I have recently set up an AWS VPN Client. I can successfully connect to the AWS VPC defined from my office, and through setting up the split-tunnel option I can see that the default internet path is kept as per my office configuration; however, I cannot browse the internet. I have checked, and ping works OK to external addresses; the problem lies with DNS resolution.
I have tried setting a public DNS such as 8.8.8.8 (correctly pushed to my office config, as far as I can see in ipconfig and the routing table) and have also tried disabling DNS config pushing altogether, but no matter what I try, the second I connect the VPN, DNS resolution stops working altogether.
Has anyone experienced that? The AWS VPN Client is OpenVPN, but I don't have access to the backend and therefore can't really do much with the server-side config other than what the AWS interface provides.
My LAN adapter has the following config:
Link-local IPv6 Address . . . . . : fe80::61dd:e38c:8f56:6914%33(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.46(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 80.58.61.250
80.58.61.254
My route table before connecting to the VPN is:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.46 35
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.1.0 255.255.255.0 On-link 192.168.1.46 291
192.168.1.46 255.255.255.255 On-link 192.168.1.46 291
192.168.1.255 255.255.255.255 On-link 192.168.1.46 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.1.46 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.1.46 291
===========================================================================
After I connect the VPN, my VPN network config is:
Ethernet adapter Ethernet 4:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::9525:f089:27af:591c%11(Preferred)
IPv4 Address. . . . . . . . . . . : 10.10.1.194(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 8.8.8.8
205.251.192.0
NetBIOS over Tcpip. . . . . . . . : Enabled
And my route table just adds the routes to the destination networks:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.46 35
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
10.10.0.0 255.255.0.0 10.10.1.193 10.10.1.194 257
10.10.1.192 255.255.255.224 On-link 10.10.1.194 257
10.10.1.194 255.255.255.255 On-link 10.10.1.194 257
10.10.1.223 255.255.255.255 On-link 10.10.1.194 257
10.20.0.0 255.255.0.0 10.20.1.193 10.10.1.194 257
192.168.1.0 255.255.255.0 On-link 192.168.1.46 291
192.168.1.46 255.255.255.255 On-link 192.168.1.46 291
192.168.1.255 255.255.255.255 On-link 192.168.1.46 291
192.168.228.224 255.255.255.240 On-link 192.168.228.225 5256
192.168.228.225 255.255.255.255 On-link 192.168.228.225 5256
192.168.228.239 255.255.255.255 On-link 192.168.228.225 5256
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.1.46 291
224.0.0.0 240.0.0.0 On-link 172.17.1.194 257
224.0.0.0 240.0.0.0 On-link 192.168.228.225 5256
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.1.46 291
255.255.255.255 255.255.255.255 On-link 10.10.1.194 257
255.255.255.255 255.255.255.255 On-link 192.168.228.225 5256
===========================================================================
At this point, I can successfully connect to any 10.10.x or 10.20.x VM, but I lose access to the internet. If I try to ping 8.8.8.8, the ping is successful:
c:\Temp>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=13ms TTL=54
But if I try to resolve, it doesn't work:
c:\Temp>ping google.com
Ping request could not find host google.com. Please check the name and try again.
Same with nslookup:
c:\Temp>nslookup google.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 8.8.8.8
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
And tracert to 8.8.8.8 correctly shows that it's going through the office gateway:
C:\Users\Me>tracert 8.8.8.8
Tracing route to 8.8.8.8 over a maximum of 30 hops
1 3 ms 3 ms 3 ms 192.168.1.1
2 73 ms 6 ms 34 ms 81.46.38.134
3 11 ms 12 ms 11 ms 81.46.34.21
4 41 ms 12 ms 11 ms 81.46.34.137
5 11 ms 11 ms 13 ms 80.58.106.1
6 11 ms 11 ms 12 ms 176.52.253.93
7 54 ms 12 ms 12 ms 209.85.149.88
8 * * * Request timed out.
9 29 ms 12 ms 11 ms 8.8.8.8
Trace complete.
Any help would be appreciated.
Thanks!
Nissy
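The post above shows the symptom (ping to 8.8.8.8 works, DNS to it times out) but not which adapter's resolvers Windows is ranking first, which gateway each configured resolver is actually reached through, or whether each resolver answers on port 53 at all. The PowerShell below is an added diagnostic, not code from the original post or from AWS: it inventories every connected IPv4 interface with its DNS servers and interface metric (the Windows DNS client prefers the servers of the lowest-metric interface), then probes each configured server directly over UDP and TCP. It assumes the NetTCPIP and DnsClient modules shipped with Windows 8.1 / Server 2012 R2 and later, and uses google.com as the test name.

```powershell
# Added diagnostic (not part of the original post). Run it once with the VPN
# disconnected and once connected, and compare the two outputs.
# Assumptions: Windows 8.1+/Server 2012 R2+ cmdlets; 'google.com' as test name.

function Get-DnsServerInventory {
    # One row per (interface, DNS server), lowest InterfaceMetric first, which
    # is the order in which the Windows DNS client prefers resolvers.
    $ifaces = Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.ConnectionState -eq 'Connected' } |
        Sort-Object InterfaceMetric
    foreach ($if in $ifaces) {
        $cfg = Get-DnsClientServerAddress -InterfaceIndex $if.InterfaceIndex -AddressFamily IPv4
        foreach ($server in $cfg.ServerAddresses) {
            [pscustomobject]@{
                Interface = $if.InterfaceAlias
                IfIndex   = $if.InterfaceIndex
                IfMetric  = $if.InterfaceMetric
                DnsServer = $server
            }
        }
    }
}

function Test-DnsServerPath {
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$Name = 'google.com'
    )
    # Find-NetRoute returns the chosen source address followed by the route
    # object; only the route object carries NextHop/InterfaceAlias.
    $route = Find-NetRoute -RemoteIPAddress $Server |
        Where-Object { $null -ne $_.NextHop } | Select-Object -First 1

    # TCP/53 reachability only; Test-NetConnection cannot probe UDP.
    $tcp53 = Test-NetConnection -ComputerName $Server -Port 53 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    # Real queries: default UDP first, then forced TCP. -DnsOnly disables the
    # hosts-file/LLMNR/NetBIOS fallbacks so a failure is this server on this path.
    $udp = 'ok'; $tcp = 'ok'
    try { $null = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -QuickTimeout -ErrorAction Stop }
    catch { $udp = $_.Exception.Message }
    try { $null = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -TcpOnly -QuickTimeout -ErrorAction Stop }
    catch { $tcp = $_.Exception.Message }

    [pscustomobject]@{
        DnsServer    = $Server
        ViaInterface = $route.InterfaceAlias
        NextHop      = $route.NextHop
        Tcp53Open    = $tcp53
        UdpQuery     = $udp
        TcpQuery     = $tcp
    }
}

Clear-DnsClientCache
Get-DnsServerInventory | Format-Table -AutoSize
Get-DnsServerInventory | Select-Object -ExpandProperty DnsServer -Unique |
    ForEach-Object { Test-DnsServerPath -Server $_ } | Format-Table -AutoSize
```

Reading the result: a resolver whose NextHop is the office gateway but whose UdpQuery and TcpQuery both time out is being blocked on port 53 somewhere on that path even though it answers ICMP; a resolver whose NextHop is the tunnel peer while the VPN is split-tunnel will only be reachable if its address falls inside the pushed routes. The first table also tells you whether the TAP adapter's metric puts its resolvers ahead of the LAN adapter's, which is what decides whose servers nslookup picks by default.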
To me, it looks like your issue is in the VPN subnet NACLs in the AWS VPN you are using. When connected to the VPN, all your traffic is flowing to the AWS subnet. ICMP traffic appears to be permitted, but specific application protocols like HTTP (80, 443) and DNS (53) appear to be blocked on either ingress or egress.
Have a look at the NACLs (Network Access Control Lists) in AWS to see what way they are set up.
Also, do a tracert to 8.8.8.8 and see which way that traffic is flowing. tracert also uses ICMP, so it will give you some extra information.
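To follow the suggestion above without reading rule by rule in the console, the PowerShell below is an added example (not from the original answer, and not AWS tooling) that pulls the NACL attached to a Client VPN association subnet through the AWS CLI and evaluates it the way the VPC does: lowest rule number first, first match wins, with the implicit catch-all (rule 32767, deny) that the API returns as the last entry. It reports the deciding rule for DNS and HTTP/HTTPS over both TCP and UDP in each direction. It assumes AWS CLI v2 with working credentials; the subnet ID and region are placeholders you replace with your own. Note that with split-tunnel only destinations covered by the pushed routes (here 10.10.0.0/16 and 10.20.0.0/16) traverse the tunnel, so this check matters when the resolver or web server you are reaching sits behind those routes.

```powershell
# Added example (not from the original answer). Evaluates the NACL on a Client
# VPN association subnet for a set of ports, the way the VPC evaluates it.
# Assumptions: AWS CLI v2 on PATH with credentials; -SubnetId/-Region are
# placeholders for your own values.

function Get-NaclDecision {
    param(
        [Parameter(Mandatory)][string]$SubnetId,
        [Parameter(Mandatory)][string]$Region,
        [int[]]$Ports = @(53, 80, 443)
    )
    # Join the CLI's output lines before parsing so this works on both
    # Windows PowerShell 5.1 and PowerShell 7.
    $raw = (aws ec2 describe-network-acls --region $Region --output json `
        --filters "Name=association.subnet-id,Values=$SubnetId") -join "`n"
    $acls = ($raw | ConvertFrom-Json).NetworkAcls

    foreach ($acl in $acls) {
        foreach ($egress in @($false, $true)) {
            $direction = if ($egress) { 'egress' } else { 'ingress' }
            # Rules are evaluated in ascending RuleNumber order; first match wins.
            $entries = $acl.Entries |
                Where-Object { $_.Egress -eq $egress } |
                Sort-Object RuleNumber
            foreach ($port in $Ports) {
                foreach ($proto in @('6', '17')) {            # 6 = TCP, 17 = UDP
                    $protoName = if ($proto -eq '6') { 'tcp' } else { 'udp' }
                    # Protocol '-1' means "all"; such entries carry no PortRange.
                    $match = $entries | Where-Object {
                        ($_.Protocol -eq '-1' -or $_.Protocol -eq $proto) -and
                        ($null -eq $_.PortRange -or
                         ($_.PortRange.From -le $port -and $_.PortRange.To -ge $port))
                    } | Select-Object -First 1
                    [pscustomobject]@{
                        NetworkAcl = $acl.NetworkAclId
                        Direction  = $direction
                        Proto      = $protoName
                        Port       = $port
                        RuleNumber = $match.RuleNumber
                        Decision   = $match.RuleAction
                        Cidr       = $match.CidrBlock
                    }
                }
            }
        }
    }
}

# Usage with placeholder values:
# Get-NaclDecision -SubnetId subnet-xxxxxxxx -Region eu-west-1 | Format-Table -AutoSize
```

Because NACLs are stateless, a permitted outbound query still fails if the reply is denied on the way back: run the function a second time with an ephemeral port in the port list (for example -Ports 60000, inside the default Windows dynamic range of 49152-65535) and check the opposite direction's decision as well.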