I'm not sure how best to solve this situation that I've found myself in. The VPN in this is running OpenVPN.
I have an app server that needs to make web server requests to a specific server that exists on another network and is only accessible via VPN. However, this machine is not connected to the VPN. There is another server in the farm which does batch processing tasks involving a database which is on the VPN, and therefore has a connection.
Obviously an easy answer to this issue would be to set up the VPN on the app server as well as the batch server, but these servers are in an EC2 farm using Scalr.net. At one point we had 15 app servers running and the client doesn't want to have 15 VPN connections running, and we run into the issue of each server needing its own certificate (as far as I know – my knowledge of OpenVPN is limited) and how to include a server-specific cert when each new app server is built off a standard image, so they would all be trying to connect with the same cert which is tied to an IP.
The app server needs to be able to send requests like this to a specific host that is at the other end of the VPN that's up and running on the batch box: https://xxx.xxx.xxx.xxx/client/WebService
Can this be achieved with an SSH tunnel or would I have to configure a VPN of my own between the two servers?
Ports 80 and 443 are in use on the app servers.
I feel I haven't explained this well enough, so please do ask questions if you need to.
I thank you all in advance, as I'm really not sure of the best solution here.
Thanks.
It's much simpler than that. You simply configure the batch server (i.e. the server that has the VPN connection to the other network) to become a router. You can then either
And, of course, the other side of the VPN tunnel needs to know that traffic for the subnet of the app servers needs to go into the tunnel (that's another route on the VPN endpoint).
Ideally for this sort of thing, your VPN connection should be a static tunnel, so that you don't have a "server" and a "client". If this cannot be done, the "server" should be on the remote side. Watch out for firewalls!
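The routing setup the answer describes, written out as an added example (this is not code from the question or the answer). It assumes Linux hosts with iptables, and every address in it is a placeholder: 10.0.1.0/24 for the app-server subnet, 10.0.1.5 for the batch server, tun0 for its OpenVPN interface, and 192.168.50.0/24 for the network on the far side of the VPN. With APPLY unset the script only prints the commands it would run; set APPLY=1 and run it as root on the right host to apply them. The FORWARD rules are there because of the "watch out for firewalls" point: only the app subnet, and only toward the remote network, gets forwarded through the batch box.

```shell
#!/bin/sh
# Added example, not from the original question or answer. All addresses are
# assumed placeholders; adjust them via the environment before running.
APP_SUBNET="${APP_SUBNET:-10.0.1.0/24}"       # subnet the app servers live in
BATCH_IP="${BATCH_IP:-10.0.1.5}"              # batch server = the VPN-connected box
REMOTE_SUBNET="${REMOTE_SUBNET:-192.168.50.0/24}"  # network reachable only via VPN
VPN_IF="${VPN_IF:-tun0}"                      # OpenVPN interface on the batch box

# Print the command unless APPLY=1, in which case execute it.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Convert a CIDR prefix ("a.b.c.d/24") to the dotted netmask OpenVPN's
# route/iroute directives expect ("255.255.255.0").
cidr_to_mask() {
  p="${1#*/}"
  m=$(( (4294967295 << (32 - p)) & 4294967295 ))
  printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
                         $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# Network part of a CIDR prefix ("a.b.c.d/24" -> "a.b.c.d").
cidr_net() { printf '%s\n' "${1%/*}"; }

# Run on the batch server: turn it into a router, but forward only traffic
# from the app subnet toward the remote network (and the replies back).
batch_server_router() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -A FORWARD -s "$APP_SUBNET" -d "$REMOTE_SUBNET" -o "$VPN_IF" -j ACCEPT
  run iptables -A FORWARD -i "$VPN_IF" -d "$APP_SUBNET" \
      -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -P FORWARD DROP
}

# Run on each app server: send traffic for the remote network via the batch
# box. This carries no credential, so it can live in the standard image.
app_server_route() {
  run ip route add "$REMOTE_SUBNET" via "$BATCH_IP"
}

# Config the far-side OpenVPN endpoint needs so replies for the app subnet go
# back into the tunnel. Assumes the far side is the OpenVPN *server* and the
# batch box is its client (the arrangement the answer recommends): "route"
# goes in the server config, "iroute" in the client-config-dir file for the
# batch box's certificate, so OpenVPN knows which client owns that subnet.
remote_endpoint_config() {
  net="$(cidr_net "$APP_SUBNET")"
  mask="$(cidr_to_mask "$APP_SUBNET")"
  printf 'route %s %s\n' "$net" "$mask"    # server.conf
  printf 'iroute %s %s\n' "$net" "$mask"   # ccd/<batch-box-cert-CN>
}

# Usage: sh route-via-batch.sh batch|app|remote   (APPLY=1 to execute)
case "${1:-}" in
  batch)  batch_server_router ;;
  app)    app_server_route ;;
  remote) remote_endpoint_config ;;
esac
```

After applying all three parts, the check from an app server is simply a request to the remote host (e.g. `curl -k https://192.168.50.10/client/WebService`, address again a placeholder) and, on the batch box, watching the packet counters of the FORWARD rules increase; if the request times out while the counters on the batch box do rise, the missing piece is almost always the return route on the far-side endpoint.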