VPN / Networking with AWS

This topic has been archived, and won't accept reply postings.
 mark20 13 Apr 2024

I know there are some clever folk into all sorts of stuff on here, so looking for some tech nerds...

I am fairly new to networking, in particular AWS, which has a whole load of extra jargon. I’ve made some good progress but hit a stumbling block and am really struggling with this one.

We have a load of remote devices/servers (‘Spokes’) that we want to connect to from a laptop, and currently these spokes have Public IP SIM cards and we VPN directly using Windows built in VPN. This is expensive and unscalable. So we are looking to switch these to Private IPs on our Network Providers network, and they are setting up a 'DM VPN' connection that we can connect to securely to access all our devices on one VPN connection. I've proved this side of the network is all working OK.

For ease of use, and control, we are setting up an AWS VPC and putting an OpenVPN server on this, and this will be how we can connect to our Network Provider's network, and hence our spokes.

So we have the VPC, with a Linux instance for debugging, OpenVPN server/gateway and the Site-to-Site VPN with Virtual Private Gateway. I've set up the VPC routing table so that traffic for the Spokes goes via the Virtual Private Gateway. Our Network Provider has all the subnet IPs and traffic for our laptop is direct back over the Site-to-Site VPN. The OpenVPN server is set up so that traffic for our Spokes goes through it.
Each individual connection is working in both directions - I can ping from the Linux instance to our Spokes, and to a laptop that is connected to the OpenVPN. The laptop can ping the Linux instance. Our spokes can ping the Linux instance. But we cannot ping from the laptop to the spokes. We’ve tried a packet capture from our Spokes and obviously see the pings from the Linux instance, but don’t get anything when we ping from a laptop connected on the OpenVPN - so the traffic isn't passing all the way through the AWS VPC to the spokes when coming from the laptop/OpenVPN.

So we can do 1 hop, but not 2. Am I missing something with how AWS routing works? Do I need an actual ‘AWS router’ rather than just expecting the routing table to work here?

I hope that makes sense.
Many thanks

 Brass Nipples 13 Apr 2024
In reply to mark20:

If you haven’t already, draw up a diagram showing how it’s all networked together. I would also check what you’ve set in the access control lists / network security settings in AWS.

Post edited at 14:33
 AndyC 13 Apr 2024
In reply to mark20:

Any chance this is an IPv4 vs IPv6 issue on the laptop? Are you pinging IP addresses or names? Is it possible that the spokes are resolving to IPv6 addresses and the ping packets are not being routed through the Windows VPN? You can force IPv4 pings using -4 on the ping command line.

 Connorh 13 Apr 2024
In reply to mark20:

Your VPC has an "Implicit Router" so I don't believe you need a router in this instance.*

I'd double check your AWS VPC ACL, although this should be defaulted to any/any.

- When you ping from the OpenVPN Laptop to one of your DMVPN "spokes", are you seeing this traffic hit your OpenVPN Server?

- How is your OpenVPN set up, are you using NAT or routing? ** Read this - depending on which it is there may be additional config req'd.

Either way you need to ensure your routing tables on the DM-VPN spokes are all up to date with the subnet of either your NAT subnet or your client VPN subnet.

- Check your OpenVPN Laptop has a route for the DMVPN Spokes. Check your DMVPN Spokes have a route for the Laptop IP as presented on the VPC. 

I drew a crappy diagram, is this accurate?

*https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html

**https://aws.amazon.com/blogs/awsmarketplace/setting-up-openvpn-access-serve...

Post edited at 18:50

OP mark20 14 Apr 2024

Thanks for the help. Some things to investigate here.

I checked security / access control and it all looks OK. Actually it will need considerable tightening up once the solution is proved to work!

I've added a diagram, with IP addresses etc removed for security purposes. I realise it would be a lot easier with all this info & route tables etc!

In reply to Connorh:

> When you ping from the OpenVPN Laptop to one of your DMVPN "spokes" are you seeing this traffic hit your openVPN Server?

Yes

> How is your OpenVPN setup, are you using NAT or routing? ** Read this - depending on which it is there may be additional config req'd.

We want to use routing, and this is how it is set up. Interestingly, when I put it to NAT it works, and I can ping all my spokes. Definitely need to do some more digging around here.

> Either way you need to ensure your routing tables on the DM-VPN spokes are all up to date with the subnet of either your Nat Subnet, or your client VPN Subnet.

I thought the packet capture we did from the Spoke end proved that traffic wasn't even getting there, so even if the spoke routing wasn't set up then we'd still see the traffic getting there, but not coming back. I've checked the routing tables at the spokes though and it is all correct.

Post edited at 08:37

In reply to mark20:

Try dropping a logic bomb through a trapdoor into the mainframe. This should get you started:

01010100 01110101 01110010 01101110 00100000 01101001 01110100 00100000 01101111 01100110 01100110 00100000 01100001 01101110 01100100 00100000 01101111 01101110 00100000 01100001 01100111 01100001 01101001 01101110

 Tyler 14 Apr 2024
In reply to mark20:

I’m not entirely sure if this is what you are trying to do, but if you want to route traffic via an instance on AWS you will need to have source/destination checking turned off on the EC2 instance (assuming that is your ‘hub’).

 Connorh 14 Apr 2024
In reply to mark20:

> We want to use routing, and this is how it is set up. Interestingly when I put it to NAT it works, and I can ping all my spokes. Definitely need to do some more digging around here

Yeah, so you are getting closer to your issue then, this is good. My focus would be on the OpenVPN configuration in routing mode and your VPC config.

I assume all of your address spaces are unique, i.e. your VPC is not overlapping with the client VPN?

And you have followed the guide's recommendations?

When using the "Yes, using Routing" option, you need to do the following:

- Disable the source/destination check on the OpenVPN Access Server instance to let the appliance forward traffic from and to clients.

- Set the OpenVPN Access Server security group accordingly to allow traffic from other IPs in the VPC to reach the clients.

- Update your private subnets’ routing tables to let the internal VPC router know which subnets are reachable via the Access Server (i.e., VPN client subnets).

> I thought the Packet Capture we did from the Spoke end proved that traffic wasn't even getting there, so even if the spoke routing wasn't set up then we'd still see the traffic getting there, but not coming back. I've checked the routing tables at the spokes though and it is all correct 

It does, assuming the packet capture is seeing all of the traffic (I tend not to assume the packet capture is working perfectly when troubleshooting). The routing needs to be correct regardless of what the current fault is, so I thought to check this.
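A check script for the routing-mode prerequisites listed above (source/destination check off on the OpenVPN instance, a VPC route for the client pool pointing at it, IP forwarding enabled on the server, and no NAT rule masking the problem), added here as an example and not code from the thread or from AWS. The instance ID, route table ID and both CIDRs are placeholders or constructed; the live section only runs where /proc and the aws CLI are present, the check functions work on captured command output and can be run anywhere.

```shell
#!/usr/bin/env sh
# Added example: verifies the "Yes, using Routing" prerequisites discussed above.
# All identifiers/CIDRs below are placeholders or constructed, not values from the thread.
INSTANCE_ID="${INSTANCE_ID:-i-PLACEHOLDER}"   # OpenVPN server instance (placeholder)
RTB_ID="${RTB_ID:-rtb-PLACEHOLDER}"           # route table of the VPC subnet hosting it (placeholder)
CLIENT_CIDR="${CLIENT_CIDR:-10.8.0.0/24}"     # OpenVPN client pool (constructed)
SPOKE_CIDR="${SPOKE_CIDR:-10.200.0.0/16}"     # provider-side spoke range (constructed)

# --- Pure checks: each takes captured command output, so they can be tested offline ---

# /proc/sys/net/ipv4/ip_forward must read "1"; otherwise the server drops transit packets.
forwarding_enabled() { [ "$1" = "1" ]; }

# `ip route` output ($1) must cover the spoke range ($2), either exactly or via the default route.
kernel_has_route() { printf '%s\n' "$1" | grep -q -E "^($2|default) "; }

# A MASQUERADE/SNAT rule in `iptables -t nat -S` output is why NAT mode "just works":
# replies come back to the server's own VPC address instead of to an unknown client IP.
nat_in_use() { printf '%s\n' "$1" | grep -q -E 'MASQUERADE|SNAT'; }

# sourceDestCheck (describe-instance-attribute; text output prints "False"/"True") must be off.
source_dest_check_off() { [ "$1" = "false" ] || [ "$1" = "False" ]; }

# The VPC route table JSON ($1) must hold a route whose destination is the client pool ($2).
rtb_has_client_route() { printf '%s' "$1" | grep -q "\"DestinationCidrBlock\": \"$2\""; }

# --- Live run: only where the tooling exists (skipped elsewhere) ---
if [ -r /proc/sys/net/ipv4/ip_forward ]; then
  if forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)"; then echo "ip_forward: ok"
  else echo "ip_forward: OFF (sysctl -w net.ipv4.ip_forward=1)"; fi
fi
if command -v aws >/dev/null 2>&1; then
  sdc=$(aws ec2 describe-instance-attribute --instance-id "$INSTANCE_ID" \
        --attribute sourceDestCheck --query 'SourceDestCheck.Value' --output text)
  if source_dest_check_off "$sdc"; then echo "sourceDestCheck: off"
  else echo "sourceDestCheck: ON (aws ec2 modify-instance-attribute --instance-id $INSTANCE_ID --no-source-dest-check)"; fi
  routes=$(aws ec2 describe-route-tables --route-table-ids "$RTB_ID" --query 'RouteTables[0].Routes')
  if rtb_has_client_route "$routes" "$CLIENT_CIDR"; then echo "route table: $CLIENT_CIDR -> instance present"
  else echo "route table: no route for $CLIENT_CIDR (add one targeting $INSTANCE_ID)"; fi
fi
```

Run it on the OpenVPN server with the four variables exported for the real environment; the ip_forward and NAT checks explain the "works in NAT mode, fails in routing mode" symptom, the other two are the VPC side of the same return path.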

