Bidirectional Client VPN Endpoint connectivity

0

Dear Re:Post Team, Maybe you could help me with the following problem. Through a Client VPN Endpoint (CIDR 172.16.0.0/22), a client is successfully able to reach (ping) EC2 instances of the subnets (CIDR 10.0.16.0/20, 10.0.80.0/20, 10.0.144.0/20), but the contrary doesn't work: the EC2 instances cannot reach the VPN client.

  1. The EC2 instances are in permissive Security Groups allowing 0.0.0.0/0 egress.
  2. The Client VPN Security Group is permissive allowing 0.0.0.0/0 ingress and egress.
  3. The Client VPN Authorization rules allow all users to CIDR 10.0.16.0/20, 10.0.80.0/20, 10.0.144.0/20 and 172.16.0.0/22
  4. The Client VPN Route table includes of course the targets 10.0.16.0/20, 10.0.80.0/20, 10.0.144.0/20 to the 3 subnets and I have also 172.16.0.0/22 to local
  5. No network ACL
  6. The Client (Windows 10 PC), is pingable and holds a small web server on port 8080 to test.
  7. I have the feeling my 3 subnets are missing routes to 172.16.0.0/22, as also recommended by AWS Q, but there is no possibility to add a Client VPN Endpoint as target.
  8. AWS Q keeps on recommending me to enable the Client-to-client Access in the Client VPN Endpoint, but this option doesn't exist.

What could be the cause of this connectivity issue? Is this a routing issue? What configuration am I missing?

Thank you so much for your support!

asked a month ago, 61 views
3 Answers
1

Contrary to the AI Agent answer, I'm not 100% sure this is even possible. The Client VPN Subnet is for Client IP Assignment only. When traffic from the Client reaches your VPC, they are NAT'd to IP Addresses of the Subnets you bind in the Target network associations.

Thanks

Gary

EXPERT
answered a month ago
0

The function of bidirectional connection over AWS Managed ClientVPN is not supported as of today. The Client VPN endpoint attaches to one or more subnets per AZ. The attachment creates an elastic network interface (ENI) in the subnet. All of the network traffic from the client subnet is Source NATed (Network Address Translated) to the ENI IP address. By default, NAT provides one-way access, where the client can reach the private network, but not the other way around.

AWS
EXPERT
answered a month ago
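The source-NAT behaviour described in the two answers above can be observed directly on an EC2 instance by capturing the ICMP echo requests a VPN client sends to it. The following is an added example, not part of the original thread: it parses constructed `tcpdump -ni eth0 icmp` output and checks whether each echo request arrives with the client's own 172.16.x.x address or with an address from one of the associated subnets (the Client VPN ENI after SNAT). The CIDRs are the ones given in the question; the capture lines and addresses are constructed.

```python
"""Classify ICMP echo requests captured on an EC2 instance to show whether
Client VPN traffic arrives source-NATed to the endpoint ENI (added example)."""
import ipaddress
import re

# CIDRs taken from the question: client CIDR and the three associated subnets.
CLIENT_CIDR = ipaddress.ip_network("172.16.0.0/22")
ASSOCIATED_SUBNETS = [
    ipaddress.ip_network(c) for c in ("10.0.16.0/20", "10.0.80.0/20", "10.0.144.0/20")
]

# Constructed sample of `tcpdump -ni eth0 icmp` on an instance at 10.0.20.10.
# The request comes from 10.0.17.55 (a subnet address, i.e. the Client VPN ENI),
# not from the client's 172.16.x.x address: that is the SNAT the answers describe.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.17.55 > 10.0.20.10: ICMP echo request, id 1, seq 1, length 40
12:00:01.000201 IP 10.0.20.10 > 10.0.17.55: ICMP echo reply, id 1, seq 1, length 40
"""

LINE_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply)")


def classify_source(src: str) -> str:
    """'client' if the packet still carries the VPN client's address,
    'snat-eni' if it carries an address from an associated subnet, else 'other'."""
    addr = ipaddress.ip_address(src)
    if addr in CLIENT_CIDR:
        return "client"
    if any(addr in subnet for subnet in ASSOCIATED_SUBNETS):
        return "snat-eni"
    return "other"


def analyse_capture(text: str) -> list:
    """Return (src, dst, classification) for every echo request in the capture."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(3) == "request":
            src, dst = m.group(1), m.group(2)
            results.append((src, dst, classify_source(src)))
    return results


if __name__ == "__main__":
    for src, dst, kind in analyse_capture(SAMPLE_CAPTURE):
        print(f"{src} -> {dst}: {kind}")
```

A classification of `snat-eni` means the instance only ever sees the ENI address, so its replies follow the existing NAT binding while a connection it initiates towards 172.16.0.0/22 has no binding to use.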
-1

Based on the information provided, it appears that the main issue preventing bidirectional connectivity between the EC2 instances and the VPN client is likely related to routing. Here are a few key points to consider:

  1. Route tables for VPC subnets: You are correct in suspecting that the subnets containing the EC2 instances may be missing routes to the Client VPN CIDR (172.16.0.0/22). Each subnet's route table should have a route pointing the Client VPN CIDR to the Client VPN Endpoint as the target. This is crucial for enabling return traffic from the EC2 instances to the VPN clients.

  2. Client-to-client communication: The suggestion to enable client-to-client communication is not relevant in this case, as it only affects communication between different VPN clients, not between VPN clients and EC2 instances.

  3. Split-tunnel vs. Full-tunnel: Ensure that your Client VPN Endpoint is configured for split-tunnel mode. In split-tunnel mode, only traffic destined for the VPC is routed through the VPN connection, while other internet traffic is sent directly from the client. This configuration is generally recommended for most use cases.

  4. Security Groups and NACLs: While you've mentioned that the security groups are permissive, double-check that both inbound and outbound rules allow traffic between the VPN CIDR and the EC2 instance subnets.

  5. VPN Endpoint Association: Verify that the Client VPN Endpoint is properly associated with the target network (VPC) and that the association state is 'associated'.

To resolve the issue:

  1. Add routes in each subnet's route table pointing the Client VPN CIDR (172.16.0.0/22) to the Client VPN Endpoint as the target.
  2. Verify that the Client VPN Endpoint is correctly associated with the VPC.
  3. Double-check all security group rules to ensure they allow bidirectional traffic between the VPN CIDR and EC2 instance subnets.
  4. Confirm that the Client VPN Endpoint is configured for split-tunnel mode.

If the issue persists after implementing these changes, you may need to review your overall network architecture and consult AWS support for further assistance.
Sources
Mastering AWS VPC: A Comprehensive Guide to Building Secure and Scalable Networks | AWS re:Post
Community | Design and Create VPC in AWS

answered a month ago
EXPERT
reviewed a month ago
