
I have a VPC in AWS with an OpenVPN server in a public subnet. I'm trying to reach a server running in a private subnet. I cannot.

I have two ENIs running on the public machine. One with a public IP address that I'm connecting through, and another that I'm trying to use as my gateway to the private subnet.

I think my case is similar to this question, but I can't figure out how to make it applicable: Allowing SSH on a server with an active OpenVPN client

My guess is that the packets don't know how to get back.

What I can do:

I can reach the private subnet over the bridge (br0) with cURL:

root@ip-10-70-2-175:/home/ubuntu# curl --interface br0 10.70.20.57/time
2022-10-11T13:26:57.724Z

I can reach the connected client over the bridge (br0) with ping:

root@ip-10-70-2-175:/home/ubuntu# ping 10.70.2.225 -I br0
PING 10.70.2.225 (10.70.2.225) from 10.70.2.215 br0: 56(84) bytes of data.
64 bytes from 10.70.2.225: icmp_seq=1 ttl=64 time=154 ms

My ip a output looks like:

3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    link/ether 02:be:e5:7f:a6:b3 brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default qlen 1000
    link/ether 02:be:e5:7f:a6:b3 brd ff:ff:ff:ff:ff:ff
    inet 10.70.2.215/24 brd 10.70.2.255 scope global dynamic br0
       valid_lft 2441sec preferred_lft 2441sec
    inet6 fe80::be:e5ff:fe7f:a6b3/64 scope link 
       valid_lft forever preferred_lft forever
18: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN group default qlen 100
    link/ether d2:a6:7b:95:20:ae brd ff:ff:ff:ff:ff:ff

I have a server-bridge and push in the OpenVPN configuration:

server-bridge 10.70.2.215 255.255.255.0 10.70.2.225 10.70.2.250

push "route 10.70.20.0 255.255.255.0"

Port 80 is wide open in all security groups.

I have tcpflow -i br0 running and can see the request come through the bridge from the client, but no response back to the client:

<tcpflow startime='2022-10-11T13:36:24.540564Z' endtime='2022-10-11T13:36:27.540105Z' mac_daddr='02:be:e5:7f:a6:b3' mac_saddr='36:75:00:9c:62:40' family='2' src_ipn='10.70.2.225' dst_ipn='10.70.20.57' srcport='59779' dstport='80' packets='4' len='312' />

My client-side route get 10.70.20.57 looks like:

   route to: 10.70.20.57
destination: 10.70.20.0
       mask: 255.255.255.0
    gateway: 10.70.2.215
  interface: tap0
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500         0 

My OpenVPN server route output:

root@ip-10-70-2-175:/home/ubuntu# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ip-10-70-2-1.us 0.0.0.0         UG    100    0        0 eth0
default         ip-10-70-2-1.us 0.0.0.0         UG    150    0        0 br0
10.70.2.0       0.0.0.0         255.255.255.0   U     0      0        0 br0
10.70.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
ip-10-70-2-1.us 0.0.0.0         255.255.255.255 UH    100    0        0 eth0
ip-10-70-2-1.us 0.0.0.0         255.255.255.255 UH    150    0        0 br0
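To see which interface the kernel would select for a given destination from a routing table like the one above, here is an added Python example (not from the question) that parses a constructed copy of that table and applies longest-prefix match, then lowest metric, then table order; the hostname ip-10-70-2-1.us is written as 10.70.2.1, an assumption since the page shows only the resolved name.

```python
import ipaddress

# Constructed copy of the server's `route` output from the question, in the numeric
# form `route -n` prints. The hostname ip-10-70-2-1.us is written as 10.70.2.1,
# an assumption: the page shows only the resolved name.
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.70.2.1       0.0.0.0         UG    100    0        0 eth0
0.0.0.0         10.70.2.1       0.0.0.0         UG    150    0        0 br0
10.70.2.0       0.0.0.0         255.255.255.0   U     0      0        0 br0
10.70.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.70.2.1       0.0.0.0         255.255.255.255 UH    100    0        0 eth0
10.70.2.1       0.0.0.0         255.255.255.255 UH    150    0        0 br0
"""

def parse_routes(text):
    """Turn `route -n` output into (network, gateway, metric, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the header row
        dest, gw, mask, _flags, metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, int(metric), iface))
    return routes

def lookup(routes, dst):
    """Route Linux would pick: longest prefix, then lowest metric, then the
    first entry in table order (an approximation of FIB insertion order)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for order, (net, gw, metric, iface) in enumerate(routes):
        if addr in net:
            key = (-net.prefixlen, metric, order)
            if best is None or key < best[0]:
                best = (key, gw, iface)
    return None if best is None else (best[1], best[2])

def shared_prefixes(routes):
    """Prefixes installed on more than one interface: here the egress interface
    is chosen by metric and order, not by which link the neighbour is on."""
    by_net = {}
    for net, _gw, _metric, iface in routes:
        by_net.setdefault(str(net), set()).add(iface)
    return {n: sorted(i) for n, i in by_net.items() if len(i) > 1}

if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for dst in ("10.70.20.57", "10.70.2.225", "10.70.2.1"):
        print(dst, "->", lookup(table, dst))
    print("shared:", shared_prefixes(table))
```

With this table, traffic the server itself sends to 10.70.20.57 leaves via eth0 (default route, metric 100), while 10.70.2.225 is reached via br0 only because the br0 entry is listed first; every prefix is shared between eth0 and br0.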

0 Answers