Site-to-site VPN connection troubleshooting

Hello,

I am attempting to build a small network on AWS for a college project. The project's specification requires me to create a site-to-site VPN to my network. Following the guide at https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html?fbclid=IwAR2xnCFFyzCZNLoCdpPYP7MOwuugjoSd1G6loeeUPpBpoDKYpO_WTMdTe4w#cvpn-getting-started-config I created a VPN client endpoint assigning IP addresses from the 10.0.0.0/22 range and crafted an *.ovpn* file for that endpoint. I tested the connection with the endpoint and it works fine - my Linux laptop gets assigned a *tun0* interface with an address within the aforementioned range. Next, I added a security rule allowing connections to instances inside that AWS subnet via SSH (TCP port 22) only from the address range 10.0.0.0/22. However, it turned out that I cannot connect to my instance, even though I am connected to my VPN endpoint.

Can someone guide me as to what could have gone wrong? I am completely new to AWS and never felt particularly proficient with routing in general, so any help is greatly appreciated. I tried following the guide at https://aws.amazon.com/premiumsupport/knowledge-center/vpn-tunnel-troubleshooting/ but it didn't really help me pinpoint the issue.

Site to site VPN or client VPN? Your title says one and the doc you are referring to is another. They are not the same thing.

Honestly, I don't like the AWS VPN and either use OpenVPN in EC2 or an appliance like F5/Cisco/PA. But if you are connected, it is more than just a security group on the VPN. You need to define a range on both sides, have route tables set up to route properly, have inbound security groups on the machines you want to reach set up properly, etc.

What happens when you try to connect to your instance?

To test: add a line to the security group of the instance to allow ICMP from 10.0.0.0/22. Then, from your computer, ping the private IP address of the instance. Is that successful?
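The checklist in the reply above (a client range, an endpoint route to the VPC, and an inbound rule on the instance's security group) plus the ICMP test can be walked through offline. The following is an added example, not code from the original thread or from AWS; all addresses, the VPC range, the route target and the security-group name `sg-clientvpn` are constructed, and only the 10.0.0.0/22 client range and the SSH-from-10.0.0.0/22 rule come from the post. The `seen_src_ip` parameter models the source address the instance actually receives: a VPN that NATs client traffic presents the gateway's address rather than the client's tun0 address, which is why AWS's Client VPN documentation recommends allowing traffic from the security group applied to the Client VPN endpoint instead of from the client CIDR. The no-overlap check reflects the Client VPN requirement that the client CIDR must not overlap the VPC CIDR.

```python
from ipaddress import ip_address, ip_network

# Constructed example data (not from the original thread, apart from the
# 10.0.0.0/22 client range and the SSH-from-client-range rule it describes).
CLIENT_CIDR = "10.0.0.0/22"          # Client VPN client address pool (from the post)
VPC_CIDR = "172.31.0.0/16"           # assumed VPC range (constructed)
INSTANCE_IP = "172.31.5.10"          # assumed private IP of the target instance (constructed)
CLIENT_TUN_IP = "10.0.1.23"          # what the laptop's tun0 got (constructed)
ENDPOINT_ENI_IP = "172.31.5.200"     # assumed address of the endpoint's interface (constructed)

# Client VPN endpoint route table: destination CIDR -> target subnet (constructed ID).
ENDPOINT_ROUTES = {"172.31.0.0/16": "subnet-vpn-assoc"}

# Instance security-group ingress rules: (protocol, from_port, to_port, source).
# Source is a CIDR or a security-group reference (string starting with "sg-").
SG_RULES = [
    ("tcp", 22, 22, "10.0.0.0/22"),   # the only rule the original post describes
]

# The same group after adding the ICMP test rule and rules keyed on the
# (hypothetical) security group applied to the Client VPN endpoint.
SG_RULES_FIXED = SG_RULES + [
    ("icmp", -1, -1, "10.0.0.0/22"),
    ("tcp", 22, 22, "sg-clientvpn"),
    ("icmp", -1, -1, "sg-clientvpn"),
]


def cidrs_overlap(a, b):
    """Client VPN requires the client CIDR not to overlap the VPC CIDR."""
    return ip_network(a).overlaps(ip_network(b))


def route_for(routes, dest_ip):
    """Longest-prefix match over the endpoint route table; None = no route."""
    ip = ip_address(dest_ip)
    best = None
    for cidr, target in routes.items():
        net = ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def sg_allows(rules, proto, port, src_ip, src_sg=None):
    """True if any ingress rule admits proto/port from src_ip (or from src_sg).
    Security groups are allow-lists; port bounds are ignored for icmp and for
    protocol "-1" (all traffic)."""
    ip = ip_address(src_ip)
    for rule_proto, lo, hi, source in rules:
        if rule_proto not in (proto, "-1"):
            continue
        if proto != "icmp" and rule_proto != "-1" and not (lo <= port <= hi):
            continue
        if source.startswith("sg-"):
            if src_sg == source:
                return True
        elif ip in ip_network(source):
            return True
    return False


def diagnose(client_cidr, vpc_cidr, routes, rules, instance_ip,
             seen_src_ip, seen_src_sg=None):
    """Walk the checklist from the reply and return the failures found.
    seen_src_ip/seen_src_sg describe the source as the instance sees it."""
    problems = []
    if cidrs_overlap(client_cidr, vpc_cidr):
        problems.append("client CIDR overlaps VPC CIDR")
    if route_for(routes, instance_ip) is None:
        problems.append("no endpoint route to instance")
    if not sg_allows(rules, "icmp", 0, seen_src_ip, seen_src_sg):
        problems.append("SG blocks ICMP (ping test will fail)")
    if not sg_allows(rules, "tcp", 22, seen_src_ip, seen_src_sg):
        problems.append("SG blocks SSH")
    return problems


if __name__ == "__main__":
    # 1. Instance sees the client's tun0 address: only the ping test is blocked.
    print(diagnose(CLIENT_CIDR, VPC_CIDR, ENDPOINT_ROUTES, SG_RULES,
                   INSTANCE_IP, CLIENT_TUN_IP))
    # 2. Instance sees the endpoint's own address: SSH is blocked too.
    print(diagnose(CLIENT_CIDR, VPC_CIDR, ENDPOINT_ROUTES, SG_RULES,
                   INSTANCE_IP, ENDPOINT_ENI_IP, "sg-clientvpn"))
    # 3. Rules keyed on the endpoint's security group: nothing left to fix.
    print(diagnose(CLIENT_CIDR, VPC_CIDR, ENDPOINT_ROUTES, SG_RULES_FIXED,
                   INSTANCE_IP, ENDPOINT_ENI_IP, "sg-clientvpn"))
```

The point of running `diagnose` twice with different `seen_src_ip` values is that a rule keyed on the client range is only correct if the instance really receives packets with that source address; referencing the endpoint's security group sidesteps the question entirely.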

Sorry, I didn't know that. I need a site-to-site VPN, according to the project specification.

Site-to-Site VPN connects two networks together. One network is an AWS VPC and the other is your on-prem network. The connection is configured on your internet-facing firewall or router. You will need a static IP address unless you plan on using certificate authentication, which adds expensive PKI architecture and complexity.