Create VPN from home subnet to AWS VPC with Raspberry Pi === AWS VPC has a very solid hardware-based VPN solution to bridge your home/office network to VPC subnet. It is recommended to use hardware router like `Cisco` or `Juniper` to build your `Customer Gateway`. AWS has a typical diagram like this:  In this article, I am giving some essential instructions to help you build `Customer Gateway` with a `Raspberry Pi`. Instead of modifying your existing home router, we make the Raspberry Pi work just out-off-the-box. Yes, it works like a charm.  Prerequisite -- - Raspberry Pi with Linux installed. I am using [HypriotOS](http://blog.hypriot.com/) in this case. But the native raspbian should also work as well. - make sure your RaspberryPi is connected to WIFI or ethernet LAN. Create VPN Gateway and VPN connection -- - in AWS `VPC console`->`VPN Connections`->`Customer Gateways`, click `Create Customer Gateway`  _enter your home public-facing IP address in the last field_ - create `Virtual Private Gateway` and attach the VPC to it - create `VPN Connection` with the `Customer Gateway` and the `Virtual Private Gateway` (the `Static IP Prefixes` is the CIDR of your home subnet, make sure you type correct CIDR info) - when `VPN Connection` is created, you'll see two VPN Tunnels in the `Tunnel Details` tab. We will use Tunnel 1 as the primary and optionally use Tunnel 2 as the redundant one. Write down the IP address of Tunnel 1. - click `Download Configuration`  - open the configuration file with editor and navigate the IKE part, write down your `<PSKEY_STRING>` and `<YOUR_TUNNEL1_IP>`. ``` ! ! The tunnel group sets the Pre Shared Key used to authenticate the ! tunnel endpoints. ! tunnel-group <YOUR_TUNNEL1_IP> type ipsec-l2l tunnel-group <YOUR_TUNNEL1_IP> ipsec-attributes pre-shared-key <PSKEY_STRING> ``` Install Openswan -- ``` $ sudo apt-get install -y openswan lsof ``` _(skip "Use an X.509 for this Host" in the next screen)_ Edit global config file -- _just overwrite `/etc/ipsec.conf` with all the following lines_ {%gist pahud/825029033286c1dcc536%} Configure IPsec connection -- edit `/etc/ipsec.d/home-to-aws.conf` ``` conn home-to-aws type=tunnel authby=secret #left=%defaultroute left=192.168.31.193 leftid=<YOUR_CGW_PUBLIC_IP> leftnexthop=%defaultroute leftsubnet=192.168.31.0/24 right=<AWS_VPNGW_TUNNEL_PUBLIC_IP> rightsubnet=10.0.0.0/16 pfs=yes auto=start ``` `left` - your home gateway private IP address, in my case, input the private IP of the Raspberry Pi `leftid` - public-facing home IP, same with the `Customer Gateway` IP `leftsubnet` - CIDR of home subnet `right` - `Virtual Private Gateway` Tunnel IP `rightsubnet` - CIDR of your VPC Input the pre-shared key -- edit `/var/lib/openswan/ipsec.secrets.inc` ``` <YOUR_CGW_PUBLIC_IP> <YOUR_VPNGW_PUBLIC_IP>: PSK "<PSKEY_STRING>" ``` Edit /etc/sysctl.conf -- append the following lines to `/etc/sysctl.conf` ``` net.ipv4.ip_forward=1 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 ``` then run `sysctl -p` to reload it IPsec verify -- ``` $ sudo ipsec verify Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan U2.6.38/K4.1.12-hypriotos-v7+ (netkey) Checking for IPsec support in kernel [OK] SAref kernel support [N/A] NETKEY: Testing XFRM related proc values [OK] [OK] [OK] Hardware RNG detected, testing if used properly [OK] Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for NAT-T on udp 4500 [OK] Two or more interfaces found, checking IP forwarding [FAILED] Checking NAT and MASQUERADEing [OK] Checking for 'ip' command [OK] Checking /bin/sh is not /bin/dash [WARNING] Checking for 'iptables' command [OK] Opportunistic Encryption Support [DISABLED] ``` (just ignore the IP forwarding failure) Restart IPsec -- ``` $ service ipsec restart ``` Check IPsec status -- make sure an active connection is `running` ``` ● ipsec.service - LSB: Start Openswan IPsec at boot time Loaded: loaded (/etc/init.d/ipsec) Active: active (running) since Sat 2016-02-13 16:06:54 CET; 38s ago Process: 10721 ExecStop=/etc/init.d/ipsec stop (code=exited, status=0/SUCCESS) Process: 10802 ExecStart=/etc/init.d/ipsec start (code=exited, status=0/SUCCESS) CGroup: /system.slice/ipsec.service ├─10897 /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --stri... ├─10898 logger -s -p daemon.error -t ipsec__plutorun ├─10899 /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --stri... ├─10902 /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-... ├─10903 /bin/sh /usr/lib/ipsec/_plutoload --wait no --post ├─10907 pluto helper # 0 ├─10908 pluto helper # 1 ├─10909 pluto helper # 2 └─11069 _pluto_adns Feb 13 16:06:55 pi pluto[10902]: "home-to-aws" #1: STATE_MAIN_I2: sent MI2, expecting MR2 Feb 13 16:06:55 pi pluto[10902]: "home-to-aws" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike ... NATed Feb 13 16:06:55 pi pluto[10902]: "home-to-aws" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 Feb 13 16:06:55 pi pluto[10902]: "home-to-aws" #1: STATE_MAIN_I3: sent MI3, expecting MR3 Feb 13 16:06:55 pi pluto[10902]: "home-to-aws" #1: Main mode peer ID is ID_IPV4_ADDR: '52.193.198.14' Feb 13 16:06:55 pi pluto[10902]: "home-to-aws" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4 Feb 13 16:06:55 pi pluto[10902]: "home-to-aws" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESH...p2048} Feb 13 16:06:55 pi pluto[10902]: "home-to-aws" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2AL...P2048} Feb 13 16:06:56 pi pluto[10902]: "home-to-aws" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2 Feb 13 16:06:56 pi pluto[10902]: "home-to-aws" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel m...=none} Hint: Some lines were ellipsized, use -l to show in full. ``` check VPN connections in VPC console --  (make sure one of the VPN Tunnel Status is `UP`) check the routing table of subnet -- make sure: 1. Your VPC has `internet gateway` attached 2. the routing table associated to the subnet in the VPC has a destination entry to your home subnet and the `Target` is the `vgw` you created  create an EC2 instance within the subnet in the VPC -- In my case, just create an EC2 instance in `10.0.12.0/24` with no public IP address attached. And optionally open `All ICPM` access from your home subnet so you can `ping` from your home subnet  then you can `ping` the EC2 private IP from your home gw ``` HypriotOS: pi@pi2 in ~ $ ping 10.0.12.204 PING 10.0.12.204 (10.0.12.204) 56(84) bytes of data. 64 bytes from 10.0.12.204: icmp_seq=1 ttl=63 time=44.8 ms 64 bytes from 10.0.12.204: icmp_seq=2 ttl=63 time=44.6 ms 64 bytes from 10.0.12.204: icmp_seq=3 ttl=63 time=46.2 ms 64 bytes from 10.0.12.204: icmp_seq=4 ttl=63 time=45.1 ms ``` telnet port 22 from your home gw -- ``` sudo apt-get install -y telnet ``` try telnet EC2 port 22 you should see the OpenSSH prompt like this ``` HypriotOS: pi@pi2 in ~ $ telnet 10.0.12.204 22 Trying 10.0.12.204... Connected to 10.0.12.204. Escape character is '^]'. SSH-2.0-OpenSSH_6.6.1 ``` add static route in your Mac OS X -- ``` $ sudo route -n add 10.0.0.0/16 192.168.31.232 ``` then you can `ping` from your Mac ``` pahud-mpb:~ pahud$ ping 10.0.12.204 PING 10.0.12.204 (10.0.12.204): 56 data bytes 64 bytes from 10.0.12.204: icmp_seq=0 ttl=62 time=204.629 ms 64 bytes from 10.0.12.204: icmp_seq=1 ttl=62 time=55.137 ms 64 bytes from 10.0.12.204: icmp_seq=2 ttl=62 time=56.705 ms 64 bytes from 10.0.12.204: icmp_seq=3 ttl=62 time=55.724 ms ``` then SSH into EC2 ``` pahud-mpb:~ pahud$ ssh ec2-user@10.0.12.204 Last login: Sat Feb 13 14:49:07 2016 from 192.168.31.239 __| __|_ ) _| ( / Amazon Linux AMI ___|\___|___| https://aws.amazon.com/amazon-linux-ami/2015.09-release-notes/ [ec2-user@ip-10-0-12-204 ~]$ ```