AWS Client VPN can connect but cannot access VPC resources

Question

I've configured AWS Client VPN so that I can successfully connect using mutual authentication (certificates) and I can access the Internet. Still, despite following manuals, I cannot access resources in other subnets in the very same VPC. I would be very grateful for any hints of what might be missing.

Client VPN configuration:

Association:
Subnet: subnet-0a51a9e6891ccee4f
Security Group:  sg-08649152e7b46e74a

Authorization:
CIDR (1): 0.0.0.0/0
CIDR (2): 172.30.0.0/16 (VPC private IP)

Route Table:
CIDR: 172.30.0.0/16, Target Subnet: subnet-0a51a9e6891ccee4f
CIDR: 0.0.0.0/0, Target Subnet: subnet-0a51a9e6891ccee4f

VPN Subnet configuration (subnet-0a51a9e6891ccee4f):

Route Table:
Destination: 172.30.0.0/16, Target: local
Destination: 0.0.0.0/0, Target: igw-55d21930

Network ACL:
Inbound:
100 ALL Traffic ALL ALL 0.0.0.0/0 ALLOW
1000 ALL Traffic ALL ALL 172.30.0.0/16 ALLOW

Outbound:
100 ALL Traffic ALL ALL 0.0.0.0/0 ALLOW
1000 ALL Traffic ALL ALL 172.30.0.0/16 ALLOW

VPN Security Group: (sg-08649152e7b46e74a)
Inbound:
All traffic All All 0.0.0.0/0 
All traffic All All 172.30.0.0/16
All traffic All All sg-08649152e7b46e74a

Outbound:
All traffic All All 172.30.0.0/16
All traffic All All 0.0.0.0/0
All traffic All All sg-08649152e7b46e74a

Client is able to connect and gets assigned IP, e.g. 172.30.8.98.

Still I cannot access EC2 instance (in this scenario this is mongodb on port 27017) which is protected by a Security Group even though I allow traffic from the aforementioned VPN Security Group (sg-08649152e7b46e74a).

1

Did you ever resolve this ? – ctorx Aug 13 '19 at 15:03

score 0 · Answer 1 · answered Apr 30 '19 at 09:27

Maybe one of this will help:

SG associated with subnet is useful only for internet access - add 0.0.0.0/0 and forget about it (unless someone want to enlighten me after). Now that you want to connect to mongo EC2, add a rule to its SG to allow 27017 from sg-08649152e7b46e74a
You are trying to connect to EC2 public IP instead of private IP

score 0 · Answer 2 · answered Feb 06 '20 at 19:12

0

In had the exact same problem, I had to amend the OpenVPN configuration file with the following routes.

VPC CIDR : 192.168.0.0/16
Routes for OpenVPN Configuration File :
route-nopull
route 192.16.0.0 255.255.0.0
dhcp-option DNS 192.168.0.2

answered Feb 06 '20 at 19:12

samtoddler

8,463
2
26
21

AWS Client VPN can connect but cannot access VPC resources

2 Answers2