Creating a UserVPN Default Gateway

The gateway instance must be launched from a public subnet.

To create a default VPN Gateway instance in AWS, Azure, or GCP in an account with no existing VPN gateways:

  1. In Aviatrix CoPilot, go to Cloud Fabric > UserVPN. Make sure the Default VPN tab is selected.

  2. Click + VPN Gateway.

    For more information on these gateway settings, see UserVPN Gateway Settings.

    Setting / Description

    Name

    Enter a name for the gateway.

    Cloud

    Select the cloud in which to launch the gateway instance. Note that for AWS and Azure, you can click on the dropdown menu to select the standard, gov, or China clouds.

    Account

    Select the cloud account in which to launch the gateway. These accounts are onboarded through CoPilot > Cloud Resources > Cloud Accounts.

    Region

    Select the cloud region in which to launch the gateway.

    VPC/VNet

    Select the VPC or VNet in which to launch the gateway.

    Edit Gateway Name

    This field only appears if you are adding a default VPN gateway in an account where a default VPN gateway already exists. When an existing gateway is present, the other fields listed below, including Instance Size and High Performance Encryption, are not available.

    Instead, you can edit the existing VPN gateway to add more instances as needed. To do so, click Edit <Gateway Name>.

    Instance Size

    Select the size of the gateway instance.

    High Performance Encryption

    For more information, see the “About High Performance Encryption” document.

    Turn this setting on to use High Performance Encryption if this VPN Gateway will be used for encrypted peering with another gateway.

    Instances

    To add a gateway instance, click + Instance.

    • Attach to Subnet

    • Public IP

    • VPN CIDR

    Split Tunnel

    Turn Split Tunnel on to ensure only the specified CIDR ranges go through the VPN tunnel. When you turn this setting on, new fields appear below.

    Load Balancer

    (available for AWS, Azure, and GCP)

    Load balancing helps support larger VPN deployments. To turn it on, click the dropdown menu and select a load balancer option; select Do not use Load Balancer if you do not need one.

    If you decide you want to use a Load Balancer, depending on the cloud type you selected, you can select:

    • ELB (available for AWS, Azure, and GCP) – Use the Cloud Service Provider’s load balancing solution. When this option is enabled, the domain name of the ELB is the connection address a VPN user connects to instead of a gateway instance IP. This connection address is part of the .ovpn file the Controller sends to the VPN client.

    • Existing UDP Load Balancer (available in standard AWS cloud) – Select an existing AWS load balancer that uses the UDP protocol.

    • New UDP Load Balancer (available in standard AWS cloud) – Create a new AWS load balancer that uses the UDP protocol. If you select this option, new fields appear (see below).

    • No Load Balancer – Select this option if you have a smaller deployment with limited traffic and don’t need a load balancer.

    VPN gateways are grouped by load balancer. See the UserVPN Gateway Guide document for more information on gateway groupings.

    ELB Name

    (when you select ELB Load Balancer)

    Enter the (optional) ELB name.

    Select the VPN Protocol (TCP or UDP).

    New UDP Load Balancer options

    (when you select New UDP Load Balancer)

    • Account – Select the Aviatrix cloud account for the new UDP load balancer.

    • Hosted Zone Name – Enter the name of the AWS hosted zone for this load balancer.

    • VPN Service Name – Enter the name of the VPN service you are using.

    UDP Load Balancer

    (when you select Existing UDP Load Balancer)

    Select the name of the existing UDP Load Balancer.

    Max Connections (Per Gateway Instance)

    Set the maximum number of active VPN users allowed to be connected to this gateway. The default is 100.

    When you change this number, make sure it is smaller than the number of users the VPN CIDR block can support. The UserVPN CIDR Block allocates 4 IP addresses for each connected VPN user; when the VPN CIDR Block is a /24 network, it supports about 60 users.

    Authentication

    Click on this dropdown menu and select an authentication option:

    • None (Certificate-Only)

    • Duo: When you select this option, a new section, Authentication: Duo appears below. See the "UserVPN Duo Authentication" document to find the Integration key, Secret key, and API hostname needed for this authentication method.

    • LDAP: When you select this option, a new section, Authentication: LDAP appears below. See the "UserVPN LDAP Authentication" document to find the LDAP Server, Bind DN, Password, and other values needed for this authentication method.

    • LDAP + Duo: When you select this option, Authentication: Duo and Authentication: LDAP sections appear below. See the "UserVPN Duo Authentication" and "UserVPN LDAP Authentication" documents to find the Integration key, LDAP Server, or other information to enter in these sections.

    • Okta: When you select this option, a new section, Authentication: Okta appears below. See the "UserVPN Okta Authentication" document to find the URL, Token, and Username Suffix needed to enter in these fields.

    • SAML

    Client Certificate Sharing

    Turn this setting on to allow VPN users to share .ovpn files. Because a shared .ovpn file no longer identifies a single user, you must have MFA (such as SAML or LDAP + Duo) configured to keep VPN access secure.

    Duplicate Connections

    • Turn this setting on to enable users sharing the same common name to connect at the same time to the VPN Gateway.

    • Turn this setting off to make sure a user cannot make a new connection through a different device until they disconnect their existing session.

    Users can still land on different VPN Gateways under a load balancer when Duplicate Connections is turned on.

    Policy-Based Routing

    Policy-Based Routing (PBR) enables you to send VPN traffic out through a different subnet and that subnet’s default gateway.

    By default, all VPN traffic is NATed and sent out of the VPN gateway’s eth0 interface. If you want to force the VPN traffic to leave through a subnet other than the VPN gateway’s eth0 subnet, specify a PBR Subnet in the VPC and the PBR Default Gateway for that subnet.

    If you turn this setting on, new fields appear below.

    Policy-Based Routing options

    Subnet

    (Optional) Select a specific subnet to route traffic to.

    Default Gateway

    (Optional) Select a default gateway to route traffic to.

    NAT Translation Logging

    Turn this setting on to log, at the VPN gateway, the NAT translation of each VPN connection whose traffic flows through the gateway.

    Split Tunnel options

    Additional CIDR(s)

    (Optional) The VPC/VNet CIDR where the VPN gateway is deployed is the default CIDR that VPN gateway pushes to the VPN client. Leave it blank if you do not need it.

    When Split Tunnel Mode is enabled, the Additional CIDRs specifies a list of destination CIDR ranges that will also go through the VPN tunnel.

    This is a useful field when you have multiple VPC/VNets that the VPN user needs to access.

    Nameserver(s)

    (Optional) When Split Tunnel Mode is enabled, you can instruct the VPN gateway to push a list of DNS servers to the VPN client, so that once a VPN user is connected, the client uses these DNS servers to resolve domain names.

    Search Domain(s)

    (Optional) When Split Tunnel Mode is enabled, Search Domains lets you specify a list of domain names that the client appends when a name to be resolved does not include a domain, so that those lookups are sent to the specified Nameserver(s).

    Windows VPN clients support a maximum of 10 search-domain entries (the OpenVPN service supports only up to 10 on the Windows OS).

  3. Click Create.

Your default VPN gateway has been created. To view the task’s progress, go to Monitoring > Notifications > select the Tasks tab.
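The settings above carry several constraints a practitioner will want to check before clicking Create: Max Connections must be smaller than what the VPN CIDR can serve (4 addresses per user), Client Certificate Sharing needs MFA, and Windows clients accept at most 10 search domains. The following validator is an added example written for this page, not Aviatrix code; the settings dictionary layout and the set of options treated as MFA are assumptions.

```python
import ipaddress

# Constraints this page states for a default UserVPN gateway.
IPS_PER_VPN_USER = 4             # the VPN CIDR allocates 4 addresses per connected user
DEFAULT_MAX_CONNECTIONS = 100    # CoPilot default for Max Connections
WINDOWS_MAX_SEARCH_DOMAINS = 10  # OpenVPN on Windows accepts at most 10 search domains
# Assumption: these Authentication options count as MFA; "None (Certificate-Only)" and plain LDAP do not.
MFA_AUTH_OPTIONS = {"SAML", "Duo", "LDAP + Duo", "Okta"}

def _network(cidr):
    """Parse a CIDR strictly (host bits must be zero); None if malformed."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return None

def vpn_cidr_capacity(vpn_cidr):
    """Approximate number of concurrent users a VPN CIDR can serve (a /24 gives 64)."""
    return ipaddress.ip_network(vpn_cidr, strict=True).num_addresses // IPS_PER_VPN_USER

def check_gateway_settings(settings):
    """Return human-readable findings for a planned gateway; an empty list means no issue."""
    findings = []
    max_conn = settings.get("max_connections", DEFAULT_MAX_CONNECTIONS)
    for inst in settings.get("instances", []):
        net = _network(inst["vpn_cidr"])
        if net is None:
            findings.append(f"{inst['name']}: VPN CIDR {inst['vpn_cidr']!r} is not a valid prefix")
            continue
        cap = net.num_addresses // IPS_PER_VPN_USER
        if max_conn >= cap:
            findings.append(f"{inst['name']}: Max Connections {max_conn} is not smaller than "
                            f"the ~{cap} users {inst['vpn_cidr']} can serve")
    if settings.get("client_cert_sharing") and settings.get("authentication") not in MFA_AUTH_OPTIONS:
        findings.append("Client Certificate Sharing is on without an MFA authentication option")
    if settings.get("split_tunnel"):
        bad = [c for c in settings.get("additional_cidrs", []) if _network(c) is None]
        if bad:
            findings.append(f"malformed Additional CIDR(s): {bad}")
        n = len(settings.get("search_domains", []))
        if n > WINDOWS_MAX_SEARCH_DOMAINS:
            findings.append(f"{n} search domains exceed the Windows client limit of {WINDOWS_MAX_SEARCH_DOMAINS}")
    return findings

# Constructed sample settings, not taken from any real deployment.
SAMPLE = {
    "instances": [{"name": "vpn-gw-1", "vpn_cidr": "192.168.43.0/24"}],
    "max_connections": 100, "client_cert_sharing": True, "authentication": "LDAP",
    "split_tunnel": True, "additional_cidrs": ["10.0.0.0/16"], "search_domains": ["corp.example"],
}
```

Running `check_gateway_settings(SAMPLE)` reports two findings: the default Max Connections of 100 exceeds the 64 users a /24 VPN CIDR can serve, and certificate sharing is enabled with plain LDAP.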