
How to configure OpenVPN for AWS VPC Peering with a single private subnet in the 1st and a single subnet in the 2nd VPC?

I've just installed OpenVPN from the AMI Marketplace in my account and connected it via LDAP to AWS Simple AD. To start with, here are the details:

Bastion Host VPC Name: Bastion-VPC ---> has a single public subnet; VPC ID: vpc-01000000000000000; CIDR: 10.236.76.192/26

Private Host VPC Name: Private-Environment-VPC ---> has a single private subnet; VPC ID: vpc-02000000000000000; CIDR: 192.168.96.0/20

I've established VPC Peering between both subnets. Whenever I log on to any machine in Bastion-VPC, I can RDP to any machine in Private-Environment-VPC.

I've installed OpenVPN in Bastion-VPC and can normally RDP to any machine inside Bastion-VPC, but can't RDP / connect to any machine in Private-Environment-VPC.

I'd like to resolve the above problem: establish a VPC connection to Bastion-VPC and RDP to machines in Private-Environment-VPC using OpenVPN.

I tried to follow the steps noted at https://forums.aws.amazon.com/thread.jspa?messageID=570840 and https://openvpn.net/index.php/open-source/documentation/howto.html#redirect, but they were of no help.

Thanks in advance.

After trying a number of the available solutions, here is the problem:

1 - My OpenVPN was joined to AWS Simple AD

2 - There was no known way to allow all authenticated users to connect to the private subnet hosted in the other VPC

Solution

Add permissions for each user in the "Allow To" section of the User Profile to allow access to the private subnet hosted in the other VPC.

VPC Peering does not support edge-to-edge routing through a gateway or private connection.

If either VPC in a peering relationship has one of the following connections, you cannot extend the peering relationship to that connection:

- A VPN connection or an AWS Direct Connect connection to a corporate network
- An internet connection through an internet gateway
- An internet connection in a private subnet through a NAT device
- A VPC endpoint to an AWS service; for example, an endpoint to Amazon S3.
- (IPv6) A ClassicLink connection. You can enable IPv4 communication between a linked EC2-Classic instance and instances in a VPC on the other side of a VPC peering connection. However, IPv6 is not supported in EC2-Classic, so you cannot extend this connection for IPv6 communication.

For example, if VPC A and VPC B are peered, and VPC A has any of these connections, then instances in VPC B cannot use the connection to access resources on the other side of the connection. Similarly, resources on the other side of a connection cannot use the connection to access VPC B.

To get around this issue you could use one VPC with two subnets: one public subnet and one private subnet. Place your Bastion host in the public subnet and your other hosts in the private subnet. This is similar to what you do now, but you're using subnets to separate public and private hosts instead of VPCs. Create a VPN in your public subnet. Then, when you log in to your Bastion over the VPN, you will not need to traverse the VPC Peer to get to the private subnet.

Resource: https://docs.aws.amazon.com/vpc/latest/peering/invalid-peering-configurations.html
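A pre-flight check for the topology in the question, covering both the "Allow To" fix from the first answer and the return-route question raised by the peering answer. This is an added example, not code from the post or from OpenVPN; it assumes the Access Server default client pool 172.27.224.0/20, a constructed instance address 10.236.76.200 and a placeholder peering id, and uses the `+SUBNET:cidr` form that Access Server stores for per-user "Allow To" entries.

```python
"""Pre-flight checks for reaching a peered private subnet through an OpenVPN
Access Server instance in a bastion VPC (added example, not from the post).

Assumed values: the Access Server default client pool 172.27.224.0/20, a
constructed instance address 10.236.76.200, and a placeholder peering id.
"""
from ipaddress import ip_network

# Topology from the question (real CIDRs from the post, placeholder pcx id).
BASTION_CIDR = "10.236.76.192/26"
PRIVATE_CIDR = "192.168.96.0/20"
PEERING_ID = "pcx-PLACEHOLDER"
VPN_POOL = "172.27.224.0/20"          # assumed: Access Server default pool
AS_INSTANCE_IP = "10.236.76.200"      # constructed address inside BASTION_CIDR


def parse_access_to(entries):
    """Subnets permitted by a user's access_to entries ('+SUBNET:cidr')."""
    return [ip_network(e[len("+SUBNET:"):], strict=False)
            for e in entries if e.startswith("+SUBNET:")]


def check_reachability(access_to, nat_mode, private_route_table,
                       vpn_pool=VPN_POOL, as_ip=AS_INSTANCE_IP):
    """Return findings that explain why a VPN client cannot reach PRIVATE_CIDR.

    private_route_table maps destination CIDR -> target ('local', 'pcx-...').
    An empty list means every checked condition passes.
    """
    findings = []
    pool, target = ip_network(vpn_pool), ip_network(PRIVATE_CIDR)
    # 1. The client pool must not overlap either VPC, or routes collide.
    for name, cidr in (("bastion VPC", BASTION_CIDR), ("private VPC", PRIVATE_CIDR)):
        if pool.overlaps(ip_network(cidr)):
            findings.append(f"VPN pool {vpn_pool} overlaps {name} {cidr}")
    # 2. The per-user "Allow To" ACL must cover the destination subnet.
    if not any(target.subnet_of(a) for a in parse_access_to(access_to)):
        findings.append(f"access_to does not allow {PRIVATE_CIDR}")
    # 3. The peered VPC needs a return route for the source the packets carry:
    #    the instance address when NAT is on, the whole pool when routing.
    source = ip_network(as_ip) if nat_mode else pool
    has_return = any(source.subnet_of(ip_network(dst)) and tgt.startswith("pcx-")
                     for dst, tgt in private_route_table.items())
    if not has_return:
        findings.append(f"no route back to {source} via a peering connection")
    return findings


if __name__ == "__main__":
    rt = {PRIVATE_CIDR: "local", BASTION_CIDR: PEERING_ID}
    print("before fix:", check_reachability([], True, rt))
    print("after fix: ", check_reachability([f"+SUBNET:{PRIVATE_CIDR}"], True, rt))
```

Switching NAT off in Access Server changes the source the peered VPC sees from the instance address to the whole client pool, which is why check 3 reports a missing return route in that mode until the pool is added to the private VPC's route table.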
