AWS private IP is the source IP when pinging client from server on AWS

silegnadc
OpenVpn Newbie
Posts: 2
Joined: Sun Aug 01, 2021 8:43 pm

AWS private IP is the source IP when pinging client from server on AWS

Post by silegnadc » Sun Aug 01, 2021 8:55 pm

Hello everyone,
I have set up an OpenVPN server on an EC2 instance. I can ping the VPN server IP from the VPN clients, but cannot ping clients from the server.
After some tcpdump debugging, I noticed that, when sending a curl request, the source IP of the request is the private IP of the instance in the AWS subnet.


20:52:48.640329 IP 10.0.0.123 > 172.16.0.101: ICMP echo request, id 3, seq 1, length 64
Where: 10.0.0.123 is the private IP of the AWS instance running OpenVPN server, and 172.16.0.101 is the client IP within the OpenVPN subnet. I was expecting the source IP to be 172.16.0.1.


Server Configuration

port 1194
proto udp
dev tun

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh.pem
tls-auth /etc/openvpn/keys/ta.key 0
tls-server
auth SHA256
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

server 172.16.0.0 255.255.255.0
topology subnet
ifconfig-pool-persist ipp.txt
client-config-dir ccd

push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 172.16.0.0 255.255.255.0"
push "dhcp-option DNS 172.16.0.1"
keepalive 5 30
compress lzo
persist-key
persist-tun
user nobody
group nogroup


status status-openvpn_udp_1194.log
status-version 1
log-append /var/log/openvpn.log
verb 3



Server CCD Configuration for client

ifconfig-push 172.16.0.101 255.255.255.0
iroute 172.16.0.0 255.255.255.0



Client Configuration

client

tls-client
auth SHA256
cipher AES-256-CBC
remote-cert-tls server
tls-version-min 1.2

proto udp
remote vpn-server-ip 1194
dev tun

resolv-retry 5
nobind
keepalive 5 30
compress lzo
persist-key
persist-tun
verb 3

route-method exe
route-delay 2

key-direction 1


Any hints?

FYI: The server has been configured through the kyl191/openvpn Ansible role.

Thanks,
S

TinCanTech
Forum Team
Posts: 9655
Joined: Fri Jun 03, 2016 1:17 pm

Re: AWS private IP is the source IP when pinging client from server on AWS

Post by TinCanTech » Sun Aug 01, 2021 10:25 pm

You don't understand routing. You cannot --iroute your VPN subnet behind a client.

silegnadc
OpenVpn Newbie
Posts: 2
Joined: Sun Aug 01, 2021 8:43 pm

Re: AWS private IP is the source IP when pinging client from server on AWS

Post by silegnadc » Sun Aug 01, 2021 10:55 pm

That's true, I'm not really into networking, though I don't think that the iroute configuration is what is causing the wrong source IP, is it?

Thanks

TinCanTech
Forum Team
Posts: 9655
Joined: Fri Jun 03, 2016 1:17 pm

Re: AWS private IP is the source IP when pinging client from server on AWS

Post by TinCanTech » Mon Aug 02, 2021 12:28 am

If you stick a square peg into a round hole then you get damage.

Just get rid of the --iroute
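The following is an added check, not code from the thread, from OpenVPN or from the kyl191/openvpn role. It covers both points raised above: it lints a CCD entry for an iroute that overlaps the server's own VPN pool (the misconfiguration the reply points at), and it parses the tcpdump line from the first post to report whether the source address belongs to the VPN subnet. The server config, CCD entry and tcpdump line are constructed copies of the ones in the thread; the expected server address is assumed to be the first host of the pool, which is what the server directive hands out in topology subnet.

```python
import ipaddress
import re

# Constructed sample input, mirroring the thread's configuration.
SERVER_CONF = """
port 1194
proto udp
dev tun
server 172.16.0.0 255.255.255.0
topology subnet
client-config-dir ccd
"""

CCD_ENTRY = """
ifconfig-push 172.16.0.101 255.255.255.0
iroute 172.16.0.0 255.255.255.0
"""

# Constructed tcpdump line (same as the one posted in the thread).
TCPDUMP_LINE = ("20:52:48.640329 IP 10.0.0.123 > 172.16.0.101: "
                "ICMP echo request, id 3, seq 1, length 64")


def vpn_subnet(server_conf):
    """Return the VPN pool declared by the 'server <net> <mask>' directive."""
    for line in server_conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "server":
            return ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
    raise ValueError("no 'server' directive found")


def iroute_problems(server_conf, ccd_entry):
    """Flag iroute entries that overlap the VPN pool itself.

    An iroute tells OpenVPN that a network sits *behind* a client.  The
    pool lives on the server's own tun interface, so routing it behind a
    client is a misconfiguration (the point made in the reply above).
    """
    subnet = vpn_subnet(server_conf)
    problems = []
    for line in ccd_entry.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "iroute":
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            if net.overlaps(subnet):
                problems.append(f"iroute {net} overlaps VPN subnet {subnet}")
    return problems


# Matches the 'IP <src> > <dst>:' part of an IPv4 ICMP tcpdump line.
TCPDUMP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+):")


def check_source(tcpdump_line, server_conf):
    """Report whether the packet's source address belongs to the VPN pool.

    Returns a dict with the parsed src/dst, whether src is inside the
    pool, and the address the server is expected to use on tun
    (assumed here to be the first host of the pool).
    """
    match = TCPDUMP_RE.search(tcpdump_line)
    if match is None:
        raise ValueError("not an IPv4 tcpdump line")
    src, dst = match.group(1), match.group(2)
    subnet = vpn_subnet(server_conf)
    return {
        "src": src,
        "dst": dst,
        "src_in_vpn": ipaddress.ip_address(src) in subnet,
        "expected_src": str(next(subnet.hosts())),
    }


if __name__ == "__main__":
    for problem in iroute_problems(SERVER_CONF, CCD_ENTRY):
        print("CCD problem:", problem)
    print(check_source(TCPDUMP_LINE, SERVER_CONF))
```

Run against the thread's configuration, the lint reports the 172.16.0.0/24 iroute as overlapping the pool, and the tcpdump check shows the source 10.0.0.123 is outside 172.16.0.0/24 while the tun address would be 172.16.0.1. Pointing it at a CCD entry whose iroute names a network genuinely behind the client (say a 192.168.x.0/24 LAN) reports nothing.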
