

# Connect to an AWS Client VPN endpoint using an OpenVPN client
<a name="connect"></a>

You can establish a connection to a Client VPN endpoint using common OpenVPN client applications. Client VPN is supported on the following operating systems:
+ **Windows**

  Use a certificate and private key from the Windows Certificate Store. Once you've generated the certificate and key, you can establish an AWS Client VPN connection using either the OpenVPN GUI client application or the OpenVPN GUI Connect Client. For the steps to create the certificate and key, see [Establish a VPN connection using a certificate on Windows](windows-openvpn-cryptoapicert.md).
+ **macOS**

  Establish a VPN connection using a configuration file for macOS-based Tunnelblick or for AWS Client VPN. For more information, see [Establish a VPN connection on macOS](macos-tunnelblick.md).
+ **Linux**

  Establish a VPN connection on Linux using either the **OpenVPN - Network Manager** interface or the OpenVPN application. To use the **OpenVPN - Network Manager** interface, you'll first need to install the network manager module if it's not already installed. For more information, see [Establish a VPN connection on Linux](ubuntu-network-manager-openvpn.md).
+ **Android and iOS**

  Establish a VPN connection using the OpenVPN client application on an Android or iOS device. For more information, see [Client VPN connections on Android and iOS](android.md).

**Important**  
If the Client VPN endpoint has been configured to use [SAML-based federated authentication](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#federated-authentication), you cannot use the OpenVPN-based VPN client to connect to a Client VPN endpoint. This includes any ARM-based architectures. If you are using a device with an ARM processor (such as Apple Silicon Macs or ARM-based Windows devices), you must use SAML-based VPN endpoints with the AWS provided client instead of OpenVPN clients.

**Topics**
+ [Windows](windows.md)
+ [macOS](macos.md)
+ [Linux](linux.md)
+ [Client VPN connections on Android and iOS](android.md)

# Connect to an AWS Client VPN endpoint using a Windows client application
<a name="windows"></a>

These sections describe how to establish a VPN connection using Windows-based VPN clients.

Before you begin, ensure that your Client VPN administrator has [created a Client VPN endpoint](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-endpoints.html#cvpn-working-endpoint-create) and provided you with the [Client VPN endpoint configuration file](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-endpoint-export.html). If you want to connect to multiple profiles simultaneously, you'll need a configuration file for each profile.

For troubleshooting information, see [Troubleshooting AWS Client VPN connections with Windows-based clients](windows-troubleshooting.md).

**Important**  
If the Client VPN endpoint has been configured to use [SAML-based federated authentication](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#federated-authentication), you cannot use the OpenVPN-based VPN client to connect to a Client VPN endpoint. This includes any ARM-based architectures. If you are using a device with an ARM processor (such as Apple Silicon Macs or ARM-based Windows devices), you must use SAML-based VPN endpoints with the AWS provided client instead of OpenVPN clients.

**Topics**
+ [Establish a VPN connection using a certificate on Windows](windows-openvpn-cryptoapicert.md)

# Use a certificate and establish an AWS Client VPN connection on Windows
<a name="windows-openvpn-cryptoapicert"></a>

You can configure the OpenVPN client to use a certificate and private key from the Windows Certificate System Store. This option is useful when you use a smart card as part of your Client VPN connection. For information about the OpenVPN client `cryptoapicert` option, see [Reference Manual for OpenVPN](https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/) on the OpenVPN website.

**Note**  
The certificate must be stored on the local computer.

**To use a certificate and establish a connection**

1. Create a .pfx file that contains the client certificate and the private key.

1. Import the .pfx file to your personal certificate store, on your local computer. For more information, see [How to: View certificates with the MMC snap-in](https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in#to-view-certificates-for-the-local-device) on the Microsoft website.

1. Verify that your account has permissions to read the local computer certificate. You can use the Microsoft Management Console to modify the permissions. For more information, see [Rights to see the local computer certificates store](https://learn.microsoft.com/en-us/archive/msdn-technet-forums/743d793c-ca94-45b3-88c6-375097eaafc0) on the Microsoft website.

1. Update the OpenVPN configuration file and specify the certificate by using either the certificate subject, or the certificate thumbprint.

   The following is an example of specifying the certificate by using a subject.

   ```
   cryptoapicert "SUBJ:Jane Doe"
   ```

   The following is an example of specifying the certificate by using a thumbprint. You can find the thumbprint by using the Microsoft Management Console. For more information, see [How to: Retrieve the Thumbprint of a Certificate](https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-retrieve-the-thumbprint-of-a-certificate) on the Microsoft website.

   ```
   cryptoapicert "THUMB:a5 42 00 42 01"
   ```

1. After you complete the configuration, use OpenVPN to establish a VPN connection by doing one of the following:
   + **Use the OpenVPN GUI client application**

     1. Start the OpenVPN client application.

     1. On the Windows taskbar, choose **Show/Hide icons**. Right-click **OpenVPN GUI**, and then choose **Import file**.

     1. In the Open dialog box, select the configuration file that you received from your Client VPN administrator and choose **Open**.

     1. On the Windows taskbar, choose **Show/Hide icons**. Right-click **OpenVPN GUI**, and then choose **Connect**.
   + **Use the OpenVPN GUI Connect Client**

     1. Start the OpenVPN application, and choose **Import**, **From local file...**.

     1. Navigate to the configuration file that you received from your VPN administrator, and choose **Open**.
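
Step 4 of the procedure above, as an added example (not code from this guide or from OpenVPN): a Python helper that builds the `cryptoapicert` selector from a subject or a copied thumbprint and rewrites a profile to use it. It assumes the profile may carry `cert`/`key` directives or inline `<cert>`/`<key>` blocks, which `cryptoapicert` is used instead of; the function names and the sample profile are constructed for illustration.

```python
import re

# cryptoapicert replaces --cert/--key, so drop those (file-based and inline forms).
_INLINE = re.compile(r"^[ \t]*<(cert|key)>.*?</\1>[ \t\r]*\n?", re.M | re.S)
_DIRECTIVE = re.compile(r"^[ \t]*(?:cert|key|cryptoapicert)[ \t]+.*\n?", re.M)

# Constructed sample profile (placeholder host and PEM bodies, not real material).
SAMPLE_CONFIG = """client
dev tun
remote vpn.example.com 443
remote-cert-tls server
<ca>
(constructed CA certificate placeholder)
</ca>
cert client.crt
<key>
(constructed private key placeholder)
</key>
key-direction 1
"""


def selector_from_thumbprint(thumbprint: str) -> str:
    """Normalize a thumbprint copied from MMC to the 'THUMB:aa bb ..' form."""
    # Copies from the MMC dialog may carry spaces, colons or an invisible U+200E.
    digits = re.sub(r"[\s:\u200e]", "", thumbprint).lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", digits):
        raise ValueError("thumbprint must be an even number of hex digits")
    return "THUMB:" + " ".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def selector_from_subject(subject: str) -> str:
    """Build a 'SUBJ:..' selector, rejecting characters that break the quoting."""
    subject = subject.strip()
    if not subject or any(c in subject for c in '"\r\n'):
        raise ValueError("subject must be non-empty, without quotes or newlines")
    return "SUBJ:" + subject


def use_store_certificate(config: str, selector: str) -> str:
    """Return the profile with on-disk cert/key removed and cryptoapicert set."""
    config = _DIRECTIVE.sub("", _INLINE.sub("", config))
    if config and not config.endswith("\n"):
        config += "\n"
    return f'{config}cryptoapicert "{selector}"\n'


if __name__ == "__main__":
    print(use_store_certificate(SAMPLE_CONFIG, selector_from_thumbprint("A5 42 00 42 01")))
```

After the rewrite, the private key no longer has to exist in the profile or beside it on disk; unrelated directives such as `remote-cert-tls` and the `<ca>` block are left untouched.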

# Connect to an AWS Client VPN endpoint using a macOS client application
<a name="macos"></a>

These sections describe how to establish a VPN connection using the macOS-based VPN client, Tunnelblick or AWS Client VPN.

Before you begin, ensure that your Client VPN administrator has [created a Client VPN endpoint](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-endpoints.html#cvpn-working-endpoint-create) and provided you with the [Client VPN endpoint configuration file](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-endpoint-export.html). If you want to connect to multiple profiles simultaneously, you'll need a configuration file for each profile.

For troubleshooting information, see [Troubleshooting AWS Client VPN connections with macOS clients](macos-troubleshooting.md).

**Important**  
If the Client VPN endpoint has been configured to use [SAML-based federated authentication](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#federated-authentication), you cannot use the OpenVPN-based VPN client to connect to a Client VPN endpoint. This includes any ARM-based architectures. If you are using a device with an ARM processor (such as Apple Silicon Macs or ARM-based Windows devices), you must use SAML-based VPN endpoints with the AWS provided client instead of OpenVPN clients.

**Topics**
+ [Establish a VPN connection on macOS](macos-tunnelblick.md)

# Establish an AWS Client VPN connection on macOS
<a name="macos-tunnelblick"></a>

You can establish a VPN connection using the Tunnelblick client application on a macOS computer.

**Note**  
For more information about the Tunnelblick client application for macOS, see the [Tunnelblick documentation](https://tunnelblick.net/documents.html) on the Tunnelblick website.

**To establish a VPN connection using Tunnelblick**

1. Start the Tunnelblick client application and choose **I have configuration files**.

1. Drag and drop the configuration file that you received from your VPN administrator in the **Configurations** panel.

1. Select the configuration file in the **Configurations** panel and choose **Connect**.

**To establish a VPN connection using AWS Client VPN**

1. Start the OpenVPN application, and choose **Import**, **From local file...**.

1. Navigate to the configuration file that you received from your VPN administrator, and choose **Open**.

# Connect to an AWS Client VPN endpoint using an OpenVPN client application
<a name="linux"></a>

These sections describe how to establish a VPN connection using either OpenVPN - Network Manager or OpenVPN.

Before you begin, ensure that your Client VPN administrator has [created a Client VPN endpoint](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-endpoints.html#cvpn-working-endpoint-create) and provided you with the [Client VPN endpoint configuration file](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-endpoint-export.html). If you want to connect to multiple profiles simultaneously, you'll need a configuration file for each profile.

For troubleshooting information, see [Troubleshooting AWS Client VPN connections with Linux-based clients](linux-troubleshooting.md).

**Important**  
If the Client VPN endpoint has been configured to use [SAML-based federated authentication](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#federated-authentication), you cannot use the OpenVPN-based VPN client to connect to a Client VPN endpoint. This includes any ARM-based architectures. If you are using a device with an ARM processor (such as Apple Silicon Macs or ARM-based Windows devices), you must use SAML-based VPN endpoints with the AWS provided client instead of OpenVPN clients.

**Topics**
+ [Establish a VPN connection on Linux](ubuntu-network-manager-openvpn.md)

# Establish an AWS Client VPN connection on Linux
<a name="ubuntu-network-manager-openvpn"></a>

Establish a VPN connection using either the Network Manager GUI on an Ubuntu computer or the OpenVPN application.

**To establish a VPN connection using OpenVPN - Network Manager**

1. Install the network manager module using the following command.

   ```
   sudo apt-get install --reinstall network-manager network-manager-gnome network-manager-openvpn network-manager-openvpn-gnome
   ```

1. Go to **Settings**, **Network**.

1. Choose the plus symbol (**+**) next to **VPN**, and then choose **Import from file...**.

1. Navigate to the configuration file that you received from your VPN administrator and choose **Open**.

1. In the **Add VPN** window, choose **Add**.

1. Start the connection by enabling the toggle next to the VPN profile that you added.

**To establish a VPN connection using OpenVPN**

1. Install OpenVPN using the following command.

   ```
   sudo apt-get install openvpn
   ```

1. Start the connection by loading the configuration file that you received from your VPN administrator.

   ```
   sudo openvpn --config /path/to/config/file
   ```

# AWS Client VPN connections on Android and iOS applications
<a name="android"></a>

**Important**  
If the Client VPN endpoint has been configured to use [SAML-based federated authentication](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#federated-authentication), you cannot use the OpenVPN-based VPN client to connect to a Client VPN endpoint. This includes any ARM-based architectures. If you are using a device with an ARM processor (such as Apple Silicon Macs or ARM-based Windows devices), you must use SAML-based VPN endpoints with the AWS provided client instead of OpenVPN clients.

The following information shows how to establish a VPN connection using the OpenVPN client application on an Android or iOS mobile device. The steps for Android and iOS are the same.

**Note**  
For more information about downloading and using the OpenVPN client application for iOS or Android, see the [OpenVPN Connect User Guide](https://openvpn.net/connect-docs/user-guide.html) on the OpenVPN website.

Before you begin, ensure that your Client VPN administrator has [created a Client VPN endpoint](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-endpoints.html#cvpn-working-endpoint-create) and provided you with the [Client VPN endpoint configuration file](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-endpoint-export.html). If you want to connect to multiple profiles simultaneously, you'll need a configuration file for each profile.

To establish the connection, start the OpenVPN client application, and then import the file that you received from your Client VPN administrator. 