
I am trying to run a RRAS VPN server that pulls from a windows DHCP server running on the same box. I am finding that the AWS DHCP is getting hit first with the DHCP request and it provides invalid information to my clients. I need to get the DHCP offers from my localhost DHCP server for the additional option fields (which cannot be specified in the VPC DHCP option set) instead of the VPC DHCP server. Is there any way I can either disable the VPC DHCP entirely or block the external offers on the RRAS firewall?

UPDATE 1/30/2015:

Thanks to the brilliant suggestion by Craig Watson, I was able to resolve this issue. My ultimate goal was to push multiple routes to my L2TP VPN clients using the DHCPINFORM mechanism on various platforms without screwing with vendor-specific issues. The final setup is as follows:

Windows 2012 R2 RRAS/DHCP Server:

  • Physical LAN adapter with static IP on VPC subnet 10.150/16
  • Microsoft Loopback Adapter with static IP (10.250.0.1) on subnet 10.250.0/24
  • DHCP Server configured to provide leases in range 10.250.0.10-10.250.0.250
  • DHCP Server bound only to the loopback interface
  • RRAS configured to use Loopback adapter for DHCP/DNS/WINS
  • DHCP Relay Agent configured with both Internal and Loopback interfaces.
  • DHCP Relay Agent configured to point to 10.250.0.1
  • DHCP Relay Agent has boot threshold set to 0 seconds on both interfaces (This fixed an issue I had with the DHCP requests being rejected for some reason)

With this setup I am able to provide complete DHCP services from Windows Server to my VPN clients despite being stuck with AWS-provided DHCP in the VPC.

Note that for this to work all IP assignments must be static or the DHCP and RRAS services will not be able to see the interfaces.

I have successfully received all of the correct routes on OSX and Windows when connecting to the L2TP tunnel without any additional client-side configuration.

Let me know in the comments if there is anything missing and I will update this post.

2 Answers


As far as I'm aware, this is simply not possible within an Amazon VPC, as they use DHCP for all of their IP assignments within a VPC subnet; static IP addresses are assigned by using Elastic Network Interfaces, which work in the same way as a DHCP reservation. Amazon Support will be able to confirm this though, so I'd suggest you contact them.

Your next-best solution is to create a virtual network on the Windows box, using the Loopback Adapter. You can then create a DHCP scope on this network, and essentially dual-home the box.

To create a NIC using the loopback driver (from the link above):

Start -> Computer -> Right-click, Properties -> Device Manager -> Computer Name, Right-click, Add Legacy Hardware -> Next -> Install the hardware I manually select from a list -> Next -> Network Adapters -> Microsoft on the right, Loopback adapter on the left -> Next

Once you have two functioning networks, it should be relatively straightforward to configure your RRAS clients to receive a DHCP address from the virtual scope and route to the Internet via your Amazon VPC's default gateway.

Craig Watson
  • Create your VPC

  • Turn off DHCP on your VPC

  • Create 2 subnets: sub-myVPC-priv & sub-myVPC-pub

  • Create a network interface on sub-myVPC-pub: eni-myVPC-pubGW

  • Create another network interface on sub-myVPC-priv: eni-myVPC-privGW (IMPORTANT: turn off source/dest check)

  • Create a route on sub-myVPC-priv and point the default route to eni-myVPC-privGW (AWS will label this blackhole - fear not -- read on)

  • Provision desired number of network interfaces on the sub-myVPC-priv, use:

    # aws ec2 create-network-interface --subnet-id {sub-myVPC-priv}
    

    (Hint: 1st 2 IPs on every subnet are reserved by AWS .1=gw / .2=dns, don't use)

  • Get a list of your mac addresses and associated IP on your sub-myVPC-priv. Use:

    #  aws ec2 describe-tags --output=text | grep "<desired eni-xxxx>"
    
  • Provision your own VPN/firewall/gw/whatever on sub-myVPC-pub. Use 2 network interfaces:

    • Tie the private side to the eni-myVPC-privGW (as created above).
    • Tie the public side to the eni-myVPC-pubGW (as created above).
    • Associate an ElasticIP to join the net for eni-myVPC-pubGW
  • Configure your firewall as a DHCP server to listen on eni-myVPC-privGW. Configure a static DHCP address for every pre-allocated MAC address as probed above.

  • DISCO!

Any machine now provisioned on the sub-myVPC-priv, will automatically get assigned the correct IP address by your own firewall based on the AWS provisioned mac addresses as created by your private eni pool.

You are now in control of your network. Do whatever... IPsec/OpenVPN/L2TP. You are as close to real hardware as possible. No need to depend on AWS to provide you with network connectivity and charge you.

:-) Enjoy.... and send some pizza!

Michael Hampton
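A worked version of the "probe the MAC addresses, then configure static DHCP reservations" step of the answer above, added here as an example and not taken from the answer or from AWS: it parses a constructed sample of `aws ec2 describe-network-interfaces --output json`, keeps only the ENIs on the private subnet, rejects anything the DHCP server should never hand out, and renders one ISC dhcpd `host` stanza per ENI. The subnet IDs, MACs, addresses and the dhcpd output format are assumptions.

```python
import ipaddress
import json
import re

# Constructed sample of `aws ec2 describe-network-interfaces --output json`;
# IDs, MACs and addresses are made up, not real AWS output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0aaa1111", "SubnetId": "subnet-priv0001",
     "MacAddress": "0a:1b:2c:3d:4e:10", "PrivateIpAddress": "10.0.1.10"},
    {"NetworkInterfaceId": "eni-0aaa2222", "SubnetId": "subnet-priv0001",
     "MacAddress": "0A:1B:2C:3D:4E:11", "PrivateIpAddress": "10.0.1.11"},
    {"NetworkInterfaceId": "eni-0bbb3333", "SubnetId": "subnet-pub0001",
     "MacAddress": "0a:1b:2c:3d:4e:20", "PrivateIpAddress": "10.0.2.20"},
]})

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def eni_reservations(describe_json, subnet_id, subnet_cidr):
    """Return {mac: ip} for the ENIs in subnet_id, refusing any entry that
    would make the DHCP server lease an address AWS did not allocate."""
    net = ipaddress.ip_network(subnet_cidr)
    # .1 (gateway) and .2 (DNS) per the answer's hint: never lease these.
    reserved = {net.network_address + 1, net.network_address + 2}
    out = {}
    for eni in json.loads(describe_json)["NetworkInterfaces"]:
        if eni["SubnetId"] != subnet_id:
            continue  # ENIs on other subnets (e.g. the public one) are ignored
        mac = eni["MacAddress"].lower()
        ip = ipaddress.ip_address(eni["PrivateIpAddress"])
        if not MAC_RE.match(mac):
            raise ValueError(f"{eni['NetworkInterfaceId']}: malformed MAC {mac!r}")
        if ip not in net or ip in reserved:
            raise ValueError(f"{eni['NetworkInterfaceId']}: {ip} not usable in {net}")
        if mac in out:
            raise ValueError(f"duplicate MAC {mac}")  # two ENIs, one MAC: refuse
        out[mac] = str(ip)
    return out

def dhcpd_host_blocks(reservations):
    """Render ISC dhcpd host stanzas (one per ENI) from the {mac: ip} map."""
    ordered = sorted(reservations.items(), key=lambda kv: ipaddress.ip_address(kv[1]))
    return "\n".join(
        f"host eni{i} {{ hardware ethernet {mac}; fixed-address {ip}; }}"
        for i, (mac, ip) in enumerate(ordered))

if __name__ == "__main__":
    res = eni_reservations(SAMPLE_DESCRIBE_OUTPUT, "subnet-priv0001", "10.0.1.0/24")
    print(dhcpd_host_blocks(res))
```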