The default route is being routed to the VPN in AWS Client VPN.

This is Hasegawa (@rarirureluis) from the Service Reliability Group (SRG) of the Media Division.
#SRGThe Service Reliability Group primarily provides comprehensive support for the infrastructure surrounding our media services, focusing on improving existing services, launching new ones, and contributing to open-source software (OSS).
This article aims to share problems encountered during AWS Client VPN setup and help others who may be facing similar issues.
 

The default route is being routed to the VPN in AWS Client VPN.


It's that situation where, even though your only purpose is to access your VPC, all your traffic ends up going through the VPN.
This article explains how to resolve this issue by simply adding one line to the client settings.
 

The mystery of suddenly losing internet connection


One user suddenly lost their internet connection immediately after successfully connecting to AWS Client VPN.
But it's fine in my environment.
"I just want to access resources within the VPC..." I thought, and when I checked the route table for the user in question, I noticed that for some reason the route to 0.0.0.0/0 was pointing to the VPN's tun device.
Even though I have split tunneling enabled, all my traffic is somehow being routed through the VPN.
Why is this happening even though I haven't added a default route on the server side?
 

Hidden behavior of AWS Client VPN


Actually, this is due to a "security measure" implemented by AWS Client VPN.
The official AWS documentation states the following:
If the client's LAN IP address range is outside the standard private IP address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or 169.254.0.0/16), the Client VPN endpoint automatically pushes the OpenVPN directive "redirect-gateway block-local" to the client, forcing all LAN traffic to the VPN.
In other words, if your client device is using an IP address range other than those mentioned above, AWS Client VPN will force all traffic to go through the VPN "for security reasons."
This is a measure to enhance security through VPN connections, but it gets in the way if you want to use split tunneling.
 

How to solve it by adding one line


To resolve this issue, simply add the following line to your client configuration file (.ovpn file):
💡
It works with AWS's official Client VPN software.
This setting will cause the server to ignore the "redirect-gateway block-local" instruction sent from the server.
The actual configuration file will look like this:
After adding this setting and reconnecting to the VPN, you will maintain access to AWS resources while internet traffic will flow through your local network.
 

The mechanism, advantages, and disadvantages of pull filters


The `pull-filter` feature, available in OpenVPN 2.4 and later, selectively filters the settings pushed from the server.
💡
It works with AWS's official Client VPN software.
The syntax is as follows:
pull-filter [accept|ignore|reject] "オプション"
  • accept
  • ignore
  • reject
In this case, we are using `ignore` to silently ignore the `redirect-gateway block-local` instruction sent from the server.

merit

  • Bandwidth savings: By not routing all traffic through the VPN, you can reduce AWS Client VPN bandwidth usage and costs.
  • Maintaining existing settings: Unlike `route-nopull`, this allows you to ignore only specific settings while preserving other route settings.

Disadvantages

  • Security considerations: Not routing all traffic through the VPN may cause problems depending on your security policy.
  • Potential Tunnel Cracking: One reason AWS Client VPN enforces this setting is to protect against a security risk called "TunnelCrack." Ignoring this setting could theoretically expose you to that risk.

What is TunnelCrack?

The following is an explanation by AI (DYOR)

The essence of the TunnelCrack vulnerability

The TunnelCrack, disclosed in August 2023, refers to a set of fundamental vulnerabilities lurking in the routing process of VPN clients. The following two types of attacks are particularly central to this vulnerability.14
LocalNet attack (CVE-2023-36672)
  • Injecting a fake local network route via a malicious access point.
  • Traffic can be leaked outside the VPN tunnel, making it possible to intercept plaintext communications.
  • CVSS score 6.8 (medium risk)
ServerIP attack (CVE-2023-36673)
  • VPN server IP address spoofed through DNS tampering
  • Intercept traffic during the initial connection phase
  • CVSS score 7.4 (high risk)

Security impact of pull-filter configuration

Using it is a double-edged sword in terms of TunnelCrack vulnerabilities.
Trade-offs with benefits
  • Disabling the isolation of local network traffic exposes a vulnerability to LocalNet attacks.
  • However, encrypted communications such as HTTPS are protected.1
  • OpenVPN officialThey recommend using the flag, but state that it is not a complete solution.4
Realistic risk assessment
  • The success of an attack requires "connection to a malicious network."2
  • The problem becomes apparent in high-risk environments, such as when using public Wi-Fi.
  • Within the acceptable range of risk in trusted environments such as corporate networks.

Examples of multi-layered defense in practice

Recommended countermeasures when it is not possible to completely eliminate vulnerabilities:
  1. Application Layer Protection
      • Enforcing TLS 1.3 across all services (utilizing services like Let's Encrypt)1
      • Applying the HSTS preload list
  1. Optimizing VPN settings
textredirect-gateway autolocal ipv6 block-outside-dns tls-version-min 1.3
  1. OS-level countermeasures
      • Unexpected outbound traffic blocked by client firewall
      • Enforcement of DNS over HTTPS/TLS

Vendor support status

Status of major vendors' responses (as of April 2025):
vendorStatus of countermeasuresRecommended settings
OpenVPNOperating system-specific countermeasures are currently under development.4
SophosNo client update required (low risk assessment).1TLS required
FortinetNo impact with proper settings.5Enforce encryption protocol
 

In conclusion


AWS Client VPN is a convenient service, but under certain conditions, it can force all traffic to go through the VPN.
This is because the directive "redirect-gateway block-local" is automatically pushed.
By adding `pull-filter ignore "redirect-gateway block-local"` to the client configuration, you can achieve split tunneling, where only necessary traffic is routed through the VPN, while internet access is routed through the local network.
SRG is looking for new team members. If you are interested, please contact us here.