VPN Recommendations

Hey,

We currently use a small EC2 instance as our company VPN server. It’s using OpenVPN from a marketplace image and this seems to work fine. We only have a few developers and so far there hasn’t been an issue.

That being said - it’s a nightmare to deal with starters, leavers and guests and the certificate/key creation process is a little technical end to end and so I thought I’d ask if anyone has experience with a VPN solution that we can host in AWS that has a friendly GUI in which users and their relevant certs can be generated as well as those users removed where necessary.

Low cost is important.


I’d look at Tailscale or Headscale

AWS has AWS Client VPN, which you can integrate with AWS SSO or any SAML IdP

No licenses to buy, nothing to manage and maintain :slight_smile:

We’ve switched from OpenVPN Access Server to OpenVPN Cloud and it integrates with SAML for on/offboarding well.

Cloudflare Zero Trust

We use the Netgate pfSense Plus Firewall/VPN/Router on the AWS marketplace. It provides integrated OpenVPN server capabilities with a user directory and wizards to make life easy for generating client configs.

As it is also a firewall, you can create different OpenVPN pools for different users and control what IPs and ports they can access.

Runs quite well on smaller instances which cost much less than the recommended instance size on the marketplace page.

Check out Perimeter 81. They have a turn key VPN solution that will integrate with Google SSO, ActiveDirectory, etc and makes it trivial to add/remove, maintain user access for VPNs.

We are using https://www.firezone.dev/ ! It's an excellent solution imho

Tailscale is amazing

If you want MFA with AWS Client VPN you’ll have to build AD.

With the OpenVPN server is there no appetite to just use username and password and the Google Authenticator integration? It’s real simple

Which resources would you need to reach?
Might be worth looking into AWS Verified Access https://docs.aws.amazon.com/verified-access/latest/ug/what-is-verified-access.html

It only supports HTTPS at the moment.

I recently started using Tailscale, and I was pleasantly surprised by how easy it was to set up.

You could run a Windows VPN server on an EC2 instance with 2 NICs and make a reservation for it. Or run a firewall on AWS and use some built-in VPN; however, licensing on said firewall may not be the cheapest.

CloudZiti handles all the nightmares you mentioned and gives you more - e.g., outbound only connections via NAT GW, MFA TOTP, optional microsegmentation, least privilege towards zero trust networking. Free tier, no credit card for up to 10 endpoints - https://netfoundry.io/pricing/.

What is the VPN used for? To access resources inside AWS? And what operating systems do the users use?

I’ve been using Twingate for a year. It’s dead simple and fast to set up, supports SSO & SCIM provisioning, and you can use Terraform to set up basically all of it.

I’ve been loving Firezone

Depending on your team, it may work to just use a bastion host and access it via SSM. No ports to open on the outside and you use the same credentials you’re already using for AWS. SSM supports forwarding ports. It’s what we’re planning on moving to.
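The SSM port-forwarding approach from the comment above, as an added example that is not part of the original post or of any commenter's setup. It wraps `aws ssm start-session` with the AWS-managed `AWS-StartPortForwardingSessionToRemoteHost` document so a developer can reach a private host (a database in a private subnet, say) through the bastion without any inbound security-group rule. It assumes AWS CLI v2 plus the Session Manager plugin are installed and credentials are already configured; the instance id and host name below are placeholders, and `DRY_RUN=1` only prints the command instead of running it.

```shell
#!/bin/sh
# Added example: tunnel a local port to a private host via an SSM-managed bastion.
# Assumes: aws CLI v2 + session-manager-plugin, credentials in the environment,
# and an IAM policy that allows ssm:StartSession on the bastion instance.
# Set DRY_RUN=1 to print the command instead of opening a session.

# An EC2 instance id looks like i-0123456789abcdef0 (8 or 17 hex chars).
valid_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-[0-9a-f]{8,17}$'
}

# Restrict the remote host to hostname/IP characters, since it is embedded
# verbatim in the JSON parameter string handed to the CLI.
valid_host() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9.-]+$'
}

# A TCP port is an integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the --parameters document for AWS-StartPortForwardingSessionToRemoteHost.
# Arguments: remote host, remote port, local port.
ssm_params() {
  printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}' "$1" "$2" "$3"
}

# ssm_forward <bastion-instance-id> <remote-host> <remote-port> <local-port>
# Validates every argument first so a typo fails locally rather than in AWS.
ssm_forward() {
  target=$1; host=$2; rport=$3; lport=$4
  valid_instance_id "$target" || { echo "bad instance id: $target" >&2; return 2; }
  valid_host "$host"          || { echo "bad host: $host" >&2; return 2; }
  valid_port "$rport" && valid_port "$lport" \
    || { echo "bad port: remote=$rport local=$lport" >&2; return 2; }

  params=$(ssm_params "$host" "$rport" "$lport")
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'aws ssm start-session --target %s --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters %s\n' \
      "$target" "$params"
    return 0
  fi
  aws ssm start-session \
    --target "$target" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "$params"
}

# Usage (placeholder values): ./ssm_forward.sh i-0123456789abcdef0 db.internal 5432 15432
# then connect your client to localhost:15432.
if [ "$#" -ge 4 ]; then
  ssm_forward "$@"
fi
```

Every `StartSession` call is recorded in CloudTrail under the caller's IAM identity, so on- and offboarding collapses to managing IAM or SSO users rather than issuing and revoking VPN certificates, and session activity can additionally be logged to CloudWatch Logs or S3 via Session Manager preferences.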

pritunl has worked well for us, it's stupid simple to get up and running and administration is pretty easy, and it supports MFA