EC2 Instance not reachable after connection to instance VPN client

0

Hello everybody,

I am using an EC2 instance for my job as a software dev and thus this request for help is pretty urgent since my whole environment is on there. Today, to test an application, I had to connect to a VPN from the client using WireGuard. As soon as I connected to the VPN my connection to the EC2 instance got lost (for connecting I am using NiceDCV or Windows Remote Desktop). My network knowledge is limited but losing the connection makes some sense to me.

Since then I have been trying to connect to the instance:

  1. Creating an AWS VPC with an openVPN instance giving access to the private subnet which my dev instance is located in (following this guide https://linuxhint.com/setup-aws-vpn-ec2-instance-losing-connection/)
  2. Connecting to the same VPN that caused the disconnect from my client PC and trying to use the instance's private and public IPs to connect to it. Both didn't work, but at least when using the Windows Remote Desktop app in the second attempt with the private or public IP I got an error saying that there is already a connection to the computer (error code 0x516).

I also tried to create an AMI, terminate the instance and launch it again from the AMI because I thought that may disconnect the instance from the VPN.

Now my question is probably how to find out the public IP of the instance and how can I connect to it again? Of course it would be great to be able to have a solution where I can still use the VPN from the EC2 instance since I need it for work.

I deeply appreciate all help!

2 Answers
1

I would therefore see about enabling split tunnel on the WireGuard VPN: https://asheroto.medium.com/split-tunneling-in-wireguard-on-windows-e2dfd86d5982

Followed by setting up the SSM private endpoint on the VPC so that split tunnel allows access to SSM as it’s on the local network.

https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html

EXPERT
answered 9 months ago
  • Alright that sounds like it should work. Just to be clear about the VPC, I just created it because I thought it would help connect to the instance again. Normally I don't use a VPC but connect directly to the instance using the public DNS. Do I need to use a VPC and do the second part of the answer? Also do you have an idea on how I can connect to the instance again and configure the WireGuard connection? Since the VPN was activated I cannot connect to the instance anymore since it's automatically connected to the VPN when booting and I don't have a clue what IP I have to use now.

  • UPDATE: I restored the instance from an older AMI where the VPN was not installed. I followed the article to set up split tunneling, but I am having issues with adding the proxy server to Proxifier. It is asking for an IP address, port and protocol. When using "route print" in PS I see the WireGuard interface, but using this IP with the port 51820 I set in the WireGuard config as listening port won't work (using the HTTPS protocol). Any idea on this?

0

You don’t mention if the VPN you were using was to your VPC or some other VPN service/provider.

It sounds like a simple routing issue. If you are using AWS Client VPN you may want to enable split tunnel. To use NiceDCV you need to be able to access the SSM public or private endpoint.

Sounds like when your VPN connects, you lose access to the HTTPS endpoint.

EXPERT
answered 9 months ago
  • Thanks for the answer Gary! The VPN connection was established between the EC2 instance and WireGuard, connecting to the client's network. So I guess the second part of your answer doesn't apply since this refers to a VPN connection between my laptop and the instance right?

  • Arh ok. I suspect the same issue is happening then on the EC2. It also needs to connect to the SSM endpoint. I assume the same thing is happening with the VPN client you are using there too. As soon as the VPN comes up it drops the connection to SSM and you lose access.
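
Both answers point to split tunneling so that the management path (RDP / NiceDCV, SSM) stays outside the WireGuard tunnel on the instance. As an added example, not part of the original thread or of either answer: a Python check that reads a WireGuard config and reports which must-stay-direct addresses its `AllowedIPs` would capture, so the config can be reviewed before the tunnel is brought up. The sample configs, keys and every address are constructed placeholders, and the check conservatively treats anything covered by `AllowedIPs` as tunneled, ignoring more-specific host routes.

```python
import ipaddress

# Constructed sample config: keys are placeholders, addresses are made up.
FULL_TUNNEL = """\
[Interface]
PrivateKey = <instance-private-key>
Address = 10.8.0.2/32
ListenPort = 51820

[Peer]
PublicKey = <client-site-public-key>
Endpoint = 198.51.100.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""
# Split-tunnel variant: only the tunnel subnet and the (hypothetical) client LAN.
SPLIT_TUNNEL = FULL_TUNNEL.replace("0.0.0.0/0, ::/0", "10.8.0.0/24, 192.168.50.0/24")

# Hypothetical paths that must keep bypassing the tunnel on the EC2 instance.
KEEP_DIRECT = {
    "admin workstation (RDP / DCV source)": "203.0.113.25/32",
    "VPC subnet (SSM interface endpoint)": "172.31.0.0/16",
    "instance metadata service": "169.254.169.254/32",
}

def allowed_ips(conf_text):
    """Collect every AllowedIPs network from all [Peer] sections."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "peer" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() == "allowedips":
                nets += [ipaddress.ip_network(v.strip(), strict=False)
                         for v in value.split(",") if v.strip()]
    return nets

def captured_by_tunnel(conf_text, keep_direct):
    """Names of keep_direct entries that overlap any AllowedIPs range."""
    nets = allowed_ips(conf_text)
    hits = []
    for name, cidr in keep_direct.items():
        target = ipaddress.ip_network(cidr, strict=False)
        if any(n.version == target.version and n.overlaps(target) for n in nets):
            hits.append(name)
    return hits

if __name__ == "__main__":
    for label, conf in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(label, "->", captured_by_tunnel(conf, KEEP_DIRECT) or "management paths stay direct")
```
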
