OpenBSD VPN to Linux in an Amazon VPC
4:31pm on Jan 07, 2014
This article is a great start on how to connect two VPCs using Linux and OpenSWAN. I followed it, but then I also needed to connect my OpenBSD office router. Set up the VPC side the same way (except for the changes below).
Addresses
- Office router external address: 1.2.3.4
- Office internal subnet: 192.168.1.0/24
- VPC gateway instance address: 5.6.7.8
- AWS VPC subnet: 10.1.0.0/24
OpenBSD /etc/ipsec.conf:
```
# Office side: "from" is our own subnet, "to" is the VPC subnet; the Linux end
# mirrors this as rightsubnet/leftsubnet. Phase 1 (main) and phase 2 (quick)
# both use AES, HMAC-SHA1 and DH group modp1024 (the quick group gives PFS).
ike esp from 192.168.1.0/24 to 10.1.0.0/24 \
    local 1.2.3.4 peer 5.6.7.8 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    srcid 1.2.3.4 \
    psk "monkeys" \
    tag amazon-vpc
```
OpenBSD /etc/pf.conf:
```
TcpState="flags S/SA modulate state"
UdpState="keep state"

# vr1 is the external interface (1.2.3.4), vr2 the office LAN.
table <amazon_vpn> const { 5.6.7.8 }
table <our_vpns> const { 10.1.0.0/24 }

# Traffic on the enc0 pseudo-interface has already been matched by the IPsec flows.
set skip on enc0

match out on vr1 from any to <our_vpns> received-on vr2 tag EGRESS nat-to (vr1:0)

pass out on vr1 inet proto tcp all $TcpState
pass out on vr1 inet proto udp all $UdpState
# ESP plus IKE (500) and NAT-T (4500) towards the VPC gateway only.
pass out on vr1 inet proto esp from any to <amazon_vpn>
pass out on vr1 inet proto udp from any to <amazon_vpn> port { 500 4500 } $UdpState

# Inbound: only ESP/IKE from the VPC gateway to our address; "quick" stops evaluation here.
pass in quick on vr1 inet proto esp from <amazon_vpn> to (vr1:0)
pass in quick on vr1 inet proto udp from <amazon_vpn> to (vr1:0) port { 500 4500 } $UdpState

# Last match wins: anything inbound on vr1 not passed by the quick rules above is logged and dropped.
block in log on vr1
```
Add to OpenBSD /etc/sysctl.conf:
```
net.inet.ip.forwarding=1
```
Add to OpenBSD /etc/rc.conf.local:
```
ipsec=YES
# -4: IPv4 only; -K: skip KeyNote policy checking, the flows come from ipsec.conf via ipsecctl
isakmpd_flags="-4 -K"
```
Linux /etc/ipsec.conf:
```
conn Office
    type=tunnel
    # left = this VPC gateway instance
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    leftnexthop=%defaultroute
    leftid=5.6.7.8
    # right = the OpenBSD office router and its LAN
    right=1.2.3.4
    rightsubnet=192.168.1.0/24
    keyexchange=ike
    # must match the OpenBSD main/quick transforms: AES, SHA1, modp1024
    esp=aes128-sha1
    ike=aes128-sha1-modp1024
    auto=start
    auth=esp
    authby=secret
    pfs=yes
    keyingtries=%forever
    rekeymargin=4m
    rekey=yes
    disablearrivalcheck=no
    aggrmode=no
```
Linux /etc/ipsec.secrets:
```
5.6.7.8 1.2.3.4: PSK "monkeys"
```
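Most failures with a setup like this are the two ends disagreeing on something that only shows up as a phase 2 ID or proposal mismatch in the logs. The script below is an added cross-check, not part of the original post: it parses an OpenBSD `ike` rule, an Openswan `conn` block and the `ipsec.secrets` line (all constructed inline from the values above) and reports any mirrored subnet, address, DH group, PFS or PSK disagreement between them.

```python
import re, shlex, ipaddress

# Constructed sample inputs: one OpenBSD `ike` rule, one Openswan conn block, one secrets line.
OPENBSD_IKE = ('ike esp from 192.168.1.0/24 to 10.1.0.0/24 local 1.2.3.4 peer 5.6.7.8 '
               'main auth hmac-sha1 enc aes group modp1024 '
               'quick auth hmac-sha1 enc aes group modp1024 srcid 1.2.3.4 psk "monkeys"')
OPENSWAN_CONN = ("conn Office\n    leftsubnet=10.1.0.0/24\n    leftid=5.6.7.8\n    right=1.2.3.4\n"
                 "    rightsubnet=192.168.1.0/24\n    ike=aes128-sha1-modp1024\n    pfs=yes\n")
OPENSWAN_SECRET = '5.6.7.8 1.2.3.4: PSK "monkeys"'

def parse_openbsd_ike(line):      # from/to/local/peer/psk plus the main and quick DH groups
    toks = shlex.split(line)          # shlex keeps the quoted PSK as one token
    d, phase = {}, None
    for i, t in enumerate(toks):
        if t in ("main", "quick"):    # phase 1 / phase 2 transform sections
            phase = t
        elif t in ("from", "to", "local", "peer", "psk"):
            d[t] = toks[i + 1]
        elif t == "group":
            d[phase + "_group"] = toks[i + 1]
    return d

def parse_openswan_conn(text):
    return dict(re.findall(r"^\s*(\w+)=(\S+)", text, re.M))

def parse_secret(line):
    m = re.match(r'^(\S+)\s+(\S+):\s*PSK\s+"([^"]*)"', line)
    return {"hosts": {m.group(1), m.group(2)}, "psk": m.group(3)}

def check_tunnel(ike_line, conn_text, secret_line):
    """Return the list of mismatches between the two ends; an empty list means they agree."""
    o, l, s = parse_openbsd_ike(ike_line), parse_openswan_conn(conn_text), parse_secret(secret_line)
    bad = []
    for k, side in (("from", o), ("to", o), ("leftsubnet", l), ("rightsubnet", l)):
        try:                          # strict=True rejects unaligned prefixes such as 192.168.1.0/23
            ipaddress.ip_network(side.get(k), strict=True)
        except ValueError:
            bad.append(f"{k}={side.get(k)} is not a valid network")
    # Each end's "mine" must be the other end's "theirs": subnets, addresses and IDs are mirrored.
    for mine, theirs in (("from", "rightsubnet"), ("to", "leftsubnet"), ("local", "right"), ("peer", "leftid")):
        if o.get(mine) != l.get(theirs):
            bad.append(f"OpenBSD {mine}={o.get(mine)} vs Openswan {theirs}={l.get(theirs)}")
    if o.get("main_group", "?") not in l.get("ike", ""):
        bad.append(f"phase 1 DH group {o.get('main_group')} is not in ike={l.get('ike')}")
    if (l.get("pfs") == "yes") != ("quick_group" in o):
        bad.append(f"PFS: Openswan pfs={l.get('pfs')} but OpenBSD quick group={o.get('quick_group')}")
    if s["psk"] != o.get("psk") or s["hosts"] != {o.get("local"), o.get("peer")}:
        bad.append("ipsec.secrets PSK or host pair does not match the OpenBSD rule")
    return bad
```

Run it against the real files by reading the `ike` line, the `conn` block and the secrets line from disk; an empty list means the two ends are consistent.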