Aviatrix OpenVPN® FAQs

How do I launch a VPN gateway?

Click Gateway -> + New Gateway

The controller launches an Aviatrix gateway instance in AWS/Azure/GCloud. The gateway instance must be launched from a public subnet. You need to give it a name in the Gateway Name field; this name becomes part of the instance name, with the prefix CloudOps.

In the Create page, select VPN Access to enable OpenVPN® server capability. There is a default VPN CIDR “”, but you can change it; make sure the CIDR is outside the existing and future VPC CIDR ranges. The VPN server assigns each user a virtual IP address from this VPN CIDR when she connects.

You can select Save Template to save the gateway template. The next time you come to the page, most of the fields are prepopulated. You may change any of the fields.

How can I avoid managing multiple VPN user certs?

If you have multiple VPCs, launching a VPN gateway in each VPC and creating VPN users on each one is not the correct way to manage access. It forces your developers to carry multiple .ovpn certs and learn which one to use when connecting to each VPC. Leverage VPC to VPC connectivity to build a scalable solution.

How do I scale out the VPN solution?

You can launch multiple VPN gateways in the same VPC at the Create Gateway time.

While launching a gateway, select yes for “Enable AWS ELB”. This will automatically create an AWS ELB (for the first gateway) and register the gateway with the newly created load balancer. VPN traffic will be load balanced across these multiple gateways.

Gateway configuration must be consistent when ELB is enabled. For example, authentication methods, tunnel modes and PBR configurations should be identical.

How do I set up Okta authentication for VPN?

The Aviatrix VPN gateway integrates seamlessly with Okta. It can authenticate VPN users to the Okta service using Okta's OpenVPN® plugin module. Follow the link: How to setup Okta for Aviatrix VPN gateway

How do I enable Geo VPN?

If you have a global workforce that needs to access the cloud, Geo VPN offers a superior solution. Geo VPN enables a VPN user to connect to the nearest VPC that hosts an Aviatrix VPN gateway.

To enable Geo VPN, go to OpenVPN® -> GEO VPN.

Also check out this link for help.

How do I add a VPN user?

After at least one gateway is created, you can add VPN users.

Click OpenVPN® -> VPN Users -> +Add New.

When a user is added, an email is sent to the user with instructions on how to download client software and connect to VPN server.

If you would like to assign user profile based policies, you need to create profiles first; see the next section.

Which user devices does the VPN client software support?

Windows, Mac, Linux, Chromebook, Android and iOS devices are supported.

Is NAT capability supported on the gateway?

Yes, you can enable the NAT function at gateway launch time. When enabled, instances on the private subnet can access the Internet directly.

If full tunnel mode is selected, you may want to enable NAT to allow instances in the VPC to have direct Internet access.

Is full tunnel mode supported on the gateway?

Yes, both split tunnel and full tunnel modes are supported. You can specify the mode at the gateway launch time.

Full tunnel means all user traffic is carried through the VPN tunnel to the gateway, including Internet bound traffic.

Split tunnel means only traffic destined to the VPC and any additional network range is carried through the VPN tunnel to the gateway. Any Internet bound traffic does not go through the tunnel.

Can the maximum number of simultaneous connections to VPN gateway be configured?

Yes, you can set the maximum number of connections at the gateway launch time.

What is user profile based security policy?

In VPN access, a user is dynamically assigned a virtual IP address when connected to a gateway. It is highly desirable to define resource access policies based on the users. For example, you may want to have a policy for all employees, a different policy for partners and a still different policy for contractors. You may even give different policies to different departments and business groups.

The profile based security policy lets you define security rules for a target address, protocol and ports. The default rule for a profile can be configured as deny all or allow all during profile creation. This capability allows flexible firewall rules based on the users, instead of a source IP address.
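The following added example (not Aviatrix code) models how a profile with a base policy and per-target rules can be evaluated per user rather than per source IP. The first-match-wins ordering, the profile names, users and CIDRs are assumptions made for illustration; the page does not state how the gateway orders rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    target: str                       # destination CIDR
    protocol: str                     # "tcp", "udp", "icmp" or "all"
    ports: Optional[Tuple[int, int]]  # inclusive range, None = any port

@dataclass(frozen=True)
class Profile:
    base: str                         # "deny_all" or "allow_all"
    rules: Tuple[Rule, ...] = ()

def decide(profile, dest_ip, protocol, port):
    """Assumed semantics: first matching rule wins, else the base policy."""
    ip = ipaddress.ip_address(dest_ip)
    for r in profile.rules:
        in_target = ip in ipaddress.ip_network(r.target)
        proto_ok = r.protocol in ("all", protocol)
        port_ok = r.ports is None or r.ports[0] <= port <= r.ports[1]
        if in_target and proto_ok and port_ok:
            return r.action
    return "allow" if profile.base == "allow_all" else "deny"

# Constructed sample data: profile names, users and CIDRs are hypothetical.
PROFILES = {
    "employees": Profile("allow_all",
                         (Rule("deny", "10.10.9.0/24", "all", None),)),
    "contractors": Profile("deny_all",
                           (Rule("allow", "10.10.1.0/24", "tcp", (443, 443)),
                            Rule("allow", "10.10.1.20/32", "tcp", (22, 22)))),
}
USER_PROFILE = {"alice": "employees", "bob": "contractors"}

def session_decision(user, virtual_ip, dest_ip, protocol, port):
    """virtual_ip is accepted but never consulted: the lookup key is the user."""
    return decide(PROFILES[USER_PROFILE[user]], dest_ip, protocol, port)

if __name__ == "__main__":
    # bob reconnects and receives a different virtual IP; the verdict is unchanged.
    for vip in ("192.168.43.6", "192.168.43.10"):
        print("bob", vip, session_decision("bob", vip, "10.10.1.20", "tcp", 22))
    print("bob", session_decision("bob", "192.168.43.6", "10.10.9.5", "tcp", 443))
    print("alice", session_decision("alice", "192.168.43.14", "10.10.9.5", "tcp", 443))
```
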

How do I set up profile based security policies?

When a user connects to a VPC, the security policies associated with the user's assigned profile are applied to the VPN gateway instance that the user logs in to. This effectively blocks traffic from entering the network.

Click OpenVPN® -> Profiles -> +New Profile to create profiles, then click Edit Policies to add rules. You can add multiple rules, then click Save.

How do I assign a user to a profile?

When you create a VPN user at OpenVPN® -> VPN Users -> +Add New, you can select the profile option to assign the user to a specific profile.

You can also attach the user to a profile at a later time. Go to OpenVPN® -> Profiles. Click Attach User on a specific Profile and select a user that is added to the VPN gateway.

What if I want to change profile policies?

You can change profile policies at any time. However, users who are currently in an active session will not receive the new policy. The user needs to disconnect and reconnect to the VPN for the new policy to take effect.

How do I change a user’s profile programmatically?

The controller provides a REST API which can be invoked to change a user’s profile. Refer to the API document under the Help menu.

During this operation, the user’s existing VPN session will be terminated. The new profile policy will take effect when he or she logs in again.

The use case for this feature is to allow an administrator to quarantine a VPN user for security reasons.

Is DUO multi-factor authentication supported?

Yes. If your enterprise has a DUO account with multi-factor authentication, it can be integrated into the VPN solution. From the Gateways tab, click Create. In the two-step authentication drop-down menu, select DUO, then enter your company Integration Key, Secret Key and API hostname.

To obtain the Integration Key, Secret Key and API hostname, log in to the DUO website as an admin, click Applications on the left panel, then click Protect an Application below. Scroll down the application list and select OpenVPN® (click Protect this Application); the next screen should reveal the credentials you need to configure on the Aviatrix controller.

For additional help, follow this instruction.

Currently, advanced features such as Trusted Device and Trusted Networks are not supported. Send us a request if you would like to integrate these features.

How do I configure LDAP authentication?

See details here.

Can I combine LDAP and DUO authentication?

Yes. With both LDAP and DUO authentication methods enabled on a gateway, when launching the VPN client, a remote user will have to enter his or her LDAP user credentials and then approve the authentication request received on a registered mobile device to log in to the VPN.

Is OKTA supported?

Yes. OKTA with MFA is also supported. Follow the instructions.

How does Policy Based Routing (PBR) work?

When PBR is enabled at gateway launch time, all VPN user traffic that arrives at the gateway will be forwarded to a specified IP address defined as the PBR default gateway. The user must specify the PBR Subnet, which in AWS must be in the same availability zone as the Ethernet 0 interface of the gateway.

When the PBR feature is combined with encrypted peering capability, a VPN user should be able to access any instances in the peered VPC/VNets. This helps build an end to end cloud networking environment. For details, check out our reference design.

Another use case for Policy Based Routing: if you would like to route all Internet bound traffic back to your own on-prem firewall device, or log all user VPN traffic to a specific logging device, PBR lets you accomplish that.

What are the monitoring capabilities?

Active VPN users are displayed on the Dashboard. Click on any username to display that user's VPN connectivity history.

You can also disconnect a user from the dashboard.

When should I use the Aviatrix VPN client?

Aviatrix's VPN Client supports SAML authentication from the VPN client itself. If you need the VPN client itself to authenticate against an IDP (for example, Okta or Duo), you will need to use the Aviatrix VPN client.

The Aviatrix VPN gateway can authenticate against OKTA on behalf of a VPN user. In that case, you don’t need the Aviatrix VPN client; any OpenVPN® client software, such as Tunnelblick, can be supported.

Are multiple profiles supported by the Aviatrix VPN client?

Aviatrix's VPN Client allows you to load and switch between one or more VPN profiles.

Load multiple configurations:

  1. Open the client
  2. Click on the Advanced button
  3. Select the Profile tab
  4. Click Add button
  5. Enter a name for the new profile
  6. Select the configuration file

Switch to a different configuration:

  1. Open the client
  2. Click Connect button. A drop down will appear.
  3. Select the profile from the list

What is "Client Certificate Sharing"?

Enabling this feature allows the same user to be logged in from more than one location at a time. If this option is disabled and a user logs in from a second location, the first location will be disconnected automatically.

How do I fix "Aviatrix VPN times out too quickly"?

  • How do I change the Renegotiation interval?
  1. Login to your Aviatrix Controller
  2. Expand OpenVPN navigation menu and select Edit Config
  3. Select the VPC/VNet (or DNS Name) and the Gateway
  4. Scroll to the Modify VPN Configuration section
  5. Set the Name drop down to Renegotiation interval
  6. Change the Status to Enabled
  7. Set the Value (seconds) to the desired timeout value
  8. Click OK



We have a known issue "Aviatrix VPN times out too quickly", but it is fixed in the releases after UCC 3.2. If you are using a VPN gateway which was created before release UCC 3.2 and would like to solve this issue, please first follow the above steps for "Renegotiation interval" and then disable it as below:

  1. Set the Name drop down to Renegotiation interval
  2. Change the Status to Disabled
  3. Click OK

  • How do I change the idle timeout?
  1. Login to your Aviatrix Controller
  2. Expand OpenVPN navigation menu and select Edit Config
  3. Select the VPC/VNet (or DNS Name) and the Gateway
  4. Scroll to the Modify VPN Configuration section
  5. Set the Name drop down to Idle timeout
  6. Change the Status to Enabled
  7. Set the Value (seconds) to the desired timeout value
  8. Click OK



We have a known issue "Aviatrix VPN times out too quickly", but it is fixed in the releases after UCC 3.2. If you are using a VPN gateway which was created before release UCC 3.2 and would like to solve this issue, please first follow the above steps for "idle timeout" and then disable it as below:

  1. Set the Name drop down to Idle timeout
  2. Change the Status to Disabled
  3. Click OK

Where do I find the log for the Aviatrix Client?

  1. Open the Aviatrix VPN Client
  2. Click on the Advanced button
  3. Click on the Advanced tab
  4. Click on the View button next to the View the log file label


Why can't my VPN client access a newly created VPC?

If you are using Split Tunnel mode, it is very likely that the new VPC CIDR is not part of CIDR ranges that Aviatrix VPN gateway pushes down to the client when the VPN client connects. To fix it, follow these steps:

  1. At the main navigation menu, go to OpenVPN® -> Edit Config
  2. Scroll down to MODIFY SPLIT TUNNEL, select yes to Split Tunnel Mode.
  3. At Additional CIDRs, enter the list of CIDR blocks including the new VPC CIDR that you wish the VPN client to access.
  4. When complete, click Modify for the configuration to take effect.
  5. Disconnect the VPN client and connect again. The new CIDR should take effect.
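As an added example (not part of the original FAQ or Aviatrix tooling), this check compares the split-tunnel CIDR list pushed to clients against the VPCs users need to reach and reports any VPC that the list does not cover. It also models the split versus full tunnel routing decision described earlier. All CIDRs and function names below are constructed for illustration.

```python
import ipaddress

def collapse(cidrs):
    """Parse CIDR strings and merge adjacent or overlapping blocks."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))

def uses_tunnel(dest_ip, mode, pushed_cidrs):
    """True if traffic to dest_ip is carried through the VPN tunnel."""
    if mode == "full":
        return True  # full tunnel: all traffic, Internet bound included
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in net for net in collapse(pushed_cidrs))

def unreachable_vpcs(vpc_cidrs, pushed_cidrs):
    """VPC CIDRs that are not fully covered by the split-tunnel list."""
    routes = collapse(pushed_cidrs)
    missing = []
    for cidr in vpc_cidrs:
        vpc = ipaddress.ip_network(cidr)
        if not any(vpc.subnet_of(route) for route in routes):
            missing.append(cidr)
    return missing

# Constructed sample: the gateway VPC CIDR plus the Additional CIDRs field.
# The two /17 entries together cover 10.20.0.0/16 once collapsed.
PUSHED = ["10.10.0.0/16", "10.20.0.0/17", "10.20.128.0/17"]
# Constructed sample: VPCs users must reach; 10.30.0.0/16 is newly created.
VPCS = ["10.10.0.0/16", "10.20.0.0/16", "10.30.0.0/16"]

if __name__ == "__main__":
    print("not covered:", unreachable_vpcs(VPCS, PUSHED))
    print("after fix:  ", unreachable_vpcs(VPCS, PUSHED + ["10.30.0.0/16"]))
    print("split, new VPC host:", uses_tunnel("10.30.1.5", "split", PUSHED))
    print("full, Internet host:", uses_tunnel("203.0.113.10", "full", PUSHED))
```
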

How do I turn off NAT with the OpenVPN® gateway?

The Aviatrix OpenVPN® gateway performs the NAT function for user VPN traffic, effectively masking the VPN client's virtual IP address that the gateway assigned from the VPN CIDR block. This does not affect profile based policy enforcement, because the landing VPN gateway knows the virtual IP address before NAT is performed and enforces policies based on user identification.

If you do want to preserve the virtual IP address after the client packet leaves the gateway, you can do so by enabling the PBR function.

OpenVPN® is a registered trademark of OpenVPN Inc.
