Use right private IP for openvpn to bind to on AWS EC2 instances
I added a second public IP to an EC2 instance following these instructions.
I can reach a test instance by its second public IP via ssh, but can't connect to the VPN.
For reference, this is the network configuration of an EC2 instance with two private and two public IPs:
--- leap/workshop.bitmask.net » aws_eu describe-instances --instance-ids i-0888803c4a9de01c4 --query 'Reservations[0].Instances[0].NetworkInterfaces'
[
    {
        "Association": {
            "IpOwnerId": "amazon",
            "PublicDnsName": "ec2-18-194-45-50.eu-central-1.compute.amazonaws.com",
            "PublicIp": "18.194.45.50"
        },
        "Attachment": {
            "AttachTime": "2017-12-21T20:23:34.000Z",
            "AttachmentId": "eni-attach-586e16b3",
            "DeleteOnTermination": true,
            "DeviceIndex": 0,
            "Status": "attached"
        },
        "Description": "",
        "Groups": [
            {
                "GroupName": "leap_default",
                "GroupId": "sg-084e0762"
            }
        ],
        "Ipv6Addresses": [],
        "MacAddress": "06:bf:9c:61:11:7a",
        "NetworkInterfaceId": "eni-4e318865",
        "OwnerId": "462352784466",
        "PrivateDnsName": "ip-172-31-45-119.eu-central-1.compute.internal",
        "PrivateIpAddress": "172.31.45.119",
        "PrivateIpAddresses": [
            {
                "Association": {
                    "IpOwnerId": "amazon",
                    "PublicDnsName": "ec2-18-194-45-50.eu-central-1.compute.amazonaws.com",
                    "PublicIp": "18.194.45.50"
                },
                "Primary": true,
                "PrivateDnsName": "ip-172-31-45-119.eu-central-1.compute.internal",
                "PrivateIpAddress": "172.31.45.119"
            },
            {
                "Association": {
                    "IpOwnerId": "462352784466",
                    "PublicDnsName": "ec2-18-196-43-244.eu-central-1.compute.amazonaws.com",
                    "PublicIp": "18.196.43.244"
                },
                "Primary": false,
                "PrivateDnsName": "ip-172-31-39-105.eu-central-1.compute.internal",
                "PrivateIpAddress": "172.31.39.105"
            }
        ],
        "SourceDestCheck": true,
        "Status": "in-use",
        "SubnetId": "subnet-f5ab6d88",
        "VpcId": "vpc-af7089c4"
    }
]
root@blackbox:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 06:bf:9c:61:11:7a brd ff:ff:ff:ff:ff:ff
    inet 172.31.45.119/20 brd 172.31.47.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 172.31.39.105/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::4bf:9cff:fe61:117a/64 scope link
       valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.42.0.1/21 brd 10.42.7.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:123::1/64 scope global
       valid_lft forever preferred_lft forever
8: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.41.0.1/21 brd 10.41.7.255 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 2001:db8:123::1/64 scope global
       valid_lft forever preferred_lft forever
root@blackbox:~# netstat -tulpen | grep 1194
tcp        0      0 172.31.45.119:1194      0.0.0.0:*               LISTEN      0          419113     31633/openvpn
udp        0      0 172.31.45.119:1194      0.0.0.0:*                           0          418864     31445/openvpn
The reason is that both OpenVPN processes (TCP and UDP) bind to the first private IP, 172.31.45.119, not the second one, 172.31.39.105, which is the address AWS maps to the second public IP.
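A small check for this situation, added here as an example and not part of the report or of the LEAP platform code: it reads the `NetworkInterfaces` JSON from `aws ec2 describe-instances` to find which private IP a given public IP is NATed to, emits the OpenVPN `local` directive that pins the listener to that address, and scans `netstat -tulpen` output for port 1194 sockets bound to some other address. The JSON and netstat lines below are trimmed copies of the output quoted above, embedded so the script runs offline; the function names are this example's own.

```python
import json

# NetworkInterfaces output from `aws ec2 describe-instances`, trimmed from the
# report above to the fields this check needs (embedded sample input).
NETWORK_INTERFACES_JSON = """
[
  {
    "NetworkInterfaceId": "eni-4e318865",
    "PrivateIpAddress": "172.31.45.119",
    "PrivateIpAddresses": [
      {
        "Association": {"IpOwnerId": "amazon", "PublicIp": "18.194.45.50"},
        "Primary": true,
        "PrivateIpAddress": "172.31.45.119"
      },
      {
        "Association": {"IpOwnerId": "462352784466", "PublicIp": "18.196.43.244"},
        "Primary": false,
        "PrivateIpAddress": "172.31.39.105"
      }
    ]
  }
]
"""

# `netstat -tulpen | grep 1194` output from the report (embedded sample input).
NETSTAT_SAMPLE = """\
tcp        0      0 172.31.45.119:1194      0.0.0.0:*               LISTEN      0          419113     31633/openvpn
udp        0      0 172.31.45.119:1194      0.0.0.0:*                           0          418864     31445/openvpn
"""


def load_interfaces(text=NETWORK_INTERFACES_JSON):
    """Parse the NetworkInterfaces JSON list returned by describe-instances."""
    return json.loads(text)


def public_to_private(network_interfaces):
    """Map every public IP on the instance to the private IP AWS NATs it to."""
    mapping = {}
    for eni in network_interfaces:
        for addr in eni.get("PrivateIpAddresses", []):
            assoc = addr.get("Association") or {}
            if "PublicIp" in assoc:
                mapping[assoc["PublicIp"]] = addr["PrivateIpAddress"]
    return mapping


def private_ip_for_public(network_interfaces, public_ip):
    """Return the private IP a daemon must bind to so it is reachable on public_ip."""
    return public_to_private(network_interfaces).get(public_ip)


def openvpn_local_directive(private_ip):
    """OpenVPN's `local` option restricts the listening socket to one address."""
    return "local %s" % private_ip


def parse_listeners(netstat_text):
    """Parse `netstat -tulpen` lines into (proto, ip, port, program) tuples."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header line or something netstat did not print as a socket
        ip, port = fields[3].rsplit(":", 1)  # Local Address column, e.g. 172.31.45.119:1194
        program = fields[-1]  # PID/Program name column, e.g. 31633/openvpn
        listeners.append((fields[0], ip, int(port), program))
    return listeners


def misbound_listeners(netstat_text, expected_ip, port):
    """Return listeners on `port` whose bound address is not expected_ip.

    A wildcard bind (0.0.0.0 or ::) counts as correct: it covers every private IP.
    """
    return [l for l in parse_listeners(netstat_text)
            if l[2] == port and l[1] not in (expected_ip, "0.0.0.0", "::")]


def main():
    enis = load_interfaces()
    wanted_public = "18.196.43.244"  # the second public IP that VPN clients connect to
    private_ip = private_ip_for_public(enis, wanted_public)
    print("to serve %s, configure: %s" % (wanted_public, openvpn_local_directive(private_ip)))
    for proto, ip, port, prog in misbound_listeners(NETSTAT_SAMPLE, private_ip, 1194):
        print("%s (%s) is bound to %s:%d and is unreachable via %s"
              % (prog, proto, ip, port, wanted_public))


if __name__ == "__main__":
    main()
```

Run against the output quoted above, it reports both openvpn processes as bound to 172.31.45.119 and prints `local 172.31.39.105` as the directive to use for the second VPN instance; after changing the config, the same netstat check should come back empty.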
Edited by Varac