AWS VPN from anywhere

Is there a way to have an AWS managed VPN connection if no on-site office exists? Our workers will all be remote and connecting from various homes/coffee-shops, etc.

We want our internal doc websites and ELK stacks, etc. to only be accessible to them once they have activated their VPN connection.

Is there a way to do this the AWS managed route? If not, I am looking at spinning up an EC2 instance with OpenVPN on it… but my team wants to go AWS managed if possible.

Nope, you will have to spin up some kind of instance to add this capability

We used an OpenVPN instance for a long time until we got a DirectConnect link in place. Our OpenVPN instance was running on a t2.micro and never had an issue in 2+ years.

Depending on how much you want to simplify/complicate things (particularly provisioning of accounts), you may do well enough with the community edition. If you want to have better tooling, you can go with OpenVPN-AS.

It is extremely easy to set them up. One thing I’d recommend is to implement an additional TCP listener on port 443, so if your workers are going to be working in potentially restricted locations, they can still reach your servers (no wifi hotspot will block or interfere with 443/tcp).
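The "additional TCP listener on port 443" suggested above is a second OpenVPN server process rather than an option on the first one. Added example, not from the poster: a shared include, the UDP and TCP/443 server configs, and a client profile that falls back to 443/tcp. Certificate file names, the VPC CIDR 10.0.0.0/16 and the hostname vpn.example.com are assumptions; the instance's security group only needs 1194/udp and 443/tcp open.

```conf
# --- /etc/openvpn/server/common.inc : settings shared by both listeners ---
dev tun
topology subnet
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key              # OpenVPN 2.4+; on older builds use: tls-auth ta.key 0
cipher AES-256-GCM
auth SHA256
remote-cert-tls client        # only accept peers whose cert carries the client EKU
push "route 10.0.0.0 255.255.0.0"   # assumed VPC CIDR: send only VPC traffic over the tunnel
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody                  # "nogroup" on Debian/Ubuntu
verb 3

# --- /etc/openvpn/server/udp1194.conf : primary listener ---
config common.inc
port 1194
proto udp
server 10.8.0.0 255.255.255.0

# --- /etc/openvpn/server/tcp443.conf : fallback listener, a second process ---
# Each process needs its own tunnel subnet; start it with:
#   systemctl enable --now openvpn-server@tcp443
config common.inc
port 443
proto tcp-server
server 10.8.1.0 255.255.255.0

# --- client.ovpn : try UDP first, fall back to TCP/443 when UDP is filtered ---
client
dev tun
remote vpn.example.com 1194 udp   # assumed hostname pointing at the instance's Elastic IP
remote vpn.example.com 443 tcp
nobind
remote-cert-tls server            # refuse to talk to anything but a server certificate
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
ca ca.crt
cert client.crt
key client.key
persist-key
persist-tun
verb 3
```

Because every client is reachable only through the tunnel, the VPC security groups on the doc sites and ELK hosts can be restricted to the two tunnel subnets (10.8.0.0/24 and 10.8.1.0/24) instead of the instance's public address.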

We use a product called AppGate SDP to connect our users to multiple VPCs simultaneously. It behaves a lot like a VPN solution on the client side, with a more robust policy framework. AppGate creates multiple mTLS tunnels from a single network interface to software gateways that live in each of your VPCs, which eliminates the need to backhaul user traffic from a single entry point. It can also integrate with most identity providers.

No, VPC VPNs are site-to-site only. You’ll be heading down an EC2 route of some description, but there are nicely set up AMIs in the marketplace.

A lot of people swear by SoftEther. There’s a free AMI in the marketplace. No need for extra client software on most platforms.

Might be worth looking at ZeroTier

As others have already mentioned, you’ll either need a VPN or a Bastion host inside your VPC with an EIP. Another VPN solution that comes highly recommended is Pritunl, but that would ultimately depend on how many users you have (it unfortunately requires a MongoDB database). Pritunl has extended capabilities outside of just running VPN and is built on top of OpenVPN.

Nope. We deployed Checkpoint firewall VPN solution.

Without wanting to hijack the OP … Does AWS VPN require a customer gateway with a static IP address? I’m trying to do more or less the same thing (even though I would keep it site-to-site), but I’m running on a domestic connection that will change its IP every couple of days.

ScaleFT/Okta has a nice product for that (https://www.scaleft.com/product/web-access/) or alternatively Cloudflare Access (Access | Zero Trust Network Access).

You can also launch an EC2 instance with pfSense:

It allows you to create site-to-site and client-to-site OpenVPN tunnels using a web control panel.

This is a pretty common use case.

I’d love to see an AWS native clientless VPN offering.
Basically a managed reverse HTTP proxy with an HTTPS front-end that you sign into with an iam user & 2fa, and then it proxies you to your desired web service inside your VPC.

Let the underlying infrastructure for it be totally AWS-managed like the ELBs, and the users be managed in IAM, and it’s a pretty lightweight solution.

Edit: add the ability to put AWS WAF in front of it, and let it be a referenceable object for Route 53 - and that would be an awesome tool.

OpenVPN is super easy to setup on a small instance.

I don’t think there’s a managed solution.

I set up something like this: How to setup your own private, secure, free* VPN on the Amazon AWS Cloud in 10 minutes by Web Development

Also left out that I also chose SoftEther because of its rolled-in virtual routing function and its ability to hand out DHCP addresses and route tables, which makes life much easier. I’ve set up many types of VPNs and network infrastructure, but SoftEther made it rather painless and quick. I’m a busy guy and didn’t have time to mess around and manage a bunch of components.

Thanks for all the comments. In the end, I followed these instructions and they were easily adaptable to AWS. The only extra thing to do is to install dnsmasq (or similar) and forward the VPC’s dns server so that internal domain names (private hosted zone) can be resolved*.

*Note. It was initially enough for me to set 10.0.0.2 as a dns option (push "dhcp-option DNS 10.0.0.2"). It does work as intended, except for when my home network’s router also served from that ip.
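The footnote above is the usual split-DNS failure: pushing the VPC resolver (10.0.0.2) as the client's DNS breaks whenever a home LAN already lives in 10.0.0.0/24, because the more specific local route wins. Added example, not the OP's configuration: the server pushes its own tunnel address as the resolver, and dnsmasq on the instance forwards only the private hosted zone to 10.0.0.2. The tunnel subnet 10.8.0.0/24, the VPC CIDR 10.0.0.0/16 and the zone name corp.example are assumptions.

```conf
# --- /etc/openvpn/server/udp1194.conf (additions) ---
# Hand clients the VPN server's own tunnel address as resolver, not the VPC's
# 10.0.0.2: a home LAN on 10.0.0.0/24 would otherwise win the route to that IP.
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DOMAIN corp.example"     # assumed private hosted zone name
push "route 10.0.0.0 255.255.0.0"          # assumed VPC CIDR

# --- /etc/dnsmasq.conf on the VPN instance ---
# Answer only on the tunnel interface; the forwarder is never reachable on the EIP,
# so no inbound 53/udp rule is needed in the security group.
interface=tun0
bind-dynamic                               # tun0 appears after boot; bind it when it does
listen-address=10.8.0.1
no-resolv                                  # ignore /etc/resolv.conf, use only the servers below
server=/corp.example/10.0.0.2              # private hosted zone -> VPC resolver (VPC CIDR base + 2)
server=/10.in-addr.arpa/10.0.0.2           # reverse lookups for VPC addresses go there too
server=1.1.1.1                             # everything else to a public resolver of your choice
cache-size=1000
```

Pick the tunnel subnet so it does not collide with common home ranges (10.0.0.0/24, 192.168.0.0/24, 192.168.1.0/24); OpenVPN's default 10.8.0.0/24 rarely does.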

I’ve started building out a managed service to handle this. I really hate having to spin up the instances, and manage user auth separately. If you’re interested in this, sign up and I’ll let you know when it’s ready: http://vpn.backstop.it/

I’ll second OpenVPN…you can spin up via an AMI from the marketplace. We spun up a t2.micro and ran with the free 2-user license for a few weeks. Pretty bulletproof and easy to setup. The licensing is pretty cheap, too.

SoftEther is pretty nice; we use it for a staff of about 50 with no problems. SoftEther is your entry point, and then proper SGs and route tables for your VPCs allow you to establish connectivity for any subnet or VPC.

Thanks for the suggestion. I sort of came to that conclusion myself in the meantime.

Since AWS managed VPN supports IPSEC, I thought of configuring the following up on an EC2 instance, attaching an elastic ip and configuring it as the AWS VPN customer gateway.

Would that work?