We currently use a small EC2 instance as our company VPN server. It’s using OpenVPN from a marketplace image and this seems to work fine. We only have a few developers and so far there hasn’t been an issue.
That being said - it’s a nightmare to deal with starters, leavers and guests and the certificate/key creation process is a little technical end to end and so I thought I’d ask if anyone has experience with a VPN solution that we can host in AWS that has a friendly GUI in which users and their relevant certs can be generated as well as those users removed where necessary.
We use the Netgate pfSense Plus Firewall/VPN/Router on the AWS marketplace. It provides integrated OpenVPN server capabilities with a user directory and wizards to make life easy for generating client configs.
As it is also a firewall, you can create different OpenVPN pools for different users and control what IPs and ports they can access.
Runs quite well on smaller instances which cost much less than the recommended instance size on the marketplace page.
Check out Perimeter 81. They have a turnkey VPN solution that will integrate with Google SSO, ActiveDirectory, etc. and makes it trivial to add/remove and maintain user access for VPNs.
You could run Windows VPN server too on an EC2 instance with 2 NICs and make a reservation for it. Or run a firewall on AWS and use some built-in VPN; however, licensing on said firewall may not be the cheapest.
CloudZiti handles all the nightmares you mentioned and gives you more - e.g., outbound only connections via NAT GW, MFA TOTP, optional microsegmentation, least privilege towards zero trust networking. Free tier, no credit card for up to 10 endpoints - https://netfoundry.io/pricing/.
I’ve been using Twingate for a year. It’s dead simple and fast to set up, supports SSO & SCIM provisioning, and you can use Terraform to set up basically all of it.
Depending on your team, it may work to just use a bastion host and access it via ssm. No ports to open on the outside and you use the same credentials you’re already using for aws. ssm supports forwarding ports. It’s what we’re planning on moving to.
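The bastion-plus-SSM approach above keeps the instance reachable only through the Systems Manager control channel, so the remaining exposure is who may start sessions. As an added example (not from this thread), here is an IAM policy that restricts a developer to port-forwarding sessions against one specific bastion; REGION, ACCOUNT_ID and the instance id are placeholders, and the session-management statement assumes IAM users (session ids are prefixed with the IAM user name):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PortForwardOnlyToTheBastion",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:REGION:ACCOUNT_ID:instance/i-BASTION_PLACEHOLDER",
        "arn:aws:ssm:REGION::document/AWS-StartPortForwardingSessionToRemoteHost"
      ],
      "Condition": {
        "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" }
      }
    },
    {
      "Sid": "ManageOnlyOwnSessions",
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession",
        "ssm:ResumeSession"
      ],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    },
    {
      "Sid": "FindManagedInstances",
      "Effect": "Allow",
      "Action": "ssm:DescribeInstanceInformation",
      "Resource": "*"
    }
  ]
}
```

Listing the document ARN alongside the instance ARN means a developer cannot open an interactive shell (AWS-StartSSHSession or the default shell document) with this policy, only a TCP forward; the developer then runs `aws ssm start-session --target <bastion id> --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters host=<internal host>,portNumber=<remote port>,localPortNumber=<local port>` with the Session Manager plugin installed, and the bastion's security group needs no inbound rule at all.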