I've spent an embarrassing amount of time messing with network settings of all sorts, reading forum threads here and elsewhere, reading AWS docs and help pages, and howling at the moon. I just finally figured this out / stumbled upon the answer.
I have a typical AWS VPC, with one of the instances on that VPC running OpenVPN from the AWS Linux repo. For the life of me, I have not been able to connect from my client to anything other than the VPN gateway machine. It's like IP forwarding is disabled, except I've checked that about a thousand times in the last couple of days.
Well, here is the answer: the config for an AWS elastic network interface (i.e., eth0) has a setting called "Source/dest. check", and it's true by default. The network interface will discard packets that don't have a source or destination address corresponding to that interface. It's like an extra layer of disabling IP forwarding. Change that setting to false, and your pings will sing.
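An added audit script (not from the original post) that checks the two things which silently drop forwarded VPN traffic on an EC2 gateway: the ENI SourceDestCheck attribute on the AWS side and net.ipv4.ip_forward inside the guest. It assumes the AWS CLI with credentials for the live check; the instance id in the usage line is a placeholder and the listing in SAMPLE_LISTING is constructed.

```shell
#!/usr/bin/env bash
# Added example: find ENIs that still have "Source/dest. check" enabled and print the fix.
set -eu

# Constructed sample of what `aws ec2 describe-network-interfaces --output text` prints for
# --query 'NetworkInterfaces[].[NetworkInterfaceId,SourceDestCheck]': "eni-id<TAB>True|False" per line.
SAMPLE_LISTING=$(printf 'eni-0aaa\tTrue\neni-0bbb\tFalse\neni-0ccc\tTrue')

# Return (one per line) the ENI ids whose check is still enabled; pure function, testable offline.
enis_with_check_enabled() {
  printf '%s\n' "$1" | awk -F'\t' 'tolower($2) == "true" { print $1 }'
}

# Guest-side forwarding: only "1" means the kernel will forward between interfaces.
ip_forward_ok() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Exact CLI call that disables the check on one ENI (--no-source-dest-check is the real flag).
fix_command_for() {
  printf 'aws ec2 modify-network-interface-attribute --network-interface-id %s --no-source-dest-check\n' "$1"
}

# Live audit of one instance's ENIs plus the local sysctl; only runs when called explicitly.
audit_instance() {
  instance_id="$1"
  listing=$(aws ec2 describe-network-interfaces \
    --filters "Name=attachment.instance-id,Values=${instance_id}" \
    --query 'NetworkInterfaces[].[NetworkInterfaceId,SourceDestCheck]' --output text)
  bad=$(enis_with_check_enabled "$listing")
  if [ -n "$bad" ]; then
    echo "ENIs that will discard forwarded packets; run:"
    printf '%s\n' "$bad" | while read -r eni; do fix_command_for "$eni"; done
  else
    echo "All ENIs on ${instance_id} have Source/dest. check disabled."
  fi
  if ip_forward_ok "$(sysctl -n net.ipv4.ip_forward 2>/dev/null || echo 0)"; then
    echo "net.ipv4.ip_forward=1: guest forwarding enabled"
  else
    echo "net.ipv4.ip_forward is off: sysctl -w net.ipv4.ip_forward=1 and persist it under /etc/sysctl.d/"
  fi
}

# Usage on the gateway: audit_instance i-0123456789abcdef0   (placeholder instance id)
```

Disabling the check is only needed on the instance that forwards for others; leave it enabled on ordinary hosts, since it is what stops a compromised instance from spoofing addresses it does not own.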
AWS ENI source/destination checking
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Re: AWS ENI source/destination checking
My auto-config tunnel script includes this setting.