Just recently rolled out Pritunl w/ Google SSO & Duo Push auth. It’s pretty sweet.
Another thumbs up for Pritunl. We run it in our AWS account and route all AWS traffic through it. Even in the office engineers need to be connected to access these resources. The Mongo piece is trivial IMO and not a drawback. It’s exceptionally easy to manage at the level of use Pritunl uses it.
You need to create a new customer gateway if your IP changes, and there will obviously be an interruption in connectivity, but it does work.
I was thinking along other lines.
I wanted to do some fancy Packer footwork that results in a VPN AMI and some client and server configs (server configs get pushed to the instance via Terraform as the instance spins up)
What size instance do you use for 50 staff, and how many VPCs are you routing to?
No… that would try to create a tunnel from that instance to the vpc it lives in. You don’t want a LAN-to-LAN tunnel, you want a user VPN. Forget about the VPC VPN, that just adds cost and won’t help you.
The most common would be an SSL VPN. There is a QuickStart for an Aviatrix SSL VPN here: Quick Start decommissioned—Amazon Web Services (AWS), or you can build your own with FOSS products like OpenVPN, but that is more work for you to configure.
Think of this EC2 instance as a VPN appliance running in your VPC. No AWS VPN customer gateway configuration is required because you aren’t connecting other VPCs to it (yet?). You just need an EC2 instance running some VPN headend software (several have been suggested in this thread) with an EIP so your clients have a predictable IP address to attach to.
To keep things simple, run it in the same VPC that you want your VPN clients to connect to (e.g. no VPC peering). When configuring the VPN server/headend software running on this instance, it’s going to want to know what IP address to assign to the clients. Pick some range *outside* of the VPC CIDR (e.g. if your VPC is 10.0.0.0/16, pick 192.168.0.0/24), and then add a route to all of the route tables in that VPC directing traffic for that subnet to the ENI of your EC2 instance. Be sure to disable ‘source/dest check’ in the networking config of your VPN instance or this will not work.
For greatest availability you’ll want to run instances of the VPN ‘appliance’ in separate availability zones. Assign separate client IP address pools to each and set the VPC route tables to forward each pool CIDR to the appropriate instance. Load up a DNS entry with the IPs of these devices and let the clients figure out which to connect to (there are more advanced options here, particularly if it’s an SSL VPN, but this is generally reasonable).
Good luck!
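The per-AZ headend layout described in the comment above, written out as Terraform. This is an added example and not code from the thread, Pritunl or any vendor; the VPC ID, subnet IDs, AMI ID, hosted zone and DNS name are placeholders, the VPC CIDR is assumed to be 10.0.0.0/16 so the two client pools (192.168.0.0/24 and 192.168.1.0/24) sit outside it, and the VPN port is assumed to be UDP 1194 (OpenVPN's default; change it to whatever the headend software you pick actually listens on). The client pool itself is still configured inside the headend software; this only builds the AWS side.

```hcl
# Added example (not from the thread). One VPN headend per AZ, each with its own
# client pool, an EIP, and source/dest check disabled, plus a return route for
# every pool in every route table of the VPC, and one DNS name listing all EIPs.

variable "vpc_id" {
  default = "vpc-PLACEHOLDER"          # assumed VPC, CIDR 10.0.0.0/16
}

variable "vpn_port" {
  default = 1194                       # assumed: OpenVPN default, UDP
}

# One entry per AZ. Each client_pool must be outside the VPC CIDR and must not
# overlap another pool, otherwise the route-table entries below would conflict.
variable "headends" {
  type = map(object({ subnet_id = string, client_pool = string }))
  default = {
    "a" = { subnet_id = "subnet-PLACEHOLDER-A", client_pool = "192.168.0.0/24" }
    "b" = { subnet_id = "subnet-PLACEHOLDER-B", client_pool = "192.168.1.0/24" }
  }
}

# Every route table in the VPC, so the return path to each pool exists everywhere.
data "aws_route_tables" "all" {
  vpc_id = var.vpc_id
}

# Only the VPN port is reachable from the Internet; SSH stays inside the VPC.
resource "aws_security_group" "vpn" {
  name   = "vpn-headend"
  vpc_id = var.vpc_id

  ingress {
    from_port   = var.vpn_port
    to_port     = var.vpn_port
    protocol    = "udp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "vpn" {
  for_each               = var.headends
  ami                    = "ami-PLACEHOLDER"   # e.g. a Packer-built VPN AMI
  instance_type          = "t3.small"          # assumed size
  subnet_id              = each.value.subnet_id
  vpc_security_group_ids = [aws_security_group.vpn.id]

  # Required: the instance forwards packets not addressed to itself.
  source_dest_check = false

  tags = { Name = "vpn-headend-${each.key}" }
}

# A predictable public IP per headend for clients to attach to.
resource "aws_eip" "vpn" {
  for_each = aws_instance.vpn
  instance = each.value.id
  domain   = "vpc"
}

# Cartesian product of route tables x headends: each table gets one route per pool.
locals {
  pool_routes = {
    for pair in setproduct(data.aws_route_tables.all.ids, keys(var.headends)) :
    "${pair[0]}-${pair[1]}" => { route_table_id = pair[0], headend = pair[1] }
  }
}

resource "aws_route" "client_pool" {
  for_each               = local.pool_routes
  route_table_id         = each.value.route_table_id
  destination_cidr_block = var.headends[each.value.headend].client_pool
  network_interface_id   = aws_instance.vpn[each.value.headend].primary_network_interface_id
}

# Single DNS name with every headend's EIP; clients pick one.
resource "aws_route53_record" "vpn" {
  zone_id = "ZONE-PLACEHOLDER"
  name    = "vpn.example.com"
  type    = "A"
  ttl     = 60
  records = [for e in aws_eip.vpn : e.public_ip]
}
```

Adding a third AZ is one more entry in `headends` with its own pool; the route and EIP resources fan out from that map. A short TTL on the record keeps a failed headend out of rotation quickly once you remove it, which is the main thing the plain round-robin approach gives up compared with a health-checked record.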
I just wish AWS either offered a managed MongoDB service or Pritunl added DynamoDB support. I know Mongo has Atlas, but it’s another instance we have to install agents on and monitor for threats. I know the Mongo instance wouldn’t need too much work, but it’s just something I don’t want to worry about.
Makes sense if you’re down to manage it yourself, and tie in auth. Hit me up if you get tired of that, or don’t get around to it!
It’s pretty simple to just install it on the same instance and run a mongodump on it nightly to S3. You don’t need to configure a ReplicaSet or anything.
Cool, thanks. Is that 50 staff at once?