
Issues getting split-tunnel in client VPN endpoint to work correctly.

0

I'm setting up a company VPN using AWS Client VPN endpoints. I have everything working so far; however, all client internet traffic is being routed through the VPN and out through the NAT gateway (and therefore incurring NAT gateway costs). I'm trying to enable split-tunnel; however, I'm still getting 0.0.0.0/0 routes to the VPN added to my route table.

If I try:

  • Split tunnel enabled
  • Routes to local vpc and peered networks
  • Authorized access to these routes
  • Fairly open security group

And then connect to the VPN I still get this in my route table:

> ~/d/i/vpn on branch ◦ netstat -nr                                                                                                          11:03:22
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.2.161      0.0.0.0         UG        0 0          0 tun0
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 enp0s20f0u2
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 wlp0s20f3
10.0.2.160      0.0.0.0         255.255.255.224 U         0 0          0 tun0
10.10.0.0       10.0.2.161      255.255.0.0     UG        0 0          0 tun0
-------       10.0.2.161      255.255.0.0     UG        0 0          0 tun0

(With some redaction above, I'm using 10.0.0.0/22 as the vpn cidr)

I'm connecting from a Fedora laptop using the built-in VPN client (I'm creating a VPN file based off the one you can download and importing it after adding in certs & keys). This all means that when I'm trying to connect to the VPN I can access my private resources, but I lose all general internet connectivity. For our use case it's not workable for us to keep having to hop on and off the VPN.

1 Answer
0

When you use split-tunnel on a Client VPN endpoint, all of the routes that are in the Client VPN route tables are added to the client route table when the VPN is established. If you add a route after the VPN is established, you must reset the connection so that the new route is sent to the client. If you intend to use split-tunnel and use local internet rather than going via the NAT-GW and IGW, make sure your Client VPN does not have a 0.0.0.0/0 route; just have the routes for the VPC and peered VPC CIDRs.

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/split-tunnel-vpn.html

answered 19 days ago
  • Yes I've reset the connection on each of my tests, and I've removed the 0.0.0.0/0 routes from the client vpn route table to leave only the default routes. But I would still get the above behaviour.
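A check for the two conditions the answer describes (split-tunnel enabled on the endpoint, and no 0.0.0.0/0 route in the endpoint's route table that would be pushed to every client on connect). This is an added example, not code from the thread or from AWS; it runs over constructed sample output shaped like `aws ec2 describe-client-vpn-endpoints` and `aws ec2 describe-client-vpn-routes`, and the endpoint and subnet IDs are placeholders.

```python
import json

# Constructed sample, shaped like the JSON from `aws ec2 describe-client-vpn-endpoints`.
# IDs are placeholders, not values from the thread.
ENDPOINTS_JSON = """{"ClientVpnEndpoints": [{"ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE",
  "ClientCidrBlock": "10.0.0.0/22", "SplitTunnel": true}]}"""

# Constructed sample, shaped like the JSON from `aws ec2 describe-client-vpn-routes`.
# "associate" = route added automatically when the target subnet was associated;
# "add-route" = route added manually. The last entry is the misconfiguration the answer warns about.
ROUTES_JSON = """{"Routes": [
  {"ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE", "DestinationCidr": "10.10.0.0/16",
   "TargetSubnet": "subnet-EXAMPLE1", "Type": "Nat", "Origin": "associate", "Status": {"Code": "active"}},
  {"ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE", "DestinationCidr": "10.20.0.0/16",
   "TargetSubnet": "subnet-EXAMPLE1", "Type": "Nat", "Origin": "add-route", "Status": {"Code": "active"}},
  {"ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE", "DestinationCidr": "0.0.0.0/0",
   "TargetSubnet": "subnet-EXAMPLE1", "Type": "Nat", "Origin": "add-route", "Status": {"Code": "active"}}
]}"""


def audit_split_tunnel(endpoints_json: str, routes_json: str) -> list[str]:
    """Return findings for each endpoint; an empty list means split-tunnel is on and
    no default route is present in the endpoint route table."""
    findings = []
    endpoints = json.loads(endpoints_json)["ClientVpnEndpoints"]
    routes = json.loads(routes_json)["Routes"]
    for ep in endpoints:
        ep_id = ep["ClientVpnEndpointId"]
        if not ep.get("SplitTunnel", False):
            findings.append(f"{ep_id}: SplitTunnel is disabled; all client traffic goes into the tunnel")
        # Every route in the endpoint route table is pushed to the client when the tunnel
        # comes up, so a 0.0.0.0/0 entry here overrides the client's own default gateway.
        for r in routes:
            if r["ClientVpnEndpointId"] != ep_id or r["Status"]["Code"] == "deleting":
                continue
            if r["DestinationCidr"] == "0.0.0.0/0":
                findings.append(
                    f"{ep_id}: default route 0.0.0.0/0 via {r['TargetSubnet']} "
                    f"(origin={r['Origin']}) will be pushed to clients; remove it for split-tunnel"
                )
    return findings


if __name__ == "__main__":
    for finding in audit_split_tunnel(ENDPOINTS_JSON, ROUTES_JSON) or ["OK: split-tunnel config looks right"]:
        print(finding)
```

Routes added after a client connected are not visible to that client until it reconnects, so re-run the check and then reset the connection, as the answer notes.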
