Aviatrix UserVPN FAQ

Aviatrix’s VPN Client supports SAML authentication from the VPN client itself and SAML redirection. You can use the Aviatrix VPN Client to authenticate against an IDP (for example, Okta and Azure AD). If you do not need to use SAML and want to use a different authentication type, you can use a different VPN client such as Tunnelblick.

Note that this is about the UserVPN configuration file that is installed on end user machines.

Aviatrix’s VPN Client allows you to load and switch between one or more VPN profiles.

Load multiple configurations:

Switch to a different configuration:

If you have multiple VPC/VNets, do not launch a VPN gateway in each VPC/VNet and create VPN users, as that will create multiple .ovpn certificates. Instead, select a design pattern from UserVPN Designs.

An Aviatrix VPN gateway integrates seamlessly with Okta. It can authenticate VPN users to Okta service using Okta’s OpenVPN® plugin in module. OKTA with MFA is also supported.

If you have a global workforce that needs to access the cloud, Geo VPN offers a superior solution. Geo VPN enables a VPN user to connect to the nearest VPC/VNet that hosts an Aviatrix VPN Gateway.

To use Geo VPN, see Creating a Geo VPN Gateway.

After at least one gateway is created, you can add VPN users. See Creating a UserVPN User.

The Aviatrix VPN Client is a GUI-based software and runs on devices with GUI. It supports Windows, MAC, Linux on desktop. The VPN Client can be installed on desktop platforms and is supported on various OS like Windows, Mac, and Linux. See Downloading the Aviatrix VPN Client for more information.

Yes, NAT capability is automatically enabled for VPN gateways. See VPN Gateway Settings.

Yes, both split tunnel and full tunnel modes are supported. You can specify the mode at the gateway launch time.

Full tunnel means all user traffic is carried through the VPN tunnel to the gateway, including Internet bound traffic.

Split tunnel means only traffic destined to the VPC/VNet and any additional network range is carried through the VPN tunnel to the gateway. Any Internet bound traffic does not go through the tunnel.

To enable full tunnel mode, go to the CloudFabric > UserVPN > Default VPN VPN gateways > click the Edit icon next to the gateway. Click on the Split Tunnel setting to turn it off.

In VPN access, a user is dynamically assigned a virtual IP address when connected to a gateway. It is highly desirable to define resource access policies based on the users. For example, you may want to have a policy for all employees, a different policy for partners and a still different policy for contractors. You may even give different policies to different departments and business groups.

The profile-based security policy lets you define security rules to a target address, protocol and ports. The default rule for a profile can be configured as deny all or allow all during profile creation. This capability allows flexible firewall rules based on the users, instead of a source IP address.

The security policy is dynamically pushed to the landing VPN gateway when a VPN user connects. It is only active when a VPN user is connected. When a VPN user disconnects, the security policy is deleted from the VPN gateway.

You can change profile policies any time. However, users who are currently active in the session will not receive the new policy. The user will need to disconnect and reconnect to VPN for the new policy to take effect.

The Aviatrix Controller provides an API which can be invoked to change a user’s profile. Refer to the API documentation under the Help menu.

During this operation, the user’s existing VPN session will be terminated. The new profile policy will take effect when he or she logs in again.

The use case for this feature is to allow an administrator to quarantine a VPN user for security reasons.

Yes. If your enterprise has a Duo account with multi-factor authentication, it can be integrated into the VPN solution. See UserVPN Duo Authentication.

See LDAP Authentication.

Yes. When you create a gateway, under Authentication, select LDAP + Duo as the authentication method.

When PBR is enabled at gateway launch time, all VPN user traffic that arrives at the gateway will be forwarded to a specified IP address defined as the PBR default gateway. You must specify the PBR Subnet, which in AWS must be in the same availability zone as the Ethernet 0 interface of the gateway.

Another use case for Policy-Based Routing is routing all Internet-bound traffic back to your own firewall device on Prem, or logging all UserVPN traffic to a specific logging device.

Yes. The Aviatrix VPN client is the only OpenVPN® based client software that supports SAML authentication from the client software itself. For more information, see UserVPN SAML Authentication.

This setting is disabled by default.

By enabling the client certificate sharing, all VPN users share one .ovpn file. You must have MFA (such as SAML, Duo + LDAP) configured to make VPN access secure.

If the destination is another instance within the cloud provider, then the UserVPN gateway’s private IP address is used to NAT the UserVPN Client’s traffic. But if the destination is outside the cloud provider (the Internet), then the public IP address of the UserVPN Gateway is used.

Open the Aviatrix VPN Client > Settings > click View the log file.