Connecting an EC2 VPC with OpenVPN all routed traffic being lost

Solution 1:

Turns out EC2 was blocking the forwarded packets from the OpenVPN server.

There is a setting on the EC2 Dashboard under Network & Security -> Network Interfaces -> Actions -> Change Source/Dest. Check.

When I disabled this on all my instances, traffic through the VPN flowed as intended.

Hopefully this will help someone else.

Solution 2:

You beat me to your own answer, so I'll expand on it a little...

If you need to build this into your instance bootstrap script, you can add the following to the User Data block (when starting the instance, it's under step 3, Configure Instance Details...expand the Advanced Details section at the bottom of the page) for the instance...update line 3 for correct region:

#!/bin/bash
export my_instance=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
export AWS_DEFAULT_REGION=us-east-1
aws ec2 modify-instance-attribute --instance-id "$my_instance" --no-source-dest-check

...and if it's for a NAT instance, you can modify your route table by adding this line (update route-table-id for the route table id used by your VPC):

aws ec2 replace-route --route-table-id rtb-01234567 --destination-cidr-block 0.0.0.0/0 --instance-id "$my_instance"

For this to work, your instance will need rights to update the attribute and replace the route...You can make that happen with an EC2 Role with the following policy statement, then specify the policy name on the IAM Role box (also in the EC2 wizard's Step 3, Configure Instance Details):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1413415456000",
      "Effect": "Allow",
      "Action": [
        "ec2:ModifyInstanceAttribute",
        "ec2:ReplaceRoute"
      ],
      "Resource": "*"
    }
  ]
}
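Worked example added here, not code from either answer: the same bootstrap, but reading the instance id and region from IMDSv2 instead of hard-coding the region, verifying the attribute afterwards, and emitting a policy scoped to the one instance and one route table rather than "Resource": "*". ACCOUNT_ID and ROUTE_TABLE_ID are hypothetical operator-supplied variables, and the aws CLI is assumed to be installed.

```shell
#!/bin/bash
# Added example (not from the original answers). Assumes the aws CLI is
# installed, IMDSv2 is reachable, and the operator exports ACCOUNT_ID and
# ROUTE_TABLE_ID (hypothetical names) before running with --apply.
set -eu

IMDS=http://169.254.169.254/latest

# Read one metadata path with an IMDSv2 session token instead of the
# unauthenticated v1 GET shown in the answer above.
imds_get() {
  token=$(curl -sS -X PUT "$IMDS/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
  curl -sS -H "X-aws-ec2-metadata-token: $token" "$IMDS/meta-data/$1"
}

# Emit the IAM policy with each action limited to the single resource it
# needs; "Resource": "*" would let this instance modify any instance
# attribute or any route table in the account.
scoped_policy() {
  region=$1; account=$2; instance=$3; rtb=$4
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "ec2:ModifyInstanceAttribute",
      "Resource": "arn:aws:ec2:${region}:${account}:instance/${instance}" },
    { "Effect": "Allow", "Action": "ec2:ReplaceRoute",
      "Resource": "arn:aws:ec2:${region}:${account}:route-table/${rtb}" }
  ]
}
EOF
}

# Bootstrap: nothing region-specific is hard-coded, the change is verified,
# and the scoped policy is printed so it can be attached to the role.
bootstrap() {
  instance=$(imds_get instance-id)
  region=$(imds_get placement/region)
  export AWS_DEFAULT_REGION=$region
  aws ec2 modify-instance-attribute --instance-id "$instance" --no-source-dest-check
  aws ec2 replace-route --route-table-id "$ROUTE_TABLE_ID" \
      --destination-cidr-block 0.0.0.0/0 --instance-id "$instance"
  aws ec2 describe-instance-attribute --instance-id "$instance" \
      --attribute sourceDestCheck --query 'SourceDestCheck.Value'
  scoped_policy "$region" "$ACCOUNT_ID" "$instance" "$ROUTE_TABLE_ID"
}

if [ "${1:-}" = "--apply" ]; then bootstrap; fi
```

Run it with `--apply` as the User Data script; without arguments it only defines the functions, so `scoped_policy` can be used on its own to generate the policy for an existing instance.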