AWS client VPN - SSH to EC2 instance with custom ssh port


We just set up a AWS client VPN, associated with private subnet and route traffic through NAT gateway to internet. This way to get a static public IP. We have debian EC2 instances with custom SSH port, for example port 56565 instead of port 22. When connected with AWS client VPN, we were not able to SSH to the EC2 instance with ssh port 56565. Have verified all the security groups, network ACL and routing, seems like the AWS client VPN is blocking the non-standard ports. Anyone has some insight on this? Is it possible to configure it?

asked a year ago1293 views
2 Answers

Do you have a rule set up in the security group that EC2 has to allow connections from the security group that AWS Client VPN has?
I don't think AWS Client VPN is doing anything to deny communication.
Also, make sure that all communications are allowed in the outbound rules of the AWS Client VPN security group.

profile picture
answered a year ago
  • Hi, thanks for the suggestions! For EC2 instance security group, I have allowed the VPN external IP for All traffic and All ports(for testing purpose) AWS VPN security group also has All traffic allowed in the outbound rule. For the same EC2 instance, I'm able to ssh into it on Port 22 with VPN connected, but not able to connect when the ssh port is set to 56565. To me, looks like there is some default restrictions on the special ports.


AWS Client VPN does not block other ports.

Please check below guide, specifically step 5 "Provide access to the internet" and step 6 "Verify security group requirements".

profile pictureAWS
answered a year ago
  • Hi, I'm able to access the internet and also able to ssh to the same EC2 instance when ssh port is set to 22.

    • Make sure port 56565 is being allowed on the EC2 security group, the target EC2.
    • Make sure port 56565 is being allowed on the EC2 ACL.
    • Make sure port 56565 is being allowed on the CVPN ENI subnet ACL. When you create your CVPN is going to be associated with one or more than one subnet, make sure port 56565 is being allowed on all the subnets ACL that are associated with CVPN ENI's, for instance, you may have 3 subnets for your CVPN (subnet A, subnet B, and subnet C) each of those subnets may have a different ACL, you would need to make sure those subnets allow port 56565.
    • If all above being checked and still unable to connect, I suggest checking your EC2 VPC flow logs to see if traffic is reaching the EC2.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions