
I've configured an OpenVPN server on a Bastion instance in a public subnet of an AWS VPC. Right now I can access the private IP address of that instance with my OpenVPN client, but we want to access EC2 instances running in other private subnets in the VPC.

Here is my server.conf file:

    port 1194
    # TCP or UDP server?
    ;proto tcp
    proto udp
    ;dev tap
    dev tun
    ;dev-node MyTap
    ca /etc/openvpn/easy-rsa/pki/ca.crt
    cert /etc/openvpn/easy-rsa/pki/issued/server.crt
    key /etc/openvpn/easy-rsa/pki/private/server.key
    dh /etc/openvpn/easy-rsa/pki/dh.pem
    ;topology subnet
    server 10.8.0.0 255.255.255.0
    ;client-config-dir ccd
    route 10.10.0.0 255.255.0.0
    route 10.10.12.0 255.255.255.0
    route 10.10.52.0 255.255.255.0
    route 10.10.51.0 255.255.255.0
    push "route 10.10.0.0 255.255.0.0"
    push "route 10.10.12.0 255.255.255.0"
    push "route 10.10.11.0 255.255.255.0"
    push "route 10.10.51.0 255.255.255.0"
    push "route 10.10.52.0 255.255.255.0"
    ;learn-address ./script
    ;push "redirect-gateway def1 bypass-dhcp"
    ;push "dhcp-option DNS 208.67.222.222"
    ;push "dhcp-option DNS 208.67.220.220"
    client-to-client
    #keepalive 10 120
    tls-auth ta.key 0 # This file is secret
    cipher AES-256-CBC
    user nobody
    group nobody
    status openvpn-status.log
    verb 3

Since my networking knowledge is not at the proper level, if anyone has an idea how to solve this, I would be very grateful.

Thanks

1 Answer


I have several Mikrotik Cloud RouterOS instances as OpenVPN servers in my VPC, and it also took me a while to get it working.

I don't have a clear picture of your infrastructure and what your current problem is, but I assume that your client can already connect to the OpenVPN server but cannot reach the other private EC2 servers.

I noticed that your client IP pool (10.8.0.0/24) is different from the OpenVPN server's internal IP range (10.10.0.0/16). This complicates VPC routing because your VPC route table has no idea what subnet 10.8.0.0/24 is or where to route the corresponding traffic.

The way I solved this was to apply NAT so my client traffic (Say IP 10.8.0.100) would be masqueraded as the OpenVPN server (Say IP 10.10.0.100) when packets leave the OpenVPN server. This way the private EC2 server will always route through the OpenVPN server.

Several things you also need to check:

  1. EC2 Security group is allowing the traffic

  2. VPC Subnets are associated with your route table

  3. VPC Route table has the corresponding routes setup

  4. EC2 Source/Destination check is disabled if NAT is happening

An alternative solution might be setting the route table so that all 10.8.0.0/24 traffic is sent to your OpenVPN server, but I never got that working so good luck if you go this route.

  • Thanks @Victor Wong, I solved it yesterday by setting a custom client subnet in the VPC range. Also, I didn't disable Source/Destination checks. Commented Sep 4, 2018 at 10:44
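The masquerade setup the answer above describes, as an added example that is not the answerer's own configuration: a script for the OpenVPN bastion that enables forwarding, masquerades the VPN client pool toward the VPC, and restricts forwarding to that one path. It assumes the 10.8.0.0/24 pool and 10.10.0.0/16 VPC CIDR from the question's server.conf, eth0 as the VPC-facing interface, and a placeholder instance id for the source/destination check step.

```shell
# Added example, not the answer's own configuration: make the OpenVPN bastion
# NAT its client pool toward the VPC, as the answer above describes.
# Assumptions (constructed): client pool 10.8.0.0/24 from the server.conf,
# VPC CIDR 10.10.0.0/16, VPC-facing NIC eth0, placeholder instance id.
set -eu

VPN_POOL="${VPN_POOL:-10.8.0.0/24}"
VPC_CIDR="${VPC_CIDR:-10.10.0.0/16}"
VPC_IFACE="${VPC_IFACE:-eth0}"
INSTANCE_ID="${INSTANCE_ID:-i-PLACEHOLDER}"

# Masquerade rule: packets from VPN clients leave eth0 with the bastion's own
# VPC address, so EC2 hosts reply to the bastion and the VPC route table never
# needs to know about 10.8.0.0/24. Returned as text so it can be reviewed first.
nat_rule_args() {
    printf '%s\n' "-t nat -A POSTROUTING -s $VPN_POOL -d $VPC_CIDR -o $VPC_IFACE -j MASQUERADE"
}

# Forwarding policy, one rule per line: only VPN pool -> VPC is allowed, replies
# come back via conntrack, anything else arriving from tun0 is dropped.
forward_rule_args() {
    printf '%s\n' \
        "-A FORWARD -i tun0 -o $VPC_IFACE -s $VPN_POOL -d $VPC_CIDR -j ACCEPT" \
        "-A FORWARD -i $VPC_IFACE -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "-A FORWARD -i tun0 -j DROP"
}

# Apply on the bastion (needs root): enable forwarding, then install the rules.
apply_nat() {
    sysctl -w net.ipv4.ip_forward=1
    iptables $(nat_rule_args)
    forward_rule_args | while read -r rule; do
        iptables $rule
    done
}

# Item 4 from the answer: disable the source/destination check so AWS does not
# drop forwarded packets whose source or destination is not the instance's own.
disable_src_dst_check() {
    aws ec2 modify-instance-attribute --instance-id "$INSTANCE_ID" --no-source-dest-check
}

# Verification helper: exit status 0 if the masquerade rule is installed.
nat_rule_present() {
    iptables -t nat -S POSTROUTING | grep -q -- "-s $VPN_POOL .*-j MASQUERADE"
}
```

Run `apply_nat` once on the bastion, then `nat_rule_present && echo ok` to confirm the rule survived; the EC2 security groups on the private instances still have to allow traffic from the bastion's VPC address.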
