By using AWS re:Post, you agree to the Terms of Use

Questions tagged with AWS Virtual Private Network (VPN)

Sort by most recent

Browse through the questions and answers listed below or filter and sort to narrow down your results.

S2S VPN tunnels up but no communication.

Hi, I'm trying to get a VPN running between my on premises site, and a VPC. I think I've followed all the instructions on the AWS guide, and created VPG, CGW, and attached them to a VPN on my VPC. I have used the generic config file to setup the IPSec VPN settings on the router here, Draytek 3900 on Static Routing. Added Network ACL and security group rules to allow traffic between the private IP range on prem, and the VPC subnet range. Both tunnels show as up in the console, but I can't ping between the on prem machines and an Instance I created in the subnet. From the router I can ping the inside IP of both tunnels, but not from the Instance. I must be missing something, but I can't see what it is. I have setup route tables to point traffic from my subnets to my internal IP range to go to the VPG. I'm also getting confused by the tunnel IP ranges which don't match anything at either end. Information from config file: Outside IP Addresses: - Customer Gateway : xx.xx.xx.xx Public IP of my router set in CGW - Virtual Private Gateway : yy.yy.yy.yy Public IP of AWS tunnel Inside IP Addresses - Customer Gateway : 169.254.x/30 (This doesn't match my internal IP range) - Virtual Private Gateway : 169.254.y/30 (This doesn't match VPC internal range) - Next Hop : 169.54.y (Pingable from my end) My Router config - Local IP/Subnet Mask: 192.168.a/24 (My internal range). - Local next hop: 0.0.0.0 (also tried next hop from config file, but that didnt work either). - Remote Host: yy.yy.yy.yy Public IP of AWS tunnel from config file). - Remote IP/Subnet Mask: 169.254.x/30 (169.254.y/30 VPG from config file). I've also added the IP range of my VPC into the 'More Remote Subnet' but that doesn't make any difference Ping to keep alive is enabled and set to the VGW public IP. - CGW is attached to my VPC. - VPN settings - VPC: My VPC. - Local IP CIDR: my internal IP range (192.168.a). - State: Available. - Customer gateway: xx.xx.xx.xx Public IP of my router. - Routing: Static. - Remote IP CIDR: 0.0.0.0/0 (also tried subnets and entire VPC range). - VPG: My VPG. - Type: ipsec1. - Acceleration: False. - CGW: My CGW. Can anyone point me in the right direction for the correct settings I need?
1
answers
0
votes
98
views
asked 5 months ago

Issues getting split-tunnel in client VPN endpoint to work correctly.

I'm setting up a company VPN using AWS Client VPN endpoints, I have everything working so far however all client internet traffic is being routed through the VPN and out through the NAT gateway (and therefore incurring NAT gateway costs). I'm trying to enable split-tunnel however I'm still getting 0.0.0.0/0 routes to the vpn added to my route table. If I try: - Split tunnel enabled - Routes to local vpc and peered networks - Authorized access to these routes - Fairly open security group And then connect to the VPN I still get this in my route table: ``` > ~/d/i/vpn on branch ◦ netstat -nr 11:03:22 Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 0.0.0.0 10.0.2.161 0.0.0.0 UG 0 0 0 tun0 0.0.0.0 192.168.4.1 0.0.0.0 UG 0 0 0 enp0s20f0u2 0.0.0.0 192.168.4.1 0.0.0.0 UG 0 0 0 wlp0s20f3 10.0.2.160 0.0.0.0 255.255.255.224 U 0 0 0 tun0 10.10.0.0 10.0.2.161 255.255.0.0 UG 0 0 0 tun0 ------- 10.0.2.161 255.255.0.0 UG 0 0 0 tun0 ``` (With some redaction above, I'm using 10.0.0.0/22 as the vpn cidr) I'm connecting from a Fedora laptop using the built in vpn client, I'm creating a vpn file based off the one you can download and importing it after adding in certs & keys). This all means that when I'm trying to connect to the VPN I can access my private resources, but I lose all general internet connectivity. For our use case it's not workable to us to keep having to hop on and off the VPN.
0
answers
0
votes
199
views
asked 5 months ago

Cannot reach EC2 Instance over client to site VPN

I am somewhat new to AWS admin, but have built several EC2 Instances for customers with both site to site VPNs as well as client to site, using OpenVPN for the latter. I am successfully connected to the VPN, but cannot ping or RDP to my instance's internal IP address. I have created firewall rules in Windows allowing ICMPv4 in/out, and even disable the Windows Defender Firewall. I have applied a security group on the instance allowing all traffic from the subnet range of my VPN (10.0.0.0/16) as source , my VPN client has an IP of 10.0.1.34 currently while connected. On the Route Table under VPC, i have the local route showing 172.31.0.0/16 (server's IP is 172.31.14.231) as a destination, as well as 0.0.0.0/16 as a destination. Both are showing as propagated as No. ( i have no site to site for this customer), not sure if the propagation is an issue here? Subnet association under route tables has all the subnets listed, including the 172.31.16.0/20 which i checked does include my server's IP of 172.31.14.231 Under VPN > Client VPN Endpoint>Associations, i have the network ID associated status with the network ID of the subnet 172.31.16.0/20, security group is the allow all traffic to VPC that i listed above. Authorization tab has access all is true, destination CIDR is 172.31.0.0/16 and state is Active. Route table tab has Destination CIDR of 172.31.0.0/16, target subnet is the one that includes my server ( 172.31.0.0/20) .Connections shows the status of active with IP of 10.0.1.34 I am running a continuous ping from the server to my VPN client IP of 10.0.1.34, as well as a ping from my workstation connected via VPN, both timing out. RDP cannot find the server. I know this is a lot of information, but i really could use some help here. I would think it is a routing or firewall issue, but cannot seem to find the issue. Thank you in advance.
2
answers
0
votes
178
views
asked 6 months ago