OpenVPN: Connecting VPCs Between Regions

Using OpenVPN free to secure communications between distributed resources.

As you know, multiple AWS instances living within a single VPC can communicate with each other using private IP addresses. You can also directly connect instances in two separate VPC’s within a single region using VPC Peering.

Assuming that you’ve set up your subnets so they don’t overlap, a peering connection enables direct traffic routing between VPCs using private IP address ranges. But what if you want to connect instances hosted in separate AWS regions? OpenVPN can make it happen.

If your organization can’t afford commercial VPN’s like a commercial product from Cisco or an on-premise UTM appliance, you can use the open source OpenVPN package to secure communications between your distributed resources at no cost. OpenVPN’s SSL/TLS based user-space VPN supports Linux, Solaris, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Windows 2000/XP.

AWS/OpenVPN use cases

  1. You have a configured disaster recovery setup in another region and want to connect using private communication.
  2. You would like to regularly transfer data over a secure tunnel.
  3. You have deployed high-availability architecture across VPCs but need to maintain direct, private communication between them.
  4. You are a big fan of open source and don’t want to pay for commercially available VPN services.

OpenVPN implementation

First, you’ll need to have VPCs configured with both public and private subnets in at least two different AWS regions. In this guide, we will assume that there is one VPC in AWS’s US East Region which we will call VPC-1, and a second VPC in EU West that we’ll call VPC-2.

From the Launch Instance menu of the EC2 dashboard, search for “Open VPN Access Server” from AWS Marketplace and launch the instance in the public subnet of VPC-1.
OpenVPN Marketplace EC2 dashboard
Make sure the security group associated with this instance has ports 22 (SSH), 443 (SSL), 993 (Admin Web UI), and 1194 (OpenVPN UDP port) open. You should also allocate an Elastic IP to this instance.

Login to the instance via SSH using the username openvpnas and the keypair you set for this instance. To start the OpenVPN Access Server Setup Wizard from within your terminal session, run:

sudo vpn-init --ec2

Follow the instructions to begin configuring your server.
Disable the Source/Destination check for your VPN instance:
OpenVPN disabling the source/destination dropdown

VPC-2 Setup

Now navigate to the VPC-2 dashboard in EU West Region and click on Customer Gateways, and then Create Customer Gateway. In the dialogue that opens, enter the public IP address of your OpenVPN Access Server instance, with Routing set to the default value of Static.

From the VPN Connections section on the left, click on Virtual Private Gateways and then Create Virtual Private Gateway. Select the virtual private gateway that you’ve just created and select Attach to VPC-2.

Click on Route Tables in  VPC Management Console and select the routing table corresponding to your subnet(s). Click on the Route Propagation tab and select the vgw identifier for the virtual private gateway that you created earlier, then click the Add button.

Finally, click on the VPN Connections link at the bottom of the left frame, and then on Create VPN Connection. In the dialogue, select the virtual private gateway (vgw) and the customer gateway that you just created.

Select Use Static Routing, and then enter the EIP of Open VPN Access VPN server. Select the VPN connection that was created, and then note the Tunnel 1 and Tunnel 2 IP addresses below. Click the Download Configuration button when finished.

VPC-1 Setup

SSH into your OpenVPN Access Server instance and open the /etc/ipsec.conf:

sudo /etc/ipsec.conf

Edit the rightsubnet= value to point to your VPC CIDR mask.
Under the VPC-CUST-GW1 and VPC-CUST-GW2 sections, add the Tunnel 1 and Tunnel 2 IPs and save the file.
Now open the /etc/ipsec.secrets file and enter the Pre-Shared Keys (PSKs)  from the VPC-2 configuration file you downloaded earlier.

To start the VPN connection, issue the ipsec start command.

If VPN started properly you should see green-colored VPN connection entries in your AWS VPC management console.

Cloud Academy