Using OpenVPN aws server as gateway for aws VPC systems

bestivo
OpenVpn Newbie
Posts: 5
Joined: Thu Jul 20, 2017 9:43 pm

Using OpenVPN aws server as gateway for aws VPC systems

Post by bestivo » Thu Jul 20, 2017 9:51 pm

I have a few systems in an AWS VPC setup. The only system in the VPC which has internet access is the OpenVPN box. I want to configure the OpenVPN server to act as a gateway for all the other systems.


I looked around, but couldn't find how to configure the openVPN server to act as a gateway for the rest of the systems on the same vlan.


Thank you,

Ivo


bestivo
OpenVpn Newbie
Posts: 5
Joined: Thu Jul 20, 2017 9:43 pm

Re: Using OpenVPN aws server as gateway for aws VPC systems

Post by bestivo » Fri Jul 21, 2017 10:00 am

I did read the howto guide and everything I could find online. It talks about routing traffic from the internet to the VPC which I have already configured. I'm trying to route traffic from the aws VPC network through the openVPN server out to the internet as none of the other servers in the VPC have internet connection/ips.

I guess thank you for posting the obvious place to look.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Using OpenVPN aws server as gateway for aws VPC systems

Post by TinCanTech » Fri Jul 21, 2017 5:51 pm

Because you are using a VPS you may be having trouble with iptables Masquerade ..

If so try this instead of the documented iptables config:
(Use the correct VPN subnet 10.*):

Code:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 12.34.56.78   # <-- Use your OpenVPN server's real external IP here

bestivo
OpenVpn Newbie
Posts: 5
Joined: Thu Jul 20, 2017 9:43 pm

Re: Using OpenVPN aws server as gateway for aws VPC systems

Post by bestivo » Mon Jul 24, 2017 8:22 am

I can ssh to the internal IP of the OpenVPN Server but I can't ping it. I can't ssh or ping the outside IP nor any other IP from another system on the internal VPC.

Here's the OpenVPN server iptables -L

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
AS0_ACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_ACCEPT  all  --  anywhere             anywhere            
AS0_IN_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
AS0_ACCEPT  udp  --  anywhere             anywhere             state NEW udp dpt:openvpn
AS0_ACCEPT  tcp  --  anywhere             anywhere             state NEW tcp dpt:https
AS0_WEBACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_WEBACCEPT  tcp  --  anywhere             anywhere             state NEW tcp dpt:943

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
AS0_ACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_IN_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
AS0_OUT_S2C  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
AS0_OUT_LOCAL  all  --  anywhere             anywhere            

Chain AS0_ACCEPT (5 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_IN (4 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             172.27.224.1        
AS0_IN_POST  all  --  anywhere             anywhere            

Chain AS0_IN_NAT (0 references)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere             MARK or 0x8000000
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_IN_POST (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             172.31.0.0/16       
AS0_OUT    all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain AS0_IN_PRE (2 references)
target     prot opt source               destination         
AS0_IN     all  --  anywhere             link-local/16       
AS0_IN     all  --  anywhere             192.168.0.0/16      
AS0_IN     all  --  anywhere             172.16.0.0/12       
AS0_IN     all  --  anywhere             10.0.0.0/8          
DROP       all  --  anywhere             anywhere            

Chain AS0_IN_ROUTE (0 references)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere             MARK or 0x4000000
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_OUT (2 references)
target     prot opt source               destination         
AS0_OUT_POST  all  --  anywhere             anywhere            

Chain AS0_OUT_LOCAL (1 references)
target     prot opt source               destination         
DROP       icmp --  anywhere             anywhere             icmp redirect
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_OUT_POST (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain AS0_OUT_S2C (1 references)
target     prot opt source               destination         
AS0_OUT    all  --  anywhere             anywhere            

Chain AS0_WEBACCEPT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere
-----------------------------------------------------------------------------------------------------------
 ifconfig 
as0t0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.27.224.1  P-t-P:172.27.224.1  Mask:255.255.248.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:200 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

as0t1     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.27.232.1  P-t-P:172.27.232.1  Mask:255.255.248.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:859 errors:0 dropped:0 overruns:0 frame:0
          TX packets:409 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:200 
          RX bytes:64371 (64.3 KB)  TX bytes:42747 (42.7 KB)

eth0      Link encap:Ethernet  HWaddr 06:0d:09:f7:e6:e6  
          inet addr:172.31.9.202  Bcast:172.31.15.255  Mask:255.255.240.0
          inet6 addr: fe80::40d:9ff:fef7:e6e6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:3850 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3495 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:463253 (463.2 KB)  TX bytes:528374 (528.3 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:36 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:18619 (18.6 KB)  TX bytes:18619 (18.6 KB)

pr0       Link encap:Ethernet  HWaddr 4e:97:11:30:e5:5f  
          inet6 addr: fe80::4c97:11ff:fe30:e55f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)
====================================================================

Here's the routing on a system from the VPC

Code:

netstat -rn 
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.31.0.1      0.0.0.0         UG        0 0          0 eth0
172.31.0.0      0.0.0.0         255.255.240.0   U         0 0          0 eth0
[ec2-user@ip-172-31-7-244 ~]$ ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
        inet 172.31.7.244  netmask 255.255.240.0  broadcast 172.31.15.255
        inet6 fe80::43e:71ff:fefe:498  prefixlen 64  scopeid 0x20<link>
        ether 06:3e:71:fe:04:98  txqueuelen 1000  (Ethernet)
        RX packets 1070  bytes 85306 (83.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 829  bytes 85805 (83.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 68  bytes 6260 (6.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 68  bytes 6260 (6.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Using OpenVPN aws server as gateway for aws VPC systems

Post by TinCanTech » Mon Jul 24, 2017 11:15 am


bestivo
OpenVpn Newbie
Posts: 5
Joined: Thu Jul 20, 2017 9:43 pm

Re: Using OpenVPN aws server as gateway for aws VPC systems

Post by bestivo » Tue Jul 25, 2017 10:36 am

Let me know if I can provide any more information.

Thank you

Here are the config file, iptables, routing table and IP information for the VPN server.

/usr/local/openvpn_as/etc/config.json
server
{
  "Default": {
    "admin_ui.https.ip_address": "all",
    "admin_ui.https.port": "943",
    "auth.ldap.0.name": "My LDAP servers",
    "auth.ldap.0.ssl_verify": "never",
    "auth.ldap.0.timeout": "4",
    "auth.ldap.0.use_ssl": "never",
    "auth.module.type": "local",
    "auth.pam.0.service": "openvpnas",
    "auth.radius.0.acct_enable": "false",
    "auth.radius.0.name": "My Radius servers",
    "cs.cws_proto_v2": "true",
    "cs.https.ip_address": "all",
    "cs.https.port": "943",
    "cs.prof_sign_web": "true",
    "host.name": "13.56.95.253",
    "sa.initial_run_groups.0": "web_group",
    "sa.initial_run_groups.1": "openvpn_group",
    "vpn.client.basic": "false",
    "vpn.client.config_text": "cipher AES-128-CBC",
    "vpn.client.routing.inter_client": "false",
    "vpn.client.routing.reroute_dns": "false",
    "vpn.client.routing.reroute_gw": "false",
    "vpn.daemon.0.client.netmask_bits": "20",
    "vpn.daemon.0.client.network": "172.27.224.0",
    "vpn.daemon.0.listen.ip_address": "all",
    "vpn.daemon.0.listen.port": "443",
    "vpn.daemon.0.listen.protocol": "tcp",
    "vpn.daemon.0.server.ip_address": "all",
    "vpn.server.config_text": "cipher AES-128-CBC",
    "vpn.server.daemon.enable": "true",
    "vpn.server.daemon.tcp.n_daemons": 1,
    "vpn.server.daemon.tcp.port": "443",
    "vpn.server.daemon.udp.n_daemons": 1,
    "vpn.server.daemon.udp.port": "1194",
    "vpn.server.group_pool.0": "172.27.240.0/20",
    "vpn.server.nat.masquerade": "true",
    "vpn.server.port_share.enable": "true",
    "vpn.server.port_share.ip_address": "1.2.3.4",
    "vpn.server.port_share.port": "1234",
    "vpn.server.port_share.service": "admin+client",
    "vpn.server.routing.private_access": "nat",
    "vpn.server.routing.private_network.0": "172.31.0.0/16",
    "vpn.tls_refresh.do_reauth": "true",
    "vpn.tls_refresh.interval": "360"
  },
  "_INTERNAL": {
    "run_api.active_profile": "Default",
    "webui.edit_profile": "Default"
  }
}
iptables -L

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
AS0_ACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_ACCEPT  all  --  anywhere             anywhere            
AS0_IN_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
AS0_ACCEPT  udp  --  anywhere             anywhere             state NEW udp dpt:openvpn
AS0_ACCEPT  tcp  --  anywhere             anywhere             state NEW tcp dpt:https
AS0_WEBACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_WEBACCEPT  tcp  --  anywhere             anywhere             state NEW tcp dpt:943

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
AS0_ACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_IN_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
AS0_OUT_S2C  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
AS0_OUT_LOCAL  all  --  anywhere             anywhere            

Chain AS0_ACCEPT (5 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_IN (4 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             172.27.224.1        
AS0_IN_POST  all  --  anywhere             anywhere            

Chain AS0_IN_NAT (0 references)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere             MARK or 0x8000000
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_IN_POST (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             172.31.0.0/16       
AS0_OUT    all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain AS0_IN_PRE (2 references)
target     prot opt source               destination         
AS0_IN     all  --  anywhere             link-local/16       
AS0_IN     all  --  anywhere             192.168.0.0/16      
AS0_IN     all  --  anywhere             172.16.0.0/12       
AS0_IN     all  --  anywhere             10.0.0.0/8          
DROP       all  --  anywhere             anywhere            

Chain AS0_IN_ROUTE (0 references)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere             MARK or 0x4000000
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_OUT (2 references)
target     prot opt source               destination         
AS0_OUT_POST  all  --  anywhere             anywhere            

Chain AS0_OUT_LOCAL (1 references)
target     prot opt source               destination         
DROP       icmp --  anywhere             anywhere             icmp redirect
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_OUT_POST (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain AS0_OUT_S2C (1 references)
target     prot opt source               destination         
AS0_OUT    all  --  anywhere             anywhere            

Chain AS0_WEBACCEPT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere 
netstat -rn

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.31.0.1      0.0.0.0         UG        0 0          0 eth0
172.27.224.0    0.0.0.0         255.255.248.0   U         0 0          0 as0t0
172.27.232.0    0.0.0.0         255.255.248.0   U         0 0          0 as0t1
172.31.0.0      0.0.0.0         255.255.240.0   U         0 0          0 eth0
ifconfig

Code:

as0t0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.27.224.1  P-t-P:172.27.224.1  Mask:255.255.248.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:200 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

as0t1     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.27.232.1  P-t-P:172.27.232.1  Mask:255.255.248.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1576 errors:0 dropped:0 overruns:0 frame:0
          TX packets:933 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:200 
          RX bytes:150344 (150.3 KB)  TX bytes:248738 (248.7 KB)

eth0      Link encap:Ethernet  HWaddr 06:0d:09:f7:e6:e6  
          inet addr:172.31.9.202  Bcast:172.31.15.255  Mask:255.255.240.0
          inet6 addr: fe80::40d:9ff:fef7:e6e6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:19612 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54119 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1956212 (1.9 MB)  TX bytes:7233371 (7.2 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:280 errors:0 dropped:0 overruns:0 frame:0
          TX packets:280 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:91446 (91.4 KB)  TX bytes:91446 (91.4 KB)

pr0       Link encap:Ethernet  HWaddr 4e:97:11:30:e5:5f  
          inet6 addr: fe80::4c97:11ff:fe30:e55f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
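The FORWARD chain in the listing above is what decides whether this box relays a VPC host's traffic at all, so it is worth tracing. Below is an added example, not code from the thread or from Access Server: it transcribes the FORWARD chain and the AS0_* chains it can reach (abridged to the rules these packets can hit) and walks three constructed packets through them. 203.0.113.10 and 172.27.232.5 are made-up addresses for the example; 172.31.7.244 is the VPC host from the netstat output.

```python
import ipaddress

# Transcribed (abridged) from the `iptables -L` filter-table listing posted above:
# chain -> (policy, [(target, proto, source, destination, extra match)]). Only the
# built-in FORWARD chain has a policy; a user chain with no matching rule falls through.
ANY = "anywhere"
CHAINS = {
    "FORWARD": ("ACCEPT", [("AS0_ACCEPT", "all", ANY, ANY, "state RELATED,ESTABLISHED"),
                           ("AS0_IN_PRE", "all", ANY, ANY, "mark match 0x2000000/0x2000000"),
                           ("AS0_OUT_S2C", "all", ANY, ANY, "")]),
    "AS0_ACCEPT": (None, [("ACCEPT", "all", ANY, ANY, "")]),
    "AS0_IN_PRE": (None, [("AS0_IN", "all", ANY, "172.16.0.0/12", ""), ("DROP", "all", ANY, ANY, "")]),
    "AS0_IN": (None, [("AS0_IN_POST", "all", ANY, ANY, "")]),
    "AS0_IN_POST": (None, [("ACCEPT", "all", ANY, "172.31.0.0/16", ""), ("DROP", "all", ANY, ANY, "")]),
    "AS0_OUT_S2C": (None, [("AS0_OUT", "all", ANY, ANY, "")]),
    "AS0_OUT": (None, [("AS0_OUT_POST", "all", ANY, ANY, "")]),
    "AS0_OUT_POST": (None, [("DROP", "all", ANY, ANY, "")]),
}

def in_net(addr, spec):
    return spec == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(rule, pkt):
    """Protocol, address and the state/mark extra match of one rule against a packet."""
    _, proto, src, dst, extra = rule
    if proto not in ("all", pkt["proto"]) or not (in_net(pkt["src"], src) and in_net(pkt["dst"], dst)):
        return False
    m = extra.split()
    if m[:1] == ["state"]:          # conntrack state match
        return pkt["state"] in m[1].split(",")
    if m[:2] == ["mark", "match"]:  # fwmark selecting the AS0_IN_PRE path (set in mangle, not listed)
        value, mask = (int(x, 16) for x in m[2].split("/"))
        return pkt["mark"] & mask == value
    return True

def verdict(name, pkt, chains=CHAINS):
    """Terminating target reached from chain `name`, else its policy (None = fall through)."""
    policy, rules = chains[name]
    for rule in rules:
        if matches(rule, pkt):
            result = rule[0] if rule[0] in ("ACCEPT", "DROP") else verdict(rule[0], pkt, chains)
            if result:
                return result
    return policy

# Constructed packets: 172.31.7.244 is the VPC host from the netstat output above,
# 172.27.232.5 a VPN client on as0t1, 203.0.113.10 a documentation-range internet host.
VPC_TO_INTERNET = {"proto": "tcp", "src": "172.31.7.244", "dst": "203.0.113.10", "state": "NEW", "mark": 0}
VPC_REPLY = dict(VPC_TO_INTERNET, state="ESTABLISHED")
VPN_TO_VPC = {"proto": "tcp", "src": "172.27.232.5", "dst": "172.31.7.244", "state": "NEW", "mark": 0x2000000}

if __name__ == "__main__":
    for label, pkt in [("VPC host -> internet (NEW)", VPC_TO_INTERNET), ("reply to VPC host", VPC_REPLY),
                       ("VPN client -> VPC host", VPN_TO_VPC)]:
        print(f"{label}: {verdict('FORWARD', pkt)}")
```

A new connection from the VPC host that did not arrive over the VPN matches nothing until AS0_OUT_S2C and ends in AS0_OUT_POST's DROP, while established replies and VPN-marked traffic into 172.31.0.0/16 are accepted. The nat-table rules (MASQUERADE/SNAT) are not in the listing and are not traced here.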

bestivo
OpenVpn Newbie
Posts: 5
Joined: Thu Jul 20, 2017 9:43 pm

Re: Using OpenVPN aws server as gateway for aws VPC systems

Post by bestivo » Wed Jul 26, 2017 1:33 pm

After spending hours trying to figure out how to set up the routing on the openvpn server, I ended up recreating it from scratch and it worked without any extra work.


The only thing which needed to be changed was for the AWS instance, under Network -> disable Src/Dest check.
