
I'm trying to build an OpenVPN gateway from my VPC -> into the office network. I've successfully set up a VPN client on one of my EC2 instances (let's name it "gateway") and now it has VPN virtual interface "tun0".

Now I want to route all office-related traffic (dst 172.20.0.0/16) from the rest of EC2 instances in the VPC to "gateway"'s network interface (10.0.0.100).

I've tried 2 different approaches:

  • add a new rule into the related AWS Route Table: 172.20.0.0/16 -> eni-XXX (where eni-XXX is an id of "gateway"'s interface);
  • update EC2's route table: route add -net 172.20.0.0 netmask 255.255.0.0 gw 10.0.0.100

Both variants seem to have failed, because running "tcpdump -i eth0 'src port not 22 and dst port not 22'" on the gateway and curling/pinging internal office IPs shows nothing :(

Does anyone have an idea about what's wrong? Or maybe has a better solution for my problem?

And the second question. Once I get my traffic on gateway's eth0, I plan to forward it into the VPN connection using the following iptables commands:

iptables -t nat -A POSTROUTING -o tun0  -j MASQUERADE
iptables -A FORWARD -i eth0 -s 10.0.0.0/16 -o tun0 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Should I expect any problems here (except enabling ip forwarding)?


2 Answers


Your approach is suboptimal. You should be using an AWS Virtual Private Gateway to connect your office to your VPN, not connecting to a VPN on one EC2 instance and trying to route from there.

Give that a go, the documentation is good, and if you have problems you should probably start a new question. If you can't use this solution you should edit your question to include more detail about your use case.


Ok, so my main problem was with AWS - it doesn't allow routing traffic between EC2 instances by default. To fix this, one should disable the Src/Dst check for your "gateway" instance. After that, adding a route into the AWS route table which redirects all your office-targeted traffic to your "gateway" EC2 instance (e.g. 172.20.0.0/16 -> eni-XXX - where eni-XXX is the id of the gateway's interface) works fine.

As for forwarding traffic from the public network interface (eth0) to the OpenVPN virtual network interface, iptables solves this very easily:

iptables -F
iptables -t nat -F

iptables -t nat -A POSTROUTING --out-interface tun0 -j MASQUERADE
iptables -A FORWARD -i eth0 -s 10.0.0.0/16 -d 172.20.0.0/16 -o tun0 -j ACCEPT

where "10.0.0.0/16" is VPC sub-network and "172.20.0.0/16" is the office network. Plus, enabling IP forwarding, of course:

echo 1 > /proc/sys/net/ipv4/ip_forward
# and, to make it persist across reboots, add this line to /etc/sysctl.conf:
net.ipv4.ip_forward = 1

Thanks everyone for your replies.

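The procedure from the accepted answer put together as one script, added here as an example and not taken from the thread. The instance, ENI and route-table ids are placeholders, the AWS CLI calls assume a configured `aws` profile, and the FORWARD chain is tightened to a default-DROP policy that only lets VPC-to-office connections in and their replies back out.

```shell
#!/bin/sh
# Constructed example, not from the thread. Placeholder ids must be replaced.
VPC_CIDR="10.0.0.0/16"       # VPC network (from the thread)
OFFICE_CIDR="172.20.0.0/16"  # office network reachable through tun0 (from the thread)
INSTANCE_ID="i-PLACEHOLDER"  # the "gateway" EC2 instance
GATEWAY_ENI="eni-PLACEHOLDER" # the gateway's network interface
ROUTE_TABLE="rtb-PLACEHOLDER" # route table used by the other VPC instances

# AWS side: the source/destination check must be off on the gateway, otherwise
# the VPC drops packets that are not addressed to the instance itself before
# they ever reach eth0; then point the office prefix at the gateway's ENI.
aws_commands() {
  cat <<EOF
aws ec2 modify-instance-attribute --instance-id $INSTANCE_ID --no-source-dest-check
aws ec2 create-route --route-table-id $ROUTE_TABLE --destination-cidr-block $OFFICE_CIDR --network-interface-id $GATEWAY_ENI
EOF
}

# Gateway side: default-DROP forwarding, one rule for new VPC->office
# connections, one conntrack rule for their replies, and NAT only for the VPC
# source range so nothing else is masqueraded into the office network.
gateway_rules() {
  cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -A FORWARD -i eth0 -o tun0 -s $VPC_CIDR -d $OFFICE_CIDR -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -s $VPC_CIDR -j MASQUERADE
EOF
}

# Number of FORWARD accept rules the ruleset installs (used as a sanity check).
forward_rule_count() {
  gateway_rules | grep -c '^iptables -A FORWARD'
}

# Apply on the gateway: enable forwarding for the running kernel, then load
# the rules; persisting ip_forward in /etc/sysctl.conf is still needed.
apply_gateway() {
  sysctl -w net.ipv4.ip_forward=1
  gateway_rules | sh -e
}

case "${1:-}" in
  apply) apply_gateway ;;          # "sh gateway.sh apply" on the gateway itself
  *) aws_commands; gateway_rules ;; # default: only print what would be run
esac
```

Without the `apply` argument the script only prints the AWS CLI and iptables commands, so it can be reviewed before anything is changed.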