Client VPN and overlapping subnets

0

Hello,

I've got a client VPN setup right now that is connecting my users to a particular VPC. That VPC has a very low CIDR range in the 10.0.0.0/8 block. I am running into issues where users connecting to the client endpoint VPN have overlapping home subnets. Their client-assigned IP ranges are well outside of that block (in the upper 10.0.0.0/8 block). The problem I'm running into is that I'm using the AWS built-in DNS range (the .2 DNS) as an assigned DNS. This works great if my users have a subnet in some other RFC1918 range or some other block in the 10.0.0.0 address space. But when there's overlap, there's fire. I thought that it might work if I abandoned split tunnel mode and went to full tunnel mode, but that doesn't seem to be the case. The VPN client we're using (Tunnelblick) doesn't accept the DNS and I get messages like...

=========CIDR conflict, routing failed=========. 2024-02-28 10:25:27.668408 *Tunnelblick: Routing info stdout: route to: 10.x.x.2 destination: 10.x.x.2 interface: en0. <++++++++++++

This is not really surprising considering the overlapping home and destination subnets. But this seems like a well-known issue: is it just the case that you can't have any overlap between your home network and your destination network? How do you plan for something like this, and how can you work around it if you can't control a user's home network ranges?

Thanks for your time and advice!

Asked 2 months ago, 243 views
3 answers
1

The easiest and best solution would be to use the 100.64.0.0/10 address space in your VPC and rebuild the VPN. It is less likely to clash.

Answered 2 months ago
0

You have no control over your clients' home network setups. They could be using common ranges like 10.0.0.0/8 or 192.168.x.x. Dictating to users what their home network setup should be is usually not practical.

The most straightforward solution is to reconfigure your VPC to use a different, non-overlapping CIDR range. If this isn't feasible due to existing resources and dependencies, the other options involve trade-offs.

Set up Network Address Translation (NAT) on the VPC side. This maps the overlapping client addresses to a unique, non-overlapping subnet within the VPC. It requires some networking configuration but avoids client-side complexity.

Expert
Answered 2 months ago
Expert
Reviewed 2 months ago
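An added planning check (not code from any of the answers above) for the advice in the first two answers: given a VPC CIDR, its .2 resolver address and the client address pool, it reports which home LANs would collide and why, and confirms that a VPC carved from 100.64.0.0/10 avoids every RFC 1918 block. All CIDRs below are constructed sample values, not the asker's real ranges.

```python
import ipaddress

# Constructed sample values: a VPC low in 10/8, a client pool high in 10/8,
# and a handful of typical home LAN ranges to test against them.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
CLIENT_POOL = ipaddress.ip_network("10.200.0.0/22")
HOME_LANS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),    # collides with the VPC and its .2 resolver
    ipaddress.ip_network("10.200.1.0/24"),  # collides with the client pool
    ipaddress.ip_network("172.16.0.0/12"),
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def vpc_dns_resolver(vpc):
    """The AWS-provided resolver lives at the VPC network address plus two."""
    return vpc.network_address + 2


def find_conflicts(vpc, client_pool, home_lans):
    """Map each colliding home LAN (as a string) to the list of reasons it
    breaks the VPN: overlapping the VPC, hiding the resolver, or overlapping
    the client pool so the client's own tunnel address is unroutable."""
    resolver = vpc_dns_resolver(vpc)
    conflicts = {}
    for lan in home_lans:
        reasons = []
        if lan.overlaps(vpc):
            reasons.append("overlaps VPC CIDR")
        if resolver in lan:
            reasons.append(f"hides VPC DNS resolver {resolver}")
        if lan.overlaps(client_pool):
            reasons.append("overlaps client pool")
        if reasons:
            conflicts[str(lan)] = reasons
    return conflicts


def clashes_with_rfc1918(cidr):
    """Return the RFC 1918 blocks a candidate VPC range overlaps (empty is good)."""
    net = ipaddress.ip_network(cidr)
    return [str(block) for block in RFC1918 if net.overlaps(block)]


if __name__ == "__main__":
    for lan, why in find_conflicts(VPC_CIDR, CLIENT_POOL, HOME_LANS).items():
        print(f"{lan}: {', '.join(why)}")
    print("100.64.0.0/10 clashes:", clashes_with_rfc1918("100.64.0.0/10"))
```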
0

Not really answering the question (although the answer is "It isn't easy to connect networks with overlapping IP addresses") and there are situations where IP overlap is unavoidable no matter what you do, but: this blog post might be of assistance. Perhaps.

AWS Expert
Answered 2 months ago
