Hi, I have a problem: I can't talk with the AWS server if I'm connected via OpenVPN.
I can talk with AWS via IPsec, but not if I'm connected with OpenVPN from outside the LAN.

This is an example of the topology.
In OpenVPN
Saturday, November 06 2021, 12:12 AM
Responses (3)
  • Accepted Answer

    Thursday, November 11 2021, 09:19 AM
    There is no point adding the Custom Firewall rule, as that is what the Enabling NAT option does in the background.

    As I said in my first reply, just doing this may not work and it looks like it has not. You will still need the EXTRALANS, but you will need to define another IPsec tunnel from your server to AWS. You can also disable the NAT option again in OpenVPN.

    There is a trick that can sometimes be pulled. If you can change your OpenVPN subnet to be adjacent to your LAN subnet, then you can get away with a single IPsec tunnel for the combined subnet. To give you an example, my LAN subnet is I have moved my OpenVPN subnet to by changing the "server" line in /etc/openvpn/clients.conf. Then a single IPsec tunnel routing will carry both LAN and OpenVPN traffic through it without needing a second tunnel.
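As an added example (not from the thread and not ClearOS or OpenVPN code), the Python below checks the subnet trick described above: whether a LAN subnet and an OpenVPN subnet collapse into one prefix that a single IPsec tunnel can carry, and which OpenVPN subnet to pick so that they do. The sample subnets are constructed, since the thread does not show the real ones.

```python
import ipaddress


def combined_supernet(lan: str, vpn: str):
    """Return the single prefix covering both subnets, or None when one
    IPsec tunnel cannot carry both (subnets not adjacent, or adjacent but
    not aligned on the larger prefix boundary)."""
    lan_net = ipaddress.ip_network(lan)
    vpn_net = ipaddress.ip_network(vpn)
    if lan_net.overlaps(vpn_net):
        # An OpenVPN pool inside the LAN range is a misconfiguration,
        # not a candidate for merging.
        raise ValueError(f"{lan} and {vpn} overlap; pick a distinct OpenVPN subnet")
    # collapse_addresses only merges two networks when they are the two
    # halves of one larger prefix; being numerically adjacent is not enough.
    merged = list(ipaddress.collapse_addresses([lan_net, vpn_net]))
    return merged[0] if len(merged) == 1 else None


def suggest_vpn_subnet(lan: str):
    """Return the subnet that pairs with the LAN into one prefix, plus the
    matching OpenVPN 'server' line for /etc/openvpn/clients.conf."""
    lan_net = ipaddress.ip_network(lan)
    parent = lan_net.supernet(prefixlen_diff=1)
    sibling = next(n for n in parent.subnets(prefixlen_diff=1) if n != lan_net)
    return sibling, f"server {sibling.network_address} {sibling.netmask}"


if __name__ == "__main__":
    # Constructed sample values; the thread does not give the real subnets.
    print(combined_supernet("192.168.10.0/24", "192.168.11.0/24"))  # 192.168.10.0/23
    # Adjacent but straddling a /23 boundary: still needs two tunnels.
    print(combined_supernet("192.168.11.0/24", "192.168.12.0/24"))  # None
    print(suggest_vpn_subnet("192.168.11.0/24"))
```

The suggested subnet is always the other half of the LAN's next-larger prefix, so for a LAN on an odd-numbered /24 the pairing subnet sits below it, not above.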
  • Accepted Answer

    Thursday, November 11 2021, 12:33 AM
    Hi Nick, thanks for your answer.

    I configured the EXTRALAN parameter:

    # Network interface roles
    EXTIF="enp5s0f0 enp5s0f1"

    # Domain and Internet Hostname

    # Extra LANS

    # ISP Maximum Speeds

    I enabled NAT (Gateway mode only) in the OpenVPN Additional Settings section.

    I put the following in Custom Firewall:
    $iptables -t nat -I POSTROUTING -s -j MASQUERADE

    I restarted the OpenVPN service.

    But I can't see my AWS server yet.

    Do you have another tip for configuring this?

    Thanks in Advance.

  • Accepted Answer

    Saturday, November 06 2021, 09:17 AM
    By default OpenVPN only pushes routes to the ClearOS LAN. To push a route to the AWS LAN as well, add the subnet to the EXTRALANS parameter in /etc/clearos/network.conf. Because of how IPsec works, you will also need to add an IPsec tunnel between and There is a chance you will get away without adding the extra IPsec tunnel if you enable NAT in the OpenVPN webconfig.