I have an OpenVPN server set up in one VPC region in AWS (region X). This VPC uses a transit gateway to peer with another VPC in region Y. The OpenVPN server routes traffic from region X to a particular subnet (10.12.0.0/16) in region Y. The OpenVPN server assigns its clients an address in the range (10.4.0.0/17). When this client tries to access a machine in the aforementioned subnet, the source IP address of the client is the IP address of the OpenVPN server (10.1.4.4) instead of the IP address of the OpenVPN client.
In contrast, an OpenVPN server set up in region Y routes traffic to the same subnet and assigns its clients an address in the range (10.9.0.0/17). When a client accesses a machine in this subnet, the source IP address of the client is coming from the client CIDR range (10.9.0.0/17).
Is there any way to ensure that data hitting machines in region Y from clients in region X contains the client CIDR range as the source IP, as opposed to the OpenVPN server IP?
OpenVPN server configuration file:
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.4.0.0 255.255.128.0
ifconfig-pool-persist ipp.txt
push "route 10.12.0.0 255.255.0.0"
push "route-metric 1000"
keepalive 5 120
reneg-sec 360000
ncp-disable
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append openvpn-new.log
verb 3
crl-verify crl.pem
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
management localhost 7505
txqueuelen 1000
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote SERVER-IP 1194
resolv-retry infinite
nobind
explicit-exit-notify 3
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
key-direction 1
verb 3
reneg-sec 0
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.4.0.0/17 anywhere
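As an added illustration (not code from the original post), this Python model of the POSTROUTING nat chain shows why region X clients show up as 10.1.4.4: the MASQUERADE rule on 10.4.0.0/17 rewrites their source address, while the region Y server has no such rule for its pool. The client pools, the 10.12.0.0/16 subnet and the 10.1.4.4 server address are taken from the post; the RETURN rule in FIXED_CHAIN and the sample client addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of an iptables nat POSTROUTING chain. Only the matches
# needed for this question are modelled: source CIDR, destination CIDR and
# a negated destination ("! -d <cidr>").

@dataclass
class NatRule:
    target: str                  # "MASQUERADE", "RETURN" or "ACCEPT"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_negated: bool = False    # models "! -d <cidr>"

def rule_matches(rule: NatRule, src_ip: str, dst_ip: str) -> bool:
    src_ok = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
    in_dst = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
    dst_ok = (not in_dst) if rule.dst_negated else in_dst
    return src_ok and dst_ok

def observed_source(chain, src_ip: str, dst_ip: str, egress_ip: str) -> str:
    """Source address the destination host will see for a new connection.
    First matching terminal target wins, as in iptables; RETURN/ACCEPT in
    the nat table mean 'no NAT for this connection'."""
    for rule in chain:
        if not rule_matches(rule, src_ip, dst_ip):
            continue
        if rule.target == "MASQUERADE":
            return egress_ip          # rewritten to the server's own address
        if rule.target in ("RETURN", "ACCEPT"):
            return src_ip
    return src_ip                     # chain policy ACCEPT: no NAT

# Region X, exactly as shown in the post: everything from the pool is NATed.
REGION_X_CHAIN = [NatRule("MASQUERADE", src="10.4.0.0/17")]
# Region Y server: no MASQUERADE for its pool, so clients keep 10.9.x.x.
REGION_Y_CHAIN = []
# Assumed fix: exempt the peered subnet before the MASQUERADE rule, i.e.
#   iptables -t nat -I POSTROUTING -s 10.4.0.0/17 -d 10.12.0.0/16 -j RETURN
# This only works if region Y (and the transit gateway) have a return route
# for 10.4.0.0/17 pointing back to the OpenVPN instance's interface.
FIXED_CHAIN = [
    NatRule("RETURN", src="10.4.0.0/17", dst="10.12.0.0/16"),
    NatRule("MASQUERADE", src="10.4.0.0/17"),
]
```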