About VPN Gateway Settings

Your cloud provider account.

Instance Size is the gateway instance size.

When selecting the gateway instance size, use the following guidelines of IPsec performance based on IPERF tests conducted between two gateways of the same size:

High Performance Encryption (HPE) is an Aviatrix technology that enables 10Gbps and higher IPsec performance between two single Aviatrix Gateway instances or between a single Aviatrix Gateway instance and on-prem Aviatrix appliance.

When a gateway instance is launched with High Performance Encryption enabled, the Aviatrix Controller will look for a spare /26 subnet segment to create a new public subnet "-insane" and launch the gateway on this subnet.

The instance sizes that support High Performance Encryption are:

For an overview of Aviatrix High Performance Encryption, see About High-Performance Encryption.

info

Aviatrix Gateways are launched in a public subnet in AWS, GCP, and OCI. A public subnet in AWS VPC is defined as a subnet whose associated route table has a default route entry that points to the Internet gateway (IGW). To learn more about VPC and subnets, refer to this link.

If you do not have a VPC/VCN with public subnet in AWS, GCP, or OCI, you can use our Creating a VPC/VNet using CoPilot tool to create a VPC with fully populated public and private subnets in each AZ.

When a VPN user connects to the VPN gateway, the user will be assigned a virtual IP address from a pool of IP addresses. This pool of IP addresses is defined as the VPN CIDR Block. The default IP address pool is 192.168.43.0/24.

The only reason you would want to change this address pool is if 192.168.43.0/24 overlaps with your desktop or laptop network address range. For example, if you are on a LAN with a network CIDR 10.0.0.0/24, your desktop IP address will never conflict with your VPN virtual IP address. On the other hand, if your desktop is on a LAN with a network CIDR 192.168.20.0/16, your VPN virtual IP address might conflict with your LAN address. In this case, change the VPN CIDR Block to a different address range, for example, 10.10.0.0/24.

Note a /24 VPN CIDR block supports about 64 simultaneous VPN clients. This is because for each connected VPN client, VPN gateways reserves 3 virtual addresses. For larger number of clients per VPN gateway, consider making the VPN CIDR block to a /22 or /20 network.

Maximum number of active VPN users allowed to be connected to this gateway. The default is 100.

When you change this address, make sure the number is smaller than the VPN CIDR block.

The OpenVPN® VPN CIDR Block allocates 4 IP addresses for each connected VPN user; when the VPN CIDR Block is a /24 network, it supports about 60 users.

Split Tunnel Mode is enabled by default. When Split Tunnel mode is enabled, only traffic that is destined to the VPC/VNet CIDR where the VPN gateway is deployed is going into the VPN tunnel when a user is connected to the VPN gateway.

When Split Tunnel Mode is disabled (Full Tunnel Mode), all laptop traffic, including Internet traffic (such as a visit to www.google.com), is going through the VPN tunnel when a user is connected to the VPN gateway.

Disabling Split Tunnel Mode should be a deliberate decision. You will be charged for all Internet traffic as they are considered egress traffic by the Cloud Service Provider (AWS/Azure/GCP/OCI).

This is an optional parameter. The VPC/VNet CIDR where the VPN gateway is deployed is the default CIDR that VPN gateway pushes to the VPN client. Leave it blank if you do not need it.

When Split Tunnel Mode is enabled, the Additional CIDRs specifies a list of destination CIDR ranges that will also go through the VPN tunnel.

This is a useful field when you have multiple VPC/VNets that the VPN user needs to access.

Enter all network ranges in CIDR blocks separated by commas.

This is an optional parameter. Leave it blank if you do not need it.

When Split Tunnel Mode is enabled, you can instruct the VPN gateway to push down a list of DNS servers to your desktop, so that a VPN user is connected, it will use these DNS servers to resolve domain names.

This is an optional parameter. Leave it blank if you do not need it.

When Split Tunnel Mode is enabled, Search Domains let you specify a list of domain names that will use the Nameserver when a specific name is not in the destination.

split here

The "Enable ELB" Load Balancer option is turned on by default.

When ELB is enabled, the domain name of the CSP’s load balancer (ELB/ALB/CLB), will be the connection IP address when a VPN user connects to the VPN gateway. This connection IP address is part of the .ovpn cert file the Controller sends to the VPN client. Even when you delete all VPN gateways, you can re-launch them without having to reissue a new .ovpn cert file. This helps reduce friction to VPN users.

When the ELB option is enabled, you can launch multiple VPN gateways behind ELB, thus achieving a scale out VPN solution.

The ELB Name is generated automatically if it is left blank. If it is left blank and there is already a load balancer in the specified VPC/VNet, the system uses that load balancer’s name.

You can set the ELB name if there is no existing ELB in the specified VPC/VNet.

When the TCP checkbox is marked, the VPN gateway will accept the VPN TCP connection only.

If the UDP checkbox is marked, only the VPN UDP connection is allowed. These options are only available on the AWS.

For all cloud types, the VPN protocol is TCP by default if ELB is enabled. If the ELB is disabled, the VPN protocol is always UDP.

This setting is disabled by default.

By enabling client certificate sharing, all VPN users share one .ovpn file. You must have MFA (such as SAML, LDAP + Duo) configured to make VPN access secure.

This setting controls whether users sharing the same common name can connect at the same time to the VPN Gateway.

If this is disabled, when a user attempts to connect to the gateway through a different device, his existing VPN connection from the current device gets disconnected.

Policy Based Routing enables you to route VPN traffic to a different subnet with its default gateway.

By default, all VPN traffic is NATed and sent to VPN gateway’s eth0 interface. If you want to force the VPN traffic to go out on a different subnet other than VPN gateway eth0 subnet, you can specify a PBR Subnet in the VPC and the PBR Default gateway.

One use case for this feature is Anonymous Internet Surfing.

This feature controls whether the VPN connection uses NAT (Network Address Translation) while the VPN traffic leaves the Aviatrix VPN Gateway.

VPN NAT is enabled by default. If you want to disable it, you can do so from OpenVPN > Edit Config > VPN NAT.

If NAT is disabled, the traffic would appear to originate from the virtual IP of the VPN user rather than the VPN Gateway itself. Note that you would need to open up the security groups of the target instance to the VPN CIDR for the traffic to flow through. Any peering connection to this VPN gateway would additionally require traffic for the VPN CIDR to be forwarded to the gateway as well.

If you have multiple gateways under the load balancer, you would also need to ensure that the VPN CIDR of the gateways do not overlap, so that the traffic can be routed back to the respective gateway.

SNAT/DNAT Settings

The Use VPC/VNet DNS Server feature enables you to set the default DNS server for the Aviatrix gateway.

When this feature is On, it removes the default DNS server for the Aviatrix Gateway and instructs the gateway to use the VPC or VNet DNS server configured in VPC or VNet DHCP option.

When this feature is Off, the Aviatrix Gateway will revert to use its built-in (default) DNS server.

For more information, see Using VPC/VNet DNS Server.

Jumbo Frame improves Aviatrix Gateway throughput performance.

The GRO/GSO feature enables you to configure the gateway interface and enable or disable Generic Receive Offload (GRO) and Generic Segmentation Offload (GSO).

GRO/GSO is On by default to improve performance. You can set this feature to Off to minimize out of order packets for sensitive applications (like FTP), but there will be a performance throughput penalty.

The Gateway Single AZ HA feature enables the Aviatrix Controller to monitor the health of the gateway instance and restart the gateway instance if it becomes unreachable. Gateway Single AZ HA is enabled by default.

Using Gateway Single AZ HA, you can select the gateway instance to restart.

When Gateway Single AZ HA status is On, the Aviatrix Controller attempts to restart the gateway instance. When status is Off, Controller does not attempt to restart the gateway instance.

Using the Change Interface(s) RX Queue Size, you can select a gateway and set the gateway’s interface(s) RX Queue Size.