5

I have an AWS Client VPN setup so that people who can connect to the VPN can access our EC2 servers on the same VPC. Some users are reporting they cannot connect to the services while on the VPN, while others can.

I can do a ping {{address_of_ec2_instance}} in the terminal and get a response, but another user connected to the same VPN will get a timeout with the exact same command, and the same IP resolved. When they go to https://www.whatismyip.com/, they report being connected to the same ISP and Location.

The only thing I can speculate is that maybe I haven't allowed the proper port range on the EC2 Security Settings, and some users are within the port range but others are not. How do I determine what port range to forward, given a Client VPN Endpoint?


1 Answer

3

When you launch a client VPN you will provide a Client IPv4 CIDR range. When connecting to this you will be given an IP address from this range (which is treated as the private IP address when connecting).

For any private IP connections the source IP will come from this range (and as you're using a Client VPN you should connect using the private IP over public to keep network transit through the tunnel).

If you connect via the public IP address you will need to consider whether you want all traffic or just private traffic to go through the client VPN. By enabling split-tunnel you will be using the public IP address of your on-premises network, otherwise you will be using a public IP address from Amazon's pool of servers.

As a side note if you're ever trying to debug connection failures you can make use of VPC Flow Logs.

  • I currently don't have access to flow logs. When I connect to servers, the IP I'm connecting from doesn't match that CIDR. The Client CIDR I have for example is 172.30.4.0/22, but the IP I'm connecting as is 172.30.20.244 (Last login: Mon Aug 10 18:53:37 2020 from ip-172-30-20-244.ec2.internal). Where is this IP coming from? – Jack Cole Aug 10 '20 at 18:55
  • 1
    Ah, I see the IP matches the subnet that the VPN is associated with. – Jack Cole Aug 10 '20 at 19:14
  • Yes indeed it is :) – Chris Williams Aug 10 '20 at 19:15
  • I have 2 instances on the same subnet with the same firewall rules. One can be connected to, the other can't, while on the VPN. Where should I put the flow logs? On the instances themselves? Or on the VPN subnet? Or on the instances' subnet? – Jack Cole Aug 10 '20 at 19:54
  • Put it on the ENI of the instance that you cannot connect to :) – Chris Williams Aug 10 '20 at 19:56
  • So the next morning I connected to the VPN, and I was able to connect to the instance that had this issue, and so were other users now. But now I can't connect to another instance. When I check the flow logs, there are no records of my attempts to connect to the instance that isn't working, but for the instance that is working it does show ACCEPT. I do see other VPN users' connections in the flow log to the instance I cannot connect to. So I think the issue isn't with the instances' firewalls. – Jack Cole Aug 11 '20 at 19:57
  • Hmm, are the instances in the same subnets, same security groups, both private? – Chris Williams Aug 11 '20 at 19:58
  • Well before it was like that, with 2 nearly identical instances (just with different names). I could connect to one on the VPN, but not the other. Both could be connected to outside the VPN (if I allowed my home address). They are on the same subnet, same exact firewall rules. But now the previously not working instance is now working, and a bit different instance isn't working. – Jack Cole Aug 11 '20 at 20:03
  • Hmm, if there is nothing appearing in the VPC flow logs that would indicate network traffic is not entering the VPC for routing that subnet. If you allow inbound for all IPs does it work on both? – Chris Williams Aug 11 '20 at 20:05
  • I looked through the VPC logs, and the only REJECT that had my VPN IP address was connections attempting to be made to it. I couldn't find anything in the logs showing my address trying to connect to the target instance I was trying to connect to. I did see my connections to the instance that does work. My IP just changed since I disconnected for a few hours, and now the instances switched in functionality. My VPN IP changed from 172.30.20.102 to 172.30.20.244. – Jack Cole Aug 12 '20 at 05:19
  • Just to wrap this up, the issue was the IP addresses of the VPN users overlapped with the IP addresses of the servers I was trying to connect to. Once I separated the ranges, everything worked fine. – Jack Cole Mar 10 '22 at 21:04
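The two checks this thread ends up needing, as an added example that is not part of the question or the answer: a test that a Client VPN client CIDR does not overlap the VPC (the cause found in the last comment, using AWS's documented /22 to /12 size rule for the client CIDR), and a filter over default-format VPC flow log records that separates a REJECT from "no record at all" for a given source and destination, which is the distinction the comments rely on. The VPC CIDR 172.30.0.0/16, the subnet 172.30.20.0/24, the account id, the ENI id and the log lines are constructed values, not taken from the thread.

```python
import ipaddress

# AWS documents that a Client VPN client CIDR must be /22 to /12 in size and
# must not overlap the VPC CIDR or any subnet/route the endpoint can reach.
def check_client_cidr(client_cidr, vpc_cidr, subnet_cidrs):
    """Return a list of problems with the proposed client CIDR (empty = OK)."""
    client = ipaddress.ip_network(client_cidr, strict=True)
    problems = []
    if not 12 <= client.prefixlen <= 22:
        problems.append(f"client CIDR {client} must be between /22 and /12")
    targets = [("VPC", vpc_cidr)] + [("subnet", s) for s in subnet_cidrs]
    for name, cidr in targets:
        net = ipaddress.ip_network(cidr, strict=True)
        if client.overlaps(net):
            problems.append(f"client CIDR {client} overlaps {name} {net}")
    return problems


# Default VPC flow log record (version 2), space separated:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
def flow_log_actions(lines, src, dst):
    """Return the action field of every record for src -> dst.

    An empty list means the ENI never saw the traffic at all, which points at
    routing (as in the thread), not at a security group REJECT."""
    actions = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 14 and fields[3] == src and fields[4] == dst:
            actions.append(fields[12])
    return actions


# Constructed sample records (account id, ENI id and timestamps are made up).
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0abc123 172.30.20.244 172.30.20.10 51234 22 6 12 2048 1597089600 1597089660 ACCEPT OK
2 123456789012 eni-0abc123 172.30.20.102 172.30.20.10 51240 22 6 3 180 1597089600 1597089660 REJECT OK
2 123456789012 eni-0abc123 172.30.20.10 172.30.20.244 22 51234 6 10 1600 1597089600 1597089660 ACCEPT OK
""".splitlines()

if __name__ == "__main__":
    # The thread's client CIDR against an assumed VPC CIDR of 172.30.0.0/16.
    for p in check_client_cidr("172.30.4.0/22", "172.30.0.0/16", ["172.30.20.0/24"]):
        print("PROBLEM:", p)
    print(check_client_cidr("10.100.0.0/22", "172.30.0.0/16", ["172.30.20.0/24"]))
    for src in ("172.30.20.244", "172.30.20.102", "172.30.20.50"):
        print(src, "->", "172.30.20.10", flow_log_actions(SAMPLE_FLOW_LOG, src, "172.30.20.10"))
```

A source that shows neither ACCEPT nor REJECT on the target instance's ENI never reached that ENI, so the next place to look is the endpoint's route table and the client CIDR, not the security group.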