Configuring Aviatrix User SSL VPN¶
Aviatrix provides a cloud-native and feature-rich client VPN solution. The solution is based on OpenVPN® and is compatible with all OpenVPN® clients. In addition, Aviatrix provides its own client that supports SAML authentication directly from the client.
Only AWS is drawn in the diagram, but this feature applies equally to Azure and Google Cloud.
This document assumes you have set up an Aviatrix Controller. Please see this guide for more details.
There are 3 important steps to setting up User VPN connectivity:
- Create a VPN Gateway
- Create User Profile(s) and attach policies to those profiles
- Associate Users with Profiles
Create a VPN Gateway¶
The description in the steps below provides critical fields you need to select; it may not include all fields.
Login to the Aviatrix Controller
Launch a gateway with VPN capability
In the left navigation bar, click Gateway
Click on the + New Gateway button at the top of the page.
You will need a public subnet in the VPC where the Gateway will be provisioned. Be sure to provision a new one or identify the correct one prior to starting this step.
Select the Cloud Type and enter a Gateway Name.
Once the Account Name is selected, select the appropriate Region and VPC.
After selecting the desired VPC ID, select the Public Subnet where the Gateway will be provisioned.
Select the Gateway Size (t2.micro is sufficient for most test use cases).
Select VPN Access. More fields will appear.
If you just want a basic user VPN solution without multi-factor authentication, you can skip the rest of the VPN related fields.
Use the default VPN CIDR Block. The VPN CIDR Block is the virtual IP address pool that VPN user will be assigned.
If you use a DUO or Okta for multi factor authentication, select one of them at Two-step Authentication, more fields will appear. For details on Okta authentication, check out this link.
If you select Split Tunnel Mode, only the VPC CIDR traffic will go through the tunnel. If you specify “Additional CIDRs”, then these and the VPC CIDR will go through the vpn tunnel. You can modify Split tunnel settings later when more VPCs are created. (Go to OpenVPN® -> Edit Config -> MODIFY SPLIT TUNNEL to make changes. Make sure you specify all the CIDRs, separated by comma.) You can leave Nameservers and Search Domains blank if you don’t have one.
If you plan to support Chromebook, you must configure full tunnel mode as Chromebook only supports full tunnel.
By default, ELB will be enabled, meaning you can create more vpn gateways that are load balanced by the ELB. (ELB will be automatically created by Aviatrix.)
If you disable ELB, your vpn traffic runs on UDP port 1194. When ELB is enabled, your vpn traffic runs on TCP 443. TCP 443 makes it easier to go through corporate firewall.
Click LDAP if VPN user should be authenticated by AD or LDAP server. After you fill up the LDAP fields, make sure you run Test LDAP Configuration to test your configuration is valid.
If you wish to create more of such VPN gateways (for example, behind ELBs for load balancing), click Save Template, which will save your LDAP and multi-factor authentication credentials.
Click OK to create the Gateway.
Once you click OK, the Gateway will be provisioned and all the configuration will be applied. This will take a minute or two.
Add VPN Profiles¶
A profile is defined by a list of access policies with allow or deny rules. When a VPN user is connected to a VPN gateway, the user’s profile is pushed dynamically to the VPN gateway and the user can only access resources defined in the profile. When a VPN user disconnects from the gateway, the policies are deleted.
If a VPN user has no profile association, the user has full access to all resources.
Create a New Profile¶
Attach Policies to a Profile¶
Once you have created one or more profiles, you will need to attach policies to the profile(s). There can be any number of policies that apply to each profile.
Users can be added manually or sync’d from an existing LDAP server.
Create VPN Users¶
If creating users, manually follow the steps below.
Click + Add New
Select the VPC ID where this user should be attached. The associated load balancer will appear in the LB/Gateweay Name
Enter the User Name and User Email
If associating this user with an existing profile, check the checkmark next to Profile and select the appropriate Profile Name.
When a user is added to the database, an email with .ovpn file or .onc (for Chromebooks) will be sent to the user with detailed instructions.
You now have a working Aviatrix VPN Gateway. Users can connect and gain access to their cloud resources.
Detailed audit logs are maintained and available in various logging platforms.
Audit reports are best viewed in Aviatrix Splunk Application
OpenVPN is a registered trademark of OpenVPN Inc.