Connecting to an AWS instance with public IP

easyasasunday
OpenVpn Newbie
Posts: 1
Joined: Fri Feb 11, 2022 2:10 am

Connecting to an AWS instance with public IP

Post by easyasasunday » Fri Feb 11, 2022 2:35 am

Hi,
We have an existing AWS instance to which many people have access, so we kept the security group as 0.0.0.0/0. We now need to secure it to allow access only from a whitelisted range. I am now trying to use OpenVPN to do this. I have set up OpenVPN Cloud and have a Linux connector. I am able to connect to OpenVPN using the connector's .ovpn profile. In general, we are a completely remote organization with no office setup, so everyone would connect through their home broadband and access this endpoint in AWS, which is the only thing we want to secure through VPN. There is no need for us to build an internal network of laptops operating from individual homes as of now.

Here are my questions:
1. Which CIDR should I whitelist in the AWS security group? Is this the connector's IP address or something from OpenVPN Cloud?
2. I would like only the traffic going to this AWS instance to be routed through the VPN. How do I configure this in OpenVPN Cloud?

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Connecting to an AWS instance with public IP

Post by openvpn_inc » Mon Feb 14, 2022 3:39 pm

Hello easyasasunday,

Solution 1 using OpenVPN Cloud:
What I would recommend is that you connect this AWS instance to OpenVPN Cloud. This will be an outgoing connection, so no incoming direct connections will need to be allowed. Once the outgoing VPN tunnel to OpenVPN Cloud is established, a new virtual network adapter interface will become available on the AWS instance and be assigned a private IP inside the OpenVPN Cloud network. This interface can only be reached through OpenVPN Cloud and not from outside OpenVPN Cloud. You can then connect other devices to OpenVPN Cloud and they can then access resources on this AWS instance on the private IP in the OpenVPN Cloud network. This communication is then completely secure as it goes through encrypted VPN tunnels.

Technically the AWS instance now no longer needs a public IP. It can have a private IP only in the VPC network on AWS, and access the Internet through a NAT gateway that is on the VPC in AWS. This means that no direct access on a public IP will be possible to this system. But with the outgoing VPN tunnel to OpenVPN Cloud established, you can reach this machine through that VPN tunnel.

Solution 2 using OpenVPN Access Server:
Another solution is to remove the public IP from this instance and have it have only a private IP in the VPC network. Then install an OpenVPN Access Server in the same VPC, but that one does have a public IP. A VPN connection can then be established from your computers to that Access Server, and through the VPN tunnel, other EC2 instances in the same VPC that the Access Server is on can be reached by their private IPs.

-
Note:
The questions you are asking refer to a situation we would not advise. The solution you're aiming towards is setting up a client device somewhere that has Internet access, then connecting that to OpenVPN Cloud, and then connecting other devices to OpenVPN Cloud, and having those devices then use the Internet connection of the first client device, to then access the target EC2 instance over the public Internet (outside of VPN tunnels) and then whitelisting the IP of the first client device on the firewall of the target EC2 instance. This seems overly complicated and exposes part of the traffic. It is possible but just not recommended.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
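The two-step change behind Solution 2, as an added example that is not part of the thread or OpenVPN Inc.'s own tooling: audit the instance's security group for rules open to the whole Internet (the 0.0.0.0/0 situation from the question), then build the replacement ingress rules that reference the Access Server's security group instead of any CIDR, so only VPN clients arriving through the Access Server can reach the private-IP-only instance. The group IDs and the sample group are constructed; the field names follow the shape boto3's `describe_security_groups()` returns, and the result is what you would hand to `revoke_security_group_ingress()` / `authorize_security_group_ingress()`.

```python
"""Audit an EC2 security group for world-open ingress and build the
VPN-only replacement rules for the Access Server design above.
All group IDs below are constructed sample values."""
from typing import Dict, List

WORLD = {"0.0.0.0/0", "::/0"}  # "anyone on the Internet" sources


def world_open_rules(sg: Dict) -> List[Dict]:
    """Return each ingress permission that admits any Internet source."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in WORLD:
                findings.append({
                    "IpProtocol": perm["IpProtocol"],
                    "FromPort": perm.get("FromPort", -1),  # -1 = all ports
                    "ToPort": perm.get("ToPort", -1),
                    "Source": cidr,
                })
    return findings


def vpn_only_permissions(ports: List[int], access_server_sg: str) -> List[Dict]:
    """Build IpPermissions that reference the Access Server's security group
    (a UserIdGroupPairs entry) rather than a CIDR. Only traffic forwarded by
    the Access Server matches, so the instance needs no public IP at all."""
    return [{
        "IpProtocol": "tcp",
        "FromPort": p,
        "ToPort": p,
        "UserIdGroupPairs": [{"GroupId": access_server_sg}],
    } for p in ports]


# Constructed sample: the group from the question, SSH open to the world
# and HTTPS open to all of IPv6 even though IPv4 was already restricted.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for finding in world_open_rules(SAMPLE_SG):
        print("world-open:", finding)
    print(vpn_only_permissions([22, 443], "sg-0accessserver00000"))
```

Revoke the reported rules first and authorize the generated ones second; note the IPv6 `::/0` entry, which is easy to overlook when only the IPv4 range was tightened.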
