AWS ENI source/destination checking

wjcarpenter
OpenVpn Newbie
Posts: 1
Joined: Thu Jun 22, 2017 2:11 am

AWS ENI source/destination checking

Post by wjcarpenter » Thu Jun 22, 2017 9:46 pm

I've spent an embarrassing amount of time messing with network settings of all sorts, reading forum threads here and elsewhere, reading AWS docs and help pages, and howling at the moon. I just finally figured this out / stumbled upon the answer.

I have a typical AWS VPC, with one of the instances on that VPC running OpenVPN from the AWS Linux repo. For the life of me, I have not been able to connect from my client to anything other than the VPN gateway machine. It's like IP forwarding is disabled, except I've checked that about a thousand times in the last couple of days.

Well, here is the answer: The config for an AWS elastic network interface (i.e., eth0) has a setting called "Source/dest. check", and it's true by default. The network interface will discard packets that don't have a source or destination address corresponding to that interface. It's like an extra layer of disabling IP forwarding. Change that setting to false, and your pings will sing.
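An added example (not from the post above) that audits the setting from both directions: it flags ENIs on approved VPN/NAT instances that still have the check enabled (the symptom described above) and, since turning the check off lets an instance forward or spoof traffic, ENIs with the check disabled on instances that are not approved forwarders. The sample JSON is constructed in the shape of `describe_network_interfaces` output, and `disable_check` assumes a boto3 EC2 client is passed in.

```python
import json

# Constructed sample in the shape of boto3 describe_network_interfaces()
# output (field names are real; the ids and descriptions are invented).
SAMPLE_ENIS = json.loads("""
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-0aaa", "SourceDestCheck": true,
   "Attachment": {"InstanceId": "i-0vpn"}, "Description": "OpenVPN gateway"},
  {"NetworkInterfaceId": "eni-0bbb", "SourceDestCheck": false,
   "Attachment": {"InstanceId": "i-0web"}, "Description": "web server"},
  {"NetworkInterfaceId": "eni-0ccc", "SourceDestCheck": true,
   "Attachment": {"InstanceId": "i-0db"}, "Description": "database"}
]}""")


def audit_source_dest_check(describe_output, approved_forwarders):
    """Return (still_checking, unexpected_forwarders).

    still_checking: ENIs on approved forwarders (VPN/NAT instances) where the
    check is still enabled, so forwarded traffic is silently dropped.
    unexpected_forwarders: ENIs with the check disabled on instances that are
    not approved forwarders; these can forward or spoof traffic, so review them.
    """
    still_checking, unexpected = [], []
    for eni in describe_output.get("NetworkInterfaces", []):
        instance = eni.get("Attachment", {}).get("InstanceId")
        enabled = eni.get("SourceDestCheck", True)
        if instance in approved_forwarders and enabled:
            still_checking.append(eni["NetworkInterfaceId"])
        elif instance not in approved_forwarders and not enabled:
            unexpected.append(eni["NetworkInterfaceId"])
    return still_checking, unexpected


def disable_check(ec2, eni_id):
    """Turn the check off for one ENI. `ec2` is assumed to be a boto3 EC2
    client passed in by the caller, so this module imports without boto3."""
    ec2.modify_network_interface_attribute(
        NetworkInterfaceId=eni_id, SourceDestCheck={"Value": False})


if __name__ == "__main__":
    # Only the VPN gateway instance is allowed to forward traffic.
    print(audit_source_dest_check(SAMPLE_ENIS, {"i-0vpn"}))
```

Run the audit against live data by passing the dict returned by `boto3.client("ec2").describe_network_interfaces()` and the set of instance ids that are meant to route.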

Skaperen
OpenVPN Power User
Posts: 89
Joined: Fri Aug 05, 2011 3:02 pm

Re: AWS ENI source/destination checking

Post by Skaperen » Sat Jul 08, 2017 6:05 am

My auto-config tunnel script includes this setting.
