Openvpn – Access instance behind ELB through OpenVPN server

amazon-elbamazon-web-servicesopenvpn

I want to redirect the traffic through an openvpn server only for some specific domains (dev.mydomain.com, admin.mydomain.com, jira.mydomain.com, etc) which are hosted on some ec2 machines and they are behind some ELBs (each one with 2 AZs – so it has 2 public IPs) and the domains are managed through route53.

In my vpn server config I have

push "route 54.72.xxx.xyz 255.255.255.255 10.8.0.1 1" # dev.mydomain.com
push "route 54.72.xxx.xyz 255.255.255.255 10.8.0.1 1" # 2nd IP for dev.mydomain.com
....

for each domain. Unfortunately also these AWS ELB IPs are changing from time to time and I have to update my server config manually.

Do you know a solution for this?

Best Answer

There are two main ways how to address this:

Keep public access to dev, admin, jira and only optionally route traffic through the VPN. That's what you seem to be doing now. You will have to keep re-resolving the hostnames to IPs as the IPs occasionally change as you know.
- One way is to update the server config push route lines from time to time, e.g. using cron.
  
  In your openvpn.conf on the server add a line that will make it read additional config from a separate file:
```
dev tun
server ...
config /etc/openvpn/elb-routes.inc # <- This file gets updated automatically
```
  Then create a cron job that runs this script every hour:
```
#!/bin/bash -e

# Resolve each of the ELB_HOSTNAMES below and update the server config

ELB_HOSTNAMES="dev.mydomain.com admin.mydomain.com jira.mydomain.com"
for ELB_HOSTNAME in ${ELB_HOSTNAMES}; do
    for ELB_IP in $(host -t A ${ELB_HOSTNAME} | awk '/has address/{print $NF}'); do
    echo "push \"route ${ELB_IP} 255.255.255.255 vpn_gateway 1\""
    done
done > /etc/openvpn/elb-routes.inc

systemctl reload openvpn.service
```
  It will update the list of push routes in /etc/openvpn/elb-routes.inc with the most recent IPs of the ELBs so you always get the correct routes.
  
  You can go even fancier and hook up this script on CloudWatch Event that's created every time the ELB IP changes to get it updated immediately :)
- Another option is to do the ELB hostname to IP resolving on the client. To do that remove the push route command from the server config and instead create the routes dynamically when the client connects.
  
  To do that create an openvpn up script on the client that will be called every time you connect to the VPN:
```
script-security 2
up /etc/openvpn/up.sh
```
  Then in /etc/openvpn/up.sh you can resolve the current IPs of your ELBs and create the appropriate routes:
```
#!/bin/bash
# Resolve each of the ELB_HOSTNAMES below and insert route through the VPN

ELB_HOSTNAMES="dev.mydomain.com admin.mydomain.com jira.mydomain.com"
for ELB_HOSTNAME in ${ELB_HOSTNAMES}; do
    for ELB_IP in $(host -t A ${ELB_HOSTNAME} | awk '/has address/{print $NF}'); do
        ip route add $ELB_IP via $route_vpn_gateway dev $dev
    done
done
```
  Note that you will need the host command from bind9-host (Ubuntu) or bind-utils (Fedora) packages.
  
  Now every time you bring up your OpenVPN connection it will run this script, resolve the hostnames, and run commands like this:
```
# IPs for dev.mydomain.com ...
ip route add 52.65.12.34 via $route_vpn_gateway dev $dev
ip route add 13.211.56.78 via $route_vpn_gateway dev $dev
```
  For more info about OpenVPN up/down scripts check the OpenVPN man page, namely sections for --up, --script-security and Environmental variables.
Another and IMO better option is to restrict access to dev, admin, jira to VPN only and don't permit access without VPN at all.

That's not what you are asking for in the question but it may be a good option for increased security - no one without the VPN will be able to access these restricted hosts.

To do that simply change the ELBs to Scheme: internal - that will give them only private IP addresses (e.g. from 172.31.0.0/16 range) and assuming your VPN is configured to route all the traffic to 172.31.0.0/16 from your clients you will have the only have access to dev, admin, jira over VPN.

Hope one of these methods will work for you :)

Related Solutions

What’s the options if you must provide a static IP endpoint for your service behind AWS ELB

In the end, I go with the TCP SSL pass-through reverse proxy solution, here is my HAProxy config :

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    option tcplog
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s/%si\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
    log global

resolvers dns
    nameserver google 8.8.8.8

# pass 80 port request to AWS ELB
listen http-proxy
    bind *:80
    mode tcp
    server elb my.elb.amazonaws.com:80 check resolvers dns

# pass 443 port request to AWS ELB
listen https-proxy
    bind *:443
    mode tcp
    server elb my.elb.amazonaws.com:443 check resolvers dns

Some explanation :

The proxy listen connections from port 80 and 443, then pass to the ELB endpoint.
HAProxy will resolve the IP dynamically with DNS I specify
Use TCP mode so there is no need to create extra SSL certification for the proxy

I did some tests and it works well.

However I did notice a downside (or just didn't know how to solve it)

Unable to put real client IP into HTTP header because it is in TCP mode

This may cause problems if you want to allow some IPs to access certain service.

Openvpn – Communicating between private IP addresses on two separate networks through OpenVPN

Yes, it is possible.

Each end of the tunnel must have interfaces in respective end's private networks. That is, for example 10.8.0.1 must have an address in 192.168.20.0/24 network and 10.8.0.2 must have an address in 172.16.1.0/24 network (I guessed the netmasks for the networks just for example, your setup might be different).

Then, you need to enable proper routing on the devices.

For clients in 192.168.20.0/24 network, they need to have a route in their routing table that tells them to route packets to 172.16.1.0/24 via 192.168.20.x, where x is the octet corresponding to the other interface of the 10.8.0.1 server.

Then, the server at 10.8.0.1 has to have a routing table entry which tells that packets to 172.16.1.0/24 network have to be sent via 10.8.0.2, that is, the other end of the tunnel.

Then you need to have corresponding rules for the other end of the tunnel, swapping network addresses.

Easiest way to implement this is to run the OpenVPN server / client on the router for that network. Then one doesn't need to add the routing rules for each client, since the routing is handled by the default gateway. In this case, one only need the routing rule at the OpenVPN server / client.

If OpenVPN server / client is a different machine than the default router, then one needs to distribute the network routes to the clients. One way to do this is via DHCP. One method is described in How can I configure my DHCP server to distribute IP routes?.

Best Answer

Related Solutions

What’s the options if you must provide a static IP endpoint for your service behind AWS ELB

Openvpn – Communicating between private IP addresses on two separate networks through OpenVPN

Related Topic