Extending VPN Connectivity to Amazon AWS VPC using AWS VPC VPN Gateway Service


If you are using Amazon Web Services, you probably already know that Amazon VPC has built-in functionality that you could utilize to connect your on-premise network to your VPC instances on the Amazon cloud. However, if you already have an OpenVPN Access Server setup on premises and would like to extend connectivity of your OpenVPN connection to the Amazon cloud, you can do so easily without purchasing additional hardware or expensive gear. After completing these instructions, your on-premise VPN users should also have access to your Amazon setup without any complicated setup or installation procedures.


To begin, you will need a working OpenVPN Access Server setup and an Internet-facing IP address for this instance. If you do not already have one installed, please follow this link for our virtual appliance. The virtual appliance will have everything you need pre-installed so you do not have to compile and install them yourself. The package needed for this connectivity is called strongswan and is preinstalled on our ESXi and HyperV images, but disabled by default. To enable it you can run this command:

systemctl enable strongswan

You can then finish configuration with instructions in this document and the connection can then establish.

If you are using a software package installation of Access Server and not our virtual appliance, for example if for some reason you do not wish to use our appliance, you will need to download Strongswan from source at www.strongswan.org and then install the package after you have compiled the software from source. You will also need the following supplementary files to connect to Amazon's VPN service (you will not need these files if you are using our virtual appliance):

Right click the link(s) below, and select Save link / selection as to download the file to your computer:

ipsec.sh - save to /sbin, then set as executable by issuing the chmod +x /sbin/ipsec.sh command. ipsec.secrets - save to /etc, or the directory specified inside your Strongswan configure file. ipsec.conf - save to /etc, or the directory specified inside your Strongswan configure file.
The steps below assume that you already have a running and up to date OpenVPN Access Server installed on your system (preferably the virtual appliance). Before you proceed, please make sure that your Amazon subnets do not overlap with your on-premises subnets. If overlaps do exist, you will need to renumber these subnets before you begin the following process.

Amazon VPC VPN Setup

To setup the VPN connection, login to your AWS Management Console. From there, select the VPC service from the list of Services.

In your VPC dashboard, you should already have at least 1 VPC listed, similar to the image indicated below. If you do not already have a VPC, most likely your instances are inside EC2 Classic or you may be inside the wrong active region (check the top right hand corner and see what your active region is). If your instances are currently inside EC2 Classic, you will need to create a new VPC and migrate your instances over to that VPC (by creating image AMIs and then redeploying them via the custom AMI process).

Afterwards, select the Customer Gateways option from the list of options presented. Click the Create Customer Gatewayto continue.

In the dialog that opens, enter the public IP address of your OpenVPN Access Server instance, with routing set to Static (default). Unlike OpenVPN Access Server, this server must be Internet-facing and must not be using NAT. You will not be able to use these procedures if you are using NAT, even if port forwarding is being used*. After you have entered the IP address of your OpenVPN Access Server, click the Yes, Create button to continue (please use your own IP address in the field below; the IP address in the screenshot is for demonstration purposes ONLY!)

  • If 1:1 NAT or NAT DMZ is used, enter the external facing IP in the field below. If your router supports forwarding of ESP streams (IP protocol 50) and UDP port 500, do so, and enter the router's public IP address in the box below. Some routers may support IPsec passthrough features that allow you to simply forward UDP port 500 to your internal machine. Consult your firewall / router vendor for further assistance if you are uncertain.

After this has been completed, visit the Virtual Private Gateways section on the left and then click the Create Virtual Private Gateway button. Click the Yes, Create button to complete the creation process. Select the virtual private gateway that is created, and select Attach to VPC. Select the VPC you would like to connect to using the VPN connection, and then click Yes, Attach (if you do not know what your VPC identifier is, visit the Your VPCs section and drop down the identifier appropriate for your VPC).

Following the creation of your Virtual Private Gateway, visit the Route Tables section of the VPC Management Console and select the routing table corresponding to your subnet(s). Afterwards, click the Route Propagation tab and then select the vgw identifier for the virtual private gateway that was created earlier, click Edit to view the Propagate checkbox, click the checkbox and choose Save.

Finally, visit the VPN Connections section on the left, and click the Create VPN Connection button.

In the dialog that results, select the virtual private gateway (vgw) and the customer gateway that you have previously created. You can refer to the previous screens if you do not remember what these identifiers are.

Select Use static routing, and then enter all of the IP prefixes of your on-premises network, as well as the virtual VPN networks created by OpenVPN Access Server. In order words, enter any networks here that you want to be communicating with your Amazon VPC network. Any networks not listed here will not be able to communicate with your Amazon cloud instances. You can always modify these selections at a later time if you would prefer.
After this is done, click the Yes, Create button. The VPN connection will take a few minutes to create.

After the VPN connection has been created, the State of the connection should switch to available. As the connections have not been made yet to the VPN servers, it is perfectly normal for the icons to be red. Select the VPN connection that was created, and then note the Tunnel 1 and Tunnel 2 IP addresses below. Click the Download Configuration button when finished.

In the Download Configuration dialog, select Generic as a vendor and then click the Yes, Download button. A text file should be generated that contains your pre-shared keys (PSKs).

Inside the generated file, note the two Pre-Shared Keys that are under the IPsec Tunnel #1 and IPsec Tunnel #2 sections. These PSKs correspond to the password you will be using to access the VPN connection for Tunnel 1 and 2, respectively.

Now, SSH into your OpenVPN Access Server on-premise instance and open the /etc/ipsec.conf file with a text editor (like nano).

In the file that is opened, change the rightsubnet= to your VPC CIDR mask. If you do not remember what this is, consult the Your VPCs section of the VPC Management Console.
Under the VPC-CUST-GW1 and VPC-CUST-GW2 sections respectively, change the right= IPs to the Tunnel 1 and 2 IPs you have noted above. In our case, the proper configuration would look like the following:

Afterwards, open the /etc/ipsec.secrets file, and enter the PSKs given to you in the configuration file that was downloaded. Please use the format designated in the file for the connection to work properly.

Save the file, and return to the command prompt. To start the VPN connection, issue the ipsec start command. If the connections were successful, you should see more than one security associations listed when you issue the ipsec status command. If you would like the VPN to start on system startup, add the ipsec start command to the /etc/rc.local file on your OpenVPN Access Server instance.