Problem Setting up EC2 as Airgap Server with Client VPN Endpoint

0

Afternoon All, I'm a (very) inexperienced user who's keen to learn and appreciate I might have bitten off far more than I can chew with this.

I'm working on a project where we need to share UDP packets between two companies with the packets going in both directions. I want to setup an airgap server where exchange of data could take place.

I have an EC2 server with an external IP address (that I SSH into) as the airgap machine and a VPN client endpoint linked to the subnet the EC2 instance is in. My intent was to send UDPs from my company system to the airgap on a particular port say 3005, for example and then listen on a different port, say 4005, for example, on the same EC2 instance for UDP packets from the other company. And use socat to send packets from 4005 to the client IP on my Windows machine (currently set in the Endpoint to 16.10.0.0/16 (yes I know the subnet is probably far too big for this)).

I have successfully created the VPN client endpoint, downloaded the configuration file and can connect in from my Windows10 laptop using OpenVPN client. I can send packets from my Windows10 machine to the Airgap EC2 instance and see that it arrives on port 3005 as expected using tcpdump. I can also ping from the Windows machine to the Airgap server... so the connection is working in one direction.

The issue I have is that the connection does not work sending packets from the Airgap EC2 instance to my machine via the VPN... If I run socat with various options of udp-recvfrom or udp-listen and udp-sendto or udp-datagram I get no packets arriving at my Windows machine. Neither can I ping the Windows machine from the EC2 Airgap instance (I have tried this with Windows Firewall turned off to test whether the FW was getting in the way)

My questions then:

  1. Is it possible to do what I want?
  2. WHat am I doing wrong and how can I fix?
  3. Is my assumption about an EC2 instance being a good way of setting up an airgap server like this correct?

Many Thanks

G

1 Answer
0

AWS Client VPN is a managed service that is designed to allow you to securely access AWS resources from any location using OpenVPN based clients. It is not designed to allow you to access remote clients from your VPC. Your AWS resources, for example, EC2 cannot initiate communication with remote clients but will respond to requests initiated by remote clients. If you require bi-directional communication, you will need to set up an AWS site to site VPN to the site where the remote remote clients are located.

AWS Site-to-Site VPN https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html

Workaround if you still choose to use Client VPN - There is an indirect way of making this work, which is by running OpenVPN/AWS Client VPN application on the EC2 instance and then using the client-to-client communication, you can have the EC2 instance communicate to the Windows machine which is also connected to the same Client VPN Endpoint.

Sample Architecture: Client Device1 (Windows) <> CVPN connection <> AWS Client VPN endpoint <> CVPN connection <> Client Device2 (EC2)

Client-to-client access using AWS Client VPN https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario-client-to-client.html

profile pictureAWS
EXPERT
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions