Score:0

AWS: routing back from VPC to an instance


I'm relatively new to AWS and need to set up some internal infrastructure. Example: a VPN server that routes people into a VPC.

I have a VPN server instance bound to an elastic IP that has a subnet carved out for VPN users. Now how do I tell the VPC that the route back to our VPN users should go through this instance?

I tried editing route tables, but I keep getting an error saying that the route destination is not in any CIDR blocks.

OK, I made it part of that VPC's CIDR, set up a reservation in that subnet... still no luck

Tim
Before I answer the question: why are you using an EC2 instance to run a VPN rather than using an AWS site-to-site managed VPN service? The service is generally easier to use, more reliable, and simpler to route to: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html
exeral
Provide more details: the value of your VPC CIDR, the CIDR of the VPN users subnet and the exact error message.
Yuri
@Tim because I need to connect our managed laptops to this VPC, and to allow these machines to access internal infrastructure inside it (think Puppet master, etc...). I need a client VPN, and not site-to-site. Also, Amazon AWS VPN is a very poor fit here for various reasons.
Yuri
@exeral Say, my VPC is 10.36.0.0/16. I can choose whatever private subnet (/24) I want for the VPN clients, but I don't know how to tell the VPC to route back to it through the instance running the VPN server.
Tim
https://aws.amazon.com/vpn/client-vpn/ could be helpful, but again, beware of costs. I suggest integration with a directory; otherwise, when I used it a couple of years ago, everyone authenticated with the same certificate, which isn't ideal.
Score:0

Assuming that:

  • your VPC CIDR is 10.36.0.0/16
  • you have a subnet in that VPC: subnet-0011aabb with CIDR 10.36.1.0/24
  • this subnet is associated to route table: rtb-0011aabb
  • your VPN instance is i-aabbccdd
  • the VPN users subnet is 172.16.0.0/24

add in rtb-0011aabb the route: 172.16.0.0/24 via i-aabbccdd

Once created, AWS will automatically resolve i-aabbccdd to its corresponding network interface.

Yuri
One caveat: turns out you have to disable the source/destination check on the instance you're routing through. If you want to use a VPN subnet inside the range that is used for a VPC, you need to create an AWS subnet for this in the same AZ as the instance (not sure if this is a good practice -- I'll be using a range that is outside of the VPC).
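The route from the answer together with the source/destination-check caveat from the comment, as an added AWS CLI script (not code from the thread). The route table, instance ID and CIDR are the answer's placeholders; AWS_CLI is an assumed variable you can set to `echo` for a dry run before applying.

```sh
#!/bin/sh
# Added example, not from the thread: apply the answer's return route and the
# source/destination-check caveat with the AWS CLI.
# Assumed: the IDs below are the answer's placeholders; AWS_CLI=echo gives a dry run.
set -eu

RTB="${RTB:-rtb-0011aabb}"            # route table of the VPC subnet(s)
INSTANCE="${INSTANCE:-i-aabbccdd}"    # VPN server instance
VPN_CIDR="${VPN_CIDR:-172.16.0.0/24}" # VPN client range, outside the VPC CIDR
AWS_CLI="${AWS_CLI:-aws}"

# Turn off the source/destination check so the instance may forward packets
# whose addresses are not its own (the caveat in the comment above).
disable_src_dst_check() {
  "$AWS_CLI" ec2 modify-instance-attribute --instance-id "$1" --no-source-dest-check
}

# Add the return route: VPN client CIDR -> VPN instance. AWS resolves the
# instance to its primary network interface.
add_return_route() {
  "$AWS_CLI" ec2 create-route --route-table-id "$1" \
    --destination-cidr-block "$2" --instance-id "$3"
}

# Read both settings back so a missing piece shows up immediately:
# expect "False" for the check and "active" for the route.
verify() {
  "$AWS_CLI" ec2 describe-instance-attribute --instance-id "$2" \
    --attribute sourceDestCheck --query 'SourceDestCheck.Value' --output text
  "$AWS_CLI" ec2 describe-route-tables --route-table-ids "$1" \
    --query "RouteTables[0].Routes[?DestinationCidrBlock=='$3'].State" --output text
}

if [ "${1:-}" = "apply" ]; then
  disable_src_dst_check "$INSTANCE"
  add_return_route "$RTB" "$VPN_CIDR" "$INSTANCE"
  verify "$RTB" "$INSTANCE" "$VPN_CIDR"
fi
```

Run with `AWS_CLI=echo sh script.sh apply` to print the commands, then without the override to apply them with your configured credentials.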