
Software developer here, trying to get his sysadmin-foo up and running by setting up an OpenVPN server on amazon EC2 to access all the internal resources there. Here's how I envision that on a fresh Ubuntu 12.04 Canonical AMI:

   Local network          /        EC2 Cloud, 10.*.*.*/255.0.0.0
  172.16.20.*/          ,'
     255.255.255.0     ,'                +-----------------+
                      .'                 |Amazon DNS server|
                      |                ,'|  172.16.0.23    |
 +---------------+   |               ,'  +-----------------+
 | Workstation   |   |             ,'
 |               XXX |   +-------,'------+
 | 172.16.20.1   |  XXXX | OpenVPN server|
 +------`.-------+   \  XX  10.23.45.67  `-.  +-------------+
          \          '.  +---------------+  `-. Second server
  +--------`.---+     |                       | 10.23.45.68 |
  |Local server |      \                      +-------------+
  | 172.16.20.2 |       \
  +-------------+        \

Clients can connect to the VPN (even on iPhone), but I'm having trouble getting a full overview of which subsystems I need to check.

Here are my goals for the setup:

  • VPN clients should be able to access internal resources via the VPN; the rest of the internet should be routed via the local gateway
  • VPN clients should be able to access all servers the OpenVPN server can access
  • VPN clients should use the Amazon DNS server at 172.16.0.23 as their primary DNS server, because that server resolves Amazon's generated hostnames to internal IP addresses (i.e. ec2-45-67-8-9.eu-west-1.compute.amazonaws.com would resolve to 10.23.45.67 when resolved by that server, but to 45.67.8.9 everywhere else)
  • VPN clients should see each other

Here's how I configured /etc/openvpn/server.conf (just the interesting bits, I hope):

persist-tun
server 172.16.10.0 255.255.255.0
push "route-gateway 172.16.10.1"
push "route 10.0.0.0 255.0.0.0"

push "route 172.16.0.23"
push "dhcp-option DNS 172.16.0.23"

However, I'm not sure which parts of these the openvpn server does for me:

  • Do I need to configure iptables on the server? If so, how?
  • Do I need to set routes on the server (besides the ones being pushed to the client)? If so, which and how?
  • What other networking software am I missing that causes my clients not to connect successfully?
peritus
  • Can you set `verb 5` on a client and add in the connection logs to your original post, along with the `route print` or `route -n` output of the client when it's connected? – SmallClanger Apr 25 '13 at 12:45
  • Are the VPN clients located in your local network (172.16.20.0/24)? Do they access the OpenVPN server via their local gateway (172.16.20.1) or do they connect to the server's public IP? If they are not in your local network: Shall they have access to the local network or just to the systems at Amazon? – Hauke Laging Apr 27 '13 at 20:15

1 Answer


You need to enable forwarding on the OpenVPN server in the kernel (/proc/sys/net/ipv4/ip_forward) and you have to globally or selectively allow forwarding in the firewall (iptables), e.g.:

# there is probably already a rule allowing all established connections
# iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
# the next rules for every OpenVPN interface (or once for the respective address block)
iptables -A FORWARD -i tun0 -d 10.0.0.0/8  -j ACCEPT
iptables -A FORWARD -i tun0 -d 172.16.0.23 -j ACCEPT
# if the local network shall be accessible
# iptables -A FORWARD -i tun0 -d 172.16.20.0/24 -j ACCEPT

You need not set routes on the server if just simple clients connect. If 172.16.20.1 connects as a gateway for the local network then you need a route for 172.16.20.0/24 but that is probably (and best) set in the OpenVPN config for 172.16.20.1.

Edit 1

If you cannot configure the routing on certain systems and their routing would not send the traffic back the right way, then you need NAT (more precisely: SNAT):

iptables -t nat -A POSTROUTING -d $PROBLEM_HOST_IP \! -s $LOCAL_IP \
  -j SNAT --to-source $LOCAL_IP

with the variables set accordingly. Assuming you can set the correct routing only for targets in 172.16.20.0/24, then you can do this more easily this way:

iptables -t nat -I POSTROUTING 1 -s $LOCAL_IP -j ACCEPT
iptables -t nat -I POSTROUTING 2 -d 172.16.20.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING 3 -j SNAT --to-source $LOCAL_IP
Hauke Laging
  • Hauke: Your answer is fine for the one node you're connecting to. The question is how to expose the rest of the nodes in the non-VPC EC2 cluster. Those don't have TUN devices and they don't have routes to the OpenVPN server. – nirvdrum May 03 '13 at 14:23
  • @nirvdrum See edit – Hauke Laging May 03 '13 at 15:09
  • @nirvdrum yes, that's the point of the question. I've configured everything with SNAT now, but having routes back to the OpenVPN server on all other nodes is even better ;) – peritus May 06 '13 at 11:08
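Putting the answer's pieces together as one script (an added example, not code from the answer or from the OpenVPN project): it emits the sysctl, FORWARD and SNAT commands for the addresses in the question, applies SNAT only to destinations that cannot route back to the VPN subnet, and runs the commands only when invoked with `apply`. The interface name, the split between routed and SNAT destinations, and the use of 10.23.45.68 as the SNAT example host are assumptions taken from the diagram and server.conf.

```shell
#!/bin/sh
# Added example, not the answer's own code. Generates (and optionally applies)
# the forwarding, firewall and SNAT rules discussed above.
VPN_IF=tun0                 # OpenVPN interface on the server (assumed)
VPN_NET=172.16.10.0/24      # "server 172.16.10.0 255.255.255.0" from server.conf
LOCAL_IP=10.23.45.67        # OpenVPN server's EC2-internal address (from the diagram)
# Destinations whose hosts have a route back to $VPN_NET via the OpenVPN server:
ROUTED_DSTS="10.0.0.0/8 172.16.0.23/32"
# Destinations without such a return route; these need SNAT (constructed list,
# per the comments this is every other EC2 node without a route to the server):
SNAT_DSTS="10.23.45.68/32"

# Print one command per line; nothing is executed here, so no root is needed.
vpn_forward_rules() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  # Return traffic for connections that VPN clients opened.
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Client-to-client traffic is forwarded tun0 -> tun0 by the kernel unless
  # server.conf has "client-to-client" (then OpenVPN switches it internally).
  echo "iptables -A FORWARD -i $VPN_IF -o $VPN_IF -j ACCEPT"
  for dst in $ROUTED_DSTS $SNAT_DSTS; do
    echo "iptables -A FORWARD -i $VPN_IF -s $VPN_NET -d $dst -j ACCEPT"
  done
  # Least privilege: nothing else coming from the VPN is forwarded, which also
  # keeps stray internet-bound client traffic off the EC2 side.
  echo "iptables -A FORWARD -i $VPN_IF -j REJECT"
  # SNAT only where the destination cannot route back to $VPN_NET, so hosts
  # that can still see the real client address in their logs.
  for dst in $SNAT_DSTS; do
    echo "iptables -t nat -A POSTROUTING -s $VPN_NET -d $dst -j SNAT --to-source $LOCAL_IP"
  done
}

# "sh vpn-forward.sh apply" runs the commands (as root); anything else prints them.
case "${1:-show}" in
  apply) vpn_forward_rules | while read -r cmd; do sh -c "$cmd"; done ;;
  *)     vpn_forward_rules ;;
esac
```

Review the printed rules first; the SNAT list is the only part that hides client addresses from the target hosts, so keep it as short as the return routes allow.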