Issues getting split-tunnel in client VPN endpoint to work correctly.


I'm setting up a company VPN using AWS Client VPN endpoints, I have everything working so far however all client internet traffic is being routed through the VPN and out through the NAT gateway (and therefore incurring NAT gateway costs). I'm trying to enable split-tunnel however I'm still getting routes to the vpn added to my route table.

If I try:

  • Split tunnel enabled
  • Routes to local vpc and peered networks
  • Authorized access to these routes
  • Fairly open security group

And then connect to the VPN I still get this in my route table:

> ~/d/i/vpn on branch ◦ netstat -nr                                                                                                          11:03:22
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface         UG        0 0          0 tun0         UG        0 0          0 enp0s20f0u2         UG        0 0          0 wlp0s20f3 U         0 0          0 tun0     UG        0 0          0 tun0
-------     UG        0 0          0 tun0

(With some redaction above, I'm using as the vpn cidr)

I'm connecting from a Fedora laptop using the built in vpn client, I'm creating a vpn file based off the one you can download and importing it after adding in certs & keys). This all means that when I'm trying to connect to the VPN I can access my private resources, but I lose all general internet connectivity. For our use case it's not workable to us to keep having to hop on and off the VPN.

  • Have you managed to get this resolved at all ? I have been working with the vpn client for some time and created multiple of them and all working fine. Once I switched to work from home i created a new one for testing and as soon as its up and running I can no longer access the internet, even though I have split tunnel enabled. Older client configs in other VPCs are still working fine and I can no longer see why this new one is acting this way.

2 Answers


It looks like in AWS VPC-->ClientVPN endpoint -->Route table , Please make sure you do not have route added for

By looking at the route table, I could see split tunnel is enabled thats reason i see you have two routes received for /16 and also points to tunnel ip .

It is not recommended to add a route to the Client VPN endpoint's route table when using split-tunnel mode.

answered 2 years ago
profile picture
reviewed 4 months ago

When split-tunneling is enabled on a Client VPN endpoint, only routes that are configured on the endpoint route table will be pushed to connecting clients. Any traffic destined for addresses that do not match these routes will be routed directly to the internet rather than through the VPN tunnel.

profile picture
answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions