I am working on setting up VPN-based access to an AWS VPC, and things are not working. I would appreciate any advice or guidance :)
What I'm trying to do: allow many GL-iNet routers to use their built-in OpenVPN client functionality to connect to an OpenVPN Access Server running on an EC2 instance in an AWS VPC. LAN clients (attached to the GL-iNet routers) will need to access various resources within the VPC (RDS, EC2, DNS, etc…). And AWS VPC resources (EC2 instances, other VPN clients, etc…) need to be able to access a few specific things on two specific computers on the client LANs (SSH, RDC, HTTPS).
Current Plan/Approach:
VPC: 10.10.0.0/16 - broken up into various public and private subnets across 3 AZs (although only using things in AZ1 for now)
OpenVPN Access Server - running on an EC2 instance in a public subnet in AZ1. Used the OpenVPN Access Server marketplace setup/AMI, so all networking etc… should be set up correctly. Confirmed that the ENI has Source/Dest Check set to false.
VPN client subnets - various subnets within 10.9.0.0/16 (10.9.0.0/23 for global-level dynamically handed out IPs, 10.9.20.0/23 for global static IPs, 10.9.4.0/23 as the group default, and then further groups for various users and groups).
OpenVPN Access Server is configured with server-side private subnet access set to "Yes, using Routing", with 10.10.0.0/16 as the private subnet that clients should be given access to.
Added route for 10.9.0.0/16 -> VPN server’s ENI to all route tables.
SG for EC2 instance allows all traffic inbound from 10.9.0.0/16 and 10.10.0.0/16 (plus needed ports for OpenVPN server functionality open to the public).
Testing with both a GL-iNet router and a laptop connecting directly to the OpenVPN server.
Connection to the VPN server works fine. Can get out to the public internet over the VPN connection (routes out through the EC2 instance's public IP). Can ping the private IP of the VPN server EC2 instance. Can access client-side resources from the OpenVPN EC2 server via port forwarding rules in the GL-iNet router. All that is good.
However, I am unable to access private VPC resources outside of the VPN server from the client side of the VPN. This includes RDS instances, the DNS server at 10.10.0.2, or the subnet gateway at 10.10.33.1. Based on tcpdump captures it looks like the packets are going out from the VPN server EC2 instance, but nothing comes back.
If I switch from “Yes, using Routing” to “Yes, using NAT” then I can access all those things just fine, but cannot access client side LAN resources from the VPC.
So it seems like the route telling the subnets/VPC that return traffic to 10.9.0.0/16 needs to go to the VPN EC2 instance isn’t working? Or the EC2 instance isn’t accepting that traffic?
I’ve been beating my head against this all day and am rushing towards a deadline, so any help would be appreciated! Thanks!
-------------
SOLVED (ish)
There’s some routing issue that happens when “route internet traffic through the VPN” is enabled. Disabling that option on the OpenVPN Server seems to solve my routing issue.
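The symptom in the post (packets leave the VPN instance, nothing comes back) is exactly what a missing or wrong return route, or an ENI with source/dest check still enabled, looks like from the client side. The script below is an added example, not code from the original post or from OpenVPN/AWS: it audits route tables and the VPN ENI the way the VPC router actually evaluates them (longest-prefix match over active routes only, so a 0.0.0.0/0 route to a NAT gateway or IGW silently "wins" when the 10.9.0.0/16 entry is absent or blackholed). The input dictionaries are constructed inline to mirror the shape of `aws ec2 describe-route-tables` and `aws ec2 describe-network-interfaces` JSON; the route table IDs, the ENI ID `eni-0abc123`, and the gateway IDs are assumptions for illustration.

```python
"""Offline audit of VPC return routing for an OpenVPN Access Server hub.

The checks: every route table must send the VPN client CIDR to the VPN
instance's ENI, and that ENI must have Source/Dest Check disabled.
All sample data below is constructed; IDs are hypothetical.
"""
import ipaddress

VPN_CLIENT_CIDR = "10.9.0.0/16"   # client-side subnets handed out by OpenVPN AS (from the post)
VPN_ENI = "eni-0abc123"            # assumed ENI ID of the OpenVPN AS instance

# Constructed sample mirroring `aws ec2 describe-route-tables` output:
# one correct table, one with a blackholed route (falls through to NAT),
# and one with no route at all for the client CIDR.
ROUTE_TABLES = {
    "RouteTables": [
        {"RouteTableId": "rtb-public-a", "Routes": [
            {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1", "State": "active"},
            {"DestinationCidrBlock": "10.9.0.0/16", "NetworkInterfaceId": "eni-0abc123", "State": "active"},
        ]},
        {"RouteTableId": "rtb-private-a", "Routes": [
            {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1", "State": "active"},
            {"DestinationCidrBlock": "10.9.0.0/16", "NetworkInterfaceId": "eni-0abc123", "State": "blackhole"},
        ]},
        {"RouteTableId": "rtb-private-b", "Routes": [
            {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
        ]},
    ]
}

# Constructed sample mirroring `aws ec2 describe-network-interfaces` output.
NETWORK_INTERFACES = {
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0abc123", "SourceDestCheck": True, "PrivateIpAddress": "10.10.1.10"},
    ]
}


def route_target(route):
    """Return whatever the route points at (ENI, instance, NAT GW, IGW, ...)."""
    for key in ("NetworkInterfaceId", "InstanceId", "NatGatewayId", "GatewayId", "TransitGatewayId"):
        if key in route:
            return route[key]
    return "?"


def best_route(routes, cidr):
    """Longest-prefix match over active routes, as the VPC router does it."""
    target = ipaddress.ip_network(cidr)
    candidates = []
    for route in routes:
        dest = route.get("DestinationCidrBlock")
        if not dest or route.get("State") != "active":
            continue  # blackhole/inactive routes never carry traffic
        net = ipaddress.ip_network(dest)
        if target.subnet_of(net):
            candidates.append((net.prefixlen, route))
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0])[1]


def audit(route_tables, interfaces, client_cidr=VPN_CLIENT_CIDR, vpn_eni=VPN_ENI):
    """Return a list of human-readable findings; an empty list means routing looks right."""
    findings = []
    for table in route_tables["RouteTables"]:
        tid = table["RouteTableId"]
        # A blackholed entry for the exact CIDR usually means the ENI/instance it
        # pointed at was replaced; flag it separately from the effective-route check.
        for route in table["Routes"]:
            if route.get("DestinationCidrBlock") == client_cidr and route.get("State") != "active":
                findings.append(f"{tid}: route {client_cidr} -> {route_target(route)} is {route.get('State')}")
        effective = best_route(table["Routes"], client_cidr)
        if effective is None:
            findings.append(f"{tid}: no route for {client_cidr}; return traffic is dropped")
        elif route_target(effective) != vpn_eni:
            findings.append(f"{tid}: {client_cidr} matches {effective['DestinationCidrBlock']} -> "
                            f"{route_target(effective)}, not {vpn_eni}")
    for eni in interfaces["NetworkInterfaces"]:
        if eni["NetworkInterfaceId"] == vpn_eni and eni.get("SourceDestCheck", True):
            findings.append(f"{vpn_eni}: SourceDestCheck is enabled; AWS drops forwarded packets on this ENI")
    return findings


if __name__ == "__main__":
    for line in audit(ROUTE_TABLES, NETWORK_INTERFACES) or ["no routing findings"]:
        print(line)
```

Against the constructed data the audit reports the blackholed route and the NAT-gateway fall-through in `rtb-private-a`, the missing route in `rtb-private-b`, and the enabled source/dest check; `rtb-public-a` is clean. On a real account, feed it the JSON from the two `aws ec2 describe-*` commands it mimics, and remember that a security group on the VPN instance only matters once the VPC router has actually delivered the return packet to that ENI.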