How do I launch a VPN gateway?¶
Click Gateway -> + New Gateway
The controller launches an Aviatrix gateway instance in AWS/Azure/GCloud. The gateway instance must be launched from a public subnet. You need to give it a name (the name is presented as the Gateway Name field); this name becomes part of the instance name with the prefix CloudOps.
In the Create page, select VPN Access to enable OpenVPN® server capability. There is a default VPN CIDR “192.168.43.0/24”, but you can change it to make sure the CIDR is outside the existing and future VPC CIDR range. This VPN CIDR is where the VPN server assigns a virtual IP address to each user when she connects.
You can select Save Template to save the gateway template. When you come to the page the next time, most of the fields are pre-populated. You may change any of the fields.
How can I avoid managing multiple VPN user certs?¶
If you have multiple VPCs, launching a VPN gateway in each VPC and creating VPN users in each one is not the right way to manage access. It forces your developers to carry multiple .ovpn certs and learn when to use which one when connecting to a VPC. Leverage VPC to VPC connectivity to build a scalable solution.
How do I scale out VPN solution?¶
You can launch multiple VPN gateways in the same VPC. By default the first VPN gateway in a VPC is launched with a NLB. Subsequent VPN gateways in the same VPC are automatically associated with the same NLB, enabling a scale out VPN solution, where the NLB load balances incoming VPN user sessions.
Consistent gateway configuration is required when NLB is enabled. For example, authentication methods, tunnel modes and PBR configurations should be identical.
How do I setup Okta authentication for VPN?¶
An Aviatrix VPN gateway integrates seamlessly with Okta. It can authenticate VPN users to the Okta service using Okta’s OpenVPN® plug-in module. Follow this link for directions: How to setup Okta for Aviatrix VPN gateway
How do I enable Geo VPN?¶
If you have a global workforce that needs to access the cloud, Geo VPN offers a superior solution. Geo VPN enables a VPN user to connect to the nearest VPC that hosts an Aviatrix VPN gateway.
To enable Geo VPN, go to OpenVPN® -> GEO VPN.
Also check out this link for help.
How do I add a VPN user?¶
After at least one gateway is created, you can add VPN users.
Click OpenVPN® -> VPN Users -> +Add New.
When a user is added, an email is sent to the user with instructions on how to download client software and connect to a VPN server. You can customize this email by updating the settings at “OpenVPN -> Advanced -> Global Config -> User Defined Email Notification”. You could also use your own SMTP server to send these emails out by following these instructions.
If you prefer to not share the .ovpn file with your users via email, do not enter the email address when you add a VPN user. You can then download the .ovpn file from OpenVPN -> VPN Users -> Select VPN User and then download the file and share it with your VPN user via your preferred file share mechanism.
If you would like to assign user profile based policies, you need to create profiles first. See the next section.
What user devices are supported by the VPN client software?¶
Windows, Mac, Linux, Chromebook, Android and iOS devices are supported.
Is NAT capability supported on the gateway?¶
Yes, you can enable the NAT function at gateway launch time. When enabled, instances on the private subnet can access the Internet directly.
If full tunnel mode is selected, you may want to enable NAT to allow instances in the VPC to have direct Internet access.
Is full tunnel mode supported on the gateway?¶
Yes, both split tunnel and full tunnel modes are supported. You can specify the mode at the gateway launch time.
Full tunnel means all user traffic is carried through the VPN tunnel to the gateway, including Internet bound traffic.
Split tunnel means only traffic destined to the VPC and any additional network range is carried through the VPN tunnel to the gateway. Any Internet bound traffic does not go through the tunnel.
To enable full tunnel mode, go to Edit Config -> MODIFY SPLIT TUNNEL, select No, as shown below.
Can the maximum number of simultaneous connections to VPN gateway be configured?¶
Yes, you can set the maximum number of connections at the gateway launch time.
What is user profile based security policy?¶
In VPN access, a user is dynamically assigned a virtual IP address when connected to a gateway. It is highly desirable to define resource access policies based on the users. For example, you may want to have a policy for all employees, a different policy for partners and a still different policy for contractors. You may even give different policies to different departments and business groups.
The profile based security policy lets you define security rules to a target address, protocol and ports. The default rule for a profile can be configured as deny all or allow all during profile creation. This capability allows flexible firewall rules based on the users, instead of a source IP address.
The security policy is dynamically pushed to the landing VPN gateway when a VPN user connects. It is only active when a VPN user is connected. When a VPN user disconnects, the security policy is deleted from the VPN gateway.
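To make the lifecycle above concrete (identity-keyed rules, a default action fixed at profile creation, policy installed at connect and removed at disconnect, and an active session keeping its old policy until reconnect), here is an added Python model; it is illustrative code, not Aviatrix’s implementation, and the first-match ordering, the deny for traffic without a session, and the CIDRs and ports used are constructed assumptions.

```python
import copy
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    target: str                 # destination CIDR the rule applies to
    protocol: str               # "tcp", "udp", "icmp" or "all"
    port: Optional[int] = None  # None matches any port


@dataclass
class Profile:
    name: str
    default_action: str         # "allow" or "deny", chosen when the profile is created
    rules: List[Rule] = field(default_factory=list)

    def decide(self, dst_ip: str, protocol: str, port: Optional[int]) -> str:
        """First matching rule wins (assumed ordering); otherwise the profile default applies."""
        dst = ipaddress.ip_address(dst_ip)
        for r in self.rules:
            if (dst in ipaddress.ip_network(r.target)
                    and r.protocol in (protocol, "all")
                    and r.port in (None, port)):
                return r.action
        return self.default_action


class LandingGateway:
    """Policies active on the gateway, keyed by the connecting user's virtual IP."""

    def __init__(self) -> None:
        self.active: Dict[str, Profile] = {}

    def connect(self, virtual_ip: str, profile: Profile) -> None:
        # The policy is pushed as a snapshot at connect time, so later edits to
        # the profile do not reach this session until the user reconnects.
        self.active[virtual_ip] = copy.deepcopy(profile)

    def disconnect(self, virtual_ip: str) -> None:
        self.active.pop(virtual_ip, None)  # the policy is deleted with the session

    def forward(self, src_vip: str, dst_ip: str, protocol: str, port: Optional[int]) -> str:
        profile = self.active.get(src_vip)
        if profile is None:
            return "deny"  # assumption: traffic without an active session is dropped
        return profile.decide(dst_ip, protocol, port)
```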
How do I setup profile based security policies?¶
When a user connects to a VPC, the security policies associated with the profile that the user is assigned to are applied to the VPN gateway instance the user logs in to. This effectively blocks traffic not permitted by the profile before it enters the network.
Click OpenVPN® -> Profiles -> +New Profile to create profiles, then click Edit Policies to add rules. You can add multiple rules. Click Save. Click Update for the rules to take effect.
How do I assign a user to a profile?¶
When you create a VPN user at OpenVPN® -> VPN Users -> +Add New, you can select the profile option to assign the user to a specific profile.
You can also attach the user to a profile at a later time. Go to OpenVPN® -> Profiles. Click Attach User on a specific Profile and select a user that is added to the VPN gateway.
What if I want to change profile policies?¶
You can change profile policies any time. However, users who are currently active in a session will not receive the new policy. The user will need to disconnect and reconnect to the VPN for the new policy to take effect.
How do I change a user’s profile programmatically?¶
The controller provides an API which can be invoked to change a user’s profile. Refer to the API documentation under the Help menu.
During this operation, the user’s existing VPN session will be terminated. The new profile policy will take effect when he or she logs in again.
The use case for this feature is to allow an administrator to quarantine a VPN user for security reasons.
How to set User VPN License Threshold Notification?¶
The User VPN License Threshold Notification can be set in the Aviatrix Controller. Log in to the controller’s console and navigate to Settings -> Controller -> License.
Under License, you can set the number of licenses purchased and a threshold value. Once the number of licenses exceeds the threshold value, an email notification is sent.
The email address that receives all notifications can be set in the Email tab (Settings -> Controller -> Email).
Is DUO multi-factor authentication supported?¶
Yes. If your enterprise has a DUO account with multi-factor authentication, it can be integrated into the VPN solution. From the Gateways tab, click Create. At the two-step authentication drop down menu, select DUO, then enter your company Integration Key, Secret Key and API hostname.
To obtain an Integration Key, Secret Key and API hostname, log in to the DUO website, www.duo.com, as an admin. Click Applications on the left panel, then click Protect an Application below. Scroll down the application list and select OpenVPN® (click Protect this Application); the next screen should reveal the credentials you need to configure on the Aviatrix controller.
For additional help, follow this instruction.
Currently, advanced features such as Trusted Device and Trusted Networks are not supported. Send us a request if you would like to integrate these features.
How do I configure LDAP authentication?¶
See details here.
Can I combine LDAP and DUO authentication?¶
Yes. With both LDAP and DUO authentication methods enabled on a gateway, when launching the VPN client, a remote user will have to enter his or her LDAP user credentials and then approve the authentication request received on a registered mobile device to log in to the VPN.
Is OKTA supported?¶
Yes. OKTA with MFA is also supported. Follow the instructions.
How does Policy Based Routing (PBR) work?¶
When PBR is enabled at gateway launch time, all VPN user traffic that arrives at the gateway will be forwarded to a specified IP address defined as the PBR default gateway. The user must specify the PBR Subnet, which in AWS must be in the same availability zone as the Ethernet 0 interface of the gateway.
When the PBR feature is combined with encrypted peering capability, a VPN user should be able to access any instances in the peered VPC/VNets. This helps build an end to end cloud networking environment. For details, check out our reference design.
Another use case for Policy Based Routing is if you would like to route all Internet bound traffic back to your own firewall device on prem, or log all user VPN traffic to a specific logging device. PBR lets you accomplish that.
What are the monitoring capabilities?¶
Active VPN users are displayed on the Dashboard. Click on any username and the user’s VPN connectivity history is displayed.
You can also disconnect a user from the dashboard.
Does the Aviatrix OpenVPN® solution support SAML client?¶
Yes. The Aviatrix VPN client is the only OpenVPN® based client software that supports SAML authentication from the client software itself. Read here to learn more.
When should I use the Aviatrix VPN client?¶
Aviatrix’s VPN Client supports SAML authentication from the VPN client itself. If you need the VPN client itself to authenticate against an IDP (for example, Okta, Google, AWS SSO and Azure AD), you will need to use the Aviatrix VPN client.
An Aviatrix VPN gateway can authenticate a VPN user against OKTA on behalf of a VPN user. In that case, the Aviatrix VPN client is not needed, and any OpenVPN® client software such as Tunnelblick can be supported.
Are multiple VPN configuration profiles supported by the Aviatrix VPN client?¶
Note that this is about the OpenVPN® configuration file that is installed on end user machines.
Aviatrix’s VPN Client allows you to load and switch between one or more VPN profiles.
Load multiple configurations:
Switch to a different configuration:
What is “Client Certificate Sharing”?¶
Enabling this feature allows the same user to be logged in from more than one location at a time. If this option is disabled and a user logs in from a second location, the first location will be disconnected automatically.
How do I fix the Aviatrix VPN timing out too quickly?¶
Note
We have a known issue of “Aviatrix VPN times out too quickly”, but it is fixed in the releases after UCC 3.2. If you are using a VPN gateway that was created before release UCC 3.2 and would like to solve this issue, please first follow the above steps for “Renegotiation interval” and then disable it as below:
Note
We have a known issue “Aviatrix VPN times out too quickly”, but it is fixed in the releases after UCC 3.2. If you are using a VPN gateway which was created before release UCC 3.2 and would like to solve this issue, please first follow the above steps for “idle timeout” and then disable it as below:
Where do I find the log for the Aviatrix Client?¶
Why can’t my VPN client access a newly created VPC?¶
If you are using Split Tunnel mode, it is very likely that the new VPC CIDR is not part of the CIDR ranges that the Aviatrix VPN gateway pushes down to the client when the VPN client connects. To fix it, follow these steps:
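Two of the CIDR conditions on this page can be checked offline before touching the controller: the VPN CIDR chosen at gateway launch must not overlap any existing or planned VPC CIDR, and in split tunnel mode a VPC is only reachable if its CIDR is covered by the routes pushed to the client. The following is an added Python example, not Aviatrix code; the page’s default VPN CIDR is reused and the VPC CIDRs and pushed routes are constructed.

```python
import ipaddress
from typing import Iterable, List


def vpn_cidr_conflicts(vpn_cidr: str, vpc_cidrs: Iterable[str]) -> List[str]:
    """Return every VPC CIDR that overlaps the proposed VPN CIDR.

    Client virtual IPs are drawn from the VPN CIDR, so an overlap with a
    current or planned VPC makes client addresses collide with instances.
    strict=True also rejects a CIDR with host bits set (e.g. 192.168.43.1/24).
    """
    vpn = ipaddress.ip_network(vpn_cidr, strict=True)
    return [c for c in vpc_cidrs
            if vpn.overlaps(ipaddress.ip_network(c, strict=True))]


def uncovered(net, routes) -> list:
    """Pieces of `net` that no pushed route covers (empty list means fully covered)."""
    remaining = [net]
    for route in routes:
        nxt = []
        for piece in remaining:
            if piece.subnet_of(route):
                continue                      # fully covered by this route
            if piece.overlaps(route):         # route is a strict subnet of piece
                nxt.extend(piece.address_exclude(route))
            else:
                nxt.append(piece)
        remaining = nxt
    return remaining


def unreachable_vpcs(pushed_routes: Iterable[str], vpc_cidrs: Iterable[str]) -> List[str]:
    """Return VPC CIDRs not fully covered by the split tunnel routes.

    In split tunnel mode only destinations inside a pushed route enter the
    tunnel, so a VPC listed here stays unreachable until the gateway's pushed
    CIDR list is updated and the client reconnects.  Coverage may come from
    several smaller routes together, not just a single enclosing one.
    """
    routes = [ipaddress.ip_network(r, strict=True) for r in pushed_routes]
    return [c for c in vpc_cidrs
            if uncovered(ipaddress.ip_network(c, strict=True), routes)]
```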
How do I turn off NAT with an OpenVPN® gateway?¶
An Aviatrix OpenVPN® gateway performs a NAT function for the user’s VPN traffic, effectively masking the VPN client’s virtual IP address assigned by the gateway from the VPN CIDR block. This does not affect profile based policy enforcement, as the landing VPN gateway knows the virtual IP address before NAT is performed and enforces policies based on user identification.
If you do want to preserve the virtual IP address after the client packet leaves the gateway, you can do so by enabling the PBR function.
What IP Address is used for NAT’ing the VPN Clients?¶
If the destination is another instance within the cloud provider, then the OpenVPN gateway’s private IP address is used to NAT the OpenVPN client’s traffic. But if the destination is outside the cloud provider (the Internet), then the public IP address of the OpenVPN gateway is used.
What is User Defined Email Notification?¶
The User Defined Email Notification feature lets you customize the email notification (both the email content and the attachment file name) sent to VPN users.
To configure it, go to OpenVPN® -> Advanced -> Global Config -> User Defined Email Notification to edit the file name or email content. The new email format will be used when a VPN certificate is issued. Check How do I add a VPN user? for more info.
How to customize pop-up messages after a VPN user is connected?¶
The System Use Notification feature lets you customize the pop-up message shown after a VPN user connects. One use case is for customers to write their own messages for compliance.
To configure it, go to OpenVPN® -> Advanced -> Global Config -> System Use Notification.
Note
Please ensure that you are running Aviatrix VPN Client version 2.9 or higher to view the usage notification.
How to set a minimum Aviatrix VPN client software version for OpenVPN® connection?¶
The Minimum Aviatrix VPN Client Version feature lets you set the minimum Aviatrix VPN client software version that is allowed to connect successfully.
To configure it, go to OpenVPN® -> Advanced -> Global Config -> Minimum Aviatrix VPN Client Version to set the Aviatrix VPN client version.
OpenVPN® is a registered trademark of OpenVPN Inc.