Bidirectional OpenVPN in AWS

[rozzwell]

I'm working on setting up an OpenVPN instance (using the OpenVPN AMI) to facilitate bidirectional communication between remote clients and private servers. In this case, for database replication purposes. The OpenVPN server resides in the same VPC as the private servers, and I can successfully get a client to connect to OpenVPN and access all of private server resources. I added a route to the VPC to route all traffic with a destination address of the VPN client IP pool to the OpenVPN server, and I can ping private servers from the clients without any problems. What I can't do is successfully ping or connect to clients from the private servers.

If I do a tracert from a private server, it correctly hits the OpenVPN server's IP, but then dies and never routes to the client. I suspect there is a configuration in OpenVPN or on the server itself (iptables, etc) that I need in order to allow the private network to route out to the clients.

I've searched around to try and find a solution but I can't seem to find a scenario that matches what I'm trying to do. Has anyone run into this before? I can't imagine I'm the first person to try and solve this problem.

Thanks in advance for the help!!

[novaflash]

You need to set up routing in the Access Server. By default access to private subnets behind the Access Server are given access via the NAT method. NAT is one-way. Set up routing and it will work.

Furthermore, AWS uses security groups that function sort of like firewalls. Unknown subnets like the VPN subnet may simply be filtered away, and there is also source checking, another security feature that needs adjustment to work with 'unknown' subnets like the VPN subnet.

[rozzwell]

Perfect! That worked. Switched things over to routing instead of NAT and things clicked into place quickly.

Thanks for the quick reply!

[deepakkothandan]

Hi Rozzwell,

I am in a similar siutation, could you share how did you get this to work?

[sindhu]

I'm able to route vpn client requests (pings/SSH/etc) to other instances in different subnets within the same VPC so I know my routing tables are correct.

However, when it comes to a peered VPC, the target instance isn't seeing anything coming from the OpenVPN clients. The routing table have been updated to allow the VPN client range (10.8.0.0./24) as well. As per original post, the instances within each AWS VPC can talk to each other. However the VPN clients can't.

I've changed the VPN client range to the OpenVPN default (10.8.0.0./24). Restrictions via Security groups have been left open to help troubleshoot. Network ACLs are at default.

Can anyone confirm if the VPC Peering connection has some sort of filtering to only allow traffic with dest/src addresses that belong to the peered VPC network ranges?

[novaflash]

There is source checking AWS which could be your problem here. Security groups on virtual machines in AWS can also contain rules to allow only specific traffic through. I would suggest you run tcpdump and trace the problem till you find the point where the traffic disappears.

[missmansirao]

You need to set up routing in the Access Server. By default access to private subnets behind the Access Server are given access via the NAT method. NAT is one-way. Set up routing and it will work.

Furthermore, AWS uses security groups that function sort of like firewalls. Unknown subnets like the VPN subnet may simply be filtered away, and there is also source checking, another security feature that needs adjustment to work with 'unknown' subnets like the VPN subnet.

Thank you.. It worked well for me too.

Cheers.
Mansi Rao

[hopesuresh]

Hi, Your Idea worked for me, I followed step by step your instruction then the VPN worked on my AWS. Thanks for your valuable information.

[roberto.clavijo]

Hi all I followed the next steps to get it working:

1. Change the configuration from NAT to Routing in OpenVpn Server UI, stop and start server from UI.
2. In OpenVpn Server (aws console) Disable Source/Dest check
3. Open ports that will be used in OpenVpn (aws security groups, in my case ICMP ports)

To test

4. Connect a windows 10 laptop to vpn (OpenVpn client)
5. Ping from the windows 10 laptop to any aws instance. Success
6. Ping from an aws instance to the windows 10 laptop. Success