
How to connect to OpenVPN clients from LAN 'members'

Server Fault Asked by davur on December 11, 2021

Working on an IoT type of thing, I want to connect some devices “in the wild” to servers in AWS through OpenVPN on an EC2 instance.

So far I have been able to set up an EC2 instance configured as an OpenVPN server, and I have the client devices connecting to the VPN successfully. This was all set up using this guide – https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6

The OpenVPN clients are getting 10.8.0.x IPs and can talk to each other via those IPs. I can also talk to these IPs from the OpenVPN server itself. So far so good.

I also have other EC2 instances on AWS, in the same VPC and subnet as the OpenVPN server. These instances cannot currently reach the OpenVPN clients via their 10.8.0.x IP. The OpenVPN clients can reach the instances by their private subnet IPs (10.101.x.x), but they represent themselves only with the IP address of the OpenVPN server.

What do I need to do to:

A. Enable the EC2 instances to send messages to individual OpenVPN client devices (probably via their OpenVPN addresses, but other options are welcome).

B. Let the EC2 instances see the origin IP addresses of the clients rather than just the server’s IP, when they send messages to the server. — This is secondary, really, as the clients would identify themselves in their requests.

Edit

Devices are in distinct geographical locations and not on a common LAN, each connecting via 3G/4G. Each device needs to send messages to all the EC2 instances, and each EC2 instance needs to send messages to some of the devices.

            /- AWS VPC & public subnet ----------------
            |                                          |
deviceA ----+-                       /-- ec2_A        |
10.8.0.a    | |                       |   10.101.0.a   |
_______     | >- OpenVPN server ------<                |
            | |  10.8.0.1 / 10.101.0.x |               |
deviceB ----+-/                       -- ec2_B        |
10.8.0.b    |                             10.101.0.b   |
            ------------------------------------------/

One Answer

A. Enable the EC2 instances to send messages to individual OpenVPN client devices (probably via their OpenVPN addresses, but other options are welcome).

I am not quite sure of what your idea is here. First of all, you need to allow communications within your network in AWS. If 10.101.x. are the instances' private subnet IPs, what is 10.10.0.x?

Also, what are the routes configured in your EC2 instances? ip route will tell you. They need to know who to contact (your OpenVPN server in this case) to reach the clients (10.8.0.x): ip route add 10.8.0.0/24 via $vpn_ip (with $vpn_ip the "known" IP of the OpenVPN server for the EC2 instances, 10.10.0.?).

If the EC2 instances need to be able to initiate connections with specific users, they need to be aware of these users (e.g. who has which IP), otherwise the users need to start the connection.

B. Let the EC2 instances see the origin IP addresses of the clients rather than just the server's IP, when they send messages to the server. -- This is secondary, really, as the clients would identify themselves in their requests.

The EC2 instances would see your users' inner IP addresses (10.8.0.x) and associate them with users (certificates) with ipp.txt (status file) on the OpenVPN server or by knowing the static IPs.

You could use client-config-dir in OpenVPN's server config to specify user-specific directives (static IPs for instance that your EC2 instances know), but that would probably be a bad solution if you had many clients.

Answered by Bamse on December 11, 2021
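The answer above names three moving parts: the ip route entry each EC2 instance needs, the ipp.txt lease file (written by OpenVPN's ifconfig-pool-persist directive, one "common_name,vpn_ip" line per client) that maps a 10.8.0.x address back to a client certificate, and client-config-dir files that pin a client to a fixed address. The POSIX shell script below, added here as an example and not part of the question or of Bamse's answer, ties them together: it parses a constructed ipp.txt sample, prints the route command for the EC2 side, resolves addresses to client names (useful when reading EC2 access logs), and renders client-config-dir files. The server's VPC address 10.101.0.5, the client names, the lease contents and the use of "topology subnet" are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the original answer's code. Assumptions: the OpenVPN server
# uses "ifconfig-pool-persist ipp.txt" and "topology subnet", and the EC2
# instances reach it at the constructed VPC address 10.101.0.5.

VPN_SERVER_IP="10.101.0.5"   # constructed: OpenVPN server's private VPC address
VPN_SUBNET="10.8.0.0/24"     # the OpenVPN client pool from the question

# Constructed sample of ipp.txt: "common_name,virtual_ip", one lease per line.
IPP_SAMPLE='deviceA,10.8.0.2
deviceB,10.8.0.3
deviceC,10.8.0.4'

# Print the VPN address leased to a client common name (empty if unknown).
vpn_ip_for() {
    printf '%s\n' "$IPP_SAMPLE" | awk -F, -v cn="$1" '$1 == cn { print $2; exit }'
}

# Reverse lookup: which client certificate holds a given 10.8.0.x address.
# This is how an EC2 instance can attribute a request to a device once it
# sees the client's real VPN source address instead of the server's.
client_for() {
    printf '%s\n' "$IPP_SAMPLE" | awk -F, -v ip="$1" '$2 == ip { print $1; exit }'
}

# The route every EC2 instance needs so that 10.8.0.0/24 goes via the VPN server.
route_command() {
    printf 'ip route add %s via %s\n' "$VPN_SUBNET" "$VPN_SERVER_IP"
}

# Render one client-config-dir file per client, pinning its current lease as a
# static address. With "topology subnet" the directive is
# "ifconfig-push <client_ip> <netmask>"; with the default net30 topology the
# second argument would be the /30 peer address instead.
write_ccd() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s\n' "$IPP_SAMPLE" | while IFS=, read -r cn ip; do
        [ -n "$cn" ] || continue
        printf 'ifconfig-push %s 255.255.255.0\n' "$ip" > "$dir/$cn"
    done
}

# Demonstration when run directly.
route_command
printf 'deviceA -> %s\n' "$(vpn_ip_for deviceA)"
printf '10.8.0.3 -> %s\n' "$(client_for 10.8.0.3)"
```

Two caveats a practitioner would want alongside the route: the EC2 instances only see 10.8.0.x source addresses if the VPN server is not masquerading the VPN subnet toward its VPC interface (the POSTROUTING MASQUERADE rule that setup guides of this kind add is what makes every client appear as the server's own address), and an EC2 instance forwarding packets for addresses that are not its own needs IP forwarding enabled and the instance's source/destination check disabled. A VPC route table entry sending 10.8.0.0/24 to the VPN server's network interface is the alternative to running ip route on every instance. If you do pin addresses via client-config-dir, keep them outside the dynamic pool range so they cannot collide with leases handed out to other clients.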
