I have been working on setting up an AWS VPN for the past week. Despite making four attempts to configure it and recreating the entire VPN setup for the fifth time, I haven't been able to complete the process. Since this is a new account, there shouldn't be any physical damage that would prevent me from starting over. In connection with this matter, AWS expert Gari kindly requested that I share the following information for review. I have provided these details below. (All details are attached in the diagram.) Thank you to all the AWS experts for taking the time to examine the situation and share your valuable knowledge regarding AWS cloud services.
- What are your routes on the VPN endpoint?
- What are your authorisation rules on the VPN endpoint?
- Is split tunnel enabled?
- What are the routes on the subnets?
- What is your VPC CIDR range?
- What do you have defined for your Client VPN security groups?
Background
Regarding the current situation, there is an issue I would like to address. While accessing the VPN, the user is able to access some web pages. This situation may sound unusual, but I found that I could open web pages such as Google, Apple, and Facebook while using the VPN. This behavior is only observed on my workstation, macOS, which leads me to suspect that there might be an issue with the Client VPN Endpoint DNS. I have set up the DNS record as 10.10.0.2.
On the other hand, I encountered a different issue. Specifically, I was unable to access the internet at all when connecting from a test PC running Windows OS. Your assistance in resolving these matters would be greatly appreciated.
I have also received an error while using Tunnelblick. (I hope this helps to investigate my configuration.)
Error Report from Tunnelblick
2023-08-22 09:58:09.126629 *Tunnelblick: macOS 13.4.1 (22F770820d); Tunnelblick 4.0.0beta08 (build 5880)
2023-08-22 09:58:09.274756 *Tunnelblick: Cannot recognize the downloaded-client-config-loadTap preference value of '(null)', so Tunnelblick will not load the tap kext
2023-08-22 09:58:09.288038 *Tunnelblick: Attempting connection with downloaded-client-config; Set nameserver = 0x00000305; monitoring connection
2023-08-22 09:58:09.288845 *Tunnelblick: openvpnstart start downloaded-client-config.tblk 58635 0x00000305 0 3 0 0x0210c330 -ptADGNWradsgnw 2.5.9-openssl-1.1.1v <password>
2023-08-22 09:58:09.320998 *Tunnelblick: openvpnstart starting OpenVPN
2023-08-22 09:58:09.744309 OpenVPN 2.5.9 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Aug 4 2023
2023-08-22 09:58:09.744475 library versions: OpenSSL 1.1.1v 1 Aug 2023, LZO 2.10
2023-08-22 09:58:09.745727 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:58635
2023-08-22 09:58:09.745764 Need hold release from management interface, waiting...
2023-08-22 09:58:09.914976 *Tunnelblick: openvpnstart log:
OpenVPN started successfully.
Command used to start OpenVPN (one argument per displayed line):
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.5.9-openssl-1.1.1v/openvpn
--daemon
--log-append /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Sdownloaded--client--config.tblk-SContents-SResources-Sconfig.ovpn.773_0_3_0_34652976.58635.openvpn.log
--cd /Library/Application Support/Tunnelblick/Shared/downloaded-client-config.tblk/Contents/Resources
--machine-readable-output
--setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5880 4.0.0beta08 (build 5880)"
--verb 3
--config /Library/Application Support/Tunnelblick/Shared/downloaded-client-config.tblk/Contents/Resources/config.ovpn
--setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Shared/downloaded-client-config.tblk/Contents/Resources
--verb 3
--cd /Library/Application Support/Tunnelblick/Shared/downloaded-client-config.tblk/Contents/Resources
--management 127.0.0.1 58635 /Library/Application Support/Tunnelblick/Mips/downloaded-client-config.tblk.mip
--management-query-passwords
--management-hold
--redirect-gateway def1
--script-security 2
--route-up /Applications/Tunnelblick.app/Contents/Resources/client.1.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
--down /Applications/Tunnelblick.app/Contents/Resources/client.1.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2023-08-22 09:58:09.924257 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:58635
2023-08-22 09:58:09.956890 MANAGEMENT: CMD 'pid'
2023-08-22 09:58:09.957061 MANAGEMENT: CMD 'auth-retry interact'
2023-08-22 09:58:09.957335 MANAGEMENT: CMD 'state on'
2023-08-22 09:58:09.957386 MANAGEMENT: CMD 'state'
2023-08-22 09:58:09.957457 MANAGEMENT: CMD 'bytecount 1'
2023-08-22 09:58:09.958137 *Tunnelblick: Established communication with OpenVPN
2023-08-22 09:58:09.959464 *Tunnelblick: >INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info
2023-08-22 09:58:09.960707 MANAGEMENT: CMD 'hold release'
2023-08-22 09:58:09.961411 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-08-22 09:58:09.965294 MANAGEMENT: >STATE:1692723489,RESOLVE,,,,,,
2023-08-22 09:58:10.118558 TCP/UDP: Preserving recently used remote address: [AF_INET]3.98.242.229:443
2023-08-22 09:58:10.118934 Socket Buffers: R=[786896->786896] S=[9216->9216]
2023-08-22 09:58:10.118971 UDP link local: (not bound)
2023-08-22 09:58:10.118996 UDP link remote: [AF_INET]3.98.242.229:443
2023-08-22 09:58:10.119044 MANAGEMENT: >STATE:1692723490,WAIT,,,,,,
2023-08-22 09:58:10.197690 MANAGEMENT: >STATE:1692723490,AUTH,,,,,,
2023-08-22 09:58:10.197794 TLS: Initial packet from [AF_INET]3.98.242.229:443, sid=ad4c8ab0 ececf28c
2023-08-22 09:58:10.277660 VERIFY OK: depth=1, CN=VPNDemo
2023-08-22 09:58:10.278144 VERIFY KU OK
2023-08-22 09:58:10.278163 Validating certificate extended key usage
2023-08-22 09:58:10.278177 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-08-22 09:58:10.278192 VERIFY EKU OK
2023-08-22 09:58:10.278206 VERIFY X509NAME OK: CN=server
2023-08-22 09:58:10.278217 VERIFY OK: depth=0, CN=server
2023-08-22 09:58:10.451035 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-08-22 09:58:10.451252 [server] Peer Connection Initiated with [AF_INET]3.98.242.229:443
2023-08-22 09:58:11.553739 MANAGEMENT: >STATE:1692723491,GET_CONFIG,,,,,,
2023-08-22 09:58:11.554615 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2023-08-22 09:58:11.635018 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.10.0.2,redirect-gateway def1 bypass-dhcp,block-outside-dns,dhcp-option DOMAIN-ROUTE .,route-gateway 10.9.0.129,topology subnet,ping 1,ping-restart 20,echo,echo,ifconfig 10.9.0.130 255.255.255.224,peer-id 0,cipher AES-256-GCM'
2023-08-22 09:58:11.635352 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2023-08-22 09:58:11.635402 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.5.9)
2023-08-22 09:58:11.635524 OPTIONS IMPORT: timers and/or timeouts modified
2023-08-22 09:58:11.635555 OPTIONS IMPORT: --ifconfig/up options modified
2023-08-22 09:58:11.635581 OPTIONS IMPORT: route options modified
2023-08-22 09:58:11.635603 OPTIONS IMPORT: route-related options modified
2023-08-22 09:58:11.635626 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-08-22 09:58:11.635646 OPTIONS IMPORT: peer-id set
2023-08-22 09:58:11.635668 OPTIONS IMPORT: adjusting link_mtu to 1624
2023-08-22 09:58:11.635690 OPTIONS IMPORT: data channel crypto options modified
2023-08-22 09:58:11.635930 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-08-22 09:58:11.635962 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-08-22 09:58:11.638743 Opened utun device utun5
2023-08-22 09:58:11.638804 MANAGEMENT: >STATE:1692723491,ASSIGN_IP,,10.9.0.130,,,,
2023-08-22 09:58:11.638841 /sbin/ifconfig utun5 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2023-08-22 09:58:11.676445 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2023-08-22 09:58:11.676584 /sbin/ifconfig utun5 10.9.0.130 10.9.0.130 netmask 255.255.255.224 mtu 1500 up
2023-08-22 09:58:11.695623 /sbin/route add -net 10.9.0.128 10.9.0.130 255.255.255.224
add net 10.9.0.128: gateway 10.9.0.130
2023-08-22 09:58:11.705726 /sbin/route add -net 3.98.242.229 192.168.1.254 255.255.255.255
add net 3.98.242.229: gateway 192.168.1.254
2023-08-22 09:58:11.719144 /sbin/route add -net 0.0.0.0 10.9.0.129 128.0.0.0
add net 0.0.0.0: gateway 10.9.0.129
2023-08-22 09:58:11.726379 /sbin/route add -net 128.0.0.0 10.9.0.129 128.0.0.0
add net 128.0.0.0: gateway 10.9.0.129
/Applications/Tunnelblick.app/Contents/Resources/client.1.up.tunnelblick.sh: line 76: [: /Library/Application: binary operator expected
/Applications/Tunnelblick.app/Contents/Resources/client.1.up.tunnelblick.sh: line 79: [: /Library/Application: binary operator expected
2023-08-22 09:58:11.781520 Initialization Sequence Completed
2023-08-22 09:58:11.781551 MANAGEMENT: >STATE:1692723491,CONNECTED,SUCCESS,10.9.0.130,3.98.242.229,443,,
2023-08-22 09:58:12.898694 *Tunnelblick: Warning: Could not obtain a list of DNS addresses that are expected
2023-08-22 09:58:13.007670 *Tunnelblick: DNS address 10.10.0.2 is being routed through the VPN
2023-08-22 09:58:55.012566 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting.
2023-08-22 09:59:33.505559 *Tunnelblick: An error occurred fetching IP address information using the ipInfo host's IP address after connecting
2023-08-22 10:02:27.789408 *Tunnelblick: Disconnecting; 'Disconnect' (toggle) menu command invoked
2023-08-22 10:02:28.096055 *Tunnelblick: Disconnecting using 'kill'
2023-08-22 10:02:28.449002 event_wait : Interrupted system call (code=4)
2023-08-22 10:02:28.449727 /sbin/route delete -net 3.98.242.229 192.168.1.254 255.255.255.255
delete net 3.98.242.229: gateway 192.168.1.254
2023-08-22 10:02:28.454158 /sbin/route delete -net 0.0.0.0 10.9.0.129 128.0.0.0
delete net 0.0.0.0: gateway 10.9.0.129
2023-08-22 10:02:28.456834 /sbin/route delete -net 128.0.0.0 10.9.0.129 128.0.0.0
delete net 128.0.0.0: gateway 10.9.0.129
2023-08-22 10:02:28.459304 Closing TUN/TAP interface
2023-08-22 10:02:28.459526 /Applications/Tunnelblick.app/Contents/Resources/client.1.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun5 1500 1624 10.9.0.130 255.255.255.224 init
/Applications/Tunnelblick.app/Contents/Resources/client.1.down.tunnelblick.sh: line 22: [: /Library/Application: binary operator expected
/Applications/Tunnelblick.app/Contents/Resources/client.1.down.tunnelblick.sh: line 25: [: /Library/Application: binary operator expected
cat: /Library/Application: No such file or directory
cat: Support/Tunnelblick/openvpn_dns_564F62F2-F3E3-47A4-BAD0-D57D9E8442BB: No such file or directory
cat: /Library/Application: No such file or directory
cat: Support/Tunnelblick/openvpn_domain_564F62F2-F3E3-47A4-BAD0-D57D9E8442BB: No such file or directory
d.add: too few arguments
rm: /Library/Application: No such file or directory
rm: Support/Tunnelblick/openvpn_dns_564F62F2-F3E3-47A4-BAD0-D57D9E8442BB: No such file or directory
rm: /Library/Application: No such file or directory
rm: Support/Tunnelblick/openvpn_domain_564F62F2-F3E3-47A4-BAD0-D57D9E8442BB: No such file or directory
2023-08-22 10:02:28.737350 MANAGEMENT: Client disconnected
2023-08-22 10:02:28.737371 WARNING: Failed running command (--up/--down): external program exited with error status: 1
2023-08-22 10:02:28.737377 Exiting due to fatal error
2023-08-22 10:02:30.376746 *Tunnelblick: Expected disconnection occurred.
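The log above already answers several of the questions in the post, so here is an added triage script (written for this page, not part of the original post, Tunnelblick or AWS) that pulls those answers out of the client log rather than leaving them to be read by eye. It extracts the options the endpoint pushed in PUSH_REPLY (the DNS server 10.10.0.2 and redirect-gateway, which means split tunnel is off), the pushed options the macOS client rejected (block-outside-dns is an OpenVPN directive that only the Windows client implements, so it is logged as an "Options error" and ignored while the rest of the push still applies), the two /1 routes that make the connection a full tunnel, and the up/down script failures, where the "[: /Library/Application: binary operator expected" and "cat: /Library/Application" lines show the path "/Library/Application Support/..." being split on its space. The SAMPLE_LOG is a constructed excerpt of the log lines from the post; the function names and the WINDOWS_ONLY_OPTIONS set are this example's own.

```python
"""Triage an OpenVPN/Tunnelblick client log for AWS Client VPN configuration signals."""
import json
import re

# Constructed sample: the relevant lines copied from the Tunnelblick log in the post above.
SAMPLE_LOG = """\
2023-08-22 09:58:11.635018 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.10.0.2,redirect-gateway def1 bypass-dhcp,block-outside-dns,dhcp-option DOMAIN-ROUTE .,route-gateway 10.9.0.129,topology subnet,ping 1,ping-restart 20,echo,echo,ifconfig 10.9.0.130 255.255.255.224,peer-id 0,cipher AES-256-GCM'
2023-08-22 09:58:11.635402 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.5.9)
2023-08-22 09:58:11.719144 /sbin/route add -net 0.0.0.0 10.9.0.129 128.0.0.0
2023-08-22 09:58:11.726379 /sbin/route add -net 128.0.0.0 10.9.0.129 128.0.0.0
/Applications/Tunnelblick.app/Contents/Resources/client.1.up.tunnelblick.sh: line 76: [: /Library/Application: binary operator expected
/Applications/Tunnelblick.app/Contents/Resources/client.1.up.tunnelblick.sh: line 79: [: /Library/Application: binary operator expected
/Applications/Tunnelblick.app/Contents/Resources/client.1.down.tunnelblick.sh: line 22: [: /Library/Application: binary operator expected
/Applications/Tunnelblick.app/Contents/Resources/client.1.down.tunnelblick.sh: line 25: [: /Library/Application: binary operator expected
cat: /Library/Application: No such file or directory
cat: Support/Tunnelblick/openvpn_dns_564F62F2-F3E3-47A4-BAD0-D57D9E8442BB: No such file or directory
cat: /Library/Application: No such file or directory
cat: Support/Tunnelblick/openvpn_domain_564F62F2-F3E3-47A4-BAD0-D57D9E8442BB: No such file or directory
2023-08-22 10:02:28.737371 WARNING: Failed running command (--up/--down): external program exited with error status: 1
"""

PUSH_RE = re.compile(r"PUSH_REPLY,(.*)'")
REJECT_RE = re.compile(r"Options error: Unrecognized option .* in \[PUSH-OPTIONS\]:\d+: (\S+)")
# The two /1 halves OpenVPN installs for "redirect-gateway def1": net, gateway, mask 128.0.0.0
DEFAULT_HALF_RE = re.compile(r"/sbin/route add -net (0\.0\.0\.0|128\.0\.0\.0) (\S+) 128\.0\.0\.0")
SCRIPT_ERR_RE = re.compile(r"^(\S+\.sh): line (\d+): \[: (\S+): binary operator expected", re.MULTILINE)
NOFILE_RE = re.compile(r"^(?:cat|rm): (\S+): No such file or directory", re.MULTILINE)

# OpenVPN directives implemented only by the Windows client (set assumed for this example).
WINDOWS_ONLY_OPTIONS = {"block-outside-dns", "ip-win32", "dhcp-renew", "dhcp-release", "register-dns"}


def push_options(log):
    """Options the server pushed in PUSH_REPLY, in order (empty if no push was logged)."""
    m = PUSH_RE.search(log)
    return m.group(1).split(",") if m else []


def rejected_push_options(log):
    """Pushed options the client refused with 'Options error: Unrecognized option'."""
    return REJECT_RE.findall(log)


def pushed_dns_servers(log):
    """DNS server addresses pushed via 'dhcp-option DNS <addr>'."""
    return [o.split()[2] for o in push_options(log) if o.startswith("dhcp-option DNS ")]


def full_tunnel_gateway(log):
    """Gateway of the default route if both /1 halves were installed (full tunnel), else None."""
    halves = dict(DEFAULT_HALF_RE.findall(log))
    if {"0.0.0.0", "128.0.0.0"} <= set(halves) and len(set(halves.values())) == 1:
        return halves["0.0.0.0"]
    return None


def script_failures(log):
    """(script name, script line, offending word) for each failed '[ ... ]' test in an up/down script."""
    return [(s.rsplit("/", 1)[-1], int(n), w) for s, n, w in SCRIPT_ERR_RE.findall(log)]


def split_path_fragments(log):
    """Re-join consecutive 'No such file' fragments that are the two halves of a path containing a space.

    A fragment starting with '/' followed by one that does not is the signature of an
    unquoted expansion being word-split by the shell.
    """
    frags = NOFILE_RE.findall(log)
    joined = [f"{a} {b}" for a, b in zip(frags, frags[1:]) if a.startswith("/") and not b.startswith("/")]
    return list(dict.fromkeys(joined))  # de-duplicate, keep first-seen order


def triage(log):
    """Summarise the findings a practitioner would check first."""
    findings = {"split_tunnel": full_tunnel_gateway(log) is None}
    gw = full_tunnel_gateway(log)
    if gw:
        findings["full_tunnel_gateway"] = gw
    win_only = [o for o in rejected_push_options(log) if o in WINDOWS_ONLY_OPTIONS]
    if win_only:
        findings["windows_only_push_options"] = win_only
    if pushed_dns_servers(log):
        findings["pushed_dns"] = pushed_dns_servers(log)
    if script_failures(log):
        findings["up_down_script_failures"] = len(script_failures(log))
    if split_path_fragments(log):
        findings["paths_split_on_space"] = split_path_fragments(log)
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Two things the output makes concrete. With split tunnel off, every packet from the client, including internet-bound traffic, is sent into the VPC, so an AWS Client VPN endpoint in that mode needs a 0.0.0.0/0 route and a matching authorization rule on the endpoint, and the associated subnet needs a path out (a route to a NAT gateway, plus security group and NACL rules that allow it); without that, the Windows behaviour in the post (no internet at all) is the expected result. Separately, the up/down script failures are a client-side problem independent of the AWS configuration: the DNS state files under "/Library/Application Support/Tunnelblick" are never read or removed because the path is split at the space, which is consistent with the "Could not obtain a list of DNS addresses that are expected" warning in the same log.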