AWS Client VPN: Default route gets sucked into VPN

This is Hasegawa (@rarirureluis) from the Service Reliability Group (SRG) of the Media Headquarters.
SRG (Service Reliability Group) mainly provides cross-sectional infrastructure support for our media services: improving existing services, launching new ones, contributing to OSS, and so on.
The purpose of this article is to share the problems I ran into while building AWS Client VPN, in the hope that it helps anyone who hits the same issue.
 

AWS Client VPN: Default route is sucked into VPN


Even when all you need is access to a VPC, every packet ends up going through the VPN.
This post explains how the problem can be solved by adding a single line to the client configuration.
 

The mystery of suddenly being unable to connect to the internet


A user suddenly lost Internet connectivity shortly after successfully connecting to AWS Client VPN.
In my own environment, however, everything worked fine.
You think to yourself, "I just want to access resources within the VPC...", check the route table on the affected user's machine, and notice that, for some reason, the route for 0.0.0.0/0 points at the VPN's tun device.
I have split tunneling enabled, yet for some reason all of the traffic is being sucked into the VPN.
How can this happen when I haven't added a default route on the server side?
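The symptom above is easiest to confirm from the route table before touching any configuration. The following is an added example, not code from the original post: it reads the text output of `ip route show` (Linux) or `netstat -rn` (macOS/BSD) and reports every route that sends Internet-bound traffic into a tun/utun interface. The sample route tables are constructed for the example; the "0.0.0.0/1 + 128.0.0.0/1" pair is included because that is how OpenVPN installs a redirect with the def1 flag, which goes beyond the 0.0.0.0/0 case the post describes.

```python
import re

# Destinations that capture Internet-bound traffic: the default route itself, or the
# 0/1 + 128/1 pair OpenVPN installs for "redirect-gateway def1" (general OpenVPN
# behaviour, added here as an assumption; the post only mentions 0.0.0.0/0).
DEFAULT_DESTS = {"default", "0.0.0.0/0", "0.0.0.0", "0/1", "0.0.0.0/1", "128.0.0.0/1", "128.0/1"}

# Interface names used by OpenVPN tunnels: tunN on Linux, utunN on macOS.
VPN_IFACE = re.compile(r"^u?tun\d*$")


def routes_via_vpn(route_table_text):
    """Return [(destination, interface)] for default-like routes that leave via a tunnel."""
    hits = []
    for line in route_table_text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in DEFAULT_DESTS:
            continue
        # Linux `ip route` prints "... dev tun0 ..."; BSD netstat puts the interface last.
        iface = fields[fields.index("dev") + 1] if "dev" in fields else fields[-1]
        if VPN_IFACE.match(iface):
            hits.append((fields[0], iface))
    return hits


def split_tunnel_ok(route_table_text):
    """True when no Internet-bound route points into the tunnel (split tunnel is intact)."""
    return not routes_via_vpn(route_table_text)


# Constructed sample: the client LAN is 100.64.0.0/10 (CGNAT), which is outside the
# private ranges listed in the AWS documentation, and the default route now goes via tun0.
LINUX_SUCKED_IN = """\
default via 10.100.0.1 dev tun0
10.0.0.0/16 via 10.100.0.1 dev tun0
10.100.0.0/22 dev tun0 proto kernel scope link src 10.100.0.10
100.64.0.0/10 dev eth0 proto kernel scope link src 100.64.12.34
"""

# Constructed sample: def1-style redirect; "default" still looks normal but traffic is captured.
LINUX_DEF1 = """\
0.0.0.0/1 via 10.100.0.1 dev tun0
128.0.0.0/1 via 10.100.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/16 via 10.100.0.1 dev tun0
"""

# Constructed sample: healthy split tunnel on Linux, only the VPC prefix uses tun0.
LINUX_OK = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/16 via 10.100.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
"""

# Constructed sample: healthy split tunnel on macOS (netstat -rn layout).
MACOS_OK = """\
Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.1.1        UGScg             en0
10/16              10.100.0.1         UGSc            utun3
192.168.1          link#4             UCS               en0
"""

if __name__ == "__main__":
    for name, table in [("linux sucked in", LINUX_SUCKED_IN), ("linux def1", LINUX_DEF1),
                        ("linux ok", LINUX_OK), ("macos ok", MACOS_OK)]:
        print(name, "->", "OK" if split_tunnel_ok(table) else routes_via_vpn(table))
```

On a real machine, pipe the live output in (`ip route show` or `netstat -rn`) instead of the constructed strings; anything the function reports is traffic that will traverse the VPN even though you only wanted the VPC prefixes.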
 

AWS Client VPN: What it does behind the scenes


In fact, this is a "safety measure" implemented by AWS Client VPN.
If you read the official AWS documentation, you'll find the following:
If the client's LAN IP address range is outside of the standard private IP address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or 169.254.0.0/16), the Client VPN endpoint automatically pushes the OpenVPN directive "redirect-gateway block-local" to the client, forcing all LAN traffic through the VPN.
This means that if the LAN your client device sits on uses an address range outside those listed above, AWS Client VPN forces all traffic through the VPN "for security reasons."
This is intended to add security to your VPN connection, but it gets in the way when you want split tunneling.
 

Solution: Add one line


To solve this problem, simply add the following line to your client configuration file (the .ovpn file):
pull-filter ignore "redirect-gateway block-local"
💡
It works with the official AWS Client VPN software.
This setting makes the client ignore the "redirect-gateway block-local" directive sent by the server.
The actual config file looks like this:
After adding this setting and reconnecting to the VPN, your Internet traffic flows through your local network while access to your AWS resources is preserved.
 

Pull-filter mechanism and its advantages and disadvantages


pull-filter is a feature available in OpenVPN 2.4 and later that lets the client selectively filter options pushed by the server.
The syntax is as follows (the quoted text is matched against the beginning of each pushed option, and the first matching pull-filter line wins):
pull-filter [accept|ignore|reject] "text"
  • accept: apply the pushed option
  • ignore: silently drop the pushed option
  • reject: treat the pushed option as an error (the connection is restarted)
In this case, we use ignore to silently drop the redirect-gateway block-local directive sent by the server.
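To make the "add one line" fix and the pull-filter verbs concrete, here is an added example (not code from the original post or from AWS): it patches a constructed .ovpn idempotently with the pull-filter line, parses the pull-filter directives back out, and simulates how an OpenVPN 2.4+ client applies them to a constructed list of pushed options (first matching filter wins, prefix match, unmatched options accepted, reject aborts). The endpoint hostname and CA block are placeholders, the pushed options are illustrative rather than a capture, and the route-nopull comparison models the manual's description of that directive as a set of ignore filters.

```python
import shlex

PULL_FILTER_LINE = 'pull-filter ignore "redirect-gateway block-local"'

# Constructed sample of what a Client VPN endpoint might push (illustrative, not a
# capture): a VPC route, a DNS option, and the directive quoted from the AWS docs.
PUSHED_OPTIONS = [
    "route 10.0.0.0 255.255.0.0",
    "dhcp-option DNS 10.0.0.2",
    "redirect-gateway block-local",
]

# Constructed minimal client config in the shape AWS generates; hostname and CA are placeholders.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote cvpn-endpoint-EXAMPLE.prod.clientvpn.ap-northeast-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
(placeholder: the endpoint CA certificate goes here)
-----END CERTIFICATE-----
</ca>
"""

# Approximation of route-nopull (assumption based on the OpenVPN manual: accept pushed
# options except routes, redirect-gateway, DHCP options and block-outside-dns).
ROUTE_NOPULL_FILTERS = [("ignore", "route"), ("ignore", "redirect-gateway"),
                        ("ignore", "dhcp-option"), ("ignore", "block-outside-dns")]


def parse_pull_filters(ovpn_text):
    """Return [(action, text)] for every pull-filter line, in file order."""
    filters = []
    for line in ovpn_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # OpenVPN comment or blank line
        try:
            parts = shlex.split(stripped)
        except ValueError:
            continue  # unbalanced quotes in unrelated content (e.g. inline blocks)
        if len(parts) == 3 and parts[0] == "pull-filter" and parts[1] in ("accept", "ignore", "reject"):
            filters.append((parts[1], parts[2]))
    return filters


def apply_pull_filters(pushed, filters):
    """Simulate the client: first filter whose text is a prefix of the option decides.
    Returns (accepted_options, rejected_option); rejected_option is None unless a
    reject filter matched, in which case processing stops there."""
    accepted = []
    for opt in pushed:
        action = next((act for act, text in filters if opt.startswith(text)), "accept")
        if action == "reject":
            return accepted, opt
        if action == "accept":
            accepted.append(opt)
    return accepted, None


def add_pull_filter(ovpn_text):
    """Insert the ignore line exactly once, before the first inline <ca> block if present."""
    if ("ignore", "redirect-gateway block-local") in parse_pull_filters(ovpn_text):
        return ovpn_text  # already patched; leave the file untouched
    lines = ovpn_text.splitlines()
    idx = next((i for i, line in enumerate(lines) if line.strip() == "<ca>"), len(lines))
    lines.insert(idx, PULL_FILTER_LINE)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    before, _ = apply_pull_filters(PUSHED_OPTIONS, parse_pull_filters(SAMPLE_OVPN))
    patched = add_pull_filter(SAMPLE_OVPN)
    after, _ = apply_pull_filters(PUSHED_OPTIONS, parse_pull_filters(patched))
    nopull, _ = apply_pull_filters(PUSHED_OPTIONS, ROUTE_NOPULL_FILTERS)
    print("without pull-filter:", before)
    print("with pull-filter ignore:", after)   # VPC route and DNS kept, redirect dropped
    print("with route-nopull:", nopull)        # everything dropped, including the VPC route
```

The route-nopull comparison is the point of the "preserve existing configuration" advantage: the single ignore filter drops only the redirect while the VPC route and DNS option still arrive, whereas route-nopull would leave you without the VPC route you connected for.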

Advantages

  • Bandwidth savings: not routing all traffic through the VPN reduces the bandwidth that passes through AWS Client VPN, and the associated cost.
  • Preserve existing configuration: unlike route-nopull, you can ignore one specific route directive while keeping the other pushed routes.

Disadvantages

  • Security considerations: not all traffic goes through the VPN, which may be an issue depending on your security policy.
  • Possibility of TunnelCrack: one of the reasons AWS Client VPN enforces this setting is to protect against a security risk called "TunnelCrack." By ignoring the directive, you could in theory be exposed to that risk.

What is TunnelCrack?

Below is an explanation by AI (DYOR)

The nature of the TunnelCrack vulnerability

TunnelCrack, which was announced in August 2023, refers to a group of fundamental vulnerabilities in the routing process of VPN clients. The following two attack types are at its core:
LocalNet attack (CVE-2023-36672)
  • Injecting fake local network routes via malicious access points
  • It is possible to leak traffic outside the VPN tunnel and intercept plaintext communications
  • CVSS score 6.8 (medium risk)
ServerIP Attack (CVE-2023-36673)
  • DNS tampering to disguise VPN server IP
  • Traffic interception at the initial connection stage
  • CVSS score 7.4 (high risk)

Security implications of pull-filter configuration

Using this setting is a double-edged sword where the TunnelCrack vulnerability is concerned.
Benefits and trade-offs
  • Vulnerable to LocalNet attacks because isolation of local network traffic is disabled
  • However, encrypted communications such as HTTPS are protected.
  • Flagging is officially recommended by OpenVPN, but it is not a complete solution
Realistic risk assessment
  • A malicious network connection is a prerequisite for an attack to succeed.
  • Problems become evident in high-risk environments such as when using public Wi-Fi
  • In a trusted environment such as a corporate network, the risk is within the acceptable range.

Defense in depth in practice

If the vulnerability cannot be completely eliminated, the recommended measures are:
  1. Application layer protection
      • Enforce TLS 1.3 on all services (using Let's Encrypt, etc.)
      • HSTS preload list enforcement
  2. Optimizing your VPN settings
      redirect-gateway autolocal ipv6
      block-outside-dns
      tls-version-min 1.3
  3. OS-level measures
      • Block unexpected outbound traffic with the client firewall
      • Enforce DNS over HTTPS/TLS

Vendor Response Status

Status of major vendors (as of April 2025):
  Vendor     Countermeasure status                       Recommended settings
  OpenVPN    OS-specific solutions under development     -
  Sophos     No client update required (low risk)        TLS required
  Fortinet   No impact with proper settings              Encryption protocol enforcement
 

Conclusion


AWS Client VPN is a useful service, but under certain conditions it forces all traffic through the VPN.
This is caused by the "redirect-gateway block-local" directive being pushed automatically.
By adding pull-filter ignore "redirect-gateway block-local" to your client configuration, you get true split tunneling: only the necessary traffic goes through the VPN, and Internet traffic goes out via your local network.
SRG is looking for people to work with us. If you are interested, please contact us here.