Setup

I have an OpenVPN server working well in AWS. Everyone on my team can use it to reach any of the servers in AWS.

Need

Now I have a new need. Now servers in AWS need to be able to reach one (but all would be fine) of the machines that connected via VPN. From the VPN server itself, I can reach the machine (which is a router) and all the machines it can see on its network. However, none of the other servers in AWS can.

Questions

Where is the correct place to advertise (to machines in the datacenter) that requests for 10.10.10.0/16 (remote VPN connected site) should be routed through my VPN server?

Which interface on the VPN server address do I use?

Details

  • AWS VPC CIDR: 172.31.0.0/16
    • openvpn.conf: push "route 172.31.0.0 255.255.0.0"
  • OpenVPN Server IP: 172.31.17.151
  • OpenVPN Server client CIDR: 172.141.0.0/17
    • openvpn.conf: server 172.141.0.0 255.255.128.0
  • Client to be reached: 10.10.10.1
    • openvpn.conf: route 10.10.10.0 255.255.255.0
    • openvpn.conf: push "route 10.10.10.0 255.255.255.0"
    • ccd/commonname: ifconfig-push 10.10.10.1 10.10.10.2
    • ccd/commonname: iroute 10.10.10.0 255.255.255.0
  • Client peer to be reached: 10.10.10.101

OpenVPN ifconfig:

eth0      Link encap:Ethernet  HWaddr 06:52:B7:00:71:F9
          inet addr:172.31.17.151  Bcast:172.31.17.255  Mask:255.255.255.0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.141.0.1  P-t-P:172.141.0.2  Mask:255.255.255.255

OpenVPN iptables:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1194
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     all  --  172.31.0.0/16        0.0.0.0/0
3    ACCEPT     tcp  --  172.127.0.0/20       172.31.6.110        tcp dpt:22
4    REJECT     tcp  --  172.127.0.0/20       0.0.0.0/0           tcp dpt:22 reject-with icmp-host-prohibited
5    ACCEPT     all  --  172.127.0.0/20       0.0.0.0/0
6    ACCEPT     tcp  --  172.141.0.0/17       172.31.6.110        tcp dpt:22
7    REJECT     tcp  --  172.141.0.0/17       0.0.0.0/0           tcp dpt:22 reject-with icmp-host-prohibited
8    ACCEPT     all  --  172.141.0.0/17       0.0.0.0/0
9    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
Bruno Bronosky

1 Answer

The correct place to advertise the VPN routing to other machines in AWS is in the subnet routing table.

To do so:

  • VPC > Subnets > [subnet to give access] > Route Table > [route table name]
  • Routes > Edit > Add another route
    • Destination: 10.10.10.0/24 (matches "route 10.10.10.0 255.255.255.0")
    • Target: eni-a1b2c3d4 (id of the network interface associated with 172.31.17.151)

You must also change the "Source/Dest. Check" of the network interface.

To do so:

  • EC2 > Network Interfaces > [interface associated with VPN internal IP]
  • Actions > Change Source/Dest. Check
    • Source/dest. check: Disabled

What did not work was adding the route to a single machine.

I expected that I could get the same effect, but on a single machine, by doing:

sudo ip addr add 172.31.17.151 dev eth0
sudo ip route add 10.10.10.0/24 via 172.31.17.151 dev eth0

That did not work for me. I would love to know why.

Bruno Bronosky
    *"That did not work for me. I would love to know why."* Because that's not how it works. :) The VPC network looks like Ethernet, but it isn't. The default gateway looks like a router, but it isn't. ARP is-at replies seem to be responses from the remote node, but they aren't. It's a virtual network, so it (the network) has to know, via its own route tables, how to deliver the traffic. These are side effects of how they created a massive IP network infrastructure that scales up seamlessly without stranding underutilized capacity or requiring capacity rearrangement or reallocation. – Michael - sqlbot May 27 '17 at 16:52
  • I spent half a day figuring out why the traffic wouldn't route between my VPN server and the VPC, and it turned out to be the src/dst check problem. Thanks! – UltimaWeapon Dec 24 '20 at 07:26
  • Glad it helped. Maybe you should upvote the answer to make it easier to find. I forgot about posting this and was directed here by Google just 3 weeks ago. That's why I use SO/SE! – Bruno Bronosky Dec 24 '20 at 18:20
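The two console steps from the answer (a subnet route-table entry for the remote site pointing at the VPN server's network interface, and Source/Dest. Check disabled on that interface), as an added AWS CLI example that is not part of the original post. It also derives the route CIDR from the openvpn.conf "route" line; the subnet id and the PLACEHOLDER ids are assumptions, and with the default DRY_RUN=1 it only prints the AWS calls it would make.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes the AWS CLI is configured with rights
# for ec2:Describe*, ec2:CreateRoute and ec2:ModifyNetworkInterfaceAttribute; SUBNET_ID is assumed.
set -e
VPN_PRIVATE_IP="172.31.17.151"                 # VPN server's private IP from the question
SUBNET_ID="${SUBNET_ID:-subnet-PLACEHOLDER}"   # subnet whose hosts must reach the remote site
DRY_RUN="${DRY_RUN:-1}"                        # DRY_RUN=0 actually calls AWS

# Dotted-quad netmask to prefix length (255.255.255.0 -> 24); rejects non-contiguous masks.
mask_to_prefix() {
  bits=0
  for octet in $(printf '%s' "$1" | tr '.' ' '); do
    case "$octet" in
      255) bits=$((bits + 8)) ;; 254) bits=$((bits + 7)) ;;
      252) bits=$((bits + 6)) ;; 248) bits=$((bits + 5)) ;;
      240) bits=$((bits + 4)) ;; 224) bits=$((bits + 3)) ;;
      192) bits=$((bits + 2)) ;; 128) bits=$((bits + 1)) ;;
      0) ;; *) echo "bad netmask: $1" >&2; return 1 ;;
    esac
  done
  echo "$bits"
}

# Turn an openvpn.conf "route NETWORK NETMASK" line into the CIDR the VPC route table wants.
openvpn_route_to_cidr() {
  set -- $1                                    # $1=route $2=network $3=netmask
  [ "$1" = "route" ] || { echo "not a route line" >&2; return 1; }
  prefix=$(mask_to_prefix "$3") || return 1
  echo "$2/$prefix"
}

run() { if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi; }

main() {
  cidr=$(openvpn_route_to_cidr "route 10.10.10.0 255.255.255.0")
  if [ "$DRY_RUN" = "1" ]; then
    eni="eni-PLACEHOLDER"; rtb="rtb-PLACEHOLDER"   # no AWS lookups in dry-run mode
  else
    eni=$(aws ec2 describe-network-interfaces \
      --filters "Name=addresses.private-ip-address,Values=$VPN_PRIVATE_IP" \
      --query 'NetworkInterfaces[0].NetworkInterfaceId' --output text)
    rtb=$(aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=$SUBNET_ID" \
      --query 'RouteTables[0].RouteTableId' --output text)
  fi
  # 1. Subnet route table: send the remote site's CIDR to the VPN server's interface.
  run aws ec2 create-route --route-table-id "$rtb" --destination-cidr-block "$cidr" --network-interface-id "$eni"
  # 2. Let that interface forward traffic it neither originated nor is addressed to.
  run aws ec2 modify-network-interface-attribute --network-interface-id "$eni" --no-source-dest-check
}
main
```

Run it once with DRY_RUN=0 per subnet that needs the route; re-running create-route for an existing destination fails rather than duplicating the entry.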