DEV Community


AWS Client VPN setup was driving me crazy. So I built the easy button

You know that feeling when you decide to try something new? Ever thought about setting up an AWS Client VPN?

First, you're optimistic. You search for blog posts, read the AWS documentation and dive in. Then reality hits.

You need to understand certificate generation. Manual steps pile up. You realize this will be a nightmare to reproduce. You try CloudFormation but get cryptic errors like "route already exists" and you have no idea why.

Eventually, you create all the resources following the documentation step by step. But guess what? The connection still doesn't work.

Plot twist: It doesn't have to suck.

Enter: the "just work already" solution

What if VPN setup was more like ordering pizza and less like performing surgery? One command, actual results:

```bash
./scripts/deploy-client-vpn.sh \
  --stack-name "please-just-work" \
  --region "us-east-1" \
  --profile "my-sanity" \
  --vpc-id "vpc-12345678" \
  --subnet-id "subnet-87654321" \
  --vpc-cidr "172.31.0.0/16"
```

Ten minutes later: You have a working VPN. With certificates. And documentation that actually explains why SSH might not work (spoiler: it's the NAT thing and here's how to fix it).

The plot twist nobody tells you

Here's the kicker that breaks everyone: AWS Client VPN uses NAT routing. Your traffic doesn't come from the VPN client IP range; it is source-NATed to an address in the subnet the endpoint is associated with. So when you configure security groups to allow "VPN clients" by their client CIDR, you're configuring them wrong.

The real fix: Your private resources need to allow traffic from the CIDR of the private subnet associated with the Client VPN endpoint, not from the VPN client CIDR range.

Most tutorials skip this. Most solutions leave you to figure it out. This one puts it right in the troubleshooting guide with the exact commands to fix it. Because 2 AM debugging sessions are nobody's friend.
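A quick way to catch exactly this mistake before the 2 AM session, as an added example that is not part of the post or the linked repo: it applies the NAT rule above to a set of security group ingress rules (the IpPermissions shape the EC2 API returns) and reports whether a port is actually reachable from the associated subnet. The client CIDR, subnet CIDR and rules below are constructed sample values.

```python
"""Check whether a security group really admits AWS Client VPN traffic.

Client VPN source-NATs each connection to an address in the subnet the
endpoint is associated with, so an ingress rule that allows the VPN client
CIDR never matches. Rules use the IpPermissions shape returned by
ec2.describe_security_groups; the sample data is constructed, no AWS call.
"""
import ipaddress


def rule_covers(rule, cidr, port):
    """True if this ingress rule admits TCP `port` from every address in `cidr`."""
    proto = rule.get("IpProtocol")
    if proto == "tcp":
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    elif proto != "-1":  # "-1" means all protocols and ports
        return False
    target = ipaddress.ip_network(cidr)
    return any(target.subnet_of(ipaddress.ip_network(r["CidrIp"]))
               for r in rule.get("IpRanges", []))


def diagnose(rules, client_cidr, associated_subnet_cidr, port=22):
    """Return (reachable, ineffective_cidrs).

    reachable: `port` is allowed from the NATed source range, i.e. the subnet
    associated with the endpoint. ineffective_cidrs: rule CIDRs inside the
    client CIDR, which never match a Client VPN connection after NAT.
    """
    client_net = ipaddress.ip_network(client_cidr)
    reachable = any(rule_covers(r, associated_subnet_cidr, port) for r in rules)
    ineffective = sorted(
        rng["CidrIp"] for r in rules for rng in r.get("IpRanges", [])
        if ipaddress.ip_network(rng["CidrIp"]).subnet_of(client_net)
    )
    return reachable, ineffective


# Constructed sample: SSH opened to the client CIDR only (the classic mistake).
CLIENT_CIDR = "10.0.0.0/22"           # hypothetical ClientCidrBlock
ASSOCIATED_SUBNET = "172.31.16.0/20"  # hypothetical subnet inside the post's VPC CIDR
WRONG_RULES = [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                "IpRanges": [{"CidrIp": CLIENT_CIDR}]}]
# The fix from the post: allow the VPC/subnet range that NATed traffic really uses.
FIXED_RULES = WRONG_RULES + [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                              "IpRanges": [{"CidrIp": "172.31.0.0/16"}]}]
```

Run `diagnose` against the rules pulled from `describe-security-groups` for the instance you cannot SSH into; a `False` with a non-empty second element is the NAT mistake.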

What you actually get

  • The reality check: no more certificate generation mysteries or "route already exists" CloudFormation failures.
  • The time saver: 4 hours of frustration → 10 minutes of deployment.
  • The bonus: complete cleanup command (because nobody remembers how to tear things down properly).
  • The relief: works in any AWS account - personal, corporate or that weird sandbox environment.

Perfect for when you need secure access yesterday, not next week after you've become a networking wizard.

The Easy Button

Grab it here: github.com/lucianpatian/aws_clientvpn

Because sometimes you just want the VPN to work so you can get back to the actual work. Revolutionary concept, I know.

Built entirely with Amazon Q CLI.

Top comments (6)

Alina Bazavan

Good job @lp!

Lucian Patian

thank you Alina ✌️

dejanualex

Nice article 🙌🙌🙌

Lucian Patian

thank you @dejanualex

Sky World Interior Design

I need vpn

Lucian Patian

“go build” 😬