VPN Site-to-Site from Home Network to AWS

In this guide, we’ll walk you through the process of configuring a VPN Site-to-Site from your home network to AWS, enabling seamless and secure communication between the two environments.


Understanding VPN Site-to-Site

Before diving into the setup process, let’s briefly understand what a VPN Site-to-Site connection entails.

A VPN Site-to-Site connection establishes a secure, encrypted tunnel between two networks, allowing them to communicate as if they were directly connected. In our case, we’ll be connecting our home network to an AWS Virtual Private Cloud (VPC), effectively extending our network infrastructure to the cloud.

Prerequisites

Before proceeding, ensure you have the following prerequisites in place:

  • An AWS account with appropriate permissions to create VPC resources.
  • The public IP address of your home network (you can find it at link )

Configure AWS

  • Create a VPC with a private subnet
  • Create an EC2 instance and configure the inbound rules of its security group
  • Create a virtual private gateway
  • Set up the route table
  • Configure the Site-to-Site VPN and download the vendor configuration file

Create a new VPC with a CIDR block that does not conflict with your home network.

IPv4 CIDR: 10.0.0.0/16
Private subnet: subnet-09ea90bc4428089cc / subnet-private-1a, 10.0.32.0/20


Create a new EC2 instance in subnet-private-1 for testing if you do not already have one.

Private IP: 10.0.44.45


EC2 security group inbound setting (allow the ping test only)


Creating a virtual private gateway


Attach it to the VPC that will be the destination of the Site-to-Site VPN connection.


Edit route table

In the route table of the private subnet in the destination VPC, add a route whose destination is the local network segment and whose target is the virtual private gateway.


Site to Site VPN settings

IP address: your public IP address

Static IP prefixes: local network segment (192.168.0.0/16)

VPN Site-to-Site

VPN config download

Choose Strongswan as the vendor and ikev2 as the IKE version.


Configure the following settings according to the downloaded file.

Configure Local network

  • Stop firewall
  • Kernel parameter setting
  • strongswan installation
  • strongswan settings
  • strongswan start
  • Verify Connectivity

My Ubuntu server IP: 192.168.0.120

VPN server setting

Stop firewall


Kernel parameter setting

sudo vi /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

sudo sysctl -p

strongswan installation

Install with the following command.

sudo apt update
sudo apt install -y strongswan

strongswan settings (/etc/ipsec.conf)

Create a new file at /etc/ipsec.conf if it doesn’t already exist, and then open it. Add the following under the ‘config setup’ section:

sudo vi /etc/ipsec.conf

	charondebug="all"
	uniqueids=yes
	strictcrlpolicy=no

Append the following configuration to the end of the file:

conn Tunnel1
	type=tunnel
	auto=start
	keyexchange=ikev2
	authby=psk
	leftid=<Global IP address of connection source>
	leftsubnet= <On-premises CIDR Range>
	right=<Connection destination global IP address/Tunnel 1>
	rightsubnet= <VPC CIDR range>
	aggressive=no
	ikelifetime=28800s
	lifetime=3600s
	margintime=270s
	rekey=yes
	rekeyfuzz=100%
	fragmentation=yes
	replay_window=1024
	dpddelay=30s
	dpdtimeout=120s
	dpdaction=restart
	ike=aes128-sha1-modp1024
	esp=aes128-sha1-modp1024
	keyingtries=%forever
conn Tunnel2
	type=tunnel
	auto=start
	keyexchange=ikev2
	authby=psk
	leftid=<Global IP address of connection source>
	leftsubnet= <On-premises CIDR Range>
	right=<Connection destination global IP address/Tunnel 2>
	rightsubnet= <VPC CIDR range>
	aggressive=no
	ikelifetime=28800s
	lifetime=3600s
	margintime=270s
	rekey=yes
	rekeyfuzz=100%
	fragmentation=yes
	replay_window=1024
	dpddelay=30s
	dpdtimeout=120s
	dpdaction=restart
	ike=aes128-sha1-modp1024
	esp=aes128-sha1-modp1024
	keyingtries=%forever

strongswan settings (/etc/ipsec.secrets)

Create a new file at /etc/ipsec.secrets if it doesn’t already exist, and append the pre-shared key line from the downloaded configuration file. This value authenticates the tunnel endpoints:

sudo vi /etc/ipsec.secrets

strongswan start

sudo ipsec restart
sudo ipsec status

Verify Connectivity

Ping the IP address of the private EC2 instance from the local Ubuntu server:

ping 10.0.44.45
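As an added example (not code from this post or from AWS's vendor file), the following script audits an ipsec.conf stanza for the weak algorithms in the default proposal above (SHA-1 integrity, 1024-bit DH) and checks tunnel state in saved `ipsec statusall` output, so you can verify the tunnels beyond a single ping. The sample files and the stronger proposal it compares against are constructed here; the assumption is that the AWS tunnel options were left at their defaults, which accept AES-256, SHA-256 and DH group 14.

```shell
#!/bin/sh
# Added example (not from the post or AWS's vendor file): audit ipsec.conf
# proposals and check tunnel state. All inputs below are constructed.

# audit_proposals FILE: print each ike=/esp= line using a weak algorithm;
# return 1 if any were found, 0 otherwise.
audit_proposals() {
  _weak=0
  while IFS= read -r _line; do
    _line=$(printf '%s' "$_line" | sed 's/^[[:space:]]*//')
    case "$_line" in
      ike=*|esp=*)
        if printf '%s' "$_line" | grep -Eqi 'sha1|md5|3des|modp768|modp1024'; then
          printf 'WEAK: %s\n' "$_line"; _weak=1
        fi ;;
    esac
  done < "$1"
  return "$_weak"
}

# tunnel_up STATUSFILE CONN: 0 if CONN shows an ESTABLISHED IKE_SA and an
# INSTALLED CHILD_SA in saved `sudo ipsec statusall` output, else 1.
tunnel_up() {
  grep -Eq "^ *$2\[[0-9]+\]: ESTABLISHED" "$1" &&
  grep -Eq "^ *$2\{[0-9]+\}: +INSTALLED" "$1"
}

WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp); STATUS=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF" "$STATUS"' EXIT
# The page's proposal (AWS's default download) ...
printf '\tike=aes128-sha1-modp1024\n\tesp=aes128-sha1-modp1024\n' > "$WEAK_CONF"
# ... and a stronger one (AES-256, SHA-256, DH group 14). Assumption: the AWS
# tunnel options are at their defaults, which accept these algorithms.
printf '\tike=aes256-sha256-modp2048\n\tesp=aes256-sha256-modp2048\n' > "$HARD_CONF"
# Constructed `ipsec statusall` excerpt: Tunnel1 up, Tunnel2 still negotiating.
cat > "$STATUS" <<'EOF'
Security Associations (1 up, 1 connecting):
     Tunnel1[3]: ESTABLISHED 12 minutes ago, 192.168.0.120[203.0.113.10]...198.51.100.5[198.51.100.5]
     Tunnel1[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     Tunnel1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3c4_i d4e5f6a7_o
     Tunnel1{1}:   192.168.0.0/16 === 10.0.0.0/16
     Tunnel2[4]: CONNECTING, 192.168.0.120[%any]...198.51.100.6[%any]
EOF

audit_proposals "$WEAK_CONF" || echo "default proposal should be hardened"
audit_proposals "$HARD_CONF" && echo "hardened proposal: no weak algorithms"
for c in Tunnel1 Tunnel2; do
  tunnel_up "$STATUS" "$c" && echo "$c: up" || echo "$c: DOWN"
done
```

On the real host, point audit_proposals at /etc/ipsec.conf and tunnel_up at a file saved from `sudo ipsec statusall`; both tunnels should report up before you rely on the connection.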

To test the connection from the private EC2 instance to the local Ubuntu server, you can install the SSM agent on the EC2 instance.


Conclusion

By following these steps, you’ve successfully set up a VPN Site-to-Site connection from your home network to AWS, enabling secure communication between the two environments. This setup enhances security by encrypting traffic over the internet and facilitates seamless access to cloud resources from the comfort of your home network. Experiment with different configurations and explore additional AWS networking features to optimize performance and security based on your specific requirements.

Thank you for reading the DevopsRoles page!


About Dang Nhu Hieu

I'm Vietnamese. In the past, I was a software developer; now I'm working in Japan on an Infra team. Skills: AWS, VMware, HA architecture, setting up databases: Oracle DB, PostgresDB, ... Programming languages: Java, C#, Python, Bash (Linux), Batch (Windows), PowerShell, ... Hobbies: badminton, film photography, travel. https://www.linkedin.com/in/hieu-dang-15a0561a6/
