AWS access server routing

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Avery
OpenVpn Newbie
Posts: 1
Joined: Wed Aug 25, 2021 3:28 pm

AWS access server routing

Post by Avery » Thu Aug 26, 2021 2:06 am

Hey All,
I have an ec2 openvpn access server within a vpc with two other ec2 windows servers. I was able to set up NAT just fine, however, the applications on the servers heavily rely on network shares and file transfers, and was suuuupper slow when more than one VPN client connected, so I decided to try to set up routing hoping that'll resolve the issue.

So here is my setup: I've got a VPC with a 10.0.0.0/16 CIDR, a subnet using 10.0.0.0/24 (where the application servers are), and the routing table allows 10.0.0.0/16 local and 0.0.0.0/0 to the internet gateway. The network ACL allows the ports for OpenVPN, and the security group allows all traffic to make troubleshooting easier at the moment. Also, in the main routing table the VPN client subnet 10.1.0.0/24 is pointing to the OpenVPN Access Server instance. I've set up each VPN client user with a static IP within this subnet (actually only one user for right now).

I've made sure to disable the source/destination check on the OpenVPN Access Server EC2 instance.

In the Admin UI > Configuration > Network Settings, I'm listening on all interfaces, using multi-daemon mode and the default ports.

Configuration > VPN Settings: using routing, specified 10.0.0.0/16 as the subnets the clients should be able to reach, allowed internet traffic through the VPN (I've tried with and without), clients allowed access to network services on the VPN gateway.

Configuration > Advanced VPN: allowed inter-client communication, disabled multiple sessions per user, TLS enabled, private routed subnets 10.0.0.0/16.

The issue is, I'm unable to communicate with the two other Windows servers within the VPC at all; the only thing I can ping is the VPN server at its private IP in the 10.0.0.0/24 subnet (same net as the Windows servers).

The objective is to be able to communicate with those servers, attach network shares and have a fast file transfer rate between client and server. Multiple clients will need to access programs running on these servers at the same time; I'm planning on modifying the EC2 instance type as the demand increases.

Help is greatly appreciated!

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: AWS access server routing

Post by openvpn_inc » Sun Aug 29, 2021 1:00 pm

Hi there,

You mentioned that you are using routing mode, right?
Configuration > VPN Settings using routing, specified 10.0.0.0/16 as the subnets the clients should be able to reach, allowed internet traffic through vpn (I've tried with and without), clients allowed access to network services on vpn gateway.
With this mode, if you are unable to connect to the remote private subnet, make sure that the proper access is delegated inside Access Server (e.g. make sure your local subnets are listed under VPN Settings, in the "Specify the private subnets to which all clients should be given access (as 'network/netmask_bits', one per line):" text box). If you are using the "Yes, using routing (advanced)" option, make sure that you have added the proper static routes.

So, in routing mode, where the source IP of the packets coming from VPN clients remains intact, the Amazon network may have security features that block this traffic, so with routing special steps need to be taken. You will need to implement a static route that guides replies to VPN client traffic back through the Access Server instance. In Amazon AWS, when you use routing, your VPC should have a routing table set up that contains a static route pointing the VPN client subnet to the Access Server instance, so traffic can find its way there. Find that routing table in the Amazon AWS console by going to the VPC Dashboard and then to Route Tables. This is where you can set up routing for the VPN client subnet, or site-to-site traffic to additional subnets behind VPN clients. When you add a subnet to the routing table you must specify a target. The target can be the AMI ID of the Access Server instance. It should then recognize that this particular EC2 instance with Access Server running on it is the gateway to the VPN client subnet.

Another item specific to Amazon is source/destination checking. Crudely put, this is a security setting on the EC2 instance itself that basically just looks at traffic coming from and going to the EC2 instance, and if it isn't traffic that has either a source or destination IP matching that EC2 instance's network interface address, then it just gets filtered away. Since the VPN clients in routing mode, as well as site-to-site traffic, will send packets through the Access Server while retaining the original source IP of these packets, this security setting will filter this traffic away. Likewise, traffic going to the VPN client IP addresses or site-to-site subnets and trying to pass through the Access Server will be filtered away in the same way. To resolve this, go to your EC2 Dashboard, go to Instances and look up your specific instance that runs Access Server. Then right-click it and in the Networking menu choose "Change Source/Dest. Check". Click the "Yes, disable" button to disable this setting and let the traffic pass through. If you run a site-to-site VPN client gateway system on Amazon you will have to do the same for that instance too.

Regards,
Crowley
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
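An added example, not code from either poster or from OpenVPN Inc.: an offline audit of the two AWS settings the reply calls out (a route for the VPN client subnet that targets the Access Server instance, and the source/destination check disabled on that instance), run over constructed data shaped like the output of `aws ec2 describe-route-tables` and `aws ec2 describe-instance-attribute --attribute sourceDestCheck`. It also covers one caveat that applies in general: a subnet explicitly associated with its own route table ignores the VPC main table, so a route added only to the main table does not apply there. All resource IDs are placeholders; the CIDRs are the ones from the thread.

```python
import ipaddress

VPN_CLIENTS = "10.1.0.0/24"            # VPN client subnet from the thread
APP_SUBNET = "subnet-app-PLACEHOLDER"  # subnet holding the Windows servers (placeholder id)
AS_INSTANCE = "i-as-PLACEHOLDER"       # EC2 instance running Access Server (placeholder id)
# Constructed data shaped like `aws ec2 describe-route-tables` output; not a real account.
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-main-PLACEHOLDER", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER", "State": "active"},
                {"DestinationCidrBlock": VPN_CLIENTS, "InstanceId": AS_INSTANCE, "State": "active"}]},
    # Explicitly associated with the app subnet, so it (not the main table) applies there.
    {"RouteTableId": "rtb-app-PLACEHOLDER", "Associations": [{"Main": False, "SubnetId": APP_SUBNET}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER", "State": "active"}]},
]}
# Constructed like `aws ec2 describe-instance-attribute --attribute sourceDestCheck` output.
SRC_DST_CHECK = {"InstanceId": AS_INSTANCE, "SourceDestCheck": {"Value": False}}

def effective_route_table(route_tables, subnet_id):
    """Table that applies to subnet_id: an explicit association wins, else the VPC main table."""
    main = None
    for rt in route_tables["RouteTables"]:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def most_specific_route(rt, cidr):
    """Longest-prefix match for cidr among active routes, which is how the VPC router picks one."""
    want = ipaddress.ip_network(cidr)
    matches = [r for r in rt["Routes"] if r.get("State") == "active" and "DestinationCidrBlock" in r
               and ipaddress.ip_network(r["DestinationCidrBlock"]).supernet_of(want)]
    return max(matches, key=lambda r: int(r["DestinationCidrBlock"].split("/")[1]), default=None)

def audit(route_tables, src_dst_attr, subnet_id, vpn_cidr, instance_id):
    """Return findings that would stop replies reaching VPN clients; an empty list means OK."""
    rt = effective_route_table(route_tables, subnet_id)
    if rt is None:
        return [f"no route table applies to {subnet_id}"]
    findings = []
    route = most_specific_route(rt, vpn_cidr)
    if route is None or route.get("InstanceId") != instance_id:
        via = (route.get("InstanceId") or route.get("GatewayId")) if route else "nothing"
        findings.append(f"{rt['RouteTableId']}: {vpn_cidr} goes via {via}, not {instance_id}")
    if src_dst_attr["SourceDestCheck"]["Value"]:
        findings.append(f"{instance_id}: source/destination check is still enabled")
    return findings
```

With the constructed data the app subnet's own table has no route for 10.1.0.0/24, so return traffic from the Windows servers would follow 0.0.0.0/0 to the internet gateway instead of the Access Server; the main table, which only applies to subnets without an explicit association, passes.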
