This solution provides how to deploy a network topology to filter OpenVPN user traffic by fully qualified domain name (FQDN).
Before configuring this solution, users need to make sure the following prerequisites are completed.
Pre Configuration Check List
- Deploy the Aviatrix Controller
- Create AWS VPC with two public subnets in a same AZ for Aviatrix OpenVPN gateway and Aviatrix Egress gateway.
These prerequisites are explained in detail below.
The Aviatrix Controller must be deployed and setup prior to deploy Aviatrix Gateways. Please refer to "Aviatrix Controller Getting Started Guide for AWS" on how to deploy the Aviatrix Controller.
Aviatrix Controller Getting Started Guide
Check and make sure you can access the Aviatrix Controller dashboard and login with an administrator account. The default URL for the Aviatrix Controller is:
https://<public ip of Aviatrix Controller>
2.1.b Create AWS VPC with two public subnets in a same AZ for Aviatrix OpenVPN gateway and Aviatrix Egress gateway. -----------------------------------------
- Create 1 VPC with CIDR such as 10.1.0.0/16
- In the VPC, create 2 public subnets in a same Availability Zone such as 10.1.0.0/24 and 10.1.1.0/24. The public subnet means that it must be associated with a route table whose default route 0.0.0.0 points to IGW.
- In the VPC, create multiple private subnets if needed.
Make sure the pre-configuration steps in the previous section are completed before proceeding.
The instructions in this section will use the following architecture. The CIDR and subnets may vary depending on your VPC setup; however, the general principals will be the same.
2.2.a Deploy Aviatrix Egress Gateway ------------------------------
The first step is to deploy Aviatrix Egress Gateway in the Public Subnet2 10.1.1.0/24
Instructions:
a.1. Login to the Aviatrix Controller Console
a.2. Create Aviatrix Egress Gateway in Public Subnet2 of VPC
a.3. Click on Gateway -> "New Gateway"
Setting | Value |
---|---|
Cloud Type | Choose AWS |
Gateway Name | This name is arbitrary (e.g. egress-gw) |
Account Name | Choose the account name |
Region | Choose the region of VPC |
VPC ID | Choose the VPC ID of VPC |
Public Subnet | Select a public subnet where the gateway will be deployed (e.g. 10.1.1.0/24) |
Gateway Size | t2.micro is fine for testing |
Enable SNAT | Check this box (IMPORTANT) |
VPN Access | Uncheck this box |
Designated Gateway | Uncheck this box |
Allocate New EIP | Check this box |
Save Template | Uncheck this box |
a.4. Click “OK”. It will take a few minutes for the gateway to deploy. Do not proceed until the gateway is deployed.
a.5. Refer Aviatrix FQDN documents to set up Egress Filter rules and enable Egress Control function
Egress FQDN FAQ Egress Control Filter Egress FQDN Discovery Egress FQDN View Log
Note
For HA topology, please refer Aviatrix Single AZ HA
2.2.b Deploy Aviatrix OpenVPN Gateway ------------------------------
The second step is to deploy Aviatrix OpenVPN Gateway in the Public Subnet1 10.1.0.0/24
Instructions:
b.1. Create Aviatrix VPN Gateway in Public Subnet1 of VPC (note that OpenVPN Gateway is in a different subnet of Egress Gateway but both are in the same AZ)
b.2. Click on Gateway -> "New Gateway"
Setting | Value |
---|---|
|
Choose AWS |
|
This name is arbitrary (e.g. openvpn-gw) |
|
Choose the account name |
|
Choose the region of VPC |
|
Choose the VPC ID of VPC |
|
Select the public subnet where the OpenVPN gateway will be deployed (e.g. 10.1.0.0/24) |
|
t2.micro is fine for testing. |
|
Uncheck this box (IMPORTANT) |
|
Uncheck this box |
|
Check this box |
|
Check this box |
|
Check this box |
|
Uncheck this box |
|
|
|
Optional (Disable is fine for testing) |
|
100 is fine for testing |
|
No (IMPORTANT) |
|
|
|
Leave blank is fine for testing |
|
No |
|
Check this box |
|
|
|
Select the private IP of Aviatrix Egress Gateway (e.g. 10.1.1.185) |
|
Uncheck this box |
|
|
|
Uncheck this box |
b.3. Click “OK”. It will take a few minutes for the gateway to deploy. Do not proceed until the gateway is deployed.
Note
- This solution needs the function "Full Tunnel Mode" be enabled on Aviatrix OpenVPN Gateway.
- For Aviatrix OpenVPN GW scalability topology, any new Aviatrix OpenVPN gateways need to be added in the same AZ.
- PBR function and other OpenVPN functions can be modified on the page "OpenVPN® -> Edit Config" after Aviatrix OpenVPN GW is launced. Aviatrix OpenVPN® FAQs
This step explains how to create a OpenVPN® user.
Instructions:
c.1. From the Aviatrix Controller Console
c.2. Click OpenVPN® -> VPN Users
c.3. Click button "+Add New"
Setting | Value |
---|---|
|
|
|
Choose the ELB in VPC |
|
|
|
|
|
|
c.4. Click button "OK"
c.5. Check your email to receive an ovpn file
c.6. Done
This step proofs how this solution works.
Instructions:
- Set up a whitelist rule with Domain Name "*.google.com", Protocol "tcp", and Port "443" in Egress FQDN Filter
- Enable Egress filter function on Aviatrix Egress gateway
- Enable an OpenVPN® client tool
- Establish an OpenVPN® connection with the ovpn file which has received in email
- Confirm that the access to www.google.com via port 443/80 works properly
5.1. Issue CLI #wget www.google.com on your host machine where you established the OpenVPN session
5.2. It should access www.google.com and download the index.html to your host machine
- Confirm that the access to www.yahoo.com via port 443/80 does not work
6.1. Issue CLI #wget www.yahoo.com on your host machine where you established the OpenVPN session
6.2. It should not able to access www.yahoo.com
OpenVPN is a registered trademark of OpenVPN Inc.