One of our enterprise customers runs the whole of their infrastructure on
AWS. They are in the logistics space, with branches all over the world. We recently had to solve a small but important and interesting problem for them.
One of the order-processing servers inside the AWS VPC uses a CUPS server to connect to client machines in different parts of the world, deliver checks to them and remotely trigger a print on the printer attached to the remote client's machine. For compliance reasons we are not supposed to rely on static IPs (and in any case some of these client machines simply do not have one).
The architecture diagram depicts the environment. The server that sends the print commands is inside the VPC. There is also an OpenVPN server that gives remote users access to the other servers in the VPC. The VPN network range is
10.10.10.1/16 (as a network address, 10.10.0.0/16) and the OpenVPN client network range is
Now, if a client has to connect to one of the servers inside the VPC, that is easy: the VPN already routes that direction. But how do you get
RemoteHost1, which is behind the VPN, to see
client1? The VPC host is not itself an OpenVPN client, so it has no route to the VPN range. That was the problem, and here is how we solved it.
You basically need to tunnel the traffic from the host that needs to talk to a remote client through the VPN server, so that it enters the tunnel the same way the VPN server's own traffic does. Here is how.
Changes to OpenVPN Server
For each OpenVPN user, allow access from all server-side private subnets (in OpenVPN Access Server this is the per-user "Allow Access From" permission), so that the server-side subnets, including the one the EC2 host sits in, are permitted to reach that user's tunnel address.
Now edit the route table of the subnet the EC2 host belongs to and add a route for the VPN network range whose target is the OpenVPN server, so the host's traffic for that range is sent through it. The screenshot showed a placeholder target; use the instance id (or the network interface) of your OpenVPN server.
Make sure you disable source/destination checks on the OpenVPN server's EC2 instance, the one the route targets. Otherwise AWS drops the packets it is asked to forward, because their destination is not one of the instance's own addresses.
On the OpenVPN server, make sure IP forwarding is enabled (net.ipv4.ip_forward=1) and execute the following command, which rewrites the source of packets leaving the tunnel interface to the server's own tunnel address, so the remote client needs no route back to the VPC subnet:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
And bingo, you should now be able to reach the remote OpenVPN clients from the EC2 host. Two things to check if it does not work: the security group of the OpenVPN instance must allow the forwarded traffic inbound from the EC2 host's subnet (for CUPS that is TCP 631), and the iptables rule must be persisted, or it will be gone after the next reboot. Hope this helps you solve a similar issue.
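The server-side steps above (VPC route, source/destination check, forwarding and the MASQUERADE rule) as one idempotent script. This is an added example, not the original post's own commands: the route table id, the OpenVPN instance id and the device name tun0 are placeholders, and the VPN range is assumed to be 10.10.0.0/16, the network form of the page's 10.10.10.1/16. The per-user Access Server permission is a UI setting and is not scripted here. Running it with DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders: ROUTE_TABLE_ID,
# VPN_INSTANCE_ID, VPN_CIDR and TUN_DEV; replace them for your environment.
# "vpc" runs where the AWS CLI has rights on the VPC; "server" runs as root
# on the OpenVPN server. DRY_RUN=1 prints each command instead of running it.
set -eu

VPN_CIDR="${VPN_CIDR:-10.10.0.0/16}"                       # assumption: network form of the page's 10.10.10.1/16
VPN_INSTANCE_ID="${VPN_INSTANCE_ID:-i-0123456789abcdef0}"  # placeholder: OpenVPN server instance
ROUTE_TABLE_ID="${ROUTE_TABLE_ID:-rtb-0123456789abcdef0}"  # placeholder: route table of the EC2 host's subnet
TUN_DEV="${TUN_DEV:-tun0}"                                 # OpenVPN tunnel interface on the server
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# cidr_ok CIDR: succeed only for four dotted octets, a prefix of 0..32 and a
# network address (all host bits zero). A host address such as 10.10.10.1/16
# is rejected, since a route destination must be a network.
cidr_ok() {
  ip=${1%/*}; prefix=${1#*/}
  case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  IFS=. read -r a b c d <<EOF
$ip
EOF
  for o in "$a" "$b" "$c" "$d"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  addr=$(( (a << 24) | (b << 16) | (c << 8) | d ))
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  [ $(( addr & mask )) -eq "$addr" ]
}

# Step 1: send the VPN range from the EC2 host's subnet to the OpenVPN instance.
add_vpc_route() {
  cidr_ok "$VPN_CIDR" || { echo "VPN_CIDR must be a network, e.g. 10.10.0.0/16" >&2; return 1; }
  run aws ec2 create-route --route-table-id "$ROUTE_TABLE_ID" \
      --destination-cidr-block "$VPN_CIDR" --instance-id "$VPN_INSTANCE_ID"
}

# Step 2: let the OpenVPN instance receive packets not addressed to itself.
disable_src_dst_check() {
  run aws ec2 modify-instance-attribute --instance-id "$VPN_INSTANCE_ID" --no-source-dest-check
}

# Step 3 (on the OpenVPN server): enable kernel forwarding and masquerade
# traffic leaving the tunnel so clients see the server's tunnel address.
# The -C check keeps the rule from being appended twice on repeated runs.
masquerade_on_tun() {
  run sysctl -w net.ipv4.ip_forward=1
  if [ "$DRY_RUN" = 1 ] || ! iptables -t nat -C POSTROUTING -o "$TUN_DEV" -j MASQUERADE 2>/dev/null; then
    run iptables -t nat -A POSTROUTING -o "$TUN_DEV" -j MASQUERADE
  fi
}

case "${1:-}" in
  vpc)    add_vpc_route; disable_src_dst_check ;;
  server) masquerade_on_tun ;;
  '')     ;;   # no argument: only define the functions
  *)      echo "usage: $0 vpc|server" >&2; exit 2 ;;
esac
```

Neither the sysctl nor the iptables rule survives a reboot on its own; persist them with your distribution's mechanism (a file under /etc/sysctl.d and iptables-save, or the equivalent) once you have confirmed the setup works.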