Use right private IP for openvpn to bind to on AWS EC2 instances

I added a second public IP to an EC2 instance following these instructions.

I can reach a test instance by its second public IP via ssh, but can't connect to the VPN.

For reference, this is the network configuration of an EC2 instance with two private and two public IPs:

--- leap/workshop.bitmask.net » aws_eu describe-instances --instance-ids i-0888803c4a9de01c4 --query 'Reservations[0].Instances[0].NetworkInterfaces'
[
    {
        "Association": {
            "IpOwnerId": "amazon",
            "PublicDnsName": "ec2-18-194-45-50.eu-central-1.compute.amazonaws.com",
            "PublicIp": "18.194.45.50"
        },
        "Attachment": {
            "AttachTime": "2017-12-21T20:23:34.000Z",
            "AttachmentId": "eni-attach-586e16b3",
            "DeleteOnTermination": true,
            "DeviceIndex": 0,
            "Status": "attached"
        },
        "Description": "",
        "Groups": [
            {
                "GroupName": "leap_default",
                "GroupId": "sg-084e0762"
            }
        ],
        "Ipv6Addresses": [],
        "MacAddress": "06:bf:9c:61:11:7a",
        "NetworkInterfaceId": "eni-4e318865",
        "OwnerId": "462352784466",
        "PrivateDnsName": "ip-172-31-45-119.eu-central-1.compute.internal",
        "PrivateIpAddress": "172.31.45.119",
        "PrivateIpAddresses": [
            {
                "Association": {
                    "IpOwnerId": "amazon",
                    "PublicDnsName": "ec2-18-194-45-50.eu-central-1.compute.amazonaws.com",
                    "PublicIp": "18.194.45.50"
                },
                "Primary": true,
                "PrivateDnsName": "ip-172-31-45-119.eu-central-1.compute.internal",
                "PrivateIpAddress": "172.31.45.119"
            },
            {
                "Association": {
                    "IpOwnerId": "462352784466",
                    "PublicDnsName": "ec2-18-196-43-244.eu-central-1.compute.amazonaws.com",
                    "PublicIp": "18.196.43.244"
                },
                "Primary": false,
                "PrivateDnsName": "ip-172-31-39-105.eu-central-1.compute.internal",
                "PrivateIpAddress": "172.31.39.105"
            }
        ],
        "SourceDestCheck": true,
        "Status": "in-use",
        "SubnetId": "subnet-f5ab6d88",
        "VpcId": "vpc-af7089c4"
    }
]
root@blackbox:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 06:bf:9c:61:11:7a brd ff:ff:ff:ff:ff:ff
    inet 172.31.45.119/20 brd 172.31.47.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 172.31.39.105/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::4bf:9cff:fe61:117a/64 scope link 
       valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.42.0.1/21 brd 10.42.7.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:123::1/64 scope global 
       valid_lft forever preferred_lft forever
8: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.41.0.1/21 brd 10.41.7.255 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 2001:db8:123::1/64 scope global 
       valid_lft forever preferred_lft forever

root@blackbox:~# netstat -tulpen |grep 1194
tcp        0      0 172.31.45.119:1194      0.0.0.0:*               LISTEN      0          419113      31633/openvpn   
udp        0      0 172.31.45.119:1194      0.0.0.0:*                           0          418864      31445/openvpn   

The reason is that both VPN processes bind to the first private IP, not the second one.

Edited by Varac
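
Added example, not part of the original issue or the LEAP code base: EC2 maps each public IP 1:1 to a private address, so this check maps public to private IPs from the `describe-instances` output and reports which public IPs have no OpenVPN listener behind them. The sample data is trimmed from the output above; the function names are hypothetical, and only IPv4 sockets are considered.

```python
import json

# Trimmed from the describe-instances output in the issue (only the fields used).
INTERFACES = json.loads("""[{"PrivateIpAddresses": [
  {"Association": {"PublicIp": "18.194.45.50"},  "PrivateIpAddress": "172.31.45.119"},
  {"Association": {"PublicIp": "18.196.43.244"}, "PrivateIpAddress": "172.31.39.105"}]}]""")

# The two netstat lines from the issue.
NETSTAT = """\
tcp        0      0 172.31.45.119:1194      0.0.0.0:*               LISTEN      0          419113      31633/openvpn
udp        0      0 172.31.45.119:1194      0.0.0.0:*                           0          418864      31445/openvpn
"""

def public_to_private(interfaces):
    """Map each public IP to the private IP that EC2 translates it to."""
    mapping = {}
    for eni in interfaces:
        for addr in eni.get("PrivateIpAddresses", []):
            public = addr.get("Association", {}).get("PublicIp")
            if public:  # private addresses without an association have no public IP
                mapping[public] = addr["PrivateIpAddress"]
    return mapping

def listeners(netstat_text, port):
    """Return {(proto, local_ip)} for sockets on `port` in `netstat -tulpen` output."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue
        ip, _, local_port = fields[3].rpartition(":")
        if local_port == str(port):
            found.add((fields[0], ip))
    return found

def unserved(interfaces, netstat_text, port=1194):
    """Public IPs whose private address lacks a listener for some protocol on `port`."""
    bound = listeners(netstat_text, port)
    missing = {}
    for public, private in public_to_private(interfaces).items():
        protos = [p for p in ("tcp", "udp")
                  if (p, private) not in bound and (p, "0.0.0.0") not in bound]
        if protos:
            missing[public] = (private, protos)
    return missing

def local_directive(interfaces, public_ip):
    # OpenVPN's `local` option sets the address the daemon binds to.
    return "local " + public_to_private(interfaces)[public_ip]
```

With the data from the issue, `unserved(INTERFACES, NETSTAT)` reports 18.196.43.244 as unserved on both protocols, and `local_directive(INTERFACES, "18.196.43.244")` yields the bind line for a daemon meant to answer on that address.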