2

I am trying to connect the VPN client to VPC different than VPN server belongs to. That's my setup: Network diagram

However I can't manage the VPN client 10.8.0.6 to be able to reach the instance in the non-VPN VPC 10.24.0.249.

Description of my diagram:

There are 2 VPCs. The VPN Server is just in one of the VPCs. Between VPCs there is a Peering Connection (PXC). There are routes added to the VPCs route tables, so they know they should push traffic over PXC. On the non-VPN VPC, using the Security Groups, the instance allowed incoming traffic from the VPN VPC subnet and the VPN Client subnet.

The OpenVPN server pushes the routes to the client:

 push "route 10.26.0.0 255.255.255.0"
 push "route 10.24.0.0 255.255.255.0"

VPN Client 10.8.0.6 can contact any node in the VPN VPC including the VPN server 10.26.0.81.
VPN server 10.26.0.81 can contact any node in the non-VPN VPC e.g 10.24.0.249.

When you look at it separately it works, but the VPN client for some reason can't reach the remote instance in the non-VPN VPC.

Any ideas what shall I check?

Tom Raganowicz
  • 183
  • 1
  • 1
  • 9
  • I've actually gotten this to work. If you're still wanting a solution for this, I'll need to see your route tables for both VPCs. – Stuporman Apr 04 '18 at 17:44

1 Answers1

1

This is a designed-in limitation:

If either VPC in a peering relationship has one of the following connections, you cannot extend the peering relationship to that connection:

  • A VPN connection or an AWS Direct Connect connection to a corporate network

http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/invalid-peering-configurations.html

Consider these questions:

  • In the VPC with the VPN connection, which routing table is responsible for the routing decisions for traffic received from the peering connection, so that the traffic from the peered VPC can return over the VPN connection?

  • In the VPC with the VPN connection, which routing table is responsible for the routing decisions for traffic received over the VPN, so that traffic from the VPN can be sent to the peered VPC?

Actually, those are trick questions.

No routing table applies to the traffic received from a VPN connection or received over a peering connection. Traffic from those sources can only reach instances in your VPC's supernet CIDR block. The routing of inbound traffic is implicit and not configurable. The route tables in VPCs only apply to traffic originated by the instances on the subnets in the VPC. The default route table is merely the route table that applies to any subnet without its own route table assignment -- that is the only sense in which it is a "default" route table.

Only things with elastic network interfaces -- instances, essentially -- in the other VPC are accessible across a peering connection. Nothing external or external-facing can be accessed across a connection, including VPN, Direct Connect, NAT Gateway, Internet Gateway, or VPC Endpoint (available, as of this writing, only for S3).

Michael - sqlbot
  • 22,658
  • 2
  • 63
  • 86
  • Thank you, what solution would you recommend to connect client to multiple VPC? I would like to avoid setting up EC2 instance with the OpenVPN in each VPC, but I can't see any better solution yet. I've considered setting up the Customer and Virtual Private Gateways in each VPC, but it does require public IP or Port Forwarding on the Customer Gateway (the client) side, which is not always met. – Tom Raganowicz Jul 01 '16 at 06:50
  • Is this also the case with Transit Gateways? – scape Aug 12 '20 at 19:44