My setting is quite simple: a Raspberry Pi (tun0 IP is 172.32.0.130) is connected to an AWS VPC (172.31.0.0/16) through AWS Client VPN, with an attachment to a public subnet (172.31.32.0/20). There’s an EC2 instance (172.31.37.157) up and running in this subnet. The Raspberry Pi can access all resources of the subnet and I can SSH into the EC2 instance, from the Raspberry Pi, using the private IP address. This makes me believe that the VPN is working just fine.
The problem is when I try the opposite direction. If I try to SSH from the EC2 instance into the Raspberry Pi, I can’t reach the host. I’m assuming that I need to add some sort of routing configuration so the OpenVPN client running on the Raspberry Pi allows me to SSH into it, but I can’t figure out exactly how.
Here's the Raspberry Pi routing table:
Destination | Gateway | Genmask | Flags | Metric | Ref | Use | Iface |
---|---|---|---|---|---|---|---|
0.0.0.0 | 192.168.86.1 | 0.0.0.0 | UG | 303 | 0 | 0 | wlan0 |
172.31.0.0 | 172.32.0.129 | 255.255.0.0 | UG | 0 | 0 | 0 | tun0 |
172.32.0.128 | 0.0.0.0 | 255.255.255.224 | U | 0 | 0 | 0 | tun0 |
192.168.0.0 | 0.0.0.0 | 255.255.255.0 | U | 202 | 0 | 0 | eth0 |
192.168.1.0 | 0.0.0.0 | 255.255.255.0 | U | 304 | 0 | 0 | wlan1 |
192.168.86.0 | 0.0.0.0 | 255.255.255.0 | U | 303 | 0 | 0 | wlan0 |
Here's the EC2 instance routing table:
Destination | Gateway | Genmask | Flags | Metric | Ref | Use | Iface |
---|---|---|---|---|---|---|---|
0.0.0.0 | 172.31.32.1 | 0.0.0.0 | UG | 100 | 0 | 0 | eth0 |
172.31.0.2 | 172.31.32.1 | 255.255.255.255 | UGH | 100 | 0 | 0 | eth0 |
172.31.32.0 | 0.0.0.0 | 255.255.240.0 | U | 100 | 0 | 0 | eth0 |
172.31.32.1 | 0.0.0.0 | 255.255.255.255 | UH | 100 | 0 | 0 | eth0 |
This is the Raspberry Pi's OpenVPN client config:

```
client
dev tun
proto udp
remote xxx.clientvpn.eu-west-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
cert client1.domain.tld.crt
key client1.domain.tld.key
remote-cert-tls server
cipher AES-256-GCM
verb 3
```
Finally, because my Raspberry Pi sits in front of several devices, I'm routing the internet coming from wlan0 to eth0 and wlan1 by adding an entry to iptables:

```shell
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

I'm not a network specialist and I can't figure out what's going on, but the asymmetrical nature of this behaviour makes me believe that the problem is on the Raspberry Pi. What do you think?
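One way to reason about the asymmetry is to run the same longest-prefix-match lookup the kernel performs against both routing tables from the post. The script below is an added example, not part of the original question or any AWS/OpenVPN tooling; it parses the two `route -n` style tables exactly as they appear above (constructed inline from the post, with the pipes stripped), resolves the next hop for each direction of the SSH connection, and reports whether the packet is steered by a specific route or only by the default route. The `lookup`, `describe` and `hop_kind` helper names are my own.

```python
import ipaddress

# Routing tables as printed by `route -n`, constructed from the two tables
# in the question (header row included, table pipes removed).
PI_TABLE = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.86.1 0.0.0.0 UG 303 0 0 wlan0
172.31.0.0 172.32.0.129 255.255.0.0 UG 0 0 0 tun0
172.32.0.128 0.0.0.0 255.255.255.224 U 0 0 0 tun0
192.168.0.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 304 0 0 wlan1
192.168.86.0 0.0.0.0 255.255.255.0 U 303 0 0 wlan0
"""

EC2_TABLE = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.31.32.1 0.0.0.0 UG 100 0 0 eth0
172.31.0.2 172.31.32.1 255.255.255.255 UGH 100 0 0 eth0
172.31.32.0 0.0.0.0 255.255.240.0 U 100 0 0 eth0
172.31.32.1 0.0.0.0 255.255.255.255 UH 100 0 0 eth0
"""

PI_IP = "172.32.0.130"       # tun0 address of the Raspberry Pi (from the post)
EC2_IP = "172.31.37.157"     # private address of the EC2 instance (from the post)


def parse_table(text):
    """Turn a `route -n` dump into a list of route dicts with ip_network objects."""
    routes = []
    for line in text.strip().splitlines()[1:]:      # skip the header row
        dest, gateway, genmask, flags, metric, _ref, _use, iface = line.split()
        # Destination/Genmask in dotted-quad form; strict=False tolerates host bits.
        net = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append({
            "net": net,
            "gateway": gateway,
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def lookup(routes, dst):
    """Longest-prefix match, lowest metric breaks ties; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def hop_kind(routes, dst):
    """'specific' when a non-default route matches, 'default' when only 0.0.0.0/0 does."""
    route = lookup(routes, dst)
    if route is None:
        return "unreachable"
    return "default" if route["net"].prefixlen == 0 else "specific"


def describe(routes, dst):
    """Human-readable next hop in `ip route get` style."""
    route = lookup(routes, dst)
    if route is None:
        return f"{dst}: no route"
    # 'G' flag means the route goes through a gateway; otherwise it is on-link.
    via = f"via {route['gateway']}" if "G" in route["flags"] else "directly connected"
    return f"{dst}: {route['net']} {via} dev {route['iface']}"


def both_directions():
    """Resolve the forward (Pi -> EC2) and return (EC2 -> Pi) next hops."""
    pi_routes = parse_table(PI_TABLE)
    ec2_routes = parse_table(EC2_TABLE)
    return {
        "pi_to_ec2": describe(pi_routes, EC2_IP),
        "pi_to_ec2_kind": hop_kind(pi_routes, EC2_IP),
        "ec2_to_pi": describe(ec2_routes, PI_IP),
        "ec2_to_pi_kind": hop_kind(ec2_routes, PI_IP),
    }


if __name__ == "__main__":
    for key, value in both_directions().items():
        print(f"{key:>15}: {value}")
```

Running it shows the two directions are not mirror images: from the Pi, 172.31.37.157 matches the specific 172.31.0.0/16 route and leaves on tun0 towards 172.32.0.129, whereas on the EC2 instance 172.32.0.130 matches nothing but the default route and is handed to the VPC router 172.31.32.1 on eth0. So the instance's own table never points at the VPN; whether that packet ever reaches the Client VPN endpoint depends on the VPC route table and the endpoint's configuration, neither of which appears in the post, and that is where I would look before touching the Pi's iptables.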