I just wanted to suggest the same
$70/month for SSO/MFA support. Super easy to set up. I wish it supported DocumentDB though
Came here to say this. We use it with multiple servers and accounts. For $70 it’s a lot of value.
Recommended as well. It scaled up nicely when we went from 80 to 300 engineers. Okta integration was a nice bonus. Never had an issue with it. One of those rare services that quietly does its job and does it well.
This. Tailscale is freaking incredible
Another vote for Tailscale here. It’s been an absolute gamechanger.
Just a note on how subpar their client is for Linux and Mac. No auto connect, no minimize to tray and very slow development from AWS. If you use SSO you are forced to use their client. Our development team refused to use it after a week.
Check out the cost for client vpn. It is certainly not free
Our problem with it was it doesn’t support ipv6.
I think it’s about $5 per user
Gonna take a look at OpenVPN Cloud now! We use it hosted on an EC2 as well, and this could be a better fit for us.
IMHO, this is (much) more complication than the OP needs. However, if one already has a pfSense router running, it is easy to set up VPNs. We have run a pfSense firewall/router for over a decade, including as an OpenVPN gateway. We recently moved to Wireguard, and it put an end to our VPN management issues.
I will warn that it takes a bit to grok Wireguard, like any VPN, but it really isn’t bad, and is a cinch if you set up your networks in a sensible way. You can use it for mesh-networking, where every client knows about every other client, but that is a bad idea. Star topology all the way.
Our pfSense router is set up as a Wireguard concentrator (i.e. star topology). All clients know how to get to the router, and then the router takes it from there (and, you know, routes). If we want to cut off a client, we just delete them using the router’s interface (provided by the Wireguard package). No need to invalidate the certificate as with OpenVPN, or remove them from each Wireguard configuration on all clients as with a mesh-networked Wireguard network.
This is actually really easy to do with Wireguard on any Linux box with command-line tools. I’ve done so with my home network and actually prefer it to the pfSense interface, but I’m pretty fond of the command-line.
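The star (hub-and-spoke) layout described in the two comments above, written out as WireGuard configuration for a plain Linux hub. This is an added illustration, not configuration from anyone in the thread or from pfSense; the keys, addresses, interface names and the hostname vpn.example.com are placeholders.

```ini
# /etc/wireguard/wg0.conf on the concentrator (hub) -- illustrative example,
# all keys/addresses/interface names below are placeholders.
[Interface]
Address = 10.44.0.1/24
ListenPort = 51820
PrivateKey = <HUB_PRIVATE_KEY>
# Forward between spokes and onward to the LAN behind the hub (eth0 assumed).
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# One [Peer] block per client. AllowedIPs is WireGuard's cryptokey routing
# table: packets decrypted with this key are dropped unless their source is
# inside this /32, so one client cannot spoof another client's address.
[Peer]
# alice-laptop
PublicKey = <ALICE_PUBLIC_KEY>
AllowedIPs = 10.44.0.10/32

[Peer]
# bob-laptop
PublicKey = <BOB_PUBLIC_KEY>
AllowedIPs = 10.44.0.11/32

# ---------------------------------------------------------------------------
# /etc/wireguard/wg0.conf on a spoke (alice-laptop). The client only knows the
# hub: it never learns other clients' keys or endpoints, which is what makes
# revocation a single-place change.
# ---------------------------------------------------------------------------
# [Interface]
# Address = 10.44.0.10/32
# PrivateKey = <ALICE_PRIVATE_KEY>
#
# [Peer]
# PublicKey = <HUB_PUBLIC_KEY>
# Endpoint = vpn.example.com:51820
# # Send the whole tunnel subnet and the office LAN (192.168.10.0/24 assumed)
# # via the hub; the hub's FORWARD rule decides what actually gets through.
# AllowedIPs = 10.44.0.0/24, 192.168.10.0/24
# PersistentKeepalive = 25
```

Cutting a client off is then exactly the one-step operation the comment describes: remove that client's [Peer] block from the hub file and reload it with `wg syncconf wg0 <(wg-quick strip wg0)`, or drop the peer from the running interface immediately with `wg set wg0 peer <ALICE_PUBLIC_KEY> remove`. Nothing on the remaining spokes has to change, and there is no certificate or CRL to manage. In a full mesh the same revocation would have to be repeated on every other peer's config, which is the maintenance burden the commenter is warning about.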
Went with this. Awesome solution. Added Google as an IdP and works a treat.
You can also use MFA if you use AWS IAM identity center
I set this up at work, pretty nice.
It is a really bad client. I get complaints about it constantly but… as a one-man team to manage it, I don’t want to maintain an OpenVPN (or alternative) EC2 instance.
That’s right, but OpenVPN AS licenses aren’t either, as is my or my team’s time.
Also, AWS Client VPN pays for actual use, connections*hours. I can have a hundred team members onboarded, but if they don’t need the VPN, you’re only paying for the shared endpoint (which you’d need to do with EC2 as well)
Each endpoint costs $72/mo even when no users are using it, I think?
Yes that sounds about right
Not to mention that AWS VPN is stupid expensive and I found it to be really slow. Tailscale is a wonderful option for client VPN. You can set it up in router mode, which is like a typical VPN, or in zero-trust mode, which has a client on each of your resources and you decide which users have access to which resources. The client is really nice as well. I’ve never tried SSO with anything except Google, but it’s pretty flawless.