
Amazon AWS VPN Gateway and OpenVPN Question

Joined
Jul 9, 2016
Messages
1,068 (0.38/day)
System Name Main System
Processor i9-10940x
Motherboard MSI X299 Xpower Gaming AC
Cooling Noctua NH-D15S + Second Fan
Memory G.Skill 64GB @3200MHz XMP
Video Card(s) ASUS Strix RTX 3090 24GB
Storage 2TB Samsung 970 EVO Plus; 2TB Corsair Force MP600; 2TB Samsung PM981a
Display(s) Dell U4320Q; LG 43MU79-B
Case Corsair A540
Audio Device(s) Creative Lab SoundBlaster ZX-R
Power Supply EVGA G2 1300
Mouse Logitech MK550
Keyboard Corsair K95 Platinum XT Brown Switches
Software Windows 10 Pro
Benchmark Scores Cinebench R20 - 6910; FireStrike Ultra - 13241; TimeSpy Extreme - 10067; Port Royal - 13855
Hello,

I want to connect to my AWS EC2 in a private subnet via the AWS VPN Gateway. I have heard of OpenVPN but have never used it before. From what I read, I need to set up an OpenVPN server (a physical machine or software server?). Instead of that, can I simply go get a router that has OpenVPN? How does that work?

Thanks in advance.
 

Kursah

Super Moderator
Staff member
Joined
Oct 15, 2006
Messages
14,673 (2.29/day)
Location
Missoula, MT, USA
System Name Kursah's Gaming Rig 2018 (2022 Upgrade) - Ryzen+ Edition | Gaming Laptop (Lenovo Legion 5i Pro 2022)
Processor R7 5800X @ Stock | i7 12700H @ Stock
Motherboard Asus ROG Strix X370-F Gaming BIOS 6203| Legion 5i Pro NM-E231
Cooling Noctua NH-U14S Push-Pull + NT-H1 | Stock Cooling
Memory TEAMGROUP T-Force Vulcan Z 32GB (2x16) DDR4 4000 @ 3600 18-20-20-42 1.35v | 32GB DDR5 4800 (2x16)
Video Card(s) Palit GeForce RTX 4070 JetStream 12GB | CPU-based Intel Iris XE + RTX 3070 8GB 150W
Storage 4TB SP UD90 NVME, 960GB SATA SSD, 2TB HDD | 1TB Samsung OEM NVME SSD + 4TB Crucial P3 Plus NVME SSD
Display(s) Acer 28" 4K VG280K x2 | 16" 2560x1600 built-in
Case Corsair 600C - Stock Fans on Low | Stock Metal/Plastic
Audio Device(s) Aune T1 mk1 > AKG K553 Pro + JVC HA-RX 700 (Equalizer APO + PeaceUI) | Bluetooth Earbuds (BX29)
Power Supply EVGA 750G2 Modular + APC Back-UPS Pro 1500 | 300W OEM (heavy use) or Lenovo Legion C135W GAN (light)
Mouse Logitech G502 | Logitech M330
Keyboard HyperX Alloy Core RGB | Built in Keyboard (Lenovo laptop KB FTW)
Software Windows 11 Pro x64 | Windows 11 Home x64
If you use a router with OpenVPN, then your LAN will be connected over VPN to your AWS EC2, if that's how you want it to work. That's called a site-to-site VPN; in most cases it's router-to-router, though it can be router-to-server as well.

The other familiar option is called road warrior VPN, or device-to-router/server. That is what I prefer in many lab situations, where I only need access from one device at any given time, and it is also how I connect to my home network when at work or on the road. I host the OpenVPN server on my pfSense router, but it is only set up for road-warrior connectivity (user connections) at this time, by my choice. OpenVPN is nice because it's generally free to work with; it does take time and some network comprehension to set up and use, but it is worth it if you're into networking and VPNs.

OpenVPN client software is free to download from Openvpn.net. MacOS can use something like Tunnelblick as well.

I recommend, if you're creating a software server to host it (VM), going with Linux. There's A LOT of documentation; in fact, one of my first experiences with creating an OpenVPN server was on a 10 y/o Toshiba laptop for a friend that needed remote access to print services several hundred miles away but was a cheap ass. That solution worked flawlessly for 3 years, until the laptop finally gave up the ghost. Tossed Ubuntu on there, set up an OpenVPN server via CLI, copied the config files I needed, and away we went.

I'm not familiar with the AWS VPN Gateway, but if they have instructions to use OpenVPN clients to connect, I would recommend it. Should work well.
 
Joined
Jul 9, 2016
Thanks for the reply. I don't want to set up a machine to be the OpenVPN server. Are there any well-known and reliable OpenVPN-capable routers that would be simple to configure/set up? Budget is about $200. I am a mid-level networking guy, but have never done any VPN setup before, other than using Cisco VPN software in my previous job.

Ah, also, we want to go the site-to-site route.
 

Kursah

The Netgate pfSense SG-1100 at $159 MSRP could do it, depending on your other network needs: https://store.netgate.com/pfSense/SG-1100.aspx

I also really like the SG-3100 and higher series, but those cost quite a bit more, and at those prices you might as well build a budget mITX system to run pfSense on, IMHO.

Again, the issue is, if you're using that router to build a connection to Amazon, you're essentially having an open door to your LAN on both Amazon and at your home, so if one side is compromised, the other one can be once the other subnet is sniffed out. But if you have restricted access and are pretty careful about things, this should also be a non-issue.

pfSense includes an OpenVPN server setup wizard, which is pretty easy to follow; make sure you know your / notations, most folks use /24 anyways. There's tons of good directions out there too.

OpenVPN server on pfSense is my favorite to set up, though I've done plenty of IPsec, PPTP, L2TP, etc. VPNs and other proprietary or OpenVPN-branched SSL-VPNs on Sophos, Netgate (pfSense), SonicWall, Cisco, Barracuda, Fortinet, etc. Most of them configure similarly; some offer more or less tuning. OpenVPN offers quite a bit, but there are only certain things you should set up. Once you get VPNs, it's not bad to configure any of them, IMHO, and it is worth the effort to learn because it isn't that bad.

As a mid-level networking guy, at least what I understand one to be, I believe you can absolutely create an OpenVPN server. Honestly, more routers support standard old IPsec VPNs than OpenVPN, and because you can set them up with IKE or IKEv2 and not rely on signed (self or third party) certificates as part of the checks and balances, they are easier to set up. That also means they're not as secure, but as long as you're using AES256 encryption you should be good to go.

Here's some links:

OpenVPN setup:

IPSEC setup:
Note: I have set up IPsec VPNs between pfSense and other router brands pretty easily. The trick has generally been to use static identifiers, so in Phase 1 I set My Identifier to IP Address, which I manually enter, and the same for the Peer Identifier, rather than relying on them auto-reporting to each other. I've had the most issues between SonicWalls and pfSenses using identifiers, but really it's a non-issue if you set a static identifier.

Let me know if you have any other questions I can help with. Sorry I'm not more familiar with the Amazon AWS environment, but I did some Googling and found plenty of documentation about how to VPN a pfSense to AWS. So you should be able to source the help you need should you go this route.

Google Search: https://bit.ly/2NlPjWV

Some Results:
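An added example (not code from the thread, pfSense or OpenVPN) that turns two points from the post above into a check: the "/ notation" of each subnet is parsed strictly, the home LAN, AWS subnet and tunnel pool are checked for overlap (a common reason a site-to-site tunnel never routes), and the generated OpenVPN server lines route only those two subnets, which is the "restricted access" that keeps the open door on each side narrow. All addresses and the client name `aws-router` are constructed sample values, and the layout (home router as OpenVPN server, AWS side as a certificate-authenticated client) is an assumption.

```python
import ipaddress
from typing import Dict, List

def parse_prefix(label: str, cidr: str) -> ipaddress.IPv4Network:
    """Parse a '/' prefix strictly, so a host address like 192.168.1.5/24 is rejected."""
    try:
        return ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:
        raise ValueError(f"{label}: {cidr!r} is not a network prefix ({exc})") from exc

def plan_site_to_site(home_lan: str, aws_subnet: str, tunnel_net: str,
                      remote_cn: str) -> Dict[str, List[str]]:
    """Return OpenVPN server-side lines that route only the two named subnets.

    Assumption (hypothetical layout): the home router runs the OpenVPN server and
    the AWS side connects as a client whose certificate CN is remote_cn.
    """
    nets = {"home LAN": parse_prefix("home LAN", home_lan),
            "AWS subnet": parse_prefix("AWS subnet", aws_subnet),
            "tunnel": parse_prefix("tunnel", tunnel_net)}
    labels = list(nets)
    for i, a in enumerate(labels):            # overlapping prefixes cannot be routed apart
        for b in labels[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} {nets[a]} overlaps {b} {nets[b]}; renumber one side")
    home, aws, tun = nets["home LAN"], nets["AWS subnet"], nets["tunnel"]
    server_conf = [
        f"server {tun.network_address} {tun.netmask}",            # tunnel address pool
        f"route {aws.network_address} {aws.netmask}",             # server kernel route via tun
        f'push "route {home.network_address} {home.netmask}"',    # AWS side learns home LAN only
        "client-config-dir ccd",                                  # enables per-client iroute
    ]
    ccd_file = [f"iroute {aws.network_address} {aws.netmask}"]    # binds AWS subnet to this client
    return {"server.conf": server_conf, f"ccd/{remote_cn}": ccd_file}

def rejects(*args: str) -> bool:
    """True when plan_site_to_site refuses the given prefixes (bad mask or overlap)."""
    try:
        plan_site_to_site(*args)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # Constructed sample values: home LAN, AWS private subnet, tunnel pool, client CN.
    for name, lines in plan_site_to_site("192.168.1.0/24", "10.0.2.0/24",
                                         "10.8.0.0/24", "aws-router").items():
        print(f"# {name}\n" + "\n".join(lines))
```

The `iroute` line belongs in the per-client file `ccd/aws-router`, without which the server knows the AWS subnet is reachable over tun but not which client owns it.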
 
Joined
Jul 9, 2016
Wow, great info! I read up and learned quite a bit. pfSense seems pretty robust.

However, I did the cost analysis, and using AWS VPN requires a VPG, and the cost is $.05 per hour while the VPN is set up, for an annual cost of over $400. For that cost, it is much cheaper to set up an on-demand EC2 instance to serve as the bastion host (I just need a host to connect to the Production database and/or other EC2 on occasion to perform analysis or troubleshooting).

Now I have a different question though - I will have other remote employees that need to connect to the office in the near future. I looked at some of the small business VPN devices such as this one - https://smile.amazon.com/Firewall-B...2136&sr=8-11-spons&keywords=Zyxel+Zywall&th=1

I don't like the same router with WiFi because I want to provide better WiFi for the office. Can I daisy-chain another router (Netgear) with this one? I probably need to disable DHCP in the Zyxel router then? And use the Netgear router to provide DHCP and WiFi? Would that work?

Thanks again.
 

Kursah

How do you intend your employees to connect? Road warrior by device or buying them each a VPN router? I'm not entirely clear there from your statement.

Depending on how business grade you wanna get, use a dedicated wifi AP for your network to extend your LAN to wifi; I like Ubiquiti and Ruckus products primarily. If you want to provide better wifi for the office, buy and use business grade wifi gear, imho. Your gateway, or border router, could still manage DHCP.

If you have a VLAN-capable layer-3 switch, you could manage it there, depending on how you want to control access and routing.

You could use a home grade wifi router in AP mode to provide wifi. But I'm unclear as to why you'd move DHCP away from your gateway and how you intend to design your office LAN(s).

Many routers with multiple interfaces can manage different LANs at the physical (port) and logical (VLAN) level. Layer-3 switches do VLAN hosting better...but in a smaller office it won't be as critical...a managed Layer-2 switch that can allow you to assign VLANs tagged or untagged to ports is all you'd need, and they are much more affordable. Maybe you already know that.

You could use the Netgear for wifi and DHCP, but depending on the depth and complexity of your network you may run into issues or need to advertise it via relay. Again, need some more clarity from you here.

Cheers!
 
Joined
Jul 9, 2016
Sorry for the late reply - I was traveling for work last week.

That is one of the questions that I have: can my users on Windows 10 Pro use the VPN option from Windows? My plan is to have the VPN router at the office, and for the users to connect to the router/VPN using the software from Windows. Would that work? Or do I need additional software? I would not be buying a VPN router for the users. I need something secured but also simple (software) to set up, as my users are not tech savvy.

The home office LAN is just a simple network. The WiFi router is connected to a Comcast modem, and currently it is the one that does DHCP. I am flexible to change the setup for best practices, if I need to use a gateway/router combo that can provide better WiFi as well as VPN service for the users. I do plan to upgrade the router when WPA3 routers are out.
 

Kursah

Road warrior VPN is what you're seeking and describing. OpenVPN requires its own client; it doesn't integrate into Windows VPN, last I checked. SonicWall SOHO can...but it's $50 per bonus user license, as it only comes with one. Not sure if that's worth it...imho, I'd try OVPN with pfSense first. The app is lightweight and fairly easy to use.

OpenVPN client is free and I've trained dozens of users to use the OVPN client in Windows and Tunnelblick in OSX with great success. That's the route I'd suggest.
 