Anybody who has been using AWS for a while knows the AWS VPC VPN service is a bit costly, typically $0.05 per hour or about $36 per month.
In a previous post, I reviewed how to use an Ubuntu EC2 instance with strongSwan to tunnel IPv6 traffic between an AWS VPC and an on-prem network. I also mentioned that the EC2 instance type I used in the example had a cost of $0.0047 per hour, which amounts to about $3.38 per month; less than one-tenth the cost of the managed AWS VPN service. This cost savings is a benefit in addition to the increased feature-set of strongSwan in comparison with the VPC VPN service; this is the reason for the original post in the first place.
This post will expand on the previous one with a few modifications to extend the IPv6 VPN to also tunnel IPv4: replacing the AWS VPC managed VPN service and lowering the recurring costs of running a VPN to AWS.
This blog post covers a section of my GitHub repo on this procedure located here.
Approx Setup Time: 10 Minutes
Before we continue, it is worth noting the benefits of the AWS managed VPN service over our strongSwan solution:
- Redundancy: AWS gives you multiple peer IPs to use for the managed VPN service, which provides a level of redundancy within a region. They also allow you to automatically propagate the VPN tunneled routes into the VPC Route Tables when the VPN comes up, to further enhance this functionality. We don’t get this benefit using our strongSwan instance.
- Ease of Management: The managed VPN service is managed by AWS and does not require any kind of regular updates or the typical care and feeding of a Linux instance.
Assuming the loss of these benefits is worth the cost savings, let’s get started.
Tunneled IPv4 Example Settings
The below details extend those from the previous post to give an IPv4 context to our tunnels.

| Network | Prefix |
|---|---|
| AWS-Side Tunneled Network | 172.31.0.0/20 |
| Customer Tunneled Network | 192.168.0.0/24 |
ASA Configuration Modification
- Make some modifications on the ASA VPN ACL to include both tunneled address-families as below
access-list ACL_AWS_IPV6_VPN extended permit ip 2001:DB8:C::/48 2001:DB8:A::/48
access-list ACL_AWS_IPV6_VPN extended permit ip 192.168.0.0 255.255.255.0 172.31.0.0 255.255.240.0
- Since we are now dealing with the legacy protocol (IPv4), which often uses NAT, you may need to add some NAT-exemption statements to the ASA for the VPN tunnel
- If you already have these NAT statements on the firewall (since you were running an IPv4 VPN to AWS previously), then you likely don’t need to change them
- Delete your old IPv4 crypto-map entry pointed at AWS since you will now be using the same tunnel for that old IPv4 space as well as your shiny new IPv6 space
Ubuntu Instance / VPC Modifications
- Modify the IPv4 forwarding functionality on the server in the /etc/sysctl.conf file with sudo vi /etc/sysctl.conf
- Uncomment the below line
- Reboot the server after this change to have it take effect
- Delete the current AWS Site-to-Site VPN, Customer Gateway, and Virtual Private Gateway if they exist
- Set routes in your route-tables to point at the EC2 instance for your remote tunneled network: 192.168.0.0/24
- Modify the /etc/ipsec.conf settings on the Ubuntu instance with sudo vi /etc/ipsec.conf to reflect the below
- Restart the IPSEC service with sudo ipsec restart
- Check the VPN status with sudo ipsec status
- Once the VPN comes up, you should be able to test end-to-end IPv4 reachability
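The /etc/ipsec.conf modification referred to in the steps above, written out as an added example; this is not the configuration from the original post or its GitHub repo. It assumes IKEv2 with a pre-shared key, strongSwan on the EC2 instance behind its Elastic IP on the left and the ASA on the right; the two public addresses are placeholders, the tunneled IPv4 prefixes come from the table above, and the IPv6 prefixes are taken from the ASA ACL above.

```ini
# Added example, not the ipsec.conf from the original post or its repo.
# Assumptions: IKEv2, PSK authentication (in /etc/ipsec.secrets),
# placeholder public IPs, proposals chosen to match a modern ASA IKEv2 policy.
config setup
    uniqueids=no

conn aws-to-onprem
    type=tunnel
    keyexchange=ikev2
    authby=secret
    auto=start
    # AWS side: the instance sits on its VPC private address behind the
    # Elastic IP (1:1 NAT), so identify it by the public address.
    left=%defaultroute
    leftid=<EC2-ELASTIC-IP>
    # The same conn now carries both address families. Every local/remote
    # pair here must have a matching line in ACL_AWS_IPV6_VPN on the ASA,
    # otherwise the child SA for that pair is rejected at negotiation.
    leftsubnet=172.31.0.0/20,2001:DB8:A::/48
    # On-prem side: the ASA and the networks behind it.
    right=<ASA-PUBLIC-IP>
    rightid=<ASA-PUBLIC-IP>
    rightsubnet=192.168.0.0/24,2001:DB8:C::/48
    # If the peer only accepts one selector pair per child SA, split this
    # into one conn per address family that shares left/right/ids.
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    # Dead peer detection so a stale tunnel is torn down and re-established.
    dpdaction=restart
    dpddelay=30s
```

After the restart, sudo ipsec status should list one ESTABLISHED IKE SA and INSTALLED child SA entries whose traffic selectors show both the 172.31.0.0/20 === 192.168.0.0/24 and the IPv6 prefix pairs.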
You’re now running an AWS VPN monthly for the approx cost of a cup of coffee. Go tell your boss you want a raise.