
I am trying to connect two networks (AWS and Azure) together via OpenVPN. I am aware of other implementations (OpenSwan+Azure GW etc.) but I need maximal portability as I will be expanding this to other cloud vps providers as well.

OpenVPN gateways can ping each other, and each gateway can ping all IPs on the opposing network, but computers on one network cannot ping computers on the other network (neither can they ping the opposing gateways).

What am I missing here? Seems like many are having this issue for various reasons, but after 50+ tries I gave up and decided to ask :)

Network 1:

dev tun
port 1194
ifconfig 10.8.223.40 10.8.223.41
route 10.22.1.0 255.255.255.0 vpn_gateway
comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
secret /etc/openvpn/static.key

ip route
default via 10.0.1.1 dev eth0
10.0.1.0/27 dev eth0  proto kernel  scope link  src 10.0.1.9
10.22.1.0/24 via 10.8.223.41 dev tun0
10.33.0.0/24 via 10.33.0.2 dev tun2
10.33.0.2 dev tun2  proto kernel  scope link  src 10.33.0.1
10.8.223.41 dev tun0  proto kernel  scope link  src 10.8.223.40 

Network 2:

dev tun
port 1194
remote my_ext_ip 1194
ifconfig 10.8.223.41 10.8.223.40
route 10.0.0.0 255.254.0.0 vpn_gateway
comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
secret /etc/openvpn/static.key

ip route
default via 10.22.1.1 dev eth0
10.0.0.0/15 via 10.8.223.40 dev tun0
10.22.1.0/24 dev eth0  proto kernel  scope link  src 10.22.1.9
10.8.223.40 dev tun0  proto kernel  scope link  src 10.8.223.41 

Here's what I have iptables-wise:

Both networks:

iptables -I FORWARD -i eth0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT

Network 1:

iptables -t nat -A POSTROUTING -s "10.0.0.0/15" -o "eth0" -j MASQUERADE
iptables -A FORWARD -p tcp -s 10.0.0.0/15 -d 0.0.0.0/0 -j ACCEPT
iptables -t nat -A POSTROUTING -s "10.8.223.40/32" -o "eth0" -j MASQUERADE
iptables -A FORWARD -p tcp -s 10.8.223.40/32 -d 0.0.0.0/0 -j ACCEPT

Network 2:

iptables -t nat -A POSTROUTING -s "10.22.1.0/24" -o "eth0" -j MASQUERADE
iptables -A FORWARD -p tcp -s 10.22.1.0/24 -d 0.0.0.0/0 -j ACCEPT
iptables -t nat -A POSTROUTING -s "10.8.223.41/32" -o "eth0" -j MASQUERADE
iptables -A FORWARD -p tcp -s 10.8.223.41/32 -d 0.0.0.0/0 -j ACCEPT

My assumption was (since I have separate gateways for internet access) that I now have to add routes to each non-gateway computer on both networks that will route packets destined for the opposite network via the local OpenVPN gateway.

I did that for machine 10.0.1.7:

ip route add 10.22.1.0/24 via 10.0.1.9

So now I have:

default via 10.0.1.1 dev eth0
10.0.1.0/27 dev eth0  proto kernel  scope link  src 10.0.1.7
10.22.1.0/24 via 10.0.1.9 dev eth0
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.42.1

but traceroute to 10.22.1.9 (opposing gateway) still doesn't go anywhere...

P.S. Most of my machines are in Docker, but I get the same results from the host machine as well.

Any help would be highly appreciated!
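An added example, not part of the question above: a small Python walk over the route tables as posted (the entries are constructed from the `ip route` output in the question; `client2` at 10.22.1.5 is a hypothetical network 2 host that has not been given a return route, and the `forwarding` flags stand in for net.ipv4.ip_forward on each gateway). It shows that the posted routes do form a path in both directions when the gateways forward, so a drop has to come from a hop that refuses to forward or filters, or from a host that lacks its static route.

```python
import ipaddress

# Constructed from the question's `ip route` output: each node's table as
# (prefix, next hop), with next hop None for a directly connected prefix.
TABLES = {
    "client1": [("0.0.0.0/0", "10.0.1.1"), ("10.0.1.0/27", None), ("10.22.1.0/24", "10.0.1.9")],
    "gw1":     [("0.0.0.0/0", "10.0.1.1"), ("10.0.1.0/27", None), ("10.22.1.0/24", "10.8.223.41")],
    "gw2":     [("0.0.0.0/0", "10.22.1.1"), ("10.22.1.0/24", None), ("10.0.0.0/15", "10.8.223.40")],
    # Hypothetical network 2 host that was NOT given a route back via gw2.
    "client2": [("0.0.0.0/0", "10.22.1.1"), ("10.22.1.0/24", None)],
}
# Which node owns which address (LAN side and tunnel end), so next hops resolve to nodes.
OWNER = {"10.0.1.7": "client1", "10.0.1.9": "gw1", "10.8.223.40": "gw1",
         "10.22.1.9": "gw2", "10.8.223.41": "gw2", "10.22.1.5": "client2"}

def lookup(table, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, nh = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), nh

def trace(src, dst, forwarding):
    """Walk a packet from src to dst through the node tables.

    forwarding maps node -> True if that node forwards (ip_forward=1).
    Returns (hops, verdict); the source host itself never needs to forward.
    """
    node, hops = OWNER[src], [OWNER[src]]
    while True:
        if OWNER.get(dst) == node:
            return hops, "delivered"
        if node != hops[0] and not forwarding.get(node, False):
            return hops, f"dropped: {node} does not forward (ip_forward=0)"
        route = lookup(TABLES[node], dst)
        if route is None:
            return hops, f"dropped: {node} has no route to {dst}"
        prefix, nh = route
        if nh is None:                       # directly connected: deliver on the LAN
            if dst in OWNER:
                hops.append(OWNER[dst])
                return hops, "delivered"
            return hops, f"on-link delivery from {node} via {prefix}"
        if nh not in OWNER:                  # default gateway, not a VPN node
            return hops, f"leaves {node} via {nh} ({prefix}); never enters the tunnel"
        node = OWNER[nh]
        hops.append(node)

if __name__ == "__main__":
    fwd = {"gw1": True, "gw2": True}
    for s, d in [("10.0.1.7", "10.22.1.9"), ("10.22.1.9", "10.0.1.7"), ("10.22.1.5", "10.0.1.7")]:
        print(s, "->", d, *trace(s, d, fwd))
```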
