Client VPN and overlapping subnets

0

Hello,

I've got a client VPN setup right now that is connecting my users to a particular VPC. That VPC has a very low CIDR range on the 10.0.0.0/8 block. I am running into issues where users connecting to the client endpoint VPN have overlapping home subnets. Their client-assigned IP ranges are well outside of that block (in the upper 10.0.0.0/8 block). The problem I'm running into is that I'm using the AWS built-in DNS range (the .2 DNS) as an assigned DNS. This works great if my users have a subnet in some other RFC1918 range or some other block in the 10.0.0.0 address space. But when there's overlap, there's fire. I thought that it might work if I abandoned split tunnel mode and went to full tunnel mode, but that doesn't seem to be the case. The VPN client we're using (Tunnelblick) doesn't accept the DNS and I get messages like...

=========CIDR conflict, routing failed=========. 2024-02-28 10:25:27.668408 *Tunnelblick: Routing info stdout: route to: 10.x.x.2 destination: 10.x.x.2 interface: en0. <++++++++++++

This is not really surprising considering the home and destination overlapping subnets. But this seems like a well-known issue. Is it just the case that you can't have any overlap between your home network and your destination network? How do you plan for something like this, and how can you work around it if you can't control a user's home network ranges?

Thanks for your time and advice!

asked 2 months ago, 222 views
3 Answers
1

The easiest and best solution would be to use the 100.64.0.0/10 address space in your VPC and rebuild the VPN. It is less likely to clash.

answered 2 months ago
0

You have no control over your clients' home network setups. They could be using common ranges like 10.0.0.0/8 or 192.168.x.x. Dictating to users what their home network setup should be is usually not practical.

The most straightforward solution is to reconfigure your VPC to use a different, non-overlapping CIDR range. If this isn't feasible due to existing resources and dependencies, the other options involve trade-offs.

Set up Network Address Translation (NAT) on the VPC side. This maps the overlapping client addresses to a unique, non-overlapping subnet within the VPC. It requires some networking configuration but avoids client-side complexity.

answered 2 months ago
reviewed a month ago
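Both answers above come down to the same first move: pick VPC and client CIDRs that cannot land inside a user's home LAN, and in particular keep the VPC's "+2" resolver out of any range a home router is likely to hand out. The script below is an added example (not code from the thread or from AWS) that checks a candidate address plan for exactly those clashes. It assumes what the question describes, that the Amazon-provided DNS resolver sits at the VPC base address plus two and that the client CIDR pool must not overlap the VPC; the list of home LAN ranges and the two candidate plans are constructed sample data, and 100.64.0.0/10 is treated as RFC 6598 shared address space, which consumer routers do not normally assign to LAN clients.

```python
"""Check a Client VPN address plan for clashes with users' home LANs.

Added example, not from the original thread. Assumes (as the post describes)
that the VPC's Amazon-provided resolver sits at the VPC base address + 2 and
that the client CIDR pool must not overlap the VPC. The home LAN list below is
constructed sample data, not anything observed in the thread.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample: ranges consumer routers commonly hand out to home LANs.
COMMON_HOME_LANS = [
    "192.168.0.0/24",
    "192.168.1.0/24",
    "10.0.0.0/24",
    "10.0.1.0/24",
    "10.1.10.0/24",
    "172.16.0.0/24",
]

# RFC 6598 shared address space (carrier-grade NAT), the range answer 1 suggests.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")


def vpc_resolver(vpc_cidr: str) -> ipaddress.IPv4Address:
    """Address of the Amazon-provided DNS resolver: VPC base address + 2."""
    return ipaddress.ip_network(vpc_cidr).network_address + 2


def in_shared_address_space(cidr: str) -> bool:
    """True if the range lies entirely inside 100.64.0.0/10."""
    return ipaddress.ip_network(cidr).subnet_of(SHARED_ADDRESS_SPACE)


def conflicts(vpc_cidr: str, client_cidr: str,
              home_cidrs: List[str]) -> List[Tuple[str, str]]:
    """Return (kind, range) pairs for every clash in the address plan.

    Kinds:
      vpc-vs-client-pool        the pool handed to VPN clients overlaps the VPC
      dns-resolver-in-home-lan  the .2 resolver falls inside a user's LAN, so
                                the client's local route for that prefix wins
      vpc-vs-home-lan           VPC overlaps the LAN, resolver is outside it
      client-pool-vs-home-lan   the client's VPN address collides with its LAN
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    pool = ipaddress.ip_network(client_cidr)
    resolver = vpc_resolver(vpc_cidr)
    found: List[Tuple[str, str]] = []
    if vpc.overlaps(pool):
        found.append(("vpc-vs-client-pool", str(pool)))
    for cidr in home_cidrs:
        home = ipaddress.ip_network(cidr)
        if resolver in home:
            found.append(("dns-resolver-in-home-lan", str(home)))
        elif vpc.overlaps(home):
            found.append(("vpc-vs-home-lan", str(home)))
        if pool.overlaps(home):
            found.append(("client-pool-vs-home-lan", str(home)))
    return found


def rank_plans(plans, home_cidrs=COMMON_HOME_LANS):
    """Sort candidate (vpc_cidr, client_cidr) plans by number of clashes, fewest first."""
    scored = [(len(conflicts(v, c, home_cidrs)), v, c) for v, c in plans]
    return sorted(scored)


if __name__ == "__main__":
    # Constructed stand-ins: a plan low in 10.0.0.0/8 like the poster's, and
    # a plan carved out of the 100.64.0.0/10 space suggested in answer 1.
    current = ("10.0.0.0/16", "10.200.0.0/22")
    proposed = ("100.64.0.0/16", "100.100.0.0/22")
    for vpc, pool in (current, proposed):
        print(vpc, pool, "resolver", vpc_resolver(vpc),
              "shared-space" if in_shared_address_space(vpc) else "rfc1918/other",
              conflicts(vpc, pool, COMMON_HOME_LANS))
    print(rank_plans([current, proposed]))
```

For the 10.0.0.0/16 plan the check reports the resolver 10.0.0.2 sitting inside a 10.0.0.0/24 home LAN and the VPC overlapping 10.0.1.0/24; the 100.64.0.0/16 plan reports nothing. The check only finds the clash, it does not make it go away: when the resolver's prefix is also a directly connected LAN on the client, the client keeps using its local route (or, as with Tunnelblick above, refuses to install the conflicting one), and switching to full tunnel does not change that.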
0

Not really answering the question (although the answer is "It isn't easy to connect networks with overlapping IP addresses") and there are situations where IP overlap is unavoidable no matter what you do, but: this blog post might be of assistance. Perhaps.

answered 2 months ago (AWS)
