Creating a User VPN Default Gateway
The gateway instance must be launched from a public subnet.
To create a default VPN Gateway instance in AWS, Azure, or GCP in an account with no existing VPN gateways:
- In Aviatrix CoPilot, go to Cloud Fabric > UserVPN. Make sure the Default VPN tab is selected.
- Click + VPN Gateway.
For more information on these gateway settings, see User VPN Gateway Settings.
Setting | Description
---|---
Name | Enter a name for the gateway.
Cloud | Select the cloud in which to launch the gateway instance. For AWS and Azure, the dropdown menu also lets you select the standard, gov, or China cloud.
Account | Select the cloud account in which to launch the gateway. Accounts are onboarded through CoPilot > Cloud Resources > Cloud Accounts.
Region | Select the cloud region in which to launch the gateway.
VPC/VNet | Select the VPC or VNet in which to launch the gateway.
Edit Gateway Name | You can edit an existing VPN gateway to add more instances as needed. To do so, click Edit <Gateway Name>.
Instance Size | Select the size of the gateway instance.
High Performance Encryption | Turn this setting on if this VPN gateway will be used for encrypted peering with another gateway. For more information, see the "About High Performance Encryption" document.
Instances | To add a gateway instance, click + Instance.
Split Tunnel | Turn Split Tunnel on so that only the specified CIDR ranges go through the VPN tunnel. When you turn this setting on, new fields appear below (see Split Tunnel options).
Load Balancer (available for AWS, Azure, and GCP) | To turn on load balancing to help support larger VPN gateways, click on the dropdown menu and select an option. The available options depend on the cloud type you selected:
New UDP Load Balancer options (when you selected New UDP Load Balancer for ELB) |
Max Connections (Per Gateway Instance) | Set the maximum number of active VPN users allowed to connect to this gateway. The default is 100. When you change this number, make sure it is smaller than the number of users the VPN CIDR block can hold: the UserVPN CIDR block allocates 4 IP addresses for each connected VPN user, so a /24 VPN CIDR block supports about 60 users.
Authentication | Click on this dropdown menu and select an authentication option:
Client Certificate Sharing | Turn this setting on to allow VPN users to share .ovpn files. You must have MFA (such as SAML or DUO + LDAP) configured to keep VPN access secure.
Duplicate Connections |
Policy-Based Routing | Policy-Based Routing (PBR) lets you route VPN traffic to a different subnet via that subnet's default gateway. By default, all VPN traffic is NATed and sent out the VPN gateway's eth0 interface. To force VPN traffic out through a subnet other than the VPN gateway's eth0 subnet, specify a PBR Subnet in the VPC and the PBR Default Gateway. If you turn this setting on, new fields appear below (see Policy-Based Routing fields).
**Policy-Based Routing fields** |
Subnet | (Optional) Select a specific subnet to route traffic to.
Default Gateway | (Optional) Select a default gateway to route traffic to.
NAT Translation Logging | Turn this setting on to log the NAT translations performed at the VPN gateway for each connection flowing through it.
**Split Tunnel options** |
Additional CIDR(s) | (Optional) The CIDR of the VPC/VNet where the VPN gateway is deployed is the default CIDR that the VPN gateway pushes to the VPN client; leave this field blank if that is all you need. When Split Tunnel Mode is enabled, Additional CIDRs specifies a list of destination CIDR ranges that will also go through the VPN tunnel. This is useful when VPN users need to reach multiple VPCs/VNets.
Nameserver(s) | (Optional) When Split Tunnel Mode is enabled, you can instruct the VPN gateway to push a list of DNS servers to the client desktop, so that while a VPN user is connected, the client uses these DNS servers to resolve domain names.
Search Domain(s) | (Optional) When Split Tunnel Mode is enabled, Search Domains lets you specify a list of domain suffixes that the client appends, using the configured nameservers, when it resolves a name that is not fully qualified. Windows VPN clients support a maximum of 10 search-domain entries (the OpenVPN service on Windows supports only up to 10).
- Click Create.

Your default VPN gateway has been created. To view the task's progress, go to Monitoring > Notifications and select the Tasks tab.
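The sizing rule in the Max Connections row and the constraints in the Split Tunnel and Client Certificate Sharing rows can be checked before you click Create. The following Python script is an added example written for this page, not code from Aviatrix's documentation or product: the settings dictionary and its key names are constructed for illustration, the 4-addresses-per-user and 10-search-domain limits come from the table above, and the check that an Additional CIDR does not overlap the VPN CIDR is an extra sanity check not stated on the page.

```python
import ipaddress

# Limits stated on the page: the UserVPN CIDR block allocates 4 addresses per
# connected user, and the Windows OpenVPN client honours at most 10 search domains.
IPS_PER_VPN_USER = 4
WINDOWS_MAX_SEARCH_DOMAINS = 10


def vpn_user_capacity(vpn_cidr: str) -> int:
    """Upper bound on concurrent users a VPN CIDR block can address.

    A /24 has 256 addresses, so 64 slots of 4; the page's "about 60" leaves
    room for the gateway's own tunnel addresses.
    """
    net = ipaddress.ip_network(vpn_cidr, strict=True)
    return net.num_addresses // IPS_PER_VPN_USER


def pushed_routes(settings: dict) -> list:
    """CIDRs the gateway pushes to clients (assumed behaviour, per the table):
    with Split Tunnel on, the VPC/VNet CIDR plus any Additional CIDRs;
    with Split Tunnel off, a full tunnel (0.0.0.0/0)."""
    if not settings.get("split_tunnel"):
        return ["0.0.0.0/0"]
    return [settings["vpc_cidr"]] + list(settings.get("additional_cidrs", []))


def validate_user_vpn_settings(settings: dict) -> list:
    """Return human-readable findings; an empty list means the settings are
    consistent with the constraints described in the settings table."""
    findings = []
    vpn_net = ipaddress.ip_network(settings["vpn_cidr"], strict=True)

    # Max Connections must stay below what the VPN CIDR block can address.
    capacity = vpn_user_capacity(settings["vpn_cidr"])
    if settings["max_connections"] >= capacity:
        findings.append(
            f"max_connections={settings['max_connections']} exceeds the "
            f"{capacity}-user capacity of VPN CIDR {settings['vpn_cidr']}"
        )

    if settings.get("split_tunnel"):
        for cidr in settings.get("additional_cidrs", []):
            try:
                route = ipaddress.ip_network(cidr, strict=True)
            except ValueError:
                findings.append(f"additional CIDR {cidr!r} is not a valid network")
                continue
            # Extra check (not on the page): a pushed route overlapping the
            # client address pool would swallow client traffic.
            if route.overlaps(vpn_net):
                findings.append(f"additional CIDR {cidr} overlaps VPN CIDR {settings['vpn_cidr']}")
        for ns in settings.get("nameservers", []):
            try:
                ipaddress.ip_address(ns)
            except ValueError:
                findings.append(f"nameserver {ns!r} is not an IP address")
        domains = settings.get("search_domains", [])
        if len(domains) > WINDOWS_MAX_SEARCH_DOMAINS:
            findings.append(
                f"{len(domains)} search domains configured; Windows clients honour "
                f"at most {WINDOWS_MAX_SEARCH_DOMAINS}"
            )

    # Client Certificate Sharing is only acceptable with MFA in front of it.
    if settings.get("client_certificate_sharing") and not settings.get("mfa"):
        findings.append("client certificate sharing is on but no MFA method is configured")

    return findings


# Constructed sample (hypothetical values, not a real deployment) that trips
# every check: the default Max Connections of 100 is too high for a /24.
SAMPLE_SETTINGS = {
    "vpc_cidr": "10.10.0.0/16",
    "vpn_cidr": "192.168.43.0/24",
    "max_connections": 100,
    "split_tunnel": True,
    "additional_cidrs": ["10.20.0.0/16", "10.30.0.0/16", "300.1.1.0/24"],
    "nameservers": ["10.10.0.2", "dns.internal"],
    "search_domains": [f"team{i}.corp.example" for i in range(11)],
    "client_certificate_sharing": True,
    "mfa": None,
}

# Same constructed deployment after correcting each finding.
GOOD_SETTINGS = {
    "vpc_cidr": "10.10.0.0/16",
    "vpn_cidr": "192.168.43.0/24",
    "max_connections": 50,
    "split_tunnel": True,
    "additional_cidrs": ["10.20.0.0/16"],
    "nameservers": ["10.10.0.2"],
    "search_domains": ["corp.example"],
    "client_certificate_sharing": False,
    "mfa": None,
}

if __name__ == "__main__":
    for finding in validate_user_vpn_settings(SAMPLE_SETTINGS):
        print("FINDING:", finding)
    print("routes pushed to clients:", pushed_routes(GOOD_SETTINGS))
```

Run it against a settings dictionary exported from your own change-control record before submitting the form; the capacity figure is an upper bound, so keep Max Connections comfortably under it rather than at it.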