I am setting up a server with Windows Server 2019 and OpenVPN 2.5.3. The configuration files are almost identical, but with different subnets.
I have the Windows Firewall turned off on the server for now until I get it working (I have other AWS security in place).
I can:
* connect a client to the server
* ping the server's virtual IP address from the client
* remote desktop to the server from the client using its virtual IP address
* use AWS Reachability Analyzer to verify that I can get to IP addresses served by the OpenVPN server (10.4.0.0/24) from AWS VPC addresses and vice versa (NOTE: This means that OpenVPN-destined addresses get properly routed to the OpenVPN server and that OpenVPN-sourced packets get routed properly to AWS addresses -- it does not mean that the OpenVPN client was reached)
* ping and otherwise connect to other servers in my AWS VPC from the OpenVPN server
* ping and otherwise connect to the OpenVPN server from other servers in my AWS VPC
I cannot:
* ping or otherwise connect to addresses on my AWS VPC from my OpenVPN client (route pushed for 10.0.0.0/255.255.0.0)
* ping or otherwise connect to my client VPN address from any address on my AWS VPC (route set up to route the OpenVPN subnet to the OpenVPN server)
This seems to be a configuration issue on my OpenVPN server and not an AWS configuration issue at this point.
Server Config
#--------------------------------------------------------------------------
#--------------------------------------------------------------------------
# OpenVPN Server Configuration
#--------------------------------------------------------------------------
#--------------------------------------------------------------------------
#--------------------------------------------------------------------------
# Basic connection configuration
#--------------------------------------------------------------------------
port XXXXX
proto udp
dev tun
dev-node openvpn-primary
keepalive 10 120
explicit-exit-notify 1
max-clients 10
persist-key
persist-tun
#--------------------------------------------------------------------------
# Encryption, keys, certificates
#--------------------------------------------------------------------------
#-------------------
# these are inlined
# at the bottom of
# the file
#-------------------
;ca ca.crt
;cert server.crt
;key server.key
askpass XXXXX
dh dh.pem
tls-auth ta.key 0
cipher AES-256-CBC
#--------------------------------------------------------------------------
# Network topology
#--------------------------------------------------------------------------
topology subnet
server 10.4.0.0 255.255.255.0
client-to-client
#--------------------------------------------------------------------------
# Client configuration
#--------------------------------------------------------------------------
ifconfig-pool-persist ipp.txt
client-config-dir client-config
# AWS VPC
;push "route 10.4.0.0 255.255.255.0"
push "route 10.0.4.0 255.255.255.0"
push "route 10.0.0.0 255.255.0.0"
# XXXXXXX servers
push "route 10.10.0.200 255.255.255.255"
push "route 10.120.0.4 255.255.255.255"
push "dhcp-option DNS 10.0.1.135"
push "dhcp-option DNS 10.0.2.126"
push "dhcp-option DOMAIN XXXXXXX"
#--------------------------------------------------------------------------
# Logging
#--------------------------------------------------------------------------
status openvpn-status.log
log openvpn.log
mute 20
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 9
#--------------------------------------------------------------------------
# Inline creds
#--------------------------------------------------------------------------
<ca>
-----BEGIN CERTIFICATE-----
blah blah blah
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
blah blah blah
-----BEGIN CERTIFICATE-----
blah blah blah
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
blah blah blah
-----END ENCRYPTED PRIVATE KEY-----
</key>
Client Config
client
dev tun
dev-node XXXXX
proto udp
remote XX.XX.XX.XX XXXXX
resolv-retry infinite
nobind
persist-key
persist-tun
askpass XXXXX
remote-cert-tls server
tls-auth radar-dev.ta.key 1
cipher AES-256-CBC
verb 3
mute 20
mute-replay-warnings
# client:
<ca>
-----BEGIN CERTIFICATE-----
blah blah blah
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
blah blah blah
-----BEGIN CERTIFICATE-----
blah blah blah
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
blah blah blah
-----END ENCRYPTED PRIVATE KEY-----
</key>
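The symptom pattern above (the client reaches the server's tun address but nothing behind it, and VPC hosts reach the server but not the client) is what a server that is not forwarding between its adapters looks like. The following diagnostic is added here and is not part of the question or its configs; it only reports. It assumes the tun adapter alias is openvpn-primary (the dev-node name in the server config) and uses 10.0.1.135 (the first pushed DNS server) as a VPC host to test against.

```powershell
# Added diagnostic, not from the question: does this Windows Server forward
# packets between the OpenVPN tunnel adapter and the VPC-facing adapter?
# Assumptions: tun adapter alias 'openvpn-primary' (dev-node in the server
# config) and 10.0.1.135 as a reachable VPC host (first pushed DNS server).
$TunAlias  = 'openvpn-primary'
$VpnSubnet = '10.4.0.0/24'
$VpcHost   = '10.0.1.135'

# 1. Per-interface forwarding flags. Both the tun adapter and the adapter that
#    carries the VPC route must show 'Enabled'; otherwise packets from the
#    client are accepted by the server and dropped there.
Get-NetIPInterface -AddressFamily IPv4 |
    Select-Object InterfaceAlias, InterfaceIndex, Forwarding, ConnectionState |
    Format-Table -AutoSize

# 2. System-wide router flag (set by RRAS or by hand). 1 = on, 0/absent = off.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$flag  = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter `
            -ErrorAction SilentlyContinue).IPEnableRouter
"IPEnableRouter = $flag"

# 3. Which interface/next hop the server picks for a VPC host, and whether the
#    VPN pool resolves to the tun adapter (it must, for return traffic).
Find-NetRoute -RemoteIPAddress $VpcHost |
    Where-Object { $_.DestinationPrefix } |
    Select-Object DestinationPrefix, InterfaceAlias, NextHop
Get-NetRoute -DestinationPrefix $VpnSubnet -ErrorAction SilentlyContinue |
    Select-Object DestinationPrefix, InterfaceAlias, NextHop

# 4. Reachability from the server itself (reported as working in the question);
#    if this fails the problem is on the AWS side, not in OpenVPN.
Test-NetConnection -ComputerName $VpcHost -InformationLevel Quiet

# Remediation lines, left commented on purpose. The VPC-facing alias is an
# assumption: take it from the output of step 1.
# Set-NetIPInterface -InterfaceAlias $TunAlias  -Forwarding Enabled
# Set-NetIPInterface -InterfaceAlias 'Ethernet' -Forwarding Enabled
#
# On the AWS side the instance also has to be allowed to send/receive packets
# whose addresses are not its own (the 10.4.0.0/24 pool). eni-XXXXXXXX is a
# placeholder for the server's network interface id:
# aws ec2 modify-network-interface-attribute --network-interface-id eni-XXXXXXXX --no-source-dest-check
```

Run it in an elevated PowerShell on the OpenVPN server; if step 1 shows Forwarding Disabled on either adapter, that alone explains both failing bullets in the question, and the VPC-side source/destination check must be off as well for return packets to leave the VPC.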