Add routes to resources with public IPs
Archived (pre-2022)
Preserved for reference only -- likely outdated. Last updated: June 2019
In this example we add access to the rtb Consul UI, which sits behind a public load balancer.
Prerequisites
Log in to the openvpn-core server with the ubuntu user.
Steps
- Resolve IPs for the load balancer
Run:
root@ip-10-37-28-230:~# dig +short lb-consul-eu-west-1-1647607189.eu-west-1.elb.amazonaws.com
54.171.15.145
54.246.194.132
- Add iptables rules
Edit /etc/iptables/rules.v4 and add a forwarding rule for each resolved IP. Important: new rules must be inserted before the -A FORWARD -i tun0 -j REJECT --reject-with icmp-port-unreachable line. iptables evaluates rules in order, so an ACCEPT placed after the REJECT is never reached.
root@ip-10-37-28-230:~# vim /etc/iptables/rules.v4
# staging bastion host eu-west-1
-A FORWARD -d 52.209.109.175/32 -i tun0 -j ACCEPT
# rtb consul ui
-A FORWARD -d 54.171.15.145/32 -i tun0 -j ACCEPT
-A FORWARD -d 54.246.194.132/32 -i tun0 -j ACCEPT
#
-A FORWARD -i tun0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
- Restart netfilter-persistent to load the new rules
Run:
root@ip-10-37-28-230:~# netfilter-persistent restart
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
- Add new IP addresses to be pushed to clients
Edit /etc/openvpn/server.conf and add a push "route" line for each resolved IP, so that clients send traffic for these /32 addresses over the tunnel:
root@ip-10-37-28-230:~# vim /etc/openvpn/server.conf
# staging bastion host eu-west-1
push "route 52.209.109.175 255.255.255.255"
# rtb consul ui
push "route 54.171.15.145 255.255.255.255"
push "route 54.246.194.132 255.255.255.255"
#
...
- Add OpenVPN server IP to the load balancer security group
The OpenVPN server is in a public subnet and uses Elastic IP 18.202.146.90. Add this IP to the security group of the target Load Balancer for the rtb Consul UI.
You can check the public IP via the EC2 console or by running:
Add a rule to the security group for the LB, as shown in the screenshot:

- Restart OpenVPN server
Run:
- Verify access
Try to access the rtb Consul UI in your browser:

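As an added example (not part of the original runbook), the script below automates steps 1 to 4 offline: for a list of resolved load-balancer IPs it builds the FORWARD ACCEPT rules and matching push "route" lines, inserts the rules ahead of the tun0 REJECT line, refuses to touch a rules file that has no REJECT anchor, and checks that each ACCEPT really precedes the REJECT. The rules.v4 sample is constructed; the IP addresses are the ones resolved above.

```python
import ipaddress
import re

# Anchor rule: everything the runbook adds must sit above this line.
REJECT_RE = re.compile(r"^-A FORWARD -i tun0 -j REJECT\b")

# Constructed sample of /etc/iptables/rules.v4 (only the FORWARD part matters here).
SAMPLE_RULES_V4 = """\
# staging bastion host eu-west-1
-A FORWARD -d 52.209.109.175/32 -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Addresses the runbook resolved for the Consul load balancer with dig.
CONSUL_LB_IPS = ["54.171.15.145", "54.246.194.132"]

def forward_accept_rule(ip: str) -> str:
    """ACCEPT rule for one destination; ip_address() rejects malformed input."""
    return f"-A FORWARD -d {ipaddress.ip_address(ip)}/32 -i tun0 -j ACCEPT"

def push_route_line(ip: str) -> str:
    """Matching server.conf line so clients route the /32 over the tunnel."""
    return f'push "route {ipaddress.ip_address(ip)} 255.255.255.255"'

def insert_forward_rules(rules_text: str, ips, comment: str) -> str:
    """Insert ACCEPT rules for ips directly before the tun0 REJECT line.
    Rules already present are skipped (safe to re-run); a missing anchor is an
    error, because a rule appended after the REJECT would never be evaluated."""
    lines = rules_text.splitlines()
    present = set(lines)
    new_rules = [r for ip in ips if (r := forward_accept_rule(ip)) not in present]
    if not new_rules:
        return rules_text
    idx = next((i for i, line in enumerate(lines) if REJECT_RE.match(line)), None)
    if idx is None:
        raise ValueError("rules.v4 has no '-A FORWARD -i tun0 -j REJECT' anchor")
    lines[idx:idx] = [f"# {comment}", *new_rules]
    return "\n".join(lines) + "\n"

def accepted_before_reject(rules_text: str, ip: str) -> bool:
    """True only if the ACCEPT for ip appears above the REJECT (order matters)."""
    rule = forward_accept_rule(ip)
    for line in rules_text.splitlines():
        if line == rule:
            return True
        if REJECT_RE.match(line):
            return False
    return False
```

After writing the returned text back to rules.v4, the netfilter-persistent restart and server.conf edit from the steps above still apply.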