Cloud Experts Documentation

Setup a VPN Connection into a PrivateLink ROSA Cluster with OpenVPN

Last edited
Published
Authors
Kevin Collins & Kumudu Herath
Tags: ROSA

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

When you configure a Red Hat OpenShift on AWS (ROSA) cluster with a private link configuration, you will need connectivity to this private network in order to access your cluster. This guide will show you how to configute an AWS Client VPN connection so you won’t need to setup and configure Jump Boxes.

Prerequisites

  • a private link ROSA Cluster - follow this guide to create a private ROSA Cluster
  • jq

Set Envrionment Variables

Start by setting environment variables that we will use to setup the VPN connection

Create certificates to use for your VPN Connection

There are many ways and methods to create certificates for VPN, the guide below is one of the ways that works well. Note, that whatever method you use, make sure it supports “X509v3 Extended Key Usage”.

  1. Clone OpenVPN/easy-rsa

  2. Change to the easyrsa directory

  3. Initialize the PKI

  4. Edit certificate parameters

    Uncomment and edit the copied template with your values

    Uncomment (remove the #) the folowing field

  5. Create the CA:

  6. Generate the Server Certificate and Key

  7. Generate Diffie-Hellman (DH) parameters

  8. Generate client credentials

Import certficates into AWS Certificate Manager

  1. Import the server certificate

    • Before running the below commands, make sure you are still in the pki directory under the easyrsa3 directory

  2. Import the client certificate

Create a Client VPN Endpoint

  1. Retrieve the VPN Client ID

  2. Associate each private subnet with the client VPN endpoint

  3. Add an ingress authorization rule to a Client VPN endpoint

Configure your OpenVPN Client

  1. Download the VPN Client Configuration

  2. Run the following commands to add the certificates created in the first step to the VPN Configuration file.

    • note: make sure you are still in the easy rsa / pki directory.

  3. Add DNS Entries

    In order to resolve the ROSA Cluster domain name, you will need to either add the DNS server and the Route 53 Hosted Domain for the cluster to your VPN settings or /etc/hosts in machine you are connecting from.

    The DNS server will be the x.x.x.2 address of your VPC CIDR. For example, if you VPC CIDR is 10.66.0.0/16 then your DNS server will be 10.66.0.2

    You can find the VPC ( machine ) CIDR with this command:

    You can find the ROSA base domain with this command:

  4. Import the client-config.ovpn file into your VPN Software.

    • Mac users - just double click the client-config.ovpn and it will be imported automatically into your VPN client.

    • Note: In order to connect to your cluster with the oc cli, you will need to update your OS DNS server with the DNS Server above after you connected to VPN.

  5. Connect your VPN.

    screenshot of Vpn Connected
Back to top

Interested in contributing to these docs?

Collaboration drives progress. Help improve our documentation The Red Hat Way.

GitHub Edit this page
Red Hat logo LinkedIn YouTube Facebook Twitter

Products

Tools

Try, buy & sell

Communicate

About Red Hat

We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Subscribe to our newsletter, Red Hat Shares

Sign up now © 2026 Red Hat