Workspace page remains blocked when connected to VPN, despite VPN allowlisting in access controls
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Summary
This article will explain the potential causes behind this issue and suggest troubleshooting steps for resolving the problem.
Diagnosis
Despite allowing VPN CIDR IP addresses under access controls, the Bitbucket Cloud workspace page remains inaccessible when connected via the VPN.
The error "You're currently blocked from this page" is displayed.
Cause
The IP address that needs to be added to the allowlist is displayed on the blocked page. Check whether the displayed IP matches your client's public IP and whether it falls outside the VPN CIDR range. For example, you can check your client's public IP at https://www.iplocation.net/.
If the IP shown is the client's own public IP rather than an address from the allowlisted VPN CIDR block, internet traffic is leaving the client directly and is not passing through the VPN.
Solution
There may be split tunneling enabled on the VPN client endpoint service, in which case the VPN connection will only route traffic destined for the private subnet over the VPN tunnel. All other traffic, including internet traffic, will be sent directly from the client device to the internet.
When visiting a website such as https://www.iplocation.net/, the website can detect the client's public IP address, which is the IP address assigned to the client's device by the Internet service provider (ISP). Since the internet traffic is not being routed through the VPN tunnel, Bitbucket Cloud can detect the actual client public IP and not the VPN IP.
This behavior is expected with split tunneling. If one wants all internet traffic to be routed through the VPN tunnel, one would need to disable split tunneling. However, this could lead to reduced internet performance and increased latency, as all traffic would need to be routed through the VPN.
Routing only the IP addresses of specific URLs through the VPN tunnel is also possible, but can be challenging. Here are the steps to do so:
Below are the IPv4 inbound addresses for bitbucket.org, api.bitbucket.org, and altssh.bitbucket.org. The complete list of Bitbucket Cloud IPs (IPv4 and IPv6) that need to be allowlisted can be found in this document.
104.192.136.0/21
185.166.140.0/22
18.205.93.0/25
18.234.32.128/25
13.52.5.0/25
Create a new routing table for the VPN tunnel on your laptop/server/instance where you have enabled VPN. Use the command below to create a new routing table and set the VPN gateway as the default route:
ip route add table <table_name> default via <vpn_gateway_ip>
Create a routing rule that directs traffic for the Bitbucket Cloud URL to the new routing table. Use the command below to create a new routing rule that directs traffic from the client device to the specific URL IP address through the VPN tunnel. Please note that policy-based routing can be complex, and it is recommended to consult with a network administrator or qualified expert before implementing this method:
ip rule add from <client_ip> to <web_url_ip> lookup <table_name>
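The two steps above applied to the full list of Bitbucket Cloud IPv4 ranges, as an added example that is not part of this article: the script generates one policy-routing rule per CIDR instead of a single <web_url_ip>, prints the commands for review, and shows how to verify the result. The table name vpn_bb, the VPN gateway 10.8.0.1 and the client IP 192.168.1.20 are assumed placeholders; replace them with your own values.

```shell
#!/bin/sh
# Added example (not Atlassian's script): send only Bitbucket Cloud traffic
# through the VPN tunnel with Linux policy-based routing.
# Assumed placeholders: table "vpn_bb", VPN gateway 10.8.0.1, client 192.168.1.20.

# IPv4 inbound ranges for bitbucket.org, api.bitbucket.org, altssh.bitbucket.org
# (from the list in this article; the full list also includes IPv6).
BB_CIDRS="104.192.136.0/21 185.166.140.0/22 18.205.93.0/25 18.234.32.128/25 13.52.5.0/25"

# Print the ip(8) commands for a given table, VPN gateway and client IP.
# Nothing is executed here, so the output can be reviewed before applying.
# Note: the table must be a number or a name registered in /etc/iproute2/rt_tables.
routing_cmds() {
    table="$1"; gw="$2"; client="$3"
    # New table whose default route is the VPN gateway (step 1 of the article).
    echo "ip route add table $table default via $gw"
    # One rule per Bitbucket CIDR (step 2, generalised from a single IP).
    for cidr in $BB_CIDRS; do
        echo "ip rule add from $client to $cidr lookup $table"
    done
}

# Number of "ip rule" lines produced; should equal the number of CIDRs.
count_rules() {
    routing_cmds "$@" | grep -c '^ip rule add'
}

# Apply (needs root):   routing_cmds vpn_bb 10.8.0.1 192.168.1.20 | sudo sh
# Verify the policy:    ip rule show ; ip route show table vpn_bb
# Verify a lookup:      ip route get 104.192.136.1 from 192.168.1.20
#                       (the chosen route should be "via 10.8.0.1")
# Finally reload the blocked workspace page: the IP it reports should now be
# inside the allowlisted VPN CIDR range rather than the client's ISP address.
```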
It's important to note that routing traffic for a specific URL over the VPN tunnel could affect the performance of the website, especially if the VPN connection has limited bandwidth or high latency. Another option is to allow all client public IPs in Bitbucket Cloud under access controls.
It's recommended that you consult with a network administrator or a qualified expert before implementing these methods, as they require technical knowledge and can have a potential impact on network performance.
If the above instructions do not assist in resolving the issue, please raise a support ticket or raise a community support ticket for further assistance with this.