The Woes of AWSVPNClient

#Amazon #AWS #AWSVPNClient

For my current $dayjob I am required to start using the AWS VPN Client. This is not a problem per se, however, this piece of software has given me some particular headaches. In this post, I want to air some frustrations that it has brought me in the past two days, trying to get this software working properly on Debian.

GNU+Linux Support

The AWS VPN Client has gotten an official client for GNU+Linux users. Not all of them, sadly, they specifically support Ubuntu 18.04. I find it important to note that this is 2 LTS versions behind the current Ubuntu version 22.04. Apart from that, only Ubuntu is rather limited. Amazon isn’t a small company, and they should be able to support various distributions.

In general I would recommend to support the upstream distribution, which in this case would be Debian. This would ensure that it becomes available on Ubuntu by virtue of it being Debian based.

That said, only Ubuntu packages wouldn’t be a huge problem if not for the next issue I have with this software…

Proprietary Software

The code for this application is private, and Amazon has no intention to change this. There’s nothing very special about the application, it’s just a proprietary wrapper around OpenVPN, so in my mind I find it hard to believe that they’re trying to “protect” anything sensitive. It feels like a simple move to instill the idea that you’re highly dependent on them.

If they were to make this software free (as in freedom), packaging could be done by package maintainers, or really just anyone who feels like doing it. This would remove a burden on Amazon, and ensure better availability for all potential users.

Additionally, it would make debugging issues much easier. Because…


The logging the application does is pathetic. There’s a lot of duplicated logs that are spammed hundreds of times per second. Tailing your logs can also be more annoying than it needs to be, since the client rotates which file it logs to every 1048629 bytes.

I currently have 30 log files, generated by two sessions. In these log files, the line [INF] Begin receive init again appears 509114 times. Over half a million times. The total number of log lines in all these log files is 510394, meaning only 1280 lines are something different.

Of those 1280 lines, the logs themselves aren’t much better. I apparently had to install systemd-resolved in order to fix the following error:

2023-02-23 10:02:50.870 +01:00 [DBG] CM received: >LOG:1677142970,F,WARNING: Failed running command (--up/--down): external program exited with error status: 1
>FATAL:WARNING: Failed running command (--up/--down): external program exited with error status: 1

2023-02-23 10:02:50.870 +01:00 [DBG] CM processsing: >LOG:1677142970,F,WARNING: Failed running command (--up/--down): external program exited with error status: 1
2023-02-23 10:02:50.870 +01:00 [DBG] CM processsing: >FATAL:WARNING: Failed running command (--up/--down): external program exited with error status: 1
2023-02-23 10:02:50.870 +01:00 [DBG] Fatal exception occured
2023-02-23 10:02:50.870 +01:00 [DBG] Stopping openvpn process
2023-02-23 10:02:50.870 +01:00 [DBG] Sending SIGTERM to gracefully shut down the OpenVPN process
2023-02-23 10:02:50.871 +01:00 [DBG] Invoke Error
2023-02-23 10:02:50.871 +01:00 [DBG] DeDupeProcessDiedSignals: OpenVPN process encountered a fatal error and died. Try connecting again.

It is not particularly clear this fails due to not having systemd-resolved installed and running. The .deb provided by Amazon does not even depend on systemd-resolved!

Another gripe I’ve had with the logs is their location. It saves these in ~/.config/AWSVPNClient/logs. It may seem weird since this path contains a directory named .config, and indeed, this is not a great place to store logs. The XDG Base Directory Specification specifies $XDG_STATE_HOME, with one explicit example for it being logs. However, for this to make sense, the application needs to respect the XDG_* values to begin with, which it currently doesn’t.

All in all

This software is pretty bad, but if it were free software, at least the users could improve it to suck less, and easily introduce support for various additional platforms. Instead, we’re just stuck with a piece of bad software.