
Set up VGW on AWS with OpenSwan

You will need two VPCs. The Internet VPC holds the Internet Gateway, the NAT Gateway and the OpenSwan EC2 instance that terminates the VPN. The Project VPC holds your application or Kubernetes cluster; its only path out is the Virtual Private Gateway (VGW), so all of its traffic crosses the tunnel to the OpenSwan instance.

Internet VPC

  • VPC CIDR: 10.230.30.0/24
  • Private Subnet: 10.230.30.128/25 - Route Table with 0.0.0.0/0 to the NAT Gateway
  • Public Subnet: 10.230.30.0/25 - Route Table with 0.0.0.0/0 to the IGW and 10.224.36.0/23 to the OpenSwan instance (its network interface)
  • NAT Gateway in the public subnet with Elastic IP 52.15.61.171 (the OpenSwan instance sits behind it, so this is the address the VGW sees as its customer gateway)
  • IGW attached to the VPC

Project VPC

  • VPC CIDR: 10.224.36.0/23
  • Private Subnets: Any - Route Table with 0.0.0.0/0 to NAT
  • Public Subnets: Any - Route Table with 0.0.0.0/0 to the VGW
  • Customer Gateway with IP address 52.15.61.171 (the NAT Gateway in the Internet VPC)
  • VPN Connection using static routing, with a static route of 0.0.0.0/0

Once the VPN Connection's state is available, download its configuration for OpenSwan from the console. The file contains the pre-shared keys and the VGW outside addresses, so treat it as a secret.
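The two-VPC design above, as an added example that is not part of the original gist: a bash script that checks the design for the two mistakes that silently break it (overlapping VPC CIDRs, or a VPC-internal address used as the Customer Gateway) and prints the AWS CLI calls that build the VGW side and the Internet VPC route. The CIDRs and the NAT Gateway EIP are the ones on this page; every `<...-id>` is a placeholder you fill in from your own account. Note that `describe-vpn-connections` returns the generic XML configuration; the OpenSwan-formatted file is the one downloaded from the console.

```bash
#!/usr/bin/env bash
# Added example, not from the original gist: sanity-check the two-VPC design and
# print the AWS CLI calls that build the VGW side of it.
# CIDRs and the NAT EIP are the ones used on this page; every <...-id> is a
# placeholder you fill in from your own account.
set -euo pipefail

INTERNET_VPC_CIDR="10.230.30.0/24"
PROJECT_VPC_CIDR="10.224.36.0/23"
NAT_EIP="52.15.61.171"   # EIP of the NAT Gateway in the Internet VPC; the VGW sees OpenSwan as this address

# Dotted quad -> 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A B: exit 0 if the two CIDRs share any address, i.e. they agree
# on the bits covered by the shorter of the two prefixes.
cidr_overlap() {
  local abits="${1#*/}" bbits="${2#*/}"
  local bits=$(( abits < bbits ? abits : bbits ))
  local mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# check_design: the two things that silently break this setup.
check_design() {
  if cidr_overlap "$INTERNET_VPC_CIDR" "$PROJECT_VPC_CIDR"; then
    echo "VPC CIDRs overlap: the 0.0.0.0/0 static route and the tunnel selectors become ambiguous" >&2
    return 1
  fi
  # The Customer Gateway address must be the NAT Gateway's public EIP, never a VPC-internal address.
  for private in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    if cidr_overlap "$NAT_EIP/32" "$private"; then
      echo "$NAT_EIP is RFC 1918; the Customer Gateway must be the NAT Gateway's public EIP" >&2
      return 1
    fi
  done
}

# print_aws_cli: emit (not run) the calls that create the VGW side; the IDs come
# from the previous calls' output. describe-vpn-connections returns the generic
# XML (PSKs and tunnel outside addresses); the OpenSwan-formatted file is the
# one downloaded from the console.
print_aws_cli() {
  cat <<EOF
# Project VPC side
aws ec2 create-customer-gateway --type ipsec.1 --public-ip $NAT_EIP --bgp-asn 65000
aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpn-gateway-id <vgw-id> --vpc-id <project-vpc-id>
aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id <cgw-id> --vpn-gateway-id <vgw-id> --options StaticRoutesOnly=true
aws ec2 create-vpn-connection-route --vpn-connection-id <vpn-id> --destination-cidr-block 0.0.0.0/0
aws ec2 describe-vpn-connections --vpn-connection-ids <vpn-id> --query 'VpnConnections[0].CustomerGatewayConfiguration' --output text
# Internet VPC side: route the Project CIDR to the OpenSwan instance and let it forward
aws ec2 create-route --route-table-id <public-rtb-id> --destination-cidr-block $PROJECT_VPC_CIDR --instance-id <openswan-instance-id>
aws ec2 modify-instance-attribute --instance-id <openswan-instance-id> --no-source-dest-check
EOF
}

check_design && print_aws_cli
```

Run it once before touching the console; if `check_design` complains, change the CIDRs rather than working around the overlap, because a 0.0.0.0/0 static route on top of overlapping ranges is very hard to debug later.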

Jumpbox

Launch an Amazon Linux 1 AMI in the public subnet of the Internet VPC and make sure it gets a public IP; you will need to enable Auto-Assign Public IP on that subnet. Confirm that you can SSH into the instance.

  • Security Group - Inbound: SSH from your IP only
  • Security Group - Outbound: All

Project Server

Launch an Amazon Linux 1 AMI in the public subnet of the Project VPC.

  • Security Group - Inbound: SSH in from your Internet VPC: 10.230.30.0/24
  • Security Group - Outbound: All

OpenSwan

Launch an Amazon Linux 1 AMI in the private subnet of the Internet VPC.

  • Security Group - Inbound: SSH in from your Internet VPC: 10.230.30.0/24
  • Security Group - Outbound: All
  • Disable the Source/Destination Check on the instance; without it, EC2 drops the packets the instance forwards on behalf of other addresses
# SSH into the Jumpbox, then from there SSH into the OpenSwan server (it has no public IP).

# Install OpenSwan.
sudo yum install -y openswan

# Follow the instructions from the downloaded config.

# Open the sysctl config file.
sudo nano /etc/sysctl.conf
# Ensure these values match:
# net.ipv4.ip_forward = 1
# net.ipv4.conf.default.rp_filter = 0
# net.ipv4.conf.default.accept_source_route = 0

# Apply the changes.
sudo sysctl -p

# Restart the network services.
sudo service network restart

# Open the ipsec config file.
sudo nano /etc/ipsec.conf
# Uncomment the line at the bottom.
# include /etc/ipsec.d/*.conf

# Create a new config file.
sudo nano /etc/ipsec.d/aws.conf
# Paste in the contents from the downloaded config.
# Replace leftsubnet=<LOCAL NETWORK> with leftsubnet=0.0.0.0/0
#   (any address on the OpenSwan side, i.e. the Internet VPC and, for return traffic, the internet, may use the tunnel)
# Replace rightsubnet=<REMOTE NETWORK> with rightsubnet=10.224.36.0/23 (Project VPC CIDR)

# Create a new secrets file.
sudo nano /etc/ipsec.d/aws.secrets
# Paste in the contents from the downloaded config.
# This file holds the pre-shared key; keep it readable by root only.

# Start the ipsec service.
sudo service ipsec start

# Check the service status and the tunnel state (look for "IPsec SA established").
sudo service ipsec status
sudo ipsec auto --status

# The tunnel on the VPN Connection in the AWS console should now show as "UP".

You can now reach the Project Server from any host in the Internet VPC, and the Project Server can reach the internet: its default route goes to the VGW, across the tunnel to the OpenSwan instance, and out through the Internet VPC's NAT Gateway. The Project Server's security group still has to allow the inbound traffic (here SSH from 10.230.30.0/24), and the OpenSwan instance is the chokepoint for all Project VPC egress, so its security group and patch level matter.
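The three steps above that are easiest to get wrong (the sysctl values, filling in the placeholders in aws.conf, and confirming the tunnel is actually up), as an added example that is not part of the original gist: bash functions run against constructed inputs shaped like the real files and like `ipsec auto --status` output. The VGW outside address 203.0.113.10, the temp-directory file names and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original gist: helpers for the steps above that are
# easiest to get wrong. Every input file below is constructed to look like the
# real file or command output; 203.0.113.10 stands in for the VGW outside address.
set -euo pipefail

# The three values the AWS OpenSwan instructions require in /etc/sysctl.conf.
REQUIRED_SYSCTL="net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.accept_source_route=0"

# check_sysctl FILE: exit 0 only if every required key has the required value in
# FILE (spaces around '=' allowed); report each missing or wrong one otherwise.
check_sysctl() {
  local file="$1" kv key_re val missing=0
  while IFS= read -r kv; do
    key_re=$(printf '%s' "${kv%%=*}" | sed 's/\./\\./g')   # escape dots for the regex
    val="${kv#*=}"
    if ! grep -Eq "^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*${val}[[:space:]]*$" "$file"; then
      echo "missing or wrong: $kv" >&2
      missing=1
    fi
  done <<<"$REQUIRED_SYSCTL"
  return "$missing"
}

# render_conf TEMPLATE LEFTSUBNET RIGHTSUBNET: fill in the two placeholders the
# AWS download leaves, and refuse to emit a file with any <...> placeholder left.
render_conf() {
  local out
  out=$(sed -e "s|<LOCAL NETWORK>|$2|" -e "s|<REMOTE NETWORK>|$3|" "$1")
  if grep -q '<[A-Z ]*>' <<<"$out"; then
    echo "unfilled placeholder left in config" >&2
    return 1
  fi
  printf '%s\n' "$out"
}

# tunnel_up STATUSFILE [CONN]: true when saved `ipsec auto --status` output shows
# both the ISAKMP (phase 1) and the IPsec (phase 2) SA established for CONN.
tunnel_up() {
  local file="$1" conn="${2:-Tunnel1}"
  grep -q "\"$conn\".*ISAKMP SA established" "$file" &&
    grep -q "\"$conn\".*IPsec SA established" "$file"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed /etc/sysctl.conf with rp_filter still at the default of 1.
cat >"$tmp/sysctl.conf" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
EOF

# Constructed template in the shape of the AWS OpenSwan download (one conn shown).
cat >"$tmp/aws.conf.template" <<'EOF'
conn Tunnel1
        authby=secret
        auto=start
        left=%defaultroute
        leftid=52.15.61.171
        right=203.0.113.10
        type=tunnel
        leftsubnet=<LOCAL NETWORK>
        rightsubnet=<REMOTE NETWORK>
        dpdaction=restart_by_peer
EOF

# Constructed excerpt of `ipsec auto --status` for an established tunnel.
cat >"$tmp/status.txt" <<'EOF'
000 #1: "Tunnel1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2812s; newest ISAKMP; idle; import:admin initiate
000 #2: "Tunnel1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 3012s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
EOF

check_sysctl "$tmp/sysctl.conf" || echo "fix /etc/sysctl.conf, then run: sudo sysctl -p"
render_conf "$tmp/aws.conf.template" 0.0.0.0/0 10.224.36.0/23 >"$tmp/aws.conf"
if tunnel_up "$tmp/status.txt"; then echo "Tunnel1 is up"; else echo "Tunnel1 is not up yet"; fi
```

On the real instance, point `check_sysctl` at /etc/sysctl.conf, `render_conf` at the downloaded file (writing to /etc/ipsec.d/aws.conf), and `tunnel_up` at the saved output of `sudo ipsec auto --status`; a phase 1 SA without a phase 2 SA usually means the subnets on the two sides do not match what the VGW expects.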

Resources
