Issue
I am new to StackOverflow, please let me know if I need to edit this post to make it clearer.
Objective: Access web app instances inside a private subnet over HTTP/HTTPS via a WireGuard VPN located inside a public subnet (these subnets are all inside the same VPC).
Situation:
I have a VPC with:
- 1 public subnet containing an EC2 instance running WireGuard VPN
- 4 private subnets, each containing an EC2 instance running an individual web app (based on Bitnami images)

The WireGuard instance has its own security group and the other instances share the same security group as the VPC. There is a NAT gateway inside the public subnet and all outbound connections from private subnets are routed to that NAT. I've set up a private hosted zone and added records to point domain names to instances inside the private subnets (i.e. sub.test.com points to 10.0.1.1, etc.). I've enabled port forwarding and unchecked 'source/destination' on the WireGuard EC2 instance.
Result: I can connect to the WireGuard instance through SSH and the WireGuard client, but cannot access the web app EC2 instances inside the private subnets.
Question: How can I access the instances inside the private subnets through the WireGuard instance inside the public subnet? (Is it a WireGuard config issue or a route table issue?)
Solution
Take a look at this tutorial that walks through each step of how to set up WireGuard with AWS private subnets -- it includes some troubleshooting suggestions for issues like this. Here are four things from it in particular to check if you're having trouble reaching apps in the private subnet from the WireGuard server:
- make sure the `AllowedIPs` setting in your WireGuard client config includes your private subnets (if the IPv4 CIDR block for your entire VPC is `10.0.0.0/16`, that's probably what you want to set the client's `AllowedIPs` to)
- make sure the web app's security group allows inbound access from the WireGuard server's security group on the port range used by the web app (likely TCP port `80` and `443`)
- make sure the WireGuard server's security group allows outbound access to the web app -- the default outbound rules allow everything, which is fine -- but if you've customized the outbound rules, make sure they allow access to the web app security group on the port range used by the web app (likely TCP port `80` and `443`)
- make sure your network ACLs aren't blocking traffic between the public and private subnets -- the default ACL allows everything, which again is fine -- but if you've customized the ACLs for your subnets, you need to make sure traffic can flow from the public subnet to the private subnets on the port range used by the web app (likely TCP port `80` and `443`), and from the private subnets back to the public subnet on the ephemeral port range used by the OS that the WireGuard server is running (TCP `1024-65535` to be safe)
Answered By - Justin Ludwig
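An added example (not code from the question or the answer) for the first item in the answer's checklist: it parses the `AllowedIPs` lines of a constructed WireGuard client config and reports which private subnets the tunnel would not carry, which is exactly the case where the client reaches the VPN server but nothing behind it. The 10.8.0.0/24 tunnel range, the endpoint name, the key placeholders and the four /24 private subnets are assumed values chosen to match the VPC layout described in the question.

```python
import ipaddress
import re

# Constructed sample WireGuard client config (assumed values, not from the post).
# Only the tunnel's own range is routed, so packets for 10.0.x.x never enter it.
CLIENT_CONF_TOO_NARROW = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/24

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = wg.example.com:51820
AllowedIPs = 10.8.0.0/24
"""

# The fix the answer suggests: route the whole VPC CIDR through the tunnel.
CLIENT_CONF_FIXED = CLIENT_CONF_TOO_NARROW.replace(
    "AllowedIPs = 10.8.0.0/24", "AllowedIPs = 10.8.0.0/24, 10.0.0.0/16")

# Private subnets hosting the web apps (assumed, one per app as in the question).
PRIVATE_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"]


def parse_allowed_ips(conf_text):
    """Return every network listed on an AllowedIPs line of a wg config."""
    nets = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*AllowedIPs\s*=\s*(.+)", line)
        if m:
            for cidr in m.group(1).split(","):
                nets.append(ipaddress.ip_network(cidr.strip(), strict=False))
    return nets


def uncovered_subnets(conf_text, private_subnets):
    """Private subnets that no AllowedIPs entry contains (traffic to these
    bypasses the tunnel and is sent via the client's normal default route)."""
    allowed = parse_allowed_ips(conf_text)
    missing = []
    for cidr in private_subnets:
        subnet = ipaddress.ip_network(cidr)
        if not any(subnet.subnet_of(net) for net in allowed
                   if net.version == subnet.version):
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    print("narrow config misses:", uncovered_subnets(CLIENT_CONF_TOO_NARROW, PRIVATE_SUBNETS))
    print("fixed config misses: ", uncovered_subnets(CLIENT_CONF_FIXED, PRIVATE_SUBNETS))
```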