Jordan

Reputation: 4512

AWS Client VPN Client-Client Communication

I have an AWS Client VPN set up using certificate auth. I'm setting this up for a client-client access system, essentially as is described in this AWS scenario/example. It's all working, and I can ping from one client to another if I know their IP address.

My question is: in actual use, what use is this system if clients get assigned a random IP address every time they connect to the VPN, and there's no way to tell which clients are connected or what their IP addresses are without checking the AWS console or using the describe-client-vpn-connections CLI (which requires IAM credentials)?

Is there any way to:

Upvotes: 5

Views: 1588

Answers (1)

Jim Mulvey

Reputation: 537

Much of what you're asking for is not possible. In many organizations, client-to-client communication is not the norm. For client-to-server communication, AWS Client VPN works well.

There is no way to assign static IP addresses to specific clients. You can get a list of current connections and client IP addresses with the following AWS CLI command:

aws ec2 describe-client-vpn-connections --client-vpn-endpoint-id (endpoint ID)

You might be able to get your clients to register via a shared DNS server to get their VPN IP address.

I suspect you'll have better luck rolling your own VPN solution with something like OpenVPN, which much of AWS Client VPN is built on.

Upvotes: 3
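The CLI command in the answer returns every connection the endpoint has seen, including terminated ones, and keys them by connection ID rather than by who connected. The following script is an added example, not code from the question or the answer: it reduces that output to a map from client identity (the certificate CommonName under certificate auth, or Username under AD/SAML) to the currently assigned VPN address, and renders it as hosts-file lines, which is one concrete way to do the "register via a shared DNS server" step the answer suggests. The JSON sample is constructed to mirror the real response shape, the endpoint ID is a placeholder, and running it for real needs the ec2:DescribeClientVpnConnections IAM permission.

```python
"""Map active AWS Client VPN connections to the identity that owns them.

Added example (not from the original post). It runs the same
`aws ec2 describe-client-vpn-connections` call quoted in the answer and
reduces its output to {identity: client_ip} for connections that are still
active, so clients can be found by certificate CN instead of by an
ephemeral VPN address. The sample JSON below is constructed in the shape of
the real API response; the endpoint and connection IDs are placeholders.
"""
import json
import subprocess
from typing import Any, Dict, List

# Constructed sample of describe-client-vpn-connections output. Field names
# follow the AWS API (Connections[].CommonName, ClientIp, Status.Code, ...);
# the values are made up. Note the stale terminated session for bob and the
# fresh active one at a different address.
SAMPLE_OUTPUT = json.dumps({
    "Connections": [
        {
            "ClientVpnEndpointId": "cvpn-endpoint-0123456789abcdef0",
            "ConnectionId": "cvpn-connection-aaaa",
            "CommonName": "alice.example",
            "ClientIp": "10.0.0.34",
            "ConnectionEstablishedTime": "2023-01-01 10:00:00",
            "Status": {"Code": "active"},
        },
        {
            "ClientVpnEndpointId": "cvpn-endpoint-0123456789abcdef0",
            "ConnectionId": "cvpn-connection-bbbb",
            "CommonName": "bob.example",
            "ClientIp": "10.0.0.18",
            "ConnectionEstablishedTime": "2023-01-01 09:00:00",
            "ConnectionEndTime": "2023-01-01 09:30:00",
            "Status": {"Code": "terminated"},
        },
        {
            "ClientVpnEndpointId": "cvpn-endpoint-0123456789abcdef0",
            "ConnectionId": "cvpn-connection-cccc",
            "CommonName": "bob.example",
            "ClientIp": "10.0.0.51",
            "ConnectionEstablishedTime": "2023-01-01 11:00:00",
            "Status": {"Code": "active"},
        },
    ]
})


def active_clients(raw_json: str) -> Dict[str, str]:
    """Return {identity: client_ip} for connections whose Status.Code is active.

    With certificate authentication CommonName carries the client cert CN;
    with AD/SAML authentication Username is populated instead, so fall back
    to it. Terminated sessions are skipped, and if an identity has more than
    one active session the most recently established one wins.
    """
    data = json.loads(raw_json)
    latest: Dict[str, Dict[str, Any]] = {}
    for conn in data.get("Connections", []):
        if conn.get("Status", {}).get("Code") != "active":
            continue
        identity = conn.get("CommonName") or conn.get("Username")
        if not identity or "ClientIp" not in conn:
            continue
        prev = latest.get(identity)
        if prev is None or (conn.get("ConnectionEstablishedTime", "")
                            > prev.get("ConnectionEstablishedTime", "")):
            latest[identity] = conn
    return {ident: c["ClientIp"] for ident, c in latest.items()}


def hosts_lines(mapping: Dict[str, str], suffix: str = ".vpn.internal") -> List[str]:
    """Render the mapping as hosts(5) lines for a shared hosts file or DNS zone.

    The ".vpn.internal" suffix is an assumed naming convention, not AWS's.
    """
    return [f"{ip}\t{ident}{suffix}" for ident, ip in sorted(mapping.items())]


def fetch_connections(endpoint_id: str) -> str:
    """Run the AWS CLI call from the answer (needs ec2:DescribeClientVpnConnections)."""
    return subprocess.run(
        ["aws", "ec2", "describe-client-vpn-connections",
         "--client-vpn-endpoint-id", endpoint_id, "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    import sys
    # With an endpoint ID argument, query AWS; otherwise use the constructed sample.
    raw = fetch_connections(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for line in hosts_lines(active_clients(raw)):
        print(line)
```

Because the address is reassigned on every reconnect, anything that authorizes traffic by VPN IP will drift out of date between runs; the point of keying on the certificate CN is that the identity is stable even though the address is not, so the mapping should be regenerated (for example on a short timer) rather than cached.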
