My server (Ubuntu 22.04) has two public IPs assigned. The server is configured to route all traffic through the second domain. Pritunl is using the first IP for WireGuard and OpenVPN. How can I tell Pritunl that it should use the other public IP?
Just in case someone stumbles on this: the NAT Interface Name option does not work on AWS EC2. I couldn't exactly figure out why, but this is my theory:
This is how it looks after you add a new ENI/NIC to your EC2:
[ec2-user@ip-10-255-x-x ~]$ route
Kernel IP routing table
Destination      Gateway          Genmask          Flags Metric Ref    Use Iface
default          ip-10-255....    0.0.0.0          UG    100    0        0 eth0
default          ip-10-255....    0.0.0.0          UG    101    0        0 eth1
ip-10-255-1-0.a  0.0.0.0          255.255.255.0    U     100    0        0 eth0
ip-10-255-1-0.a  0.0.0.0          255.255.255.0    U     101    0        0 eth1
Notice the Metric value for eth1 is greater than the eth0 value, making eth0 the primary/preferred gateway. Hence OpenVPN somehow figures this out, and in the server logs you can see these two lines:
us=573049 net_route_v4_best_gw query: dst 0.0.0.0
us=573122 net_route_v4_best_gw result: via 10.255.1.1 dev eth0
So even if you input a different value in the NAT Interface Name field in the Pritunl web UI, it practically has no effect.
This might be achievable with a new routing table and an IP rule for when to use that specific route table; example SO answer on how to do so.
But I'm unsure about it, since the underlying OpenVPN behavior is pretty much unknown to me.
Please don’t get me wrong; I’m not trying to place blame—just noting my findings in the hope that this helps someone.
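The "new routing table plus IP rule" idea from the reply above, worked through as an added example (this is not code from the thread, from Pritunl, or from AWS). It sets up source-based policy routing with iproute2 so that packets sourced from the second NIC's address, and optionally the NAT'd VPN client subnet, leave through that NIC's gateway instead of the lower-metric eth0 default in the main table. Interface name, addresses, table number and VPN subnet are constructed placeholders, and the rp_filter step and the VPN-subnet rule are my additions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the original thread. Source-based policy routing
# for a secondary NIC on a multi-homed Linux host. All addresses below are
# constructed placeholders; substitute your own.

# Emit the iproute2/sysctl commands for one secondary interface. Printing
# them (instead of running them directly) lets you review or dry-run first.
#   $1 dev      secondary interface, e.g. eth1
#   $2 addr     its primary private address, e.g. 10.255.1.20
#   $3 gw       the subnet gateway, e.g. 10.255.1.1
#   $4 table    a routing table number not used elsewhere, e.g. 100
#   $5 vpn_net  (optional) VPN client subnet to NAT out via this NIC
policy_route_cmds() {
    dev="$1"; addr="$2"; gw="$3"; table="$4"; vpn_net="$5"

    # Dedicated table with its own default route; only the rules below
    # ever consult it, so the main table (and eth0's metric) is untouched.
    echo "ip route replace default via $gw dev $dev table $table"
    # Anything sourced from the secondary address uses the dedicated table.
    # The daemon must actually bind/source from $addr for this to match.
    echo "ip rule add from $addr/32 lookup $table priority 1000"
    if [ -n "$vpn_net" ]; then
        # Assumption: VPN client traffic is MASQUERADEd. Steering it out via
        # $dev makes the kernel pick $dev's primary address as NAT source.
        echo "ip rule add from $vpn_net lookup $table priority 1001"
    fi
    # Strict reverse-path filtering would drop inbound packets on $dev whose
    # reverse lookup in the main table points at eth0; loose mode avoids that.
    echo "sysctl -w net.ipv4.conf.$dev.rp_filter=2"
}

# Run the generated commands (requires root; not persistent across reboots).
apply_policy_routing() {
    policy_route_cmds "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

# Read-only check of the resulting rules and table.
show_policy_routing() {
    ip rule show
    ip route show table "$1"
}

# Usage:
#   policy_route_cmds eth1 10.255.1.20 10.255.1.1 100 10.8.0.0/24   # dry run
#   apply_policy_routing eth1 10.255.1.20 10.255.1.1 100 10.8.0.0/24
#   show_policy_routing 100
```

The rules only take effect for packets whose source address matches, so the VPN daemon has to listen on or source from the second NIC's address; traffic sourced from eth0's address keeps following the main table exactly as before. To verify from outside, connect to the second public IP and confirm with tcpdump on eth1 that both the request and the reply cross that interface.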