What IP addresses do I allow in an EC2 Security group to allow Client VPN traffic through?


I have an AWS Client VPN setup so that people who can connect to the VPN can access our EC2 servers on the same VPC. Some users are reporting they cannot connect to the services while on the VPN, while others can.

I can do a ping {{address_of_ec2_instance}} in the terminal and get a response, but another user connected to the same VPN will get a timeout with the exact same command, and the same IP resolved. When they go to https://www.whatismyip.com/, they report being connected to the same ISP and location.

The only thing I can speculate is that maybe I haven't allowed the proper port range on the EC2 Security Settings, and some users are within the port range but others are not. How do I determine what port range to forward, given a Client VPN Endpoint?


There is 1 answer below


When you launch a client VPN you will provide a Client IPv4 CIDR range. When connecting to this you will be given an IP address from this range (which is treated as the private IP address when connecting).

For any private IP connections the source IP will come from this range (and as you're using a Client VPN you should connect using the private IP over public to keep network transit through the tunnel).

If you connect via the public IP address you will need to consider whether you want all traffic or just private traffic to go through the Client VPN. By enabling split-tunnel you will be using the public IP address of your on-premises network, otherwise you will be using a public IP address from Amazon's pool of servers.

As a side note if you're ever trying to debug connection failures you can make use of VPC Flow Logs.
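The practical consequence of the answer above is that the security group has to admit the endpoint's whole Client IPv4 CIDR for every protocol and port the VPN users need; a rule that covers only part of that range (or a single user's address) produces exactly the symptom in the question, where some clients get through and others time out. The following is an added example, not code from the question or the answer: it takes a security group's IpPermissions in the shape returned by `aws ec2 describe-security-groups` (here a constructed sample), the endpoint's client CIDR (assumed to be 10.50.0.0/22) and a service, and reports which part of the client range no rule allows. ICMP is checked separately because the `ping` in the question needs an ICMP echo rule, not a TCP one.

```python
"""Report which AWS Client VPN client addresses a security group does NOT admit.

Added example; not the original poster's or AWS's code. The permissions list
below is a constructed sample in the shape of the IpPermissions field of
`aws ec2 describe-security-groups`. The client CIDR 10.50.0.0/22 and the
service port 443 are assumed values.
"""
import ipaddress

# Constructed sample: one security group's inbound rules.
SAMPLE_SG_PERMISSIONS = [
    # Only the first /24 of the client range may reach HTTPS: the likely bug.
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.50.0.0/24"}]},
    # SSH is allowed from the VPC CIDR only, so no VPN client can reach it.
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    # ICMP from the whole client CIDR: every VPN client can ping.
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": "10.50.0.0/22"}]},
]

ICMP_ECHO_REQUEST = 8  # ICMP type used by ping


def rule_matches_service(rule, protocol, port):
    """True if this permission entry applies to protocol/port at all.

    For ICMP rules, EC2 stores the ICMP type in FromPort (-1 = all types);
    for TCP/UDP, FromPort..ToPort is the port range. IpProtocol "-1" means
    "all traffic".
    """
    proto = rule["IpProtocol"]
    if proto == "-1":
        return True
    if proto != protocol:
        return False
    if protocol == "icmp":
        return rule.get("FromPort", -1) in (-1, port)
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def uncovered_clients(permissions, client_cidr, protocol, port):
    """Return the sub-ranges of client_cidr that no matching rule admits.

    An empty list means every VPN client is allowed for that service.
    CIDR blocks are either nested or disjoint, so each allowed block either
    swallows a remaining block, is carved out of it, or does not touch it.
    """
    remaining = [ipaddress.ip_network(client_cidr)]
    for rule in permissions:
        if not rule_matches_service(rule, protocol, port):
            continue
        for ip_range in rule.get("IpRanges", []):
            allowed = ipaddress.ip_network(ip_range["CidrIp"])
            still_blocked = []
            for net in remaining:
                if net.subnet_of(allowed):
                    continue                      # fully admitted by this rule
                if allowed.subnet_of(net):
                    still_blocked.extend(net.address_exclude(allowed))
                else:
                    still_blocked.append(net)     # disjoint, unaffected
            remaining = still_blocked
    return [str(net) for net in sorted(remaining)]


def report(permissions, client_cidr, services):
    """Build a human-readable line per service; services is a list of
    (label, protocol, port) tuples."""
    lines = []
    for label, protocol, port in services:
        gaps = uncovered_clients(permissions, client_cidr, protocol, port)
        status = "OK" if not gaps else "BLOCKED for " + ", ".join(gaps)
        lines.append(f"{label:<12} {status}")
    return lines


if __name__ == "__main__":
    checks = [("HTTPS/443", "tcp", 443),
              ("SSH/22", "tcp", 22),
              ("ping", "icmp", ICMP_ECHO_REQUEST)]
    for line in report(SAMPLE_SG_PERMISSIONS, "10.50.0.0/22", checks):
        print(line)
```

On the sample, HTTPS is reported as blocked for 10.50.1.0/24 and 10.50.2.0/23, which is the "works for some users, times out for others" pattern: whoever the endpoint handed an address in the first /24 gets through. The fix the answer implies is a single rule whose source is the full Client IPv4 CIDR (or the security group attached to the endpoint's associated subnet), not a wider port range.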