
SSH to private instances over OpenVPN network?

Answer

I've deployed the latest OpenVPN server using the `terraform-aws-service-catalog` production example. I can request and revoke certs, and connect with (non-revoked) certificates, and I can SSH to the private IP of the OpenVPN server and connect with my named user. I then deployed an EC2 instance to the private subnet of my app VPC, and tried to SSH to the instance using the private IP address of the instance (while connected to VPN), but I am getting a network timeout. I _can_ SSH into the EC2 instance if I use the OpenVPN server as a traditional bastion hop. The instance is configured with a security group rule to allow SSH access from the OpenVPN server (via a source security group rule, as opposed to CIDR block). How can I directly SSH to instances over the OpenVPN network?

The issue is that the OpenVPN server forwards the connection with your client's address on the VPN network as the source IP, and that address does not match the instance's security group rule, which only admits traffic from the OpenVPN server's security group. To allow direct access, you need to set up a security group rule on your instance that allows SSH from the VPN client subnet as a source CIDR block. The client subnet is controlled by the `vpn_subnet` input variable on the `openvpn-server` module. If you are using the default settings, the CIDR block for the client subnet is `172.16.1.0/24`. Once you add a security group rule allowing SSH from that IP range to the EC2 instance, you should be able to SSH through the VPN connection without hopping through the server.
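The rule described above, written as an added Terraform example. This is not code from the original page or from `terraform-aws-service-catalog`; the resource name `aws_security_group.app_instance` and the variable `vpn_client_cidr` are assumptions, and the default value mirrors the `openvpn-server` module's default `vpn_subnet`.

```hcl
# Added example (not from the original page or terraform-aws-service-catalog):
# a security group rule that admits SSH from the OpenVPN client subnet.
# Assumptions: the instance's security group is aws_security_group.app_instance,
# and vpn_client_cidr is kept in sync with the openvpn-server module's vpn_subnet.

variable "vpn_client_cidr" {
  description = "CIDR block assigned to OpenVPN clients; must match the openvpn-server module's vpn_subnet input."
  type        = string
  default     = "172.16.1.0/24"
}

# Allow SSH directly from VPN clients. The source is a CIDR block rather than a
# security group because a VPN client's traffic arrives with its tunnel address
# (172.16.1.x by default), which is not covered by the OpenVPN server's SG.
resource "aws_security_group_rule" "ssh_from_vpn_clients" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = [var.vpn_client_cidr]
  security_group_id = aws_security_group.app_instance.id # assumed resource name
  description       = "SSH from OpenVPN client subnet"
}
```

Keep the existing source-security-group rule if the bastion hop through the server should continue to work; the two rules are independent. Before widening the CIDR beyond the client subnet, confirm the address your VPN client was assigned (for example with `ip addr show tun0` on Linux) falls inside `vpn_subnet`, so the rule admits only VPN clients and nothing broader.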