1 vote

I am new to StackOverflow, please let me know if I need to edit this post to make it clearer.

Objective: Access web app instances inside a private subnet over HTTP/HTTPS via a wireguard vpn located inside a public subnet (these subnets are all inside the same VPC).

Situation:

I have a VPC with:

  • 1 public subnet containing an ec2 instance running wireguard VPN
  • 4 private subnets, each containing an ec2 instance running an individual web app (based on bitnami images)

The wireguard instance has its own security group and the other instances share the same security group as the VPC. There is a NAT gateway inside the public subnet and all outbound connections from private subnets are routed to that NAT. I've set up a private hosted zone and added records to point domain names to instances inside the private subnets (i.e. sub.test.com points to 10.0.1.1, etc.). I've enabled port forwarding and unchecked 'source/destination' on the wireguard ec2 instance.

Result: I can connect to the wireguard instance through SSH and wireguard client, but cannot access web apps ec2 inside private subnets.

Question: How can I access the instances inside the private subnets through the wireguard instance inside the public subnet? (Is it a wireguard config issue or a route table issue?)

Pat. ANDRIA: You need to allow http/https
Jarred: In which security group? Can you explain a little more?
Pat. ANDRIA: You have another thread here stackoverflow.com/questions/5309910/….

2 Answers

0
votes

Take a look at this tutorial that walks through each step of how to set up WireGuard with AWS private subnets -- it includes some troubleshooting suggestions for issues like this. Here are four things from it in particular to check if you're having trouble reaching apps in the private subnet from the WireGuard server:

  1. make sure the AllowedIPs setting in your WireGuard client config includes your private subnets (if the IPv4 CIDR block for your entire VPC is 10.0.0.0/16, that's probably what you want to set the client's AllowedIPs to)
  2. make sure the web app's security group allows inbound access from the WireGuard server's security group on the port range used by the web app (likely TCP port 80 and 443)
  3. make sure the WireGuard server's security group allows outbound access to the web app -- the default outbound rules allow everything, which is fine -- but if you've customized the outbound rules, make sure they allow access to the web app security group on the port range used by the web app (likely TCP port 80 and 443)
  4. make sure your network ACLs aren't blocking traffic between the public and private subnets -- the default ACL allows everything, which again is fine -- but if you've customized the ACLs for your subnets, you need to make sure traffic can flow from the public subnet to the private subnets on the port range used by the web app (likely TCP port 80 and 443), and from the private subnets back to the public subnet on the ephemeral port range used by the OS that the WireGuard server is running on (TCP 1024-65535 to be safe)
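To make the four checks concrete, here is an added Python model (not code from the answer or the linked tutorial) that evaluates them against a constructed VPC layout. The group ids, addresses, tunnel range and rules are made-up assumptions mirroring the question; the two scenarios differ only in the private subnet's outbound NACL, which is the stateless return-traffic failure mode item 4 warns about.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology mirroring the question: one public subnet holding the
# WireGuard instance, one private subnet holding a web app. All values are made up.
VPC_CIDR = "10.0.0.0/16"
PRIVATE_SUBNET = ipaddress.ip_network("10.0.1.0/24")
WG_SG, WEB_SG = "sg-wireguard", "sg-webapp"      # hypothetical security-group ids
WG_IP, WEB_IP = "10.0.0.10", "10.0.1.1"          # WireGuard server / web app private IPs
WEB_PORTS = (80, 443)
EPHEMERAL_SAMPLE = (1024, 32768, 65535)          # spot checks across TCP 1024-65535


@dataclass
class SgRule:
    """One security-group rule; peer is a CIDR or another group id (sg-...)."""
    proto: str        # "tcp" or "-1" for all protocols
    from_port: int
    to_port: int
    peer: str


@dataclass
class AclEntry:
    """One network ACL entry; evaluated lowest number first, first match wins."""
    number: int
    proto: str
    from_port: int
    to_port: int
    cidr: str
    allow: bool


def _peer_matches(rule_peer: str, peer: str) -> bool:
    # Group-id peers only match the same group id; CIDR peers match an address.
    if rule_peer.startswith("sg-") or peer.startswith("sg-"):
        return rule_peer == peer
    return ipaddress.ip_address(peer) in ipaddress.ip_network(rule_peer)


def sg_allows(rules, proto, port, peer) -> bool:
    """Security groups are allow-only and stateful: one matching rule permits
    the flow and its reply traffic."""
    return any(r.proto in ("-1", proto) and r.from_port <= port <= r.to_port
               and _peer_matches(r.peer, peer) for r in rules)


def nacl_allows(entries, proto, port, ip) -> bool:
    """Network ACLs are stateless: the reply direction needs its own entry.
    Traffic matching no entry hits the implicit deny."""
    for e in sorted(entries, key=lambda e: e.number):
        if (e.proto in ("-1", proto) and e.from_port <= port <= e.to_port
                and ipaddress.ip_address(ip) in ipaddress.ip_network(e.cidr)):
            return e.allow
    return False


def check_path(client_allowed_ips, wg_egress, web_ingress, private_acl_in, private_acl_out) -> dict:
    """Evaluate the answer's four items for a WireGuard client reaching the web app."""
    return {
        "1_client_allowed_ips_cover_private_subnet": any(
            PRIVATE_SUBNET.subnet_of(ipaddress.ip_network(c, strict=False))
            for c in client_allowed_ips),
        "2_web_sg_admits_wireguard_sg": all(
            sg_allows(web_ingress, "tcp", p, WG_SG) for p in WEB_PORTS),
        "3_wireguard_sg_egress_reaches_web": all(
            sg_allows(wg_egress, "tcp", p, WEB_SG) or sg_allows(wg_egress, "tcp", p, WEB_IP)
            for p in WEB_PORTS),
        "4_private_nacl_both_directions": (
            all(nacl_allows(private_acl_in, "tcp", p, WG_IP) for p in WEB_PORTS)
            and all(nacl_allows(private_acl_out, "tcp", p, WG_IP) for p in EPHEMERAL_SAMPLE)),
    }


# Items 1-3 done correctly; item 4 has a custom NACL that only allows the request direction.
CLIENT_ALLOWED_IPS = ["10.8.0.1/32", VPC_CIDR]      # hypothetical tunnel address + whole VPC
WG_EGRESS = [SgRule("-1", 0, 65535, "0.0.0.0/0")]   # the default outbound rule
WEB_INGRESS = [SgRule("tcp", 80, 80, WG_SG), SgRule("tcp", 443, 443, WG_SG)]
REQUEST_ACL_IN = [AclEntry(100, "tcp", 80, 80, "10.0.0.0/24", True),
                  AclEntry(110, "tcp", 443, 443, "10.0.0.0/24", True)]
NO_REPLY_ACL_OUT = []                               # forgot the ephemeral-port return entry
FIXED_ACL_OUT = [AclEntry(100, "tcp", 1024, 65535, "10.0.0.0/24", True)]


def broken_scenario() -> dict:
    return check_path(CLIENT_ALLOWED_IPS, WG_EGRESS, WEB_INGRESS, REQUEST_ACL_IN, NO_REPLY_ACL_OUT)


def fixed_scenario() -> dict:
    return check_path(CLIENT_ALLOWED_IPS, WG_EGRESS, WEB_INGRESS, REQUEST_ACL_IN, FIXED_ACL_OUT)


if __name__ == "__main__":
    for label, fn in (("custom NACL without return entry", broken_scenario),
                      ("custom NACL with return entry", fixed_scenario)):
        print(label)
        for item, ok in fn().items():
            print(f"  {'PASS' if ok else 'FAIL'} {item}")
```

Running it prints PASS for items 1-3 in both scenarios and FAIL for item 4 only in the first, which is exactly the symptom in the question: the SYN reaches the web app, but the SYN-ACK is dropped by the private subnet's outbound NACL because, unlike a security group, the ACL does not remember the inbound connection.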
0
votes

You need to allow the HTTP/HTTPS ports (80/443) using your console and this document. You enter them in your security group's inbound rules.

PS: If you could access via SSH, that means that SSH (port 22) has already been authorized in your machine's security group. Simply add the other rules for HTTP and HTTPS.