3

I have a VPC using the network 10.10.0.0/16, and a VPN server in the public subnet (10.10.0.0/24). The VPN uses addresses in the 10.11.254.0/24 range. When I connect to the VPN, I can access hosts in both the public subnet and the private subnet (10.10.1.0/24), so I believe I have the routing table set up properly to send packets bound for the VPN back through the VPN server. I have disabled source/destination checks on the VPN server (which is also needed to be able to access other hosts in the network).

The AmazonProvidedDNS server seems to be working properly inside the VPC; I can run dig @10.10.0.2 ip-10-10-1-215.ec2.internal from a host in the VPC, and I get the expected response.

However, if I run that same dig command from may laptop, connected to the VPN, I get no response.

From running tcpdump on the vpn server, I see the A? packets coming from my VPN address, going to 10.10.0.2, but I don't see any response coming back. Is there something I need to do to enable the DNS server to answer requests from outside the VPC address range?

pkaeding
  • 810
  • 2
  • 13
  • 23

2 Answers2

1

That sounds like unusual way to do it, but given the inside/outside split resolution magic they've implemented, I can see why it makes sense (now that I think about it).

It's unlikely that the EC2 DNS resolvers would answer requests from a foreign IP address, but there should be an easy workaround.

For example, if your IP address on the vpn is 192.168.2.*, then, on the vpn server in VPC...

$ sudo iptables --table nat -A POSTROUTING -s 192.168.2.0/24 -d 10.10.0.2/32 -j MASQUERADE

This adds a rule to the network address translation table so that after it makes the routing decision on packets from the specified source block to the specified destination block, instead of just forwarding the packet as usual, it will strip off your IP and add its own IP as the source address, and it will memorize the request. When the response comes back, addressed to the vpn server's IP, it will again rewrite the address (destination, this time, back to your address) and send the response back to you.

That should accomplish what you want.

Michael - sqlbot
  • 22,658
  • 2
  • 63
  • 86
  • Does this require me to use NAT on the VPN? I'm not currently doing that. I'm using a 'routed' OpenVPN configuration. – pkaeding Oct 17 '14 at 02:59
  • 1
    "Require?" Not in the sense that you are asking, no... You should still be able to do everything the same as you're doing now. This adds a small exception to your routed vpn, performing NAT only for traffic to the one particular IP address, while continuing to pass traffic normally, if it doesn't match both the source and destination in the new rule. – Michael - sqlbot Oct 17 '14 at 03:20
0

You could spin up a micro instance and you could use it as udp proxy.

sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to 10.10.0.2
Alberto Miorin
  • 1