Issues getting split-tunnel in client VPN endpoint to work correctly.
I'm setting up a company VPN using AWS Client VPN endpoints. I have everything working so far; however, all client internet traffic is being routed through the VPN and out through the NAT gateway (and therefore incurring NAT gateway costs). I'm trying to enable split-tunnel, but I'm still getting 0.0.0.0/0 routes to the VPN added to my route table.
If I try:
- Split tunnel enabled
- Routes to local vpc and peered networks
- Authorized access to these routes
- Fairly open security group
And then connect to the VPN I still get this in my route table:
```
> ~/d/i/vpn on branch ◦ netstat -nr 11:03:22
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.2.161      0.0.0.0         UG        0 0          0 tun0
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 enp0s20f0u2
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 wlp0s20f3
10.0.2.160      0.0.0.0         255.255.255.224 U         0 0          0 tun0
10.10.0.0       10.0.2.161      255.255.0.0     UG        0 0          0 tun0
-------         10.0.2.161      255.255.0.0     UG        0 0          0 tun0
```
(With some redaction above; I'm using 10.0.0.0/22 as the VPN CIDR.)
I'm connecting from a Fedora laptop using the built-in VPN client. I'm creating a VPN file based off the one you can download and importing it after adding in certs & keys. This all means that when I'm connected to the VPN I can access my private resources, but I lose all general internet connectivity. For our use case it's not workable for us to keep having to hop on and off the VPN.
When you use split-tunnel on a Client VPN endpoint, all of the routes that are in the Client VPN route tables are added to the client route table when the VPN is established. If you add a route after the VPN is established, you must reset the connection so that the new route is sent to the client. If you intend to use split-tunnel and use local internet, and not go via the NAT-GW and IGW, make sure your Client VPN does not have a 0.0.0.0/0 route; just have the routes for the VPC and peered VPC CIDRs.
https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/split-tunnel-vpn.html
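The two checks implied by this answer, as an added example that is not part of the answer or of any AWS tooling: parse the client's `netstat -nr` output and flag any default route that goes through the tunnel interface, and parse the JSON from `aws ec2 describe-client-vpn-routes` to flag an active 0.0.0.0/0 route that would be pushed to every client. The netstat text and the route JSON below are constructed samples; the `Routes[].DestinationCidr` / `Status.Code` shape is assumed to match the CLI output.

```python
"""Verify that an AWS Client VPN split-tunnel setup is actually split."""
import json

# Constructed sample, same layout as the netstat output quoted in the question.
NETSTAT_SAMPLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.2.161      0.0.0.0         UG        0 0          0 tun0
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 wlp0s20f3
10.0.2.160      0.0.0.0         255.255.255.224 U         0 0          0 tun0
10.10.0.0       10.0.2.161      255.255.0.0     UG        0 0          0 tun0
"""

def parse_netstat(text):
    """Return (destination, gateway, genmask, iface) tuples from `netstat -nr`."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "Destination":
            continue  # skip the title line and the column header
        routes.append((parts[0], parts[1], parts[2], parts[7]))
    return routes

def default_routes_via_vpn(text, vpn_iface_prefix="tun"):
    """Default routes (dest 0.0.0.0, mask 0.0.0.0) through the tunnel.
    With a working split-tunnel this list must be empty: only the VPC and
    peered CIDRs should point at tun0."""
    return [r for r in parse_netstat(text)
            if r[0] == "0.0.0.0" and r[2] == "0.0.0.0"
            and r[3].startswith(vpn_iface_prefix)]

# Constructed sample in the (assumed) shape of
# `aws ec2 describe-client-vpn-routes --client-vpn-endpoint-id <id>` output.
ENDPOINT_ROUTES_SAMPLE = json.dumps({"Routes": [
    {"DestinationCidr": "10.10.0.0/16", "Status": {"Code": "active"}},
    {"DestinationCidr": "0.0.0.0/0", "Status": {"Code": "active"}},
]})

def full_tunnel_routes(routes_json):
    """Active 0.0.0.0/0 entries on the endpoint; each is pushed to clients
    on connect, which silently turns split-tunnel back into full-tunnel."""
    data = json.loads(routes_json)
    return [r["DestinationCidr"] for r in data.get("Routes", [])
            if r.get("DestinationCidr") == "0.0.0.0/0"
            and r.get("Status", {}).get("Code") == "active"]

if __name__ == "__main__":
    print("client default routes via VPN:", default_routes_via_vpn(NETSTAT_SAMPLE))
    print("endpoint 0.0.0.0/0 routes:", full_tunnel_routes(ENDPOINT_ROUTES_SAMPLE))
```

Run the first check on a live `netstat -nr` capture after reconnecting, and the second on the CLI output for the endpoint; both lists should be empty once the 0.0.0.0/0 route is gone and the connection has been reset.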
Yes, I've reset the connection on each of my tests, and I've removed the 0.0.0.0/0 routes from the Client VPN route table to leave only the default routes. But I would still get the above behaviour.