OpenVPN - EC2 Host to Remote Client Communication

One of our enterprise customers runs the whole of their infrastructure on AWS. They are in logistics space with branches all over the world. We recently had to solve a small but important and interesting problem for them.

The Problem

One of the order processing servers inside the AWS VPC uses a CUPS server to connect to client machines in different parts of the world, deliver checks and remotely trigger a print on the printer connected to the remote client's machine. Due to compliance issues, we are not supposed to use static IPs (besides, sometimes you have to deal with computers with no static IPs).

The Environment

The architecture diagram below depicts the environment. The server that sends print commands is inside the VPC. There is also an OpenVPN server which allows access to the other servers. The VPN network range is 10.10.10.1/16 and the OpenVPN client network range is 172.26.224.0/24.

Now if a client has to connect to one of the servers inside the VPC, it's easy. But how do you make RemoteHost1, which is behind the VPN, recognize client1? That was the problem, and here is how we solved it.

The Solution

You basically need to tunnel the traffic from the host that needs to talk to a remote client through the VPN server. Here is how:

Changes to OpenVPN Server

For each OpenVPN user, allow access from all server-side private subnets.

Now edit the route table of the subnet to which the EC2 host belongs and tunnel its traffic for the VPN network range through the OpenVPN server. The image has a placeholder target; you will want to use the instance id of your OpenVPN server.

Make sure you disable source/destination checks on the EC2 host.

On the OpenVPN server, execute the following command:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

And bingo, you should now be able to talk to the remote clients using OpenVPN client. Hope this helps you solve a similar issue.
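The MASQUERADE rule above NATs everything leaving tun0. As an added example (not from the original post or the author's setup), the script below generates a narrower version that only NATs and forwards traffic from the VPC side to the OpenVPN client pool, plus a check that IP forwarding is on. It assumes the VPC side is the article's 10.10.x.x/16 range (written as 10.10.0.0/16), clients are 172.26.224.0/24, and the tunnel interface is tun0; adjust for your environment.

```shell
#!/bin/sh
# Added example, not from the original post. Values are assumptions based on
# the ranges quoted in the article:
#   VPC_CIDR    - server-side network whose hosts must reach remote clients
#   CLIENT_CIDR - OpenVPN client address pool
#   TUN_IF      - OpenVPN tunnel interface on the server

gen_rules() {
  vpc_cidr="$1"; client_cidr="$2"; tun_if="$3"
  # NAT only packets from the VPC that leave via the tunnel towards the
  # client pool, instead of masquerading everything on the interface.
  echo "iptables -t nat -A POSTROUTING -s $vpc_cidr -d $client_cidr -o $tun_if -j MASQUERADE"
  # Let VPC-originated flows out through the tunnel ...
  echo "iptables -A FORWARD -s $vpc_cidr -d $client_cidr -o $tun_if -j ACCEPT"
  # ... and only established/related replies from clients back into the VPC,
  # so a VPN client cannot open new connections to VPC hosts through this path.
  echo "iptables -A FORWARD -i $tun_if -s $client_cidr -d $vpc_cidr -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

check_forwarding() {
  # Without net.ipv4.ip_forward=1 the OpenVPN server silently drops the
  # routed VPC traffic even though the route table and NAT rule look right.
  [ -r /proc/sys/net/ipv4/ip_forward ] || return 2
  [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Print the rules; pipe the output to 'sh' on the OpenVPN server to apply them.
gen_rules 10.10.0.0/16 172.26.224.0/24 tun0
check_forwarding || echo "ip_forward is off: run 'sysctl -w net.ipv4.ip_forward=1'" >&2
```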

Manoj Kumar

Manoj is our Principal Cloud Architect. An AWS and Linux geek who takes extreme pleasure in lording servers, tightening security screws and learning new things.
