Connecting OpenVPN Users to On-Prem

Connecting OpenVPN Users to On-Prem

In this tutorial we will cover the basic routing needed to allow users connected to Aviatrix’s OpenVPN (aka User VPN) service to access On-Prem. This documentation assumes that there is an existing OpenVPN Gateway (to terminate remote users) and a configured Site2Cloud tunnel on a separate S2C or Transit Gateway (for on-prem connectivity).

For more information, please refer to following links:


Network CIDRs

Client Network
OpenVPN Gateway Network
On-Prem Network


1. Add the On-Prem Networks to the OpenVPN Configuration

Controller > OpenVPN > Edit Config > MODIFY SPLIT TUNNEL

  • Add the On-Prem CIDR block (ig, to Additional CIDR
  • If Split Tunnel is set to “No” then no changes need to be made

2. Establish Connectivity Between the Aviatrix OpenVPN Gateway and the Site2Cloud or Transit Gateway

Depending on your network’s use case, please refer to the links below:

3. Add the OpenVPN Gateway CIDR to the Site2Cloud Configuration

  1. The Site2Cloud Connection is built on a Spoke Gateway

Controller > Site2Cloud > select tunnel > Local Subnet(s)

  • Add the OpenVPN Gateway Network to Local Subnets(s) (ig,
  • The remote Firewall/Router will need to add the OpenVPN Gateway’s network (ig, to it’s IPSec policy
  • The User VPN client network (ig, will be SNAT’ed off of the OpenVPN Gateway’s local IP (ig, 10.99.245.x)
  1. The Site2Cloud Connection is Built on a Transit Gateway with BGP
  • Transit Gateways configured with BGP should advertise the OpenVPN network automatically


Users connected to the SSL VPN should now be able to route through the OpenVPN Gateway back to On-prem.


  • Confirm the VPN User policy allows for connectivity to the On-prem network
  • Log out of the Aviatrix VPN client and reconnect - this will refresh your device’s local routes
  • If this a AWS-TGW solution, confirm that the OpenVPN Gateway’s Security Domain is connected to the S2C Security Domain
  • If this is a BGP solution confirm that Transit Gateway is advertising the OpenVPN Gateway network (ig,
  • On the remote firewall or router check for any ACLs that would block the OpenVPN Gateway Network
  • In AWS confirm there are no NACLs or Security Groups blocking the traffic
1reply Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
  • I like this article. Couple of suggestions. Can you please add a topology so that it is easy to follow. Also it would be nice if you could add screen shots from Controller. I think if you just take Aviatrix Transit as an example and give us all the details that would be great.

    In the troubleshooting section you mentioned "If this is a BGP solution". It might not be very clear to readers so please elaborate.

Like Follow
  • 2 yrs agoLast active
  • 1Replies
  • 67Views
  • 2 Following