Connecting multiple LANs with OpenVPN's iroute directive

by Sar009   Last Updated January 12, 2018 21:00 PM

I have multiple AWS VPC networks and want to connect them in the following configuration using OpenVPN:

+---------+             +---------+
| vpc1    |             | vpc2    |
+---------+             +---------+
           \           /
            +---------+
            | vpc0    |
            +---------+
                 |
            +---------+
            | local   |
            +---------+

and below are the details of each VPC:

+------+---------+---------+
| VPC  | subnet  | region  |
+------+---------+---------+
| vpc0 | 10.0/16 | region0 |
| vpc1 | 10.1/16 | region1 |
| vpc2 | 10.2/16 | region0 |
+------+---------+---------+

I am able to connect to all the instances in vpc0 using a simple OpenVPN configuration, and since vpc2 is in the same region I was able to set up VPC peering with vpc0 and connect to instances in vpc2. However, I am not able to access instances in vpc1.

My OpenVPN server.conf in vpc0 looks like this:

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
mode server
topology subnet

push "route 10.0.0.0 255.255.0.0"
push "route 10.1.0.0 255.255.0.0"
push "route 10.2.0.0 255.255.0.0"
route 10.1.0.0 255.255.0.0

keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0

Client configuration for vpc1 in /etc/openvpn/ccd:

ifconfig-push 10.8.0.1 255.255.255.0
push "route 10.0.0.0 255.255.0.0"
iroute 10.1.0.0 255.255.0.0

Route table in vpc0:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.0.0.1        0.0.0.0         UG        0 0          0 eth0
10.0.0.0        *               255.255.240.0   U         0 0          0 eth0
10.1.0.0        10.8.0.2        255.255.0.0     UG        0 0          0 tun0
10.8.0.0        *               255.255.255.0   U         0 0          0 tun0

To connect from vpc1 I created a client certificate as vpc1.ovpn and then just started a process on the vpc1 machine with openvpn --config vpc1.ovpn. After starting this process I am able to reach any machine in vpc0 and vpc2 from vpc1, but I am not able to reach vpc1 instances from a vpc0 machine or any other instance. The route table on the vpc1 machine is:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.1.0.1        0.0.0.0         UG        0 0          0 eth0
10.0.0.0        10.8.0.1        255.255.0.0     UG        0 0          0 tun0
10.1.0.0        *               255.255.240.0   U         0 0          0 eth0
10.1.0.0        10.8.0.1        255.255.0.0     UG        0 0          0 tun0
10.2.0.0        10.8.0.1        255.255.0.0     UG        0 0          0 tun0
10.8.0.0        *               255.255.255.0   U         0 0          0 tun0

P.S. I followed this for the setup.
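As an added example (not part of the question, and not OpenVPN's own tooling), the following Python script statically checks a server.conf together with its client-config-dir files against two rules the OpenVPN manual states for LAN-to-LAN routing through a ccd file: every `iroute` needs a matching `route` in server.conf (the `route` makes the kernel send the traffic into the tunnel, the `iroute` tells OpenVPN which client receives it), and with `topology subnet` the server itself takes the first host address of the `server` pool, so a client's `ifconfig-push` address must lie inside that subnet and must not be that address. The server.conf and ccd file from the question are copied inline as constructed input; the second ccd variant with address 10.8.0.10 is my own assumption, chosen only to show a clean run. The checks stop at the OpenVPN configuration and say nothing about the pieces a site-to-site setup also depends on (IP forwarding on the vpc1 client, the VPC route tables and the instance source/destination check), which are the next things to verify.

```python
"""Static checks for an OpenVPN site-to-site (ccd + iroute) setup.

Added example: parses server.conf and client-config-dir files and reports
violations of the routing rules OpenVPN's manual states for this layout.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed input: the relevant lines of the server.conf from the question.
SERVER_CONF = """\
port 1194
proto udp
dev tun
key server.key  # This file should be kept secret
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
topology subnet
push "route 10.0.0.0 255.255.0.0"
push "route 10.1.0.0 255.255.0.0"
push "route 10.2.0.0 255.255.0.0"
route 10.1.0.0 255.255.0.0
"""

# Constructed input: the ccd file for the vpc1 client, as posted.
CCD_AS_POSTED = {
    "vpc1": 'ifconfig-push 10.8.0.1 255.255.255.0\n'
            'push "route 10.0.0.0 255.255.0.0"\n'
            'iroute 10.1.0.0 255.255.0.0\n',
}

# Assumed variant: any unused pool address works; 10.8.0.10 is an arbitrary choice.
CCD_FIXED = {
    "vpc1": 'ifconfig-push 10.8.0.10 255.255.255.0\n'
            'push "route 10.0.0.0 255.255.0.0"\n'
            'iroute 10.1.0.0 255.255.0.0\n',
}


def parse_directives(text: str) -> List[Tuple[str, List[str]]]:
    """Split an OpenVPN config into (directive, args) pairs.
    '#' comments and blank lines are dropped; a double-quoted argument
    such as push "route ..." is kept as a single argument."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = [quoted or bare
                  for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', line)]
        directives.append((tokens[0], tokens[1:]))
    return directives


def to_network(addr: str, mask: str = "255.255.255.255") -> ipaddress.IPv4Network:
    """Build a network from OpenVPN's 'address netmask' argument form."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def check_site_to_site(server_conf: str, ccd: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    kernel_routes = set()   # networks server.conf sends into the tunnel via 'route'
    vpn_net = None
    topology = "net30"      # OpenVPN's default when 'topology' is absent
    for name, args in parse_directives(server_conf):
        if name == "server" and len(args) >= 2:
            vpn_net = to_network(args[0], args[1])
        elif name == "route" and args:
            kernel_routes.add(to_network(*args[:2]))
        elif name == "topology" and args:
            topology = args[0]
    if vpn_net is None:
        return ["server.conf: no 'server' directive found"]
    if topology != "subnet":
        findings.append(f"server.conf: topology is '{topology}', these checks assume 'topology subnet'")
    # With 'topology subnet' the server itself uses the first host address of the pool.
    server_addr = vpn_net.network_address + 1

    for client, text in ccd.items():
        for name, args in parse_directives(text):
            if name == "iroute" and args:
                lan = to_network(*args[:2])
                if lan not in kernel_routes:
                    findings.append(f"ccd/{client}: iroute {lan} has no matching 'route' in server.conf, "
                                    "so the kernel never hands that traffic to OpenVPN")
            elif name == "ifconfig-push" and args:
                addr = ipaddress.IPv4Address(args[0])
                if addr not in vpn_net:
                    findings.append(f"ccd/{client}: ifconfig-push {addr} is outside the VPN subnet {vpn_net}")
                elif addr == server_addr:
                    findings.append(f"ccd/{client}: ifconfig-push {addr} collides with the server's own tunnel address")
    return findings


if __name__ == "__main__":
    for label, ccd in (("as posted", CCD_AS_POSTED), ("fixed", CCD_FIXED)):
        print(f"== ccd {label} ==")
        for finding in check_site_to_site(SERVER_CONF, ccd) or ["OK: no findings"]:
            print(" ", finding)
```

Run on the files quoted in the question, the checker passes the `iroute`/`route` pairing and reports the `ifconfig-push` address colliding with the server's tunnel address; dropping the bare `route 10.1.0.0 255.255.0.0` line from server.conf makes it report the orphaned `iroute` instead.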
