I set up an OpenVPN server on Ubuntu 16.04 on AWS. I can connect to it from my local machine, so I can reach the OpenVPN server at its private IP, but I cannot reach the other EC2 instances in the subnet.
Here is my configuration
server.conf
local ip-10-253-254-87
port 1194
proto udp
dev tun
ca ca.crt
cert myvpn.crt
key myvpn.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.253.0.0 255.255.0.0"
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
keepalive 60 3600
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 3
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.253.254.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.253.254.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
$ sysctl -p
net.ipv4.ip_forward = 1
Client connection log
Thu Oct 12 02:02:57 2017 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Thu Oct 12 02:02:57 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Thu Oct 12 02:02:57 2017 WARNING: file 'rahul.key' is group or others accessible
Thu Oct 12 02:02:57 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Oct 12 02:02:57 2017 UDPv4 link local: [undef]
Thu Oct 12 02:02:57 2017 UDPv4 link remote: [AF_INET]52.221.18.132:1194
Thu Oct 12 02:02:57 2017 TLS: Initial packet from [AF_INET]52.221.18.132:1194, sid=93a5928a db252cae
Thu Oct 12 02:02:58 2017 VERIFY OK: depth=1, C=SG, ST=SG, L=Singapore, O=XXXXXX, OU=XXXXXXDataEng, CN=XXXXXX CA, name=XXXXXXStatsVpn, [email protected]
Thu Oct 12 02:02:58 2017 Validating certificate key usage
Thu Oct 12 02:02:58 2017 ++ Certificate has key usage 00a0, expects 00a0
Thu Oct 12 02:02:58 2017 VERIFY KU OK
Thu Oct 12 02:02:58 2017 Validating certificate extended key usage
Thu Oct 12 02:02:58 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Oct 12 02:02:58 2017 VERIFY EKU OK
Thu Oct 12 02:02:58 2017 VERIFY OK: depth=0, C=SG, ST=SG, L=Singapore, O=XXXXXX, OU=XXXXXXDataEng, CN=XXXXXXstatsvpn, name=XXXXXXStatsVpn, [email protected]
Thu Oct 12 02:02:58 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Oct 12 02:02:58 2017 WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Thu Oct 12 02:02:58 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 12 02:02:58 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Oct 12 02:02:58 2017 WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Thu Oct 12 02:02:58 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 12 02:02:58 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Oct 12 02:02:58 2017 [XXXXXXstatsvpn] Peer Connection Initiated with [AF_INET]52.221.18.132:1194
Thu Oct 12 02:03:00 2017 SENT CONTROL [XXXXXXstatsvpn]: 'PUSH_REQUEST' (status=1)
Thu Oct 12 02:03:00 2017 PUSH: Received control message: 'PUSH_REPLY,route 10.253.0.0 255.255.0.0,route 10.8.0.1,topology net30,ping 60,ping-restart 3600,ifconfig 10.8.0.6 10.8.0.5'
Thu Oct 12 02:03:00 2017 OPTIONS IMPORT: timers and/or timeouts modified
Thu Oct 12 02:03:00 2017 OPTIONS IMPORT: --ifconfig/up options modified
Thu Oct 12 02:03:00 2017 OPTIONS IMPORT: route options modified
Thu Oct 12 02:03:00 2017 ROUTE_GATEWAY 192.168.31.1/255.255.255.0 IFACE=wlp3s0 HWADDR=b4:6d:83:ce:88:12
Thu Oct 12 02:03:00 2017 TUN/TAP device tun0 opened
Thu Oct 12 02:03:00 2017 TUN/TAP TX queue length set to 100
Thu Oct 12 02:03:00 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 12 02:03:00 2017 /sbin/ip link set dev tun0 up mtu 1500
Thu Oct 12 02:03:00 2017 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Thu Oct 12 02:03:00 2017 /sbin/ip route add 10.253.0.0/16 via 10.8.0.5
Thu Oct 12 02:03:00 2017 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Thu Oct 12 02:03:00 2017 Initialization Sequence Completed
Client route table
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.31.1 0.0.0.0 UG 600 0 0 wlp3s0
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.253.0.0 10.8.0.5 255.255.0.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 docker0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.31.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp3s0
Successful ping to the OpenVPN server at its private IP
$ ping 10.253.254.87
PING 10.253.254.87 (10.253.254.87) 56(84) bytes of data.
64 bytes from 10.253.254.87: icmp_seq=1 ttl=64 time=70.3 ms
64 bytes from 10.253.254.87: icmp_seq=2 ttl=64 time=70.4 ms
Problem: cannot ping any other machine in the subnet
$ ping 10.253.2.139
PING 10.253.2.139 (10.253.2.139) 56(84) bytes of data.
Route configured in the route table (AWS)
10.8.0.0/24 eni-47050xxx / i-0ec7207caba88xxx Active No
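Separate from the routing problem, the client log above negotiated BF-CBC (the 64-bit block size warning) with a SHA1 HMAC, and warned that the client key file is group/world readable. The following is the questioner's server.conf with the data and control channel hardened, added here as an example; it is not part of the original question or answer. It assumes OpenVPN 2.3.x on both ends (the log shows 2.3.10), so it uses AES-256-CBC rather than AES-256-GCM (2.4+ only); ta.key is a file you generate once, and the matching client-side lines (cipher, auth, tls-auth ta.key 1, and chmod 600 on the key) are assumed to be added to every client config.

```conf
# Added example, not the questioner's file: the same server.conf with the
# data and control channel hardened for OpenVPN 2.3.x on both ends.
local ip-10-253-254-87
port 1194
proto udp
dev tun
ca ca.crt
cert myvpn.crt
key myvpn.key            # keep this 0600 and root-owned; the client log warned about a readable key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.253.0.0 255.255.0.0"

# Data channel. The original session fell back to BF-CBC (64-bit block,
# hence the warning) with SHA1. OpenVPN 2.3 does not negotiate these two
# values, so every client config must carry the same two lines.
cipher AES-256-CBC
auth SHA256

# Control channel: require TLS 1.2 and an HMAC on every handshake packet,
# so an unauthenticated UDP sender cannot even begin a TLS exchange.
# Generate once with:  openvpn --genkey --secret ta.key
# Clients use:         tls-auth ta.key 1
tls-version-min 1.2
tls-auth ta.key 0

# Only accept peers whose certificate carries the client EKU, so a copied
# server certificate cannot be reused to connect as a client.
remote-cert-tls client

# Compression inside an encrypted tunnel leaks plaintext structure; leave it
# off unless it is really needed (if enabled it must match on the client).
;comp-lzo

keepalive 60 3600
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log   # "log" and "log-append" on the same file are redundant; keep one
verb 3
```

None of this changes the routing behaviour; it only removes the weak-cipher and handshake exposure that the log makes visible while the server is being touched anyway.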
You should try disabling the "Source/destination check" for your OpenVPN instance, as per the Amazon docs.
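The answer's fix, worked through with the AWS CLI as an added example (not the answerer's or AWS's own code): the source/destination check on the OpenVPN instance is queried, disabled if still on, and the forwarding path on the server is then sanity-checked. The instance id and region are placeholders, not values from the page; the JSON helper works on the shape that `aws ec2 describe-instance-attribute --attribute sourceDestCheck` returns, and the sample document in the comment is constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original question or answer.
# Disable the EC2 source/destination check on the OpenVPN instance so it can
# forward packets whose source (10.8.0.x clients) is not its own private IP,
# then check the server-side forwarding prerequisites.
set -eu

INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"   # assumed placeholder
AWS_REGION="${AWS_REGION:-ap-southeast-1}"           # assumed placeholder

# Read the describe-instance-attribute JSON from stdin and print the value of
# SourceDestCheck.Value ("true" or "false"). Constructed sample input:
#   {"InstanceId": "i-0123456789abcdef0", "SourceDestCheck": {"Value": true}}
# Only tr/grep/sed are used so the check works on a box without jq.
sdc_value_from_json() {
    tr -d ' \n' | grep -o '"SourceDestCheck":{"Value":[a-z]*' | sed 's/.*://'
}

# Exit 0 when the check is enabled, i.e. the state that silently drops the
# forwarded client traffic described in the question.
sdc_enabled() {
    [ "$(sdc_value_from_json)" = "true" ]
}

# Live query of the attribute for the OpenVPN instance.
query_sdc() {
    aws ec2 describe-instance-attribute --region "$AWS_REGION" \
        --instance-id "$INSTANCE_ID" --attribute sourceDestCheck
}

# Turn the check off. After this the instance may emit/accept packets with a
# foreign source/destination address, which is exactly what a VPN gateway does.
disable_sdc() {
    aws ec2 modify-instance-attribute --region "$AWS_REGION" \
        --instance-id "$INSTANCE_ID" --no-source-dest-check
}

# Run on the OpenVPN server itself: a disabled check forwards nothing unless
# the kernel forwards and the tun subnet is routed.
server_side_checks() {
    sysctl -n net.ipv4.ip_forward | grep -qx 1 \
        || { echo "net.ipv4.ip_forward is 0" >&2; return 1; }
    ip route show | grep -q '^10.8.0.0/24' \
        || { echo "no route for 10.8.0.0/24 via tun0 (is openvpn up?)" >&2; return 1; }
}

main() {
    if query_sdc | sdc_enabled; then
        echo "source/dest check is enabled on $INSTANCE_ID; disabling it"
        disable_sdc
    else
        echo "source/dest check already disabled on $INSTANCE_ID"
    fi
    server_side_checks
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh fix-sdc.sh --run` on a host with AWS credentials that may modify the instance. Two things the page's data does not cover but that will still make the ping fail after the check is disabled: the security group on 10.253.2.139 must allow ICMP (or whatever you are testing) from 10.8.0.0/24, since the VPC route table entry for 10.8.0.0/24 only handles the return path; and if you prefer not to touch the attribute at all, NAT on the server (`iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`) makes client traffic leave with the server's own IP, which needs neither the VPC route nor the disabled check, at the cost of hiding the real client address from the targets.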
Tags: openvpn