AWS is the largest cloud provider, and many organizations are migrating their architectures to it. If you are familiar with AWS, you know that most of its services, such as EC2 and VPC, are regional. Suppose you have a complex architecture with instances running in different regions, and that infrastructure, spread across regions, has to communicate securely over an encrypted channel: a VPN tunnel is what you need.
How would you plan and build a secure tunnel that connects VPCs in different regions or accounts, so that instances in those VPCs can communicate seamlessly using their private IP addresses? One good solution for this scenario is Openswan.
Openswan is an open-source IPsec VPN implementation for Linux. For those who are new to networking, VPN stands for Virtual Private Network, a way of connecting two or more networks over an untrusted one. All traffic sent through the VPN is encrypted with the algorithms negotiated for the tunnel. Openswan handles the IKE protocol for negotiation and authentication; packet encryption and decryption are performed by the Linux kernel's IPsec stack.
To connect multiple VPCs, we run one instance in each VPC as the VPN gateway. Each instance is configured to accept traffic from one or more local subnets and forward it through the tunnel, so it acts as the gateway to the remote network.
Now, let’s dive deep into configuration and steps to be followed to create the tunnels.
For this setup we need two VPCs, each with a public subnet, in different regions or accounts. Below is the architecture diagram.
Follow the steps to launch the instances:
Create the VPCs as shown in the architecture diagram.
Launch an Amazon Linux EC2 instance in the public subnet of each VPC and set its private IP address as shown in the architecture diagram.
Allocate one Elastic IP (EIP) in each region and associate it with the EC2 instance in that region.
In the security groups, allow the traffic the tunnel needs between the two EIPs: UDP 500 (IKE), UDP 4500 (NAT traversal, which the instances will use because they sit behind 1:1 NAT) and, optionally, IP protocol 50 (ESP). Also allow traffic from the remote VPC's CIDR to the instances that should be reachable through the tunnel.
Disable the source/destination check on both instances; otherwise EC2 drops packets whose source or destination address is not the instance's own.
In the route table of each VPC, add a route for the other VPC's CIDR with that VPC's VPN instance as the target, as shown below.
VPC1 Route Table
Installing and configuring Openswan on EC2 instances:
1. Login to the EC2 instance and install the openswan package
#yum install openswan -y
2. Open the configuration file /etc/ipsec.conf as the root user and append the connection configuration at the end of the file
Note: The strings in <> should be replaced with the corresponding values from the architecture diagram or with values matching your environment, for example leftid=220.127.116.11, leftsubnet=10.0.0.0/16
3. Create the file /etc/ipsec.d/vpc1-vpc2.secrets with the pre-shared key, which must be identical on both instances
<EIP1> <EIP2> : PSK "Enter the PreShared Key!!"
4. Repeat steps 2 and 3 on the other instance, swapping the EIPs and the VPC CIDRs
5. On both the instances restart the service and make it persistent across the reboot
#service ipsec restart
#chkconfig ipsec on
6. Configure both instances for packet forwarding: open /etc/sysctl.conf as root, set net.ipv4.ip_forward to 1, reload the kernel settings (sysctl -p, or the network restart below) and restart the ipsec service
# vim /etc/sysctl.conf
#service network restart
7. Check the VPN status by using the following commands.
#service ipsec verify
#service ipsec status
8. If everything is configured correctly, you should be able to ping an instance in one VPC from the other VPC (the target instance's security group must allow ICMP from the remote VPC's CIDR)
root@VPN1# ping 172.29.0.10
root@VPN2# ping 10.0.0.10
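The configuration steps above as one script, added here as an example and not part of the original post: it renders the connection block that step 2 leaves to the reader, the secrets file from step 3 and the sysctl settings from step 6 for one side of the tunnel. The EIPs 203.0.113.10 and 198.51.100.20 are documentation addresses standing in for EIP1 and EIP2, the ike=/phase2alg= algorithm selection is my addition (the post does not specify algorithms; the keywords are Openswan 2.6 ones), and the random PSK generator replaces a hand-typed secret.

```shell
#!/bin/sh
# Added example (editor's, not the original post's code): render the Openswan
# configuration for ONE side of the VPC1<->VPC2 tunnel from the values in the
# architecture diagram. Run it on the other instance with the EIPs and CIDRs
# swapped. Files are written under $ROOT so the script can be dry-run in a
# scratch directory; set ROOT=/ (as root) to write the real files.
set -eu

# ipsec.conf "conn" block. The instance sits behind 1:1 NAT, so "left" is the
# private address found via the default route while "leftid" is the EIP the
# peer sees; "right" is the peer's EIP. ike=/phase2alg= are the editor's
# algorithm choice (AES-256, SHA-1, 2048-bit DH), not something the post sets.
render_conn() {
  local name=$1 local_eip=$2 local_cidr=$3 remote_eip=$4 remote_cidr=$5
  cat <<EOF
conn $name
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=$local_eip
    leftnexthop=%defaultroute
    leftsubnet=$local_cidr
    right=$remote_eip
    rightsubnet=$remote_cidr
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1;modp2048
    pfs=yes
    auto=start
EOF
}

# ipsec.secrets entry: "<own EIP> <peer EIP> : PSK <key>"
render_secrets() {
  printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Fresh random pre-shared key (48 bytes from /dev/urandom, base64-encoded)
# instead of a human-chosen string; use the SAME key on both instances.
gen_psk() {
  head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Kernel settings the gateway needs: forwarding on, ICMP redirects off (the
# gateway must not tell hosts to bypass it), rp_filter off because Openswan's
# netkey stack requires it ("ipsec verify" flags it when enabled).
render_sysctl() {
  cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
EOF
}

# Write the files for this side. Refuses identical VPC CIDRs, since the route
# table could not send the remote prefix through the tunnel.
write_config() {
  local root=$1 name=$2 local_eip=$3 local_cidr=$4 remote_eip=$5 remote_cidr=$6 psk=$7
  if [ "$local_cidr" = "$remote_cidr" ]; then
    echo "local and remote VPC CIDRs must differ" >&2
    return 1
  fi
  mkdir -p "$root/etc/ipsec.d"
  render_conn "$name" "$local_eip" "$local_cidr" "$remote_eip" "$remote_cidr" >> "$root/etc/ipsec.conf"
  # the secrets file must be readable by root only
  ( umask 077; render_secrets "$local_eip" "$remote_eip" "$psk" > "$root/etc/ipsec.d/$name.secrets" )
  render_sysctl >> "$root/etc/sysctl.conf"
}

# Usage on VPN1 (constructed values standing in for the diagram's):
#   ROOT=/ PSK="$(gen_psk)" sh openswan-side.sh
if [ -n "${ROOT:-}" ]; then
  write_config "$ROOT" vpc1-vpc2 203.0.113.10 10.0.0.0/16 198.51.100.20 172.29.0.0/16 "${PSK:-$(gen_psk)}"
fi
```

After running it with ROOT=/ on each instance, apply the kernel settings with sysctl -p, then restart ipsec and enable it at boot as in step 5; running the script twice appends the connection block and sysctl lines a second time, so check the files before a re-run. Note that the PSK generated on VPN1 has to be copied to VPN2 over a trusted channel, because the secrets file on both sides must hold the same key.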
By following these steps you can set up VPN tunnels between VPCs across regions and accounts. In this architecture the VPN instance is a single point of failure. Hold on tight for the next article, in which I am going to describe a highly available architecture for the VPN instances.
If you have any questions, feel free to post them in the comments. You could also share your experience setting up VPN tunnels with other products here.