
Resolved
0 votes
Hi, I have a problem: I can't talk with the AWS server if I'm connected via OpenVPN.
I can talk with AWS via IPsec, but not if I'm connected with OpenVPN from outside the LAN.


This is an example of the topology.
Saturday, November 06 2021, 12:12 AM
Responses (3)
  • Accepted Answer

    Thursday, November 11 2021, 09:19 AM
    Resolved
    0 votes
    There is no point adding the Custom Firewall rule, as that is what the Enabling NAT option does in the background.

    As I said in my first reply, just doing this may not work, and it looks like it has not. You will still need the EXTRALANS, but you will need to define another IPsec tunnel from your server to AWS. You can also disable the NAT option again in OpenVPN.

    There is a trick that can sometimes be pulled. If you can change your OpenVPN subnet to be adjacent to your LAN subnet, then you can get away with a single IPsec tunnel for the combined subnet. To give you an example, my LAN subnet is 172.17.2.0/24. I have moved my OpenVPN subnet to 172.17.3.0/24 by changing the "server" line in /etc/openvpn/clients.conf. Then a single IPsec tunnel routing 172.17.2.0/23 will carry both LAN and OpenVPN traffic through it without needing a second tunnel.
  • Accepted Answer

    Thursday, November 11 2021, 12:33 AM
    Resolved
    0 votes
    Hi Nick, thanks for your answer.

    I configured the EXTRALANS parameter:

    =====================================================
    MODE="gateway"

    # Network interface roles
    EXTIF="enp5s0f0 enp5s0f1"
    LANIF="eno1"
    DMZIF=""
    HOTIF=""

    # Domain and Internet Hostname
    DEFAULT_DOMAIN="xxxxxxxx.molp"
    INTERNET_HOSTNAME="xxxxxxxxx.molp"

    # Extra LANS
    EXTRALANS="10.80.0.0/22"

    # ISP Maximum Speeds
    ENP5S0F1_MAX_DOWNSTREAM=20000
    ENP5S0F1_MAX_UPSTREAM=20000
    ENP5S0F0_MAX_DOWNSTREAM=212750
    ENP5S0F0_MAX_UPSTREAM=225300
    ENO1_MAX_DOWNSTREAM=0
    ENO1_MAX_UPSTREAM=0
    ========================================================


    I enabled NAT (Gateway mode only) in the OpenVPN Additional Settings section.

    I put the following in Custom Firewall:
    $iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

    I restarted the OpenVPN service.

    But I can't see my AWS server yet.

    Do you have another tip for configuring it?


    Thanks in Advance.

    REGARDS!!
  • Accepted Answer

    Saturday, November 06 2021, 09:17 AM
    Resolved
    0 votes
    By default OpenVPN only pushes routes to the ClearOS LAN. To push a route to the AWS LAN as well, add the subnet to the EXTRALANS parameter in /etc/clearos/network.conf. Because of how IPsec works, you will also need to add an IPsec tunnel between 10.8.0.0/24 and 10.80.0.0/16. There is a chance you will get away without adding the extra IPsec tunnel if you enable NAT in the OpenVPN webconfig.
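Added example (not from this thread, and not ClearOS code): a small Python check for the two points the replies turn on. The first reply explains that a route alone is not enough, because IPsec only carries packets whose addresses fall inside a tunnel's traffic selectors, so the OpenVPN subnet must itself be covered by a selector. The accepted answer's "trick" of merging the LAN and OpenVPN subnets into one /23 only works when the two prefixes are the two halves of the same supernet, which is a stricter condition than merely being numerically adjacent. The subnets below are the ones quoted in the thread; the list of configured selectors is constructed for the illustration.

```python
import ipaddress
from typing import List, Optional


def covering_selector(network: str, selectors: List[str]) -> Optional[str]:
    """Return the first traffic selector that fully contains `network`, or None.

    A policy-based IPsec tunnel only protects packets whose source and
    destination match its selectors. A source such as 10.8.0.0/24 that is not
    inside the local selector is never handed to the tunnel, even when a
    kernel route for the remote side exists.
    """
    net = ipaddress.ip_network(network, strict=False)
    for sel in selectors:
        sel_net = ipaddress.ip_network(sel, strict=False)
        if net.version != sel_net.version:
            continue
        if net.subnet_of(sel_net):
            return sel
    return None


def uncovered_sources(sources: List[str], selectors: List[str]) -> List[str]:
    """List the source subnets that no configured selector carries."""
    return [s for s in sources if covering_selector(s, selectors) is None]


def merge_adjacent(net_a: str, net_b: str) -> Optional[str]:
    """Return the single prefix that covers exactly net_a and net_b, or None.

    Two /24s can be replaced by one /23 only when they share the same parent
    supernet. 172.17.3.0/24 and 172.17.4.0/24 are next to each other but
    straddle a /23 boundary, so no single prefix covers just those two.
    """
    a = ipaddress.ip_network(net_a, strict=False)
    b = ipaddress.ip_network(net_b, strict=False)
    if a.version != b.version or a.prefixlen != b.prefixlen or a == b:
        return None
    parent = a.supernet()
    return str(parent) if parent == b.supernet() else None


if __name__ == "__main__":
    # Values from the thread: LAN 172.17.2.0/24 (Nick's example), OpenVPN
    # 10.8.0.0/24, AWS side 10.80.0.0/16 with EXTRALANS=10.80.0.0/22.
    # The selector list is a constructed assumption: only the LAN is in the
    # existing tunnel, which is the situation the original poster describes.
    local_selectors = ["172.17.2.0/24"]
    print(uncovered_sources(["172.17.2.0/24", "10.8.0.0/24"], local_selectors))  # ['10.8.0.0/24']
    print(covering_selector("10.80.0.0/22", ["10.80.0.0/16"]))  # 10.80.0.0/16
    print(merge_adjacent("172.17.2.0/24", "172.17.3.0/24"))  # 172.17.2.0/23
    print(merge_adjacent("172.17.3.0/24", "172.17.4.0/24"))  # None
```

Run it as-is to reproduce the thread's situation: the OpenVPN subnet comes back as uncovered, which is why a second tunnel (or the aligned /23 supernet) is needed, while the EXTRALANS entry 10.80.0.0/22 does sit inside the 10.80.0.0/16 remote side. Feed `merge_adjacent` your own LAN and proposed OpenVPN subnet before editing the "server" line in clients.conf; a `None` result means the trick will not apply to that pair.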