Hi All,
First post asking for help (in the correct channel at least), can't be that unusual but would be very grateful for some insight into what other people have done.
Scenario:
We have an AWS account, newly opened so it has the default VPC with two default subnets which are publicly open. Inside that VPC, in one of the default subnets, I have created an OpenVPN instance (following the OpenVPN AWS instructions) which is configured correctly to allow an EC2 instance to be locked down using security groups to allow access from specific external IP addresses and from the OpenVPN box using the internal IP address. The public IP addresses and DNS names are not resolvable when connected to the VPN. This we can live with as it gives us what we want, e.g. protected access for specific applications hosted elsewhere and via VPN for humans.
The problem comes with our RDS instance. It needs to be publicly accessible; however, the endpoint is always a DNS name. This again is locked down using security groups to allow specific application external IP addresses to have access and humans to go via the OpenVPN box. When it is publicly accessible the endpoint does not get resolved when connected to OpenVPN; if I make the RDS instance hidden from the external world, I can connect via VPN. So I have concluded this is to do with the AWS DNS server not being used when connected via OpenVPN.
What have other people done to bring the AWS DNS server into play? A good browse of the internet brings back quite a few solutions but like the new GoogleAuthenticator feature I am expecting there to be an easy way in the latest version. In case it matters we are not routing all traffic through the VPN and this is desired to reduce unnecessary traffic / costs in AWS.
Many thanks in advance,
James
OpenVPN in AWS with RDS
- novaflash
- OpenVPN Inc.
Re: OpenVPN in AWS with RDS
VPN Settings > DNS resolution zones: (nothing), DNS default suffix: (nothing), push these DNS servers: server1: AWS DNS, server2: some public DNS like 8.8.8.8. Should work.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
- OpenVpn Newbie
Re: OpenVPN in AWS with RDS
Thanks will give it a go.
- OpenVpn Newbie
Re: OpenVPN in AWS with RDS
Many thanks, that seems to have done it.
Out of interest, what will setting "Have clients use the same DNS servers as the Access Server host" to true do, as it seems to have the same effect? My fear is putting all traffic through AWS accidentally.
- novaflash
- OpenVPN Inc.
Re: OpenVPN in AWS with RDS
That setting you refer to takes the DNS servers set in /etc/resolv.conf and pushes those to the VPN clients.
By pushing a DNS server you're not forcing all the traffic through AWS. But you are forcing DNS queries through AWS with this. But once an address is resolved, and depending on your other settings in Access Server, the traffic will then go through the VPN client's normal internet connection and not the VPN tunnel. Of course if you enable the "route all client internet traffic through the VPN server" option then all traffic goes through the VPN server and through AWS.
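To make the distinction in the reply above concrete (pushed DNS forces only name resolution through AWS; traffic follows the tunnel only for pushed routes, or for everything once the redirect option is on), here is an added example, not from this thread or from OpenVPN Inc.: a small Python check over the community-edition OpenVPN server directives that stand in for the Access Server settings discussed. The VPC CIDR, the 172.31.0.2 resolver, the client subnet and the test addresses are assumed placeholder values.

```python
import ipaddress
import shlex

# Constructed server-side snippet in community OpenVPN directive form,
# mirroring the thread's setup: VPC route plus AWS DNS pushed, internet
# traffic NOT redirected. All addresses are assumed placeholders.
SPLIT_TUNNEL_CONF = """
server 172.27.224.0 255.255.240.0
push "route 172.31.0.0 255.255.0.0"
push "dhcp-option DNS 172.31.0.2"
push "dhcp-option DNS 8.8.8.8"
"""

# Same snippet plus the directive equivalent of
# "route all client internet traffic through the VPN server".
FULL_TUNNEL_CONF = SPLIT_TUNNEL_CONF + 'push "redirect-gateway def1"\n'


def parse_push(conf: str) -> dict:
    """Collect pushed DNS servers, pushed routes and whether the gateway is redirected."""
    dns, routes, redirect = [], [], False
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line.startswith("push"):
            continue
        # push "dhcp-option DNS 1.2.3.4"  ->  ['dhcp-option', 'DNS', '1.2.3.4']
        args = shlex.split(line)[1].split()
        if args[0] == "dhcp-option" and args[1].upper() == "DNS":
            dns.append(args[2])
        elif args[0] == "route":
            # OpenVPN routes are "network netmask"; ipaddress accepts that form
            routes.append(ipaddress.ip_network(f"{args[1]}/{args[2]}", strict=False))
        elif args[0] == "redirect-gateway":
            redirect = True
    return {"dns": dns, "routes": routes, "redirect_gateway": redirect}


def path_for(conf: str, dest_ip: str) -> str:
    """Say whether a resolved address leaves via the tunnel or the client's own uplink."""
    pushed = parse_push(conf)
    ip = ipaddress.ip_address(dest_ip)
    if pushed["redirect_gateway"] or any(ip in net for net in pushed["routes"]):
        return "tunnel"
    return "direct"


if __name__ == "__main__":
    print(parse_push(SPLIT_TUNNEL_CONF)["dns"])          # resolvers the client will use
    print(path_for(SPLIT_TUNNEL_CONF, "172.31.5.10"))    # VPC-internal address: tunnel
    print(path_for(SPLIT_TUNNEL_CONF, "52.0.0.1"))       # public address: direct
    print(path_for(FULL_TUNNEL_CONF, "52.0.0.1"))        # with redirect-gateway: tunnel
```

Running `path_for` against the address a name actually resolves to from the client shows whether that session's traffic would enter AWS, which is the check to run before worrying that DNS alone has pulled everything through the VPN.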
- OpenVpn Newbie
Re: OpenVPN in AWS with RDS
Makes perfect sense, the nameserver in that file is the same as the one I put into the push server 1. Many thanks for your help, very much appreciated.