Wednesday, April 1, 2020

Routing traffic from on-prem subnet outside advertised BGP subnets to AWS VPC

Hi,

a little while back I tried setting up a site-to-site VPN between my on-prem lab and my AWS VPC.
I do this via CloudFormation, and I decided to advertise the AWS subnets via BGP.

Some details:

AWS VPC Subnet: 10.0.0.0/16
Subnet A in AWS: 10.0.0.0/24
Subnet B in AWS: 10.0.1.0/24
Subnet C in AWS: 10.0.2.0/24

On-prem subnet: 172.21.20.0/24

OpenVPN server IP address: 10.0.0.200
OpenVPN Tunnel subnet: 10.1.100.0/24

Laptop/OpenVPN Client ip: 10.1.100.60

Tried to make a gliffy as well: https://imgur.com/a/lKfjn03

Description

Currently, BGP from AWS advertises 10.0.0.0/16 successfully to my Juniper SRX, and traffic flows as expected with the VPN tunnel established.

In the AWS VPC, I have set up an OpenVPN server in EC2. It has an elastic public IP associated with it, and it sits in the subnet 10.0.0.0/24.

When I configured OpenVPN, I set the OpenVPN tunnel subnet to be 10.1.100.0/24.
This was chosen as you cannot specify a route more specific than the VPC CIDR, which is 10.0.0.0/16, in the route table.
The message if you try to specify a more specific route in the route table is "This route table is used by a subnet, and doesn't support route destination which are more specific than VPC local CIDR."
In the route table, I set up a static route for 10.1.100.0/24 -> IP address of the instance hosting the OpenVPN server, in order to get around the above issue.

When I connect to the OpenVPN server using my laptop (10.1.100.60), I can ping other servers hosted in the VPC, and I can also ping the OpenVPN client (the laptop) from a server hosted in EC2 in the 10.0.0.0/24 subnet. So the routing within the VPC works.

I can also, from the laptop, ping my servers hosted on-prem in the subnet 172.21.20.0/24.
The subnets are propagated to the route table in AWS via BGP.

My problem is, I cannot send traffic from on-prem (172.21.20.0/24) to the OpenVPN clients, since the route advertised from AWS via BGP is 10.0.0.0/16, and the OpenVPN traffic is using 10.1.100.0/24.
If I run tcpdump on one of my servers hosted on-prem (172.21.20.0/24) while pinging it from the laptop connected via OpenVPN, it sends the response back to the OpenVPN server (10.0.0.200).

So I know I need to route traffic destined for the subnet 10.1.100.0/24 to the OpenVPN server 10.0.0.200. That's clear to me.

However, from the AWS documentation "The virtual private gateway does not route any other traffic destined outside of received BGP advertisements, static route entries, or its attached VPC CIDR" https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html

Does the above have an impact in setting up a static route to the OpenVPN server?

How do I route traffic to the OpenVPN tunnel subnet from my on-prem SRX, via the already established AWS VPN tunnel to my VPC?

- Can I set up static routing? e.g. 10.1.100.0/24 -> 10.0.0.207. My brain is having a hard time understanding the language of the AWS documentation listed above.
I did a test already, but I could not get it to play along. I did this on the SRX: set routing-options static route 10.1.100.0/24 next-hop 10.0.0.207
I think this does not work because the IP address of the OpenVPN server, 10.0.0.207, is not reachable from within the SRX itself, as it's using a 169.x address. (https://forums.aws.amazon.com/thread.jspa?threadID=48379)
"show route 10.1.100.0" tells me that it's still routed by the route 0.0.0.0/0

- Did I shoot myself in the foot, and need to redesign the whole VPC and network (if so, how should I do it instead?)

I am fresh to both networking and AWS, so any hints appreciated :)
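Added example, not part of the original post: a small Python model of the two routing rules the question turns on, built from the prefixes in the "Some details" list. First, the AWS check quoted in the post (a subnet route table rejects a destination more specific than the VPC CIDR), showing that 10.1.100.0/24 is outside 10.0.0.0/16 and therefore accepted while something like 10.0.1.0/25 is not. Second, a longest-prefix lookup on the on-prem SRX with an assumed model of Junos static-route activation: a static route whose next-hop is an IP address only becomes active when that IP sits on a directly connected network, so the attempted route to 10.0.0.200 stays inactive and 10.1.100.60 keeps matching 0.0.0.0/0, as the poster's "show route" reported. The interface names (ge-0/0/0.0, ge-0/0/1.0, st0.0), the tunnel inside prefix 169.254.10.0/30, the WAN prefix 203.0.113.0/24 and the comparison route via st0.0 are assumptions for illustration, not details from the post; the post does not confirm that pointing the route at the tunnel interface is the fix.

```python
"""Route-table model for the post above (added example, not from the post).
Assumed: Junos only activates an IP next-hop that is directly connected;
an interface next-hop (e.g. "st0.0") is always usable."""
import ipaddress
from typing import List, NamedTuple, Optional, Union

Net = Union[str, ipaddress.IPv4Network]

# Prefixes from the post's "Some details" list.
VPC_CIDR = "10.0.0.0/16"
TUNNEL_SUBNET = "10.1.100.0/24"
ONPREM_SUBNET = "172.21.20.0/24"
OPENVPN_SERVER = "10.0.0.200"


class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    next_hop: str   # an IP address, or an interface name such as "st0.0"
    kind: str       # "direct", "static" or "bgp"


def net(n: Net) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(n) if isinstance(n, str) else n


def vpc_route_allowed(dest: Net, vpc_cidr: Net = VPC_CIDR) -> bool:
    """AWS rule quoted in the post: reject a destination that lies inside the
    VPC CIDR and is more specific than it; anything else is accepted."""
    d, v = net(dest), net(vpc_cidr)
    return not (d.subnet_of(v) and d.prefixlen > v.prefixlen)


def is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def active_routes(table: List[Route]) -> List[Route]:
    """Assumed Junos behaviour: a static route with an IP next-hop is active
    only if that IP falls inside a directly connected prefix."""
    direct = [r.dest for r in table if r.kind == "direct"]
    active = []
    for r in table:
        if r.kind == "static" and is_ip(r.next_hop):
            nh = ipaddress.ip_address(r.next_hop)
            if not any(nh in d for d in direct):
                continue  # next-hop not directly reachable: route stays inactive
        active.append(r)
    return active


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the active routes, like `show route <ip>`."""
    ip = ipaddress.ip_address(dst)
    best = None
    for r in active_routes(table):
        if ip in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best


def srx_table(extra: Optional[Route] = None) -> List[Route]:
    """On-prem SRX table as the post describes it: connected LAN, a default
    route, and 10.0.0.0/16 learned from AWS over BGP via the tunnel interface."""
    table = [
        Route(net(ONPREM_SUBNET), "ge-0/0/1.0", "direct"),
        Route(net("203.0.113.0/24"), "ge-0/0/0.0", "direct"),  # assumed WAN (TEST-NET-3)
        Route(net("169.254.10.0/30"), "st0.0", "direct"),      # assumed tunnel inside addresses
        Route(net("0.0.0.0/0"), "203.0.113.1", "static"),      # assumed ISP gateway
        Route(net(VPC_CIDR), "st0.0", "bgp"),
    ]
    if extra is not None:
        table.append(extra)
    return table


# The route the poster tried: the next-hop is across the tunnel, not directly
# connected, so under the model above it never activates.
ATTEMPTED = Route(net(TUNNEL_SUBNET), OPENVPN_SERVER, "static")
# Assumed alternative for comparison only: next-hop is the tunnel interface.
# The AWS side still needs its own 10.1.100.0/24 -> OpenVPN-instance route.
VIA_TUNNEL = Route(net(TUNNEL_SUBNET), "st0.0", "static")

if __name__ == "__main__":
    print("AWS accepts 10.1.100.0/24 static route:", vpc_route_allowed(TUNNEL_SUBNET))
    print("AWS accepts 10.0.1.0/25 static route:", vpc_route_allowed("10.0.1.0/25"))
    print("SRX lookup with attempted route:", lookup(srx_table(ATTEMPTED), "10.1.100.60"))
    print("SRX lookup via st0.0:", lookup(srx_table(VIA_TUNNEL), "10.1.100.60"))
```

Running the script prints that the 10.1.100.0/24 static route is accepted on the AWS side, that a 10.0.1.0/25 route would be rejected, that the lookup for 10.1.100.60 with the attempted route falls through to 0.0.0.0/0, and that the same lookup with an interface next-hop resolves to the /24. The model is deliberately minimal: it does not represent route preferences or BGP attributes, only the reachability and longest-prefix rules that explain the behaviour in the post.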
