Client vpn endpoint doesn't reach my subnet private

Question

Hi,

I'm facing a peculiar situation. I have an existing client VPN endpoint set up with AD directory login, and it's working well—I can access my private subnet without any issues. However, I've set up another VPN endpoint, this time with federated SAML login, and for some reason, I can't access my private subnet through this one. Internet access (such as Google) is reachable.

Do you have any idea why this might be happening?

I understand this might not be straightforward, but please ask for any information you need, and I'll provide it.

Thanks for your help.

Answer

HI, 
How are you routing to the internet ? Is split tunnelling activated as this may explain why you can reach the internet.

I assume your client VPN user has been authenticated and able to establish ssl connection to the AWS client VPN endpoint, hence follow the steps below to troubleshoot connectivity issue :

* If you  are trying to reach your Target via DNS , Check DNS Resolution from your user's computer for Target FQDN. This must resolve to a private IP address within your VPC.

* Check proper association of Subnet - https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-target.html

* Once this is verified, check for Routes. You should have route for destination to which we want to reach. - https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-routes.html

* Check if user connected is authorised to access destination. This is very important to check in case of Active directory where we can grant access based on AD Group. - https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-rules.html

* Check VPC Flow Logs-  We should see traffic between Client Endpoint ENI IP address and Target as all traffic gets source NATed to the Ip address of the client Endpoint

* Don’t forget to check SG, NACL and Route Table.

Client vpn endpoint doesn't reach my subnet private

Relevant content