When implementing network security policies that restrict AWS EC2 SSH access to office IP ranges, remote work scenarios create a technical hurdle. The classic symptom appears when:
ssh -i key.pem ec2-user@ec2-xx-xxx-xxx-xxx.compute-1.amazonaws.com
# Returns: ssh: connect to host ec2-xx-xxx-xxx-xxx.compute-1.amazonaws.com port 22: Connection timed out
The core problem occurs because SSH traffic isn't automatically routed through the VPN tunnel. Here's how to verify:
ip route show
# Without VPN: default via 192.168.1.1 dev wlan0
# With VPN: default dev ppp0 scope linkCreate a dedicated route for your EC2 instance:
sudo ip route add [EC2_PUBLIC_IP]/32 dev ppp0
# Persistent version for Ubuntu/Debian:
echo "[EC2_PUBLIC_IP]/32 dev ppp0" | sudo tee -a /etc/network/interfacesFor environments where direct routing isn't possible:
# ~/.ssh/config
Host office-jump
HostName office-gateway.example.com
User youruser
IdentityFile ~/.ssh/office_key
Host ec2-secure
HostName ec2-xx-xxx-xxx-xxx.compute-1.amazonaws.com
User ec2-user
IdentityFile ~/.ssh/aws_key
ProxyJump office-jumpFor PPTP specifically, ensure proper MTU settings to prevent packet fragmentation:
sudo ifconfig ppp0 mtu 1400
# Permanent fix:
echo "mtu 1400" | sudo tee -a /etc/ppp/peers/[your_vpn_config]Confirm your EC2 security group allows traffic from the VPN subnet:
aws ec2 describe-security-groups --group-ids sg-xxxxxx --query 'SecurityGroups[0].IpPermissions'- Verify VPN assigned IP with
ifconfig ppp0 - Check route tables with
ip route list table all - Test raw connectivity:
nc -zv [EC2_IP] 22 - Inspect VPN logs:
journalctl -u pptpd
Many teams configure AWS EC2 instances to only accept SSH connections from their office network IP range for security reasons. This becomes problematic when team members need remote access while traveling or working from home. A common workaround is setting up a VPN (like PPTP) to tunnel into the office network, but users often find SSH connections still get rejected.
When you establish a VPN connection, your machine typically maintains both the original network interface (wlan0) and the VPN interface (ppp0). The issue occurs because:
$ ifconfig
wlan0: inet 192.168.1.100
ppp0: inet 10.8.0.2
Your SSH client may still be using the default route through wlan0 instead of routing through ppp0. The EC2 instance's security group sees the public IP of your wlan0 interface, not the VPN-assigned IP.
Here are three approaches to solve this:
Method 1: Modify Routing Tables
Add a specific route for your EC2 instance through the VPN interface:
# Linux/macOS
sudo route add -host [EC2_PUBLIC_IP] -interface ppp0
# Windows
route add [EC2_PUBLIC_IP] mask 255.255.255.255 [VPN_GATEWAY_IP]
Method 2: SSH Config with Bind Address
Configure your SSH client to bind to the VPN interface:
# ~/.ssh/config
Host my-ec2-instance
HostName ec2-xx-xx-xx-xx.compute-1.amazonaws.com
User ec2-user
BindAddress 10.8.0.2 # Your VPN-assigned IP
IdentityFile ~/.ssh/aws-key.pem
Method 3: SSH ProxyCommand Through Office Jump Host
If routing modifications don't work, you can chain SSH connections:
Host office-jumpbox
HostName office-jumpbox.example.com
User myuser
IdentityFile ~/.ssh/office-key
Host ec2-via-office
HostName [EC2_PRIVATE_IP]
User ec2-user
ProxyCommand ssh -W %h:%p office-jumpbox
IdentityFile ~/.ssh/aws-key.pem
Check which interface your traffic is using:
# Linux
sudo tcpdump -i ppp0 host [EC2_PUBLIC_IP] and port 22
# macOS/Windows equivalent:
# On VPN-connected machine:
telnet [EC2_PUBLIC_IP] 22
# On office network:
tcpdump host [VPN_PUBLIC_IP] and port 22
While PPTP works, consider upgrading to more secure VPN options:
- OpenVPN with TLS
- AWS Client VPN
- WireGuard for better performance
Also ensure your EC2 security groups only allow SSH from the VPN's IP range, not the entire office network.
If connections still fail:
# Check routes
netstat -rn
# Test VPN tunnel
ping [OFFICE_LAN_IP]
# Verify security groups
aws ec2 describe-security-groups --group-ids sg-xxxxxx