AWS private IP is the source IP when pinging client from server on AWS

silegnadc
OpenVpn Newbie
Posts: 2
Joined: Sun Aug 01, 2021 8:43 pm

AWS private IP is the source IP when pinging client from server on AWS

Post by silegnadc » Sun Aug 01, 2021 8:55 pm

Hello everyone,
I have set up an OpenVPN server on an EC2 instance. I can ping the VPN server IP from the VPN clients, but cannot ping clients from the server.
After some tcpdump debugging, I noticed that, when sending a curl request, the source IP of the request is the private IP of the instance in the AWS subnet.


20:52:48.640329 IP 10.0.0.123 > 172.16.0.101: ICMP echo request, id 3, seq 1, length 64
Where: 10.0.0.123 is the private IP of the AWS instance running OpenVPN server, and 172.16.0.101 is the client IP within the OpenVPN subnet. I was expecting the source IP to be 172.16.0.1.


Server Configuration

port 1194
proto udp
dev tun

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh.pem
tls-auth /etc/openvpn/keys/ta.key 0
tls-server
auth SHA256
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

server 172.16.0.0 255.255.255.0
topology subnet
ifconfig-pool-persist ipp.txt
client-config-dir ccd

push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 172.16.0.0 255.255.255.0"
push "dhcp-option DNS 172.16.0.1"
keepalive 5 30
compress lzo
persist-key
persist-tun
user nobody
group nogroup


status status-openvpn_udp_1194.log
status-version 1
log-append /var/log/openvpn.log
verb 3



Server CCD Configuration for client

ifconfig-push 172.16.0.101 255.255.255.0
iroute 172.16.0.0 255.255.255.0



Client Configuration

client

tls-client
auth SHA256
cipher AES-256-CBC
remote-cert-tls server
tls-version-min 1.2

proto udp
remote vpn-server-ip 1194
dev tun

resolv-retry 5
nobind
keepalive 5 30
compress lzo
persist-key
persist-tun
verb 3

route-method exe
route-delay 2

key-direction 1


Any hints?

FYI: The server has been configured through the kyl191/openvpn Ansible role.

Thanks,
S

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: AWS private IP is the source IP when pinging client from server on AWS

Post by TinCanTech » Sun Aug 01, 2021 10:25 pm

You don't understand routing. You cannot --iroute your VPN subnet behind a client.

silegnadc
OpenVpn Newbie
Posts: 2
Joined: Sun Aug 01, 2021 8:43 pm

Re: AWS private IP is the source IP when pinging client from server on AWS

Post by silegnadc » Sun Aug 01, 2021 10:55 pm

That's true, I'm not really into networking, though I don't think that iroute configuration is what is causing the wrong source IP, is it?

Thanks

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: AWS private IP is the source IP when pinging client from server on AWS

Post by TinCanTech » Mon Aug 02, 2021 12:28 am

If you stick a square peg into a round hole then you get damage.

Just get rid of the --iroute
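The mistake flagged above, an iroute in a CCD file that covers the VPN subnet itself, is easy to catch mechanically. The following linter is an added example, not code from the thread or from the kyl191/openvpn role; it parses the `server` directive and each CCD file's `iroute` and `ifconfig-push` lines, using a constructed sample modelled on the configs posted in the thread.

```python
"""Lint OpenVPN CCD files for an iroute that overlaps the VPN subnet.

Added example (not from the thread). Configs are passed in as strings
so the check runs offline; the sample below is constructed.
"""
import ipaddress
import shlex

# Constructed sample input, modelled on the thread's server and CCD configs.
SERVER_CONF = """
server 172.16.0.0 255.255.255.0
topology subnet
client-config-dir ccd
"""
CCD_FILES = {
    # The thread's CCD: iroute for the VPN subnet itself -> finding
    "client1": "ifconfig-push 172.16.0.101 255.255.255.0\niroute 172.16.0.0 255.255.255.0\n",
    # A LAN behind the client, which is what iroute is for -> no finding
    "client2": "ifconfig-push 172.16.0.102 255.255.255.0\niroute 192.168.50.0 255.255.255.0\n",
}

def parse_directives(text):
    """Yield (directive, args) for each non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            yield parts[0], parts[1:]

def vpn_subnet(server_conf):
    """Return the VPN subnet declared by 'server <network> <netmask>'."""
    for directive, args in parse_directives(server_conf):
        if directive == "server" and len(args) >= 2:
            return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    raise ValueError("no 'server' directive found")

def lint_ccd(server_conf, ccd_files):
    """Return (client, message) findings for misrouted CCD entries."""
    subnet = vpn_subnet(server_conf)
    findings = []
    for client, text in ccd_files.items():
        for directive, args in parse_directives(text):
            if directive == "iroute" and args:
                mask = args[1] if len(args) > 1 else "255.255.255.255"
                net = ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)
                if net.overlaps(subnet):  # a client cannot route the VPN subnet
                    findings.append((client, f"iroute {net} overlaps VPN subnet {subnet}"))
            elif directive == "ifconfig-push" and args:
                if ipaddress.ip_address(args[0]) not in subnet:
                    findings.append((client, f"ifconfig-push {args[0]} outside {subnet}"))
    return findings

if __name__ == "__main__":
    for client, msg in lint_ccd(SERVER_CONF, CCD_FILES):
        print(f"{client}: {msg}")
```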
