The issue is that currently when a user is connected to VPN for the DNS resolution into EC2 instances private IPs we are using
dnsmasq service on the VPN-host which has a
/etc/dnsmasq.hosts file where are manually added private IPs for necessary domains.
You can read more about the current setup in the OpenVPN: настройки DNS и dnsmasq post (Rus).
More correct way is to use AWS VPC’s DNS Resolve option. You can read more about DNS in AWS VPC in the DNS: установка BIND, DNS Load Balancing и network-based routing через view post (Rus).
VPC DNS Resolution documentation – Enabling DNS Resolution Support for a VPC Peering Connection.
The post below describes configuring DNS resolution between VPC with OpenVPN and VPC with ЕС2 where we have our Bitwarden passwords manager running (see Bitwarden: an organization’s password manager self-hosted version installation on an AWS EC2). This ЕС2 has Elastic IP attached, and there is domain name accounts.example.com which is pointed to this EIP via AN A record.
Docs – DNS Support in Your VPC.
If a VPC has no DNS Hostnames enabled – first need to turn it on.
Then VPC will assign public domain names to public IPs for instances in this VPC which can be used then to resolve them to private IPs.
I.e. when resolving a domain from the world – it will be resolved to its public IP but if call it from a VPC – it will be resolved to a private IP of an instance in this VPC.
Go to the VPC, find your VPC, select Edit DNS Hostnames:
Enable the DNS Hostnames:
Next – turn on DNS resolution via between VPCs via their peering.
Go to the VPC > Peering Connections, chose your peering, select Edit DNS Settings:
Enable both options here:
Now let’s check.
First from the office, to check DNS resolution from the world:
[setevoy@setevoy-arch-work ~] $ dig ec2-63-***-***-138.eu-west-1.compute.amazonaws.com +short 63.***.***.138
And now – from the host where is OpenVPN is running, to check how the resolution will work from via VPC peering:
openvpnas@openvpnas2:~$ dig ec2-63-***-***-138.eu-west-1.compute.amazonaws.com +short 172.31.41.159
172.31.41.159 – is the private IP of the Bitwarden instance, all good.
Next, need to update Route53 record for the accounts.examle.com domain, as it has
IN A with Public IP of the Bitwarden’s EC2. Change it to
CNAME and set the Public DNS name of this instance:
Wait a couple of minutes to propagate DNS, and check from the office again:
[setevoy@setevoy-arch-work ~] $ dig accounts.examle.com +short ec2-***-***-252-138.eu-west-1.compute.amazonaws.com. 63.***.***.138
And from the OpenVPN instance:
openvpnas@openvpnas2:~$ dig accounts.examle.com +short ec2-63-***-***-138.eu-west-1.compute.amazonaws.com. 172.31.41.159
Again got 172.31.41.159 – all works.
Go to the VPN Settings and set a private IP of a DNS in this VPC.
DNS in a VPC always as address like .2.
In this current case, we have VPC for OpenVPN with the 10.0.10.0/24 CIDR, therefore DNS will be on the 10.0.10.2:
You can check if DNS is available from any host in this VPC:
openvpnas@openvpnas2:~$ dig @10.0.10.2 ya.ru +short 220.127.116.11
Now go to the OpenVPN admin page and set DNS:
Connect to the VPN from the office:
[setevoy@setevoy-arch-work ~] $ sudo openvpn --config vpnroot-client.ovpn ... Thu May 16 12:05:31 2019 /etc/openvpn/update-resolv-conf tun0 1500 1553 172.27.240.75 255.255.248.0 init dhcp-option DNS 10.0.10.2 ...
And check the accounts.examle.com domain:
[setevoy@setevoy-arch-work ~] $ dig accounts.examle.com +short ec2-63-***-***-138.eu-west-1.compute.amazonaws.com. 172.31.41.159
172.31.41.159 again – all works.
- 02/21/2019 OpenVPN: OpenVPN Access Server set up and AWS VPC peering configuration (0)
- 02/22/2019 OpenVPN: DNS and dnsmasq configuration (0)