I want to set up a VPN from one EC2 instance in a default VPC the other instances in the same VPC can use so I am doing some initial tests. I have 2 test instances running and they can ping each other. When I route a test public IP from one to the other the packets do go out from eth0 of the sender instance (as seen by tcpdump
with the expected target MAC address (so I guess I have host routing set right) but never arrive at the target instance. I have tested this 2 ways, one via 172.31.0.1 , and also directly using the IP of the other instance as the gateway. iptables
on both hosts (Ubuntu and Amazon Linux both tested) is empty. The test public IP was added as a route on the VPC master routing table using the test receive instance as the gateway.
My goal is that instances I launch in that VPC that send to any non-VPC IP end up going to the instance I run the VPN on (still undecided between IPsec or OpenVPN). How can I get the packets to go through on EC2 over a default VPC? I suspect there is more to this than I find in the AWS docs or via Google (maybe some other EC2 object ... do I have all the concepts right?).
Routing of traffic to a VPN concentrator is done in the same way routing is done to a NAT instance.
Disable the IP source/dest check on the target instance to allow the traffic through, and then
use the VPC routing tables (not static routes in individual instances) to forward the traffic to the VPN concentrator by its instance-ID/elastic network interface-ID.
The instances using such a route as their default route will, of necessity, only have private IP addresses assigned.