VPN Client to site: Cannot ping to VM in VPC #8454

Closed
tuanhoangth1603 opened this issue Jan 6, 2024 · 4 comments

tuanhoangth1603 commented Jan 6, 2024

CLOUDSTACK VERSION

4.17.2.0

SUMMARY

I am experiencing an issue with the VPN Client to Site functionality. I am using the DrayTek Smart VPN Client to connect to the VPN, and the connection is successful. I receive an IP address (10.1.9.2) for the VPN interface on my PC, and I can ping 10.1.9.1 successfully. There are two scenarios:

  1. If I enable "Use default gateway on remote network," I can ping the VMs in the VPC, but I lose internet connection from my PC.
  2. If I disable "Use default gateway on remote network," I cannot ping the VMs in the VPC, but the internet connection on my PC remains operational.


I also attempted to set up a VPN connection on Windows, and the result is the same as case 1 when using the DrayTek VPN app.

STEPS TO REPRODUCE
  1. Create a non-redundant VPC.
  2. Create a network tier.
  3. Create a VM in the network tier (ACL default_allow).
  4. Enable VPN site-to-site gateway.
  5. Create an S2S VPN connection.
  6. Enable VPN client-to-site on IP source NAT.
  7. Create a user for the VPN.
  8. Connect to the VPN using two methods: DrayTek App and VPN connection in Windows.
EXPECTED RESULTS

If I disable "Use default gateway on remote network," I should be able to ping the VMs in the VPC, and the internet connection on my PC should still work.

I am unsure how to check or verify this from any source. Please provide assistance; thanks for any ideas!

@tuanhoangth1603 (Author) commented

I have discovered a new clue.
The steps to reproduce are the same, but for a VPC with a CIDR of 192.168.0.0/16 or 172.16.0.0/16, the VPN C2S does not work. On the contrary, for VPCs with a CIDR of 10.x.0.0/16, it is okay. The issue seems to be related to the CIDR, but currently I cannot change the CIDR of the already created VPC as it is in use. Is there any way for the VPN C2S to still function with the CIDR 192.168.0.0/16 as it is currently?

@DaanHoogland (Contributor) commented

@tuanhoangth1603, you would have to set a route for the VPC subnet on your local machine.
As of now, updating the CIDR of a VPC is not allowed because multiple tiers might be using it.

@DaanHoogland DaanHoogland added this to the unplanned milestone Jan 16, 2024
@weizhouapache (Member) commented

> I have discovered a new clue. The steps to reproduce are the same, but for a VPC with a CIDR of 192.168.0.0/16 or 172.16.0.0/16, the VPN C2S does not work. On the contrary, for VPCs with a CIDR of 10.x.0.0/16, it is okay. The issue seems to be related to the CIDR, but currently I cannot change the CIDR of the already created VPC as it is in use. Is there any way for the VPN C2S to still function with the CIDR 192.168.0.0/16 as it is currently?

So it seems the issue is that your IP (192.168.75.1) is in the VPC CIDR (192.168.0.0/16).

There is no API to update CIDR of existing VPC, as @DaanHoogland mentioned.
You can try to update CIDR by manual database change to a smaller CIDR (for example 192.168.0.0/20, or /22), and restart VPC with cleanup.
I have not tested it, maybe some other changes are required.
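The two suggestions above (a client-side route for the VPC subnet, or shrinking the VPC CIDR so it no longer overlaps the client's LAN) both come down to longest-prefix-match routing on the client. The script below is an added illustration, not CloudStack code and not something either commenter posted. It models the client's routing table in the two scenarios from the report and checks which routes would actually help. The client LAN 192.168.75.0/24 (from the 192.168.75.1 address mentioned above), the VPC CIDR 192.168.0.0/16 and the tunnel addresses 10.1.9.1/10.1.9.2 are taken from the thread; the tier subnets, the assumption that the LAN is a /24, and the Windows `route add` syntax it emits are assumptions for illustration. It also models a general Windows RAS behaviour worth checking in this setup: when "Use default gateway on remote network" is off, Windows adds a class-based route for the assigned tunnel address (10.1.9.2 gives 10.0.0.0/8) into the tunnel, which by itself would make 10.x VPCs reachable and 172.16.x/192.168.x VPCs not.

```python
"""Client-side routing model for a CloudStack client-to-site VPN.

Added illustration only. Constructed inputs: client LAN 192.168.75.0/24,
VPC CIDR 192.168.0.0/16 and tunnel addresses 10.1.9.x are from the issue;
tier subnets and the emitted 'route add' syntax are assumptions.
"""
import ipaddress

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")


def class_based_route(assigned_ip):
    """Windows RAS adds the classful network of the tunnel address when
    'Use default gateway on remote network' is unchecked (10.x -> /8,
    172.x -> /16, 192.x -> /24)."""
    ip = ipaddress.ip_address(assigned_ip)
    first = int(ip) >> 24
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return Net(f"{ip}/{plen}", strict=False)


def client_routes(local_lan, vpn_ip, remote_default=False, extra=()):
    """Routing table for the two scenarios in the report.
    remote_default=True  : scenario 1 (default route goes into the tunnel).
    remote_default=False : scenario 2 (only the class-based route enters it).
    extra: additional prefixes manually routed into the tunnel."""
    routes = [(ANY, "vpn" if remote_default else "lan"), (local_lan, "lan")]
    if not remote_default:
        routes.append((class_based_route(vpn_ip), "vpn"))
    routes.extend((n, "vpn") for n in extra)
    return routes


def egress(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    ip = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in routes if ip in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def routes_to_add(local_lan, tier_subnets, tunnel_gw):
    """Per-tier routes for the client. A single route for the whole VPC /16
    would lose to the LAN /24 inside it, so each tier is routed separately;
    a tier that overlaps the LAN cannot be reached by routing alone
    (renumbering or /32 host routes would be needed)."""
    cmds, blocked = [], []
    for tier in tier_subnets:
        if tier.overlaps(local_lan):
            blocked.append(tier)
        else:
            # Assumed Windows syntax; verify the gateway with 'route print'.
            cmds.append(f"route add {tier.network_address} mask {tier.netmask} {tunnel_gw}")
    return cmds, blocked


def shrink_cidr_ok(new_cidr, tier_subnets, local_lan):
    """Check for the manual-DB idea: the smaller CIDR must still contain
    every existing tier and must no longer overlap the client's LAN."""
    return (all(t.subnet_of(new_cidr) for t in tier_subnets)
            and not new_cidr.overlaps(local_lan))


if __name__ == "__main__":
    lan = Net("192.168.75.0/24")
    tiers = [Net("192.168.1.0/24"), Net("192.168.75.0/24")]  # assumed tiers
    for remote_default in (True, False):
        table = client_routes(lan, "10.1.9.2", remote_default)
        print("default gateway on remote network:", remote_default)
        for dst in ("10.2.1.10", "192.168.1.10", "192.168.75.20", "8.8.8.8"):
            print(f"  {dst:<14} -> {egress(table, dst)}")
    cmds, blocked = routes_to_add(lan, tiers, "10.1.9.1")
    print("routes to add:", *cmds, sep="\n  ")
    print("tiers unreachable by routing:", blocked)
    print("192.168.0.0/20 viable:", shrink_cidr_ok(Net("192.168.0.0/20"), tiers[:1], lan))
```

The model reproduces both reported outcomes: with the remote default gateway enabled everything except the local /24 enters the tunnel (so internet traffic does too), and with it disabled only the 10.0.0.0/8 class-based route does, which is why a 10.x VPC works while 192.168.x and 172.16.x VPCs need explicit per-tier routes. Editing the CIDR in the database, as noted above, is untested and unsupported; the `shrink_cidr_ok` check only verifies the two arithmetic preconditions, not that CloudStack will accept the change.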

@weizhouapache (Member) commented

@tuanhoangth1603
I am closing this issue. Please feel free to reopen it or create a new issue.
