Cloud Experts Documentation

Setup a VPN Connection into a PrivateLink ROSA Cluster with OpenVPN

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

When you configure a Red Hat OpenShift on AWS (ROSA) cluster with a private link configuration, you will need connectivity to this private network in order to access your cluster. This guide will show you how to configute an AWS Client VPN connection so you won’t need to setup and configure Jump Boxes.


  • a private link ROSA Cluster - follow this guide to create a private ROSA Cluster
  • jq

Set Envrionment Variables

Start by setting environment variables that we will use to setup the VPN connection

export ROSA_CLUSTER_NAME=<rosa cluster name>

export REGION=$(rosa describe cluster -c $ROSA_CLUSTER_NAME  -o json | jq -r


export PRIVATE_SUBNET_IDS=$(rosa describe cluster -c $ROSA_CLUSTER_NAME -o json | jq -r '.aws.subnet_ids[]')

Create certificates to use for your VPN Connection

There are many ways and methods to create certificates for VPN, the guide below is one of the ways that works well. Note, that whatever method you use, make sure it supports “X509v3 Extended Key Usage”.

  1. Clone OpenVPN/easy-rsa

    git clone
  2. Change to the easyrsa directory

    cd easy-rsa/easyrsa3
  3. Initialize the PKI

    ./easyrsa init-pki
  4. Edit certificate parameters

    Uncomment and edit the copied template with your values

    vim pki/vars
    set_var EASYRSA_REQ_COUNTRY   "US"
    set_var EASYRSA_REQ_PROVINCE  "California"
    set_var EASYRSA_REQ_CITY      "San Francisco"
    set_var EASYRSA_REQ_ORG       "Copyleft Certificate Co"
    set_var EASYRSA_REQ_EMAIL     ""
    set_var EASYRSA_REQ_OU        "My Organizational Unit"

    Uncomment (remove the #) the folowing field

    #set_var EASYRSA_KEY_SIZE        2048
  5. Create the CA:

    ./easyrsa build-ca nopass
  6. Generate the Server Certificate and Key

    ./easyrsa build-server-full server nopass
  7. Generate Diffie-Hellman (DH) parameters

    ./easyrsa gen-dh
  8. Generate client credentials

    ./easyrsa build-client-full aws nopass

Import certficates into AWS Certificate Manager

  1. Import the server certificate

    • Before running the below commands, make sure you are still in the pki directory under the easyrsa3 directory
    SERVER_CERT_ARN=$(aws acm import-certificate \
    --certificate fileb://issued/server.crt \
    --private-key fileb://private/server.key \ 
    --certificate-chain fileb://ca.crt \
    --region $REGION \
    --query CertificateArn \
    --output text)
  2. Import the client certificate

    CLIENT_CERT_ARN=$(aws acm import-certificate  \ 
    --certificate fileb://issued/aws.crt \
    --private-key fileb://private/aws.key \
    --certificate-chain fileb://ca.crt \
    --region $REGION \
    --query CertificateArn \ 
    --output text)

Create a Client VPN Endpoint

  1. Retrieve the VPN Client ID

     VPN_CLIENT_ID=$(aws ec2 create-client-vpn-endpoint \
     --client-cidr-block $VPN_CLIENT_CIDR \
     --server-certificate-arn $SERVER_CERT_ARN \
     --authentication-options Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=$CLIENT_CERT_ARN} \
     --connection-log-options Enabled=false --split-tunnel --query ClientVpnEndpointId --output text)
  2. Associate each private subnet with the client VPN endpoint

    while IFS= read -r subnet;
       echo "Associcating subnet '$subnet'"
       aws ec2 associate-client-vpn-target-network --subnet-id $subnet --client-vpn-endpoint-id $VPN_CLIENT_ID
    done <<< "$PRIVATE_SUBNET_IDS"
  3. Add an ingress authorization rule to a Client VPN endpoint

    aws ec2 authorize-client-vpn-ingress \
     --client-vpn-endpoint-id $VPN_CLIENT_ID \
     --target-network-cidr \

Configure your OpenVPN Client

  1. Download the VPN Client Configuration

    aws ec2 export-client-vpn-client-configuration --client-vpn-endpoint-id $VPN_CLIENT_ID --output text>client-config.ovpn
  2. Run the following commands to add the certificates created in the first step to the VPN Configuration file.

    • note: make sure you are still in the easy rsa / pki directory.
    echo '<cert>' >> client-config.ovpn
    openssl x509 -in issued/aws.crt >> client-config.ovpn
    echo '</cert>' >> client-config.ovpn
    echo '<key>' >> client-config.ovpn
    cat private/aws.key >> client-config.ovpn
    echo '</key>' >> client-config.ovpn
  3. Add DNS Entries

    In order to resolve the ROSA Cluster domain name, you will need to either add the DNS server and the Route 53 Hosted Domain for the cluster to your VPN settings or /etc/hosts in machine you are connecting from.

    The DNS server will be the x.x.x.2 address of your VPC CIDR. For example, if you VPC CIDR is then your DNS server will be

    You can find the VPC ( machine ) CIDR with this command:

    rosa describe cluster -c $ROSA_CLUSTER_NAME -o json | jq -r '.network.machine_cidr'

    You can find the ROSA base domain with this command:

    rosa describe cluster -c $ROSA_CLUSTER_NAME -o json | jq -r '.dns.base_domain'
  4. Import the client-config.ovpn file into your VPN Software.

    • Mac users - just double click the client-config.ovpn and it will be imported automatically into your VPN client.

    • Note: In order to connect to your cluster with the oc cli, you will need to update your OS DNS server with the DNS Server above after you connected to VPN.

  5. Connect your VPN.

    screenshot of Vpn Connected

Interested in contributing to these docs?

Collaboration drives progress. Help improve our documentation The Red Hat Way.

Red Hat logo LinkedIn YouTube Facebook Twitter



Try, buy & sell


About Red Hat

We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Subscribe to our newsletter, Red Hat Shares

Sign up now
© 2023 Red Hat, Inc.