
I am new to StackOverflow, please let me know if I need to edit this post to make it clearer.

Objective: access HTTP/HTTPS web app instances inside a private subnet through a WireGuard VPN located inside a public subnet (these subnets are all inside the same VPC).

Situation:

I have a VPC with:

  • 1 public subnet containing an EC2 instance running the WireGuard VPN
  • 4 private subnets, each containing an EC2 instance running its own web app (based on Bitnami images)

The WireGuard instance has its own security group and the other instances share the same security group as the VPC. There is a NAT gateway inside the public subnet and all outbound connections from the private subnets are routed to that NAT. I've set up a private hosted zone and added records to point domain names to instances inside the private subnets (i.e. sub.test.com points to 10.0.1.1, etc.). I've enabled port forwarding and unchecked 'source/destination' on the WireGuard EC2 instance.

Result: I can connect to the WireGuard instance through SSH and the WireGuard client, but cannot access the web app EC2 instances inside the private subnets.

Question: How can I access the instances inside the private subnets through the WireGuard instance inside the public subnet? (Is it a WireGuard config issue or a route table issue?)

Pat. ANDRIA
Jarred

2 Answers


You need to allow the HTTP/HTTPS ports (80/443) using your console and this document. You enter your security group and add the incoming rules.

PS: If you could access via SSH, that means that SSH (port 22) has already been authorized in your machine's security group. Simply add the other rules for HTTP and HTTPS.

Pat. ANDRIA
  • I've added the rules to the SG, but I still can't access the instances inside the private subnet via a web browser. However, I can ping them. Do you know how to solve this? – Jarred Oct 05 '20 at 13:40
  • would you try to look at this? https://askubuntu.com/questions/1041710/can-ping-apache-server-but-cannot-access-any-other-way – Pat. ANDRIA Oct 05 '20 at 14:02
  • I checked using nmap, it says ports 80/tcp, 443/tcp and 22/tcp are open – Jarred Oct 05 '20 at 14:33

Take a look at this tutorial that walks through each step of how to set up WireGuard with AWS private subnets -- it includes some troubleshooting suggestions for issues like this. Here are four things from it in particular to check if you're having trouble reaching apps in the private subnet from the WireGuard server:

  1. make sure the AllowedIPs setting in your WireGuard client config includes your private subnets (if the IPv4 CIDR block for your entire VPC is 10.0.0.0/16, that's probably what you want to set the client's AllowedIPs to)
  2. make sure the web app's security group allows inbound access from the WireGuard server's security group on the port range used by the web app (likely TCP ports 80 and 443)
  3. make sure the WireGuard server's security group allows outbound access to the web app -- the default outbound rules allow everything, which is fine -- but if you've customized the outbound rules, make sure they allow access to the web app security group on the port range used by the web app (likely TCP ports 80 and 443)
  4. make sure your network ACLs aren't blocking traffic between the public and private subnets -- the default ACL allows everything, which again is fine -- but if you've customized the ACLs for your subnets, you need to make sure traffic can flow from the public subnet to the private subnets on the port range used by the web app (likely TCP ports 80 and 443), and from the private subnets back to the public subnet on the ephemeral port range used by the OS that the WireGuard server is running on (TCP 1024-65535 to be safe)
Justin Ludwig
  • Hi Justin, thank you for your answer! I've checked out your article and have now got it set up. However I have an issue: I can connect to an internal database with a web client (i.e. pgAdmin), but I can't seem to be able to connect through a browser to my web apps located in the private subnets. I've checked the SGs, ACLs (unchanged from default) and routes; everything seems fine. Is it a WireGuard server routing issue? FYI when I try to connect it simply times out... Thanks for your help! – Jarred May 03 '21 at 18:12
  • Try running `curl` with the IP address of your web app (eg `curl 10.0.1.1`) from both the VPN server and from your workstation -- if it works from both, then it's probably a browser config issue (or if you were trying to use the app's DNS name, a DNS issue); if it doesn't work from either, then it's probably an AWS SG/NACL/route-table issue; and if it only works from the VPN server, then it's probably either an `AllowedIPs` issue in your workstation's WireGuard config or an IP forwarding/masquerading issue on the VPN server. – Justin Ludwig May 03 '21 at 23:05
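The four checks in Justin Ludwig's answer above can be turned into a small offline validator. The following is an added example, not code from the answer, the linked tutorial, or any AWS tooling: it parses the `AllowedIPs` lines out of a constructed WireGuard client config and evaluates simplified security-group and network-ACL rule tables (first-match, ascending rule number, implicit deny for the NACL; stateless, so the ephemeral-port return path is checked separately). The security-group ids (`sg-wireguard`, `sg-webapp`), the addresses (`10.0.0.10` for the VPN server, `10.0.1.1` for a web app, `10.0.0.0/24` as the public subnet) and the rule tables are all assumed sample data, not read from an account.

```python
"""Validator for the WireGuard-in-AWS checklist (added example, constructed data).

Rule tables are a simplified model of AWS security groups and NACLs, not boto3 output.
"""
import ipaddress

# Constructed WireGuard client config; keys and endpoint are placeholders.
CLIENT_CONF_GOOD = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/24

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.com:51820
# Tunnel range plus the whole VPC, so private-subnet hosts are routed into the tunnel.
AllowedIPs = 10.8.0.0/24, 10.0.0.0/16
"""

# Same config with the VPC CIDR left out: private-subnet addresses never enter the tunnel.
CLIENT_CONF_BAD = CLIENT_CONF_GOOD.replace(
    "AllowedIPs = 10.8.0.0/24, 10.0.0.0/16", "AllowedIPs = 10.8.0.0/24")

# Simplified SG rules: (protocol, from_port, to_port, source_or_destination).
# The last field is either a security-group id or a CIDR. "-1" means any protocol.
WEBAPP_SG_INBOUND = [
    ("tcp", 22, 22, "sg-wireguard"),
    ("tcp", 80, 80, "sg-wireguard"),
    ("tcp", 443, 443, "sg-wireguard"),
]
WIREGUARD_SG_OUTBOUND = [("-1", 0, 65535, "0.0.0.0/0")]  # AWS default: allow all

# Simplified NACL rules: (rule_number, action, protocol, from_port, to_port, cidr).
# Evaluated in ascending rule-number order, first match wins, implicit deny at the end.
PRIVATE_NACL_INBOUND = [
    (100, "allow", "tcp", 80, 80, "10.0.0.0/24"),       # from the public subnet
    (110, "allow", "tcp", 443, 443, "10.0.0.0/24"),
    (200, "allow", "tcp", 22, 22, "10.0.0.0/24"),
]
PRIVATE_NACL_OUTBOUND = [
    (100, "allow", "tcp", 1024, 65535, "10.0.0.0/24"),  # stateless: return traffic
]
# A customized outbound NACL that forgot the ephemeral range (the item-4 mistake).
PRIVATE_NACL_OUTBOUND_BROKEN = [(100, "allow", "tcp", 80, 443, "10.0.0.0/24")]


def parse_allowed_ips(conf):
    """Collect every AllowedIPs network from all [Peer] sections of a client config."""
    nets, section = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            nets.extend(ipaddress.ip_network(c.strip(), strict=False)
                        for c in value.split(",") if c.strip())
    return nets


def allowed_ips_cover(conf, target_ip):
    """Check 1: does some AllowedIPs entry contain the private-subnet target?"""
    ip = ipaddress.ip_address(target_ip)
    return any(ip in net for net in parse_allowed_ips(conf))


def sg_allows(rules, proto, port, peer_sg, peer_ip):
    """Checks 2 and 3: security groups are permissive-only, any matching rule allows."""
    ip = ipaddress.ip_address(peer_ip)
    for r_proto, lo, hi, ref in rules:
        if r_proto not in ("-1", proto):
            continue
        if r_proto != "-1" and not lo <= port <= hi:
            continue
        if ref.startswith("sg-"):
            if ref == peer_sg:
                return True
        elif ip in ipaddress.ip_network(ref, strict=False):
            return True
    return False


def nacl_allows(rules, proto, port, peer_ip):
    """Check 4: first matching rule by ascending number decides; no match means deny."""
    ip = ipaddress.ip_address(peer_ip)
    for _, action, r_proto, lo, hi, cidr in sorted(rules):
        if r_proto not in ("-1", proto):
            continue
        if r_proto != "-1" and not lo <= port <= hi:
            continue
        if ip in ipaddress.ip_network(cidr, strict=False):
            return action == "allow"
    return False  # implicit "*" deny


def run_checklist(client_conf, target_ip, wg_server_ip,
                  webapp_sg_in=WEBAPP_SG_INBOUND, wg_sg_out=WIREGUARD_SG_OUTBOUND,
                  nacl_in=PRIVATE_NACL_INBOUND, nacl_out=PRIVATE_NACL_OUTBOUND):
    """Return one boolean per checklist item (web app assumed on TCP 80 and 443)."""
    ports = (80, 443)
    ephemeral = (1024, 32768, 65535)  # edges and a typical Linux ephemeral port
    return {
        "1_allowed_ips_cover_target": allowed_ips_cover(client_conf, target_ip),
        "2_webapp_sg_inbound": all(
            sg_allows(webapp_sg_in, "tcp", p, "sg-wireguard", wg_server_ip) for p in ports),
        "3_wireguard_sg_outbound": all(
            sg_allows(wg_sg_out, "tcp", p, "sg-webapp", target_ip) for p in ports),
        "4a_nacl_in_from_public": all(
            nacl_allows(nacl_in, "tcp", p, wg_server_ip) for p in ports),
        "4b_nacl_out_ephemeral": all(
            nacl_allows(nacl_out, "tcp", p, wg_server_ip) for p in ephemeral),
    }


if __name__ == "__main__":
    for name, conf in (("good", CLIENT_CONF_GOOD), ("bad", CLIENT_CONF_BAD)):
        print(name, run_checklist(conf, "10.0.1.1", "10.0.0.10"))
```

Running it prints every item as `True` for the good config and only `1_allowed_ips_cover_target` as `False` for the bad one, which matches the symptom Justin's comment attributes to an `AllowedIPs` problem: the VPN server itself can reach the app, but the workstation's tunnel never carries the private-subnet traffic. Swapping in `PRIVATE_NACL_OUTBOUND_BROKEN` flips `4b_nacl_out_ephemeral`, the stateless return-path mistake from item 4.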