Configuring Aviatrix User SSL VPN

Aviatrix provides a cloud-native and feature-rich client VPN solution. The solution is based on OpenVPN® and is compatible with all OpenVPN® clients. In addition, Aviatrix provides its own client that supports SAML authentication directly from the client.

image0

Only AWS is drawn in the diagram, but this feature applies equally to Azure and Google Cloud.

Configuration Workflow

This document assumes you have set up an Aviatrix Controller. See this guide for more details.

There are two steps to setting up User VPN connectivity: creating a VPN gateway and adding VPN users.

Creating a VPN Gateway

The steps below cover the essential fields to get you started. You can set up advanced features such as MFA and profile-based access later.

  1. Log in to the Aviatrix Controller.

    AVTXSignIn
  2. Launch a gateway with VPN capability.

    • In the left sidebar, click Gateway.

    • Click + New Gateway at the top of the page.

      imageSelectGateway

You need a subnet (a public subnet in AWS or GCP) in the VPC/VNet where the Gateway will be provisioned. Be sure to provision a new one or identify the correct one prior to starting this step.

  1. Select the Cloud Type and enter a Gateway Name.

  2. Once the Account Name is selected, select the appropriate Region and VPC or VNet.

  3. After selecting the desired VPC ID/VNet Name:Resource Group, select the Public Subnet where the Gateway will be provisioned.

  4. Select the Gateway Size (t2.micro is sufficient for most test use cases).

    imageCreateGateway
  5. Select VPN Access. Leave the Advanced Options unselected; you can configure them later.

    imageSelectVPNAccess


  6. At this stage, you can enable NLB (the NLB will be created automatically by Aviatrix). You can specify the NLB's name or have it auto-generated by Aviatrix.

  7. If you wish to create more such VPN gateways (for example, behind NLBs for load balancing), click Save Template.

  8. Click OK to create the Gateway.

    Once you click OK, the Gateway will be provisioned and all the configuration will be applied. This will take a minute or two.

VPN Users

Users can be added manually or authenticated with an existing LDAP server.

  1. Log in to the Aviatrix Controller.

  2. Select OpenVPN® on the left sidebar.

  3. Select VPN Users.

    imageOpenVPNUsers

Creating VPN Users

  1. Click + Add New.

    image::vpn-user.png[vpnuser]

  2. Select the VPC ID where this user should be attached. The associated load balancer will appear in the LB/Gateway Name.

  3. Enter the User Name and User Email. If DUO authentication is enabled, the User Name entered must match the user name of your DUO account. The User Email is optional.

  4. Click OK.

    When a user is added to the database, an email with an .ovpn file or .onc (for Chromebooks) will be sent to the user with detailed instructions.

    imageAddNewVPNUser
Exporting VPN Users

  1. Click the export icon. image::export-vpn-users.png[imageExportVPNUsers]

  2. Check the csv file aviatrix_vpn_users.csv in the Download folder.

    If aviatrix_vpn_users.csv already exists in the Download folder, the OS will automatically name the new file aviatrix_vpn_users(1).csv.

Importing VPN Users

  1. Click the import icon. image::import-vpn-users.png[imageImportVPNUsers]

  2. Select a csv file to import.

    If you are using a macOS system, the Apple app "Numbers" can open and edit the csv file and can export a new csv file from File > Export To > CSV. If you are using Excel, you can export a new csv file from File > Save As.

  3. Click Open to start the process.

  4. Select the default VPC ID and LB/Gateway Name in Default VPN User Settings.

    Any empty VPC ID field in the csv file will trigger a popup window for selecting the default VPC ID. Any record in the csv file with an empty VPC ID will be filled automatically with the values in Default VPN User Settings. If all the VPC ID fields are already filled in the original csv file, Default VPN User Settings will not appear.

    imageImportVPNUsersDefaultVPCID

  5. Check the Import Results.

    imageImportVPNUsersResults
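Before importing a hand-edited csv file, it is worth checking it the same way the controller will treat it: records with an empty VPC ID get the Default VPN User Settings, and every remaining record should name a user only once and point at a VPC you actually intend to grant VPN access to. The following Python script is an added example, not Aviatrix code; the column names (user_name, user_email, vpc_id, lb_name) and the sample rows are assumptions, so replace the header with the one from a freshly exported aviatrix_vpn_users.csv before using it.

```python
"""Pre-import check for an Aviatrix VPN user csv file.

Added example, not Aviatrix code. The column names below are assumed;
copy the header row from a real aviatrix_vpn_users.csv export.
"""
import csv
import io

# Assumed column names (hypothetical; adapt to the real export header).
COL_USER = "user_name"
COL_EMAIL = "user_email"
COL_VPC = "vpc_id"
COL_LB = "lb_name"

# Constructed sample standing in for aviatrix_vpn_users.csv:
# bob has no VPC ID, alice appears twice, dave points at an unexpected VPC.
SAMPLE_CSV = """user_name,user_email,vpc_id,lb_name
alice,alice@example.com,vpc-0a1b2c3d,vpn-nlb-prod
bob,,,
carol,carol@example.com,vpc-0a1b2c3d,vpn-nlb-prod
alice,alice2@example.com,vpc-0a1b2c3d,vpn-nlb-prod
dave,dave@example.com,vpc-deadbeef,vpn-nlb-test
"""


def load_records(text):
    """Parse csv text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def apply_defaults(records, default_vpc, default_lb):
    """Mirror the controller's Default VPN User Settings: a record with an
    empty VPC ID gets the default VPC ID and LB/Gateway Name.
    Returns (filled_records, number_of_records_filled)."""
    filled, count = [], 0
    for rec in records:
        rec = dict(rec)
        if not (rec.get(COL_VPC) or "").strip():
            rec[COL_VPC] = default_vpc
            rec[COL_LB] = default_lb
            count += 1
        filled.append(rec)
    return filled, count


def find_problems(records, allowed_vpcs):
    """Return a list of (csv_line_number, message) for records that should
    not be imported as-is. Line numbers start at 2 (line 1 is the header)."""
    problems, seen = [], set()
    for line, rec in enumerate(records, start=2):
        name = (rec.get(COL_USER) or "").strip()
        vpc = (rec.get(COL_VPC) or "").strip()
        if not name:
            problems.append((line, "missing user name"))
        elif name in seen:
            problems.append((line, f"duplicate user name {name!r}"))
        else:
            seen.add(name)
        if not vpc:
            problems.append((line, "empty VPC ID and no default supplied"))
        elif vpc not in allowed_vpcs:
            problems.append((line, f"VPC ID {vpc!r} is not in the allowed set"))
    return problems


def check_csv(text, default_vpc, default_lb, allowed_vpcs):
    """Apply defaults, then validate. Returns (records, filled_count, problems)."""
    records, filled = apply_defaults(load_records(text), default_vpc, default_lb)
    return records, filled, find_problems(records, allowed_vpcs)


if __name__ == "__main__":
    recs, n, probs = check_csv(SAMPLE_CSV, "vpc-0a1b2c3d", "vpn-nlb-prod",
                               {"vpc-0a1b2c3d"})
    print(f"{n} record(s) received the default VPC ID / LB name")
    for line, msg in probs:
        print(f"line {line}: {msg}")
```

Run it against the real export with the VPC IDs you expect in the allowed set; an empty problem list means the file will import without the default-VPC popup and without silently creating a second certificate for an already listed user name.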

Downloading the VPN User Certificate

You can also download the VPN user certificate to your desktop, as shown below. Load this certificate configuration file into the OpenVPN® client on your desktop; you should then be able to connect.

New_User

Detach and revoke: detaches the user and also revokes the user certificate.

Attach: re-attaches a detached user and also re-creates the user certificate if it has been revoked.

Conclusion

You now have a working Aviatrix VPN Gateway. Users can connect and gain access to their cloud resources.

Detailed audit logs are maintained and available in various logging platforms.

OpenVPN is a registered trademark of OpenVPN Inc.