├── README.md
└── vyos_config.py

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# aws-vyos
Configuration to create an AWS inter-region VPN

### Description

An easy way to create a VPN connection between two AWS regions.

This repository describes how to configure the AWS VPN service in the first region and a Vyos instance in the second region.

# Use case example

For this how-to we will use the regions us-east-1 and eu-west-1.
The goal is to allow instances in VPC-EU to communicate with the instances in VPC-US and vice versa.

```
US-EAST-1                                                        EU-WEST-1
-----------------------     -------------------                  ---------------------     ----------------------
| VPC-US 10.10.0.0/16 | <===> | AWS VPN Service | <===> INTERNET <===> | EC2-Vyos-Instance | <===> | VPC-EU 10.0.0.0/16 |
-----------------------     -------------------                  ---------------------     ----------------------
```

# Requirement

In the EU-WEST-1 region, go to EC2 -> Elastic IPs, click on "Allocate New Address" and keep the address aside.

# 1. Create the VPN in US-EAST-1

In your AWS console, select the region US-EAST-1 and the VPC service.

1.1 - Create the Customer Gateway:

- Click on "Create Customer Gateway"
- "Name Tag" -> The name of the Customer Gateway (ex: CG-EU-US-PROD).
- "Routing" -> Choose dynamic.
- "IP address" -> The EIP created in the eu-west-1 region.
- "BGP ASN" -> A value for the BGP ASN (ex: 65000).

1.2 - Create the Virtual Private Gateway:

- Click on "Create Virtual Private Gateway"
- "Name Tag" -> The name of the private gateway (ex: PG-EU-US-PROD)
- Select the VPG previously created and click on "Attach to VPC"
- Choose the VPC which will be accessible through the VPN (in our example: VPC-US).

1.3 - Configure the VPN connection:

- Click on "Create VPN Connection":

- "Name Tag" -> The name of the VPN connection (ex: VPN-EU-US-PROD)
- "Virtual Private Gateway" -> Select the Virtual Private Gateway created at step 1.2
- "Customer Gateway" -> Select the Customer Gateway created at step 1.1
- "Routing Options" -> Select "Dynamic"

1.4 - Download the VPN configuration:

Select your new VPN connection and click on "Download Configuration". Select "Vyatta" as the configuration type.

On the VPN connection, click on the "Tunnel Details" tab and keep the two public IPs aside.


# 2. Create and configure the Vyos instance

In your AWS console, select the region EU-WEST-1 and the EC2 service.

2.1 - Create the Vyos EC2 instance.

- Click on "Launch Instance":

- Select "AWS Marketplace" and search for "vyos"
- Choose the instance type.
- Choose the VPC and the subnet (public only!) where the Vyos instance will be started (ex: VPC-EU)
- Create a new security group and add rules for the two public IPs of the US VPN (step 1.4), allowing them on the ports UDP/500, TCP/179 and UDP/123.
- Finish the setup process as usual.

When the instance is ready, select it, right click -> Networking -> Source/Dest. Check and set it to disabled.

2.2 - Configuration of the EC2 Vyos instance.

- Execute the script vyos_config.py:
*python vyos_config.py vpn_config_path vyos_ip cidr_vpc_vyos local_gateway*

Parameters:

- vpn_config_path: Full path of the VPN configuration downloaded at the end of step 1.4 (ex: /tmp/vpn-aa99ezv1.txt)
- vyos_ip: The private IP of the Vyos instance (ex: 10.0.1.100)
- cidr_vpc_vyos: The VPC CIDR of the Vyos instance (ex: 10.0.0.0/16)
- local_gateway: The local gateway of the Vyos instance. You can find it once connected on Vyos with the command "show ip route" (take the gateway of the route "0.0.0.0/0"). (ex: 10.0.1.1)

Example:

*python vyos_config.py /tmp/vpn-aa99ezv1.txt 10.0.1.100 10.0.0.0/16 10.0.1.1*

- Connect to your Vyos EC2 instance (user: vyos):

- Import the bash script created at the previous step.
- Make the script executable:
*chmod +x vyos_config.sh*
- Change from the vyos user to root:
*sudo su*
- Execute the script:
*vbash vyos_config.sh*

### The instance will reboot automatically. Don't panic :)


# 3. Update the route tables


3.1 - In US-EAST-1:

- Select the VPC service -> Route Tables -> select the route tables attached to the VPC subnets to which you want to give VPN access.
- Select the "Route Propagation" tab and set "Propagate" to "Yes" (you should now see a new route in the "Routes" tab).

3.2 - In EU-WEST-1:

- Select the VPC service -> Route Tables -> select the route tables attached to the subnets to which you want to give VPN access through the Vyos instance.
- Select the "Routes" tab and click on "Add". In "Destination" enter the network CIDR of US-EAST-1 (ex: 10.10.0.0/16) and in "Target" choose the Vyos instance.


# Conclusion

You should now have a working VPN connection between the two AWS regions, and the other EC2 instances (those in VPC-US or VPC-EU) can communicate through it.


# Vyos debug commands

- show ip route
- show vpn ipsec sa
- show ip bgp

# Debug steps

- Try to ping your Vyos instance from another local instance (same VPC).
- Launch a tcpdump on the Vyos instance (tcpdump -i eth0 icmp) while you try to ping instances over the VPN.
- Try to ping your Vyos instance from a remote instance (the other side of your VPN).

--------------------------------------------------------------------------------
/vyos_config.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
Create a bash script to configure a Vyos EC2 instance for an AWS inter-region VPN.
The input format for the VPN configuration must be Vyatta.

Argument1: Full path to the downloaded VPN configuration file (ex: /tmp/vpn-a99c83b.txt)
Argument2: The private IP of the Vyos instance (ex: 10.0.1.100)
Argument3: The CIDR of the VPC on the Vyos side (ex: 10.0.0.0/16)
Argument4: The local gateway of the Vyos instance (ex: 10.0.0.1)

Remember to execute the generated script as root on the Vyos instance.
"""

import re
import sys


def read_config(config_file):
    """Return the entire config file as a list of lines.

    :param config_file: string The path of the config file downloaded from AWS.
    """
    with open(config_file, 'r') as f:
        return f.readlines()


def remove_comment(config):
    """Return the config without comment and blank lines.

    :param config: list The lines of the config file.
    """
    new_content = []
    for line in config:
        if not line.startswith('!') and line != '\n':
            new_content.append(line)
    return new_content


def create_script_file(config, local_ip, local_cidr, local_gateway):
    """Create a bash script for the Vyos configuration.

    :param config: list The VPN configuration.
    :param local_ip: string The private IP of the Vyos instance.
    :param local_cidr: string The CIDR of the entire VPC on the Vyos instance side.
    :param local_gateway: string The default gateway of the Vyos instance.
    """
    # The local BGP ASN is read from the first neighbor line of the form
    # "set protocols bgp <ASN> neighbor <ip> soft-reconfiguration 'inbound'".
    bgp_lines = [i for i in config if re.search(r'soft-reconfiguration', i)]
    if not bgp_lines:
        sys.exit('No BGP neighbor found in the configuration: did you download the Vyatta format?')
    bgp = re.search(r'bgp (.*) neighbor', bgp_lines[0]).group(1)
    with open('/tmp/vyos_config.sh', 'w') as f:
        f.write('#!/bin/vbash\nsource /opt/vyatta/etc/functions/script-template\n')
        # Upgrade the image first; note that the ISO is fetched over plain HTTP.
        f.write('echo "Vyos-1.1.7" |run add system image http://packages.vyos.net/iso/release/1.1.7/vyos-1.1.7-amd64.iso\nconfigure\n')
        for line in config:
            if re.search(r'local-address', line):
                # AWS fills in the EIP here; the instance itself only knows its private IP.
                f.write(line.split('local-address')[0] + 'local-address ' + local_ip + '\n')
            elif not re.search(r'0\.0\.0\.0/0', line):
                # Skip the 0.0.0.0/0 routes of the AWS template so the instance keeps its VPC default route.
                f.write(line)
        # Keep the local VPC reachable through its own gateway and announce its CIDR over BGP.
        f.write('set protocols static route {0} next-hop {1} distance 10\n'.format(local_cidr, local_gateway))
        f.write('set protocols bgp {0} network {1}\n'.format(bgp, local_cidr))
        f.write('set vpn ipsec nat-traversal enable\ncommit\nsave\nexit\necho "Yes" |run reboot\nexit')


if __name__ == '__main__':
    if len(sys.argv) != 5:
        sys.exit('Usage: python vyos_config.py vpn_config_path vyos_ip cidr_vpc_vyos local_gateway')
    conf = remove_comment(read_config(sys.argv[1]))
    create_script_file(conf, sys.argv[2], sys.argv[3], sys.argv[4])
    print("The configuration has been created: /tmp/vyos_config.sh")

--------------------------------------------------------------------------------
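As an added example (not part of this repository), a small Python helper that pulls out of the downloaded Vyatta file the values steps 1.4 and 2.1 ask you to note by hand (the two AWS tunnel endpoints, and the local BGP ASN that vyos_config.py also extracts) and turns them into the security-group ingress rules of step 2.1, scoped to each endpoint as a /32 instead of open to the world. The sample configuration is constructed in the shape of the AWS download; UDP/4500 is an addition to the README's port list, because the generated script enables nat-traversal and the instance sits behind an EIP.

```python
import re

# Constructed sample in the shape of the AWS "Vyatta" download that vyos_config.py parses
# (two tunnels; all addresses and secrets are made up).
SAMPLE_CONFIG = """! Amazon Web Services
! Virtual Private Cloud
set vpn ipsec site-to-site peer 203.0.113.10 authentication pre-shared-secret 'SECRET-ONE'
set vpn ipsec site-to-site peer 203.0.113.10 local-address '198.51.100.5'
set protocols bgp 65000 neighbor 169.254.10.1 remote-as '7224'
set protocols bgp 65000 neighbor 169.254.10.1 soft-reconfiguration 'inbound'
set protocols static route 0.0.0.0/0 next-hop 169.254.10.1
set vpn ipsec site-to-site peer 203.0.113.11 authentication pre-shared-secret 'SECRET-TWO'
set vpn ipsec site-to-site peer 203.0.113.11 local-address '198.51.100.5'
set protocols bgp 65000 neighbor 169.254.10.5 remote-as '7224'
set protocols bgp 65000 neighbor 169.254.10.5 soft-reconfiguration 'inbound'
set protocols static route 0.0.0.0/0 next-hop 169.254.10.5
"""

PEER_RE = re.compile(r'^set vpn ipsec site-to-site peer (\S+) ')
BGP_RE = re.compile(r'^set protocols bgp (\d+) neighbor (\S+) ')
SECRET_RE = re.compile(r"pre-shared-secret '([^']*)'")
DEFAULT_ROUTE_RE = re.compile(r'^set protocols static route 0\.0\.0\.0/0 ')


def summarize(config_text):
    """Collect peers, BGP neighbors and the local ASN; count secrets without echoing them."""
    peers, neighbors, asns, secrets, default_routes = [], [], set(), 0, 0
    for line in config_text.splitlines():
        if line.startswith('!') or not line.strip():
            continue  # same comment/blank filter as remove_comment() in vyos_config.py
        m = PEER_RE.match(line)
        if m and m.group(1) not in peers:
            peers.append(m.group(1))
        m = BGP_RE.match(line)
        if m:
            asns.add(m.group(1))
            if m.group(2) not in neighbors:
                neighbors.append(m.group(2))
        secrets += bool(SECRET_RE.search(line))
        default_routes += bool(DEFAULT_ROUTE_RE.match(line))  # lines the script drops
    if len(asns) != 1:
        raise ValueError('expected exactly one local BGP ASN, found %r' % sorted(asns))
    return {'peers': peers, 'neighbors': neighbors, 'asn': asns.pop(),
            'secrets': secrets, 'default_routes_dropped': default_routes}


def ingress_rules(peers):
    """Security-group rules of README step 2.1, one set per AWS tunnel endpoint (/32)."""
    ports = [('udp', 500), ('tcp', 179), ('udp', 123),
             ('udp', 4500)]  # UDP/4500 added here: the generated script enables nat-traversal
    return [(proto, port, peer + '/32') for peer in peers for proto, port in ports]
```

Compare the peers it returns with the "Tunnel Details" tab of step 1.4 before applying the rules; a mismatch means the wrong configuration file was downloaded.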