Connecting the LRT214 or LRT224 to Amazon VPC via VPN
In this post I will explain how to establish a secure and standing VPN connection between the Linksys LRT214/LRT224 and Amazon VPC.
I assume that you have both your router and your Amazon VPC configured beforehand. Also, make sure you have the newest firmware for your router (1.0.5.03 as of this writing). For more details consult the Amazon VPC documentation regarding Hardware Virtual Private Gateways.
Let’s begin by logging into the Amazon Management Console and accessing the “Virtual Private Gateways” overview under “VPN Connections” in the VPC interface.
Create a new gateway. Multiple VPN connections can reuse the same gateway, so name it something other than “Office” or “Home”. I went with the unimaginative “Main” (you can rename it later, once you get a better picture of how it all fits together).
Once created, attach it to the VPC you want to connect your router with.
With the preliminaries out of the way, access the “VPN Connections” overview and create a new VPN connection.
OK, so there a few different settings here that need explaining.
- Name: The name of the VPN connection. You can only use the connection with one router, so naming it after the location of that router would make sense.
- Virtual Private Gateway: Choose the gateway you just created.
- Customer Gateway: Choose “New”
- IP Address: This is the internet-routable IP of your router, so if you’re on that routers network you should be able to get it using a service like icanhazip
- BGP ASN: Ignore it, the LRT2x4 does not support the Border Gateway Protocol (BGP allows AWS to figure out which IP addresses are on the other end, so that it can route to those from inside the VPC)
- Routing Options: Choose “Static”
- Static IP Prefixes: Enter the DHCP range of your router in CIDR notation (read more below).
The static IP part ensures that you can initiate connections from the VPC to the machines behind your router (it tells the VPC that it should route any packets addressed to that subnet to the router via VPN and let the router figure it out from there).
Regarding the notation: A typical DHCP range setup would be 192.168.1.1–192.168.1.255, which converts to 192.168.1.0/24 in CIDR. To restrict access to something less than the full range you need to calculate the corresponding CIDR (you don’t need to start at x.x.x.0, use x.x.x.64/26 to specify x.x.x.64-x.x.x.127 for example).
Make sure that there aren’t any subnet collisions between your VPC subnet and the subnet of your internal network.
In order for the machines on your VPC to actually know about the route to your network, you must enable “Propagate” for your Virtual Private Gateway under the “Route Propagation” tab in the details pane for the route table that associated with the subnets those machines are in.
The last thing to configure on AWS is the security groups for your VPC. Once you have a VPN connection up and running, there is no need to let e.g. SSH be accessible from anywhere but internal addresses, not even the external IP of your network. Instead you should only grant access to the subnet of your internal network.
Now that you have entered the bulk of the configuration parameters on the AWS side you can continue with entering the bulk of the configuration parameters on the router side.
Download the VPN configuration (choose “Generic” in the vendor dropdown).
Login to your LRT2x4, go to the “Gateway To Gateway” page under “VPN” in the “Configuration” tab.
Start with setting up the various IP addresses.
- Name: “AWS” was the best I could come up with
- Interface: On the LRT224 make sure to select the proper interface.
- Enable: Yes please.
- Local Security Gateway Type: Select “IP only”.
- Local Security Group Type (et al.): Select “Subnet”.
This restricts which IP addresses can access the VPC. Use the same setting as the “Static IP Prefixes” setting from the VPN configuration (convert the CIDR notation to subnet mask notation).
- Remote Security Gateway Type: Select “IP Only”
- IP Address: Enter the IP from the configuration you downloaded (under IPSec Tunnel #1 → #3: Tunnel Interface Configuration)
- Remote Security Group Type (et al.): Select “Subnet”. This subnet should match the VPC subnet you have attached the Virtual Private Gateway to. Once again you just convert the CIDR notation to subnet mask notation.
Next, configure the IPSec parameters. This diagram should sufficiently explain the game of musical chairs you’ll need play with the values.
Under Advanced, select nothing but the “Dead Peer Detection Interval” and set it to 10.
Click “Save”. You will be led to the VPN connections overview, where you can click “Connect” and check whether the router can connect to AWS.
Once the connection is established, you can connect to one of your instances using their private IP.
You should even be able to connect right back to your own machine.
That’s it! You have now successfully created a VPN tunnel between your network and your VPC with bi-directional connectivity!
About the Author
Anders Ingemann works for Secoya A/S, a company dedicated to providing advanced knowledge management solutions. In his spare time he rock climbs in the danish mountains and saves orphanages from supervillains. He is the author of open source projects such as homeshick and bootstrap-vz.