Arch Linux User Repository

Please note the following requirements for AWS VPN Client:

• If you depend on DNS servers from VPN you need to have a running systemd-resolved.service. Please ensure it does not conflict with any other DNS resolver service or configuration you may use. sudo systemctl --now enable systemd-resolved.service

• You have to enable and start the awsvpnclient.service after installation: sudo systemctl --now enable awsvpnclient

For troubelshooting its worth checking first the logs:

/home/$USER/.config/AWSVPNClient/
/var/log/aws-vpn-client/$USER/

See also the official docs: https://docs.aws.amazon.com/vpn/latest/clientvpn-user/client-vpn-connect-linux.html

If you face any other problem please check the troubleshooting guide (DNS issues): https://docs.aws.amazon.com/vpn/latest/clientvpn-user/linux-troubleshooting.html#aws-provided-client

@damentz What?? I am sharing info with the community. I didn't saw the pinned comment.

@amchacon, why are you posting randomly a part of the pinned comment without context? If you are testing a llama spam bot, please stop immediately as you are wasting real people's time.

This package depends from the package systemd-resolvconf in order to make it work with DNS (and therefore, with SAML aswell).

Renember you have to enable the service aswell:

sudo systemctl enable systemd-resolved.service

sudo systemctl start systemd-resolved.service

Running Manjaro with KDE plasma v. 5.27.10 on linux kernel 6.6.10-1.

Just updated to latest version 3.12.0-2, but now my client won't boot up.

Getting a long stack trace from journalctl:

systemd-coredump[200181]: [🡕] Process 200159 (AWS VPN Client) of user 1000 dumped core.

Stack trace of thread 200159:
#0  0x00007f78d74ab713 n/a (libgtk-3.so.0 + 0xab713)
#1  0x00007f7979bb1156 g_cclosure_marshal_VOID__OBJECTv (libgobject-2.0.so.0 + 0x13156)
...
plasmashell[1085]: Could not find the Plasmoid for Plasma::FrameSvgItem(0x5564b0b7ba30) QQmlContext(0x5564ad657490) QUrl("file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/global/Globals.qml")
systemd[1]: Started Process Core Dump (PID 200180/UID 0).
kernel: AWS VPN Client[200159]: segfault at 0 ip 00007f78d74ab713 sp 00007ffff51368e0 error 4 in libgtk-3.so.0.2407.32[7f78d7484000+395000] likely on CPU 6 (core 2, socket 0)
systemd[903]: Started AWS VPN Client.

Can anybody help me to understand what's going on and why this doesn't work.

Hi,

since you already patch the desktop file for KDE. Is it possible that you add the following line to the awsvpnclient.desktop file so the AWS VPN Client icon is shown for the running application under Gnome:

StartupWMClass=AWS VPN Client

Thanks!

3.9.0 is available, posting proof here since it's hard to read in "Flagged out-of-date" page:

$ curl -Os https://d20adtppz83p9s.cloudfront.net/GTK/latest/awsvpnclient_amd64.deb
$ aunpack awsvpnclient_amd64.deb
$ grep Version awsvpnclient_amd64/DEBIAN/control
Version: 3.9.0

I'd suggest including @jantman's patch - thanks very much for that - I've been using it since posted with no (observed) negative effects.

Recently I've had login work and then 'connection failed' pop up from the GUI. (i.e. I can't connect at all at present.) I've never tried from CLI before (so I'm not certain of a prior working invocation) but running /opt/awsvpnclient/Service/Resources/openvpn/acvc-openvpn --config <(aws ec2 export-client-vpn-client-configuration --output=text) gives the same error as reported by @dcunningham.

The logged error (from GUI attempt) is:

2141 2023-04-13 16:16:28.758 +01:00 [DBG] /bin/ps exit code: 1
2142 2023-04-13 16:16:28.758 +01:00 [ERR] [TI=18] Failed to get process owner of PID: 330602. Stdout: , stderr:
2143 2023-04-13 16:16:28.758 +01:00 [WRN] [TI=18] Exception occured checking process alive: System.Exception: Failed to get process owner of PID: 330602
2144    at ACVC.GTK.Service.DBus.OvpnGtkService.GetProcessOwner(Int32 pid) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.GTK.Service/DBus/OvpnGtkService.cs:line 319
2145    at ACVC.GTK.Service.DBus.OvpnGtkService.IsAliveAsync(Int32 pid) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.GTK.Service/DBus/OvpnGtkService.cs:line 228

Note that /home/ubuntu is (somewhat obviously) not a local path, though I assume that's just a quirk of the logging/compilation, not an issue.

I'm getting "Options error: Unrecognized option or missing or extra parameter(s) in /home/user/.vpn/config-file.ovpn:14: auth-federate (2.4.5) Use --help for more information."

I believe I need to use auth-federate as my org's documentation implies that the vpn client will open a browser window after it starts up so that I can log in. I have no other credentials to try.

--help is unhelpful making no mention of federated auth. What can I do to have this function correctly?

FWIW I submitted a support ticket and asked our Technical Account Manager to bump it to the team working on the client. So far no action.

IP forwarding is currently disabled when using the AWS Client VPN Desktop Application. It has been disabled since the launch of the service on December 18, 2018, in order to address an issue reported by NIST. We understand, however, that some customers may need this functionality for their services. While we do not have a specific date at this time, we do plan to safely enable IP forwarding in an upcoming release.

And this was in... August 2022. There were releases since, none has fixed it.

If you're up for it, you could do the same - create a support ticket to move this to the team. Maybe if there's enough voices, they will make this higher priority.

Has anyone looked into having it not constantly overwrite sysctl net.ipv4.ip_forward=0?

Yeah. It's a bit of a hack, but after installing or updating I modify /opt/awsvpnclient/Service/Resources/openvpn/configure-dns to turn forwarding back on right after it calls the configure_dns and reset_dns functions.