Are your workloads spread across multiple cloud platforms to optimize costs and improve flexibility? While this approach has its benefits, it can create disadvantages when it comes to securely exchanging data between applications. That’s where site-to-site VPNs come in.
Site-to-site VPNs provide a secure communication channel between remote sites over the internet. By using existing internet infrastructure, they can be a cost-effective alternative to other options for connecting remote sites. Site-to-site VPNs can also enable secure remote access for individual users, such as employees who work from home.
In this article, we’ll guide you through the steps of establishing secure communication between your AWS VPC and DigitalOcean VPC using the AWS customer gateway and Strongswan software. But don’t worry if you’re not using DigitalOcean – you can use the same process to connect to your on-premises network or any other cloud provider.
To accomplish this, we’ll be using StrongSwan, an open-source, modular, and portable IPsec-based VPN solution. By following these steps, you’ll be able to establish a secure communication channel between your cloud platforms and take full advantage of the benefits they have to offer.
Launching a new droplet on Digitalocean
To start, launch a new droplet with at least 1GB of RAM and a single core CPU. Be sure to take note of the droplet’s public and private IP addresses, as well as the DigitalOcean VPC CIDR, once it’s created. We have used Ubuntu 20.04 LTS release for this setup.
Once your DigitalOcean droplet is up and running, it’s time to log into your AWS cloud console. You can use the default AWS VPC or create a new one, depending on your needs.
AWS VPC Configuration
Launch an EC2 instance within the default VPC. For our test case, a t2.nano instance will suffice. To ensure that you can test connectivity between DigitalOcean and AWS in a later stage, make sure to allow the ICMP protocol in the security group.
When setting up a site-to-site connection between two networks, it’s important to note that the VPC CIDR ranges must be unique and cannot overlap. To avoid any conflicts during the setup process, ensure that the VPC CIDR range for your DigitalOcean and AWS networks are distinct.
Here is the VPC CIDR information for our setup:
AWS VPC CIDR: 172.31.0.0/16
DigitalOcean VPC CIDR: 10.122.0.0/20
Creating Customer gateway
Please navigate to the VPC section of your AWS cloud console and click on “Customer gateways.” From there, select the “Create customer gateway” option to begin the process of setting up your site-to-site connection.
When setting up your customer gateway, it’s important to provide a name and use the correct IP address to ensure a successful connection. In the “Name” field, enter a unique name for your customer gateway, and leave the BGP ASN as the default value.
In the “IP address” section, use the public IP address of the DigitalOcean droplet you launched earlier in this tutorial. You can find this IP address in your DigitalOcean console. Make sure to enter the correct IP address to avoid any issues during setup.
Once you’ve entered the necessary information, click on “Create” and wait for the state to change from “pending” to “available.” This may take some time, so be patient and wait for the process to complete before proceeding to the next step.
Creating virtual private gateway
It’s important to remember that the customer gateway is for the DigitalOcean droplet, while the virtual private gateway is for AWS. The virtual private gateway allows traffic into your AWS VPC and is a crucial component of your site-to-site VPN connection.
To create a virtual private gateway, go to the “Virtual Private Network” section and click on “Virtual Private Gateway.” option. From there, you can create a new virtual private gateway that will be used for your site-to-site VPN connection.
Name it as you like and keep ASN as Amazon default ASN.
Once the virtual private gateway has been created, you will need to attach it to the desired VPC. To do this, head over to the VPC dashboard and select the “Virtual Private Gateway” section. From there, choose the virtual private gateway you created earlier, click on “Actions”, and then “Attach to VPC”. Select the desired VPC from the dropdown menu and click “Attach”.
Creating a VPN connection
Once the customer gateway and the virtual private gateway have been created, the next crucial step is to establish the VPN connection between them. To do so, navigate to the “Site-to-Site VPN Connections” section under the “Virtual Private Cloud” area of the VPC dashboard in the AWS console. Then, click on the “Create VPN Connection” button.
Here give it a name as you like . Select “Virtual Private Gateway” as the target gateway type, and choose the VPC that you created earlier. Similarly, for the customer gateway, select “Customer Gateway” as the target gateway type, and choose the customer gateway that you created earlier.
To configure the routing for the VPN connection, choose the “Static” route option and enter the CIDR range of your DigitalOcean VPC in the “Static IP Prefix” field. This will enable traffic to flow from your AWS VPC to your DigitalOcean VPC. After providing all the required details, click on “Create VPN Connection”. It may take a few minutes for the VPN to become available, as its status changes from “Pending” to “Available”.
Ones it goes to available state inspect your vpn conection and go to the tunnel details which should look like this
After creating the VPN connection, you will notice that there are two tunnels that have been created. Tunnel 1 will act as the primary tunnel, while Tunnel 2 will act as a failover tunnel. If Tunnel 1 goes down, Tunnel 2 will become active and keep the connection alive.
Copy the inside ipv4 CIDR range and it is needed when we update the static route in the next steps.
Please note that this tutorial will exclusively cover Tunnel 1, and Tunnel 2 will not be included in the discussion. Our primary focus will be on creating a secure and encrypted connection between the two VPCs utilizing Tunnel 1.
When creating the VPN connection earlier, we added the DigitalOcean VPC CIDR as a static route. This route will allow resources that reside in the AWS VPC to communicate with the DigitalOcean VPC
The next step is to update the static routes, which will enable resources in DigitalOcean to communicate with AWS.
Select the newly created virtual private connection, and click “Actions” followed by Edit static routes
Here in the static prefix column paste the tunnel 1 ipv4 CIDR which we copied earlier
Click on the save changes option to save it.
After following the previous steps, go to the Route Tables section in the Virtual Private Cloud (VPC) dashboard. Select the route table that is associated with your VPC and click on “Route Propagation.” Then, click on “Edit” and enable the Virtual Private Gateway by selecting the corresponding checkbox. Finally, click on “Save” to apply the changes.
After few minutes when you navigate to your Routes section you should see the changes like below
Here you can see the both the static routes has been added to the Routes section
Now the routes has been created on both the sides The next procedure is it to create connection between two VPCs.
Return to the AWS “site-to-site VPN connections” section and choose the VPN connection that you created. Next, select the “Download Configuration” button to download the configuration file, which contains all the necessary settings and parameters for the VPN connection. The file is a text document that outlines encryption algorithms, authentication methods, IP addresses, and routing information that are essential to create a secure connection between the AWS VPC & the DigitalOcean VPC.
You don’t need to worry about the platform option being set to “Ubuntu 16.04” as the configuration will work correctly for Ubuntu 20.04 release as well.
Digitalocean Server setup
Access the droplet launched earlier via SSH and run the following commands:
sudo apt update
sudo apt install -y strongswan
Open the strongswan configuration that you downloaded earlier in your favourite text editor. This file has the important instructions that need to be followed to establish the VPN connection.
We are only going to set up Tunnel 1 and will skip the instructions for setting up Tunnel 2.
Kindly follow steps 1 (Enable Packet Forwarding and Configure the Tunnel) through 4 (Create a new file at /etc/ipsec.secrets…) as outlined under the “IPSEC Tunnel #1” heading in the downloaded text file.
Automated Tunnel Health-check and Fail-over
Kindly follow the first two steps as outlined under the “Automated Tunnel Healthcheck and Failover” heading in the downloaded text file. In step 3 of the same section, the final uncommented line looks like below:
leftupdown="/etc/ipsec.d/aws-updown.sh -ln Tunnel2 -ll 169.254.167.6/30 -lr 169.254.167.5/30 -m 200 -r 172.31.0.0/16"
Once the above step is complete, please proceed to the next steps 4 and 5. Please note that step 6 is only relevant if you have configured two tunnels, and therefore can be disregarded in this case.
Please restart the ipsec service within the DigitalOcean droplet to apply the changes:
sudo systemctl restart ipsec
If the steps have been performed correctly, the status of Tunnel 1 should change from “Down” to “Up”.
you can also check the tunnel status by executing the following command within the DigitalOcean droplet:
sudo ipsec status
Once the status shows as “Up”, you should be able to ping your AWS EC2 instance from the DigitalOcean droplet using the private IP address and vice versa.
Currently, the EC2 instance can only ping the DigitalOcean Droplet that has been configured as the customer gateway. To enable all droplets hosted within the same VPC to be reachable, you must execute the following IPTABLES command within the DigitalOcean droplet:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to <PRIVATE IP>
Here the <PRIVATE IP> will be your digitalocean vpn server private IP address.
Upon executing the aforementioned command, the EC2 server should be able to establish communication with all other droplets hosted within the same DigitalOcean VPC.
Please note that the changes made in iptables will only be saved temporarily, and any changes made will be lost upon server reboot. In order to prevent this, the following commands must be executed:
#this command will save the current iptables settings
sudo iptables-save > /etc/iptables/rules.v4
#Installing the iptables-persistent package
sudo apt-get install iptables-persistent
#Enabling the service
sudo systemctl enable netfilter-persistent.service
We hope that this blog post has provided you with useful guidance in setting up a site-to-site VPN connection between Amazon Web Services and DigitalOcean cloud platforms. Our company specializes in providing Cloud consulting services to small and medium-sized businesses. If you require any assistance or have any queries regarding this process, please do not hesitate to schedule a free consultation!