How to setup AWS Site to Site VPN with UDR - toge510/homelab GitHub Wiki

Customer Gateway

  HomeCustomerGateway:
    Type: AWS::EC2::CustomerGateway
    Properties:
      BgpAsn: 65000
      IpAddress: 220.144.139.181
      Type: ipsec.1
      Tags:
        - Key: Name
          Value: Home-Customer-Gateway

• Homelab's global IP address: 220.144.139.181

Virtual Private Gateway

  # Virtual Private Gateway
  MyVirtualPrivateGateway:
    Type: AWS::EC2::VPNGateway
    Properties:
      Type: ipsec.1
      Tags:
        - Key: Name
          Value: My-Virtual-Private-Gateway

VPN Connection

  # VPN Connection
  MyVPNConnection:
    Type: AWS::EC2::VPNConnection
    Properties:
      CustomerGatewayId: !Ref HomeCustomerGateway
      VpnGatewayId: !Ref MyVirtualPrivateGateway
      Type: ipsec.1
      StaticRoutesOnly: true
      LocalIpv4NetworkCidr: 192.168.1.0/24
      VpnTunnelOptionsSpecifications:
        - PreSharedKey: Qc9GZnO3RsimABGoz1G004JZXsTHZKrC
          Phase1EncryptionAlgorithms:
            - Value: AES256
          Phase2EncryptionAlgorithms:
            - Value: AES256
          Phase1IntegrityAlgorithms:
            - Value: SHA2-256
            - Value: SHA2-384
            - Value: SHA2-512
          Phase2IntegrityAlgorithms:
            - Value: SHA2-256
            - Value: SHA2-384
            - Value: SHA2-512
          Phase1DHGroupNumbers:
            - Value: 14
            - Value: 15
            - Value: 16
            - Value: 17
            - Value: 18
            - Value: 19
            - Value: 20
            - Value: 21
            - Value: 22
            - Value: 23
            - Value: 24
          Phase2DHGroupNumbers:
            - Value: 14
            - Value: 15
            - Value: 16
            - Value: 17
            - Value: 18
            - Value: 19
            - Value: 20
            - Value: 21
            - Value: 22
            - Value: 23
            - Value: 24
          IKEVersions:
            - Value: ikev2
        - PreSharedKey: Qc9GZnO3RsimABGoz1G004JZXsTHZKrC
          Phase1EncryptionAlgorithms:
            - Value: AES256
          Phase2EncryptionAlgorithms:
            - Value: AES256
          Phase1IntegrityAlgorithms:
            - Value: SHA2-256
            - Value: SHA2-384
            - Value: SHA2-512
          Phase2IntegrityAlgorithms:
            - Value: SHA2-256
            - Value: SHA2-384
            - Value: SHA2-512
          Phase1DHGroupNumbers:
            - Value: 14
            - Value: 15
            - Value: 16
            - Value: 17
            - Value: 18
            - Value: 19
            - Value: 20
            - Value: 21
            - Value: 22
            - Value: 23
            - Value: 24
          Phase2DHGroupNumbers:
            - Value: 14
            - Value: 15
            - Value: 16
            - Value: 17
            - Value: 18
            - Value: 19
            - Value: 20
            - Value: 21
            - Value: 22
            - Value: 23
            - Value: 24
          IKEVersions:
            - Value: ikev2
      Tags:
        - Key: Name
          Value: My-VPN-Connection

• Local network prefixes(homelab):192.168.1.0/24

Attach Virtual Private Gateway to VPC

  # VPC Gateway Attachment
  MyVPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !ImportValue MyVPC
      VpnGatewayId: !Ref MyVirtualPrivateGateway

Add static route to local network

  # VPN Connection Route
  MyVPNRoute:
    Type: AWS::EC2::VPNConnectionRoute
    Properties:
      DestinationCidrBlock: 192.168.1.0/24
      VpnConnectionId: !Ref MyVPNConnection

• Local network prefixes(homelab):192.168.1.0/24

Set Site-to-Site VPN in UDR

References

• https://mjasion.pl/posts/cloud/how-to-setup-aws-site-to-site-vpn-with-unifi-udm/
• https://rewse.jp/blog/how-build-site-vpn-ubiquiti-unifi-udm-se-aws/
• https://dev.classmethod.jp/articles/introduction-2024-aws-site-to-site-vpn/
• https://www.ashisuto.co.jp/db_blog/article/aws-vpn.html