Troubleshooting Client VPN Setup: Addressing Connectivity Issues and Seeking Guidance

0

I have set up an AWS Client VPN endpoint and connected it to the private/public subnet within the AWS VPC. I've completed and tested the following seven steps:

  1. Generated the server and client certificates and keys (Completed).
  2. Created the Client VPN Endpoint (Completed).
  3. Enabled VPN connectivity for the clients (Completed).
  4. Tested client authorization to access the network. *Generated authorization rules.
  5. Optional: Enabled access to additional networks using the same connection (Skipped for now).
  6. Downloaded the Client Endpoint configuration file and ensured proper configuration (Tested).
  7. Currently in the process of testing the connection to the Client VPN Endpoint.

The setup seems to be functioning without any apparent errors. I've confirmed that the welcome text is displayed upon logging in from a user's PC. However, an error occurs when attempting to access an internet web page.

Browser Error

In an effort to address this issue, I've enrolled CloudWatch and Reachability Analyzer to trace the error. However, due to my limited knowledge with the AWS environment, I'm uncertain about where to begin troubleshooting.

I've confirmed that the inbound and outbound subnet route tables have been configured as follows:

Public Subnet Route Table:
  • Destination: 10.0.0.0/16 -> Target: local
  • Destination: 0.0.0.0/0 -> Target: IGW

Private Subnet Route Table:
  • Destination: 10.0.0.0/16 -> Target: local
  • Destination: 0.0.0.0/0 -> Target: NAT

Could you kindly provide guidance on where I should direct my attention to address this issue? Your assistance is greatly appreciated.

4 Answers
1
Accepted Answer

Looks like you may have not defined the DNS servers in the VPN client section. This setting is optional.

You can assign the VPC DNS servers or use something like google DNS servers.

Can you confirm what DNS servers you have defined?

If none, try setting it to the VPC CIDR +2. So if the VPC is 172.31.0.0, the DNS server should be 172.31.0.2.

Please also confirm the routes you have assigned to the VPN endpoint.

EXPERT
answered 8 months ago
  • Hi, Gary,

    It seems I might have had a misconception regarding VPC setup. I had assumed that VPC would automatically handle DNS configuration. However, upon further review, I realize that I haven't defined any DNS servers in the VPN client section as of now. I intend to rectify this promptly. Additionally, I'm wondering whether enabling Route53 might be a necessary step in this context. Your insights would be greatly appreciated.

    Thank you for your time and assistance.

  • No need to do anything with Route53. There's a default VPC resolver you can use, as per my answer the +2 IP address, or you could assign the Google DNS, for example.

  • Hey, Gary, DNS resolution is currently enabled, as indicated in the Details section of the VPC. However, I couldn't locate an option to edit the DNS settings. Below, I have attached some screenshots for your reference.

  • I am pleased to share with you that I have successfully added the DNS records for 10.0.0.2 and 8.8.8.8 to the Client VPN endpoint. While I am able to ping 8.8.8.8, unfortunately, I am encountering difficulties in reaching local IPs. Although there are more tests that I intend to conduct, I am grateful to have identified the initial point for troubleshooting. Once again, thank you for your assistance, Gary. As the initial inquiry has been resolved, I will proceed to close this case for the time being. Wishing you a splendid day ahead!

  • That's good to hear. It's likely you can ping 8.8.8.8 because you have split tunnel and it doesn't go via AWS. For local IPs in the VPC you will have to ensure ICMP is allowed from the VPN, etc.

0
  1. Double check the security group rules on the client VPN endpoint to ensure TCP/UDP ports 443, 1194 are allowed from the client CIDR range.
  2. Verify the route table for the private subnet has a route pointing traffic (0.0.0.0/0) back to the client VPN endpoint. This allows internet traffic to flow back.
  3. Check that the NACL rules are not blocking any required ports or IP ranges.
  4. Confirm the client configuration file has the correct endpoint IP and certificate/keys match the server side.
  5. Try adjusting the MTU on the client VPN endpoint in case there are fragmentation issues. Start with 1300 and increase in increments.
  6. Validate that DNS resolution is working from the client side after connecting. Try a manual DNS lookup to confirm.
  7. Tail the VPN connection logs on the client and server side for any clues on connection drops or errors.
  8. Confirm internet access works if you connect the client directly to the public subnet instead. Indicates a routing issue if so.
  9. Check for security software, firewalls etc on the client machine that may be blocking VPN traffic.
answered 8 months ago
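The two answers above boil down to a short checklist: the Amazon-provided resolver at the VPC base address +2, a 0.0.0.0/0 route and authorization rule on the Client VPN endpoint, and a default route to NAT/IGW in the associated subnet. This added example (not from the original thread or from AWS) runs those checks over constructed data modelled on the poster's 10.0.0.0/16 VPC; the subnet id, client CIDR and route targets are assumptions.

```python
import ipaddress

# Constructed sample state (not from the original page): a 10.0.0.0/16 VPC whose
# private subnet sends 0.0.0.0/0 to a NAT gateway, but whose Client VPN endpoint
# only routes and authorizes the VPC CIDR itself.
VPC_CIDR = "10.0.0.0/16"
CLIENT_CIDR = "172.16.0.0/22"                  # hypothetical client CIDR
ENDPOINT_DNS = ["10.0.0.2", "8.8.8.8"]         # DNS servers set on the endpoint
ENDPOINT_ROUTES = {"10.0.0.0/16": "subnet-private"}   # endpoint route table
AUTH_RULES = ["10.0.0.0/16"]                   # endpoint authorization rules
SUBNET_ROUTES = {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-gateway"}


def vpc_dns_resolver(vpc_cidr):
    """Amazon-provided DNS: VPC network address + 2 (the '+2' from the accepted answer)."""
    return str(ipaddress.ip_network(vpc_cidr).network_address + 2)


def covers(cidrs, dest):
    """True if any CIDR in cidrs contains dest (equal networks count)."""
    d = ipaddress.ip_network(dest)
    return any(ipaddress.ip_network(c).supernet_of(d) for c in cidrs)


def check_internet_path(vpc_cidr, client_cidr, dns, ep_routes, auth_rules, subnet_routes):
    """Return the reasons why web browsing from a VPN client would fail (empty = all good)."""
    findings = []
    if not dns:
        findings.append("no DNS servers on endpoint; try %s or a public resolver"
                        % vpc_dns_resolver(vpc_cidr))
    elif vpc_dns_resolver(vpc_cidr) in dns and not covers(auth_rules, vpc_dns_resolver(vpc_cidr)):
        findings.append("VPC resolver configured but not authorized for clients")
    if not covers(ep_routes, "0.0.0.0/0"):
        findings.append("endpoint route table has no 0.0.0.0/0 route to a target subnet")
    if not covers(auth_rules, "0.0.0.0/0"):
        findings.append("no authorization rule for 0.0.0.0/0")
    if subnet_routes.get("0.0.0.0/0") not in ("nat-gateway", "igw"):
        findings.append("subnet route table has no default route to NAT/IGW")
    if ipaddress.ip_network(client_cidr).overlaps(ipaddress.ip_network(vpc_cidr)):
        findings.append("client CIDR overlaps the VPC CIDR")
    return findings


if __name__ == "__main__":
    for f in check_internet_path(VPC_CIDR, CLIENT_CIDR, ENDPOINT_DNS,
                                 ENDPOINT_ROUTES, AUTH_RULES, SUBNET_ROUTES):
        print("FINDING:", f)
```

With the constructed state the only findings are the two missing 0.0.0.0/0 entries on the endpoint, which matches the symptom in the thread: the tunnel comes up and the VPC is reachable, but internet pages do not load.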
0

Thanks for your helpful tips, Jose

  1. Double check the security group rules on the client VPN endpoint to ensure TCP/UDP ports 443, 1194 are allowed from the client CIDR range. (Completed)

  2. Verify the route table for the private subnet has a route pointing traffic (0.0.0.0/0) back to the client VPN endpoint. This allows internet traffic to flow back.

  3. Check that the NACL rules are not blocking any required ports or IP ranges.

  4. Confirm the client configuration file has the correct endpoint IP and certificate/keys match the server side.

  5. Confirm internet access works if you connect the client directly to the public subnet instead. Indicates a routing issue if so.

Neither Public nor Private allows me to access the Internet while connected to the AWS VPN.

  1. Check for security software, firewalls etc on the client machine that may be blocking VPN traffic.

I have reviewed and there is no specific error on the Windows Defender FW at the moment. (No anti-virus software.)

  5. Try adjusting the MTU on the client VPN endpoint in case there are fragmentation issues. Start with 1300 and increase in increments.

  6. Validate that DNS resolution is working from the client side after connecting. Try a manual DNS lookup to confirm.

  7. Tail the VPN connection logs on the client and server side for any clues on connection drops or errors.

I encountered some challenges while trying to proceed with steps #5 to #7. I made an attempt to trace the traffic using the "Reachability Analyzer," as shown in the image below.

Regrettably, I was unable to establish the Source/Destination during this attempt. Could you kindly suggest any other tools that might be suitable for addressing my current situation?

Your response is greatly valued. Thank you very much for your assistance.

answered 8 months ago
0

Resource map

Here is the route logic:

  1. Client VPN endpoints
  2. Private subnet (refer rtb-private) sends to the VPN DemoNAT in the public subnet
  3. Public subnet (refer rtb-public) sends to the Internet Gateway

While conducting the reachability analyzer, I identified an error in connectivity between the public network and the NAT (Network Address Translation) configuration.

answered 8 months ago
