
Can't Reach Private Subnet Over Bridged OpenVPN


I have a VPC in AWS with an OpenVPN server in a public subnet. I'm trying to reach a server running in a private subnet. I cannot.

I have two ENIs attached to the public machine: one with a public IP address that I'm connecting through, and another that I'm trying to use as my gateway to the private subnet.

I think my situation is similar to this question, but I can't figure out how to make it applicable: Allowing SSH on a server with an active OpenVPN client

My guess is that the packets don't know how to get back.

What I can do:

I can reach the private subnet over the bridge (br0) with cURL:

root@ip-10-70-2-175:/home/ubuntu# curl --interface br0 10.70.20.57/time
2022-10-11T13:26:57.724Z

I can reach the connected client over the bridge (br0) with ping:

root@ip-10-70-2-175:/home/ubuntu# ping 10.70.2.225 -I br0
PING 10.70.2.225 (10.70.2.225) from 10.70.2.215 br0: 56(84) bytes of data.
64 bytes from 10.70.2.225: icmp_seq=1 ttl=64 time=154 ms

My ip a looks like:

3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    link/ether 02:be:e5:7f:a6:b3 brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default qlen 1000
    link/ether 02:be:e5:7f:a6:b3 brd ff:ff:ff:ff:ff:ff
    inet 10.70.2.215/24 brd 10.70.2.255 scope global dynamic br0
       valid_lft 2441sec preferred_lft 2441sec
    inet6 fe80::be:e5ff:fe7f:a6b3/64 scope link 
       valid_lft forever preferred_lft forever
18: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN group default qlen 100
    link/ether d2:a6:7b:95:20:ae brd ff:ff:ff:ff:ff:ff

I have a server-bridge and push in the OpenVPN configuration:

server-bridge 10.70.2.215 255.255.255.0 10.70.2.225 10.70.2.250

push "route 10.70.20.0 255.255.255.0"

Port 80 is wide open in all security groups.

I have tcpflow -i br0 running and can see the request come through the bridge from the client, but no response goes back to the client:

<tcpflow startime='2022-10-11T13:36:24.540564Z' endtime='2022-10-11T13:36:27.540105Z' mac_daddr='02:be:e5:7f:a6:b3' mac_saddr='36:75:00:9c:62:40' family='2' src_ipn='10.70.2.225' dst_ipn='10.70.20.57' srcport='59779' dstport='80' packets='4' len='312' />

My client-side route get 10.70.20.57 looks like:

   route to: 10.70.20.57
destination: 10.70.20.0
       mask: 255.255.255.0
    gateway: 10.70.2.215
  interface: tap0
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500         0 

My OpenVPN server routing table looks like:

root@ip-10-70-2-175:/home/ubuntu# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ip-10-70-2-1.us 0.0.0.0         UG    100    0        0 eth0
default         ip-10-70-2-1.us 0.0.0.0         UG    150    0        0 br0
10.70.2.0       0.0.0.0         255.255.255.0   U     0      0        0 br0
10.70.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
ip-10-70-2-1.us 0.0.0.0         255.255.255.255 UH    100    0        0 eth0
ip-10-70-2-1.us 0.0.0.0         255.255.255.255 UH    150    0        0 br0
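An added check, not from the question or any answer: the following Python script parses the posted server-bridge directive and pushed route, sanity-checks them against the bridge subnet, and lists which bridged-client pool addresses are not assigned to any ENI on the server. A VPC delivers traffic only to addresses assigned to an ENI, so a reply from 10.70.20.57 to an unassigned pool address never reaches eth1; the ENI address list here is an assumption (only the br0/eth1 address, no secondary private IPs).

```python
import ipaddress

# Constructed from the question: the server-bridge line, the pushed route, and
# the addresses assigned to the server's ENIs. The ENI list is an assumption
# (only the br0/eth1 address; no secondary private IPs on eth1).
SERVER_BRIDGE = "server-bridge 10.70.2.215 255.255.255.0 10.70.2.225 10.70.2.250"
PUSHED_ROUTES = ['push "route 10.70.20.0 255.255.255.0"']
ENI_ADDRESSES = {"10.70.2.215"}


def parse_server_bridge(line):
    """Return (gateway, bridge subnet, first pool address, last pool address)."""
    _, gw, mask, first, last = line.split()
    net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
    return (ipaddress.ip_address(gw), net,
            ipaddress.ip_address(first), ipaddress.ip_address(last))


def parse_push_route(line):
    """Turn push "route NET MASK" into an ip_network."""
    dst, mask = line.split('"')[1].split()[1:3]
    return ipaddress.ip_network(f"{dst}/{mask}", strict=False)


def check_bridge(bridge_line, pushed, eni_addrs):
    """Sanity-check the bridge config and list pool addresses no ENI owns.

    Returns (problems, undeliverable): problems are config errors; undeliverable
    are client addresses the VPC fabric will not deliver replies to, because no
    ENI in the subnet is assigned them.
    """
    gw, net, first, last = parse_server_bridge(bridge_line)
    problems = []
    if not all(a in net for a in (gw, first, last)):
        problems.append(f"gateway or pool outside bridge subnet {net}")
    if first > last:
        problems.append("pool start is after pool end")
    for line in pushed:
        rnet = parse_push_route(line)
        if rnet.overlaps(net):
            problems.append(f"pushed route {rnet} overlaps bridge subnet {net}")
    owned = {ipaddress.ip_address(a) for a in eni_addrs}
    pool = (ipaddress.ip_address(i) for i in range(int(first), int(last) + 1))
    undeliverable = [str(a) for a in pool if a not in owned]
    return problems, undeliverable


if __name__ == "__main__":
    problems, dead = check_bridge(SERVER_BRIDGE, PUSHED_ROUTES, ENI_ADDRESSES)
    print("config problems:", problems or "none")
    print(f"{len(dead)} pool addresses not assigned to any ENI, e.g. {dead[:3]}")
```

Adding a pool address to ENI_ADDRESSES (as a secondary private IP on eth1 would) removes it from the undeliverable list, which is the condition a tcpdump on eth1 for the return traffic would confirm.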