Script to Create Profile on AWS Client VPN

Hi,

Forgive me if this is the wrong sub for this - but I tried posting over at r/aws and didn’t get much of a response so thought I’d shoot here!

Has anyone previously used/created a script that can add a profile on the AWS VPN Client with a given .ovpn file?

At the moment our users do this themselves from within the client (following a guide that is provided to them) but we wish to take the manual aspect out of the process and automate it if possible.

Any help would be appreciated :)

I am confused now - the ovpn file is the profile. Can you elaborate, please?

I did this. I did it in a bad way since I base64 encoded the actual MSI as well so it would rehydrate the MSI, go through the install, and then create the profile. There was a caveat that I had to open the AWS VPN client at least once. Do you have your cert somewhere already? If so you can just copy the cert to the correct profile path location and then modify a single line in another file. I doubt this is enough info, and I did this like 2 years ago, and we immediately switched off to the actual OpenVPN client so this knowledge is stale at best.

Cert path: "c:\users\$env:username\appdata\roaming\AWSVPNClient\OpenVpnConfigs\your_cert_name"

$user = $env:username

    (Get-Content -path C:\users\$env:username\AppData\Roaming\AWSVPNClient\ConnectionProfiles -Raw) -replace 'Generic',"$user"  | Set-Content -Path C:\users\$env:username\AppData\Roaming\AWSVPNClient\ConnectionProfiles

Huge shoutout to u/XenEngine, because this is mainly their script with some slight adjustments. This allows multiple VPN config files to be added to the same AWS VPN Client. In our setup, we created Intunewin apps with this as the install command and another script that removes the OVPN file as the uninstall command.

# Open the AWS Client once so it creates its roaming files if needed
& "C:\Program Files\Amazon\AWS VPN Client\AWSVPNClient.exe"

# Pause for 2 secs so the client has time to write them
Start-Sleep -Seconds 2

# Kill the app (SilentlyContinue in case it has already exited)
Stop-Process -Name "AWSVPNClient" -Force -ErrorAction SilentlyContinue

# Values to fill in for your endpoint
$profileName  = "*Profile Name*"
$ovpnFileName = "*File Name.ovpn*"
$endpointId   = "cvpn-endpoint-*ENDPOINT ID*"
$region       = "*us-east-1*"

# Paths. $env:APPDATA resolves to the user's real roaming folder, which matters
# because some users had the same username when connected to previous domains,
# so their username is jsmith but their working users directory is jsmith.domain;
# building the path from $env:USERNAME would point at the wrong folder.
$clientDir    = Join-Path $env:APPDATA "AWSVPNClient"
$profilesFile = Join-Path $clientDir "ConnectionProfiles"
$ovpnPath     = Join-Path $clientDir "OpenVpnConfigs\$ovpnFileName"

# The profile entry the client expects in ConnectionProfiles
$newProfile = [pscustomobject]@{
    ProfileName          = $profileName
    OvpnConfigFilePath   = $ovpnPath
    CvpnEndpointId       = $endpointId
    CvpnEndpointRegion   = $region
    CompatibilityVersion = "2"
    FederatedAuthType    = 1
}

# Read the existing ConnectionProfiles as JSON instead of counting '{' and
# splicing text at Length-2 (which breaks as soon as the file ends with a
# newline), so it works whether the user already has 0, 1 or many profiles.
# Start a fresh file if the client has not created one (or left it empty).
if ((Test-Path $profilesFile) -and ((Get-Item $profilesFile).Length -gt 0)) {
    $config = Get-Content -Path $profilesFile -Raw | ConvertFrom-Json
} else {
    $config = [pscustomobject]@{
        Version                  = "1"
        LastSelectedProfileIndex = 0
        ConnectionProfiles       = @()
    }
}

# Drop any existing entry with the same name so re-running the script does
# not create duplicates, then append the new one
$config.ConnectionProfiles = @($config.ConnectionProfiles | Where-Object { $_.ProfileName -ne $profileName }) + $newProfile

# Write to the Config File (UTF-8 without BOM, the same as StreamWriter used)
[System.IO.File]::WriteAllText($profilesFile, ($config | ConvertTo-Json -Depth 5))

# .ovpn Profile Information (single-quoted here-string, so nothing is interpolated)
$ovpncert = @'
client
dev tun
proto udp
remote cvpn-endpoint-*ENDPOINT ID*
remote-random-hostname
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
*Long string cert here*
-----END CERTIFICATE-----
</ca>
auth-user-pass
auth-retry interact
auth-nocache
reneg-sec 0
'@

# Write the .ovpn next to the client's other configs (create the folder if needed)
New-Item -ItemType Directory -Force -Path (Split-Path $ovpnPath) | Out-Null
[System.IO.File]::WriteAllText($ovpnPath, $ovpncert)

# Restart the app to apply changes
& "C:\Program Files\Amazon\AWS VPN Client\AWSVPNClient.exe"
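The post above mentions a second script that removes the OVPN file as the Intune uninstall command, and later replies in the thread hit a "profile shows up but the connection fails" situation. The following is an added example, not code from the post or from AWS: an uninstall-side function that removes the profile entry and its .ovpn, and a check that the ConnectionProfiles entry and the .ovpn it points at agree with each other. The function names and the `Company_AWS_SSL_UDP` profile name in the usage lines are assumptions; the file layout under `%APPDATA%\AWSVPNClient` and the `remote` line format (the AWS hostname begins with the endpoint id) are taken from the .ovpn and profile JSON shown in this thread.

```powershell
# Added example (not from the original post). Assumes the layout used in this
# thread: %APPDATA%\AWSVPNClient\ConnectionProfiles (JSON) and
# %APPDATA%\AWSVPNClient\OpenVpnConfigs\<file>.ovpn. Function names are made up.

function Get-AwsVpnProfilesPath {
    Join-Path $env:APPDATA 'AWSVPNClient\ConnectionProfiles'
}

function Test-AwsVpnProfile {
    # Reports whether the named profile's .ovpn exists and whether its
    # 'remote' host starts with the CvpnEndpointId recorded in the profile,
    # and what 'proto' it uses (the thread's UDP-vs-TCP failure shows up here).
    param([Parameter(Mandatory)][string]$ProfileName)

    $config = Get-Content -Path (Get-AwsVpnProfilesPath) -Raw | ConvertFrom-Json
    $entry  = $config.ConnectionProfiles |
              Where-Object { $_.ProfileName -eq $ProfileName } | Select-Object -First 1
    if (-not $entry) { throw "No profile named '$ProfileName' in ConnectionProfiles" }

    $ovpnExists = Test-Path -LiteralPath $entry.OvpnConfigFilePath
    $remote = $null
    $proto  = $null
    if ($ovpnExists) {
        foreach ($line in Get-Content -LiteralPath $entry.OvpnConfigFilePath) {
            if ($line -match '^\s*remote\s+(\S+)') { $remote = $Matches[1] }
            if ($line -match '^\s*proto\s+(\S+)')  { $proto  = $Matches[1] }
        }
    }

    [pscustomobject]@{
        ProfileName   = $ProfileName
        OvpnExists    = $ovpnExists
        Proto         = $proto
        Remote        = $remote
        # A mismatch means the profile entry and the .ovpn came from different endpoints
        EndpointMatch = ($null -ne $remote) -and ($remote -like "$($entry.CvpnEndpointId)*")
    }
}

function Remove-AwsVpnProfile {
    # Uninstall counterpart: drops the profile from ConnectionProfiles, keeps
    # LastSelectedProfileIndex inside the array, and deletes the .ovpn.
    # Returns $true if something was removed, $false if the profile was absent.
    param([Parameter(Mandatory)][string]$ProfileName)

    $path   = Get-AwsVpnProfilesPath
    $config = Get-Content -Path $path -Raw | ConvertFrom-Json
    $entry  = $config.ConnectionProfiles |
              Where-Object { $_.ProfileName -eq $ProfileName } | Select-Object -First 1
    if (-not $entry) { return $false }   # nothing to do; safe to re-run

    # Stop the client first so it does not rewrite the file on exit
    Stop-Process -Name 'AWSVPNClient' -Force -ErrorAction SilentlyContinue

    $config.ConnectionProfiles = @($config.ConnectionProfiles |
                                   Where-Object { $_.ProfileName -ne $ProfileName })
    if ($config.LastSelectedProfileIndex -ge $config.ConnectionProfiles.Count) {
        $config.LastSelectedProfileIndex = 0
    }
    [System.IO.File]::WriteAllText($path, ($config | ConvertTo-Json -Depth 5))

    # Only delete the .ovpn if it really lives under the client's config folder,
    # so a tampered profile entry cannot turn the uninstall into an arbitrary delete
    $configDir = (Join-Path $env:APPDATA 'AWSVPNClient\OpenVpnConfigs') + '\'
    $ovpn = $entry.OvpnConfigFilePath
    if ($ovpn -and (Test-Path -LiteralPath $ovpn) -and
        [System.IO.Path]::GetFullPath($ovpn).StartsWith($configDir, 'OrdinalIgnoreCase')) {
        Remove-Item -LiteralPath $ovpn -Force
    }
    return $true
}

# Usage (profile name is an assumed example):
# Test-AwsVpnProfile   -ProfileName 'Company_AWS_SSL_UDP' | Format-List
# Remove-AwsVpnProfile -ProfileName 'Company_AWS_SSL_UDP'
```

`Test-AwsVpnProfile` is the piece to run when the profile appears in the client but the connection fails: `OvpnExists` false or `EndpointMatch` false means the entry and the .ovpn do not line up, and `Proto` shows whether the file is trying UDP or TCP. `Remove-AwsVpnProfile` returns a boolean so it can be used directly as an Intune uninstall command's exit condition.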

Glad that helped you out!

Well, since the aws vpn is just openvpn, maybe it just copies the .ovpn file to a folder somewhere? That’s what the unbranded openvpn client does anyway.

Can you check, maybe it’s as simple as that?

What I remember is that there are two files needed for each connection profile. One file is in the "c:\users\$env:username\appdata\roaming\AWSVPNClient\ConnectionProfiles" folder; the other is the "cert" and it is located in the "c:\users\$env:username\appdata\roaming\AWSVPNClient\OpenVpnConfigs" folder. Here is the "connection profile" part of the code. I used stream.writeline to actually create the files in this, but hopefully this at least helps.

# ConnectionProfiles with a single profile. 'Generic' is a placeholder for the
# user's profile folder name and is replaced at the end of the script.
$line = '{"Version":"1","LastSelectedProfileIndex":0,"ConnectionProfiles":[{"ProfileName":"Company_AWS_SSL_UDP","OvpnConfigFilePath":"C:\\Users\\Generic\\AppData\\Roaming\\AWSVPNClient\\OpenVpnConfigs\\Company_AWS_SSL_UDP","CvpnEndpointId":"cvpn-endpoint-[redacted]","CvpnEndpointRegion":"us-east-1","CompatibilityVersion":"1","FederatedAuthType":0}]}'

$profilesFile = "$env:APPDATA\AWSVPNClient\ConnectionProfiles"
$stream = [System.IO.StreamWriter] $profilesFile
$stream.WriteLine($line)
$stream.Close()

# The "cert" file: the downloaded .ovpn, written into OpenVpnConfigs
# (single-quoted here-string so nothing inside it is interpolated)
$ovpncert = @'
client
dev tun
proto udp
remote cvpn-endpoint-<REDACTED>.prod.clientvpn.us-east-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
</ca>
auth-user-pass
reneg-sec 0
'@

# File name must match the OvpnConfigFilePath in $line above
$stream = [System.IO.StreamWriter] "$env:APPDATA\AWSVPNClient\OpenVpnConfigs\Company_AWS_SSL_UDP"
$stream.WriteLine($ovpncert)
$stream.Close()

# Replace the 'Generic' placeholder with the user's profile folder name.
# Use the folder name rather than $env:username, since the two differ when
# the profile folder was created as e.g. jsmith.domain.
$user = Split-Path -Leaf $env:USERPROFILE

(Get-Content -Path $profilesFile -Raw) -replace 'Generic', $user | Set-Content -Path $profilesFile

Yeah man, glad I could help. I know that you would have to modify it pretty heavily since, like I said, when I wrote that script I was carrying the installer and everything else with it.

Hello! Can you share what tweaks you made to the script? I was able to get it to show in AWS Client VPN as a profile but for some reason, the connection failed. Any help would be useful. Thanks!

Thank you! Made great progress so far. Seems to be giving me a TLS handshake error for some odd reason. I verified the ID and certificate are the same as in the original file, so not sure of the reason for the error. It needs to redirect the connection to a web browser to authenticate with login credentials but for some reason it does not do that. Do you have users authenticate?

Never mind, I had to switch from UDP to TCP for the proto type! You're the man, thanks!