AWS OpenVPN – Unable to Ping VPN Clients from Target Subnet

Tags: amazon-ec2, amazon-vpc, amazon-web-services, openvpn

I'm using AWS vpn endpoint to connect vpn clients to a subnet:
[Screenshots: VPN endpoint info and VPN routing table]
I am able to ping an EC2 instance on CIDR 10.0.0.0/16 when connected using the VPN endpoint. However, that EC2 instance is unable to ping clients using their client IP in the 172.16.0.0/16 CIDR.

Do I have to update the routing rules on the VPC or subnet to access the client CIDR? The VPC is currently on CIDR 10.0.0.0/16 and the EC2 instance is on a subnet with CIDR 10.0.64.0/24.

Best Answer

I had opened a ticket with AWS Support and they confirmed that it is working as designed: traffic will ONLY work in one direction, because the client's IP is NAT'd. Here is the AWS Support response to my ticket:

I understand that you have a client VPN (CVPN) set up and you were able to successfully connect (initiate TCP connection) to EC2 instances, but the EC2 instances cannot connect to the client IP assigned to the clients.

As stated in the following link: https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-client-vpn-to-securely-access-aws-and-on-premises-resources/

Note that CVPN will use source NAT (SNAT) to connect to resources in the associated VPC(s).

So, any traffic initiated from the client's IP will be NAT'd (the source IP of the client will be changed) to the IP address of the CVPN endpoint. So, the EC2 instance will see the traffic as if it is being sourced from the CVPN endpoint IP and not from the client's IP. Also, the VPC route table will not have a route to the client IP's subnet (refer to VPC route table rtb-0ef010cd7b387b8ff). Hence, the connection can only be initiated from the client to the EC2 instance, and it wouldn't work for connections initiated in the other direction.
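A quick way to confirm the SNAT behaviour described in the answer is to capture on the instance (`tcpdump -ni eth0 icmp`) while a VPN client pings it and classify the source addresses you see. The script below is an added example, not code from the question or from AWS; it assumes the CIDRs from the question (client pool 172.16.0.0/16, VPC 10.0.0.0/16, associated subnet 10.0.64.0/24), and the capture lines and the endpoint ENI address 10.0.64.37 are constructed, not real output.

```python
import ipaddress
import re

# CIDRs taken from the question.
CLIENT_CIDR = ipaddress.ip_network("172.16.0.0/16")      # Client VPN client pool
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")           # VPC CIDR
ENDPOINT_SUBNET = ipaddress.ip_network("10.0.64.0/24")   # subnet associated with the endpoint

# Constructed sample of "tcpdump -ni eth0 icmp" output on the EC2 instance (10.0.64.10).
# 10.0.64.37 stands in for the Client VPN endpoint ENI; it is a made-up address.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 10.0.64.37 > 10.0.64.10: ICMP echo request, id 1, seq 1, length 64
12:00:01.000100 IP 10.0.64.10 > 10.0.64.37: ICMP echo reply, id 1, seq 1, length 64
12:00:02.000000 IP 10.0.64.37 > 10.0.64.10: ICMP echo request, id 1, seq 2, length 64
"""

LINE_RE = re.compile(r"IP (\S+) > (\S+?): ICMP echo (request|reply)")


def classify(addr: str) -> str:
    """Label an address by which of the question's address ranges it falls in."""
    ip = ipaddress.ip_address(addr)
    if ip in CLIENT_CIDR:
        return "client-ip"      # would only appear if no SNAT were applied
    if ip in ENDPOINT_SUBNET:
        return "endpoint-eni"   # CVPN endpoint ENI in the associated subnet
    if ip in VPC_CIDR:
        return "vpc"
    return "other"


def summarize(capture: str) -> dict:
    """Count inbound ICMP echo requests by the kind of source address seen."""
    counts: dict = {}
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(3) != "request":
            continue
        kind = classify(m.group(1))
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def snat_in_effect(capture: str) -> bool:
    """True when requests arrive from the associated subnet and never from the client pool."""
    c = summarize(capture)
    return c.get("endpoint-eni", 0) > 0 and c.get("client-ip", 0) == 0
```

Because the instance only ever sees the endpoint ENI address, a security-group or NACL rule written against the 172.16.0.0/16 client CIDR never matches; rules and return routes have to reference the associated subnet instead.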
