I'm trying to setup a VPN server in an AWS environment. I have setup the server using the same configuration as I use on a working Digital Ocean host (with the exception of a different server IP range and port), and I can connect from a client running tunnelblick.
However, when I connect to the AWS VPN server, I do not receive an IP address on my client tunX device and no routes are updated. When I connect to the DigitalOcean one, I get an IP address within the server IP range from my openvpn server.conf
My the NACL on my VPC in AWS allows all traffic inbound and all traffic outbound.
There is only one security group associated with the EC2 instance and that allows all traffic with protocol All, Port Range All and Destination 0.0.0.0/0
Source/Destination Check is disabled on the instance, but the same behaviour happened with this enabled.
The subnet my EC2 instance is associated with has a route to a valid internet gateway and can access the internet
My AWS /etc/openvpn/server.conf is as follows:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/ip-foo.crt
key /etc/openvpn/easy-rsa/keys/ip-foo.key
user nobody
group nogroup
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.20.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
push "route 172.100.0.0 255.255.0.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
persist-key
persist-tun
status openvpn-status.log
verb 3
My DigitalOcean server.conf is
port 443
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/foo.crt
key /etc/openvpn/easy-rsa/keys/foo.key
user nobody
group nogroup
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.4.0 255.255.255.0
ifconfig-pool-persist 443ipp.txt
keepalive 10 120
comp-lzo
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
persist-key
persist-tun
verb 3
A sample client log is at https://pastebin.com/tYwAKFwn
When connecting to the AWS server, I see the following in the output of journalctl -f
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 TLS: Initial packet from [AF_INET]my.public.ip:56720, sid=f565fbbe 3fc25003
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 VERIFY OK: depth=1, C=GB, ST=Your Province, L=Your City, O=Your Organisation, OU=Your organisational unit, CN=Your Organisation CA, name=EasyRSA, emailAddress=Organisation CA e-mail
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 VERIFY OK: depth=0, C=GB, ST=Your Province, L=Your City, O=Your Organisation, OU=Your organisational unit, CN=vpnclient, name=EasyRSA, emailAddress=Organisation CA e-mail
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558'
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 [vpnclient] Peer Connection Initiated with [AF_INET]my.public.ip:56720
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: vpnclient/my.public.ip:56720 MULTI_sva: pool returned IPv4=10.8.20.6, IPv6=(Not enabled)
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: vpnclient/my.public.ip:56720 MULTI: Learn: 10.8.20.6 -> vpnclient/my.public.ip:56720
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: vpnclient/my.public.ip:56720 MULTI: primary virtual IP for vpnclient/my.public.ip:56720: 10.8.20.6
Output of ifconfig tun0 on the AWS server is
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.20.1 P-t-P:10.8.20.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
but I never get an IP on the tun device, and can't ping 10.8.20.1
Any pointers would be much appreciated!
atm i do not have time to go through your things, but I have a working setup for openvpn.
Here are a few things that may help:
My server and client configs server.conf and client.ovpn
Try using this to automatically configure your aws instance: Nyr OpenVPN installer
also try using a static ip instead of just the one that is randomly generated