
AWS Client VPN can connect but cannot access VPC resources

I've configured AWS Client VPN so that I can successfully connect using mutual authentication (certificates) and I can access the Internet. Still, despite following manuals, I cannot access resources in other subnets in the very same VPC. I would be very grateful for any hints of what might be missing.

Client VPN configuration:

Association:
Subnet: subnet-0a51a9e6891ccee4f
Security Group: sg-08649152e7b46e74a

Authorization:
CIDR (1): 0.0.0.0/0
CIDR (2): 172.30.0.0/16 (VPC private IP)

Route Table:
CIDR: 172.30.0.0/16, Target Subnet: subnet-0a51a9e6891ccee4f
CIDR: 0.0.0.0/0, Target Subnet: subnet-0a51a9e6891ccee4f

VPN Subnet configuration (subnet-0a51a9e6891ccee4f):

Route Table:
Destination: 172.30.0.0/16, Target: local
Destination: 0.0.0.0/0, Target: igw-55d21930

Network ACL:
Inbound:
100 ALL Traffic ALL ALL 0.0.0.0/0 ALLOW
1000 ALL Traffic ALL ALL 172.30.0.0/16 ALLOW

Outbound:
100 ALL Traffic ALL ALL 0.0.0.0/0 ALLOW
1000 ALL Traffic ALL ALL 172.30.0.0/16 ALLOW

VPN Security Group: (sg-08649152e7b46e74a)
Inbound:
All traffic All All 0.0.0.0/0 
All traffic All All 172.30.0.0/16
All traffic All All sg-08649152e7b46e74a

Outbound:
All traffic All All 172.30.0.0/16
All traffic All All 0.0.0.0/0
All traffic All All sg-08649152e7b46e74a

The client is able to connect and gets an IP assigned, e.g. 172.30.8.98.

Still, I cannot access the EC2 instance (in this scenario, MongoDB on port 27017), which is protected by a Security Group, even though I allow traffic from the aforementioned VPN Security Group (sg-08649152e7b46e74a).

Maybe one of these will help:

  1. The SG associated with the subnet is useful only for internet access - add 0.0.0.0/0 and forget about it (unless someone wants to enlighten me afterwards). Now that you want to connect to the mongo EC2, add a rule to its SG to allow 27017 from sg-08649152e7b46e74a

  2. You are trying to connect to the EC2 public IP instead of the private IP
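An offline checker for the two points above (an added example, not part of either answer): it takes the question's Client VPN routes and authorization rules plus a constructed copy of the MongoDB instance's security-group ingress in the shape boto3's describe_security_groups returns, and reports whether a target address is a private VPC address and whether that SG admits tcp/27017 from the VPN SG. The MongoDB SG rules and the target addresses are constructed for the example.

```python
import ipaddress

# Values taken from the question; the MongoDB SG ingress below is constructed.
VPC_CIDR = "172.30.0.0/16"
VPN_SG = "sg-08649152e7b46e74a"                  # SG on the Client VPN association
VPN_ROUTES = ["172.30.0.0/16", "0.0.0.0/0"]       # Client VPN endpoint route table
VPN_AUTH_RULES = ["0.0.0.0/0", "172.30.0.0/16"]   # Client VPN authorization rules

# Constructed ingress rules of the MongoDB instance's SG (boto3 IpPermissions shape).
MONGO_SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": VPN_SG}]},
]

def cidr_covers(cidrs, ip):
    """True if any CIDR in the list contains ip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def sg_allows(ingress, port, source_sg):
    """True if a tcp (or all-traffic, IpProtocol -1) rule covers port from source_sg."""
    for p in ingress:
        proto_ok = p["IpProtocol"] in ("tcp", "-1")
        port_ok = (p["IpProtocol"] == "-1"
                   or p.get("FromPort", 0) <= port <= p.get("ToPort", 65535))
        src_ok = any(g["GroupId"] == source_sg for g in p.get("UserIdGroupPairs", []))
        if proto_ok and port_ok and src_ok:
            return True
    return False

def diagnose(target_ip, port, ingress=MONGO_SG_INGRESS):
    """Return likely causes of a failed connection; [] means these layers look right."""
    findings = []
    if ipaddress.ip_address(target_ip) not in ipaddress.ip_network(VPC_CIDR):
        findings.append("target is outside the VPC CIDR: use the instance's private IP")
    if not cidr_covers(VPN_ROUTES, target_ip):
        findings.append("no Client VPN route covers the target")
    if not cidr_covers(VPN_AUTH_RULES, target_ip):
        findings.append("no authorization rule covers the target")
    if not sg_allows(ingress, port, VPN_SG):
        findings.append(f"target SG has no rule for tcp/{port} from {VPN_SG}")
    return findings

if __name__ == "__main__":
    print(diagnose("172.30.5.10", 27017))   # private IP, SG rule present
    print(diagnose("54.0.0.1", 27017))      # public IP: point 2 above
    print(diagnose("172.30.5.10", 27017, ingress=[]))  # missing SG rule: point 1
```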

I had the exact same problem; I had to amend the OpenVPN configuration file with the following routes.

VPC CIDR: 192.168.0.0/16
Routes for OpenVPN configuration file:
# ignore routes pushed by the server; only the routes below are installed
route-nopull
# send the VPC CIDR (192.168.0.0/16 here) through the tunnel
route 192.168.0.0 255.255.0.0
# use the VPC's DNS resolver (VPC CIDR base address + 2)
dhcp-option DNS 192.168.0.2
