Client VPN Recommendations for Securing AWS Access?

I’m in search of a VPN solution to enhance security and control access to AWS resources for our corporate team. After doing a quick Google search, it appears that the AWS VPN Client might be cost-prohibitive for our needs.

I’ve come across options like Tailscale for its simplicity, Netmaker for its speed, and OpenVPN, which seem promising. Our user count is around 40-50 individuals, so cost-effectiveness and speed are crucial factors for us.

If any of you have experience with these VPN solutions or have other recommendations that align with our requirements, I would greatly appreciate your thoughts.

> or have other recommendations that align with our requirements

You haven’t really given much in terms of requirements. A few questions to start:

  1. What are the “AWS resources” you are trying to provide access to?
  2. What kind of access? SSH? RDP? Something else?
  3. How frequently are users expected to be utilizing this access?
  4. Are all 40-50 users going to need access?
  5. What made you think AWS Client VPN was cost prohibitive? How much are you expecting to spend?
  6. When you say “speed is a crucial factor for us” can you elaborate on what speed? Connection speed? Onboarding speed?
  7. What are you using for authentication?

WireGuard over OpenVPN for performance.

OpenVPN Access Server is the obvious and great choice, especially now that you can authenticate quite easily using SAML 2.0.

You get two free licenses, but additional ones are pretty cheap.

If you use the AMI from the Marketplace you can be up and running very quickly.

Been using Pritunl for a couple of years. Okta SSO support was a requirement for us. It’s built on OpenVPN.

What type of resources and access are you looking for? For most basic scenarios something like AWS Systems Manager Session Manager is good enough.

+1 on the SSM Session Manager and port forwarding capabilities. Another option is AWS Client VPN itself.

AWS Client VPN may be costly, but it saves time and maintenance, which should equate to saving money. I’ve run OpenVPN in AWS myself and it can work, but it requires a lot more care and feeding than a cloud vendor’s managed service offering.

OpenVPN if you’re looking for a client-based VPN…otherwise you could do a site-to-site IPSec tunnel to your office.

We use OpenVPN and have no issues with it…

Is this for VPC-based resources, or are you trying to restrict the AWS control plane (console/API) to a specific set of IPs as well?

OpenVPN Access Server, but if all you need is shell access, use SSM or a bastion. If all you need is web, use something like Cloudflare Access with ZTNA.

AWS Client VPN Endpoints are easy to use, easy to administer, and easily integrate with the subnets you want folks to access.

If you like the look of Tailscale check out Headscale. It’s basically a self hosted management server for the Tailscale clients so you can handle everything in-house.

Look into HashiCorp Boundary. It’s open source and inexpensive to run. We did some cost comparisons and it was, by FAR, the least expensive and had most of the features we wanted (they JUST implemented support for SSH session replay!).

Is a jump server in place of a VPN still viable for EC2 access from a security standpoint?

Is the AWS VPN crazy expensive? I run a Terraform script that spins it up when I need to run RDS migrations, then back down again afterward. It’s just for a side project with only me and another dev right now, so no idea what the expense would look like at scale.

I’ve set up the Client VPN with Azure for SAML authentication. Works well; users can use the AWS SSO portal to select an AWS account with a role and get SDK credentials.

I’ve found the client application can be a little buggy at times, at least on Mac (sometimes it doesn’t connect properly or update). But it’s not enough for us to stop using it.

Our most expensive part is the availability, as I have it connected to two subnets (which I think is required), but that is completely worthwhile. We have about 5/6 devs, and data transfer or active connections are not something to moan about.

It’s easy enough to calculate the cost for that, as you could maybe use X active connection-hours per day, 40 users, etc. Add your static costs for uptime and try to estimate data transfer based on your usage.

I suspect it won’t be your biggest cost with the size of your team.
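An added worked example (not from any poster in this thread) of the estimate described above: a small Python model of AWS Client VPN endpoint cost that separates the always-billed subnet-association hours from active connection-hours, and compares an always-on endpoint with the spin-up/spin-down pattern mentioned earlier in the thread. The per-hour rates are assumed defaults; verify them against the current AWS pricing page, and data transfer is left out because it depends on your usage.

```python
from dataclasses import dataclass

# Assumed per-hour rates (USD). These are placeholders to verify against the
# AWS Client VPN pricing page for your region before relying on the result.
ASSOC_RATE = 0.10   # per associated subnet per hour, billed while the endpoint exists
CONN_RATE = 0.05    # per active client connection per hour

HOURS_PER_MONTH = 730  # AWS billing convention for a month


@dataclass
class VpnUsage:
    users: int                  # people who will actually connect
    hours_per_user_day: float   # average connected hours per user per working day
    subnets: int = 2            # associated subnets (two for availability, as in the thread)
    work_days: int = 22         # working days per month on which people connect


def monthly_cost(u: VpnUsage, always_on: bool = True,
                 uptime_hours_day: float = 24.0) -> dict:
    """Return a breakdown of the monthly endpoint cost in USD.

    always_on=True: the endpoint stays associated all month (730 h), so the
    association charge accrues even when nobody is connected.
    always_on=False: the endpoint is only associated for uptime_hours_day on
    work days (the Terraform spin-up/spin-down pattern), which is where the
    saving comes from; connection-hours are the same either way.
    """
    assoc_hours = HOURS_PER_MONTH if always_on else uptime_hours_day * u.work_days
    association = u.subnets * assoc_hours * ASSOC_RATE
    conn_hours = u.users * u.hours_per_user_day * u.work_days
    connections = conn_hours * CONN_RATE
    return {
        "association": round(association, 2),
        "connections": round(connections, 2),
        "total": round(association + connections, 2),
    }


if __name__ == "__main__":
    # Constructed scenario: 40 users, 2 connected hours each per working day.
    team = VpnUsage(users=40, hours_per_user_day=2.0)
    print("always on :", monthly_cost(team))
    print("on demand :", monthly_cost(team, always_on=False, uptime_hours_day=10))
```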

Apache Guacamole may achieve what you want; it’s not a VPN, but it will allow remote connection to resources (RDP, SSH, Telnet) via HTTPS.

It’s open source, and a low-spec Linux EC2 instance will serve you well.

Pritunl is a fixed yearly cost per server. It supports OpenVPN and WireGuard. It also supports Windows, macOS, and Linux. It isn’t perfect, but it is the best option I have found.

Been happy with Twingate.