Fred Damstra [afs macbook] b8c0c7de47 Working Connection Handler 3 years ago

files b8c0c7de47 Working Connection Handler 3 years ago
README.md 5d16b37ade Archives the Cisco VPN Module; Unarchives the AWS VPN Module for Another Look 3 years ago
auth.tf 5d16b37ade Archives the Cisco VPN Module; Unarchives the AWS VPN Module for Another Look 3 years ago
certificate.tf 5d16b37ade Archives the Cisco VPN Module; Unarchives the AWS VPN Module for Another Look 3 years ago
cloudwatch.tf 5d16b37ade Archives the Cisco VPN Module; Unarchives the AWS VPN Module for Another Look 3 years ago
lambda.tf b8c0c7de47 Working Connection Handler 3 years ago
outputs.tf b8c0c7de47 Working Connection Handler 3 years ago
saml.tf 5b6e0308cd Updates VPC endpoints ACL to 10/8; AWS VPN Additions 3 years ago
security-groups.tf 5d16b37ade Archives the Cisco VPN Module; Unarchives the AWS VPN Module for Another Look 3 years ago
terragrunt.hcl.example 5d16b37ade Archives the Cisco VPN Module; Unarchives the AWS VPN Module for Another Look 3 years ago
vars.tf 5b6e0308cd Updates VPC endpoints ACL to 10/8; AWS VPN Additions 3 years ago
vpn.tf 5b6e0308cd Updates VPC endpoints ACL to 10/8; AWS VPN Additions 3 years ago

README.md

AWS Client VPN

Users must download the AWS VPN client: https://aws.amazon.com/vpn/client-vpn-download/

They must also be provided with the configuration file, which can be downloaded from VPC -> Client VPN Endpoints in the AWS console (it is the same file for every user; a self-service portal is possible but is not set up here).

Findings:

Pros:

  • SAML works great, meaning we could use either RHSSO or Okta and easily move from one to the other or to a different IdP.
  • Pricing seems reasonable. Base price of $0.10/hour for the VPN + $0.05/hour per connection.
  • The ability to write a Lambda function to handle connections gives us some great flexibility to handle connection-related requirements (e.g. allowing only 2 concurrent connections).

Cons:

  • It requires an OpenVPN client that supports “auth-federate”, which does not include Viscosity. (But AWS has a free client of its own for OS X, Windows, and Ubuntu, and the community OpenVPN client should work.)
  • It does not appear to play nice with Zscaler. We may be able to work with their team to get it working, but that is uncertain.
  • It does not have a lot of flexibility. Configuration is the bare minimum: networks, split tunneling, and DNS servers. I suspect we have FedRAMP requirements we’d be unable to meet. With some ingenuity, some of it could be addressed via the connection handler and/or Lambda functions.

Summary/Conclusion

That last bullet, I think, is a big strike against this as a VPN solution to solve the split-tunneling issue. For example, there’s no idle timeout setting (which is an absolutely absurd setting to have on a non-split-tunneled VPN, btw), and the current AWS response is basically, “Write a Lambda function to disconnect users after a time period.” I admire the flexibility (“just write some Python”) but also hate the complexity of it (“just maintain some Python somebody else wrote”).
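As an added example (not the repository's lambda.tf code), here is the kind of Python client-connect handler the Pros bullet and the conclusion refer to, enforcing the two-concurrent-connections rule and failing closed on malformed events. The event and response field names follow the Client VPN connect-handler contract as I understand it and are an assumption here, as are the constructed session table and the handler name.

```python
"""Added example (not the repository's lambda.tf code): a Client VPN
client-connect handler that enforces a per-user concurrent-session cap."""
import json
import logging
from typing import Any, Callable, Dict

log = logging.getLogger(__name__)
MAX_SESSIONS_PER_USER = 2  # the README's "only 2 concurrent connections"
SCHEMA_VERSION = "v1"      # schema version carried in connect-handler events

# Constructed sample of active sessions per username. A deployed handler
# would query ec2:DescribeClientVpnConnections for the endpoint instead;
# the lookup is injectable so the decision logic runs offline.
SAMPLE_ACTIVE_SESSIONS: Dict[str, int] = {"alice": 2, "bob": 1}

def count_active(username: str) -> int:
    return SAMPLE_ACTIVE_SESSIONS.get(username, 0)

def build_response(allow: bool, reason: str = "") -> Dict[str, Any]:
    # Response shape the Client VPN connect-handler contract expects (assumed).
    return {
        "allow": allow,
        "error-msg-on-failed-posture-compliance": "" if allow else reason,
        "posture-compliance-statuses": [],
        "schema-version": SCHEMA_VERSION,
    }

def decide(event: Dict[str, Any],
           count_fn: Callable[[str], int] = count_active) -> Dict[str, Any]:
    """Fail closed: an unknown schema or a missing username is denied, so a
    malformed event cannot slip past the cap."""
    if event.get("schema-version") != SCHEMA_VERSION:
        return build_response(False, "Unsupported connect-handler schema")
    username = event.get("username")
    if not username:
        return build_response(False, "Connection request has no username")
    active = count_fn(username)
    allow = active < MAX_SESSIONS_PER_USER
    # Structured CloudWatch log line so cap hits are easy to alert on.
    log.info(json.dumps({"user": username, "active": active, "allow": allow,
                         "connection-id": event.get("connection-id"),
                         "public-ip": event.get("public-ip")}))
    if allow:
        return build_response(True)
    return build_response(
        False, f"Session limit of {MAX_SESSIONS_PER_USER} already reached")

def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    return decide(event)  # Lambda entry point; handler name is assumed
```

The same shape extends to the idle-timeout workaround the conclusion mentions: the decision function stays pure and the data source (session counts, last-activity timestamps) is injected, so the policy can be unit-tested without touching the endpoint.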