
Working on an IoT type of thing, I want to connect some devices "in the wild" to servers in AWS through OpenVPN on an EC2 instance.

So far I have been able to set up an EC2 instance configured as an OpenVPN server, and I have the client devices connecting to the VPN successfully. This was all set up using this guide - https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6

The OpenVPN clients are getting 10.8.0.x IPs and can talk to each other via those IPs. I can also talk to these IPs from the OpenVPN server itself. So far so good.

I also have other EC2 instances on AWS, in the same VPC and subnet as the OpenVPN server. These instances cannot currently reach the OpenVPN clients via their 10.8.0.x IP. The OpenVPN clients can reach the instances by their private subnet IPs (10.101.x.x), but they represent themselves only with the IP address of the OpenVPN server.

What do I need to do to:

A. Enable the EC2 instances to send messages to individual OpenVPN client devices (probably via their OpenVPN addresses, but other options are welcome).

B. Let the EC2 instances see the origin IP addresses of the clients rather than just the server's IP, when they send messages to the server. -- This is secondary, really, as the clients would identify themselves in their requests.

Edit

Devices are in distinct geographical locations and not on a common LAN, each connecting via 3G/4G. Each device needs to send messages to all the EC2 instances, and each EC2 instance needs to send messages to some of the devices.

            /- AWS VPC & public subnet ----------------\
            |                                          |
deviceA ----+-\                       /-- ec2_A        |
10.8.0.a    | |                       |   10.101.0.a   |
_______     | >- OpenVPN server ------<                |
            | |  10.8.0.1 / 10.101.0.x |               |
deviceB ----+-/                       \-- ec2_B        |
10.8.0.b    |                             10.101.0.b   |
            \------------------------------------------/
davur

1 Answer


A. Enable the EC2 instances to send messages to individual OpenVPN client devices (probably via their OpenVPN addresses, but other options are welcome).

I am not quite sure what your idea is here. First of all, you need to allow communications within your network in AWS. If 10.101.x.x are the instances' private subnet IPs, what is 10.10.0.x?

Also, what are the routes configured in your EC2 instances? ip route will tell you. They need to know who to contact (your OpenVPN server in this case) to reach the clients (10.8.0.x): ip route add 10.8.0.0/24 via $vpn_ip (with $vpn_ip the "known" IP of the OpenVPN server for the EC2 instances, 10.10.0.?).

If the EC2 instances need to be able to initiate connections with specific users, they need to be aware of these users (e.g. who has which IP), otherwise the users need to start the connection.

B. Let the EC2 instances see the origin IP addresses of the clients rather than just the server's IP, when they send messages to the server. -- This is secondary, really, as the clients would identify themselves in their requests.

The EC2 instances would see your users' inner IP addresses (10.8.0.x) and associate them with users (certificates) via ipp.txt (status file) on the OpenVPN server or by knowing the static IPs.

You could use client-config-dir in OpenVPN's server config to specify user-specific directives (static IPs, for instance, that your EC2 instances know), but that would probably be a bad solution if you had many clients.

Bamse
  • Fixed confusing error in graphic, 10.10.x.x and 10.101.x.x were both made up on the spot, should have at least used the same made up subnet for consistency. To be clear, 10.8.x.x is the OpenVPN default VPN, and 10.101.x.x is made up, but represents the subnet in the AWS VPC – davur Apr 21 '16 at 07:51
  • Should these routes be set up in the OS realm, or could it be done via an AWS "Route Table"? I have tried adding a rule to the Subnet Route Table with Destination 10.8.0.0/24 and Target {OpenVPN Network Interface ID}. As for your note on B, devices will be registered in an interface so discovery isn't an issue. – davur Apr 21 '16 at 08:00
  • What exactly do you mean by "but they represent themselves only with the IP address of the OpenVPN server."? Because, if your clients can contact your EC2 instances but not the other way around, it can be for several reasons to me: clients are 'hidden' (as with dynamic NAT) under the OpenVPN server, or a firewall issue. – Bamse Apr 21 '16 at 08:03
  • I mean, I have tried SSHing from a deviceA into EC2_B and the EC2_B's SSH log shows the connection coming from the OpenVPN server's IP address. – davur Apr 21 '16 at 08:10
  • I am new to configuring OpenVPN's and it is entirely possible it is configured as a dynamic NAT (you may be able to tell from the instructions in the linked tutorial). How would I check this / what should I change to get around this? – davur Apr 21 '16 at 08:11
  • I got us confused, sorry! OpenVPN NATs your clients (at least in routing mode) so EC2s can answer packets from the clients but cannot contact them (as they are behind OpenVPN's NAT). I will come back to you later with what I get. – Bamse Apr 21 '16 at 08:21
  • You might want to disable NAT on OpenVPN (which means your clients will be known on the rest of your private net VPC and that will allow your EC2 to contact them). That should solve your 2 questions. Here is a link : http://superuser.com/questions/974327/disable-nat-in-openvpn with the ideas. – Bamse Apr 21 '16 at 08:35
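The answer and the comment thread above touch on four separate pieces: spotting the MASQUERADE rule that makes every client appear as the server's IP, mapping a client certificate CN to its 10.8.0.x address via ipp.txt, pinning a client address with client-config-dir, and the route each EC2 instance needs. The script below is an added example, not code from the question, the answer or the linked guide. It assumes the server runs OpenVPN's default "topology net30" (as the CentOS 6 guide does), the default 10.8.0.0/24 pool, and a constructed private address of 10.101.0.1 for the OpenVPN server; the iptables output and the ipp.txt contents are constructed sample data so the checks run without root.

```bash
#!/usr/bin/env bash
# Added example for the OpenVPN-on-EC2 setup discussed above (not the page's own code).
# Addresses below are constructed from the diagram in the question.

VPN_NET="10.8.0.0/24"
VPN_SERVER_PRIVATE_IP="10.101.0.1"   # assumption: OpenVPN server's VPC address

# 1. Is the server still hiding VPN clients behind its own address?
#    Takes the text of `iptables -t nat -S POSTROUTING` as an argument so it can
#    be run against captured output. Prints the rule; returns 0 if one is found.
find_masquerade_rule() {
    printf '%s\n' "$1" | grep -E -- "-s 10\.8\.0\.0/24 .*-j MASQUERADE"
}

# 2. Map a client certificate CN to its VPN address from ipp.txt ("CN,IP" lines).
#    Returns 1 when the CN has never been assigned an address.
vpn_ip_for_cn() {
    local cn=$1 ipp=$2
    printf '%s\n' "$ipp" | awk -F, -v cn="$cn" '$1 == cn { print $2; found = 1 }
                                                END { exit !found }'
}

# 3. client-config-dir line that pins a client to a fixed address. With net30 each
#    client owns a /30: the client IP is 4k+2 and its server-side peer is 4k+1.
#    The first /30 (10.8.0.0-3) belongs to the server's own tun endpoint, so the
#    lowest valid client address is .6.
ccd_line() {
    local ip=$1 last
    last=${ip##*.}
    if [ "$last" -lt 6 ] || [ $(( last % 4 )) -ne 2 ]; then
        echo "error: $ip is not a usable net30 client address" >&2
        return 1
    fi
    echo "ifconfig-push $ip ${ip%.*}.$(( last - 1 ))"
}

# 4. The route every EC2 instance needs so that 10.8.0.x traffic is handed to
#    the OpenVPN server instead of the VPC's default gateway.
ec2_route_cmd() {
    echo "ip route add $VPN_NET via $VPN_SERVER_PRIVATE_IP"
}

# --- constructed sample inputs -------------------------------------------------
NAT_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'
IPP='deviceA,10.8.0.6
deviceB,10.8.0.10'

if rule=$(find_masquerade_rule "$NAT_RULES"); then
    echo "clients are NATed by: $rule"
    # The same rule spec with -D instead of -A removes it from the live table.
    echo "remove with: iptables -t nat -D ${rule#-A }"
fi
echo "deviceB is reachable at $(vpn_ip_for_cn deviceB "$IPP")"
echo "ccd/deviceB contains: $(ccd_line 10.8.0.10)"
echo "on each EC2 instance run: $(ec2_route_cmd)"
```

Two caveats once the MASQUERADE rule is gone: the OpenVPN instance is now forwarding between subnets, and AWS silently drops such traffic unless source/destination checking is disabled on that instance's network interface (the VPC route-table entry mentioned in the comments needs the same change). And because every client becomes directly addressable from the whole VPC, restrict what it can reach with FORWARD rules on the server and the EC2 security groups rather than relying on NAT as an accidental firewall.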