Wednesday, 6 November 2024

Establishing a Site-to-Site VPN Between AWS and On-Premises with VyOS



This guide explains how to set up a VPN tunnel between your AWS Virtual Private Cloud (VPC) and an on-premises network using AWS’s VPN services on one side and VyOS as the VPN router locally.

Requirements:

• AWS VPC: an existing VPC containing the resources (RDS, EC2, etc.) that the on-premises network needs to reach.

• VyOS Router: a VyOS router in your data centre (DC), either hardware or virtual.

• Public IP Address: both ends need a public IP for connectivity, the VyOS router and the AWS side.

• Distinct Network CIDR Blocks: the private subnets on the VyOS side and on the AWS side must be different and must not overlap.

Step 1: Configure AWS VPC Side

  • In your existing VPC, create a Virtual Private Gateway with a unique name and attach it to the VPC for which you are configuring the site-to-site VPN. This gateway acts as the VPN endpoint on the AWS side.

  • Create a Customer Gateway that holds the DC VyOS/Vyatta router information: choose static routing and enter the public IP of the DC VyOS router.

  • Create the VPN connection: go to VPC, select Site-to-Site VPN Connections, choose Create VPN connection, and select the Virtual Private Gateway and Customer Gateway created above. Define the private CIDR of the AWS VPC and of the data centre; this is what links your DC and the AWS VPC.

  • Once the connection is created you get the option to download the VPN configuration. Select the VyOS-compatible configuration file; it contains the configuration details and the pre-shared secrets that need to be configured on VyOS.

Step 2: Configure VyOS Router Locally

Now, set up the VPN connection on your VyOS router to match the AWS configuration.
This is done in two phases.

Phase 1 (IKE) authenticates the two peers and negotiates the keys that encrypt the tunnel.

  • Take remote access to your router and enter configure mode:

configure

  • Configure the IKE group using the commands below:

set vpn ipsec ike-group TAWSDC_IKE lifetime '28800'

set vpn ipsec ike-group TAWSDC_IKE proposal 1 dh-group '2'

set vpn ipsec ike-group TAWSDC_IKE proposal 1 encryption 'aes256'

set vpn ipsec ike-group TAWSDC_IKE proposal 1 hash 'sha1'


Phase 2 (ESP/IPsec) protects the data moving through the tunnel.

  • Configure the ESP group using the commands below:

set vpn ipsec esp-group TAWSDC_ESP lifetime '3600'

set vpn ipsec esp-group TAWSDC_ESP pfs 'dh-group2'

set vpn ipsec esp-group TAWSDC_ESP proposal 1 encryption 'aes256'

set vpn ipsec esp-group TAWSDC_ESP proposal 1 hash 'sha1'

  • Here TAWSDC_IKE and TAWSDC_ESP are the IKE and ESP group names; you can choose your own, as long as the same names are used when the peer is configured below.

  • Now configure the VPN peer (the AWS tunnel outside IP) and the pre-shared secret according to the configuration file you downloaded. Replace each <placeholder> with the value from that file:

set vpn ipsec site-to-site peer <AWS tunnel outside IP> authentication mode pre-shared-secret

set vpn ipsec site-to-site peer <AWS tunnel outside IP> authentication pre-shared-secret '<pre-shared secret from AWS config>'

set vpn ipsec site-to-site peer <AWS tunnel outside IP> ike-group 'TAWSDC_IKE'

set vpn ipsec site-to-site peer <AWS tunnel outside IP> local-address '<VyOS public IP>'

set vpn ipsec site-to-site peer <AWS tunnel outside IP> tunnel 1 local prefix '<DC private subnet>'

set vpn ipsec site-to-site peer <AWS tunnel outside IP> tunnel 1 remote prefix '<AWS private subnet>'

set vpn ipsec site-to-site peer <AWS tunnel outside IP> tunnel 1 esp-group 'TAWSDC_ESP'

  • Apply and save the configuration:

commit

save

exit
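The requirement that the two private CIDRs do not overlap and the Step 2 peer configuration fit naturally in a small generator. The script below is an added example for this post, not code from the original article, from VyOS or from AWS: it checks the DC and VPC prefixes are disjoint with Python's ipaddress module, then emits the VyOS set commands in the VyOS 1.3 syntax used above, one peer block per AWS tunnel endpoint (an AWS Site-to-Site VPN provides two tunnels, so it goes slightly beyond the single peer shown in the post). Every IP address, subnet and pre-shared secret in it is a constructed sample value; the group names TAWSDC_IKE and TAWSDC_ESP are the ones used in the post.

```python
"""Generate VyOS site-to-site IPsec commands for an AWS VPN from the values
AWS hands you, after verifying that the DC and VPC CIDRs do not overlap.

Added example for this post; not code from the original article, VyOS or AWS.
All addresses, subnets and secrets below are constructed sample values.
"""
import ipaddress

# Group names as used in the post's Phase 1 / Phase 2 commands.
IKE_GROUP = "TAWSDC_IKE"
ESP_GROUP = "TAWSDC_ESP"


def cidrs_overlap(local_cidr: str, remote_cidr: str) -> bool:
    """True if the DC prefix and the VPC prefix overlap.

    strict=True rejects prefixes with host bits set (e.g. 10.10.1.0/16),
    which would otherwise be silently accepted and misconfigure the tunnel.
    """
    local = ipaddress.ip_network(local_cidr, strict=True)
    remote = ipaddress.ip_network(remote_cidr, strict=True)
    return local.overlaps(remote)


def group_commands() -> list[str]:
    """IKE (Phase 1) and ESP (Phase 2) group definitions from the post."""
    ike = f"set vpn ipsec ike-group {IKE_GROUP}"
    esp = f"set vpn ipsec esp-group {ESP_GROUP}"
    return [
        f"{ike} lifetime '28800'",
        f"{ike} proposal 1 dh-group '2'",
        f"{ike} proposal 1 encryption 'aes256'",
        f"{ike} proposal 1 hash 'sha1'",
        f"{esp} lifetime '3600'",
        f"{esp} pfs 'dh-group2'",
        f"{esp} proposal 1 encryption 'aes256'",
        f"{esp} proposal 1 hash 'sha1'",
    ]


def peer_commands(peer_ip: str, local_address: str, psk: str,
                  local_cidr: str, remote_cidr: str) -> list[str]:
    """Site-to-site peer block for one AWS tunnel outside IP (VyOS 1.3 syntax)."""
    if cidrs_overlap(local_cidr, remote_cidr):
        raise ValueError(f"DC prefix {local_cidr} overlaps VPC prefix {remote_cidr}")
    for addr in (peer_ip, local_address):
        ipaddress.ip_address(addr)  # raises ValueError on anything that is not an IP
    if not psk or "'" in psk:
        raise ValueError("pre-shared secret must be non-empty and contain no single quotes")
    p = f"set vpn ipsec site-to-site peer {peer_ip}"
    return [
        f"{p} authentication mode pre-shared-secret",
        f"{p} authentication pre-shared-secret '{psk}'",
        f"{p} ike-group '{IKE_GROUP}'",
        f"{p} local-address '{local_address}'",
        f"{p} tunnel 1 local prefix '{local_cidr}'",
        f"{p} tunnel 1 remote prefix '{remote_cidr}'",
        f"{p} tunnel 1 esp-group '{ESP_GROUP}'",
    ]


def full_config(vyos_public_ip: str, dc_cidr: str, vpc_cidr: str,
                tunnels: list[tuple[str, str]]) -> list[str]:
    """Groups plus one peer block per (AWS outside IP, pre-shared secret) pair."""
    cmds = group_commands()
    for peer_ip, psk in tunnels:
        cmds += peer_commands(peer_ip, vyos_public_ip, psk, dc_cidr, vpc_cidr)
    return cmds


if __name__ == "__main__":
    # Constructed sample values standing in for the downloaded AWS config.
    sample_tunnels = [("203.0.113.10", "Sample_PSK_tunnel1"),
                      ("203.0.113.11", "Sample_PSK_tunnel2")]
    for line in full_config("198.51.100.5", "10.10.0.0/16", "172.31.0.0/16", sample_tunnels):
        print(line)
    print("commit")
    print("save")
    print("exit")
```

Run it, paste the output into VyOS configure mode, and keep the generated file out of version control or any shared location, since it embeds the pre-shared secrets in clear text.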

Step 3: Add a route in the VPC subnet route tables so that traffic to the data centre is sent through the VPN.

  • Open the VPC route table, add a new route with the DC private CIDR as the destination and the Virtual Private Gateway as the target.

  • Save your changes.


Step 4: Test the Connection
  • Confirm the VPN status.

  • On the AWS side, in the Site-to-Site VPN section, confirm the tunnel is in the up state.

  • On VyOS, use the command below to check the tunnel status:
    show vpn ipsec site-to-site peer <AWS tunnel outside IP>

  • If the status is up, try to ping private IPs from both the



This completes your secure site-to-site VPN setup, linking AWS and your on-premises network through VyOS. This connection supports reliable data access and secure communication across cloud and local networks.

Written By Numan Gharte ( Cloud Engineer @Cloud.in)
