Aviatrix User-VPN Deployment with AWS UDP Based NLB

The steps mentioned here are not supported yet. It should be treated as a workaround only.

Introduction

• Aviatrix supports both TCP and UDP for User-VPN
  • By default the Aviatrix User-VPN GW (AGW) is deployed with UDP
  • AGW listens at UDP:1194 for incoming connection requests
• Aviatrix also integrates with cloud-native LB otions to support load balancing AGWs for both UDP and TCP protocols
• Aviatrix provides workflow for cloud native TCP based NLB (Network Load Balancer)
  • AGW listens at TCP:943 for incoming connection requests
• Aviatrix provides workflow for cloud native UDP based LB using the DNS
  • AGW listens at UDP:1194 for incoming connection requests

AWS LBN Supports UDP

AWS recently started supporting UDP protocol for its NLB (Network Load Balancer). Customers are looking to add support for UDP based NLB now. While this support will shortly be available in the product, there is a workaround to deploy such a topology.

Note: Aviatrix User-VPN GW uses TCP:443 for incoming heath-check probes

Deployment Overview

• Create an Aviatrix GW (AGW) with VPN Access option but without enabling cloud-native ELB integration
• This will create the AGW and by default it listens on UDP 1194 port
• Manually create AWS NLB in the AWS console with the UDP option and port 1194
• Manually create the target group with user-VPN AGW(s) in it
• Make sure to override the health-check port and use TCP 443 for it

Deployment Details

Following screen shots shows a working deployment

Topology

Deploy Aviatrix User-VPN GW

Deploy an Aviatrix User-VPN GW with “VPN Access” checked and without enabling ELB using Aviatrix Controller.

Gateway config shows following in the Aviatrix diagnostics section. Notice the port 1194 here.

"VPN Service": {
"port": {
"1194": [
"up",
"reachable"
]
},

Create a new user and assign this user to the Aviatrix User-VPN GW

Create NLB in AWS Console

Create a UDP based NLB using the AWS console. Once the NLB is created, you will notice following config in the AWS console. Notice the DNS name for this NLB. This is the name we will use later in the config.

Name: shahzad-udp-nlb
arn:aws:elasticloadbalancing:ap-southeast-1:481151252831:loadbalancer/net/shahzad-udp-nlb/a2e01e8690702d00
DNS name: shahzad-udp-nlb-a2e01e8690702d00.elb.ap-southeast-1.amazonaws.com
(A Record)

AWS Network Load Balancer

Following screen also shows the name of the NLB and the DNS name associated with it.

NLB Listner

By default the AWS UDP based NLB listen at UDP port 1194 which is the port Aviatrix GW also listen at. You can observe it in the following screen

NLB Listener Details

Now we nee to create target group that will point to the Aviatrix User-VPN GW.

Health Check Configuration for Aviatrix GW

Make sure to modify the health-check port to 443 (by default it will be configured with 1194)

Modify User-VPN Certificate File

Download the User-VPN certificate file and replace the IP address with the DNS name of the AWS NLB.

client
comp-lzo
nobind
persist-key
persist-tun
auth-nocache
tun-mtu 1500
remote shahzad-udp-nlb-a2e01e8690702d00.elb.ap-southeast-1.amazonaws.com 1194
proto udp
mssfix
route-method exe
verb 3
route-delay 2
mute 20
reneg-sec 0
cipher AES-256-CBC
auth SHA512
key-direction 1
explicit-exit-notify
dev-type tun
dev tun

Connect VPN User

Now we connect using this profile. I am using OpenVPN connect client version 2.7.1.100.

User will be connected and will show in the Aviatrix Controller UI as well

Credits

Thank you Liming Xiang and Felipe Vasconcellos for reviewing and making adjustments to this post.