[SOLVED] Routed Connections initiated by EC2 -> Clients

Posted: Mon Aug 02, 2021 10:23 pm
by dickie_uk
Hi! Long time lurker, first time poster!

I've been looking through all the threads, and it seems like all the info I need is scattered around - so I'm just really looking for a sanity check on the below;

Scenario - Running OpenVPN AS as an EC2 image in a private VPC on AWS.
I have it successfully up and running in routed mode and can connect from the VPN clients to EC2 hosts on the VPC subnet with no problems.
Using TCPview I can confirm that the connections arrive as routed from the VPN client address, and are not NAT'd behind the gateway.
I have disabled source/destination checks on the EC2 instance running the server, and have static routes for the VPN client subnet in the VPC route table pointing back at the OpenVPN server.
Short version - everything works VPN Client -> VPC routed

When initiating connections back *to* the VPN client FROM EC2 it doesn't seem to route the other way.
I have confirmed that the EC2 security group for the access server is allowing incoming connections from the VPC subnet, so I assume that after that the VPN server passes them back to the client, but it never seems to establish the connection.

What else am I missing?
Do I need IP forwarding locally on the clients (to allow traffic to pass between the tunnel interface and the LAN interface hosting the TCP service)? Or have I missed some other critical part of the process?
Thanks for any input!!

Re: Routed Connections initiated by EC2 -> Clients

Posted: Tue Aug 03, 2021 5:02 pm
by TinCanTech
You need to tell the server where all the various client LANs are.

Re: Routed Connections initiated by EC2 -> Clients

Posted: Tue Aug 03, 2021 5:44 pm
by dickie_uk
But in my routed connection, TCPview on the EC2 instance shows the incoming TCP connection coming from the 172.24.27.x VPN subnet.
Are you suggesting that you cannot initiate a connection back to that same VPN client address? And that the outbound connection would have to be to the 'real' client-side LAN address? (So I'd need static routes in the VPC for the remote 192.168.1.x subnet via the OpenVPN server, and initiate the connection to the 192.168.1.x address.)

Re: Routed Connections initiated by EC2 -> Clients

Posted: Tue Aug 03, 2021 5:49 pm
by openvpn_inc
Hello _uk,

You should be able to reach the VPN clients by their VPN client IP address.

If that fails you might want to check firewall settings on the client devices. You might also want to run tests like tcpdump and Wireshark and such to confirm whether or not packets are arriving.

If you try to reach VPN clients by their local IP in the local network, you will fail, because the clients do not expect that and you need to configure that separately. That is not a normal use-case in any case. If you really want this, look into setting up a site-to-site connection so that one VPN device can handle those requests without having to mess with the individual VPN client devices.

Kind regards,
Johan
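As an added example (not part of this thread or of OpenVPN's own tooling): a small Python probe that an admin can run from the EC2 side against a client's VPN address. It separates "refused" (the packet reached the client and a RST came back, so routing works and nothing is listening) from "timeout" (the packet was silently dropped, which is what a host firewall or IDS on the client, or a missing VPC route, looks like). The VPN client address 172.24.27.10 and port 8080 used in the demo are placeholders; the offline self-test below uses loopback listeners it constructs itself.

```python
import socket
import threading

# What each outcome usually means when probing a VPN client from the VPC side.
MEANING = {
    "open": "reachable: route and client firewall both allow the connection",
    "refused": "host reachable (RST returned) but nothing listening on that port",
    "timeout": "packets dropped: suspect client firewall/IDS or a missing return route",
    "unreachable": "no route from this host: check VPC route table / source-dest check",
}

def probe_tcp(host, port, timeout=3.0):
    """Attempt a TCP connect and classify the result rather than just pass/fail."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:          # must precede OSError (it is a subclass)
        return "timeout"
    except OSError:                 # e.g. ENETUNREACH / EHOSTUNREACH
        return "unreachable"

def diagnose(host, port, timeout=3.0):
    result = probe_tcp(host, port, timeout)
    return result, MEANING[result]

# --- helpers for an offline self-test (constructed, loopback only) ---
def start_listener():
    """Open a one-shot TCP listener on loopback; returns its ephemeral port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def accept_once():
        conn, _ = srv.accept()
        conn.close()
        srv.close()
    threading.Thread(target=accept_once, daemon=True).start()
    return port

def closed_port():
    """Reserve and release an ephemeral port so a probe of it is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    print(diagnose("127.0.0.1", start_listener()))   # open
    print(diagnose("127.0.0.1", closed_port()))      # refused
    print(diagnose("172.24.27.10", 8080))            # placeholder VPN client
```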

Re: Routed Connections initiated by EC2 -> Clients

Posted: Tue Aug 03, 2021 7:17 pm
by dickie_uk
Thanks for the reply - I was just coming back to comment that it was in fact some IDS/IDP running on the client. I ran it from another client with a clean OS build and I can now connect back to TCP services running on the VPN client device.

Thanks again for the help/support!