Questions tagged with AWS Virtual Private Network (VPN)


AWS Client VPN with SSO doesn't work - suddenly

Hello. For a specific account (managed by our Control Tower) I have set up two VPNs: Site-to-Site, so we can connect directly to the servers and services from the office, and Client VPN for remote users. I also set up the Client VPN with Google SSO. As long as there are users in the AWS AD, those same users can also connect via VPN using Google SSO. THIS worked since I created it more than 6 months ago. Suddenly it doesn't work anymore! There has been no change from my side. According to the log file, the last Client VPN SSO connections were in September (7th and 21st). When I try to connect (from home), it always just says: "Re-establishing connection." But one thing is noticeable: in the log file you can find the entry: `RESOLVE: Cannot resolve host address: 9c19xxxxxxx.cvpn-endpoint-xxxxxxxxxx.prod.clientvpn.xxxxxxx.amazonaws.com:443 (No such host is known. )` This is probably the reason that no browser tab opens to connect to the Google account. But I have no influence on this name; it comes from AWS. I also re-downloaded the VPN profile from AWS, same result. This did NOT help either: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/troubleshooting.html (Endpoint name). Finally, my configuration was not changed (so AWS must have changed something or something is broken). Google SSO: everything looks fine. I am at a loss here. The help I got from Business Support (we don't have premium/technical support) is not helpful because they sent me some links which explain how to configure VPNs or troubleshoot other issues. So, what's wrong here? Thx.
1 answer · 0 votes · 10 views · asked 21 days ago

Cannot resolve host of RDS endpoint in private subnet via VPN client endpoint

I have an AWS VPC VPN client endpoint set up to connect to 2 private subnets. Inside these private subnets is an RDS instance and an EC2 instance running an application server (aka "control plane server"). The private subnets are provided access to the external internet (so servers can download packages and such) via a public subnet with a NAT -> internet gateway.

![Network topology diagram](/media/postImages/original/IMmq5arvCkQbu7gwTh99Wpqg)

I have successfully connected to the VPN from my laptop and even SSH-ed into the "control plane server". However, from my laptop, connected to the VPN, I cannot connect to the RDS endpoint. I get the error:

```
lookup <rds instance ID>.<random>.us-east-2.rds.amazonaws.com on [2600:4040:5710:9100::1]:53: no such host
```

This seems to be an error related to looking up the RDS endpoint's IP address. To debug this I used the `dig` tool from my laptop and from within an SSH session on the "control plane server". I found that from my laptop, whether or not I'm connected to the VPN, `dig <rds instance ID>.<random>.us-east-2.rds.amazonaws.com` returns 0 answers. However, my laptop isn't completely clueless about this URL. I can ask for the name servers and `dig` returns the name servers `ns-573.awsdns-07.net. awsdns-hostmaster.amazon.com.`. If I SSH into the "control plane server" I actually get an `A` record back for the RDS endpoint URL. It's an IP address in the `10.1.2.0/24` subnet. I also get back the same name server results. I have tried disabling split-tunnel mode on the VPN and I get the same `dig` results from my laptop. I cannot exactly give my entire network configuration with all the security groups and such, but I followed [this RDS over VPN official AWS guide](https://aws.amazon.com/blogs/database/accessing-an-amazon-rds-instance-remotely-using-aws-client-vpn/) almost exactly. The only modifications were adding a public subnet with a NAT -> IGW and the modification described in the following paragraph.

I had one question about the guide, however: to me the security group rules laid out regarding VPN client CIDRs didn't make sense.

![Screenshot from AWS guide highlighting IP mismatch](/media/postImages/original/IMaGX05IK_Q3aAPYWMEpA8Ag)

The guide says the CIDR in the security group rule is the CIDR which VPN clients will get IPs from. The security group uses `122....`. However, the VPN configuration uses `192....`. So I changed the security group rule to match the actual VPN CIDR. Was this a mistake? Am I missing anything about how I can get the AWS DNS servers to give me my private subnet IPs when connected via the VPN? My hypothesis is that when my laptop makes a request to the AWS DNS server for RDS, it sees I am connecting from an external network, and not the private subnet from which the RDS endpoint IP is allocated. So it refuses to leak information and says there are no results.
1 answer · 0 votes · 37 views · Noah, asked a month ago

AWS Client Unable To Uninstall or Connect

AWS Client VPN used to work until today. It stopped working with the following: "AWS VPN Client Helper Tool is required to establish the connection." I've tried reinstalling the client found here and it still didn't resolve the issue. I tried to uninstall and I get the same error. I've checked the resource here https://docs.aws.amazon.com/vpn/latest/clientvpn-user/macos-troubleshooting.html and it didn't help either, as I kept getting the same error. I currently use SAML (SSO); OpenVPN or Tunnelblick didn't work. Other people in my office are able to connect to the VPN successfully, FYI. I've restarted the Mac (M1) multiple times and reinstalled the Monterey OS (didn't remove all applications** don't know why). I've tried checking the logs and found the following.

```
tail -f /Users/saviourgidi/.config/AWSVPNClient/logs/aws_vpn_client_20221018.log
2022-10-18 15:36:27.254 +02:00 [DBG] Helper app --init output: Helper failed to install.
2022-10-18 15:36:27.254 +02:00 [DBG] Helper failed to install or was canceled.
2022-10-18 15:36:27.254 +02:00 [DBG] Stopping DNS monitoring thread
2022-10-18 15:36:27.254 +02:00 [DBG] Releasing DNS monitoring lock
2022-10-18 15:36:27.255 +02:00 [DBG] Metric agent started
2022-10-18 15:36:27.255 +02:00 [DBG] Received exception for connection state Disconnected. Show error message to user
2022-10-18 15:36:27.255 +02:00 [ERR] Exception recieved by connection view controller ACVC.Core.OpenVpn.HelperToolInstallationFailedException: AWS VPN Client Helper Tool is required to establish the connection.
  at ACVC.Core.OpenVpn.OvpnOsxProcessManager.Start (System.String openVpnConfigPath, System.String managementPortPasswordFile, System.Int32 timeoutMilliseconds) [0x001f6] in <122123b2b3914e32b2c06bd2a2d00f27>:0
  at ACVC.Core.OpenVpn.OvpnConnectionManager.Connect (ACVC.Core.Metadata.OvpnConnectionProfile configProfile, ACVC.Core.GetCredentialsCallback getCredentialsCallback, System.Int32 timeout) [0x0020f] in <122123b2b3914e32b2c06bd2a2d00f27>:0
2022-10-18 15:40:00.882 +02:00 [DBG] Clean up connections. Connection state: Connecting
2022-10-18 15:40:00.884 +02:00 [INF] Validating schema for OpenVPN config: /Users/saviourgidi/.config/AWSVPNClient/OpenVpnConfigs/test-eu
2022-10-18 15:40:01.889 +02:00 [DBG] Caught exception when getting connection status. Exception information: System.TimeoutException: The message did not respond within the expected timeframe or was cancelled
  at ACVC.Core.OpenVpn.OvpnConnectionManager.SendMessage (System.String message, System.Int32 timeout, System.Threading.CancellationToken cancellationToken) [0x001ca] in <122123b2b3914e32b2c06bd2a2d00f27>:0
  at ACVC.Core.OpenVpn.OvpnConnectionManager.GetConnectionStatus () [0x0007c] in <122123b2b3914e32b2c06bd2a2d00f27>:0
  at ACVC.Core.Metrics.MetricsClient.RecordBytesMetricsAndAnalytics (ACVC.Core.IConnectionManager connectionManager) [0x00077] in <122123b2b3914e32b2c06bd2a2d00f27>:0
2022-10-18 15:40:01.890 +02:00 [DBG] Stopping DNS monitoring thread
2022-10-18 15:40:01.890 +02:00 [DBG] Releasing DNS monitoring lock
2022-10-18 15:40:01.892 +02:00 [INF] Terminating connection
2022-10-18 15:40:01.892 +02:00 [WRN] Acs did not stop correctly!
2022-10-18 15:40:01.892 +02:00 [DBG] 🏞 Ending connection details reporting.
2022-10-18 15:40:01.892 +02:00 [WRN] We are calling GracefulKill in a method that is not supposed to change Connection state.
2022-10-18 15:40:01.892 +02:00 [DBG] GracefulKill
2022-10-18 15:40:01.893 +02:00 [DBG] Cancelling socket listen token
2022-10-18 15:40:01.893 +02:00 [DBG] Dispose socket
2022-10-18 15:40:01.893 +02:00 [DBG] Signal process kill with helper tool.
2022-10-18 15:40:01.893 +02:00 [DBG] Starting process
2022-10-18 15:40:01.926 +02:00 [DBG] Start to read process output
2022-10-18 15:40:01.962 +02:00 [DBG] End reading process output
2022-10-18 15:40:02.028 +02:00 [DBG] Helper app --kill output: Kill success.
2022-10-18 15:40:02.028 +02:00 [DBG] Release process manager start lock
2022-10-18 15:40:02.028 +02:00 [DBG] Release process manager stop lock
2022-10-18 15:40:02.028 +02:00 [DBG] Disconnected
2022-10-18 15:40:02.028 +02:00 [DBG] Stopping DNS monitoring thread
2022-10-18 15:40:02.028 +02:00 [DBG] Releasing DNS monitoring lock
2022-10-18 15:40:06.195 +02:00 [INF] Saving profile store to /Users/saviourgidi/.config/AWSVPNClient/ConnectionProfiles
2022-10-18 15:40:06.197 +02:00 [INF] Connecting /Users/saviourgidi/.config/AWSVPNClient/OpenVpnConfigs/test-eu
2022-10-18 15:40:06.198 +02:00 [DBG] validationString: /Users/saviourgidi/.config/AWSVPNClient/OpenVpnConfigs/test-eu 1666100416
2022-10-18 15:40:06.198 +02:00 [DBG] Shutting down metrics agent
2022-10-18 15:40:06.198 +02:00 [DBG] Metrics agent shut down
2022-10-18 15:40:06.354 +02:00 [INF] Starting OpenVpn process
2022-10-18 15:40:06.354 +02:00 [DBG] Starting process
2022-10-18 15:40:06.375 +02:00 [DBG] Start to read process output
2022-10-18 15:40:10.553 +02:00 [DBG] End reading process output
2022-10-18 15:40:10.617 +02:00 [DBG] Helper app --init output: Helper failed to install.
2022-10-18 15:40:10.617 +02:00 [DBG] Helper failed to install or was canceled.
2022-10-18 15:40:10.617 +02:00 [DBG] Stopping DNS monitoring thread
2022-10-18 15:40:10.617 +02:00 [DBG] Releasing DNS monitoring lock
2022-10-18 15:40:10.618 +02:00 [DBG] Metric agent started
2022-10-18 15:40:10.618 +02:00 [DBG] Received exception for connection state Disconnected. Show error message to user
2022-10-18 15:40:10.618 +02:00 [ERR] Exception recieved by connection view controller ACVC.Core.OpenVpn.HelperToolInstallationFailedException: AWS VPN Client Helper Tool is required to establish the connection.
  at ACVC.Core.OpenVpn.OvpnOsxProcessManager.Start (System.String openVpnConfigPath, System.String managementPortPasswordFile, System.Int32 timeoutMilliseconds) [0x001f6] in <122123b2b3914e32b2c06bd2a2d00f27>:0
  at ACVC.Core.OpenVpn.OvpnConnectionManager.Connect (ACVC.Core.Metadata.OvpnConnectionProfile configProfile, ACVC.Core.GetCredentialsCallback getCredentialsCallback, System.Int32 timeout) [0x0020f] in <122123b2b3914e32b2c06bd2a2d00f27>:0
2022-10-18 15:40:11.802 +02:00 [DBG] Clean up connections. Connection state: Connecting
2022-10-18 15:40:11.803 +02:00 [INF] Validating schema for OpenVPN config: /Users/saviourgidi/.config/AWSVPNClient/OpenVpnConfigs/test-eu
2022-10-18 15:40:12.806 +02:00 [DBG] Caught exception when getting connection status. Exception information: System.TimeoutException: The message did not respond within the expected timeframe or was cancelled
  at ACVC.Core.OpenVpn.OvpnConnectionManager.SendMessage (System.String message, System.Int32 timeout, System.Threading.CancellationToken cancellationToken) [0x001ca] in <122123b2b3914e32b2c06bd2a2d00f27>:0
  at ACVC.Core.OpenVpn.OvpnConnectionManager.GetConnectionStatus () [0x0007c] in <122123b2b3914e32b2c06bd2a2d00f27>:0
  at ACVC.Core.Metrics.MetricsClient.RecordBytesMetricsAndAnalytics (ACVC.Core.IConnectionManager connectionManager) [0x00077] in <122123b2b3914e32b2c06bd2a2d00f27>:0
2022-10-18 15:40:12.807 +02:00 [DBG] Stopping DNS monitoring thread
2022-10-18 15:40:12.807 +02:00 [DBG] Releasing DNS monitoring lock
2022-10-18 15:40:12.809 +02:00 [INF] Terminating connection
2022-10-18 15:40:12.809 +02:00 [WRN] Acs did not stop correctly!
2022-10-18 15:40:12.809 +02:00 [DBG] 🏞 Ending connection details reporting.
2022-10-18 15:40:12.809 +02:00 [WRN] We are calling GracefulKill in a method that is not supposed to change Connection state.
2022-10-18 15:40:12.809 +02:00 [DBG] GracefulKill
2022-10-18 15:40:12.810 +02:00 [DBG] Cancelling socket listen token
2022-10-18 15:40:12.810 +02:00 [DBG] Dispose socket
2022-10-18 15:40:12.810 +02:00 [DBG] Signal process kill with helper tool.
2022-10-18 15:40:12.810 +02:00 [DBG] Starting process
2022-10-18 15:40:12.842 +02:00 [DBG] Start to read process output
2022-10-18 15:40:12.875 +02:00 [DBG] End reading process output
2022-10-18 15:40:12.943 +02:00 [DBG] Helper app --kill output: Kill success.
2022-10-18 15:40:12.944 +02:00 [DBG] Release process manager start lock
2022-10-18 15:40:12.944 +02:00 [DBG] Release process manager stop lock
2022-10-18 15:40:12.944 +02:00 [DBG] Disconnected
2022-10-18 15:40:12.944 +02:00 [DBG] Stopping DNS monitoring thread
2022-10-18 15:40:12.944 +02:00 [DBG] Releasing DNS monitoring lock
```
0 answers · 0 votes · 38 views · asked a month ago