Does the vMX100 appliance when deployed in an AWS VPN support Client VPN connections? I can make a Client VPN connection but packets don't seem to be routed to the LAN side. This document does not describe the Client VPN feature: vMX100 Setup Guide for Amazon AWS
If the Client VPN is not currently a supported feature in the vMX100, then the document should mention that, and the UI should remove the Client VPN. I have a feeling Client VPN may not be possible as the vMX100 lacks the Addressing & VLANs page.
BTW: The site-to-site AutoVPN with an on-premises MX250 is working fine, but it would be nice to be able to make direct Client VPN connections to the AWS site. It would also be nice to use the vMX100 as the NAT Gateway for the private side instances. Currently I have to deploy a NAT Gateway since the vMX100 doesn't support this capability.
This topic seems to suggest there is a way to make it work, but you probably need support from the helpdesk for it:
https://community.meraki.com/t5/Security-SD-WAN/vMX-client-VPN-on-AWS/td-p/11947
That said, for dedicated client VPN I'd recommend looking at another solution. Client VPN on MX (even the appliance based version) is very limited for now (anyconnect support is on the roadmap but it will probably take some time). Cisco ASAv + Anyconnect may be an option if you need a virtualized solution:
In any case, reach out to a Cisco Partner or a Meraki SE. They'll be able to support you coming up with the best design.
Did you remember to add the client VPN subnet to the AWS route table?
Client VPN address space is routed not NATed.
Do your AWS security groups allow the client VPN range?
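The two checks above (a route for the client VPN range and a security group rule allowing it) expressed with AWS Tools for PowerShell, as an added example that is not part of the thread. All resource ids and CIDRs are constructed placeholders; the route target being the vMX's network interface is an assumption (the thread only says the client VPN space is routed rather than NATed, and the vMX is the appliance that terminates those clients).

```powershell
# Added example, not from the thread. Requires the AWS.Tools.EC2 (or AWSPowerShell) module
# and credentials with permission to modify the VPC's route tables and security groups.
# Every id and prefix below is a constructed placeholder; replace with your own values.
$ClientVpnCidr   = '192.168.128.0/24'      # constructed: Meraki client VPN subnet
$PrivateRouteTbl = 'rtb-PLACEHOLDER'       # placeholder: route table of the private subnet
$VmxEni          = 'eni-PLACEHOLDER'       # placeholder: network interface of the vMX instance
$PrivateSg       = 'sg-PLACEHOLDER'        # placeholder: security group on the private instances

# 1. Route the client VPN range back through the vMX. Because the vMX does not NAT
#    client VPN traffic, return packets from private instances must have a route for
#    the client range or they leave via the subnet's default route and never come back.
New-EC2Route -RouteTableId $PrivateRouteTbl `
             -DestinationCidrBlock $ClientVpnCidr `
             -NetworkInterfaceId $VmxEni

# 2. Permit the client VPN range in the private subnet's security group. Scope it to
#    the ports the remote users actually need rather than opening everything.
$sshFromVpn = @{ IpProtocol = 'tcp'; FromPort = 22;  ToPort = 22;  IpRanges = $ClientVpnCidr }
$rdpFromVpn = @{ IpProtocol = 'tcp'; FromPort = 3389; ToPort = 3389; IpRanges = $ClientVpnCidr }
Grant-EC2SecurityGroupIngress -GroupId $PrivateSg -IpPermission @($sshFromVpn, $rdpFromVpn)

# 3. Read back both so the change can be verified in the same session.
(Get-EC2RouteTable -RouteTableId $PrivateRouteTbl).Routes |
    Where-Object { $_.DestinationCidrBlock -eq $ClientVpnCidr }
(Get-EC2SecurityGroup -GroupId $PrivateSg).IpPermissions |
    Where-Object { $_.IpRanges -contains $ClientVpnCidr }
```

The security group rule is what unblocked the original poster; the route entry is what keeps the unsolicited reply traffic flowing once the instances answer.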
@PhilipDAth adding the Client VPN subnet range to the private subnet security group fixed the problem of accessing instances in the private subnet. That makes sense since now I understand that the vMX100 isn't NATing the Client VPN clients. Seems like I'll have to use split tunnel in this scenario.
This guide includes a split tunnel configuration.
Thanks @PhilipDAth. I've been using PowerShell scripts to create the VPN on Windows for a few years now with -SplitTunnel enabled, but I wasn't aware of the Add-VpnConnectionRoute cmdlet. I was using a rather complicated setup where a scheduled task fired when the VPN connection was made in order to add routes using the New-NetRoute cmdlet. Then another scheduled task would run when the VPN connection was disconnected, and the routes would be removed with the Remove-NetRoute cmdlet. I imagine switching to Add-VpnConnectionRoute will be a much cleaner and easier to implement solution.
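The cleaner approach the poster is moving to, as an added example that is not the poster's script: a split-tunnel L2TP/IPsec client VPN profile on Windows with the VPC prefixes attached via Add-VpnConnectionRoute, so Windows installs the routes on connect and removes them on disconnect without any scheduled tasks. The server name, pre-shared key and prefixes are constructed placeholders.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the client.
# All values below are constructed placeholders; replace them with your own.
$ConnectionName = 'AWS-vMX-ClientVPN'
$ServerAddress  = 'vpn.example.com'         # placeholder: public hostname or IP of the vMX
$PreSharedKey   = 'REPLACE-WITH-REAL-PSK'   # placeholder: L2TP/IPsec shared secret
# Constructed: VPC CIDRs that should be reached through the tunnel.
$RemotePrefixes = @('10.20.0.0/16', '10.21.0.0/16')

# Create the profile only if it does not already exist, so the script can be re-run safely.
if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnectionName `
        -ServerAddress $ServerAddress `
        -TunnelType L2tp `
        -L2tpPsk $PreSharedKey `
        -AuthenticationMethod Pap `
        -EncryptionLevel Optional `
        -SplitTunneling `
        -RememberCredential `
        -Force
}
# -EncryptionLevel Optional refers only to PPP-level (MPPE) encryption, which L2TP/IPsec
# does not use; the IPsec tunnel itself still encrypts the traffic.

# With -SplitTunneling only traffic matching these prefixes enters the tunnel; everything
# else keeps using the local default gateway. The routes are stored in the profile.
foreach ($Prefix in $RemotePrefixes) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $Prefix -PassThru
}

# Verify which prefixes the profile will route through the tunnel.
(Get-VpnConnection -Name $ConnectionName).Routes |
    Select-Object DestinationPrefix, RouteMetric
```

Keeping the prefix list narrow matters for the same reason the security group fix did: only the VPC ranges that actually need the vMX path should be pushed into the tunnel, and no route for the client's own local network should ever appear there.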
It is a good learning experience to figure it out yourself before someone shows you the easy way.
Where should it be pointing in the route table?
When I say pointing which "Target" in AWS should go