fpghost

Reputation: 2952

AWS OpenVPN instance can't SSH to other EC2 instances or connect to the web

I set up an OpenVPN EC2 instance on AWS and it has security groups like

[image: openvpn security groups]

I downloaded the client.ovpn file and can successfully connect to it like sudo openvpn --config client.ovpn in Ubuntu (and also via Network Manager after importing the config). All good.

Now I want to make it so my other EC2 instances (that host the actual app) can only be accessed via the VPN, and can't be SSH'd into directly for example. The security group of one of these EC2 instances looks like

[image: security group of the app EC2 instance]

where here I'm allowing inbound traffic on port 22 from the Private IPv4 addresses of the OVPN server.

However, if I connect to the VPN and try to SSH to the app EC2 instance it just times out, nor can I access the web when connected to the VPN. If I allow SSH on port 22 from 0.0.0.0 then I can SSH in and no issues.

Could anyone point me toward what the problem might be?

Could it be because they are on different subnets?

Upvotes: 0

Views: 2631

Answers (1)

qkhanhpro

Reputation: 5220

The simple solution: forward all traffic through OpenVPN. Restrict access to your instances to OpenVPN's public IP, and connect to your EC2s through their public IPs.

The reason why your solution did not work, as I understand it:

  • AWS VPC is kind of like a VPN already
  • You are trying to connect to your EC2 through their public IP, which routes through the internet, so it makes little sense allowing OpenVPN's private IP to talk with EC2's public IP; the server that you are installing OpenVPN on shall use its public IP.
  • If you must use OpenVPN and do not want the internal (OpenVPN to EC2) connections to surface to the internet, the EC2 instances must join OpenVPN's private network; there, everyone can talk using the private IPs of OpenVPN's range.
  • Or extend AWS VPC with OpenVPN.
  • Or see if split-tunnel works, which "May allow users to access their LAN devices while connected to VPN".

Upvotes: 1
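The mismatch described in the answer (the rule admits the OpenVPN server's private IP, but a connection to the app instance's public IP arrives from the server's public IP) can be checked before touching the console. The following is an added example, not code from the question or answer; the IPs, the VPC CIDR and the rule dicts are constructed, with the dict shape mirroring the `IpPermissions` field of the EC2 DescribeSecurityGroups API, and it assumes the OpenVPN server NATs tunnel traffic to its own address.

```python
import ipaddress

# Constructed sample values (not from the question).
VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")  # VPC holding both instances
VPN_PRIVATE_IP = "172.31.20.5"    # OpenVPN instance's VPC address
VPN_PUBLIC_IP = "203.0.113.10"    # OpenVPN instance's public (Elastic) IP

# The rule from the question: SSH allowed only from the VPN server's private IP.
RULES_PRIVATE_ONLY = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": f"{VPN_PRIVATE_IP}/32"}]},
]
# The rule the answer recommends: allow the VPN server's public IP instead.
RULES_PUBLIC_ONLY = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": f"{VPN_PUBLIC_IP}/32"}]},
]


def rule_allows(rules, port, src_ip):
    """True if any inbound rule admits TCP `port` from `src_ip` (IPv4 ranges only)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        proto = rule["IpProtocol"]
        if proto not in ("tcp", "-1"):       # "-1" is the all-traffic protocol
            continue
        if proto == "tcp" and not rule["FromPort"] <= port <= rule["ToPort"]:
            continue
        if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
            return True
    return False


def source_seen_by_target(target_ip):
    """Source address the app instance sees for a VPN client's packet.

    Assumption: the VPN server NATs tunnel traffic to its own address. A target
    inside the VPC is reached over the VPC fabric and sees the server's private
    IP; a target addressed by public IP is reached via the internet gateway,
    which translates the source to the server's public IP.
    """
    if ipaddress.ip_address(target_ip) in VPC_CIDR:
        return VPN_PRIVATE_IP
    return VPN_PUBLIC_IP


def check_ssh_path(rules, target_ip):
    """Return (source_ip_seen, allowed) for an SSH attempt to `target_ip` over the VPN."""
    src = source_seen_by_target(target_ip)
    return src, rule_allows(rules, 22, src)
```

Running `check_ssh_path(RULES_PRIVATE_ONLY, "<app public IP>")` reports the public source address and `False`, which is the timeout in the question; the same rules with the app's private VPC address, or `RULES_PUBLIC_ONLY` with the public address, report `True`.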
