How to build a VPN in AWS
- Create VPC-A in us-west-2 on 10.100.0.0/16 with an IGW and a public subnet on 10.100.0.0/24
- Create VPC-B in us-east-2 on 10.200.0.0/16 with an IGW and a public subnet on 10.200.0.0/24
- Create EC2-A in 10.100.0.0/24 with all TCP & ICMP ports open to 10.200.0.0/24
- Create EC2-B in 10.200.0.0/24 with all TCP & ICMP ports open to 10.100.0.0/24
- Allocate EC2-B an Elastic IP address
- Create a Virtual Private Gateway (VGW) attached to VPC-A
- Create a Customer Gateway (CGW) referencing EC2-B's Elastic IP address
- Create a VPN Connection (VPN) referencing the VGW, the CGW and the static route 10.200.0.0/24
- Download the Generic VPN configuration file
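# Turn EC2-B into the customer-gateway end of an IPsec tunnel to the AWS
# Virtual Private Gateway attached to VPC-A, using Openswan.
# The first two lines are interactive: connect to EC2-B and become root.
# Everything after them runs as root on EC2-B.
ssh -i "<key>" "ec2-user@<EC2-B-IP>"
sudo su
yum -y install openswan

# EC2-B now forwards traffic for its VPC, so enable IP forwarding and stop
# it from sending or accepting ICMP redirects.
cat >> /etc/sysctl.conf << 'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
# Load the new settings now; restarting the network service alone may not
# re-read /etc/sysctl.conf.
sysctl -p
service network restart

# Extract the following values from the downloaded Generic VPN configuration
# file (Tunnel #1 only). The PSK is a secret: a value typed at the prompt is
# kept in shell history, so prefer `read -rs PSK` or clear the history after.
CGW_IP="<Customer Gateway IP>"
VGW_IP="<Virtual Private Gateway IP>"
PSK="<Pre-Shared Key>"
# Abort early rather than writing an ipsec.conf with empty fields.
: "${CGW_IP:?Customer Gateway IP is required}"
: "${VGW_IP:?Virtual Private Gateway IP is required}"
: "${PSK:?Pre-Shared Key is required}"

# Openswan connection definition: 'left' is this host (the CGW side),
# 'right' is the AWS VGW. Parameter lines are indented so the parser treats
# them as part of the conn section.
# NOTE(review): modp1024 (DH group 2) with SHA-1 is a weak proposal; AWS VGWs
# also accept modp2048 (group 14) and SHA-2 — prefer those if the downloaded
# configuration lists them.
# NOTE(review): the subnets below are the whole VPC CIDRs, while the VPN
# static route created earlier was 10.200.0.0/24 — confirm this is intended.
# The original gist had a typo in rightsubnet ("10.100.0.0./16"); fixed here.
cat > /etc/ipsec.d/aws-vpn.conf << EOF
conn Tunnel1
  authby=secret
  auto=start
  left=%defaultroute
  leftid=${CGW_IP}
  right=${VGW_IP}
  type=tunnel
  ikelifetime=8h
  keylife=1h
  phase2alg=aes128-sha1;modp1024
  ike=aes128-sha1;modp1024
  keyingtries=%forever
  keyexchange=ike
  leftsubnet=10.200.0.0/16
  rightsubnet=10.100.0.0/16
  dpddelay=10
  dpdtimeout=30
  dpdaction=restart_by_peer
EOF

# The secrets file holds the PSK in clear text; create it root-only so it is
# never world-readable, even briefly.
(
  umask 077
  cat > /etc/ipsec.d/aws-vpn.secrets << EOF
${CGW_IP} ${VGW_IP}: PSK "${PSK}"
EOF
)
chmod 600 /etc/ipsec.d/aws-vpn.secrets

# Start the tunnel now and on every boot.
chkconfig ipsec on
service ipsec start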