
I've created a VPC with IPv4 CIDR 172.16.0.0/16; next I created three subnets:

  • subnet_1 172.16.0.0/20
  • subnet_2 172.16.16.0/20
  • subnet_3 172.16.32.0/20

Next I created an Internet Gateway attached to the VPC.

At this point I created an EC2 instance and attached an Elastic IP to it. On this instance I have installed OpenVPN Access Server.

I then created a second EC2 instance that only has a private IP address. In my mind I thought that once connected via VPN I should be able to SSH into the second EC2 instance with its private IP, but I'm not able to connect. What might I have done wrong?

EDIT: I have edited the post with some additional information.

This is how I configured my VPC (screenshot)

My subnets attached to the VPC (screenshot)

The internet gateway attached to the VPC (screenshot)

This is my EC2 instance with OpenVPN Access Server, with its Elastic IP so that I can access it from my browser (screenshot)

Inbound rules for the security group of the VPN instance (screenshot)

And the outbound rules (screenshot)

The second, private instance (the instance I want to connect to via VPN) (screenshot)

Inbound rules (screenshot)

And outbound rules (screenshot)

In OpenVPN Access Server I made these configurations (screenshot)

And when I connect to the VPN I receive this address: 172.16.128.2 (for example)

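The script below is an added example for troubleshooting the setup described in the question; it is not code from the asker, from OpenVPN or from AWS. It evaluates the two things a practitioner would verify here: whether the private instance's security group admits TCP/22 from the source address the packets actually carry (the VPN server's own address and security group when the server NATs client traffic, the client's pool address when it routes it), and whether the private instance's replies have anywhere to go. The VPC CIDR, the three subnet CIDRs and the client address 172.16.128.2 are taken from the question; the security-group ID, the VPN server's private IP, the client pool 172.16.128.0/24, both rule sets and the NAT setting are assumptions for illustration. One thing the example flags: 172.16.128.2 lies inside 172.16.0.0/16 but in none of the three /20 subnets, so without NAT on the VPN server the VPC's implicit local route claims the replies and has no subnet to deliver them to.

```python
"""Offline checks for "VPN client cannot SSH to a private EC2 instance".

Added example, not code from the question or the comments. It evaluates
security-group rules and the return path using the dict shapes that boto3's
describe_security_groups returns, on constructed data so it runs with no AWS
account. VPC CIDR, subnets and the client address 172.16.128.2 come from the
question; every identifier, rule set and the NAT setting below is assumed.
"""
import ipaddress

VPC_CIDR = "172.16.0.0/16"
SUBNET_CIDRS = ["172.16.0.0/20", "172.16.16.0/20", "172.16.32.0/20"]

# Assumed values (not on the page).
VPN_SERVER_SG = "sg-0vpnserver"          # security group of the OpenVPN instance
VPN_SERVER_PRIVATE_IP = "172.16.0.10"    # its address in subnet_1
VPN_CLIENT_POOL = "172.16.128.0/24"      # pool that would hand out 172.16.128.2
VPN_CLIENT_IP = "172.16.128.2"

# Two illustrative inbound rule sets for the private instance's security group,
# shaped like the IpPermissions list from describe_security_groups.
SG_SSH_FROM_VPN_SG = [   # the bastion-style rule the comments recommend
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": VPN_SERVER_SG}]},
]
SG_SSH_FROM_CLIENT_POOL = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": VPN_CLIENT_POOL}], "UserIdGroupPairs": []},
]


def sg_allows(ip_permissions, protocol, port, src_ip=None, src_sg=None):
    """Return True if some inbound rule admits protocol/port from the source.

    Security groups are allow-lists, so no matching rule means dropped. ICMP
    has no ports, which is why a TCP/22 rule says nothing about ping.
    """
    for rule in ip_permissions:
        proto = rule["IpProtocol"]
        if proto not in ("-1", protocol):
            continue
        if proto not in ("-1", "icmp") and not rule["FromPort"] <= port <= rule["ToPort"]:
            continue
        if src_ip is not None:
            addr = ipaddress.ip_address(src_ip)
            if any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
                return True
        if src_sg is not None:
            if any(p["GroupId"] == src_sg for p in rule.get("UserIdGroupPairs", [])):
                return True
    return False


def return_path(client_pool, vpc_cidr, subnet_cidrs):
    """Check whether replies to a VPN client address can leave the private instance.

    Without NAT on the VPN server the reply is addressed to the client's pool
    IP. Inside a VPC the implicit `local` route owns the entire VPC CIDR, so a
    pool carved out of that CIDR is routed by the VPC itself; if no subnet
    contains it, the VPC router has no interface to deliver to and drops it.
    Returns (ok, reason).
    """
    pool = ipaddress.ip_network(client_pool)
    if not pool.overlaps(ipaddress.ip_network(vpc_cidr)):
        return True, ("pool is outside the VPC CIDR; the private subnet's route table "
                      "needs a route for it to the VPN instance ENI, with source/dest "
                      "check disabled on that instance")
    if any(pool.overlaps(ipaddress.ip_network(s)) for s in subnet_cidrs):
        return False, "pool collides with a real subnet; addresses are ambiguous"
    return False, ("pool lies inside the VPC CIDR but in no subnet; the local route "
                   "claims the replies and they are black-holed")


def diagnose(ip_permissions, nat_on_vpn_server):
    """Combine the two checks for SSH from a VPN client to the private instance."""
    if nat_on_vpn_server:
        # The private instance sees the VPN server's own ENI as the source, so
        # both CIDR rules for its IP and rules referencing its SG can match.
        src = {"src_ip": VPN_SERVER_PRIVATE_IP, "src_sg": VPN_SERVER_SG}
        path_ok, why = True, "NAT: replies go to the VPN server's subnet address"
    else:
        src = {"src_ip": VPN_CLIENT_IP}
        path_ok, why = return_path(VPN_CLIENT_POOL, VPC_CIDR, SUBNET_CIDRS)
    ssh = sg_allows(ip_permissions, "tcp", 22, **src)
    ping = sg_allows(ip_permissions, "icmp", 0, **src)
    return {"ssh_allowed": ssh, "ping_allowed": ping,
            "return_path_ok": path_ok, "reason": why, "ssh_works": ssh and path_ok}


if __name__ == "__main__":
    for name, rules in (("ssh-from-vpn-sg", SG_SSH_FROM_VPN_SG),
                        ("ssh-from-client-pool", SG_SSH_FROM_CLIENT_POOL)):
        for nat in (True, False):
            print(name, "nat" if nat else "routed", diagnose(rules, nat))
```

Running it prints the four combinations. Only the bastion-style rule (TCP/22 from the VPN server's security group) together with NAT on the VPN server yields `ssh_works: True`, and even then `ping_allowed` is `False`, which is the point John Rotenstein makes below about ping being an unreliable test. With routing instead of NAT, a client pool taken from inside the VPC CIDR fails the return-path check regardless of how the security group is written; a pool outside the VPC CIDR (for example 10.8.0.0/24) passes it, provided the private subnet's route table points that prefix at the VPN instance and source/destination checking is disabled on it.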
  • When I'm connected to the VPN I'm able to ping the private IP of the EC2 instance with OpenVPN Access Server, but not the other EC2 instance. – Dennis A. Boanini Aug 24 '19 at 17:14
  • Did your security group allow access to the EC2 instance from the VPN server? Did you define routing in the VPN that will route all traffic? Are the instances and the VPN in the same VPC? What is the log of the `ssh` command? – Adiii Aug 25 '19 at 01:10
  • The instance and VPN are in the same VPC. How do I define routing in the VPN? – Dennis A. Boanini Aug 25 '19 at 09:23
  • Please edit your Question to include the contents of the Security Group on the 2nd EC2 instance. By the way, `ping` is not a reliable network test method because it can be blocked by security groups. – John Rotenstein Aug 25 '19 at 10:21
  • https://serverfault.com/questions/480069/how-to-force-all-traffic-through-vpn – Adiii Aug 25 '19 at 10:22
  • I added some more detail to my question – Dennis A. Boanini Aug 25 '19 at 17:43
  • You have not mentioned if you have attached the subnet to an Internet Gateway (IG) or NAT Gateway (NG). The difference between a public and private subnet is the type of gateway you attach it to in their routing tables. Public has IG and private has NG. Refer to [this](https://stackoverflow.com/a/57662866/9273701) answer to check subnets' routing tables. – bot Aug 28 '19 at 19:26
  • If you want to connect to an instance in a private subnet, you create a bastion in a public subnet and SSH into private instances from this bastion (maybe the VPN in your case); refer to [this](https://aws.amazon.com/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/) doc for more details. Furthermore, add an outbound rule in the bastion for the private IP and an inbound rule in the private instance from the bastion at port 22 instead of opening it to the internet. – bot Aug 28 '19 at 19:31
