Score:1

Packets not routed through openvpn tunnel in ec2 instance


I'm setting up an openvpn server on an aws ec2 instance. This instance has two interfaces :

  • One interface belonging to a private subnet (10.10.0.0/17)
  • One interface belonging to a public subnet (10.10.128.0/17)

My goal is to allow traffic from the internet to communicate with the instances that are in the private subnet, through the VPN. Here is a schema

The connection is well established between outside and the public interface. It is also established between the private interface and the instances that are in the private subnet.

The problem appears when I try to ping private instances from an outer client. I can see the "initialization sequence completed" message, but no traffic seems to be routed through the tunnel. Actually, no route at all seems to be found, even when the destination is the VPN server itself:

traceroute to server tun interface

connection logging on client

connection logging on server

Even though there seem to be errors when the route is created, it is present in the kernel routing table, so I guess the problem doesn't come from here:

route command on client

Here is my client configuration :

client
dev tun
proto udp
remote <server_ip> 1194
route 10.10.0.0 255.255.128.0
nobind
resolv-retry infinite
persist-key
persist-tun
comp-lzo 
verb 3
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
<SNIP>
-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
<SNIP>
-----END PRIVATE KEY-----
</key>

And the server one:

local 0.0.0.0
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
topology subnet
server 10.10.0.0 255.255.128.0
#client-to-client communication
duplicate-cn
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 10
explicit-exit-notify 1

I've followed the openvpn howto from beginning to end and really don't know what I'm missing. Thanks in advance for your help!
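One thing to rule out in a setup like this is the tunnel address pool colliding with the LAN the clients are supposed to reach: OpenVPN cannot route into a subnet whose range it also hands out for tunnel addresses, and in the configuration above the `server` directive's pool (10.10.0.0/255.255.128.0) is the private subnet itself. The script below is an added diagnostic, not code from the question, the comments or OpenVPN; it converts the `server ADDR MASK` pair to a prefix, checks it against the VPC subnets given in the question, and reports any overlap.

```shell
#!/bin/sh
# Added diagnostic for the setup above; not from the question or from OpenVPN.
# Dotted-quad IPv4 address to an unsigned integer.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Dotted netmask (255.255.128.0) to a prefix length (17).
mask_to_prefix() {
  m=$(ip_to_int "$1"); n=0
  while [ $(( m & 2147483648 )) -ne 0 ] && [ "$n" -lt 32 ]; do
    m=$(( (m << 1) & 4294967295 )); n=$(( n + 1 ))
  done
  echo "$n"
}

# Network address (as an integer) of ADDR under a PLEN-bit mask.
net_of() {
  plen=$2
  echo $(( $(ip_to_int "$1") & ((4294967295 << (32 - plen)) & 4294967295) ))
}

# True (exit 0) when ADDR_A/PLEN_A and ADDR_B/PLEN_B share any address:
# under the shorter of the two masks, both network addresses are equal.
subnets_overlap() {
  p=$2; [ "$4" -lt "$p" ] && p=$4
  [ "$(net_of "$1" "$p")" -eq "$(net_of "$3" "$p")" ]
}

# Compare an OpenVPN 'server ADDR MASK' pool against the VPC subnets
# (given as a.b.c.d/len). Reports each collision; returns 1 if any.
check_server_pool() {
  addr=$1; prefix=$(mask_to_prefix "$2"); shift 2; rc=0
  for vpc in "$@"; do
    if subnets_overlap "$addr" "$prefix" "${vpc%/*}" "${vpc#*/}"; then
      echo "OVERLAP: tunnel pool $addr/$prefix collides with VPC subnet $vpc" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Values from the question: pool 10.10.0.0/255.255.128.0, VPC subnets 10.10.0.0/17 and 10.10.128.0/17.
if check_server_pool 10.10.0.0 255.255.128.0 10.10.0.0/17 10.10.128.0/17; then
  echo "tunnel pool is distinct from the VPC subnets"
fi
```

A pool outside the VPC range (for example 10.8.0.0 255.255.255.0) passes the check; the client's `route` line then only needs to cover the private subnet, and the server still needs IP forwarding and the EC2 source/destination check disabled to relay the traffic.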

Tim
Your question would be easier to understand with a diagram and your terms like "outer traffic" defined. I'm not really sure what you're trying to achieve. Two questions: 1) Have you considered EC2 source / destination check? 2) Have you considered using the AWS managed VPN?
raphael.oester
Just added a schema to the post. Outer traffic means traffic coming from the internet. 1) I don't understand your question 2) Yes, and I'd prefer not to use it because it's both expensive and not personalizable enough
Tim
AWS VPN is about $36 per month, expensive for playing with but cheap for a corporate / business given the redundancy and such. Have a read of this whole page especially the section I link directly to https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck . A VPN is a bit like a NAT in that it's not the source or destination for traffic "Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives..."
raphael.oester
I'm building an app that will hold multiple VPN instances, and really can't afford $36 per server given the amount. I disabled the source/destination checking, but didn't change anything. And actually that was pretty expected because the VPN traffic isn't even routed through the tunnel - as it was said in the title. See the traceroute screenshot.
Tim
I can't help with OpenVPN, just AWS. AWS VPN charges allow two incoming VPNs and that covers communication with every resource in your VPC, but only to two targets / destinations outside your VPC. If you're connecting many branches / resources to the VPN then I can see why you want many VPNs, but I wonder if you could manage with application level encryption - but you haven't said what you're trying to achieve, just how you want to do it.