Creating a User VPN Default Gateway

The gateway instance must be launched in a public subnet so that VPN clients can reach it from the internet.

To create a default VPN Gateway instance in AWS, Azure, or GCP in an account with no existing VPN gateways:

  1. In Aviatrix CoPilot, go to Cloud Fabric > UserVPN. Make sure the Default VPN tab is selected.

  2. Click + VPN Gateway.

For more information on these gateway settings, see User VPN Gateway Settings.

Setting Description

Name

Enter a name for the gateway.

Cloud

Select the cloud in which to launch the gateway instance. Note that for AWS and Azure, you can click on the dropdown menu to select the standard, gov, or China clouds.

Account

Select the cloud account in which to launch the gateway. These accounts are onboarded through CoPilot > Cloud Resources > Cloud Accounts.

Region

Select the cloud region in which to launch the gateway.

VPC/VNet

Select the VPC or VNet in which to launch the gateway.

Edit Gateway Name

This field only appears if you are adding a default VPN gateway in an account where a default VPN gateway already exists. If you are adding a new gateway and there is an existing gateway, the other fields listed, including Instance Size and High Performance Encryption, are not available.

Instead, you edit the existing VPN gateway to add more instances as needed. To do so, click Edit <Gateway Name>.

Instance Size

Select the size of the gateway instance.

High Performance Encryption

Turn this setting on to use High Performance Encryption if this VPN Gateway will be used for encrypted peering with another gateway.

For more information, see the “About High Performance Encryption” document.

Instances

To add a gateway instance, click + Instance.

Split Tunnel

Turn Split Tunnel on to send only the specified CIDR ranges through the VPN tunnel; all other client traffic, including internet-bound traffic, bypasses the gateway. When Split Tunnel is off, all client traffic is routed through the VPN gateway. When you turn this setting on, new fields appear below.

Load Balancer

(available for AWS, Azure, and GCP)

To turn on load balancing, which spreads VPN connections across multiple gateway instances to support larger deployments, click on the dropdown menu and select an option.

Depending on the cloud type you selected, you can select:

  • ELB (available for AWS, Azure, and GCP) – Use the Cloud Service Provider’s load balancing solution. When this option is enabled, the DNS name of the ELB is the endpoint the VPN client connects to instead of an individual gateway address. This endpoint is written into the .ovpn profile (which embeds the client certificate) that the Controller sends to the VPN client.

  • Existing UDP Load Balancer (available in standard AWS cloud) – Select an existing AWS load balancer that uses the UDP protocol.

  • New UDP Load Balancer (available in standard AWS cloud) – Create a new AWS load balancer that uses the UDP protocol. If you select this option, new fields appear (see below).

  • No Load Balancer – Select this option if you have a smaller deployment with limited traffic and don’t need a load balancer.

VPN gateways are grouped by load balancer. See the UserVPN Gateway Guide document for more information on gateway groupings.

New UDP Load Balancer options

These fields appear when you select New UDP Load Balancer under Load Balancer.

  • Account – Select the Aviatrix cloud account for the new UDP load balancer.

  • Hosted Zone Name – Enter the name of the AWS hosted zone for this load balancer.

  • VPN Service Name – Enter the name of the VPN service you are using.

Max Connections (Per Gateway Instance)

Set the maximum number of active VPN users allowed to be connected to this gateway instance. The default is 100.

When you change this number, make sure it fits within the VPN CIDR block. The UserVPN CIDR Block allocates 4 IP addresses for each connected VPN user, so a /24 VPN CIDR Block (256 addresses) supports only about 60 users. Note that the default of 100 already exceeds what a /24 can address.

Authentication

Click on this dropdown menu and select an authentication option:

  • None (Certificate-Only)

  • DUO

    • When you select this option, a new section, Authentication: Duo appears below. See UserVPN Duo Authentication to find the Integration key, Secret key, and API hostname needed for this authentication method.

  • LDAP

    • When you select this option, a new section, Authentication: LDAP appears below. See UserVPN LDAP Authentication to find the LDAP Server, Bind DN, Password, and other values needed for this authentication method.

  • LDAP + DUO

  • Okta - When you select this option, a new section, Authentication: Okta appears below. See UserVPN Okta Authentication to find the URL, Token, and Username Suffix needed to enter in these fields.

  • SAML - When you select this option, a new section, Authentication: SAML appears below. See UserVPN SAML Authentication to find the

Client Certificate Sharing

Turn this setting on to allow VPN users to share .ovpn files. A shared profile means the client certificate no longer identifies a single user, so you must have MFA (such as SAML, or DUO + LDAP) configured so that possession of the profile alone does not grant VPN access.

Duplicate Connections

  • Turn this setting on to enable users sharing the same common name to connect at the same time to the VPN Gateway.

  • Turn this setting off to make sure a user cannot make a new connection through a different device until they disconnect their existing session.

Users can still land on different VPN Gateways under a load balancer when Duplicate Connections is turned on.

Policy-Based Routing

Policy-Based Routing (PBR) enables you to send VPN traffic out through a different subnet, using that subnet’s default gateway as the next hop.

By default, all VPN traffic is NATed and sent out of the VPN gateway’s eth0 interface. If you want to force the VPN traffic to leave through a subnet other than the VPN gateway’s eth0 subnet, you can specify a PBR Subnet in the VPC and the PBR Default Gateway for that subnet.

If you turn this setting on, new fields appear below.

Policy-Based Routing fields

Subnet

(Optional) Select a specific subnet to route traffic to.

Default Gateway

(Optional) Select a default gateway to route traffic to.

NAT Translation Logging

Turn this setting on to log the NAT translations the VPN gateway performs for each VPN connection flowing through it, so that traffic seen on the network can be traced back to the originating VPN user.

Split Tunnel options

Additional CIDR(s)

(Optional) When Split Tunnel Mode is enabled, the VPC/VNet CIDR where the VPN gateway is deployed is always pushed to the VPN client as the default route through the tunnel. Additional CIDR(s) specifies a list of further destination CIDR ranges that will also go through the VPN tunnel. Leave it blank if the VPC/VNet CIDR is all the user needs.

This field is useful when you have multiple VPCs/VNets that the VPN user needs to access.

Nameserver(s)

(Optional) When Split Tunnel Mode is enabled, you can instruct the VPN gateway to push down a list of DNS servers to the client, so that once a VPN user is connected, the client uses these DNS servers to resolve domain names.

Search Domain(s)

(Optional) When Split Tunnel Mode is enabled, Search Domain(s) lets you specify a list of DNS search domains that the client appends when resolving a name that is not fully qualified, using the Nameserver(s) configured above.

Windows VPN clients support a maximum of 10 search-domain entries (the OpenVPN service supports only up to 10 on the Windows OS).

Click Create.

Your default VPN gateway has been created. To view the task’s progress, go to Monitoring > Notifications > select the Tasks tab.
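Two of the settings above are easy to get wrong in ways CoPilot does not flag for you: Max Connections (Per Gateway Instance) must fit inside the VPN CIDR block (4 addresses per user), and the Split Tunnel fields must hold well-formed CIDRs and no more than 10 search domains for Windows clients. The following is an added example, not Aviatrix code, that checks a set of gateway settings against those rules before you click Create. It assumes the User VPN is OpenVPN-based (clients receive .ovpn profiles) and renders the Split Tunnel settings as standard OpenVPN push directives; the exact lines the gateway emits are not shown on this page, and the sample settings, the `RESERVED_CLIENT_SLOTS` constant, and all function names are assumptions made for illustration.

```python
import ipaddress
from typing import Dict, List

# Added example (not Aviatrix code): sanity-checks the gateway settings described
# on this page before you click Create. The numeric constants restate the page's
# figures; everything else is an assumption made for illustration.
ADDRESSES_PER_CLIENT = 4          # page: the VPN CIDR allocates 4 addresses per connected user
WINDOWS_MAX_SEARCH_DOMAINS = 10   # page: Windows OpenVPN service accepts at most 10 search domains
RESERVED_CLIENT_SLOTS = 1         # assumption: one 4-address block is kept for the gateway's tunnel end


def max_users_for_vpn_cidr(vpn_cidr: str) -> int:
    """Approximate number of concurrent users a VPN CIDR block can address.

    A /24 gives 256 // 4 - 1 = 63, which matches the page's 'about 60'.
    """
    net = ipaddress.ip_network(vpn_cidr, strict=True)
    return net.num_addresses // ADDRESSES_PER_CLIENT - RESERVED_CLIENT_SLOTS


def check_max_connections(max_connections: int, vpn_cidr: str) -> bool:
    """True if Max Connections (Per Gateway Instance) fits inside the VPN CIDR."""
    return 0 < max_connections <= max_users_for_vpn_cidr(vpn_cidr)


def split_tunnel_push_options(vpc_cidr: str, additional_cidrs: List[str],
                              nameservers: List[str], search_domains: List[str],
                              windows_clients: bool = True) -> List[str]:
    """Build the per-client routing/DNS options a split-tunnel gateway pushes.

    Assumption: Aviatrix User VPN hands clients .ovpn profiles, so the settings are
    rendered here as OpenVPN 'push' directives. The page does not show the exact
    lines the gateway emits; this is the standard OpenVPN form of the same settings.
    """
    options = []
    # The VPC/VNet CIDR is always pushed; Additional CIDR(s) extend the list.
    for cidr in [vpc_cidr, *additional_cidrs]:
        net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set, e.g. 10.1.2.3/24
        if net.version != 4:
            raise ValueError(f"only IPv4 CIDRs are supported here: {cidr}")
        options.append(f'push "route {net.network_address} {net.netmask}"')
    for ns in nameservers:
        ipaddress.ip_address(ns)                         # raises ValueError on a malformed address
        options.append(f'push "dhcp-option DNS {ns}"')
    if windows_clients and len(search_domains) > WINDOWS_MAX_SEARCH_DOMAINS:
        raise ValueError(f"{len(search_domains)} search domains exceed the Windows "
                         f"limit of {WINDOWS_MAX_SEARCH_DOMAINS}")
    for domain in search_domains:
        if not domain or any(ch.isspace() for ch in domain):
            raise ValueError(f"invalid search domain: {domain!r}")
        options.append(f'push "dhcp-option DOMAIN {domain}"')
    return options


def validate_gateway_settings(settings: Dict) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    vpn_cidr = settings["vpn_cidr"]
    if not check_max_connections(settings["max_connections"], vpn_cidr):
        problems.append(
            f"Max Connections {settings['max_connections']} exceeds the roughly "
            f"{max_users_for_vpn_cidr(vpn_cidr)} users that {vpn_cidr} can address")
    if settings.get("split_tunnel"):
        try:
            split_tunnel_push_options(settings["vpc_cidr"],
                                      settings.get("additional_cidrs", []),
                                      settings.get("nameservers", []),
                                      settings.get("search_domains", []))
        except ValueError as exc:
            problems.append(f"Split Tunnel: {exc}")
    return problems


# Constructed sample settings, not taken from a real deployment. Max Connections is
# left at the page's default of 100, which a /24 VPN CIDR cannot actually serve.
EXAMPLE_SETTINGS = {
    "vpc_cidr": "10.0.0.0/16",
    "vpn_cidr": "192.168.43.0/24",
    "max_connections": 100,
    "split_tunnel": True,
    "additional_cidrs": ["10.10.0.0/16", "10.20.0.0/16"],
    "nameservers": ["10.10.0.2"],
    "search_domains": ["corp.example", "svc.corp.example"],
}

if __name__ == "__main__":
    for problem in validate_gateway_settings(EXAMPLE_SETTINGS):
        print("PROBLEM:", problem)
    for line in split_tunnel_push_options(EXAMPLE_SETTINGS["vpc_cidr"],
                                          EXAMPLE_SETTINGS["additional_cidrs"],
                                          EXAMPLE_SETTINGS["nameservers"],
                                          EXAMPLE_SETTINGS["search_domains"]):
        print(line)
```

Run as-is, the script reports that the default Max Connections of 100 does not fit in a /24 VPN CIDR and then prints the route and DNS options the client would receive; either lower Max Connections or pick a larger VPN CIDR block before creating the gateway. The `strict=True` argument to `ip_network` is deliberate: a CIDR with host bits set (for example 10.1.2.3/24) is almost always a typo, and rejecting it up front is cheaper than debugging a route the client never gets.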