Lurn.Cloud

How to setup AWS Site to Site VPN with a $50 Router!

So after passing my AWS Architect Associate exam, I noticed at least 3-4 questions covering the AWS Site-to-Site VPN. Unfortunately, like most people who work with AWS, you may not play a part in setting this up or even know how it's done. In this post we cover the setup and show a real-world configuration using an SMB router. The model I'm using is the TP-Link R600VPN v3 (shown below), which can be found for around $50. One limitation of this router is that it only supports one tunnel, while AWS always provisions two tunnels per Site-to-Site VPN connection so that one can fail over to the other. Since AWS is all about failover and high availability, this router would not be my first pick for a production environment. But for a lab, or just a cool way to connect your personal AWS dev VPC to a home network, it works great!

Part 1 Setup Site to Site VPN via Console

Navigate to the VPC section. If, like me, you have more than one VPC, filter by VPC ID to avoid mistakes. Under VIRTUAL PRIVATE NETWORK (VPN) in the left-hand menu, create the following, in this order:

Customer Gateways (first image below)

Virtual Private Gateways (second image below)

Site-to-Site VPN Connections (third set of images below)

First, create a customer gateway. My ISP, even though it's labeled as a dynamic IP, has kept the same address for the last year, so I chose static. When I used dynamic on my first attempt, I could not get my router to work. (Dynamic routing on a customer gateway means BGP, so a router that does not speak BGP needs the static option.) Enter the router's public IP address in the customer gateway "IP Address" field, meaning the address AWS will see on the Internet side, which is the WAN address of the router or of whatever NAT device sits in front of it, and hit "Create".

Second, create a virtual private gateway. Name it so that you can tell which VPC it belongs to; it is attached to that VPC in a later step.

Third, the fun part: creating the Site-to-Site VPN connection. Give it a name tag, select the virtual private gateway from step 2 and the customer gateway from step 1, and make sure you select static for the routing option. Static IP prefixes are the CIDR block of the network behind the router; the TP-Link default LAN is 192.168.0.0/24. This is an IPv4 setup, so the local IPv4 network CIDR is your LAN (192.168.0.0/24) and the remote IPv4 network CIDR is the VPC CIDR block (the default VPC uses 172.31.0.0/16). The two ranges must not overlap, or routing between them becomes ambiguous. Keep the tunnel options at their defaults for the purpose of this demo; AWS then generates the pre-shared keys for you. Now click Create at the lower right.

WARNING: AWS charges per VPN connection-hour plus per-GB data transfer, so use it with the understanding that this is not cheap for something like home use, and delete the connection when you are done with the lab. I ran my test setup for 30 minutes, and it cost me under $1.

After creating the Site-to-Site VPN connection, go to the virtual private gateway and attach it to the VPC. If this is already done, its state shows as "attached" in green.

Last but not least, routing. In my case, I currently host my web server in a private subnet behind my public-facing ALB, and that is the subnet I want to reach. To do that, add a route to the private subnet's route table with destination 192.168.0.0/24 (the LAN behind the router) and the virtual private gateway as the target, or enable route propagation for the VGW on that route table. This is the crucial step: without it, replies from the instances have no path back through the tunnel.

AWS generates the pre-shared keys for the IKE policy as well as the IPsec policy settings. Download the configuration from the VPN connection page, choosing Generic as the vendor, as shown below. Save the file somewhere safe: it contains the pre-shared keys for both tunnels in clear text, so treat it like a password.

Now log into the TP-Link router; the default address is 192.168.0.1. Navigate to the IPsec section and create the IKE policy first. From the configuration file downloaded in Part 1, under IPsec Tunnel #1, "#1: Internet Key Exchange Configuration", copy and paste the pre-shared key into the IKE policy, and set the remaining IKE fields (encryption and authentication algorithms, Diffie-Hellman group, and SA lifetime) to the values listed in that same section. Then save.

Create a new IPsec policy. Local Subnet is the LAN behind the TP-Link router (192.168.0.0/24) and Remote Subnet is your AWS VPC CIDR (172.31.0.0/16); these must match the local and remote IPv4 network CIDRs you entered on the AWS side. Remote Gateway is the public IP of the virtual private gateway, found in the configuration file under "#3: Tunnel Interface Configuration", "Outside IP Addresses", "Virtual Private Gateway". Set the IPsec proposal (ESP, encryption and authentication algorithms, PFS group and lifetime) from "#2: IPSec Configuration" in the same file, then hit save.
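Everything typed into the router's IKE and IPsec pages (pre-shared key, algorithms, lifetimes, remote gateway address) comes from the same generic configuration file, and copying it by hand is where most mistakes happen. The following is an added example, not code from this post or from AWS or TP-Link: it parses a constructed sample laid out like the generic file, pulls out what the router pages need for tunnel #1, and checks that the LAN and VPC CIDRs do not overlap. The sample text, its placeholder keys and the documentation addresses are assumptions, not real values.

```python
"""Added example (not from the original post): extract the router-side
values from the AWS generic Site-to-Site VPN configuration file and check
the two CIDRs. SAMPLE_CONFIG is constructed to mirror the file's layout;
its keys and addresses are placeholders."""
import ipaddress
import re

SAMPLE_CONFIG = """\
! Your VPN Connection ID                  : vpn-0123456789abcdef0
! IPSec Tunnel #1
! #1: Internet Key Exchange Configuration
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : EXAMPLEpskTunnel1NotReal
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Diffie-Hellman           : Group 2
! #2: IPSec Configuration
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
! #3: Tunnel Interface Configuration
! Outside IP Addresses:
  - Customer Gateway         : 198.51.100.7
  - Virtual Private Gateway  : 192.0.2.10
! Inside IP Addresses
  - Customer Gateway         : 169.254.10.2/30
  - Virtual Private Gateway  : 169.254.10.1/30
! IPSec Tunnel #2
! #1: Internet Key Exchange Configuration
  - Pre-Shared Key           : EXAMPLEpskTunnel2NotReal
! #3: Tunnel Interface Configuration
! Outside IP Addresses:
  - Virtual Private Gateway  : 192.0.2.11
"""

TUNNEL_RE = re.compile(r"^!\s*IPSec Tunnel #(\d+)")
SECTION_RE = re.compile(r"^!\s*#(\d+):")
KV_RE = re.compile(r"^\s*-\s*(.+?)\s*:\s*(.+?)\s*$")
SECTION_NAMES = {1: "ike", 2: "ipsec", 3: "tunnel"}


def parse_generic_config(text):
    """Return {tunnel_no: {"ike": {...}, "ipsec": {...}, "outside": {...}, "inside": {...}}}.
    Keys repeat across sections (both IKE and IPsec have 'Lifetime'), so every
    key/value line is filed under the section it appears in."""
    tunnels, tunnel, bucket = {}, None, None
    for line in text.splitlines():
        if m := TUNNEL_RE.match(line):
            tunnel = int(m.group(1))
            tunnels[tunnel] = {"ike": {}, "ipsec": {}, "outside": {}, "inside": {}}
            bucket = None
        elif m := SECTION_RE.match(line):
            name = SECTION_NAMES.get(int(m.group(1)))
            bucket = None if name == "tunnel" else name  # #3 is split into Outside/Inside
        elif line.startswith("!") and "Outside IP" in line:
            bucket = "outside"
        elif line.startswith("!") and "Inside IP" in line:
            bucket = "inside"
        elif tunnel is not None and bucket is not None and (m := KV_RE.match(line)):
            tunnels[tunnel][bucket][m.group(1)] = m.group(2)
    return tunnels


def lifetime_seconds(value):
    """'28800 seconds' -> 28800, the form the router's lifetime field wants."""
    return int(value.split()[0])


def tplink_settings(tunnels, tunnel_no=1):
    """The subset of values that go into the router's IKE and IPsec policy pages."""
    t = tunnels[tunnel_no]
    return {
        "psk": t["ike"]["Pre-Shared Key"],
        "remote_gateway": t["outside"]["Virtual Private Gateway"],
        "ike_encryption": t["ike"]["Encryption Algorithm"],
        "ike_auth": t["ike"]["Authentication Algorithm"],
        "ike_dh_group": t["ike"]["Diffie-Hellman"],
        "ike_lifetime": lifetime_seconds(t["ike"]["Lifetime"]),
        "ipsec_encryption": t["ipsec"]["Encryption Algorithm"],
        "ipsec_auth": t["ipsec"]["Authentication Algorithm"],
        "ipsec_pfs": t["ipsec"]["Perfect Forward Secrecy"],
        "ipsec_lifetime": lifetime_seconds(t["ipsec"]["Lifetime"]),
    }


def cidrs_overlap(local_cidr, remote_cidr):
    """The LAN behind the router and the VPC CIDR must not overlap."""
    return ipaddress.ip_network(local_cidr).overlaps(ipaddress.ip_network(remote_cidr))


if __name__ == "__main__":
    cfg = parse_generic_config(SAMPLE_CONFIG)
    print("CIDRs overlap:", cidrs_overlap("192.168.0.0/24", "172.31.0.0/16"))
    for key, value in tplink_settings(cfg, 1).items():
        print(f"{key:17} {value}")
    print("tunnel 2 endpoint (unused on a one-tunnel router):",
          cfg[2]["outside"]["Virtual Private Gateway"])
```

Run it against the real downloaded file by replacing SAMPLE_CONFIG with the file's contents; tunnel #2's endpoint is parsed as well so that a router with two tunnels can be configured the same way. Only the first colon on a line separates key from value, which keeps IPv6-free values such as "Diffie-Hellman Group 2" intact.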

Check the log in the TP-Link router: success! Two entries appear, one IPsec SA for each direction of the ESP tunnel (router to VGW, and VGW to router):

195  Jun 1 02:34:42  VPN  INFO  IPsec-SA established: ESP/Tunnel xx.xx.xx.xxx[4500]->3.15.51.149[4500] spi=3367742285(0xc8bbab4d)
194  Jun 1 02:34:42  VPN  INFO  IPsec-SA established: ESP/Tunnel 3.15.51.149[4500]->xx.xx.xx.xxx[4500] spi=173633940(0xa597194)

Port 4500 on both ends means NAT-Traversal (UDP-encapsulated ESP) was negotiated, so if anything sits in front of the router, make sure UDP 500 and 4500 are allowed through to it. An entry for only one direction means the tunnel is not usable yet.
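To check the tunnel state from the log rather than by eye, here is an added example, not code from this post or from TP-Link: it scans router log lines for "IPsec-SA established" events and reports, per remote peer, whether both the outbound and inbound ESP SAs are up and whether NAT-T was used. The log lines are constructed in the format shown above, with documentation addresses in place of the real ones, and the router's WAN address is an assumption.

```python
"""Added example (not from the original post): decide from router log lines
whether an IPsec tunnel is fully established. A tunnel is only usable when
an ESP SA exists in both directions; port 4500 on both ends means NAT-T
(UDP-encapsulated ESP). SAMPLE_LOG is constructed in the TP-Link format."""
import re

SA_RE = re.compile(
    r"IPsec-SA established: ESP/Tunnel "
    r"(?P<src>[\d.]+)\[(?P<sport>\d+)\]->(?P<dst>[\d.]+)\[(?P<dport>\d+)\]"
    r"\s+spi=(?P<spi>\d+)"
)

LOCAL_PUBLIC_IP = "198.51.100.7"  # the router's WAN address (placeholder)

SAMPLE_LOG = [
    "195\tJun 1 02:34:42\tVPN\tINFO\tIPsec-SA established: ESP/Tunnel "
    "198.51.100.7[4500]->192.0.2.10[4500] spi=3367742285(0xc8bbab4d)",
    "194\tJun 1 02:34:42\tVPN\tINFO\tIPsec-SA established: ESP/Tunnel "
    "192.0.2.10[4500]->198.51.100.7[4500] spi=173633940(0xa597194)",
    # A second peer where only the outbound SA appeared: half-open, not usable.
    "193\tJun 1 02:31:09\tVPN\tINFO\tIPsec-SA established: ESP/Tunnel "
    "198.51.100.7[500]->192.0.2.11[500] spi=88827412(0x54b6f14)",
    # Phase 1 only; carries no ESP SA and is ignored by the scanner.
    "192\tJun 1 02:31:02\tVPN\tINFO\tISAKMP-SA established 198.51.100.7[500]-192.0.2.11[500]",
]


def sa_status(lines, local_ip):
    """Map each remote peer to its outbound/inbound ESP SPIs and a NAT-T flag."""
    peers = {}
    for line in lines:
        m = SA_RE.search(line)
        if not m:
            continue
        if m["src"] == local_ip:
            peer, direction = m["dst"], "outbound"
        elif m["dst"] == local_ip:
            peer, direction = m["src"], "inbound"
        else:
            continue  # an SA that does not involve this router
        entry = peers.setdefault(peer, {"outbound": None, "inbound": None, "nat_t": False})
        entry[direction] = int(m["spi"])
        entry["nat_t"] = entry["nat_t"] or (m["sport"] == "4500" and m["dport"] == "4500")
    return peers


def tunnel_up(peers, peer_ip):
    """True only when ESP SAs were established in both directions with this peer."""
    e = peers.get(peer_ip)
    return bool(e and e["outbound"] is not None and e["inbound"] is not None)


if __name__ == "__main__":
    status = sa_status(SAMPLE_LOG, LOCAL_PUBLIC_IP)
    for peer, e in status.items():
        print(f"{peer}: up={tunnel_up(status, peer)} nat_t={e['nat_t']} "
              f"out_spi={e['outbound']} in_spi={e['inbound']}")
```

Feed it the exported log with LOCAL_PUBLIC_IP set to the router's real WAN address; an SA is classified by which end is the router, so a peer that shows only one direction is flagged as not up even though the router logged a "success" line for it.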

Second test: SSH to an instance in the private subnet using its private IP. This only works if the route from the routing step is in place and the instance's security group allows TCP 22 from the LAN range (192.168.0.0/24).

When I first attempted this test, I had no idea if my router was compatible; sure enough, it was.

Kevin Harrigan

AWS Certified

Hi there, I hope I can help. Showcasing AWS Cloud tutorials.
