I have just configured a PPTP VPN server in an AWS VPC subnet. However, I am unable to ping through to other hosts in the same subnet (as the VPN server). I am not sure whether I am overlooking a general network configuration, a pptp / ppp configuration, or if this is something specifically related to AWS that I'm missing.
The VPN server is configured in a VPC subnet 172.16.0.0/24 with a public EIP associated to it. Once I've made a VPN connection from a client, I can ping the VPN server's 172.16 interface, but nothing beyond that.
VPN server IP: 172.16.0.235. VPN client IP: 192.168.11.11 (with route 172.16.0.0/16 via vpn interface)
vpnserver$ ping 172.16.0.200
64 bytes from 172.16.0.200
vpnclient$ ping 172.16.0.235
64 bytes from 172.16.0.235
vpnclient$ ping 172.16.0.200
timed out
On any other host on the 172.16.0.0/24 subnet, I never get the ICMP echo request packet, although I see the packet on the VPN server:
vpnserver$ tcpdump -nn icmp
13:53:07.714010 IP 192.168.11.11 > 172.16.0.200: ICMP echo request, id 1, seq 1, length 40
172-16-0-200$ tcpdump -nn icmp
<no packet>
I have checked iptables: there are no rules and the default policy is ACCEPT (for all chains in the filter and nat tables). Forwarding is enabled:
vpnserver$ cat /proc/sys/net/ipv4/ip_forward
1
vpnserver$ route -n
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.0.1 0.0.0.0 UG 0 0 0 eth0
172.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.11.11 0.0.0.0 255.255.255.255 UH 0 0 0 pptp0
I have configured an AWS security group, which both the VPN server and the test target (172.16.0.200) are in, that has no restrictions (allows all traffic). I have configured a route in the VPC route table used for 172.16.0.0/24 to route via the VPN server, which would be needed for the ICMP echo reply without NAT, but the echo request is not even getting to the host.
Any ideas as to what I am doing wrong? Something needed in ppp configuration to allow routing? I can't see anything wrong with the network config, and I'm wondering if there's something AWS might be doing between the vpnserver and other hosts that's blocking the packets? Or is it simpler than that?
AWS was enabling source/destination checks, which were blocking the traffic.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance.
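A way to audit and apply the fix from the answer programmatically, as an added example that is not part of the original question or answer: the script below uses boto3 to read the instance's sourceDestCheck attribute, confirms the subnet's route table has a return route for the VPN client range pointed at the instance (the other VPC-side prerequisite the question mentions), and optionally disables the check with modify_instance_attribute. The instance id, subnet id, client CIDR and the sample API responses are constructed for illustration; the checking logic is pure so it runs offline, and boto3 is imported only on the live path.

```python
"""Audit the two VPC-side conditions a forwarding (VPN/NAT) instance needs:

  1. source/destination check disabled on the instance (the fix in the answer above)
  2. the subnet's route table sends the VPN client range back to the instance,
     otherwise echo replies from 172.16.0.x hosts have no path to the client

Added example, not code from the original post. Instance/subnet ids and the
client CIDR are assumptions; the sample responses mirror the EC2 API shape.
"""
from typing import Dict, List

INSTANCE_ID = "i-0123456789abcdef0"   # assumed VPN server instance id
SUBNET_ID = "subnet-0abc1234"         # assumed id of the 172.16.0.0/24 subnet
CLIENT_CIDR = "192.168.11.0/24"       # assumed PPTP client pool (client in post: 192.168.11.11)


def src_dest_check_enabled(attr_response: Dict) -> bool:
    """Interpret ec2.describe_instance_attribute(Attribute='sourceDestCheck')."""
    return bool(attr_response["SourceDestCheck"]["Value"])


def return_route_present(rt_response: Dict, client_cidr: str, instance_id: str) -> bool:
    """True if any route table in a describe_route_tables response has an active
    route for client_cidr whose target is the given instance."""
    for table in rt_response.get("RouteTables", []):
        for route in table.get("Routes", []):
            if route.get("DestinationCidrBlock") != client_cidr:
                continue
            if route.get("State", "active") != "active":
                continue          # blackholed routes (e.g. stopped instance) do not count
            if route.get("InstanceId") == instance_id:
                return True
    return False


def audit(attr_response: Dict, rt_response: Dict, instance_id: str,
          client_cidr: str = CLIENT_CIDR) -> List[str]:
    """Return a list of human-readable findings; empty means both checks pass."""
    findings = []
    if src_dest_check_enabled(attr_response):
        findings.append(f"source/destination check is enabled on {instance_id}; "
                        "packets it forwards for other hosts are dropped")
    if not return_route_present(rt_response, client_cidr, instance_id):
        findings.append(f"no active route for {client_cidr} via {instance_id} "
                        "in the subnet route table; replies cannot reach the clients")
    return findings


def disable_src_dest_check(ec2, instance_id: str) -> None:
    """The actual fix: equivalent to 'Change Source/Dest. Check' -> Disabled in the console."""
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  SourceDestCheck={"Value": False})


def live_audit(instance_id: str = INSTANCE_ID, subnet_id: str = SUBNET_ID,
               client_cidr: str = CLIENT_CIDR, fix: bool = False) -> List[str]:
    """Run the audit against a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the offline helpers above need no AWS access
    ec2 = boto3.client("ec2")
    attr = ec2.describe_instance_attribute(InstanceId=instance_id, Attribute="sourceDestCheck")
    rts = ec2.describe_route_tables(
        Filters=[{"Name": "association.subnet-id", "Values": [subnet_id]}])
    if not rts["RouteTables"]:
        # Subnet has no explicit association: it uses the VPC's main route table.
        vpc_id = ec2.describe_subnets(SubnetIds=[subnet_id])["Subnets"][0]["VpcId"]
        rts = ec2.describe_route_tables(
            Filters=[{"Name": "vpc-id", "Values": [vpc_id]},
                     {"Name": "association.main", "Values": ["true"]}])
    findings = audit(attr, rts, instance_id, client_cidr)
    if fix and src_dest_check_enabled(attr):
        disable_src_dest_check(ec2, instance_id)
    return findings


# Constructed sample responses in the shape the EC2 API returns (not real data).
SAMPLE_ATTR_ON = {"InstanceId": INSTANCE_ID, "SourceDestCheck": {"Value": True}}
SAMPLE_ATTR_OFF = {"InstanceId": INSTANCE_ID, "SourceDestCheck": {"Value": False}}
SAMPLE_RT_OK = {"RouteTables": [{"RouteTableId": "rtb-0aaa", "Routes": [
    {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb", "State": "active"},
    {"DestinationCidrBlock": CLIENT_CIDR, "InstanceId": INSTANCE_ID,
     "NetworkInterfaceId": "eni-0ccc", "State": "active"}]}]}
SAMPLE_RT_MISSING = {"RouteTables": [{"RouteTableId": "rtb-0aaa", "Routes": [
    {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb", "State": "active"}]}]}

if __name__ == "__main__":
    # Offline demonstration of the symptom in the question: check on, route present.
    for finding in audit(SAMPLE_ATTR_ON, SAMPLE_RT_OK, INSTANCE_ID):
        print("FINDING:", finding)
```

Run live_audit(fix=True) with real ids to apply the change; the route check is there because disabling the source/destination check only lets the forwarded echo request leave the instance, while the reply from 172.16.0.200 still needs a VPC route for the client range pointing back at the VPN instance.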