AWS Client VPN is connecting to VPC but can't access to Internet

0

Hi there,

I am struggling with this issue around a week. I setup a VPC, public subnet, security group and Client VPN. I am able to connect with AWS VPN Client into the VPC which I can ping/ssh an EC2 instance provisioned in the public subnet and ping outside world within that ec2. However, I can't ping anything from my local machine which I am guessing because of the OS DNS Server configuration which is set to 192.168.1.1. This is exactly the same issue described from https://repost.aws/questions/QUedk6QWR_SluIj4-DrHCPmw/aws-client-vpn-connected-but-cannot-access-internet

Here are the main details of the resources I provisioned.

VPC: 172.31.0.0/16
Subnet: 172.31.0.0/20. And it has route table as below;
   Destination	Target
   172.31.0.0/16	local
   0.0.0.0/0	        igw-e518ba82

Security Group: All Traffic for Inbound and Outbound
VPN Client:
  DNS Server: 172.31.0.2
  Split Tunnel: Disabled
  Route Table: Destination CIDR: 172.31.0.0/16, Target Subnet: The one from above
  Authorization Rule:  Access All: True Destination: 0.0.0.0/0

Also here the logs from ovpn_aws_vpn_client_20230425.log log file.

2023-04-25 17:31:13.161 +03:00 [DBG] CM processsing: >LOG:1682433070,,PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,block-outside-dns,dhcp-option DOMAIN-ROUTE .,route-gateway 1.0.0.33,topology subnet,ping 1,ping-restart 20,ifconfig 1.0.0.34 255.255.255.224,peer-id 0,cipher AES-256-GCM'
2023-04-25 17:31:13.161 +03:00 [DBG] CM processsing: >LOG:1682433070,N,Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:2: block-outside-dns (2.4.5)
2023-04-25 17:31:13.161 +03:00 [DBG] CM processsing: >LOG:1682433070,,OPTIONS IMPORT: timers and/or timeouts modified
2023-04-25 17:31:13.161 +03:00 [DBG] CM processsing: >LOG:1682433070,,OPTIONS IMPORT: --ifconfig/up options modified
2023-04-25 17:31:13.161 +03:00 [DBG] CM processsing: >LOG:1682433070,,OPTIONS IMPORT: route options modified
2023-04-25 17:31:13.161 +03:00 [DBG] CM processsing: >LOG:1682433070,,OPTIONS IMPORT: route-related options modified
2023-04-25 17:31:13.161 +03:00 [DBG] CM processsing: >LOG:1682433070,,OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-04-25 17:31:13.161 +03:00 [DBG] CM processsing: >LOG:1682433070,,OPTIONS IMPORT: peer-id set
2023-04-25 17:31:13.161 +03:00 [DBG] CM processsing: >LOG:1682433070,,OPTIONS IMPORT: adjusting link_mtu to 1624
2023-04-25 17:31:13.161 +03:00 [DBG] CM processsing: >LOG:1682433070,,OPTIONS IMPORT: data channel crypto options modified
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433070,,Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433070,,Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433070,,ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=en8 HWADDR=14:4f:d7:c0:0e:90
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433070,,Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433070,,Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433070,,Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433070,,Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433070,,Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433070,I,Opened utun device utun5
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433070,D,do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433070,,MANAGEMENT: >STATE:1682433070,ASSIGN_IP,,1.0.0.34,,,,
2023-04-25 17:31:13.162 +03:00 [DBG] CM received state: >LOG:1682433070,,MANAGEMENT: >STATE:1682433070,ASSIGN_IP,,1.0.0.34,,,,
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >STATE:1682433070,ASSIGN_IP,,1.0.0.34,,,,
2023-04-25 17:31:13.162 +03:00 [DBG] CM received state: >STATE:1682433070,ASSIGN_IP,,1.0.0.34,,,,
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433070,I,/sbin/ifconfig utun5 delete
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433070,I,NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433070,I,/sbin/ifconfig utun5 1.0.0.34 1.0.0.34 netmask 255.255.255.224 mtu 1500 up
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433070,,/sbin/route add -net 1.0.0.32 1.0.0.34 255.255.255.224
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433070,I,/Applications/AWS VPN Client/AWS VPN Client.app/Contents/Resources/openvpn/client.up utun5 1500 1552 1.0.0.34 255.255.255.224 init
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433073,,/sbin/route add -net 3.229.217.52 192.168.1.1 255.255.255.255
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433073,,/sbin/route add -net 0.0.0.0 1.0.0.33 128.0.0.0
2023-04-25 17:31:13.162 +03:00 [DBG] CM processsing: >LOG:1682433073,,/sbin/route add -net 128.0.0.0 1.0.0.33 128.0.0.0
2023-04-25 17:31:13.163 +03:00 [DBG] CM processsing: >LOG:1682433073,W,WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-04-25 17:31:13.163 +03:00 [DBG] CM processsing: >LOG:1682433073,I,Initialization Sequence Completed
2023-04-25 17:31:13.163 +03:00 [DBG] CM processsing: >LOG:1682433073,,MANAGEMENT: >STATE:1682433073,CONNECTED,SUCCESS,1.0.0.34,3.229.217.52,443,,
2023-04-25 17:31:13.163 +03:00 [DBG] CM received state: >LOG:1682433073,,MANAGEMENT: >STATE:1682433073,CONNECTED,SUCCESS,1.0.0.34,3.229.217.52,443,,
2023-04-25 17:31:13.163 +03:00 [DBG] Starting DNS monitoring thread for Mac
2023-04-25 17:31:13.163 +03:00 [DBG] Current OpenVPN PID is 93587
2023-04-25 17:31:13.163 +03:00 [DBG] Got DNS server string:  from the DNS verification file
2023-04-25 17:31:13.163 +03:00 [DBG] PID specified in the DNS verification file is 93587
2023-04-25 17:31:13.163 +03:00 [DBG] Current OpenVPN PID matches PID specified in the DNS verification file. Fetching DNS servers
2023-04-25 17:31:13.163 +03:00 [DBG] Checking if  is an IPv4 address
2023-04-25 17:31:13.163 +03:00 [DBG]  is not in IPv4 format. Ignore
2023-04-25 17:31:13.163 +03:00 [DBG] DNS servers for OpenVPN with pid 93587:
2023-04-25 17:31:13.163 +03:00 [DBG] DNS is not configured for this connection. Quit DNS monitoring thread

Here is the example contents of resolv.conf file if it helps

$ cat /etc/resolv.conf | grep nameserver
nameserver 192.168.1.1
nameserver 192.168.1.1

Thanks for the help! Burak

1 Risposta
4
Risposta accettata

Do you want to route all your internet traffic via your VPN? If not, enable split tunnel VPN

I see the problem in your configuration. You have connected the VPN endpoint to a subnet that has a default route 0.0.0.0/0 to an internet gateway (IGW).

The VPN Client needs to be attached to a subnet that has a default route 0.0.0.0/0 to a NAT Gateway in-order to provide a public Internet Address for all outbound traffic. Then that subnet where the NAT Gateway exists will need a default route to the internet gateway. Standard public and private Subnet deployment in AWS

The traffic will have no public IP Address in your setup when trying to access the internet so routing will fail and will be dropped.

Details here https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html

profile picture
ESPERTO
con risposta un anno fa
profile picture
ESPERTO
verificato 2 mesi fa
  • Hi Gary, thanks! I created a NAT GW and attached it into the Public Subnet I was using. Additionally, I created a new Route Table for the Private Subnet (172.31.16.0/20) with having default route 0.0.0.0 pointing to the NAT GW, however, I still can't connect to the Internet. By the way, yes I want to route all internet traffic via my VPN so I didn't enable split tunnel.

  • Ok, I would double check the routing table is applied to the private subnet.

    Did you create a PUBLIC Nat Gateway?

    In the VPC Page, please select the VPC, and then Resource Map. Select the private subnet you have and make sure it maps all the way to the Nat Gateway on the right of the page Select the public subnets and make sure they all route to the internet gateway to the right. Make sure 100% your nat gateways are in the public subnet and not private. Your NAT gateway will need a public IP. If you select the NAT Gateway it should say there is 1 ENI with 1 EIP The Network Connections column on the right should have your NAT Gateway and IGW listed with paths from your subnets.

  • hey Gary, thanks again

    1. Yes, I created NAT Gateway in the Public Subnet. It has public and private IPv4 addresses, 1 ENI with 1 EIP
    2. Yes, the Private Subnet goes through Nat Gateway by its own Route Table.
    3. All the Public Subnets are routing to Interget Gateway by the main Route Table.
    4. Network connections column on the right has listed NAT Gateway and IGW with paths from all subnets.

    I started to believe the problem is about my local computer's DNS setting not the AWS configuration. Can it be?

  • hey Gary,

    I am almost sure that the problem is from my local network setting from macos. When I connect with Tunnelblick I get an error mentioning about my local DNS server.

    2023-04-29 00:35:34.958899 Initialization Sequence Completed 2023-04-29 00:35:34.958949 MANAGEMENT: >STATE:1682717734,CONNECTED,SUCCESS,1.0.1.2,34.233.233.86,443,, 2023-04-29 00:35:36.069844 *Tunnelblick: Warning: DNS server address 192.168.1.1 is being used but should not be used. That may indicate that more than one network interface is active. Tunnelblick does not support multiple active network interfaces.

  • Have you tried using the native aws vpn client? I’ve not used tunnelbrick myself.

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande