
No internet connection with AWS VPN Client on MacOS

0

When I connect my VPN client version 5.1.0 to our server I am unable to connect to the internet. That is, I can resolve DNS using dig, but I am unable to wget / open any URL in my browser. As soon as I disconnect the VPN again everything is ok again. It's working fine on all Windows laptops that we have in our department. It was also working fine on my own, I just switched to a MacBook 1 week ago.

  • I'm on MacOS Sequoia 15.3.2
  • My private IP range is 192.168.2.x
  • I have disabled IPv6 for LAN+WiFi.
  • Attached is the log, I can't spot any obvious issues in the logs other than the ACVCHelperTool one, but no clue what to make of it.
  • Split tunnel is enabled in our aws config, as I said it works fine on Windows machines.
  • At the office toggling wifi on and off again after connecting helps solve the issue, at home it does not (anymore?) so I cannot work now.

ACVCHelperTool stderr: 2025-03-28 09:31:14.203 ACVCHelperTool[12350:1369824] [Snappet AWS VPN] Fix DNS: Reply from daemon: <OS_xpc_dictionary: <dictionary: 0x600003988000> { count = 1, transaction: 0, voucher = 0x0, contents = "exitCode" => <int64: 0x19a77e7437dd4a83>: 0 }>

Not sure what else to try to analyse this issue? Any suggestions from anyone?

Kind regards, Martijn

3 Answers
1
Accepted Answer

It appears you're experiencing an issue with internet connectivity when using the AWS VPN Client on your MacOS device. This is a known issue that can occur with AWS Client VPN, especially on MacOS systems. Here are some troubleshooting steps you can try:

  1. Check your route table: When connected to the VPN, the default route may be incorrectly set. You can verify this by checking your route table before and after connecting to the VPN. If you notice that the default route changes to the VPN interface, this could be causing your internet connectivity issues.

  2. Modify the route table manually: If the default route is being changed, you can try manually modifying it after connecting to the VPN. You can do this by using the following commands in the terminal:

    sudo route delete -net 0.0.0.0/0
    sudo route add -net 0.0.0.0/0 <your_gateway_ip>

    Replace <your_gateway_ip> with your actual gateway IP address.

  3. Check the Client VPN endpoint configuration: Ensure that the split-tunnel option is correctly configured on the AWS side. Even if it's enabled, there might be an issue with how it's being applied.

  4. Use the AWS Client VPN GUI: Some users have reported that using the official AWS Client VPN GUI application instead of the built-in OpenVPN client can resolve this issue. If you're not already using it, try installing and using the AWS Client VPN application.

  5. Verify the mssfix setting: If you're having trouble with larger packets, you might need to adjust the maximum segment size. You can do this by adding the following line to your Client VPN endpoint .ovpn configuration file:

    mssfix 1328

  6. Check for non-RFC1918 IP addresses: Ensure that none of your network interfaces have non-RFC1918 IP addresses, as this can sometimes cause routing issues with the VPN.

If these steps don't resolve the issue, you may need to contact AWS support for further assistance, as there could be a configuration problem on the AWS side that's specific to your setup.
Sources
Troubleshooting AWS Client VPN connections with macOS clients - AWS Client VPN
Troubleshooting AWS Client VPN: Clients can't access a peered VPC, Amazon S3, or the internet - AWS Client VPN
AWS Client VPN with split tunnel add default route even though it shouldn't | AWS re:Post
Losing internet access with split tunnel on in aws client VPN | AWS re:Post

answered 10 months ago
AWS
EXPERT
reviewed 10 months ago
  • The problem does indeed appear to be with routing: adding the route back again (sudo route delete -net 0.0.0.0/0 && sudo route add -net 0.0.0.0/0 <your_gateway_ip>) AFTER connecting to VPN does resolve the issue. But it's only temporary, for that 1 session. The next time I connect the routes are replaced again. This seems like a VERY similar issue we had when our office private network IP CIDR was wrong (https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/routing-to-lan.html). That could also be manually resolved by adding the route again. But as stated I think my gateway address of 192.168.2.1 is correct right? I also don't see any errors in the logs which we did in the past at the office.

  • Strangely enough the default route added appears to persist, even after a reboot. I'll keep an eye on it but for now adding the route to my gateway manually "appears to have" resolved the issue. I'll update in a few days.

  • Tested it for a week at home and at the office and I haven't seen the issue anymore.
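The route-table check in steps 1 and 2 of the accepted answer, and the RFC 1918 check in step 6, as an added example that is not code from the thread or from AWS. It parses `netstat -rn -f inet` output (a constructed sample is embedded so it runs offline), reports whether the active default route has been captured by a utun tunnel interface, recovers the LAN gateway from the shadowed en0 default entry, and prints the repair command from the answer rather than running it. The interface names, the utun number and the 10.0.0.0/16 VPN CIDR are assumptions; 192.168.2.1 is the gateway the asker reported.

```shell
#!/bin/sh
# Added example (not from the thread's authors or AWS): detect a macOS default
# route captured by the VPN tunnel (utunN) and build the fix from the answer.
# utun3, en0 and 10.0.0.0/16 are assumed values for illustration only.

# Constructed sample of `netstat -rn -f inet` on a Mac whose default route has
# been replaced by the tunnel. The LAN default via 192.168.2.1 on en0 is still
# listed but shadowed, because the kernel uses the first matching entry.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
default            link#20            UCS             utun3
default            192.168.2.1        UGScIg          en0
10.0.0.0/16        10.0.0.1           UGSc            utun3
127                127.0.0.1          UCS             lo0
192.168.2          link#6             UCS             en0
192.168.2.1/32     link#6             UCS             en0'

# Constructed sample of a healthy split-tunnel table: only the VPC CIDR
# goes via the tunnel, the default stays on the LAN interface.
HEALTHY_ROUTES='Destination        Gateway            Flags           Netif Expire
default            192.168.2.1        UGScg           en0
10.0.0.0/16        10.0.0.1           UGSc            utun3'

# Print the Netif of the first "default" entry (the route actually in use).
# Reads routing-table text on stdin, so it works on a sample or live output.
default_route_iface() {
    awk '$1 == "default" { print $4; exit }'
}

# Print the gateway of the default entry on a non-tunnel interface, i.e. the
# LAN router that the VPN client should have left as the default.
lan_gateway() {
    awk '$1 == "default" && $4 !~ /^utun/ { print $2; exit }'
}

# Succeed (exit 0) when the active default route points at a utun interface.
default_route_captured() {
    case "$(default_route_iface)" in
        utun*) return 0 ;;
        *)     return 1 ;;
    esac
}

# The repair from the accepted answer, printed for the operator to review.
repair_command() {
    printf 'sudo route delete -net 0.0.0.0/0 && sudo route add -net 0.0.0.0/0 %s\n' "$1"
}

# Step 6 of the answer: is a dotted-quad IPv4 address in 10/8, 172.16/12 or
# 192.168/16? Pure shell parameter expansion, no external tools.
is_rfc1918() {
    ip="$1"
    o1=${ip%%.*}; rest=${ip#*.}; o2=${rest%%.*}
    [ "$o1" = 10 ] && return 0
    [ "$o1" = 192 ] && [ "$o2" = 168 ] && return 0
    [ "$o1" = 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0
    return 1
}

# Live check only on macOS and only when asked (--live); otherwise demonstrate
# on the constructed sample. The repair is printed, never executed here.
if [ "$(uname 2>/dev/null)" = "Darwin" ] && [ "${1:-}" = "--live" ]; then
    routes=$(netstat -rn -f inet)
    if printf '%s\n' "$routes" | default_route_captured; then
        gw=$(printf '%s\n' "$routes" | lan_gateway)
        echo "default route is on $(printf '%s\n' "$routes" | default_route_iface); suggested fix:"
        repair_command "${gw:-<your_gateway_ip>}"
    else
        echo "default route is not on a utun interface"
    fi
else
    printf '%s\n' "$SAMPLE_ROUTES" | default_route_captured && \
        repair_command "$(printf '%s\n' "$SAMPLE_ROUTES" | lan_gateway)"
fi
```

Run it as `sh check_default_route.sh --live` on the Mac before and after connecting the VPN client; if the default route only moves to utun while connected, the comparison confirms the answer's diagnosis, and the printed command is the same one-session workaround the asker reported.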

0

Have you enabled SPLIT Tunnel on the VPN Client endpoint? This will likely fix your issue. https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/split-tunnel-vpn.html

If you want to route ALL traffic over your VPN, we will need to take a look at how you have your VPC setup.

EXPERT
answered 10 months ago
  • Formatted my opening question a bit for readability, we have already configured splitting and it IS working fine on all other machines. Also see the tentatively positive reply on the AI's answer.

0

We used to have a lot of issues with internet outages on disconnect from our split-tunnel Client VPN Endpoints because we had old 0.0.0.0/0 routes configured in the route table. We had previously used a full-tunnel configuration and just never cleaned up the route table when we switched to split tunnel for that endpoint. As such, removing the internet routes from our CVPNE route table configuration eliminated the issue.

Before figuring that out, I wrote a daemon for MacOS that automatically resets your network interfaces and flushes your system's route tables when DNS changes are detected coming off of a VPN. It was a quick little project, but maybe you or someone else will find a use-case for it to help as well: https://github.com/bmartinson/netrestarterd.

answered 6 months ago
