How can I route OpenVPN traffic
Good day all
I'm currently trying to set up OpenVPN on an EC2 instance. I have gotten the server and client to communicate with each other. The goal is for the clients to be able to communicate with an instance in another VPC, for which I have set up peering connections, and from a client machine I can reach an instance in the other VPC. Where I am having issues is that trying to reach the client machine from the instance does not work. I have configured route tables to send all traffic from the instance to my VPN server VPC, but I don't see the traffic going through to the instance.
Apologies for the long text, but for more clarity, this is my current setup:
VPC A - 172.31.0.0/16
VPC B - 10.10.0.0/16
Both VPCs can communicate
In VPC A, I have my OpenVPN server with two interfaces, eth0 and tun0. Pinging a machine in VPC B goes through because it is NATed through eth0. But I am trying to also be able to ping client devices from instances in VPC B. Any help or resources on how I can do this?
Thanks.
Hello,
With NAT mode this will not work. As you pointed out, all traffic from the clients to the VPC is source NAT'd by the OpenVPN Access Server, so the destination instance in a VPC will not know how to route back to the clients.
This is described in the OpenVPN article below:
https://openvpn.net/vpn-server-resources/reach-openvpn-clients-directly-from-a-private-network/
There is NAT mode and there is Routed mode. With NAT mode, reverse connectivity from the VPC back to the client will not work because of the SNAT. Even with Routed mode, connectivity to the instance in a target VPC might work, but I think it would not work via VPC Peering to another VPC, as this would become transitive routing, which is not allowed.
Please note, suggestions on OpenVPN are best effort here as it is not a native AWS product.
Hope this helps.
Yes, that might work with the routed mode.
I will try that. Thank you once again
I was able to meet my needs by using a transit gateway rather than peering connection.
Thanks again for pointing me in a better direction.
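Added example, not part of the thread: a small Python model of AWS route lookup that makes the answer's non-transitive-peering point and the OP's transit gateway fix concrete, using the thread's CIDRs (172.31.0.0/16 for VPC A, 10.10.0.0/16 for VPC B). It assumes OpenVPN in routed mode with a client tunnel subnet of 10.8.0.0/24, and the pcx-/tgw-/eni- identifiers are constructed placeholders.

```python
import ipaddress as ip

VPC_A, VPC_B = ip.ip_network("172.31.0.0/16"), ip.ip_network("10.10.0.0/16")
TUN = ip.ip_network("10.8.0.0/24")  # assumed OpenVPN client subnet (not in thread)
VPC_CIDR = {"vpc-a": VPC_A, "vpc-b": VPC_B}

def lookup(table, dst):
    """Longest-prefix match over a list of (cidr, target) routes."""
    hits = [(n, t) for n, t in table if dst in n]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def deliver(routes, dst, vpc="vpc-b", hops=0):
    """Follow a packet from an instance in VPC B toward dst, one route table per hop.
    Returns where it lands or why it is dropped."""
    dst = ip.ip_address(dst)
    if hops > 3:
        return "dropped: hop limit"
    tgt = lookup(routes[vpc], dst)
    if tgt is None:
        return "dropped: no route"
    if tgt == "local":
        return f"delivered in {vpc}"
    if tgt.startswith("eni-"):  # the OpenVPN server's interface (source/dest check off)
        return f"delivered to {tgt}"
    if tgt.startswith("pcx-"):
        # Peering is not transitive: AWS only forwards traffic whose destination
        # lies inside the peer VPC's own CIDR, so the tunnel subnet is unreachable.
        peer = "vpc-a" if vpc == "vpc-b" else "vpc-b"
        if dst not in VPC_CIDR[peer]:
            return "dropped: peering is not transitive"
        return deliver(routes, dst, peer, hops + 1)
    if tgt.startswith("tgw-"):
        # A transit gateway route table may send any prefix to any attachment;
        # the attached VPC's own table then forwards to the OpenVPN ENI.
        nxt = lookup(routes[tgt], dst)
        return deliver(routes, dst, nxt, hops + 1) if nxt else "dropped: no TGW route"
    return f"dropped: unknown target {tgt}"

# Routed-mode topologies with placeholder IDs; VPC A routes the tunnel subnet to the server's ENI.
PEERING = {
    "vpc-a": [(VPC_A, "local"), (VPC_B, "pcx-0abc"), (TUN, "eni-openvpn")],
    "vpc-b": [(VPC_B, "local"), (VPC_A, "pcx-0abc"), (TUN, "pcx-0abc")],
}
TGW = {
    "vpc-a": [(VPC_A, "local"), (VPC_B, "tgw-0abc"), (TUN, "eni-openvpn")],
    "vpc-b": [(VPC_B, "local"), (VPC_A, "tgw-0abc"), (TUN, "tgw-0abc")],
    "tgw-0abc": [(VPC_A, "vpc-a"), (VPC_B, "vpc-b"), (TUN, "vpc-a")],
}

if __name__ == "__main__":
    print("peering:", deliver(PEERING, "10.8.0.6"))  # dropped: peering is not transitive
    print("tgw:    ", deliver(TGW, "10.8.0.6"))      # delivered to eni-openvpn
```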
Thank you for your response. I appreciate it.
Do you suggest having both instances in the same VPC might work?