
Amazon AWS VPN Gateway and OpenVPN Question

Joined
Jul 9, 2016
Messages
290 (0.29/day)
Likes
128
System Name Gaming System
Processor i7-4960X
Motherboard ASUS Rampage IV Black Edition
Cooling Noctua NH-D15
Memory Corsair Vengeance LP 32GB DDR3
Video Card(s) EVGA GTX 1080 ti FTW3
Storage 1TB Samsung 850 EVO; 500GB Samsung 850 EVO
Display(s) HP zr2740w Surround
Case Corsair A540
Audio Device(s) onboard
Power Supply EVGA G2 1300
Mouse Logitech MK550
Keyboard Logitech MK550
Software Windows 10 Pro
#1
Hello,

I want to connect to my AWS EC2 in private subnet via the AWS VPN Gateway. I have heard of OpenVPN but have never used it before. From what I read, I need to set up an OpenVPN server (a physical machine or software server?) Instead of that, can I simply go get a router that has OpenVPN? How does that work?

Thanks in advance.
 

Kursah

Moderator
Staff member
Joined
Oct 15, 2006
Messages
12,223 (2.69/day)
Likes
6,581
Location
Missoula, MT, USA
System Name Kursah's Gaming Rig 2018 - Ryzen+ Edition | SpartanCore | SpartanCore2
Processor R7 2700X @ Stock (3.7/4.35) w/PBO+XFR2 | i7 3770 3.4/3.9 Stock | i7 4770 3.4/3.9 Stock
Motherboard Asus ROG Strix X370-F Gaming | Intel DQ77MK | SuperMicro X10SLQ
Cooling Noctua NH-U14S Push-Pull + NT-H1 | Stock Intel Cooler + AC MX4 | Stock Intel Cooler + AC MX4
Memory 16GB (2x8) G.Skill DDR4-3200 | 16GB (4x4) Samsung DDR3-1600 | 32GB (4x8) Mushkin Stealth DDR3-1600
Video Card(s) MSI GTX980 Ti Gaming 6G LE @ Stock | Onboard Intel HD 4000 | Onboard Intel HD 4600
Storage SSD 250GB + 960GB, 1x2TB | 120GB SSD, RAID10 6x2TB (6TB) | 120GB SSD, RAID10 6x3TB (9TB)
Display(s) Samsung 32" TV IPS 1080p, Dell 23" U2312HM IPS 1080p | 19" Dell on KVM..mostly headless operation.
Case Corsair 600C - Stock Fans on Low | Lian Li Lancool PC-K7 - Cougar fans | Modified Lenovo TS430 Case
Audio Device(s) Aune T1 mk1 > AKG K553 Pro + HiFiMAN HE-350 (Equalizer APO + PeaceUI) | Not in use
Power Supply EVGA 750G2 Modular + APC Back-UPS Pro 1500 | EVGA KR500 80+ Bronze (Both) + APC Smart-UPS 1500
Mouse Logitech G502 | Dell USB Laser Mouse (KVM)
Keyboard Logitech G15 rv2 | Dell USB Keyboard (KVM)
Software Windows 10 Pro x64 | Windows Server 2012 R2 (Hyper-V) | Windows Server 2016 (Hyper-V)
#2
If you use a router with OpenVPN, then your LAN will be connected over VPN to your AWS EC2, if that's how you want it to work. That's called a site-to-site VPN; in most cases it's router-to-router, though it can be router-to-server as well.

The other familiar option is called road warrior VPN, or device-to-router/server, which I prefer in many lab situations where I only need access from a device at any given time; it is also how I connect to my home network when at work or on the road. I host the OpenVPN server on my PFSense router, but it is only set up for road-warrior connectivity (user connection) at this time by my choice. OpenVPN is nice because it's generally free to work with; it does take time and some network comprehension to set up and use, but it is worth it if you're into networking and VPNs.

OpenVPN client software is free to download from Openvpn.net. MacOS can use something like Tunnelblick as well.

I recommend, if you're creating a software server to host it (VM), going with Linux. There's A LOT of documentation; in fact one of my first experiences with creating an OpenVPN server was on a 10 y/o Toshiba laptop for a friend that needed remote access to print services several hundred miles away but was a cheap ass. That solution worked flawlessly for 3 years, until the laptop finally gave up the ghost. Tossed Ubuntu on there, set up an OpenVPN server via CLI, copied the config files I needed, and away we went.

I'm not familiar with the AWS VPN Gateway, but if they have instructions to use OpenVPN clients to connect, I would recommend it. Should work well.
 
#3
Thanks for the reply. I don't want to set up a machine to be the OpenVPN server. Are there any well-known and reliable OpenVPN-capable routers that would be simple to configure/set up? Budget is about $200. I am a mid-level networking guy, but have never done any VPN setup before, other than using Cisco VPN software in my previous job.

Ah also, we want to go site to site route.
 

Kursah

Moderator
Staff member
Joined
Oct 15, 2006
Messages
12,223 (2.69/day)
Likes
6,581
Location
Missoula, MT, USA
System Name Kursah's Gaming Rig 2018 - Ryzen+ Edition | SpartanCore | SpartanCore2
Processor R7 2700X @ Stock (3.7/4.35) w/PBO+XFR2 | i7 3770 3.4/3.9 Stock | i7 4770 3.4/3.9 Stock
Motherboard Asus ROG Strix X370-F Gaming | Intel DQ77MK | SuperMicro X10SLQ
Cooling Noctua NH-U14S Push-Pull + NT-H1 | Stock Intel Cooler + AC MX4 | Stock Intel Cooler + AC MX4
Memory 16GB (2x8) G.Skill DDR4-3200 | 16GB (4x4) Samsung DDR3-1600 | 32GB (4x8) Mushkin Stealth DDR3-1600
Video Card(s) MSI GTX980 Ti Gaming 6G LE @ Stock | Onboard Intel HD 4000 | Onboard Intel HD 4600
Storage SSD 250GB + 960GB, 1x2TB | 120GB SSD, RAID10 6x2TB (6TB) | 120GB SSD, RAID10 6x3TB (9TB)
Display(s) Samsung 32" TV IPS 1080p, Dell 23" U2312HM IPS 1080p | 19" Dell on KVM..mostly headless operation.
Case Corsair 600C - Stock Fans on Low | Lian Li Lancool PC-K7 - Cougar fans | Modified Lenovo TS430 Case
Audio Device(s) Aune T1 mk1 > AKG K553 Pro + HiFiMAN HE-350 (Equalizer APO + PeaceUI) | Not in use
Power Supply EVGA 750G2 Modular + APC Back-UPS Pro 1500 | EVGA KR500 80+ Bronze (Both) + APC Smart-UPS 1500
Mouse Logitech G502 | Dell USB Laser Mouse (KVM)
Keyboard Logitech G15 rv2 | Dell USB Keyboard (KVM)
Software Windows 10 Pro x64 | Windows Server 2012 R2 (Hyper-V) | Windows Server 2016 (Hyper-V)
#4
Netgate PFSense SG-1100 is $159 MSRP and could do it depending on your other network needs. - https://store.netgate.com/pfSense/SG-1100.aspx

I also really like the SG-3100 and higher series but those cost quite a bit more, and at those prices you might as well build a budget mITX system to run PFSense on IMHO.

Again, the issue is, if you're using that router to build a connection to Amazon, you're essentially having an open door to your LAN on both Amazon and at your home, so if one side is compromised, the other one can be once the other subnet is sniffed out. But if you have restricted access and are pretty careful about things, this should also be a non-issue.

PFSense includes an OpenVPN server setup wizard, which is pretty easy to follow; make sure you know your / notations, most folks use /24 anyways. There's tons of good directions out there too.

OpenVPN server on PFSense is my favorite to set up, though I've done plenty of IPSec, PPTP, L2TP, etc. VPNs and other proprietary or OpenVPN-branched SSL-VPNs on Sophos, Netgate (PFSense), SonicWall, Cisco, Barracuda, Fortinet, etc. Most of them configure similarly; some offer more or less tuning. OpenVPN offers quite a bit, but there are only certain things you should set up. Once you get VPNs it's not bad to configure any of them IMHO, and it is worth the effort to learn because it isn't that bad.

As a mid-level networking guy, at least what I understand one to be, I believe you can absolutely create an OpenVPN server. Honestly more routers support standard old IPSEC VPNs than OpenVPN, and because you can set them up with IKE or IKEv2 and not rely on signed (self or third party) certifications as part of the checks and balances, they are easier to set up. That also means they're not as secure, but as long as you're using AES256 encryption you should be good to go.

Here's some links:

OpenVPN setup:

IPSEC setup:

Note: I have set up IPSEC VPNs between PFSense and other router brands pretty easily; the trick has generally been to use static identifiers, so in Phase 1 to set My Identifier to IP Address, which I manually enter, and the same for the Peer Identifier, rather than relying on them auto-reporting to each other. I've had the most issues between SonicWalls and PFSenses using identifiers, but really it's a non-issue if you set a static identifier.

Let me know if you have any other questions I can help with. Sorry I'm not more familiar with the Amazon AWS environment, but I did some Googling and found plenty of documentation about how to VPN a PFSense to AWS. So you should be able to source the help you need should you go this route.

Google Search: https://bit.ly/2NlPjWV

Some Results:
 
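As an added illustration of the site-to-site setup and the "restricted access" caveat in the post above (example configuration written for this thread, not from the poster, pfSense or AWS documentation): a minimal OpenVPN server config for the office side, the per-client file that binds the AWS subnet to one client certificate, and the matching client config for an EC2 instance in the private subnet. The hostname, file names and subnets (192.168.1.0/24 office, 172.31.16.0/20 AWS, 10.8.0.0/24 tunnel) are assumed placeholders.

```openvpn
# ---- server.conf (office side: pfSense or a Linux VM) ----
port 1194
proto udp
dev tun
topology subnet
# Certificate-based auth; file names are assumed placeholders
ca ca.crt
cert office-server.crt
key office-server.key
dh dh2048.pem
# Tunnel transit network (constructed addressing)
server 10.8.0.0 255.255.255.0
# Drop any packet not wrapped with the shared TLS key: unsolicited probes get no reply
tls-crypt ta.key
# Pin the data-channel cipher and HMAC instead of accepting whatever the client offers
cipher AES-256-GCM
auth SHA256
# Kernel route for the AWS private subnet via the tunnel, bound to one client cert below
route 172.31.16.0 255.255.240.0
client-config-dir ccd
# Advertise only the office LAN to the peer, not the tunnel as a default route
push "route 192.168.1.0 255.255.255.0"
keepalive 10 60
persist-key
persist-tun
verb 3
# Which hosts/ports may cross the tunnel is enforced by firewall rules on the
# tun interface (pfSense: Firewall > Rules > OpenVPN tab), not by these routes.

# ---- ccd/aws-site (file name = CN of the AWS peer's certificate) ----
# iroute tells the server this subnet lives behind this particular client
iroute 172.31.16.0 255.255.240.0

# ---- client.conf (AWS side: an EC2 instance in the private subnet) ----
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert aws-site.crt
key aws-site.key
tls-crypt ta.key
# Refuse to talk to anything whose certificate is not a server cert from our CA
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
persist-key
persist-tun
```

For the EC2 side to forward traffic for the rest of the subnet, the instance needs IP forwarding enabled, its source/destination check disabled, and a VPC route table entry sending 192.168.1.0/24 to that instance. Keep the security group on the database hosts scoped to the tunnel or office addresses so a compromise on either side reaches only what the rules allow.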
#5
Wow, great info! I read up and learned quite a bit. pfSense seems pretty robust.

However, I did the cost analysis, and using AWS VPN requires a VPG, and the cost is $0.05 per hour when the VPN is set up, for an annual cost of over $400. For that cost, it is much cheaper to set up an on-demand EC2 instance to serve as the bastion host (I just need a host to connect to the Production database and/or other EC2 on occasion to perform analysis or troubleshooting).

Now I have a different question though - I will have other remote employees that need to connect to the office in the near future. I looked at some of the small business VPN devices such as this one - https://smile.amazon.com/Firewall-B...2136&sr=8-11-spons&keywords=Zyxel+Zywall&th=1

I don't like the same router with WiFi because I want to provide better WiFi for the office. Can I daisy chain another router (Netgear) with this one? I probably need to disable DHCP in the Zyxel router then? And use the Netgear router to provide DHCP and WiFi? Would that work?

Thanks again.
 

Kursah

Moderator
Staff member
Joined
Oct 15, 2006
Messages
12,223 (2.69/day)
Likes
6,581
Location
Missoula, MT, USA
System Name Kursah's Gaming Rig 2018 - Ryzen+ Edition | SpartanCore | SpartanCore2
Processor R7 2700X @ Stock (3.7/4.35) w/PBO+XFR2 | i7 3770 3.4/3.9 Stock | i7 4770 3.4/3.9 Stock
Motherboard Asus ROG Strix X370-F Gaming | Intel DQ77MK | SuperMicro X10SLQ
Cooling Noctua NH-U14S Push-Pull + NT-H1 | Stock Intel Cooler + AC MX4 | Stock Intel Cooler + AC MX4
Memory 16GB (2x8) G.Skill DDR4-3200 | 16GB (4x4) Samsung DDR3-1600 | 32GB (4x8) Mushkin Stealth DDR3-1600
Video Card(s) MSI GTX980 Ti Gaming 6G LE @ Stock | Onboard Intel HD 4000 | Onboard Intel HD 4600
Storage SSD 250GB + 960GB, 1x2TB | 120GB SSD, RAID10 6x2TB (6TB) | 120GB SSD, RAID10 6x3TB (9TB)
Display(s) Samsung 32" TV IPS 1080p, Dell 23" U2312HM IPS 1080p | 19" Dell on KVM..mostly headless operation.
Case Corsair 600C - Stock Fans on Low | Lian Li Lancool PC-K7 - Cougar fans | Modified Lenovo TS430 Case
Audio Device(s) Aune T1 mk1 > AKG K553 Pro + HiFiMAN HE-350 (Equalizer APO + PeaceUI) | Not in use
Power Supply EVGA 750G2 Modular + APC Back-UPS Pro 1500 | EVGA KR500 80+ Bronze (Both) + APC Smart-UPS 1500
Mouse Logitech G502 | Dell USB Laser Mouse (KVM)
Keyboard Logitech G15 rv2 | Dell USB Keyboard (KVM)
Software Windows 10 Pro x64 | Windows Server 2012 R2 (Hyper-V) | Windows Server 2016 (Hyper-V)
#6
How do you intend your employees to connect? Road warrior by device or buying them each a VPN router? I'm not entirely clear there from your statement.

Depending on how business grade you wanna get, use a dedicated wifi AP for your network to extend your LAN to wifi; I like Ubiquiti and Ruckus products primarily. If you want to provide better wifi for the office, buy and use business grade wifi gear imho. Your gateway, or border router, could still manage DHCP.

If you have a VLAN capable layer-3 switch you could manage depending on how you want to control access and routing.

You could use a home grade wifi router in AP mode to provide wifi. But I'm unclear as to why you'd move DHCP away from your gateway and how you intend to design your office LAN(s).

Many routers with multiple interfaces can manage different LANs at the physical (port) and logical (VLAN) level. Layer-3 switches do VLAN hosting better...but in a smaller office it won't be as critical...a managed Layer-2 switch that can allow you to assign VLANs tagged or untagged to ports is all you'd need, and they are much more affordable. Maybe you already know that.

You could use the Netgear for wifi and DHCP, but depending on the depth and complexity of your network you may run into issues or need to advertise it via relay. Again, need some more clarity from you here.

Cheers!
 
#7
Sorry for the late reply - I was traveling for work last week.

That is one of the questions that I have - can my users on Windows 10 Pro use the VPN option from Windows? My plan is to have the VPN router at the office, and for the users to connect to the router/VPN using the software from Windows. Would that work? Or do I need additional software? I would not be buying VPN router for the users. I need something secured but also simple (software) to set up as my users are not tech savvy.

The home office LAN is just a simple network. The WiFi router is connected to a Comcast modem, and currently it is the one that does DHCP. I am flexible to change the setup for best practices, if I need to use a gateway/router combo that can provide better WiFi as well as VPN service for the users. I do plan to upgrade the router when WPA3 routers are out.
 

Kursah

Moderator
Staff member
Joined
Oct 15, 2006
Messages
12,223 (2.69/day)
Likes
6,581
Location
Missoula, MT, USA
System Name Kursah's Gaming Rig 2018 - Ryzen+ Edition | SpartanCore | SpartanCore2
Processor R7 2700X @ Stock (3.7/4.35) w/PBO+XFR2 | i7 3770 3.4/3.9 Stock | i7 4770 3.4/3.9 Stock
Motherboard Asus ROG Strix X370-F Gaming | Intel DQ77MK | SuperMicro X10SLQ
Cooling Noctua NH-U14S Push-Pull + NT-H1 | Stock Intel Cooler + AC MX4 | Stock Intel Cooler + AC MX4
Memory 16GB (2x8) G.Skill DDR4-3200 | 16GB (4x4) Samsung DDR3-1600 | 32GB (4x8) Mushkin Stealth DDR3-1600
Video Card(s) MSI GTX980 Ti Gaming 6G LE @ Stock | Onboard Intel HD 4000 | Onboard Intel HD 4600
Storage SSD 250GB + 960GB, 1x2TB | 120GB SSD, RAID10 6x2TB (6TB) | 120GB SSD, RAID10 6x3TB (9TB)
Display(s) Samsung 32" TV IPS 1080p, Dell 23" U2312HM IPS 1080p | 19" Dell on KVM..mostly headless operation.
Case Corsair 600C - Stock Fans on Low | Lian Li Lancool PC-K7 - Cougar fans | Modified Lenovo TS430 Case
Audio Device(s) Aune T1 mk1 > AKG K553 Pro + HiFiMAN HE-350 (Equalizer APO + PeaceUI) | Not in use
Power Supply EVGA 750G2 Modular + APC Back-UPS Pro 1500 | EVGA KR500 80+ Bronze (Both) + APC Smart-UPS 1500
Mouse Logitech G502 | Dell USB Laser Mouse (KVM)
Keyboard Logitech G15 rv2 | Dell USB Keyboard (KVM)
Software Windows 10 Pro x64 | Windows Server 2012 R2 (Hyper-V) | Windows Server 2016 (Hyper-V)
#8
Road warrior VPN is what you're seeking and describing. OpenVPN requires its own client; it doesn't integrate into Windows VPN last I checked. Sonicwall SOHO can...but it's $50 per bonus user license as it only comes with one. Not sure if that's worth it...imho, I'd try OVPN with PFSense first. The app is lightweight and fairly easy to use.

OpenVPN client is free and I've trained dozens of users to use the OVPN client in Windows and Tunnelblick in OSX with great success. That's the route I'd suggest.
 