Client VPN and overlapping subnets

0

Hello,

I've got a client vpn setup right now that is connecting my users to a particular VPC. That VPC has a very low cidr range on the 10.0.0.0/8 block. I am running into issues where users connecting to the client endpoint VPN have overlapping home subnets. Their client assigned IP ranges are well outside of that block (in the upper 10.0.0.0/8 block). The problem I'm running into is that I'm using the AWS built in DNS range (the .2 DNS) as an assigned DNS. This works great if my users have a subnet in some other RFC1918 range or some other block in the 10.0.0.0 address space. But when there's overlap, there's fire. I thought that it might work if I abandoned split tunnel mode and went to full tunnel mode, but that doesn't seem to be the case. The VPN client we're using (tunnelblick) doesn't accept the DNS and I get messages like...

=========CIDR conflict, routing failed=========. 2024-02-28 10:25:27.668408 *Tunnelblick: Routing info stdout: route to: 10.x.x.2 destination: 10.x.x.2 interface: en0. <++++++++++++

This is not really surprising considering the home and destination overlapping subnets. But this seems like a well-known issue - Is it just the case that you can't have any overlap between your home network and your destination network? How do you plan for something like this, and how can you work around it if you can't control a user's home network ranges?

Thanks for your time and advice!

Asked 2 months ago, 242 views
3 answers
1

Easiest and best solution would be to use 100.64.0.0/10 address space in your VPC and rebuild the VPN. It is less likely it's going to clash.

Answered 2 months ago
0

You have no control over your clients' home network setups. They could be using common ranges like 10.0.0.0/8 or 192.168.x.x. Dictating to users what their home network setup should be is usually not practical.

The most straightforward solution is to reconfigure your VPC to use a different, non-overlapping CIDR range. If this isn't feasible due to existing resources and dependencies, the other options involve trade-offs.

Set up Network Address Translation (NAT) on the VPC side. This maps the overlapping client addresses to a unique, non-overlapping subnet within the VPC. It requires some networking configuration but avoids client-side complexity.

Expert
Answered 2 months ago
Expert
Reviewed 2 months ago
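A pre-flight overlap check for the advice in the two answers above (move the VPC to 100.64.0.0/10, or otherwise make sure the VPC, the .2 resolver and the client pool cannot collide with a user's home LAN). This is example code written for this thread, not from the asker or either answerer; the CIDRs are constructed samples, since the question only says the VPC sits low in 10.0.0.0/8 and the client pool sits high in it.

```python
import ipaddress

# Constructed sample values (not from the question).
VPC_CIDR = "10.0.0.0/16"
CLIENT_POOL = "10.200.0.0/22"
HOME_LANS = ["10.0.0.0/24", "192.168.1.0/24", "172.16.5.0/24", "10.200.1.0/24"]


def vpc_dns_resolver(vpc_cidr):
    """AWS places the VPC DNS resolver at the VPC base address + 2 (the '.2 DNS')."""
    net = ipaddress.ip_network(vpc_cidr)
    return net.network_address + 2


def overlap_report(vpc_cidr, client_pool, home_lans):
    """Map each home LAN to the VPN-side ranges it collides with.

    Tags: 'vpc' (routes to the VPC are shadowed), 'dns' (the pushed resolver
    address is inside the home LAN, so DNS goes out the wrong interface) and
    'client_pool' (the assigned tunnel address collides with the home LAN).
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    pool = ipaddress.ip_network(client_pool)
    dns = vpc_dns_resolver(vpc_cidr)
    report = {}
    for lan in home_lans:
        lan_net = ipaddress.ip_network(lan)
        problems = []
        if lan_net.overlaps(vpc):
            problems.append("vpc")
        if dns in lan_net:
            problems.append("dns")
        if lan_net.overlaps(pool):
            problems.append("client_pool")
        report[lan] = problems
    return report


def is_clash_free(vpc_cidr, client_pool, home_lans):
    """True when no home LAN collides with the VPC, its resolver or the client pool."""
    return not any(overlap_report(vpc_cidr, client_pool, home_lans).values())


if __name__ == "__main__":
    print(overlap_report(VPC_CIDR, CLIENT_POOL, HOME_LANS))
    # The 100.64.0.0/10 layout suggested above, checked against the same home LANs.
    print(is_clash_free("100.64.0.0/16", "100.100.0.0/22", HOME_LANS))
```

Run it against the RFC1918 ranges your users actually report, not just the samples; the point is to pick VPC and pool ranges for which the report comes back empty for every one of them.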
0

Not really answering the question (although the answer is "It isn't easy to connect networks with overlapping IP addresses") and there are situations where IP overlap is unavoidable no matter what you do, but: this blog post might be of assistance. Perhaps.

AWS Expert
Answered 2 months ago
