I’m attempting to setup a connection from a VyOS instance in one AWS VPC, to another AWS VPC. I’m broadly following this guide, but I don’t fully understand the AWS config side of things (I’m not sure if the steps outlined in this guide will actually work either). https://www.cloudreach.com/gb-en/2014/06/2435/
I have a few questions then.
Do the steps in the above guide make sense? (struggling with the CGW/VGW side of the config.)
Will my VyOS instance be able to connect to several different VPCs? (E.g. eu-central, eu-west, Sydney)
Am I ok with a simple eth0 and a public Elastic IP address (which does not show up in VyOS?)
Hi syncer, thanks for the response. I’m still a little confused though, as in VPC_A my VyOS instance cannot setup a VPN connex to a VGW in VPC_B, unless I’m mistaken.
I would have thought that it would be something like:
VyOS instance in VPC_A
CGW in VPC_B, which the VyOS instance creates a VPN connection to. The CGW is bound to the VGW in VPC_B which allows the Inter VPC network access.
The link shows how to set up a NAT GW, using VyOS - is that a requirement of the scenario outlined above then?
UPDATE: So I’ve established the VPN connection, however ping only works one way: from destination network to source. My VyOS cannot ping the remote network. sounds like someone else at this page had same issue https://www.cloudreach.com/gb-en/2014/06/2435/
We are trying to set up the same thing right now, so maybe we can help each other.
We have one “admin” VPC, “vpc1,” 172.16.0.0/17 in us-east-1, and then regional VPCs in each of the AWS regions, defined as the next successive CIDR blocks.
We deployed a VyOS instance in the admin VPC and gave it an elastic IP.
In the regional VPCs, for example vpc2, we:
[list=1]
[]Added a Customer Gateway set to the VyOS’ elastic IP, with a BGP ASN of 65000 (default)
[]Added a Virtual Private Gateway for vpc1 and its CIDR range
[*]Added a dynamic (BGP) VPN Connection between the VPG and CG
[/list]
Then, we go to the VyOS and use GitHub - mboret/aws-vyos: Configuration to create an AWS inter region VPN to configure it. Both tunnels come up, yay.
And then we go to the route tables and
[list=1]
[]Add static routes through the VyOS to the regional VPCs in vpc1
[]Set the route tables to “propagate” in vpc2…n
[/list]
And lo and behold the route back to vpc1 via the vgw magically appears in vpc2…n’s route tables. It all looks good.
But it still doesn’t fully work. Traffic from vpc1 to systems in the regional VPCs go over the link, get to the box, get back to the VyOS, and then don’t get any farther (as tcpdumping on the hosts shows). You can even see a ssh connection initiate to a system in the regional VPC, but since no responses get back it times out. Traffic from vpc2 to a host in vpc1 gets “no route to host.” From the VyOS I can hit servers in vpc1 (ssh, ping) but not in the regional VPCs.
No network ACLs, and security groups open to facilitate the testing.
Setting up a connection from a VyOS instance in one AWS VPC to another AWS VPC can be complex, especially when dealing with AWS-specific configurations like Customer Gateways (CGW) and Virtual Private Gateways (VGW). Let’s address your questions one by one:
1. Do the steps in the above guide make sense? (Struggling with the CGW/VGW side of the config.)
The guide you’re following outlines the basic steps to establish a VPN connection between two VPCs using VyOS. Here’s a simplified explanation of the AWS components involved:
Customer Gateway (CGW): Represents your VyOS instance on AWS. You need to create a CGW and provide the public IP address of your VyOS instance.
Virtual Private Gateway (VGW): This is the AWS-side endpoint for your VPN connection. It connects to your VPC.
The key steps typically include:
Creating a CGW: You provide the IP address of your VyOS instance.
Creating a VGW: This is attached to your VPC.
Creating a VPN Connection: This links the CGW to the VGW.
Configuring the VyOS instance: You set up the VyOS instance to handle the VPN connection.
If you are unsure about specific steps, please provide more details, and I can offer further guidance.
2. Will my VyOS instance be able to connect to several different VPCs? (E.g. eu-central, eu-west, Sydney)
Yes, your VyOS instance can connect to multiple VPCs in different regions. You would need to establish separate VPN connections for each VPC, involving:
Creating a CGW for your VyOS instance in each region.
Creating a VGW and attaching it to each VPC.
Setting up VPN connections between the CGW and each VGW.
Configuring the VyOS instance to manage multiple VPN tunnels.
Make sure your instance has sufficient resources to handle the additional VPN tunnels.
3. Am I ok with a simple eth0 and a public Elastic IP address (which does not show up in VyOS?)
Yes, a simple eth0 interface with a public Elastic IP address should be sufficient for your VyOS instance to connect to other VPCs. The Elastic IP ensures that your VyOS instance has a stable public IP address, which is essential for the CGW configuration.
Here’s a quick checklist:
Elastic IP: Assign it to your VyOS instance.
Security Groups: Ensure that the security groups associated with your VyOS instance allow traffic on the necessary ports (e.g., UDP 500 and 4500 for IPsec).
NAT Handling: If your VyOS instance is behind a NAT, ensure proper NAT traversal settings.
Additional Tips
Monitoring and Logging: Enable logging on your VyOS instance to monitor the VPN connections and troubleshoot issues.
AWS VPN Configuration: Double-check AWS-side configurations, including route propagation and VPC route tables, to ensure traffic is correctly routed through the VPN.
If you need further assistance or specific configurations for your VyOS instance, feel free to ask. Good luck with your setup!