
issues with connectivity during setting up vpn with aws

Posted: Thu Sep 05, 2019 9:13 pm
by santhoshb2610
Hi, this is Santhosh.
I was trying to establish a VPN connection between our server 0 and AWS. I wanted to connect server 0 (which many users can connect to through SSH from their systems). From server 0 the users must be able to connect to AWS securely via VPN. So, as a test case scenario, I was logging into machine 0 (located on-premises) from server 0 (on-premises) through SSH.
I was doing SSH from server 0 (server 0 subnet) to get into machine 0 ( and from machine 0 I wanted to connect to AWS via VPN using the "client VPN endpoint" service in AWS. (My network on-premises is private, and I wanted to connect to a private network/private subnet in AWS.)

On my end I was logging into machine 0 from server 0 using SSH and running the client configuration file on machine 0 to establish a VPN tunnel between machine 0 and AWS. But when I run the client configuration file it is indeed establishing a VPN tunnel from machine 0 to AWS, but I was losing the SSH connection from server 0 to machine 0.
If I add "route net_gateway" to the client configuration file and run it, then machine 0 is not losing the SSH connection with server 0 and is also establishing the VPN tunnel between machine 0 and AWS, but it is losing its regular connectivity, like internet connectivity, on machine 0. Why?
I wanted to establish an active VPN connection between machine 0 and AWS, but it should not affect the network connectivity of machine 0; it should add the AWS tunnel in addition to machine 0's connectivity.

The procedure I followed and the client configuration file I got:
I created the certificates on the machine as described in the AWS documentation ( ... ation.html) and uploaded them to AWS Certificate Manager.
Created a VPC with CIDR range 172.16.0.0/16
Created a subnet with CIDR range
Created a NACL and attached them. As it is a test case, I allowed all traffic.
Created a security group with the following rules:
inbound rules:

Custom UDP Rule UDP 1194
Custom UDP Rule UDP 1194
SSH TCP 22 ast arm users
SSH TCP 22 ipcidr assigned
Custom TCP Rule TCP 943
Custom TCP Rule TCP 943
HTTPS TCP 443 ::/0

Outbound rules:
All traffic All All

Created a client VPN endpoint with CIDR range, associated the VPC and subnet to it, and downloaded the client config file.
I installed OpenVPN on machine 0 and ran the config file (attached the <cert> and <key> into the file). I was able to establish a VPN tunnel (tun0) from machine 0 to the AWS client VPN endpoint and can see an active connection under the connections section of the client VPN endpoint, but was losing the SSH connection with server 0, from which I logged into machine 0 and performed this process.
I tried adding "route net_gateway" to the client configuration file (.ovpn file) downloaded from AWS and ran the file. This time the VPN tunnel between machine 0 and AWS was established and the SSH connection with server 0 was not lost, but machine 0's connectivity was lost. For example, I was able to log in to machine 0 from server 0 using SSH, and on the machine I was able to ping when there was no VPN connection or tunnel running. While the VPN config file is running and the VPN tunnel is up I was unable to ping; it was restricting my network connectivity, and I can't even ping the instance ( inside AWS.
This is the client configuration file I was running in the machine 0:
dev tun
proto udp
remote 443
resolv-retry infinite
remote-cert-tls server
cipher AES-256-GCM
verb 3
route net_gateway (the downloaded client configuration file doesn't contain this line; I added it to keep the SSH connection between server 0 and machine 0 alive and connected while the VPN tunnel establishes. If I remove it, I was losing SSH connectivity from the server to the machine.)

<cert> (added this cert as per ... n-getting- started.html)

<key>(added this key as per ... n-getting- started.html)


reneg-sec 0
This is the routing table of machine 0 when this VPN with AWS is not running:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default UG 0 0 0 ens6
U 0 0 0 ens6

This is the routing table of machine 0 when this VPN with AWS is running:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
UG 0 0 0 tun0
default UG 0 0 0 ens6
UG 0 0 0 ens6
U 0 0 0 ens6
ec2-52-4-224-24 UGH 0 0 0 ens6
UG 0 0 0 tun0
U 0 0 0 tun0

I want to keep the network and connectivity of machine 0 as it is and add/establish a VPN connection to the AWS private subnet without changing or affecting machine 0's network or connectivity, keeping it intact (like adding an additional route to AWS on machine 0), so users can perform their normal actions on machine 0 and also perform actions in AWS.
If further info or details are needed, I will be happy to share them to the best of my knowledge.
Can anyone help me out with what's wrong? Why is machine 0 losing the SSH connectivity with server 0? If I add the route to the config file it is not losing the SSH connection, but I couldn't ping the AWS instance and was also losing regular connectivity, like the internet access of machine 0, which it had before running the client config file .ovpn.
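Added diagnostic example, not from the post or from OpenVPN itself: a lookup that mimics the kernel's longest-prefix match over `route -n` output, so you can see which interface the reply packets to the SSH peer take before and after the tunnel comes up. It assumes the endpoint pushes a full-tunnel route the way OpenVPN's redirect-gateway def1 does (0.0.0.0/1 and 128.0.0.0/1 via tun0) plus a host route to the endpoint; all addresses, the interface names and the SSH peer 203.0.113.9 are constructed placeholders.

```python
import ipaddress

# Constructed `route -n` tables (same columns as the post); placeholder addresses.
BEFORE_VPN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 ens6
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 ens6
"""

# Same host with a full-tunnel OpenVPN session up: the server pushed 0.0.0.0/1
# and 128.0.0.0/1 via tun0 (OpenVPN's redirect-gateway def1 pattern) and a host
# route for the VPN endpoint so the tunnel itself still leaves via ens6.
AFTER_VPN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 ens6
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 ens6
198.51.100.7    192.0.2.1       255.255.255.255 UGH   0      0        0 ens6
"""

def parse_routes(text):
    """Turn `route -n` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or not cols[0][0].isdigit():
            continue  # skip the two header lines
        net = ipaddress.ip_network(f"{cols[0]}/{cols[2]}", strict=False)
        routes.append((net, cols[1], cols[7]))
    return routes

def lookup(text, dst):
    """Longest-prefix match, as the kernel does: (iface, gateway) for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in parse_routes(text):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return (best[2], best[1]) if best else None

def path_moved_to_tunnel(before, after, dst):
    """True when dst was reached via another interface before the VPN and via
    tun0 once it is up, i.e. the peer's return path has been captured."""
    b, a = lookup(before, dst), lookup(after, dst)
    return b is not None and a is not None and b[0] != "tun0" and a[0] == "tun0"
```

If `path_moved_to_tunnel` is true for the SSH peer, the replies back to server 0 are now sent into the tunnel, which is why that session drops once tun0 is up. A route for that peer's network with net_gateway as its gateway, or a split-tunnel endpoint that does not push the default route, keeps that return path on ens6.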

Re: issues with connectivity during setting up vpn with aws

Posted: Fri Sep 06, 2019 10:18 am
by novaflash
Hello. I took the liberty of redacting the private keys and so on from your post. Never post those. You can consider yourself compromised now and if you have the option to revoke these certificates and get new ones, that would be best now. Don't share those with the public.

However, the Amazon AWS documentation you are linking to is not our OpenVPN Access Server product. If you want to use our official OpenVPN Access Server software product you should take a look at this page

Regarding the Amazon AWS solution, I can only point you to Amazon AWS support personnel for support with that.