Are there full examples of creating a VPN with Self signed cert credentials somewhere ? Note: I was able to setup the VPN Endpoint in AWS , Add Associations , Routes etc.. however, the instructions i had before when i tried (without pulumi) using

easyrsa

certificates and keys, said that I have to: • download the VPN config from the Web console • Modify the config to add path to the cert and key • https://prasaddomala.com/2020/04/02/aws-client-vpn-setup-private-access-across-aws-accounts-and-vpcs/ So i tried to dump the cert and key generated using..

# one year
VALID_HOURS = 24 * 365

# read teh CA cert obtained from running
# ./easyrsa init-pki && ./easyrsa build-ca nopass
with open("ca_encoded.pem", "r") as ca_crt:
    ca_crt_chain = ca_crt.read().replace("\n", " ")

# TODO: check if we can use this instead of using easy rsa
test_vpn_private_key = tls.PrivateKey("test_vpn", algorithm="RSA")
test_vpn_self_signed_cert = tls.SelfSignedCert(
    "test_vpnSelfSignedCert",
    key_algorithm="RSA",
    private_key_pem=test_vpn_private_key.private_key_pem,
    subjects=[
        tls.SelfSignedCertSubjectArgs(
            common_name="<http://test_vpn.com|test_vpn.com>",
            organization="Valo Health",
        )
    ],
    validity_period_hours=VALID_HOURS,
    allowed_uses=[
        "key_encipherment",
        "digital_signature",
        "server_auth",
        "dns_names",
        "is_ca_certificate",
    ],
)

cert_test_vpn = aws.acm.Certificate(
    "test_vpn",
    private_key=test_vpn_private_key.private_key_pem,
    certificate_body=test_vpn_self_signed_cert.cert_pem,
    certificate_chain=test_vpn_self_signed_cert.cert_pem,
)

but the certificate chain is not what it should be…

Can you elaborate on this?

but the certificate chain is not what it should be…

@gentle-account-13294 are you still getting an error, or did you find a solution already?

@gentle-diamond-70147 @gifted-vase-28337 for now I have abandoned the usage of

pulumi-tls

library. I can see that the pem file that is saved for the

test_vpn_self_signed_cert

does not have the certificate chain. Hence I didn’t want to spend time with this approach. I got VPN to work by: • use the

easy-rsa

github repo • create the certs • upload the certs to AWS certificate manager. • NOTE: @gentle-diamond-70147 this i think has a bug in pulumi (or I’m not using the API correctly)… using the Pulumi API to upload the certs generated by

easy-rsa

does not work, gives a validation error. However the same thing works with using AWS CLI

aws acm import-certificate

• then configure rest of the VPN with pulumi

I'm sorry you weren't able to get it working. If you can share more about the specific error you were getting, I can take a deeper look.

Thanks !! I will DM u the bash script I have as well as the pulumi config.. u should be able to configure a VPN with it.

At quick glance it seems no, but based on the example output at https://docs.aws.amazon.com/cli/latest/reference/ec2/export-client-vpn-client-configuration.html#examples, I think you could construct this yourself. Looks like you need the

dnsName

output and couple other properties from the endpoint.

can i get the name of the endpoint configured ? e.g

cvpn-endpoint-123456789123abcde