Rules and best practices for using AWS Client VPN

AWS Client VPN is a fully-managed service that automatically scales to accommodate additional user connections and bandwidth requirements. Each user connection has a maximum baseline bandwidth of 50 Mbps. You can request an increase through AWS Support if needed. The actual bandwidth experienced by users connecting through a Client VPN endpoint can vary based on several factors. These factors include packet size, traffic composition (TCP/UDP mix), network policies (shaping or throttling) on intermediate networks, internet conditions, application-specific requirements, and the total number of concurrent user connections.

Client CIDR ranges cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or any routes manually added to the Client VPN endpoint's route table.

Client CIDR ranges must have a block size of at least /22 and must not be greater than /12.

A portion of the addresses in the client CIDR range are used to support the availability model of the Client VPN endpoint, and cannot be assigned to clients. Therefore, we recommend that you assign a CIDR block that contains twice the number of IP addresses that are required to enable the maximum number of concurrent connections that you plan to support on the Client VPN endpoint.

The client CIDR range cannot be changed after you create the Client VPN endpoint.

Client VPN supports IPv4 traffic only. See IPv6 considerations for AWS Client VPN for details regarding IPv6.

Client VPN performs Network Address Translation (NAT). When a client connects through Client VPN:

Client VPN performs Port Address Translation (PAT) only when concurrent users are connecting to the same target. Port translation is automatic and necessary to support multiple simultaneous connections through the same VPN endpoint.

For example, when two clients, client 1 and client 2, connect to the same destination server and port through a Client VPN endpoint:

The subnets associated with a Client VPN endpoint must be in the same VPC.

You cannot associate multiple subnets from the same Availability Zone with a Client VPN endpoint.

A Client VPN endpoint does not support subnet associations in a dedicated tenancy VPC.

The self-service portal is not available for clients that authenticate using mutual authentication.

If multi-factor authentication (MFA) is disabled for your Active Directory, user passwords cannot use the following format.

SCRV1:base64_encoded_string:base64_encoded_string

Certificates used in AWS Client VPN must adhere to RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, including the Certificate Extensions specified in section 4.2 of the memo.

User names with special characters might cause connection errors.

We do not recommend connecting to a Client VPN endpoint using IP addresses. Because Client VPN is a managed service, you will occasionally see changes in the IP addresses to which the DNS name resolves. In addition, you will see Client VPN network interfaces deleted and recreated in your CloudTrail logs. We recommend connecting to the Client VPN endpoint using the DNS name provided.

The Client VPN service requires that the IP address the client is connected to matches the IP that the Client VPN endpoint's DNS name resolves to. In other words, if you set a custom DNS record for the Client VPN endpoint, then forward the traffic to the actual IP address the endpoint's DNS name resolves to, this setup will not work using recent AWS provided clients. This rule was added to mitigate a server IP attack as described here: TunnelCrack.

You can use an AWS provided client to connect to multiple concurrent DNS sessions. However, for name resolution to work correctly, the DNS servers of all connections should have synchronized records.

The Client VPN service requires that the local area network (LAN) IP address ranges of client devices be within the following standard private IP address ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or 169.254.0.0/16. If the client LAN address range is detected to fall outside of the above ranges, the Client VPN endpoint will automatically push the OpenVPN directive "redirect-gateway block-local" to the client, forcing all LAN traffic into the VPN. Therefore, if you require LAN access during VPN connections, it is advised that you use the conventional address ranges listed above for your LAN. This rule is enforced to mitigate chances of a local net attack as described here: TunnelCrack.

IP forwarding is not currently supported when using the AWS Client VPN desktop application. IP forwarding is supported from other clients.

Client VPN does not support multi-Region replication in AWS Managed Microsoft AD. The Client VPN endpoint must be in the same Region as the AWS Managed Microsoft AD resource.

You can't establish a VPN connection from a computer if there are multiple users logged into the operating system.