Tags: linux, amazon-web-services, networking, saml-2.0, aws-vpn

AWS VPN connection to private network works differently depending on seemingly external factors


context:

AWS VPN to multiple accounts with saml authentication

these two cases work fine:

CASE aws vpn client on mac:

CASE aws vpn client on fedora linux (copr vorona/aws-rpm-packages) && client machine is connected to generic network:

this is where the issue is:

CASE aws vpn client on fedora linux (copr vorona/aws-rpm-packages) && client machine is connected to mobile hotspot:

question:

Does anybody have any idea why this might happen?

what I would expect to happen:

when on fedora linux I can connect to private resources regardless of which wifi/cabled connection my client machine is connected to


Solution

  • found the solution in the official documentation

    Cause

    The client interacts with systemd-resolved, a service available on Linux systems, which serves as a central piece of DNS management. It is used to configure DNS servers that are pushed from the ClientVPN endpoint. The problem occurs because systemd-resolved doesn't set the highest priority to DNS servers that are provided by the ClientVPN endpoint. Instead, it appends the servers to the existing list of DNS servers that are configured on the local system. As a result, the original DNS servers might still have the highest priority, and therefore be used to resolve DNS queries.

    Solution

    Add the following directive on the first line of the OpenVPN config file, to make sure that all DNS queries are sent to the VPN tunnel.

    dhcp-option DOMAIN-ROUTE .
    

    I find it weird that the behaviour changes depending on which access point I am connected to, but I won't complain ;). If anybody has an idea as to why this might happen I am very curious.
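A check for the condition the quoted documentation describes, added here and not part of the question, the answer or the AWS docs: it parses captured `resolvectl status` output and reports whether the tunnel interface (tun0 is an assumed name) owns the catch-all routing domain `~.` that `dhcp-option DOMAIN-ROUTE .` is meant to produce, instead of the VPN servers merely being appended after the hotspot's resolver.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or the AWS documentation).
# Verifies that the DNS servers pushed by the Client VPN endpoint became
# systemd-resolved's catch-all routing domain "~.", which is exactly what
# `dhcp-option DOMAIN-ROUTE .` asks for. Assumption: the tunnel is tun0.

# Print every link in `resolvectl status` output whose "DNS Domain:" line
# carries the catch-all domain "~.". Argument: file with the captured output.
links_with_catchall_domain() {
    awk '
        /^Global/          { link = "Global" }
        /^Link [0-9]+ \(/  { link = $3; gsub(/[()]/, "", link) }
        /DNS Domain:/ {
            for (i = 1; i <= NF; i++) if ($i == "~.") { print link; break }
        }
    ' "$1"
}

# Exit 0 if the named tunnel interface owns the catch-all route, 1 otherwise.
vpn_dns_is_default_route() {
    links_with_catchall_domain "$2" | grep -qx -- "$1"
}

# Constructed sample of `resolvectl status` after a successful connection:
# the hotspot link keeps its own search domain, the tunnel gets "~.".
sample_status() {
    cat <<'EOF'
Global
       Protocols: +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (wlp3s0)
Current DNS Server: 192.0.2.1
       DNS Servers: 192.0.2.1
        DNS Domain: lan

Link 3 (tun0)
Current DNS Server: 10.0.0.2
       DNS Servers: 10.0.0.2
        DNS Domain: ~.
EOF
}

# Live use: resolvectl status > /tmp/rs.txt; vpn_dns_is_default_route tun0 /tmp/rs.txt
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); sample_status > "$f"
    vpn_dns_is_default_route tun0 "$f" && echo "tun0 owns ~. (VPN DNS wins)"
    rm -f "$f"
fi
```

If the tunnel link is missing from the output while the hotspot link still shows only its own search domain, the pushed servers were appended rather than made the default, which matches the failure described in the question.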