I have been following this guide to set up my AWS architecture, but instead of an ssh bastion host/jump box I'd prefer to use a VPN. There are lots of guides on connecting a VPC directly to a customer router, say for connecting the office to your AWS infrastructure.
However I'd like to make several individual users who can connect to the VPN directly from their laptops no matter their location. Just like individual employees can VPN into the office network, I'd like a solution where a few users could VPN directly into the AWS infrastructure.
Is that baked into AWS, or do I have to configure a separate EC2 instance with OpenVPN/Openswan to handle it?
I would suggest using an OpenVPN solution: https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/amazon-ec2-appliance-ami-quick-start-guide/
Alternatively, if you don't want to spin up an instance just for that, you could terminate the VPN at your own firewall and provide routes to the AWS environment from there. Then you could either build your own VPN solution onsite or use whatever solution came with your edge gear.
Both OpenVPN and OpenSwan (or Libreswan) will work. I'm not sure which one I like better. OpenVPN was way easier to set up. I never got 2FA and PAM working with Openswan (or any variant).
One warning about OpenVPN: if you implement OpenVPN with 2FA, you may wish to set session key renegotiation to:
reneg-sec=0
Your client must also support this (Tunnelblick seems not to).

I also recommend a transparent ssh proxy bastion inside the VPN. This allows you to have restrictive security groups with little hassle. It's a very solid security foundation and can be extended with 2FA at each stage later if needed.
Some quick notes about the two VPN options:
OpenVPN ipsec
- The Viscosity ($9) client is way more stable than Tunnelblick
- Single incoming port
- Single config file
- NOTE: Requires some iptables work
The simplest OpenVPN instructions I've found are here You can also use a community AMI of a pre-built openvpn server. (Though I haven't tried that)
OpenSwan ipsec + l2tpd
There's a good write-up and a really nice setup script here. I stepped through the script and confirmed that it appears to be doing the right thing at each stage.
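The 2FA/renegotiation caveat in the answer above, as an added server-side configuration example (not taken from the answer or from the OpenVPN project); the plugin path, CIDRs and file names are assumed placeholders:

```conf
# Added example (not from the original post): OpenVPN server.conf fragment
# for per-user VPN access into a VPC with PAM-backed 2FA.
# Assumed values: VPC CIDR 10.0.0.0/16, tunnel subnet 10.8.0.0/24,
# plugin path /usr/lib/openvpn/openvpn-plugin-auth-pam.so (varies by distro).
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem

# Each user authenticates with a client certificate AND a PAM username/OTP;
# "openvpn" is the PAM service name to configure under /etc/pam.d/.
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

# A one-time password cannot be re-used when the TLS session re-keys, so the
# periodic renegotiation (default every 3600 s) would drop 2FA users. Disable it
# here AND on every client; renegotiation triggers if either side still has a timer.
reneg-sec 0

# Split tunnel: route only the VPC through the VPN.
push "route 10.0.0.0 255.255.0.0"

# Client-side counterpart (client.ovpn) must carry at least:
#   auth-user-pass
#   reneg-sec 0
# Security groups on the instances then allow SSH (tcp/22) only from the
# OpenVPN instance's private IP or the 10.8.0.0/24 tunnel subnet, not from 0.0.0.0/0.
```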