Vpn client hostnames and FQDN being altered post routing

lernah
OpenVpn Newbie
Posts: 9
Joined: Tue Sep 05, 2017 4:01 pm

Vpn client hostnames and FQDN being altered post routing

Post by lernah » Fri Jan 05, 2018 4:12 pm

Hello,
I'm using OpenVPN Access Server, which is located at AWS. In my network I have 2 clients, which belong to a group with their own subnet.
Each of those clients has been assigned a static IP by the VPN server, over which other users can communicate with it.
Also, I'll add that I'm routing my clients' traffic through the VPN server, and the option "Have clients use the same DNS servers as the Access Server host" is set.

When Client#1 sends a message (using RPC) to Client#2 using Client#2's static IP address, the message is received at Client#2.

When Client#2 receives the message, it tries to resolve the message's origin using the routine getnameinfo from the <sys/socket.h> and <netdb.h> libraries.

It gets back an AWS internal address, something like ip-10-251-50-12.ec2.eu.west-2.internal (getnameinfo returns the socket's FQDN).

Yet this is not the sender's hostname or its static IP?
I'm assuming that it's the internal address of the VPN server located at AWS, because when I try to use this address to send a message back it doesn't work.

All in all, what I'm trying to achieve is this:
I want that when Client#1 sends a message to Client#2 and Client#2 tries to resolve the sender's address, it gets either its hostname or its static IP or an address that I can actually use in order to reach back to Client#1.

I did some research and the only thing I have in mind is something to do with the DNS that is located at Amazon...
I would love to get some help on how to achieve it.

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Vpn client hostnames and FQDN being altered post routing

Post by novaflash » Fri Jan 05, 2018 4:18 pm

If client 1 has a static IP and client 2 has a static IP, isn't that everything you need to get communication between these two working...?
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.

lernah
OpenVpn Newbie
Posts: 9
Joined: Tue Sep 05, 2017 4:01 pm

Re: Vpn client hostnames and FQDN being altered post routing

Post by lernah » Fri Jan 05, 2018 4:20 pm

Yes, you are correct, though I have more than two clients overall, so let's say I have 3 clients now and both of them appear with an AWS internal address; how do I distinguish them by their static IPs?

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Vpn client hostnames and FQDN being altered post routing

Post by novaflash » Fri Jan 05, 2018 4:28 pm

I suppose you set up your own DNS server and assign records to it, one for each system, and their static IP addresses...?

lernah
OpenVpn Newbie
Posts: 9
Joined: Tue Sep 05, 2017 4:01 pm

Re: Vpn client hostnames and FQDN being altered post routing

Post by lernah » Fri Jan 05, 2018 5:39 pm

Hi, thanks for the help!

I had a feeling it's a DNS issue, though when you say "one for each system", what do you mean?

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Vpn client hostnames and FQDN being altered post routing

Post by novaflash » Fri Jan 05, 2018 5:47 pm

Well usually if you want to set up a DNS system you create a DNS server and in there you put a zone with records, like whatever.local and bla.local and pc1.local and pc2.local and so on.

lernah
OpenVpn Newbie
Posts: 9
Joined: Tue Sep 05, 2017 4:01 pm

Re: Vpn client hostnames and FQDN being altered post routing

Post by lernah » Tue Jan 09, 2018 4:43 pm

Hi again!

So basically I think the problem is a little bit different from what I described here; I spent a couple of days going over and over the OpenVPN docs.
All in all, the problem right now is this:
I have 3 clients, let's call them A, B; all of them have a static IP and a private subnet.
Client A is a local computer connected to the VPN.
Client B is an EC2 instance in a default VPC in AWS (connected as a normal client to the VPN).

When client A sends a message to client B (and vice versa), the message hops and is sent by another "computer" or address before it reaches client B.
Traceroute from client A to client B:
1 ip-172-XX-XXX-1.eu-central-1.compute.internal (172.XXX.XXX.1) 58.166 ms 56.350 ms 56.382 ms ------- The problem --------
2 ip-XXX-XXX-XXX-XXX.eu-central-1.compute.internal (client B ip) 57.746 ms 57.328 ms 58.304 ms -------- the client I'm trying to send a message to -----

Now, the 1st line, after a little investigation I did, is the first IP that the VPN allocates for dynamic users.
What I mean here is that if I create a new user in the VPN, the dynamic IP he will receive will have the exact same address as line 1 except the last part of the IP (since 1 is reserved for the VPN server), which will be different.

My clients' traffic is set to go through the VPN so I'm not that surprised by that, yet my question is IF there is any way (using routing/bridging/whatever) that my two VPN clients can communicate directly without the middle hop while my clients' internet traffic is still routed through the VPN?

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Vpn client hostnames and FQDN being altered post routing

Post by novaflash » Tue Jan 09, 2018 5:07 pm

I am having quite some trouble understanding your point, but it seems to me like the virtual private network that exists purely between the VPN clients and the VPN server is set up in such a way that traffic from a VPN client must first go through the VPN server, and instead you want it to go directly between VPN clients without the VPN server being in between. Am I understanding that correctly?

If so, then no, that's not possible, unless you set up a completely different VPN setup, which, while technically possible, would be awkward at best.

lernah
OpenVpn Newbie
Posts: 9
Joined: Tue Sep 05, 2017 4:01 pm

Re: Vpn client hostnames and FQDN being altered post routing

Post by lernah » Tue Jan 09, 2018 5:19 pm

Yes, you understood it pretty much right. To make myself a little bit clearer, the problem is that when the receiver of the message tries to retrieve the sender's IP, it gets the IP of the middle computer and not the IP of client A.

It's not that I don't want the VPN server to be in the middle; the problem is that when the VPN server forwards that message to client B, it also becomes the sender of the message and it's impossible (network-wise) to reach back to the sender.

So I guess it is not possible?

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Vpn client hostnames and FQDN being altered post routing

Post by novaflash » Tue Jan 09, 2018 7:24 pm

I still have trouble understanding your case. When I use packet capturing and do a ping from one VPN client to another, I clearly see the correct source IP address of the VPN client.

lernah
OpenVpn Newbie
Posts: 9
Joined: Tue Sep 05, 2017 4:01 pm

Re: Vpn client hostnames and FQDN being altered post routing

Post by lernah » Tue Jan 09, 2018 11:41 pm

My Access Server is at AWS.
I have client A, which is connected with all the privileges it can have to the network, and a static IP.
I have client B, which is a local computer connected to the VPN.

B sends a message (RPC, for that matter) to A.
A receives the message and checks the sender's name (or its IP/FQDN).
A doesn't receive B's static IP address, but gets some specific other address, the first address that the VPN server can allocate, even though B sent A a message over a static IP address.

Though it makes sense, because all traffic goes through the VPN, and the socket that sends the message to A isn't B (by the traceroute log), it's the VPN.

I can't distinguish in A between two users B & C by IP or FQDN/hostname.

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Vpn client hostnames and FQDN being altered post routing

Post by novaflash » Wed Jan 10, 2018 7:12 am

I have 2 computers both connected to the VPN. They are both in the VPN client subnet. I ping from one client to the other. TCPdump shows this:

08:10:43.964321 In ethertype IPv4 (0x0800), length 100: 172.16.91.211 > 172.16.91.212: ICMP echo request, id 1424, seq 2, length 64
08:10:43.964574 Out ethertype IPv4 (0x0800), length 100: 172.16.91.212 > 172.16.91.211: ICMP echo reply, id 1424, seq 2, length 64

Those are the 2 IP addresses of the VPN clients. Thus proof is given that the original sender IP is retained in the packets travelling between the 2 VPN clients.

There is no need, reason, or configuration option, to put NAT on this traffic. So I still do not understand your situation. It should not be happening.

lernah
OpenVpn Newbie
Posts: 9
Joined: Tue Sep 05, 2017 4:01 pm

Re: Vpn client hostnames and FQDN being altered post routing

Post by lernah » Wed Jan 10, 2018 12:46 pm

Nope, here is my tcpdump log from the client B machine.
Client A static IP 172.31.29.6 => ping to client B static IP (mainserver):
12:28:34.003515 IP ip-172-27-XXX-Y.eu-central-1.compute.internal > mainserver: ICMP echo request, id 11034, seq 1, length 64
12:28:34.003532 IP mainserver > ip-172-27-XXX-Y.eu-central-1.compute.internal: ICMP echo reply, id 11034, seq 1, length 64

Though this address, ip-172-27-XXX-Y.eu-central-1.compute.internal, isn't client A, nor does it reach client A.

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Vpn client hostnames and FQDN being altered post routing

Post by novaflash » Wed Jan 10, 2018 1:17 pm

To be clear, you are saying that these 2 computers are both connected to the VPN server. And by that you actually do mean that they both have an active VPN tunnel, each one of them, to the same VPN server. And you are pinging from one internal VPN client subnet IP address for VPN client A, to the internal VPN client subnet IP address for VPN client B.

Is this correct?

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Vpn client hostnames and FQDN being altered post routing

Post by novaflash » Wed Jan 10, 2018 1:19 pm

Also, please use something like -n in the tcpdump command to make the results numeric; this DNS hostname stuff is only confusing. Clear data, please. You can do stuff like tcpdump -eni any icmp to monitor all network interfaces for ICMP traffic and output in numeric format instead of hostnames.

lernah
OpenVpn Newbie
Posts: 9
Joined: Tue Sep 05, 2017 4:01 pm

Re: Vpn client hostnames and FQDN being altered post routing

Post by lernah » Wed Jan 10, 2018 3:17 pm

I'm not sure about the terminology, though what I do have is:
Machine A running Linux; this machine is connected to the VPN server using the openvpn --config command from the terminal.
This client is configured with static IP 172.31.29.4.

I have another machine (B) over at AWS, running Linux and connected to the VPN server using the openvpn --config command from the terminal.
This client is also configured with static IP 172.31.29.3.

Both of the clients are configured to allow access to these networks:
0.0.0.0/0
172.31.29.0/24

They are both admins.

-------------------
"And by that you actually do mean that they both have an active VPN tunnel, each one of them, to the same VPN server."
If I understood you correctly, you are asking if both of these clients are connected to the same Access Server? If so, yes. I'm not sure how to verify if they both have an active VPN tunnel?

Regarding the tcpdump, I did what you asked (-eni any icmp):
pinging 172.31.29.3 from client A (172.31.29.4).
The tcpdump log is from 172.31.29.3 (machine B):

15:12:47.150508 In ethertype IPv4 (0x0800), length 100: 172.27.232.1 > 172.31.29.3: ICMP echo request, id 2652, seq 1, length 64
15:12:47.150525 Out ethertype IPv4 (0x0800), length 100: 172.31.29.3 > 172.27.232.1: ICMP echo reply, id 2652, seq 1, length 64
15:12:48.151450 In ethertype IPv4 (0x0800), length 100: 172.27.232.1 > 172.31.29.3: ICMP echo request, id 2652, seq 2, length 64
15:12:48.151467 Out ethertype IPv4 (0x0800), length 100: 172.31.29.3 > 172.27.232.1: ICMP echo reply, id 2652, seq 2, length 64
15:12:49.151662 In ethertype IPv4 (0x0800), length 100: 172.27.232.1 > 172.31.29.3: ICMP echo request, id 2652, seq 3, length 64
15:12:49.151679 Out ethertype IPv4 (0x0800), length 100: 172.31.29.3 > 172.27.232.1: ICMP echo reply, id 2652, seq 3, length 64

And repeating itself.

Thanks for the help!!
So again, looking at this log, 172.27.232.1 by what I understand is the first address in the dynamic IP pool that the VPN server can allocate.
I'm expecting to get
172.31.29.4 > 172.31.29.3
172.31.29.3 > 172.31.29.4
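Added example, not code from the thread: a Python check for exactly this symptom. It assumes the group's static-IP subnet is 172.31.29.0/24 as stated above, parses `tcpdump -eni any icmp` lines like the ones in this post, flags inbound requests whose source is not a real client address (the sign that the server is substituting its own address), and shows the numeric getnameinfo call an RPC receiver like client B could use instead of a reverse-DNS FQDN.

```python
import ipaddress
import re
import socket

# Constructed sample in the format of `tcpdump -eni any icmp`, modelled on the
# capture above: client B is 172.31.29.3, 172.27.232.1 is the address that
# replaced client A's static IP, and the third line shows the expected case.
SAMPLE_CAPTURE = """\
15:12:47.150508 In ethertype IPv4 (0x0800), length 100: 172.27.232.1 > 172.31.29.3: ICMP echo request, id 2652, seq 1, length 64
15:12:47.150525 Out ethertype IPv4 (0x0800), length 100: 172.31.29.3 > 172.27.232.1: ICMP echo reply, id 2652, seq 1, length 64
15:12:48.151450 In ethertype IPv4 (0x0800), length 100: 172.31.29.4 > 172.31.29.3: ICMP echo request, id 2653, seq 1, length 64
"""

# Static-IP subnet of the clients' group, taken from the thread (assumption).
CLIENT_SUBNET = ipaddress.ip_network("172.31.29.0/24")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>In|Out) .*?: (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"(?P<proto>\w+) (?P<kind>echo request|echo reply)"
)


def parse_capture(text):
    """Yield (direction, src, dst, kind) for each numeric ICMP line tcpdump printed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["dir"], ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]), m["kind"]


def find_rewritten_sources(text, subnet=CLIENT_SUBNET):
    """Sources of inbound echo requests that are NOT in the VPN client subnet.
    Such a source is what the receiver will see and reply to, so it cannot be
    mapped back to the real client; an empty list is the healthy result."""
    return sorted({str(src) for d, src, _dst, kind in parse_capture(text)
                   if d == "In" and kind == "echo request" and src not in subnet})


def numeric_peer(sockaddr):
    """Peer address from accept()/recvfrom() as a numeric string: NI_NUMERICHOST
    skips the reverse-DNS lookup that produced the *.compute.internal names."""
    host, _port = socket.getnameinfo(sockaddr, socket.NI_NUMERICHOST | socket.NI_NUMERICSERV)
    return host


def peer_is_vpn_client(sockaddr, subnet=CLIENT_SUBNET):
    """True when the address the application sees is one of the group's static client IPs."""
    return ipaddress.ip_address(numeric_peer(sockaddr)) in subnet


if __name__ == "__main__":
    print("rewritten sources:", find_rewritten_sources(SAMPLE_CAPTURE))
    print("172.27.232.1 is a VPN client:", peer_is_vpn_client(("172.27.232.1", 5000)))
```

Feed it the output of `tcpdump -eni any icmp -l` on the receiving client; any address it reports as rewritten is the one to compare against the Access Server's address pools.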

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Vpn client hostnames and FQDN being altered post routing

Post by novaflash » Wed Jan 10, 2018 3:59 pm

Okay, thanks for that.

I am not sure about why you are using the access rules to give access to these two subnets:
> 0.0.0.0/0
> 172.31.29.0/24

The subnet that the VPN clients are in themselves does not need an access rule. By default they will have access to that subnet, so that rule is not necessary; it would be best to remove it.

Regarding 0.0.0.0/0, that should not be necessary and it is better to use the option under VPN Settings > route all client internet traffic through the VPN server to enable this.

> They are both admins.

I suggest using admin user for admin purposes, and normal users for VPN purposes. Unexpected results may occur if you use admin users.

> This client that is configured with static ip 172.31.29.4
> This client is configured also with static ip 172.31.29.3

My test was also with static IP addresses. But admittedly mine were from a subnet assigned to a specific group that both users were a member of and not the 'default group address pool' setting. Might be worth trying it out when using a group subnet?

lernah
OpenVpn Newbie
Posts: 9
Joined: Tue Sep 05, 2017 4:01 pm

Re: Vpn client hostnames and FQDN being altered post routing

Post by lernah » Wed Jan 10, 2018 4:56 pm

YES IT WORKS !!!!
Thank you so much :)

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Vpn client hostnames and FQDN being altered post routing

Post by novaflash » Wed Jan 10, 2018 8:11 pm

So.. what was the magic trick?