Aviatrix provides a cloud-native user VPN solution:
- no backhaul to the on-prem DC
- connects users directly to public cloud resources
- lowest latency when accessing cloud resources
- multi-cloud repeatability
- Identity Provider integration

Architecture
I recommend creating dedicated VPC(s) for the VPN GWs. The VPCs holding the VPN GWs connect to the transit through spoke gateways. The overall AVX FireNet architecture is discussed here:
http://rtrentinsworld.com/2022/05/28/deploying-an-aviatrix-firenet-on-gcp-with-pans/
Once a VPN gateway is created, the controller automatically launches a cloud-native load balancer and creates the target groups that attach the Aviatrix VPN gateways to the LB.
The domain name of the cloud provider's load balancer is the endpoint the VPN client connects to when a user connects to the VPN gateway.
If a gateway fails, users are disconnected and automatically reconnected to another gateway behind the load balancer; no action is needed by the user.
The failover time is between 10 and 15 seconds.
Configuration
I start the configuration by creating a dedicated VPC for the VPN Gateways:

Then deploy spoke GWs:

Attach the spoke gateways to the transit:

Once the infrastructure is ready we can move on to deploying the VPN GWs:

Profiles
Each VPN user can be assigned to a profile, which is defined by access privileges to networks, hosts, protocols and ports. The access control is enforced dynamically when a VPN user connects to the public cloud via an Aviatrix VPN Gateway:

Once a profile is created, security policies can be added to it to make it granular:

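As an added illustration (my own code, not Aviatrix's and not from this post), the following Python models how a profile's base rule and its policies combine to decide one user's access, and flags policies that can never match because an earlier one already covers them, a useful check before attaching users. The first-match-wins ordering and the sample profile are assumptions of the model, not documented Aviatrix behaviour.

```python
import ipaddress

def _ports(spec):
    # "" or "all" means any port; "8000-8100" is an inclusive range.
    if spec in ("", "all"):
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def _covers(p, proto, net, lo, hi):
    # True if policy p's proto/target/port space contains the given one.
    plo, phi = _ports(p["port"])
    return (p["proto"] in ("all", proto)
            and net.subnet_of(ipaddress.ip_network(p["target"], strict=False))
            and plo <= lo and hi <= phi)

def evaluate(profile, proto, dst_ip, port):
    # Assumed model (not from the page): policies are checked top-down,
    # first match wins, and the base rule decides unmatched traffic.
    net = ipaddress.ip_network(dst_ip)  # a host address becomes a /32
    for p in profile["policies"]:
        if _covers(p, proto, net, port, port):
            return p["action"]
    return "allow" if profile["base_rule"] == "allow_all" else "deny"

def shadowed_policies(profile):
    # Indexes of policies that can never match because an earlier policy
    # already covers their whole proto/port/target space.
    out = []
    for j, later in enumerate(profile["policies"]):
        lo, hi = _ports(later["port"])
        net = ipaddress.ip_network(later["target"], strict=False)
        if any(_covers(e, later["proto"], net, lo, hi) for e in profile["policies"][:j]):
            out.append(j)
    return out

# Constructed sample: a least-privilege profile for an app team. The third
# policy is fully covered by the first, so it never matches.
APP_TEAM = {
    "name": "app-team",
    "base_rule": "deny_all",
    "policies": [
        {"action": "allow", "proto": "tcp", "port": "443", "target": "10.10.0.0/24"},
        {"action": "allow", "proto": "icmp", "port": "", "target": "10.10.0.0/16"},
        {"action": "allow", "proto": "tcp", "port": "443", "target": "10.10.0.10/32"},
    ],
}

if __name__ == "__main__":
    print(evaluate(APP_TEAM, "tcp", "10.10.0.5", 443), shadowed_policies(APP_TEAM))
```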
Create VPN Users
I’m going to create a new local user called Shade and attach it to the profile that allows access to all networks:

Once the user is created, we can test it.
Testing
From OpenVPN -> VPN Users I download the user file that I’ll use to configure the VPN client:

OpenVPN Client
Once the client is installed, I import the profile downloaded from my controller:

Once I click “connect” I’m connected to my GCP deployment:

Aviatrix VPN Client
Aviatrix provides its own client that supports SAML authentication directly from the client. Download the client for your OS here.
Once the client is installed, I import the profile downloaded from my controller:

Once I click “connect” I’m connected to my GCP deployment:

The AVX icon changes from orange to green when connected:

Split Tunnel
Split Tunnel Mode is enabled by default. When it is enabled, only traffic destined to the VPC/VNet CIDR where the VPN gateway is deployed goes into the VPN tunnel while a user is connected to the VPN gateway (the 172.21.40/23 entry below).

When Split Tunnel Mode is enabled, Additional CIDRs specifies a list of destination CIDR ranges that will also be sent through the VPN tunnel.

The VPN client installs a static route pointing to each Additional CIDR configured:

By default the user VPN gateway NATs the clients’ connections; this can be disabled under OPENVPN -> Edit Config -> VPN Nat:
When VPN NAT is disabled, the client’s IP from the VPN CIDR is visible throughout the network.
Troubleshooting
Client addresses are allocated from the VPN CIDR (configurable under the Gateway):

VPN activity can be monitored from CoPilot:

AppIQ can be used to troubleshoot issues such as blocking security/firewall rules:

User VPN Performance Guide for Deployment
Number of Clients per Gateway = VPN Gateway Throughput / Throughput per Client