Questions tagged with AWS Virtual Private Network (VPN)
How to connect Workspace (Windows 10) to L2TP/IPSec VPN server
I'm trying to connect to a remote corporate NAS from my Workspace instance through a VPN. Whenever I attempt to do so - using Windows 10 VPN client configuration, the Workspace freezes. I can see there is successful authentication with the NAS device if I look at the NAS's logs. But on the Workspace, the connection attempt stops - and the Workspace completely freezes - at the "Completing connection" stage. While troubleshooting, I've disabled Windows Firewall, and modified the AWS Directory security group rules to open up the relevant ports - to no avail. Any ideas?
Client VPN slowness
I have Client VPN set up on AWS, which connects to a business web app on EC2. I access it from a Windows 10 computer using OpenVPN GUI. The web app runs very slowly at times, where a page takes 5-10 seconds to load. Previously, when it was accessed directly and not through the VPN, the web app loaded pages in under 1 second. Is there any way to improve the speed of Client VPN?
AWS Site-to-Site VPN ping working, TCP not (EC2 networking details)
I want to establish a site-to-site IPsec VPN connection between an AWS EKS-Kubernetes-Cluster and a server from a different provider using AWS Site-to-Site VPN. Pings get through the VPN, but TCP traffic does not. The server on the other end runs Ubuntu 20.04 and uses libreswan. The configuration file from AWS for the VPN for openswan has been altered in two ways (that I think should not matter):

* `auth=esp` has been commented out as libreswan would not start otherwise (libreswan 3.29)
* The VPN has been configured to use VTI.

When sending an HTTP request from the AWS site: `tcpdump` on the libreswan site shows SYN arriving and SYN-ACK being sent back, while `tcpdump` on the EC2 instance (and in a pod as well) only registers SYN. All incoming traffic has been allowed in security groups and ACLs etc. From my understanding of the flow logs, the problem occurs within an EC2 instance:

* The pod runs on the instance with its own IP address.
* Network traffic of the pod passes through the network interfaces of the underlying EC2 instance.
* Pings are processed correctly, but other traffic is not forwarded from the pod to the network interfaces of the EC2 instance.

Is my understanding correct? How does networking work inside an EC2 instance with EKS pods?
Inbound network traffic blocked
Hi, all. I'm using AWS as an extension of my on-premise data center, and have been running this successfully for quite some time. Now I'm in the process of migrating my on-premise network to new infrastructure, and have enabled a new on-premise firewall to connect to AWS using site-to-site VPN. This works in parallel with my old infrastructure, so both the old and new firewalls are connected. The old firewall (Sonicwall) connects a LAN with 192.168.20.0/24. The new firewall (Fortigate) connects a LAN with 192.168.40.0/24. I have added these subnets into the corresponding site-to-site VPN static routes. I have also added inbound rules (open for all TCP, UDP, ICMP) for the new x.x.40.0 subnet to the existing security group. From a server in the VPC, I am now able to ping resources both on x.x.20.0 and x.x.40.0. If I ping from the x.x.20.0 network I get a response. However, I cannot get an echo response when pinging the AWS server from the x.x.40.0 network. I can see the ICMP packets being sent from a packet trace on the VPN interface of the Fortigate. I have looked at this pretty much from every angle, and am a little stuck. Any hints on how to analyze this further are much appreciated. Regards, Lars
Route table not routing to Site-to-Site VPN's Inside IPv4 CIDR
I have a VPC with a private subnet (NAT) that has a routing table which redirects traffic of a given IP range (data center) to a vgw (virtual private gateway). Then I have this site-to-site VPN configured with this vgw and a customer gateway; on its static routes I also have the IP range for the data center. But I can't seem to get my EC2 instance running Ubuntu to traceroute to the corresponding VPN's Inside IPv4 CIDR when trying to reach the data center's range. What could be wrong? VPN tunnels are up, so even if I couldn't reach the data center, it should at least hop on the VPN IP address. Thanks in advance for any ideas!
AWS Client VPN - Notification of new client connection to another AWS service (e.g. Lambda)?
Hi, I'd like a Lambda function to be notified when a new client connects to our AWS Client VPN endpoint so that it can take some action to update our private hosted zone in Route53. Is there any way to send a notification from our AWS Client VPN endpoint to Lambda either via SNS or Eventbridge? Many thanks in advance.
S2S VPN tunnels up but no communication.
Hi, I'm trying to get a VPN running between my on-premises site and a VPC. I think I've followed all the instructions on the AWS guide, and created VPG, CGW, and attached them to a VPN on my VPC. I have used the generic config file to set up the IPSec VPN settings on the router here, Draytek 3900 on Static Routing. Added Network ACL and security group rules to allow traffic between the private IP range on prem and the VPC subnet range. Both tunnels show as up in the console, but I can't ping between the on-prem machines and an Instance I created in the subnet. From the router I can ping the inside IP of both tunnels, but not from the Instance. I must be missing something, but I can't see what it is. I have set up route tables to point traffic from my subnets to my internal IP range to go to the VPG. I'm also getting confused by the tunnel IP ranges which don't match anything at either end.

Information from config file:

Outside IP Addresses:
- Customer Gateway: xx.xx.xx.xx (Public IP of my router set in CGW)
- Virtual Private Gateway: yy.yy.yy.yy (Public IP of AWS tunnel)

Inside IP Addresses:
- Customer Gateway: 169.254.x/30 (This doesn't match my internal IP range)
- Virtual Private Gateway: 169.254.y/30 (This doesn't match VPC internal range)
- Next Hop: 169.54.y (Pingable from my end)

My Router config:
- Local IP/Subnet Mask: 192.168.a/24 (My internal range).
- Local next hop: 0.0.0.0 (also tried next hop from config file, but that didn't work either).
- Remote Host: yy.yy.yy.yy (Public IP of AWS tunnel from config file).
- Remote IP/Subnet Mask: 169.254.x/30 (169.254.y/30 VPG from config file).

I've also added the IP range of my VPC into the 'More Remote Subnet' but that doesn't make any difference. Ping to keep alive is enabled and set to the VGW public IP.

- CGW is attached to my VPC.

VPN settings:
- VPC: My VPC.
- Local IP CIDR: my internal IP range (192.168.a).
- State: Available.
- Customer gateway: xx.xx.xx.xx (Public IP of my router).
- Routing: Static.
- Remote IP CIDR: 0.0.0.0/0 (also tried subnets and entire VPC range).
- VPG: My VPG.
- Type: ipsec1.
- Acceleration: False.
- CGW: My CGW.

Can anyone point me in the right direction for the correct settings I need?
Issues getting split-tunnel in client VPN endpoint to work correctly.
I'm setting up a company VPN using AWS Client VPN endpoints. I have everything working so far; however, all client internet traffic is being routed through the VPN and out through the NAT gateway (and therefore incurring NAT gateway costs). I'm trying to enable split-tunnel; however, I'm still getting 0.0.0.0/0 routes to the VPN added to my route table. If I try:

- Split tunnel enabled
- Routes to local VPC and peered networks
- Authorized access to these routes
- Fairly open security group

And then connect to the VPN, I still get this in my route table:

```
> ~/d/i/vpn on branch ◦ netstat -nr                                   11:03:22
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         10.0.2.161      0.0.0.0         UG    0 0      0 tun0
0.0.0.0         192.168.4.1     0.0.0.0         UG    0 0      0 enp0s20f0u2
0.0.0.0         192.168.4.1     0.0.0.0         UG    0 0      0 wlp0s20f3
10.0.2.160      0.0.0.0         255.255.255.224 U     0 0      0 tun0
10.10.0.0       10.0.2.161      255.255.0.0     UG    0 0      0 tun0
-------         10.0.2.161      255.255.0.0     UG    0 0      0 tun0
```

(With some redaction above; I'm using 10.0.0.0/22 as the VPN CIDR.)

I'm connecting from a Fedora laptop using the built-in VPN client. I'm creating a VPN file based off the one you can download and importing it after adding in certs & keys. This all means that when I'm connected to the VPN I can access my private resources, but I lose all general internet connectivity. For our use case it's not workable for us to keep having to hop on and off the VPN.
tDBConnection_1 IO Error: The Network Adapter could not establish the connection\njava.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection
Getting this error when trying to connect from AWS to an on-prem Oracle DB using a VPN tunnel: tDBConnection_1 IO Error: The Network Adapter could not establish the connection\njava.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection. Thanks in advance and appreciate any inputs/ideas on this. Thanks, Srini
Does VPC need to be updated if client is changing VPN settings?
Currently, a Lambda function uses a VPC to connect to a client's server and fetch data. The client will be updating their VPN; do the VPC settings need to be updated as well? For example, the client is changing the encryption scheme, but I don't see anything related to encryption in the VPC.
Want a VPN tunnel between an Elastic IP and an on-prem static IP
I'm new to AWS, and I have one Elastic IP on my account that I'd like to use to establish a VPN connection between my on-premises and AWS accounts. I tried setting up an OPNsense firewall instance and connecting my Elastic IP to form a tunnel, but it didn't work. I also tried connecting the Elastic IP to a network interface, but it didn't work. I also changed the security groups to allow everything, including all TCP/UDP/ICMP traffic. I also added route tables as required. But no packet from on prem ever shows up at the AWS end. Is there anything I'm missing?