Client VPN and overlapping subnets

0

Hello,

I've got a Client VPN setup right now that is connecting my users to a particular VPC. That VPC has a very low CIDR range in the 10.0.0.0/8 block. I am running into issues where users connecting to the Client VPN endpoint have overlapping home subnets. Their client-assigned IP ranges are well outside of that block (in the upper 10.0.0.0/8 block). The problem I'm running into is that I'm using the AWS built-in DNS range (the .2 DNS) as an assigned DNS. This works great if my users have a subnet in some other RFC1918 range or some other block in the 10.0.0.0 address space. But when there's overlap, there's fire. I thought that it might work if I abandoned split-tunnel mode and went to full-tunnel mode, but that doesn't seem to be the case. The VPN client we're using (Tunnelblick) doesn't accept the DNS and I get messages like...

=========CIDR conflict, routing failed=========. 2024-02-28 10:25:27.668408 *Tunnelblick: Routing info stdout: route to: 10.x.x.2 destination: 10.x.x.2 interface: en0. <++++++++++++

This is not really surprising considering the overlapping home and destination subnets. But this seems like a well-known issue. Is it just the case that you can't have any overlap between your home network and your destination network? How do you plan for something like this, and how can you work around it if you can't control a user's home network ranges?

Thanks for your time and advice!

asked 2 months ago, 243 views
3 answers
1

The easiest and best solution would be to use the 100.64.0.0/10 address space in your VPC and rebuild the VPN. It is less likely to clash.

answered 2 months ago
0

You have no control over your clients' home network setups. They could be using common ranges like 10.0.0.0/8 or 192.168.x.x. Dictating to users what their home network setup should be is usually not practical.

The most straightforward solution is to reconfigure your VPC to use a different, non-overlapping CIDR range. If this isn't feasible due to existing resources and dependencies, the other options involve trade-offs.

Set up Network Address Translation (NAT) on the VPC side. This maps the overlapping client addresses to a unique, non-overlapping subnet within the VPC. It requires some networking configuration but avoids client-side complexity.

EXPERT
answered 2 months ago
EXPERT
verified 2 months ago
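A pre-flight check for the design problem discussed in the question and in the first two answers, as an added example that is not code from the thread or from AWS: it reports which typical home networks would shadow the VPC CIDR, the client address pool, or the VPC's ".2" resolver address, and contrasts a low-10/8 VPC with the 100.64.0.0/10 layout suggested above. The home network list and all CIDRs are constructed sample values.

```python
"""Overlap check for an AWS Client VPN design (added example, constructed values)."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List


def resolver_address(vpc_cidr: str) -> IPv4Address:
    """The VPC DNS resolver lives at the VPC base address plus two (the ".2 DNS")."""
    return IPv4Network(vpc_cidr).network_address + 2


def check_overlaps(vpc_cidr: str, client_pool: str,
                   home_networks: List[str]) -> Dict[str, List[str]]:
    """Return, per home network, which design elements it overlaps with.

    A home network containing the resolver address is the case behind the
    'CIDR conflict, routing failed' symptom: the client's local LAN route
    wins and DNS traffic never reaches the VPC.
    """
    vpc = IPv4Network(vpc_cidr)
    pool = IPv4Network(client_pool)
    if vpc.overlaps(pool):
        raise ValueError("client pool must not overlap the VPC CIDR")
    dns = resolver_address(vpc_cidr)
    report: Dict[str, List[str]] = {}
    for cidr in home_networks:
        home = IPv4Network(cidr)
        problems = []
        if home.overlaps(vpc):
            problems.append("vpc")
        if home.overlaps(pool):
            problems.append("client-pool")
        if dns in home:
            problems.append("dns-resolver")
        if problems:
            report[cidr] = problems
    return report


# Constructed sample values: common consumer-router defaults.
COMMON_HOME_NETWORKS = ["192.168.0.0/24", "192.168.1.0/24",
                        "10.0.0.0/24", "10.0.1.0/24", "172.16.0.0/24"]

if __name__ == "__main__":
    # Layout from the question: low 10/8 VPC, client pool high in 10/8.
    print(check_overlaps("10.0.0.0/16", "10.200.0.0/22", COMMON_HOME_NETWORKS))
    # Layout from the first answer: RFC 6598 shared address space.
    print(check_overlaps("100.64.0.0/16", "100.100.0.0/22", COMMON_HOME_NETWORKS))
```

Run it before changing a VPC CIDR or client pool to see which home networks would still collide; an empty report means none of the listed ranges conflicts.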
0

Not really answering the question (although the answer is "It isn't easy to connect networks with overlapping IP addresses") and there are situations where IP overlap is unavoidable no matter what you do, but: this blog post might be of assistance. Perhaps.

AWS
EXPERT
answered 2 months ago
