VPN server in VPC

0

Just a quick question:

Network A <---> DirectConnect <---> VPC1

If I set up an OpenVPN server on EC2 in VPC1, I can't use it to access network A because I can't route the traffic from/to the VPN network through the VPC - is that correct or am I missing something?

Thanks,
Marc

Marc
Asked 4 years ago · Viewed 334 times
2 answers
0
Accepted answer

Hi Marc,

Pat K from the Cohesive Networks team here.

To the best of my understanding you are correct - but you still have some options.

Let's pretend:
VPC - 10.20.20.0/22
Network Across Direct Connect - 192.168.0.0/16
OpenVPN network - 172.16.0.0/24

The direct connect will only route traffic to/from the VPC CIDR to the "across the direct connect" CIDR.
If you try to send packets to the on-premise from 172.16.0.0/24 they get dropped.

If you try to send packets from 192.168.0.0/16 to 172.16.0.0/24 they get dropped.

You will need to run a virtual gateway on the VPC side to some gateway on the other side of the direct connect. This gets you "up and over" the AWS VGW restrictions.

You could install strongswan/libreswan IPsec on your OpenVPN instance (if hand rolled and linux) and connect to an IPsec device across the direct connect. You would define a "tunnel" between the two sides of 192.168.0.0/16 - 172.16.0.0/24. Then your on-prem can route to your VPN.

OR if your OpenVPN server is Linux you can use GRE to make a tunnel (layer 2 tunnel) to a router/gateway across the direct connect and both sides set a static route pointing to the GRE tunnel. (note this tunnel is unencrypted)

OR use any of the appliance vendors in the AWS marketplace - depending on how many VPN credentials you need my company's free edition might meet your need.

Happy to explain the "roll your own" further if you need.

Cheers,

Pat K

Answered 4 years ago
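As an added illustration (not code from this thread, from AWS or from Cohesive Networks), the following Python models the routing behaviour Pat describes: the Direct Connect / VGW path only carries VPC-to-on-prem traffic, so the OpenVPN subnet is dropped in both directions until a host-to-host tunnel, whose outer packets are VPC-to-on-prem, carries it. The tunnel endpoint addresses and the sample hosts are assumptions; the CIDRs are the ones from the answer.

```python
from ipaddress import ip_address, ip_network
# Example CIDRs from the answer above.
VPC = ip_network("10.20.20.0/22")
ONPREM = ip_network("192.168.0.0/16")       # network across Direct Connect
VPN_CLIENTS = ip_network("172.16.0.0/24")   # OpenVPN client subnet
# Assumed (hypothetical) tunnel endpoints: the OpenVPN EC2 host and an on-prem gateway.
TUNNEL = {"local": "10.20.20.10", "remote": "192.168.1.1"}

def vgw_carries(src, dst):
    """The Direct Connect / VGW path only carries VPC <-> on-prem packets;
    anything sourced from or addressed to the OpenVPN subnet is dropped."""
    s, d = ip_address(src), ip_address(dst)
    return (s in VPC and d in ONPREM) or (s in ONPREM and d in VPC)

def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop) routes; None if no route."""
    d = ip_address(dst)
    hits = [r for r in routes if d in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def delivered(src, dst, routes):
    """Does a packet src->dst, forwarded with this host's routes, get across?
    'vgw' hands it to Direct Connect as-is; 'gre1' encapsulates it, so only
    the outer packet (tunnel local -> remote, VPC <-> on-prem) has to pass the VGW."""
    nh = lookup(routes, dst)
    if nh == "vgw":
        return vgw_carries(src, dst)
    if nh == "gre1":
        return vgw_carries(TUNNEL["local"], TUNNEL["remote"])
    return False  # no route

# Before: each side sends the other side's prefixes straight at Direct Connect.
OPENVPN_HOST_BEFORE = [(ONPREM, "vgw")]
ONPREM_GW_BEFORE = [(VPC, "vgw"), (VPN_CLIENTS, "vgw")]
# After: a static route on each side points the missing prefix into the tunnel.
OPENVPN_HOST_AFTER = [(ONPREM, "gre1")]
ONPREM_GW_AFTER = [(VPC, "vgw"), (VPN_CLIENTS, "gre1")]

def summary():
    """Constructed sample flows: a VPN client, an on-prem server, a VPC host."""
    client, server, vpc_host = "172.16.0.5", "192.168.5.20", "10.20.21.7"
    return {
        "client->onprem before": delivered(client, server, OPENVPN_HOST_BEFORE),
        "onprem->client before": delivered(server, client, ONPREM_GW_BEFORE),
        "vpc->onprem before": delivered(vpc_host, server, OPENVPN_HOST_BEFORE),
        "client->onprem after": delivered(client, server, OPENVPN_HOST_AFTER),
        "onprem->client after": delivered(server, client, ONPREM_GW_AFTER),
    }
```

`summary()` returns a flow-by-flow verdict: only the VPC-sourced flow crosses before the tunnel, and both VPN-client flows cross once each side routes the missing prefix into `gre1`.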
0

Hi Pat,

yes, I already thought about building a tunnel from the VPN server to an on premise system. I just wanted to make sure I'm not doing something completely stupid because of some oversight :)

Thanks a lot for your reply and for your kind offer!

Cheers,

Marc

Marc
Answered 4 years ago
