Aviatrix Cloud Native User VPN Solution for the Rescue

Aviatrix provides a cloud-native user VPN solution:

  • It does not backhaul to an on-prem DC
  • Connects users to public cloud resources
  • Least latency when accessing cloud resources
  • Multi-cloud repeatability
  • Identity Provider integration

Architecture

I recommend creating dedicated VPC(s) for the VPN GWs. The VPCs holding the VPN GWs connect to the transit through spoke gateways. The overall AVX FireNet architecture is discussed here:

http://rtrentinsworld.com/2022/05/28/deploying-an-aviatrix-firenet-on-gcp-with-pans/

Once a VPN gateway is created, the controller automatically launches a cloud-native load balancer and creates the target groups that attach the Aviatrix VPN gateways to the LB.

The domain name of the cloud provider's load balancer is the endpoint a VPN user connects to when reaching the VPN gateway.

If a gateway fails, users are disconnected and reconnected to another gateway behind the load balancer. This happens automatically, and no action is needed by the user.

The failover time is between 10 and 15 seconds.

Configuration

I start the configuration creating a dedicated VPC for VPN Gateways:

Then deploy spoke GWs:

Attach the spoke gateways to the transit:

Once the infra is ready we can move to deploy VPN GWs:

Profiles

Each VPN user can be assigned to a profile that is defined by access privileges to network, host, protocol and ports. The access control is dynamically enforced when a VPN user connects to the public cloud via an Aviatrix VPN Gateway:

Once a profile is created, security policies can be added to it to make it granular:

Create VPN Users

I’m going to create a new local user called Shade and attach it to the profile allowing access to all networks:

Once the user is created, we can test it.

Testing

From OpenVPN -> VPN Users I download the user file I'll use to configure the VPN client.

OpenVPN Client

Once the client was installed I imported the profile downloaded from my controller:

Once I click "connect" I'm connected to my GCP deployment:

Aviatrix VPN Client

Aviatrix provides its own client that supports SAML authentication directly from the client. Download the client for your OS here.

Once the client was installed I imported the profile downloaded from my controller:

Once I click "connect" I'm connected to my GCP deployment:

The AVX icon changes from orange to green when connected:

Split Tunnel

Split Tunnel Mode is enabled by default. When Split Tunnel Mode is enabled, only traffic destined to the VPC/VNet CIDR where the VPN gateway is deployed goes into the VPN tunnel while a user is connected to the VPN gateway (the 172.21.40/23 entry below).

When Split Tunnel Mode is enabled, the Additional CIDRs field specifies a list of destination CIDR ranges that will also go through the VPN tunnel.

The VPN client creates a static route pointing to the Additional CIDR configured:

By default the user VPN gateway NATs the clients' connections, but that can be disabled under OPENVPN -> Edit Config -> VPN NAT:


When VPN NAT is disabled, the client's IP from the VPN CIDR is visible across the network, so firewall rules on the destination side must allow the VPN CIDR rather than just the gateway address.
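To reason about which packets a client will send into the tunnel and what source address the destination will see, here is a small added model of the split tunnel and VPN NAT behaviour described above. It is example code, not part of the post or of Aviatrix; the VPC CIDR matches the 172.21.40/23 entry, while the additional CIDR, VPN CIDR and gateway address are constructed values.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed values for this example (only the VPC CIDR comes from the post).
VPC_CIDR = "172.21.40.0/23"          # VPC where the VPN gateway lives
ADDITIONAL_CIDRS = ["10.10.0.0/16"]  # hypothetical "Additional CIDRs" entry
GATEWAY_PRIVATE_IP = "172.21.40.5"   # hypothetical VPN gateway address


def tunnel_routes(vpc_cidr: str, additional_cidrs: Iterable[str],
                  split_tunnel: bool = True) -> List[ipaddress.IPv4Network]:
    """Destinations the client routes into the tunnel.

    Split tunnel on: only the VPC CIDR plus the Additional CIDRs.
    Split tunnel off: a default route sends everything through the VPN.
    """
    if not split_tunnel:
        return [ipaddress.ip_network("0.0.0.0/0")]
    nets = [ipaddress.ip_network(vpc_cidr)]
    nets += [ipaddress.ip_network(c) for c in additional_cidrs]
    return nets


def via_tunnel(dst: str, routes: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if the destination matches any route installed for the tunnel."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in routes)


def observed_source(client_vpn_ip: str, gateway_ip: str, vpn_nat: bool) -> str:
    """Source address the destination host sees for tunnelled traffic.

    VPN NAT on (default): traffic is SNATed to the gateway, so destination
    firewall rules only need the gateway address. VPN NAT off: the client's
    VPN CIDR address is visible end to end and must be allowed (and routable).
    """
    return gateway_ip if vpn_nat else client_vpn_ip


def classify(dst: str, client_vpn_ip: str, vpn_nat: bool = True,
             split_tunnel: bool = True) -> Optional[str]:
    """Source IP the destination sees, or None if the packet bypasses the VPN."""
    routes = tunnel_routes(VPC_CIDR, ADDITIONAL_CIDRS, split_tunnel)
    if not via_tunnel(dst, routes):
        return None
    return observed_source(client_vpn_ip, GATEWAY_PRIVATE_IP, vpn_nat)


if __name__ == "__main__":
    for dst in ("172.21.41.10", "10.10.5.5", "8.8.8.8"):
        print(dst, "->", classify(dst, "192.168.43.6"))
```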

Troubleshooting

Client addresses are allocated from the VPN CIDR (configurable under the Gateway):

VPN Activity can be monitored from CoPilot:

AppIQ can be used to troubleshoot issues like security firewall rules:

User VPN Performance Guide for Deployment

Number of Clients per Gateway = VPN Gateway Throughput/Throughput per client

https://docs.aviatrix.com/HowTos/openvpn_design_considerations.html#simultaneous-clients-on-a-given-vpn-gateway

References

https://docs.aviatrix.com/#openvpn
