The steps mentioned here are not supported yet. They should be treated as a workaround only.


AWS NLB Supports UDP

AWS recently started supporting the UDP protocol for its NLB (Network Load Balancer). Customers are now looking to add support for a UDP-based NLB. While this support will shortly be available in the product, there is a workaround to deploy such a topology.

Note: Aviatrix User-VPN GW uses TCP:443 for incoming health-check probes.

Deployment Overview

  • Create an Aviatrix GW (AGW) with VPN Access option but without enabling cloud-native ELB integration
  • This will create the AGW, which by default listens on UDP port 1194
  • Manually create AWS NLB in the AWS console with the UDP option and port 1194
  • Manually create the target group with user-VPN AGW(s) in it
  • Make sure to override the health-check port and use TCP 443 for it

Deployment Details

The following screenshots show a working deployment.


Deploy Aviatrix User-VPN GW

Deploy an Aviatrix User-VPN GW with “VPN Access” checked and without enabling ELB using Aviatrix Controller.

The gateway config shows the following in the Aviatrix diagnostics section. Notice the port 1194 here.

"VPN Service": {
"port": {
"1194": [

Create a new user and assign this user to the Aviatrix User-VPN GW

Create NLB in AWS Console

Create a UDP-based NLB using the AWS console. Once the NLB is created, you will notice the following config in the AWS console. Notice the DNS name for this NLB. This is the name we will use later in the config.

Name: shahzad-udp-nlb
DNS name:
(A Record)

AWS Network Load Balancer

The following screen also shows the name of the NLB and the DNS name associated with it.

NLB Listener

By default, the AWS UDP-based NLB listens on UDP port 1194, which is the port the Aviatrix GW also listens on. You can observe it in the following screen.

NLB Listener Details

Now we need to create a target group that will point to the Aviatrix User-VPN GW.

Health Check Configuration for Aviatrix GW

Make sure to modify the health-check port to 443 (by default it will be configured with 1194).

Modify User-VPN Certificate File

Download the User-VPN certificate file and replace the IP address with the DNS name of the AWS NLB.

tun-mtu 1500
remote 1194
proto udp
route-method exe
verb 3
route-delay 2
mute 20
reneg-sec 0
cipher AES-256-CBC
auth SHA512
key-direction 1
dev-type tun
dev tun
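
The profile edit described above can be scripted so that the same change is applied to every user's file and a profile that cannot match the UDP 1194 listener is rejected before it is handed out. This is an added example, not code from the original post or from Aviatrix; the function name, the sample profile, its IP address and the NLB DNS name are all constructed placeholders.

```python
import ipaddress

# Constructed sample profile: 203.0.113.10 is a documentation address (RFC 5737)
# and NLB_DNS is a placeholder, not the DNS name from the post.
NLB_DNS = "nlb-dns-name.example.com"
SAMPLE_PROFILE = """\
client
tun-mtu 1500
remote 203.0.113.10 1194
proto udp
cipher AES-256-CBC
auth SHA512
dev tun
"""


def point_profile_at_nlb(profile, nlb_dns, port=1194):
    """Swap the IP on each `remote` line for nlb_dns, keeping port and proto.

    Raises ValueError if the profile cannot match a UDP listener on `port`.
    """
    out, replaced, protos = [], 0, []
    for line in profile.splitlines():
        fields = line.split()
        if fields[:1] == ["remote"] and len(fields) >= 2:
            # OpenVPN syntax: remote host [port] [proto]; port defaults to 1194.
            line_port = int(fields[2]) if len(fields) > 2 else 1194
            if line_port != port:
                raise ValueError(f"remote uses port {line_port}, listener is {port}")
            protos.extend(fields[3:4])
            ipaddress.ip_address(fields[1])  # ValueError unless host is a literal IP
            fields[1] = nlb_dns
            line = " ".join(fields)
            replaced += 1
        elif fields[:1] == ["proto"] and len(fields) == 2:
            protos.append(fields[1])
        out.append(line)
    if replaced == 0:
        raise ValueError("profile has no remote line")
    # OpenVPN defaults to UDP when no proto is given, so only explicit TCP fails.
    if any(not p.startswith("udp") for p in protos):
        raise ValueError(f"profile uses {protos}, but the NLB listener is UDP")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(point_profile_at_nlb(SAMPLE_PROFILE, NLB_DNS), end="")
```

Certificate and key blocks embedded in the profile pass through unchanged, because only lines whose first token is `remote` are rewritten.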

Connect VPN User

Now we connect using this profile. I am using OpenVPN connect client version

The user will be connected and will also show up in the Aviatrix Controller UI.


Thank you Liming Xiang and Felipe Vasconcellos for reviewing and making adjustments to this post.


