
I did set up an OpenVPN server, which works fine, and the IP of the server shows instead of my machine's IP.

I am using this VPN to connect to an EC2 instance, and restricting access to only instances within the same VPC, for all ports including HTTP, HTTPS & SSH.

To do so, in the inbound rules I set it to only accept connections from the VPC CIDR. However, whenever I try to open that server, it doesn't work and I get "site can't be reached".

PS: The server used to work fine, before I restricted the access from AWS Cloud Firewall.


2 Answers


This is how your instances in your default VPC (172.31.0.0/16) should be configured:

  1. The target EC2 instance
    • IP 172.31.16.185
    • Security Group permits SSH, HTTP and HTTPS access from 172.31.0.0/16
  2. The VPN Gateway
    • IP 172.31.4.201
    • Security Group permits all outbound traffic
    • Disable Source/Dest check (not necessary if you NAT though)
    • OpenVPN is configured to NAT all the outbound traffic on eth0, which means all the traffic appears to originate from 172.31.4.201
  3. Your laptop / OpenVPN client
    • SSH to 172.31.16.185 - that should go through the VPN tunnel, be NAT'ed on the VPN gateway and connect to the target system.

No public IPs involved.

Hope this helps :)

  • Is that how I should NAT? `sudo iptables -t nat -I POSTROUTING -s 172.31.4.201/24 -o eth0 -j MASQUERADE` – MZaza Oct 08 '18 at 00:53
  • Close - `iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE` or with `-s the-vpn-cidr/prefix`, e.g. if the addresses inside your VPN are 10.10.10.0/24 it would be `-s 10.10.10.0/24`. – MLu Oct 08 '18 at 00:56
  • Or omit that `-s ...` altogether, it should work too. – MLu Oct 08 '18 at 00:57
  • OK, I've done all the steps above. For the NAT I used the following exactly: `sudo iptables -t nat -I POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE`. Still no luck :( There has to be something wrong with me. – MZaza Oct 08 '18 at 01:02
  • Run `tcpdump -i tun0 -n host 172.31.16.185` on the VPN gateway and verify that you see the packets coming in from the tunnel. Then run `tcpdump -i eth0 -n host 172.31.16.185` to verify that they are coming out from the VPN GW instance NAT'ed and destined to the target box. – MLu Oct 08 '18 at 01:06
  • 0 packets But google shows the IP of the VPN :D – MZaza Oct 08 '18 at 01:11
  • Looks like your OpenVPN isn't working properly. What routes are you pushing to the client from the VPN server? What is the internal tunnel CIDR? – MLu Oct 08 '18 at 01:16
  • In the server.conf I have the following: `push "route 172.31.0.0 255.255.0.0"`, `push "redirect-gateway def1 bypass-dhcp"`, `push "dhcp-option DNS 208.67.222.222"`, `push "dhcp-option DNS 208.67.220.220"` – MZaza Oct 08 '18 at 01:22
  • That looks good. What are the tunnel internal IPs? What IP does your VPN client get assigned on the tunnel interface? – MLu Oct 08 '18 at 01:24
  • What is that :D ? Is it in base.conf? If yes, I have `remote 18.214.28.104 1194` – MZaza Oct 08 '18 at 01:26
  • Nope, that would be in the server config, like: `server 192.168.142.128 255.255.255.192` – MLu Oct 08 '18 at 01:28
  • `server 10.8.0.0 255.255.255.0` – MZaza Oct 08 '18 at 01:30
  • Ok, so the iptables command should have been: `iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`. Delete the old rule with `iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE` first. – MLu Oct 08 '18 at 01:33
  • I've done the new command, but when trying to delete the old rule I got Bad argument `**-D**' – MZaza Oct 08 '18 at 01:35
  • Just `-D`, not `**-D**`. – MLu Oct 08 '18 at 01:36
  • And as far as I know iptables is like some kind of firewall, right? Because I have used it on the server, I use AWS Cloud Firewall. – MZaza Oct 08 '18 at 01:37
  • Still no luck, is that the longest thread you have ever had on serverfault? – MZaza Oct 08 '18 at 01:38
  • Yes, iptables is a firewall. – MLu Oct 08 '18 at 01:38
  • I didn't configure iptables and I don't use it. The problem, as I see it, is that if the VPN server had a problem I wouldn't be able to get Netflix for the USA, or get access to currently blocked sites in my country, or get the VPN's IP when I check for my IP through the browser. I believe the problem is with the target EC2 instance, don't you think so? – MZaza Oct 08 '18 at 01:41
  • Quite likely it is :) We'll be told off and moved to chat soon. Anyway, what does `tcpdump -i tun0 -n` on the vpn server show when you try to SSH from the client to the target server? Any traffic at all? – MLu Oct 08 '18 at 01:41
  • Well, just typing this command gave me and still does lots of activity. – MZaza Oct 08 '18 at 01:42
  • Restrict it to the VPC CIDR logging: `tcpdump -i tun0 -n net 172.31.0.0/16` – MLu Oct 08 '18 at 01:43
  • Nothing so far, and I can't SSH to the target while using the VPN. I can SSH to other servers, but not the target. – MZaza Oct 08 '18 at 01:47
  • I will contact you through email. – MZaza Oct 08 '18 at 01:54

That sounds like a configuration problem on the OpenVPN server side. Check the following:

  • You've got IP forwarding enabled.
  • You're NAT'ing all outbound traffic to the IP of your OpenVPN server.

Get some inspiration in this answer: OpenVPN not default gateway for all traffic.

Hope that helps :)

  • If I explicitly allow the IP of the OpenVPN server in the inbound rules of that instance, it works and only I can connect to that instance. The problem only happens when I try to allow the whole VPC by using the CIDR. – MZaza Oct 07 '18 at 23:46
  • @MZaza CIDR should work too. Have you got the correct prefix length specified? If it's a default VPC it will probably be something like 172.31.0.0/16 (note the /16). What IP address has the OpenVPN server, what is the destination server and what was the CIDR that you specified? – MLu Oct 07 '18 at 23:51
  • First, to clear things up: I tried to check for my IP after connecting to the VPN and it showed my VPN IP. I tried a couple of websites blocked in my country just to check and they opened up. I tried restricting access to my VPN IP only and it worked, but when I try the CIDR block it doesn't work. My CIDR block is exactly as you wrote, 172.31.0.0/16. The private IP address for the OpenVPN server is 172.31.4.201. The private IP address for the destination server is 172.31.16.185. The CIDR I specified is 172.31.0.0/16. – MZaza Oct 07 '18 at 23:58
  • @MZaza something isn't quite right in the setup - so you're saying that if you put 172.31.4.201/32 as a source into the 172.31.16.185's security group it works but if *in the same security group* you change it from 172.31.4.201/32 to 172.31.0.0/16 it stops working?? – MLu Oct 08 '18 at 00:09
  • No, I mean if I use the public IP of the VPN which is something like 18.231.2.19 it works but if I use the CIDR, which is 172.31.0.0/16 of the VPN it doesn't work. – MZaza Oct 08 '18 at 00:15
  • I see. To use the VPC CIDR you have to make it work over private IPs. If you SSH to the VPN server, can you then SSH to the target server's private IP 172.31.16.185? Yes/No? If not, that means the target server's security group isn't permitting access from 172.31.4.201. You'll have to get this working first. – MLu Oct 08 '18 at 00:19
  • I can SSH, I just get permission denied (public key) – MZaza Oct 08 '18 at 00:23
  • I am sure I am missing something in AWS, not VPN related. There is something I didn't do, I should have done :D – MZaza Oct 08 '18 at 00:25
  • Ok, and from your VPN tunnel client (e.g. from your laptop) can you SSH to 172.31.16.185 with the VPN up? – MLu Oct 08 '18 at 00:26
  • I have the SSH port also restricted to the VPC. If I change the restriction to the public IP of the VPN, SSH will work. Otherwise it will not. – MZaza Oct 08 '18 at 00:30
  • Should I disable Dest/Source check for the EC2 Instance? – MZaza Oct 08 '18 at 00:42
  • Added one more answer. – MLu Oct 08 '18 at 00:43
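Pulling together the two checks from the answers above (the NAT rule must use the tunnel CIDR from the `server` directive, as the comment thread worked out for `server 10.8.0.0 255.255.255.0`, and kernel IP forwarding must be on), here is an added example that is not part of either answer: a POSIX sh snippet that derives the MASQUERADE rule from a constructed server.conf sample and checks net.ipv4.ip_forward. The sample config and the eth0 egress interface name are assumptions.

```shell
# Constructed sample of the relevant server.conf lines (not the asker's real file)
SAMPLE_CONF='port 1194
server 10.8.0.0 255.255.255.0
push "route 172.31.0.0 255.255.0.0"
push "redirect-gateway def1 bypass-dhcp"'

# Dotted netmask -> prefix length, e.g. 255.255.255.0 -> 24 (standard octet values only)
mask_to_prefix() {
  bits=0
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  for octet in "$@"; do
    case $octet in
      255) bits=$((bits + 8)) ;; 254) bits=$((bits + 7)) ;; 252) bits=$((bits + 6)) ;;
      248) bits=$((bits + 5)) ;; 240) bits=$((bits + 4)) ;; 224) bits=$((bits + 3)) ;;
      192) bits=$((bits + 2)) ;; 128) bits=$((bits + 1)) ;; 0) ;;
      *) return 1 ;;
    esac
  done
  echo "$bits"
}

# Tunnel CIDR from the "server <network> <netmask>" directive (server.conf on stdin)
tunnel_cidr() {
  while read -r key net mask _; do
    if [ "$key" = server ]; then
      prefix=$(mask_to_prefix "$mask") || return 1
      echo "$net/$prefix"
      return 0
    fi
  done
  return 1
}

# The MASQUERADE rule for that tunnel CIDR on the given egress interface
nat_rule() {
  printf 'iptables -t nat -I POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# True when kernel forwarding is on; $1 overrides the sysctl file path (used by tests)
forwarding_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

cidr=$(printf '%s\n' "$SAMPLE_CONF" | tunnel_cidr) || { echo "no server directive found"; exit 1; }
echo "tunnel CIDR: $cidr"
nat_rule "$cidr" eth0
forwarding_enabled || echo "WARNING: net.ipv4.ip_forward is not 1, tunnel traffic will not leave via eth0"
```

Run it on the VPN gateway and compare the printed rule with `iptables -t nat -S POSTROUTING`; a rule with any other `-s` network (such as the 10.10.10.0/24 tried in the comments) will never match the tunnel's packets.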