I've configured AWS Client VPN so that I can successfully connect using mutual authentication (certificates) and I can access the Internet. Still, despite following the manuals, I cannot access resources in other subnets of the very same VPC. I would be very grateful for any hints about what might be missing.
Client VPN configuration:
    Association:
        Subnet: subnet-0a51a9e6891ccee4f
        Security Group: sg-08649152e7b46e74a
    Authorization:
        CIDR (1): 0.0.0.0/0
        CIDR (2): 172.30.0.0/16 (VPC private IP range)
    Route Table:
        CIDR: 172.30.0.0/16, Target Subnet: subnet-0a51a9e6891ccee4f
        CIDR: 0.0.0.0/0, Target Subnet: subnet-0a51a9e6891ccee4f

VPN subnet configuration (subnet-0a51a9e6891ccee4f):
    Route Table:
        Destination: 172.30.0.0/16, Target: local
        Destination: 0.0.0.0/0, Target: igw-55d21930
    Network ACL:
        Inbound:
            100   ALL Traffic  ALL  ALL  0.0.0.0/0      ALLOW
            1000  ALL Traffic  ALL  ALL  172.30.0.0/16  ALLOW
        Outbound:
            100   ALL Traffic  ALL  ALL  0.0.0.0/0      ALLOW
            1000  ALL Traffic  ALL  ALL  172.30.0.0/16  ALLOW

VPN Security Group (sg-08649152e7b46e74a):
    Inbound:
        All traffic  All  All  0.0.0.0/0
        All traffic  All  All  172.30.0.0/16
        All traffic  All  All  sg-08649152e7b46e74a
    Outbound:
        All traffic  All  All  172.30.0.0/16
        All traffic  All  All  0.0.0.0/0
        All traffic  All  All  sg-08649152e7b46e74a
The client is able to connect and gets assigned an IP, e.g. 172.30.8.98.
Still, I cannot access the EC2 instance (in this scenario, MongoDB on port 27017), which is protected by a security group, even though I allow traffic from the aforementioned VPN security group (sg-08649152e7b46e74a).
Maybe one of these will help:
- The SG associated with the subnet is useful only for internet access: add 0.0.0.0/0 and forget about it (unless someone wants to enlighten me afterwards). Now that you want to connect to the mongo EC2 instance, add a rule to its SG to allow 27017 from sg-08649152e7b46e74a.
- You are trying to connect to the EC2 public IP instead of the private IP.
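The first answer's point is that the security group on the MongoDB instance has to admit traffic from the security group associated with the Client VPN endpoint, not from the address the client itself was handed. Client VPN source-NATs client traffic to the endpoint's network interface in the associated subnet, so that is the source the target security group evaluates. The following added example (not code from the question or the answers) models the three hops the question's configuration has to clear: a Client VPN route to the destination, an authorization rule covering it, and an ingress rule on the target's security group. The VPC CIDR, Client VPN routes, authorization rules and security-group id come from the question; the client CIDR, the endpoint ENI address, and the MongoDB instance's address and rules are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SgRule:
    """One ingress rule of an EC2 security group (the fields that matter here)."""
    protocol: str                    # "tcp", "udp", "icmp" or "-1" for all traffic
    from_port: int = -1              # -1 when the rule covers all ports
    to_port: int = -1
    cidr: Optional[str] = None       # either a CIDR source ...
    source_sg: Optional[str] = None  # ... or another security group as the source


def rule_matches(rule: SgRule, protocol: str, port: int, src_ip: str, src_sgs: set) -> bool:
    """Does this ingress rule admit <protocol>/<port> from src_ip, which belongs to src_sgs?"""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.cidr is not None:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr)
    return rule.source_sg is not None and rule.source_sg in src_sgs


def any_covers(cidrs, ip: str) -> bool:
    """True when at least one CIDR in the list contains ip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def check_path(vpn: dict, target: dict, protocol: str, port: int) -> list:
    """Return the checks that fail; an empty list means the path is open on paper."""
    problems = []
    # AWS rejects a client CIDR that overlaps the VPC CIDR of the target network.
    if ipaddress.ip_network(vpn["client_cidr"]).overlaps(ipaddress.ip_network(vpn["vpc_cidr"])):
        problems.append("client CIDR overlaps the VPC CIDR")
    if not any_covers(vpn["routes"], target["ip"]):
        problems.append("Client VPN route table has no route to the destination")
    if not any_covers(vpn["authorization"], target["ip"]):
        problems.append("no Client VPN authorization rule covers the destination")
    # Client VPN source-NATs client traffic to the endpoint ENI in the associated
    # subnet, so the target SG sees the ENI address and the endpoint's security
    # group, never the client's own VPN address.
    if not any(rule_matches(r, protocol, port, vpn["eni_ip"], {vpn["security_group"]})
               for r in target["ingress"]):
        problems.append(f"target security group has no ingress rule for {protocol}/{port} from the VPN endpoint")
    return problems


# Values from the question; client_cidr and eni_ip are assumptions (not on the page).
VPN = {
    "vpc_cidr": "172.30.0.0/16",
    "client_cidr": "10.8.0.0/22",   # assumed client range, non-overlapping with the VPC
    "eni_ip": "172.30.1.10",        # assumed address of the Client VPN endpoint ENI
    "security_group": "sg-08649152e7b46e74a",
    "routes": ["172.30.0.0/16", "0.0.0.0/0"],
    "authorization": ["0.0.0.0/0", "172.30.0.0/16"],
}

# Constructed MongoDB instance in another subnet of the same VPC.
# "Before": port 27017 opened only to the client range, which SNAT hides from the instance.
MONGO_BEFORE = {
    "ip": "172.30.2.20",
    "ingress": [SgRule("tcp", 22, 22, cidr="172.30.0.0/16"),
                SgRule("tcp", 27017, 27017, cidr="10.8.0.0/22")],
}
# "After": the rule the first answer recommends, sourced from the Client VPN security group.
MONGO_AFTER = {
    "ip": "172.30.2.20",
    "ingress": MONGO_BEFORE["ingress"] + [SgRule("tcp", 27017, 27017, source_sg="sg-08649152e7b46e74a")],
}

if __name__ == "__main__":
    for label, tgt in (("before", MONGO_BEFORE), ("after", MONGO_AFTER)):
        print(label, check_path(VPN, tgt, "tcp", 27017) or "reachable")
```

Run it as-is to see the "before" configuration fail only on the target security group and the "after" configuration pass; swapping in a client CIDR inside 172.30.0.0/16 makes the overlap check fire, which is worth confirming against the endpoint's actual client CIDR before chasing security-group rules.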
I had the exact same problem; I had to amend the OpenVPN configuration file with the following routes.
VPC CIDR: 192.168.0.0/16
Routes for the OpenVPN configuration file:
# ignore routes pushed by the server; define them locally instead
route-nopull
# route the whole VPC CIDR (192.168.0.0/16) through the tunnel
route 192.168.0.0 255.255.0.0
# use the VPC DNS resolver (VPC base address + 2)
dhcp-option DNS 192.168.0.2