Amazon VPC - Enable SSH/HTTP to subnet without changing IP.

invictus
OpenVpn Newbie
Posts: 2
Joined: Mon Jun 23, 2014 3:52 pm
Post by invictus » Mon Jun 23, 2014 4:13 pm

I currently have an OpenVPN server set up to provide SSH and HTTP/S access to the private subnet of our Amazon EC2 VPC ("virtual private cloud") using IP routing over dev tun.

So currently all traffic is routed through the VPN with push "redirect-gateway def1 bypass-dhcp" configured in server.conf (see below). All my users are running Macs and using the Tunnelblick client to connect, with "Route all traffic through the VPN" disabled on the client side.

I have a feature request asking me to allow access to the internal subnet via SSH and HTTP/S but NOT to change the external IP, if possible. I'm sure it is. I'm just not sure how best to accomplish it! Hoping you guys can help!

So ideally:
  • All SSH tunnels through OpenVPN (needs a 10.0.0.0/24 IP) when connected. Or at least when attempting to connect to a 10.0.1.0/24 IP.
  • HTTP/S access to internal subnet.
  • HTTP/S access to internet without external IP change.
Note: VPC route tables allow any outgoing from the 10.0.0.0/24 (public) subnet to the 10.0.1.0/24 (private) subnet. The OpenVPN server itself is on the 10.0.0.0/24.

server.conf

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 10.0.0.2"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

/etc/sysconfig/iptables

# *filter table header restored: the pasted file starts mid-way through the filter table
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:5986]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i tun+ -j ACCEPT
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri May  2 13:46:20 2014
# Generated by iptables-save v1.4.7 on Fri May  2 13:46:20 2014
*nat
:PREROUTING ACCEPT [1:42]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

invictus
OpenVpn Newbie
Posts: 2
Joined: Mon Jun 23, 2014 3:52 pm

Re: Amazon VPC - Enable SSH/HTTP to subnet without changing

Post by invictus » Mon Jun 23, 2014 6:15 pm

I have a feature request asking me to allow access to the internal subnet via SSH and HTTP/S
Presumably, you mean this:
HOWTO: Expanding the scope of the VPN to include additional machines
Possibly, yes.

This bit looked useful:
Including multiple machines on the server side when using a routed VPN (dev tun)

Once the VPN is operational in a point-to-point capacity between client and server, it may be desirable to expand the scope of the VPN so that clients can reach multiple machines on the server network, rather than only the server machine itself.

For the purpose of this example, we will assume that the server-side LAN uses a subnet of 10.66.0.0/24 and the VPN IP address pool uses 10.8.0.0/24 as cited in the server directive in the OpenVPN server configuration file.

First, you must advertise the 10.66.0.0/24 subnet to VPN clients as being accessible through the VPN. This can easily be done with the following server-side config file directive:

push "route 10.66.0.0 255.255.255.0"

Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines).
Although I'll have to work out how best to integrate this into our Amazon VPC setup.

Presumably, you mean but not changing the source IP of the client to that of the server. In which case, you would stop using NAT on the server ...
That is correct, yes. I want to route through the VPN, and either stop using NAT for the external IP alone (perhaps simpler?) or find a way to stop using NAT for both external and internal IPs while assigning internal IPs to each client in the 10.0.0.0/24 range that do not conflict with existing IPs.
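Putting the two halves of this thread together (push "route" for the VPC subnets instead of redirect-gateway, a FORWARD chain limited to SSH and HTTP/S, and dropping the server-side MASQUERADE so the VPC sees the client's 10.8.0.0/24 address), as an added example that is not from the thread or from the OpenVPN project. The interface name eth0, the port list and the AWS resource ids in angle brackets are assumptions; the subnets and pool are the ones from the posts.

```shell
#!/bin/sh
# Added example (not the thread's or OpenVPN's own code): split-tunnel variant
# of the posted setup. Assumed: the server's VPC interface is eth0; the pool
# 10.8.0.0/24 and subnets 10.0.0.0/24 (public) / 10.0.1.0/24 (private) come
# from the posts; the AWS ids in angle brackets are placeholders.
VPN_POOL="10.8.0.0/24"
PUBLIC_SUBNET="10.0.0.0/24"
PRIVATE_SUBNET="10.0.1.0/24"
WAN_IF="eth0"

# Directives that replace push "redirect-gateway def1 bypass-dhcp": only the
# two VPC subnets enter the tunnel, so a client's Internet traffic (and the
# external IP web sites see) is left alone.
split_tunnel_directives() {
  printf '%s\n' \
    'push "route 10.0.0.0 255.255.255.0"' \
    'push "route 10.0.1.0 255.255.255.0"'
}

# FORWARD chain limited to what was requested: SSH and HTTP/S from the pool
# into the VPC subnets, replies matched by connection state, nothing else.
# Printed rather than applied so it can be reviewed first (pipe to sh as root).
forward_rules() {
  cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun+ -o $WAN_IF -s $VPN_POOL -d $PUBLIC_SUBNET -p tcp -m multiport --dports 22,80,443 -j ACCEPT
iptables -A FORWARD -i tun+ -o $WAN_IF -s $VPN_POOL -d $PRIVATE_SUBNET -p tcp -m multiport --dports 22,80,443 -j ACCEPT
EOF
}

# Removing the POSTROUTING MASQUERADE makes VPC hosts see 10.8.0.x as the
# source, so the VPC needs a return path: a route for the pool pointing at the
# OpenVPN instance (repeat for each route table whose subnet must reply), and
# source/destination checking switched off on that instance.
vpc_return_path() {
  cat <<EOF
iptables -t nat -D POSTROUTING -s $VPN_POOL -o $WAN_IF -j MASQUERADE
aws ec2 modify-instance-attribute --instance-id <OPENVPN_INSTANCE_ID> --no-source-dest-check
aws ec2 create-route --route-table-id <RTB_ID> --destination-cidr-block $VPN_POOL --instance-id <OPENVPN_INSTANCE_ID>
EOF
}

# Stand-alone run prints all three pieces for review.
split_tunnel_directives
forward_rules
vpc_return_path
```

The pushed DNS entries from the original server.conf can be kept; they are independent of the routing change.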
