
I'm relatively new to AWS and need to set up some internal infrastructure. Example: a VPN server that routes people into a VPC.

I have a VPN server instance bound to an elastic IP that has a subnet carved out for VPN users. Now how do I tell the VPC that the route back to our VPN users should go through this instance?

I tried editing route tables, but I keep getting an error saying that the route destination is not in any CIDR blocks.

OK, I made it part of that VPC's CIDR, set up a reservation in that subnet... still no luck

Yuri
  • Before I answer the question: why are you using an EC2 instance to run a VPN rather than using an AWS site-to-site managed VPN service? The service is generally easier to use, more reliable, and simpler to route to: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html – Tim May 11 '23 at 21:54
  • Provide more details: the value of your VPC CIDR, the CIDR of the VPN users subnet and the exact error message. – exeral May 12 '23 at 08:38
  • @Tim because I need to connect our managed laptops to this VPC, and to allow these machines to access internal infrastructure inside it (think Puppet master, etc...). I need a client VPN, and not site-to-site. Also, Amazon AWS VPN is a very poor fit here for various reasons. – Yuri May 12 '23 at 09:33
  • @exeral Say, my VPC is 10.36.0.0/16. I can choose whatever private subnet (/24) I want for the VPN clients, but I don't know how to tell the VPC to route back to it through the instance running the VPN server. – Yuri May 12 '23 at 09:35
  • https://aws.amazon.com/vpn/client-vpn/ could be helpful, but again, beware of costs. I suggest integration with a directory, otherwise when I used it a couple of years ago everyone authenticates with the same certificate which isn't ideal – Tim May 12 '23 at 23:27

1 Answer


Assuming that:

  • your VPC CIDR is 10.36.0.0/16
  • you have a subnet in that VPC: subnet-0011aabb with CIDR 10.36.1.0/24
  • this subnet is associated to route table: rtb-0011aabb
  • your VPN instance is i-aabbccdd
  • the VPN users subnet is 172.16.0.0/24

Add in rtb-0011aabb the route: 172.16.0.0/24 via i-aabbccdd

Once created, AWS will automatically resolve i-aabbccdd to its corresponding network interface.

exeral
  • One caveat: turns out you have to disable the source/destination check on the instance you're routing through. If you want to use a VPN subnet inside the range that is used for a VPC, you need to create an AWS subnet for this in the same AZ as the instance (not sure if this is a good practice -- I'll be using a range that is outside of the VPC). – Yuri May 13 '23 at 11:07
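The answer's route plus the source/destination-check caveat from the comment, written out as a Terraform configuration. This is an added example, not code from the answer or from AWS; it assumes the values used in the answer (VPC 10.36.0.0/16, subnet 10.36.1.0/24, VPN client range 172.16.0.0/24, which is outside the VPC CIDR as the asker finally chose), and the AMI id is a placeholder.

```hcl
# Added example: return route to VPN clients through an EC2 instance.
# Assumed values follow the answer above; the AMI id is a placeholder.

variable "vpn_client_cidr" {
  # Outside the VPC CIDR; a range inside the VPC would need its own AWS subnet
  # in the instance's AZ, as noted in the comments.
  default = "172.16.0.0/24"
}

resource "aws_vpc" "main" {
  cidr_block = "10.36.0.0/16"
}

resource "aws_subnet" "vpn" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.36.1.0/24"
}

resource "aws_route_table" "vpn" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route_table_association" "vpn" {
  subnet_id      = aws_subnet.vpn.id
  route_table_id = aws_route_table.vpn.id
}

resource "aws_instance" "vpn" {
  ami           = "ami-PLACEHOLDER" # placeholder, not a real AMI id
  instance_type = "t3.small"
  subnet_id     = aws_subnet.vpn.id
  # The caveat from the comments: the instance forwards packets it is neither
  # the source nor the destination of, so EC2 must not drop them.
  source_dest_check = false
}

resource "aws_eip" "vpn" {
  instance = aws_instance.vpn.id
  domain   = "vpc"
}

# Return route for the VPN client range. The console's "instance" target is
# resolved to the instance's network interface, so the ENI is referenced here.
resource "aws_route" "vpn_clients" {
  route_table_id         = aws_route_table.vpn.id
  destination_cidr_block = var.vpn_client_cidr
  network_interface_id   = aws_instance.vpn.primary_network_interface_id
}
```

After `terraform apply`, the route table should show 172.16.0.0/24 pointing at the instance's ENI, and the instance's source/destination check should read as disabled in the EC2 console.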