
I have an EC2 instance that hosts an OpenVPN service. The company has multiple mini-sites that use this service to sync their data with the headquarters. So site 1 has IP 10.8.0.1, site 2 has IP 10.8.1.1, etc.

I want to slowly shift to collect and aggregate these distributed data into a data warehouse that will be hosted on AWS.

There are multiple services that aid this approach (AWS Glue), whether it would be ETL or stream-based.

My problem is: I can't connect to the on-premise network with the current setup. Or at least I don't know how. I know there's AWS site-to-site VPN or AWS Client VPN, but we opted for the current option to roll our own VPN.

The question is: is there any way to make this work with the current setup?

I thought that maybe there's a way to allocate an internal IP inside the VPC that would use the EC2 instance to transfer the data via the OpenVPN network to the appropriate client. E.g.: If I tell a Lambda function to connect to a DB that is hosted on 192.168.0.1, that would be redirected to the EC2 instance and it would translate 192.168.0.1 to 10.8.0.1 and forward the connection to that client.

I'm no network expert so I don't know if this can be done via routing, NAT-ing or whatever.

Martijn Pieters
SLOBY
  • Before you dive too deep into trying to get this setup to work with a managed service (like Lambda), I suggest you try on your own EC2. So just set up another EC2 instance on the same VPC and see if you can reach your internal on-premises services -- this will allow you to go through all network steps on this setup. At the minimum, you need to disable source/destination checking on your OpenVPN instance and configure your on-premises CIDR on the route table to send that traffic to your EC2 instance. Is this what you are expecting from an answer here? – tyron Oct 19 '20 at 14:33
  • The approach you suggested is also feasible. The main issue is not the "source" (EC2, Lambda, whatever) but rather the "how". As I said, I don't know how to configure the things you mentioned (source/destination checking, on-prem CIDR on the route table). Could you elaborate, please? – SLOBY Oct 21 '20 at 14:57
  • That simplifies a lot, because tests would also be easier since you have total control on your "source" (aka not Lambda). Thanks for explaining, let me get some details written out – tyron Oct 22 '20 at 00:42
  • Can we assume your OpenVPN server is setup and working (therefore your question is just on usage of the service), or is this part of your problem too? – tyron Oct 22 '20 at 00:48

1 Answer


I'll focus this answer on the AWS portion of the setup, as OpenVPN configuration steps are widely available. In your case, you are looking for a Site-to-Site OpenVPN configuration from on-prem to AWS. There's a good tutorial on https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/ about the OpenVPN side of the configuration. Some extra details for OpenVPN configuration on AWS can be found on https://stackoverflow.com/a/19976330/891772 (while a bit outdated, with old screenshots, most steps are still valid).

Network

You should place your AWS OpenVPN in a "public subnet" (let's call it ovpn-subnet and give it a 192.168.255.0/24 range) on your VPC (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario3.html). A public subnet is just a subnet where the Route Table's default destination (0.0.0.0/0) goes to an Internet Gateway. This will allow your AWS OpenVPN server to go out to the internet, and eventually reach your on-premises IP.

Besides that subnet, you should also have subnet(s) to place your client servers on AWS. Let's call them client-subnet1 (192.168.0.0/24) and client-subnet2 (192.168.1.0/24). Note: they can be collectively represented as 192.168.0.0/23. Make sure your AWS OpenVPN security group only allows traffic from servers on 192.168.0.0/23, besides from your on-prem OpenVPN.

I'll also assume you have another EC2 instance deployed to the same VPC/subnet as your OpenVPN server, which makes it easier to start testing -- you can start to spread things out after you are confident with your simple setup.

Configuration

The most important thing that you need on your AWS OpenVPN server is to disable the source/destination check. This is a security feature normally enabled on AWS that prevents an EC2 server from receiving packets not intended for that instance. In your case, since the server is acting like a Firewall/Router/Gateway/NAT Gateway, it needs to receive packets not intended for it. In summary: go to your EC2 Console, find your OpenVPN server, select Actions > Networking > Change Source/Dest. Check, and confirm you want to disable it.

The next thing is to configure a Route Table on your VPC that sends traffic to your OpenVPN server. Details are in the same AWS docs, under the "Updating the main route table" item. Just make sure you have a separate Route Table for these client subnets, distinct from the one for the OpenVPN subnet (since you want the OpenVPN traffic to go through the Internet, and the clients to go through your VPN). For that, go to your VPC Console, select "Route Table", create a new Route Table and associate it with client subnets 1 and 2. Once you are on the Route Table page, select the "Routes" tab, click "Edit routes" and select "Add route". The "Destination" field should be filled with the CIDR block for your on-premises network (maybe 10.8.0.0/16?); for "Target" you should select Instance and then select your OpenVPN instance ID. If your OpenVPN instance is not shown in the list, make sure you disabled the source/destination check as described above.

Checkpoint

At this point, you basically created a rule on your VPC's router that says "any packet going to 10.8.0.0/16 network should not be handled within AWS, rather sent to this EC2 instance". It's your role to configure the OpenVPN instance to actually reach your on-premises network.

Test

At this point, you can try to log in to your test EC2 instance and communicate with your on-prem services.

tyron
  • Thank you for your answer. I followed your suggestion but it partially covers my requirements. Could you help with this part: " It's your role to configure the OpenVPN instance to actually reach your on-premises network."? The way I see it, I have to configure OpenVPN to allow any traffic from `172.31.0.0/16` right? How do I do that? – SLOBY Oct 24 '20 at 22:05
  • FYI: I tried setting up a test instance and ping an OpenVPN client after I did everything you mentioned. The ping was unsuccessful, I was only able to ping 10.8.0.1 which is the OpenVPN server's IP. – SLOBY Oct 24 '20 at 22:07
  • I have added some more details on the network configuration. I hope that helps you! I can't say much about the OpenVPN configuration as I'm not an expert. I provided a link from their docs that should help you. I've highlighted some important things now, for example that you need to have multiple subnets, and 2 Route Tables (1 for your AWS OpenVPN subnet, the other for your clients). You have to break your problem into pieces: you first need to have the VPN working, which I thought you had already. Only after that should you start adding clients to the equation. – tyron Oct 26 '20 at 02:53
  • @SLOBY let me know if that answers your question and/or puts you in a position where you can figure out the next steps. – tyron Oct 26 '20 at 19:18
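The AWS-side steps from the answer above (disable the source/destination check, create a dedicated route table for the client subnets, add the on-prem route pointing at the OpenVPN instance, associate the client subnets) as AWS CLI calls rather than console clicks. This is an added example and not tyron's or SLOBY's code; the VPC, instance and subnet IDs are placeholder assumptions to be overridden through the environment, and it assumes a configured AWS CLI with permissions for the `ec2` calls used. Setting `AWS=echo` prints the calls instead of executing them, which is also how the script can be reviewed before touching the VPC.

```shell
#!/bin/sh
# Added example (not from the original answer): AWS-side plumbing for routing
# the on-prem CIDR through an OpenVPN EC2 instance. All IDs below are
# assumptions; override them via the environment.
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"              # your VPC (placeholder)
OVPN_INSTANCE="${OVPN_INSTANCE:-i-0123456789abcdef0}"  # OpenVPN EC2 instance (placeholder)
CLIENT_SUBNETS="${CLIENT_SUBNETS:-subnet-0aaa0aaa0aaa0aaa0 subnet-0bbb0bbb0bbb0bbb0}"  # client-subnet1/2 (placeholders)
ONPREM_CIDR="${ONPREM_CIDR:-10.8.0.0/16}"             # OpenVPN address space used by the sites
AWS="${AWS:-aws}"   # set AWS=echo to print the calls instead of running them

# Step 1: the instance must accept packets whose destination is not its own
# address; otherwise the VPC drops the forwarded traffic before OpenVPN sees it.
disable_src_dst_check() {
    $AWS ec2 modify-instance-attribute \
        --instance-id "$OVPN_INSTANCE" --no-source-dest-check
}

# Read the attribute back; prints "False" once the check is disabled.
src_dst_check_state() {
    $AWS ec2 describe-instance-attribute \
        --instance-id "$OVPN_INSTANCE" --attribute sourceDestCheck \
        --query 'SourceDestCheck.Value' --output text
}

# Step 2: a route table used only by the client subnets. The OpenVPN subnet
# keeps its own table (0.0.0.0/0 -> Internet Gateway), so it is never
# associated here.
create_client_route_table() {
    $AWS ec2 create-route-table --vpc-id "$VPC_ID" \
        --query 'RouteTable.RouteTableId' --output text
}

# Step 3: send the on-prem CIDR to the OpenVPN instance instead of "local".
add_onprem_route() {
    rtb="$1"
    $AWS ec2 create-route --route-table-id "$rtb" \
        --destination-cidr-block "$ONPREM_CIDR" --instance-id "$OVPN_INSTANCE"
}

# Step 4: attach the table to client-subnet1 and client-subnet2 only.
associate_client_subnets() {
    rtb="$1"
    for s in $CLIENT_SUBNETS; do
        $AWS ec2 associate-route-table --route-table-id "$rtb" --subnet-id "$s"
    done
}

# Runs the four steps in order and returns the new route table id on stdout.
plumb_vpn_route() {
    disable_src_dst_check >/dev/null
    rtb=$(create_client_route_table)
    add_onprem_route "$rtb" >/dev/null
    associate_client_subnets "$rtb" >/dev/null
    printf '%s\n' "$rtb"
}

# Only talk to AWS when explicitly asked, e.g.:
#   VPN_ROUTE_RUN=1 VPC_ID=vpc-... OVPN_INSTANCE=i-... ./vpn-route.sh
if [ "${VPN_ROUTE_RUN:-0}" = "1" ]; then
    plumb_vpn_route
    src_dst_check_state
fi
```

After this, the VPC router hands 10.8.0.0/16 to the instance, but the instance itself still has to forward: on the Linux side that means `net.ipv4.ip_forward=1` and an OpenVPN configuration that routes 10.8.0.0/16 into the tunnel and pushes a return route for 192.168.0.0/23 to the sites (for example `push "route 192.168.0.0 255.255.254.0"`), which is the part the answer leaves to the OpenVPN docs. Keep the new route table off the ovpn-subnet, otherwise the tunnel's own Internet-bound packets would be looped back at the instance.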