Creating a VPN Connection between your On-Premises data center and VPC

A virtual private network (VPN) is a technology that allows a secure and private connection between two or more devices or networks over the Internet. It establishes a secure encrypted tunnel between two endpoints, enabling secure communication between them.

In this tutorial, we will see how to create a VPN connection between your On-Premises data center and VPC. We will use Amazon Web Services (AWS) to create a Virtual Private Cloud (VPC) and set up the VPN connection. We will use OpenVPN, an open-source application and protocol for creating secure private network connections over the internet.

Prerequisites

Before we begin, you should have the following:

  • An AWS account
  • A VPC with one subnet in each of two Availability Zones.
  • An EC2 instance running in the VPC that will act as the OpenVPN server.
  • An internet gateway attached to the VPC.
  • Knowledge of how to connect to the EC2 instance using SSH.

Step 1: Create an EC2 instance for OpenVPN server

We will use Ubuntu 18.04 LTS as our server operating system to run OpenVPN. Launch an EC2 instance in the VPC with the following specifications:

  • Region: Select the region where your VPC is located.
  • Instance Type: t2.micro.
  • AMI: Ubuntu Server 18.04 LTS.
  • Network: Choose the VPC you created.
  • Subnet: Choose one of the subnets you created.
  • Security Group: Create a new security group with the following rules:
    • SSH (TCP, port 22) – Allow access to everyone.
    • OpenVPN (TCP, port 443) – Allow access to everyone.

Once the instance is launched, connect to it via SSH and update the package list:

sudo apt-get update

Then, install OpenVPN using the following command:

sudo apt-get install openvpn -y

Step 2: Configure OpenVPN server

Now that we have OpenVPN installed, the next step is to configure it. We will create two files: one for the server configuration and another for the client configuration.

Create the server configuration file using the following command:

sudo nano /etc/openvpn/server.conf

Paste the following configuration:

port 443
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
ca ca.crt
cert server.crt
key server.key
auth SHA256
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3

This configuration does the following:

  • Sets the port number to 443 (the default port for HTTPS).
  • Uses TCP as the protocol. The explicit-exit-notify option is deliberately absent: it is only valid with proto udp, and OpenVPN refuses to start if it is combined with TCP.
  • Defines a tun device for the VPN.
  • Sets the IP range for the VPN clients to 10.8.0.0/24.
  • Pushes the default route to the VPN clients (so that all traffic goes through the VPN).
  • Pushes the DNS servers to the VPN clients (uses Google’s DNS servers).
  • Disables classic Diffie-Hellman and uses Elliptic Curve Diffie-Hellman with the curve prime256v1 instead.
  • Enables tls-crypt, which authenticates and encrypts the control channel with the shared key in tls-crypt.key. Note that tls-crypt takes only the file name; the trailing direction argument (0 or 1) belongs to tls-auth, and OpenVPN rejects it here.
  • Sets the location for the certificate authority (CA) certificate.
  • Sets the location for the server certificate.
  • Sets the location for the server key.
  • Uses SHA256 for HMAC authentication and AES-256-CBC for encryption.
  • Runs the OpenVPN process as nobody and nogroup (for security).
  • Keeps the key material and the tun device open across restarts (needed because the process has dropped its privileges and could not reopen them).
  • Sets the verbosity level to 3 (for debugging purposes).

Create the client configuration file:

sudo nano /etc/openvpn/client.ovpn

Paste the following configuration:

client
dev tun
proto tcp
remote <PUBLIC_IP_ADDRESS> 443
persist-key
persist-tun
ca ca.crt
cert cert.crt
key key.crt
remote-cert-tls server
tls-crypt tls-crypt.key
cipher AES-256-CBC
auth SHA256
nobind
verb 3

Replace <PUBLIC_IP_ADDRESS> with the public IP address of the EC2 instance running the OpenVPN server. This configuration does the following:

  • Configures a client.
  • Defines a tun device for the VPN.
  • Uses TCP as the protocol.
  • Specifies the public IP address of the OpenVPN server.
  • Keeps the key material and the tun device open across restarts.
  • Specifies the location of the CA certificate on the client machine.
  • Specifies the location of the client certificate on the client machine.
  • Specifies the location of the client key on the client machine.
  • Requires the server certificate to carry the server role (extendedKeyUsage serverAuth), so that a certificate issued to another client cannot be used to impersonate the server.
  • Uses the same tls-crypt key as the server; without this line the server, which requires tls-crypt, silently drops the client's packets.
  • Uses AES-256-CBC for encryption and SHA256 for authentication (both must match the server).
  • Disables binding to a specific local address/port.
  • Leaves compression off: the server configuration does not enable it, so a client-side comp-lzo would break the connection, and compressing traffic before encryption weakens the tunnel.
  • Sets the verbosity level to 3 (for debugging purposes).

Generate the tls-crypt key in /etc/openvpn, where server.conf expects it:

openvpn --genkey --secret tls-crypt.key
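The server.conf and client.ovpn above reference ca.crt, server.crt, server.key, cert.crt and key.crt, but the tutorial does not show how they are produced. The following script is an added example, not part of the original tutorial: it builds that PKI with the openssl CLI, using the exact file names the two configurations expect, EC P-256 keys to match ecdh-curve prime256v1, and the serverAuth/clientAuth roles that remote-cert-tls checks. It assumes openssl 1.1.1 or later and is meant to be run on the server with the target directory as its argument (for example /etc/openvpn).

```shell
# Added example (not from the original tutorial): generate the PKI files that
# the page's server.conf and client.ovpn reference (ca.crt, server.crt,
# server.key, cert.crt, key.crt) with the openssl CLI. Assumes openssl >= 1.1.1.
set -eu

# Self-contained openssl config, so nothing depends on the system openssl.cnf.
# The CA may only sign certificates; the server cert gets serverAuth and the
# client cert clientAuth, which is what remote-cert-tls checks on each side.
write_cnf() {
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
[client_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue_cert CN EXT_SECTION KEYFILE CERTFILE: P-256 key plus CA-signed cert.
issue_cert() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$3"
  openssl req -new -config pki.cnf -key "$3" -subj "/CN=$1" -out "$1.csr"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 825 -sha256 -extfile pki.cnf -extensions "$2" -out "$4"
  rm -f "$1.csr"
}

# make_pki DIR: CA, server and one client key pair in DIR, named as on the page.
make_pki() {
  mkdir -p "$1"
  cd "$1"
  write_cnf
  openssl ecparam -name prime256v1 -genkey -noout -out ca.key
  openssl req -x509 -new -config pki.cnf -extensions ca_ext -key ca.key \
    -subj "/CN=OpenVPN-CA" -sha256 -days 3650 -out ca.crt
  issue_cert server server_ext server.key server.crt
  issue_cert client client_ext key.crt cert.crt
  chmod 600 ca.key server.key key.crt        # private keys readable by owner only
  openssl verify -CAfile ca.crt server.crt cert.crt   # both chain to the new CA
}
if [ $# -gt 0 ]; then make_pki "$1"; fi   # e.g. sh make_pki.sh /etc/openvpn
```

Only ca.crt, server.crt and server.key need to stay in /etc/openvpn; cert.crt and key.crt are for the client, and ca.key should be moved off the server once signing is done.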

Copy the following files from the OpenVPN server to the client:

  • ca.crt
  • tls-crypt.key
  • cert.crt
  • key.crt
  • client.ovpn

You can use the scp command to copy the files:

scp ca.crt client.ovpn cert.crt key.crt tls-crypt.key <CLIENT>:~/

Step 3: Configure the VPC

Now that we have the OpenVPN server configured, we need to configure the VPC to accept VPN connections.

3.1 Create a Customer Gateway

A customer gateway is a resource object that you create in AWS with information about your customer gateway device, which is the physical device or software application on your side of the VPN connection.

To create a customer gateway, follow these steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Customer Gateways.
  3. Choose Create Customer Gateway.
  4. Enter a name for the customer gateway.
  5. Choose Dynamic IP.
  6. In the Public IP address section, enter the public IP address of your OpenVPN server.
  7. Choose Create Customer Gateway.

3.2 Create a Virtual Private Gateway

A virtual private gateway is the VPN concentrator on the AWS side of the VPN connection. It is represented by a virtual private gateway resource object.

To create a virtual private gateway, follow these steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Virtual Private Gateways.
  3. Choose Create Virtual Private Gateway.
  4. Enter a name for the virtual private gateway.
  5. Choose Yes, create a new attachment.
  6. Choose the VPC you want to attach the virtual private gateway to.
  7. Choose Create Virtual Private Gateway.

3.3 Attach a Virtual Private Gateway to a VPC

To attach a virtual private gateway to a VPC, follow these steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Virtual Private Gateways.
  3. Select the virtual private gateway that you just created.
  4. Choose Attach to VPC.
  5. Select the VPC you want to attach the virtual private gateway to.
  6. Choose the Availability Zone.
  7. Choose Yes, Attach.

3.4 Create a VPN Connection

To create a VPN connection between the customer gateway and the virtual private gateway, follow these steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose VPN Connections.
  3. Choose Create VPN Connection.
  4. Enter a name for the VPN connection.
  5. Choose the virtual private gateway that you just created.
  6. Choose the customer gateway that you just created.
  7. Choose Static.
  8. In the Static IP Prefixes section, enter the IP address range that the OpenVPN server will use for the VPN clients. For example, 10.8.0.0/24.
  9. Choose Create VPN Connection.

3.5 Configure Routing

To configure routing, you need to create a new route table and associate it with the VPC.

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Route Tables.
  3. Choose Create Route Table.
  4. Enter a name for the route table.
  5. Choose the VPC you want to associate with the route table.
  6. Choose Create.

Now, associate the new route table with the VPN connection.

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose VPN Connections.
  3. Select the VPN connection that you just created.
  4. Choose Actions, and then choose Edit VPN Connection.
  5. Choose the route table that you just created.
  6. Choose Save.

Step 4: Start the VPN

To start the VPN, follow these steps on the client machine:

  1. Install OpenVPN client on your machine.
  2. Copy the files received from the OpenVPN server to the client and put them in the same directory.
  3. Open a terminal and navigate to the directory containing the files.
  4. Run the following command: sudo openvpn client.ovpn

If everything goes well, you should be able to connect to your VPC using the VPN.

Conclusion

In this tutorial, we learned how to create a VPN connection between your On-Premises data center and VPC using OpenVPN and AWS. With this configuration, you can securely connect to your VPC from your On-Premises network, giving you full access to your resources in the VPC.
