AWS Client VPN traffic over Transit Gateway

I’ve spent the past day building AWS Client VPN as redundancy in the event that my IKEv2/IPSec VPN cluster goes down.

The IKEv2/IPSec cluster resides in a VPC which is connected to many other VPCs using Transit Gateway.

I’ve managed to set up AWS Client VPN in the same VPC as the IKEv2/IPSec VPN cluster, and successfully used AWS Client VPN to connect to resources within the same VPC.

I’m having problems using AWS Client VPN to connect to resources in other VPCs connected via Transit Gateway.

I’ve got 2 questions:

  1. Is it possible for traffic coming from AWS Client VPN to traverse over Transit Gateway?
  2. If it is possible, would you please share troubleshooting advice?

Not enough information in your post to offer specific advice, but I’ll wager some internet points that your route tables need work. They are the most complicated part of building a TGW-based network by far, particularly if you don’t have a solid networking background.

AWS Client VPN is NAT mode OpenVPN (probably).

Therefore any downstream clients will see the IPs coming from one of the IPs in the VPC.
If you have set up routing in the TGW route tables with this in mind, also check the client VPN's authorised routes and route configuration.

Thanks, this post was the hint I needed. The AWS Client VPN route table wasn’t configured properly the first time I connected.

The changes I was making while I was connected weren’t being picked up by the OpenVPN client because split tunnel was enabled and I wasn’t resetting the connection between changes, as documented here.

Routes - AWS Client VPN

Split-Tunnel on AWS Client VPN Endpoint Considerations

When you use split-tunnel on an AWS Client VPN endpoint, all of the routes that are in the AWS Client VPN route tables are added to the client route table when the VPN is established. If you add a route after the VPN is established, you must reset the connection so that the new route is sent to the client.

Thanks, your advice on checking the client VPN’s route configuration was spot on.

The root cause was badly configured route tables on the AWS Client VPN, along with not resetting the connection while split-tunnel was enabled.
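The route-table advice in the replies above (the endpoint NATs clients to VPC addresses, so every hop out to the remote VPC and back must be routed) plus the split-tunnel reset note from the AWS docs, written up as a small path checker. This is an added example, not code from the thread or from AWS; the route tables are constructed with placeholder targets ("tgw", "subnet-a", "attach-remote") and the NAT-to-VPC-address behaviour is assumed as the reply describes it.

```python
import ipaddress

def covers(cidr, dest):
    """True if prefix `cidr` contains all of `dest`."""
    return ipaddress.ip_network(dest).subnet_of(ipaddress.ip_network(cidr))

def has_route(routes, dest, target=None):
    """routes: list of (cidr, target). Match on prefix, and on target if one is required."""
    return any(covers(c, dest) and (target is None or t == target) for c, t in routes)

def check_path(dest, net):
    """List the hops that would drop Client VPN traffic to `dest`; `net` holds the route tables."""
    problems = []
    # Hops 1-2: the endpoint's own route table and an authorization rule must cover dest.
    if not has_route(net["cvpn_routes"], dest):
        problems.append("Client VPN route table has no route to " + dest)
    if not any(covers(c, dest) for c in net["auth_rules"]):
        problems.append("no Client VPN authorization rule covers " + dest)
    # Hop 3: the target subnet's VPC route table must hand dest to the TGW.
    if not has_route(net["vpc_rt"], dest, "tgw"):
        problems.append("VPC subnet route table does not route " + dest + " to the TGW")
    # Hop 4: the TGW route table used by the VPN VPC's attachment must reach dest.
    if not has_route(net["tgw_rt_vpn_vpc"], dest):
        problems.append("TGW route table (VPN VPC attachment) has no route to " + dest)
    # Return path: clients are NATed to VPC addresses, so the remote side must route the VPN VPC CIDR back.
    src = net["vpn_vpc_cidr"]
    if not has_route(net["tgw_rt_remote"], src):
        problems.append("TGW route table (remote attachment) has no return route to " + src)
    if not has_route(net["remote_vpc_rt"], src, "tgw"):
        problems.append("remote VPC route table has no return route to " + src + " via TGW")
    # Split-tunnel caveat: routes are pushed only at connect time, so one added later
    # is missing from the client's copy until the session is reset.
    if (net["split_tunnel"] and has_route(net["cvpn_routes"], dest)
            and not has_route(net["client_pushed_routes"], dest)):
        problems.append("route to " + dest + " was added after connect: reset the VPN session")
    return problems

# Constructed sample: remote VPC 10.20.0.0/16 behind the TGW. The endpoint route was
# added during a split-tunnel session, and the remote VPC has no return route.
SAMPLE = {
    "vpn_vpc_cidr": "10.10.0.0/16",
    "cvpn_routes": [("10.10.0.0/16", "subnet-a"), ("10.20.0.0/16", "subnet-a")],
    "auth_rules": ["10.10.0.0/16", "10.20.0.0/16"],
    "vpc_rt": [("10.10.0.0/16", "local"), ("10.20.0.0/16", "tgw")],
    "tgw_rt_vpn_vpc": [("10.20.0.0/16", "attach-remote")],
    "tgw_rt_remote": [("10.10.0.0/16", "attach-vpn")],
    "remote_vpc_rt": [("10.20.0.0/16", "local")],
    "split_tunnel": True,
    "client_pushed_routes": [("10.10.0.0/16", "tun0")],
}
```

Running `check_path("10.20.0.0/16", SAMPLE)` reports the missing return route and the stale client route snapshot, which are the two faults described in this thread.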