TLDR;Synopsis
Can a group of VMs, each with it's own public IPv4 address, be organized so as to mimic being on a private subnet and, if so, how can I connect those servers to the rest of my network?
Current Configuration
10.0.0.0/24 AWS Oregon - public
10.1.0.0/24 AWS Oregon - private
10.52.5.0/24 Home, San Diego
10.62.5.0/24 Home, Las Vegas
The AWS public network has an OpenVPN server. Both San Diego and Las Vegas each have their own dedicated OpenVPN clients which connect to that AWS server.
Through the use of this point-to-point VPN setup, any VM on my network can talk to any other VM with no NAT interference. Everything works flawlessly.
Problem
I've been asked to prove that a webapp I've designed, which currently runs at AWS Oregon, can be run just as successfully outside of the AWS ecosystem.
"No problem," I say. So I rent five servers from a Swiss vendor and prepare to join those servers to my network.
I guess my assumption was that SwissVendor would provision five servers for me and place them on an internal network of my choosing (e.g. 10.72.5.0/24, gw:.1) and perhaps give me a public (i.e. "elastic?") IP to drill my way in from the outside. I'd then choose one of the five servers to be my OpenVPN client, point it to my AWS Oregon OpenVPN server, and boom, the Swiss servers are now reachable from anywhere on my network.
Unfortunately for me, however, that's not how things work at SwissVendor. Instead, each of the five servers has its own public IP address and further, there's no guarantee that these IP addresses are even on the same subnet. So I ended up with something like:
Server 1: 11.11.11.11/24
Server 2: 22.22.22.22/24
Server 3: 33.33.33.33/24
Server 4: 44.44.44.44/24
Server 5: 55.55.55.55/24
RDP port 3389 is open to the world on each server, allowing the customer access via a pre-shared administrative password. All other inbound connections are blocked by the server's firewall which is on by default. That's simply the way SwissVendor provisions its servers to customers like me. I can't change this.
My Goal
This is where things get difficult to describe since I'm a hobbyist, not a pro. In my ideal world:
- Each of the Swiss servers would, in addition to having their own real public address, also have some sort of synthetic/virtual NIC on an internal network 10.72.5.0/24.
- The servers would be able to communicate with each other at high speed with virtually zero latency. [You can assume that each of the Swiss servers lives in the same physical cabinet and indeed may actually live on the same physical piece of hardware!]
- One of the servers would act as an OpenVPN client, connected to my AWS OpenVPN server, which would effectively pull 10.72.5.0/24 into my network, making each of these servers accessible to the rest of my network, but not to the Internet, and with no NAT interference.
I can't quite figure out how to pull this off, or if it's even possible at all. Here are two approaches I've considered but ultimately ruled out:
Failed Idea #1: Each Server acts as OpenVPN client
I could abandon the idea of having a dedicated OpenVPN client on the Swiss network. Instead, each Swiss server would run its own OpenVPN client, providing each with it's own additional IP address. So, in addition to the public IP address, each server would also have a virtual IP, probably along the lines of 10.8.0.0/24.
This would work insofar as the Swiss servers would be able to communicate with each other as well as the rest of my network.
The problem is that for a packet to get from SwissServer1 to SwissServer2, it would have to travel all the way to Oregon and back again -- grossly inefficient given that both SwissServer1 and SwissServer2 live on the same physical machine. Recall that I need low latency quick communications between the Swiss servers.
Failed Idea #2: Swiss servers communicate using their public addresses
I could simply allow the Swiss servers to communicate amongst themselves using their respective public IP addresses. This would certainly solve the latency problem.
The main issue I foresee with this is approach is that since each Swiss server's IP is public, and therefore exposed to the Internet, I'd have to be REALLY careful in configuring each server's firewall rules. If SwissServer1 wants to use file sharing with SwissServer2, for example, I'd have to know precisely what ports are used to facilitate that, and open just those ports, and only to SwissServer1. If I make one small mistake, I may end up exposing that file sharing service to the public Internet.
There's also the issue of how to connect these machines to the rest of my network in a clean way. So I see this approach as a non-starter too.
Where to from here?
I've researched it and can't quite figure out the correct approach. I think what I may be looking for is something called a "bridge," and I think OpenVPN might support this but I'm not certain. As I understand it from my extensive research on Wikipedia and Reddit, using bridge technology might allow the five Swiss servers to act as if they're on some single network, like let's say 10.52.7.0/24, thereby facilitating quick communications between these peers. But then what? How would I make 10.52.7.0/24 accessible to/from the rest of my existing network?
All servers are running Windows 2019 Server or Windows 2022 Server.
Any and all advice appreciated!
