Connecting OpenVPN Users to On-Prem
In this tutorial we will cover the basic routing needed to allow users connected to Aviatrix’s OpenVPN (aka User VPN) service to access On-Prem. This documentation assumes that there is an existing OpenVPN Gateway (to terminate remote users) and a configured Site2Cloud tunnel on a separate S2C or Transit Gateway (for on-prem connectivity).
For more information, please refer to the following links:
Topology
Network CIDRs

| Network | CIDR |
| --- | --- |
| Client Network | 192.168.43.0/24 |
| OpenVPN Gateway Network | 10.99.245.0/24 |
| On-Prem Network | 10.200.0.0/16 |
Configuration
1. Add the On-Prem Networks to the OpenVPN Configuration
Controller > OpenVPN > Edit Config > MODIFY SPLIT TUNNEL
- Add the On-Prem CIDR block (e.g., 10.200.0.0/16) to Additional CIDR
- If Split Tunnel is set to "No", then no changes need to be made
2. Establish Connectivity Between the Aviatrix OpenVPN Gateway and the Site2Cloud or Transit Gateway
Depending on your network’s use case, please refer to the links below:
3. Add the OpenVPN Gateway CIDR to the Site2Cloud Configuration
- The Site2Cloud Connection is built on a Spoke Gateway
  Controller > Site2Cloud > select tunnel > Local Subnet(s)
  - Add the OpenVPN Gateway Network to Local Subnet(s) (e.g., 10.99.245.0/24)
  - The remote Firewall/Router will need to add the OpenVPN Gateway's network (e.g., 10.99.245.0/24) to its IPsec policy
  - The User VPN client network (e.g., 192.168.43.0/24) will be SNAT'ed to the OpenVPN Gateway's local IP (e.g., 10.99.245.x), so the client network itself never appears as a source on the tunnel
- The Site2Cloud Connection is built on a Transit Gateway with BGP
  - Transit Gateways configured with BGP should advertise the OpenVPN Gateway network automatically
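The three configuration points above (split-tunnel CIDR, Site2Cloud local subnet, remote IPsec policy) can be checked together for a given client destination. This is an added example, not Aviatrix code; the gateway local IP 10.99.245.10 and the firewall policy shapes are constructed assumptions.

```python
"""Check whether a User VPN client packet can reach an on-prem host,
modelling the tutorial's routing: the client route comes from the split
tunnel config, the packet is SNAT'ed to the OpenVPN Gateway's local IP,
and that SNAT'ed source must be covered by the Site2Cloud local subnets
and by the on-prem firewall's IPsec policy."""
from ipaddress import ip_address, ip_network

CLIENT_NET = ip_network("192.168.43.0/24")   # User VPN client pool (tutorial value)
OVPN_GW_NET = ip_network("10.99.245.0/24")   # OpenVPN Gateway network (tutorial value)
ONPREM_NET = ip_network("10.200.0.0/16")     # On-Prem network (tutorial value)
OVPN_GW_IP = ip_address("10.99.245.10")      # assumed gateway local IP used for SNAT


def check_path(dst, split_tunnel, additional_cidrs, s2c_local_subnets, remote_ipsec_policy):
    """Return the list of failed checks for a client packet to `dst` (empty = reachable).

    split_tunnel        -- True when OpenVPN Split Tunnel is "Yes"
    additional_cidrs    -- "Additional CIDR" entries pushed to the client
    s2c_local_subnets   -- Site2Cloud "Local Subnet(s)" on the cloud side
    remote_ipsec_policy -- (onprem_local, cloud_remote) pairs on the on-prem firewall
    """
    dst = ip_address(dst)
    problems = []

    # Step 1: with split tunnel on, the client only routes dst if a CIDR covers it
    if split_tunnel and not any(dst in ip_network(c) for c in additional_cidrs):
        problems.append("client has no route to %s: add the CIDR to Additional CIDR" % dst)

    # Traffic leaves the OpenVPN Gateway with its local IP as the source (SNAT)
    src = OVPN_GW_IP

    # Step 3a: the Site2Cloud local subnets must include the gateway network
    if not any(src in ip_network(s) for s in s2c_local_subnets):
        problems.append("Site2Cloud local subnets do not include %s" % OVPN_GW_NET)

    # Step 3b: the remote IPsec policy must match the SNAT'ed source, not the client pool
    if not any(dst in ip_network(loc) and src in ip_network(rem) for loc, rem in remote_ipsec_policy):
        problems.append("remote IPsec policy does not cover %s -> %s" % (src, dst))

    return problems
```

A policy that lists 192.168.43.0/24 instead of 10.99.245.0/24 on the on-prem firewall fails check 3b, which is the mistake the SNAT note above is warning about.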
Conclusion
Users connected to the SSL VPN should now be able to route through the OpenVPN Gateway back to On-prem.
Troubleshooting
- Confirm the VPN User policy allows for connectivity to the On-prem network
- Log out of the Aviatrix VPN client and reconnect - this will refresh your device’s local routes
- If this is an AWS TGW solution, confirm that the OpenVPN Gateway's Security Domain is connected to the S2C Security Domain
- If this is a BGP solution, confirm that the Transit Gateway is advertising the OpenVPN Gateway network (e.g., 10.99.245.0/24)
- On the remote firewall or router check for any ACLs that would block the OpenVPN Gateway Network
- In AWS confirm there are no NACLs or Security Groups blocking the traffic