What is the difference between AWS site-to-site VPN and AWS client VPN?

Solution 1:

In general the protocol doesn't have much to do with it. You can have IPSec tunnels in both site-to-site or client (aka road warrior) configurations, just like you can have OpenVPN (TLS) tunnels in both site-to-site or client setups. It's a matter of configuration and purpose, not the protocol used.

Site-to-Site VPN

  • typically 1-to-1 configurations
  • both sides in general have similar configuration
  • both sides have fixed IP address
  • either side can initiate or restart the connection
  • both typically have a network behind them (e.g. two office networks connected)
  • you can run a routing protocol (BGP, OSPF, ...) over the tunnel
  • the networks can communicate both ways

Client-to-Site VPN

  • typically N-to-1 configurations, with N clients connecting to 1 server
  • server and client configs are different
  • clients don't need fixed IP address
  • only clients initiate the connections (because the server doesn't know the client's current IP)
  • client is typically just a single laptop with no network behind it
  • routing only permits one IP per client, no BGP or OSPF supported
  • only client-to-site connectivity (to the network behind the server) is permitted; generally the site can't initiate a connection to the client

That's roughly the difference between site-to-site and client-to-site VPNs.

In AWS the VPN Gateway uses the IPsec protocol and the Client VPN uses the OpenVPN protocol, but that's just how AWS implemented the services. However, in general it's perfectly possible to use either protocol in either setup.

Hope that helps :)
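To make the "configuration, not protocol" point of the answer above concrete, here is an added example (not from the answer's author and not AWS configuration) showing the same protocol, IKEv2/IPsec in strongSwan's ipsec.conf syntax, set up once as a site-to-site tunnel and once as a client-to-site ("road warrior") service. All IP addresses, subnets, identities and certificate file names are constructed placeholders (RFC 5737 documentation ranges for the public addresses).

```ini
# Site-to-site: /etc/ipsec.conf on Site A (constructed example).
# Site B runs the mirror image of this block with the left*/right* values swapped,
# which is the "both sides have similar configuration" property from the answer.
conn site-a-to-site-b
    keyexchange=ikev2
    # both sides have a fixed public IP that is known in advance
    left=203.0.113.10
    right=198.51.100.20
    leftid=@site-a.example
    rightid=@site-b.example
    # both sides have a whole network behind them; traffic flows both ways
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    leftauth=pubkey
    rightauth=pubkey
    leftcert=site-a-cert.pem
    # auto=start: this side may bring the tunnel up itself (so may the peer)
    auto=start

# Client-to-site ("road warrior"): /etc/ipsec.conf on the VPN server only.
# Each laptop gets a different, much smaller client config; there is no mirror image.
conn road-warrior
    keyexchange=ikev2
    left=203.0.113.10
    leftid=@vpn.example
    # the only network reachable through the tunnel is the one behind the server
    leftsubnet=10.1.0.0/16
    leftauth=pubkey
    leftcert=vpn-server-cert.pem
    # right=%any: clients have no fixed address and may connect from anywhere
    right=%any
    # each client authenticates with its own certificate
    rightauth=pubkey
    # exactly one virtual IP is handed out per client; no subnet, no BGP/OSPF
    rightsourceip=10.200.0.0/24
    # auto=add: the server only loads the policy and waits; it cannot initiate
    auto=add
```

Reading the two blocks side by side, every bullet in the answer's lists maps to one knob: fixed `right=` versus `right=%any`, `rightsubnet=` versus a single `rightsourceip=` lease, and `auto=start` versus `auto=add`. The cipher suite and key exchange are identical, so the protocol never decided which kind of VPN this is.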

Solution 2:

you should always use TLS on the application layer anyway, even on top of client VPN

TLS is a protocol that has many different uses. The most common one is in HTTPS, but many other protocols use it too, as it's a standard way to encrypt network traffic. That's the application level.

In AWS Client VPN it's being used one level down - to encrypt the actual network layer traffic (level 3), regardless of what's passing through the tunnel. They chose to use TLS because it's a standard well known protocol.

Amazon could have implemented Client VPN with IPsec or even invent their own protocol but they chose TLS because it's a proven technology.

And yes, you can indeed use HTTPS over this VPN which is technically TLS over TLS but with different endpoints and certificates.