AWS VPN connection to private network works differently depending on seemingly external factors


context:

AWS VPN to multiple accounts with SAML authentication

these two cases work fine:

CASE aws vpn client on mac:

  • it just works

CASE aws vpn client on fedora linux (copr vorona/aws-rpm-packages) && client machine is connected to a generic network:

  • it just works

this is where the issue is:

CASE aws vpn client on fedora linux (copr vorona/aws-rpm-packages) && client machine is connected to a mobile hotspot:

  • specifically there are 2 RDS clusters in 2 different aws accounts I am trying to connect to:
    • it always connects to one but does not connect to the other one in this case
    • about the one failing to connect: the DNS query receives a successful response, but it seems that the TCP session fails to initialize and it retries sending SYN packets until it times out

question:

does anybody have any idea why this might happen?

what I would expect to happen:

when on fedora linux I can connect to private resources regardless of which wifi/cabled connection my client machine is connected to


1 answer

user22806735 (best answer):

found the solution in the official documentation

Cause

The client interacts with systemd-resolved, a service available on Linux systems, which serves as a central piece of DNS management. It is used to configure DNS servers that are pushed from the ClientVPN endpoint. The problem occurs because systemd-resolved doesn't set the highest priority to DNS servers that are provided by the ClientVPN endpoint. Instead, it appends the servers to the existing list of DNS servers that are configured on the local system. As a result, the original DNS servers might still have the highest priority, and therefore be used to resolve DNS queries.

Solution

Add the following directive on the first line of the OpenVPN config file, to make sure that all DNS queries are sent to the VPN tunnel.

dhcp-option DOMAIN-ROUTE .

I find it weird that the behaviour changes depending on which access point I am connected to, but I won't complain ;). If anybody has an idea as to why this might happen I am very curious.
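An added check for the cause described in the answer (example script, not from the question, the answer or the AWS documentation): with systemd-resolved, a link only becomes the default DNS route when it carries the `~.` routing domain, which is what the `dhcp-option DOMAIN-ROUTE .` directive is meant to produce on the tunnel link. The `resolvectl domain` output, the interface names (`wlp3s0`, `tun0`) and the `.ovpn` contents below are constructed samples; the second function prepends the directive to a config only when it is not already present.

```shell
#!/usr/bin/env sh
# Constructed `resolvectl domain` output for the broken case: the Wi-Fi
# (hotspot) link holds the "~." DNS default route, the tunnel only got a
# search domain, so queries for private names may leave via the hotspot.
SAMPLE_LEAK='Global:
Link 2 (wlp3s0): ~.
Link 5 (tun0): ec2.internal'

# Constructed output after the fix: the tunnel link carries "~.".
SAMPLE_OK='Global:
Link 2 (wlp3s0):
Link 5 (tun0): ~. ec2.internal'

# Constructed minimal client config, without the directive.
SAMPLE_CFG='client
dev tun
proto udp
remote cvpn-endpoint-EXAMPLE.prod.clientvpn.eu-west-1.amazonaws.com 443'

# vpn_dns_is_default RESOLVECTL_OUTPUT IFNAME
# Prints "ok" when IFNAME carries the "~." routing domain, else "leak".
vpn_dns_is_default() {
  printf '%s\n' "$1" | awk -v ifn="$2" '
    $0 ~ "\\(" ifn "\\):" { for (i = 4; i <= NF; i++) if ($i == "~.") found = 1 }
    END { print (found ? "ok" : "leak") }'
}

# ensure_domain_route CONFIG_TEXT
# Prints the config with "dhcp-option DOMAIN-ROUTE ." as its first line,
# adding it only if no such line exists yet (idempotent).
ensure_domain_route() {
  if printf '%s\n' "$1" | grep -qx 'dhcp-option DOMAIN-ROUTE \.'; then
    printf '%s\n' "$1"
  else
    printf 'dhcp-option DOMAIN-ROUTE .\n%s\n' "$1"
  fi
}

# Stand-alone run: report both samples and show the patched config.
vpn_dns_is_default "$SAMPLE_LEAK" tun0
vpn_dns_is_default "$SAMPLE_OK" tun0
ensure_domain_route "$SAMPLE_CFG"
```

On a real machine, replace the sample with `resolvectl domain` output taken while the tunnel is up, once from the hotspot and once from the office network, to see which link holds the default route in each case.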