AWS Site-to-Site VPN Configuration
Mahinsha Nazeer (@mahinshanazeer)

Publish Date: Apr 20
AWS Site-to-Site VPN provides encrypted communication between your on-premises network and an AWS VPC over the public internet, using IPsec tunnels. To establish the connection, certain requirements must be met on both the AWS side and the on-premises side.

On the AWS side, you need a VPC, a Virtual Private Gateway (VGW) or Transit Gateway (TGW), and a Customer Gateway (CGW) resource that records the static public IP of your on-premises device. On the on-premises side, you need a router, firewall or host with IPsec VPN support, plus correct routing and subnet configuration.

For the VPN to work, the two networks must use non-overlapping CIDR blocks, the security groups and firewalls must permit the traffic you intend to send through the tunnel, and routing must be set up either with static routes or dynamically with BGP. If a static public IP is not available, AWS lets you omit the CGW IP when the tunnels are authenticated with a private certificate instead of a pre-shared key; alternatively, a self-hosted VPN such as OpenVPN or WireGuard running on an EC2 instance can be considered instead of the managed Site-to-Site VPN.

This setup also serves multi-VPC connectivity and hybrid network designs. In this guide, I will explain how I configured a Site-to-Site VPN between an AWS VPC (with an EC2 instance as the test target) and my home lab. My home lab consists of four Raspberry Pis: two Raspberry Pi 5 units and two Raspberry Pi 3 units. We are using strongSwan, an open-source IPsec implementation, as the VPN endpoint on the home side. For a detailed overview, refer to the diagram below.

Before proceeding further, create an EC2 instance in AWS and make sure the nodes in the home network are running fine. On the home router, allow outbound UDP 500 (IKE) and UDP 4500 (NAT-T); because strongSwan initiates the tunnels, inbound port forwarding is normally not needed. In AWS, note that IKE and ESP terminate on the virtual private gateway, not on the instance, so the instance security group only has to allow the traffic you will actually send through the tunnel (for example ICMP from 192.168.1.0/24 for the ping test at the end). Make sure at least the following rules are added to the security group;

First, we need to create the following in the AWS console for configuring a site-to-site VPN connection;

  1. Customer Gateway (CGW)
  2. Virtual Private Gateway (VGW)

We are going to create a Customer Gateway (CGW) in the AWS console.

Step 1: To create a CGW, first go to the VPC option in the AWS console. You can use the search box to find the VPC option, please refer to the following image.

Step 2: Once you go to the VPC menu, on the side under Virtual Private Network (VPN) you can see ‘Customer gateways’, then click on ‘Create customer gateway’.

Once you click, it will open another window asking for the following details:

Name tag : ‘CGW’ (you can give a custom name)

BGP ASN : A BGP ASN (Border Gateway Protocol Autonomous System Number) is a unique identifier for a network participating in BGP routing; it lets autonomous systems exchange routing information dynamically over the internet or private networks. The console pre-fills a default ASN of 65000 for the customer gateway, and you can specify any ASN from the private range (64512 to 65534) if needed. The ASN only matters when the VPN uses dynamic (BGP) routing; with static routing, as in this guide, it is not used. I am using the default one for this project.

IP address : Add your home network's public IP address (the address your router presents to the internet, not the private LAN address of the Raspberry Pi).

Certificate ARN : Optional. Fill this in only if you want the tunnels authenticated with a private certificate issued by AWS Certificate Manager Private CA instead of a pre-shared key; in that case the CGW IP address becomes optional. For the PSK-based IPsec Site-to-Site VPN built in this guide, leave it empty: each tunnel is authenticated with the pre-shared key AWS generates for it. (BGP, where used, is for routing only, not for authentication.)

Device : Enter a name for the customer gateway device.

Once done, click on the ‘Create customer gateway’ option in the yellow box.

Refer to the following image for more info:

Step 3: Now we will create a ‘Virtual private gateway’ for our cloud VPC. As in the previous step, in the VPC menu, under Virtual Private Network (VPN) on the side, click ‘Virtual private gateways’, then ‘Create virtual private gateway’. Give it a name and create it.

Step 4: Now we need to attach the ‘Virtual private gateway’ we created to the VPC. Before proceeding further, please refer to the image below. Make sure the state has changed from ‘pending’ to ‘detached’ as in checkbox 1. Then tick the box as in checkbox 2 and click ‘Attach to VPC’.

Step 5: In the window that opens, choose your VPC and click ‘Attach’.

Step 6: Now we can configure the site-to-site VPN. Click ‘Site-to-Site VPN connections’ under ‘Virtual private network (VPN)’ and choose the configuration as in the following image: the correct VGW, the CGW, static routing, and the on-premises CIDR range (192.168.1.0/24 here) as the static IP prefix. By default, two tunnels are created. To customize them, click on each tunnel to configure it; in this case I am going with the defaults, but on real projects it is better to edit the configuration: pin IKEv2, restrict the phase 1 and phase 2 proposals (for example AES-256, SHA-256 and DH group 14), and enable tunnel logging for troubleshooting. Also make sure the VPC route table has a route for the on-premises CIDR pointing at the VGW, either by enabling route propagation on the route table or by adding it by hand; otherwise return traffic from the EC2 instance never enters the tunnel.

Step 7: Once the state of the VPN connection changes from ‘pending’ to ‘available’, click the ‘Download configuration’ option.

Step 8: In the new window, choose the vendor and platform that match your device (strongSwan is listed as a vendor), pick the IKE version you intend to use, and click download. The downloaded file contains, for each tunnel, the outside IP address of the AWS endpoint and the tunnel's pre-shared key; these are the values needed on the on-prem side, so treat the file as a secret.
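Steps 1 to 8 can also be scripted. The following is an added example (not code from the original post) that performs the same sequence with boto3, with the checks a practitioner wants before anything is created: the CGW address really is a public IPv4 address, the home and VPC prefixes do not overlap, and the pre-shared keys satisfy AWS's character rules. It assumes boto3 and AWS credentials are available; VPC_ID, ROUTE_TABLE_ID, HOME_PUBLIC_IP and the two CIDRs are placeholders to replace. The pure checks run without AWS access.

```python
"""Provision the AWS side of a Site-to-Site VPN (Steps 1 to 8) with boto3.

Added example, not code from the original post. Assumes boto3 is installed,
AWS credentials are in the environment, and the placeholders below are
replaced with your own values.
"""
import ipaddress
import secrets
import string

# Placeholders (assumptions): replace with values from your account and network.
VPC_ID = "vpc-0123456789abcdef0"
ROUTE_TABLE_ID = "rtb-0123456789abcdef0"   # route table of the VPC subnets
HOME_PUBLIC_IP = "1.2.3.4"                 # your router's public IP, as seen from the internet
ONPREM_CIDR = "192.168.1.0/24"             # home subnet used in the post
VPC_CIDR = "172.31.32.0/20"                # VPC CIDR used in the post

# AWS pre-shared key rules: 8 to 64 characters from letters, digits, '.' and '_',
# and the first character must not be '0'.
PSK_ALPHABET = string.ascii_letters + string.digits + "._"


def cidrs_usable(onprem_cidr: str, vpc_cidr: str) -> bool:
    """Both sides must be valid prefixes that do not overlap (the post's first
    requirement); overlapping addresses cannot be routed into the tunnel."""
    onprem = ipaddress.ip_network(onprem_cidr, strict=True)
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return not onprem.overlaps(vpc)


def public_ip_ok(ip: str) -> bool:
    """A customer gateway must be a globally routable IPv4 address, not the
    LAN address of the Raspberry Pi behind the router."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and addr.is_global


def psk_valid(key: str) -> bool:
    return 8 <= len(key) <= 64 and key[0] != "0" and all(c in PSK_ALPHABET for c in key)


def new_psk(length: int = 32) -> str:
    """Generate a tunnel key that satisfies psk_valid(); retry if it starts with '0'."""
    while True:
        key = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
        if psk_valid(key):
            return key


def vpn_options(psks, log_group_arn=None) -> dict:
    """Options for create_vpn_connection: static routing, IKEv2 only, AES-256,
    SHA-256 and DH group 14 in both phases, one entry per tunnel (the same knobs
    the console's per-tunnel edit form exposes)."""
    tunnels = []
    for psk in psks:
        opt = {
            "PreSharedKey": psk,
            "IKEVersions": [{"Value": "ikev2"}],
            "Phase1EncryptionAlgorithms": [{"Value": "AES256"}],
            "Phase2EncryptionAlgorithms": [{"Value": "AES256"}],
            "Phase1IntegrityAlgorithms": [{"Value": "SHA2-256"}],
            "Phase2IntegrityAlgorithms": [{"Value": "SHA2-256"}],
            "Phase1DHGroupNumbers": [{"Value": 14}],
            "Phase2DHGroupNumbers": [{"Value": 14}],
        }
        if log_group_arn:  # tunnel logs to CloudWatch, useful for troubleshooting
            opt["LogOptions"] = {"CloudWatchLogOptions": {
                "LogEnabled": True, "LogGroupArn": log_group_arn, "LogOutputFormat": "json"}}
        tunnels.append(opt)
    return {"StaticRoutesOnly": True, "TunnelOptions": tunnels}


def provision(ec2, vpc_id, route_table_id, home_public_ip, onprem_cidr, vpc_cidr,
              log_group_arn=None) -> dict:
    """Run the console steps in order; return ids, keys and the XML config."""
    if not public_ip_ok(home_public_ip):
        raise ValueError(f"{home_public_ip} is not a public IPv4 address")
    if not cidrs_usable(onprem_cidr, vpc_cidr):
        raise ValueError(f"{onprem_cidr} overlaps {vpc_cidr}; renumber one side")
    psks = [new_psk(), new_psk()]  # one distinct key per tunnel
    # Step 2: customer gateway. 65000 is the console default; unused with static routing.
    cgw_id = ec2.create_customer_gateway(Type="ipsec.1", PublicIp=home_public_ip,
                                         BgpAsn=65000)["CustomerGateway"]["CustomerGatewayId"]
    # Steps 3 to 5: virtual private gateway, attached to the VPC.
    vgw_id = ec2.create_vpn_gateway(Type="ipsec.1")["VpnGateway"]["VpnGatewayId"]
    ec2.attach_vpn_gateway(VpnGatewayId=vgw_id, VpcId=vpc_id)
    # Step 6: the VPN connection, then the static route for the home prefix and
    # route propagation into the VPC route table (both needed for return traffic).
    vpn_id = ec2.create_vpn_connection(
        Type="ipsec.1", CustomerGatewayId=cgw_id, VpnGatewayId=vgw_id,
        Options=vpn_options(psks, log_group_arn))["VpnConnection"]["VpnConnectionId"]
    ec2.get_waiter("vpn_connection_available").wait(VpnConnectionIds=[vpn_id])  # Step 7
    ec2.create_vpn_connection_route(VpnConnectionId=vpn_id, DestinationCidrBlock=onprem_cidr)
    ec2.enable_vgw_route_propagation(RouteTableId=route_table_id, GatewayId=vgw_id)
    # Step 8: the XML behind 'Download configuration' (tunnel outside IPs and PSKs).
    xml_config = ec2.describe_vpn_connections(VpnConnectionIds=[vpn_id])[
        "VpnConnections"][0]["CustomerGatewayConfiguration"]
    return {"cgw_id": cgw_id, "vgw_id": vgw_id, "vpn_id": vpn_id,
            "psks": psks, "config_xml": xml_config}


if __name__ == "__main__":
    import boto3  # imported here so the checks above work without it

    result = provision(boto3.client("ec2"), VPC_ID, ROUTE_TABLE_ID, HOME_PUBLIC_IP,
                       ONPREM_CIDR, VPC_CIDR)
    print(result["vpn_id"])
    print(result["config_xml"])  # contains the PSKs: keep it out of shell history and git
```

The route propagation call is the step most often forgotten when following the console: without it (or a manual route for 192.168.1.0/24 via the VGW) the tunnels come up but the EC2 instance has no path back to the home subnet.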

Now we can configure the On-prem side.

Step 9: On the on-prem machine, run the following commands to install strongSwan, then enable IP forwarding so the Raspberry Pi can route for the rest of the home subnet:

sudo apt update
sudo apt install strongswan
sudo nano /etc/sysctl.conf

In the sysctl.conf, uncomment the following line:


net.ipv4.ip_forward=1

Use the following command to reload the configuration:

sudo sysctl -p

Now we need to edit the ipsec.conf file. For this, run the following command;

sudo nano /etc/ipsec.conf

The following is a template for ipsec.conf. Note that the IKE proposal keyword is ike=, not ikesa=; strongSwan warns about unknown keywords and silently falls back to its default proposals, so a typo here changes what gets negotiated without failing:

config setup
    charondebug="ike 2, knl 2, net 2, dmn 2, mgr 2"

conn aws-vpn
    left=<YOUR_LOCAL_IP>             # home machine IP (private, behind NAT)
    leftid=<YOUR_PUBLIC_IP>          # CGW public IP; set this when behind NAT, as the AWS strongSwan sample does
    leftsubnet=<YOUR_LOCAL_SUBNET>   # home subnet
    right=<AWS_TUNNEL_OUTSIDE_IP>    # outside IP of the AWS tunnel endpoint, from the downloaded file
    rightsubnet=<AWS_VPC_CIDR>       # VPC CIDR reachable through the tunnel
    keyexchange=ikev2
    ikelifetime=60m
    keylife=20m
    ike=aes256-sha256-modp2048       # phase 1 proposal; DH group 14 instead of the weak group 2 (modp1024)
    esp=aes256-sha256
    authby=secret
    leftfirewall=yes
    auto=start

AWS gives you two tunnels for redundancy, so the template is repeated once per tunnel with the outside IP of that tunnel taken from the downloaded configuration file. The following is my current configuration:

conn aws-vpn-tunnel1
    left=192.168.1.200 #local machine IP
    leftsubnet=192.168.1.0/24
    right=13.235.203.242 # Virtual Private Gateway IP for Tunnel #1
    rightsubnet=172.31.32.0/20
    keyexchange=ikev1
    ikelifetime=60m
    keylife=20m
    ike=aes256-sha256-modp1024 # DH group 2; modp2048 (group 14) is also supported by AWS and preferable
    esp=aes256-sha256
    authby=secret
    leftfirewall=yes
    auto=start

conn aws-vpn-tunnel2
    left=192.168.1.200
    leftsubnet=192.168.1.0/24
    right=65.0.111.114 # Virtual Private Gateway IP for Tunnel #2
    rightsubnet=172.31.32.0/20
    keyexchange=ikev1
    ikelifetime=60m
    keylife=20m
    ike=aes256-sha256-modp1024
    esp=aes256-sha256
    authby=secret
    leftfirewall=yes
    auto=start

Now configure the pre-shared keys. AWS generates a different key for each tunnel, so ipsec.secrets needs one line per tunnel, keyed by the local ID and the AWS endpoint of that tunnel (two lines with the same selector would not let strongSwan tell the keys apart):

sudo nano /etc/ipsec.secrets

# <local id> <remote id> : PSK "<key from the downloaded file for that tunnel>"
192.168.1.200 13.235.203.242 : PSK "*******************************"
192.168.1.200 65.0.111.114 : PSK "*******************************"
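Filling in the two conn blocks and the secrets file by hand from the Step 8 download is where most mistakes happen (a swapped key, a missing "=", a selector that does not match the peer). As an added example, not the post's own code, the script below reads the XML that AWS exposes as CustomerGatewayConfiguration (the same data as the downloaded file) and renders both files with pinned IKEv2 proposals. SAMPLE_XML is a constructed sample that follows the element names AWS uses; its addresses and keys are invented, so compare the element names against your own download before relying on it.

```python
"""Generate strongSwan ipsec.conf and ipsec.secrets from the AWS
CustomerGatewayConfiguration XML (added example, not the post's own code;
SAMPLE_XML is a constructed sample with invented addresses and keys)."""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<vpn_connection id="vpn-0123456789abcdef0">
  <vpn_connection_type>ipsec.1</vpn_connection_type>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>198.51.100.21</ip_address></tunnel_outside_address>
    </vpn_gateway>
    <ike><pre_shared_key>Tunnel1_constructed.key_0001</pre_shared_key></ike>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>198.51.100.22</ip_address></tunnel_outside_address>
    </vpn_gateway>
    <ike><pre_shared_key>Tunnel2_constructed.key_0002</pre_shared_key></ike>
  </ipsec_tunnel>
</vpn_connection>
"""

# One conn per tunnel: left is the LAN address behind NAT, leftid the public IP
# AWS knows as the customer gateway, right the AWS tunnel outside address.
# The trailing '!' pins the proposals so strongSwan refuses weaker offers.
CONN_TEMPLATE = """\
conn aws-vpn-tunnel{n}
    keyexchange=ikev2
    left=%defaultroute
    leftid={cgw_ip}
    leftsubnet={local_subnet}
    right={vgw_ip}
    rightsubnet={vpc_cidr}
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    ikelifetime=8h
    lifetime=1h
    authby=secret
    dpddelay=10s
    dpdaction=restart
    leftfirewall=yes
    auto=start
"""


@dataclass
class Tunnel:
    cgw_ip: str
    vgw_ip: str
    psk: str


def parse_tunnels(xml_text: str) -> list:
    """Extract (CGW IP, AWS outside IP, PSK) for each ipsec_tunnel element."""
    root = ET.fromstring(xml_text)
    tunnels = []
    for node in root.findall("ipsec_tunnel"):
        cgw = node.findtext("customer_gateway/tunnel_outside_address/ip_address")
        vgw = node.findtext("vpn_gateway/tunnel_outside_address/ip_address")
        psk = node.findtext("ike/pre_shared_key")
        if not (cgw and vgw and psk):
            raise ValueError("ipsec_tunnel block lacks an address or pre-shared key")
        tunnels.append(Tunnel(cgw.strip(), vgw.strip(), psk.strip()))
    if len(tunnels) != 2:
        raise ValueError(f"expected 2 tunnels, found {len(tunnels)}")
    return tunnels


def render_ipsec_conf(tunnels, local_subnet: str, vpc_cidr: str) -> str:
    header = 'config setup\n    charondebug="ike 2, knl 2, net 2, dmn 2, mgr 2"\n\n'
    conns = [CONN_TEMPLATE.format(n=i, cgw_ip=t.cgw_ip, vgw_ip=t.vgw_ip,
                                  local_subnet=local_subnet, vpc_cidr=vpc_cidr)
             for i, t in enumerate(tunnels, start=1)]
    return header + "\n".join(conns)


def render_secrets(tunnels) -> str:
    """One '<local id> <remote id> : PSK' line per tunnel, so each key is only
    offered to the AWS endpoint it belongs to."""
    return "".join(f'{t.cgw_ip} {t.vgw_ip} : PSK "{t.psk}"\n' for t in tunnels)


def write_private(path: str, text: str) -> None:
    """Create with mode 0600: ipsec.secrets holds keys and must not be world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)


if __name__ == "__main__":
    tunnels = parse_tunnels(SAMPLE_XML)  # replace with the XML from your own VPN
    write_private("ipsec.conf", render_ipsec_conf(tunnels, "192.168.1.0/24", "172.31.32.0/20"))
    write_private("ipsec.secrets", render_secrets(tunnels))
```

Copy the generated files to /etc/ipsec.conf and /etc/ipsec.secrets (root-owned) and restart strongSwan. The lifetimes in the template match the AWS defaults (8 hours for phase 1, 1 hour for phase 2); if you tighten them on the AWS side, change them here too.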

Once the configuration is completed, restart the service and check the logs in journalctl:

sudo systemctl status strongswan-starter
sudo systemctl restart strongswan-starter
sudo journalctl -u strongswan-starter
sudo ipsec status

You can also use the ‘ipsec status’ command shown above to check the state of the connection. If the tunnels are up, the output will be similar to the following:

Security Associations (2 up, 0 connecting):
aws-vpn-tunnel2[2]: CONNECTION, 192.168.1.200[%any]...65.0.111.114[%any]
aws-vpn-tunnel1[1]: CONNECTION, 192.168.1.200[%any]...13.235.203.242[%any]

admin@master1:~$ ping 172.31.35.87
PING 172.31.35.87 (172.31.35.87) 56(84) bytes of data.
64 bytes from 172.31.35.87: icmp_seq=1 ttl=118 time=21.5 ms
64 bytes from 172.31.35.87: icmp_seq=2 ttl=118 time=22.8 ms
64 bytes from 172.31.35.87: icmp_seq=3 ttl=118 time=19.8 ms
64 bytes from 172.31.35.87: icmp_seq=4 ttl=118 time=29.2 ms
64 bytes from 172.31.35.87: icmp_seq=5 ttl=118 time=23.8 ms
^C
--- 172.31.35.87 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 19.811/23.428/29.231/3.198 ms
admin@master1:~$ 

Now the connection is established.
