
Client VPN Endpoint local traffic routing dysfunctional

0

Hi,

I have set up a client VPN endpoint, with an assigned range of 172.16.48.0/20. In order for clients to be able to directly communicate with each other, I set up a route with a destination CIDR of 172.16.48.0/20 with a target of local. The routing inside the VPC is also set up and works fine. I added authorization rules for 0.0.0.0/0 and 10.16.0.0/16 with Access all set to true.

Now the problem is that we experience issues with the connectivity between clients, no matter where they are located (my own laptop, an EC2 instance in the associated VPC, ...). A client with an assigned IP of e.g. 172.16.48.1 is not able to communicate in any way (ping/ssh/...) with another client with an IP of 172.16.49.4. After a lot of tries I noticed the regularity that there seems to be no traffic allowed between the ranges 172.16.48.* and 172.16.49.*, which seems like a bug to me.

I double- and triple-checked (me + Anthropic's Claude) the routing tables and they seem OK. I tried a no-pull option in the VPN config and set up the routes manually, and I tried to just use the pulled routes from the server; nothing helped or worked to get this issue fixed. So I am out of ideas how to fix this.

Is there any error in the VPN configuration, or is that a known limitation? Happy to provide more information if needed. I am grateful for any hints and help!

Thanks, Tobi

1 Answer
0

Based on your description, it sounds like you're experiencing an issue with client-to-client communication in AWS Client VPN. This is likely related to how AWS Client VPN handles routing between clients.

For AWS Client VPN, there are a few key points to understand:

  1. By default, the Client VPN endpoint NATs all traffic from clients to the elastic network interface (ENI) in the subnet. This NAT behavior provides one-way access where clients can reach the private network, but bidirectional connectivity between clients is not automatically supported.

  2. While you've correctly set up a route with destination CIDR 172.16.48.0/20 with a target of local, there might be an issue with how the traffic is being routed between different subnets within your Client VPN CIDR range.

  3. The issue you're seeing where clients in 172.16.48.* cannot communicate with clients in 172.16.49.* suggests that there might be limitations in how the local target handles routing across different subnets within the Client VPN CIDR block.

To address this issue, you could try:

  1. Enable client-to-client access in your Client VPN endpoint configuration if it's available. This option specifically allows communication between clients connected to the same VPN endpoint.

  2. Consider using a smaller subnet mask for your Client VPN CIDR to ensure all clients fall within the same subnet (e.g., use a /24 instead of /20).

  3. Check if there are any security groups or network ACLs that might be blocking traffic between these IP ranges.

  4. Verify that your authorization rules properly allow traffic between the Client VPN CIDR ranges.

If these solutions don't resolve the issue, it might indeed be a limitation of how AWS Client VPN handles routing between different subnets within the assigned CIDR range.
Sources
Bidirectional Client VPN Endpoint connectivity | AWS re:Post

answered a month ago
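The answer's checklist (route with target local, authorization rule covering the destination, client CIDR size) can be run offline against the configuration the question describes. The script below is an added example, not code from the thread or from AWS: it models the routes and authorization rules as dicts with the field names the AWS CLI returns from `aws ec2 describe-client-vpn-routes` and `aws ec2 describe-client-vpn-authorization-rules` (only the fields used here, and the field names are assumed from that output; the subnet ID and the VPC route are constructed). For a given pair of client IPs it does a longest-prefix route lookup, checks the matched route targets local, checks that an active authorization rule covers the destination, and reports whether the two addresses share a /24, which is what the answer's "use a /24" suggestion would require.

```python
"""Offline checker for the AWS Client VPN client-to-client prerequisites.

Added example, not from the re:Post thread or AWS. Input dicts mirror the
fields of `aws ec2 describe-client-vpn-routes` and
`aws ec2 describe-client-vpn-authorization-rules` (assumed shape, only the
fields used here).
"""
import ipaddress

# Constructed to match the configuration described in the question.
CLIENT_CIDR = "172.16.48.0/20"

ROUTES = [
    {"DestinationCidr": "172.16.48.0/20", "TargetSubnet": "local",
     "Status": {"Code": "active"}},
    # Assumed VPC route via the associated subnet (subnet ID is made up).
    {"DestinationCidr": "10.16.0.0/16", "TargetSubnet": "subnet-0123456789abcdef0",
     "Status": {"Code": "active"}},
    {"DestinationCidr": "0.0.0.0/0", "TargetSubnet": "subnet-0123456789abcdef0",
     "Status": {"Code": "active"}},
]

AUTH_RULES = [
    {"DestinationCidr": "0.0.0.0/0", "AccessAll": True, "Status": {"Code": "active"}},
    {"DestinationCidr": "10.16.0.0/16", "AccessAll": True, "Status": {"Code": "active"}},
]


def matching_route(dst_ip, routes):
    """Longest-prefix match over active routes, as the endpoint route table does."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_route = None, None
    for r in routes:
        if r["Status"]["Code"] != "active":
            continue
        net = ipaddress.ip_network(r["DestinationCidr"])
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_route = net, r
    return best_route


def authorized(dst_ip, rules, group_id=None):
    """True if an active rule covers dst_ip for everyone or for the given group."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["Status"]["Code"] != "active":
            continue
        if ip not in ipaddress.ip_network(r["DestinationCidr"]):
            continue
        if r.get("AccessAll") or (group_id is not None and r.get("GroupId") == group_id):
            return True
    return False


def check_client_to_client(src_ip, dst_ip, client_cidr=CLIENT_CIDR,
                           routes=ROUTES, rules=AUTH_RULES, group_id=None):
    """Report every configuration precondition for src_ip reaching dst_ip."""
    cidr = ipaddress.ip_network(client_cidr)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    route = matching_route(dst_ip, routes)
    findings = {
        "src_in_client_cidr": src in cidr,
        "dst_in_client_cidr": dst in cidr,
        "route": route["DestinationCidr"] if route else None,
        "route_target_local": route is not None and route["TargetSubnet"] == "local",
        "authorized": authorized(dst_ip, rules, group_id),
        # Would the pair still be "one subnet" under the answer's /24 suggestion?
        "same_24": (ipaddress.ip_network(f"{src_ip}/24", strict=False)
                    == ipaddress.ip_network(f"{dst_ip}/24", strict=False)),
    }
    findings["config_ok"] = all(findings[k] for k in (
        "src_in_client_cidr", "dst_in_client_cidr", "route_target_local", "authorized"))
    return findings


if __name__ == "__main__":
    # The pair from the question: every documented precondition passes, so the
    # remaining suspects are outside the route/authorization tables (for
    # instance security groups or network ACLs on the endpoint's ENI).
    for key, value in check_client_to_client("172.16.48.1", "172.16.49.4").items():
        print(f"{key:22} {value}")
```

If `config_ok` is true for a pair that still cannot talk, the route and authorization tables are not the problem, and the next thing to check is the security group and network ACL attached to the endpoint's ENI subnet; if `route` resolves to the VPC subnet instead of local, the local route is missing or inactive.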
