New Client VPN Setup

I have a single account with 1 VPC, no peering, no transit gateway, etc.

I set up Client VPN and can connect properly.

I updated the instances' EC2 security groups to allow communication from the Client VPN subnet. I ran a tcpdump on the instance and traffic does not get to the instance. My netstat -nr shows a route through the VPN tunnel to get to the instances.

I have associated the target subnet and set up authorization for all users.

I can't seem to get traffic from the VPN client to the server.

Anyone have any other thoughts? I am on a mac, going to test on PC next.

Thank you for your assistance in advance.

3 answers
Hello.

Is it possible to enable VPC flow logs and check whether traffic connected with ClientVPN is reaching the VPC?
If it has reached the VPC, please check if any "REJECT" actions are recorded in the log.
https://docs.aws.amazon.com/vpc/latest/userguide/working-with-flow-logs.html

Expert
answered 4 months ago
It sounds like you've covered the bases. There are a few things you might want to check/try:

  • Put an EC2 instance in the subnet with the Client VPN endpoint. This will eliminate any routing/NACL issues.
  • Verify in the Security Group being used on the EC2/Server that the inbound rules do not include any Security Group names in the Source specification - it should be 0.0.0.0/0. Default Security Groups will have inbound rules that allow all inbound traffic from members of the same security group.
AWS
answered 3 months ago
I figured it out. Client VPN creates 2 NAT addresses in the network interfaces; you have to allow those IPs to allow the traffic. To figure it out, I enabled all traffic and was able to connect. Then I tcpdumped on the hosts to identify where the traffic was coming from. Then I found the network interfaces with that IP. Question can be closed, and thank you for your help!

JimmyG
answered 3 months ago
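The two answers above (check VPC flow logs for REJECT records, then find the Client VPN endpoint's network interfaces and allow their addresses) can be tied together in a small check. The script below is an added example, not code from the post or from AWS: it correlates constructed flow-log records with a constructed describe-network-interfaces result and lists the /32 source addresses the instance's security group is currently rejecting. The ENI description text used to recognise the endpoint's interfaces, the endpoint id and all addresses are assumptions.

```python
# Added example: correlate VPC flow-log REJECT records with the Client VPN endpoint's
# network interfaces to find the NAT source IPs the instance's security group must allow.
# All data below is constructed; real input would come from CloudWatch Logs / S3 and
# `aws ec2 describe-network-interfaces`.
import ipaddress

# Constructed flow-log records in the default format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG_LINES = """\
2 123456789012 eni-0aaaa1111 10.0.1.37 10.0.2.10 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaaa1111 10.0.1.88 10.0.2.10 51235 443 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaaa1111 10.0.2.55 10.0.2.10 40000 443 6 5 900 1700000000 1700000060 ACCEPT OK
""".splitlines()

# Constructed subset of describe-network-interfaces output. Client VPN creates its ENIs in
# the associated subnet; the description wording and endpoint id here are assumptions.
NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-0cvpn0001", "PrivateIpAddress": "10.0.1.37",
     "Description": "Client VPN endpoint cvpn-endpoint-EXAMPLE (hypothetical id)"},
    {"NetworkInterfaceId": "eni-0cvpn0002", "PrivateIpAddress": "10.0.1.88",
     "Description": "Client VPN endpoint cvpn-endpoint-EXAMPLE (hypothetical id)"},
    {"NetworkInterfaceId": "eni-0aaaa1111", "PrivateIpAddress": "10.0.2.10",
     "Description": "Primary network interface"},
]

def rejected_sources(lines, dst_ip):
    """Return the set of source IPs whose traffic to dst_ip was REJECTed."""
    sources = set()
    for line in lines:
        f = line.split()
        if len(f) >= 13 and f[4] == dst_ip and f[12] == "REJECT":
            sources.add(f[3])
    return sources

def client_vpn_nat_ips(interfaces, endpoint_marker="Client VPN endpoint"):
    """Map private IP -> ENI id for interfaces created by the Client VPN endpoint."""
    return {i["PrivateIpAddress"]: i["NetworkInterfaceId"]
            for i in interfaces if endpoint_marker in i.get("Description", "")}

def required_ingress_cidrs(lines, interfaces, dst_ip):
    """/32 CIDRs of Client VPN NAT addresses that the instance's security group rejects."""
    nat = client_vpn_nat_ips(interfaces)
    return sorted(f"{ipaddress.ip_address(ip)}/32"
                  for ip in rejected_sources(lines, dst_ip) if ip in nat)

if __name__ == "__main__":
    for cidr in required_ingress_cidrs(FLOW_LOG_LINES, NETWORK_INTERFACES, "10.0.2.10"):
        print("allow inbound from", cidr)
```

Allowing only these /32 addresses (or the whole associated subnet's CIDR) keeps the security group narrower than the "all traffic" rule used during troubleshooting.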
