Using OpenVPN aws server as gateway for aws VPC systems
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Jul 20, 2017 9:43 pm
Using OpenVPN aws server as gateway for aws VPC systems
I have a few systems in an AWS VPC setup. The only system in the VPC which has internet access is the OpenVPN box. I want to configure the OpenVPN server to act as a gateway for all the other systems.
I looked around, but couldn't find how to configure the OpenVPN server to act as a gateway for the rest of the systems on the same VLAN.
Thank you,
Ivo
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Jul 20, 2017 9:43 pm
Re: Using OpenVPN aws server as gateway for aws VPC systems
I did read the howto guide and everything I could find online. It talks about routing traffic from the internet to the VPC, which I have already configured. I'm trying to route traffic from the AWS VPC network through the OpenVPN server out to the internet, as none of the other servers in the VPC have an internet connection/IPs.
I guess thank you for posting the obvious place to look.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Using OpenVPN aws server as gateway for aws VPC systems
Because you are using a VPS you may be having trouble with iptables Masquerade ..
If so try this instead of the documented iptables config:
(Use the correct VPN subnet 10.*):
Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 12.34.56.78 # <-- Use your OpenVPN server's real external IP here
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Jul 20, 2017 9:43 pm
Re: Using OpenVPN aws server as gateway for aws VPC systems
I can ssh to the internal IP of the OpenVPN server but I can't ping it. I can't ssh or ping the outside IP, nor any other IP, from another system on the internal VPC.
Here's the OpenVPN server iptables -L
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_ACCEPT all -- anywhere anywhere
AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
AS0_ACCEPT udp -- anywhere anywhere state NEW udp dpt:openvpn
AS0_ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
AS0_WEBACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_WEBACCEPT tcp -- anywhere anywhere state NEW tcp dpt:943
Chain FORWARD (policy ACCEPT)
target prot opt source destination
AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
AS0_OUT_S2C all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
AS0_OUT_LOCAL all -- anywhere anywhere
Chain AS0_ACCEPT (5 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain AS0_IN (4 references)
target prot opt source destination
ACCEPT all -- anywhere 172.27.224.1
AS0_IN_POST all -- anywhere anywhere
Chain AS0_IN_NAT (0 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x8000000
ACCEPT all -- anywhere anywhere
Chain AS0_IN_POST (1 references)
target prot opt source destination
ACCEPT all -- anywhere 172.31.0.0/16
AS0_OUT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain AS0_IN_PRE (2 references)
target prot opt source destination
AS0_IN all -- anywhere link-local/16
AS0_IN all -- anywhere 192.168.0.0/16
AS0_IN all -- anywhere 172.16.0.0/12
AS0_IN all -- anywhere 10.0.0.0/8
DROP all -- anywhere anywhere
Chain AS0_IN_ROUTE (0 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x4000000
ACCEPT all -- anywhere anywhere
Chain AS0_OUT (2 references)
target prot opt source destination
AS0_OUT_POST all -- anywhere anywhere
Chain AS0_OUT_LOCAL (1 references)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp redirect
ACCEPT all -- anywhere anywhere
Chain AS0_OUT_POST (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain AS0_OUT_S2C (1 references)
target prot opt source destination
AS0_OUT all -- anywhere anywhere
Chain AS0_WEBACCEPT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
-----------------------------------------------------------------------------------------------------------
ifconfig
as0t0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.27.224.1 P-t-P:172.27.224.1 Mask:255.255.248.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:200
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
as0t1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.27.232.1 P-t-P:172.27.232.1 Mask:255.255.248.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:859 errors:0 dropped:0 overruns:0 frame:0
TX packets:409 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:200
RX bytes:64371 (64.3 KB) TX bytes:42747 (42.7 KB)
eth0 Link encap:Ethernet HWaddr 06:0d:09:f7:e6:e6
inet addr:172.31.9.202 Bcast:172.31.15.255 Mask:255.255.240.0
inet6 addr: fe80::40d:9ff:fef7:e6e6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:3850 errors:0 dropped:0 overruns:0 frame:0
TX packets:3495 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:463253 (463.2 KB) TX bytes:528374 (528.3 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:36 errors:0 dropped:0 overruns:0 frame:0
TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:18619 (18.6 KB) TX bytes:18619 (18.6 KB)
pr0 Link encap:Ethernet HWaddr 4e:97:11:30:e5:5f
inet6 addr: fe80::4c97:11ff:fe30:e55f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:648 (648.0 B)
Here's the routing on a system from the VPC
Code:
netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.31.0.1 0.0.0.0 UG 0 0 0 eth0
172.31.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
[ec2-user@ip-172-31-7-244 ~]$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 172.31.7.244 netmask 255.255.240.0 broadcast 172.31.15.255
inet6 fe80::43e:71ff:fefe:498 prefixlen 64 scopeid 0x20<link>
ether 06:3e:71:fe:04:98 txqueuelen 1000 (Ethernet)
RX packets 1070 bytes 85306 (83.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 829 bytes 85805 (83.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 68 bytes 6260 (6.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 68 bytes 6260 (6.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Jul 20, 2017 9:43 pm
Re: Using OpenVPN aws server as gateway for aws VPC systems
Let me know if I can provide any more information.
Thank you
Here are the config file, iptables, routing table and IP information for the VPN server:
- /usr/local/openvpn_as/etc/config.json
- iptables -L
- netstat -rn
- ifconfig
Code:
{
  "Default": {
    "admin_ui.https.ip_address": "all",
    "admin_ui.https.port": "943",
    "auth.ldap.0.name": "My LDAP servers",
    "auth.ldap.0.ssl_verify": "never",
    "auth.ldap.0.timeout": "4",
    "auth.ldap.0.use_ssl": "never",
    "auth.module.type": "local",
    "auth.pam.0.service": "openvpnas",
    "auth.radius.0.acct_enable": "false",
    "auth.radius.0.name": "My Radius servers",
    "cs.cws_proto_v2": "true",
    "cs.https.ip_address": "all",
    "cs.https.port": "943",
    "cs.prof_sign_web": "true",
    "host.name": "13.56.95.253",
    "sa.initial_run_groups.0": "web_group",
    "sa.initial_run_groups.1": "openvpn_group",
    "vpn.client.basic": "false",
    "vpn.client.config_text": "cipher AES-128-CBC",
    "vpn.client.routing.inter_client": "false",
    "vpn.client.routing.reroute_dns": "false",
    "vpn.client.routing.reroute_gw": "false",
    "vpn.daemon.0.client.netmask_bits": "20",
    "vpn.daemon.0.client.network": "172.27.224.0",
    "vpn.daemon.0.listen.ip_address": "all",
    "vpn.daemon.0.listen.port": "443",
    "vpn.daemon.0.listen.protocol": "tcp",
    "vpn.daemon.0.server.ip_address": "all",
    "vpn.server.config_text": "cipher AES-128-CBC",
    "vpn.server.daemon.enable": "true",
    "vpn.server.daemon.tcp.n_daemons": 1,
    "vpn.server.daemon.tcp.port": "443",
    "vpn.server.daemon.udp.n_daemons": 1,
    "vpn.server.daemon.udp.port": "1194",
    "vpn.server.group_pool.0": "172.27.240.0/20",
    "vpn.server.nat.masquerade": "true",
    "vpn.server.port_share.enable": "true",
    "vpn.server.port_share.ip_address": "1.2.3.4",
    "vpn.server.port_share.port": "1234",
    "vpn.server.port_share.service": "admin+client",
    "vpn.server.routing.private_access": "nat",
    "vpn.server.routing.private_network.0": "172.31.0.0/16",
    "vpn.tls_refresh.do_reauth": "true",
    "vpn.tls_refresh.interval": "360"
  },
  "_INTERNAL": {
    "run_api.active_profile": "Default",
    "webui.edit_profile": "Default"
  }
}
iptables -L
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_ACCEPT all -- anywhere anywhere
AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
AS0_ACCEPT udp -- anywhere anywhere state NEW udp dpt:openvpn
AS0_ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
AS0_WEBACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_WEBACCEPT tcp -- anywhere anywhere state NEW tcp dpt:943
Chain FORWARD (policy ACCEPT)
target prot opt source destination
AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
AS0_OUT_S2C all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
AS0_OUT_LOCAL all -- anywhere anywhere
Chain AS0_ACCEPT (5 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain AS0_IN (4 references)
target prot opt source destination
ACCEPT all -- anywhere 172.27.224.1
AS0_IN_POST all -- anywhere anywhere
Chain AS0_IN_NAT (0 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x8000000
ACCEPT all -- anywhere anywhere
Chain AS0_IN_POST (1 references)
target prot opt source destination
ACCEPT all -- anywhere 172.31.0.0/16
AS0_OUT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain AS0_IN_PRE (2 references)
target prot opt source destination
AS0_IN all -- anywhere link-local/16
AS0_IN all -- anywhere 192.168.0.0/16
AS0_IN all -- anywhere 172.16.0.0/12
AS0_IN all -- anywhere 10.0.0.0/8
DROP all -- anywhere anywhere
Chain AS0_IN_ROUTE (0 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x4000000
ACCEPT all -- anywhere anywhere
Chain AS0_OUT (2 references)
target prot opt source destination
AS0_OUT_POST all -- anywhere anywhere
Chain AS0_OUT_LOCAL (1 references)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp redirect
ACCEPT all -- anywhere anywhere
Chain AS0_OUT_POST (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain AS0_OUT_S2C (1 references)
target prot opt source destination
AS0_OUT all -- anywhere anywhere
Chain AS0_WEBACCEPT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
netstat -rn
Code:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.31.0.1 0.0.0.0 UG 0 0 0 eth0
172.27.224.0 0.0.0.0 255.255.248.0 U 0 0 0 as0t0
172.27.232.0 0.0.0.0 255.255.248.0 U 0 0 0 as0t1
172.31.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
ifconfig
Code:
as0t0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.27.224.1 P-t-P:172.27.224.1 Mask:255.255.248.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:200
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
as0t1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.27.232.1 P-t-P:172.27.232.1 Mask:255.255.248.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:1576 errors:0 dropped:0 overruns:0 frame:0
TX packets:933 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:200
RX bytes:150344 (150.3 KB) TX bytes:248738 (248.7 KB)
eth0 Link encap:Ethernet HWaddr 06:0d:09:f7:e6:e6
inet addr:172.31.9.202 Bcast:172.31.15.255 Mask:255.255.240.0
inet6 addr: fe80::40d:9ff:fef7:e6e6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:19612 errors:0 dropped:0 overruns:0 frame:0
TX packets:54119 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1956212 (1.9 MB) TX bytes:7233371 (7.2 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:280 errors:0 dropped:0 overruns:0 frame:0
TX packets:280 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:91446 (91.4 KB) TX bytes:91446 (91.4 KB)
pr0 Link encap:Ethernet HWaddr 4e:97:11:30:e5:5f
inet6 addr: fe80::4c97:11ff:fe30:e55f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Jul 20, 2017 9:43 pm
Re: Using OpenVPN aws server as gateway for aws VPC systems
After spending hours trying to figure out how to set up the routing on the OpenVPN server, I ended up recreating it from scratch and it worked without any extra work.
The only thing which needed to be changed is for the AWS instance under Network -> disable Src/Dest check.
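The two pieces the thread converges on, as an added example that is not code from the thread or from OpenVPN Access Server: the host-side NAT rules behind the SNAT suggestion above, and the AWS-side source/destination check from the final post. It assumes the VPC CIDR 172.31.0.0/16 and uplink eth0 from the posted output, MASQUERADE on eth0 instead of SNAT to the public address (inside a VPC the instance only holds its private address), placeholder instance and route-table ids, and an ACCEPT inserted ahead of the AS0_* jumps because the posted FORWARD chain otherwise ends in AS0_OUT_POST, whose only rule is DROP all.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN Access Server.
# Defaults are taken from the posted output (VPC 172.31.0.0/16, uplink eth0);
# the AWS ids are placeholders. DRY_RUN=1 (default) prints, DRY_RUN=0 executes.
VPC_CIDR="${VPC_CIDR:-172.31.0.0/16}"
EXT_IF="${EXT_IF:-eth0}"
INSTANCE_ID="${INSTANCE_ID:-i-PLACEHOLDER}"         # placeholder id
ROUTE_TABLE_ID="${ROUTE_TABLE_ID:-rtb-PLACEHOLDER}" # placeholder id

# Host side. The ACCEPT goes at position 1 of FORWARD because the posted chain
# otherwise ends in AS0_OUT_POST, whose only rule is DROP all; return traffic
# is already covered by the RELATED,ESTABLISHED rule at the top of FORWARD.
# MASQUERADE is used because inside a VPC eth0 only holds the private address.
nat_rules() {
    vpc="$1"; ext="$2"
    printf '%s\n' \
      "sysctl -w net.ipv4.ip_forward=1" \
      "iptables -I FORWARD 1 -i $ext -o $ext -s $vpc -j ACCEPT" \
      "iptables -t nat -A POSTROUTING -s $vpc -o $ext -j MASQUERADE"
}

# AWS side: the instance must be allowed to forward packets not addressed to
# it (source/dest check off) and the VPC route table must default-route to it.
aws_cmds() {
    inst="$1"; rtb="$2"
    printf '%s\n' \
      "aws ec2 modify-instance-attribute --instance-id $inst --no-source-dest-check" \
      "aws ec2 create-route --route-table-id $rtb --destination-cidr-block 0.0.0.0/0 --instance-id $inst"
}

# Number of stdin lines containing the literal pattern in $1 (self-check helper).
count_matching() {
    n=0
    while IFS= read -r line; do
        case "$line" in *"$1"*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Print each generated command, or run it when DRY_RUN=0 (needs root / AWS creds).
run_or_print() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then echo "$cmd"; else sh -c "$cmd"; fi
    done
}

main() {
    nat_rules "$VPC_CIDR" "$EXT_IF" | run_or_print
    aws_cmds "$INSTANCE_ID" "$ROUTE_TABLE_ID" | run_or_print
}
main
```

Rules inserted by hand are not managed by Access Server, so persist them with the distribution's iptables save mechanism and re-check the FORWARD chain after the service restarts.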