3

I followed this guide to setup a VPN on a Windows Server 2016 instance in EC2 with only a single network interface and an assigned Elastic IP. I was able to connect my macOS to the VPN successfully using L2TP/IPSEC and get an IP address within th static range as set in the VPN server. The IP address given is within the subnet range where the VPN server resides. But, I could not ping any resources in the VPC including the addresses of the VPN server.

To make it more clear, here is a sample of the IP addresses after the VPN is connected:

  • VPC CIDR: 172.31.0.0/16
  • AZ subnet range: 172.31.0.0/24
  • VPN Server internal IP: 172.31.0.10
  • macOS IP in the VPN: 172.31.0.20

The macOS is also set to route all traffic through the VPN.

In order to isolate the issue, I have temporarily disabled the server firewalls and allowed all traffic through the security group to the VPN server but still could not ping or connect to any resources inside the VPC. I have also disabled the source/destination check on the EC2 instance to no avail.

I need to have road warriors using Windows and Macs to access resources inside the VPC using a secure VPN. We decided to use Windows Server VPN so it's easier to authenticate against Active Directory.

I am not sure what I am doing wrong. Can anyone give me direction on what I can check next? Thanks in advance!

Carlo Miguel Cruz
  • 431
  • 4
  • 12
  • *"get a local address inside the VPC"* I suspect you have made an assumption about how addresses in the VPC supernet can be used, an assumption that doesn't hold. Define "local address" as related to the subnets in the VPC, please. How did you obtain/establish these? – Michael - sqlbot Jul 30 '17 at 18:28
  • Thank you for pointing this out. The address assigned by the VPN server to connecting clients is within the subnet range of the availability zone where the VPN server resides. I have edited the question to make it clearer. – Carlo Miguel Cruz Jul 31 '17 at 01:31
  • Michael, should the IP addresses given by the VPN server to clients be within a network outside the VPC address range? I found another [guide](http://blog.ecloudgate.com/how-to-setup-rras-sstp-vpn-on-aws-vpc-with-active-directory-authentication-step-by-step-part-6/) that, from what I understand, is the point you are trying to provide. I feel that you have the answer to my problem. – Carlo Miguel Cruz Jul 31 '17 at 01:37

1 Answers1

4

Finally found the correct steps on how to create a VPN on Windows Server 2016 in AWS. Once connected, the client is able to access resources within the VPC and still access the Internet. Here's the complete list of steps on how it was done for those interested.

  1. Setup the instance and needed interfaces:

    • Spin up a Windows Server 2016 instance in EC2 with 1 network interface with a public IP.
    • Disable Source/Destination checks on the instance. Ensure that the security group allows RDP from your IP address to the server.
    • Connect to the instance and create a loopback adapted to act as a second network interface by following this serverfault answer.
    • Allow the following UDP ports in the security group of the server: 500,4500,1701
    • Allow the ESP protocol in the security group of the server.

  2. Setup Routing and Remote Access Server:

    • Follow this guide to setup RRAS until Step 9. Include Routing along with the VPN.
    • On the configuration step, select Remote access (dial-up or VPN).
    • Put a check on VPN then click Next.
    • Select the network interface connected to the Internet. This would be the AWS PV Network Device. Uncheck the Enable security feature since it will block your RDP access. Block RDP later using the security group.
    • On the IP Address Assignment, select From a specified range of addresses.
    • Set a static IP range to be given to connecting clients. The first IP in the range will be assigned to the VPN server to act as gateway address. In my case, I just used 192.168.100.1-192.168.100.254.
    • Radius Server? No. Then click Finish. You might lose connectivity from the server for a few minutes.

  3. Setup L2TP:

    • Right-click on the server name then click Properties.
    • Click on the security tab.
    • Put a check on Allow custom IPSEC policy then set the Pre-Shared Key.
    • Click OK to save the settings.
    • Right-click on the server name. Select All tasks then click Restart.

  4. Setup NAT to allow clients to access the AWS resources and Internet:

    • While still in the RRAS management tool, click on IPv4 on the left panel then right-click on General.
    • Click New Routing Protocol then select NAT. Click OK.
    • Right-click on NAT then click New Interface.
    • Select the Ethernet port connected to the Internet (in my case, Ethernet 2). Select Public interface connected to the Internet. Put a check on Enable NAT. Click OK.
    • Right-click again on NAT then click New Interface.
    • Select the Ethernet port connect to the loopback interface (in my case, Ethernet). Select Private interface connected to private network. Click OK.

  5. Connect using a L2TP compatible client.

Carlo Miguel Cruz
  • 431
  • 4
  • 12