Site to Site VPN Issue
I have a site-to-site VPN connection established with my local office. The tunnels are up on both ends. Yesterday I was able to ping from my office network to my AWS private subnet, as well as ping back in the other direction. I was trying to set up a Client VPN endpoint. Once I had that VPN established, the site-to-site VPN stopped working. I deleted the Client VPN endpoint, but the other functionality didn't come back online. Is there something I'm missing in this scenario?
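One thing worth ruling out before digging into route tables: when a Client VPN endpoint is associated with a VPC, AWS adds routes for the endpoint's client CIDR to the associated subnets, and AWS requires that client CIDR not to overlap the VPC CIDR or any range the endpoint routes to (the on-prem ranges reached over the site-to-site VPN included); a more specific client CIDR sitting inside those ranges pulls traffic away from the site-to-site path. The following is an added example, not code from the original post, that checks a proposed client CIDR against the VPC and on-prem ranges; all of the ranges in it are constructed sample values, not the poster's.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample ranges for this example (not the poster's real addressing).
CLIENT_CIDR = "10.0.0.0/22"         # Client VPN client CIDR
VPC_CIDR = "10.0.0.0/16"            # VPC that both VPNs attach to
ONPREM_CIDRS = ["192.168.10.0/24"]  # what the Site-to-Site VPN routes to


def find_overlaps(named_cidrs):
    """Return every pair of names whose networks overlap, ordered by name."""
    nets = {name: ip_network(cidr, strict=False) for name, cidr in named_cidrs.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def client_cidr_size_ok(client_cidr):
    """AWS accepts a Client VPN client CIDR with a prefix length between /12 and /22."""
    return 12 <= ip_network(client_cidr, strict=False).prefixlen <= 22


def check_client_vpn_cidrs(client_cidr, vpc_cidr, onprem_cidrs):
    """List the addressing conflicts that break routing once a Client VPN endpoint
    is associated with the VPC: a client CIDR that overlaps the VPC or any on-prem
    range, or a client CIDR of a size AWS does not accept."""
    problems = []
    if not client_cidr_size_ok(client_cidr):
        problems.append(f"client CIDR {client_cidr} must be between /12 and /22")
    named = {"client_vpn": client_cidr, "vpc": vpc_cidr}
    named.update({f"onprem{i}": cidr for i, cidr in enumerate(onprem_cidrs)})
    for a, b in find_overlaps(named):
        problems.append(f"{a} ({named[a]}) overlaps {b} ({named[b]})")
    return problems


if __name__ == "__main__":
    for problem in check_client_vpn_cidrs(CLIENT_CIDR, VPC_CIDR, ONPREM_CIDRS):
        print("PROBLEM:", problem)
    print("clean:", check_client_vpn_cidrs("172.16.0.0/22", VPC_CIDR, ONPREM_CIDRS))
```

Run it with the client CIDR you gave the endpoint, the VPC CIDR and every on-prem prefix in the site-to-site static routes; an empty list means addressing is not the culprit and the subnet route tables and security groups are the next thing to compare against yesterday's state.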
Using client vpn with Okta, session re-authenticates multiple times throughout the day
We are using Okta to authenticate when logging in to AWS Client VPN. Multiple times throughout the day, while logged in to the VPN, an Okta login pop-up shows up and requires us to enter credentials again in order to continue using the VPN. My .ovpn file already has `reneg-sec 0` and `keepalive`, and it still doesn't help. I tried creating a new VPN endpoint without Okta, and there I don't seem to get prompted for re-authentication. I contacted Okta support and they say it is 100% on AWS's side; I looked everywhere and cannot find a reason why this is happening.
Recommended setup for Grafana, Thanos, Prometheus, and AWS split accounts
The Thanos documentation says: "Put Prometheus in the same failure domain. This means same network, same datacenter as monitoring services." But what if the accounts are split, and Prometheus resides in one account (e.g. in the workloads OU) while Thanos, the connected S3 bucket and Grafana are in another account (e.g. "monitoring" in the infrastructure OU)? Are these then also considered different failure domains? Should Prometheus also move to the monitoring account? *(I would not consider the latter so favorable because of the transfer performance of the metrics, if that matters at all. Shrug.)* Would it help to have shared VPCs? What is the recommended setup and organization here? Many thanks for the help!
Client VPN, error on Linux client when adding route number 63
Hi, we have a very rare problem with AWS Client VPN. We have 62 routes/authorizations and the service works fine; we have Windows clients with the Client VPN software and Linux clients with OpenVPN software. But when we add route number 63, Windows clients are fine, but Linux clients (all of them) fail with messages like this:

...

```
55.0,route 10.53.4.0 255.255.255.0,route 10.1.124.0 255.255.255.0,route 10.105.0.0 255.255.0.0,route 172.25.246.0 255.255.255.0,route 172.24.191.0 255.255.255.0,route 172.25.182.0 255.255.255.0,route 10.55.36.0 255.255.255.0,route 10.53.132.0 255.255.255.0,route 172.25.196.0 255.255.255.0,route 172.25.76.0 255.255.255.0,route-gateway 10.200.0.129,topology subnet,ping 1,ping-restart 20,ifconfig'
2022-03-24 09:14:12 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:68: ifconfig (2.5.6)
2022-03-24 09:14:12 OPTIONS IMPORT: timers and/or timeouts modified
2022-03-24 09:14:12 OPTIONS IMPORT: --ifconfig/up options modified
2022-03-24 09:14:12 OPTIONS IMPORT: route options modified
2022-03-24 09:14:12 OPTIONS IMPORT: route-related options modified
2022-03-24 09:14:12 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-03-24 09:14:12 Using peer cipher 'AES-256-GCM'
2022-03-24 09:14:12 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-03-24 09:14:12 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-03-24 09:14:12 net_route_v4_best_gw query: dst 0.0.0.0
2022-03-24 09:14:12 net_route_v4_best_gw result: via 192.168.0.1 dev enx000ec675f0d5
2022-03-24 09:14:12 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=enx000ec675f0d5 HWADDR=00:0e:c6:75:f0:d5
2022-03-24 09:14:12 TUN/TAP device tun0 opened
2022-03-24 09:14:12 WARNING: OpenVPN was configured to add an IPv4 route. However, no IPv4 has been configured for tun0, therefore the route installation may fail or may not work as expected.
2022-03-24 09:14:12 net_route_v4_add: 10.203.0.0/16 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.204.0.0/16 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.202.0.0/16 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.52.12.0/24 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.24.0.0/24 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.201.0.0/16 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.53.8.0/24 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 172.24.224.0/24 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.1.28.0/24 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 172.24.0.0/24 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
```

...

Any help is welcome, thanks in advance! Bye,
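Reading the posted log from the top: the pushed option list ends in a bare `ifconfig` with no parameters (option 68 in OpenVPN's `[PUSH-OPTIONS]:68` diagnostic), so tun0 never gets an IPv4 address, and every subsequent route add via 10.200.0.129 fails with "Network is unreachable" because there is no interface address to reach that gateway from. That pattern is what a push list cut off mid-way looks like, and the size of the list is the one thing that changed between 62 and 63 routes. The following is an added example, not the poster's or OpenVPN's code, that parses a `PUSH_REPLY` message, checks each option's argument count against the minimum the option needs, flags a trailing option that lost its arguments, and reports the message size and route count; the sample message is constructed with five routes and assumed addresses.

```python
# Minimum argument counts for the pushed options that appear in the log
# (names as OpenVPN 2.5 prints them). Options not listed here are not checked.
MIN_ARGS = {
    "route": 2, "route-gateway": 1, "topology": 1, "ping": 1, "ping-restart": 1,
    "ifconfig": 2, "dhcp-option": 2, "redirect-gateway": 0, "block-outside-dns": 0,
    "cipher": 1, "peer-id": 1, "auth-token": 1,
}


def build_push_reply(routes, gateway, ifconfig_ip, ifconfig_mask):
    """Assemble a PUSH_REPLY in the order seen in the log: one 'route net mask'
    per pushed route, then gateway/topology/timer options, ifconfig last."""
    opts = [f"route {net} {mask}" for net, mask in routes]
    opts += [f"route-gateway {gateway}", "topology subnet", "ping 1",
             "ping-restart 20", f"ifconfig {ifconfig_ip} {ifconfig_mask}"]
    return "PUSH_REPLY," + ",".join(opts)


def parse_push_reply(reply):
    """Split a PUSH_REPLY into (index, option, args). The index is 1-based and
    counts from the first option after the PUSH_REPLY token, matching the
    '[PUSH-OPTIONS]:N' numbering in the client's diagnostic."""
    body = reply[len("PUSH_REPLY,"):] if reply.startswith("PUSH_REPLY,") else reply
    parsed = []
    for idx, item in enumerate(body.split(","), start=1):
        words = item.split()
        if words:
            parsed.append((idx, words[0], words[1:]))
    return parsed


def check_push_reply(reply):
    """Report size, route count, whether a usable ifconfig arrived, and every
    option that is short of arguments (a trailing one means truncation)."""
    parsed = parse_push_reply(reply)
    errors = [f"[PUSH-OPTIONS]:{idx}: {name} has {len(args)} arg(s), needs {MIN_ARGS[name]}"
              for idx, name, args in parsed
              if name in MIN_ARGS and len(args) < MIN_ARGS[name]]
    return {
        "bytes": len(reply.encode()),
        "routes": sum(1 for _, name, _ in parsed if name == "route"),
        "has_ifconfig": any(name == "ifconfig" and len(args) >= 2 for _, name, args in parsed),
        "errors": errors,
    }


# Constructed sample: five /16 routes instead of the poster's 63, same option order.
ROUTES = [(f"10.{i}.0.0", "255.255.0.0") for i in range(1, 6)]
COMPLETE = build_push_reply(ROUTES, "10.200.0.129", "10.200.0.130", "255.255.255.128")
# Cut the message off right after the 'ifconfig' keyword, as in the posted log.
TRUNCATED = COMPLETE[: COMPLETE.rindex("ifconfig") + len("ifconfig")]

if __name__ == "__main__":
    for label, msg in (("complete", COMPLETE), ("truncated", TRUNCATED)):
        print(label, check_push_reply(msg))
```

To use it on the real data, copy the `PUSH_REPLY,...` string the Linux client logs at verbosity 4 or higher into `check_push_reply`; compare the reported byte count for 62 versus 63 routes, and note that the Windows client may simply handle a long push differently, which is consistent with it not failing.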
Client VPN on Linux: Connection failed - SQLite error?
The only clue is in /var/log/syslog, which says:

> Mar 23 11:55:17 lego AWS VPN Client: SQLite error (5): database is locked in "PRAGMA max_page_count = 5000"

The AWS client log says:

```
2022-03-23 12:03:03.870 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_GENERAL_ERROR 0 to MetricsTable
2022-03-23 12:03:03.870 +00:00 [DBG] Starting OpenVpn process
2022-03-23 12:03:04.150 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_ATTEMPT 1 to AnalyticsTable
2022-03-23 12:03:04.151 +00:00 [DBG] Shutting down metrics agent
2022-03-23 12:03:04.151 +00:00 [DBG] Metrics agent shut down
2022-03-23 12:03:04.157 +00:00 [DBG] OvpnGtkServiceClient connected. Calling StartVpnAsync
2022-03-23 12:03:04.178 +00:00 [DBG] OvpnGtkServiceClient received OpenVPN process PID: -1
2022-03-23 12:03:04.178 +00:00 [DBG] DeDupeProcessDiedSignals: Unknown error caused OpenVPN process to not start: -1
2022-03-23 12:03:04.178 +00:00 [WRN] Acs did not stop correctly!
2022-03-23 12:03:04.178 +00:00 [ERR] Process died signal sent ACVC.Core.OpenVpn.OvpnProcessFailedToStartException: Unknown error caused OpenVPN process to not start: -1
   at ACVC.Core.OpenVpn.OvpnGtkProcessManager.Start(String openVpnConfigPath, String managementPortPasswordFile, Int32 timeoutMilliseconds) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnProcessManager.cs:line 696
   at ACVC.Core.OpenVpn.OvpnConnectionManager.Connect(OvpnConnectionProfile configProfile, GetCredentialsCallback getCredentialsCallback, Int32 timeout) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConnectionManager.cs:line 861
2022-03-23 12:03:04.180 +00:00 [DBG] Received exception for connection state Disconnected. Show error message to user
2022-03-23 12:03:04.180 +00:00 [ERR] Exception received by connect window view model ACVC.Core.OpenVpn.OvpnProcessDiedException: The VPN process has stopped unexpectedly.
2022-03-23 12:03:04.539 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_GENERAL_ERROR 1 to MetricsTable
2022-03-23 12:03:04.856 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_GENERAL_ERROR 1 to AnalyticsTable
2022-03-23 12:03:05.212 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_ATTEMPT_FAIL_VPN_PROCESS_DIED 1 to MetricsTable
2022-03-23 12:03:05.497 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_ATTEMPT_FAIL_VPN_PROCESS_DIED 1 to AnalyticsTable
2022-03-23 12:03:05.497 +00:00 [DBG] Clean up connections. Connection state: Connecting
2022-03-23 12:03:05.498 +00:00 [INF] Validating schema for OpenVPN config: /home/falken/.config/AWSVPNClient/OpenVpnConfigs/AWS JumpCloud
2022-03-23 12:03:05.801 +00:00 [DBG] Inserted event CONNECTION_PROFILE_TYPE 1 to AnalyticsTable
2022-03-23 12:03:06.500 +00:00 [DBG] Caught exception when getting connection status. Exception information: System.TimeoutException: The message did not respond within the expected timeframe or was cancelled
   at ACVC.Core.OpenVpn.OvpnConnectionManager.SendMessage(String message, Int32 timeout, CancellationToken cancellationToken) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConnectionManager.cs:line 1140
   at ACVC.Core.OpenVpn.OvpnConnectionManager.GetConnectionStatus() in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConnectionManager.cs:line 1228
   at ACVC.Core.Metrics.MetricsClient.RecordBytesMetricsAndAnalytics(IConnectionManager connectionManager) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/Metrics/MetricsClient.cs:line 136
```

/var/log/aws-vpn-client/falken/gtk_service_aws_client_vpn_connect_20220301.log:

```
2022-03-23 12:19:36.142 +00:00 [DBG] [TI=9] Start method called: OpenVPN validation file: /home/falken/.config/AWSVPNClient/OpenVpnConfigs/current_connection.txt, management password file: /home/falken/.config/AWSVPNClient/acvc-8096.txt
2022-03-23 12:19:36.146 +00:00 [ERR] Drive type Network not supported.
2022-03-23 12:19:36.146 +00:00 [ERR] [TI=9] Unhandled exception ACVC.Core.OpenVpn.ReferencedFilePathInvalidException: File: /home/falken/.config/AWSVPNClient/OpenVpnConfigs/current_connection.txt may be a path to an unsupported drive type, which is not allowed for security reasons
   at ACVC.Core.OpenVpn.OvpnConfigParser.CheckSupportedDriveType(String path) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConfigParser.cs:line 795
   at ACVC.Core.OpenVpn.OvpnConfigParser.ValidateReferencedFilePath(String path, String flag) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConfigParser.cs:line 689
   at ACVC.GTK.Service.DBus.OvpnGtkService.StartVpnAsync(String ovpnConfigValidationFile, String managementPortPasswordFile) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.GTK.Service/DBus/OvpnGtkService.cs:line 46
```

How can I find out what's up or what DB this is? v2 seemed to work fine. I've purged and reinstalled the package, and renamed ~/.config/AWSVPNClient to no avail. Ubuntu 20.04 LTS, all updated.
What Username do AWS VPN Client need when using password-encrypted private key certificate?
We have a Client VPN endpoint and want to use password-encrypted private key certificates. When using the Windows AWS VPN Client, a pop-up asks for a username and password. What username should we specify? The CN of the certificate? Anything else? The password is the one we specified when creating the client certificate with EasyRSA. Thanks.
Can't ping AWS-side of the tunnel from on-premise router
Simple setup: VPC with public and private subnets, VPG, S2S VPN connection with an on-prem router, static routing. Downloaded the config for the router (Cisco ISR 1921) from the VPN Connection page and successfully applied it. Now I have 2 tunnels to the VPC, and I want to set up SLAs to track the tunnels' state and modify the ISR route table accordingly.

Tunnel 1: 169.254.1.6/30
Tunnel 2: 169.254.2.6/30

```
ip sla 100
 icmp-echo 169.254.1.5 source-interface Tunnel1
 threshold 1000
 timeout 1000
 frequency 5
ip sla schedule 100 life forever start-time now
ip sla 200
 icmp-echo 169.254.2.5 source-interface Tunnel2
 threshold 1000
 timeout 1000
 frequency 5
ip sla schedule 200 life forever start-time now
```

but I get *timeout* for both SLAs. Tried to ping the AWS end from the router manually with the same result:

```
chd-r0-c1921#show ip route 169.254.1.5
Routing entry for 169.254.1.4/30
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Tunnel1
      Route metric is 0, traffic share count is 1
chd-r0-c1921#
chd-r0-c1921#
chd-r0-c1921#ping 169.254.1.5 source Tunnel1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.1.5, timeout is 2 seconds:
Packet sent with a source address of 169.254.1.6
.....
Success rate is 0 percent (0/5)
chd-r0-c1921#
```
Restrict a CloudFront distribution to only Client VPN users
I need to restrict access to a CloudFront distribution to Client VPN users only. The idea I had was to connect them to a VPC through a NAT, and add the IP address of the NAT to the approved IP access list of the CloudFront distribution, so that only they can access it. The issue is that I need to put a route for this into the Client VPN; otherwise, with split tunnel, they will route it through their own internet connection. I could not find the best way to achieve that last bit without having to disable split tunnel. We are using Transit Gateway and a shared networking account.
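With split tunnel enabled, a Client VPN client sends only destinations covered by the routes in the endpoint's route table through the tunnel; everything else leaves via the client's own uplink, which is exactly why the NAT's address never shows up at CloudFront. What has to be pushed is therefore not a route to the NAT but routes for the destinations you want to force through it, i.e. CloudFront's published prefixes (from AWS's ip-ranges.json, service `CLOUDFRONT`), each one also needing an authorization rule on the endpoint and a VPC route towards the NAT. The following is an added example, not code from the original post or from AWS, that collapses a service's prefixes into the smallest set of route entries and shows which destinations a split-tunnel client would bypass the tunnel for before and after adding them. The ip-ranges data and VPC routes in it are constructed sample values using documentation ranges, not real CloudFront prefixes.

```python
from ipaddress import collapse_addresses, ip_address, ip_network

# Constructed stand-in for AWS's ip-ranges.json (same shape, documentation
# ranges instead of the real CloudFront prefixes).
IP_RANGES = {
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.128/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "S3"},
    ]
}
# Routes already in the endpoint route table (VPCs reached via the TGW); assumed values.
VPC_ROUTES = ["10.10.0.0/16", "10.20.0.0/16"]


def service_prefixes(ip_ranges, service):
    """Collapse one service's prefixes so each route-table entry covers as much as it can;
    fewer pushed routes matters because every one is a route + authorization rule."""
    nets = [ip_network(p["ip_prefix"]) for p in ip_ranges["prefixes"] if p["service"] == service]
    return [str(n) for n in collapse_addresses(nets)]


def goes_through_tunnel(dst, pushed_cidrs, split_tunnel=True):
    """Split tunnel on: only destinations inside a pushed route use the tunnel.
    Split tunnel off: the pushed default route takes everything."""
    if not split_tunnel:
        return True
    addr = ip_address(dst)
    return any(addr in ip_network(cidr) for cidr in pushed_cidrs)


def bypassing(dsts, pushed_cidrs):
    """Destinations a split-tunnel client would send out its own uplink (and so
    would reach CloudFront from the client's public IP, not the NAT's)."""
    return [d for d in dsts if not goes_through_tunnel(d, pushed_cidrs)]


if __name__ == "__main__":
    cloudfront = service_prefixes(IP_RANGES, "CLOUDFRONT")
    print("routes to add to the endpoint:", cloudfront)
    print("bypass before:", bypassing(["10.10.1.5", "203.0.113.7"], VPC_ROUTES))
    print("bypass after:", bypassing(["10.10.1.5", "203.0.113.7"], VPC_ROUTES + cloudfront))
```

Two caveats when doing this for real: the CloudFront prefix list is long and changes, so the endpoint's route quota (10 per endpoint by default, adjustable) and the Linux client's trouble with many pushed routes described earlier on this page both come into play, and the prefixes have to be refreshed whenever ip-ranges.json changes.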
Advice on creating VPC for EC2 to use IPSec connection
I am currently working on the integration of two platforms which need to communicate with each other via HTTPS requests. However, one of these platforms' endpoints is only accessible via a VPN into their own network. I therefore want to use AWS to establish an intermediary app that will receive HTTPS communications from platform 1 and send them to platform 2, which is the one behind the VPN. To this end, I have been looking at the AWS documentation, and it looks like the best solution is to create a VPC in which I'd create a Site-to-Site VPN connection using IPsec. Then I would create a new EC2 instance in this VPC which I will use to forward requests from platform 1 to platform 2. The questions I have are as follows:

1) Once the IPsec site-to-site connection is established, will my EC2 instance (deployed to the same VPC that hosts the Site-to-Site connection) immediately be able to communicate with platform 2 behind their VPN based solely on the fact that it is in the same VPC, or will there be further routing setup required to communicate via the established tunnel?

2) The VPN we wish to connect to has a process through which they must whitelist any given entities they connect with.

   A) They ask for an IPsec gateway IP; I have looked at the documentation at https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html, and assume this is referring to the IP of what the document calls the virtual private gateway. I have created a VPG in my VPC but I cannot see an IP address associated with it. Is this something that only appears once the VPG is associated with a site-to-site connection (and is no longer in a detached state)?

   B) They require the IP addresses of the applications they will be interacting with, which in this case I assume will be my EC2 instance. However, they require that a subnet of /29 or higher is used. How can I enforce that subnet on the EC2 public IPs? When creating a VPC I have the option of specifying the IPv4 CIDR block, however I cannot specify a netmask that is not between /16 and /28.

I'm looking for advice on the above so I can make sure that the solution I wish to undertake with the VPC is not flawed, and that I am on the right track. Any guidance is appreciated.
AWS Client VPN self-service
Hi, I'm trying to create a VPN endpoint using AWS SSO as the IdP, but I'm always getting an error when doing the assertion exchange after logging in. I've created the endpoint, selected federated authentication and then selected the ARN of the SAML provider of my SSO configuration. The endpoint is created and available and associated with a VPC. Then I downloaded the AWS VPN Client, created a profile using the configuration from my VPN endpoint and clicked 'Connect'. That takes me to the SSO login page, but after login I get an error:

> Oops, something went wrong
> Provide your administrator with the following info:
> Issuer of request does not match our record
> Request ID: <<some id>>
> HTTP status: 403

Any idea on what fails? Thanks.
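"Issuer of request does not match our record" is the IdP's own message, so the values to compare are the ones on the IdP side of the exchange. The AWS Client VPN federated-authentication documentation has you configure the IdP application with the SP entity ID / audience `urn:amazon:webservices:clientvpn` and the ACS URL `http://127.0.0.1:35001` (the desktop client) or `https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml` (the self-service portal). The following is an added example, not the poster's or AWS's code, that parses a SAML AuthnRequest and Response and checks the request's `<saml:Issuer>` and ACS URL, and the assertion's Audience, against those documented values; it assumes the IdP's message refers to the request Issuer compared with the entity ID recorded for the application. The SAML messages in it are constructed, unsigned and shortened; capture the real ones with a browser SAML-tracing extension or the IdP's debug log and paste them in.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Values the AWS Client VPN federated-authentication docs have you configure on
# the IdP application: SP entity ID / audience, and the two possible ACS URLs.
SP_ENTITY_ID = "urn:amazon:webservices:clientvpn"
ACS_URLS = {
    "http://127.0.0.1:35001",
    "https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml",
}


def check_authn_request(xml_text, expected_issuer=SP_ENTITY_ID):
    """Compare the AuthnRequest's Issuer and ACS URL with what the IdP app should have on record."""
    root = ET.fromstring(xml_text)
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    acs = root.get("AssertionConsumerServiceURL", "")
    problems = []
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} != expected {expected_issuer!r}")
    if acs not in ACS_URLS:
        problems.append(f"ACS URL {acs!r} is not one the Client VPN uses")
    return problems


def check_response_audience(xml_text, expected=SP_ENTITY_ID):
    """The assertion's AudienceRestriction must name the SP entity ID, or the SP rejects it."""
    root = ET.fromstring(xml_text)
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    return [] if expected in audiences else [f"audience {audiences} does not include {expected!r}"]


# Constructed messages (no signatures, shortened), not captured from a real IdP.
GOOD_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_req1" Version="2.0" IssueInstant="2022-03-01T10:00:00Z"
  AssertionConsumerServiceURL="http://127.0.0.1:35001">
  <saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>
</samlp:AuthnRequest>"""
# Same request with an Issuer the IdP has no application record for.
BAD_REQUEST = GOOD_REQUEST.replace(SP_ENTITY_ID, "https://vpn.example.com/sp")
GOOD_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2022-03-01T10:00:01Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-03-01T10:00:01Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("good request:", check_authn_request(GOOD_REQUEST))
    print("bad request:", check_authn_request(BAD_REQUEST))
    print("response:", check_response_audience(GOOD_RESPONSE))
```

This only checks the identifiers that have to line up between the two sides; it deliberately does nothing about signatures, which the real SP verifies and which this script must not be mistaken for.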
Linux VPN Client halts on 'Drive type Network not supported' after upgrade to 3.0.0
My Ubuntu 20.04 installation decided 1.5 hours ago to update awsvpnclient from version 2.0.0 to 3.0.0, and it has not worked since, because it seems to think that its configuration directory is hosted on a network file system, which is not supported (the file is, and always was, hosted on a local, eCryptfs-encrypted file system). The UI shows a dialog "Connection failed, try again". This is from the logs in /var/log/aws-vpn-client/$USER:

```
2022-03-07 17:36:56.875 +01:00 [DBG] [TI=6] Start method called: OpenVPN validation file: /home/stefan/.config/AWSVPNClient/OpenVpnConfigs/current_connection.txt, management password file: /home/stefan/.config/AWSVPNClient/xxxx-1234.txt
2022-03-07 17:36:56.875 +01:00 [ERR] Drive type Network not supported.
2022-03-07 17:36:56.875 +01:00 [ERR] [TI=6] Unhandled exception ACVC.Core.OpenVpn.ReferencedFilePathInvalidException: File: /home/stefan/.config/AWSVPNClient/OpenVpnConfigs/current_connection.txt may be a path to an unsupported drive type, which is not allowed for security reasons
```

I downgraded successfully back to 2.0.0 so that my connection is working again, for now. As I'm sure this is a temporary solution and the 2.0.0 client will be rejected by the AWS VPN service at some point, is it possible for me to file a bug about this problem, or can I solve it in some other way? I tried moving `/home/$USER/.config/AWSVPNClient` to a location outside of the encrypted drive and creating a symbolic link to this directory in `~/.config/`, but the Network drive error kept occurring.
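Both "Drive type Network not supported" reports on this page (the SQLite one above, and this eCryptfs one) have the 3.0.0 client rejecting a path under `~/.config/AWSVPNClient` on the grounds of its drive type. How the client classifies drive types is not documented, so the useful first step is to establish what the kernel actually reports for that path. The following is an added example, not the poster's or AWS's code, that resolves a path to the mount it lives on by longest-prefix match over `/proc/mounts` (what `findmnt -T` does), reports the filesystem type, and buckets it into local, stacked (eCryptfs, overlay, FUSE) or network; it resolves symlinks first, since a symlinked directory is checked where it really lives. The `/proc/mounts` excerpt in it is constructed for the example; on a Linux host the script reads the live table instead.

```python
import os

NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3", "afs", "9p", "fuse.sshfs", "ceph", "glusterfs"}
STACKED_FS = {"ecryptfs", "overlay", "fuse.gocryptfs", "fuse.encfs"}


def parse_mounts(text):
    """Turn /proc/mounts lines into (mount_point, fstype) pairs. The kernel writes
    a space in a mount point as the octal escape \\040, so decode that."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            rows.append((fields[1].replace("\\040", " "), fields[2]))
    return rows


def fstype_for(path, mounts):
    """Longest-prefix match of a path against mount points; returns (mount_point, fstype)
    or None if nothing matches (only possible when the table lacks a root entry)."""
    path = os.path.normpath(path)
    best = None
    for mount_point, fstype in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            if best is None or len(mount_point) > len(best[0]):
                best = (mount_point, fstype)
    return best


def classify(fstype):
    """Coarse bucket a client that refuses 'network drives' might be keying on."""
    if fstype in NETWORK_FS:
        return "network"
    if fstype in STACKED_FS or fstype.startswith("fuse"):
        return "stacked"
    return "local"


def explain(path, mounts):
    """One-line verdict for a path: which mount it is on, its fstype, and the bucket."""
    hit = fstype_for(path, mounts)
    if hit is None:
        return f"{path}: no matching mount"
    mount_point, fstype = hit
    return f"{path}: on {mount_point} ({fstype}) -> {classify(fstype)}"


# Constructed /proc/mounts excerpt: root on ext4, the home directory on eCryptfs
# (as Ubuntu's encrypted-home setup mounts it), and an NFS mount for contrast.
SAMPLE_MOUNTS = parse_mounts("""\
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/home/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_cipher=aes 0 0
fileserver:/export /mnt/share nfs4 rw,relatime,vers=4.2 0 0
""")

if __name__ == "__main__":
    mounts = SAMPLE_MOUNTS
    if os.path.exists("/proc/mounts"):  # use the live mount table on Linux
        with open("/proc/mounts") as fh:
            mounts = parse_mounts(fh.read())
    # Resolve symlinks so a linked config directory is judged by where it really lives.
    target = os.path.realpath(os.path.expanduser("~/.config/AWSVPNClient"))
    print(explain(target, mounts))
    print(explain("/home/alice/.config/AWSVPNClient", SAMPLE_MOUNTS))
```

If the verdict for the real path is "stacked" with fstype `ecryptfs`, that is the concrete detail to put in the bug report, together with the client version; if it is "local" on a plain ext4 mount and the client still refuses it, the client is keying on something other than the mount's filesystem type.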