[SOLVED] Routed Connections initiated by EC2 -> Clients

dickie_uk
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 02, 2021 10:13 pm

[SOLVED] Routed Connections initiated by EC2 -> Clients

Post by dickie_uk » Mon Aug 02, 2021 10:23 pm

Hi! Long time lurker, first time poster!

I've been looking through all the threads, and it seems like all the info I need is scattered around - so I'm just really looking for a sanity check on the below:

Scenario - Running OpenVPN AS as an EC2 image in a private VPC on AWS.
I have it successfully up and running in routed mode and can connect from the VPN clients to EC2 hosts on the VPC subnet with no problems.
Using TCPview I can confirm that the connections arrive as routed from the VPN client address, and are not NAT'd behind the gateway.
I have disabled source/destination checks on the EC2 instance running the server, and have static routes for the VPN client subnet in the VPC route table pointing back at the OpenVPN server.
Short version - everything works VPN Client -> VPC routed

When initiating connections back *to* the VPN client FROM EC2 it doesn't seem to route the other way.
I have confirmed that the EC2 security group for the access server is allowing incoming connections from the VPC subnet, so I assume that after that the VPN server passes them back to the client, but it never seems to establish the connection.

What else am I missing?
Do I need IP forwarding locally on the clients (to allow traffic to pass between the tunnel interface and the LAN interface hosting the TCP service)? Or have I missed some other critical part of the process?
Thanks for any input!!
Last edited by dickie_uk on Tue Aug 03, 2021 7:20 pm, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Routed Connections initiated by EC2 -> Clients

Post by TinCanTech » Tue Aug 03, 2021 5:02 pm

You need to tell the server where all the various client LANs are.

dickie_uk
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 02, 2021 10:13 pm

Re: Routed Connections initiated by EC2 -> Clients

Post by dickie_uk » Tue Aug 03, 2021 5:44 pm

But in my routed connection, TCPview on the EC2 instance shows the incoming TCP connection coming from the 172.24.27.x VPN subnet.
Are you suggesting that you cannot initiate a connection back to that same VPN client address? And that the outbound connection would have to be to the 'real' client-side LAN address? (So I'd need static routes in the VPC for the remote 192.168.1.x subnet via the OpenVPN server - and initiate the connection to the 192.168.1.x address.)

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Routed Connections initiated by EC2 -> Clients

Post by openvpn_inc » Tue Aug 03, 2021 5:49 pm

Hello dickie_uk,

You should be able to reach the VPN clients by their VPN client IP address.

If that fails you might want to check firewall settings on the client devices. You might also want to run tests like TCPdump and Wireshark and such to confirm whether or not packets are arriving or not.

If you try to reach VPN clients by their local IP in the local network, you will fail, because the clients do not expect that and you need to configure that separately. That is not a normal use-case in any case. If you really want this, look into setting up a site-to-site connection so that one VPN device can handle those requests without having to mess with the individual VPN client devices.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

dickie_uk
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 02, 2021 10:13 pm

Re: Routed Connections initiated by EC2 -> Clients

Post by dickie_uk » Tue Aug 03, 2021 7:17 pm

Thanks for the reply - I was just coming back to comment that it was in fact some IDS/IPS running on the client. I ran it from another client with a clean OS build and I can now connect back to TCP services running on the VPN client device.

Thanks again for the help/support!
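As an added example (not code from the thread or from OpenVPN Inc.), a small shell diagnostic for the return path Johan suggests checking with tcpdump. Run on the VPN client, it classifies a capture on the tunnel interface so that "SYN arrives, no SYN-ACK leaves" (the host firewall/IDS case dickie_uk found) is told apart from "no SYN arrives at all" (a VPC route table, source/dest check or security-group problem upstream). The interface name tun0, the VPC host 10.0.1.10 and port 3389 are assumptions; 172.24.27.x is the VPN client subnet named in the thread.

```shell
#!/bin/sh
# Diagnose the EC2 -> VPN-client return path from the client side.
# Assumed names: tun0 (client VPN interface), 10.0.1.10 (a VPC host),
# port 3389 (a TCP service on the client). 172.24.27.x is the thread's
# VPN client subnet; the client IP 172.24.27.6 below is constructed.

# Live capture helper (needs root; not exercised by the test).
capture_return_path() {
  # $1 interface, $2 this client's VPN IP, $3 TCP port, $4 seconds
  timeout "$4" tcpdump -nn -i "$1" "tcp and host $2 and port $3" 2>/dev/null
}

# Classify a saved capture (tcpdump -nn output) for this client's VPN IP.
#   no-syn         -> packets never reach the tunnel: fix VPC routing first
#   syn-no-synack  -> routing works, the client itself (firewall/IDS) drops
#   handshake      -> SYN-ACK went back, the TCP path is fine
classify_capture() {
  awk -v ip="$2" '
    index($0, "> " ip ".") && /Flags \[S\],/     { syn++ }
    index($0, "IP " ip ".") && /Flags \[S\.\],/  { synack++ }
    END {
      if (syn == 0)         print "no-syn"
      else if (synack == 0) print "syn-no-synack"
      else                  print "handshake"
    }' "$1"
}

# Constructed sample: a VPC host retransmits SYN to the client's VPN IP,
# the SYNs arrive on tun0, but nothing goes back (the thread's symptom).
sample_blocked() {
  cat <<'EOF'
12:00:00.000001 IP 10.0.1.10.51234 > 172.24.27.6.3389: Flags [S], seq 1, win 64240, length 0
12:00:01.000001 IP 10.0.1.10.51234 > 172.24.27.6.3389: Flags [S], seq 1, win 64240, length 0
EOF
}

# Constructed sample: same SYN, but the client answers with SYN-ACK.
sample_ok() {
  cat <<'EOF'
12:00:00.000001 IP 10.0.1.10.51234 > 172.24.27.6.3389: Flags [S], seq 1, win 64240, length 0
12:00:00.000200 IP 172.24.27.6.3389 > 10.0.1.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
EOF
}
```

A capture from `capture_return_path tun0 172.24.27.6 3389 30 > cap.txt` can be fed straight to `classify_capture cap.txt 172.24.27.6`.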
