I need to access some hosts that are accessible through OpenVPN from my AWS VPC private subnet. My VPC setup is similar to the one described here.
Inside the private subnet I've created an EC2 instance which starts an OpenVPN client with the following command:
    openvpn --verb 3 --config config.ovpn --script-security 2 --up up.sh
Content of the up.sh script (run by OpenVPN once the tunnel is up):
    #!/bin/bash
    # Let the kernel forward packets between eth0 and the tunnel interface.
    /sbin/sysctl -w net.ipv4.ip_forward=1
    # Forward traffic arriving from the VPC (eth0) into the tunnel ...
    /sbin/iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
    # ... and let the replies to those connections back out.
    /sbin/iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Rewrite the source of forwarded packets to the tunnel address so the
    # hosts behind the VPN can reply without a route back to the VPC.
    /sbin/iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
Let's assume that 171.20.0.0/16 is the subnet behind the VPN. The route table for the private subnet looks like this:
    DESTINATION      TARGET
    10.0.0.0/16      local
    0.0.0.0/0        nat-gateway
    171.20.0.0/16    ec2-instance-with-openvpn-client
I'm using default security groups.
My problem is that I cannot access hosts behind the VPN from a Docker image running in an ECS cluster inside the private subnet. The OpenVPN client is working properly because I can access hosts behind the VPN directly from the EC2 instance. From what I was able to observe, I think that traffic from Docker never reaches the EC2 instance, but I'm not 100% sure about that.
Best Answer
The VPC network is a software-defined network: a layer 3 network that emulates Ethernet. By default, the network doesn't allow traffic to pass to or from an EC2 instance that doesn't have exactly that instance's address as source or destination address (depending on the direction of the traffic)... so the check must be disabled for cases like this one.
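The check the answer refers to is the instance's source/destination check attribute. The script below is an added example, not part of the question or the answer: it turns the attribute off on the OpenVPN gateway instance with the AWS CLI and then reads it back to confirm. It assumes AWS CLI v2 is installed and credentialed, and takes the instance ID from an INSTANCE_ID environment variable (a placeholder chosen here, not something from the post). The JSON parsing helper works on the shape `describe-instance-attribute` prints and is exercised against a constructed sample response so it can be run without an AWS account.

```shell
#!/bin/sh
# Added example (not from the original post): disable and verify the EC2
# source/destination check on the instance that forwards traffic into the VPN.
# Assumptions: AWS CLI v2 on PATH with credentials; INSTANCE_ID is a placeholder
# environment variable, not an identifier from the post.

# Pull the boolean out of the JSON that
#   aws ec2 describe-instance-attribute --attribute sourceDestCheck
# prints, e.g. {"InstanceId": "i-...", "SourceDestCheck": {"Value": true}}.
# Prints "true" or "false"; prints nothing if the shape is unexpected.
# Whitespace is stripped first so a pretty-printed response parses too.
source_dest_check_value() {
    printf '%s' "$1" | tr -d ' \n\t' \
        | sed -n 's/.*"SourceDestCheck":{"Value":\([a-z]*\)}.*/\1/p'
}

# Turn the check off so the instance may forward packets whose addresses are
# not its own (what a NAT/VPN gateway inside the VPC needs).
disable_source_dest_check() {
    aws ec2 modify-instance-attribute --instance-id "$1" --no-source-dest-check
}

# Read the attribute back; succeeds only if the check is now disabled.
verify_source_dest_check_disabled() {
    out=$(aws ec2 describe-instance-attribute --instance-id "$1" \
              --attribute sourceDestCheck --output json)
    [ "$(source_dest_check_value "$out")" = "false" ]
}

# Constructed sample response (not captured from a real account), in the
# pretty-printed layout the CLI uses by default, for offline checking.
SAMPLE_RESPONSE='{
    "InstanceId": "i-0123456789abcdef0",
    "SourceDestCheck": {
        "Value": false
    }
}'

# Only touch AWS when an instance ID was supplied; otherwise this file just
# defines the helpers and checks the parser against the sample.
if [ -n "${INSTANCE_ID:-}" ]; then
    disable_source_dest_check "$INSTANCE_ID"
    if verify_source_dest_check_disabled "$INSTANCE_ID"; then
        echo "source/dest check disabled on $INSTANCE_ID"
    else
        echo "source/dest check still enabled on $INSTANCE_ID" >&2
        exit 1
    fi
else
    echo "parsed sample: SourceDestCheck=$(source_dest_check_value "$SAMPLE_RESPONSE")"
fi
```

Run it as `INSTANCE_ID=<gateway instance id> sh disable-srcdst.sh` from a host with the right IAM permissions. To confirm the questioner's suspicion that container traffic never arrives, run `tcpdump -ni eth0 net 171.20.0.0/16` on the gateway instance while a container tries to reach a VPN host: with the check still enabled the packets never show up on eth0, because the VPC drops them before delivery; once it is disabled they appear and the up.sh rules take over.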