What IP addresses do I allow in an EC2 Security group to allow Client VPN traffic through?
I have an AWS Client VPN setup so that people who can connect to the VPN can access our EC2 servers on the same VPC. Some users are reporting they cannot connect to the services while on the VPN, while others can.
I can do a ping {{address_of_ec2_instance}} in the terminal and get a response, but another user connected to the same VPN will get a timeout with the exact same command, and the same IP resolved. When they go to https://www.whatismyip.com/ , they report being connected to the same ISP and location.
The only thing I can speculate is that maybe I haven't allowed the proper port range in the EC2 security settings, and some users are within the port range but others are not. How do I determine what port range to forward, given a Client VPN Endpoint?
When you launch a Client VPN you will provide a Client IPv4 CIDR range. When connecting to this you will be given an IP address from this range (which is treated as the private IP address when connecting).
For any private IP connections the source IP will come from this range (and as you're using a Client VPN you should connect using the private IP over the public one to keep network transit through the tunnel).
If you connect via the public IP address you will need to consider whether you want all traffic or just private traffic to go through the Client VPN. By enabling split-tunnel you will be using the public IP address of your on-premise network, otherwise you will be using a public IP address from Amazon's pool of servers.
As a side note, if you're ever trying to debug connection failures you can make use of VPC Flow Logs.
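The point of the answer is that the security group must admit the Client IPv4 CIDR as the source range, and that a rule covering only part of it produces exactly the "some users can, some can't" symptom. The following is an added example, not code from the question or answer, that checks a set of inbound rules against a client CIDR and reports which client addresses no rule admits. The client CIDR, the VPC CIDR and the rule set are constructed sample values; the rule dictionary layout is a simplification, not the AWS API shape.

```python
from ipaddress import ip_network

# Constructed example values (not from the question): the Client VPN
# "Client IPv4 CIDR" and an EC2 security group's inbound rules.
CLIENT_CIDR = "10.100.0.0/22"

INGRESS_RULES = [
    # Allows HTTPS only from the VPC's own range; VPN clients are NOT in it.
    {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "10.0.0.0/16"},
    # Allows ping from only the first half of the client range, so some
    # VPN users get replies and others time out, like the symptom described.
    {"proto": "icmp", "from_port": -1, "to_port": -1, "cidr": "10.100.0.0/23"},
]


def rule_matches(rule, proto, port):
    """Does this rule apply to the protocol/port under test? '-1' means 'all'."""
    if rule["proto"] not in (proto, "-1"):
        return False
    if proto == "icmp" or rule["from_port"] == -1:
        return True
    return rule["from_port"] <= port <= rule["to_port"]


def uncovered_sources(rules, client_cidr, proto, port=None):
    """Return the parts of client_cidr that no matching inbound rule admits."""
    remaining = [ip_network(client_cidr)]
    for rule in rules:
        if not rule_matches(rule, proto, port):
            continue
        allowed = ip_network(rule["cidr"])
        kept = []
        for block in remaining:
            if not block.overlaps(allowed):
                kept.append(block)          # rule says nothing about this block
            elif block.subnet_of(allowed):
                pass                        # whole block is admitted
            else:                           # CIDRs nest, so allowed is inside block
                kept.extend(block.address_exclude(allowed))
        remaining = kept
    return sorted(str(n) for n in remaining)


def client_rule(client_cidr, proto, from_port, to_port):
    """The rule the answer recommends: the whole client CIDR as the source."""
    return {"proto": proto, "from_port": from_port, "to_port": to_port, "cidr": client_cidr}


if __name__ == "__main__":
    print("HTTPS gaps:", uncovered_sources(INGRESS_RULES, CLIENT_CIDR, "tcp", 443))
    print("ICMP gaps: ", uncovered_sources(INGRESS_RULES, CLIENT_CIDR, "icmp"))
    fixed = INGRESS_RULES + [client_rule(CLIENT_CIDR, "tcp", 443, 443),
                             client_rule(CLIENT_CIDR, "icmp", -1, -1)]
    print("after fix: ", uncovered_sources(fixed, CLIENT_CIDR, "tcp", 443),
          uncovered_sources(fixed, CLIENT_CIDR, "icmp"))
```

With the sample rules, HTTPS is unreachable for every VPN client and ping works only for clients that happened to land in 10.100.0.0/23; adding the client CIDR as a source closes both gaps.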