I've got an ssh bastion host, but managing the ssh whitelist is annoying, and opening ssh to the world is suboptimal. I'd like to tuck a vpn server in front. Can't get openvpn to stay connected for more than an hour (I'm using 2fa and either openvpn or tunnelblick is apparently ignoring reneg-sec 0, causing hourly re-auth events).
openswan seems like a great option, but I can't get the routing working. I have disabled source/destination checking on the instance and created a route in the VPC routing table. I can connect and route traffic northbound, but not to the VPC subnets. Has anyone successfully done this? I suspect I specifically need help understanding how openswan is handling routing for client nat.