I have an AWS EC2 instance, running Amazon Linux, that has two Elastic Network Interfaces (ENIs) attached: eth0 and eth1. I am connecting to the public IP on eth0. Everything works great, except I would like to route unencrypted traffic out of eth1, i.e. the client connects to eth0 to set up an encrypted VPN tunnel, then his/her unencrypted internet traffic is routed in and out of eth1 and back across the tunnel on eth0.
I don't know enough about iptables to get this config working, despite trying for several hours. I'm hoping this is a simple one?
I've installed the latest version of OpenVPN from source and done the following:
- Disabled source/dest check on the interfaces
- Added the following to "rc.local":
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
- Added the following iptables commands:
iptables -A INPUT -i eth0 -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.18.14.0/24 -o eth0 -j MASQUERADE
My server config file looks like this:
port 443
proto tcp-server
dev tun
tls-server
server 10.18.14.0 255.255.255.0
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/vpnserver.crt
key /etc/openvpn/pki/vpnserver.key
dh /etc/openvpn/pki/dh.pem
ifconfig-pool-persist ipp2.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 15
comp-lzo
max-clients 5
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn_road.log
verb 6
mute 20
tun-mtu 1500
auth SHA1
keysize 128
cipher BF-CBC
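One way to get the split the post describes (tunnel on eth0, client internet traffic in and out of eth1), as an added example that is not part of the original post: a policy-routing rule sends packets from the VPN pool through a table whose default route is eth1, and the MASQUERADE moves to eth1 with them, since the existing "-o eth0" NAT rule alone cannot change which interface the main routing table picks. The eth1 gateway address, routing table number 100 and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions (not in the post):
# - EGRESS_GW is the gateway of eth1's subnet (placeholder; on EC2 it is the
#   first usable address of the ENI's subnet, confirm with `ip route`)
# - eth1 has a public/Elastic IP or another return path, or replies never come back
# - routing table 100 is unused on this host
VPN_NET="10.18.14.0/24"   # matches "server 10.18.14.0 255.255.255.0"
VPN_IF="tun+"
EGRESS_IF="eth1"
EGRESS_GW="${EGRESS_GW:-EGRESS_GW_PLACEHOLDER}"
TABLE=100

# Emit the commands instead of running them, so they can be reviewed first.
vpn_egress_rules() {
    cat <<EOF
# Policy routing: traffic sourced from the VPN pool uses a table whose only
# default route is eth1; otherwise the main table's default sends it out eth0.
ip route replace default via $EGRESS_GW dev $EGRESS_IF table $TABLE
ip rule add from $VPN_NET lookup $TABLE priority 1000
# Replace the post's "-o eth0" MASQUERADE with one on the egress interface.
iptables -t nat -D POSTROUTING -s $VPN_NET -o eth0 -j MASQUERADE 2>/dev/null || true
iptables -t nat -A POSTROUTING -s $VPN_NET -o $EGRESS_IF -j MASQUERADE
# Forward only the VPN pool out eth1, only replies back in, nothing else.
iptables -A FORWARD -i $VPN_IF -o $EGRESS_IF -s $VPN_NET -j ACCEPT
iptables -A FORWARD -i $EGRESS_IF -o $VPN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Checks a practitioner would run before applying the rules.
check_prereqs() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ] || { echo "ip_forward is off" >&2; return 1; }
    ip link show "$EGRESS_IF" >/dev/null 2>&1 || { echo "$EGRESS_IF not present" >&2; return 1; }
    [ "$EGRESS_GW" != "EGRESS_GW_PLACEHOLDER" ] || { echo "set EGRESS_GW first" >&2; return 1; }
}

# Number of generated NAT rules that masquerade the VPN pool out a given interface.
rules_for_iface() {
    vpn_egress_rules | grep -c -- "^iptables -t nat -A POSTROUTING .* -o $1 -j MASQUERADE" || true
}

# Apply only when explicitly asked: ./vpn_egress.sh apply
if [ "${1:-}" = "apply" ]; then
    check_prereqs && vpn_egress_rules | sh -e
fi
```

Source/destination check must stay disabled on eth1 as well, and the rules are appended with -A, so they are evaluated after the post's existing FORWARD rules.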