Connect EC2 with Local Server through VPN
... This article is not complete and will be continued later ...
We use Amazon Virtual Private Cloud (VPC) to serve our product: database, application, cache, Logstash, autoscaling and more.
But we have an additional requirement: the application also has to run on a local machine or network in each region, like the diagram below:
The new architecture must support the following rules:
1) Each local computer is accessible through the private network.
For example, local Jakarta (192.168.123.110) can SSH to local New York using its private IP (192.169.1.2), and local Riyadh (10.20.30.40) can open the application in a browser using local Delhi's private IP (10.10.230.10).
2) The application on a local computer can access the database in EC2.
**Our database is not open to the public; it can only be accessed from within the EC2 subnet (private network). We need to set up a replicated, failover DB where the master is local but syncs automatically to the EC2 DB. If EC2 is shut down the application can keep working, and if there is a force majeure issue locally, we still have a backup in the cloud and cloud ...**
3) Application logs need to be sent to the Logstash server.
We use Logstash to centralize application activity and generate reports from it, but Logstash is not open to the public; it only authorizes the EC2 subnet.
4), 5), 6) and many more rules that I don't need to list here.
Luckily Amazon has provided the concept here, but how do we implement it from scratch?
We need a Virtual Private Network (VPN) server with an internet connection in each region, including the AWS VPC (we will use an EC2 instance for the VPN); each one must have a static public IP and a local IP.
I use Openswan on an Ubuntu server as the VPN.
```shell
apt-get -y update
apt-get -y install openswan
```
If you see a pop-up, you can click 'No' and then 'OK'; you don't need to restart after installation.
Edit the iptables rules by pasting the basic rules below (you can edit them per requirement):
```shell
iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
```
Note that these policies accept all traffic and the MASQUERADE rule NATs every forwarded packet. On a netkey host, NAT is applied before IPsec encapsulation, so packets from your local subnet to the remote subnet that get masqueraded to the VPN host's address will no longer match the tunnel policy. Exclude tunnel traffic from NAT (for example with an ACCEPT rule in the nat POSTROUTING chain, placed before MASQUERADE, that matches traffic destined for the remote subnet), and tighten the chain policies once the tunnel works.
Back up the current ipsec.conf, then create a new one:
```shell
mv /etc/ipsec.conf /etc/ipsec.conf.default
vim /etc/ipsec.conf
```
Copy and paste the basic ipsec.conf below:
```
version 2.0
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
include /etc/ipsec.d/*.conf
```
Note: you can restrict the virtual_private list, e.g. %v4:172.16.0.0/12 or %v4:!10.1.1.0/24, but if you are not sure you can leave it blank. See the ipsec.conf documentation for more detail.
Create the per-connection IPsec configuration files in the ipsec.d folder. The files below connect the Indonesia VPN to EC2, Saudi Arabia, the United States and India.
```shell
vim /etc/ipsec.d/indonesia-to-ec2.conf
```
Here is the basic configuration:
```
conn indonesia-to-ec2
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=<current-machine-ip-public>
    leftnexthop=%defaultroute
    leftsubnet=<current-machine-subnet>/<cidr>
    right=<target-ip-public>
    rightsubnet=<target-subnet>/<cidr>
    pfs=yes
    auto=start
```
Example result:
```
conn indonesia-to-ec2
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=118.123.234.234
    leftnexthop=%defaultroute
    leftsubnet=192.168.123.0/24
    right=217.80.90.100
    rightsubnet=172.30.0.0/16
    pfs=yes
    auto=start
```
NOTE:
- CIDR is Classless Inter-Domain Routing; you can learn more from [wiki](http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing)
- To get the local subnet, you can use ifconfig and find the inet address of eth0, en0 or en1. In the diagram the private IP is 192.168.123.234, so your subnet can be 192.168.123.0/24 or 192.168.0.0/16
- The conn parameters must be indented below the conn line, and because authby=secret is used, both peers also need a matching pre-shared key in /etc/ipsec.secrets (one line per peer pair, in the form `<left-id> <right-id> : PSK "<key>"`), or the tunnel will never come up
After that you need to create the connection configuration for all the other regions: indonesia-to-saudi-arabia.conf, indonesia-to-united-state.conf, indonesia-to-india.conf.
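Writing one conn file per region pair by hand, on every VPN host, is where mistakes creep in: a mistyped leftid, a rightsubnet that is not the peer's leftsubnet, or two regions whose private subnets overlap (picking 192.168.0.0/16 instead of 192.168.123.0/24, as the note above allows, is exactly how that happens, and a subnet-to-subnet tunnel cannot route between overlapping networks). The script below is an added example, not code from the article: it takes a small inventory of regions (the names, public IPs and subnets here are constructed sample values in the article's style), refuses to continue if any two subnets overlap, and then renders the full-mesh conn files in the exact shape shown above plus a per-pair random PSK for each host's ipsec.secrets.

```python
"""Added example (not part of the original article): generate the Openswan
full-mesh conn files and matching ipsec.secrets entries for every region, after
checking that no two regions' private subnets overlap. Region names, public IPs
and subnets are constructed sample values modelled on the article."""
import ipaddress
import secrets

# Constructed inventory: region -> (public IP of its VPN host, private subnet behind it)
REGIONS = {
    "indonesia": ("118.123.234.234", "192.168.123.0/24"),
    "ec2": ("217.80.90.100", "172.30.0.0/16"),
    "saudi-arabia": ("198.51.100.7", "10.20.0.0/16"),
    "india": ("203.0.113.9", "10.10.0.0/16"),
}


def find_overlaps(regions):
    """Return sorted (a, b) name pairs whose private subnets overlap.

    Such pairs cannot share a subnet-to-subnet tunnel: both sides would claim
    the same addresses and the kernel could not decide which way to route them.
    """
    nets = {name: ipaddress.ip_network(subnet) for name, (_, subnet) in regions.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def conn_block(local, remote, regions):
    """Render one conn stanza, in the article's shape, for the file installed on `local`."""
    left_ip, left_subnet = regions[local]
    right_ip, right_subnet = regions[remote]
    params = [
        "type=tunnel", "authby=secret", "left=%defaultroute", f"leftid={left_ip}",
        "leftnexthop=%defaultroute", f"leftsubnet={left_subnet}",
        f"right={right_ip}", f"rightsubnet={right_subnet}", "pfs=yes", "auto=start",
    ]
    # Openswan requires the conn parameters to be indented below the conn line
    return f"conn {local}-to-{remote}\n" + "".join(f"    {p}\n" for p in params)


def build_mesh(regions, psk_bytes=32):
    """Return (conf_files, secret_files): conf_files[host][filename] is the text of
    one /etc/ipsec.d/<filename> conn file and secret_files[host] is the text of
    that host's /etc/ipsec.secrets. Each peer pair gets its own random PSK,
    written identically on both hosts."""
    overlaps = find_overlaps(regions)
    if overlaps:
        raise ValueError(f"overlapping private subnets: {overlaps}")
    conf_files = {name: {} for name in regions}
    secret_lines = {name: [] for name in regions}
    names = sorted(regions)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            psk = secrets.token_hex(psk_bytes)
            conf_files[a][f"{a}-to-{b}.conf"] = conn_block(a, b, regions)
            conf_files[b][f"{b}-to-{a}.conf"] = conn_block(b, a, regions)
            a_ip, b_ip = regions[a][0], regions[b][0]
            # ipsec.secrets line format: <local id> <peer id> : PSK "<key>"
            secret_lines[a].append(f'{a_ip} {b_ip} : PSK "{psk}"')
            secret_lines[b].append(f'{b_ip} {a_ip} : PSK "{psk}"')
    return conf_files, {n: "\n".join(ls) + "\n" for n, ls in secret_lines.items()}


if __name__ == "__main__":
    conf_files, secret_files = build_mesh(REGIONS)
    for filename, text in sorted(conf_files["indonesia"].items()):
        print(f"# /etc/ipsec.d/{filename}\n{text}")
    print("# /etc/ipsec.secrets (indonesia)\n" + secret_files["indonesia"])
```

Run it once on an admin machine, install each host's files under /etc/ipsec.d/ and /etc/ipsec.secrets, and keep the generated PSKs out of version control. Widening Indonesia's subnet to 192.168.0.0/16 in the inventory, or giving two regions a 10.0.0.0/8, makes find_overlaps report the pair and build_mesh stop before any file is written.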
Edit your /etc/sysctl.conf and add or edit the following settings:
```
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
```
After that, run the following commands:
```shell
sysctl -p /etc/sysctl.conf
ipsec verify
```
Once you run ipsec verify, make sure you do not get any [FAILED] or red warning. Then restart ipsec:
```shell
service ipsec restart
service ipsec status
```
You will see 0 tunnels running, but this side is now configured. Now repeat the same process on every VPN server. Once that is done, every server will have running tunnels.
If everything is working correctly, you can ping each VPN server at its local IP.
... to be continued...