├── README.md
└── vyos_config.py


/README.md:
--------------------------------------------------------------------------------
  1 | # aws-vyos
  2 | Configuration to create an AWS inter region VPN
  3 | 
  4 | ### Description 
  5 | 
  6 | An easy way to create a VPN connection between two AWS Region. 
  7 | 
  8 | This repository describes how to configure the AWS VPN service on the first region and a Vyos instance on the second region.
  9 | 
 10 | # Use case example
 11 | 
 12 | For this how to we will used the region us-east-1 and eu-west-1.
 13 | The goal is to authorize instances in the VPC-EU to communicate with the instances in the VPC-US and vice versa.
 14 | 
 15 | ```  
 16 |                       US-EAST-1                                                        EU-WEST-1                 
 17 | -------------------           ------------------                      ---------------------       ---------------------
 18 | | VPC-US 10.10.0.0/16 | <===> | AWS VPN Service| <===> INTERNET <===> | EC2-Vyos-Instance | <===> | VPC-EU 10.0.0.0/16 |
 19 | -------------------           ------------------                      ---------------------       ---------------------
 20 | ```
 21 | 
 22 | # Requirement
 23 | 
 24 | In the EU-WEST-1 region, go to EC2, Elastic IPs and click on "Allocate New Address" and keep it on aside.
 25 |  
 26 | # 1. Create the VPN in US-EAST-1
 27 | 
 28 | In your AWS console, select the region US-EAST-1 and the VPC service.
 29 |  
 30 | 1.1 - Create the Customer Gateway:
 31 | 
 32 | - Click on "Create Customer Gateway"
 33 |     - "Name Tag" -> The name of the Customer Gateway(ex: CG-EU-US-PROD).
 34 |     - "Routing"  -> Choose dynamic.
 35 |     - "IP address" -> The EIP create in the eu-west-1 region.
 36 |     - "BGP ASN" -> Put a value for the BGP ASN(ex: 65000).
 37 | 
 38 | 1.2 - Create the Virtual Private Gateway:
 39 | 
 40 | - Click on "Create Virtual Private Gateway"
 41 |     - "Name Tag" -> The name of the private gateway(ex: PG-EU-US-PROD)
 42 |     -  Select the VPG previously create and click on "attach to VPC"
 43 |     -  Choose the VPC which will accessible through the VPN(in our example: VPC-US).
 44 |  
 45 | 1.3 - Configure the VPN connection:
 46 | 
 47 | - Click on "Create VPN Connection":
 48 | 
 49 |     - "Name Tag" -> The name of the VPN connection(ex: VPN-EU-US-PROD)
 50 |     - "Virtual Private Gateway" -> Select the Virtual Gateway create at the step 1.2
 51 |     - "Customer Gateway" -> Select the Customer Gateway create at the step 1.1
 52 |     - "Routing Options" -> Select "Dynamic"
 53 | 
 54 | 1.4 - Download the VPN configuration:
 55 | 
 56 | Select your new VPN connection and click on "Download the configuration". Select "Vyatta" as the configuration type.
 57 | 
 58 | On the VPN connection, click on the "Tunnel Details" tab and keep the two Public IPs on aside.
 59 | 
 60 | 
 61 | # 2. Create and configure the Vyos instance
 62 | 
 63 | In your AWS console, select the region EU-WEST-1 and the EC2 Service.
 64 | 
 65 | 2.1 -  Create the Vyos EC2 instance.
 66 | 
 67 | - Click on  "launch instance":
 68 | 
 69 |     - Select "AWS Marketplace" et search "vyos"
 70 |     - Choose the instance type.
 71 |     - Choose the VPC and the subnet(only Public!!!) where the Vyos instance will be started(ex: VPC-EU)
 72 |     - Create a new security group and add rules for the two Public IPs of the US VPN(step 1.4) and authorize them on the ports UDP/500, TCP/179 and UDP/123.
 73 |     - Finish the setup process as usual.
 74 | 
 75 | When the instance is ready, select it, right click -> networking -> source dest/check and click on disabled.
 76 | 
 77 | 2.2 - Configuration of the EC2 Vyos instance.
 78 | 
 79 | - Execute the script: vyos_config.py: 
 80 | *python vyos_config.py vpn_config_path    vyos_ip     cidr_vpc_vyos    local_gateway*
 81 | 
 82 | Parameters:
 83 |  
 84 |     - vpn_config_path: Full path of the VPN configuration downloaded at the end of the step 1.4(ex: /tmp/vpn-aa99ezv1.txt)
 85 |     - vyos_ip: The private IP of the Vyos instance(ex: 10.0.1.100)
 86 |     - cidr_vpc_vyos: The VPC CIDR of the Vyos instance(ex: 10.0.0.0/16)
 87 |     - local_gateway: The local gateway of the Vyos instance, you can found it when you are connected on Vyos with the command "show ip route"(take the gateway for the route "0.0.0.0/0"). (ex: 10.0.1.1)
 88 | 
 89 | Example:
 90 | 
 91 | *python vyos_config.py /tmp/vpn-aa99ezv1.txt 10.0.1.100 10.0.0.0/16 10.0.1.1*
 92 | 
 93 | - Connect on your Vyos EC2 instance(user: vyos):
 94 | 
 95 |     - Import the bash script create at the previous step.
 96 |     - Make the script executable:
 97 | 	*chmod +x vyos_config.sh*
 98 |     - Change the vyos user to root:
 99 | 	*sudo su*
100 |     - Execute the script: 
101 |         *vbash vyos_config.sh*
102 | 
103 | ### The instance will reboot automatically. Don't panic :)
104 | 
105 | 
106 | # 3. Update the route tables 
107 | 
108 |  
109 | 3.1 -  In US-EAST-1:
110 | 
111 | - Select the VPC service -> route tables -> select the route tables attached to your VPC subnets which you want to give the VPN access. 
112 | - Select the "route propagation" tab and set to "Yes" the value of  "propagate"(Normally, now you have a new route in the "routes table").
113 |  
114 | 3.2 - In EU-WEST-1:
115 | 
116 | - Select the VPC -> route tables -> select the route tables attached to the subnets which you want to give the VPN access through the Vyos instance.
117 | - Select the tab "routes", click on  "add". In "destination" enter the network CIDR of the US-EAST-1(ex: 10.10.0.0/16) and in "target", choose the instance Vyos.
118 | 
119 | 
120 | # Conclusion
121 | 
122 | Normally, now you have a working VPN connection between two AWS regions and the other EC2 instances can communicate through it(if they are in the VPC-US or in the VPC-EU).
123 | 
124 | 
125 | # Vyos debug commands
126 | 
127 | - show ip route
128 | - show vpn ipsec sa
129 | - show ip bgp 
130 | 
131 | # Debug steps
132 | 
133 | - Try to ping your Vyos instance from another local instance(same VPC).
134 | - Launch a tcpdump on the Vyos instance(cpdump -f "icmp" -i eth0) when you are trying to ping instances over the VPN. 
135 | - Try to ping your Vyos instance from a remote instance(the other side of your VPN).
136 | 
137 | 


--------------------------------------------------------------------------------
/vyos_config.py:
--------------------------------------------------------------------------------
 1 | """
 2 | 
 3 |     Create a bash script to configure a vyos EC2 instance for an AWS inter region VPN.
 4 |     The input format for the VPN must be vyatta.
 5 | 
 6 |     Argument1: Full path to the dowloaded VPN configuration file(/tmp/vpn-a99c83b.txt)
 7 |     Argument2: The private IP of the Vyos instance(ex: 10.0.1.100)
 8 |     Argument3: The CIDR of the VPC on the Vyos side(ex: 10.0.0.0/16)
 9 |     Argument4: The local gateway of the Vyos instance(ex: 10.0.0.1)
10 | 
11 |     Think to execute the script output as root on the Vyos instance.
12 | 
13 | """
14 | #!/bin/env python
15 | # -*- coding: utf-8 -*-
16 | 
17 | import re
18 | import sys
19 | 
20 | def read_config(config_file):
21 |     """ Return the entire config file as a list.
22 | 
23 |         :param  config_file: string  The path of the downloaded config file from AWS.
24 |     """
25 |     with open(config_file, 'r') as f:
26 |         return f.readlines()
27 | 
28 | def remove_comment(config):
29 |     """Return the config without comment.
30 | 
31 |       :param  config_file: list
32 |     """
33 |     new_content = []
34 |     for line in config:
35 |         if not line.startswith('!') and line != '\n':
36 |             new_content.append(line)
37 |     return new_content
38 | 
39 | 
40 | def create_script_file(config, local_IP, local_cidr, local_gateway):
41 |     """ Create a bash script for vyos configuration.
42 | 
43 |         :param config: list The VPN configuration.
44 |         :param local_ip: string The local IP of the Vyos instance.
45 |         :param local_cidr: string The CIDR of the entire VPC on the Vyos instance side.
46 |         :param local_gateway: string The default gateway of the Vyos instance.
47 |     """
48 |     bgp = [i for i in config if re.search(r'soft-reconfiguration',i)][0]
49 |     bgp = re.search(r'bgp (.*) neighbor', bgp).group(1)
50 |     f = open('/tmp/vyos_config.sh', 'w')
51 |     f.write('#!/bin/vbash\nsource /opt/vyatta/etc/functions/script-template\n')
52 |     f.write('echo "Vyos-1.1.7" |run add system image http://packages.vyos.net/iso/release/1.1.7/vyos-1.1.7-amd64.iso\nconfigure\n')
53 |     for line in config:
54 |         if re.search(r'local-address', line):
55 |             f.write(line.split('local-address')[0] + 'local-address ' + local_IP + '\n')
56 |         elif not re.search(r'0.0.0.0/0',line):
57 |             f.write(line)
58 |     f.write('set protocols static route {0} next-hop {1} distance 10\n' .format(local_cidr, local_gateway))
59 |     f.write('set protocols bgp {0} network {1}\n' .format(bgp, local_cidr))
60 |     f.write('set vpn ipsec nat-traversal enable\ncommit\nsave\nexit\necho "Yes" |run reboot\nexit')
61 |     f.close()
62 | 
63 | if __name__ == '__main__':
64 |     conf = remove_comment(read_config(sys.argv[1]))
65 |     create_script_file(conf, sys.argv[2], sys.argv[3], sys.argv[4])
66 |     print("The configuration has been created: /tmp/vyos_config.sh")
67 | 
68 | 
69 | 
70 | 


--------------------------------------------------------------------------------