Issues getting split-tunnel in client VPN endpoint to work correctly.

0

I'm setting up a company VPN using AWS Client VPN endpoints. I have everything working so far; however, all client internet traffic is being routed through the VPN and out through the NAT gateway (and therefore incurring NAT gateway costs). I'm trying to enable split-tunnel; however, I'm still getting 0.0.0.0/0 routes to the VPN added to my route table.

If I try:

  • Split tunnel enabled
  • Routes to local vpc and peered networks
  • Authorized access to these routes
  • Fairly open security group

And then connect to the VPN I still get this in my route table:

> ~/d/i/vpn on branch ◦ netstat -nr                                                                                                          11:03:22
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.2.161      0.0.0.0         UG        0 0          0 tun0
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 enp0s20f0u2
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 wlp0s20f3
10.0.2.160      0.0.0.0         255.255.255.224 U         0 0          0 tun0
10.10.0.0       10.0.2.161      255.255.0.0     UG        0 0          0 tun0
-------       10.0.2.161      255.255.0.0     UG        0 0          0 tun0

(With some redaction above, I'm using 10.0.0.0/22 as the vpn cidr)

I'm connecting from a Fedora laptop using the built-in VPN client (I'm creating a VPN file based off the one you can download and importing it after adding in certs & keys). This all means that when I'm connected to the VPN I can access my private resources, but I lose all general internet connectivity. For our use case it's not workable for us to keep having to hop on and off the VPN.

  • Have you managed to get this resolved at all? I have been working with the VPN client for some time and created multiple of them, all working fine. Once I switched to work from home I created a new one for testing, and as soon as it's up and running I can no longer access the internet, even though I have split tunnel enabled. Older client configs in other VPCs are still working fine and I can no longer see why this new one is acting this way.

Alex
Asked 2 years ago, 1492 views
2 answers
1

Hi,

Please check in AWS VPC --> Client VPN endpoint --> Route table and make sure you do not have a route added for 0.0.0.0.

By looking at the route table, I can see split tunnel is enabled; that's the reason I see you have two routes received, for 10.10.0.0/16 and also 0.0.0.0/0 pointing to the tunnel IP.

It is not recommended to add a 0.0.0.0/0 route to the Client VPN endpoint's route table when using split-tunnel mode.

AWS
Answered 2 years ago
Expert
Reviewed 1 month ago
0

When split-tunneling is enabled on a Client VPN endpoint, only routes that are configured on the endpoint route table will be pushed to connecting clients. Any traffic destined for addresses that do not match these routes will be routed directly to the internet rather than through the VPN tunnel.

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/split-tunnel-vpn.html

Expert
Answered 1 month ago
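The two answers above amount to a diagnostic: if the local routing table shows a default route on the tun interface, the endpoint route table almost certainly carries a 0.0.0.0/0 entry, which defeats split-tunnel. The following script is an added example, not code from the question, the answers or AWS; it parses a constructed copy of the `netstat -nr` output from the question and a constructed route list in the shape of `aws ec2 describe-client-vpn-routes` JSON (the field names `Routes`, `DestinationCidr`, `TargetSubnet` and `Status.Code` are assumed from that CLI's output format) and reports both findings.

```python
"""Check whether an AWS Client VPN split-tunnel is actually in effect.

Check 1: parse the Linux `netstat -nr` ("Kernel IP routing table") layout and
         flag any default route (destination 0.0.0.0, genmask 0.0.0.0) that
         leaves via a tunnel interface.
Check 2: scan the endpoint route table (shape of `describe-client-vpn-routes`
         output, an assumption here) for a 0.0.0.0/0 entry, which is what
         pushes that default route to every connecting client.
"""
import ipaddress
import json

# Constructed sample: the routing table from the question, redaction included.
SAMPLE_NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.2.161      0.0.0.0         UG        0 0          0 tun0
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 enp0s20f0u2
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 wlp0s20f3
10.0.2.160      0.0.0.0         255.255.255.224 U         0 0          0 tun0
10.10.0.0       10.0.2.161      255.255.0.0     UG        0 0          0 tun0
-------         10.0.2.161      255.255.0.0     UG        0 0          0 tun0
"""

# Constructed sample endpoint route table (assumed JSON shape, placeholder ids).
SAMPLE_ENDPOINT_ROUTES = json.loads("""
{"Routes": [
  {"ClientVpnEndpointId": "cvpn-endpoint-PLACEHOLDER", "DestinationCidr": "10.10.0.0/16",
   "TargetSubnet": "subnet-PLACEHOLDER", "Type": "Nat", "Origin": "associate",
   "Status": {"Code": "active"}},
  {"ClientVpnEndpointId": "cvpn-endpoint-PLACEHOLDER", "DestinationCidr": "0.0.0.0/0",
   "TargetSubnet": "subnet-PLACEHOLDER", "Type": "Nat", "Origin": "add-route",
   "Status": {"Code": "active"}}
]}
""")


def parse_netstat_routes(text):
    """Return one dict per route row; header rows and redacted rows are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue
        try:
            dest = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # "Destination" header or a redacted row like "-------"
        routes.append({
            "destination": str(dest),
            "gateway": parts[1],
            "genmask": parts[2],
            "flags": parts[3],
            "iface": parts[-1],
        })
    return routes


def tunnel_default_routes(routes, tun_prefix="tun"):
    """Default routes that leave via a tunnel device: the split-tunnel failure sign."""
    return [r for r in routes
            if r["destination"] == "0.0.0.0" and r["genmask"] == "0.0.0.0"
            and r["iface"].startswith(tun_prefix)]


def tunnel_prefixes(routes, tun_prefix="tun"):
    """CIDRs the client sends into the tunnel, as a list of strings."""
    return [str(ipaddress.ip_network(f'{r["destination"]}/{r["genmask"]}', strict=False))
            for r in routes if r["iface"].startswith(tun_prefix)]


def endpoint_default_routes(describe_output):
    """0.0.0.0/0 (or ::/0) entries in the endpoint route table, active or not."""
    return [r for r in describe_output.get("Routes", [])
            if ipaddress.ip_network(r["DestinationCidr"]).prefixlen == 0]


def diagnose(netstat_text, describe_output):
    """Combine both checks into one report dict."""
    routes = parse_netstat_routes(netstat_text)
    return {
        "client_default_via_tunnel": [r["iface"] for r in tunnel_default_routes(routes)],
        "client_tunnel_prefixes": tunnel_prefixes(routes),
        "endpoint_default_routes": [r["DestinationCidr"]
                                    for r in endpoint_default_routes(describe_output)],
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_NETSTAT, SAMPLE_ENDPOINT_ROUTES)
    if report["client_default_via_tunnel"]:
        print("Split-tunnel NOT effective: default route on", report["client_default_via_tunnel"])
    if report["endpoint_default_routes"]:
        print("Endpoint route table pushes", report["endpoint_default_routes"],
              "- remove it to keep only VPC/peered prefixes in the tunnel")
    print("Prefixes currently tunnelled:", report["client_tunnel_prefixes"])
```

On a real client, replace `SAMPLE_NETSTAT` with the output of `netstat -nr` and the JSON with the output of `aws ec2 describe-client-vpn-routes --client-vpn-endpoint-id <id>`; a healthy split-tunnel table shows only the VPN CIDR and the explicitly added VPC and peered prefixes on tun0, with the default route staying on the LAN interface.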
