I am running a LEMP server locally behind my router. Everything is working as it should. Because I would prefer that my IP address isn't exposed to the world, I am attempting to tunnel the web server through an AWS instance running Ubuntu 18.04. I "thought" that it would be as easy as building the AWS Ubuntu OpenVPN cloud server, connecting my local web server to that server via OpenVPN in the terminal, and then changing my DNS A records to point towards the Amazon VPN server's IP address.
Apparently there is something I am missing, as I have done all of the above, yet I still cannot get my web server to serve traffic on my AWS IP address.
My setup: my local web server is successfully connected to my Ubuntu AWS instance via OpenVPN. My local web server is receiving my AWS instance's IP address properly. The OpenVPN server seems to be working properly. My DNS configuration has its A records pointing towards my AWS instance's IP address. I can browse the internet via the tunnel and whatsmyip.org is showing the proper AWS IP address.
On the EC2 instance, the output of ip addr show is:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
link/ether 0e:86:bb:81:3b:dd brd ff:ff:ff:ff:ff:ff
inet 172.31.47.112/20 brd 172.31.47.255 scope global dynamic eth0
valid_lft 3208sec preferred_lft 3208sec
inet6 fe80::c86:bbff:fe81:3bdd/64 scope link
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::2405:76a5:410a:17a7/64 scope link stable-privacy
valid_lft forever preferred_lft forever
On the local web server, the output of ip addr show is:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether dc:a6:32:14:6d:e1 brd ff:ff:ff:ff:ff:ff
inet 192.168.30.32/24 brd 192.168.30.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::815e:ba7:5be8:1fb5/64 scope link
valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether dc:a6:32:14:6d:e2 brd ff:ff:ff:ff:ff:ff
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.3/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::292b:b09f:9ac9:2cc7/64 scope link stable-privacy
valid_lft forever preferred_lft forever
On my EC2 instance, the output of sudo iptables -t nat -vnL is:
Chain PREROUTING (policy ACCEPT 396 packets, 22897 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 173 packets, 8430 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 361 packets, 44271 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 361 packets, 44271 bytes)
pkts bytes target prot opt in out source destination
223 14467 SNAT all -- * * 10.8.0.0/24 !10.8.0.0/24 to:172.31.47.112
On my local server, the output of sudo iptables -t nat -vnL is:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
As far as I can tell, my IP address is not changing upon reboot or restart of the VPN server. Lastly, in order to set up the VPN server on the EC2 side, I followed the following guide in case you want to check it out:
https://linuxhint.com/vpn_amazon_ec2_setup/
After this setup, my web server is not serving traffic on the Amazon IP address.
Could anyone tell me what exactly I might be missing here and how to remedy it?
You are missing the need to port forward / DNAT the traffic on the AWS instance back across your VPN (and maybe binding the web server to the tunnel IP and/or local firewalling, but DNAT is the big one).
You haven't provided your addressing, but you most likely have a NAT masquerade rule on your AWS iptables/firewall instance to allow browsing from your VPN. You also need to ensure AWS allows inbound connections for HTTP(S). You need to add a rule like (untested)
You will need to ensure these rules are added to your AWS server on reboot. The first is for HTTP, the second for HTTPS.
If you imagine your AWS box as a virtual SOHO router: the router/AWS box is, by default, configured to allow outbound connections, but does not know where to redirect incoming ones. The above lines are equivalent to setting up port forwards in the router to redirect traffic coming in on the router's external address to the internal IP of the server.
We know the IP address of the web server is 10.8.0.3 because of the 4th entry of the "ip addr show" output, which is for the tun0 interface, which is the OpenVPN tunnel.
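The port forward the answer describes, written out as an added example (it is not part of the question or the answer above). It builds the DNAT and FORWARD rules on the EC2 instance for HTTP and HTTPS, using the interface names and addresses visible in the question's ip addr and iptables output (eth0, tun0, 10.8.0.1, 10.8.0.3). The DRY_RUN and SNAT_TO_TUNNEL switches and the function names are this example's own assumptions, not anything the original poster or the linked guide uses.

```shell
#!/bin/sh
# Added example (not from the question or answer): build and apply the DNAT
# port-forward that sends inbound HTTP/HTTPS arriving on the EC2 instance down
# the OpenVPN tunnel to the local web server. Interface names and addresses
# come from the ip addr / iptables output in the question; DRY_RUN,
# SNAT_TO_TUNNEL and the function names are this example's own assumptions.
set -eu

WAN_IF="${WAN_IF:-eth0}"              # EC2 interface; AWS maps the public IP 1:1 onto 172.31.47.112
VPN_IF="${VPN_IF:-tun0}"              # OpenVPN server side, 10.8.0.1/24
VPN_GW="${VPN_GW:-10.8.0.1}"          # the instance's own tunnel address
WEB_IP="${WEB_IP:-10.8.0.3}"          # tunnel address of the local LEMP box
PORTS="${PORTS:-80 443}"              # TCP ports to forward
SNAT_TO_TUNNEL="${SNAT_TO_TUNNEL:-0}" # set to 1 only if the web server does NOT default-route via tun0

# Print (do not run) the rules for one TCP port so the set can be reviewed first.
forward_rules_for_port() {
    port="$1"
    # Match on the inbound interface, not on "-d <public IP>": packets arrive on
    # eth0 with the private 172.31.47.112 as destination, never the public IP.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $port -j DNAT --to-destination $WEB_IP:$port"
    # Let the rewritten packets cross from eth0 to tun0 (explicit, even though FORWARD is ACCEPT by default here).
    echo "iptables -A FORWARD -i $WAN_IF -o $VPN_IF -p tcp -d $WEB_IP --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
}

all_rules() {
    # Replies from the web server to the client travel tun0 -> eth0 and must be allowed through.
    echo "iptables -A FORWARD -i $VPN_IF -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $PORTS; do
        forward_rules_for_port "$p"
    done
    if [ "$SNAT_TO_TUNNEL" = "1" ]; then
        # Fallback when the web server does not send its default route through the
        # tunnel: make forwarded connections appear to come from 10.8.0.1 so the
        # replies return via tun0 instead of the home router. This costs you the
        # real client IP in the nginx access log, so leave it off when you can.
        echo "iptables -t nat -A POSTROUTING -o $VPN_IF -d $WEB_IP -j SNAT --to-source $VPN_GW"
    fi
}

# Execute one command line, or just echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "[dry-run] $1"
    else
        sh -c "$1"
    fi
}

apply_rules() {
    # Forwarding between eth0 and tun0 needs ip_forward on (already true if browsing through the VPN works).
    run "sysctl -w net.ipv4.ip_forward=1"
    all_rules | while IFS= read -r cmd; do
        run "$cmd"
    done
}

case "${1:-print}" in
    print) all_rules ;;      # sh forward.sh              -> show the rule set
    apply) apply_rules ;;    # sudo sh forward.sh apply   -> install it (DRY_RUN=1 to rehearse)
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Three checks after applying it: the EC2 security group must allow inbound TCP 80 and 443 or nothing ever reaches PREROUTING; nginx on the local box must listen on 0.0.0.0 or on 10.8.0.3, not only on 192.168.30.32; and the pkts counter on the new PREROUTING rule in sudo iptables -t nat -vnL should climb when you curl the AWS address from outside. The question's own evidence (whatsmyip.org reporting the AWS address from the web server) shows the web server already default-routes through the tunnel, so the SNAT_TO_TUNNEL fallback should stay at 0 there. To survive a reboot, install iptables-persistent and run sudo netfilter-persistent save once the rules are in place.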