I want to use a VPN in Amazon WorkSpaces. Or, when I connect to my VPN client from inside a WorkSpace, I get disconnected and the WorkSpace status changes to Unhealthy.
Resolution
For WorkSpaces, it's a best practice to use an AWS Site-to-Site VPN connection instead of a VPN client at the operating system (OS) level. An OS-level VPN client can change the routes that the WorkSpace uses for its management interface. If management or streaming traffic is pulled into the tunnel, the WorkSpaces service can no longer reach the WorkSpace, the session disconnects, and the status changes to Unhealthy.
WorkSpaces uses two network interfaces and specific IP address ranges to connect and stream. A Site-to-Site VPN connection is configured in your VPC route table, so it affects only the primary network interface (eth1), which is attached to your VPC. It doesn't change the management network interface (eth0), which the WorkSpaces service uses for streaming and management traffic, so those functions aren't disrupted.
If you can't use a Site-to-Site VPN connection, then configure your VPN client as a split-tunnel VPN: route only the traffic that must reach the VPN over the tunnel, and confirm that the client's routes exclude the management interface IP address ranges for your Region. Check the routing table inside the WorkSpace after the client connects, because some clients push a default route or more specific routes that capture management traffic even when the client's configuration is labeled split tunnel.
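The following script is an added example, not code from AWS or from any VPN vendor. It shows the check described above: given the IPv4 routing table of a Windows WorkSpace (pasted from `route print`), it decides, for every management interface range, whether the OS would forward any address in that range through the VPN adapter. The 198.19.0.0/16 range, the interface addresses, and both route tables are assumptions constructed for the example; replace the range with the one documented for your Region and the VPN interface address with the one your client uses. The algorithm is the OS forwarding decision (longest prefix, then lowest metric), probed at every address where that decision can change, so it also catches a route that captures only part of the range.

```python
import ipaddress
from dataclasses import dataclass

# ASSUMPTION: the management interface range differs by Region; 198.19.0.0/16 is
# only a placeholder. Use the range listed for your Region in the WorkSpaces docs.
MANAGEMENT_RANGES = ["198.19.0.0/16"]

# Address of the VPN adapter as it appears in the Interface column (assumed).
VPN_IFACE_IPS = {"10.8.0.6"}


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def parse_route_print(text):
    """Parse IPv4 rows of Windows `route print`: dest, mask, gateway, iface, metric."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, section title, or IPv6 row
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append(Route(net, gateway, iface, int(metric)))
        except ValueError:
            continue  # not a route row
    return routes


def best_route(addr, routes):
    """Forwarding decision for one address: longest prefix wins, then lowest metric."""
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def probe_points(mgmt, routes):
    """Addresses in `mgmt` where the best route can change: the range start, each
    overlapping route's first address, and the address right after its last one."""
    points = {mgmt.network_address}
    for r in routes:
        if not r.network.overlaps(mgmt):
            continue
        if r.network.network_address in mgmt:
            points.add(r.network.network_address)
        after_end = int(r.network.broadcast_address) + 1
        if after_end <= int(mgmt.broadcast_address):
            points.add(ipaddress.IPv4Address(after_end))
    return sorted(points)


def captured_by_vpn(mgmt_cidr, routes, vpn_iface_ips):
    """(probe address, route) pairs in the management range that egress through the
    VPN adapter. An empty list means the range is excluded from the tunnel."""
    mgmt = ipaddress.ip_network(mgmt_cidr)
    leaks = []
    for addr in probe_points(mgmt, routes):
        r = best_route(addr, routes)
        if r is not None and r.interface in vpn_iface_ips:
            leaks.append((str(addr), str(r.network)))
    return leaks


def check_routes(text, vpn_iface_ips=VPN_IFACE_IPS, ranges=MANAGEMENT_RANGES):
    """Map each management range to the probes the VPN would capture."""
    routes = parse_route_print(text)
    return {cidr: captured_by_vpn(cidr, routes, vpn_iface_ips) for cidr in ranges}


# Constructed sample (not from a real WorkSpace): eth1 (primary) 10.0.1.25,
# eth0 (management) 198.19.4.10, VPN adapter 10.8.0.6. Split tunnel: only
# 172.16.0.0/12 goes through the VPN, so the management range is untouched.
SPLIT_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.1.1       10.0.1.25      25
         10.0.1.0    255.255.255.0          On-link       10.0.1.25     281
       172.16.0.0      255.240.0.0         10.8.0.1        10.8.0.6       1
       198.19.0.0      255.255.0.0          On-link     198.19.4.10     281
"""

# Same host after a full-tunnel client connects. The two /1 routes beat the
# default route but still lose to the on-link /16; the /24 the client also
# pushed is more specific than the management route and captures part of it.
FULL_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.1.1       10.0.1.25      25
          0.0.0.0        128.0.0.0         10.8.0.1        10.8.0.6       1
        128.0.0.0        128.0.0.0         10.8.0.1        10.8.0.6       1
         10.0.1.0    255.255.255.0          On-link       10.0.1.25     281
       198.19.0.0      255.255.0.0          On-link     198.19.4.10     281
       198.19.0.0    255.255.255.0         10.8.0.1        10.8.0.6       1
"""

if __name__ == "__main__":
    for name, table in (("split tunnel", SPLIT_TUNNEL), ("full tunnel", FULL_TUNNEL)):
        for cidr, leaks in check_routes(table).items():
            print(f"{name}: {cidr}: {'excluded' if not leaks else f'captured at {leaks}'}")
```

Run it with the output of `route print -4` from the WorkSpace after the VPN client connects; a non-empty result names the first address of each captured span and the route responsible. A clean routing table is necessary but not sufficient: clients that enforce the tunnel with Windows Filtering Platform filters or by raising interface metrics can still block management traffic without adding a route, so also confirm the exclusion in the client's own split-tunnel configuration. Linux WorkSpaces print routes in `ip route` format, which this parser doesn't read.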
For an example VPN client setup in a WorkSpace, see the Zscaler and AWS traffic forwarding deployment guide on the Zscaler website.
Related information
Management interface ports