Score:0

Connect to AWS private subnet without static IP address


My ISP uses CGNAT and I don't have a static IP address but I want to connect to my AWS subnet. I tried creating a VM for an OpenVPN server but that way I can only connect to the server VM unless I set up the on all the other VMs. How can I connect to my subnet without a static IP address?

I would think that wireguard might be a good fit here, though I admit I haven't tested this particular combination.
Enes Doğan
It still has the issue of installing the VPN on all the servers.
Score:0

I don't have experience with OpenVPN, but, with a simple wireguard setup, you can have a single wireguard server which can allow access to any number of private subnets.

In this example, 10.xx.xx.x are my private subnets, and 192.168.x.x is my wireguard network.

  1. Pick or set up a dedicated machine as the wireguard server and set up a basic configuration. E.g. server side

         [Interface]
         Address = 192.168.200.1
         PrivateKey = ...
         ListenPort = 51820

         [Peer] # Enes home computer
         PublicKey = ...
         # Only this tunnel address is accepted as a source from this peer
         AllowedIPs = 192.168.200.2

     and client side

         [Interface]
         PrivateKey = ...
         Address = 192.168.200.2
         ListenPort = 51820

         [Peer]
         PublicKey = ...
         # Endpoint takes host:port; the port is the server's ListenPort
         Endpoint = your.wg.server:51820
         AllowedIPs = 192.168.200.1/32, 10.0.0.0/8  # We can route whatever we want!

  2. Configure the wireguard server to allow IP forwarding, with e.g. sysctl settings:

         # Takes effect immediately; not persistent across reboots
         sysctl -w net.ipv4.ip_forward=1
         sysctl -w net.ipv6.conf.all.forwarding=1

  3. Configure the wireguard server to allow masquerading, e.g. with firewalld, a custom rule on the zone where the wireguard interface is (e.g. internal):

         # Source is the wireguard network used in the configs above
         firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.200.0/24" masquerade' --permanent
         firewall-cmd --reload

And that should be it. Use wg to verify that wireguard is working and you should be able to ping any 10.x.x.x address that the wireguard server can.

I run this setup with a single wireguard server VM against dozens of private subnets with hundreds of machines.
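A consistency check for the pieces the answer above configures (the server-side peer AllowedIPs, the client Address and Endpoint, and the masquerade source), as an added example that is not part of the original answer. The function names, `vpn.example.com` and the sample configs are constructed for illustration, and one `[Interface]` and one `[Peer]` are assumed on the client side.

```python
import ipaddress

def parse_wg(text):
    """Parse wg-quick style text into a list of (section_name, settings) pairs."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # text after '#' is a comment
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # base64 keys may end in '='
            sections[-1][1][key.strip()] = value.strip()
    return sections

def networks(value):
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]

def check(server_conf, client_conf, masquerade_source):
    """Return a list of findings; an empty list means the pieces agree."""
    findings = []
    server_peers = [kv for name, kv in parse_wg(server_conf) if name == "Peer"]
    client = dict(parse_wg(client_conf))
    addr = ipaddress.ip_interface(client["Interface"]["Address"]).ip
    allowed = [n for kv in server_peers for n in networks(kv["AllowedIPs"])]
    # The server drops tunnel packets whose source is outside the peer's AllowedIPs.
    if not any(addr in n for n in allowed):
        findings.append(f"no server peer allows client address {addr}")
    # A server-side entry wider than one host lets that peer use any source in it.
    findings += [f"server peer AllowedIPs {n} is wider than a single host"
                 for n in allowed if n.num_addresses > 1]
    # Without masquerading, 10.x hosts see a tunnel source they have no route back to.
    if addr not in ipaddress.ip_network(masquerade_source):
        findings.append(f"masquerade source {masquerade_source} does not cover {addr}")
    # WireGuard needs an explicit port on the endpoint.
    host, _, port = client["Peer"].get("Endpoint", "").rpartition(":")
    if not host or not port.isdigit():
        findings.append("client Endpoint is missing host:port")
    return findings

# Constructed sample input, trimmed to the fields the check reads (keys omitted).
SERVER = "[Peer] # home computer\nAllowedIPs = 192.168.200.2\n"
CLIENT = """[Interface]
Address = 192.168.200.2
[Peer]
Endpoint = vpn.example.com:51820
AllowedIPs = 192.168.200.1/32, 10.0.0.0/8  # routed into the tunnel
"""
if __name__ == "__main__":
    print(check(SERVER, CLIENT, "192.168.211.0/24"))
```

The client-side `AllowedIPs = 10.0.0.0/8` only decides what the client routes into the tunnel; what the server will forward is governed by its own firewall zone and the security groups on the subnet.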
