
Connecting OpenVPN Users to On-Prem


In this tutorial we will cover the basic routing needed to allow users connected to Aviatrix’s OpenVPN (aka User VPN) service to access On-Prem. This documentation assumes that there is an existing OpenVPN Gateway (to terminate remote users) and a configured Site2Cloud tunnel on a separate S2C or Transit Gateway (for on-prem connectivity).


For more information, please refer to the following links:



Topology


Network CIDRs

















  • Client Network: 192.168.43.0/24
  • OpenVPN Gateway Network: 10.99.245.0/24
  • On-Prem Network: 10.200.0.0/16

Configuration


1. Add the On-Prem Networks to the OpenVPN Configuration


Controller > OpenVPN > Edit Config > MODIFY SPLIT TUNNEL



  • Add the On-Prem CIDR block (e.g., 10.200.0.0/16) to Additional CIDR

  • If Split Tunnel is set to “No” then no changes need to be made


2. Establish Connectivity Between the Aviatrix OpenVPN Gateway and the Site2Cloud or Transit Gateway


Depending on your network’s use case, please refer to the links below:



3. Add the OpenVPN Gateway CIDR to the Site2Cloud Configuration



  1. The Site2Cloud Connection is built on a Spoke Gateway


Controller > Site2Cloud > select tunnel > Local Subnet(s)



  • Add the OpenVPN Gateway Network (e.g., 10.99.245.0/24) to Local Subnet(s)

  • The remote Firewall/Router will need to add the OpenVPN Gateway’s network (e.g., 10.99.245.0/24) to its IPsec policy

  • The User VPN client network (e.g., 192.168.43.0/24) will be SNAT’ed to the OpenVPN Gateway’s local IP (e.g., 10.99.245.x), so on-prem devices and logs see the gateway address rather than the individual client address



  2. The Site2Cloud Connection is built on a Transit Gateway with BGP



  • Transit Gateways configured with BGP should advertise the OpenVPN network automatically
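
A preflight check for the three steps above, as an added example that is not Aviatrix code: it takes the CIDRs you have configured and lists which step would still block a VPN user from reaching an on-prem address. The dictionary keys and the sample configs are hypothetical names and constructed values, filled in by hand from the Controller and the remote device; IPv4 only.

```python
import ipaddress

def covers(cidrs, target):
    """True if any IPv4 CIDR in cidrs contains target (an address or a network)."""
    t = ipaddress.ip_network(target, strict=False)
    return any(t.subnet_of(ipaddress.ip_network(c)) for c in cidrs)

def check_vpn_to_onprem(cfg, dest_ip):
    """Return the configuration gaps that would stop a VPN user reaching dest_ip."""
    gaps = []
    # Step 1: with split tunnel on, the client only routes the pushed CIDRs.
    if cfg["split_tunnel"] and not covers(cfg["additional_cidrs"], dest_ip):
        gaps.append("step 1: on-prem CIDR missing from Additional CIDR")
    # Step 3: user traffic is SNAT'ed to the gateway's local IP, so the tunnel
    # side must carry the gateway network, not the client pool.
    gw = cfg["gateway_network"]
    if cfg["s2c_mode"] == "spoke":
        if not covers(cfg["s2c_local_subnets"], gw):
            gaps.append("step 3: gateway network missing from Local Subnet(s)")
        if not covers(cfg["remote_ipsec_policy"], gw):
            gaps.append("step 3: remote IPsec policy lacks the gateway network")
    elif cfg["s2c_mode"] == "bgp":
        if not covers(cfg["bgp_advertised"], gw):
            gaps.append("bgp: gateway network is not being advertised")
    else:
        raise ValueError("s2c_mode must be 'spoke' or 'bgp'")
    return gaps

# Constructed sample configs using the CIDRs from this page; the dictionary
# keys are hypothetical names, not Aviatrix Controller fields or API output.
BROKEN = {
    "split_tunnel": True, "additional_cidrs": [],
    "gateway_network": "10.99.245.0/24", "s2c_mode": "spoke",
    "s2c_local_subnets": ["10.99.0.0/24"],          # constructed: wrong subnet
    "remote_ipsec_policy": ["192.168.43.0/24"],     # client pool, pre-SNAT
}
FIXED = dict(BROKEN, additional_cidrs=["10.200.0.0/16"],
             s2c_local_subnets=["10.99.245.0/24"],
             remote_ipsec_policy=["10.99.245.0/24"])
FULL_TUNNEL_BGP = {
    "split_tunnel": False, "additional_cidrs": [],
    "gateway_network": "10.99.245.0/24", "s2c_mode": "bgp",
    "bgp_advertised": ["10.99.245.0/24"],
}

if __name__ == "__main__":
    for name, cfg in [("broken", BROKEN), ("fixed", FIXED), ("bgp", FULL_TUNNEL_BGP)]:
        print(name, check_vpn_to_onprem(cfg, "10.200.5.10") or "ok")
```

The BROKEN config shows a common mix-up: permitting the client network (192.168.43.0/24) on the remote side instead of the gateway network that traffic actually arrives from after SNAT.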


Conclusion


Users connected to the SSL VPN should now be able to route through the OpenVPN Gateway back to On-prem.


Troubleshooting



  • Confirm the VPN User policy allows for connectivity to the On-prem network

  • Log out of the Aviatrix VPN client and reconnect - this will refresh your device’s local routes

  • If this is an AWS-TGW solution, confirm that the OpenVPN Gateway’s Security Domain is connected to the S2C Security Domain

  • If this is a BGP solution, confirm that the Transit Gateway is advertising the OpenVPN Gateway network (e.g., 10.99.245.0/24)

  • On the remote firewall or router check for any ACLs that would block the OpenVPN Gateway Network

  • In AWS confirm there are no NACLs or Security Groups blocking the traffic

I like this article. Couple of suggestions. Can you please add a topology so that it is easy to follow. Also it would be nice if you could add screen shots from Controller. I think if you just take Aviatrix Transit as an example and give us all the details that would be great.

In the troubleshooting section you mentioned "If this is a BGP solution". It might not be very clear to readers so please elaborate.

