AWS Client vpn connected but cannot access internet

2

I have been able to create an AWS Client VPN endpoint, and I am able to access servers inside the VPC, but it looks like I am not able to access the internet.

DNS resolution doesn't work when connected to the VPN.

One thing I tested: before enabling the VPN I copied the IP of, let's say, amazon.com, and when I turned the VPN on I tried to ping that IP and it worked. So most likely it's a problem with DNS, but I don't know how to fix it.

Here are the screenshots


This is what I get in Tunnelblick:

```
2023-01-04 03:29:44.819311 VERIFY KU OK
2023-01-04 03:29:44.819382 Validating certificate extended key usage
2023-01-04 03:29:44.819400 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-01-04 03:29:44.819414 VERIFY EKU OK
2023-01-04 03:29:44.819427 VERIFY OK: depth=0, CN=server.zenskar.com
2023-01-04 03:29:45.616001 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-01-04 03:29:45.616136 [server..com] Peer Connection Initiated with [AF_INET]34.192.121.223:443
2023-01-04 03:29:46.930345 MANAGEMENT: >STATE:1672783186,GET_CONFIG,,,,,,
2023-01-04 03:29:46.943423 SENT CONTROL [server..com]: 'PUSH_REQUEST' (status=1)
2023-01-04 03:29:47.622919 PUSH: Received control message: 'PUSH_REPLY,route 0.0.0.0 0.0.0.0,route 10.0.0.0 255.255.0.0,route-gateway 11.0.0.161,topology subnet,ping 1,ping-restart 20,ifconfig 11.0.0.162 255.255.255.224,peer-id 0,cipher AES-256-GCM'
```

Routing table without VPN:

```
Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.29.1       UGScg             en0
127                127.0.0.1          UCS               lo0
127.0.0.1          127.0.0.1          UH                lo0
169.254            link#15            UCS               en0      !
192.168.29         link#15            UCS               en0      !
192.168.29.1/32    link#15            UCS               en0      !
192.168.29.1       8c:a3:99:43:d4:c6  UHLWIir           en0   1189
192.168.29.3       62:86:e7:b7:95:3   UHLWIi            en0     46
192.168.29.41      d6:e3:d9:51:75:9f  UHLWI             en0    325
192.168.29.50/32   link#15            UCS               en0      !
192.168.29.53      16:c2:44:9f:bd:5c  UHLWI             en0     82
192.168.29.130     9e:df:ca:48:30:f1  UHLWI             en0     84
192.168.29.223     d6:78:7e:8a:b1:1   UHLWI             en0    934
192.168.29.255     ff:ff:ff:ff:ff:ff  UHLWbI            en0      !
224.0.0/4          link#15            UmCS              en0      !
224.0.0.251        1:0:5e:0:0:fb      UHmLWI            en0
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI            en0
255.255.255.255/32 link#15            UCS               en0      !
```

Routing table with VPN:

```
Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.29.1       UGScg             en0
10/16              11.0.0.129         UGSc            utun7
11.0.0.128/27      11.0.0.130         UGSc            utun7
11.0.0.130         11.0.0.130         UH              utun7
127                127.0.0.1          UCS               lo0
127.0.0.1          127.0.0.1          UH                lo0
169.254            link#15            UCS               en0      !
192.168.29         link#15            UCS               en0      !
192.168.29.1/32    link#15            UCS               en0      !
192.168.29.1       8c:a3:99:43:d4:c6  UHLWIir           en0   1200
192.168.29.3       62:86:e7:b7:95:3   UHLWIi            en0   1168
192.168.29.41      d6:e3:d9:51:75:9f  UHLWI             en0    247
192.168.29.50/32   link#15            UCS               en0      !
192.168.29.53      16:c2:44:9f:bd:5c  UHLWI             en0      4
192.168.29.130     9e:df:ca:48:30:f1  UHLWI             en0      6
192.168.29.223     d6:78:7e:8a:b1:1   UHLWI             en0    856
192.168.29.255     ff:ff:ff:ff:ff:ff  UHLWbI            en0      !
224.0.0/4          link#15            UmCS              en0      !
224.0.0.251        1:0:5e:0:0:fb      UHmLWI            en0
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI            en0
255.255.255.255/32 link#15            UCS               en0      !
```
2 Answers
1

See this documentation, specifically the section "Scenario #2: Split-tunnel with the 'DNS Server IP address' parameter enabled":

https://aws.amazon.com/premiumsupport/knowledge-center/client-vpn-how-dns-works-with-endpoint/

Also, please note the following from the documentation:

Routing considerations

When you enable split-tunnel mode, all the routes in the Client VPN endpoint's route table are added to the client's route table when the VPN connection is established. This operation is different from the default behavior, which overwrites the client's route table with the entry 0.0.0.0/0 to route all traffic over the VPN.

It is not recommended to add a 0.0.0.0/0 route to the Client VPN endpoint's route table when using split-tunnel mode.

From your screenshots I see that you have split tunnel enabled as well as a 0.0.0.0/0 route added, which is not recommended.

Lastly, you seem to have set up the DNS server as 10.0.0.2, which looks correct (VPC CIDR +2); when you are connected to the Client VPN, is the client machine able to ping the DNS server?

AWS EXPERT
answered a year ago
  • Hi Tushar, thanks for the help. Even when I disable split tunnel the case is the same and it doesn't connect to the internet. I will check if I am able to ping 10.0.0.2 as the DNS server.

  • I just tested: I am not able to ping the DNS server 10.0.0.2, though I am able to ping 8.8.8.8. So something is wrong with my DNS server in the VPC?

1

Once connected to the VPN, can you ping / telnet / ssh to any machine in your VPC? If yes, that means connectivity over the tunnel is working fine.

Start troubleshooting with these commands:

```
dig www.google.com
nslookup www.google.com
```

They will confirm whether DNS is reachable or not.

Sometimes the problem is that the OS prefers the DNS server configured on the local network interface instead of the DNS server pushed by the VPN, but since traffic is going into the tunnel it can't reach the local DNS server, which will be 192.168.x.x in your case, and resolution fails.

It's been discussed here: https://docs.aws.amazon.com/vpn/latest/clientvpn-user/linux-troubleshooting.html and https://aws.amazon.com/premiumsupport/knowledge-center/client-vpn-fix-dns-query-forwarding/

answered a year ago
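Both answers come down to the same question: does a query to the VPC resolver actually leave through the tunnel? The script below is an added example, not code from the question or either answer: it reads a macOS `netstat -rn` table, expands the BSD shorthand (`10/16`, `127`, a bare host address) and does the kernel's longest-prefix match, so you can see which interface a given DNS server would be reached through. The sample rows are copied from the question's "With VPN" table, where `utun7` is the tunnel interface; with them, 10.0.0.2 matches the pushed `10/16` route and goes into `utun7`, while 8.8.8.8 falls back to the default route on `en0`, which is why a successful ping of 8.8.8.8 says nothing about the path to the VPC resolver.

```python
import ipaddress

# Constructed sample: rows copied from the question's "With VPN" table
# (utun7 is the Tunnelblick tunnel interface shown there).
SAMPLE_TABLE = """\
default            192.168.29.1       UGScg             en0
10/16              11.0.0.129         UGSc            utun7
11.0.0.128/27      11.0.0.130         UGSc            utun7
11.0.0.130         11.0.0.130         UH              utun7
127                127.0.0.1          UCS               lo0
192.168.29.1/32    link#15            UCS               en0      !
"""

def expand_bsd_dest(dest):
    """Expand BSD netstat shorthand: 'default' -> 0.0.0.0/0, '10/16' -> 10.0.0.0/16,
    '127' -> 127.0.0.0/8 (zero octets are dropped on octet-boundary masks)."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:                       # no mask printed: one octet == 8 bits
        plen = str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)

def parse_routes(text):
    """Parse 'netstat -rn' rows into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] in ("Internet:", "Destination"):
            continue
        dest, gateway, flags, netif = fields[:4]
        routes.append((expand_bsd_dest(dest), gateway, flags, netif))
    return routes

def lookup(routes, ip):
    """Longest-prefix match, as the kernel does; returns (network, gateway, netif)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, gateway, _flags, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, netif)
    return best

def dns_goes_via_tunnel(routes, dns_server, tunnel_if="utun7"):
    """True when a query to dns_server would leave through the VPN interface."""
    hit = lookup(routes, dns_server)
    return hit is not None and hit[2] == tunnel_if
```

To check a live machine, pass the full output of `netstat -rn` to `parse_routes` and look up the DNS server address the endpoint pushes; if it resolves to the tunnel interface and still cannot be pinged, the problem is on the VPC side (resolver, security group or route table association) rather than in the client's routing.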
