New Client VPN Setup

Question

Have a single account with 1 VPC no peering, no transit gateway, etc..

I setup Client VPN and can connect properly.

I updated the instances EC2 security groups to allow communication from the Client VPN subnet. 
I completed a TCPDUMP on the instance and traffic does not get to the instance.
My netstat -nr shows a route through the VPN tunnel to get to the instances

I have associated the target subnet and setup authorization for all users.

I can't seem to get traffic from the VPN client to the server.

Anyone have any other thoughts?  I am on a mac, going to test on PC next.

Thank you for your assistances in advance

Answer

I figured it out.  Client VPN creates 2 nat addresses in the network interfaces, you have to allow those IPs to allow the traffic.  To figure it out, i enabled all traffic and was able to connect.  Then tcpdumped on the hosts to identify where the traffic was coming from.  Than found the network interfaces with that IP. Question can be closed and thank you for your help!

Answer

Hello.

Is it possible to enable VPC flow logs and check whether traffic connected with ClientVPN is reaching the VPC?  
If it has reached the VPC, please check if any "REJECT" actions are recorded in the log.  
https://docs.aws.amazon.com/vpc/latest/userguide/working-with-flow-logs.html

Answer

It sounds like you've covered the bases.  There are a few things you might want to check/try:
* Put an EC2 instance in the subnet with the Client VPC Endpoint.  This will eliminate any routing/NACL issues.
* Verify in the Security Group being used on the EC2/Server that the inbound rules do not include any Security Group names in the Source specification - it should be 0.0.0.0/0.  Default Security Groups will have inbound rules that allow all inbound traffic from members of the same security group.

New Client VPN Setup

Relevant content