Configuring Aviatrix User SSL VPN

Aviatrix provides a cloud native and feature rich client VPN solution. The solution is based on OpenVPN® and is compatible with all OpenVPN® clients. In addition, Aviatrix provides its own client that supports SAML authentication directly from the client.



Only AWS is drawn in the diagram, but this feature applies equally to Azure and Google Cloud.

Configuration Workflow


This document assumes you have set up an Aviatrix Controller. Please see this guide for more details.

There are 2 steps to setting up User VPN connectivity:

  1. Create a VPN Gateway
  2. Add a user

You can also watch a video to learn how to setup remote user VPN. The video is not up to date as the product graphics have changed, but the idea remains the same.

Create a VPN Gateway


The description in the steps below provides critical fields to get you started. You can make changes to set up advanced features such as MFA and profile based access later.

  1. Log in to the Aviatrix Controller


  2. Launch a gateway with VPN capability

    1. In the left navigation bar, click Gateway

    2. Click on the + New Gateway button at the top of the page.



      You will need a public subnet in the VPC where the Gateway will be provisioned. Be sure to provision a new one or identify the correct one prior to starting this step.

    3. Select the Cloud Type and enter a Gateway Name.

    4. Once the Account Name is selected, select the appropriate Region and VPC.

    5. After selecting the desired VPC ID, select the Public Subnet where the Gateway will be provisioned.

    6. Select the Gateway Size (t2.micro is sufficient for most test use cases).


    7. Select VPN Access. Leave the Advanced Options unselected.



      Leave the Advanced Options unselected as you can configure it later.

    8. At this stage, you can enable NLB (NLB will be automatically created by Aviatrix.) You can specify the NLB’s name or have it be auto-generated by Aviatrix.

    9. If you wish to create more of such VPN gateways (for example, behind NLBs for load balancing), click Save Template.

    10. Click OK to create the Gateway.


      Once you click OK, the Gateway will be provisioned and all the configuration will be applied. This will take a minute or two.

VPN Users

Users can be added manually or authenticated with an existing LDAP server.

  1. Log in to the Aviatrix Controller

  2. Expand OpenVPN® on the left navigation bar

  3. Select VPN Users


Create VPN Users

  1. Click + Add New


  2. Select the VPC ID where this user should be attached. The associated load balancer will appear in the LB/Gateway Name

  3. Enter the User Name and User Email. If DUO authentication is enabled, the User Name entered must match the user name of your DUO account. The User Email is optional.

  4. Click OK


    When a user is added to the database, an email with an .ovpn file or .onc (for Chromebooks) will be sent to the user with detailed instructions.


Export VPN Users

  1. Click the export icon. imageExportVPNUsers

  2. Check the csv file aviatrix_vpn_users.csv in the Download folder.


    If there has been an aviatrix_vpn_users.csv in the Download folder already, the OS will rename the new file with aviatrix_vpn_users(1).csv automatically.

Import VPN Users

  1. Click the import icon imageImportVPNUsers

  2. Select a csv file to import.


    If you are using a MacOS system, the Apple App Numbers can open and edit the csv file. It can export a new csv file from “File”->”Export To”->”CSV”. If you are using the Excel, you can export a new csv file from “File”->”Save As”.

  3. Click the Open button to start the process.

  4. Select the default VPC ID and LB/Gateway Name from the Default VPN User Settings dialog box.


    Any empty VPC ID field in a csv file will trigger a new dialog box for selecting the default VPC ID. Any record in a csv file with an empty VPC ID will be filled with the values in the Default VPN User Settings dialog box automatically. If all the VPC ID fields are filled in the the original csv file already, the Default VPN User Settings dialog box will not be triggered.


  5. Check the Import Results


Download VPN User Certificate

You can also download the VPN user certificate to your desktop, as shown below. Load this certificate configuration file to your OpenVPN® client on your desktop. You should be able to connect then.


Detach and revoke: will not only detach the user but revoke the user certificate as well. attach: will re-attach detached users and also re-create the user certificate if the user certificate is revoked.


You now have a working Aviatrix VPN Gateway. Users can connect and gain access to their cloud resources.

Detailed audit logs are maintained and available in various logging platforms.


Audit reports are best viewed in the Aviatrix Splunk Application

OpenVPN is a registered trademark of OpenVPN Inc.