OpenVPN inside AWS Client VPN

0

Hi there!

We have AWS Client VPN running, the endpoint only tunnels traffic into the private networks. I want to be able to route all traffic through it (to get a static IP that can be whitelisted), and could easily create another endpoint for this, but that would double the costs.

OpenVPN is free, but handling user authentication is a pain, while I have this already set up for AWS Client VPN. I wondered if I could just run OpenVPN inside AWS Client VPN.

So I set up OpenVPN with a shared certificate, on a host inside my private network, so only users who are already connected via AWS Client VPN can connect and have all their traffic tunnelled through.

Connection works, but then AWS Client VPN drops the connection, because the address space of my local network has changed.

Bummer. Any idea how to stop this? I already tried to make OpenVPN run a script that sets routes to the IPs of my VPN endpoint, so that this would still go through my standard gateway as before, but a) those IPs seem to change very frequently and b) it did not work anyway.

asked 2 months ago, 130 views
2 Answers
0

If you want to use this as an Internet access solution, to process all traffic with ClientVPN you just need to add a destination 0.0.0.0/0 route in the Endpoint Routes section on ClientVPN in the AWS Console.

Read the documentation here on how to do this: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-routes.html

AWS
EXPERT
answered 2 months ago
0

Your suggestion looks similar to de-activating split-mode, but implemented by adding a general route for 0.0.0.0/0. Interesting.

However, in most cases, we want it to be as it is, split-mode with only private traffic going through the VPN. But maybe... access to the individual subnets is granted by group memberships, so by changing a user's group membership, I could make him switch between all or partial traffic through the VPN. Somewhat clumsy though.

Not sure how to proceed. The easiest way would probably be to just create a second endpoint that will tunnel all traffic, and for cost saving, have this up only when needed, which will be not often. But then I have to figure out how to quickly get an endpoint up and down, and so I had the idea to use a VPN inside a VPN. Which seemed smart to me, until I saw AWS Client VPN dropping the connection.

answered 2 months ago
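One way to do what the first answer describes, written for this thread and not taken from it or from AWS: the two AWS CLI calls that add the default route on the endpoint and authorize it, scoped to a single access group so that the group-membership switch mentioned in the follow-up works without a second endpoint. The endpoint, subnet and group identifiers are placeholders.

```shell
# Added example, not from the post or the answers: make the Client VPN
# endpoint a full tunnel with the AWS CLI, and tie the 0.0.0.0/0 access to one
# directory group so that group membership decides who gets all-traffic routing.
# Endpoint, subnet and group IDs are placeholders. DRY_RUN=1 only prints the
# commands instead of running them.
set -eu

ENDPOINT_ID="${ENDPOINT_ID:-cvpn-endpoint-EXAMPLE}"  # placeholder
SUBNET_ID="${SUBNET_ID:-subnet-EXAMPLE}"             # subnet already associated with the endpoint
GROUP_ID="${GROUP_ID:-full-tunnel-group-EXAMPLE}"    # placeholder IdP/AD group ID
DRY_RUN="${DRY_RUN:-1}"

# Route: forward 0.0.0.0/0 from clients into the VPC through the associated
# subnet (that subnet needs its own NAT or IGW path to the Internet).
route_cmd() {
  echo "aws ec2 create-client-vpn-route" \
       "--client-vpn-endpoint-id $ENDPOINT_ID" \
       "--destination-cidr-block 0.0.0.0/0" \
       "--target-vpc-subnet-id $SUBNET_ID"
}

# Authorization rule: a route alone does nothing until a rule permits the CIDR.
# Limiting it to --access-group-id instead of --authorize-all-groups keeps
# everyone outside that group on split tunnel.
auth_cmd() {
  echo "aws ec2 authorize-client-vpn-ingress" \
       "--client-vpn-endpoint-id $ENDPOINT_ID" \
       "--target-network-cidr 0.0.0.0/0" \
       "--access-group-id $GROUP_ID"
}

# Undo when full-tunnel access is no longer needed; delete-client-vpn-route
# with the same arguments as route_cmd removes the route afterwards.
revoke_cmd() {
  echo "aws ec2 revoke-client-vpn-ingress" \
       "--client-vpn-endpoint-id $ENDPOINT_ID" \
       "--target-network-cidr 0.0.0.0/0" \
       "--access-group-id $GROUP_ID"
}

# Print in dry-run mode, otherwise execute (the arguments contain no spaces).
run() { if [ "$DRY_RUN" = 1 ]; then echo "[dry-run] $1"; else $1; fi; }

run "$(route_cmd)"
run "$(auth_cmd)"
```

Users in the group pick up the default route on their next connection; removing them from the group and running the revoke command puts them back on split tunnel.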