By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How can I route OpenVPN traffic

1

Good day all

I'm currently trying to set up OpenVPN on an EC2 instance. I have gotten the server and client to communitcate with each other. The goal is for the clients to be able to communicate to instance in another VPC in which I have set up Peering connections and from a client machine I can reach an instance in the other VPC. Where I am having issues is that, trying to reach the client machine from the instance does not work. I have configured route tables to send all traffic from the instance to my VPN server VPC but I don't see the traffic going through to the instance.

Apologies for the long text, but for more clarity, this is my current setup

VPC A - 172.31.0.0/16 VPC B - 10.10.0.0/16

Both VPCs can communicate

In VPC A, I have my OpenVPN server with two interfaces, eth0 and tun0. Pinging a machine in VPC B goes through because it is NATed through eth0. But I am trying to also be able to ping client devices from instances in VPC B. Any help or resources on how I can do this?

Thanks.

Topics
Networking & Content DeliveryCompute
Tags
Amazon VPCAmazon EC2
Language
English
rePost-User-9477713
asked 2 years ago974 views
1 Answer
0
Accepted Answer

Hello,

With the NAT mode this will not work as you pointed out all traffic from the Clients to VPC is Source NAT'd by the OpenVPN access server, the Destination instance in a VPC will not know how to route back to the clients.

This is described in the below OpenVPN article:

https://openvpn.net/vpn-server-resources/reach-openvpn-clients-directly-from-a-private-network/

There is NAT mode and there is Routed mode, with NAT mode reverse connectivity from VPC back to client will not work because of the SNAT. Even with Routed mode connectivity to the instance in a Target VPC might work but I think it would not work via VPC Peering to another VPC as this would become transitive routing which is not allowed.

Please note, suggestions on OpenVPN are best effort here as it is not a native AWS product.

Hope this helps.

profile pictureAWS
EXPERT
Tushar_J
answered 2 years ago
  • rePost-User-9477713
    2 years ago

    Thank you for you response. I appreciate it.

    Do you sugeest having both instances in the same VPC might work?

  • Tushar_J EXPERT
    2 years ago

    Yes, that might work with the routed mode.

  • rePost-User-9477713
    2 years ago

    I will try that. Thank you once again

  • rePost-User-9477713
    2 years ago

    I was able to meet my needs by using a transit gateway rather than peering connection.

    Thanks again for pointing me in a better direction.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content