
I've got an ssh bastion host, but managing the ssh whitelist is annoying, and opening ssh to the world is suboptimal. I'd like to tuck a VPN server in front. I can't get OpenVPN to stay connected for more than an hour (I'm using 2FA and either OpenVPN or Tunnelblick is apparently ignoring reneg-sec 0, causing hourly re-auth events).

Openswan seems like a great option, but I can't get the routing working. I have disabled source/destination checking on the instance and created a route in the VPC routing table. I can connect and route traffic northbound, but not to the VPC subnets. Has anyone successfully done this? I suspect I specifically need help understanding how Openswan is handling routing for client NAT.

  • Note, OpenVPN reneg-sec=0 works to eliminate the 2FA re-auth problem. I was just failing to explicitly re-load my config file on the client side.
    – jorfus
    Commented Sep 2, 2015 at 0:49

1 Answer


There are several things to verify. I had a mistake in my iptables config.

For posterity:

  1. Disable source/destination check.

  2. Create entry in VPC route table to enable routing to the VPN NAT subnet

  3. iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth+ -j SNAT --to-source ${PRIVATE_IP}

Reading this setup script set me straight.
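An added example, not part of the answer above: a small POSIX shell script that builds the SNAT rule from the three steps with input validation, applies it only when it is not already present, and audits the prerequisites (IP forwarding, the rule, and the EC2 source/destination check) on the host. It assumes the 192.168.0.0/24 client pool from the answer; the private IP and instance id are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the answer: validate inputs, build the SNAT rule
# the answer relies on, apply it idempotently, and audit the prerequisites.
# Assumes the VPN client pool 192.168.0.0/24 from the answer; the host's
# private IP and EC2 instance id are passed in by the caller.

# Validate a dotted-quad IPv4 address: four octets, each 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Validate an IPv4 CIDR such as 192.168.0.0/24.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    valid_ipv4 "${1%/*}" || return 1
    p=${1#*/}
    echo "$p" | grep -Eq '^[0-9]{1,2}$' && [ "$p" -le 32 ]
}

# Print the iptables arguments for the SNAT rule ("-t nat" is required:
# POSTROUTING lives in the nat table). Prints nothing and fails on bad input.
snat_rule() {
    valid_cidr "$1" && valid_ipv4 "$2" || return 1
    printf '%s\n' "-t nat -A POSTROUTING -s $1 -o eth+ -j SNAT --to-source $2"
}

# Append the rule only if it is not already present; re-running "-A"
# blindly duplicates the rule on every boot or deploy.
ensure_snat_rule() {   # usage: ensure_snat_rule <client-cidr> <private-ip>
    if iptables -t nat -C POSTROUTING -s "$1" -o eth+ -j SNAT --to-source "$2" 2>/dev/null; then
        echo "SNAT rule already present"
    else
        iptables $(snat_rule "$1" "$2")
    fi
}

# Audit the prerequisites from the answer: kernel forwarding, the SNAT rule,
# and the EC2 source/destination check being disabled (uses the aws cli).
audit() {   # usage: audit <instance-id> <private-ip>
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || echo "FAIL: ip_forward is 0"
    iptables -t nat -C POSTROUTING -s 192.168.0.0/24 -o eth+ -j SNAT --to-source "$2" 2>/dev/null \
        || echo "FAIL: SNAT rule for 192.168.0.0/24 missing"
    aws ec2 describe-instance-attribute --instance-id "$1" --attribute sourceDestCheck \
        --query 'SourceDestCheck.Value' --output text | grep -qi '^false$' \
        || echo "FAIL: source/destination check still enabled on $1"
}
```

Source the file as root and run `audit <instance-id> <private-ip>` after `ensure_snat_rule 192.168.0.0/24 <private-ip>`; any FAIL line points at the step that is still missing.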
