AWS client VPN - SSH to EC2 instance with custom ssh port

We just set up a AWS client VPN, associated with private subnet and route traffic through NAT gateway to internet. This way to get a static public IP. We have debian EC2 instances with custom SSH port, for example port 56565 instead of port 22. When connected with AWS client VPN, we were not able to SSH to the EC2 instance with ssh port 56565. Have verified all the security groups, network ACL and routing, seems like the AWS client VPN is blocking the non-standard ports. Anyone has some insight on this? Is it possible to configure it?

Topics

Networking & Content Delivery Compute

Tags

Amazon VPC Amazon EC2 AWS Client VPN

Language

English

rePost-SL-Wang

asked a year ago1139 views

2 Answers

Newest
Most votes
Most comments

Do you have a rule set up in the security group that EC2 has to allow connections from the security group that AWS Client VPN has?
I don't think AWS Client VPN is doing anything to deny communication.
Also, make sure that all communications are allowed in the outbound rules of the AWS Client VPN security group.

EXPERT

Riku_Kobayashi

answered a year ago

rePost-SL-Wang
a year ago
Hi, thanks for the suggestions! For EC2 instance security group, I have allowed the VPN external IP for All traffic and All ports(for testing purpose) AWS VPN security group also has All traffic allowed in the outbound rule. For the same EC2 instance, I'm able to ssh into it on Port 22 with VPN connected, but not able to connect when the ssh port is set to 56565. To me, looks like there is some default restrictions on the special ports.

AWS Client VPN does not block other ports.

Please check below guide, specifically step 5 "Provide access to the internet" and step 6 "Verify security group requirements".

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html

Matt_E

answered a year ago

rePost-SL-Wang
a year ago
Hi, I'm able to access the internet and also able to ssh to the same EC2 instance when ssh port is set to 22.
Matt_E
a year ago

Make sure port 56565 is being allowed on the EC2 security group, the target EC2.

Make sure port 56565 is being allowed on the EC2 ACL.

Make sure port 56565 is being allowed on the CVPN ENI subnet ACL. When you create your CVPN is going to be associated with one or more than one subnet, make sure port 56565 is being allowed on all the subnets ACL that are associated with CVPN ENI's, for instance, you may have 3 subnets for your CVPN (subnet A, subnet B, and subnet C) each of those subnets may have a different ACL, you would need to make sure those subnets allow port 56565.

If all above being checked and still unable to connect, I suggest checking your EC2 VPC flow logs to see if traffic is reaching the EC2.

Relevant content

Issue with Accessing Websites Through AWS VPN Client and Bastion Host
Accepted Answer
Hoseok Han
asked 8 months ago
Middlebox routing - VPN clients
Bert6449263
asked 2 years ago
How to setup a NAT Gateway together with a VPN
Accepted Answer
rePost-User-9342809
asked a year ago
Static IP for AWS Client VPN
elbigbadmo
asked 2 years ago
The VPN tunnel between my customer gateway and my virtual private gateway is Up, but I am unable to pass traffic through it. What can I do?
AWS OFFICIALUpdated 2 years ago
Why can't my Amazon EC2 instance in a private subnet connect to the internet using a NAT gateway?
AWS OFFICIALUpdated 2 years ago
How can Client VPN users get a static IP address so that they can access the internet?
AWS OFFICIALUpdated 7 months ago
How do I set up an IPsec VPN between a virtual pfSense router and an AWS managed VPN endpoint with static routing?
AWS OFFICIALUpdated 5 months ago
Usage of Security Group associated with AWS Client VPN
EXPERT
Karthikiran Ilango
published 6 months ago
Secure way to set up IPsec VPN between IBM Cloud and an AWS-managed VPN endpoint with static routing
EXPERT
Vinay Gugueoth
published 6 months ago