I have several Amazon EC2 instances, running Ubuntu, which need to communicate (web servers and a MySQL server). I'd like to use OpenVPN to ensure their communication is secure and to reduce the number of open ports. I've been following this article, but I've run into a problem. Note: I'm using port 1194, not port 80, as shown in the article.
I've installed and configured the OpenVPN server on the MySQL server and setup a web server to connect to it as a client. Running ifconfig
shows a tunnel has been created on both sides, but data doesn't appear to be being transferred over it.
How do I change the default route to make it use the VPN tunnel? I'm assuming that's the problem, but I'm not positive.
Below are my server.conf and client.conf files. I am using tun rather than tap, from what I've read, I think that's the best choice. I currently have compression turned off, just to eliminate that as the problem.
server.conf
port 1194
proto udp
server 10.4.0.0 255.255.255.0
dev tun
dh dh1024.pem
ca ca.crt
cert mysqlserver.crt
key mysqlserver.key
client.conf
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote my-server-1 1194
;remote my-server-2 1194
remote myopenvpnserver.com 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert webclient.crt
key webclient.key
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
;comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
Given your current configuration, when a host is connected 10.4.0.0/24 network. If you use the IP in the 10.4.0.0/24 range to communicate between the hosts then it should cross the tunnel. Your server will most likely have the address 10.4.0.1. From a client you should be able to ping 10.4.0.1 while running a capture on the tun interface and see the ICMP cross the tunnel.
If you want all the communication between the hosts to cross the tunnel, then you probably need to use the private IPs in the VPN subnet to communicate between the hosts.
To make this easier you may want to adjust your VPN configuration to assign static IPs.
To push static addresses you would modify your server config like this.
OpenVPN server config.
/etc/openvpn/ccd/client1.example.org
/etc/openvpn/ccd/client2.example.org
/etc/openvpn/ccd/client3.example.org
I am not very familiar with EC2. How are they addressed? Specifically is each host on a different subnet, or are they all on the same subnet. If they are on a different subnet like this.
Then you could easily push a route from your OpenVPN server so that all traffic destined for one of those networks will use the vpn.
If the non-vpn interfaces of your hosts are all on the same subnet this won't work though. Since they will will be directly connected.