
AWS Client VPN and DNS Behavior with DefensX Agent

In this document
  • Overview
  • Windows
    • Enable the DNS Servers Option
    • Enable Split Tunnel
  • macOS

Overview

AWS Client VPN is a fully managed, scalable, and elastic remote access VPN service that allows users to securely connect to AWS VPC resources and on-premises networks from virtually any location.

The service is based on OpenVPN. While most OpenVPN clients are compatible, AWS provides its own client applications for Windows and macOS, which are the recommended options.

Because of how AWS Client VPN handles DNS traffic, there are certain behaviors that require attention. This document explains these behaviors and their implications when used with the DefensX Agent.

Windows

On Windows, if neither Split Tunnel nor the DNS Servers option is configured in AWS Client VPN, it is not possible to use the DNS servers provided by your local network.

DefensX normally uses DNS servers obtained via DHCP or statically configured on interfaces. However, once AWS Client VPN is connected in full-tunnel mode, it installs filtering rules in the Windows Filtering Platform (WFP). These rules redirect all DNS queries into the VPN tunnel and drop any DNS traffic destined for local interfaces.

[Image: wfp]

Tip: If you already use a public DNS resolver (e.g., 8.8.8.8), it will continue to work in full-tunnel mode. Only local DNS servers are blocked.

You have two options to overcome this problem:

Enable the DNS Servers Option

  • In the AWS Client VPN configuration, enable DNS Servers and specify one or two resolvers.

  • These DNS servers must be reachable through the VPN tunnel.

  • Using a local LAN DNS server here will not work, as the traffic will still be dropped.

  • Once configured, you can continue to operate in full-tunnel mode with DefensX.

[Image: enable dns]

Enable Split Tunnel

  • Alternatively, enable Split Tunnel on the AWS Client VPN endpoint.

  • In this mode, AWS Client VPN does not install WFP rules.

  • As a result, DNS queries can continue to use your local LAN DNS servers alongside DefensX Agent.

[Image: split tunnel]

macOS

On macOS, AWS Client VPN does not install DNS-blocking rules like on Windows. Both full-tunnel and split-tunnel modes work seamlessly with the DefensX Agent.

However, there is a separate known issue that is not related to the DefensX Agent:

  • When disconnecting from AWS Client VPN in split-tunnel mode, the default route is not always restored.

  • This appears to be a bug in the current macOS AWS Client VPN client and has been discussed in community forums (https://repost.aws/questions/QUnZb6PUKdSwSY-308ZGvnXQ/no-internet-connection-with-aws-vpn-client-on-macos).

  • If you lose Internet access after disconnecting, verify your routing table with the command netstat -rn and check whether the default route to your local gateway has been restored. If not, you may need to manually re-add it.
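The routing-table check described above, as an added example that is not part of the DefensX documentation: a POSIX shell helper that parses netstat -rn output in the macOS layout and reports whether an IPv4 default route is present. The two sample tables are constructed, and LAN_GATEWAY in the advisory message is a placeholder for your real gateway address.

```shell
#!/bin/sh
# Extract the IPv4 default-route gateway from `netstat -rn` output (macOS
# layout). Prints the gateway and exits 0 when found, exits 1 otherwise.
default_route_gateway() {
    # $1: routing table text. The "Internet:" section lists
    # "default <gateway> <flags> <interface>" when a default route exists.
    printf '%s\n' "$1" | awk '
        /^Internet6:/ { exit }          # stop before the IPv6 section
        $1 == "default" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            print $2; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    '
}

# Report the state of the default route after a VPN disconnect and, when it
# is missing, print the manual fix the document refers to.
check_default_route() {
    if gw=$(default_route_gateway "$1"); then
        echo "IPv4 default route present via $gw"
        return 0
    fi
    echo "no IPv4 default route; re-add it with: sudo route -n add default <LAN_GATEWAY>" >&2
    return 1
}

# Constructed sample: healthy table after disconnect (default route restored).
SAMPLE_OK='Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.1.1        UGScg             en0
127                127.0.0.1          UCS               lo0
192.168.1          link#4             UCS               en0

Internet6:
Destination        Gateway            Flags           Netif Expire
default            fe80::1%en0        UGcg              en0'

# Constructed sample: default route not restored (the macOS client bug).
SAMPLE_BROKEN='Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
127                127.0.0.1          UCS               lo0
192.168.1          link#4             UCS               en0'

# On a real machine run: check_default_route "$(netstat -rn)"
```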

www.defensx.com
Secure Industries, Inc 101 Avenue of The Americas, Floor 9 New York, NY 10013