issues with connectivity during setting up vpn with aws

[santhoshb2610]

Hi this is Santhosh,
I was trying to establish vpn connection between our server 0and AWS. I wanted to connect the server 0(which many users can connect trough ssh from their systems). from the server 0the users must be able to connect to the aws securely via vpn. So, as a test case scenario I was logging into a machine 0(located in on-premises) from one of the server 0(on-premises) through ssh.
I was doing ssh from the server 0(server 0subnet 10.118.0.0) to get into machine 0(10.118.97.119) and from machine 0 I wanted to connect to aws via vpn using “client vpn endpoint” service in aws. (my network in on-premises is private and wanted to connect to private network/private subnet in aws)

my end i was login into machine 0 from server 0 using ssh and running client configuration file in machine 0 to establish vpn tunnel between machine 0 and aws. but when i run the client configuration file it is indeed establishing vpn tunnel from machine 0 to aws but was loosing the ssh connection from server 0 to machine 0.
if i add " route 10.118.0.0 255.255.0.0 net_gateway " in the client configuration file and run it then machine 0 is not loosing the ssh connection with server 0 and also establishing vpn tunnel between machine 0 and aws but loosing its regular connectivity like internet connectivity in machine 0. why ?
i wanted to establish active vpn connection between machine 0 and aws but it should not effect the network, connectivity of the machine 0 but should add aws tunnel in addition to the machine 0's connectivity.

the procedure I did and client configuration file I got:
I created the certificates in the machine as described in the aws documentation (https://docs.aws.amazon.com/vpn/latest/ ... ation.html) and uploaded to aws certificate manager.
Created vpc with cidr range 172.16. 0.0/16
Created subnet with cidr range 172.16.1.0/24
Created a Nacl and attached them. As it is test case, I allowed all traffic.
Created a security group with following rules:
inbound rules:

Custom UDP Rule UDP 1194 10.118.0.0/16
Custom UDP Rule UDP 1194 172.16.4.0/22
SSH TCP 22 10.118.0.0/16 ast arm users
SSH TCP 22 172.16.4.0/22 ipcidr assigned
Custom TCP Rule TCP 943 10.118.0.0/16
Custom TCP Rule TCP 943 172.16.4.0/22
HTTPS TCP 443 0.0.0.0/0
HTTPS TCP 443 10.118.0.0/16
HTTPS TCP 443 172.16.4.0/22
HTTPS TCP 443 ::/0

Outbound rules:
All traffic All All 0.0.0.0/0

Created client vpn endpoint with cidr range 172.16.4.0/22 and associated vpc and subnet to it and downloaded the client config file.
I installed openvpn in the machine 0 and ran the config file (attached the <cert> <key> into the file). I was able to establish vpn tunnel (tun0) from machine 0 to aws client vpn endpoint and can see active connection under the connections section in client vpn end point but was losing ssh connection with the server 0from which I login into machine 0 and performed this process.
I tried adding the “route 10.118.0.0 255.255.0.0 net_gateway “to the downloaded client configuration file (.ovpn file) from aws and ran the file. This time vpn tunnel between machine 0 and aws is established and also not lost the ssh connection with server 0but lost the machine 0’s connectivity. For example, I was able to login to machine 0 from server 0using ssh and in machine I was able ping google.com when there was no vpn connection or tunnel running. While vpn config file is running and vpn tunnel is up I was unable to ping google.com, it was restricting my network connectivity, even I can’t ping the instance (172.16.1.79) inside the aws.
This is the client configuration file I was running in the machine 0:
----------------------------------------------------------------------------------------------------------------------------------------
client
dev tun
proto udp
remote cvpn-endpoint-04241add53656b7af.prod.clientvpn.us-east-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
route 10.118.0.0 255.255.0.0 net_gateway (downloaded client configuration file doesn’t contain this line, added this line to keep the ssh connection of server 0with machine 0 alive and stay connected while vpn tunnel establishes and if I remove it , was losing ssh connectivity to machine with server)
<ca>
-----BEGIN CERTIFICATE-----
(redacted)
-----END CERTIFICATE-----

</ca>
<cert> (added this cert as per https://docs.aws.amazon.com/vpn/latest/ ... n-getting- started.html)
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6a:e7:11:f8:61:17:5f:5e:0c:41:7a:f0:1b:ba:29:d4
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=login.aws.ast.arm.com
Validity
Not Before: Aug 13 18:21:54 2019 GMT
Not After : Jul 28 18:21:54 2022 GMT
Subject: CN=client1.domain.tld
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
(redacted)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
55:3E:93:52:BD:E2:69:C6:5B:8C:7E:A8:2D:A3:E9:70:E9:04:E8:F9
X509v3 Authority Key Identifier:
keyid:EF:4D:B7:1F:68:A8:C5:F6:67:31:4F:BF:60:D9:A3:1D:02:1E:50:42
DirName:/CN=login.aws.ast.arm.com
serial:CE:A1:DE:41:14:00:48:38

X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
(redacted)
-----BEGIN CERTIFICATE-----
(redacted)
-----END CERTIFICATE-----

</cert>
<key>(added this key as per https://docs.aws.amazon.com/vpn/latest/ ... n-getting- started.html)
-----BEGIN PRIVATE KEY-----
(redacted)
-----END PRIVATE KEY-----

</key>

reneg-sec 0
-----------------------------------------------------------------------------------------------------------------------------------------
This is the route previously of machine 0 if this vpn with aws is not running:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.118.97.1 0.0.0.0 UG 0 0 0 ens6
10.118.97.0 0.0.0.0 255.255.255.0 U 0 0 0 ens6

This is the route of machine 0 if this vpn with aws is running:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.4.161 128.0.0.0 UG 0 0 0 tun0
default 10.118.97.1 0.0.0.0 UG 0 0 0 ens6
10.118.0.0 10.118.97.1 255.255.0.0 UG 0 0 0 ens6
10.118.97.0 0.0.0.0 255.255.255.0 U 0 0 0 ens6
ec2-52-4-224-24 10.118.97.1 255.255.255.255 UGH 0 0 0 ens6
128.0.0.0 172.16.4.161 128.0.0.0 UG 0 0 0 tun0
172.16.4.160 0.0.0.0 255.255.255.224 U 0 0 0 tun0


I want to keep the network and connectivity of the machine 0 as it is and wanted to add/establish vpn connection with aws private subnet without changing or effecting the machine 0’s network or connectivity keeping it intact(like adding additional route to aws in machine 0). So, users can perform their normal actions in machine 0 and also able to perform actions in aws.
If needed further info or details, I will be happy to share as per my best knowledge.
can any one help me out whats wrong. why the machine 0 is loosing the ssh connectivity with server 0 . if i add route to config file its not loosing ssh connection but couldn't ping aws instance and also loosing regular connectivity like internet access of machine 0 which it has before running the client config file.ovpn.

[novaflash]

Hello. I took the liberty of redacting the private keys and so on from your post. Never post those. You can consider yourself compromised now and if you have the option to revoke these certificates and get new ones, that would be best now. Don't share those with the public.

However, the Amazon AWS documentation you are linking to is not our OpenVPN Access Server product. If you want to use our official OpenVPN Access Server software product you should take a look at this page https://openvpn.net/amazon-cloud/

Regarding the Amazon AWS solution, I can only point you to Amazon AWS support personnel for support with that.