Score:2

AWS Client vpn connected but cannot access internet

jp flag

I have been able to create an AWS Client VPN endpoint, and I am also able to access servers inside the VPC, but it looks like I am not able to access the internet.

DNS resolution doesn't work when connected to the VPN.

Here are the details:

[screenshots: Client VPN endpoint configuration, security group rules, internet gateway attached to the VPC]

Tunnelblick logs

2023-01-03 22:43:08.497342 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-01-03 22:43:08.503457 MANAGEMENT: >STATE:1672765988,RESOLVE,,,,,,
2023-01-03 22:43:08.724886 TCP/UDP: Preserving recently used remote address: [AF_INET]*****:443
2023-01-03 22:43:08.732514 Socket Buffers: R=[786896->786896] S=[9216->9216]
2023-01-03 22:43:08.732753 UDP link local: (not bound)
2023-01-03 22:43:08.732777 UDP link remote: [AF_INET]*****:443
2023-01-03 22:43:08.732815 MANAGEMENT: >STATE:1672765988,WAIT,,,,,,
2023-01-03 22:43:08.976379 MANAGEMENT: >STATE:1672765988,AUTH,,,,,,
2023-01-03 22:43:08.976486 TLS: Initial packet from [AF_INET]*****:443, sid=dd6ef088 3ed5ee33
2023-01-03 22:43:09.226709 VERIFY OK: depth=1, CN=***.com
2023-01-03 22:43:09.230330 VERIFY KU OK
2023-01-03 22:43:09.230440 Validating certificate extended key usage
2023-01-03 22:43:09.230454 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-01-03 22:43:09.230465 VERIFY EKU OK
2023-01-03 22:43:09.230478 VERIFY OK: depth=0, CN=server.***.com
2023-01-03 22:43:09.751110 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-01-03 22:43:09.751323 [server.*****.com] Peer Connection Initiated with [AF_INET]****:443
2023-01-03 22:43:10.934390 MANAGEMENT: >STATE:1672765990,GET_CONFIG,,,,,,
2023-01-03 22:43:10.946185 SENT CONTROL [server.*****.com]: 'PUSH_REQUEST' (status=1)
2023-01-03 22:43:11.190001 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.0.0.2,route 0.0.0.0 0.0.0.0,route 10.0.0.0 255.255.0.0,route-gateway 11.0.0.1,topology subnet,ping 1,ping-restart 20,ifconfig 11.0.0.2 255.255.255.224,peer-id 0,cipher AES-256-GCM'
2023-01-03 22:43:11.197839 OPTIONS IMPORT: timers and/or timeouts modified
2023-01-03 22:43:11.198115 OPTIONS IMPORT: --ifconfig/up options modified
2023-01-03 22:43:11.198141 OPTIONS IMPORT: route options modified
2023-01-03 22:43:11.198155 OPTIONS IMPORT: route-related options modified
2023-01-03 22:43:11.198167 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-01-03 22:43:11.198179 OPTIONS IMPORT: peer-id set
2023-01-03 22:43:11.198190 OPTIONS IMPORT: adjusting link_mtu to 1624
2023-01-03 22:43:11.198203 OPTIONS IMPORT: data channel crypto options modified
2023-01-03 22:43:11.198329 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-03 22:43:11.198347 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-03 22:43:11.220497 Opened utun device utun7
2023-01-03 22:43:11.220627 MANAGEMENT: >STATE:1672765991,ASSIGN_IP,,11.0.0.2,,,,
2023-01-03 22:43:11.220653 /sbin/ifconfig utun7 delete
                           ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2023-01-03 22:43:11.238044 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2023-01-03 22:43:11.238122 /sbin/ifconfig utun7 11.0.0.2 11.0.0.2 netmask 255.255.255.224 mtu 1500 up
2023-01-03 22:43:11.253953 /sbin/route add -net 11.0.0.0 11.0.0.2 255.255.255.224
                           add net 11.0.0.0: gateway 11.0.0.2
2023-01-03 22:43:11.269657 /sbin/route add -net ***** 192.168.29.1 255.255.255.255
                           add net *****: gateway 192.168.29.1
2023-01-03 22:43:11.335276 /sbin/route delete -net 0.0.0.0 192.168.29.1 0.0.0.0
                           delete net 0.0.0.0: gateway 192.168.29.1
2023-01-03 22:43:11.380416 /sbin/route add -net 0.0.0.0 11.0.0.1 0.0.0.0
                           add net 0.0.0.0: gateway 11.0.0.1
2023-01-03 22:43:11.414312 MANAGEMENT: >STATE:1672765991,ADD_ROUTES,,,,,,
2023-01-03 22:43:11.414391 /sbin/route add -net 0.0.0.0 11.0.0.1 0.0.0.0
                           route: writing to routing socket: File exists
                           add net 0.0.0.0: gateway 11.0.0.1: File exists
2023-01-03 22:43:11.427638 /sbin/route add -net 10.0.0.0 11.0.0.1 255.255.0.0
                           add net 10.0.0.0: gateway 11.0.0.1
                           22:43:11 *Tunnelblick:  **********************************************
                           22:43:11 *Tunnelblick:  Start of output from client.up.tunnelblick.sh
                           22:43:13 *Tunnelblick:  Retrieved from OpenVPN: name server(s) [ 10.0.0.2 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
                           22:43:13 *Tunnelblick:  WARNING: Ignoring ServerAddresses '10.0.0.2' because ServerAddresses was set manually and '-allowChangesToManuallySetNetworkSettings' was not specified
                           22:43:13 *Tunnelblick:  Setting search domains to 'openvpn' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
                           22:43:15 *Tunnelblick:  Saved the DNS and SMB configurations so they can be restored
                           22:43:15 *Tunnelblick:  Did not change DNS ServerAddresses setting of '11.0.0.1' (but re-set it)
                           22:43:15 *Tunnelblick:  Changed DNS SearchDomains setting from '' to 'openvpn'
                           22:43:15 *Tunnelblick:  Changed DNS DomainName setting from '' to 'openvpn'
                           22:43:15 *Tunnelblick:  Did not change SMB NetBIOSName setting of ''
                           22:43:15 *Tunnelblick:  Did not change SMB Workgroup setting of ''
                           22:43:15 *Tunnelblick:  Did not change SMB WINSAddresses setting of ''
                           22:43:15 *Tunnelblick:  DNS servers '11.0.0.1' were set manually
                           22:43:15 *Tunnelblick:  DNS servers '11.0.0.1' will be used for DNS queries when the VPN is active
                           22:43:15 *Tunnelblick:  NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                           22:43:15 *Tunnelblick:  Flushed the DNS cache via dscacheutil
                           22:43:15 *Tunnelblick:  /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                           22:43:15 *Tunnelblick:  Notified mDNSResponder that the DNS cache was flushed
                           22:43:15 *Tunnelblick:  Not notifying mDNSResponderHelper that the DNS cache was flushed because it is not running
                           22:43:15 *Tunnelblick:  Setting up to monitor system configuration with process-network-changes
                           22:43:15 *Tunnelblick:  End of output from client.up.tunnelblick.sh
                           22:43:15 *Tunnelblick:  **********************************************
2023-01-03 22:43:15.324027 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-01-03 22:43:15.324045 Initialization Sequence Completed
2023-01-03 22:43:15.324064 MANAGEMENT: >STATE:1672765995,CONNECTED,SUCCESS,11.0.0.2,*****,443,,
2023-01-03 22:43:16.548770 *Tunnelblick: DNS address 11.0.0.1 is being routed through the VPN
2023-01-03 22:43:39.228943 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed

Without VPN route table

Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.29.1       UGScg             en0
127                127.0.0.1          UCS               lo0
127.0.0.1          127.0.0.1          UH                lo0
169.254            link#15            UCS               en0      !
192.168.29         link#15            UCS               en0      !
192.168.29.1/32    link#15            UCS               en0      !
192.168.29.1       8c:a3:99:43:d4:c6  UHLWIir           en0   1189
192.168.29.3       62:86:e7:b7:95:3   UHLWIi            en0     46
192.168.29.41      d6:e3:d9:51:75:9f  UHLWI             en0    325
192.168.29.50/32   link#15            UCS               en0      !
192.168.29.53      16:c2:44:9f:bd:5c  UHLWI             en0     82
192.168.29.130     9e:df:ca:48:30:f1  UHLWI             en0     84
192.168.29.223     d6:78:7e:8a:b1:1   UHLWI             en0    934
192.168.29.255     ff:ff:ff:ff:ff:ff  UHLWbI            en0      !
224.0.0/4          link#15            UmCS              en0      !
224.0.0.251        1:0:5e:0:0:fb      UHmLWI            en0
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI            en0
255.255.255.255/32 link#15            UCS               en0      !

With VPN table

Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.29.1       UGScg             en0
10/16              11.0.0.129         UGSc            utun7
11.0.0.128/27      11.0.0.130         UGSc            utun7
11.0.0.130         11.0.0.130         UH              utun7
127                127.0.0.1          UCS               lo0
127.0.0.1          127.0.0.1          UH                lo0
169.254            link#15            UCS               en0      !
192.168.29         link#15            UCS               en0      !
192.168.29.1/32    link#15            UCS               en0      !
192.168.29.1       8c:a3:99:43:d4:c6  UHLWIir           en0   1200
192.168.29.3       62:86:e7:b7:95:3   UHLWIi            en0   1168
192.168.29.41      d6:e3:d9:51:75:9f  UHLWI             en0    247
192.168.29.50/32   link#15            UCS               en0      !
192.168.29.53      16:c2:44:9f:bd:5c  UHLWI             en0      4
192.168.29.130     9e:df:ca:48:30:f1  UHLWI             en0      6
192.168.29.223     d6:78:7e:8a:b1:1   UHLWI             en0    856
192.168.29.255     ff:ff:ff:ff:ff:ff  UHLWbI            en0      !
224.0.0/4          link#15            UmCS              en0      !
224.0.0.251        1:0:5e:0:0:fb      UHmLWI            en0
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI            en0
255.255.255.255/32 link#15            UCS               en0      !
quartaela avatar
pe flag
I am having exactly the same issue.
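Added example, not part of the original question or of Tunnelblick: a small Python parser over the Tunnelblick/OpenVPN log quoted above. The sample lines are constructed from the quoted log (same addresses, not the full capture). It extracts what the endpoint pushed (DNS, routes, gateway) and what DNS the client actually ended up using, and flags the case where the two differ. The format of the "DNS servers '...' will be used for DNS queries" line is assumed from the quoted log.

```python
import re

# Constructed sample: lines in the shape of the Tunnelblick/OpenVPN log quoted in
# the question (addresses copied from the post; this is not the full capture).
SAMPLE_LOG = """\
2023-01-03 22:43:11.190001 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.0.0.2,route 0.0.0.0 0.0.0.0,route 10.0.0.0 255.255.0.0,route-gateway 11.0.0.1,topology subnet,ping 1,ping-restart 20,ifconfig 11.0.0.2 255.255.255.224,peer-id 0,cipher AES-256-GCM'
2023-01-03 22:43:11.380416 /sbin/route add -net 0.0.0.0 11.0.0.1 0.0.0.0
                           22:43:13 *Tunnelblick:  WARNING: Ignoring ServerAddresses '10.0.0.2' because ServerAddresses was set manually and '-allowChangesToManuallySetNetworkSettings' was not specified
                           22:43:15 *Tunnelblick:  DNS servers '11.0.0.1' will be used for DNS queries when the VPN is active
2023-01-03 22:43:15.324045 Initialization Sequence Completed
"""

PUSH_RE = re.compile(r"'PUSH_REPLY,([^']*)'")
IGNORED_RE = re.compile(r"Ignoring ServerAddresses '([^']+)'")
# Assumed line format, taken from the quoted log; the separator for several
# servers is assumed to be comma and/or whitespace.
USED_RE = re.compile(r"DNS servers '([^']+)' will be used for DNS queries")


def parse_push_reply(log):
    """Return the options the server pushed in PUSH_REPLY, or None if absent."""
    m = PUSH_RE.search(log)
    if not m:
        return None
    opts = {"dns": [], "routes": [], "route_gateway": None, "ifconfig": None}
    for option in m.group(1).split(","):
        parts = option.split()
        if not parts:
            continue
        if parts[:2] == ["dhcp-option", "DNS"]:
            opts["dns"].append(parts[2])
        elif parts[0] == "route" and len(parts) >= 3:
            opts["routes"].append((parts[1], parts[2]))   # (network, netmask)
        elif parts[0] == "route-gateway":
            opts["route_gateway"] = parts[1]
        elif parts[0] == "ifconfig" and len(parts) >= 3:
            opts["ifconfig"] = (parts[1], parts[2])        # (address, netmask)
    return opts


def diagnose(log):
    """Compare the DNS the server pushed with the DNS the client ended up using."""
    pushed = parse_push_reply(log)
    if pushed is None:
        return {"connected": False, "error": "no PUSH_REPLY in log"}
    used = USED_RE.search(log)
    effective = [s for s in re.split(r"[,\s]+", used.group(1)) if s] if used else []
    report = {
        "connected": "Initialization Sequence Completed" in log,
        # route 0.0.0.0 0.0.0.0 means a full tunnel: internet traffic goes into utun
        "full_tunnel": ("0.0.0.0", "0.0.0.0") in pushed["routes"],
        "pushed_dns": pushed["dns"],
        "ignored_dns": IGNORED_RE.findall(log),
        "effective_dns": effective,
        "route_gateway": pushed["route_gateway"],
    }
    # Failure signature from the quoted log: the pushed resolver was ignored and
    # the resolver actually in use is the tunnel gateway address, not a DNS server.
    report["dns_mismatch"] = bool(pushed["dns"]) and set(pushed["dns"]) != set(effective)
    report["dns_is_tunnel_gateway"] = pushed["route_gateway"] in effective
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as-is and it reports `full_tunnel: True`, `pushed_dns: ['10.0.0.2']`, `effective_dns: ['11.0.0.1']` and `dns_mismatch: True`; paste your own Tunnelblick log in place of the sample to see whether the resolver the endpoint pushed is the one your Mac is actually querying.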
Score:1
pl flag

Check the security group rules that you use for the Client VPN endpoint. It should allow outbound traffic to the Internet. If not, add outbound rules that allow traffic to 0.0.0.0/0 for HTTP and HTTPS.

Also, you need to create an Internet Gateway and attach it to your VPC, so your solution will look like this:

[diagram: Client VPN endpoint, VPC subnet and internet gateway]

Read the AWS Client VPN Administrator Guide section "Access to the internet" for more details.

Abhishek avatar
jp flag
Thanks for the help. I have added a screenshot of the security group to the question now. I had enabled outbound rules to 0.0.0.0/0.
Vadim Yangunaev avatar
pl flag
Thanks Abhishek. Have you added an Internet Gateway as well?
Abhishek avatar
jp flag
Yes Vadim, the internet gateway is attached to the VPC. One thing I didn't mention is that the VPN is on CIDR block 11.0.0.0/16 while the VPC is on 10.0.0.0/16, which I think is fine as they should be on different ranges. I can post a pic of the internet gateway attached.
Vadim Yangunaev avatar
pl flag
By "VPN CIDR block" do you mean the client CIDR range? If so, it's correct; they should not overlap with the VPC CIDR.
Abhishek avatar
jp flag
Yes, that's correct. :)
Abhishek avatar
jp flag
I have added the image of the internet gateway and the VPC attached to it.
Abhishek avatar
jp flag
One thing I tested: before enabling the VPN I copied the IP of, let's say, amazon.com, and when I turned the VPN on I tried to ping that IP, and that was working. So most likely it's a problem with DNS, but I don't know how to fix it.
Score:0
it flag

I had the same problem. I enabled Custom DNS, put in the Google DNS servers 8.8.8.8 and 8.8.4.4, and it started working.
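Added example, not from either answer and not AWS code: a Python check, run over constructed JSON in the shape of the AWS CLI `describe-client-vpn-endpoints`, `describe-client-vpn-routes`, `describe-client-vpn-authorization-rules`, `describe-route-tables` and `describe-security-groups` outputs, for the items the first answer lists (security group egress, internet gateway) and the Custom DNS setting the second answer changed. It goes beyond both answers to cover the other items the "Access to the internet" scenario in the guide requires for a full-tunnel endpoint: an active 0.0.0.0/0 route to the associated subnet, an active authorization rule for 0.0.0.0/0, and DNS servers on the endpoint that the authorization rules actually let clients reach. All resource IDs are made up; the CIDRs are the ones from the question.

```python
import ipaddress

# Constructed sample in the shape of the AWS CLI describe-* outputs (IDs made up;
# CIDRs from the question: VPC 10.0.0.0/16, client CIDR 11.0.0.0/16).
ENDPOINT = {                       # describe-client-vpn-endpoints
    "ClientVpnEndpointId": "cvpn-endpoint-0example",
    "VpcId": "vpc-0example",
    "ClientCidrBlock": "11.0.0.0/16",
    "SplitTunnel": False,          # full tunnel: clients get route 0.0.0.0/0 pushed
    "DnsServers": ["10.0.0.2"],    # the VPC resolver, as pushed in the question's log
    "SecurityGroupIds": ["sg-0example"],
}
ROUTES = [                         # describe-client-vpn-routes
    {"DestinationCidr": "10.0.0.0/16", "TargetSubnet": "subnet-0example",
     "Status": {"Code": "active"}},
]
AUTH_RULES = [                     # describe-client-vpn-authorization-rules
    {"DestinationCidr": "10.0.0.0/16", "Status": {"Code": "active"}},
]
SUBNET_ROUTE_TABLE = {             # describe-route-tables, the associated subnet's table
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
    ]
}
SECURITY_GROUP = {                 # describe-security-groups
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]
}


def _active(items, cidr):
    """True if an item for exactly this CIDR exists and its status is active."""
    return any(i.get("DestinationCidr") == cidr and i.get("Status", {}).get("Code") == "active"
               for i in items)


def _covered(ip, rules):
    """True if some active authorization rule's CIDR contains this address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r["DestinationCidr"])
               for r in rules if r.get("Status", {}).get("Code") == "active")


def sg_allows_egress(sg, port):
    """True if the security group allows outbound TCP to 0.0.0.0/0 on this port."""
    for perm in sg.get("IpPermissionsEgress", []):
        if not any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            continue
        proto = perm.get("IpProtocol")
        if proto == "-1":                      # all traffic
            return True
        if proto == "tcp" and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            return True
    return False


def check_internet_access(endpoint, routes, auth_rules, subnet_rt, sg):
    """Return the list of things missing for clients to reach the internet."""
    problems = []
    if not endpoint.get("SplitTunnel"):
        # Full tunnel: the client sends everything to the endpoint, so the endpoint
        # itself needs a route and an authorization rule for 0.0.0.0/0.
        if not _active(routes, "0.0.0.0/0"):
            problems.append("endpoint route table: no active 0.0.0.0/0 route targeting the associated subnet")
        if not _active(auth_rules, "0.0.0.0/0"):
            problems.append("authorization rules: no active rule for 0.0.0.0/0")
    if not any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and str(r.get("GatewayId", "")).startswith("igw-")
               for r in subnet_rt.get("Routes", [])):
        problems.append("subnet route table: no 0.0.0.0/0 route via an internet gateway")
    for port in (80, 443):
        if not sg_allows_egress(sg, port):
            problems.append(f"security group: no egress to 0.0.0.0/0 on tcp/{port}")
    dns = endpoint.get("DnsServers") or []
    if not dns:
        problems.append("endpoint: no DNS servers set; full-tunnel clients keep their LAN resolver, "
                        "which is now routed into the tunnel")
    for server in dns:
        if not _covered(server, auth_rules):
            problems.append(f"DNS server {server} is not covered by any active authorization rule")
    return problems


if __name__ == "__main__":
    for problem in check_internet_access(ENDPOINT, ROUTES, AUTH_RULES, SUBNET_ROUTE_TABLE, SECURITY_GROUP):
        print("-", problem)
```

On the constructed sample the security group and internet gateway are fine, exactly as in the question's comments, and the two findings are the endpoint-side route and authorization rule for 0.0.0.0/0; a split-tunnel endpoint skips those two checks because internet traffic never enters the tunnel.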

I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.