Bidirectional OpenVPN in AWS

rozzwell
OpenVpn Newbie
Posts: 3
Joined: Mon May 23, 2016 5:13 pm

Bidirectional OpenVPN in AWS

Post by rozzwell » Tue May 24, 2016 1:44 pm

I'm working on setting up an OpenVPN instance (using the OpenVPN AMI) to facilitate bidirectional communication between remote clients and private servers. In this case, for database replication purposes. The OpenVPN server resides in the same VPC as the private servers, and I can successfully get a client to connect to OpenVPN and access all of private server resources. I added a route to the VPC to route all traffic with a destination address of the VPN client IP pool to the OpenVPN server, and I can ping private servers from the clients without any problems. What I can't do is successfully ping or connect to clients from the private servers.

If I do a tracert from a private server, it correctly hits the OpenVPN server's IP, but then dies and never routes to the client. I suspect there is a configuration in OpenVPN or on the server itself (iptables, etc) that I need in order to allow the private network to route out to the clients.

I've searched around to try and find a solution but I can't seem to find a scenario that matches what I'm trying to do. Has anyone run into this before? I can't imagine I'm the first person to try and solve this problem. :)

Thanks in advance for the help!!

novaflash
I should be on the dev team.
Posts: 1017
Joined: Fri Apr 13, 2012 8:43 pm

Re: Bidirectional OpenVPN in AWS

Post by novaflash » Tue May 24, 2016 2:09 pm

You need to set up routing in the Access Server. By default, access to private subnets behind the Access Server is given via the NAT method. NAT is one-way. Set up routing and it will work.

Furthermore, AWS uses security groups that function sort of like firewalls. Unknown subnets like the VPN subnet may simply be filtered away, and there is also source checking, another security feature that needs adjustment to work with 'unknown' subnets like the VPN subnet.

rozzwell
OpenVpn Newbie
Posts: 3
Joined: Mon May 23, 2016 5:13 pm

Re: Bidirectional OpenVPN in AWS

Post by rozzwell » Tue May 24, 2016 6:13 pm

Perfect! That worked. Switched things over to routing instead of NAT and things clicked into place quickly.

Thanks for the quick reply!

deepakkothandan
OpenVpn Newbie
Posts: 1
Joined: Mon Jun 06, 2016 6:13 pm

Re: Bidirectional OpenVPN in AWS

Post by deepakkothandan » Mon Jun 06, 2016 6:14 pm

Hi Rozzwell,

I am in a similar situation, could you share how you got this to work?

sindhu
OpenVpn Newbie
Posts: 1
Joined: Fri Aug 26, 2016 11:48 am

Re: Bidirectional OpenVPN in AWS

Post by sindhu » Fri Aug 26, 2016 11:50 am

I'm able to route vpn client requests (pings/SSH/etc) to other instances in different subnets within the same VPC so I know my routing tables are correct.

However, when it comes to a peered VPC, the target instance isn't seeing anything coming from the OpenVPN clients. The routing table has been updated to allow the VPN client range (10.8.0.0/24) as well. As per the original post, the instances within each AWS VPC can talk to each other. However, the VPN clients can't.

I've changed the VPN client range to the OpenVPN default (10.8.0.0/24). Restrictions via security groups have been left open to help troubleshoot. Network ACLs are at default.

Can anyone confirm if the VPC Peering connection has some sort of filtering to only allow traffic with dest/src addresses that belong to the peered VPC network ranges?

novaflash
I should be on the dev team.
Posts: 1017
Joined: Fri Apr 13, 2012 8:43 pm

Re: Bidirectional OpenVPN in AWS

Post by novaflash » Fri Aug 26, 2016 2:00 pm

There is source checking in AWS which could be your problem here. Security groups on virtual machines in AWS can also contain rules to allow only specific traffic through. I would suggest you run tcpdump and trace the problem till you find the point where the traffic disappears.

missmansirao
OpenVpn Newbie
Posts: 2
Joined: Wed Nov 22, 2017 5:57 am

Re: Bidirectional OpenVPN in AWS

Post by missmansirao » Wed Nov 22, 2017 6:02 am

novaflash wrote:
Tue May 24, 2016 2:09 pm
You need to set up routing in the Access Server. By default access to private subnets behind the Access Server are given access via the NAT method. NAT is one-way. Set up routing and it will work.

Furthermore, AWS uses security groups that function sort of like firewalls. Unknown subnets like the VPN subnet may simply be filtered away, and there is also source checking, another security feature that needs adjustment to work with 'unknown' subnets like the VPN subnet.
Thank you. It worked well for me too.

Cheers.
Mansi Rao

hopesuresh
OpenVpn Newbie
Posts: 1
Joined: Mon Oct 15, 2018 9:55 am

Re: Bidirectional OpenVPN in AWS

Post by hopesuresh » Mon Oct 15, 2018 9:57 am

Hi, your idea worked for me. I followed your instructions step by step and then the VPN worked on my AWS. Thanks for your valuable information.

roberto.clavijo
OpenVpn Newbie
Posts: 1
Joined: Tue May 07, 2019 2:58 pm

Re: Bidirectional OpenVPN in AWS

Post by roberto.clavijo » Tue May 07, 2019 3:14 pm

Hi all, I followed these steps to get it working:

1. Change the configuration from NAT to Routing in OpenVpn Server UI, stop and start server from UI.
2. In OpenVpn Server (aws console) Disable Source/Dest check
3. Open ports that will be used in OpenVpn (aws security groups, in my case ICMP ports)

To test

4. Connect a windows 10 laptop to vpn (OpenVpn client)
5. Ping from the windows 10 laptop to any aws instance. Success
6. Ping from an aws instance to the windows 10 laptop. Success
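The three conditions the thread converges on (novaflash's routing-plus-AWS-checks answer and roberto.clavijo's steps 1 to 3) can be verified from AWS API output before anyone starts pinging. The added checker below is example code written for this page, not from OpenVPN or AWS; it reads parsed JSON in the shape returned by `aws ec2 describe-instance-attribute --attribute sourceDestCheck`, `describe-route-tables` and `describe-security-groups`, and the sample data, instance id and route table id embedded in it are constructed placeholders. It cannot see the Access Server's NAT-vs-routing setting, which lives inside OpenVPN, so that part of step 1 still has to be confirmed in the Admin UI.

```python
import ipaddress

# Constructed sample data in the shape of the AWS CLI responses (not captured from a real account).
VPN_CLIENT_CIDR = "10.8.0.0/24"           # OpenVPN default client pool, as used in the thread
OPENVPN_INSTANCE = "i-0123456789abcdef0"  # placeholder instance id of the Access Server

SOURCE_DEST_ATTR = {"InstanceId": OPENVPN_INSTANCE, "SourceDestCheck": {"Value": False}}
ROUTE_TABLES = {"RouteTables": [{"RouteTableId": "rtb-0abc", "Routes": [
    {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "10.8.0.0/24", "InstanceId": OPENVPN_INSTANCE, "State": "active"},
]}]}
PRIVATE_SERVER_SG = {"SecurityGroups": [{"GroupId": "sg-0def", "IpPermissions": [
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "10.8.0.0/24"}]},
]}]}

def source_dest_check_disabled(attr):
    """Step 2: the OpenVPN instance may forward packets it did not originate."""
    return attr["SourceDestCheck"]["Value"] is False

def vpn_route_present(route_tables, vpn_cidr, instance_id):
    """Step 1 (VPC side): an active route sends the VPN client pool to the OpenVPN instance."""
    want = ipaddress.ip_network(vpn_cidr)
    for table in route_tables["RouteTables"]:
        for route in table["Routes"]:
            if route.get("State") != "active" or "DestinationCidrBlock" not in route:
                continue
            if ipaddress.ip_network(route["DestinationCidrBlock"]) == want and route.get("InstanceId") == instance_id:
                return True
    return False

def sg_allows_from_vpn(sgs, vpn_cidr, proto, port=None):
    """Step 3: the private servers' security group admits the whole VPN pool for proto/port."""
    vpn = ipaddress.ip_network(vpn_cidr)
    for sg in sgs["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            if perm["IpProtocol"] not in (proto, "-1"):       # "-1" means all protocols
                continue
            if port is not None and perm["IpProtocol"] != "-1" and not (perm["FromPort"] <= port <= perm["ToPort"]):
                continue
            if any(vpn.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in perm["IpRanges"]):
                return True
    return False

def missing_steps(attr, route_tables, sgs, vpn_cidr, instance_id, proto, port=None):
    """Names of the thread's steps that the AWS side still lacks (empty list means all present)."""
    checks = [("source_dest_check", source_dest_check_disabled(attr)),
              ("vpn_route", vpn_route_present(route_tables, vpn_cidr, instance_id)),
              ("security_group", sg_allows_from_vpn(sgs, vpn_cidr, proto, port))]
    return [name for name, ok in checks if not ok]

if __name__ == "__main__":
    print("missing for ICMP:", missing_steps(SOURCE_DEST_ATTR, ROUTE_TABLES, PRIVATE_SERVER_SG, VPN_CLIENT_CIDR, OPENVPN_INSTANCE, "icmp"))
    print("missing for MySQL:", missing_steps(SOURCE_DEST_ATTR, ROUTE_TABLES, PRIVATE_SERVER_SG, VPN_CLIENT_CIDR, OPENVPN_INSTANCE, "tcp", 3306))
```

With the sample data the ICMP check passes while TCP/3306 reports `security_group` missing, which is the kind of gap that lets a ping succeed but database replication fail.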
