3

I have set up a Transit Gateway and a Site-to-Site VPN connection from our on-prem to our AWS accounts. It is working like a charm.

We have remote users working at home who need remote connection to our infrastructure. So I set up an OpenVPN Server in one account, and an OpenVPN Client in the others + nomade users.

Now I was wondering if it was possible to use the OpenVPN Server with the Transit Gateway. This is to avoid having multiple OpenVPN Clients, one in each account.

Update

There is one account (infra) which is only set up to host a Site-to-Site VPN from AWS to on-prem and a Transit Gateway (automatic sharing is activated). In this account, the VPC is already linked to the Transit Gateway, so maybe it's already like a "shared" account/VPC.

Update 2

OpenVPN server is in a VPC, in the same account as the transit gateway. I:

  • added a transit gateway route for 10.0.9.0/24 -> VPC
  • added another account's CIDR to the TGW route table
  • added a VPC route for 10.0.9.0/24 -> OpenVPN ENI
  • added a route in a second account for 10.0.9.0/24 -> TGW

Am I missing something? It's not working.

5
  • If OpenVPN is server based then it needs to be in a VPC, and Transit Gateway runs as an account level service. You might be able to put OpenVPN in a shared services VPC and then let it route to all accounts over a transit gateway, but that may give users access to the VPC it's in - it may need its own VPC. Suggest you give it a go with OpenVPN in its own VPC and routing via your transit gateway. Once you have, perhaps update your question or provide an answer. Also unsure what a "nomade user" is in your question.
    – Tim
    Commented Oct 21, 2019 at 20:36
  • I have edited my question.
    – Kaymaz
    Commented Oct 22, 2019 at 8:57
  • I've changed "nomade" to "remote users working at home". When you've tried what I suggested above please edit your question. The way most organisations I've been in do this is users VPN from home into the corporate LAN, and then from the LAN they get access to AWS. This means the IP blocks that are put in place in AWS for security allow the users to access AWS resources.
    – Tim
    Commented Oct 22, 2019 at 18:09
  • @Tim I edited the question with the setup you proposed.
    – Kaymaz
    Commented Nov 1, 2019 at 9:26
  • Can you validate that an instance in the same VPN as the OpenVPN server can ping an instance in another VPC? That confirms the transit gateway is working. Once you've confirmed that you'll have to look at routing, maybe using VPC flow logs. AWS VPCs aren't transitive; off the top of my head the only way to typically enable that is to use an AWS VPN or a router appliance with source / destination check turned off. This isn't a trivial thing you're trying to do, and the information you're giving us is fairly limited.
    – Tim
    Commented Nov 2, 2019 at 6:34

1 Answer

0

I now have it working. I use Pritunl rather than pure OpenVPN.

  • My VPN server has a single NAT route to 0.0.0.0/0
  • VPC1 (172.31.0.0/16) - Transit gateway and my VPN server
  • VPC2 (172.42.0.0/16) - Another VPC attached to the transit gateway
  • Both VPCs are already attached to the TG

In each VPC add a route in your subnet route tables for the other VPC CIDR address to the TG.

4
  • Could you be a bit more precise please? I still don't get it :)
    – Kaymaz
    Commented Jan 24, 2020 at 20:39
  • Which areas do you need more information?
    – Adam Mills
    Commented Jan 27, 2020 at 1:57
  • The whole setup :) maybe by a diagram
    – Kaymaz
    Commented Jan 27, 2020 at 9:57
  • What does your client VPN config look like? The client still doesn't route properly for me.
    – scape
    Commented Sep 4, 2020 at 14:07
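
The answer above relies on the VPN server NATing client traffic to its own VPC address, so only the two VPC CIDRs need routes, while the question's Update 2 tries to route the 10.0.9.0/24 client pool itself end to end. The following is an added example, not code from the question, the answer or Pritunl: it walks a packet through the subnet route tables and the Transit Gateway route table with longest-prefix matching, using the CIDRs from the answer (172.31.0.0/16, 172.42.0.0/16) and the client pool from the question (10.0.9.0/24). The server address 172.31.0.10 and the target instance 172.42.1.10 are constructed; nothing here talks to AWS.

```python
"""Route-table walk for the Transit Gateway + VPN layouts discussed on this page.

Added example (not the post's own code). It models AWS longest-prefix-match
routing in-process so the two layouts can be compared without an account.
"""
import ipaddress

# CIDRs from the answer; which VPC the 'local' route of each table covers.
VPC_CIDR = {"vpc1": "172.31.0.0/16", "vpc2": "172.42.0.0/16"}

# Answer's layout: each VPC routes the other VPC's CIDR to the TGW, and the
# TGW route table maps each CIDR to the right attachment.
ANSWER_TABLES = {
    "vpc1": [("172.31.0.0/16", "local"), ("172.42.0.0/16", "tgw")],
    "vpc2": [("172.42.0.0/16", "local"), ("172.31.0.0/16", "tgw")],
}
ANSWER_TGW = [("172.31.0.0/16", "vpc1"), ("172.42.0.0/16", "vpc2")]


def lookup(table, dst):
    """Longest-prefix match over [(cidr, target), ...]; None when nothing matches.
    AWS picks the most specific prefix, so entry order does not matter."""
    best = None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(src_vpc, dst_ip, vpc_tables, tgw_table, max_hops=6):
    """Return the list of hops a packet takes from src_vpc towards dst_ip.
    Ends in 'delivered', 'blackhole' (no matching route) or 'loop'."""
    dst = ipaddress.ip_address(dst_ip)
    hops, vpc = [src_vpc], src_vpc
    for _ in range(max_hops):
        target = lookup(vpc_tables[vpc], dst)
        if target == "local":
            return hops + ["delivered"]
        if target == "vpn-eni":
            # The VPN instance forwards to the client; this only works with the
            # source/destination check disabled on that instance (Tim's comment).
            return hops + ["vpn-eni", "delivered"]
        if target != "tgw":
            return hops + ["blackhole"]
        hops.append("tgw")
        attachment = lookup(tgw_table, dst)
        if attachment not in vpc_tables:
            return hops + ["blackhole"]
        vpc = attachment
        hops.append(vpc)
    return hops + ["loop"]


def nat_layout_paths():
    """Answer's layout: client traffic is NATed to the VPN server's VPC1 address,
    so the 10.0.9.0/24 pool never appears in any route table.
    Returns (forward hops, return hops)."""
    server_ip = "172.31.0.10"  # constructed: VPN server's address in VPC1
    target_ip = "172.42.1.10"  # constructed: an instance in VPC2
    fwd = trace("vpc1", target_ip, ANSWER_TABLES, ANSWER_TGW)
    back = trace("vpc2", server_ip, ANSWER_TABLES, ANSWER_TGW)
    return fwd, back


def routed_pool_return_path(omit=None):
    """Question's Update 2 layout without NAT: the client pool must be routable
    on the way back, VPC2 -> TGW -> VPC1 -> OpenVPN ENI. `omit` drops one of the
    three pool routes ('vpc2', 'tgw' or 'vpc1') to show where replies are lost."""
    pool = "10.0.9.0/24"
    tables = {name: list(entries) for name, entries in ANSWER_TABLES.items()}
    tgw = list(ANSWER_TGW)
    if omit != "vpc2":
        tables["vpc2"].append((pool, "tgw"))       # second account: pool -> TGW
    if omit != "tgw":
        tgw.append((pool, "vpc1"))                 # TGW route table: pool -> VPC1
    if omit != "vpc1":
        tables["vpc1"].append((pool, "vpn-eni"))   # VPC1: pool -> OpenVPN ENI
    return trace("vpc2", "10.0.9.5", tables, tgw)


if __name__ == "__main__":
    fwd, back = nat_layout_paths()
    print("NAT layout forward:", " -> ".join(fwd))
    print("NAT layout return: ", " -> ".join(back))
    for missing in (None, "vpc2", "tgw", "vpc1"):
        label = f"missing {missing}" if missing else "all three routes"
        print(f"routed pool ({label}):", " -> ".join(routed_pool_return_path(missing)))
```

The NAT layout needs only the two symmetric VPC routes to deliver in both directions, which is why the answer lists nothing about the client pool. The non-NAT walk shows that a single missing pool route at any of the three hops drops the return traffic silently, so when the client "still doesn't route properly" the first thing to compare against VPC flow logs is which of those three tables lacks the 10.0.9.0/24 entry.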
