Wednesday, August 26, 2015

How to Setup a VPN Gateway Server on Amazon VPC Using Ubuntu

In my last post, I’ve talked about setting up a site-to-site VPN using Sophos UTM 9 and strongSwan IPsec running on Amazon EC2 instance. So the idea was to create a VPC on AWS and connect this VPC to my home network. Setup on my last article works fine to connect to a single instance, but if we are to connect the entire VPC subnet to my home network subnet, I had to setup an instance as a gateway and route all the VPN traffic though that gateway. This is the instance I have installed strongSwan on. This involved setting up NAT on that instance.

Please refer the this post to see how to setup a IPSetup tunnel.

To recap, my AWS VPC has the CIDR block of I have two subnets on my home network - and I have connected my home network and the VPC together using a IPSec tunnel.

Here's the setup in a digram.

Lets see how to do that. I have used Ubuntu free tier instance to setup the gateway.

First create a VPC as below. Also name them accordingly, because AWS IDs are hard to remember!

So my VPC has the CIDR block of

Setup 2 subnets on this VPC as below. I used for the private subnet and for the public subnet.

Now it's time to create a Internet Gateway. Please attach the internet gateway to the VPC we just created.

Now it's time to create 2 route tables. One for private subnet and one for public subnet.

We'll only configure the route table for the public subnet for now. We'll come back to the private one. This is a very simple route table. Anything other than local traffic, we'll route the Internet gateway.

That's it. Now run up a instance of Ubuntu on public subnet ( You can use the basic settings. Nothing too fancy here. Use an Elastic IP so our public IP won't change when we stop and start this instance.

Create an assign a security group for this instance. I have called this security group "singapore-sg-vpc1-gateways". You'll need to allow connections such as SSH into this. As you can see below, I have  also opened up UDP port 500 and 4500. These ports are used by IPSec. I'm planning on setting this gateway as a VPN gateway as well.

Another tricky bit: Disable Source/Destination check on the instance

In few minutes, the new instance will start up and ready to be configured.

But before that, now we are ready to configure the route tables for the private subnet. I have added all my home network subnets to route though the VPN Gateway server (Ubuntu instance we've just setup). All the other Internet traffic will be routed though the Internet gateway. Have a look at the image below.

Now we are all done with AWS VPC configuration. Next thing to do is to configure the VPN Gateway Server to do NAT.

SSH into the VPN Gateway Server.

ssh -i ~/AWS_Key.pem ubuntu@XX.XX.XX.XX

Now run the following commands on the Gateway Server to make NAT work.

echo '#!/bin/sh echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -s -j MASQUERADE ' | sudo tee /etc/network/if-pre-up.d/nat-setup

sudo chmod +x /etc/network/if-pre-up.d/nat-setup

sudo /etc/network/if-pre-up.d/nat-setup

That's it! Now we have the VPN Gateway Server working with NAT. Next thing I had to do was to setup a IPSec tunnel between my home Sophos UTM 9 and AWS VPC VPN Gateway Server we've just setup. Please follow this article to do so.

Please make sure to replace my CIDR blocks with your own, if you're following this article.