OpenVPN: Connecting VPCs Between Regions

Using the free OpenVPN package to secure communications between distributed resources.

As you know, multiple AWS instances living within a single VPC can communicate with each other using private IP addresses. You can also directly connect instances in two separate VPCs within a single region using VPC Peering.

Assuming that you’ve set up your subnets so they don’t overlap, a peering connection enables direct traffic routing between VPCs using private IP address ranges. But what if you want to connect instances hosted in separate AWS regions? OpenVPN can make it happen.

If your organization can’t afford a commercial VPN, such as a product from Cisco or an on-premise UTM appliance, you can use the open source OpenVPN package to secure communications between your distributed resources at no cost. OpenVPN’s SSL/TLS-based user-space VPN supports Linux, Solaris, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Windows 2000/XP.

AWS/OpenVPN use cases

  1. You have a configured disaster recovery setup in another region and want to connect using private communication.
  2. You would like to regularly transfer data over a secure tunnel.
  3. You have deployed high-availability architecture across VPCs but need to maintain direct, private communication between them.
  4. You are a big fan of open source and don’t want to pay for commercially available VPN services.

OpenVPN implementation

First, you’ll need to have VPCs configured with both public and private subnets in at least two different AWS regions. In this guide, we will assume that there is one VPC in AWS’s US East Region which we will call VPC-1, and a second VPC in EU West that we’ll call VPC-2.

From the Launch Instance menu of the EC2 dashboard, search for “Open VPN Access Server” from AWS Marketplace and launch the instance in the public subnet of VPC-1.
Make sure the security group associated with this instance has ports 22 (SSH), 443 (SSL), 993 (Admin Web UI), and 1194 (OpenVPN UDP port) open. You should also allocate an Elastic IP to this instance.

Log in to the instance via SSH using the username openvpnas and the keypair you set for this instance. To start the OpenVPN Access Server Setup Wizard from within your terminal session, run:

sudo ovpn-init --ec2

Follow the instructions to begin configuring your server.
Disable the Source/Destination check for your VPN instance:

VPC-2 Setup

Now navigate to the VPC-2 dashboard in EU West Region and click on Customer Gateways, and then Create Customer Gateway. In the dialogue that opens, enter the public IP address of your OpenVPN Access Server instance, with Routing set to the default value of Static.

From the VPN Connections section on the left, click on Virtual Private Gateways and then Create Virtual Private Gateway. Select the virtual private gateway that you’ve just created and select Attach to VPC-2.

Click on Route Tables in the VPC Management Console and select the routing table corresponding to your subnet(s). Click on the Route Propagation tab and select the vgw identifier for the virtual private gateway that you created earlier, then click the Add button.

Finally, click on the VPN Connections link at the bottom of the left frame, and then on Create VPN Connection. In the dialogue, select the virtual private gateway (vgw) and the customer gateway that you just created.

Select Use Static Routing, and then enter the EIP of your OpenVPN Access Server instance. Select the VPN connection that was created, and then note the Tunnel 1 and Tunnel 2 IP addresses below. Click the Download Configuration button when finished.

VPC-1 Setup

SSH into your OpenVPN Access Server instance and open /etc/ipsec.conf in an editor:

sudo vi /etc/ipsec.conf

Edit the rightsubnet= value to point to your VPC CIDR block.
Under the VPC-CUST-GW1 and VPC-CUST-GW2 sections, add the Tunnel 1 and Tunnel 2 IPs and save the file.
Now open the /etc/ipsec.secrets file and enter the Pre-Shared Keys (PSKs) from the VPC-2 configuration file you downloaded earlier.

To start the VPN connection, issue the ipsec start command.

If the VPN started properly, you should see green-colored VPN connection entries in your AWS VPC management console.
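
A pre-flight check for the two files edited above, worth running before ipsec start. This is an added example, not part of the original article. It assumes the tunnel IP is stored as right= in each conn section and that /etc/ipsec.secrets uses lines of the form <local> <peer> : PSK "<key>"; the function names and every address are constructed.

```shell
#!/bin/sh
# Added example: pre-flight check for /etc/ipsec.conf and /etc/ipsec.secrets.
# The file contents and every address below are constructed samples.

# check_tunnels CONF SECRETS: print each problem, return 1 if any was found.
check_tunnels() {
    conf=$1; secrets=$2; rc=0
    for conn in VPC-CUST-GW1 VPC-CUST-GW2; do
        # Assumption: right= inside this conn section holds the AWS tunnel IP.
        peer=$(awk -v c="$conn" '
            $1 == "conn" { in_c = ($2 == c); next }
            in_c && $1 ~ /^right=/ { sub(/^right=/, "", $1); print $1; exit }
        ' "$conf")
        if [ -z "$peer" ]; then
            echo "$conn: right= (tunnel IP) is not set"; rc=1; continue
        fi
        # Each tunnel needs its own line: <local> <peer> : PSK "<key>"
        awk -v p="$peer" '$2 == p && $3 == ":" && $4 == "PSK" { ok = 1 }
            END { exit !ok }' "$secrets" ||
            { echo "$conn: no PSK line for $peer"; rc=1; }
    done
    # The PSKs are credentials: no group/other permission bits allowed.
    if [ "$(ls -l "$secrets" | cut -c5-10)" != "------" ]; then
        echo "$secrets: accessible beyond owner, run chmod 600"; rc=1
    fi
    return $rc
}

# Demo on constructed files where the second tunnel's PSK was forgotten.
demo() {
    d=$(mktemp -d)
    cat > "$d/ipsec.conf" <<'EOF'
conn VPC-CUST-GW1
    right=203.0.113.10
    rightsubnet=10.20.0.0/16
conn VPC-CUST-GW2
    right=203.0.113.20
    rightsubnet=10.20.0.0/16
EOF
    echo '198.51.100.5 203.0.113.10 : PSK "constructed-key-1"' > "$d/ipsec.secrets"
    chmod 600 "$d/ipsec.secrets"
    status=0
    check_tunnels "$d/ipsec.conf" "$d/ipsec.secrets" || status=$?
    rm -rf "$d"
    return $status
}

demo || echo "fix the findings above before running: ipsec start"
```

On the real server, run it as root with: check_tunnels /etc/ipsec.conf /etc/ipsec.secrets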


Written by

Nitheesh Poojary

My professional IT career began nine years back when I was just out of my college. I worked with a great team as an infrastructure management engineer, managing hundreds of enterprise application servers. I found my passion when I got the opportunity to work with Cloud technologies: I'm addicted to AWS Cloud Services, DevOps engineering, and all the cloud tools and technologies that make engineers' lives easier. Currently, I am working as a Solution Architect in SixNines IT. We are an experienced team of engineers that have helped hundreds of customers move to the cloud responsibly. I have achieved 5 AWS certifications, happily helping fellow engineers across the globe through my blogs and answering questions in various forums.
