How can I route OpenVPN traffic

Question

Good day all

I'm currently trying to set up OpenVPN on an EC2 instance. I have gotten the server and client to communitcate with each other. The goal is for the clients to be able to communicate to instance in another VPC in which I have set up Peering connections and from a client machine I can reach an instance in the other VPC. Where I am having issues is that, trying to reach the client machine from the instance does not work. I have configured route tables to send all traffic from the instance to my VPN server VPC but I don't see the traffic going through to the instance.

Apologies for the long text, but for more clarity, this is my current setup

VPC A - 172.31.0.0/16
VPC B - 10.10.0.0/16

Both VPCs can communicate

In VPC A, I have my OpenVPN server with two interfaces, eth0 and tun0. Pinging a machine in VPC B goes through because it is NATed through eth0. But I am trying to also be able to ping client devices from instances in VPC B. Any help or resources on how I can do this?

Thanks.

Accepted Answer

Hello,

With the NAT mode this will not work as you pointed out all traffic from the Clients to VPC is Source NAT'd by the OpenVPN access server, the Destination instance in a VPC will not know how to route back to the clients.

This is described in the below OpenVPN article:

https://openvpn.net/vpn-server-resources/reach-openvpn-clients-directly-from-a-private-network/

There is NAT mode and there is Routed mode, with NAT mode reverse connectivity from VPC back to client will not work because of the SNAT. Even with Routed mode connectivity to the instance in a Target VPC might work but I think it would not work via VPC Peering to another VPC as this would become transitive routing which is not allowed.

Please note, suggestions on OpenVPN are best effort here as it is not a native AWS product.

Hope this helps.

How can I route OpenVPN traffic

Contenuto pertinente