The best VPN solutions I have worked with so far:
The best VPN solution I have worked with is Aviatrix OpenVPN. Here are some of the reasons why:
It allows having more than one SAML authentication.
It has never gone down during the last 6 years I have worked with..
Aviatrix VPN Client has been installed and worked perfectly on every single MacBook and Windows machine that our users have.
They have the best technical and customer support. AWS support is amazing, but Aviatrix support is way better, faster, and more technical. Even if they do not know the solution, they can call their colleague right onto the call and fix the issue.
Downside of Aviatrix VPN:
Needs to run updates on the controller and gateway nodes. Although it is just a matter of logging into the controller, dry run the update, and then updating if the dry run succeeded.
During the last six years, twice we had to work with Aviatrix support to update EC2 images that reached end of life support.
The worse VPN solutions I have worked with so far:
Worse VPN solution I worked with is AWS Client VPN.
It is advertised as server-less which was a big selling point to me originally. How good it is not to run regular updates on a server-less VPN. It is nice to pay per usage and not have resources running all the time (Aviatrix is running on EC2 instances all the time.). But in practice it was not what was advertised:
AWS Client VPN is the worst AWS Service I have ever worked with. We deployed an AWS Client VPN. As per our use case, we had to disable split tunnel and have all the traffic go via the AWS Client VPN. Then started on-boarding users to this solution.
Some users when they were connected to AWS Client VPN were losing Internet connection completely. Upon working with AWS support, they told us there are conflicts between user’s network IPs and AWS Client VPN IPs.
We deployed 3 other AWS Client VPNs with CIDR blocks recommended by AWS to prevent any conflicts. Still, some users were losing connection to the Internet as soon as connected to the AWS Client VPN.
While using AWS Client VPN, the Internet connection was dropping for a few seconds sometimes. This was the most frustrating issue we faced.
Once we connected to AWS Client VPN some of our CLI command lines were not working. For example, Heroku CLI could not connect to Internet while we were able to browse the web.
AWS Client VPN support was the worst AWS support we ever dealt with. They were not helpful, blaming the latest version of MacOS as the issue (latest version and not beta version)...
Lesson learned from trying AWS Client VPN and failing at it:
AWS cannot be the best in every solution.
Some server-less solutions are not where they should be yet (they are not mature enough yet).
It is good to try new solutions and update the infrastructure. However, I should not have spent so much time deploying the 3rd and the 4th AWS Client VPN. I could have concluded the evaluation of this solution with only two deployments.