the goal & issue
I have tried very hard to solve this, but I'm stuck. I'm not looking to create a site-to-site VPN, for reference.
I have successfully installed OpenVPN using ansible: https://github.com/BastiPaeltz/ansible-openvpn (required quite a few patches to get it to work with python3 and the latest easyrsa version plus fixing a couple bugs).
I am successfully pushing the route of my AWS VPC (172.31.0.0/16) to clients, and they can connect to hosts in that network, but this ceases to work when I configure them to not route all their traffic through the VPN (i.e, not redirect their gateway).
What do I need to do to preserve remote access to my VPC, but not have clients redirect their gateways? I am really struggling to decipher the OpenVPN documentation. There is no straightforward example of how to set up a simple remote access vpn that I've found, but maybe it's there an I missed it due to lack of experience with this.
configs:
server.conf:
NOTE: commenting out push "redirect-gateway def1" does not fix the issue.
dev tun-udp-1194
server 10.9.80.0 255.255.240.0
proto udp
port 1194
ca /etc/openvpn/pki/ca.crt
cert....
key ...
dh /etc/openvpn/pki/dh.pem
crl-verify /etc/openvpn/pki/crl.pem
#push "redirect-gateway def1"
route 172.31.0.0 255.255.0.0
# Fix for the Windows 10 DNS leak described here:
# https://community.openvpn.net/openvpn/ticket/605
push block-outside-dns
remote-cert-tls client
keepalive 10 120
tls-auth /etc/openvpn/pki/ta.key 0
cipher AES-256-CBC
tls-cipher TLS-DHE-DSS-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
auth SHA256
tls-version-min 1.2
comp-lzo
persist-key
persist-tun
verb 0
client.conf:
NOTE adding pull-filter ignore redirect-gateway breaks the VPN entirely, and I can't access the VPC; commenting out redirect-gateway def1 does nothing.
client
remote <my_ip> 1194 udp
# route all traffic through the VPN (comment out to prevent routing
# all traffic through the VPN, and retain your router's public IP, etc)
#redirect-gateway def1
# ignore any redirect-gateway configs pushed from the server; breaks the VPN
#pull-filter ignore redirect-gateway
dev tun
cipher AES-256-CBC
auth SHA256
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name "<dns_name>" name
tls-version-min 1.2
comp-lzo
key-direction 1
verb 3
These are the iptables rules I've configured on the server, via this script:
#!/usr/bin/env bash
# Generated by ansible
# This script is used to configure iptables to work with OpenVPN on this host
# Allow connections to the VPN
/sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT
# This rule is necessary for OpenVPN to work and forward IP packets
/sbin/iptables -t nat -A POSTROUTING -s 10.9.80.0/20 -o ens5 -j MASQUERADE
/sbin/iptables -A FORWARD -s 10.9.80.0/20 -j ACCEPT
# Allow SSH connections on the VPN
/sbin/iptables -A INPUT -p tcp -d 10.9.80.0/20 --dport 22 -j ACCEPT
The output is below.
root@ip-172-31-38-0:/etc/openvpn# iptables -n -L
Chain INPUT (policy ACCEPT) target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1194 ACCEPT tcp -- 0.0.0.0/0 10.9.80.0/20 tcp dpt:22
Chain FORWARD (policy ACCEPT) target prot opt source destination
ACCEPT all -- 10.9.80.0/20 0.0.0.0/0
Chain OUTPUT (policy ACCEPT) target prot opt source destination
root@ip-172-31-38-0:/etc/openvpn# iptables -t nat -n -L
target prot opt source destination
Chain INPUT (policy ACCEPT) target prot opt source destination
Chain OUTPUT (policy ACCEPT) target prot opt source destination
Chain POSTROUTING (policy ACCEPT) target prot opt source destination
MASQUERADE all -- 10.9.80.0/20 0.0.0.0/0
Any help in the form of actual configuration would be greatly appreciated; thanks.
route 172.31.0.0 255.255.0.0when placed in the server conf should be a pushed value. Or place it in the client conf.