By using AWS re:Post, you agree to the Terms of Use

Use of OpenVPN 3 client with split tunnelling to access S3 buckets

0

We're using OpenVPN Cloud and accessing a number of AWS-based resources. We have split tunnelling enabled and we want to send our S3 and certain other traffic through the VPN with everything else through the user's internet connection. The buckets that we have require access from specific IP addresses (and impose other conditions such as secure transport) and I've added the VPN instance's external IP to that list of permitted IPs. We've added a certain number of DNS domains (including "amazonaws.com") and s3-related IP ranges to the list of destinations that need to go via the VPN as OpenVPN cloud does both domain-based and IP-based routing. At present we have buckets in a few regions, so I've added the S3 ip ranges for those regions, but I'm still getting rejected by the bucket policy with "...(AccessDenied) when calling ListObjectsV2" for some of them. If I turn off the VPN I can access the bucket with no problem. Has anyone encountered this or is anyone else running a set up like this one?

1 Answers
0

Hi,

I understand you are using split tunneling to access S3 buckets but you are getting an "...(AccessDenied) when calling ListObjectsV2" error. When you configure SPLIT VPN means specific traffic goes through VPN but your source IP remains private. For connection reaching VPC, it will have source IP that is private not the public IP of your VPN. To access S3 you either access it privately or publicly, if accessing publicly you have to access it via internet. Basically whitelist your public IP where you break out to internet for S3 traffic. When accessing Privately it will be through VPC Endpoints, specifically Interface VPC Endpoint to allow access to S3 but its only regional not for all [1].

When you got the “"...(AccessDenied) when calling ListObjectsV2" output Amazon S3 had issued the following AP Calls: ListObjectsV2, CopyObject, GetObject, and PutObject. Amazon S3 lists the source and destination to check whether the object exists and then performs the following API calls: CopyObject call for a bucket to bucket operation, GetObject for a bucket to local operation and PutObject for a local to bucket operation. The resolution if to Verify that you have the permission for s3:ListBucket on the Amazon S3 buckets that you're copying objects to or from. You must have this permission to perform ListObjectsV2 actions [2].

Refer to the references

[1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html

[2] https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-denied-listobjects-sync/

answered 2 months ago
  • As I said I'm using OpenVPN Cloud. This uses an instance in AWS with an external IP to present data to the outside world. When data is sent through the VPN, it appears at the destination with the external IP that's attached to the instance. So, if I've set the VPN to route data to the bbc.co.uk domain through the VPN, then the servers at their site will see the in-coming IP as the external IP of the AWS instance whereas data to a domain that I'm not routing through the VPN will appear to be from my external IP address. I've added the IP of the AWS instance to the bucket policies, but some buckets work, while others don't. I suspect that in addition to the amazonaws.com domain and the IPs of the S3 services, some additional IPs might be required, but I don't know what they are or which domains I'm missing. I've tried running a packet capture with the VPN attached and not attached and it seems that when I try an access to an S3 bucket data is sent to/from one of the AWS EC2 ip ranges, although I don't know if this is relevant.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions