
I have multiple AWS VPC networks and want to connect them in the following configuration using OpenVPN:

+---------+             +---------+
| vpc1    |             | vpc2    |
+---------+             +---------+
           \           /
            +---------+
            | vpc0    |
            +---------+
                 |
            +---------+
            | local   |
            +---------+

and below are the details of each VPC:

+------+---------+---------+
| VPC  | subnet  | region  |
+------+---------+---------+
| vpc0 | 10.0/16 | region0 |
| vpc1 | 10.1/16 | region1 |
| vpc2 | 10.2/16 | region0 |
+------+---------+---------+

I am able to connect to all the instances in vpc0 using a simple OpenVPN configuration and, vpc2 being in the same region, I was able to set up VPC peering with vpc0 and connect to the instances in vpc2. However, I am not able to access the instances in vpc1.

My OpenVPN server.conf in vpc0 looks like this:

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
mode server
topology subnet
tls-server

push "route 10.0.0.0 255.255.0.0"
push "route 10.1.0.0 255.255.0.0"
push "route 10.2.0.0 255.255.0.0"
route 10.1.0.0 255.255.0.0

keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0

Client configuration for vpc1 in /etc/openvpn/ccd:

ifconfig-push 10.8.0.1 255.255.255.0
push "route 10.0.0.0 255.255.0.0"
iroute 10.1.0.0 255.255.0.0

Route table in vpc0:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.0.0.1        0.0.0.0         UG        0 0          0 eth0
10.0.0.0        *               255.255.240.0   U         0 0          0 eth0
10.1.0.0        10.8.0.2        255.255.0.0     UG        0 0          0 tun0
10.8.0.0        *               255.255.255.0   U         0 0          0 tun0

To connect from vpc1, I created a client certificate and config as vpc1.ovpn and then simply started a process on the vpc1 machine with `openvpn --config vpc1.ovpn`. After starting this process I am able to reach any machine in vpc0 and vpc2 from vpc1, but I am not able to reach the vpc1 instances from a vpc0 machine or any other instance. The route table on the vpc1 machine is:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.1.0.1        0.0.0.0         UG        0 0          0 eth0
10.0.0.0        10.8.0.1        255.255.0.0     UG        0 0          0 tun0
10.1.0.0        *               255.255.240.0   U         0 0          0 eth0
10.2.0.0        10.8.0.1        255.255.0.0     UG        0 0          0 tun0
10.8.0.0        *               255.255.255.0   U         0 0          0 tun0

P.S. I had followed this for setup.

Sar009
  • There was a small mistake at my end: the file name in `ccd/` should be the same as the `client name`; the client name can also be found in `openvpn-status.log` once the client connects. The second mistake was `ifconfig-push 10.8.0.1 255.255.255.0` in the config file, which should have been `ifconfig-push 10.8.0.2 255.255.255.0`. – Sar009 Jan 13 '18 at 12:13
  • Do you have the routes set up and a peering with VPC 1? Check the routes in vpc 1 to vpc 0 and vice versa from vpc 0 to 1. https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-full-access.html#one-to-many-vpcs-full-access – strongjz Jan 13 '18 at 22:03
  • Also, this might help: https://aws.amazon.com/articles/connecting-multiple-vpcs-with-ec2-instances-ipsec/ – strongjz Jan 13 '18 at 22:04
  • It depends on the regions as well: Inter-Region VPC Peering is available in AWS US East (N. Virginia), US East (Ohio), US West (Oregon) and EU (Ireland), with support for other regions coming soon. https://aws.amazon.com/about-aws/whats-new/2017/11/announcing-support-for-inter-region-vpc-peering/ – strongjz Jan 13 '18 at 22:07
  • @strongjz 1. Yeah, routes were set up. 2. That is a bit ugly, as you need to have a different server for each VPC and each instance runs on a different port. 3. I am aware of that. As mentioned, I had an issue connecting two VPCs over OpenVPN. – Sar009 Jan 14 '18 at 04:35
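The two mistakes the poster identifies in the comments (the `ccd/` file name must equal the client's certificate CN, and `ifconfig-push` must not hand the client the server's own tunnel address) plus the `route`/`iroute` pairing that the posted server.conf depends on can all be checked mechanically before bringing a site-to-site client up. The script below is an added example, not code from the question or from OpenVPN: it lints a server.conf, a `ccd/` directory and a version-1 `openvpn-status.log`, all constructed inline here from the values in the question. The client CN `vpc1-client` in the status log is made up so that it differs from the ccd file name `vpc1`, which reproduces the first mistake; the `ifconfig-push 10.8.0.1` line reproduces the second.

```python
"""Lint an OpenVPN site-to-site setup: server.conf, the ccd/ directory and the
status log.  Added example with constructed inputs, not the poster's real files."""
import ipaddress
import shlex

# Constructed server.conf, reduced to the directives the checks need
# (values taken from the question).
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
topology subnet
client-config-dir ccd
push "route 10.0.0.0 255.255.0.0"
push "route 10.1.0.0 255.255.0.0"
push "route 10.2.0.0 255.255.0.0"
route 10.1.0.0 255.255.0.0
"""

# Constructed ccd/ directory as {file name: contents}, as in the question.
CCD_FILES = {
    "vpc1": (
        "ifconfig-push 10.8.0.1 255.255.255.0\n"
        'push "route 10.0.0.0 255.255.0.0"\n'
        "iroute 10.1.0.0 255.255.0.0\n"
    ),
}

# Constructed version-1 openvpn-status.log; the CN 'vpc1-client' is made up
# so that it differs from the ccd file name.
STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Sat Jan 13 12:00:00 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
vpc1-client,203.0.113.10:41234,12345,54321,Sat Jan 13 11:59:00 2018
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
END
"""


def parse_directives(text):
    """Return [(directive, [args...])] for an OpenVPN config, skipping blank
    lines and '#'/';' comments; shlex keeps the quoted argument of push whole."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            out.append((parts[0], parts[1:]))
    return out


def net(addr, mask):
    """Build a network from OpenVPN's 'address netmask' argument pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def status_common_names(log):
    """Common names listed in the CLIENT LIST block of a version-1 status log."""
    names, in_clients = set(), False
    for line in log.splitlines():
        if line.startswith("Common Name,"):
            in_clients = True
        elif line.startswith("ROUTING TABLE"):
            break
        elif in_clients and "," in line:
            names.add(line.split(",", 1)[0])
    return names


def lint(server_conf, ccd_files, status_log):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    conf = parse_directives(server_conf)
    pools = [net(a[0], a[1]) for n, a in conf if n == "server" and len(a) >= 2]
    if not pools:
        return ["server.conf: no 'server NET MASK' directive found"]
    pool = pools[0]
    server_addr = next(pool.hosts())  # first usable host is the server's tun address
    server_routes = {net(a[0], a[1]) for n, a in conf if n == "route" and len(a) >= 2}

    connected = status_common_names(status_log)
    iroutes = set()
    for fname, text in ccd_files.items():
        if fname not in connected:
            findings.append(f"ccd/{fname}: no connected client has CN '{fname}' "
                            f"(connected: {', '.join(sorted(connected)) or 'none'}); "
                            "ccd files are matched by certificate CN")
        for name, args in parse_directives(text):
            if name == "ifconfig-push" and args:
                addr = ipaddress.ip_address(args[0])
                if addr == server_addr:
                    findings.append(f"ccd/{fname}: ifconfig-push {addr} is the server's own tun address")
                elif addr not in pool:
                    findings.append(f"ccd/{fname}: ifconfig-push {addr} is outside the pool {pool}")
            elif name == "iroute" and len(args) >= 2:
                n = net(args[0], args[1])
                iroutes.add(n)
                if n not in server_routes:
                    findings.append(f"ccd/{fname}: iroute {n} has no matching 'route' in server.conf, "
                                    "so the server kernel never sends that traffic into the tunnel")
    for r in sorted(server_routes - iroutes, key=str):
        findings.append(f"server.conf: route {r} has no iroute in any ccd file, "
                        "so OpenVPN cannot tell which client owns that subnet")
    return findings


if __name__ == "__main__":
    for finding in lint(SERVER_CONF, CCD_FILES, STATUS_LOG) or ["no findings"]:
        print(finding)
```

On the question's values this reports exactly the two problems the poster later found: the ccd entry is never applied because no connected CN is `vpc1`, and the client is handed `10.8.0.1`, which in `topology subnet` is the server's own address. Renaming the ccd file to the real CN and pushing `10.8.0.2` clears both findings. The checks are host-side only: whether other vpc0 instances can reach 10.1.0.0/16 also depends on the vpc0 VPC route table sending that prefix to the OpenVPN instance and on that instance's source/destination check being disabled, which is the part strongjz's comment about routes points at.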

0 Answers