Global Routing Configuration on AWS

Business solution to host your own OpenVPN server with web management interface and bundled clients.
sentinel21
OpenVpn Newbie
Posts: 2
Joined: Wed Feb 16, 2022 6:05 am

Global Routing Configuration on AWS

Post by sentinel21 » Wed Feb 16, 2022 6:13 am

Hello,

I'm deploying OpenVPN Access Server on AWS. I have two public and two private subnets. I've got the server up and running, but I cannot get the global routing configuration working. Things work fine if I run with the NAT configuration.

I've set up routes in my public and private subnet routing tables to point client VPN subnets to the server's ENI. I can't get it to work, and the connection times out. I checked my flow logs and I see connectivity to the OpenVPN server from my IP, but nothing beyond that.

Has anyone attempted to do this and had success? I'm not sure what I may be missing; I've followed several articles and posts to try to figure this out. I'm happy to share anything that might be helpful if anyone's run into anything like this before.

Thank you!

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Global Routing Configuration on AWS

Post by openvpn_inc » Wed Feb 16, 2022 9:42 am

Hey sentinel21,

On AWS there is one additional thing that needs to be done. There's a very basic filter in place that basically operates on the principle that if packets going in or out don't have at least the IP of the instance itself as the source or destination, it will be filtered away silently. This is the source/destination check that can be turned off in the EC2 panel when you right-click the instance and go into the network settings - there's an option there in the right-click menu somewhere to turn that off. Without that, you can't route foreign subnets through.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
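
An added example, not part of the original thread: a small audit that flags VPC routes pointing a subnet at an ENI that still has the source/destination check enabled, which is the silent-drop condition described in the reply above. The input mirrors the JSON shape of `aws ec2 describe-route-tables` and `aws ec2 describe-network-interfaces`; all IDs, addresses and CIDRs are constructed placeholders.

```python
import ipaddress

# Constructed sample data (placeholder IDs and CIDRs), shaped like the JSON from
# `aws ec2 describe-route-tables` and `aws ec2 describe-network-interfaces`.
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-private-example", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "172.27.224.0/20",
         "NetworkInterfaceId": "eni-vpn-example"},
    ]},
    {"RouteTableId": "rtb-public-example", "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
        {"DestinationCidrBlock": "172.27.224.0/20",
         "NetworkInterfaceId": "eni-vpn-example"},
    ]},
]}
INTERFACES = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-vpn-example", "SourceDestCheck": True,
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.10"}]},
]}


def blocked_routes(route_tables, interfaces):
    """Return (route table, CIDR, ENI) for every route that forwards traffic
    through an ENI whose source/destination check would drop it."""
    enis = {e["NetworkInterfaceId"]: e for e in interfaces["NetworkInterfaces"]}
    findings = []
    for table in route_tables["RouteTables"]:
        for route in table["Routes"]:
            eni = enis.get(route.get("NetworkInterfaceId"))
            cidr = route.get("DestinationCidrBlock")
            # Skip local/gateway routes, IPv6-only routes, and ENIs already fixed.
            if eni is None or cidr is None or not eni.get("SourceDestCheck", True):
                continue
            own = {ipaddress.ip_address(a["PrivateIpAddress"])
                   for a in eni.get("PrivateIpAddresses", [])}
            net = ipaddress.ip_network(cidr)
            # With the check on, only traffic addressed to the ENI itself passes;
            # any wider or foreign CIDR routed to it is filtered.
            if not (net.num_addresses == 1 and net.network_address in own):
                findings.append((table["RouteTableId"], cidr,
                                 eni["NetworkInterfaceId"]))
    return findings


if __name__ == "__main__":
    for table_id, cidr, eni_id in blocked_routes(ROUTE_TABLES, INTERFACES):
        print(f"{table_id}: {cidr} -> {eni_id} has SourceDestCheck enabled")
```

An empty result means every ENI used as a route target already has the check turned off.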

sentinel21
OpenVpn Newbie
Posts: 2
Joined: Wed Feb 16, 2022 6:05 am

Re: Global Routing Configuration on AWS

Post by sentinel21 » Wed Feb 16, 2022 4:44 pm

Thanks Johan - that was exactly what I needed. After I did that I was able to SSH into the instance. Trying to connect back, I ran into the instance security group - I opened that to all internal TCP traffic and it works great! Thanks so much for your help.
