
I have set up a Transit Gateway and a Site-to-Site VPN connection from our on-prem to our AWS accounts. It is working like a charm.

We have remote users working at home who need a remote connection to our infrastructure. So I set up an OpenVPN Server in one account, and OpenVPN Clients in the others, plus nomad users.

Now I was wondering if it is possible to use the OpenVPN Server with the Transit Gateway. This is to avoid having multiple OpenVPN Clients, one in each account.

Update

There is one account (infra) which is only setup to host a Site-to-Site VPN from AWS to on-prem and a Transit Gateway (automatic sharing is activated). In this account, the VPC is already linked to the Transit Gateway, so maybe it's already like a "shared" account/VPC.

Update 2

The OpenVPN server is in a VPC, in the same account as the transit gateway. I:

  • added a transit gateway route for 10.0.9.0/24 -> VPC
  • added another account's CIDR to the TGW route table
  • added a VPC route for 10.0.9.0/24 -> OpenVPN ENI
  • added a route in a second account for 10.0.9.0/24 -> TGW

Am I missing something? It's not working.

Kaymaz
  • If OpenVPN is server based then it needs to be in a VPC, and Transit Gateway runs as an account level service. You might be able to put OpenVPN in a shared services VPC and then let it route to all accounts over a transit gateway, but that may give users access to the VPC it's in - it may need its own VPC. Suggest you give it a go with OpenVPN in its own VPC and routing via your transit gateway. Once you have, perhaps update your question or provide an answer. Also unsure what a "nomade user" is in your question. – Tim Oct 21 '19 at 20:36
  • I have edited my question. – Kaymaz Oct 22 '19 at 08:57
  • I've changed "nomade" to "remote users working at home". When you've tried what I suggested above please edit your question. The way most organisations I've been in do this is users VPN from home into the corporate LAN, and then from the LAN they get access to AWS. This means the IP blocks that are put in place in AWS for security allow the users to access AWS resources. – Tim Oct 22 '19 at 18:09
  • @Tim I edited the question with the setup you proposed. – Kaymaz Nov 01 '19 at 09:26
  • Can you validate that an instance in the same VPN as the OpenVPN server can ping an instance in another VPC? That confirms the transit gateway is working. Once you've confirmed that you'll have to look at routing, maybe using VPC flow logs. AWS VPCs aren't transitive; off the top of my head the only way to typically enable that is to use an AWS VPN or a router appliance with source / destination check turned off. This isn't a trivial thing you're trying to do, and the information you're giving us is fairly limited. – Tim Nov 02 '19 at 06:34

1 Answer


I now have it working. I use Pritunl rather than pure OpenVPN.

  • My VPN server has a single NAT route to 0.0.0.0/0
  • VPC1 (172.31.0.0/16) - Transit gateway and my VPN server
  • VPC2 (172.42.0.0/16) - Another VPC attached to the transit gateway
  • Both VPCs are already attached to the TG

In each VPC add a route in your subnet route tables for the other VPC CIDR address to the TG.

Adam Mills
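A route-table walk for the setup in this answer, added here as an example and not code from the question or the answer. It models each route table as a longest-prefix-match table with constructed entries (the CIDRs are the answer's; the "vpn-eni" target and the sample addresses 172.31.0.10, 172.42.0.20 and 10.0.9.5 are assumed) and traces both the forward and the return path, which is where the NAT on the VPN server matters: with NAT the reply is addressed to the server's VPC1 address, which VPC2 already routes to the TGW; without it the reply is addressed to the client pool, which VPC2 has no route for.

```python
"""Trace VPN-client traffic across a Transit Gateway using modelled route tables."""
import ipaddress

# Constructed route tables mirroring the answer: VPC1 hosts the VPN server and a
# TGW attachment, VPC2 is a second VPC attached to the same TGW. The TGW table
# holds the two propagated attachment routes; VPC2 has no route for the client pool.
VPC1, VPC2, VPN_POOL = "172.31.0.0/16", "172.42.0.0/16", "10.0.9.0/24"
TABLES = {
    "vpc1": {VPC1: "local", VPC2: "tgw", VPN_POOL: "vpn-eni"},  # vpn-eni: assumed target name
    "vpc2": {VPC2: "local", VPC1: "tgw"},
    "tgw": {VPC1: "vpc1", VPC2: "vpc2"},
}

def lookup(table, dst):
    """Longest-prefix match, the way a VPC or TGW route table picks a target."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(c) for c in table if addr in ipaddress.ip_network(c)]
    best = max(matches, key=lambda n: n.prefixlen, default=None)
    return table[str(best)] if best else None

def trace(start, dst, max_hops=6):
    """Follow a packet from route table `start` until it reaches a local/ENI
    target or falls off the end (None = no route). Returns the hop list."""
    hops, table = [], start
    for _ in range(max_hops):
        target = lookup(TABLES[table], dst)
        hops.append((table, target))
        if target in (None, "local", "vpn-eni"):
            return hops
        table = target
    return hops

def reachable(src_table, dst):
    return trace(src_table, dst)[-1][1] in ("local", "vpn-eni")

def vpn_client_can_reach_vpc2(nat):
    """Forward path from the VPN server's VPC to an instance in VPC2, plus the
    return path from VPC2. With NAT the reply goes to the server's VPC1 address
    (172.31.0.10); without it the reply goes to the client's pool address (10.0.9.5)."""
    return_dst = "172.31.0.10" if nat else "10.0.9.5"
    return reachable("vpc1", "172.42.0.20") and reachable("vpc2", return_dst)

if __name__ == "__main__":
    for nat in (True, False):
        print(f"NAT on VPN server: {nat} -> client reaches VPC2: {vpn_client_can_reach_vpc2(nat)}")
    print("return path without NAT:", trace("vpc2", "10.0.9.5"))
```

Adding a 10.0.9.0/24 route to the TGW in the "vpc2" table and to "vpc1" in the "tgw" table makes the no-NAT case resolve too, which is the route set described in Update 2 (the source/destination check on the VPN instance still has to be off for that path).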