Setup Raspberry PI 3 as AWS VPN Customer Gateway

In my previous article, I showed how to use a software VPN such as OpenVPN to reach private AWS resources over a secure tunnel. In this post, I will walk you through, step by step, how to set up an IPsec site-to-site VPN between your home network and your remote AWS VPC subnets, using a Raspberry PI as the Customer Gateway.

To get started, find your home router's public-facing IP address. It must be reachable from AWS and reasonably stable: the Customer Gateway is defined with this address, so if your ISP hands you a new one the tunnel stays down until you update it:

Next, sign in to AWS Management Console, navigate to VPC Dashboard and create a new VPN Customer Gateway:

Next, create a Virtual Private Gateway:

And attach it to the target VPC:

Then, create a VPN Connection with the Customer Gateway and the Virtual Private Gateway:

Note: Make sure to add your home CIDR subnet to the Static IP Prefixes section. The PI will not speak BGP, so the connection uses static routing and AWS has to be told which prefixes sit behind the Customer Gateway.

Once the VPN Connection is created, click on the “Tunnel Details” tab. You should see two tunnels, each terminating on a different AWS endpoint, for redundancy:

It may take a few minutes for the VPN connection to become available. When it is ready, select the connection, choose “Download Configuration“ (pick the Openswan vendor option) and open the file. For each tunnel, note the pre-shared key and the Virtual Private Gateway's outside (tunnel) IP address. The pre-shared key is the credential that authenticates the tunnel, so handle the file like a password:

I used a Raspberry PI 3 (quad-core 1.2 GHz CPU, 1 GB RAM) running Raspbian with the SSH server enabled. The default credentials are pi/raspberry; change that password (or switch to key-based login) before going any further, since this box is about to become a router into your VPC. Log in and start setting up the PI:

Openswan provides the IKE daemon (pluto) that negotiates the tunnels and relies on the kernel's NETKEY IPsec stack for the actual encryption of the traffic. Install it on your PI:

Update the /etc/ipsec.conf file as below:

Create a new IPsec Connection in /etc/ipsec.d/home-to-aws.conf :

  • left: Your Raspberry PI private IP.
  • leftid: Your Home Router public-facing IP.
  • leftsubnet: CIDR of your Home Subnet.
  • right: The Virtual Private Gateway's outside (tunnel) IP address, from the downloaded configuration.
  • rightsubnet: CIDR of your VPC.

Add the tunnel's pre-shared key to /var/lib/openswan/ipsec.secrets.inc (included by /etc/ipsec.secrets); keep that file readable by root only:

To enable IPv4 forwarding, so the PI can route between your home subnet and the VPC, edit /etc/sysctl.conf and ensure the following lines are uncommented:

Run sysctl -p to reload it. Then, restart the IPsec service:

Verify that the service is running correctly and that the tunnel's security associations are established:
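The steps above, from installing Openswan to checking the tunnel, as one added script (not code from the original post). It renders /etc/ipsec.conf, the home-to-aws conn, the secrets line and the sysctl settings from parameters, then installs and restarts Openswan and checks the SAs. Every IP, CIDR and key is an argument you supply; the proposal (aes256-sha2_256;modp2048) is an assumption stronger than the aes128-sha1;modp1024 in the downloaded sample, and the two redirect sysctls follow AWS's guidance for a Linux customer gateway.

```shell
#!/bin/sh
# Added example, not from the original post: renders and installs the Openswan
# files for one AWS VPN tunnel on the Pi. Every IP, CIDR and key is passed in as
# an argument; values in comments are documentation-range placeholders.

# Global /etc/ipsec.conf: pluto drives the kernel's NETKEY IPsec stack and the
# per-connection files live in /etc/ipsec.d.
render_ipsec_conf() {
    cat <<'EOF'
config setup
    protostack=netkey
    nat_traversal=yes
    oe=off
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
include /etc/ipsec.d/*.conf
EOF
}

# One conn block. $1 name, $2 Pi private IP (left), $3 home public IP (leftid),
# $4 home CIDR (leftsubnet), $5 VGW tunnel outside IP (right), $6 VPC CIDR.
# The proposal is an assumption stronger than the aes128-sha1;modp1024 of the
# downloaded sample; if phase 1 never completes, fall back to the sample values.
render_conn() {
    cat <<EOF
conn $1
    authby=secret
    auto=start
    type=tunnel
    keyexchange=ike
    left=$2
    leftid=$3
    leftsubnet=$4
    right=$5
    rightsubnet=$6
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    ikelifetime=8h
    keylife=1h
    keyingtries=%forever
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer
EOF
}

# PSK line in the form  <leftid> <right>: PSK "<key>".  $1 leftid, $2 right, $3 key.
render_secret() {
    printf '%s %s: PSK "%s"\n' "$1" "$2" "$3"
}

# The Pi routes between two subnets, so forwarding must be on; the redirect
# settings are the ones AWS recommends for a Linux customer gateway.
render_sysctl() {
    cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
}

# Installs everything and brings the tunnel up. Needs root. Arguments: the six
# render_conn values followed by the PSK from the downloaded configuration.
install_tunnel() {
    apt-get install -y openswan
    render_ipsec_conf > /etc/ipsec.conf
    render_conn "$@" > /etc/ipsec.d/home-to-aws.conf
    # The PSK is a credential: make sure only root can read the secrets file.
    ( umask 077; render_secret "$3" "$5" "$7" >> /var/lib/openswan/ipsec.secrets.inc )
    chmod 600 /var/lib/openswan/ipsec.secrets.inc
    render_sysctl > /etc/sysctl.d/99-ipsec-forwarding.conf
    sysctl -p /etc/sysctl.d/99-ipsec-forwarding.conf
    service ipsec restart
    ipsec verify
    # A healthy tunnel shows an established ISAKMP SA and an IPsec SA for the conn.
    ipsec auto --status | grep -E "\"$1\".*(ISAKMP SA established|IPsec SA established)"
}

# Only act when invoked as a script with all seven arguments; sourcing the file
# just defines the functions.
if [ "$#" -eq 7 ]; then
    install_tunnel "$@"
fi
```

Run it as root on the PI with the seven values (conn name, the PI's private IP, your public IP, your home CIDR, the VGW tunnel IP, the VPC CIDR, the PSK). For the second tunnel, run render_conn and render_secret again with the Tunnel2 values and append the output to the same two files before restarting the service.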

If you go back to the AWS console, the status of the first tunnel should have changed to UP:

In the route table of the private subnet, add a route that sends traffic for your home subnet to the Virtual Private Gateway (or enable route propagation on that table):

Note: Follow the same steps above to set up the 2nd tunnel, with its own pre-shared key and tunnel IP, for resiliency and high availability of the VPN connectivity.

Launch an EC2 instance in the private subnet to verify the VPN connection:

In its security group, allow SSH only from your home subnet CIDR:

Connect via SSH using the instance's private IP address:

Congratulations! You can now connect securely to your private EC2 instances.

To take it further and connect from other machines in the same home network, add a static route on each of them that sends traffic for the VPC CIDR to the PI's private IP, as described below:

1 – Windows

2 – Linux

3 – Mac OS X

Test it out:
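The three per-OS routes above, as an added example (not code from the original post): a small script that prints the persistent route for Windows, Linux or macOS from the VPC CIDR and the PI's private IP, converting the prefix length to the dotted mask Windows expects, plus a Linux-side check that the kernel really picked the PI as next hop. The CIDR and addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: prints the static route that sends
# VPC traffic to the Pi for whichever OS the home machine runs. The CIDR and
# gateway are placeholders; pass your own.

# Dotted netmask for a prefix length (Windows' route command wants a mask, not /16).
prefix_to_mask() {
    p=$1; mask=""; i=0
    while [ "$i" -lt 4 ]; do
        if [ "$p" -ge 8 ]; then
            octet=255; p=$((p - 8))
        else
            octet=$(( (255 << (8 - p)) & 255 )); p=0
        fi
        mask="$mask${mask:+.}$octet"
        i=$((i + 1))
    done
    printf '%s\n' "$mask"
}

# $1 windows|linux|macos, $2 VPC CIDR, $3 Pi private IP (the gateway).
# Only the Windows form (-p) survives a reboot; the others need a boot hook.
route_cmd() {
    net=${2%/*}; plen=${2#*/}
    case $1 in
        windows) printf 'route -p ADD %s MASK %s %s\n' "$net" "$(prefix_to_mask "$plen")" "$3" ;;
        linux)   printf 'sudo ip route add %s via %s\n' "$2" "$3" ;;
        macos)   printf 'sudo route -n add -net %s %s\n' "$2" "$3" ;;
        *)       printf 'unsupported os: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Linux only. $1 private EC2 IP, $2 Pi private IP: confirms the kernel routes
# the instance via the Pi (not the default gateway) and that the tunnel answers.
check_route() {
    ip route get "$1" | grep -q "via $2 " || { echo "$1 does not route via $2" >&2; return 1; }
    ping -c 3 -W 2 "$1"
}

if [ "$#" -eq 3 ]; then
    route_cmd "$@"
fi
```

Example: `sh routes.sh linux 10.0.0.0/16 192.168.1.10` prints the command to run; `check_route 10.0.1.23 192.168.1.10` then confirms the path before you blame the tunnel.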


AWS OpenVPN Access Server

Being able to reach AWS resources directly and securely can be very useful. To achieve this you can:

  • Set up a dedicated connection with AWS Direct Connect
  • Use a network appliance (a hardware VPN gateway)
  • Use a software VPN such as OpenVPN

In this post, I will walk you through how to create an OpenVPN server on AWS, to connect securely to your VPC, Private Network resources and applications from any device anywhere.

To get started, sign in to your AWS Management Console and launch an EC2 instance from the OpenVPN Access Server AWS Marketplace offering:

For demo purposes, choose t2.micro:

Use the default settings, except for “Enable termination protection“, as we don't want our VPN server terminated by accident:

Assign a new Security Group as below. The SSH and admin ports are administrative and should be allowed only from your own IP range, never from 0.0.0.0/0:

  • TCP – 22 : SSH access to the instance (admins only).
  • TCP – 443 : HTTPS, the interface users log on to in order to retrieve their client configuration and installer; also the TCP fallback for VPN traffic.
  • TCP – 943 : OpenVPN Admin Web Dashboard (admins only).
  • UDP – 1194 : OpenVPN UDP port.

To ensure the VPN instance's public IP address doesn't change if it is stopped and started, assign it an Elastic IP:

For simplicity, I added an A record in Route 53 which points to the instance Elastic IP:
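The security group, Elastic IP and DNS steps above, as an added example done from the AWS CLI rather than the console (not code from the original post). It builds the four rules with SSH and the admin dashboard limited to an admin CIDR, enables termination protection, allocates and attaches an Elastic IP and upserts the A record. The VPC, instance and hosted-zone IDs, the admin CIDR and the DNS name are arguments; nothing here is taken from a real account.

```shell
#!/bin/sh
# Added example, not from the original post: provisions the OpenVPN Access Server
# security group with admin-only ports restricted, then pins a static address and
# DNS name to the instance. Resource IDs, CIDRs and names are placeholders.

# Ingress rules in the JSON the aws cli expects. $1 is the CIDR allowed to reach
# SSH (22) and the admin UI (943); the client-facing 443/1194 stay open to all.
sg_ingress_json() {
    admin=$1
    cat <<EOF
[
 {"IpProtocol":"tcp","FromPort":22,"ToPort":22,"IpRanges":[{"CidrIp":"$admin","Description":"SSH, admins only"}]},
 {"IpProtocol":"tcp","FromPort":943,"ToPort":943,"IpRanges":[{"CidrIp":"$admin","Description":"Admin web UI, admins only"}]},
 {"IpProtocol":"tcp","FromPort":443,"ToPort":443,"IpRanges":[{"CidrIp":"0.0.0.0/0","Description":"Client web UI and TCP fallback"}]},
 {"IpProtocol":"udp","FromPort":1194,"ToPort":1194,"IpRanges":[{"CidrIp":"0.0.0.0/0","Description":"OpenVPN UDP"}]}
]
EOF
}

# Route 53 change batch that (re)points name $1 at address $2.
r53_change_batch() {
    cat <<EOF
{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"$1","Type":"A","TTL":60,"ResourceRecords":[{"Value":"$2"}]}}]}
EOF
}

# $1 vpc-id, $2 instance-id, $3 admin CIDR, $4 hosted-zone-id, $5 DNS name.
# Needs aws cli credentials with EC2 and Route 53 write access.
provision() {
    sg=$(aws ec2 create-security-group --vpc-id "$1" --group-name openvpn-as \
         --description "OpenVPN Access Server" --query GroupId --output text)
    aws ec2 authorize-security-group-ingress --group-id "$sg" --ip-permissions "$(sg_ingress_json "$3")"
    aws ec2 modify-instance-attribute --instance-id "$2" --groups "$sg"
    # Same effect as ticking "Enable termination protection" at launch.
    aws ec2 modify-instance-attribute --instance-id "$2" --disable-api-termination
    alloc=$(aws ec2 allocate-address --domain vpc --query AllocationId --output text)
    aws ec2 associate-address --instance-id "$2" --allocation-id "$alloc"
    ip=$(aws ec2 describe-addresses --allocation-ids "$alloc" --query 'Addresses[0].PublicIp' --output text)
    aws route53 change-resource-record-sets --hosted-zone-id "$4" --change-batch "$(r53_change_batch "$5" "$ip")"
    echo "$5 -> $ip (security group $sg)"
}

if [ "$#" -eq 5 ]; then
    provision "$@"
fi
```

Use a tight admin CIDR (your office or home address, not a /8); if your address changes, update the two admin rules rather than widening them.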

Once the instance is running, connect to it via SSH using the DNS record (the Marketplace AMI's SSH user is openvpnas):

On first connection, the initial setup wizard prompts you to configure the OpenVPN server:

Set a new password for the openvpn admin user:

Point your browser to https://openvpn.slowcoder.com and log in with the openvpn user's credentials:

Download the OpenVPN Connect Client, after your installation is complete, click on “Import” then “From server” :

Then type the OpenVPN DNS name:

Enter openvpn as the username and the same password as before, then click on “connect“:

After you are connected, you should see a green check mark:

To verify the client is connected, login to OpenVPN Admin Dashboard on https://openvpn.slowcoder.com/admin :

Finally, create a simple web server instance in a private subnet to verify the VPN is working:

If you point your browser to the web server's private address, you should see a simple HTML page.

Network Infrastructure Weathermap

The main goal of collecting metrics is to store them for the long term and to build graphs that help debug problems or identify trends. However, storing metrics about your systems isn't enough to identify the root cause of problems and anomalies; you also need a high-level overview of your network backbone. A weathermap gives exactly that and is a natural fit for a Network Operations Center (NOC). In this post, I will show you how to build one using open source tools only.

Icinga 2 collects metrics about your backbone and writes check results and performance data to InfluxDB (the InfluxDB writer has been available since Icinga 2.5). Grafana then visualizes these metrics on a map.

To get started, add your desired host configuration inside the hosts.conf file:

Note: the city & country attributes will be used to create the weathermap.

To enable the InfluxDBWriter on your Icinga 2 installation, type the following command:

Configure your InfluxDB host and database in /etc/icinga2/features-enabled/influxdb.conf (Learn more about the InfluxDB configuration)

Icinga 2 writes all your metrics to the icinga2_metrics database by default. The host and service templates in that file define how each data point is stored: the measurement is the table-like grouping (by default the check command) and the tags are the labels attached to every point, which is what Grafana later groups and filters by. Notice the city and country tags, taken from the host variables defined above.

Don’t forget to restart Icinga 2 after saving your changes:

Once Icinga 2 is up and running it’ll start collecting data and writing them to InfluxDB:

Once our data arrived, it’s time for visualization. Grafana is widely used to generate graphs and dashboards. To create a Weathermap we can use a Grafana plugin called Worldmap Panel. Make sure to install it using grafana-cli tool:

The plugin will be installed into your grafana plugins directory (/var/lib/grafana/plugins):

Restart Grafana, navigate to the Grafana web interface and create a new InfluxDB datasource pointing at the icinga2_metrics database:

Create a new Dashboard:

The Group By clause should be the country tag, and an alias is needed too, in the form $tag_<tag name>, so $tag_country here: the Worldmap panel matches each series name against its country codes. See the image below for an example of a query:

Under the Worldmap tab, choose the countries option as the location data:

Finally, you should see a tile map of the world with circles representing the state of each host.

The state field takes the values 0 (OK), 1 (Warning), 2 (Critical) and 3 (Unknown/Unreachable); map them to the panel's colour thresholds.
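The Icinga 2 and Grafana steps above, as one added script (not code from the original post or the author's dashboard). It renders a host object with the city and country variables, the InfluxdbWriter feature with those variables as tags, and the InfluxQL query and alias the Worldmap panel needs, then enables the feature, validates the configuration and installs the panel. The host names and addresses, the InfluxDB host and the hostalive measurement (what generic-host checks with) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: renders the Icinga 2 host object,
# the InfluxdbWriter feature with city/country tags and the Worldmap query.
# Hostnames, addresses and the InfluxDB host are placeholders.

# Host object for hosts.conf. $1 name, $2 address, $3 city, $4 ISO country code
# (the Worldmap "countries" option matches series names against ISO 3166 codes).
render_host() {
    cat <<EOF
object Host "$1" {
  import "generic-host"
  address = "$2"
  vars.city = "$3"
  vars.country = "$4"
}

EOF
}

# /etc/icinga2/features-available/influxdb.conf. $1 InfluxDB host, $2 database.
# enable_send_metadata adds the "state" field the map is coloured by.
render_influxdb_conf() {
    printf 'object InfluxdbWriter "influxdb" {\n  host = "%s"\n  port = 8086\n  database = "%s"\n  enable_send_metadata = true\n' "$1" "$2"
    cat <<'EOF'
  host_template = {
    measurement = "$host.check_command$"
    tags = {
      hostname = "$host.name$"
      city = "$host.vars.city$"
      country = "$host.vars.country$"
    }
  }
  service_template = {
    measurement = "$service.check_command$"
    tags = {
      hostname = "$host.name$"
      service = "$service.name$"
      city = "$host.vars.city$"
      country = "$host.vars.country$"
    }
  }
}
EOF
}

# Grafana query for the panel: latest host state per country, one series per
# country code. generic-host checks with hostalive, hence the measurement name.
worldmap_query() {
    printf 'SELECT last("state") FROM "hostalive" WHERE $timeFilter GROUP BY "country"\n'
}
worldmap_alias() {
    printf '$tag_country\n'
}

# Writes the feature file, enables it, validates and restarts Icinga 2, then
# installs the panel and restarts Grafana. Needs root. $1 InfluxDB host, $2 database.
apply() {
    render_influxdb_conf "$1" "$2" > /etc/icinga2/features-available/influxdb.conf
    icinga2 feature enable influxdb
    icinga2 daemon -C && systemctl restart icinga2
    grafana-cli plugins install grafana-worldmap-panel
    systemctl restart grafana-server
}

if [ "$#" -eq 2 ]; then
    apply "$@"
fi
```

Append `render_host paris-core-rtr 192.0.2.1 Paris FR` style output to /etc/icinga2/conf.d/hosts.conf for each backbone node, then run the script with the InfluxDB host and database; paste worldmap_query and worldmap_alias into the panel's query editor.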

Note: If you would rather not build it by hand, I created a ready-to-use dashboard you can import from GitHub.

Highly Available Bastion Hosts with Route53

Instances in a private subnet don't have a public IP address, so without a VPN or Direct Connect a bastion host (jump box) is the expected way to reach them over SSH. That makes it a single point of access, which is why it should be made highly available.

In this quick post, I will show you how to set up highly available bastion hosts with the following goals:

  • Bastion hosts will be deployed in two Availability Zones to support immediate access across the VPC & withstand an AZ failure.
  • Elastic IP addresses are associated with the bastion instances to make sure the same trusted Elastic IPs are used at all times.
  • Bastion Hosts will be reachable via a permanent DNS entry configured with Route53.

To set up the infrastructure described above easily, I used Terraform:

Note: I wrote a tutorial on how to set up a VPC with Terraform, so make sure to read it for more details.

Update the variables.tfvars file with your SSH Key Pair name and an existing Hosted Zone ID. Then, issue the following command:

That will bring up the VPC, and all the necessary resources:

Now in your AWS Management Console you should see the resources created:

EC2 Instances:

DNS Record:

Finally, create an SSH tunnel using the DNS record to your private instance:

Once done, you should be able to reach your private instances via SSH:
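The tunnel step above, as an added example (not code from the original post or its Terraform): an ssh client configuration that jumps through the Route53 bastion name with agent forwarding off, the equivalent of the post's local port forward, and a helper that records the host keys of both bastions under the DNS name so that whichever Elastic IP the record resolves to, the host-key check passes. The ec2-user login, the key path and the 10.0.* pattern are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: ssh client configuration for the
# Route53 bastion name plus the tunnel command in the form the post uses.
# "ec2-user", the key path and the 10.0.* pattern are assumptions.

# ~/.ssh/config stanzas. $1 bastion DNS name, $2 key file, $3 private host pattern.
# ForwardAgent stays off: a compromised bastion must not be able to use your key.
render_ssh_config() {
    cat <<EOF
Host bastion
    HostName $1
    User ec2-user
    IdentityFile $2
    IdentitiesOnly yes
    ForwardAgent no

Host $3
    User ec2-user
    IdentityFile $2
    IdentitiesOnly yes
    ProxyJump bastion
EOF
}

# Local port forward through the bastion, what the post's tunnel does.
# $1 local port, $2 private instance IP.
tunnel_cmd() {
    printf 'ssh -N -L %s:%s:22 bastion\n' "$1" "$2"
}

# The DNS name resolves to two bastions with different host keys. Record every
# key under the DNS name so neither bastion triggers a host-key mismatch.
# $1 DNS name. Run this once from a network you trust.
trust_bastions() {
    for ip in $(getent ahostsv4 "$1" | awk '{print $1}' | sort -u); do
        ssh-keyscan "$ip" 2>/dev/null | sed "s/^$ip /$1 /"
    done >> "$HOME/.ssh/known_hosts"
}

if [ "$#" -eq 1 ]; then
    trust_bastions "$1"
fi
```

With the stanzas in ~/.ssh/config, `ssh 10.0.1.23` jumps through the bastion transparently; the explicit tunnel form is `ssh -N -L 2222:10.0.1.23:22 bastion` followed by `ssh -p 2222 ec2-user@localhost`. An alternative to keyscanning both addresses is to have Terraform provision the same host key on both bastions.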

To take it further: instead of fixing the number of bastion hosts, you could run a bastion host inside an Auto Scaling group with a minimum size of 1, so a failed instance is replaced automatically. The replacement would then have to re-associate the Elastic IP at boot so the trusted address and the DNS record stay valid.

Install MEAN Stack Using CloudFormation

AWS CloudFormation is a service that helps you model, set up and replicate your AWS resources. It uses a template file to bring up a collection of resources together as a single stack.

Templates are written as JSON files or built with AWS CloudFormation Designer. For this tutorial I opted for the first option.

Note: The template is available on my Github 😎.

We start with a basic template that defines a single EC2 instance with a security group that allows SSH traffic on port 22, MongoDB traffic on port 27017, and the NodeJS app on port 3000 from anywhere, as shown below. That is acceptable for a throwaway demo, but MongoDB ships without authentication enabled and should never be reachable from the internet; for anything longer-lived, drop the 27017 rule entirely (the app talks to MongoDB on localhost) and limit SSH to your own address range:

In addition, we define two input parameters for the instance type and the Key Pair used for SSH access. Then, we use the UserData property to provide a set of shell commands that install MongoDB and NodeJS and bootstrap a simple MEAN application. Finally, the Outputs section prints the public URL of the MEAN application.
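As an added example (not the author's template, which is on GitHub, nor its code), the security group resource the template should use once it outgrows the demo, together with a deploy-and-probe routine around the stack that checks from outside that port 3000 answers and 27017 does not. The resource name, the KeyName and InstanceType parameter names, the stack name and the admin CIDR are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or its template: a hardened
# security group for the MEAN stack plus a deploy-and-probe routine around the
# stack. Parameter names, stack name and admin CIDR are assumptions.

# AWS::EC2::SecurityGroup resource: the app port stays public, SSH is limited to
# $1, and MongoDB gets no rule at all because only the local Node process uses it
# (the packaged mongod.conf binds to 127.0.0.1 by default; leave it that way).
render_sg_resource() {
    cat <<EOF
"MeanSecurityGroup": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "MEAN stack: app public, SSH from admins, no MongoDB exposure",
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "$1"},
      {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000, "CidrIp": "0.0.0.0/0"}
    ]
  }
}
EOF
}

# 0 if $1:$2 accepts a TCP connection within 3 seconds, 1 otherwise.
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Validates, creates and waits for the stack, then checks from the outside that
# the app answers and MongoDB does not. $1 template file, $2 stack name, $3 key pair.
deploy_and_probe() {
    aws cloudformation validate-template --template-body "file://$1" >/dev/null
    aws cloudformation create-stack --stack-name "$2" --template-body "file://$1" \
        --parameters ParameterKey=KeyName,ParameterValue="$3" ParameterKey=InstanceType,ParameterValue=t2.micro
    aws cloudformation wait stack-create-complete --stack-name "$2"
    # CloudFormation tags every instance it creates with the stack name.
    host=$(aws ec2 describe-instances \
        --filters "Name=tag:aws:cloudformation:stack-name,Values=$2" "Name=instance-state-name,Values=running" \
        --query 'Reservations[0].Instances[0].PublicDnsName' --output text)
    port_open "$host" 3000 || { echo "app port closed on $host" >&2; return 1; }
    if port_open "$host" 27017; then
        echo "MongoDB is reachable from the internet on $host; fix the security group" >&2
        return 1
    fi
    echo "ok: $host serves 3000 and hides 27017"
}

if [ "$#" -eq 3 ]; then
    deploy_and_probe "$@"
fi
```

Paste the rendered resource into the template's Resources section in place of the open-to-the-world group, then run `sh deploy.sh mean.json mean-demo my-keypair`; the probe fails loudly if 27017 is still reachable.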

Now that the template is defined, go to the AWS Management Console, navigate to the CloudFormation Dashboard and click on “Create Stack“:

Upload the JSON file and click on “Next“:

Assign a name to the stack, and choose the instance type and the key pair you will use to SSH into the instance. Then, click on “Next“:

Leave all fields unchanged and click on “Next“, then “Create“:

Once launched, you will get the following screen showing the stack events as resources are created:

After a while, you will get the CREATE_COMPLETE message in the status tab.

If you point your browser to the URL shown in the Outputs tab, you should see a simple HTML message:

If we change the endpoint we should see a JSON response:

Congratulations! ✨🎉 You have deployed your MEAN Stack application.

Go to EC2 Dashboard, you should see your instance there:

Verify the security group is setup as configured in the template:

To verify that all packages and dependencies have been installed correctly, connect to the server via SSH:

To terminate the instance, delete the stack from the CloudFormation console. Deleting the stack terminates all the instances it launched: