I'm trying to allow VPN users to use Private Route53 DNS entries, e.g. a private hosted zone example.corp issuing DNS records on the local network.

At the moment I can't even find the right set of configurations to allow connected clients to use amazon's DNS at all.

Current (simplified) setup

The client VPN endpoint is allocated CIDR range 172.20.0.0/22. It has one configured target network association which has CIDR 172.20.254.0/24.

The target network is empty, meaning no EC2 instances live there, etc. However, it does itself have onward routing rules to allow traffic to other networks. Access to those onward routes is controlled through "Authorization Rules". The route table has just one entry stating that 172.20.0.0/16 (the whole VPC) is forwarded to the target network association.

The security group associated with the VPN is very permissive allowing anything on 172.20.0.0/16.

This configuration has worked without DNS for over a year. The only changes I'm now making are to enable DNS.

Changes - Attempting to enable DNS

This page tells me that the DNS should be available on the network range +2. I've tried setting the VPN DNS server to 172.20.0.2 and 172.20.254.0 (not at the same time), but neither responds to DNS requests or ICMP ping.

In an attempt to get this working I have tried:

  • Ensuring that "DNS resolution" and "DNS hostnames" were both set on the VPC
  • Adding Authorization Rules for both 172.20.254.0/24 and 172.20.0.2/22
  • Adding a route table entry for 172.20.0.0/22 to local

How am I supposed to set up a Client VPN Endpoint to use AWS DNS?

1 Answer

The VPN's own CIDR block is not supposed to be part of your VPC's CIDR block and exists outside the VPC.

As above, my associated subnet was on 172.20.254.0/24, part of VPC CIDR 172.20.0.0/16. Having the VPN's CIDR block be 172.20.0.0/22 was problematic because it overlapped the all-important 172.20.0.2, which is the DNS IP on the VPC.

One real point of confusion here is that the DNS IP does not need to be in any subnet at all.

Solution

  • I tore down the VPN and moved its CIDR to 172.16.0.0/22 so that it no longer overlapped the VPC's CIDR 172.20.0.0/16.
  • I made sure there was an Authorization Rule allowing traffic to the DNS IP 172.20.0.2, i.e. 172.20.0.2/32.
  • I did not need any subnet overlapping the DNS IP.
  • It did still work after I moved the "empty" subnet to overlap the DNS IP.
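As an added example (not code from the asker or the answerer), the following Python preflight encodes the three points from this answer so they can be checked before an endpoint is created: the Amazon-provided resolver sits at the VPC's primary CIDR base plus two and belongs to no subnet, the client CIDR must not overlap the VPC CIDR, and an authorization rule must cover the resolver address. It also builds the boto3 keyword arguments for `create_client_vpn_endpoint` and `authorize_client_vpn_ingress` without calling AWS, so it runs offline. The VPC and CIDR values are the ones from this thread; the certificate ARN, VPC ID and security group ID are placeholders.

```python
"""Preflight for pointing an AWS Client VPN endpoint at the VPC resolver.

Added example for this thread, not the original poster's code.  CIDRs match
the thread; the ARN and resource IDs in main() are placeholders.
"""
from ipaddress import IPv4Address, IPv4Network


def vpc_resolver_ip(vpc_cidr: str) -> IPv4Address:
    """Amazon-provided DNS lives at the VPC's primary CIDR base + 2
    (172.20.0.2 for 172.20.0.0/16).  It is not inside any subnet."""
    return IPv4Network(vpc_cidr).network_address + 2


def client_cidr_ok(client_cidr: str, vpc_cidr: str) -> bool:
    """Client addresses must not overlap the VPC; an overlapping client
    pool shadows VPC addresses such as the resolver."""
    return not IPv4Network(client_cidr).overlaps(IPv4Network(vpc_cidr))


def rule_covers_resolver(auth_rules: list[str], vpc_cidr: str) -> bool:
    """Authorization rules are the endpoint's ACL: at least one rule must
    contain the resolver IP.  strict=False tolerates rules written with
    host bits set (e.g. 172.20.0.2/22)."""
    resolver = vpc_resolver_ip(vpc_cidr)
    return any(resolver in IPv4Network(r, strict=False) for r in auth_rules)


def preflight(client_cidr: str, vpc_cidr: str, auth_rules: list[str]) -> list[str]:
    """Return a list of problems; empty means the DNS setup should work."""
    problems = []
    if not client_cidr_ok(client_cidr, vpc_cidr):
        problems.append(f"client CIDR {client_cidr} overlaps VPC CIDR {vpc_cidr}")
    if not rule_covers_resolver(auth_rules, vpc_cidr):
        problems.append(f"no authorization rule covers resolver {vpc_resolver_ip(vpc_cidr)}")
    return problems


def endpoint_params(client_cidr: str, vpc_cidr: str, cert_arn: str,
                    vpc_id: str, sg_id: str) -> dict:
    """Keyword arguments for ec2.create_client_vpn_endpoint (boto3).
    Mutual-TLS auth is assumed; swap AuthenticationOptions as needed."""
    return {
        "ClientCidrBlock": client_cidr,
        "ServerCertificateArn": cert_arn,
        "AuthenticationOptions": [{
            "Type": "certificate-authentication",
            "MutualAuthentication": {"ClientRootCertificateChainArn": cert_arn},
        }],
        "ConnectionLogOptions": {"Enabled": False},
        "DnsServers": [str(vpc_resolver_ip(vpc_cidr))],  # pushed to clients
        "SplitTunnel": True,
        "VpcId": vpc_id,
        "SecurityGroupIds": [sg_id],
    }


def resolver_rule_params(endpoint_id: str, vpc_cidr: str) -> dict:
    """Keyword arguments for ec2.authorize_client_vpn_ingress that allow
    only the resolver address (/32), the minimal rule from the answer."""
    return {
        "ClientVpnEndpointId": endpoint_id,
        "TargetNetworkCidr": f"{vpc_resolver_ip(vpc_cidr)}/32",
        "AuthorizeAllGroups": True,
        "Description": "Amazon-provided DNS resolver",
    }


def main() -> None:
    vpc = "172.20.0.0/16"
    # Configuration from the question: overlapping client pool, subnet-only rule.
    print("original:", preflight("172.20.0.0/22", vpc, ["172.20.254.0/24"]))
    # Configuration from the answer.
    print("fixed:   ", preflight("172.16.0.0/22", vpc, ["172.20.254.0/24", "172.20.0.2/32"]))
    # Placeholders, not real resources.
    print(endpoint_params("172.16.0.0/22", vpc,
                          "arn:aws:acm:us-east-1:123456789012:certificate/placeholder",
                          "vpc-placeholder", "sg-placeholder"))
    print(resolver_rule_params("cvpn-endpoint-placeholder", vpc))


if __name__ == "__main__":
    main()
```

The two dicts are meant to be passed as `ec2.create_client_vpn_endpoint(**params)` and `ec2.authorize_client_vpn_ingress(**params)` after `preflight` returns an empty list; the route to 172.20.0.0/16 via the associated subnet, which the question already has, is what carries the traffic to 172.20.0.2.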
