoint, network associations, authorization rules, and generates client configuration.

function vpn(ctx: Context, args: VpnArgs): { clientConfig: Output<string>; vpnEndpoint: Endpoint }
  • ctx (Context) - The context for resource naming and tagging
  • args (VpnArgs) - Configuration options for the VPN endpoint
  • ({ clientConfig: Output<string>; vpnEndpoint: Endpoint }) - The created Client VPN Endpoint resource and the rendered OpenVPN client configuration. The configuration embeds the client certificate and private key, so it is a secret.

Generates an OpenVPN client configuration file (.ovpn) with embedded certificates. The configuration includes security settings and embedded CA, client cert, and private key.

function clientConfigFile(args: ClientConfigFileArgs): Output<string>
  • (Output<string>) - The rendered .ovpn file contents, with the CA chain, client certificate, and client private key inlined.

Generates VPN certificates using Easy-RSA for mutual TLS authentication. Creates a certificate authority, server certificate, and a single client certificate. Because one client certificate is issued, every user of the resulting client configuration presents the same identity to the endpoint, so distribute the configuration only to people who should have that access.

function vpnCertificate(ctx: Context, args?: VPNCertificateArgs): Output<VPNCertificateOutput>
  • ctx (Context) - The context for resource naming and tagging
  • args? (VPNCertificateArgs) - Optional configuration for certificate generation
  • (Output<VPNCertificateOutput>) - The generated CA certificate, server certificate and key, and client certificate and key (see VPNCertificateOutput below).

Configuration for generating OpenVPN client configuration file.

  • certificateChain (Input<string>) - CA certificate chain
  • clientCertificate (Input<string>) - Client certificate
  • clientPrivateKey (Input<string>) - Client private key
  • hostname (Input<string>) - VPN server hostname. AWS Client VPN endpoint DNS names begin with a wildcard label (`*.`), so this value may contain a wildcard.
  • name (Input<string>) - Name used for the client configuration
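To make the shape of clientConfigFile and its arguments concrete, here is an added example (not code from @stackattack/aws) that renders an OpenVPN profile with inline certificates from the fields listed above and parses the inline blocks back out. The directive list and the substitution of a random label for the hostname's wildcard are assumptions modelled on the profile AWS generates for Client VPN, not taken from this library's source; the PEM samples and endpoint name are constructed placeholders.

```typescript
// Added example, not @stackattack/aws code. Field names mirror
// ClientConfigFileArgs on this page; the directives are an assumption.
interface ClientConfigFileArgs {
  certificateChain: string;
  clientCertificate: string;
  clientPrivateKey: string;
  hostname: string;
  name: string;
}

// Refuse to embed anything that is not a PEM block of the expected kind, so a
// mis-wired output (e.g. a key passed where a certificate belongs) fails fast
// instead of producing a profile that silently will not authenticate.
function requirePem(field: string, pem: string, kind: string): string {
  const body = pem.trim();
  const m = /^-----BEGIN ([A-Z ]+)-----\n[\s\S]+\n-----END \1-----$/.exec(body);
  if (!m || !m[1].endsWith(kind)) {
    throw new Error(`${field}: expected a PEM-encoded ${kind}`);
  }
  return body;
}

// AWS Client VPN endpoint DNS names start with a wildcard label ("*."); AWS
// recommends prepending a random label so that repeated lookups are not
// pinned by DNS caching. The label only needs to vary, not be unpredictable,
// so Math.random is adequate here. A fixed label can be passed for testing.
function resolveRemoteHost(hostname: string, label?: string): string {
  if (!hostname.startsWith("*.")) return hostname;
  const random = label ?? Math.random().toString(36).slice(2, 12);
  return `${random}.${hostname.slice(2)}`;
}

function renderClientConfig(args: ClientConfigFileArgs, label?: string): string {
  const ca = requirePem("certificateChain", args.certificateChain, "CERTIFICATE");
  const cert = requirePem("clientCertificate", args.clientCertificate, "CERTIFICATE");
  const key = requirePem("clientPrivateKey", args.clientPrivateKey, "PRIVATE KEY");
  const lines = [
    `# ${args.name}`,
    "client",
    "dev tun",
    "proto udp",
    `remote ${resolveRemoteHost(args.hostname, label)} 443`,
    "resolv-retry infinite",
    "nobind",
    // Only accept a server whose certificate carries the TLS server EKU. The
    // same CA signs client certificates, so without this check any client
    // certificate could be used to impersonate the endpoint.
    "remote-cert-tls server",
    "cipher AES-256-GCM",
    "verb 3",
    "<ca>", ca, "</ca>",
    "<cert>", cert, "</cert>",
    "<key>", key, "</key>",
  ];
  return lines.join("\n") + "\n";
}

// Pull the inline <ca>/<cert>/<key> blocks back out of a profile, e.g. to
// check what a distributed client.ovpn actually contains.
function parseInlineBlocks(config: string): Record<string, string> {
  const blocks: Record<string, string> = {};
  const re = /^<([a-z-]+)>\n([\s\S]*?)\n<\/\1>$/gm;
  let m: RegExpExecArray | null;
  while ((m = re.exec(config)) !== null) blocks[m[1]] = m[2];
  return blocks;
}

// Constructed placeholders (not real keys or certificates).
const SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUQ0FQTEFDRUhPTERFUg==\n-----END CERTIFICATE-----";
const SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUQ0xJRU5UUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----";
const SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQ==\n-----END PRIVATE KEY-----";
// Constructed endpoint name in the AWS Client VPN format; not a real endpoint.
const SAMPLE_HOSTNAME = "*.cvpn-endpoint-0123456789abcdef.prod.clientvpn.us-east-1.amazonaws.com";

const sampleProfile = renderClientConfig(
  { certificateChain: SAMPLE_CA, clientCertificate: SAMPLE_CERT, clientPrivateKey: SAMPLE_KEY, hostname: SAMPLE_HOSTNAME, name: "example-vpn" },
  "abc123",
);
```

The profile is deliberately strict about what it embeds: a key in the wrong field is rejected rather than inlined, and `remote-cert-tls server` is always present so that a leaked client certificate cannot be turned into a fake endpoint.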

Configuration options for creating an AWS Client VPN endpoint.

  • certificate? (Input<VPNCertificateOutput>) - Pre-generated VPN certificates, will auto-generate if not provided
  • cidrAllocator? (CidrAllocator) - CIDR allocator to automatically assign a CIDR block
  • cidrBlock? (Input<string>) - CIDR block for VPN client IP addresses. AWS requires a block size between /12 and /22 that does not overlap the VPC CIDR or any route the endpoint carries.
  • enableConnectionLogs? (boolean) - Enable CloudWatch connection logging (default: true)
  • noPrefix? (boolean) - Skip adding prefix to the resource context
  • privateSubnetIds (Input<string>[]) - Private subnet IDs for VPN network associations
  • securityGroupIds? (Input<Input<string>[]>) - Security group IDs to attach to the VPN endpoint
  • vpc (Input<VpcInput>) - VPC where the VPN endpoint will be created
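The client CIDR constraints are easy to get wrong and only surface at deploy time, so here is an added example (not code from @stackattack/aws) that checks a candidate cidrBlock against the VPC CIDR and any extra route CIDRs before it is passed to the component. The size limits (/12 to /22) and the no-overlap rule are AWS's documented requirements for Client VPN; the function and variable names are this example's own.

```typescript
// Added example, not @stackattack/aws code: validate a Client VPN client CIDR.

interface Cidr {
  addr: number;    // the address as written, as an unsigned 32-bit integer
  network: number; // the address with host bits cleared
  prefix: number;
}

function prefixMask(prefix: number): number {
  // A shift count of 32 is taken modulo 32 in JavaScript, so handle /0 explicitly.
  return prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
}

function parseCidr(cidr: string): Cidr {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr.trim());
  if (!m) throw new Error(`malformed CIDR: ${cidr}`);
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (octets.some((o) => o > 255) || prefix > 32) throw new Error(`malformed CIDR: ${cidr}`);
  const addr = octets.reduce((acc, o) => ((acc << 8) | o) >>> 0, 0);
  return { addr, network: (addr & prefixMask(prefix)) >>> 0, prefix };
}

function formatAddr(n: number): string {
  return [24, 16, 8, 0].map((s) => (n >>> s) & 255).join(".");
}

// Two blocks overlap exactly when they agree on the bits of the shorter prefix.
function cidrsOverlap(a: string, b: string): boolean {
  const x = parseCidr(a);
  const y = parseCidr(b);
  const mask = prefixMask(Math.min(x.prefix, y.prefix));
  return ((x.network & mask) >>> 0) === ((y.network & mask) >>> 0);
}

// Returns a list of problems; an empty list means the client CIDR is usable.
function validateClientCidr(clientCidr: string, vpcCidr: string, routeCidrs: string[] = []): string[] {
  const problems: string[] = [];
  const c = parseCidr(clientCidr);
  if (c.addr !== c.network) {
    problems.push(`${clientCidr} has host bits set; use ${formatAddr(c.network)}/${c.prefix}`);
  }
  // AWS Client VPN: block size must be at least /22 and no larger than /12.
  if (c.prefix > 22) problems.push(`${clientCidr} is smaller than /22`);
  if (c.prefix < 12) problems.push(`${clientCidr} is larger than /12`);
  // Client addresses must not collide with anything reachable through the tunnel.
  for (const other of [vpcCidr, ...routeCidrs]) {
    if (cidrsOverlap(clientCidr, other)) problems.push(`${clientCidr} overlaps ${other}`);
  }
  return problems;
}

// Constructed sample values, not taken from any real deployment.
const SAMPLE_VPC_CIDR = "10.0.0.0/16";
const sampleReport = validateClientCidr("10.8.0.0/22", SAMPLE_VPC_CIDR, ["10.9.0.0/24"]);
```

Run the check on the CIDR you intend to pass as `cidrBlock`; a non-empty report means the endpoint will either fail to create or hand out client addresses that shadow VPC hosts.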

Configuration options for generating VPN certificates.

  • clientName? (Input<string>) - Client certificate name
  • commonName? (Input<string>) - Common name for the certificate authority
  • noPrefix? (boolean) - Skip adding prefix to the resource context
  • serverName? (Input<string>) - Server certificate name

Output structure containing generated VPN certificates and keys.

  • ca (string) - Certificate Authority (CA) certificate
  • clientCrt (string) - Client certificate
  • clientPrivateKey (string) - Client private key
  • serverCrt (string) - Server certificate
  • serverPrivateKey (string) - Server private key