Which VPN solution to go with?

Hi everyone, I’m looking for a VPN solution for our infrastructure. We have multiple AWS accounts (5) and the resources in every one are pretty much the same, utilizing a lot of AWS services, and one of those is also RDS. I want to have secure access to our database without me whitelisting devs’ IP addresses etc. We will also be aiming for security certificates like SOC2, so I was looking at some options. I can see OpenVPN is popular, but not sure if that is the case for me too. So we have multi-AWS accounts, all of them have their own VPC but they are all in the same region so far (there is a plan to have one in a different region). How would I set this up?

AWS has its own VPN endpoint solution and a client. It supports SAML auth, so it can integrate with your IdP and give RBAC access to different subnets. Transit gateway for hub and spoke of all VPCs from multiple accounts into one account where the VPN endpoint is. Used for many years in our org with 100+ users. Works well: simple, stable and zero maintenance.

Twingate is a great tool for that.

AWS Client VPN, Tailscale, Firezone, and Pritunl are all reasonable options. Teleport for similar access but different functionality.

Pritunl has worked well.

Consider SSM instead of VPN.

The benefit is that no resource is in a public subnet and you rely on AWS to handle that routing.

WireGuard is very easy to set up. You could use transit gateway or VPC peering to route traffic from where WireGuard is hosted. There is plenty of documentation online.

Tailscale is awesome

Tailscale is easy to set up and secure. It uses your existing Identity Provider (Google Workspace, Microsoft 365, etc) for auth.

Tailscale’s Subnet Router solution gives devs secure access to RDS DBs on private subnets.

Have you looked at setting up transit gateway to connect all the accounts?

Just out of curiosity, how come no one recommended OpenVPN? I thought they were big in the VPN market.

We recently started to use Pritunl for 7+ accounts in one AWS org. It is nice and all, dirt cheap and based on OpenVPN, easy to set up, but beware that it can get really tricky if you go with VPC peering for hub and spoke. Its Terraform provider is not even close to being useful apart from initial setup.
If I could go back in time I would definitely give a shot to something more managed like Tailscale.

Potentially big problem with the AWS Client VPN is that the Linux support is only technically there, but it’s not maintained anymore. They don’t support anything other than Ubuntu and still haven’t added support for anything newer than 20.04 that is EoL in about 1 year (and the current build doesn’t work on 22.04 or other newer distros due to dependencies). Asked support about it and apparently there’s no plan on maintaining this unless enough customers complain.

As others have said, no support for Linux. At my company we were looking for a solution and originally went with AWS VPN endpoint. When half our workers couldn’t connect on Linux or Mac we gave it up.
We moved to an OpenVPN AMI instance with our own license. Have had no issues since.

Twingate takes less than 10 minutes to set up and is rock solid. I’ve been using it for 2 years. It’s also super easy to manage entirely in Terraform, and to integrate with SSO and SCIM provisioning.

It is not really a VPN

Some folks recommended AWS Client VPN, which uses the OpenVPN protocol. I.e. you can use the OpenVPN client with the AWS endpoint.

So I am a big fan of OpenVPN. It is relatively easy to set up. I use certificate-based auth combined with Duo for MFA, which is relatively cheap if that is all you use it for.

You obviously just need a hub and spoke setup, which can be accomplished in a couple of ways. You probably have your accounts under one org; a new one for transit usually makes sense, or even just VPC peering.

I really don’t like AWS’ VPN solution. They dropped the ball there. Partially because I don’t think they really want anyone to use it.

Tons of commercial software out there, from Cisco to Palo Alto to just about everything. For compliance, if you want a VPN you may have your hand forced to something like this.

That said, you may not need a VPN at all. Do you really want the client to be connected to your entire network? Or just a handful of resources? If the latter, such as a dev connecting to a database, use SSM and port forwarding. This will use AWS access control. And it can be scripted so all a dev has to run is “connect-database.py/ps1/whatever”. That is by far the safest and easiest to sell to an auditor.
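Added example, written for this thread and not code from any poster: the kind of `connect-database.py` wrapper the comment above describes. It resolves an SSM-managed bastion instance by tag, then opens a local port that the AWS CLI's Session Manager plugin forwards through that instance to the RDS endpoint, so the developer's laptop never needs a security-group entry and every session is an IAM-authorized `ssm:StartSession` call that lands in CloudTrail. The tag `Role=db-bastion`, the profile name, the RDS hostname and the account id are assumed placeholders; the SSM document name `AWS-StartPortForwardingSessionToRemoteHost` and the IAM actions are real. The bastion must run a recent SSM Agent with an instance profile that allows Session Manager, and must be allowed by the RDS security group.

```python
"""connect-database.py (example): RDS access via SSM port forwarding, no VPN.

Assumptions (placeholders): a bastion tagged Role=db-bastion in the same VPC
as the database, an AWS CLI profile per account, and the Session Manager
plugin installed next to the AWS CLI.
"""
import json
import shlex
import subprocess
import sys

# AWS-managed document that forwards a local port to a host reachable from the instance.
SSM_PORT_FORWARD_DOC = "AWS-StartPortForwardingSessionToRemoteHost"


def valid_ports(db_port: int, local_port: int) -> bool:
    """Remote port must be a real TCP port; local port stays unprivileged."""
    return 1 <= db_port <= 65535 and 1024 <= local_port <= 65535


def session_parameters(db_host: str, db_port: int, local_port: int) -> dict:
    """Build the --parameters payload; the document expects string lists."""
    if not valid_ports(db_port, local_port):
        raise ValueError("port out of range")
    return {
        "host": [db_host],
        "portNumber": [str(db_port)],
        "localPortNumber": [str(local_port)],
    }


def describe_bastion_argv(profile: str, region: str, role_tag: str) -> list:
    """argv that lists running instance ids carrying the bastion tag."""
    return [
        "aws", "ec2", "describe-instances", "--profile", profile, "--region", region,
        "--filters", f"Name=tag:Role,Values={role_tag}",
        "Name=instance-state-name,Values=running",
        "--query", "Reservations[].Instances[].InstanceId", "--output", "text",
    ]


def pick_instance(describe_output: str) -> str:
    """Take the first running bastion from the CLI's text output (tab/newline separated)."""
    ids = describe_output.split()
    if not ids:
        raise RuntimeError("no running bastion found; check the Role tag and SSM agent")
    return ids[0]


def start_session_argv(profile: str, region: str, instance_id: str, params: dict) -> list:
    """argv for the port-forwarding session; the plugin keeps it open until Ctrl-C."""
    return [
        "aws", "ssm", "start-session", "--profile", profile, "--region", region,
        "--target", instance_id, "--document-name", SSM_PORT_FORWARD_DOC,
        "--parameters", json.dumps(params),
    ]


def scoped_session_policy(account_id: str, region: str, instance_id: str) -> dict:
    """Least-privilege IAM policy for the dev group: only this document, only this bastion.

    Without the document ARN in Resource, ssm:StartSession would also allow an
    interactive shell on the instance. Session ARNs use the documented
    ${aws:username} pattern so a user can only terminate their own sessions.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": [
                    f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}",
                    f"arn:aws:ssm:{region}::document/{SSM_PORT_FORWARD_DOC}",
                ],
            },
            {
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
        ],
    }


def main(argv: list) -> int:
    # usage: connect-database.py [profile] [region] [db-host] ; then connect to localhost:15432
    profile = argv[1] if len(argv) > 1 else "dev-account"            # placeholder
    region = argv[2] if len(argv) > 2 else "eu-west-1"                # placeholder
    db_host = argv[3] if len(argv) > 3 else "db.example.internal"     # placeholder RDS endpoint
    out = subprocess.run(describe_bastion_argv(profile, region, "db-bastion"),
                         check=True, capture_output=True, text=True).stdout
    cmd = start_session_argv(profile, region, pick_instance(out),
                             session_parameters(db_host, 5432, 15432))
    print("running:", shlex.join(cmd))
    return subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Devs run the script, then point their SQL client at `localhost:15432` with their normal database credentials; access is granted by attaching `scoped_session_policy` to their IAM group (or SSO permission set), and revoked the same way, which is the "AWS access control" the comment refers to. Because the session is scoped to the port-forwarding document, the same policy does not hand out a shell on the bastion.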

Interesting, we are all 100% Mac and have no issues.

And has terraform modules and device policies. Great tool.