AWS Client VPN — Setup, Cost and OKTA SSO Integration

7 min readJun 21, 2020

AWS Client VPN is an AWS Solution that offers a quick and easy setup for companies to setup Client VPN for private, internal, employee facing applications that may be hosted in private subnets on the VPC.

The following steps are required to setup AWS Client VPN from scratch.

Create Server Certificate:

AWS Client VPN requires a server SSL certificate. Create a server certificate by following the steps on this link under section “Mutual authentication”.
https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#mutual

NOTES:

You don’t need to create a client certificate for connection through OKTA. Skip step 5 in the link above.
In step 6, you only need to move the server.crt and server.key to the custom folder
You do need to upload the server certificate to AWS Certificate Manager. Therefore, in step 7, only run the command for server

2. Get SAML Authentication file metadata.xml

Contact your OKTA administrators to provide you with a file with a .xml extension. The file should contain the required SAML information. From this point on, we will refer to this file as metadata.xml. This file contains all the information AWS Client VPN would need to authenticate against OKTA.

3. Create an Identity provider in AWS.

a. Log in to AWS Console and navigate to IAM. From IAM, navigate to Identity Providers and click Create Provider.

c. Enter the following information:

Provider Type: Select SAML.
Provider Name: Enter a preferred name like “COMPANY_NAME_OKTA”
Metadata Document: Upload the metadata.xml from step 2
Click Next Step

d. Click Create

e. Select the SAML provider you just created and make a note of your Provider ARN value:

4. Now that we have the setup in place, we are ready to create a Client VPN Endpoint.

a. On AWS Console, Navigate to VPC.
b. Navigate to Client VPN Endpoints, then click Create Client VPN Endpoint:

c. Enter the following information.

Name Tag: Enter a preferred name.
Client IPv4 CIDR: Specify an IP address range in CIDR notation, from which to assign client IP addresses. We assigned 172.16.0.0/20 which would allow upto 4,096 connections. The requirement is a minimum of /20 CIDR. For more details refer to the Create a Client VPN endpoint guide.
Server certificate ARN: Enter the ARN of the server certificate from Step 1 of this guide.
Authentication Options: Check Use user-based authentication.
Select Federated authentication.
SAML provider ARN: Select your provider ARN you made a note of in step 3.
Do you want to log the details on client connections?: Select Yes/No based on your preference.
DNS Server 1 IP address: We put 8.8.8.8 for google’s DNS server.
DNS Server 2 IP address: We put 1.1.1.1 for the Cloudflare DNS server.
Do not enable split-tunnel. This causes a lot of dropped connections.
VPC ID: Select the VPC you’d like to connect to.
VPN Port: Default 443 is good.

d. Click Create Client VPN

5. To enable VPN connection from clients, you must associate a target network (VPC+Subnets) with the Client VPN endpoint.

a. Select your Client VPN Endpoint you created, select the Associations tab, then click Associate:

b. Enter the following:

VPC: choose the VPC in which the subnet is located. If you specified a VPC when you created the Client VPN endpoint, it must be the same VPC.
Choose a subnet to associate: You must select a public subnet here to allow outbound internet traffic while connected to the VPN.
If you require High Availability, we recommend creating 3 Associations total. One per Public Subnet in each Availability Zone. Follow the above steps to create 2 more Associations. Please refer to the cost breakdown on how this will increase overall cost. AWS Client VPN — Cost
Wait until the state of your Client VPN endpoint changes to Available:

6. Create Authorization rules to grant client access to the VPC as well as to the internet.

a. Select your Client VPN endpoint, choose Authorization, then choose Authorize Ingress:

b. Enter the following.

Destination network to enable: Enter the IP address, in CIDR notation, of the VPC for which you want to allow access.
Grant access to: Specify the clients that are allowed to access the specified network. If you want to grant access to specific Okta group, select Allow access to users in a specific access group, then enter the group name for the Access group ID field. Leave this blank otherwise.
Click Add authorization rule.
Perform the above steps to create another Authorization with CIDR range 0.0.0.0/0 to allow clients to access internet while connected through VPN.

7. Update Route Tables to create flow of traffic to the VPC as well as to the internet. You must create these rules per subnet.

a. Create a route to VPC CIDR per subnet. Example below shows 10.0.0.0/16 (VPC CIDR) route per associated subnet. Replace this CIDR with the CIDR of your VPC.

b. Create a route to internet per CIDR. Example below shows 0.0.0.0/0 per subnet.

8. At this point, the VPN Client is ready. Download the Client VPN endpoint configuration file. Store this file safely as you will be sharing this file with clients to allow connection via OKTA.

a. Select your Client VPN endpoint and click Download Client Configuration:

9. Go here to download the AWS Client VPN application. Install and open it.

Navigate to: File > Manage Profiles.
Click Add Profile:

Display Name: Enter a preferred name.
VPN Configuration File: Locate your Client VPN endpoint configuration file you downloaded in above step.
Click Add Profile: Enter a preferred name.
Click Done

10. Ask an OKTA admin to grant access to AWS ClientVPN to the required users.

The users should see the following integration on their OKTA integration page.

Share the VPN configuration with the users and ask them to follow step 9 above for downloading VPN client and creating a profile.
It is ok to share this config as the true access is controlled by OKTA. If the user is not allowed access through OKTA, they would not be able to access AWS Client VPN.

11. Ask an OKTA admin to do the following.

This is a one time action, so this maybe done already.
Select the Sign On tab for the AWS ClientVPN SAML app, then click Edit.
Port: Use the default 35001, or enter another port number.
Click Save:

12. The user can open the AWS VPN Client > Select the profile from step 9 and click Connect.

13. Voila! The VPN connection is made! The user should be able to navigate to apps in the private subnet.

COST BREAKDOWN:

The cost for AWS Client VPN can be broken down as below:

Approximate cost breakdown for the an example VPN with options for prices reduction.

Subnet association. We recommend starting with one subnet association instead of three for a small organization. This helps save cost at the expense of High Availability.
The cost for this association would be:
.10 (per hour) * 1 (association) * ~730 (hours in a month) = $73.
AWS Client Connection. This is largely an approximation as the number of hours individuals stay connected can vary vastly.
Assuming 15 users that connect per month
Assuming that they are connected on average for 30 hours per month
.05(per hour) * 15 * 30 = $22.50

With above assumptions, the total cost of VPN is approximately $95.50/month.

Resource used: