Configuring Aviatrix User SSL VPN

Aviatrix provides a cloud-native and feature-rich client VPN solution. The solution is based on OpenVPN® and is compatible with all OpenVPN® clients. In addition, Aviatrix provides its own client that supports SAML authentication directly from the client.


Note

Only AWS is drawn in the diagram, but this feature applies equally to Azure and Google Cloud.

Configuration Workflow

Important

This document assumes you have set up an Aviatrix Controller. Please see this guide for more details.

The main steps to setting up User VPN connectivity are:

  1. Create a VPN Gateway
  2. (Optional) Create User Profile(s) and add policies to those profiles
  3. Add a user and (optionally) associate users with profiles

You can also watch a video to learn how to set up remote user VPN.

Create a VPN Gateway

Note

The description in the steps below provides critical fields you need to select; it may not include all fields.

  1. Log in to the Aviatrix Controller

  2. Launch a gateway with VPN capability

    1. In the left navigation bar, click Gateway

    2. Click on the + New Gateway button at the top of the page.

      imageSelectGateway

      Important

      You will need a public subnet in the VPC where the Gateway will be provisioned. Be sure to provision a new one or identify the correct one prior to starting this step.

    3. Select the Cloud Type and enter a Gateway Name.

    4. Once the Account Name is selected, select the appropriate Region and VPC.

    5. After selecting the desired VPC ID, select the Public Subnet where the Gateway will be provisioned.

    6. Select the Gateway Size (t2.micro is sufficient for most test use cases).

      imageCreateGateway

    7. Select VPN Access. More fields will appear.

      imageSelectVPNAccess

      Note

      If you just want a basic user VPN solution without multi-factor authentication, you can skip the rest of the VPN-related fields.

    8. Use the default VPN CIDR Block. The VPN CIDR Block is the virtual IP address pool from which VPN users will be assigned addresses.

    9. If you use Duo or Okta for multi-factor authentication, select one of them under Two-step Authentication; more fields will appear. For details on Okta authentication, check out this link.

    10. If you select Split Tunnel Mode, only traffic destined for the VPC CIDR will go through the tunnel. If you specify “Additional CIDRs”, then these and the VPC CIDR will go through the VPN tunnel. You can modify the split tunnel settings later when more VPCs are created. (Go to OpenVPN® -> Edit Config -> MODIFY SPLIT TUNNEL to make changes. Make sure you specify all the CIDRs, separated by commas.) You can leave Nameservers and Search Domains blank if you don’t have any.

      Note

      If you plan to support Chromebook, you must configure full tunnel mode as Chromebook only supports full tunnel.

    11. By default, ELB will be enabled, meaning you can create more VPN gateways that are load balanced by the ELB. (The ELB will be created automatically by Aviatrix.)

      Important

      If you disable ELB, your VPN traffic runs on UDP port 1194. When ELB is enabled, your VPN traffic runs on TCP 443. TCP 443 makes it easier to get through corporate firewalls.

    12. Click LDAP if VPN users should be authenticated by an AD or LDAP server. After you fill in the LDAP fields, run Test LDAP Configuration to verify that your configuration is valid.

    13. If you wish to create more VPN gateways like this one (for example, behind ELBs for load balancing), click Save Template, which will save your LDAP and multi-factor authentication credentials.

    14. Click OK to create the Gateway.

      Note

      Once you click OK, the Gateway will be provisioned and all the configuration will be applied. This will take a minute or two.
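The split tunnel, Additional CIDRs, Chromebook and ELB/port decisions in steps 8 through 11 above interact, and it helps to be able to reason about them before clicking OK. The following is an added example, not Aviatrix code: it models those gateway fields in a small Python class (the class and method names are this example's own, not Aviatrix's API), validates a comma-separated Additional CIDRs string the way the MODIFY SPLIT TUNNEL form expects it, and answers the questions a reviewer asks of a proposed configuration: which destinations will be routed through the tunnel, which transport (TCP 443 vs UDP 1194) clients will use, and whether Chromebook users can connect.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Added example: a model of the VPN gateway fields from the steps above.
# Field and method names are this example's own, not Aviatrix's API.


def parse_cidr_list(text: str) -> List[str]:
    """Parse the comma-separated 'Additional CIDRs' string into validated CIDRs.

    Raises ValueError on any entry that is not a valid IPv4/IPv6 network, so a
    typo is caught before it is submitted to the gateway.
    """
    cidrs = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing comma or double comma
        # strict=False normalises host bits, e.g. 10.1.2.3/16 -> 10.1.0.0/16
        cidrs.append(str(ipaddress.ip_network(entry, strict=False)))
    return cidrs


@dataclass
class VpnGatewaySettings:
    vpc_cidr: str                       # the VPC the gateway is provisioned in
    split_tunnel: bool = True           # 'Split Tunnel Mode' checkbox
    additional_cidrs: List[str] = field(default_factory=list)
    elb_enabled: bool = True            # ELB is enabled by default

    def transport(self) -> Tuple[str, int]:
        """Transport clients will use, per the Important note above."""
        return ("tcp", 443) if self.elb_enabled else ("udp", 1194)

    def tunneled_routes(self) -> List[ipaddress._BaseNetwork]:
        """Networks whose traffic is sent through the VPN tunnel."""
        if not self.split_tunnel:
            # Full tunnel: everything goes through the VPN.
            return [ipaddress.ip_network("0.0.0.0/0")]
        # Split tunnel: the VPC CIDR plus any Additional CIDRs.
        return [ipaddress.ip_network(c, strict=False)
                for c in [self.vpc_cidr, *self.additional_cidrs]]

    def goes_through_tunnel(self, dest_ip: str) -> bool:
        """True if traffic to dest_ip is routed through the tunnel."""
        ip = ipaddress.ip_address(dest_ip)
        return any(ip in net for net in self.tunneled_routes())

    def supports_chromebook(self) -> bool:
        """Chromebook only supports full tunnel mode (see the Note above)."""
        return not self.split_tunnel


def summarize(settings: VpnGatewaySettings, probes: List[str]) -> dict:
    """Collect the review answers for a proposed configuration in one dict."""
    proto, port = settings.transport()
    return {
        "transport": f"{proto}/{port}",
        "routes": [str(n) for n in settings.tunneled_routes()],
        "tunneled": {ip: settings.goes_through_tunnel(ip) for ip in probes},
        "chromebook_ok": settings.supports_chromebook(),
    }


if __name__ == "__main__":
    # Constructed sample: split tunnel over two VPCs, ELB enabled.
    proposed = VpnGatewaySettings(
        vpc_cidr="10.0.0.0/16",
        additional_cidrs=parse_cidr_list("10.1.0.0/16, 192.168.10.0/24,"),
    )
    print(summarize(proposed, ["10.1.5.5", "192.168.10.7", "8.8.8.8"]))
```

Running the block prints the transport, the route list and a per-destination verdict; the same functions can be called from a change-review script to confirm that a proposed split tunnel list actually covers every VPC users need, and that a Chromebook rollout is not planned against a split-tunnel gateway.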

(Optional) Add VPN Profiles

A VPN user profile is defined by a list of access policies with allow or deny rules. When a VPN user is connected to a VPN gateway, the user’s profile is pushed dynamically to the VPN gateway and the user can only access resources defined in the profile. When a VPN user disconnects from the gateway, the policies are deleted.

Important

If a VPN user has no profile association, the user has full access to all resources.

  1. Log in to the Aviatrix Controller

  2. Expand OpenVPN® on the left navigation bar

  3. Select Profiles

    imageOpenVPNProfiles

Create a New Profile

  1. Click + New Profile

  2. Enter a Profile Name

  3. Select the appropriate Base Policy

  4. Click OK

    imageAddNewProfile

Attach Policies to a Profile

Once you have created one or more profiles, you will need to attach policies to the profile(s). There can be any number of policies that apply to each profile.

  1. Click the Edit/View button next to the profile name

    imageEditViewProfile

  2. In the table, click + Add New to create a new policy.

  3. Select the Protocol, Target CIDR block, Port, and Action

  4. Click Save

    imageAddProfilePolicy
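To see how a Base Policy and the attached policies combine, and why the Important note above (a user with no profile has full access) matters, here is an added example in Python. It is not Aviatrix code and does not reproduce the gateway's actual enforcement; it assumes first-matching-policy-wins semantics with the Base Policy as the fallback (an assumption, since the page does not state the ordering), and it models the policy fields from step 3 (Protocol, Target CIDR, Port, Action). The `users_with_full_access` check is the one a defender would run over a user list before rollout.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example: a model of VPN profiles and policies. Names are this
# example's own; first-match ordering is an assumption, not documented behaviour.


@dataclass(frozen=True)
class Policy:
    protocol: str   # "tcp", "udp", "icmp" or "all"
    target: str     # Target CIDR block, e.g. "10.0.1.0/24"
    port: str       # "443", a range "1000-2000", or "all"
    action: str     # "allow" or "deny"

    def matches(self, protocol: str, dest_ip: str, dest_port: Optional[int]) -> bool:
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if ipaddress.ip_address(dest_ip) not in ipaddress.ip_network(self.target, strict=False):
            return False
        if self.port == "all":
            return True
        if dest_port is None:          # e.g. ICMP has no port to match a numeric rule
            return False
        lo, _, hi = self.port.partition("-")
        low, high = int(lo), int(hi) if hi else int(lo)
        return low <= dest_port <= high


@dataclass
class Profile:
    name: str
    base_policy: str            # "allow_all" or "deny_all"
    policies: List[Policy]


def is_allowed(profile: Optional[Profile], protocol: str,
               dest_ip: str, dest_port: Optional[int]) -> bool:
    """Decide whether a connected user's flow is permitted.

    No profile means full access (as the page states). Otherwise the first
    matching policy decides; if none matches, the Base Policy applies
    (assumed ordering).
    """
    if profile is None:
        return True
    for policy in profile.policies:
        if policy.matches(protocol, dest_ip, dest_port):
            return policy.action == "allow"
    return profile.base_policy == "allow_all"


def users_with_full_access(assignments: Dict[str, Optional[Profile]]) -> List[str]:
    """Users who will get unrestricted access: no profile, or an allow_all
    profile with no deny policy attached."""
    wide_open = []
    for user, profile in assignments.items():
        if profile is None:
            wide_open.append(user)
        elif profile.base_policy == "allow_all" and not any(
                p.action == "deny" for p in profile.policies):
            wide_open.append(user)
    return sorted(wide_open)


if __name__ == "__main__":
    # Constructed sample profiles.
    web_only = Profile("web-only", "deny_all", [
        Policy("tcp", "10.0.1.0/24", "443", "allow"),
    ])
    no_ssh = Profile("no-ssh", "allow_all", [
        Policy("tcp", "10.0.0.0/16", "22", "deny"),
    ])
    users = {"alice": web_only, "bob": no_ssh, "carol": None}
    print(is_allowed(web_only, "tcp", "10.0.1.10", 443))   # True
    print(is_allowed(web_only, "tcp", "10.0.1.10", 22))    # False
    print(users_with_full_access(users))                   # ['carol']
```

The `users_with_full_access` list is the practical output: every name on it should either be given a profile with a deny_all base and explicit allow policies, or be consciously accepted as having full access.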

VPN Users

Users can be added manually or synced from an existing LDAP server.

  1. Log in to the Aviatrix Controller

  2. Expand OpenVPN® on the left navigation bar

  3. Select VPN Users

    imageOpenVPNUsers

Create VPN Users

If creating users manually, follow the steps below.

  1. Click + Add New

  2. Select the VPC ID where this user should be attached. The associated load balancer will appear in the LB/Gateway Name

  3. Enter the User Name and User Email

  4. (Optional) If associating this user with an existing profile, check the box next to Profile and select the appropriate Profile Name.

  5. Click OK

    Note

    When a user is added to the database, an email with an .ovpn file (or an .onc file for Chromebooks) and detailed instructions will be sent to the user.

    imageAddNewVPNUser

Conclusion

You now have a working Aviatrix VPN Gateway. Users can connect and gain access to their cloud resources.

Detailed audit logs are maintained and available in various logging platforms.

Note

Audit reports are best viewed in the Aviatrix Splunk Application.

OpenVPN is a registered trademark of OpenVPN Inc.