I've got an ssh bastion host, but managing the ssh whitelist is annoying, and opening ssh to the world is suboptimal. I'd like to tuck a vpn server in front. Can't get openvpn to stay connected for more than an hour (I'm using 2fa and either openvpn or tunnelblick is apparently ignoring reneg-sec 0, causing hourly re-auth events).
openswan seems like a great option, but I can't get the routing working. I have disabled source/destination checking on the instance and created a route in the VPC routing table. I can connect and route traffic northbound, but not to the VPC subnets. Has anyone successfully done this? I suspect I specifically need help understanding how openswan is handling routing for client nat.
There are several things to verify. I had a mistake in my iptables config.
For posterity:
Disable source/destination check.
Create entry in VPC route table to enable routing to the VPN NAT subnet
Reading this setup script set me straight.
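As an added example (not the answer's setup script, which is not reproduced here, and not openswan's own tooling), the following POSIX sh script turns the three steps above into something you can print, apply and audit: the two AWS CLI calls for the source/dest check and the VPC route, the iptables forwarding and NAT rules for the IPsec client pool, and an `audit_rules` check that reads an `iptables-save` dump and confirms the rules the VPC leg depends on are present. The client pool (10.100.0.0/24), VPC CIDR (10.0.0.0/16), interface name, instance id and route table id are assumed placeholders, and the sample dump in `sample_dump` is constructed for the demo.

```shell
#!/bin/sh
# Added example, not the poster's script: the iptables side of an openswan
# (IPsec) gateway that forwards VPN clients into a VPC, plus the two AWS
# steps from the answer rendered as CLI calls. Every address, interface
# name and AWS id below is an assumed placeholder; override via environment.

VPN_CLIENT_NET="${VPN_CLIENT_NET:-10.100.0.0/24}"   # assumed: address pool given to IPsec clients
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"                 # assumed: the VPC the clients need to reach
LAN_IF="${LAN_IF:-eth0}"                            # assumed: the instance's VPC-facing interface
INSTANCE_ID="${INSTANCE_ID:-i-PLACEHOLDER}"         # placeholder: the openswan instance
ROUTE_TABLE_ID="${ROUTE_TABLE_ID:-rtb-PLACEHOLDER}" # placeholder: route table of the VPC subnets

# Steps 1 and 2 of the answer: turn the source/dest check off, and add a VPC
# route so replies for the client pool come back to this instance. Printed, not run.
render_aws_steps() {
  printf '%s\n' \
    "aws ec2 modify-instance-attribute --instance-id $INSTANCE_ID --no-source-dest-check" \
    "aws ec2 create-route --route-table-id $ROUTE_TABLE_ID --destination-cidr-block $VPN_CLIENT_NET --instance-id $INSTANCE_ID"
}

# Step 3: forwarding and NAT. Clients reach the VPC with their real pool
# addresses (which is what the route table entry is for) and are masqueraded
# only for traffic leaving northbound. FORWARD defaults to DROP so nothing in
# the VPC or on the internet can open connections towards a client.
render_iptables() {
  printf '%s\n' \
    "sysctl -w net.ipv4.ip_forward=1" \
    "iptables -P FORWARD DROP" \
    "iptables -A FORWARD -s $VPN_CLIENT_NET -d $VPC_CIDR -j ACCEPT" \
    "iptables -A FORWARD -s $VPN_CLIENT_NET ! -d $VPC_CIDR -o $LAN_IF -j ACCEPT" \
    "iptables -A FORWARD -d $VPN_CLIENT_NET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
    "iptables -t nat -A POSTROUTING -s $VPN_CLIENT_NET ! -d $VPC_CIDR -o $LAN_IF -j MASQUERADE"
}

# Run the iptables plan on this host (needs root).
apply_iptables() {
  render_iptables | sh -e
}

# Check an iptables-save dump ($1) for the two rules this plan relies on for
# the VPC leg: the client->VPC FORWARD accept, and a MASQUERADE that leaves
# VPC-bound traffic un-NATed. Returns 0 when both are present, 1 otherwise.
audit_rules() {
  dump="$1"
  grep -Fq -- "-A FORWARD -s $VPN_CLIENT_NET -d $VPC_CIDR -j ACCEPT" "$dump" || {
    echo "audit: no FORWARD accept for $VPN_CLIENT_NET -> $VPC_CIDR" >&2
    return 1
  }
  grep -Fq -- "-A POSTROUTING -s $VPN_CLIENT_NET ! -d $VPC_CIDR -o $LAN_IF -j MASQUERADE" "$dump" || {
    echo "audit: MASQUERADE for $VPN_CLIENT_NET missing or not excluding $VPC_CIDR" >&2
    return 1
  }
  return 0
}

# Constructed iptables-save dump in the shape the plan above produces; used by
# the demo mode so the audit can be exercised without touching a live host.
sample_dump() {
  cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $VPN_CLIENT_NET ! -d $VPC_CIDR -o $LAN_IF -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s $VPN_CLIENT_NET -d $VPC_CIDR -j ACCEPT
-A FORWARD -d $VPN_CLIENT_NET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

case "${1:-plan}" in
  plan)  render_aws_steps; render_iptables ;;
  apply) apply_iptables ;;
  audit) tmp=$(mktemp); iptables-save > "$tmp"
         if audit_rules "$tmp"; then rc=0; else rc=1; fi
         rm -f "$tmp"; exit "$rc" ;;
  demo)  tmp=$(mktemp); sample_dump > "$tmp"
         if audit_rules "$tmp"; then echo "demo: constructed dump passes audit"; fi
         rm -f "$tmp" ;;
esac
```

`sh gateway.sh plan` prints the commands without running anything, `apply` executes the iptables plan as root, and `audit` checks the live ruleset after you've applied it. The `! -d $VPC_CIDR` exclusion on the MASQUERADE rule is the design choice to notice: if you masquerade everything, VPC hosts see the gateway's address and the route table entry does nothing; if you exclude the VPC, clients are routed with their real pool addresses and the entry from step 2 is what carries the replies back.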