VPN Client Endpoint - losing internet access even with split tunnel enabled

0

Hi, I have been working with the AWS VPN client for some time and I have enough understanding of how it works and its config. The only thing I'm having issues with right now is that even when I have the split tunnel feature enabled, I lose internet access from my computer, at home. If I understand this correctly, the whole idea behind the split tunnel is to make sure AWS traffic is the only traffic that goes through the VPN tunnel, to avoid extra charges, etc.

I have older endpoints created previously that are working as expected, both at home and at the office. All clients have the same configs, with the CIDR being the only difference, and the new one was created using AWS CDK. My local routing seems OK, but when trying to access "amazon.com", for example, I get a DNS resolution error in my browser; simply nothing works.

Following is my routing when connected to the VPN client I'm having issues with. I use 192.168.0.0/16 for my VPC.

Internet:
Destination        Gateway            Flags           Netif Expire
default            10.0.0.1           UGScg             en0       
10/24              link#15            UCS               en0      !
10.0.0.1/32        link#15            UCS               en0      !
10.0.0.1           f4:c1:14:8e:ad:16  UHLWIir           en0   1190
10.0.0.131         a4:93:3f:60:53:84  UHLWI             en0    668
10.0.0.145         f8:28:19:3d:bb:b6  UHLWI             en0      !
10.0.0.166/32      link#15            UCS               en0      !
10.0.0.245         e:bf:67:db:69:3    UHLWI             en0      !
10.0.0.255         ff:ff:ff:ff:ff:ff  UHLWbI            en0      !
127                127.0.0.1          UCS               lo0       
127.0.0.1          127.0.0.1          UH                lo0       
169.254            link#15            UCS               en0      !
192.168.0/16       192.168.100.1      UGSc            utun3       
192.168.100/27     192.168.100.2      UGSc            utun3       
192.168.100.2      192.168.100.2      UH              utun3       

Ziad
Asked 2 years ago, 4000 views
4 Answers
1

Your route table looks fine but I think the problem here is DNS. What is your DNS server set to?

You can check that the split tunnel is working correctly by doing a ping to a working external IP address. That's easy to find - when the VPN isn't running do ping www.amazon.com and take note of the IP address. With the VPN running do ping <IP address> and see if you get a response. If you do then DNS is definitely the issue.

Make sure that you can reach your DNS server when on the VPN. If the DNS server is in the VPC then it needs to be able to resolve IP addresses and return responses to your computer via the VPN tunnel.

AWS Expert
Answered 2 years ago
Reviewed by AWS Expert Toni_S 2 years ago
  • Thank you! I was able to resolve the issue. The idea behind using split tunnel for me is to avoid having non-AWS traffic going through the VPN tunnel, as I have a private subnet with no internet access. I wanted to take advantage of the endpoint route table copied on the client side. Note that I have 3 different VPN client endpoints with split tunnel and they all work. After reviewing my work and some trial and error, apparently having the client CIDR overlap with the VPC where the client is configured will cause this issue. The overlap is documented, but I didn't realize it would cause such an issue.

  • I'm having this exact issue. In order to get internal DNS resolution to work, I utilized AWS Route53 Resolver. In configuring the Client VPN Endpoint, I specified the IP addresses of the AWS Resolver Inbound Endpoint. That enabled me to resolve internal hostnames while on the VPN. However, I am now not able to resolve external DNS queries. I have split tunnel enabled. I can resolve the issue by adding an Authorization Rule on the VPN Client to allow traffic to 0.0.0.0/0, but I don't want to do that for security reasons, and don't think I should have to with the split tunnel solution. Do you have any advice?

  • Honestly, I think AWS support needs to look into this issue and do enough testing to understand the reason behind such an intermittent problem. Today suddenly everything is working fine. I was doing some testing with different VPN endpoints, and I haven't figured out the reason this is happening yet. I would say the first thing is to avoid the 0.0.0.0/0 entry, since it will copy the client route table to your local machine, and with that you might have issues trying to figure out what's going on. I had to delete my answer below, as now the CIDR overlap no longer seems to be the issue, I guess.

0

When you enable split-tunnel mode, all the routes in the Client VPN endpoint's route table are added to the client's route table when the VPN connection is established. This operation is different from the default behavior, which overwrites the client's route table with the entry 0.0.0.0/0 to route all traffic over the VPN.

I am assuming the above route table is on your on-premise end. It is not recommended to add a 0.0.0.0/0 route to the Client VPN endpoint's route table when using split-tunnel mode.

Can you confirm if you have added the same? If yes, can you remove 0.0.0.0/0 and try?

AWS Support Engineer
Answered 2 years ago
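The checks described in the first answer (is the default route still on the local interface?), the comment about client/VPC CIDR overlap, and the support answer about a 0.0.0.0/0 route in the endpoint's route table can all be run against the route table in the question. The following is an added example, not code from the thread or from AWS; it parses a constructed copy of the question's `netstat -rn` output and assumes that the 192.168.100/27 route on utun3 is the Client VPN client CIDR and that netstat abbreviates destinations by dropping trailing zero octets.

```python
import ipaddress

# Constructed sample: the macOS `netstat -rn` output from the question, trimmed
# to the entries that matter for a split-tunnel check.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags           Netif Expire
default            10.0.0.1           UGScg             en0
10/24              link#15            UCS               en0      !
192.168.0/16       192.168.100.1      UGSc            utun3
192.168.100/27     192.168.100.2      UGSc            utun3
192.168.100.2      192.168.100.2      UH              utun3
"""

def normalize(dest):
    """Expand a macOS abbreviated destination ('10/24', '127', 'default') to a network.
    Assumption: netstat drops trailing zero octets and, when no prefix is printed,
    implies 8 bits per printed octet (so '127' is 127.0.0.0/8)."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".")
    if not prefix:
        prefix = str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=False)

def parse_routes(text):
    """Return (destination network, gateway, interface) tuples from netstat -rn output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        routes.append((normalize(parts[0]), parts[1], parts[3]))
    return routes

def check_split_tunnel(routes, vpc_cidr, tunnel_if):
    """Split tunnel is healthy when the VPC route goes over the tunnel interface but
    the default route does not (a 0.0.0.0/0 over the tunnel means the endpoint's
    route table pushed a full-tunnel route to the client)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    default_over_vpn = any(n.prefixlen == 0 and nif == tunnel_if for n, _, nif in routes)
    vpc_over_vpn = any(n == vpc and nif == tunnel_if for n, _, nif in routes)
    return {"default_over_vpn": default_over_vpn, "vpc_over_vpn": vpc_over_vpn}

def cidrs_overlap(client_cidr, vpc_cidr):
    """True when the client CIDR overlaps the VPC CIDR, which Client VPN does not support."""
    return ipaddress.ip_network(client_cidr).overlaps(ipaddress.ip_network(vpc_cidr))

if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    print(check_split_tunnel(routes, "192.168.0.0/16", "utun3"))
    print(cidrs_overlap("192.168.100.0/27", "192.168.0.0/16"))
```

On the question's table the default route stays on en0 and only the VPC prefix is on utun3, so routing is consistent with split tunnel, which is why the first answer points at DNS; the overlap check returns True because 192.168.100.0/27 lies inside 192.168.0.0/16.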
0

For the benefit of others, I will answer this as I was able to resolve it. The issue here was that I was not fully aware of the proper DNS setting when set vs. left empty, to allow the DNS IP address configured on the end user's device to take care of resolving DNS queries. A good article that explains exactly the DNS settings can be found here. In my case it was completely optional, as I didn't need to use any specific DNS for my setup and only needed certain traffic to go through the VPN. I had other hardware routing issues, which could also have been contributing to part of the problem.

Ziad
Answered 2 years ago
0

My problem is similar and started with AWS VPN client 3.10. I have split-tunnel enabled, and have had Client VPN endpoints working with split-tunnel enabled since 2019.

When I upgrade to VPN client 3.10 or newer, my default gateway changes to route all traffic over the VPN, even though split tunnel is enabled.

I roll back to VPN client 3.9.0 and this behavior goes away.

Answered 7 months ago
