Questions tagged with AWS Virtual Private Network (VPN)

S2S VPN tunnels up but no communication.

Hi, I'm trying to get a VPN running between my on-premises site and a VPC. I think I've followed all the instructions in the AWS guide, and created a VPG and CGW and attached them to a VPN on my VPC. I have used the generic config file to set up the IPsec VPN settings on the router here, a Draytek 3900 on static routing. I added Network ACL and security group rules to allow traffic between the private IP range on prem and the VPC subnet range.

Both tunnels show as up in the console, but I can't ping between the on-prem machines and an instance I created in the subnet. From the router I can ping the inside IP of both tunnels, but not from the instance. I must be missing something, but I can't see what it is. I have set up route tables to point traffic from my subnets to my internal IP range to go to the VPG. I'm also getting confused by the tunnel IP ranges, which don't match anything at either end.

Information from config file:

Outside IP Addresses
- Customer Gateway: xx.xx.xx.xx (public IP of my router, set in CGW)
- Virtual Private Gateway: yy.yy.yy.yy (public IP of AWS tunnel)

Inside IP Addresses
- Customer Gateway: 169.254.x/30 (this doesn't match my internal IP range)
- Virtual Private Gateway: 169.254.y/30 (this doesn't match the VPC internal range)
- Next Hop: 169.54.y (pingable from my end)

My router config
- Local IP/Subnet Mask: 192.168.a/24 (my internal range)
- Local next hop: 0.0.0.0 (also tried the next hop from the config file, but that didn't work either)
- Remote Host: yy.yy.yy.yy (public IP of AWS tunnel from config file)
- Remote IP/Subnet Mask: 169.254.x/30 (169.254.y/30 VPG from config file)

I've also added the IP range of my VPC into the 'More Remote Subnet' but that doesn't make any difference. Ping to keep alive is enabled and set to the VGW public IP.

- CGW is attached to my VPC.

VPN settings
- VPC: my VPC
- Local IP CIDR: my internal IP range (192.168.a)
- State: Available
- Customer gateway: xx.xx.xx.xx (public IP of my router)
- Routing: Static
- Remote IP CIDR: 0.0.0.0/0 (also tried subnets and the entire VPC range)
- VPG: my VPG
- Type: ipsec.1
- Acceleration: False
- CGW: my CGW

Can anyone point me in the right direction for the correct settings I need?
2 answers, 0 votes, 3 views. Asked 13 days ago by PatWills.
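A sanity check for the static-routing Site-to-Site setup described in the post above, as an added example that is not part of the original post or of any AWS tooling. It encodes three things a practitioner verifies when both tunnels are up but no traffic flows: the router's phase 2 selectors must name the two LANs (the 169.254.0.0/16 inside-tunnel /30s are the tunnel link itself, not a remote network), the on-prem prefix must exist as a static route on the VPN connection, and the subnet route table must send that prefix to a vgw-* target. The sample configuration is constructed to mirror the post, with placeholder prefixes where the post uses 192.168.a and the x/y inside ranges; the VGW ID is likewise made up.

```python
"""Sanity checks for a static-routing AWS Site-to-Site VPN whose tunnels are
up but pass no traffic. Hypothetical helper written for the post above, not
AWS code; the sample configuration is constructed to mirror the post, with
placeholder prefixes where the post uses 192.168.a and 169.254.x/y."""
import ipaddress

# AWS assigns the inside (transit) addresses of each IPsec tunnel out of the
# link-local range. They identify the two ends of the tunnel link; they are
# not a remote network that the router should select traffic for.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def inside_addresses(cidr):
    """Return the two usable host addresses of an inside-tunnel /30."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen != 30:
        raise ValueError(f"inside tunnel CIDR should be a /30, got {cidr}")
    return [str(h) for h in net.hosts()]


def check_s2s_static(cfg):
    """Return a list of findings (strings) for a static-routing S2S VPN.

    cfg keys:
      onprem_cidr         - LAN behind the customer gateway
      vpc_cidr            - CIDR of the VPC on the AWS side
      cgw_local_selector  - phase 2 local network configured on the router
      cgw_remote_selector - phase 2 remote network configured on the router
      vpn_static_routes   - static route prefixes on the VPN connection
      vpc_routes          - {destination_cidr: target} of the subnet route table
    """
    findings = []
    onprem = ipaddress.ip_network(cfg["onprem_cidr"])
    vpc = ipaddress.ip_network(cfg["vpc_cidr"])
    local_sel = ipaddress.ip_network(cfg["cgw_local_selector"], strict=False)
    remote_sel = ipaddress.ip_network(cfg["cgw_remote_selector"], strict=False)

    # 1. Phase 2 selectors must describe the two LANs, not the tunnel link.
    if remote_sel.subnet_of(LINK_LOCAL):
        findings.append(f"remote selector {remote_sel} is the inside tunnel "
                        f"link; use the VPC CIDR {vpc} instead")
    elif not (remote_sel.subnet_of(vpc) or vpc.subnet_of(remote_sel)):
        findings.append(f"remote selector {remote_sel} does not cover VPC {vpc}")
    if not onprem.subnet_of(local_sel):
        findings.append(f"local selector {local_sel} does not cover LAN {onprem}")

    # 2. With static routing, AWS only knows the on-prem prefix if it is a
    #    static route on the VPN connection.
    statics = [ipaddress.ip_network(r) for r in cfg["vpn_static_routes"]]
    if not any(onprem.subnet_of(s) for s in statics):
        findings.append(f"no static route on the VPN connection covers {onprem}")

    # 3. The instance's subnet route table must send on-prem traffic to the VGW.
    vgw_routes = [ipaddress.ip_network(d) for d, t in cfg["vpc_routes"].items()
                  if t.startswith("vgw-")]
    if not any(onprem.subnet_of(r) for r in vgw_routes):
        findings.append(f"VPC route table has no route for {onprem} via a vgw-* target")
    return findings


# Constructed sample mirroring the post: the router's remote network is set to
# the inside tunnel /30 from the config file instead of the VPC CIDR.
SAMPLE = {
    "onprem_cidr": "192.168.10.0/24",      # stands in for 192.168.a/24
    "vpc_cidr": "10.20.0.0/16",            # constructed VPC CIDR
    "cgw_local_selector": "192.168.10.0/24",
    "cgw_remote_selector": "169.254.10.0/30",
    "vpn_static_routes": ["192.168.10.0/24"],
    "vpc_routes": {"10.20.0.0/16": "local",
                   "192.168.10.0/24": "vgw-0123456789abcdef0"},  # made-up VGW ID
}

if __name__ == "__main__":
    print("inside /30 endpoints:", inside_addresses("169.254.10.0/30"))
    for finding in check_s2s_static(SAMPLE):
        print("-", finding)
```

Run as-is it reports the one mismatch built into the sample; setting `cgw_remote_selector` to the VPC CIDR clears it. The inside addresses are still useful: pinging the far end of each /30 from the router proves the tunnel link, which is exactly what the post observed, while traffic between the LANs needs the selectors and routes checked here.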

Issues getting split-tunnel in client VPN endpoint to work correctly.

I'm setting up a company VPN using AWS Client VPN endpoints. I have everything working so far; however, all client internet traffic is being routed through the VPN and out through the NAT gateway (and therefore incurring NAT gateway costs). I'm trying to enable split-tunnel; however, I'm still getting 0.0.0.0/0 routes to the VPN added to my route table.

If I try:
- Split tunnel enabled
- Routes to the local VPC and peered networks
- Authorized access to these routes
- Fairly open security group

and then connect to the VPN, I still get this in my route table:

```
$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.2.161      0.0.0.0         UG        0 0          0 tun0
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 enp0s20f0u2
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 wlp0s20f3
10.0.2.160      0.0.0.0         255.255.255.224 U         0 0          0 tun0
10.10.0.0       10.0.2.161      255.255.0.0     UG        0 0          0 tun0
-------         10.0.2.161      255.255.0.0     UG        0 0          0 tun0
```

(With some redaction above; I'm using 10.0.0.0/22 as the VPN CIDR.)

I'm connecting from a Fedora laptop using the built-in VPN client; I'm creating a VPN file based off the one you can download and importing it after adding in certs & keys.

This all means that when I'm connected to the VPN I can access my private resources, but I lose all general internet connectivity. For our use case it's not workable for us to keep having to hop on and off the VPN.
1 answer, 0 votes, 3 views. Asked 13 days ago by Alex.
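To turn the routing table in the post above into a yes/no answer on whether a client is really split-tunnelled, here is an added example (not from the post, not AWS or OpenVPN code) that parses `netstat -nr` output, reports whether a 0.0.0.0/0 route points at the tunnel interface, and lists any prefix pushed onto the tunnel that the endpoint's route table would not explain. The sample table is constructed from the post's output, redacted row included, to show that an unparsable destination is skipped rather than aborting the check; the "expected" CIDR list is an assumption standing in for the endpoint's route table plus its client CIDR.

```python
"""Parse `netstat -nr` output and report what a VPN tunnel interface carries:
a default route (full tunnel) or only specific prefixes (split tunnel), and
which pushed prefixes fall outside what the endpoint should have sent.
Added example for the post above, not AWS or OpenVPN code. The sample table
is constructed from the post, redacted row included."""
import ipaddress

SAMPLE_NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.2.161      0.0.0.0         UG        0 0          0 tun0
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 enp0s20f0u2
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 wlp0s20f3
10.0.2.160      0.0.0.0         255.255.255.224 U         0 0          0 tun0
10.10.0.0       10.0.2.161      255.255.0.0     UG        0 0          0 tun0
-------         10.0.2.161      255.255.0.0     UG        0 0          0 tun0
"""

DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def parse_routes(text):
    """Return [(network, gateway, iface)] for each data row of netstat -nr.

    Header rows and rows whose destination is not an address (the redacted
    '-------' line in the post) are skipped rather than raising.
    """
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] in ("Kernel", "Destination"):
            continue
        try:
            # Genmask is a dotted netmask; ip_network accepts "addr/netmask".
            network = ipaddress.ip_network(f"{cols[0]}/{cols[2]}", strict=False)
        except ValueError:
            continue
        routes.append((network, cols[1], cols[7]))
    return routes


def tunnel_report(text, iface="tun0"):
    """full_tunnel: a 0.0.0.0/0 route points at iface; prefixes: the rest via iface."""
    via = [n for n, _gw, dev in parse_routes(text) if dev == iface]
    return {
        "full_tunnel": any(n == DEFAULT for n in via),
        "prefixes": sorted(str(n) for n in via if n != DEFAULT),
    }


def routes_outside(text, expected_cidrs, iface="tun0"):
    """Prefixes routed via iface that no expected CIDR covers.

    With split-tunnel enabled the client should only receive the endpoint's
    route table entries (plus its own client CIDR), so anything returned here
    is a route the endpoint should not have pushed.
    """
    expected = [ipaddress.ip_network(c) for c in expected_cidrs]
    return sorted(str(n) for n, _gw, dev in parse_routes(text)
                  if dev == iface and not any(n.subnet_of(e) for e in expected))


if __name__ == "__main__":
    print(tunnel_report(SAMPLE_NETSTAT))
    # Assumed endpoint route table (10.10.0.0/16) plus the post's client CIDR.
    print(routes_outside(SAMPLE_NETSTAT, ["10.10.0.0/16", "10.0.0.0/22"]))
```

On a live machine, feed it `subprocess.run(["netstat", "-nr"], capture_output=True, text=True).stdout`; a non-empty result from `routes_outside` after a reconnect means the endpoint, not the client, is still pushing the default route.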

Cannot reach EC2 Instance over client to site VPN

I am somewhat new to AWS admin, but have built several EC2 instances for customers with both site-to-site VPNs as well as client-to-site, using OpenVPN for the latter. I am successfully connected to the VPN, but cannot ping or RDP to my instance's internal IP address. I have created firewall rules in Windows allowing ICMPv4 in/out, and even disabled the Windows Defender Firewall. I have applied a security group on the instance allowing all traffic from the subnet range of my VPN (10.0.0.0/16) as source; my VPN client has an IP of 10.0.1.34 currently while connected.

On the route table under VPC, I have the local route showing 172.31.0.0/16 (the server's IP is 172.31.14.231) as a destination, as well as 0.0.0.0/16 as a destination. Both are showing as propagated: No (I have no site-to-site for this customer); not sure if the propagation is an issue here? Subnet association under route tables has all the subnets listed, including the 172.31.16.0/20, which I checked does include my server's IP of 172.31.14.231.

Under VPN > Client VPN Endpoint > Associations, I have the network ID associated status with the network ID of the subnet 172.31.16.0/20; the security group is the allow-all-traffic-to-VPC one that I listed above. The Authorization tab has access all set to true, destination CIDR is 172.31.0.0/16 and state is Active. The Route table tab has a destination CIDR of 172.31.0.0/16; the target subnet is the one that includes my server (172.31.0.0/20). Connections shows the status of active with IP of 10.0.1.34.

I am running a continuous ping from the server to my VPN client IP of 10.0.1.34, as well as a ping from my workstation connected via VPN; both are timing out. RDP cannot find the server.

I know this is a lot of information, but I really could use some help here. I would think it is a routing or firewall issue, but cannot seem to find the issue. Thank you in advance.
2 answers, 0 votes, 8 views. Asked a month ago by AWS-User-6756233.
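The post above lists every Client VPN control in turn, which is the right shape for a path check. The added example below (not from the post, not AWS code) walks one client-to-instance flow through those controls: client CIDR, endpoint route and its target subnet's association, authorization rule, and the instance security group. The security group step carries the caveat practitioners most often miss: Client VPN source-NATs client traffic to the endpoint's network interface in the target subnet, so the instance sees an address from that subnet, never the client's tunnel address, and a rule whose source is the client CIDR does not match. It also reports which associated subnet, if any, actually contains the target, since the post leans on that. The sample values are the ones the post quotes; modelling subnets by CIDR rather than subnet ID is a simplification made here.

```python
"""Walk the path of one Client VPN flow (client -> instance) and flag the
prefix mismatches behind "connected, but cannot ping or RDP". Added example
for the post above, not AWS code. Sample values are those quoted in the post;
subnets are modelled by CIDR instead of subnet ID for brevity."""
import ipaddress


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def check_client_vpn_path(cfg, client_ip, target_ip):
    """Return {"findings": [...], "notes": [...]} for one client->target flow.

    cfg keys:
      client_cidr         - client CIDR of the Client VPN endpoint
      associated_subnets  - CIDRs of the subnets associated with the endpoint
      endpoint_routes     - [(destination_cidr, target_subnet_cidr), ...]
      authorization_cidrs - destination CIDRs that have an authorization rule
      instance_sg_sources - source CIDRs the instance security group allows
    """
    client = ipaddress.ip_address(client_ip)
    target = ipaddress.ip_address(target_ip)
    findings, notes = [], []
    assoc = [net(s) for s in cfg["associated_subnets"]]

    # 1. The client must hold an address out of the endpoint's client CIDR.
    if client not in net(cfg["client_cidr"]):
        findings.append(f"client {client} is outside client CIDR {cfg['client_cidr']}")

    # 2. An endpoint route must cover the target and point at an associated subnet.
    routes = [(net(d), net(s)) for d, s in cfg["endpoint_routes"] if target in net(d)]
    if not routes:
        findings.append(f"no endpoint route covers {target}")
    for dest, subnet in routes:
        if subnet not in assoc:
            findings.append(f"route {dest} targets {subnet}, which is not associated")

    # 3. An authorization rule must cover the target.
    if not any(target in net(a) for a in cfg["authorization_cidrs"]):
        findings.append(f"no authorization rule covers {target}")

    # 4. Client VPN source-NATs client traffic to the endpoint's network
    #    interface in the target subnet, so the instance sees an address from
    #    that subnet, never the client's tunnel address. A security group rule
    #    whose source is the client CIDR therefore never matches.
    sources = [net(s) for s in cfg["instance_sg_sources"]]
    for _dest, subnet in routes:
        if not any(subnet.subnet_of(s) for s in sources):
            findings.append(
                f"security group sources {cfg['instance_sg_sources']} do not cover "
                f"{subnet}; after source NAT the traffic arrives from that subnet, "
                f"not from {client}")

    # Informational: which associated subnet, if any, actually contains the target.
    home = [str(s) for s in assoc if target in s]
    if home:
        notes.append(f"{target} lies in associated subnet {home[0]}")
    else:
        notes.append(f"{target} is in none of the associated subnets "
                     f"{cfg['associated_subnets']}; it is reached from the endpoint "
                     "interface's subnet via the VPC local route")
    return {"findings": findings, "notes": notes}


# Values quoted in the post.
SAMPLE = {
    "client_cidr": "10.0.0.0/16",
    "associated_subnets": ["172.31.16.0/20"],
    "endpoint_routes": [("172.31.0.0/16", "172.31.16.0/20")],
    "authorization_cidrs": ["172.31.0.0/16"],
    "instance_sg_sources": ["10.0.0.0/16"],
}

if __name__ == "__main__":
    result = check_client_vpn_path(SAMPLE, "10.0.1.34", "172.31.14.231")
    for line in result["findings"] + result["notes"]:
        print("-", line)
```

The same source NAT is why a ping from the instance back to 10.0.1.34 cannot succeed on its own: the VPC has no route to the client CIDR, and the client is only ever seen behind the endpoint interface's address.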

Client VPN: error on Linux client when adding route number 63

Hi, we have a very rare problem with AWS Client VPN. We have 62 routes/authorizations and the service works fine; we have Windows clients with the Client VPN software and Linux clients with OpenVPN software. But when we add route number 63, Windows clients go fine, but Linux clients (all of them) fail with messages like this:

...
```
55.0,route 10.53.4.0 255.255.255.0,route 10.1.124.0 255.255.255.0,route 10.105.0.0 255.255.0.0,route 172.25.246.0 255.255.255.0,route 172.24.191.0 255.255.255.0,route 172.25.182.0 255.255.255.0,route 10.55.36.0 255.255.255.0,route 10.53.132.0 255.255.255.0,route 172.25.196.0 255.255.255.0,route 172.25.76.0 255.255.255.0,route-gateway 10.200.0.129,topology subnet,ping 1,ping-restart 20,ifconfig'
2022-03-24 09:14:12 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:68: ifconfig (2.5.6)
2022-03-24 09:14:12 OPTIONS IMPORT: timers and/or timeouts modified
2022-03-24 09:14:12 OPTIONS IMPORT: --ifconfig/up options modified
2022-03-24 09:14:12 OPTIONS IMPORT: route options modified
2022-03-24 09:14:12 OPTIONS IMPORT: route-related options modified
2022-03-24 09:14:12 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-03-24 09:14:12 Using peer cipher 'AES-256-GCM'
2022-03-24 09:14:12 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-03-24 09:14:12 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-03-24 09:14:12 net_route_v4_best_gw query: dst 0.0.0.0
2022-03-24 09:14:12 net_route_v4_best_gw result: via 192.168.0.1 dev enx000ec675f0d5
2022-03-24 09:14:12 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=enx000ec675f0d5 HWADDR=00:0e:c6:75:f0:d5
2022-03-24 09:14:12 TUN/TAP device tun0 opened
2022-03-24 09:14:12 WARNING: OpenVPN was configured to add an IPv4 route. However, no IPv4 has been configured for tun0, therefore the route installation may fail or may not work as expected.
2022-03-24 09:14:12 net_route_v4_add: 10.203.0.0/16 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.204.0.0/16 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.202.0.0/16 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.52.12.0/24 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.24.0.0/24 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.201.0.0/16 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.53.8.0/24 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 172.24.224.0/24 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.1.28.0/24 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 172.24.0.0/24 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
```
...

Any help is welcome, thanks in advance! Bye,
1 answer, 0 votes, 2 views. Asked 2 months ago by Angel Abad.
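The log in the post above shows a chain worth reading in order: the pushed option list ends with a bare `ifconfig`, OpenVPN rejects it as option 68 with missing parameters, tun0 therefore never gets an address, and every `route` via 10.200.0.129 then fails with ENETUNREACH (-101) because the gateway is not on-link. The added example below (not from the post, not OpenVPN or AWS code) parses a pushed option string the way OpenVPN numbers it, finds options with the wrong parameter count, and counts how many routes are uninstallable for lack of a tunnel address. The option string is constructed with only a few routes, so it reports index 9 rather than the post's 68; the shape (a trailing `ifconfig` with no parameters) is what the posted log shows. The arity table is mine and covers only the option types visible in the log.

```python
"""Parse the option list OpenVPN logs as [PUSH-OPTIONS], locate the option that
breaks parsing, and show why every later route add fails. Added example for
the post above, not OpenVPN or AWS code. The option string is constructed
with a few routes and a trailing bare 'ifconfig', as in the posted log."""
import ipaddress

# Minimum and maximum parameter counts for the pushed options seen in the log
# (an assumption kept to those option types only).
ARITY = {
    "route": (1, 4),          # network [netmask [gateway [metric]]]
    "route-gateway": (1, 1),
    "ifconfig": (2, 2),       # local address, netmask (topology subnet)
    "topology": (1, 1),
    "ping": (1, 1),
    "ping-restart": (1, 1),
    "dhcp-option": (1, 2),
}

# Constructed sample: four routes, the usual trailer, and 'ifconfig' with no
# parameters, which is how the post's option 68 arrived.
SAMPLE_PUSH = (
    "route 10.203.0.0 255.255.0.0,route 10.204.0.0 255.255.0.0,"
    "route 10.52.12.0 255.255.255.0,route 172.24.0.0 255.255.255.0,"
    "route-gateway 10.200.0.129,topology subnet,ping 1,ping-restart 20,ifconfig"
)


def parse_push_options(push):
    """Split a pushed option string into [(index, name, args)], 1-based like
    OpenVPN's '[PUSH-OPTIONS]:N' message. A trailing quote from a log line
    (the post shows ifconfig') is tolerated."""
    opts = []
    for i, item in enumerate(push.strip().strip("'").split(","), start=1):
        parts = item.split()
        if parts:
            opts.append((i, parts[0], parts[1:]))
    return opts


def malformed_options(opts):
    """Options whose parameter count is outside what OpenVPN accepts."""
    bad = []
    for i, name, args in opts:
        lo, hi = ARITY.get(name, (0, 99))
        if not lo <= len(args) <= hi:
            bad.append((i, name))
    return bad


def summarize(push):
    opts = parse_push_options(push)
    routes = [a for _i, n, a in opts if n == "route"]
    gw = next((a[0] for _i, n, a in opts if n == "route-gateway" and a), None)
    ifc = next((a for _i, n, a in opts if n == "ifconfig" and len(a) == 2), None)
    tun_net = ipaddress.ip_network(f"{ifc[0]}/{ifc[1]}", strict=False) if ifc else None

    # A route via route-gateway can only be installed if the gateway is on-link
    # through tun0's address. With no ifconfig applied the kernel rejects every
    # one of them with ENETUNREACH (-101), which is what the log shows.
    unreachable = sum(
        1 for _ in routes
        if gw is None or tun_net is None or ipaddress.ip_address(gw) not in tun_net)
    return {
        "options": len(opts),
        "routes": len(routes),
        "malformed": malformed_options(opts),
        "tun_network": str(tun_net) if tun_net else None,
        "unreachable_routes": unreachable,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_PUSH))
    print(summarize(SAMPLE_PUSH + " 10.200.0.130 255.255.255.128"))
```

Paste the full `PUSH_REPLY` string from a verbose (`--verb 4`) client log into `summarize` to get the same index the Options error reports; if the complaint is always about the last option and only appears once the list grows, the problem is the length of what the server pushes, not any individual route.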

Client VPN on Linux: Connection failed - SQLite error?

The only clue is in /var/log/syslog, which says:

> Mar 23 11:55:17 lego AWS VPN Client: SQLite error (5): database is locked in "PRAGMA max_page_count = 5000"

The AWS client log says:

```
2022-03-23 12:03:03.870 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_GENERAL_ERROR 0 to MetricsTable
2022-03-23 12:03:03.870 +00:00 [DBG] Starting OpenVpn process
2022-03-23 12:03:04.150 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_ATTEMPT 1 to AnalyticsTable
2022-03-23 12:03:04.151 +00:00 [DBG] Shutting down metrics agent
2022-03-23 12:03:04.151 +00:00 [DBG] Metrics agent shut down
2022-03-23 12:03:04.157 +00:00 [DBG] OvpnGtkServiceClient connected. Calling StartVpnAsync
2022-03-23 12:03:04.178 +00:00 [DBG] OvpnGtkServiceClient received OpenVPN process PID: -1
2022-03-23 12:03:04.178 +00:00 [DBG] DeDupeProcessDiedSignals: Unknown error caused OpenVPN process to not start: -1
2022-03-23 12:03:04.178 +00:00 [WRN] Acs did not stop correctly!
2022-03-23 12:03:04.178 +00:00 [ERR] Process died signal sent
ACVC.Core.OpenVpn.OvpnProcessFailedToStartException: Unknown error caused OpenVPN process to not start: -1
   at ACVC.Core.OpenVpn.OvpnGtkProcessManager.Start(String openVpnConfigPath, String managementPortPasswordFile, Int32 timeoutMilliseconds) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnProcessManager.cs:line 696
   at ACVC.Core.OpenVpn.OvpnConnectionManager.Connect(OvpnConnectionProfile configProfile, GetCredentialsCallback getCredentialsCallback, Int32 timeout) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConnectionManager.cs:line 861
2022-03-23 12:03:04.180 +00:00 [DBG] Received exception for connection state Disconnected. Show error message to user
2022-03-23 12:03:04.180 +00:00 [ERR] Exception received by connect window view model
ACVC.Core.OpenVpn.OvpnProcessDiedException: The VPN process has stopped unexpectedly.
2022-03-23 12:03:04.539 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_GENERAL_ERROR 1 to MetricsTable
2022-03-23 12:03:04.856 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_GENERAL_ERROR 1 to AnalyticsTable
2022-03-23 12:03:05.212 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_ATTEMPT_FAIL_VPN_PROCESS_DIED 1 to MetricsTable
2022-03-23 12:03:05.497 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_ATTEMPT_FAIL_VPN_PROCESS_DIED 1 to AnalyticsTable
2022-03-23 12:03:05.497 +00:00 [DBG] Clean up connections. Connection state: Connecting
2022-03-23 12:03:05.498 +00:00 [INF] Validating schema for OpenVPN config: /home/falken/.config/AWSVPNClient/OpenVpnConfigs/AWS JumpCloud
2022-03-23 12:03:05.801 +00:00 [DBG] Inserted event CONNECTION_PROFILE_TYPE 1 to AnalyticsTable
2022-03-23 12:03:06.500 +00:00 [DBG] Caught exception when getting connection status. Exception information: System.TimeoutException: The message did not respond within the expected timeframe or was cancelled
   at ACVC.Core.OpenVpn.OvpnConnectionManager.SendMessage(String message, Int32 timeout, CancellationToken cancellationToken) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConnectionManager.cs:line 1140
   at ACVC.Core.OpenVpn.OvpnConnectionManager.GetConnectionStatus() in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConnectionManager.cs:line 1228
   at ACVC.Core.Metrics.MetricsClient.RecordBytesMetricsAndAnalytics(IConnectionManager connectionManager) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/Metrics/MetricsClient.cs:line 136
```

/var/log/aws-vpn-client/falken/gtk_service_aws_client_vpn_connect_20220301.log:

```
2022-03-23 12:19:36.142 +00:00 [DBG] [TI=9] Start method called: OpenVPN validation file: /home/falken/.config/AWSVPNClient/OpenVpnConfigs/current_connection.txt, management password file: /home/falken/.config/AWSVPNClient/acvc-8096.txt
2022-03-23 12:19:36.146 +00:00 [ERR] Drive type Network not supported.
2022-03-23 12:19:36.146 +00:00 [ERR] [TI=9] Unhandled exception
ACVC.Core.OpenVpn.ReferencedFilePathInvalidException: File: /home/falken/.config/AWSVPNClient/OpenVpnConfigs/current_connection.txt may be a path to an unsupported drive type, which is not allowed for security reasons
   at ACVC.Core.OpenVpn.OvpnConfigParser.CheckSupportedDriveType(String path) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConfigParser.cs:line 795
   at ACVC.Core.OpenVpn.OvpnConfigParser.ValidateReferencedFilePath(String path, String flag) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConfigParser.cs:line 689
   at ACVC.GTK.Service.DBus.OvpnGtkService.StartVpnAsync(String ovpnConfigValidationFile, String managementPortPasswordFile) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.GTK.Service/DBus/OvpnGtkService.cs:line 46
```

How can I find out what's up, or what DB this is? v2 seemed to work fine. I've purged and reinstalled the package, and renamed ~/.config/AWSVPNClient, to no avail. Ubuntu 20.04 LTS, all updated.
1 answer, 0 votes, 2 views. Asked 2 months ago by Tom.

Advice on creating VPC for EC2 to use IPSec connection

I am currently working on the integration of two platforms which need to communicate with each other via HTTPS requests. However, one of these platforms' endpoints is only accessible via a VPN into their own network. I therefore want to use AWS to establish an intermediary app that will receive HTTPS communications from platform 1 and send them to platform 2, which is the one behind the VPN.

To this end, I have been looking at documentation on AWS, and it looks like the best solution is to create a VPC on which I'd create a Site-to-Site VPN Connection using IPsec. Then I would create a new EC2 instance on this VPC which I will use to forward requests from platform 1 to platform 2.

The questions I have are as follows:

1) Once the IPsec Site-to-Site connection is established, will my EC2 instance (deployed to the same VPC that hosts the Site-to-Site connection) immediately be able to communicate with platform 2, which is behind their VPN, based solely on the fact that it is on the same VPC, or will there be further routing setup required to allow it to communicate via the tunnel established?

2) The VPN we wish to connect to has a process through which they must whitelist any given entities they connect with.

   A) They ask for an IPsec Gateway IP; I have looked at the documentation at https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html and assume this is referring to the IP of what is in the document called the Virtual Private Gateway. I have created a VPG in my VPC but I cannot see an IP address associated with it. Is this something that only appears once the VPG is associated with a Site-to-Site connection (and is no longer in a state of detached)?

   B) They require the IP addresses of the applications they will be interacting with, which in this case I assume will be my EC2 instance. However, they require that the subnet is /29 or higher. How can I enforce that subnet on the EC2 public IPs? When creating a VPC I have the option of specifying the IPv4 CIDR block; however, I cannot specify a netmask that is not between /16 and /28.

I'm looking for advice on the above so I can make sure that the solution I wish to undertake with the VPC is not flawed, and that I am on the right track. Any guidance is appreciated.
1 answer, 0 votes, 4 views. Asked 2 months ago by AWS-User-5851356.

Linux VPN Client halts on 'Drive type Network not supported' after upgrade to 3.0.0

My Ubuntu 20.04 installation decided 1.5 hours ago to update awsvpnclient from version 2.0.0 to 3.0.0, and it has not worked since, because it seems to think that its configuration directory is hosted on a network file system, which is not supported (the file is, and always was, hosted on a local, eCryptfs-encrypted file system). The UI shows a dialog "Connection failed, try again". This is from the logs in /var/log/aws-vpn-client/$USER:

```
2022-03-07 17:36:56.875 +01:00 [DBG] [TI=6] Start method called: OpenVPN validation file: /home/stefan/.config/AWSVPNClient/OpenVpnConfigs/current_connection.txt, management password file: /home/stefan/.config/AWSVPNClient/xxxx-1234.txt
2022-03-07 17:36:56.875 +01:00 [ERR] Drive type Network not supported.
2022-03-07 17:36:56.875 +01:00 [ERR] [TI=6] Unhandled exception
ACVC.Core.OpenVpn.ReferencedFilePathInvalidException: File: /home/stefan/.config/AWSVPNClient/OpenVpnConfigs/current_connection.txt may be a path to an unsupported drive type, which is not allowed for security reasons
```

I downgraded successfully back to 2.0.0 so that my connection is working again, for now. As I'm sure this is a temporary solution and the 2.0.0 client will be rejected by the AWS VPN service at some point, is it possible for me to file a bug about this problem, or can I solve it in some other way? I tried moving `/home/$USER/.config/AWSVPNClient` to a location outside of the encrypted drive and creating a symbolic link to this directory in `~/.config/`, but the Network drive error kept occurring.
0 answers, 3 votes, 7 views. Asked 2 months ago by AWS-User-1405205.
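Both this post and the earlier "Connection failed - SQLite error?" post hit the same client message, "Drive type Network not supported", on home directories that are local but encrypted with eCryptfs. How the client itself classifies a drive is not public, so the added example below (not from either post, not AWS code) shows only the check a practitioner can run on their own side: resolve which mount and filesystem type back a path by longest-prefix match against /proc/mounts, decoding the \ooo octal escapes the kernel uses for spaces in mount points, and flag well-known network filesystem types. eCryptfs is a stacked filesystem over a local directory and is deliberately not in that set. The mounts table is constructed to resemble an eCryptfs home plus an NFS share and a mount point containing a space; the ecryptfs_sig value and device names are placeholders.

```python
"""Resolve which mount, and which filesystem type, backs a path from a
/proc/mounts listing, to check what sits under ~/.config/AWSVPNClient when
the client reports "Drive type Network not supported". Added example for the
two posts above, not AWS code; the mounts table is constructed."""
import posixpath
import re
import sys

# Constructed /proc/mounts content: device, mount point, fstype, options, dump, pass.
# The mount point with a space is written the way the kernel writes it (\040).
SAMPLE_MOUNTS = """\
/dev/nvme0n1p2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/nvme0n1p1 /boot/efi vfat rw,relatime 0 0
/home/stefan/.Private /home/stefan ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=0123456789abcdef 0 0
fileserver:/export/share /mnt/share nfs4 rw,relatime,vers=4.2 0 0
/dev/sdb1 /media/stefan/My\\040Disk ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
"""

# Filesystem types that are network-backed. eCryptfs is a stacked filesystem
# over a local lower directory, so it is deliberately absent.
NETWORK_FSTYPES = {"nfs", "nfs3", "nfs4", "cifs", "smb3", "afs", "9p",
                   "fuse.sshfs", "ceph", "glusterfs"}


def _unescape(field):
    """/proc/mounts writes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return [(mount_point, fstype)] for every line of /proc/mounts."""
    mounts = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 3:
            mounts.append((_unescape(cols[1]), cols[2]))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match of path against mount points -> (mount_point, fstype)."""
    path = posixpath.normpath(path)
    best = None
    for mp, fstype in mounts:
        # "/" matches everything; other mount points must match a whole component.
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, fstype)
    return best


def is_network_fs(fstype):
    return fstype in NETWORK_FSTYPES


if __name__ == "__main__":
    # Real use: python3 mounts_check.py ~/.config/AWSVPNClient
    if len(sys.argv) > 1:
        target, text = sys.argv[1], open("/proc/mounts").read()
    else:
        target, text = "/home/stefan/.config/AWSVPNClient", SAMPLE_MOUNTS
    hit = mount_for(target, parse_mounts(text))
    if hit is None:
        print(f"{target}: no mount found")
    else:
        mp, fstype = hit
        print(f"{target}: mounted at {mp} as {fstype}; network fs: {is_network_fs(fstype)}")
```

On a system that behaves like the posts describe, the output names ecryptfs (or, for a plain home, ext4) rather than anything in the network set; that result, together with the log line, is what belongs in a bug report, since it shows the rejection is not coming from the kernel's view of the filesystem.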